Documentation/security/LSM.txt

Chinese translated version of Documentation/security/LSM.txt

If you have any comment or update to the content, please contact the
original document maintainer directly.  However, if you have a problem
communicating in English you can also ask the Chinese maintainer for
help.  Contact the Chinese maintainer if this translation is outdated
or if there is a problem with the translation.

Chinese maintainer:Luo Yangyang <794436342@qq.com>
---------------------------------------------------------------------
Documentation/security/LSM.txt 的中文翻译

如果想评论或更新本文的内容，请直接联系原文档的维护者。如果你使用英文
交流有困难的话，也可以向中文版维护者求助。如果本翻译更新不及时或者翻
译存在问题，请联系中文版维护者。

中文版维护者： 罗秧秧  <794436342@qq.com>
中文版翻译者： 罗秧秧  <794436342@qq.com>
中文版校译者： 罗秧秧  <794436342@qq.com>

以下为正文
---------------------------------------------------------------------

Linux Security Module framework
-------------------------------
Linux安全模块框架
-------------------------------


The Linux Security Module (LSM) framework provides a mechanism for
various security checks to be hooked by new kernel extensions. The name
"module" is a bit of a misnomer since these extensions are not actually
loadable kernel modules. Instead, they are selectable at build-time via
CONFIG_DEFAULT_SECURITY and can be overridden at boot-time via the
"security=..." kernel command line argument, in the case where multiple
LSMs were built into a given kernel.

Linux安全模块（ LSM ）框架提供了一种机制，可以通过新的内核扩展钩进行各种安全检查。
这个名字“模块”是一个有点使用不当的名称，因为这些扩展实际上不是
真的可加载内核模块。相反，它们在编译时选择通过
CONFIG_DEFAULT_SECURITY，和在开机时通过
“security=...”内核命令行参数可以重写覆盖，在这种情况下，多
个Linux安全模块被建在一个给定的内核里。

The primary users of the LSM interface are Mandatory Access Control
(MAC) extensions which provide a comprehensive security policy. Examples
include SELinux, Smack, Tomoyo, and AppArmor. In addition to the larger
MAC extensions, other extensions can be built using the LSM to provide
specific changes to system operation when these tweaks are not available
in the core functionality of Linux itself.

LSM接口的主要用户是强制访问控制
（ MAC ）的扩展，它提供了一个全面的安全策略。
比如SELinux, Smack, Tomoyo和AppArmor的。除了较大的
MAC扩展，当这些调整功能不可用在Linux本身的核心功能上时，
其它扩展可以被建立，使用LSM提供对系统操作的具体变化。

Without a specific LSM built into the kernel, the default LSM will be the
Linux capabilities system. Most LSMs choose to extend the capabilities
system, building their checks on top of the defined capability hooks.
For more details on capabilities, see capabilities(7) in the Linux
man-pages project.

没有一个具体的LSM被构建到内核中 ，默认的LSM将是
Linux的能力系统。大多数LSM选择扩展能力
系统，是建立在它们在对定义的能力钩上的检测。
为了得到功能上的更多细节，请参阅Linux人个网页项目里的功能（7）。

Based on http://kerneltrap.org/Linux/Documenting_Security_Module_Intent,
a new LSM is accepted into the kernel when its intent (a description of
what it tries to protect against and in what cases one would expect to
use it) has been appropriately documented in Documentation/security/.
This allows an LSM's code to be easily compared to its goals, and so
that end users and distros can make a more informed decision about which
LSMs suit their requirements.

根据http://kerneltrap.org/Linux/Documenting_Security_Module_Intent ，
当一个新的LSM的意图（描述它试图防止和在什么情况下，人们会期望
使用它）已经被适当地记录在Documentation/security/时，它就被接受进入内核。
这使得一个LSM的代码很容易地与它的目标相比较，所以
最终用户和发行版可以在哪些
LSM满足他们的要求做出更明智的决定。

For extensive documentation on the available LSM hook interfaces, please
see include/linux/security.h.

有关可用的LSM钩接口的大量文档，请查看文档include/linux/security.h。