What should be done with the PTags Linux Security Module?

PTags means Process-Tags. It allows processes to be tagged and is compatible with user namespaces. What problem does it solve? How does it work? How can it be used, and for what purposes? Answering these questions will allow us to answer the main question: should it be part of the Linux tree?

PTags allows a system to attach tags to processes. The tags can receive values. The semantics of the tags and of their values are not enforced, and that is the big strength of this model: it can be widely used for several purposes.

This talk will answer the following questions:

- What problem does it solve?
- How does it work? (including user namespaces)
- How can it be used, and for what purposes?

It first came from studies on "user land" capabilities attached to APIs. But as the process of tagging can be used more widely in a system, it became more generic and now simply solves the problem of attaching data (or metadata) to a process and, possibly, to its forked children.

It works by writing or reading the file /proc/PID/attr/ptags. When the file is read, the tag list is returned. When the file is written, the tag list can be changed, under conditions. The file can be monitored with inotify to be alerted on write accesses, which presumably change its content. An available C library implements the common operations.

The implementation is aware of user namespaces. It can thus be used safely in containers, because the same process is able to expose different tags in different namespaces, depending on their history.

Examples will show that it can be used for:

- managing capabilities in user land
- setting cookies on processes
- publishing, or exposing, data or the state of a process
- passing data without IPC
- managing the lifecycle of processes
- tracking forks
- ...
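As an added example (not code from the talk, the PTags project or its C library), the following C snippet shows the userspace side of the mechanism described above: building the per-process attribute path, reading the raw tag list, and registering an inotify watch so a supervisor is woken on write accesses. The tag text syntax is not described here, so the content is handled as an opaque string; the function names and the chosen inotify event mask are my own assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/inotify.h>
#include <unistd.h>
/* Build "/proc/<pid>/attr/ptags"; returns the length or -1 if buf is too small. */
int ptags_path(pid_t pid, char *buf, size_t len)
{
    int n = snprintf(buf, len, "/proc/%d/attr/ptags", (int)pid);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}
/* Read the raw tag list into buf (NUL-terminated); the tag syntax is not given in
 * the abstract, so the content stays opaque. Returns bytes read, or -1 with errno
 * set (ENOENT usually means the PTags LSM is not present on this kernel). */
ssize_t ptags_read(pid_t pid, char *buf, size_t len)
{
    char path[64];
    if (len == 0 || ptags_path(pid, path, sizeof path) < 0)
        return -1;
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, len - 1);
    int saved = errno;          /* keep the read() error code across close() */
    close(fd);
    errno = saved;
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}
/* Watch the tag file so a supervisor is woken on write accesses (IN_CLOSE_WRITE,
 * IN_MODIFY) that presumably changed the tags. Returns an inotify fd or -1. */
int ptags_watch(pid_t pid)
{
    char path[64];
    if (ptags_path(pid, path, sizeof path) < 0)
        return -1;
    int ifd = inotify_init1(IN_NONBLOCK | IN_CLOEXEC);
    if (ifd < 0)
        return -1;
    if (inotify_add_watch(ifd, path, IN_CLOSE_WRITE | IN_MODIFY) < 0) {
        close(ifd);
        return -1;
    }
    return ifd;
}
```

On a kernel without the PTags LSM both `ptags_read` and `ptags_watch` fail with ENOENT, which a supervisor should treat as "no tags available" rather than as an empty tag list.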