[rsbac] appending rsbac data to /proc/$pid/status

Amon Ott ao at rsbac.org
Sat Mar 17 11:10:53 CET 2018


On 13.03.18 at 23:20, Javier Juan Martínez Cabezón wrote:
> Hi Amon, I think it would be useful to append rsbac data to
> /proc/$pid/status or make something like this under /proc/rsbac-info. It
> would help userspace development tools highly.
> 
> For example rc_role of this process, rc_type of proc, w or x enabled or
> not, if jailed etc, the kind of data that we could retrieve from
> attr_get_process.

Reading various process attributes goes through individual access
control checks in all decision modules. Putting them into one /proc file
would either make detailed control impossible or change the format
depending on current access rights.

What we could e.g. do is add new files into /proc/$pid/rsbac/, each
named like the attribute and containing a single value.

However, I would prefer a ps extension in C that uses librsbac to get
the values through sys_rsbac system calls. This would be much faster and
actually easier than parsing files, and it would come with two
advantages: full access control and no further extensions to /proc.
There are also Python bindings flying around somewhere.

The idea of a ps extension is not new, but nice; I might soon have a
look at it myself.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
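
The trade-off described in the reply above, as an added toy model in C that is not part of the original message and is not RSBAC kernel code or librsbac: it contrasts a combined file behind one check, a combined file that skips denied attributes, and one file per attribute. The attribute set, the values and all function names are assumptions made for illustration.

```c
/* Toy model with constructed sample data; not RSBAC kernel code or librsbac. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum { RC_ROLE, RC_TYPE, JAILED, N_ATTR };   /* illustrative attribute set */
static const char *attr_name[N_ATTR] = { "rc_role", "rc_type", "jailed" };
static const int attr_value[N_ATTR] = { 2, 5, 1 };

/* Combined file, denied attributes skipped: checks kept, layout varies per caller. */
int read_combined_filtered(const int granted[N_ATTR], char *buf, size_t len)
{
    size_t off = 0;
    if (len) buf[0] = '\0';
    for (int i = 0; i < N_ATTR; i++) {
        if (!granted[i]) continue;
        int n = snprintf(buf + off, len - off, "%s:\t%d\n", attr_name[i], attr_value[i]);
        if (n < 0 || (size_t)n >= len - off) return -ENOSPC;
        off += (size_t)n;
    }
    return (int)off;   /* bytes written */
}

/* Combined file behind one check: a single denial hides every attribute. */
int read_combined_single_check(const int granted[N_ATTR], char *buf, size_t len)
{
    for (int i = 0; i < N_ATTR; i++)
        if (!granted[i]) return -EACCES;
    return read_combined_filtered(granted, buf, len);
}

/* One file per attribute, one value each: separate decision, fixed format. */
int read_attr_file(const int granted[N_ATTR], int attr, int *value)
{
    if (attr < 0 || attr >= N_ATTR) return -ENOENT;
    if (!granted[attr]) return -EACCES;
    *value = attr_value[attr];
    return 0;
}

int main(void)
{
    const int caller[N_ATTR] = { 1, 0, 1 };   /* constructed: rc_type denied */
    char buf[128];
    int v = -1;
    printf("single check: %d\n", read_combined_single_check(caller, buf, sizeof buf));
    printf("filtered: %d bytes\n", read_combined_filtered(caller, buf, sizeof buf));
    printf("%src_type file: %d\n", buf, read_attr_file(caller, RC_TYPE, &v));
    return 0;
}
```

With `rc_type` denied, the filtered file moves `jailed` up to the second line, so a tool that reads it by position gets the wrong attribute, while the per-attribute read fails with `-EACCES` for that one attribute only.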
