Documentation/security/Smack.txt at v4.3-rc6

tjh.dev / kernel
fork
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork
kernel / Documentation / security / Smack.txt
at v4.3-rc6 742 lines 32 kB view raw
wrap content
  1
  2
  3    "Good for you, you've decided to clean the elevator!"
  4    - The Elevator, from Dark Star
  5
  6Smack is the Simplified Mandatory Access Control Kernel.
  7Smack is a kernel based implementation of mandatory access
  8control that includes simplicity in its primary design goals.
  9
 10Smack is not the only Mandatory Access Control scheme
 11available for Linux. Those new to Mandatory Access Control
 12are encouraged to compare Smack with the other mechanisms
 13available to determine which is best suited to the problem
 14at hand.
 15
 16Smack consists of three major components:
 17    - The kernel
 18    - Basic utilities, which are helpful but not required
 19    - Configuration data
 20
 21The kernel component of Smack is implemented as a Linux
 22Security Modules (LSM) module. It requires netlabel and
 23works best with file systems that support extended attributes,
 24although xattr support is not strictly required.
 25It is safe to run a Smack kernel under a "vanilla" distribution.
 26
 27Smack kernels use the CIPSO IP option. Some network
 28configurations are intolerant of IP options and can impede
 29access to systems that use them as Smack does.
 30
 31Smack is used in the Tizen operating system. Please
 32go to http://wiki.tizen.org for information about how
 33Smack is used in Tizen.
 34
 35The current git repository for Smack user space is:
 36
 37	git://github.com/smack-team/smack.git
 38
 39This should make and install on most modern distributions.
 40There are five commands included in smackutil:
 41
 42chsmack    - display or set Smack extended attribute values
 43smackctl   - load the Smack access rules
 44smackaccess - report if a process with one label has access
 45              to an object with another
 46
 47These two commands are obsolete with the introduction of
 48the smackfs/load2 and smackfs/cipso2 interfaces.
 49
 50smackload  - properly formats data for writing to smackfs/load
 51smackcipso - properly formats data for writing to smackfs/cipso
 52
 53In keeping with the intent of Smack, configuration data is
 54minimal and not strictly required. The most important
 55configuration step is mounting the smackfs pseudo filesystem.
 56If smackutil is installed the startup script will take care
 57of this, but it can be manually as well.
 58
 59Add this line to /etc/fstab:
 60
 61    smackfs /sys/fs/smackfs smackfs defaults 0 0
 62
 63The /sys/fs/smackfs directory is created by the kernel.
 64
 65Smack uses extended attributes (xattrs) to store labels on filesystem
 66objects. The attributes are stored in the extended attribute security
 67name space. A process must have CAP_MAC_ADMIN to change any of these
 68attributes.
 69
 70The extended attributes that Smack uses are:
 71
 72SMACK64
 73	Used to make access control decisions. In almost all cases
 74	the label given to a new filesystem object will be the label
 75	of the process that created it.
 76SMACK64EXEC
 77	The Smack label of a process that execs a program file with
 78	this attribute set will run with this attribute's value.
 79SMACK64MMAP
 80	Don't allow the file to be mmapped by a process whose Smack
 81	label does not allow all of the access permitted to a process
 82	with the label contained in this attribute. This is a very
 83	specific use case for shared libraries.
 84SMACK64TRANSMUTE
 85	Can only have the value "TRUE". If this attribute is present
 86	on a directory when an object is created in the directory and
 87	the Smack rule (more below) that permitted the write access
 88	to the directory includes the transmute ("t") mode the object
 89	gets the label of the directory instead of the label of the
 90	creating process. If the object being created is a directory
 91	the SMACK64TRANSMUTE attribute is set as well.
 92SMACK64IPIN
 93	This attribute is only available on file descriptors for sockets.
 94	Use the Smack label in this attribute for access control
 95	decisions on packets being delivered to this socket.
 96SMACK64IPOUT
 97	This attribute is only available on file descriptors for sockets.
 98	Use the Smack label in this attribute for access control
 99	decisions on packets coming from this socket.
100
101There are multiple ways to set a Smack label on a file:
102
103    # attr -S -s SMACK64 -V "value" path
104    # chsmack -a value path
105
106A process can see the Smack label it is running with by
107reading /proc/self/attr/current. A process with CAP_MAC_ADMIN
108can set the process Smack by writing there.
109
110Most Smack configuration is accomplished by writing to files
111in the smackfs filesystem. This pseudo-filesystem is mounted
112on /sys/fs/smackfs.
113
114access
115	Provided for backward compatibility. The access2 interface
116	is preferred and should be used instead.
117	This interface reports whether a subject with the specified
118	Smack label has a particular access to an object with a
119	specified Smack label. Write a fixed format access rule to
120	this file. The next read will indicate whether the access
121	would be permitted. The text will be either "1" indicating
122	access, or "0" indicating denial.
123access2
124	This interface reports whether a subject with the specified
125	Smack label has a particular access to an object with a
126	specified Smack label. Write a long format access rule to
127	this file. The next read will indicate whether the access
128	would be permitted. The text will be either "1" indicating
129	access, or "0" indicating denial.
130ambient
131	This contains the Smack label applied to unlabeled network
132	packets.
133change-rule
134	This interface allows modification of existing access control rules.
135	The format accepted on write is:
136		"%s %s %s %s"
137	where the first string is the subject label, the second the
138	object label, the third the access to allow and the fourth the
139	access to deny. The access strings may contain only the characters
140	"rwxat-". If a rule for a given subject and object exists it will be
141	modified by enabling the permissions in the third string and disabling
142	those in the fourth string. If there is no such rule it will be
143	created using the access specified in the third and the fourth strings.
144cipso
145	Provided for backward compatibility. The cipso2 interface
146	is preferred and should be used instead.
147	This interface allows a specific CIPSO header to be assigned
148	to a Smack label. The format accepted on write is:
149		"%24s%4d%4d"["%4d"]...
150	The first string is a fixed Smack label. The first number is
151	the level to use. The second number is the number of categories.
152	The following numbers are the categories.
153	"level-3-cats-5-19          3   2   5  19"
154cipso2
155	This interface allows a specific CIPSO header to be assigned
156	to a Smack label. The format accepted on write is:
157	"%s%4d%4d"["%4d"]...
158	The first string is a long Smack label. The first number is
159	the level to use. The second number is the number of categories.
160	The following numbers are the categories.
161	"level-3-cats-5-19   3   2   5  19"
162direct
163	This contains the CIPSO level used for Smack direct label
164	representation in network packets.
165doi
166	This contains the CIPSO domain of interpretation used in
167	network packets.
168ipv6host
169	This interface allows specific IPv6 internet addresses to be
170	treated as single label hosts. Packets are sent to single
171	label hosts only from processes that have Smack write access
172	to the host label. All packets received from single label hosts
173	are given the specified label. The format accepted on write is:
174		"%h:%h:%h:%h:%h:%h:%h:%h label" or
175		"%h:%h:%h:%h:%h:%h:%h:%h/%d label".
176	The "::" address shortcut is not supported.
177	If label is "-DELETE" a matched entry will be deleted.
178load
179	Provided for backward compatibility. The load2 interface
180	is preferred and should be used instead.
181	This interface allows access control rules in addition to
182	the system defined rules to be specified. The format accepted
183	on write is:
184		"%24s%24s%5s"
185	where the first string is the subject label, the second the
186	object label, and the third the requested access. The access
187	string may contain only the characters "rwxat-", and specifies
188	which sort of access is allowed. The "-" is a placeholder for
189	permissions that are not allowed. The string "r-x--" would
190	specify read and execute access. Labels are limited to 23
191	characters in length.
192load2
193	This interface allows access control rules in addition to
194	the system defined rules to be specified. The format accepted
195	on write is:
196		"%s %s %s"
197	where the first string is the subject label, the second the
198	object label, and the third the requested access. The access
199	string may contain only the characters "rwxat-", and specifies
200	which sort of access is allowed. The "-" is a placeholder for
201	permissions that are not allowed. The string "r-x--" would
202	specify read and execute access.
203load-self
204	Provided for backward compatibility. The load-self2 interface
205	is preferred and should be used instead.
206	This interface allows process specific access rules to be
207	defined. These rules are only consulted if access would
208	otherwise be permitted, and are intended to provide additional
209	restrictions on the process. The format is the same as for
210	the load interface.
211load-self2
212	This interface allows process specific access rules to be
213	defined. These rules are only consulted if access would
214	otherwise be permitted, and are intended to provide additional
215	restrictions on the process. The format is the same as for
216	the load2 interface.
217logging
218	This contains the Smack logging state.
219mapped
220	This contains the CIPSO level used for Smack mapped label
221	representation in network packets.
222netlabel
223	This interface allows specific internet addresses to be
224	treated as single label hosts. Packets are sent to single
225	label hosts without CIPSO headers, but only from processes
226	that have Smack write access to the host label. All packets
227	received from single label hosts are given the specified
228	label. The format accepted on write is:
229		"%d.%d.%d.%d label" or "%d.%d.%d.%d/%d label".
230	If the label specified is "-CIPSO" the address is treated
231	as a host that supports CIPSO headers.
232onlycap
233	This contains labels processes must have for CAP_MAC_ADMIN
234	and CAP_MAC_OVERRIDE to be effective. If this file is empty
235	these capabilities are effective at for processes with any
236	label. The values are set by writing the desired labels, separated
237	by spaces, to the file or cleared by writing "-" to the file.
238ptrace
239	This is used to define the current ptrace policy
240	0 - default: this is the policy that relies on Smack access rules.
241	    For the PTRACE_READ a subject needs to have a read access on
242	    object. For the PTRACE_ATTACH a read-write access is required.
243	1 - exact: this is the policy that limits PTRACE_ATTACH. Attach is
244	    only allowed when subject's and object's labels are equal.
245	    PTRACE_READ is not affected. Can be overridden with CAP_SYS_PTRACE.
246	2 - draconian: this policy behaves like the 'exact' above with an
247	    exception that it can't be overridden with CAP_SYS_PTRACE.
248revoke-subject
249	Writing a Smack label here sets the access to '-' for all access
250	rules with that subject label.
251unconfined
252	If the kernel is configured with CONFIG_SECURITY_SMACK_BRINGUP
253	a process with CAP_MAC_ADMIN can write a label into this interface.
254	Thereafter, accesses that involve that label will be logged and
255	the access permitted if it wouldn't be otherwise. Note that this
256	is dangerous and can ruin the proper labeling of your system.
257	It should never be used in production.
258
259If you are using the smackload utility
260you can add access rules in /etc/smack/accesses. They take the form:
261
262    subjectlabel objectlabel access
263
264access is a combination of the letters rwxatb which specify the
265kind of access permitted a subject with subjectlabel on an
266object with objectlabel. If there is no rule no access is allowed.
267
268Look for additional programs on http://schaufler-ca.com
269
270From the Smack Whitepaper:
271
272The Simplified Mandatory Access Control Kernel
273
274Casey Schaufler
275casey@schaufler-ca.com
276
277Mandatory Access Control
278
279Computer systems employ a variety of schemes to constrain how information is
280shared among the people and services using the machine. Some of these schemes
281allow the program or user to decide what other programs or users are allowed
282access to pieces of data. These schemes are called discretionary access
283control mechanisms because the access control is specified at the discretion
284of the user. Other schemes do not leave the decision regarding what a user or
285program can access up to users or programs. These schemes are called mandatory
286access control mechanisms because you don't have a choice regarding the users
287or programs that have access to pieces of data.
288
289Bell & LaPadula
290
291From the middle of the 1980's until the turn of the century Mandatory Access
292Control (MAC) was very closely associated with the Bell & LaPadula security
293model, a mathematical description of the United States Department of Defense
294policy for marking paper documents. MAC in this form enjoyed a following
295within the Capital Beltway and Scandinavian supercomputer centers but was
296often sited as failing to address general needs.
297
298Domain Type Enforcement
299
300Around the turn of the century Domain Type Enforcement (DTE) became popular.
301This scheme organizes users, programs, and data into domains that are
302protected from each other. This scheme has been widely deployed as a component
303of popular Linux distributions. The administrative overhead required to
304maintain this scheme and the detailed understanding of the whole system
305necessary to provide a secure domain mapping leads to the scheme being
306disabled or used in limited ways in the majority of cases.
307
308Smack
309
310Smack is a Mandatory Access Control mechanism designed to provide useful MAC
311while avoiding the pitfalls of its predecessors. The limitations of Bell &
312LaPadula are addressed by providing a scheme whereby access can be controlled
313according to the requirements of the system and its purpose rather than those
314imposed by an arcane government policy. The complexity of Domain Type
315Enforcement and avoided by defining access controls in terms of the access
316modes already in use.
317
318Smack Terminology
319
320The jargon used to talk about Smack will be familiar to those who have dealt
321with other MAC systems and shouldn't be too difficult for the uninitiated to
322pick up. There are four terms that are used in a specific way and that are
323especially important:
324
325	Subject: A subject is an active entity on the computer system.
326	On Smack a subject is a task, which is in turn the basic unit
327	of execution.
328
329	Object: An object is a passive entity on the computer system.
330	On Smack files of all types, IPC, and tasks can be objects.
331
332	Access: Any attempt by a subject to put information into or get
333	information from an object is an access.
334
335	Label: Data that identifies the Mandatory Access Control
336	characteristics of a subject or an object.
337
338These definitions are consistent with the traditional use in the security
339community. There are also some terms from Linux that are likely to crop up:
340
341	Capability: A task that possesses a capability has permission to
342	violate an aspect of the system security policy, as identified by
343	the specific capability. A task that possesses one or more
344	capabilities is a privileged task, whereas a task with no
345	capabilities is an unprivileged task.
346
347	Privilege: A task that is allowed to violate the system security
348	policy is said to have privilege. As of this writing a task can
349	have privilege either by possessing capabilities or by having an
350	effective user of root.
351
352Smack Basics
353
354Smack is an extension to a Linux system. It enforces additional restrictions
355on what subjects can access which objects, based on the labels attached to
356each of the subject and the object.
357
358Labels
359
360Smack labels are ASCII character strings. They can be up to 255 characters
361long, but keeping them to twenty-three characters is recommended.
362Single character labels using special characters, that being anything
363other than a letter or digit, are reserved for use by the Smack development
364team. Smack labels are unstructured, case sensitive, and the only operation
365ever performed on them is comparison for equality. Smack labels cannot
366contain unprintable characters, the "/" (slash), the "\" (backslash), the "'"
367(quote) and '"' (double-quote) characters.
368Smack labels cannot begin with a '-'. This is reserved for special options.
369
370There are some predefined labels:
371
372	_ 	Pronounced "floor", a single underscore character.
373	^ 	Pronounced "hat", a single circumflex character.
374	* 	Pronounced "star", a single asterisk character.
375	? 	Pronounced "huh", a single question mark character.
376	@ 	Pronounced "web", a single at sign character.
377
378Every task on a Smack system is assigned a label. The Smack label
379of a process will usually be assigned by the system initialization
380mechanism.
381
382Access Rules
383
384Smack uses the traditional access modes of Linux. These modes are read,
385execute, write, and occasionally append. There are a few cases where the
386access mode may not be obvious. These include:
387
388	Signals: A signal is a write operation from the subject task to
389	the object task.
390	Internet Domain IPC: Transmission of a packet is considered a
391	write operation from the source task to the destination task.
392
393Smack restricts access based on the label attached to a subject and the label
394attached to the object it is trying to access. The rules enforced are, in
395order:
396
397	1. Any access requested by a task labeled "*" is denied.
398	2. A read or execute access requested by a task labeled "^"
399	   is permitted.
400	3. A read or execute access requested on an object labeled "_"
401	   is permitted.
402	4. Any access requested on an object labeled "*" is permitted.
403	5. Any access requested by a task on an object with the same
404	   label is permitted.
405	6. Any access requested that is explicitly defined in the loaded
406	   rule set is permitted.
407	7. Any other access is denied.
408
409Smack Access Rules
410
411With the isolation provided by Smack access separation is simple. There are
412many interesting cases where limited access by subjects to objects with
413different labels is desired. One example is the familiar spy model of
414sensitivity, where a scientist working on a highly classified project would be
415able to read documents of lower classifications and anything she writes will
416be "born" highly classified. To accommodate such schemes Smack includes a
417mechanism for specifying rules allowing access between labels.
418
419Access Rule Format
420
421The format of an access rule is:
422
423	subject-label object-label access
424
425Where subject-label is the Smack label of the task, object-label is the Smack
426label of the thing being accessed, and access is a string specifying the sort
427of access allowed. The access specification is searched for letters that
428describe access modes:
429
430	a: indicates that append access should be granted.
431	r: indicates that read access should be granted.
432	w: indicates that write access should be granted.
433	x: indicates that execute access should be granted.
434	t: indicates that the rule requests transmutation.
435	b: indicates that the rule should be reported for bring-up.
436
437Uppercase values for the specification letters are allowed as well.
438Access mode specifications can be in any order. Examples of acceptable rules
439are:
440
441	TopSecret Secret  rx
442	Secret    Unclass R
443	Manager   Game    x
444	User      HR      w
445	Snap      Crackle rwxatb
446	New       Old     rRrRr
447	Closed    Off     -
448
449Examples of unacceptable rules are:
450
451	Top Secret Secret     rx
452	Ace        Ace        r
453	Odd        spells     waxbeans
454
455Spaces are not allowed in labels. Since a subject always has access to files
456with the same label specifying a rule for that case is pointless. Only
457valid letters (rwxatbRWXATB) and the dash ('-') character are allowed in
458access specifications. The dash is a placeholder, so "a-r" is the same
459as "ar". A lone dash is used to specify that no access should be allowed.
460
461Applying Access Rules
462
463The developers of Linux rarely define new sorts of things, usually importing
464schemes and concepts from other systems. Most often, the other systems are
465variants of Unix. Unix has many endearing properties, but consistency of
466access control models is not one of them. Smack strives to treat accesses as
467uniformly as is sensible while keeping with the spirit of the underlying
468mechanism.
469
470File system objects including files, directories, named pipes, symbolic links,
471and devices require access permissions that closely match those used by mode
472bit access. To open a file for reading read access is required on the file. To
473search a directory requires execute access. Creating a file with write access
474requires both read and write access on the containing directory. Deleting a
475file requires read and write access to the file and to the containing
476directory. It is possible that a user may be able to see that a file exists
477but not any of its attributes by the circumstance of having read access to the
478containing directory but not to the differently labeled file. This is an
479artifact of the file name being data in the directory, not a part of the file.
480
481If a directory is marked as transmuting (SMACK64TRANSMUTE=TRUE) and the
482access rule that allows a process to create an object in that directory
483includes 't' access the label assigned to the new object will be that
484of the directory, not the creating process. This makes it much easier
485for two processes with different labels to share data without granting
486access to all of their files.
487
488IPC objects, message queues, semaphore sets, and memory segments exist in flat
489namespaces and access requests are only required to match the object in
490question.
491
492Process objects reflect tasks on the system and the Smack label used to access
493them is the same Smack label that the task would use for its own access
494attempts. Sending a signal via the kill() system call is a write operation
495from the signaler to the recipient. Debugging a process requires both reading
496and writing. Creating a new task is an internal operation that results in two
497tasks with identical Smack labels and requires no access checks.
498
499Sockets are data structures attached to processes and sending a packet from
500one process to another requires that the sender have write access to the
501receiver. The receiver is not required to have read access to the sender.
502
503Setting Access Rules
504
505The configuration file /etc/smack/accesses contains the rules to be set at
506system startup. The contents are written to the special file
507/sys/fs/smackfs/load2. Rules can be added at any time and take effect
508immediately. For any pair of subject and object labels there can be only
509one rule, with the most recently specified overriding any earlier
510specification.
511
512Task Attribute
513
514The Smack label of a process can be read from /proc/<pid>/attr/current. A
515process can read its own Smack label from /proc/self/attr/current. A
516privileged process can change its own Smack label by writing to
517/proc/self/attr/current but not the label of another process.
518
519File Attribute
520
521The Smack label of a filesystem object is stored as an extended attribute
522named SMACK64 on the file. This attribute is in the security namespace. It can
523only be changed by a process with privilege.
524
525Privilege
526
527A process with CAP_MAC_OVERRIDE or CAP_MAC_ADMIN is privileged.
528CAP_MAC_OVERRIDE allows the process access to objects it would
529be denied otherwise. CAP_MAC_ADMIN allows a process to change
530Smack data, including rules and attributes.
531
532Smack Networking
533
534As mentioned before, Smack enforces access control on network protocol
535transmissions. Every packet sent by a Smack process is tagged with its Smack
536label. This is done by adding a CIPSO tag to the header of the IP packet. Each
537packet received is expected to have a CIPSO tag that identifies the label and
538if it lacks such a tag the network ambient label is assumed. Before the packet
539is delivered a check is made to determine that a subject with the label on the
540packet has write access to the receiving process and if that is not the case
541the packet is dropped.
542
543CIPSO Configuration
544
545It is normally unnecessary to specify the CIPSO configuration. The default
546values used by the system handle all internal cases. Smack will compose CIPSO
547label values to match the Smack labels being used without administrative
548intervention. Unlabeled packets that come into the system will be given the
549ambient label.
550
551Smack requires configuration in the case where packets from a system that is
552not Smack that speaks CIPSO may be encountered. Usually this will be a Trusted
553Solaris system, but there are other, less widely deployed systems out there.
554CIPSO provides 3 important values, a Domain Of Interpretation (DOI), a level,
555and a category set with each packet. The DOI is intended to identify a group
556of systems that use compatible labeling schemes, and the DOI specified on the
557Smack system must match that of the remote system or packets will be
558discarded. The DOI is 3 by default. The value can be read from
559/sys/fs/smackfs/doi and can be changed by writing to /sys/fs/smackfs/doi.
560
561The label and category set are mapped to a Smack label as defined in
562/etc/smack/cipso.
563
564A Smack/CIPSO mapping has the form:
565
566	smack level [category [category]*]
567
568Smack does not expect the level or category sets to be related in any
569particular way and does not assume or assign accesses based on them. Some
570examples of mappings:
571
572	TopSecret 7
573	TS:A,B    7 1 2
574	SecBDE    5 2 4 6
575	RAFTERS   7 12 26
576
577The ":" and "," characters are permitted in a Smack label but have no special
578meaning.
579
580The mapping of Smack labels to CIPSO values is defined by writing to
581/sys/fs/smackfs/cipso2.
582
583In addition to explicit mappings Smack supports direct CIPSO mappings. One
584CIPSO level is used to indicate that the category set passed in the packet is
585in fact an encoding of the Smack label. The level used is 250 by default. The
586value can be read from /sys/fs/smackfs/direct and changed by writing to
587/sys/fs/smackfs/direct.
588
589Socket Attributes
590
591There are two attributes that are associated with sockets. These attributes
592can only be set by privileged tasks, but any task can read them for their own
593sockets.
594
595	SMACK64IPIN: The Smack label of the task object. A privileged
596	program that will enforce policy may set this to the star label.
597
598	SMACK64IPOUT: The Smack label transmitted with outgoing packets.
599	A privileged program may set this to match the label of another
600	task with which it hopes to communicate.
601
602Smack Netlabel Exceptions
603
604You will often find that your labeled application has to talk to the outside,
605unlabeled world. To do this there's a special file /sys/fs/smackfs/netlabel
606where you can add some exceptions in the form of :
607@IP1	   LABEL1 or
608@IP2/MASK  LABEL2
609
610It means that your application will have unlabeled access to @IP1 if it has
611write access on LABEL1, and access to the subnet @IP2/MASK if it has write
612access on LABEL2.
613
614Entries in the /sys/fs/smackfs/netlabel file are matched by longest mask
615first, like in classless IPv4 routing.
616
617A special label '@' and an option '-CIPSO' can be used there :
618@      means Internet, any application with any label has access to it
619-CIPSO means standard CIPSO networking
620
621If you don't know what CIPSO is and don't plan to use it, you can just do :
622echo 127.0.0.1 -CIPSO > /sys/fs/smackfs/netlabel
623echo 0.0.0.0/0 @      > /sys/fs/smackfs/netlabel
624
625If you use CIPSO on your 192.168.0.0/16 local network and need also unlabeled
626Internet access, you can have :
627echo 127.0.0.1      -CIPSO > /sys/fs/smackfs/netlabel
628echo 192.168.0.0/16 -CIPSO > /sys/fs/smackfs/netlabel
629echo 0.0.0.0/0      @      > /sys/fs/smackfs/netlabel
630
631
632Writing Applications for Smack
633
634There are three sorts of applications that will run on a Smack system. How an
635application interacts with Smack will determine what it will have to do to
636work properly under Smack.
637
638Smack Ignorant Applications
639
640By far the majority of applications have no reason whatever to care about the
641unique properties of Smack. Since invoking a program has no impact on the
642Smack label associated with the process the only concern likely to arise is
643whether the process has execute access to the program.
644
645Smack Relevant Applications
646
647Some programs can be improved by teaching them about Smack, but do not make
648any security decisions themselves. The utility ls(1) is one example of such a
649program.
650
651Smack Enforcing Applications
652
653These are special programs that not only know about Smack, but participate in
654the enforcement of system policy. In most cases these are the programs that
655set up user sessions. There are also network services that provide information
656to processes running with various labels.
657
658File System Interfaces
659
660Smack maintains labels on file system objects using extended attributes. The
661Smack label of a file, directory, or other file system object can be obtained
662using getxattr(2).
663
664	len = getxattr("/", "security.SMACK64", value, sizeof (value));
665
666will put the Smack label of the root directory into value. A privileged
667process can set the Smack label of a file system object with setxattr(2).
668
669	len = strlen("Rubble");
670	rc = setxattr("/foo", "security.SMACK64", "Rubble", len, 0);
671
672will set the Smack label of /foo to "Rubble" if the program has appropriate
673privilege.
674
675Socket Interfaces
676
677The socket attributes can be read using fgetxattr(2).
678
679A privileged process can set the Smack label of outgoing packets with
680fsetxattr(2).
681
682	len = strlen("Rubble");
683	rc = fsetxattr(fd, "security.SMACK64IPOUT", "Rubble", len, 0);
684
685will set the Smack label "Rubble" on packets going out from the socket if the
686program has appropriate privilege.
687
688	rc = fsetxattr(fd, "security.SMACK64IPIN, "*", strlen("*"), 0);
689
690will set the Smack label "*" as the object label against which incoming
691packets will be checked if the program has appropriate privilege.
692
693Administration
694
695Smack supports some mount options:
696
697	smackfsdef=label: specifies the label to give files that lack
698	the Smack label extended attribute.
699
700	smackfsroot=label: specifies the label to assign the root of the
701	file system if it lacks the Smack extended attribute.
702
703	smackfshat=label: specifies a label that must have read access to
704	all labels set on the filesystem. Not yet enforced.
705
706	smackfsfloor=label: specifies a label to which all labels set on the
707	filesystem must have read access. Not yet enforced.
708
709These mount options apply to all file system types.
710
711Smack auditing
712
713If you want Smack auditing of security events, you need to set CONFIG_AUDIT
714in your kernel configuration.
715By default, all denied events will be audited. You can change this behavior by
716writing a single character to the /sys/fs/smackfs/logging file :
7170 : no logging
7181 : log denied (default)
7192 : log accepted
7203 : log denied & accepted
721
722Events are logged as 'key=value' pairs, for each event you at least will get
723the subject, the object, the rights requested, the action, the kernel function
724that triggered the event, plus other pairs depending on the type of event
725audited.
726
727Bringup Mode
728
729Bringup mode provides logging features that can make application
730configuration and system bringup easier. Configure the kernel with
731CONFIG_SECURITY_SMACK_BRINGUP to enable these features. When bringup
732mode is enabled accesses that succeed due to rules marked with the "b"
733access mode will logged. When a new label is introduced for processes
734rules can be added aggressively, marked with the "b". The logging allows
735tracking of which rules actual get used for that label.
736
737Another feature of bringup mode is the "unconfined" option. Writing
738a label to /sys/fs/smackfs/unconfined makes subjects with that label
739able to access any object, and objects with that label accessible to
740all subjects. Any access that is granted because a label is unconfined
741is logged. This feature is dangerous, as files and directories may
742be created in places they couldn't if the policy were being enforced.
Configure Feed

Configure Feed
