
The PTags Linux Security Module

Formal Metadata

Title
The PTags Linux Security Module
Number of Parts
611
License
CC Attribution 2.0 Belgium:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Production Year
2017

Content Metadata

Abstract
What should be done with the PTags Linux Security Module? PTags stands for Process Tags: it allows processes to be tagged and is compatible with user namespaces. What problem does it solve? How does it work? How can it be used, and for what purposes? Answering these questions makes it possible to answer the main question: should it be part of the Linux tree?

PTags allows a system to attach tags to processes. Tags can carry values. The semantics of the tags and of their values are not enforced, and that is the big strength of this model: it can be used for many different purposes.

This talk will answer the following questions:
- What problem does it solve?
- How does it work? (including user namespaces)
- How can it be used, and for what purposes?

It first came from studies on "user land" capabilities attached to APIs. But since tagging processes can be used more widely in a system, it became more generic and simply solves the problem of attaching data (or metadata) to a process and, possibly, to its forked children.

It works by writing or reading the file /proc/PID/attr/ptags. Reading the file returns the tag list. Writing the file changes the tag list, under conditions. The file can be monitored with inotify to be alerted on write accesses that presumably change its content. An available C library implements the common operations.

The implementation is aware of user namespaces. It can thus be used safely in containers, because the same process is able to expose different tags in different namespaces, depending on their history.

Examples will show that it can be used for:
- managing capabilities in user land
- setting cookies on processes
- publishing, or exposing, data or state of a process
- passing data without IPC
- managing the lifecycle of processes
- tracking forks
- ...
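The read/write/inotify interface described in the abstract, as an added example; this is not the PTags project's own C library and was not taken from the talk. It assumes only what the abstract states: the attribute file lives at /proc/PID/attr/ptags, reading it yields the tag list, writing it replaces the list under conditions set by the module, and inotify reports write accesses. The tag syntax is not given on the page, so the content is handled as opaque text, and the path is a parameter so the same helpers can be exercised against an ordinary file on a machine without the module loaded.

```c
/* Added example, not the PTags library: read, write and watch a process
 * attribute file such as /proc/<pid>/attr/ptags. Tag content is opaque here
 * because the page does not define its syntax. A write may be refused by the
 * module ("under conditions"), and an inotify event only proves a write access
 * happened, so a watcher re-reads the file instead of trusting the writer. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/types.h>
#include <unistd.h>

/* Format the attribute path for a PID. Returns 0, or -1 if it does not fit. */
static int ptags_path(pid_t pid, char *buf, size_t len)
{
    int n = snprintf(buf, len, "/proc/%ld/attr/ptags", (long)pid);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Read the whole file into buf (NUL-terminated). Returns the byte count,
 * or -1 with errno set (ENOENT when the module is not present). */
static ssize_t attr_read(const char *path, char *buf, size_t len)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    size_t total = 0;
    while (total < len - 1) {
        ssize_t n = read(fd, buf + total, len - 1 - total);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) { int e = errno; close(fd); errno = e; return -1; }
        if (n == 0) break;
        total += (size_t)n;
    }
    close(fd);
    buf[total] = '\0';
    return (ssize_t)total;
}

/* Submit the new tag list in a single write(2), the way attribute files are
 * driven. Returns 0, or -1 with errno set, e.g. when the module refuses it. */
static int attr_write(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    size_t len = strlen(text);
    ssize_t n = write(fd, text, len);
    int e = errno;
    close(fd);
    if (n < 0) { errno = e; return -1; }
    if ((size_t)n != len) { errno = EIO; return -1; } /* list not replaced whole */
    return 0;
}

/* Wait up to timeout_ms for a write access (IN_MODIFY or IN_CLOSE_WRITE).
 * Returns 1 if one happened, 0 on timeout, -1 on error. The caller should
 * attr_read() again afterwards: the event does not say the write succeeded. */
static int attr_wait_write(const char *path, int timeout_ms)
{
    int ifd = inotify_init1(IN_CLOEXEC);
    if (ifd < 0) return -1;
    if (inotify_add_watch(ifd, path, IN_MODIFY | IN_CLOSE_WRITE) < 0) {
        int e = errno; close(ifd); errno = e; return -1;
    }
    struct pollfd pfd = { .fd = ifd, .events = POLLIN };
    int rc = poll(&pfd, 1, timeout_ms);
    int result = rc;                       /* -1 on error, 0 on timeout */
    if (rc > 0) {
        char ev[sizeof(struct inotify_event) + NAME_MAX + 1];
        result = read(ifd, ev, sizeof ev) > 0 ? 1 : -1; /* drain one event */
    }
    int e = errno;
    close(ifd);
    errno = e;
    return result;
}

/* Stand-alone use: print our own tags, or set them to argv[1] first. */
int main(int argc, char **argv)
{
    char path[64], tags[4096];
    if (ptags_path(getpid(), path, sizeof path) < 0) return 1;
    if (argc > 1 && attr_write(path, argv[1]) < 0) { perror("write ptags"); return 1; }
    if (attr_read(path, tags, sizeof tags) < 0) { perror("read ptags"); return 1; }
    fputs(tags, stdout);
    return 0;
}
```

Two caveats worth keeping in mind when using this pattern against the real module: a watcher that reacts to the inotify event must re-read the file, because the event is raised by the write access itself and the module may have rejected the change; and a process in a container sees the tag list as exposed in its own user namespace, so a supervisor on the host reading /proc/PID/attr/ptags for the same PID may see a different list than the process sees itself.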