Update how to setup a policy namespace for containers

2025-03-04 08:24:42 +01:00 · 2019-05-03 02:03:01 +00:00 · 2019-05-03 02:03:01 +00:00 · 9c9c290876
commit 9c9c290876
parent ad18465c20
1 changed files with 26 additions and 0 deletions
--- a/how-to-setup-a-policy-namespace-for-containers.md
+++ b/how-to-setup-a-policy-namespace-for-containers.md
@ -203,6 +203,32 @@ LSM stacking, but hopefully 5.3)
 there is flexibility in the ordering but if you stick to the above
 ordering you avoid some of the potential problems.

+# The display LSM
+
+The display LSM is how the LSM virtualizes shared interfaces in userspace. The display LSM can be set per task and governs which LSM receives and displays information on shared interfaces. Unfortunately AppArmor, Smack and selinux all share a few user space interfaces.
+
+  /proc/<pid>/attr/
+
+  SO_PEER_CRED
+
+## Setting the display LSM
+
+  lsm-exec
+
+  aa-exec
+
+  writing /proc/<pid>/attr/display
+
+## When setting the display LSM are needed
+
+AppArmor and Smack have been migrating away from the shared interfaces to use private interfaces which will negate the need for setting the display LSM in the future but setting the display LSM is needed for legacy user space Applications that don't support the new interfaces.
+
+AppArmor 2.x: requires the display LSM be set.
+
+AppArmor 3.x: supports the new private interfaces, available on Kernel 5.3 or later.
+
+Note: some applications (eg. LXD, snapd) use AppArmor's lowlevel interfaces directly instead of going through the libapparmor api. For these applications setting the display LSM may be required even if AppArmor 3 is installed on the system.
+
 # Mounting securityfs

 AppArmor using a virtual filesystem to interface with the userspace.