Provided by: manpages_6.7-2_all 
NAME
/proc/pid/attr/ - security-related attributes
DESCRIPTION
/proc/pid/attr/
The files in this directory provide an API for security modules. The contents of
this directory are files that can be read and written in order to set security-
related attributes. This directory was added to support SELinux, but the intention
was that the API be general enough to support other security modules. For the
purpose of explanation, examples of how SELinux uses these files are provided
below.
This directory is present only if the kernel was configured with CONFIG_SECURITY.
/proc/pid/attr/current (since Linux 2.6.0)
The contents of this file represent the current security attributes of the process.
In SELinux, this file is used to get the security context of a process. Prior to
Linux 2.6.11, this file could not be used to set the security context (a write was
always denied), since SELinux limited process security transitions to execve(2)
(see the description of /proc/pid/attr/exec, below). Since Linux 2.6.11, SELinux
lifted this restriction and began supporting "set" operations via writes to this
node if authorized by policy, although use of this operation is only suitable for
applications that are trusted to maintain any desired separation between the old
and new security contexts.
Prior to Linux 2.6.28, SELinux did not allow threads within a multithreaded process
to set their security context via this node as it would yield an inconsistency
among the security contexts of the threads sharing the same memory space. Since
Linux 2.6.28, SELinux lifted this restriction and began supporting "set" operations
for threads within a multithreaded process if the new security context is bounded
by the old security context, where the bounded relation is defined in policy and
guarantees that the new security context has a subset of the permissions of the old
security context.
Other security modules may choose to support "set" operations via writes to this
node.
/proc/pid/attr/exec (since Linux 2.6.0)
This file represents the attributes to assign to the process upon a subsequent
execve(2).
In SELinux, this is needed to support role/domain transitions, and execve(2) is the
preferred point to make such transitions because it offers better control over the
initialization of the process in the new security label and the inheritance of
state. In SELinux, this attribute is reset on execve(2) so that the new program
reverts to the default behavior for any execve(2) calls that it may make. In
SELinux, a process can set only its own /proc/pid/attr/exec attribute.
/proc/pid/attr/fscreate (since Linux 2.6.0)
This file represents the attributes to assign to files created by subsequent calls
to open(2), mkdir(2), symlink(2), and mknod(2)
SELinux employs this file to support creation of a file (using the aforementioned
system calls) in a secure state, so that there is no risk of inappropriate access
being obtained between the time of creation and the time that attributes are set.
In SELinux, this attribute is reset on execve(2), so that the new program reverts
to the default behavior for any file creation calls it may make, but the attribute
will persist across multiple file creation calls within a program unless it is
explicitly reset. In SELinux, a process can set only its own
/proc/pid/attr/fscreate attribute.
/proc/pid/attr/keycreate (since Linux 2.6.18)
If a process writes a security context into this file, all subsequently created
keys (add_key(2)) will be labeled with this context. For further information, see
the kernel source file Documentation/security/keys/core.rst (or file
Documentation/security/keys.txt between Linux 3.0 and Linux 4.13, or
Documentation/keys.txt before Linux 3.0).
/proc/pid/attr/prev (since Linux 2.6.0)
This file contains the security context of the process before the last execve(2);
that is, the previous value of /proc/pid/attr/current.
/proc/pid/attr/socketcreate (since Linux 2.6.18)
If a process writes a security context into this file, all subsequently created
sockets will be labeled with this context.
SEE ALSO
proc(5)