=====
Smack
=====


    "Good for you, you've decided to clean the elevator!"
    - The Elevator, from Dark Star

Smack is the Simplified Mandatory Access Control Kernel.
Smack is a kernel based implementation of mandatory access
control that includes simplicity in its primary design goals.

Smack is not the only Mandatory Access Control scheme
available for Linux. Those new to Mandatory Access Control
are encouraged to compare Smack with the other mechanisms
available to determine which is best suited to the problem
at hand.

Smack consists of three major components:

    - The kernel
    - Basic utilities, which are helpful but not required
    - Configuration data

The kernel component of Smack is implemented as a Linux
Security Modules (LSM) module. It requires netlabel and
works best with file systems that support extended attributes,
although xattr support is not strictly required.
It is safe to run a Smack kernel under a "vanilla" distribution.

Smack kernels use the CIPSO IP option. Some network
configurations are intolerant of IP options and can impede
access to systems that use them as Smack does.

Smack is used in the Tizen operating system. Please
go to http://wiki.tizen.org for information about how
Smack is used in Tizen.

The current git repository for Smack user space is:

    git://github.com/smack-team/smack.git

This should make and install on most modern distributions.
There are five commands included in smackutil:

chsmack:
    display or set Smack extended attribute values

smackctl:
    load the Smack access rules

smackaccess:
    report if a process with one label has access
    to an object with another

The following two commands are obsolete with the introduction of
the smackfs/load2 and smackfs/cipso2 interfaces.

smackload:
    properly formats data for writing to smackfs/load

smackcipso:
    properly formats data for writing to smackfs/cipso

In keeping with the intent of Smack, configuration data is
minimal and not strictly required. The most important
configuration step is mounting the smackfs pseudo filesystem.
If smackutil is installed the startup script will take care
of this, but it can be done manually as well.

Add this line to ``/etc/fstab``::

    smackfs /sys/fs/smackfs smackfs defaults 0 0

The ``/sys/fs/smackfs`` directory is created by the kernel.

Smack uses extended attributes (xattrs) to store labels on filesystem
objects. The attributes are stored in the extended attribute security
name space. A process must have ``CAP_MAC_ADMIN`` to change any of these
attributes.

The extended attributes that Smack uses are:

SMACK64
    Used to make access control decisions. In almost all cases
    the label given to a new filesystem object will be the label
    of the process that created it.

SMACK64EXEC
    The Smack label of a process that execs a program file with
    this attribute set will run with this attribute's value.

SMACK64MMAP
    Don't allow the file to be mmapped by a process whose Smack
    label does not allow all of the access permitted to a process
    with the label contained in this attribute. This is a very
    specific use case for shared libraries.

SMACK64TRANSMUTE
    Can only have the value "TRUE". If this attribute is present
    on a directory when an object is created in the directory and
    the Smack rule (more below) that permitted the write access
    to the directory includes the transmute ("t") mode the object
    gets the label of the directory instead of the label of the
    creating process. If the object being created is a directory
    the SMACK64TRANSMUTE attribute is set as well.

SMACK64IPIN
    This attribute is only available on file descriptors for sockets.
    Use the Smack label in this attribute for access control
    decisions on packets being delivered to this socket.

SMACK64IPOUT
    This attribute is only available on file descriptors for sockets.
    Use the Smack label in this attribute for access control
    decisions on packets coming from this socket.

There are multiple ways to set a Smack label on a file::

    # attr -S -s SMACK64 -V "value" path
    # chsmack -a value path

A process can see the Smack label it is running with by
reading ``/proc/self/attr/current``. A process with ``CAP_MAC_ADMIN``
can set the process Smack by writing there.

Most Smack configuration is accomplished by writing to files
in the smackfs filesystem. This pseudo-filesystem is mounted
on ``/sys/fs/smackfs``.

access
    Provided for backward compatibility. The access2 interface
    is preferred and should be used instead.
    This interface reports whether a subject with the specified
    Smack label has a particular access to an object with a
    specified Smack label. Write a fixed format access rule to
    this file. The next read will indicate whether the access
    would be permitted. The text will be either "1" indicating
    access, or "0" indicating denial.

access2
    This interface reports whether a subject with the specified
    Smack label has a particular access to an object with a
    specified Smack label. Write a long format access rule to
    this file. The next read will indicate whether the access
    would be permitted. The text will be either "1" indicating
    access, or "0" indicating denial.

ambient
    This contains the Smack label applied to unlabeled network
    packets.

change-rule
    This interface allows modification of existing access control rules.
    The format accepted on write is::

        "%s %s %s %s"

    where the first string is the subject label, the second the
    object label, the third the access to allow and the fourth the
    access to deny. The access strings may contain only the characters
    "rwxat-". If a rule for a given subject and object exists it will be
    modified by enabling the permissions in the third string and disabling
    those in the fourth string. If there is no such rule it will be
    created using the access specified in the third and the fourth strings.

cipso
    Provided for backward compatibility. The cipso2 interface
    is preferred and should be used instead.
    This interface allows a specific CIPSO header to be assigned
    to a Smack label. The format accepted on write is::

        "%24s%4d%4d"["%4d"]...

    The first string is a fixed Smack label. The first number is
    the level to use. The second number is the number of categories.
    The following numbers are the categories::

        "level-3-cats-5-19 3 2 5 19"

cipso2
    This interface allows a specific CIPSO header to be assigned
    to a Smack label. The format accepted on write is::

        "%s%4d%4d"["%4d"]...

    The first string is a long Smack label. The first number is
    the level to use. The second number is the number of categories.
    The following numbers are the categories::

        "level-3-cats-5-19 3 2 5 19"

direct
    This contains the CIPSO level used for Smack direct label
    representation in network packets.

doi
    This contains the CIPSO domain of interpretation used in
    network packets.

ipv6host
    This interface allows specific IPv6 internet addresses to be
    treated as single label hosts. Packets are sent to single
    label hosts only from processes that have Smack write access
    to the host label. All packets received from single label hosts
    are given the specified label. The format accepted on write is::

        "%h:%h:%h:%h:%h:%h:%h:%h label" or
        "%h:%h:%h:%h:%h:%h:%h:%h/%d label".

    The "::" address shortcut is not supported.
    If label is "-DELETE" a matched entry will be deleted.

load
    Provided for backward compatibility. The load2 interface
    is preferred and should be used instead.
    This interface allows access control rules in addition to
    the system defined rules to be specified. The format accepted
    on write is::

        "%24s%24s%5s"

    where the first string is the subject label, the second the
    object label, and the third the requested access. The access
    string may contain only the characters "rwxat-", and specifies
    which sort of access is allowed. The "-" is a placeholder for
    permissions that are not allowed. The string "r-x--" would
    specify read and execute access. Labels are limited to 23
    characters in length.

load2
    This interface allows access control rules in addition to
    the system defined rules to be specified. The format accepted
    on write is::

        "%s %s %s"

    where the first string is the subject label, the second the
    object label, and the third the requested access. The access
    string may contain only the characters "rwxat-", and specifies
    which sort of access is allowed. The "-" is a placeholder for
    permissions that are not allowed. The string "r-x--" would
    specify read and execute access.

load-self
    Provided for backward compatibility. The load-self2 interface
    is preferred and should be used instead.
    This interface allows process specific access rules to be
    defined. These rules are only consulted if access would
    otherwise be permitted, and are intended to provide additional
    restrictions on the process. The format is the same as for
    the load interface.

load-self2
    This interface allows process specific access rules to be
    defined. These rules are only consulted if access would
    otherwise be permitted, and are intended to provide additional
    restrictions on the process. The format is the same as for
    the load2 interface.

logging
    This contains the Smack logging state.

mapped
    This contains the CIPSO level used for Smack mapped label
    representation in network packets.

netlabel
    This interface allows specific internet addresses to be
    treated as single label hosts. Packets are sent to single
    label hosts without CIPSO headers, but only from processes
    that have Smack write access to the host label. All packets
    received from single label hosts are given the specified
    label. The format accepted on write is::

        "%d.%d.%d.%d label" or "%d.%d.%d.%d/%d label".

    If the label specified is "-CIPSO" the address is treated
    as a host that supports CIPSO headers.

onlycap
    This contains labels processes must have for ``CAP_MAC_ADMIN``
    and ``CAP_MAC_OVERRIDE`` to be effective. If this file is empty
    these capabilities are effective for processes with any
    label. The values are set by writing the desired labels, separated
    by spaces, to the file or cleared by writing "-" to the file.

ptrace
    This is used to define the current ptrace policy.

    0 - default:
        this is the policy that relies on Smack access rules.
        For ``PTRACE_READ`` a subject needs to have read access on the
        object. For ``PTRACE_ATTACH`` read-write access is required.

    1 - exact:
        this is the policy that limits ``PTRACE_ATTACH``. Attach is
        only allowed when the subject's and object's labels are equal.
        ``PTRACE_READ`` is not affected. Can be overridden with ``CAP_SYS_PTRACE``.

    2 - draconian:
        this policy behaves like 'exact' above with the
        exception that it can't be overridden with ``CAP_SYS_PTRACE``.

revoke-subject
    Writing a Smack label here sets the access to '-' for all access
    rules with that subject label.

unconfined
    If the kernel is configured with ``CONFIG_SECURITY_SMACK_BRINGUP``
    a process with ``CAP_MAC_ADMIN`` can write a label into this interface.
    Thereafter, accesses that involve that label will be logged and
    the access permitted if it wouldn't be otherwise. Note that this
    is dangerous and can ruin the proper labeling of your system.
    It should never be used in production.

relabel-self
    This interface contains a list of labels to which the process can
    transition by writing to ``/proc/self/attr/current``.
    Normally a process can change its own label to any legal value, but only
    if it has ``CAP_MAC_ADMIN``. This interface allows a process without
    ``CAP_MAC_ADMIN`` to relabel itself to one of the labels from a predefined list.
    A process without ``CAP_MAC_ADMIN`` can change its label only once. When it
    does, this list will be cleared.
    The values are set by writing the desired labels, separated
    by spaces, to the file or cleared by writing "-" to the file.
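
The write formats quoted for load, load2, change-rule, cipso and cipso2 above, assembled and validated in one place. This is an added example written for this page, not code from the kernel or from smackutil; the field widths, the 23-character fixed-format limit and the "rwxat-" alphabet come from the text above, while the rule that a label may not contain whitespace is an assumption drawn from the space-separated long formats.

```python
"""Build the lines the smackfs interfaces accept (load, load2, change-rule,
cipso, cipso2). Added example for this page; not kernel or smackutil code."""

from typing import Iterable

# Access modes in the positional order the page's example "r-x--" uses.
ACCESS_MODES = "rwxat"
# Fixed-format (load/cipso) labels are limited to 23 characters; the page
# writes the field as "%24s", i.e. a 24-byte field holding the label.
FIXED_LABEL_FIELD = 24
FIXED_LABEL_MAX = FIXED_LABEL_FIELD - 1
FIXED_ACCESS_FIELD = 5


def check_label(label: str, fixed: bool = False) -> str:
    """Reject labels that cannot be written to smackfs.

    The page states only the 23-character limit for the fixed format; the
    no-whitespace rule is an assumption that follows from "%s %s %s"."""
    if not label or any(ch.isspace() for ch in label):
        raise ValueError(f"invalid Smack label: {label!r}")
    if fixed and len(label) > FIXED_LABEL_MAX:
        raise ValueError(f"label longer than {FIXED_LABEL_MAX} chars: {label!r}")
    return label


def normalize_access(spec: str) -> str:
    """Turn any spelling of an access set ("xr", "r-x--") into the positional
    5-character form, with '-' as the placeholder for a mode not granted."""
    granted = set()
    for ch in spec.lower():
        if ch == "-":
            continue
        if ch not in ACCESS_MODES:
            raise ValueError(f"access may contain only 'rwxat-': {spec!r}")
        granted.add(ch)
    return "".join(m if m in granted else "-" for m in ACCESS_MODES)


def format_load(subject: str, obj: str, access: str) -> str:
    """Legacy smackfs/load line: "%24s%24s%5s" with 23-char labels."""
    return (check_label(subject, fixed=True).ljust(FIXED_LABEL_FIELD)
            + check_label(obj, fixed=True).ljust(FIXED_LABEL_FIELD)
            + normalize_access(access).ljust(FIXED_ACCESS_FIELD))


def format_load2(subject: str, obj: str, access: str) -> str:
    """smackfs/load2 line: "%s %s %s" (no label length limit)."""
    return f"{check_label(subject)} {check_label(obj)} {normalize_access(access)}"


def format_change_rule(subject: str, obj: str, allow: str, deny: str) -> str:
    """smackfs/change-rule line: "%s %s %s %s", the allow set then the deny set."""
    return (f"{check_label(subject)} {check_label(obj)} "
            f"{normalize_access(allow)} {normalize_access(deny)}")


def format_cipso2(label: str, level: int, categories: Iterable[int]) -> str:
    """smackfs/cipso2 line: "%s%4d%4d"["%4d"]... (label, level, count, cats)."""
    cats = list(categories)
    return check_label(label) + "".join("%4d" % n for n in (level, len(cats), *cats))


def format_cipso(label: str, level: int, categories: Iterable[int]) -> str:
    """Legacy smackfs/cipso line: "%24s%4d%4d"["%4d"]... with a 23-char label."""
    cats = list(categories)
    return (check_label(label, fixed=True).ljust(FIXED_LABEL_FIELD)
            + "".join("%4d" % n for n in (level, len(cats), *cats)))


if __name__ == "__main__":
    # Constructed sample labels, not taken from any real system.
    print(repr(format_load2("System", "User", "xr")))
    print(repr(format_load("System", "User", "r-x--")))
    print(repr(format_cipso2("level-3-cats-5-19", 3, [5, 19])))
```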

If you are using the smackload utility
you can add access rules in ``/etc/smack/accesses``. They take the form::

    subjectlabel objectlabel access

access is a combination of the letters rwxatb which specify the
kind of access permitted a subject with subjectlabel on an
object with objectlabel. If there is no rule no access is allowed.
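
A model of how the rule table answers an access query under the semantics this page gives: no rule means no access, load2 sets a rule outright, change-rule enables the third string's modes and disables the fourth's, revoke-subject sets a subject's rules to '-', and load-self2 rules can only take access away. This is an added example written for this page, not the kernel's implementation, and it deliberately models nothing the page does not describe.

```python
"""Model of how Smack's rule table answers an access query, following the
semantics this page gives for load2, change-rule, revoke-subject and
load-self2. Added example for this page; not the kernel's implementation."""

ACCESS_MODES = "rwxat"


def parse_modes(spec):
    """Access string ("rwxat-" characters, any order, '-' ignored) -> set."""
    modes = set(spec.lower()) - {"-"}
    if not modes <= set(ACCESS_MODES):
        raise ValueError(f"access may contain only 'rwxat-': {spec!r}")
    return modes


class SmackRules:
    """In-memory stand-in for the kernel rule list behind smackfs."""

    def __init__(self):
        self.rules = {}       # (subject, object) -> granted modes (load2)
        self.self_rules = {}  # (subject, object) -> modes (load-self2)

    def load2(self, line):
        """smackfs/load2 write, "%s %s %s": set the rule's access outright."""
        subject, obj, access = line.split()
        self.rules[(subject, obj)] = parse_modes(access)

    def change_rule(self, line):
        """smackfs/change-rule write, "%s %s %s %s": enable the modes in the
        third string, disable those in the fourth; create the rule if absent."""
        subject, obj, allow, deny = line.split()
        current = self.rules.setdefault((subject, obj), set())
        current |= parse_modes(allow)
        current -= parse_modes(deny)

    def revoke_subject(self, subject):
        """smackfs/revoke-subject write: every rule with this subject label
        is set to '-'. The rule entries stay but grant nothing."""
        for key in list(self.rules):
            if key[0] == subject:
                self.rules[key] = set()

    def load_self2(self, line):
        """smackfs/load-self2 write: a process-specific rule that is consulted
        only when the system rules already permit the access."""
        subject, obj, access = line.split()
        self.self_rules[(subject, obj)] = parse_modes(access)

    def access2(self, subject, obj, requested):
        """The text smackfs/access2 would return for "subject object access":
        "1" if every requested mode is granted, "0" otherwise."""
        wanted = parse_modes(requested)
        if not wanted:
            raise ValueError("at least one access mode must be requested")
        # No rule for the pair means no access at all.
        if not wanted <= self.rules.get((subject, obj), set()):
            return "0"
        # A load-self2 rule can only take access away, never add it.
        own = self.self_rules.get((subject, obj))
        if own is not None and not wanted <= own:
            return "0"
        return "1"


if __name__ == "__main__":
    # Constructed labels, not from any real system.
    table = SmackRules()
    table.load2("Editor Docs rwx--")
    table.change_rule("Editor Docs a x")
    print(table.access2("Editor", "Docs", "rwa"))  # "1": read, write, append
    print(table.access2("Editor", "Docs", "x"))    # "0": execute was disabled
```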

Look for additional programs on http://schaufler-ca.com

The Simplified Mandatory Access Control Kernel (Whitepaper)
===========================================================

Casey Schaufler
casey@schaufler-ca.com

Mandatory Access Control
------------------------

Computer systems employ a variety of schemes to constrain how information is
shared among the people and services using the machine. Some of these schemes
allow the program or user to decide what other programs or users are allowed
access to pieces of data. These schemes are called discretionary access
control mechanisms because the access control is specified at the discretion
of the user. Other schemes do not leave the decision regarding what a user or
program can access up to users or programs. These schemes are called mandatory
access control mechanisms because you don't have a choice regarding the users
or programs that have access to pieces of data.

Bell & LaPadula
---------------

From the middle of the 1980's until the turn of the century Mandatory Access
Control (MAC) was very closely associated with the Bell & LaPadula security
model, a mathematical description of the United States Department of Defense
policy for marking paper documents. MAC in this form enjoyed a following
within the Capital Beltway and Scandinavian supercomputer centers but was
often cited as failing to address general needs.

Domain Type Enforcement
-----------------------

Around the turn of the century Domain Type Enforcement (DTE) became popular.
This scheme organizes users, programs, and data into domains that are
protected from each other. This scheme has been widely deployed as a component
of popular Linux distributions. The administrative overhead required to
maintain this scheme and the detailed understanding of the whole system
necessary to provide a secure domain mapping leads to the scheme being
disabled or used in limited ways in the majority of cases.

Smack
-----

Smack is a Mandatory Access Control mechanism designed to provide useful MAC
while avoiding the pitfalls of its predecessors. The limitations of Bell &
LaPadula are addressed by providing a scheme whereby access can be controlled
according to the requirements of the system and its purpose rather than those
imposed by an arcane government policy. The complexity of Domain Type
Enforcement is avoided by defining access controls in terms of the access
modes already in use.

Smack Terminology
-----------------

The jargon used to talk about Smack will be familiar to those who have dealt
with other MAC systems and shouldn't be too difficult for the uninitiated to
pick up. There are four terms that are used in a specific way and that are
especially important:

Subject:
    A subject is an active entity on the computer system.
    On Smack a subject is a task, which is in turn the basic unit
    of execution.

Object:
    An object is a passive entity on the computer system.
    On Smack files of all types, IPC, and tasks can be objects.

Access:
    Any attempt by a subject to put information into or get
    information from an object is an access.

Label:
    Data that identifies the Mandatory Access Control
    characteristics of a subject or an object.

These definitions are consistent with the traditional use in the security
community. There are also some terms from Linux that are likely to crop up:

Capability:
    A task that possesses a capability has permission to
    violate an aspect of the system security policy, as identified by
    the specific capability. A task that possesses one or more
    capabilities is a privileged task, whereas a task with no
    capabilities is an unprivileged task.

Privilege:
    A task that is allowed to violate the system security
    policy is said to have privilege. As of this writing a task can
    have privilege either by possessing capabilities or by having an
    effective user of root.

Smack Basics
------------

Smack is an extension to a Linux system. It enforces additional restrictions
on what subjects can access which objects, based on the labels attached to
each of the subject and the object.

Labels
~~~~~~

Smack labels are ASCII character strings. They can be up to 255 characters
long, but keeping them to twenty-three characters is recommended.
Single character labels using special characters, that being anything
other than a letter or digit, are reserved for use by the Smack development
team. Smack labels are unstructured, case sensitive, and the only operation
ever performed on them is comparison for equality. Smack labels cannot
contain unprintable characters, the "/" (slash), the "\" (backslash), the "'"
(quote) and '"' (double-quote) characters.
Smack labels cannot begin with a '-'. This is reserved for special options.

There are some predefined labels::

    _   Pronounced "floor", a single underscore character.
    ^   Pronounced "hat", a single circumflex character.
    *   Pronounced "star", a single asterisk character.
    ?   Pronounced "huh", a single question mark character.
    @   Pronounced "web", a single at sign character.

Every task on a Smack system is assigned a label. The Smack label
of a process will usually be assigned by the system initialization
mechanism.

Access Rules
~~~~~~~~~~~~

Smack uses the traditional access modes of Linux. These modes are read,
execute, write, and occasionally append. There are a few cases where the
access mode may not be obvious. These include:

Signals:
    A signal is a write operation from the subject task to
    the object task.

Internet Domain IPC:
    Transmission of a packet is considered a
    write operation from the source task to the destination task.

Smack restricts access based on the label attached to a subject and the label
attached to the object it is trying to access. The rules enforced are, in
order:

1. Any access requested by a task labeled "*" is denied.
2. A read or execute access requested by a task labeled "^"
   is permitted.
3. A read or execute access requested on an object labeled "_"
   is permitted.
4. Any access requested on an object labeled "*" is permitted.
5. Any access requested by a task on an object with the same
   label is permitted.
6. Any access requested that is explicitly defined in the loaded
   rule set is permitted.
7. Any other access is denied.

Smack Access Rules
~~~~~~~~~~~~~~~~~~

With the isolation provided by Smack, access separation is simple. There are
many interesting cases where limited access by subjects to objects with
different labels is desired. One example is the familiar spy model of
sensitivity, where a scientist working on a highly classified project would be
able to read documents of lower classifications and anything she writes will
be "born" highly classified. To accommodate such schemes Smack includes a
mechanism for specifying rules allowing access between labels.

Access Rule Format
~~~~~~~~~~~~~~~~~~

The format of an access rule is::

    subject-label object-label access

Where subject-label is the Smack label of the task, object-label is the Smack
label of the thing being accessed, and access is a string specifying the sort
of access allowed. The access specification is searched for letters that
describe access modes:

    a: indicates that append access should be granted.
    r: indicates that read access should be granted.
    w: indicates that write access should be granted.
    x: indicates that execute access should be granted.
    t: indicates that the rule requests transmutation.
    b: indicates that the rule should be reported for bring-up.

Uppercase values for the specification letters are allowed as well.
Access mode specifications can be in any order. Examples of acceptable rules
are::

    TopSecret Secret rx
    Secret Unclass R
    Manager Game x
    User HR w
    Snap Crackle rwxatb
    New Old rRrRr
    Closed Off -

Examples of unacceptable rules are::

    Top Secret Secret rx
    Ace Ace r
    Odd spells waxbeans

Spaces are not allowed in labels. Since a subject always has access to files
with the same label, specifying a rule for that case is pointless. Only
valid letters (rwxatbRWXATB) and the dash ('-') character are allowed in
access specifications. The dash is a placeholder, so "a-r" is the same
as "ar". A lone dash is used to specify that no access should be allowed.

Applying Access Rules
~~~~~~~~~~~~~~~~~~~~~

The developers of Linux rarely define new sorts of things, usually importing
schemes and concepts from other systems. Most often, the other systems are
variants of Unix. Unix has many endearing properties, but consistency of
access control models is not one of them. Smack strives to treat accesses as
uniformly as is sensible while keeping with the spirit of the underlying
mechanism.

File system objects including files, directories, named pipes, symbolic links,
and devices require access permissions that closely match those used by mode
bit access. To open a file for reading, read access is required on the file. To
search a directory requires execute access. Creating a file with write access
requires both read and write access on the containing directory. Deleting a
file requires read and write access to the file and to the containing
directory. It is possible that a user may be able to see that a file exists
but not any of its attributes by the circumstance of having read access to the
containing directory but not to the differently labeled file. This is an
artifact of the file name being data in the directory, not a part of the file.

If a directory is marked as transmuting (SMACK64TRANSMUTE=TRUE) and the
access rule that allows a process to create an object in that directory
includes 't' access the label assigned to the new object will be that
of the directory, not the creating process. This makes it much easier
for two processes with different labels to share data without granting
access to all of their files.
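
The rule-line format, the seven ordered access checks and the transmute label
inheritance described above, modelled as an added example that is not code
from the kernel or the Smack utilities. The function names are the editor's
own; the validation follows the acceptable and unacceptable rules listed above,
and loading keeps one rule per subject/object pair with the most recent winning.

```python
"""Model of Smack's access rule format and ordered access decision.

Added example, not code from the Linux kernel or the Smack utilities.
Function names are the editor's own; the rule syntax, label restrictions,
the seven ordered checks and the transmute behaviour follow the document.
"""

# Access-specification letters and the mode each one grants.
ACCESS_LETTERS = {"r": "read", "w": "write", "x": "execute",
                  "a": "append", "t": "transmute", "b": "bringup"}
# Characters a label may never contain (besides unprintable ones and space).
FORBIDDEN_IN_LABEL = set("/\\'\"")


def valid_label(label):
    """1 to 255 printable ASCII characters, no space, slash, backslash,
    quote or double-quote, and no leading '-' (reserved for options)."""
    if not 1 <= len(label) <= 255 or label.startswith("-"):
        return False
    return all(33 <= ord(c) <= 126 and c not in FORBIDDEN_IN_LABEL
               for c in label)


def parse_access(spec):
    """Turn 'rwxatb', 'R', 'rRrRr', 'a-r' or '-' into a set of mode names.
    Case and order are irrelevant; '-' is a placeholder granting nothing."""
    modes = set()
    for ch in spec:
        if ch == "-":
            continue
        mode = ACCESS_LETTERS.get(ch.lower())
        if mode is None:
            raise ValueError("invalid access letter %r in %r" % (ch, spec))
        modes.add(mode)
    return frozenset(modes)


def parse_rule(line):
    """Parse one 'subject-label object-label access' line."""
    fields = line.split()
    if len(fields) != 3:            # rejects 'Top Secret Secret rx'
        raise ValueError("rule needs exactly three fields: %r" % line)
    subject, obj, spec = fields
    for label in (subject, obj):
        if not valid_label(label):
            raise ValueError("invalid label %r" % label)
    if subject == obj:              # rejects 'Ace Ace r': always permitted anyway
        raise ValueError("rule for identical labels is pointless: %r" % line)
    return subject, obj, parse_access(spec)


def load_rules(lines):
    """Build the rule set: one rule per (subject, object) pair, with the
    most recently loaded specification overriding any earlier one."""
    rules = {}
    for line in lines:
        if line.strip():
            subject, obj, modes = parse_rule(line)
            rules[(subject, obj)] = modes
    return rules


def smack_access(rules, subject, obj, mode):
    """The seven ordered checks from the 'Access Rules' section."""
    if subject == "*":                                   # 1. star subject
        return False
    if subject == "^" and mode in ("read", "execute"):   # 2. hat subject
        return True
    if obj == "_" and mode in ("read", "execute"):       # 3. floor object
        return True
    if obj == "*":                                       # 4. star object
        return True
    if subject == obj:                                   # 5. same label
        return True
    if mode in rules.get((subject, obj), ()):            # 6. explicit rule
        return True
    return False                                         # 7. default deny


def create_label(rules, process_label, dir_label, dir_transmuting):
    """Label a new object created by process_label in dir_label receives,
    or None when creation is denied. Creating needs read and write on the
    directory; with SMACK64TRANSMUTE=TRUE and a rule carrying 't' the new
    object takes the directory's label instead of the creator's."""
    if not (smack_access(rules, process_label, dir_label, "read")
            and smack_access(rules, process_label, dir_label, "write")):
        return None
    explicit = rules.get((process_label, dir_label), ())
    if dir_transmuting and "transmute" in explicit:
        return dir_label
    return process_label
```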

IPC objects, message queues, semaphore sets, and memory segments exist in flat
namespaces and access requests are only required to match the object in
question.

Process objects reflect tasks on the system and the Smack label used to access
them is the same Smack label that the task would use for its own access
attempts. Sending a signal via the kill() system call is a write operation
from the signaler to the recipient. Debugging a process requires both reading
and writing. Creating a new task is an internal operation that results in two
tasks with identical Smack labels and requires no access checks.

Sockets are data structures attached to processes and sending a packet from
one process to another requires that the sender have write access to the
receiver. The receiver is not required to have read access to the sender.

Setting Access Rules
~~~~~~~~~~~~~~~~~~~~

The configuration file /etc/smack/accesses contains the rules to be set at
system startup. The contents are written to the special file
/sys/fs/smackfs/load2. Rules can be added at any time and take effect
immediately. For any pair of subject and object labels there can be only
one rule, with the most recently specified overriding any earlier
specification.

Task Attribute
~~~~~~~~~~~~~~

The Smack label of a process can be read from /proc/<pid>/attr/current. A
process can read its own Smack label from /proc/self/attr/current. A
privileged process can change its own Smack label by writing to
/proc/self/attr/current but not the label of another process.

File Attribute
~~~~~~~~~~~~~~

The Smack label of a filesystem object is stored as an extended attribute
named SMACK64 on the file. This attribute is in the security namespace. It can
only be changed by a process with privilege.

Privilege
~~~~~~~~~

A process with CAP_MAC_OVERRIDE or CAP_MAC_ADMIN is privileged.
CAP_MAC_OVERRIDE allows the process access to objects it would
be denied otherwise. CAP_MAC_ADMIN allows a process to change
Smack data, including rules and attributes.

Smack Networking
~~~~~~~~~~~~~~~~

As mentioned before, Smack enforces access control on network protocol
transmissions. Every packet sent by a Smack process is tagged with its Smack
label. This is done by adding a CIPSO tag to the header of the IP packet. Each
packet received is expected to have a CIPSO tag that identifies the label and
if it lacks such a tag the network ambient label is assumed. Before the packet
is delivered a check is made to determine that a subject with the label on the
packet has write access to the receiving process and if that is not the case
the packet is dropped.

CIPSO Configuration
~~~~~~~~~~~~~~~~~~~

It is normally unnecessary to specify the CIPSO configuration. The default
values used by the system handle all internal cases. Smack will compose CIPSO
label values to match the Smack labels being used without administrative
intervention. Unlabeled packets that come into the system will be given the
ambient label.

Smack requires configuration in the case where packets from a non-Smack system
that speaks CIPSO may be encountered. Usually this will be a Trusted
Solaris system, but there are other, less widely deployed systems out there.
CIPSO provides 3 important values, a Domain Of Interpretation (DOI), a level,
and a category set with each packet. The DOI is intended to identify a group
of systems that use compatible labeling schemes, and the DOI specified on the
Smack system must match that of the remote system or packets will be
discarded. The DOI is 3 by default. The value can be read from
/sys/fs/smackfs/doi and can be changed by writing to /sys/fs/smackfs/doi.

The label and category set are mapped to a Smack label as defined in
/etc/smack/cipso.

A Smack/CIPSO mapping has the form::

    smack level [category [category]*]

Smack does not expect the level or category sets to be related in any
particular way and does not assume or assign accesses based on them. Some
examples of mappings::

    TopSecret 7
    TS:A,B    7 1 2
    SecBDE    5 2 4 6
    RAFTERS   7 12 26

The ":" and "," characters are permitted in a Smack label but have no special
meaning.

The mapping of Smack labels to CIPSO values is defined by writing to
/sys/fs/smackfs/cipso2.

In addition to explicit mappings Smack supports direct CIPSO mappings. One
CIPSO level is used to indicate that the category set passed in the packet is
in fact an encoding of the Smack label. The level used is 250 by default. The
value can be read from /sys/fs/smackfs/direct and changed by writing to
/sys/fs/smackfs/direct.

Socket Attributes
~~~~~~~~~~~~~~~~~

There are two attributes that are associated with sockets. These attributes
can only be set by privileged tasks, but any task can read them for their own
sockets.

SMACK64IPIN:
    The Smack label of the task object. A privileged
    program that will enforce policy may set this to the star label.

SMACK64IPOUT:
    The Smack label transmitted with outgoing packets.
    A privileged program may set this to match the label of another
    task with which it hopes to communicate.

Smack Netlabel Exceptions
~~~~~~~~~~~~~~~~~~~~~~~~~

You will often find that your labeled application has to talk to the outside,
unlabeled world. To do this there's a special file /sys/fs/smackfs/netlabel
where you can add some exceptions in the form of::

    @IP1       LABEL1 or
    @IP2/MASK  LABEL2

It means that your application will have unlabeled access to @IP1 if it has
write access on LABEL1, and access to the subnet @IP2/MASK if it has write
access on LABEL2.

Entries in the /sys/fs/smackfs/netlabel file are matched by longest mask
first, like in classless IPv4 routing.

A special label '@' and an option '-CIPSO' can be used there::

    @      means Internet, any application with any label has access to it
    -CIPSO means standard CIPSO networking

If you don't know what CIPSO is and don't plan to use it, you can just do::

    echo 127.0.0.1 -CIPSO > /sys/fs/smackfs/netlabel
    echo 0.0.0.0/0 @ > /sys/fs/smackfs/netlabel

If you use CIPSO on your 192.168.0.0/16 local network and need also unlabeled
Internet access, you can have::

    echo 127.0.0.1 -CIPSO > /sys/fs/smackfs/netlabel
    echo 192.168.0.0/16 -CIPSO > /sys/fs/smackfs/netlabel
    echo 0.0.0.0/0 @ > /sys/fs/smackfs/netlabel

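How the netlabel entries above are selected for a destination address, as an
added example that is not kernel code. It takes the Smack write-access check
as a caller-supplied function rather than repeating it, and it assumes (the
document does not say) that a destination no entry covers is handled as
standard CIPSO networking and that a task lacking write access to an entry's
label is denied.

```python
"""Model of /sys/fs/smackfs/netlabel exception matching.

Added example, not code from the Linux kernel. The has_write_access
argument stands in for Smack's own subject/object access decision.
"""
import ipaddress


def parse_netlabel_entries(lines):
    """Parse 'IP[/MASK] LABEL' lines; a bare host address is a /32."""
    entries = []
    for line in lines:
        fields = line.split()
        if len(fields) != 2:
            raise ValueError("entry needs a host and a label: %r" % line)
        host, label = fields
        entries.append((ipaddress.ip_network(host, strict=False), label))
    return entries


def select_entry(entries, dst_ip):
    """Longest mask wins, like classless IPv4 routing; None if no match."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for net, label in entries:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label)
    return best


def outgoing_mode(entries, dst_ip, subject_label, has_write_access):
    """How a task labeled subject_label reaches dst_ip:
    'cipso'     packets carry the task's label (-CIPSO option, or no entry;
                the no-entry case is this example's assumption)
    'unlabeled' the exception applies: '@' admits any label, any other
                label requires write access from the task to that label
    'denied'    an exception covers the address but the task lacks write
                access to its label (also this example's assumption)
    """
    hit = select_entry(entries, dst_ip)
    if hit is None or hit[1] == "-CIPSO":
        return "cipso"
    label = hit[1]
    if label == "@" or has_write_access(subject_label, label):
        return "unlabeled"
    return "denied"
```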
Writing Applications for Smack
------------------------------

There are three sorts of applications that will run on a Smack system. How an
application interacts with Smack will determine what it will have to do to
work properly under Smack.

Smack Ignorant Applications
---------------------------

By far the majority of applications have no reason whatever to care about the
unique properties of Smack. Since invoking a program has no impact on the
Smack label associated with the process the only concern likely to arise is
whether the process has execute access to the program.

Smack Relevant Applications
---------------------------

Some programs can be improved by teaching them about Smack, but do not make
any security decisions themselves. The utility ls(1) is one example of such a
program.

Smack Enforcing Applications
----------------------------

These are special programs that not only know about Smack, but participate in
the enforcement of system policy. In most cases these are the programs that
set up user sessions. There are also network services that provide information
to processes running with various labels.

^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 763) File System Interfaces
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 764) ----------------------
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 765)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 766) Smack maintains labels on file system objects using extended attributes. The
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 767) Smack label of a file, directory, or other file system object can be obtained
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 768) using getxattr(2)::
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 769)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 770) len = getxattr("/", "security.SMACK64", value, sizeof (value));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 771)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 772) will put the Smack label of the root directory into value. A privileged
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 773) process can set the Smack label of a file system object with setxattr(2)::
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 774)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 775) len = strlen("Rubble");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 776) rc = setxattr("/foo", "security.SMACK64", "Rubble", len, 0);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 777)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 778) will set the Smack label of /foo to "Rubble" if the program has appropriate
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 779) privilege.
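As an added example (not code from the Smack documentation or the kernel tree), a small C program wrapping the getxattr(2) and setxattr(2) calls above. It handles the point the snippets gloss over: getxattr(2) returns the raw attribute bytes without a terminating NUL, and an object that simply carries no SMACK64 attribute (ENODATA) is a different case from a file system with no xattr support at all. The function names and the 256-byte buffer size are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/xattr.h>

#define SMACK_XATTR "security.SMACK64"

/* Turn a raw xattr value, which getxattr(2) does not NUL-terminate, into
 * a C string. Returns the label length, or -1 if it is empty or too long. */
static int smack_label_from_xattr(const char *raw, ssize_t len,
                                  char *out, size_t outlen)
{
    if (len <= 0 || (size_t)len >= outlen)
        return -1;
    memcpy(out, raw, (size_t)len);
    out[len] = '\0';
    return (int)len;
}

/* Read the Smack label of a file system object. Returns its length, 0 if
 * the object has no SMACK64 attribute (the mount's smackfsdef label then
 * applies), or -1 with errno set (ENOTSUP: no xattr support on that fs). */
static int smack_get_label(const char *path, char *out, size_t outlen)
{
    char raw[256];      /* assumption: large enough for any Smack label */
    ssize_t len = getxattr(path, SMACK_XATTR, raw, sizeof raw);
    if (len < 0 && errno == ENODATA) {
        out[0] = '\0';
        return 0;
    }
    return len < 0 ? -1 : smack_label_from_xattr(raw, len, out, outlen);
}

/* Relabel an object; Smack's "appropriate privilege" here is CAP_MAC_ADMIN. */
static int smack_set_label(const char *path, const char *label)
{
    return setxattr(path, SMACK_XATTR, label, strlen(label), 0);
}

int main(int argc, char **argv)
{
    char label[256];
    int n = smack_get_label(argc > 1 ? argv[1] : "/", label, sizeof label);
    if (n < 0)
        perror("getxattr");
    else
        printf("label: %s\n", n ? label : "(none; smackfsdef applies)");
    return n < 0;
}
```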

Socket Interfaces
-----------------

The socket attributes can be read using fgetxattr(2).

A privileged process can set the Smack label of outgoing packets with
fsetxattr(2)::

    len = strlen("Rubble");
    rc = fsetxattr(fd, "security.SMACK64IPOUT", "Rubble", len, 0);

will set the Smack label "Rubble" on packets going out from the socket if the
program has appropriate privilege::

    rc = fsetxattr(fd, "security.SMACK64IPIN", "*", strlen("*"), 0);

will set the Smack label "*" as the object label against which incoming
packets will be checked if the program has appropriate privilege.

Administration
--------------

Smack supports some mount options:

    smackfsdef=label:
        specifies the label to give files that lack
        the Smack label extended attribute.

    smackfsroot=label:
        specifies the label to assign the root of the
        file system if it lacks the Smack extended attribute.

    smackfshat=label:
        specifies a label that must have read access to
        all labels set on the filesystem. Not yet enforced.

    smackfsfloor=label:
        specifies a label to which all labels set on the
        filesystem must have read access. Not yet enforced.

    smackfstransmute=label:
        behaves exactly like smackfsroot except that it also
        sets the transmute flag on the root of the mount.

These mount options apply to all file system types.

Smack auditing
--------------

If you want Smack auditing of security events, you need to set CONFIG_AUDIT
in your kernel configuration.
By default, all denied events will be audited. You can change this behavior by
writing a single character to the /sys/fs/smackfs/logging file::

    0 : no logging
    1 : log denied (default)
    2 : log accepted
    3 : log denied & accepted

Events are logged as 'key=value' pairs. For each event you will get at least
the subject, the object, the rights requested, the action, and the kernel
function that triggered the event, plus other pairs depending on the type of
event audited.
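As an added example, not part of this documentation, a C parser for the 'key=value' record shape described above, run over two constructed records (not real kernel output) as they would appear with logging set to 3, so that denials can be picked out from the granted accesses that are then logged alongside them. The record text, field widths and function names are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample records (not real kernel output) in the key=value
 * shape the page describes, as they would appear with logging set to 3. */
static const char *const SAMPLE_LOG[] = {
    "type=AVC msg=audit(1.0:1): lsm=SMACK fn=smack_inode_permission "
    "action=denied subject=\"Rubble\" object=\"System\" requested=w pid=42",
    "type=AVC msg=audit(1.0:2): lsm=SMACK fn=smack_inode_permission "
    "action=granted subject=\"_\" object=\"_\" requested=r pid=1",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Copy the value of " key=..." (surrounding quotes stripped) into dst.
 * The key must follow a space and precede '=', so "object" never matches
 * inside "subject". Returns 0 on success, -1 if absent or too long. */
static int get_field(const char *line, const char *key, char *dst, size_t dstlen)
{
    char needle[32];
    const char *v, *end;
    int quoted;

    snprintf(needle, sizeof needle, " %s=", key);
    if ((v = strstr(line, needle)) == NULL)
        return -1;
    v += strlen(needle);
    quoted = (*v == '"');
    if (quoted)
        v++;
    end = quoted ? strchr(v, '"') : v + strcspn(v, " \n");
    if (end == NULL)
        return -1;                      /* unterminated quote */
    if ((size_t)(end - v) >= dstlen)
        return -1;
    memcpy(dst, v, (size_t)(end - v));
    dst[end - v] = '\0';
    return 0;
}

/* Count denials: the records to alert on once grants are logged as well. */
static int smack_count_denied(const char *const *lines, size_t n)
{
    char action[16];
    int denied = 0;
    for (size_t i = 0; i < n; i++)
        if (get_field(lines[i], "action", action, sizeof action) == 0 &&
            strcmp(action, "denied") == 0)
            denied++;
    return denied;
}
```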

Bringup Mode
------------

Bringup mode provides logging features that can make application
configuration and system bringup easier. Configure the kernel with
CONFIG_SECURITY_SMACK_BRINGUP to enable these features. When bringup
mode is enabled, accesses that succeed due to rules marked with the "b"
access mode will be logged. When a new label is introduced for processes,
rules can be added aggressively, marked with the "b". The logging allows
tracking of which rules actually get used for that label.

Another feature of bringup mode is the "unconfined" option. Writing
a label to /sys/fs/smackfs/unconfined makes subjects with that label
able to access any object, and objects with that label accessible to
all subjects. Any access that is granted because a label is unconfined
is logged. This feature is dangerous, as files and directories may
be created in places they couldn't if the policy were being enforced.