About Kernel Documentation Linux Kernel Contact Linux Resources Linux Blog

Documentation / security / Smack.txt




Custom Search

Based on kernel version 4.7.2. Page generated on 2016-08-22 22:47 EST.

1	
2	
3	    "Good for you, you've decided to clean the elevator!"
4	    - The Elevator, from Dark Star
5	
6	Smack is the Simplified Mandatory Access Control Kernel.
7	Smack is a kernel based implementation of mandatory access
8	control that includes simplicity in its primary design goals.
9	
10	Smack is not the only Mandatory Access Control scheme
11	available for Linux. Those new to Mandatory Access Control
12	are encouraged to compare Smack with the other mechanisms
13	available to determine which is best suited to the problem
14	at hand.
15	
16	Smack consists of three major components:
17	    - The kernel
18	    - Basic utilities, which are helpful but not required
19	    - Configuration data
20	
21	The kernel component of Smack is implemented as a Linux
22	Security Modules (LSM) module. It requires netlabel and
23	works best with file systems that support extended attributes,
24	although xattr support is not strictly required.
25	It is safe to run a Smack kernel under a "vanilla" distribution.
26	
27	Smack kernels use the CIPSO IP option. Some network
28	configurations are intolerant of IP options and can impede
29	access to systems that use them as Smack does.
30	
31	Smack is used in the Tizen operating system. Please
32	go to http://wiki.tizen.org for information about how
33	Smack is used in Tizen.
34	
35	The current git repository for Smack user space is:
36	
37		git://github.com/smack-team/smack.git
38	
39	This should make and install on most modern distributions.
40	There are five commands included in smackutil:
41	
42	chsmack    - display or set Smack extended attribute values
43	smackctl   - load the Smack access rules
44	smackaccess - report if a process with one label has access
45	              to an object with another
46	
47	These two commands are obsolete with the introduction of
48	the smackfs/load2 and smackfs/cipso2 interfaces.
49	
50	smackload  - properly formats data for writing to smackfs/load
51	smackcipso - properly formats data for writing to smackfs/cipso
52	
53	In keeping with the intent of Smack, configuration data is
54	minimal and not strictly required. The most important
55	configuration step is mounting the smackfs pseudo filesystem.
56	If smackutil is installed the startup script will take care
57	of this, but it can be manually as well.
58	
59	Add this line to /etc/fstab:
60	
61	    smackfs /sys/fs/smackfs smackfs defaults 0 0
62	
63	The /sys/fs/smackfs directory is created by the kernel.
64	
65	Smack uses extended attributes (xattrs) to store labels on filesystem
66	objects. The attributes are stored in the extended attribute security
67	name space. A process must have CAP_MAC_ADMIN to change any of these
68	attributes.
69	
70	The extended attributes that Smack uses are:
71	
72	SMACK64
73		Used to make access control decisions. In almost all cases
74		the label given to a new filesystem object will be the label
75		of the process that created it.
76	SMACK64EXEC
77		The Smack label of a process that execs a program file with
78		this attribute set will run with this attribute's value.
79	SMACK64MMAP
80		Don't allow the file to be mmapped by a process whose Smack
81		label does not allow all of the access permitted to a process
82		with the label contained in this attribute. This is a very
83		specific use case for shared libraries.
84	SMACK64TRANSMUTE
85		Can only have the value "TRUE". If this attribute is present
86		on a directory when an object is created in the directory and
87		the Smack rule (more below) that permitted the write access
88		to the directory includes the transmute ("t") mode the object
89		gets the label of the directory instead of the label of the
90		creating process. If the object being created is a directory
91		the SMACK64TRANSMUTE attribute is set as well.
92	SMACK64IPIN
93		This attribute is only available on file descriptors for sockets.
94		Use the Smack label in this attribute for access control
95		decisions on packets being delivered to this socket.
96	SMACK64IPOUT
97		This attribute is only available on file descriptors for sockets.
98		Use the Smack label in this attribute for access control
99		decisions on packets coming from this socket.
100	
101	There are multiple ways to set a Smack label on a file:
102	
103	    # attr -S -s SMACK64 -V "value" path
104	    # chsmack -a value path
105	
106	A process can see the Smack label it is running with by
107	reading /proc/self/attr/current. A process with CAP_MAC_ADMIN
108	can set the process Smack by writing there.
109	
110	Most Smack configuration is accomplished by writing to files
111	in the smackfs filesystem. This pseudo-filesystem is mounted
112	on /sys/fs/smackfs.
113	
114	access
115		Provided for backward compatibility. The access2 interface
116		is preferred and should be used instead.
117		This interface reports whether a subject with the specified
118		Smack label has a particular access to an object with a
119		specified Smack label. Write a fixed format access rule to
120		this file. The next read will indicate whether the access
121		would be permitted. The text will be either "1" indicating
122		access, or "0" indicating denial.
123	access2
124		This interface reports whether a subject with the specified
125		Smack label has a particular access to an object with a
126		specified Smack label. Write a long format access rule to
127		this file. The next read will indicate whether the access
128		would be permitted. The text will be either "1" indicating
129		access, or "0" indicating denial.
130	ambient
131		This contains the Smack label applied to unlabeled network
132		packets.
133	change-rule
134		This interface allows modification of existing access control rules.
135		The format accepted on write is:
136			"%s %s %s %s"
137		where the first string is the subject label, the second the
138		object label, the third the access to allow and the fourth the
139		access to deny. The access strings may contain only the characters
140		"rwxat-". If a rule for a given subject and object exists it will be
141		modified by enabling the permissions in the third string and disabling
142		those in the fourth string. If there is no such rule it will be
143		created using the access specified in the third and the fourth strings.
144	cipso
145		Provided for backward compatibility. The cipso2 interface
146		is preferred and should be used instead.
147		This interface allows a specific CIPSO header to be assigned
148		to a Smack label. The format accepted on write is:
149			"%24s%4d%4d"["%4d"]...
150		The first string is a fixed Smack label. The first number is
151		the level to use. The second number is the number of categories.
152		The following numbers are the categories.
153		"level-3-cats-5-19          3   2   5  19"
154	cipso2
155		This interface allows a specific CIPSO header to be assigned
156		to a Smack label. The format accepted on write is:
157		"%s%4d%4d"["%4d"]...
158		The first string is a long Smack label. The first number is
159		the level to use. The second number is the number of categories.
160		The following numbers are the categories.
161		"level-3-cats-5-19   3   2   5  19"
162	direct
163		This contains the CIPSO level used for Smack direct label
164		representation in network packets.
165	doi
166		This contains the CIPSO domain of interpretation used in
167		network packets.
168	ipv6host
169		This interface allows specific IPv6 internet addresses to be
170		treated as single label hosts. Packets are sent to single
171		label hosts only from processes that have Smack write access
172		to the host label. All packets received from single label hosts
173		are given the specified label. The format accepted on write is:
174			"%h:%h:%h:%h:%h:%h:%h:%h label" or
175			"%h:%h:%h:%h:%h:%h:%h:%h/%d label".
176		The "::" address shortcut is not supported.
177		If label is "-DELETE" a matched entry will be deleted.
178	load
179		Provided for backward compatibility. The load2 interface
180		is preferred and should be used instead.
181		This interface allows access control rules in addition to
182		the system defined rules to be specified. The format accepted
183		on write is:
184			"%24s%24s%5s"
185		where the first string is the subject label, the second the
186		object label, and the third the requested access. The access
187		string may contain only the characters "rwxat-", and specifies
188		which sort of access is allowed. The "-" is a placeholder for
189		permissions that are not allowed. The string "r-x--" would
190		specify read and execute access. Labels are limited to 23
191		characters in length.
192	load2
193		This interface allows access control rules in addition to
194		the system defined rules to be specified. The format accepted
195		on write is:
196			"%s %s %s"
197		where the first string is the subject label, the second the
198		object label, and the third the requested access. The access
199		string may contain only the characters "rwxat-", and specifies
200		which sort of access is allowed. The "-" is a placeholder for
201		permissions that are not allowed. The string "r-x--" would
202		specify read and execute access.
203	load-self
204		Provided for backward compatibility. The load-self2 interface
205		is preferred and should be used instead.
206		This interface allows process specific access rules to be
207		defined. These rules are only consulted if access would
208		otherwise be permitted, and are intended to provide additional
209		restrictions on the process. The format is the same as for
210		the load interface.
211	load-self2
212		This interface allows process specific access rules to be
213		defined. These rules are only consulted if access would
214		otherwise be permitted, and are intended to provide additional
215		restrictions on the process. The format is the same as for
216		the load2 interface.
217	logging
218		This contains the Smack logging state.
219	mapped
220		This contains the CIPSO level used for Smack mapped label
221		representation in network packets.
222	netlabel
223		This interface allows specific internet addresses to be
224		treated as single label hosts. Packets are sent to single
225		label hosts without CIPSO headers, but only from processes
226		that have Smack write access to the host label. All packets
227		received from single label hosts are given the specified
228		label. The format accepted on write is:
229			"%d.%d.%d.%d label" or "%d.%d.%d.%d/%d label".
230		If the label specified is "-CIPSO" the address is treated
231		as a host that supports CIPSO headers.
232	onlycap
233		This contains labels processes must have for CAP_MAC_ADMIN
234		and CAP_MAC_OVERRIDE to be effective. If this file is empty
235		these capabilities are effective at for processes with any
236		label. The values are set by writing the desired labels, separated
237		by spaces, to the file or cleared by writing "-" to the file.
238	ptrace
239		This is used to define the current ptrace policy
240		0 - default: this is the policy that relies on Smack access rules.
241		    For the PTRACE_READ a subject needs to have a read access on
242		    object. For the PTRACE_ATTACH a read-write access is required.
243		1 - exact: this is the policy that limits PTRACE_ATTACH. Attach is
244		    only allowed when subject's and object's labels are equal.
245		    PTRACE_READ is not affected. Can be overridden with CAP_SYS_PTRACE.
246		2 - draconian: this policy behaves like the 'exact' above with an
247		    exception that it can't be overridden with CAP_SYS_PTRACE.
248	revoke-subject
249		Writing a Smack label here sets the access to '-' for all access
250		rules with that subject label.
251	unconfined
252		If the kernel is configured with CONFIG_SECURITY_SMACK_BRINGUP
253		a process with CAP_MAC_ADMIN can write a label into this interface.
254		Thereafter, accesses that involve that label will be logged and
255		the access permitted if it wouldn't be otherwise. Note that this
256		is dangerous and can ruin the proper labeling of your system.
257		It should never be used in production.
258	relabel-self
259		This interface contains a list of labels to which the process can
260		transition to, by writing to /proc/self/attr/current.
261		Normally a process can change its own label to any legal value, but only
262		if it has CAP_MAC_ADMIN. This interface allows a process without
263		CAP_MAC_ADMIN to relabel itself to one of labels from predefined list.
264		A process without CAP_MAC_ADMIN can change its label only once. When it
265		does, this list will be cleared.
266		The values are set by writing the desired labels, separated
267		by spaces, to the file or cleared by writing "-" to the file.
268	
269	If you are using the smackload utility
270	you can add access rules in /etc/smack/accesses. They take the form:
271	
272	    subjectlabel objectlabel access
273	
274	access is a combination of the letters rwxatb which specify the
275	kind of access permitted a subject with subjectlabel on an
276	object with objectlabel. If there is no rule no access is allowed.
277	
278	Look for additional programs on http://schaufler-ca.com
279	
280	From the Smack Whitepaper:
281	
282	The Simplified Mandatory Access Control Kernel
283	
284	Casey Schaufler
285	casey@schaufler-ca.com
286	
287	Mandatory Access Control
288	
289	Computer systems employ a variety of schemes to constrain how information is
290	shared among the people and services using the machine. Some of these schemes
291	allow the program or user to decide what other programs or users are allowed
292	access to pieces of data. These schemes are called discretionary access
293	control mechanisms because the access control is specified at the discretion
294	of the user. Other schemes do not leave the decision regarding what a user or
295	program can access up to users or programs. These schemes are called mandatory
296	access control mechanisms because you don't have a choice regarding the users
297	or programs that have access to pieces of data.
298	
299	Bell & LaPadula
300	
301	From the middle of the 1980's until the turn of the century Mandatory Access
302	Control (MAC) was very closely associated with the Bell & LaPadula security
303	model, a mathematical description of the United States Department of Defense
304	policy for marking paper documents. MAC in this form enjoyed a following
305	within the Capital Beltway and Scandinavian supercomputer centers but was
306	often sited as failing to address general needs.
307	
308	Domain Type Enforcement
309	
310	Around the turn of the century Domain Type Enforcement (DTE) became popular.
311	This scheme organizes users, programs, and data into domains that are
312	protected from each other. This scheme has been widely deployed as a component
313	of popular Linux distributions. The administrative overhead required to
314	maintain this scheme and the detailed understanding of the whole system
315	necessary to provide a secure domain mapping leads to the scheme being
316	disabled or used in limited ways in the majority of cases.
317	
318	Smack
319	
320	Smack is a Mandatory Access Control mechanism designed to provide useful MAC
321	while avoiding the pitfalls of its predecessors. The limitations of Bell &
322	LaPadula are addressed by providing a scheme whereby access can be controlled
323	according to the requirements of the system and its purpose rather than those
324	imposed by an arcane government policy. The complexity of Domain Type
325	Enforcement and avoided by defining access controls in terms of the access
326	modes already in use.
327	
328	Smack Terminology
329	
330	The jargon used to talk about Smack will be familiar to those who have dealt
331	with other MAC systems and shouldn't be too difficult for the uninitiated to
332	pick up. There are four terms that are used in a specific way and that are
333	especially important:
334	
335		Subject: A subject is an active entity on the computer system.
336		On Smack a subject is a task, which is in turn the basic unit
337		of execution.
338	
339		Object: An object is a passive entity on the computer system.
340		On Smack files of all types, IPC, and tasks can be objects.
341	
342		Access: Any attempt by a subject to put information into or get
343		information from an object is an access.
344	
345		Label: Data that identifies the Mandatory Access Control
346		characteristics of a subject or an object.
347	
348	These definitions are consistent with the traditional use in the security
349	community. There are also some terms from Linux that are likely to crop up:
350	
351		Capability: A task that possesses a capability has permission to
352		violate an aspect of the system security policy, as identified by
353		the specific capability. A task that possesses one or more
354		capabilities is a privileged task, whereas a task with no
355		capabilities is an unprivileged task.
356	
357		Privilege: A task that is allowed to violate the system security
358		policy is said to have privilege. As of this writing a task can
359		have privilege either by possessing capabilities or by having an
360		effective user of root.
361	
362	Smack Basics
363	
364	Smack is an extension to a Linux system. It enforces additional restrictions
365	on what subjects can access which objects, based on the labels attached to
366	each of the subject and the object.
367	
368	Labels
369	
370	Smack labels are ASCII character strings. They can be up to 255 characters
371	long, but keeping them to twenty-three characters is recommended.
372	Single character labels using special characters, that being anything
373	other than a letter or digit, are reserved for use by the Smack development
374	team. Smack labels are unstructured, case sensitive, and the only operation
375	ever performed on them is comparison for equality. Smack labels cannot
376	contain unprintable characters, the "/" (slash), the "\" (backslash), the "'"
377	(quote) and '"' (double-quote) characters.
378	Smack labels cannot begin with a '-'. This is reserved for special options.
379	
380	There are some predefined labels:
381	
382		_ 	Pronounced "floor", a single underscore character.
383		^ 	Pronounced "hat", a single circumflex character.
384		* 	Pronounced "star", a single asterisk character.
385		? 	Pronounced "huh", a single question mark character.
386		@ 	Pronounced "web", a single at sign character.
387	
388	Every task on a Smack system is assigned a label. The Smack label
389	of a process will usually be assigned by the system initialization
390	mechanism.
391	
392	Access Rules
393	
394	Smack uses the traditional access modes of Linux. These modes are read,
395	execute, write, and occasionally append. There are a few cases where the
396	access mode may not be obvious. These include:
397	
398		Signals: A signal is a write operation from the subject task to
399		the object task.
400		Internet Domain IPC: Transmission of a packet is considered a
401		write operation from the source task to the destination task.
402	
403	Smack restricts access based on the label attached to a subject and the label
404	attached to the object it is trying to access. The rules enforced are, in
405	order:
406	
407		1. Any access requested by a task labeled "*" is denied.
408		2. A read or execute access requested by a task labeled "^"
409		   is permitted.
410		3. A read or execute access requested on an object labeled "_"
411		   is permitted.
412		4. Any access requested on an object labeled "*" is permitted.
413		5. Any access requested by a task on an object with the same
414		   label is permitted.
415		6. Any access requested that is explicitly defined in the loaded
416		   rule set is permitted.
417		7. Any other access is denied.
418	
419	Smack Access Rules
420	
421	With the isolation provided by Smack access separation is simple. There are
422	many interesting cases where limited access by subjects to objects with
423	different labels is desired. One example is the familiar spy model of
424	sensitivity, where a scientist working on a highly classified project would be
425	able to read documents of lower classifications and anything she writes will
426	be "born" highly classified. To accommodate such schemes Smack includes a
427	mechanism for specifying rules allowing access between labels.
428	
429	Access Rule Format
430	
431	The format of an access rule is:
432	
433		subject-label object-label access
434	
435	Where subject-label is the Smack label of the task, object-label is the Smack
436	label of the thing being accessed, and access is a string specifying the sort
437	of access allowed. The access specification is searched for letters that
438	describe access modes:
439	
440		a: indicates that append access should be granted.
441		r: indicates that read access should be granted.
442		w: indicates that write access should be granted.
443		x: indicates that execute access should be granted.
444		t: indicates that the rule requests transmutation.
445		b: indicates that the rule should be reported for bring-up.
446	
447	Uppercase values for the specification letters are allowed as well.
448	Access mode specifications can be in any order. Examples of acceptable rules
449	are:
450	
451		TopSecret Secret  rx
452		Secret    Unclass R
453		Manager   Game    x
454		User      HR      w
455		Snap      Crackle rwxatb
456		New       Old     rRrRr
457		Closed    Off     -
458	
459	Examples of unacceptable rules are:
460	
461		Top Secret Secret     rx
462		Ace        Ace        r
463		Odd        spells     waxbeans
464	
465	Spaces are not allowed in labels. Since a subject always has access to files
466	with the same label specifying a rule for that case is pointless. Only
467	valid letters (rwxatbRWXATB) and the dash ('-') character are allowed in
468	access specifications. The dash is a placeholder, so "a-r" is the same
469	as "ar". A lone dash is used to specify that no access should be allowed.
470	
471	Applying Access Rules
472	
473	The developers of Linux rarely define new sorts of things, usually importing
474	schemes and concepts from other systems. Most often, the other systems are
475	variants of Unix. Unix has many endearing properties, but consistency of
476	access control models is not one of them. Smack strives to treat accesses as
477	uniformly as is sensible while keeping with the spirit of the underlying
478	mechanism.
479	
480	File system objects including files, directories, named pipes, symbolic links,
481	and devices require access permissions that closely match those used by mode
482	bit access. To open a file for reading read access is required on the file. To
483	search a directory requires execute access. Creating a file with write access
484	requires both read and write access on the containing directory. Deleting a
485	file requires read and write access to the file and to the containing
486	directory. It is possible that a user may be able to see that a file exists
487	but not any of its attributes by the circumstance of having read access to the
488	containing directory but not to the differently labeled file. This is an
489	artifact of the file name being data in the directory, not a part of the file.
490	
491	If a directory is marked as transmuting (SMACK64TRANSMUTE=TRUE) and the
492	access rule that allows a process to create an object in that directory
493	includes 't' access the label assigned to the new object will be that
494	of the directory, not the creating process. This makes it much easier
495	for two processes with different labels to share data without granting
496	access to all of their files.
497	
498	IPC objects, message queues, semaphore sets, and memory segments exist in flat
499	namespaces and access requests are only required to match the object in
500	question.
501	
502	Process objects reflect tasks on the system and the Smack label used to access
503	them is the same Smack label that the task would use for its own access
504	attempts. Sending a signal via the kill() system call is a write operation
505	from the signaler to the recipient. Debugging a process requires both reading
506	and writing. Creating a new task is an internal operation that results in two
507	tasks with identical Smack labels and requires no access checks.
508	
509	Sockets are data structures attached to processes and sending a packet from
510	one process to another requires that the sender have write access to the
511	receiver. The receiver is not required to have read access to the sender.
512	
513	Setting Access Rules
514	
515	The configuration file /etc/smack/accesses contains the rules to be set at
516	system startup. The contents are written to the special file
517	/sys/fs/smackfs/load2. Rules can be added at any time and take effect
518	immediately. For any pair of subject and object labels there can be only
519	one rule, with the most recently specified overriding any earlier
520	specification.
521	
522	Task Attribute
523	
524	The Smack label of a process can be read from /proc/<pid>/attr/current. A
525	process can read its own Smack label from /proc/self/attr/current. A
526	privileged process can change its own Smack label by writing to
527	/proc/self/attr/current but not the label of another process.
528	
529	File Attribute
530	
531	The Smack label of a filesystem object is stored as an extended attribute
532	named SMACK64 on the file. This attribute is in the security namespace. It can
533	only be changed by a process with privilege.
534	
535	Privilege
536	
537	A process with CAP_MAC_OVERRIDE or CAP_MAC_ADMIN is privileged.
538	CAP_MAC_OVERRIDE allows the process access to objects it would
539	be denied otherwise. CAP_MAC_ADMIN allows a process to change
540	Smack data, including rules and attributes.
541	
542	Smack Networking
543	
544	As mentioned before, Smack enforces access control on network protocol
545	transmissions. Every packet sent by a Smack process is tagged with its Smack
546	label. This is done by adding a CIPSO tag to the header of the IP packet. Each
547	packet received is expected to have a CIPSO tag that identifies the label and
548	if it lacks such a tag the network ambient label is assumed. Before the packet
549	is delivered a check is made to determine that a subject with the label on the
550	packet has write access to the receiving process and if that is not the case
551	the packet is dropped.
552	
553	CIPSO Configuration
554	
555	It is normally unnecessary to specify the CIPSO configuration. The default
556	values used by the system handle all internal cases. Smack will compose CIPSO
557	label values to match the Smack labels being used without administrative
558	intervention. Unlabeled packets that come into the system will be given the
559	ambient label.
560	
561	Smack requires configuration in the case where packets from a system that is
562	not Smack that speaks CIPSO may be encountered. Usually this will be a Trusted
563	Solaris system, but there are other, less widely deployed systems out there.
564	CIPSO provides 3 important values, a Domain Of Interpretation (DOI), a level,
565	and a category set with each packet. The DOI is intended to identify a group
566	of systems that use compatible labeling schemes, and the DOI specified on the
567	Smack system must match that of the remote system or packets will be
568	discarded. The DOI is 3 by default. The value can be read from
569	/sys/fs/smackfs/doi and can be changed by writing to /sys/fs/smackfs/doi.
570	
571	The label and category set are mapped to a Smack label as defined in
572	/etc/smack/cipso.
573	
574	A Smack/CIPSO mapping has the form:
575	
576		smack level [category [category]*]
577	
578	Smack does not expect the level or category sets to be related in any
579	particular way and does not assume or assign accesses based on them. Some
580	examples of mappings:
581	
582		TopSecret 7
583		TS:A,B    7 1 2
584		SecBDE    5 2 4 6
585		RAFTERS   7 12 26
586	
587	The ":" and "," characters are permitted in a Smack label but have no special
588	meaning.
589	
590	The mapping of Smack labels to CIPSO values is defined by writing to
591	/sys/fs/smackfs/cipso2.
592	
593	In addition to explicit mappings Smack supports direct CIPSO mappings. One
594	CIPSO level is used to indicate that the category set passed in the packet is
595	in fact an encoding of the Smack label. The level used is 250 by default. The
596	value can be read from /sys/fs/smackfs/direct and changed by writing to
597	/sys/fs/smackfs/direct.
598	
599	Socket Attributes
600	
601	There are two attributes that are associated with sockets. These attributes
602	can only be set by privileged tasks, but any task can read them for their own
603	sockets.
604	
605		SMACK64IPIN: The Smack label of the task object. A privileged
606		program that will enforce policy may set this to the star label.
607	
608		SMACK64IPOUT: The Smack label transmitted with outgoing packets.
609		A privileged program may set this to match the label of another
610		task with which it hopes to communicate.
611	
612	Smack Netlabel Exceptions
613	
614	You will often find that your labeled application has to talk to the outside,
615	unlabeled world. To do this there's a special file /sys/fs/smackfs/netlabel
616	where you can add some exceptions in the form of :
617	@IP1	   LABEL1 or
618	@IP2/MASK  LABEL2
619	
620	It means that your application will have unlabeled access to @IP1 if it has
621	write access on LABEL1, and access to the subnet @IP2/MASK if it has write
622	access on LABEL2.
623	
624	Entries in the /sys/fs/smackfs/netlabel file are matched by longest mask
625	first, like in classless IPv4 routing.
626	
627	A special label '@' and an option '-CIPSO' can be used there :
628	@      means Internet, any application with any label has access to it
629	-CIPSO means standard CIPSO networking
630	
631	If you don't know what CIPSO is and don't plan to use it, you can just do :
632	echo 127.0.0.1 -CIPSO > /sys/fs/smackfs/netlabel
633	echo 0.0.0.0/0 @      > /sys/fs/smackfs/netlabel
634	
635	If you use CIPSO on your 192.168.0.0/16 local network and need also unlabeled
636	Internet access, you can have :
637	echo 127.0.0.1      -CIPSO > /sys/fs/smackfs/netlabel
638	echo 192.168.0.0/16 -CIPSO > /sys/fs/smackfs/netlabel
639	echo 0.0.0.0/0      @      > /sys/fs/smackfs/netlabel
640	
641	
642	Writing Applications for Smack
643	
644	There are three sorts of applications that will run on a Smack system. How an
645	application interacts with Smack will determine what it will have to do to
646	work properly under Smack.
647	
648	Smack Ignorant Applications
649	
650	By far the majority of applications have no reason whatever to care about the
651	unique properties of Smack. Since invoking a program has no impact on the
652	Smack label associated with the process the only concern likely to arise is
653	whether the process has execute access to the program.
654	
655	Smack Relevant Applications
656	
657	Some programs can be improved by teaching them about Smack, but do not make
658	any security decisions themselves. The utility ls(1) is one example of such a
659	program.
660	
661	Smack Enforcing Applications
662	
663	These are special programs that not only know about Smack, but participate in
664	the enforcement of system policy. In most cases these are the programs that
665	set up user sessions. There are also network services that provide information
666	to processes running with various labels.
667	
668	File System Interfaces
669	
670	Smack maintains labels on file system objects using extended attributes. The
671	Smack label of a file, directory, or other file system object can be obtained
672	using getxattr(2).
673	
674		len = getxattr("/", "security.SMACK64", value, sizeof (value));
675	
676	will put the Smack label of the root directory into value. A privileged
677	process can set the Smack label of a file system object with setxattr(2).
678	
679		len = strlen("Rubble");
680		rc = setxattr("/foo", "security.SMACK64", "Rubble", len, 0);
681	
682	will set the Smack label of /foo to "Rubble" if the program has appropriate
683	privilege.
684	
685	Socket Interfaces
686	
687	The socket attributes can be read using fgetxattr(2).
688	
689	A privileged process can set the Smack label of outgoing packets with
690	fsetxattr(2).
691	
692		len = strlen("Rubble");
693		rc = fsetxattr(fd, "security.SMACK64IPOUT", "Rubble", len, 0);
694	
695	will set the Smack label "Rubble" on packets going out from the socket if the
696	program has appropriate privilege.
697	
698		rc = fsetxattr(fd, "security.SMACK64IPIN, "*", strlen("*"), 0);
699	
700	will set the Smack label "*" as the object label against which incoming
701	packets will be checked if the program has appropriate privilege.
702	
703	Administration
704	
705	Smack supports some mount options:
706	
707		smackfsdef=label: specifies the label to give files that lack
708		the Smack label extended attribute.
709	
710		smackfsroot=label: specifies the label to assign the root of the
711		file system if it lacks the Smack extended attribute.
712	
713		smackfshat=label: specifies a label that must have read access to
714		all labels set on the filesystem. Not yet enforced.
715	
716		smackfsfloor=label: specifies a label to which all labels set on the
717		filesystem must have read access. Not yet enforced.
718	
719	These mount options apply to all file system types.
720	
721	Smack auditing
722	
723	If you want Smack auditing of security events, you need to set CONFIG_AUDIT
724	in your kernel configuration.
725	By default, all denied events will be audited. You can change this behavior by
726	writing a single character to the /sys/fs/smackfs/logging file :
727	0 : no logging
728	1 : log denied (default)
729	2 : log accepted
730	3 : log denied & accepted
731	
732	Events are logged as 'key=value' pairs, for each event you at least will get
733	the subject, the object, the rights requested, the action, the kernel function
734	that triggered the event, plus other pairs depending on the type of event
735	audited.
736	
737	Bringup Mode
738	
739	Bringup mode provides logging features that can make application
740	configuration and system bringup easier. Configure the kernel with
741	CONFIG_SECURITY_SMACK_BRINGUP to enable these features. When bringup
742	mode is enabled accesses that succeed due to rules marked with the "b"
743	access mode will logged. When a new label is introduced for processes
744	rules can be added aggressively, marked with the "b". The logging allows
745	tracking of which rules actual get used for that label.
746	
747	Another feature of bringup mode is the "unconfined" option. Writing
748	a label to /sys/fs/smackfs/unconfined makes subjects with that label
749	able to access any object, and objects with that label accessible to
750	all subjects. Any access that is granted because a label is unconfined
751	is logged. This feature is dangerous, as files and directories may
752	be created in places they couldn't if the policy were being enforced.
Hide Line Numbers
About Kernel Documentation Linux Kernel Contact Linux Resources Linux Blog

Information is copyright its respective author. All material is available from the Linux Kernel Source distributed under a GPL License. This page is provided as a free service by mjmwired.net.