Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

doc: ReSTify Smack.txt

Adjusts for ReST markup and moves under LSM admin guide.

Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>

Authored by Kees Cook, committed by Jonathan Corbet (a5606ced 30da4f77)

+191 -87 total

Documentation/admin-guide/LSM/index.rst (+1)
··· 36 36 apparmor 37 37 LoadPin 38 38 SELinux 39 + Smack 39 40 tomoyo 40 41 Yama
Documentation/security/00-INDEX (-2)
··· 1 1 00-INDEX 2 2 - this file. 3 - Smack.txt 4 - - documentation on the Smack Linux Security Module. 5 3 keys-ecryptfs.txt 6 4 - description of the encryption keys for the ecryptfs filesystem. 7 5 keys-request-key.txt
Documentation/security/Smack.txt -> Documentation/admin-guide/LSM/Smack.rst (+189 -84)
··· 1 + ===== 2 + Smack 3 + ===== 1 4 2 5 3 6 "Good for you, you've decided to clean the elevator!" ··· 17 14 at hand. 18 15 19 16 Smack consists of three major components: 17 + 20 18 - The kernel 21 19 - Basic utilities, which are helpful but not required 22 20 - Configuration data ··· 43 39 This should make and install on most modern distributions. 44 40 There are five commands included in smackutil: 45 41 46 - chsmack - display or set Smack extended attribute values 47 - smackctl - load the Smack access rules 48 - smackaccess - report if a process with one label has access 49 - to an object with another 42 + chsmack: 43 + display or set Smack extended attribute values 44 + 45 + smackctl: 46 + load the Smack access rules 47 + 48 + smackaccess: 49 + report if a process with one label has access 50 + to an object with another 50 51 51 52 These two commands are obsolete with the introduction of 52 53 the smackfs/load2 and smackfs/cipso2 interfaces. 53 54 54 - smackload - properly formats data for writing to smackfs/load 55 - smackcipso - properly formats data for writing to smackfs/cipso 55 + smackload: 56 + properly formats data for writing to smackfs/load 57 + 58 + smackcipso: 59 + properly formats data for writing to smackfs/cipso 56 60 57 61 In keeping with the intent of Smack, configuration data is 58 62 minimal and not strictly required. The most important ··· 68 56 If smackutil is installed the startup script will take care 69 57 of this, but it can be manually as well. 70 58 71 - Add this line to /etc/fstab: 59 + Add this line to ``/etc/fstab``:: 72 60 73 61 smackfs /sys/fs/smackfs smackfs defaults 0 0 74 62 75 - The /sys/fs/smackfs directory is created by the kernel. 63 + The ``/sys/fs/smackfs`` directory is created by the kernel. 76 64 77 65 Smack uses extended attributes (xattrs) to store labels on filesystem 78 66 objects. The attributes are stored in the extended attribute security 79 - name space. 
A process must have CAP_MAC_ADMIN to change any of these 67 + name space. A process must have ``CAP_MAC_ADMIN`` to change any of these 80 68 attributes. 81 69 82 70 The extended attributes that Smack uses are: ··· 85 73 Used to make access control decisions. In almost all cases 86 74 the label given to a new filesystem object will be the label 87 75 of the process that created it. 76 + 88 77 SMACK64EXEC 89 78 The Smack label of a process that execs a program file with 90 79 this attribute set will run with this attribute's value. 80 + 91 81 SMACK64MMAP 92 82 Don't allow the file to be mmapped by a process whose Smack 93 83 label does not allow all of the access permitted to a process 94 84 with the label contained in this attribute. This is a very 95 85 specific use case for shared libraries. 86 + 96 87 SMACK64TRANSMUTE 97 88 Can only have the value "TRUE". If this attribute is present 98 89 on a directory when an object is created in the directory and ··· 104 89 gets the label of the directory instead of the label of the 105 90 creating process. If the object being created is a directory 106 91 the SMACK64TRANSMUTE attribute is set as well. 92 + 107 93 SMACK64IPIN 108 94 This attribute is only available on file descriptors for sockets. 109 95 Use the Smack label in this attribute for access control 110 96 decisions on packets being delivered to this socket. 97 + 111 98 SMACK64IPOUT 112 99 This attribute is only available on file descriptors for sockets. 113 100 Use the Smack label in this attribute for access control 114 101 decisions on packets coming from this socket. 115 102 116 - There are multiple ways to set a Smack label on a file: 103 + There are multiple ways to set a Smack label on a file:: 117 104 118 105 # attr -S -s SMACK64 -V "value" path 119 106 # chsmack -a value path 120 107 121 108 A process can see the Smack label it is running with by 122 - reading /proc/self/attr/current. A process with CAP_MAC_ADMIN 109 + reading ``/proc/self/attr/current``. 
A process with ``CAP_MAC_ADMIN`` 123 110 can set the process Smack by writing there. 124 111 125 112 Most Smack configuration is accomplished by writing to files 126 113 in the smackfs filesystem. This pseudo-filesystem is mounted 127 - on /sys/fs/smackfs. 114 + on ``/sys/fs/smackfs``. 128 115 129 116 access 130 117 Provided for backward compatibility. The access2 interface ··· 137 120 this file. The next read will indicate whether the access 138 121 would be permitted. The text will be either "1" indicating 139 122 access, or "0" indicating denial. 123 + 140 124 access2 141 125 This interface reports whether a subject with the specified 142 126 Smack label has a particular access to an object with a ··· 145 127 this file. The next read will indicate whether the access 146 128 would be permitted. The text will be either "1" indicating 147 129 access, or "0" indicating denial. 130 + 148 131 ambient 149 132 This contains the Smack label applied to unlabeled network 150 133 packets. 134 + 151 135 change-rule 152 136 This interface allows modification of existing access control rules. 153 - The format accepted on write is: 137 + The format accepted on write is:: 138 + 154 139 "%s %s %s %s" 140 + 155 141 where the first string is the subject label, the second the 156 142 object label, the third the access to allow and the fourth the 157 143 access to deny. The access strings may contain only the characters ··· 163 141 modified by enabling the permissions in the third string and disabling 164 142 those in the fourth string. If there is no such rule it will be 165 143 created using the access specified in the third and the fourth strings. 144 + 166 145 cipso 167 146 Provided for backward compatibility. The cipso2 interface 168 147 is preferred and should be used instead. 169 148 This interface allows a specific CIPSO header to be assigned 170 - to a Smack label. The format accepted on write is: 149 + to a Smack label. 
The format accepted on write is:: 150 + 171 151 "%24s%4d%4d"["%4d"]... 152 + 172 153 The first string is a fixed Smack label. The first number is 173 154 the level to use. The second number is the number of categories. 174 - The following numbers are the categories. 175 - "level-3-cats-5-19 3 2 5 19" 155 + The following numbers are the categories:: 156 + 157 + "level-3-cats-5-19 3 2 5 19" 158 + 176 159 cipso2 177 160 This interface allows a specific CIPSO header to be assigned 178 - to a Smack label. The format accepted on write is: 179 - "%s%4d%4d"["%4d"]... 161 + to a Smack label. The format accepted on write is:: 162 + 163 + "%s%4d%4d"["%4d"]... 164 + 180 165 The first string is a long Smack label. The first number is 181 166 the level to use. The second number is the number of categories. 182 - The following numbers are the categories. 183 - "level-3-cats-5-19 3 2 5 19" 167 + The following numbers are the categories:: 168 + 169 + "level-3-cats-5-19 3 2 5 19" 170 + 184 171 direct 185 172 This contains the CIPSO level used for Smack direct label 186 173 representation in network packets. 174 + 187 175 doi 188 176 This contains the CIPSO domain of interpretation used in 189 177 network packets. 178 + 190 179 ipv6host 191 180 This interface allows specific IPv6 internet addresses to be 192 181 treated as single label hosts. Packets are sent to single 193 182 label hosts only from processes that have Smack write access 194 183 to the host label. All packets received from single label hosts 195 - are given the specified label. The format accepted on write is: 184 + are given the specified label. The format accepted on write is:: 185 + 196 186 "%h:%h:%h:%h:%h:%h:%h:%h label" or 197 187 "%h:%h:%h:%h:%h:%h:%h:%h/%d label". 188 + 198 189 The "::" address shortcut is not supported. 199 190 If label is "-DELETE" a matched entry will be deleted. 191 + 200 192 load 201 193 Provided for backward compatibility. 
The load2 interface 202 194 is preferred and should be used instead. 203 195 This interface allows access control rules in addition to 204 196 the system defined rules to be specified. The format accepted 205 - on write is: 197 + on write is:: 198 + 206 199 "%24s%24s%5s" 200 + 207 201 where the first string is the subject label, the second the 208 202 object label, and the third the requested access. The access 209 203 string may contain only the characters "rwxat-", and specifies ··· 227 189 permissions that are not allowed. The string "r-x--" would 228 190 specify read and execute access. Labels are limited to 23 229 191 characters in length. 192 + 230 193 load2 231 194 This interface allows access control rules in addition to 232 195 the system defined rules to be specified. The format accepted 233 - on write is: 196 + on write is:: 197 + 234 198 "%s %s %s" 199 + 235 200 where the first string is the subject label, the second the 236 201 object label, and the third the requested access. The access 237 202 string may contain only the characters "rwxat-", and specifies 238 203 which sort of access is allowed. The "-" is a placeholder for 239 204 permissions that are not allowed. The string "r-x--" would 240 205 specify read and execute access. 206 + 241 207 load-self 242 208 Provided for backward compatibility. The load-self2 interface 243 209 is preferred and should be used instead. ··· 250 208 otherwise be permitted, and are intended to provide additional 251 209 restrictions on the process. The format is the same as for 252 210 the load interface. 211 + 253 212 load-self2 254 213 This interface allows process specific access rules to be 255 214 defined. These rules are only consulted if access would 256 215 otherwise be permitted, and are intended to provide additional 257 216 restrictions on the process. The format is the same as for 258 217 the load2 interface. 218 + 259 219 logging 260 220 This contains the Smack logging state. 
221 + 261 222 mapped 262 223 This contains the CIPSO level used for Smack mapped label 263 224 representation in network packets. 225 + 264 226 netlabel 265 227 This interface allows specific internet addresses to be 266 228 treated as single label hosts. Packets are sent to single 267 229 label hosts without CIPSO headers, but only from processes 268 230 that have Smack write access to the host label. All packets 269 231 received from single label hosts are given the specified 270 - label. The format accepted on write is: 232 + label. The format accepted on write is:: 233 + 271 234 "%d.%d.%d.%d label" or "%d.%d.%d.%d/%d label". 235 + 272 236 If the label specified is "-CIPSO" the address is treated 273 237 as a host that supports CIPSO headers. 238 + 274 239 onlycap 275 240 This contains labels processes must have for CAP_MAC_ADMIN 276 - and CAP_MAC_OVERRIDE to be effective. If this file is empty 241 + and ``CAP_MAC_OVERRIDE`` to be effective. If this file is empty 277 242 these capabilities are effective at for processes with any 278 243 label. The values are set by writing the desired labels, separated 279 244 by spaces, to the file or cleared by writing "-" to the file. 245 + 280 246 ptrace 281 247 This is used to define the current ptrace policy 282 - 0 - default: this is the policy that relies on Smack access rules. 283 - For the PTRACE_READ a subject needs to have a read access on 284 - object. For the PTRACE_ATTACH a read-write access is required. 285 - 1 - exact: this is the policy that limits PTRACE_ATTACH. Attach is 248 + 249 + 0 - default: 250 + this is the policy that relies on Smack access rules. 251 + For the ``PTRACE_READ`` a subject needs to have a read access on 252 + object. For the ``PTRACE_ATTACH`` a read-write access is required. 253 + 254 + 1 - exact: 255 + this is the policy that limits ``PTRACE_ATTACH``. Attach is 286 256 only allowed when subject's and object's labels are equal. 287 - PTRACE_READ is not affected. 
Can be overridden with CAP_SYS_PTRACE. 288 - 2 - draconian: this policy behaves like the 'exact' above with an 289 - exception that it can't be overridden with CAP_SYS_PTRACE. 257 + ``PTRACE_READ`` is not affected. Can be overridden with ``CAP_SYS_PTRACE``. 258 + 259 + 2 - draconian: 260 + this policy behaves like the 'exact' above with an 261 + exception that it can't be overridden with ``CAP_SYS_PTRACE``. 262 + 290 263 revoke-subject 291 264 Writing a Smack label here sets the access to '-' for all access 292 265 rules with that subject label. 266 + 293 267 unconfined 294 - If the kernel is configured with CONFIG_SECURITY_SMACK_BRINGUP 295 - a process with CAP_MAC_ADMIN can write a label into this interface. 268 + If the kernel is configured with ``CONFIG_SECURITY_SMACK_BRINGUP`` 269 + a process with ``CAP_MAC_ADMIN`` can write a label into this interface. 296 270 Thereafter, accesses that involve that label will be logged and 297 271 the access permitted if it wouldn't be otherwise. Note that this 298 272 is dangerous and can ruin the proper labeling of your system. 299 273 It should never be used in production. 274 + 300 275 relabel-self 301 276 This interface contains a list of labels to which the process can 302 - transition to, by writing to /proc/self/attr/current. 277 + transition to, by writing to ``/proc/self/attr/current``. 303 278 Normally a process can change its own label to any legal value, but only 304 - if it has CAP_MAC_ADMIN. This interface allows a process without 305 - CAP_MAC_ADMIN to relabel itself to one of labels from predefined list. 306 - A process without CAP_MAC_ADMIN can change its label only once. When it 279 + if it has ``CAP_MAC_ADMIN``. This interface allows a process without 280 + ``CAP_MAC_ADMIN`` to relabel itself to one of labels from predefined list. 281 + A process without ``CAP_MAC_ADMIN`` can change its label only once. When it 307 282 does, this list will be cleared. 
308 283 The values are set by writing the desired labels, separated 309 284 by spaces, to the file or cleared by writing "-" to the file. 310 285 311 286 If you are using the smackload utility 312 - you can add access rules in /etc/smack/accesses. They take the form: 287 + you can add access rules in ``/etc/smack/accesses``. They take the form:: 313 288 314 289 subjectlabel objectlabel access 315 290 ··· 336 277 337 278 Look for additional programs on http://schaufler-ca.com 338 279 339 - From the Smack Whitepaper: 340 - 341 - The Simplified Mandatory Access Control Kernel 280 + The Simplified Mandatory Access Control Kernel (Whitepaper) 281 + =========================================================== 342 282 343 283 Casey Schaufler 344 284 casey@schaufler-ca.com 345 285 346 286 Mandatory Access Control 287 + ------------------------ 347 288 348 289 Computer systems employ a variety of schemes to constrain how information is 349 290 shared among the people and services using the machine. Some of these schemes ··· 356 297 or programs that have access to pieces of data. 357 298 358 299 Bell & LaPadula 300 + --------------- 359 301 360 302 From the middle of the 1980's until the turn of the century Mandatory Access 361 303 Control (MAC) was very closely associated with the Bell & LaPadula security ··· 366 306 often sited as failing to address general needs. 367 307 368 308 Domain Type Enforcement 309 + ----------------------- 369 310 370 311 Around the turn of the century Domain Type Enforcement (DTE) became popular. 371 312 This scheme organizes users, programs, and data into domains that are ··· 377 316 disabled or used in limited ways in the majority of cases. 378 317 379 318 Smack 319 + ----- 380 320 381 321 Smack is a Mandatory Access Control mechanism designed to provide useful MAC 382 322 while avoiding the pitfalls of its predecessors. The limitations of Bell & ··· 388 326 modes already in use. 
389 327 390 328 Smack Terminology 329 + ----------------- 391 330 392 331 The jargon used to talk about Smack will be familiar to those who have dealt 393 332 with other MAC systems and shouldn't be too difficult for the uninitiated to 394 333 pick up. There are four terms that are used in a specific way and that are 395 334 especially important: 396 335 397 - Subject: A subject is an active entity on the computer system. 336 + Subject: 337 + A subject is an active entity on the computer system. 398 338 On Smack a subject is a task, which is in turn the basic unit 399 339 of execution. 400 340 401 - Object: An object is a passive entity on the computer system. 341 + Object: 342 + An object is a passive entity on the computer system. 402 343 On Smack files of all types, IPC, and tasks can be objects. 403 344 404 - Access: Any attempt by a subject to put information into or get 345 + Access: 346 + Any attempt by a subject to put information into or get 405 347 information from an object is an access. 406 348 407 - Label: Data that identifies the Mandatory Access Control 349 + Label: 350 + Data that identifies the Mandatory Access Control 408 351 characteristics of a subject or an object. 409 352 410 353 These definitions are consistent with the traditional use in the security 411 354 community. There are also some terms from Linux that are likely to crop up: 412 355 413 - Capability: A task that possesses a capability has permission to 356 + Capability: 357 + A task that possesses a capability has permission to 414 358 violate an aspect of the system security policy, as identified by 415 359 the specific capability. A task that possesses one or more 416 360 capabilities is a privileged task, whereas a task with no 417 361 capabilities is an unprivileged task. 418 362 419 - Privilege: A task that is allowed to violate the system security 363 + Privilege: 364 + A task that is allowed to violate the system security 420 365 policy is said to have privilege. 
As of this writing a task can 421 366 have privilege either by possessing capabilities or by having an 422 367 effective user of root. 423 368 424 369 Smack Basics 370 + ------------ 425 371 426 372 Smack is an extension to a Linux system. It enforces additional restrictions 427 373 on what subjects can access which objects, based on the labels attached to 428 374 each of the subject and the object. 429 375 430 376 Labels 377 + ~~~~~~ 431 378 432 379 Smack labels are ASCII character strings. They can be up to 255 characters 433 380 long, but keeping them to twenty-three characters is recommended. ··· 448 377 (quote) and '"' (double-quote) characters. 449 378 Smack labels cannot begin with a '-'. This is reserved for special options. 450 379 451 - There are some predefined labels: 380 + There are some predefined labels:: 452 381 453 382 _ Pronounced "floor", a single underscore character. 454 383 ^ Pronounced "hat", a single circumflex character. ··· 461 390 mechanism. 462 391 463 392 Access Rules 393 + ~~~~~~~~~~~~ 464 394 465 395 Smack uses the traditional access modes of Linux. These modes are read, 466 396 execute, write, and occasionally append. There are a few cases where the 467 397 access mode may not be obvious. These include: 468 398 469 - Signals: A signal is a write operation from the subject task to 399 + Signals: 400 + A signal is a write operation from the subject task to 470 401 the object task. 471 - Internet Domain IPC: Transmission of a packet is considered a 402 + 403 + Internet Domain IPC: 404 + Transmission of a packet is considered a 472 405 write operation from the source task to the destination task. 473 406 474 407 Smack restricts access based on the label attached to a subject and the label ··· 492 417 7. Any other access is denied. 493 418 494 419 Smack Access Rules 420 + ~~~~~~~~~~~~~~~~~~ 495 421 496 422 With the isolation provided by Smack access separation is simple. 
There are 497 423 many interesting cases where limited access by subjects to objects with ··· 503 427 mechanism for specifying rules allowing access between labels. 504 428 505 429 Access Rule Format 430 + ~~~~~~~~~~~~~~~~~~ 506 431 507 - The format of an access rule is: 432 + The format of an access rule is:: 508 433 509 434 subject-label object-label access 510 435 ··· 523 446 524 447 Uppercase values for the specification letters are allowed as well. 525 448 Access mode specifications can be in any order. Examples of acceptable rules 526 - are: 449 + are:: 527 450 528 451 TopSecret Secret rx 529 452 Secret Unclass R ··· 533 456 New Old rRrRr 534 457 Closed Off - 535 458 536 - Examples of unacceptable rules are: 459 + Examples of unacceptable rules are:: 537 460 538 461 Top Secret Secret rx 539 462 Ace Ace r ··· 546 469 as "ar". A lone dash is used to specify that no access should be allowed. 547 470 548 471 Applying Access Rules 472 + ~~~~~~~~~~~~~~~~~~~~~ 549 473 550 474 The developers of Linux rarely define new sorts of things, usually importing 551 475 schemes and concepts from other systems. Most often, the other systems are ··· 589 511 receiver. The receiver is not required to have read access to the sender. 590 512 591 513 Setting Access Rules 514 + ~~~~~~~~~~~~~~~~~~~~ 592 515 593 516 The configuration file /etc/smack/accesses contains the rules to be set at 594 517 system startup. The contents are written to the special file ··· 599 520 specification. 600 521 601 522 Task Attribute 523 + ~~~~~~~~~~~~~~ 602 524 603 525 The Smack label of a process can be read from /proc/<pid>/attr/current. A 604 526 process can read its own Smack label from /proc/self/attr/current. A ··· 607 527 /proc/self/attr/current but not the label of another process. 608 528 609 529 File Attribute 530 + ~~~~~~~~~~~~~~ 610 531 611 532 The Smack label of a filesystem object is stored as an extended attribute 612 533 named SMACK64 on the file. 
This attribute is in the security namespace. It can 613 534 only be changed by a process with privilege. 614 535 615 536 Privilege 537 + ~~~~~~~~~ 616 538 617 539 A process with CAP_MAC_OVERRIDE or CAP_MAC_ADMIN is privileged. 618 540 CAP_MAC_OVERRIDE allows the process access to objects it would ··· 622 540 Smack data, including rules and attributes. 623 541 624 542 Smack Networking 543 + ~~~~~~~~~~~~~~~~ 625 544 626 545 As mentioned before, Smack enforces access control on network protocol 627 546 transmissions. Every packet sent by a Smack process is tagged with its Smack ··· 634 551 the packet is dropped. 635 552 636 553 CIPSO Configuration 554 + ~~~~~~~~~~~~~~~~~~~ 637 555 638 556 It is normally unnecessary to specify the CIPSO configuration. The default 639 557 values used by the system handle all internal cases. Smack will compose CIPSO ··· 655 571 The label and category set are mapped to a Smack label as defined in 656 572 /etc/smack/cipso. 657 573 658 - A Smack/CIPSO mapping has the form: 574 + A Smack/CIPSO mapping has the form:: 659 575 660 576 smack level [category [category]*] 661 577 662 578 Smack does not expect the level or category sets to be related in any 663 579 particular way and does not assume or assign accesses based on them. Some 664 - examples of mappings: 580 + examples of mappings:: 665 581 666 582 TopSecret 7 667 583 TS:A,B 7 1 2 ··· 681 597 /sys/fs/smackfs/direct. 682 598 683 599 Socket Attributes 600 + ~~~~~~~~~~~~~~~~~ 684 601 685 602 There are two attributes that are associated with sockets. These attributes 686 603 can only be set by privileged tasks, but any task can read them for their own 687 604 sockets. 688 605 689 - SMACK64IPIN: The Smack label of the task object. A privileged 606 + SMACK64IPIN: 607 + The Smack label of the task object. A privileged 690 608 program that will enforce policy may set this to the star label. 691 609 692 - SMACK64IPOUT: The Smack label transmitted with outgoing packets. 
610 + SMACK64IPOUT: 611 + The Smack label transmitted with outgoing packets. 693 612 A privileged program may set this to match the label of another 694 613 task with which it hopes to communicate. 695 614 696 615 Smack Netlabel Exceptions 616 + ~~~~~~~~~~~~~~~~~~~~~~~~~ 697 617 698 618 You will often find that your labeled application has to talk to the outside, 699 619 unlabeled world. To do this there's a special file /sys/fs/smackfs/netlabel 700 - where you can add some exceptions in the form of : 701 - @IP1 LABEL1 or 702 - @IP2/MASK LABEL2 620 + where you can add some exceptions in the form of:: 621 + 622 + @IP1 LABEL1 or 623 + @IP2/MASK LABEL2 703 624 704 625 It means that your application will have unlabeled access to @IP1 if it has 705 626 write access on LABEL1, and access to the subnet @IP2/MASK if it has write ··· 713 624 Entries in the /sys/fs/smackfs/netlabel file are matched by longest mask 714 625 first, like in classless IPv4 routing. 715 626 716 - A special label '@' and an option '-CIPSO' can be used there : 717 - @ means Internet, any application with any label has access to it 718 - -CIPSO means standard CIPSO networking 627 + A special label '@' and an option '-CIPSO' can be used there:: 719 628 720 - If you don't know what CIPSO is and don't plan to use it, you can just do : 721 - echo 127.0.0.1 -CIPSO > /sys/fs/smackfs/netlabel 722 - echo 0.0.0.0/0 @ > /sys/fs/smackfs/netlabel 629 + @ means Internet, any application with any label has access to it 630 + -CIPSO means standard CIPSO networking 631 + 632 + If you don't know what CIPSO is and don't plan to use it, you can just do:: 633 + 634 + echo 127.0.0.1 -CIPSO > /sys/fs/smackfs/netlabel 635 + echo 0.0.0.0/0 @ > /sys/fs/smackfs/netlabel 723 636 724 637 If you use CIPSO on your 192.168.0.0/16 local network and need also unlabeled 725 - Internet access, you can have : 726 - echo 127.0.0.1 -CIPSO > /sys/fs/smackfs/netlabel 727 - echo 192.168.0.0/16 -CIPSO > /sys/fs/smackfs/netlabel 728 - echo 
0.0.0.0/0 @ > /sys/fs/smackfs/netlabel 638 + Internet access, you can have:: 729 639 640 + echo 127.0.0.1 -CIPSO > /sys/fs/smackfs/netlabel 641 + echo 192.168.0.0/16 -CIPSO > /sys/fs/smackfs/netlabel 642 + echo 0.0.0.0/0 @ > /sys/fs/smackfs/netlabel 730 643 731 644 Writing Applications for Smack 645 + ------------------------------ 732 646 733 647 There are three sorts of applications that will run on a Smack system. How an 734 648 application interacts with Smack will determine what it will have to do to 735 649 work properly under Smack. 736 650 737 651 Smack Ignorant Applications 652 + --------------------------- 738 653 739 654 By far the majority of applications have no reason whatever to care about the 740 655 unique properties of Smack. Since invoking a program has no impact on the ··· 746 653 whether the process has execute access to the program. 747 654 748 655 Smack Relevant Applications 656 + --------------------------- 749 657 750 658 Some programs can be improved by teaching them about Smack, but do not make 751 659 any security decisions themselves. The utility ls(1) is one example of such a 752 660 program. 753 661 754 662 Smack Enforcing Applications 663 + ---------------------------- 755 664 756 665 These are special programs that not only know about Smack, but participate in 757 666 the enforcement of system policy. In most cases these are the programs that ··· 761 666 to processes running with various labels. 762 667 763 668 File System Interfaces 669 + ---------------------- 764 670 765 671 Smack maintains labels on file system objects using extended attributes. The 766 672 Smack label of a file, directory, or other file system object can be obtained 767 - using getxattr(2). 673 + using getxattr(2):: 768 674 769 675 len = getxattr("/", "security.SMACK64", value, sizeof (value)); 770 676 771 677 will put the Smack label of the root directory into value. A privileged 772 - process can set the Smack label of a file system object with setxattr(2). 
678 + process can set the Smack label of a file system object with setxattr(2):: 773 679 774 680 len = strlen("Rubble"); 775 681 rc = setxattr("/foo", "security.SMACK64", "Rubble", len, 0); ··· 779 683 privilege. 780 684 781 685 Socket Interfaces 686 + ----------------- 782 687 783 688 The socket attributes can be read using fgetxattr(2). 784 689 785 690 A privileged process can set the Smack label of outgoing packets with 786 - fsetxattr(2). 691 + fsetxattr(2):: 787 692 788 693 len = strlen("Rubble"); 789 694 rc = fsetxattr(fd, "security.SMACK64IPOUT", "Rubble", len, 0); 790 695 791 696 will set the Smack label "Rubble" on packets going out from the socket if the 792 - program has appropriate privilege. 697 + program has appropriate privilege:: 793 698 794 699 rc = fsetxattr(fd, "security.SMACK64IPIN, "*", strlen("*"), 0); 795 700 ··· 798 701 packets will be checked if the program has appropriate privilege. 799 702 800 703 Administration 704 + -------------- 801 705 802 706 Smack supports some mount options: 803 707 804 - smackfsdef=label: specifies the label to give files that lack 708 + smackfsdef=label: 709 + specifies the label to give files that lack 805 710 the Smack label extended attribute. 806 711 807 - smackfsroot=label: specifies the label to assign the root of the 712 + smackfsroot=label: 713 + specifies the label to assign the root of the 808 714 file system if it lacks the Smack extended attribute. 809 715 810 - smackfshat=label: specifies a label that must have read access to 716 + smackfshat=label: 717 + specifies a label that must have read access to 811 718 all labels set on the filesystem. Not yet enforced. 812 719 813 - smackfsfloor=label: specifies a label to which all labels set on the 720 + smackfsfloor=label: 721 + specifies a label to which all labels set on the 814 722 filesystem must have read access. Not yet enforced. 815 723 816 724 These mount options apply to all file system types. 
817 725 818 726 Smack auditing 727 + -------------- 819 728 820 729 If you want Smack auditing of security events, you need to set CONFIG_AUDIT 821 730 in your kernel configuration. 822 731 By default, all denied events will be audited. You can change this behavior by 823 - writing a single character to the /sys/fs/smackfs/logging file : 824 - 0 : no logging 825 - 1 : log denied (default) 826 - 2 : log accepted 827 - 3 : log denied & accepted 732 + writing a single character to the /sys/fs/smackfs/logging file:: 733 + 734 + 0 : no logging 735 + 1 : log denied (default) 736 + 2 : log accepted 737 + 3 : log denied & accepted 828 738 829 739 Events are logged as 'key=value' pairs, for each event you at least will get 830 740 the subject, the object, the rights requested, the action, the kernel function ··· 839 735 audited. 840 736 841 737 Bringup Mode 738 + ------------ 842 739 843 740 Bringup mode provides logging features that can make application 844 741 configuration and system bringup easier. Configure the kernel with
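Review bot: in the "Writing Applications for Smack" hunk the three headings "Smack Ignorant Applications", "Smack Relevant Applications" and "Smack Enforcing Applications" are underlined with "-", the same adornment as their parent "Writing Applications for Smack", so Sphinx will render them as siblings of that section rather than as its subsections. The convention the rest of this file establishes is "-" for a whitepaper section and "~" for its subsections (compare "Smack Basics" followed by "Labels" with "~~~~~~"); these three should get "~" underlines of matching length.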
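Review bot: in the onlycap hunk the changed line marks up ``CAP_MAC_OVERRIDE`` as a literal while CAP_MAC_ADMIN on the unchanged line just above ("This contains labels processes must have for CAP_MAC_ADMIN") stays plain text, so the two capability names in one sentence render differently. Since this definition is already being touched, give CAP_MAC_ADMIN the same ``...`` treatment, and consider fixing the pre-existing "these capabilities are effective at for processes with any" ("at for") on the following context line in the same pass.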
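Review bot: in the Socket Interfaces hunk the sentence "will set the Smack label "Rubble" on packets going out from the socket if the program has appropriate privilege" is turned into a literal-block introducer by changing "privilege." to "privilege::", but that sentence explains the preceding SMACK64IPOUT call, not the SMACK64IPIN call that follows it; keep the period and introduce the second example with its own short lead line ending in "::". The unchanged context line `rc = fsetxattr(fd, "security.SMACK64IPIN, "*", strlen("*"), 0);` is also missing the closing quote after SMACK64IPIN, which would not compile as written; worth correcting while the block is being re-fenced.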
MAINTAINERS (+1 -1)
··· 11876 11876 W: http://schaufler-ca.com 11877 11877 T: git git://github.com/cschaufler/smack-next 11878 11878 S: Maintained 11879 - F: Documentation/security/Smack.txt 11879 + F: Documentation/admin-guide/LSM/Smack.rst 11880 11880 F: security/smack/ 11881 11881 11882 11882 DRIVERS FOR ADAPTIVE VOLTAGE SCALING (AVS)