Documentation / security / Smack.txt


Based on kernel version 4.3. Page generated on 2015-11-02 12:51 EST.

    "Good for you, you've decided to clean the elevator!"
    - The Elevator, from Dark Star

Smack is the Simplified Mandatory Access Control Kernel.
Smack is a kernel based implementation of mandatory access
control that includes simplicity in its primary design goals.

Smack is not the only Mandatory Access Control scheme
available for Linux. Those new to Mandatory Access Control
are encouraged to compare Smack with the other mechanisms
available to determine which is best suited to the problem
at hand.

Smack consists of three major components:
    - The kernel
    - Basic utilities, which are helpful but not required
    - Configuration data

The kernel component of Smack is implemented as a Linux
Security Modules (LSM) module. It requires netlabel and
works best with file systems that support extended attributes,
although xattr support is not strictly required.
It is safe to run a Smack kernel under a "vanilla" distribution.

Smack kernels use the CIPSO IP option. Some network
configurations are intolerant of IP options and can impede
access to systems that use them as Smack does.

Smack is used in the Tizen operating system. Please
go to http://wiki.tizen.org for information about how
Smack is used in Tizen.

The current git repository for Smack user space is:

	git://github.com/smack-team/smack.git

This should make and install on most modern distributions.
There are five commands included in smackutil:

chsmack    - display or set Smack extended attribute values
smackctl   - load the Smack access rules
smackaccess - report if a process with one label has access
              to an object with another

These two commands are obsolete with the introduction of
the smackfs/load2 and smackfs/cipso2 interfaces.

smackload  - properly formats data for writing to smackfs/load
smackcipso - properly formats data for writing to smackfs/cipso

In keeping with the intent of Smack, configuration data is
minimal and not strictly required. The most important
configuration step is mounting the smackfs pseudo filesystem.
If smackutil is installed the startup script will take care
of this, but it can be done manually as well.

Add this line to /etc/fstab:

    smackfs /sys/fs/smackfs smackfs defaults 0 0

The /sys/fs/smackfs directory is created by the kernel.

Smack uses extended attributes (xattrs) to store labels on filesystem
objects. The attributes are stored in the extended attribute security
name space. A process must have CAP_MAC_ADMIN to change any of these
attributes.

The extended attributes that Smack uses are:

SMACK64
	Used to make access control decisions. In almost all cases
	the label given to a new filesystem object will be the label
	of the process that created it.
SMACK64EXEC
	The Smack label of a process that execs a program file with
	this attribute set will run with this attribute's value.
SMACK64MMAP
	Don't allow the file to be mmapped by a process whose Smack
	label does not allow all of the access permitted to a process
	with the label contained in this attribute. This is a very
	specific use case for shared libraries.
SMACK64TRANSMUTE
	Can only have the value "TRUE". If this attribute is present
	on a directory when an object is created in the directory and
	the Smack rule (more below) that permitted the write access
	to the directory includes the transmute ("t") mode the object
	gets the label of the directory instead of the label of the
	creating process. If the object being created is a directory
	the SMACK64TRANSMUTE attribute is set as well.
SMACK64IPIN
	This attribute is only available on file descriptors for sockets.
	Use the Smack label in this attribute for access control
	decisions on packets being delivered to this socket.
SMACK64IPOUT
	This attribute is only available on file descriptors for sockets.
	Use the Smack label in this attribute for access control
	decisions on packets coming from this socket.

There are multiple ways to set a Smack label on a file:

    # attr -S -s SMACK64 -V "value" path
    # chsmack -a value path

A process can see the Smack label it is running with by
reading /proc/self/attr/current. A process with CAP_MAC_ADMIN
can set the process Smack by writing there.

Most Smack configuration is accomplished by writing to files
in the smackfs filesystem. This pseudo-filesystem is mounted
on /sys/fs/smackfs.

access
	Provided for backward compatibility. The access2 interface
	is preferred and should be used instead.
	This interface reports whether a subject with the specified
	Smack label has a particular access to an object with a
	specified Smack label. Write a fixed format access rule to
	this file. The next read will indicate whether the access
	would be permitted. The text will be either "1" indicating
	access, or "0" indicating denial.
access2
	This interface reports whether a subject with the specified
	Smack label has a particular access to an object with a
	specified Smack label. Write a long format access rule to
	this file. The next read will indicate whether the access
	would be permitted. The text will be either "1" indicating
	access, or "0" indicating denial.
ambient
	This contains the Smack label applied to unlabeled network
	packets.
change-rule
	This interface allows modification of existing access control rules.
	The format accepted on write is:
		"%s %s %s %s"
	where the first string is the subject label, the second the
	object label, the third the access to allow and the fourth the
	access to deny. The access strings may contain only the characters
	"rwxat-". If a rule for a given subject and object exists it will be
	modified by enabling the permissions in the third string and disabling
	those in the fourth string. If there is no such rule it will be
	created using the access specified in the third and the fourth strings.
cipso
	Provided for backward compatibility. The cipso2 interface
	is preferred and should be used instead.
	This interface allows a specific CIPSO header to be assigned
	to a Smack label. The format accepted on write is:
		"%24s%4d%4d"["%4d"]...
	The first string is a fixed Smack label. The first number is
	the level to use. The second number is the number of categories.
	The following numbers are the categories, for example:
		"level-3-cats-5-19          3   2   5  19"
cipso2
	This interface allows a specific CIPSO header to be assigned
	to a Smack label. The format accepted on write is:
		"%s%4d%4d"["%4d"]...
	The first string is a long Smack label. The first number is
	the level to use. The second number is the number of categories.
	The following numbers are the categories, for example:
		"level-3-cats-5-19   3   2   5  19"
direct
	This contains the CIPSO level used for Smack direct label
	representation in network packets.
doi
	This contains the CIPSO domain of interpretation used in
	network packets.
ipv6host
	This interface allows specific IPv6 internet addresses to be
	treated as single label hosts. Packets are sent to single
	label hosts only from processes that have Smack write access
	to the host label. All packets received from single label hosts
	are given the specified label. The format accepted on write is:
		"%h:%h:%h:%h:%h:%h:%h:%h label" or
		"%h:%h:%h:%h:%h:%h:%h:%h/%d label".
	The "::" address shortcut is not supported.
	If label is "-DELETE" a matched entry will be deleted.
load
	Provided for backward compatibility. The load2 interface
	is preferred and should be used instead.
	This interface allows access control rules in addition to
	the system defined rules to be specified. The format accepted
	on write is:
		"%24s%24s%5s"
	where the first string is the subject label, the second the
	object label, and the third the requested access. The access
	string may contain only the characters "rwxat-", and specifies
	which sort of access is allowed. The "-" is a placeholder for
	permissions that are not allowed. The string "r-x--" would
	specify read and execute access. Labels are limited to 23
	characters in length.
load2
	This interface allows access control rules in addition to
	the system defined rules to be specified. The format accepted
	on write is:
		"%s %s %s"
	where the first string is the subject label, the second the
	object label, and the third the requested access. The access
	string may contain only the characters "rwxat-", and specifies
	which sort of access is allowed. The "-" is a placeholder for
	permissions that are not allowed. The string "r-x--" would
	specify read and execute access.
load-self
	Provided for backward compatibility. The load-self2 interface
	is preferred and should be used instead.
	This interface allows process specific access rules to be
	defined. These rules are only consulted if access would
	otherwise be permitted, and are intended to provide additional
	restrictions on the process. The format is the same as for
	the load interface.
load-self2
	This interface allows process specific access rules to be
	defined. These rules are only consulted if access would
	otherwise be permitted, and are intended to provide additional
	restrictions on the process. The format is the same as for
	the load2 interface.
logging
	This contains the Smack logging state.
mapped
	This contains the CIPSO level used for Smack mapped label
	representation in network packets.
netlabel
	This interface allows specific internet addresses to be
	treated as single label hosts. Packets are sent to single
	label hosts without CIPSO headers, but only from processes
	that have Smack write access to the host label. All packets
	received from single label hosts are given the specified
	label. The format accepted on write is:
		"%d.%d.%d.%d label" or "%d.%d.%d.%d/%d label".
	If the label specified is "-CIPSO" the address is treated
	as a host that supports CIPSO headers.
onlycap
	This contains labels processes must have for CAP_MAC_ADMIN
	and CAP_MAC_OVERRIDE to be effective. If this file is empty
	these capabilities are effective for processes with any
	label. The values are set by writing the desired labels, separated
	by spaces, to the file or cleared by writing "-" to the file.
ptrace
	This is used to define the current ptrace policy:
	0 - default: this is the policy that relies on Smack access rules.
	    For PTRACE_READ a subject needs to have read access on the
	    object. For PTRACE_ATTACH read-write access is required.
	1 - exact: this is the policy that limits PTRACE_ATTACH. Attach is
	    only allowed when subject's and object's labels are equal.
	    PTRACE_READ is not affected. Can be overridden with CAP_SYS_PTRACE.
	2 - draconian: this policy behaves like the 'exact' above with an
	    exception that it can't be overridden with CAP_SYS_PTRACE.
revoke-subject
	Writing a Smack label here sets the access to '-' for all access
	rules with that subject label.
unconfined
	If the kernel is configured with CONFIG_SECURITY_SMACK_BRINGUP
	a process with CAP_MAC_ADMIN can write a label into this interface.
	Thereafter, accesses that involve that label will be logged and
	the access permitted if it wouldn't be otherwise. Note that this
	is dangerous and can ruin the proper labeling of your system.
	It should never be used in production.

If you are using the smackload utility
you can add access rules in /etc/smack/accesses. They take the form:

    subjectlabel objectlabel access

access is a combination of the letters rwxatb which specify the
kind of access permitted a subject with subjectlabel on an
object with objectlabel. If there is no rule no access is allowed.

Look for additional programs on http://schaufler-ca.com

From the Smack Whitepaper:

The Simplified Mandatory Access Control Kernel

Casey Schaufler
casey@schaufler-ca.com

Mandatory Access Control

Computer systems employ a variety of schemes to constrain how information is
shared among the people and services using the machine. Some of these schemes
allow the program or user to decide what other programs or users are allowed
access to pieces of data. These schemes are called discretionary access
control mechanisms because the access control is specified at the discretion
of the user. Other schemes do not leave the decision regarding what a user or
program can access up to users or programs. These schemes are called mandatory
access control mechanisms because you don't have a choice regarding the users
or programs that have access to pieces of data.

Bell & LaPadula

From the middle of the 1980's until the turn of the century Mandatory Access
Control (MAC) was very closely associated with the Bell & LaPadula security
model, a mathematical description of the United States Department of Defense
policy for marking paper documents. MAC in this form enjoyed a following
within the Capital Beltway and Scandinavian supercomputer centers but was
often cited as failing to address general needs.

Domain Type Enforcement

Around the turn of the century Domain Type Enforcement (DTE) became popular.
This scheme organizes users, programs, and data into domains that are
protected from each other. This scheme has been widely deployed as a component
of popular Linux distributions. The administrative overhead required to
maintain this scheme and the detailed understanding of the whole system
necessary to provide a secure domain mapping leads to the scheme being
disabled or used in limited ways in the majority of cases.

Smack

Smack is a Mandatory Access Control mechanism designed to provide useful MAC
while avoiding the pitfalls of its predecessors. The limitations of Bell &
LaPadula are addressed by providing a scheme whereby access can be controlled
according to the requirements of the system and its purpose rather than those
imposed by an arcane government policy. The complexity of Domain Type
Enforcement is avoided by defining access controls in terms of the access
modes already in use.

Smack Terminology

The jargon used to talk about Smack will be familiar to those who have dealt
with other MAC systems and shouldn't be too difficult for the uninitiated to
pick up. There are four terms that are used in a specific way and that are
especially important:

	Subject: A subject is an active entity on the computer system.
	On Smack a subject is a task, which is in turn the basic unit
	of execution.

	Object: An object is a passive entity on the computer system.
	On Smack files of all types, IPC, and tasks can be objects.

	Access: Any attempt by a subject to put information into or get
	information from an object is an access.

	Label: Data that identifies the Mandatory Access Control
	characteristics of a subject or an object.

These definitions are consistent with the traditional use in the security
community. There are also some terms from Linux that are likely to crop up:

	Capability: A task that possesses a capability has permission to
	violate an aspect of the system security policy, as identified by
	the specific capability. A task that possesses one or more
	capabilities is a privileged task, whereas a task with no
	capabilities is an unprivileged task.

	Privilege: A task that is allowed to violate the system security
	policy is said to have privilege. As of this writing a task can
	have privilege either by possessing capabilities or by having an
	effective user of root.

Smack Basics

Smack is an extension to a Linux system. It enforces additional restrictions
on what subjects can access which objects, based on the labels attached to
each of the subject and the object.

Labels

Smack labels are ASCII character strings. They can be up to 255 characters
long, but keeping them to twenty-three characters is recommended.
Single character labels using special characters, that being anything
other than a letter or digit, are reserved for use by the Smack development
team. Smack labels are unstructured, case sensitive, and the only operation
ever performed on them is comparison for equality. Smack labels cannot
contain unprintable characters, the "/" (slash), the "\" (backslash), the "'"
(quote) and '"' (double-quote) characters.
Smack labels cannot begin with a '-'. This is reserved for special options.

There are some predefined labels:

	_ 	Pronounced "floor", a single underscore character.
	^ 	Pronounced "hat", a single circumflex character.
	* 	Pronounced "star", a single asterisk character.
	? 	Pronounced "huh", a single question mark character.
	@ 	Pronounced "web", a single at sign character.

Every task on a Smack system is assigned a label. The Smack label
of a process will usually be assigned by the system initialization
mechanism.

Access Rules

Smack uses the traditional access modes of Linux. These modes are read,
execute, write, and occasionally append. There are a few cases where the
access mode may not be obvious. These include:

	Signals: A signal is a write operation from the subject task to
	the object task.
	Internet Domain IPC: Transmission of a packet is considered a
	write operation from the source task to the destination task.

Smack restricts access based on the label attached to a subject and the label
attached to the object it is trying to access. The rules enforced are, in
order:

	1. Any access requested by a task labeled "*" is denied.
	2. A read or execute access requested by a task labeled "^"
	   is permitted.
	3. A read or execute access requested on an object labeled "_"
	   is permitted.
	4. Any access requested on an object labeled "*" is permitted.
	5. Any access requested by a task on an object with the same
	   label is permitted.
	6. Any access requested that is explicitly defined in the loaded
	   rule set is permitted.
	7. Any other access is denied.

Smack Access Rules

With the isolation provided by Smack, access separation is simple. There are
many interesting cases where limited access by subjects to objects with
different labels is desired. One example is the familiar spy model of
sensitivity, where a scientist working on a highly classified project would be
able to read documents of lower classifications and anything she writes will
be "born" highly classified. To accommodate such schemes Smack includes a
mechanism for specifying rules allowing access between labels.

Access Rule Format

The format of an access rule is:

	subject-label object-label access

Where subject-label is the Smack label of the task, object-label is the Smack
label of the thing being accessed, and access is a string specifying the sort
of access allowed. The access specification is searched for letters that
describe access modes:

	a: indicates that append access should be granted.
	r: indicates that read access should be granted.
	w: indicates that write access should be granted.
	x: indicates that execute access should be granted.
	t: indicates that the rule requests transmutation.
	b: indicates that the rule should be reported for bring-up.

Uppercase values for the specification letters are allowed as well.
Access mode specifications can be in any order. Examples of acceptable rules
are:

	TopSecret Secret  rx
	Secret    Unclass R
	Manager   Game    x
	User      HR      w
	Snap      Crackle rwxatb
	New       Old     rRrRr
	Closed    Off     -

Examples of unacceptable rules are:

	Top Secret Secret     rx
	Ace        Ace        r
	Odd        spells     waxbeans

Spaces are not allowed in labels. Since a subject always has access to files
with the same label specifying a rule for that case is pointless. Only
valid letters (rwxatbRWXATB) and the dash ('-') character are allowed in
access specifications. The dash is a placeholder, so "a-r" is the same
as "ar". A lone dash is used to specify that no access should be allowed.
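
The rule format just described, the seven ordered decision rules from "Access Rules", and the change-rule semantics from the smackfs list, modelled in Python as an added example (not code from the Smack project or the kernel documentation). The sample rule set is the document's own list of acceptable rules; label and access-string checks follow the constraints the document states.

```python
"""Smack access rules: parsing, change-rule updates and the decision order.
Added example, not part of the Smack project; the sample rules are the
document's list of acceptable rules."""
import string

FLOOR, HAT, STAR = "_", "^", "*"
MODE_LETTERS = set("rwxatb")
LABEL_FORBIDDEN = set("/\\'\"")

# The document's acceptable rules, in load2 / /etc/smack/accesses form.
RULES = """\
TopSecret Secret  rx
Secret    Unclass R
Manager   Game    x
User      HR      w
Snap      Crackle rwxatb
New       Old     rRrRr
Closed    Off     -
"""

def validate_label(label):
    """ASCII, printable, no whitespace, <= 255 chars, none of / \\ ' ",
    not starting with '-' (reserved for options such as -CIPSO)."""
    if not 0 < len(label) <= 255 or label.startswith("-"):
        raise ValueError(f"bad length or leading '-' in label {label!r}")
    for c in label:
        if c not in string.printable or c in string.whitespace or c in LABEL_FORBIDDEN:
            raise ValueError(f"character {c!r} not allowed in label {label!r}")
    return label

def parse_access(spec):
    """'r-x--' or 'rRrRr' -> frozenset of mode letters; case is ignored and
    '-' is a placeholder, so a lone '-' grants nothing."""
    modes = set()
    for c in spec:
        if c != "-":
            if c.lower() not in MODE_LETTERS:
                raise ValueError(f"invalid access letter {c!r} in {spec!r}")
            modes.add(c.lower())
    return frozenset(modes)

def parse_rule(line):
    """'subject object access' -> (subject, object, modes)."""
    fields = line.split()
    if len(fields) != 3:        # 'Top Secret Secret rx' has four fields
        raise ValueError(f"expected 'subject object access': {line!r}")
    subject, obj, spec = fields
    validate_label(subject)
    validate_label(obj)
    if subject == obj:          # same-label access is always granted anyway
        raise ValueError(f"rule for identical labels is pointless: {line!r}")
    return subject, obj, parse_access(spec)

def rule_is_acceptable(line):
    try:
        parse_rule(line)
    except ValueError:
        return False
    return True

def load_rules(text):
    """Rule set keyed by (subject, object); a later rule for the same
    pair replaces the earlier one."""
    rules = {}
    for line in text.splitlines():
        if line.strip():
            subject, obj, modes = parse_rule(line)
            rules[(subject, obj)] = modes
    return rules

def change_rule(rules, line):
    """smackfs change-rule, 'subject object allow deny': an existing rule
    gains the 'allow' modes and loses the 'deny' modes; otherwise a rule
    with the 'allow' modes is created."""
    fields = line.split()
    if len(fields) != 4:
        raise ValueError(f"expected 'subject object allow deny': {line!r}")
    subject, obj, allow, deny = fields
    key = (validate_label(subject), validate_label(obj))
    current = rules.get(key, frozenset())
    rules[key] = (current | parse_access(allow)) - parse_access(deny)
    return rules[key]

def smack_access(rules, subject, obj, want):
    """Decide one request by applying the seven rules in the document's order."""
    requested = parse_access(want)
    if not requested:
        raise ValueError("no access mode requested")
    if subject == STAR:                             # 1. star subject: deny
        return False
    if subject == HAT and requested <= {"r", "x"}:  # 2. hat may read/execute anything
        return True
    if obj == FLOOR and requested <= {"r", "x"}:    # 3. anyone may read/execute floor
        return True
    if obj == STAR or subject == obj:               # 4./5. star object or same label
        return True
    if requested <= rules.get((subject, obj), frozenset()):  # 6. explicit rule
        return True
    return False                                    # 7. everything else: deny
```

Note that a rule written with a lone dash ("Closed Off -") is stored as an empty mode set, so it still denies; the page's three unacceptable rules are each rejected for a different reason (space in a label, identical labels, invalid letters).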

Applying Access Rules

The developers of Linux rarely define new sorts of things, usually importing
schemes and concepts from other systems. Most often, the other systems are
variants of Unix. Unix has many endearing properties, but consistency of
access control models is not one of them. Smack strives to treat accesses as
uniformly as is sensible while keeping with the spirit of the underlying
mechanism.

File system objects including files, directories, named pipes, symbolic links,
and devices require access permissions that closely match those used by mode
bit access. To open a file for reading read access is required on the file. To
search a directory requires execute access. Creating a file with write access
requires both read and write access on the containing directory. Deleting a
file requires read and write access to the file and to the containing
directory. It is possible that a user may be able to see that a file exists
but not any of its attributes by the circumstance of having read access to the
containing directory but not to the differently labeled file. This is an
artifact of the file name being data in the directory, not a part of the file.

If a directory is marked as transmuting (SMACK64TRANSMUTE=TRUE) and the
access rule that allows a process to create an object in that directory
includes 't' access the label assigned to the new object will be that
of the directory, not the creating process. This makes it much easier
for two processes with different labels to share data without granting
access to all of their files.

IPC objects, message queues, semaphore sets, and memory segments exist in flat
namespaces and access requests are only required to match the object in
question.

Process objects reflect tasks on the system and the Smack label used to access
them is the same Smack label that the task would use for its own access
attempts. Sending a signal via the kill() system call is a write operation
from the signaler to the recipient. Debugging a process requires both reading
and writing. Creating a new task is an internal operation that results in two
tasks with identical Smack labels and requires no access checks.

Sockets are data structures attached to processes and sending a packet from
one process to another requires that the sender have write access to the
receiver. The receiver is not required to have read access to the sender.

Setting Access Rules

The configuration file /etc/smack/accesses contains the rules to be set at
system startup. The contents are written to the special file
/sys/fs/smackfs/load2. Rules can be added at any time and take effect
immediately. For any pair of subject and object labels there can be only
one rule, with the most recently specified overriding any earlier
specification.

Task Attribute

The Smack label of a process can be read from /proc/<pid>/attr/current. A
process can read its own Smack label from /proc/self/attr/current. A
privileged process can change its own Smack label by writing to
/proc/self/attr/current but not the label of another process.

File Attribute

The Smack label of a filesystem object is stored as an extended attribute
named SMACK64 on the file. This attribute is in the security namespace. It can
only be changed by a process with privilege.

Privilege

A process with CAP_MAC_OVERRIDE or CAP_MAC_ADMIN is privileged.
CAP_MAC_OVERRIDE allows the process access to objects it would
be denied otherwise. CAP_MAC_ADMIN allows a process to change
Smack data, including rules and attributes.

Smack Networking

As mentioned before, Smack enforces access control on network protocol
transmissions. Every packet sent by a Smack process is tagged with its Smack
label. This is done by adding a CIPSO tag to the header of the IP packet. Each
packet received is expected to have a CIPSO tag that identifies the label and
if it lacks such a tag the network ambient label is assumed. Before the packet
is delivered a check is made to determine that a subject with the label on the
packet has write access to the receiving process and if that is not the case
the packet is dropped.

CIPSO Configuration

It is normally unnecessary to specify the CIPSO configuration. The default
values used by the system handle all internal cases. Smack will compose CIPSO
label values to match the Smack labels being used without administrative
intervention. Unlabeled packets that come into the system will be given the
ambient label.

Smack requires configuration in the case where packets from a system that is
not Smack but speaks CIPSO may be encountered. Usually this will be a Trusted
Solaris system, but there are other, less widely deployed systems out there.
CIPSO provides 3 important values, a Domain Of Interpretation (DOI), a level,
and a category set with each packet. The DOI is intended to identify a group
of systems that use compatible labeling schemes, and the DOI specified on the
Smack system must match that of the remote system or packets will be
discarded. The DOI is 3 by default. The value can be read from
/sys/fs/smackfs/doi and can be changed by writing to /sys/fs/smackfs/doi.

The label and category set are mapped to a Smack label as defined in
/etc/smack/cipso.

A Smack/CIPSO mapping has the form:

	smack level [category [category]*]

Smack does not expect the level or category sets to be related in any
particular way and does not assume or assign accesses based on them. Some
examples of mappings:

	TopSecret 7
	TS:A,B    7 1 2
	SecBDE    5 2 4 6
	RAFTERS   7 12 26

The ":" and "," characters are permitted in a Smack label but have no special
meaning.

The mapping of Smack labels to CIPSO values is defined by writing to
/sys/fs/smackfs/cipso2.

In addition to explicit mappings Smack supports direct CIPSO mappings. One
CIPSO level is used to indicate that the category set passed in the packet is
in fact an encoding of the Smack label. The level used is 250 by default. The
value can be read from /sys/fs/smackfs/direct and changed by writing to
/sys/fs/smackfs/direct.
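
The mapping form above and the write formats of the cipso2 and legacy cipso interfaces, as an added example (not code from the Smack project or the kernel documentation): it compiles /etc/smack/cipso-style lines into the exact strings each interface expects. Refusing a mapping that reuses the direct level is an assumption added here, with 250 the default the document gives.

```python
"""Compile Smack/CIPSO mappings for the smackfs cipso2 (and legacy cipso)
interfaces. Added example, not part of the Smack project; the sample
mappings are the document's own."""

# /etc/smack/cipso form: "smack level [category [category]*]".
CIPSO_MAPPINGS = """\
TopSecret 7
TS:A,B    7 1 2
SecBDE    5 2 4 6
RAFTERS   7 12 26
"""
DIRECT_LEVEL = 250          # the document's default for /sys/fs/smackfs/direct
LEGACY_LABEL_MAX = 23       # label limit for the fixed-width cipso interface


def parse_mapping(line):
    """'smack level [cat ...]' -> (label, level, [categories])."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError(f"expected 'label level [categories]': {line!r}")
    label, level, cats = fields[0], int(fields[1]), [int(f) for f in fields[2:]]
    if label.startswith("-") or set(label) & set("/\\'\""):
        raise ValueError(f"invalid Smack label {label!r}")
    if level < 0 or any(c < 0 for c in cats):
        raise ValueError(f"negative level or category in {line!r}")
    if len(set(cats)) != len(cats):
        raise ValueError(f"duplicate category in {line!r}")
    return label, level, cats


def format_cipso2(label, level, cats):
    """The cipso2 write format "%s%4d%4d"["%4d"]...: label, level,
    category count, then the categories, each in a 4-wide field."""
    return f"{label}{level:4d}{len(cats):4d}" + "".join(f"{c:4d}" for c in cats)


def format_cipso_legacy(label, level, cats):
    """The legacy cipso write format "%24s%4d%4d"["%4d"]...: the label
    occupies a fixed 24-character field, so it is limited to 23 characters."""
    if len(label) > LEGACY_LABEL_MAX:
        raise ValueError(f"label too long for the legacy cipso interface: {label!r}")
    return f"{label:<24}{level:4d}{len(cats):4d}" + "".join(f"{c:4d}" for c in cats)


def compile_mappings(text, direct_level=DIRECT_LEVEL):
    """All mapping lines -> list of cipso2 strings. A mapping that reuses the
    direct level is rejected (assumption): at that level the category set
    carries the label itself, not a mapped level/category pair."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        label, level, cats = parse_mapping(line)
        if level == direct_level:
            raise ValueError(f"level {level} is the direct level; cannot map {label!r}")
        out.append(format_cipso2(label, level, cats))
    return out
```

Each string in the result is one write to /sys/fs/smackfs/cipso2; the legacy formatter reproduces the fixed-width example string given for the cipso interface.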

Socket Attributes

There are two attributes that are associated with sockets. These attributes
can only be set by privileged tasks, but any task can read them for their own
sockets.

	SMACK64IPIN: The Smack label of the task object. A privileged
	program that will enforce policy may set this to the star label.

	SMACK64IPOUT: The Smack label transmitted with outgoing packets.
	A privileged program may set this to match the label of another
	task with which it hopes to communicate.

Smack Netlabel Exceptions

You will often find that your labeled application has to talk to the outside,
unlabeled world. To do this there's a special file /sys/fs/smackfs/netlabel
where you can add some exceptions in the form of:
@IP1	   LABEL1 or
@IP2/MASK  LABEL2

It means that your application will have unlabeled access to @IP1 if it has
write access on LABEL1, and access to the subnet @IP2/MASK if it has write
access on LABEL2.

Entries in the /sys/fs/smackfs/netlabel file are matched by longest mask
first, like in classless IPv4 routing.

A special label '@' and an option '-CIPSO' can be used there:
@      means Internet, any application with any label has access to it
-CIPSO means standard CIPSO networking

If you don't know what CIPSO is and don't plan to use it, you can just do:
echo -CIPSO > /sys/fs/smackfs/netlabel
echo @      > /sys/fs/smackfs/netlabel

If you use CIPSO on your local network and need also unlabeled
Internet access, you can have:
echo      -CIPSO > /sys/fs/smackfs/netlabel
echo -CIPSO > /sys/fs/smackfs/netlabel
echo      @      > /sys/fs/smackfs/netlabel
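
The longest-mask matching and the meaning of the '@' and '-CIPSO' labels described above, as an added example in Python (not code from the Smack project). The table, the RFC 5737 test addresses and the can_write stand-in for the Smack rule check are constructed for illustration.

```python
"""Longest-mask matching over a /sys/fs/smackfs/netlabel table.
Added example, not part of the Smack project: the entries, hosts and
labels below are constructed (RFC 5737 test addresses)."""
import ipaddress

# Constructed table in the "%d.%d.%d.%d/%d label" form the document gives.
NETLABEL_TABLE = """\
192.0.2.0/24   -CIPSO
192.0.2.7/32   Printer
198.51.100.1   Syslog
0.0.0.0/0      @
"""
AMBIENT = "_"   # label given to unlabeled packets (the smackfs 'ambient' file)


def parse_netlabel(text):
    """'addr[/mask] label' lines -> list of (network, label); a bare address
    is a single host, i.e. a /32."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        addr, label = line.split()
        entries.append((ipaddress.ip_network(addr, strict=False), label))
    return entries


def lookup(entries, host):
    """Label of the most specific (longest mask) entry covering host,
    or None when no entry matches."""
    host = ipaddress.ip_address(host)
    best = None
    for net, label in entries:
        if host in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label)
    return best[1] if best else None


def outbound_policy(entries, dest, sender_label, can_write):
    """How a packet from a task labeled sender_label to dest is handled.
    can_write(subject, object) stands in for the Smack rule check.
    Returns 'cipso', 'unlabeled' or 'denied'."""
    host_label = lookup(entries, dest)
    if host_label is None or host_label == "-CIPSO":
        return "cipso"          # labeled networking: the CIPSO tag carries the label
    if host_label == "@":
        return "unlabeled"      # '@' is the Internet: any label may reach it
    # single-label host: sent unlabeled, but only with write access to its label
    return "unlabeled" if can_write(sender_label, host_label) else "denied"


def inbound_label(entries, src, cipso_label=None, ambient=AMBIENT):
    """Label attached to a packet arriving from src: the single-label host's
    label, else the CIPSO tag if present, else the ambient label."""
    host_label = lookup(entries, src)
    if host_label not in (None, "-CIPSO"):
        return host_label
    return cipso_label if cipso_label is not None else ambient
```

With this table the /32 entry for the printer wins over the /24 that covers it, so a task reaches the printer only with write access to "Printer" while the rest of that subnet is spoken to with CIPSO headers.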

Writing Applications for Smack

There are three sorts of applications that will run on a Smack system. How an
application interacts with Smack will determine what it will have to do to
work properly under Smack.

Smack Ignorant Applications

By far the majority of applications have no reason whatever to care about the
unique properties of Smack. Since invoking a program has no impact on the
Smack label associated with the process the only concern likely to arise is
whether the process has execute access to the program.

Smack Relevant Applications

Some programs can be improved by teaching them about Smack, but do not make
any security decisions themselves. The utility ls(1) is one example of such a
program.

Smack Enforcing Applications

These are special programs that not only know about Smack, but participate in
the enforcement of system policy. In most cases these are the programs that
set up user sessions. There are also network services that provide information
to processes running with various labels.

File System Interfaces

Smack maintains labels on file system objects using extended attributes. The
Smack label of a file, directory, or other file system object can be obtained
using getxattr(2).

	len = getxattr("/", "security.SMACK64", value, sizeof (value));

will put the Smack label of the root directory into value. A privileged
process can set the Smack label of a file system object with setxattr(2).

	len = strlen("Rubble");
	rc = setxattr("/foo", "security.SMACK64", "Rubble", len, 0);

will set the Smack label of /foo to "Rubble" if the program has appropriate
privilege.

Socket Interfaces

The socket attributes can be read using fgetxattr(2).

A privileged process can set the Smack label of outgoing packets with
fsetxattr(2).

	len = strlen("Rubble");
	rc = fsetxattr(fd, "security.SMACK64IPOUT", "Rubble", len, 0);

will set the Smack label "Rubble" on packets going out from the socket if the
program has appropriate privilege.

	rc = fsetxattr(fd, "security.SMACK64IPIN", "*", strlen("*"), 0);

will set the Smack label "*" as the object label against which incoming
packets will be checked if the program has appropriate privilege.

Administration

Smack supports some mount options:

	smackfsdef=label: specifies the label to give files that lack
	the Smack label extended attribute.

	smackfsroot=label: specifies the label to assign the root of the
	file system if it lacks the Smack extended attribute.

	smackfshat=label: specifies a label that must have read access to
	all labels set on the filesystem. Not yet enforced.

	smackfsfloor=label: specifies a label to which all labels set on the
	filesystem must have read access. Not yet enforced.

These mount options apply to all file system types.

Smack auditing

If you want Smack auditing of security events, you need to set CONFIG_AUDIT
in your kernel configuration.
By default, all denied events will be audited. You can change this behavior by
writing a single character to the /sys/fs/smackfs/logging file:
0 : no logging
1 : log denied (default)
2 : log accepted
3 : log denied & accepted

Events are logged as 'key=value' pairs; for each event you will at least get
the subject, the object, the rights requested, the action, the kernel function
that triggered the event, plus other pairs depending on the type of event
audited.

Bringup Mode

Bringup mode provides logging features that can make application
configuration and system bringup easier. Configure the kernel with
CONFIG_SECURITY_SMACK_BRINGUP to enable these features. When bringup
mode is enabled accesses that succeed due to rules marked with the "b"
access mode will be logged. When a new label is introduced for processes
rules can be added aggressively, marked with the "b". The logging allows
tracking of which rules actually get used for that label.

Another feature of bringup mode is the "unconfined" option. Writing
a label to /sys/fs/smackfs/unconfined makes subjects with that label
able to access any object, and objects with that label accessible to
all subjects. Any access that is granted because a label is unconfined
is logged. This feature is dangerous, as files and directories may
be created in places they couldn't if the policy were being enforced.
Information is copyright its respective author. All material is available from the Linux Kernel Source distributed under a GPL License. This page is provided as a free service by mjmwired.net.