Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Smack: Updates for Smack documentation

Document the Smack bringup features. Update the proper location for
mounting smackfs from /smack to /sys/fs/smackfs. Fix some spelling errors.
Suggest the use of the load2 interface instead of the load interface.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>

+79 -50
Documentation/security/Smack.txt
··· 33 33 git://github.com/smack-team/smack.git 34 34 35 35 This should make and install on most modern distributions. 36 - There are three commands included in smackutil: 36 + There are five commands included in smackutil: 37 37 38 - smackload - properly formats data for writing to /smack/load 39 - smackcipso - properly formats data for writing to /smack/cipso 40 38 chsmack - display or set Smack extended attribute values 39 + smackctl - load the Smack access rules 40 + smackaccess - report if a process with one label has access 41 + to an object with another 42 + 43 + These two commands are obsolete with the introduction of 44 + the smackfs/load2 and smackfs/cipso2 interfaces. 45 + 46 + smackload - properly formats data for writing to smackfs/load 47 + smackcipso - properly formats data for writing to smackfs/cipso 41 48 42 49 In keeping with the intent of Smack, configuration data is 43 50 minimal and not strictly required. The most important ··· 54 47 55 48 Add this line to /etc/fstab: 56 49 57 - smackfs /smack smackfs smackfsdef=* 0 0 50 + smackfs /sys/fs/smackfs smackfs defaults 0 0 58 51 59 - and create the /smack directory for mounting. 52 + The /sys/fs/smackfs directory is created by the kernel. 60 53 61 54 Smack uses extended attributes (xattrs) to store labels on filesystem 62 55 objects. The attributes are stored in the extended attribute security ··· 99 92 # attr -S -s SMACK64 -V "value" path 100 93 # chsmack -a value path 101 94 102 - A process can see the smack label it is running with by 95 + A process can see the Smack label it is running with by 103 96 reading /proc/self/attr/current. A process with CAP_MAC_ADMIN 104 - can set the process smack by writing there. 97 + can set the process Smack by writing there. 105 98 106 99 Most Smack configuration is accomplished by writing to files 107 - in the smackfs filesystem. This pseudo-filesystem is usually 108 - mounted on /smack. 100 + in the smackfs filesystem. 
This pseudo-filesystem is mounted 101 + on /sys/fs/smackfs. 109 102 110 103 access 111 104 This interface reports whether a subject with the specified ··· 213 206 file or cleared by writing "-" to the file. 214 207 ptrace 215 208 This is used to define the current ptrace policy 216 - 0 - default: this is the policy that relies on smack access rules. 209 + 0 - default: this is the policy that relies on Smack access rules. 217 210 For the PTRACE_READ a subject needs to have a read access on 218 211 object. For the PTRACE_ATTACH a read-write access is required. 219 212 1 - exact: this is the policy that limits PTRACE_ATTACH. Attach is 220 213 only allowed when subject's and object's labels are equal. 221 - PTRACE_READ is not affected. Can be overriden with CAP_SYS_PTRACE. 214 + PTRACE_READ is not affected. Can be overridden with CAP_SYS_PTRACE. 222 215 2 - draconian: this policy behaves like the 'exact' above with an 223 - exception that it can't be overriden with CAP_SYS_PTRACE. 216 + exception that it can't be overridden with CAP_SYS_PTRACE. 224 217 revoke-subject 225 218 Writing a Smack label here sets the access to '-' for all access 226 219 rules with that subject label. 220 + unconfined 221 + If the kernel is configured with CONFIG_SECURITY_SMACK_BRINGUP 222 + a process with CAP_MAC_ADMIN can write a label into this interface. 223 + Thereafter, accesses that involve that label will be logged and 224 + the access permitted if it wouldn't be otherwise. Note that this 225 + is dangerous and can ruin the proper labeling of your system. 226 + It should never be used in production. 227 227 228 228 You can add access rules in /etc/smack/accesses. They take the form: 229 229 230 230 subjectlabel objectlabel access 231 231 232 - access is a combination of the letters rwxa which specify the 232 + access is a combination of the letters rwxatb which specify the 233 233 kind of access permitted a subject with subjectlabel on an 234 234 object with objectlabel. 
If there is no rule no access is allowed. 235 235 ··· 332 318 333 319 Labels 334 320 335 - Smack labels are ASCII character strings, one to twenty-three characters in 336 - length. Single character labels using special characters, that being anything 321 + Smack labels are ASCII character strings. They can be up to 255 characters 322 + long, but keeping them to twenty-three characters is recommended. 323 + Single character labels using special characters, that being anything 337 324 other than a letter or digit, are reserved for use by the Smack development 338 325 team. Smack labels are unstructured, case sensitive, and the only operation 339 326 ever performed on them is comparison for equality. Smack labels cannot ··· 350 335 ? Pronounced "huh", a single question mark character. 351 336 @ Pronounced "web", a single at sign character. 352 337 353 - Every task on a Smack system is assigned a label. System tasks, such as 354 - init(8) and systems daemons, are run with the floor ("_") label. User tasks 355 - are assigned labels according to the specification found in the 356 - /etc/smack/user configuration file. 338 + Every task on a Smack system is assigned a label. The Smack label 339 + of a process will usually be assigned by the system initialization 340 + mechanism. 357 341 358 342 Access Rules 359 343 ··· 407 393 w: indicates that write access should be granted. 408 394 x: indicates that execute access should be granted. 409 395 t: indicates that the rule requests transmutation. 396 + b: indicates that the rule should be reported for bring-up. 410 397 411 398 Uppercase values for the specification letters are allowed as well. 412 399 Access mode specifications can be in any order. Examples of acceptable rules ··· 417 402 Secret Unclass R 418 403 Manager Game x 419 404 User HR w 405 + Snap Crackle rwxatb 420 406 New Old rRrRr 421 407 Closed Off - 422 408 ··· 429 413 430 414 Spaces are not allowed in labels. 
Since a subject always has access to files 431 415 with the same label specifying a rule for that case is pointless. Only 432 - valid letters (rwxatRWXAT) and the dash ('-') character are allowed in 416 + valid letters (rwxatbRWXATB) and the dash ('-') character are allowed in 433 417 access specifications. The dash is a placeholder, so "a-r" is the same 434 418 as "ar". A lone dash is used to specify that no access should be allowed. 435 419 ··· 478 462 Setting Access Rules 479 463 480 464 The configuration file /etc/smack/accesses contains the rules to be set at 481 - system startup. The contents are written to the special file /smack/load. 482 - Rules can be written to /smack/load at any time and take effect immediately. 483 - For any pair of subject and object labels there can be only one rule, with the 484 - most recently specified overriding any earlier specification. 485 - 486 - The program smackload is provided to ensure data is formatted 487 - properly when written to /smack/load. This program reads lines 488 - of the form 489 - 490 - subjectlabel objectlabel mode. 465 + system startup. The contents are written to the special file 466 + /sys/fs/smackfs/load2. Rules can be added at any time and take effect 467 + immediately. For any pair of subject and object labels there can be only 468 + one rule, with the most recently specified overriding any earlier 469 + specification. 491 470 492 471 Task Attribute 493 472 ··· 499 488 500 489 Privilege 501 490 502 - A process with CAP_MAC_OVERRIDE is privileged. 491 + A process with CAP_MAC_OVERRIDE or CAP_MAC_ADMIN is privileged. 492 + CAP_MAC_OVERRIDE allows the process access to objects it would 493 + be denied otherwise. CAP_MAC_ADMIN allows a process to change 494 + Smack data, including rules and attributes. 503 495 504 496 Smack Networking 505 497 ··· 524 510 ambient label. 
525 511 526 512 Smack requires configuration in the case where packets from a system that is 527 - not smack that speaks CIPSO may be encountered. Usually this will be a Trusted 513 + not Smack that speaks CIPSO may be encountered. Usually this will be a Trusted 528 514 Solaris system, but there are other, less widely deployed systems out there. 529 515 CIPSO provides 3 important values, a Domain Of Interpretation (DOI), a level, 530 516 and a category set with each packet. The DOI is intended to identify a group 531 517 of systems that use compatible labeling schemes, and the DOI specified on the 532 - smack system must match that of the remote system or packets will be 533 - discarded. The DOI is 3 by default. The value can be read from /smack/doi and 534 - can be changed by writing to /smack/doi. 518 + Smack system must match that of the remote system or packets will be 519 + discarded. The DOI is 3 by default. The value can be read from 520 + /sys/fs/smackfs/doi and can be changed by writing to /sys/fs/smackfs/doi. 535 521 536 522 The label and category set are mapped to a Smack label as defined in 537 523 /etc/smack/cipso. ··· 553 539 meaning. 554 540 555 541 The mapping of Smack labels to CIPSO values is defined by writing to 556 - /smack/cipso. Again, the format of data written to this special file 557 - is highly restrictive, so the program smackcipso is provided to 558 - ensure the writes are done properly. This program takes mappings 559 - on the standard input and sends them to /smack/cipso properly. 542 + /sys/fs/smackfs/cipso2. 560 543 561 544 In addition to explicit mappings Smack supports direct CIPSO mappings. One 562 545 CIPSO level is used to indicate that the category set passed in the packet is 563 546 in fact an encoding of the Smack label. The level used is 250 by default. The 564 - value can be read from /smack/direct and changed by writing to /smack/direct. 
547 + value can be read from /sys/fs/smackfs/direct and changed by writing to 548 + /sys/fs/smackfs/direct. 565 549 566 550 Socket Attributes 567 551 ··· 577 565 Smack Netlabel Exceptions 578 566 579 567 You will often find that your labeled application has to talk to the outside, 580 - unlabeled world. To do this there's a special file /smack/netlabel where you can 581 - add some exceptions in the form of : 568 + unlabeled world. To do this there's a special file /sys/fs/smackfs/netlabel 569 + where you can add some exceptions in the form of : 582 570 @IP1 LABEL1 or 583 571 @IP2/MASK LABEL2 584 572 ··· 586 574 write access on LABEL1, and access to the subnet @IP2/MASK if it has write 587 575 access on LABEL2. 588 576 589 - Entries in the /smack/netlabel file are matched by longest mask first, like in 590 - classless IPv4 routing. 577 + Entries in the /sys/fs/smackfs/netlabel file are matched by longest mask 578 + first, like in classless IPv4 routing. 591 579 592 580 A special label '@' and an option '-CIPSO' can be used there : 593 581 @ means Internet, any application with any label has access to it 594 582 -CIPSO means standard CIPSO networking 595 583 596 584 If you don't know what CIPSO is and don't plan to use it, you can just do : 597 - echo 127.0.0.1 -CIPSO > /smack/netlabel 598 - echo 0.0.0.0/0 @ > /smack/netlabel 585 + echo 127.0.0.1 -CIPSO > /sys/fs/smackfs/netlabel 586 + echo 0.0.0.0/0 @ > /sys/fs/smackfs/netlabel 599 587 600 588 If you use CIPSO on your 192.168.0.0/16 local network and need also unlabeled 601 589 Internet access, you can have : 602 - echo 127.0.0.1 -CIPSO > /smack/netlabel 603 - echo 192.168.0.0/16 -CIPSO > /smack/netlabel 604 - echo 0.0.0.0/0 @ > /smack/netlabel 590 + echo 127.0.0.1 -CIPSO > /sys/fs/smackfs/netlabel 591 + echo 192.168.0.0/16 -CIPSO > /sys/fs/smackfs/netlabel 592 + echo 0.0.0.0/0 @ > /sys/fs/smackfs/netlabel 605 593 606 594 607 595 Writing Applications for Smack ··· 688 676 If you want Smack auditing of security 
events, you need to set CONFIG_AUDIT 689 677 in your kernel configuration. 690 678 By default, all denied events will be audited. You can change this behavior by 691 - writing a single character to the /smack/logging file : 679 + writing a single character to the /sys/fs/smackfs/logging file : 692 680 0 : no logging 693 681 1 : log denied (default) 694 682 2 : log accepted ··· 698 686 the subject, the object, the rights requested, the action, the kernel function 699 687 that triggered the event, plus other pairs depending on the type of event 700 688 audited. 689 + 690 + Bringup Mode 691 + 692 + Bringup mode provides logging features that can make application 693 + configuration and system bringup easier. Configure the kernel with 694 + CONFIG_SECURITY_SMACK_BRINGUP to enable these features. When bringup 695 + mode is enabled accesses that succeed due to rules marked with the "b" 696 + access mode will logged. When a new label is introduced for processes 697 + rules can be added aggressively, marked with the "b". The logging allows 698 + tracking of which rules actual get used for that label. 699 + 700 + Another feature of bringup mode is the "unconfined" option. Writing 701 + a label to /sys/fs/smackfs/unconfined makes subjects with that label 702 + able to access any object, and objects with that label accessible to 703 + all subjects. Any access that is granted because a label is unconfined 704 + is logged. This feature is dangerous, as files and directories may 705 + be created in places they couldn't if the policy were being enforced.
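Review bot: In the smackutil command-list hunk, the sentence "These two commands are obsolete with the introduction of the smackfs/load2 and smackfs/cipso2 interfaces" sits between the smackaccess entry and the two commands it refers to, so "these two" points forward to entries the reader has not reached yet. Either move the sentence after the smackload and smackcipso lines or reword it to "The following two commands are obsolete ...".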
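Review bot: In the /etc/fstab hunk, the replacement line swaps "smackfsdef=*" for "defaults", but neither the surrounding text nor the commit message says that the smackfsdef option was dropped from the example; the commit message only lists the mount-point change. If the option is no longer meaningful on the smackfs mount, a sentence saying so (or a mention in the commit message) would keep readers who still have the old line from wondering whether they lost a setting.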
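Review bot: The new "unconfined" entry in the interface-list hunk says how to set the label but not how to remove it, while the neighbouring entries do document clearing ("or cleared by writing "-" to the file" just above ptrace). Since the entry itself warns that the setting is dangerous, one line saying whether writing "-" clears it, or how it is otherwise undone, belongs here.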
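Review bot: In the Labels hunk, "keeping them to twenty-three characters is recommended" gives no reason for the recommendation now that the preceding sentence says 255 characters are allowed; a short clause explaining what an administrator risks or loses with longer labels would make the advice actionable.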
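Review bot: In the access-mode hunk, the new "b: indicates that the rule should be reported for bring-up" line does not say what the letter does on a kernel built without CONFIG_SECURITY_SMACK_BRINGUP (ignored, rejected, or accepted silently); one sentence here or in the Bringup Mode section would settle that for people writing rule files that must load on both kinds of kernel.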
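Review bot: In the Setting Access Rules hunk, removing the smackload paragraph also removed the only statement of the rule line format ("subjectlabel objectlabel mode"); since rules are now written directly to /sys/fs/smackfs/load2, the format load2 expects should still be stated, for instance by keeping that one line after "take effect immediately".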
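Review bot: In the CIPSO mapping hunk, the text now says only that mappings are defined by writing to /sys/fs/smackfs/cipso2; the removed sentences were the only description of the mapping input, and the new line gives none. A one-line statement of what a cipso2 entry looks like would replace what the smackcipso description used to provide.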
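Review bot: The new Bringup Mode section has three wording slips: "will logged" should be "will be logged", "marked with the "b"" should read "marked with the "b" mode" (the first occurrence says "access mode", the second drops the noun), and "which rules actual get used" should be "which rules actually get used". The spelling also wavers between "bring-up" in the access-mode hunk and "bringup" in this section and in CONFIG_SECURITY_SMACK_BRINGUP; pick one.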