doc: ReSTify and split LSM.txt
The existing LSM.txt file covered both usage and development, so split this into two files, one under admin-guide and one under kernel development. Cc: James Morris <james.l.morris@oracle.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net>
This commit is contained in:
Kees Cook
committed by
Jonathan Corbet
Jonathan Corbet
parent
f00f85a8b2
commit
504f231cda
31
Documentation/admin-guide/LSM/index.rst
Normal file
31
Documentation/admin-guide/LSM/index.rst
Normal file
@@ -0,0 +1,31 @@
|
||||
===========================
|
||||
Linux Security Module Usage
|
||||
===========================
|
||||
|
||||
The Linux Security Module (LSM) framework provides a mechanism for
|
||||
various security checks to be hooked by new kernel extensions. The name
|
||||
"module" is a bit of a misnomer since these extensions are not actually
|
||||
loadable kernel modules. Instead, they are selectable at build-time via
|
||||
CONFIG_DEFAULT_SECURITY and can be overridden at boot-time via the
|
||||
``"security=..."`` kernel command line argument, in the case where multiple
|
||||
LSMs were built into a given kernel.
|
||||
|
||||
The primary users of the LSM interface are Mandatory Access Control
|
||||
(MAC) extensions which provide a comprehensive security policy. Examples
|
||||
include SELinux, Smack, Tomoyo, and AppArmor. In addition to the larger
|
||||
MAC extensions, other extensions can be built using the LSM to provide
|
||||
specific changes to system operation when these tweaks are not available
|
||||
in the core functionality of Linux itself.
|
||||
|
||||
Without a specific LSM built into the kernel, the default LSM will be the
|
||||
Linux capabilities system. Most LSMs choose to extend the capabilities
|
||||
system, building their checks on top of the defined capability hooks.
|
||||
For more details on capabilities, see ``capabilities(7)`` in the Linux
|
||||
man-pages project.
|
||||
|
||||
A list of the active security modules can be found by reading
|
||||
``/sys/kernel/security/lsm``. This is a comma separated list, and
|
||||
will always include the capability module. The list reflects the
|
||||
order in which checks are made. The capability module will always
|
||||
be first, followed by any "minor" modules (e.g. Yama) and then
|
||||
the one "major" module (e.g. SELinux) if there is one configured.
|
||||
@@ -61,6 +61,7 @@ configure specific aspects of kernel behavior to your liking.
|
||||
java
|
||||
ras
|
||||
pm/index
|
||||
LSM/index
|
||||
|
||||
.. only:: subproject and html
|
||||
|
||||
|
||||
Reference in New Issue
Block a user