Commit b86b9d2e authored by Simon Ruderich's avatar Simon Ruderich

slsm: allow access to current label through /proc/$pid/attr/current

parent 44881844
......@@ -49,6 +49,9 @@ Currently available flags are
* `f` SLSM-specific flags described above, `inherit` is 1, `confine` is 2,
`exact` is 4, `protect` is 8 (optional)
The current "label" of each process, the (inherited) path, is available in
`/proc/$pid/attr/current`.
# Examples #
## Protecting SSH private keys ##
......
......@@ -397,6 +397,19 @@ static int passt_unix_may_send(struct socket *sock, struct socket *other) {
}
static int passt_getprocattr(struct task_struct *p, char *name, char **value) {
struct passt_task *pt = task_security(p);
if (strcmp(name, "current"))
return -EINVAL;
*value = kstrdup(pt->label, GFP_KERNEL);
if (!*value)
return -ENOMEM;
return (int)strlen(*value);
}
static struct security_hook_list passt_hooks[] = {
LSM_HOOK_INIT(ptrace_access_check, passt_ptrace_access_check),
......@@ -421,7 +434,7 @@ static struct security_hook_list passt_hooks[] = {
LSM_HOOK_INIT(file_open, passt_file_open),
/* LSM_HOOK_INIT(file_mprotect, passt_file_mprotect), */
/* LSM_HOOK_INIT(getprocattr, passt_getprocattr), */
LSM_HOOK_INIT(getprocattr, passt_getprocattr),
/* LSM_HOOK_INIT(setprocattr, passt_setprocattr), */
/**
......
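Review bot: passt_getprocattr copies the label of any task to whoever reads /proc/$pid/attr/current without checking that the reader may inspect that task; if I remember the procfs side correctly, proc_pid_attr_read() does no ptrace_may_access() of its own and leaves that decision to the hook, which is why SELinux checks PROCESS__GETATTR against the target before returning anything. Since the label is a filesystem path per the README hunk in this commit, an unprivileged user could enumerate which protected path every other process runs under, so the read should be gated by the same caller-versus-target decision passt_ptrace_access_check already encodes (or a ptrace_may_access(p, PTRACE_MODE_READ_FSCREDS) call) before the kstrdup. Separately, if pt or pt->label can be NULL for a task that never received a label, kstrdup(NULL, ...) yields NULL and the reader sees -ENOMEM rather than "no label"; a guard such as `if (!pt || !pt->label) return -ENOENT;` (or an empty string, whichever contract the README intends) would make that explicit. Whether pt->label can be replaced or freed concurrently, for example on exec, is not visible in this hunk; if it can, the strlen/kstrdup must run under whatever lock or RCU protection the label already has.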