[thirdparty/man-pages.git] / man5 / proc_pid_attr.5

.\" Copyright (C) 1994, 1995, Daniel Quinlan <quinlan@yggdrasil.com)
.\" Copyright (C) 2002-2008, 2017, Michael Kerrisk <mtk.manpages@gmail.com>
.\" Copyright (C) 2023, Alejandro Colomar <alx@kernel.org>
.\"
.\" SPDX-License-Identifier: GPL-3.0-or-later
.\"
.TH proc_pid_attr 5 (date) "Linux man-pages (unreleased)"
.SH NAME
/proc/pid/attr/ \- security-related attributes
.SH DESCRIPTION
.TP
.IR /proc/ pid /attr/
.\" https://lwn.net/Articles/28222/
.\" From:    Stephen Smalley <sds@epoch.ncsc.mil>
.\" To:	     LKML and others
.\" Subject: [RFC][PATCH] Process Attribute API for Security Modules
.\" Date:    08 Apr 2003 16:17:52 -0400
.\"
.\"	http://www.nsa.gov/research/_files/selinux/papers/module/x362.shtml
.\"
The files in this directory provide an API for security modules.
The contents of this directory are files that can be read and written
in order to set security-related attributes.
This directory was added to support SELinux,
but the intention was that the API be general enough to support
other security modules.
For the purpose of explanation,
examples of how SELinux uses these files are provided below.
.IP
This directory is present only if the kernel was configured with
.BR CONFIG_SECURITY .
.TP
.IR /proc/ pid /attr/current " (since Linux 2.6.0)"
The contents of this file represent the current
security attributes of the process.
.IP
In SELinux, this file is used to get the security context of a process.
Prior to Linux 2.6.11, this file could not be used to set the security
context (a write was always denied), since SELinux limited process security
transitions to
.BR execve (2)
(see the description of
.IR /proc/ pid /attr/exec ,
below).
Since Linux 2.6.11, SELinux lifted this restriction and began supporting
"set" operations via writes to this node if authorized by policy,
although use of this operation is only suitable for applications that are
trusted to maintain any desired separation between the old and new security
contexts.
.IP
Prior to Linux 2.6.28, SELinux did not allow threads within a
multithreaded process to set their security context via this node
as it would yield an inconsistency among the security contexts of the
threads sharing the same memory space.
Since Linux 2.6.28, SELinux lifted
this restriction and began supporting "set" operations for threads within
a multithreaded process if the new security context is bounded by the old
security context, where the bounded relation is defined in policy and
guarantees that the new security context has a subset of the permissions
of the old security context.
.IP
Other security modules may choose to support "set" operations via
writes to this node.
.TP
.IR /proc/ pid /attr/exec " (since Linux 2.6.0)"
This file represents the attributes to assign to the
process upon a subsequent
.BR execve (2).
.IP
In SELinux,
this is needed to support role/domain transitions, and
.BR execve (2)
is the preferred point to make such transitions because it offers better
control over the initialization of the process in the new security label
and the inheritance of state.
In SELinux, this attribute is reset on
.BR execve (2)
so that the new program reverts to the default behavior for any
.BR execve (2)
calls that it may make.
In SELinux, a process can set
only its own
.IR /proc/ pid /attr/exec
attribute.
.TP
.IR /proc/ pid /attr/fscreate " (since Linux 2.6.0)"
This file represents the attributes to assign to files
created by subsequent calls to
.BR open (2),
.BR mkdir (2),
.BR symlink (2),
and
.BR mknod (2)
.IP
SELinux employs this file to support creation of a file
(using the aforementioned system calls)
in a secure state,
so that there is no risk of inappropriate access being obtained
between the time of creation and the time that attributes are set.
In SELinux, this attribute is reset on
.BR execve (2),
so that the new program reverts to the default behavior for
any file creation calls it may make, but the attribute will persist
across multiple file creation calls within a program unless it is
explicitly reset.
In SELinux, a process can set only its own
.IR /proc/ pid /attr/fscreate
attribute.
.TP
.IR /proc/ pid /attr/keycreate " (since Linux 2.6.18)"
.\" commit 4eb582cf1fbd7b9e5f466e3718a59c957e75254e
If a process writes a security context into this file,
all subsequently created keys
.RB ( add_key (2))
will be labeled with this context.
For further information, see the kernel source file
.I Documentation/security/keys/core.rst
(or file
.\" commit b68101a1e8f0263dbc7b8375d2a7c57c6216fb76
.I Documentation/security/keys.txt
between Linux 3.0 and Linux 4.13, or
.\" commit d410fa4ef99112386de5f218dd7df7b4fca910b4
.I Documentation/keys.txt
before Linux 3.0).
.TP
.IR /proc/ pid /attr/prev " (since Linux 2.6.0)"
This file contains the security context of the process before the last
.BR execve (2);
that is, the previous value of
.IR /proc/ pid /attr/current .
.TP
.IR /proc/ pid /attr/socketcreate " (since Linux 2.6.18)"
.\" commit 42c3e03ef6b298813557cdb997bd6db619cd65a2
If a process writes a security context into this file,
all subsequently created sockets will be labeled with this context.
.SH SEE ALSO
.BR proc (5)
Commit	Line	Data
17cec8ff AC	1	.\" Copyright (C) 1994, 1995, Daniel Quinlan <quinlan@yggdrasil.com)
	2	.\" Copyright (C) 2002-2008, 2017, Michael Kerrisk <mtk.manpages@gmail.com>
	3	.\" Copyright (C) 2023, Alejandro Colomar <alx@kernel.org>
	4	.\"
	5	.\" SPDX-License-Identifier: GPL-3.0-or-later
	6	.\"
	7	.TH proc_pid_attr 5 (date) "Linux man-pages (unreleased)"
	8	.SH NAME
	9	/proc/pid/attr/ \- security-related attributes
	10	.SH DESCRIPTION
	11	.TP
	12	.IR /proc/ pid /attr/
	13	.\" https://lwn.net/Articles/28222/
	14	.\" From: Stephen Smalley <sds@epoch.ncsc.mil>
	15	.\" To: LKML and others
	16	.\" Subject: [RFC][PATCH] Process Attribute API for Security Modules
	17	.\" Date: 08 Apr 2003 16:17:52 -0400
	18	.\"
	19	.\" http://www.nsa.gov/research/_files/selinux/papers/module/x362.shtml
	20	.\"
	21	The files in this directory provide an API for security modules.
	22	The contents of this directory are files that can be read and written
	23	in order to set security-related attributes.
	24	This directory was added to support SELinux,
	25	but the intention was that the API be general enough to support
	26	other security modules.
	27	For the purpose of explanation,
	28	examples of how SELinux uses these files are provided below.
	29	.IP
	30	This directory is present only if the kernel was configured with
	31	.BR CONFIG_SECURITY .
	32	.TP
	33	.IR /proc/ pid /attr/current " (since Linux 2.6.0)"
	34	The contents of this file represent the current
	35	security attributes of the process.
	36	.IP
	37	In SELinux, this file is used to get the security context of a process.
	38	Prior to Linux 2.6.11, this file could not be used to set the security
	39	context (a write was always denied), since SELinux limited process security
	40	transitions to
	41	.BR execve (2)
	42	(see the description of
	43	.IR /proc/ pid /attr/exec ,
	44	below).
	45	Since Linux 2.6.11, SELinux lifted this restriction and began supporting
	46	"set" operations via writes to this node if authorized by policy,
	47	although use of this operation is only suitable for applications that are
	48	trusted to maintain any desired separation between the old and new security
	49	contexts.
	50	.IP
	51	Prior to Linux 2.6.28, SELinux did not allow threads within a
	52	multithreaded process to set their security context via this node
	53	as it would yield an inconsistency among the security contexts of the
	54	threads sharing the same memory space.
	55	Since Linux 2.6.28, SELinux lifted
	56	this restriction and began supporting "set" operations for threads within
	57	a multithreaded process if the new security context is bounded by the old
	58	security context, where the bounded relation is defined in policy and
	59	guarantees that the new security context has a subset of the permissions
	60	of the old security context.
	61	.IP
	62	Other security modules may choose to support "set" operations via
	63	writes to this node.
	64	.TP
65	.IR /proc/ pid /attr/exec " (since Linux 2.6.0)"
66	This file represents the attributes to assign to the
67	process upon a subsequent
68	.BR execve (2).
69	.IP
70	In SELinux,
71	this is needed to support role/domain transitions, and
72	.BR execve (2)
73	is the preferred point to make such transitions because it offers better
74	control over the initialization of the process in the new security label
75	and the inheritance of state.
76	In SELinux, this attribute is reset on
77	.BR execve (2)
78	so that the new program reverts to the default behavior for any
79	.BR execve (2)
80	calls that it may make.
81	In SELinux, a process can set
82	only its own
83	.IR /proc/ pid /attr/exec
84	attribute.
85	.TP
86	.IR /proc/ pid /attr/fscreate " (since Linux 2.6.0)"
87	This file represents the attributes to assign to files
88	created by subsequent calls to
89	.BR open (2),
90	.BR mkdir (2),
91	.BR symlink (2),
92	and
93	.BR mknod (2)
94	.IP
95	SELinux employs this file to support creation of a file
96	(using the aforementioned system calls)
97	in a secure state,
98	so that there is no risk of inappropriate access being obtained
99	between the time of creation and the time that attributes are set.
100	In SELinux, this attribute is reset on
101	.BR execve (2),
102	so that the new program reverts to the default behavior for
103	any file creation calls it may make, but the attribute will persist
104	across multiple file creation calls within a program unless it is
105	explicitly reset.
106	In SELinux, a process can set only its own
107	.IR /proc/ pid /attr/fscreate
108	attribute.
109	.TP
110	.IR /proc/ pid /attr/keycreate " (since Linux 2.6.18)"
111	.\" commit 4eb582cf1fbd7b9e5f466e3718a59c957e75254e
112	If a process writes a security context into this file,
113	all subsequently created keys
114	.RB ( add_key (2))
115	will be labeled with this context.
116	For further information, see the kernel source file
117	.I Documentation/security/keys/core.rst
118	(or file
119	.\" commit b68101a1e8f0263dbc7b8375d2a7c57c6216fb76
120	.I Documentation/security/keys.txt
121	between Linux 3.0 and Linux 4.13, or
122	.\" commit d410fa4ef99112386de5f218dd7df7b4fca910b4
123	.I Documentation/keys.txt
124	before Linux 3.0).
125	.TP
126	.IR /proc/ pid /attr/prev " (since Linux 2.6.0)"
127	This file contains the security context of the process before the last
128	.BR execve (2);
129	that is, the previous value of
130	.IR /proc/ pid /attr/current .
131	.TP
132	.IR /proc/ pid /attr/socketcreate " (since Linux 2.6.18)"
133	.\" commit 42c3e03ef6b298813557cdb997bd6db619cd65a2
134	If a process writes a security context into this file,
135	all subsequently created sockets will be labeled with this context.
136	.SH SEE ALSO
137	.BR proc (5)