The task_struct structure is the kernel object representing kernel schedulable tasks. It contains basic task information such as user and group ID, resource limits, and scheduling policies and priorities. LSM provides a group of task hooks, task_security_ops, that mediate a task's access to this basic task information. Interprocess signalling is also mediated by the LSM task hooks, which control tasks' abilities to send and receive signals. LSM adds a security field to the task_struct so that a security policy can label a task with a policy-specific security label.
The LSM task hooks have full task life-cycle coverage. The create() task hook is called first, to verify that a task may spawn children. If this succeeds, a new task is created and the alloc_security() task hook is used to initialize the new task's security field. When a task exits, the kill() task hook is consulted to verify that the task can signal its parent. Similarly, the wait() task hook is called in the parent task's context, verifying that the parent can receive the child's signal. Finally, the task's security field is released by the free_security() task hook.
During its life a task may attempt to change some of its basic task information. For example, a task may call setuid(2). This is, of course, mediated by LSM with a corresponding setuid() task hook. If the hook permits the change, the kernel updates the task's user identity and then notifies the policy module via the post_setuid() task hook. The notification allows the module to update its state and, for example, relabel the task's security field.
To avoid leaking potentially sensitive task information, LSM mediates the ability to query another task's state. So, for example, a query for the process group ID or the scheduler policy of an arbitrary task is protected by the getpgid() or getscheduler() task hooks respectively.
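The life-cycle, setuid()/post_setuid() and query hooks described in the three paragraphs above follow one pattern: the kernel consults a hook before an operation and, where the operation changes task state, notifies the module through a post_ hook afterwards. The following user-space model, added here as an illustration and not code from the LSM project or the paper, exercises that pattern end to end. The hook names follow the text, but the struct layouts, the hook signatures (the model passes both child and parent to alloc_security()), the two-domain label scheme and every policy rule are assumptions made for this example; the scenario values (uid 1000, a child limit of 2) are constructed.

```c
#include <errno.h>
#include <stdlib.h>
/* Added user-space model of the LSM task-hook pattern (not kernel code). Hook names
 * follow the text; struct layouts and the two-domain label policy are illustrative assumptions. */
enum domain { DOMAIN_SYSTEM = 0, DOMAIN_USER = 1 };
struct task {                  /* stand-in for task_struct */
    int pgid, nchildren; unsigned int uid;
    void *security;            /* opaque label owned by the policy module */
};
struct task_security_ops {     /* the hook table a policy module registers */
    int  (*create)(struct task *parent);
    int  (*alloc_security)(struct task *child, struct task *parent);
    void (*free_security)(struct task *t);
    int  (*kill)(struct task *sender, struct task *target, int sig);
    int  (*wait)(struct task *parent, struct task *child);
    int  (*setuid)(struct task *t, unsigned int new_uid);
    void (*post_setuid)(struct task *t, unsigned int old_uid);
    int  (*getpgid)(struct task *caller, struct task *target);
};
struct label { enum domain domain; int max_children; };

/* Demo policy: system-domain tasks may act on anyone, others only on same-label tasks. */
static int same_or_system(const struct task *a, const struct task *b) {
    const struct label *la = a->security, *lb = b->security;
    return la->domain == DOMAIN_SYSTEM || la->domain == lb->domain;
}
static int demo_create(struct task *p) {          /* enforce a per-label child limit */
    return p->nchildren < ((struct label *)p->security)->max_children ? 0 : -EAGAIN;
}
static int demo_alloc_security(struct task *c, struct task *p) {
    struct label *l = malloc(sizeof *l); if (!l) return -ENOMEM;
    *l = *(struct label *)p->security;            /* child inherits the parent's label */
    c->security = l; return 0;
}
static void demo_free_security(struct task *t) { free(t->security); t->security = NULL; }
static int demo_kill(struct task *s, struct task *t, int sig) { (void)sig; return same_or_system(s, t) ? 0 : -EPERM; }
static int demo_wait(struct task *p, struct task *c) { return same_or_system(p, c) ? 0 : -EPERM; }
static int demo_getpgid(struct task *c, struct task *t) { return same_or_system(c, t) ? 0 : -EPERM; }
static int demo_setuid(struct task *t, unsigned int new_uid) {
    /* only system-domain tasks may change identity, and only away from uid 0 */
    return (((struct label *)t->security)->domain == DOMAIN_SYSTEM && new_uid != 0) ? 0 : -EPERM;
}
static void demo_post_setuid(struct task *t, unsigned int old_uid) {
    /* uid already switched by the kernel; a root-to-user drop relabels the task */
    if (old_uid == 0 && t->uid != 0) ((struct label *)t->security)->domain = DOMAIN_USER;
}
static struct task_security_ops demo_ops = {
    demo_create, demo_alloc_security, demo_free_security, demo_kill,
    demo_wait, demo_setuid, demo_post_setuid, demo_getpgid,
};
static struct task_security_ops *security_ops = &demo_ops;

/* "Kernel" paths: consult the hook before the operation, the post_ hook after it. */
int do_fork(struct task *parent, struct task **out) {
    int rc = security_ops->create(parent); if (rc) return rc;
    struct task *c = calloc(1, sizeof *c); if (!c) return -ENOMEM;
    c->pgid = parent->pgid; c->uid = parent->uid;
    if ((rc = security_ops->alloc_security(c, parent)) != 0) { free(c); return rc; }
    parent->nchildren++; *out = c;
    return 0;
}
int do_setuid(struct task *t, unsigned int new_uid) {
    int rc = security_ops->setuid(t, new_uid);
    if (rc) return rc;
    unsigned int old = t->uid;
    t->uid = new_uid;                     /* identity updated by the kernel... */
    security_ops->post_setuid(t, old);    /* ...then the module is notified */
    return 0;
}
int do_getpgid(struct task *caller, struct task *target) {
    int rc = security_ops->getpgid(caller, target);
    return rc ? rc : target->pgid;
}
int do_exit(struct task *child, struct task *parent) {
    int rc = security_ops->kill(child, parent, 17 /* SIGCHLD */);
    if (rc == 0) rc = security_ops->wait(parent, child);
    security_ops->free_security(child);   /* teardown runs even if signalling was denied */
    parent->nchildren--; free(child);
    return rc;
}

/* Drives one task lifetime through the hooks; returns 0 if every step behaves as the
 * policy dictates, otherwise the number of the first failing step. Values are constructed. */
int run_scenario(void) {
    struct label root_label = { DOMAIN_SYSTEM, 2 };
    struct task init_task = { .pgid = 1, .uid = 0, .security = &root_label };
    struct task *a = NULL, *b = NULL, *c = NULL;
    if (do_fork(&init_task, &a) != 0) return 1;
    if (do_setuid(a, 1000) != 0) return 2;                              /* root drops to 1000 */
    if (((struct label *)a->security)->domain != DOMAIN_USER) return 3; /* relabelled */
    if (do_setuid(a, 0) != -EPERM) return 4;                            /* cannot regain root */
    if (do_getpgid(a, &init_task) != -EPERM) return 5;                  /* cannot probe system task */
    if (do_getpgid(&init_task, a) != 1) return 6;                       /* system may query anyone */
    if (do_fork(&init_task, &b) != 0) return 7;
    if (do_fork(&init_task, &c) != -EAGAIN) return 8;                   /* child limit enforced */
    if (do_exit(a, &init_task) != -EPERM) return 9;                     /* cross-domain exit signal denied */
    if (do_exit(b, &init_task) != 0 || init_task.nchildren != 0) return 10;
    return 0;
}
```

Two details of the model carry the point of the text. First, do_setuid() changes the uid only after the setuid() hook approves, and the post_setuid() hook sees the already-updated task, which is what lets the demo policy relabel a task that has dropped from root. Second, do_exit() always reaches free_security() even when the kill() hook denies the exit signal, mirroring the fact that mediation decides whether the parent is signalled, not whether the task's security field is released.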