
Searched refs:LSM (Results 1 – 25 of 72) sorted by relevance


/linux-6.15/Documentation/translations/zh_CN/security/
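lsm.rst
38 The Linux Security Modules (LSM) project was started by WireX to develop such a framework. LSM was a joint effort of several security
44 LSM Framework
47 The LSM framework provides a general kernel framework to support security modules. In particular, the LSM framework is primarily focused
50 The LSM framework is optional, requiring `CONFIG_SECURITY` to be enabled. The capabilities logic is implemented as a security
51 module. This capabilities module is discussed further in the `LSM Capabilities Module`_ section.
53 The LSM framework includes security fields in kernel data structures and calls hook functions at critical points in the kernel code to
58 The LSM security fields are simply ``void*`` pointers. The data is referred to as a blob, which may be managed by the framework or by the
76 LSM hooks are maintained in lists. A list is maintained for each hook function, and these hooks, following CONFIG_LSM,
79 The LSM framework provides for a close approximation of general security module stacking. It defines security_add_hooks(), each security
81 , and this structure is added to the lists. The LSM framework does not provide a mechanism for removing hooks that have been registered. The SELinux security
credentials.rst
173 5. LSM
175 The Linux Security Module allows extra controls to be placed over the operations that a task may do. Currently Linux supports several LSM options.
201 * LSM security label;
214 accessed through (uid, gid) or (groups, keys, LSM security). Each task, in its
394 This will alter various aspects of the credentials and the process, giving the LSM a chance to do likewise, then use
landlock.rst
13 Landlock LSM: kernel documentation
25 Landlock is intended to be usable by unprivileged processes while complying with other access-control mechanisms (e.g. DAC, LSM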
/linux-6.15/Documentation/netlabel/
lsm_interface.rst
13 network packets. It is intended to be used by LSM developers who want to make
27 configuration. It is up to the LSM developer to translate the NetLabel
29 particular LSM.
31 NetLabel LSM Protocol Operations
34 These are the functions which allow the LSM developer to manipulate the labels
44 label and the internal LSM security identifier can be time consuming. The
47 LSM has received a packet, used NetLabel to decode its security attributes,
48 and translated the security attributes into a LSM internal identifier the LSM
49 can use the NetLabel caching functions to associate the LSM internal
52 NetLabel translation mechanisms bypassed but the LSM translation mechanisms are
cipso_ipv4.rst
26 that it is set upon the socket's creation. The LSM can set the socket's CIPSO
35 IP layer without any special handling required by the LSM. However, in order
36 to decode and translate the CIPSO label on the packet the LSM must use the
39 LSM hook.
55 mappings from the network labels to the corresponding LSM identifiers. The
/linux-6.15/Documentation/bpf/
fs_kfuncs.rst
9 BPF LSM programs need to access filesystem data from LSM hooks. The following
18 1. These kfuncs are only permitted from BPF LSM function.
19 2. These kfuncs should not call into other LSM hooks, i.e. security_*(). For
21 the latter calls LSM hook ``security_inode_getxattr``.
prog_lsm.rst
5 LSM BPF Programs
8 These BPF programs allow runtime instrumentation of the LSM hooks by privileged
16 LSM hook:
20 Other LSM hooks which can be instrumented can be found in
61 * ``"lsm/file_mprotect"`` indicates the LSM hook that the program must
117 Attachment to LSM Hooks
120 The LSM allows attachment of eBPF programs as LSM hooks using :manpage:`bpf(2)`
124 The program can be detached from the LSM hook by *destroying* the ``link``
bpf_licensing.rst
78 Further, some BPF program types - Linux Security Modules (LSM) and TCP
81 registration step of LSM and TCP congestion control modules of the Linux
82 kernel is done through EXPORT_SYMBOL_GPL kernel functions. In that sense LSM
/linux-6.15/Documentation/ABI/testing/
procfs-attr-prev
6 a Linux security module (LSM) active on the system
9 this interface is LSM dependent.
13 this interface are LSM dependent.
14 The format of the data used by this interface is LSM
procfs-attr-current
6 security module (LSM) that is active on the system.
9 of the task identified is LSM dependent.
14 the task identified are LSM dependent.
15 The format of the data used by this interface is LSM
procfs-attr-exec
6 by a Linux security module (LSM) active on the system
10 of the task identified is LSM dependent.
15 the task identified are LSM dependent.
16 The format of the data used by this interface is LSM
ima_policy
9 the policy can be constrained based on LSM specific data.
49 lsm: are LSM specific
126 Examples of LSM specific definitions:
189 either based on a filesystem's UUID (fsuuid) or based on LSM
/linux-6.15/Documentation/security/
lsm-development.rst
6 a new LSM is accepted into the kernel when its intent (a description of
8 use it) has been appropriately documented in ``Documentation/admin-guide/LSM/``.
9 This allows an LSM's code to be easily compared to its goals, and so
13 For extensive documentation on the available LSM hook interfaces, please
lsm.rst
37 The Linux Security Modules (LSM) project was started by WireX to develop
38 such a framework. LSM was a joint development effort by several security
46 LSM Framework
49 The LSM framework provides a general kernel framework to support
50 security modules. In particular, the LSM framework is primarily focused
54 the infrastructure to support security modules. The LSM framework is
58 `LSM Capabilities Module`_.
67 The LSM security fields are simply ``void*`` pointers.
98 LSM hooks are maintained in lists. A list is maintained for each
103 The LSM framework provides for a close approximation of
/linux-6.15/Documentation/translations/zh_CN/process/
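3.Early-stage.rst
31 Module (LSM) framework kernel module; this module can be configured to allow specific applications to access the realtime
35 to the kernel community, this was seen as a misuse of the LSM framework (the LSM framework is not intended to grant them what they would not otherwise have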
/linux-6.15/Documentation/translations/zh_CN/userspace-api/
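no_new_privs.rst
31 LSM) will not relax constraints after an execve call.
37 Be careful, though: Linux Security Modules (LSMs) might also not tighten constraints in ``no_new_privs`` mode.
39 would interfere with LSM-based sandboxing.)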
/linux-6.15/Documentation/translations/zh_TW/process/
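3.Early-stage.rst
34 Module (LSM) framework kernel module; this module can be configured to allow specific applications to access the realtime
38 to the kernel community, this was seen as a misuse of the LSM framework (the LSM framework is not intended to grant them what they would not otherwise have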
/linux-6.15/security/lockdown/
Kconfig
6 Build support for an LSM that enforces a coarse kernel lockdown
10 bool "Enable lockdown LSM early in init"
13 Enable the lockdown LSM early in boot. This is necessary in order
/linux-6.15/Documentation/admin-guide/LSM/
index.rst
5 The Linux Security Module (LSM) framework provides a mechanism for
13 The primary users of the LSM interface are Mandatory Access Control
16 MAC extensions, other extensions can be built using the LSM to provide
SafeSetID.rst
4 SafeSetID is an LSM module that gates the setid family of syscalls to restrict
31 This SafeSetID LSM seeks to provide a solution for restricting setid
34 The main use case for this LSM is to allow a non-root program to transition to
37 additional restrictions imposed by this LSM would mean it is a "safer" version
54 as implemented in this LSM, an alternative option would be to simply take away
88 Use an existing LSM
99 This LSM hooks the setid syscalls to make sure transitions are allowed if an
tomoyo.rst
8 TOMOYO is a name-based MAC extension (LSM module) for the Linux kernel.
15 Though these tutorials use non-LSM version of TOMOYO, they are useful for you
/linux-6.15/scripts/selinux/
README
1 Please see Documentation/admin-guide/LSM/SELinux.rst for information on
/linux-6.15/Documentation/translations/zh_CN/userspace-api/ebpf/
index.rst
15 including networking, tracing, Linux Security Modules (LSM), and so on.
/linux-6.15/Documentation/userspace-api/ebpf/
index.rst
10 (LSM).
/linux-6.15/security/yama/
Kconfig
12 Documentation/admin-guide/LSM/Yama.rst.
