Brussels / 4 & 5 February 2017


The PTags Linux Security Module

What should be done of the PTags Linux Security Module?

PTags means Process-Tags, it allows to tag processes and is compatible with user namespaces.

What problem does it solves? How does it works? How can it be used and for what purposes?

Answers to these questions would allows to answer the main question: should it be part of linux tree?

PTags allows a system to attach tags to processes. The tags can receive values. The semantic of tags and of the values is not enforced and that is the big strength of that model that can be widely used for several purposes.

This talk will answer the following questions: - What problem does it solves? - How does it works? (including user namespace) - How can it be used and for what purposes?

It firstly came from studies on "user land" capabilities attached to APIs. But as the process of tagging can be more widely used in system, it became more generic and simply solve the problem of attaching data (or meta-data) to a process and its possibly forked children.

It works by writing or reading the file /proc/PID/attr/ptags. When reading the file, the tag list is read. When writing the file, the tag list can be changed under conditions. The file can be monitored using inotify to be alerted on write accesses that presumely change the content. An available C library implements common operations.

The implementation is aware of user namespace. It can thus be used safely in containers because a same process is able to expose different tags in different namespaces, depending on there history.

Examples will show that it can be used for: - managing capabilities in the user land - setting cookies on processes - publishing, or exposing, data or state of a process - passing data without IPC - managing lifecycle of processes - tracking forks - ...


José Bollo