Re: [PATCH v10 13/25] LSM: Specify which LSM to display

[Casey Schaufler <casey@schaufler-ca.com>]

On 10/29/2019 7:44 AM, Simon McVittie wrote:
> On Thu, 24 Oct 2019 at 13:52:16 -0700, Casey Schaufler wrote:
>> Create a new entry "display" in /proc/.../attr for controlling
>> which LSM security information is displayed for a process.
> It still isn't immediately obvious to me from the commit message whether
> the "..." stands for the pid of the process that will read LSM information,
> or the pid of the process whose LSM information will be read.

For all practical purposes "..." will be "self". You can read the
attr/display of another process, but I don't know where that would
be useful. You can't write to the attr/display of an different process.

>
> I believe the intended meaning was the former? So perhaps
>
>     Create a new entry "display" in /proc/$reader/attr that controls
>     which LSM security information will be displayed when the process
>     $reader reads LSM information.
>
>     (Note that when $reader reads /proc/$subject/attr/current for
>     $reader != $subject, it is /proc/$reader/attr/display that controls
>     what is displayed there, not /proc/$subject/attr/display.)
>
> The commit that introduces /proc/.../attr/context could probably
> benefit from similar treatment - maybe it could be referred to as
> /proc/$subject/attr/context?

Thanks. I'll work on making it clearer.

>
>     smcv