=====
Smack
=====


    "Good for you, you've decided to clean the elevator!"
    - The Elevator, from Dark Star

Smack is the Simplified Mandatory Access Control Kernel.
Smack is a kernel-based implementation of mandatory access
control that includes simplicity in its primary design goals.

Smack is not the only Mandatory Access Control scheme
available for Linux. Those new to Mandatory Access Control
are encouraged to compare Smack with the other mechanisms
available to determine which is best suited to the problem
at hand.

Smack consists of three major components:

    - The kernel
    - Basic utilities, which are helpful but not required
    - Configuration data

The kernel component of Smack is implemented as a Linux
Security Modules (LSM) module. It requires netlabel and
works best with file systems that support extended attributes,
although xattr support is not strictly required.
It is safe to run a Smack kernel under a "vanilla" distribution.

Smack kernels use the CIPSO IP option. Some network
configurations are intolerant of IP options and can impede
access to systems that use them as Smack does.

Smack is used in the Tizen operating system. Please
go to http://wiki.tizen.org for information about how
Smack is used in Tizen.

The current git repository for Smack user space is:

    git://github.com/smack-team/smack.git

This should make and install on most modern distributions.
There are five commands included in smackutil:

chsmack:
    display or set Smack extended attribute values

smackctl:
    load the Smack access rules

smackaccess:
    report if a process with one label has access
    to an object with another

The following two commands are obsolete with the introduction of
the smackfs/load2 and smackfs/cipso2 interfaces:

smackload:
    properly formats data for writing to smackfs/load

smackcipso:
    properly formats data for writing to smackfs/cipso

In keeping with the intent of Smack, configuration data is
minimal and not strictly required. The most important
configuration step is mounting the smackfs pseudo filesystem.
If smackutil is installed the startup script will take care
of this, but it can be done manually as well.

Add this line to ``/etc/fstab``::

    smackfs /sys/fs/smackfs smackfs defaults 0 0

The ``/sys/fs/smackfs`` directory is created by the kernel.

Smack uses extended attributes (xattrs) to store labels on filesystem
objects. The attributes are stored in the extended attribute security
name space. A process must have ``CAP_MAC_ADMIN`` to change any of these
attributes.

The extended attributes that Smack uses are:

SMACK64
    Used to make access control decisions. In almost all cases
    the label given to a new filesystem object will be the label
    of the process that created it.

SMACK64EXEC
    The Smack label of a process that execs a program file with
    this attribute set will run with this attribute's value.

SMACK64MMAP
    Don't allow the file to be mmapped by a process whose Smack
    label does not allow all of the access permitted to a process
    with the label contained in this attribute. This is a very
    specific use case for shared libraries.

SMACK64TRANSMUTE
    Can only have the value "TRUE". If this attribute is present
    on a directory when an object is created in the directory and
    the Smack rule (more below) that permitted the write access
    to the directory includes the transmute ("t") mode, the object
    gets the label of the directory instead of the label of the
    creating process. If the object being created is a directory
    the SMACK64TRANSMUTE attribute is set as well.

SMACK64IPIN
    This attribute is only available on file descriptors for sockets.
    Use the Smack label in this attribute for access control
    decisions on packets being delivered to this socket.

SMACK64IPOUT
    This attribute is only available on file descriptors for sockets.
    Use the Smack label in this attribute for access control
    decisions on packets coming from this socket.

There are multiple ways to set a Smack label on a file::

    # attr -S -s SMACK64 -V "value" path
    # chsmack -a value path

A process can see the Smack label it is running with by
reading ``/proc/self/attr/current``. A process with ``CAP_MAC_ADMIN``
can set the process Smack label by writing there.

Most Smack configuration is accomplished by writing to files
in the smackfs filesystem. This pseudo-filesystem is mounted
on ``/sys/fs/smackfs``.

access
    Provided for backward compatibility. The access2 interface
    is preferred and should be used instead.
    This interface reports whether a subject with the specified
    Smack label has a particular access to an object with a
    specified Smack label. Write a fixed format access rule to
    this file. The next read will indicate whether the access
    would be permitted. The text will be either "1" indicating
    access, or "0" indicating denial.

access2
    This interface reports whether a subject with the specified
    Smack label has a particular access to an object with a
    specified Smack label. Write a long format access rule to
    this file. The next read will indicate whether the access
    would be permitted. The text will be either "1" indicating
    access, or "0" indicating denial.

ambient
    This contains the Smack label applied to unlabeled network
    packets.

change-rule
    This interface allows modification of existing access control rules.
    The format accepted on write is::

        "%s %s %s %s"

    where the first string is the subject label, the second the
    object label, the third the access to allow and the fourth the
    access to deny. The access strings may contain only the characters
    "rwxat-". If a rule for a given subject and object exists it will be
    modified by enabling the permissions in the third string and disabling
    those in the fourth string. If there is no such rule it will be
    created using the access specified in the third and the fourth strings.

cipso
    Provided for backward compatibility. The cipso2 interface
    is preferred and should be used instead.
    This interface allows a specific CIPSO header to be assigned
    to a Smack label. The format accepted on write is::

        "%24s%4d%4d"["%4d"]...

    The first string is a fixed Smack label. The first number is
    the level to use. The second number is the number of categories.
    The following numbers are the categories::

        "level-3-cats-5-19 3 2 5 19"

cipso2
    This interface allows a specific CIPSO header to be assigned
    to a Smack label. The format accepted on write is::

        "%s%4d%4d"["%4d"]...

    The first string is a long Smack label. The first number is
    the level to use. The second number is the number of categories.
    The following numbers are the categories::

        "level-3-cats-5-19 3 2 5 19"

direct
    This contains the CIPSO level used for Smack direct label
    representation in network packets.

doi
    This contains the CIPSO domain of interpretation used in
    network packets.

ipv6host
    This interface allows specific IPv6 internet addresses to be
    treated as single label hosts. Packets are sent to single
    label hosts only from processes that have Smack write access
    to the host label. All packets received from single label hosts
    are given the specified label. The format accepted on write is::

        "%h:%h:%h:%h:%h:%h:%h:%h label" or
        "%h:%h:%h:%h:%h:%h:%h:%h/%d label".

    The "::" address shortcut is not supported.
    If label is "-DELETE" a matched entry will be deleted.

load
    Provided for backward compatibility. The load2 interface
    is preferred and should be used instead.
    This interface allows access control rules in addition to
    the system defined rules to be specified. The format accepted
    on write is::

        "%24s%24s%5s"

    where the first string is the subject label, the second the
    object label, and the third the requested access. The access
    string may contain only the characters "rwxat-", and specifies
    which sort of access is allowed. The "-" is a placeholder for
    permissions that are not allowed. The string "r-x--" would
    specify read and execute access. Labels are limited to 23
    characters in length.

load2
    This interface allows access control rules in addition to
    the system defined rules to be specified. The format accepted
    on write is::

        "%s %s %s"

    where the first string is the subject label, the second the
    object label, and the third the requested access. The access
    string may contain only the characters "rwxat-", and specifies
    which sort of access is allowed. The "-" is a placeholder for
    permissions that are not allowed. The string "r-x--" would
    specify read and execute access.

load-self
    Provided for backward compatibility. The load-self2 interface
    is preferred and should be used instead.
    This interface allows process specific access rules to be
    defined. These rules are only consulted if access would
    otherwise be permitted, and are intended to provide additional
    restrictions on the process. The format is the same as for
    the load interface.

load-self2
    This interface allows process specific access rules to be
    defined. These rules are only consulted if access would
    otherwise be permitted, and are intended to provide additional
    restrictions on the process. The format is the same as for
    the load2 interface.

logging
    This contains the Smack logging state.

mapped
    This contains the CIPSO level used for Smack mapped label
    representation in network packets.

netlabel
    This interface allows specific internet addresses to be
    treated as single label hosts. Packets are sent to single
    label hosts without CIPSO headers, but only from processes
    that have Smack write access to the host label. All packets
    received from single label hosts are given the specified
    label. The format accepted on write is::

        "%d.%d.%d.%d label" or "%d.%d.%d.%d/%d label".

    If the label specified is "-CIPSO" the address is treated
    as a host that supports CIPSO headers.

onlycap
    This contains labels processes must have for ``CAP_MAC_ADMIN``
    and ``CAP_MAC_OVERRIDE`` to be effective. If this file is empty
    these capabilities are effective for processes with any
    label. The values are set by writing the desired labels, separated
    by spaces, to the file or cleared by writing "-" to the file.

ptrace
    This is used to define the current ptrace policy.

    0 - default:
        this is the policy that relies on Smack access rules.
        For ``PTRACE_READ`` a subject needs to have read access on the
        object. For ``PTRACE_ATTACH`` read-write access is required.

    1 - exact:
        this is the policy that limits ``PTRACE_ATTACH``. Attach is
        only allowed when subject's and object's labels are equal.
        ``PTRACE_READ`` is not affected. Can be overridden with ``CAP_SYS_PTRACE``.

    2 - draconian:
        this policy behaves like the 'exact' above with an
        exception that it can't be overridden with ``CAP_SYS_PTRACE``.

revoke-subject
    Writing a Smack label here sets the access to '-' for all access
    rules with that subject label.

unconfined
    If the kernel is configured with ``CONFIG_SECURITY_SMACK_BRINGUP``
    a process with ``CAP_MAC_ADMIN`` can write a label into this interface.
    Thereafter, accesses that involve that label will be logged and
    the access permitted if it wouldn't be otherwise. Note that this
    is dangerous and can ruin the proper labeling of your system.
    It should never be used in production.

relabel-self
    This interface contains a list of labels to which the process can
    transition, by writing to ``/proc/self/attr/current``.
    Normally a process can change its own label to any legal value, but only
    if it has ``CAP_MAC_ADMIN``. This interface allows a process without
    ``CAP_MAC_ADMIN`` to relabel itself to one of the labels in this predefined
    list. A process without ``CAP_MAC_ADMIN`` can change its label only once.
    When it does, this list will be cleared.
    The values are set by writing the desired labels, separated
    by spaces, to the file or cleared by writing "-" to the file.

If you are using the smackload utility
you can add access rules in ``/etc/smack/accesses``. They take the form::

    subjectlabel objectlabel access

access is a combination of the letters rwxatb which specify the
kind of access permitted a subject with subjectlabel on an
object with objectlabel. If there is no rule no access is allowed.

Look for additional programs on http://schaufler-ca.com

The Simplified Mandatory Access Control Kernel (Whitepaper)
===========================================================

Casey Schaufler
casey@schaufler-ca.com

Mandatory Access Control
------------------------

Computer systems employ a variety of schemes to constrain how information is
shared among the people and services using the machine. Some of these schemes
allow the program or user to decide what other programs or users are allowed
access to pieces of data. These schemes are called discretionary access
control mechanisms because the access control is specified at the discretion
of the user. Other schemes do not leave the decision regarding what a user or
program can access up to users or programs. These schemes are called mandatory
access control mechanisms because you don't have a choice regarding the users
or programs that have access to pieces of data.

Bell & LaPadula
---------------

From the middle of the 1980's until the turn of the century Mandatory Access
Control (MAC) was very closely associated with the Bell & LaPadula security
model, a mathematical description of the United States Department of Defense
policy for marking paper documents. MAC in this form enjoyed a following
within the Capital Beltway and Scandinavian supercomputer centers but was
often cited as failing to address general needs.

Domain Type Enforcement
-----------------------

Around the turn of the century Domain Type Enforcement (DTE) became popular.
This scheme organizes users, programs, and data into domains that are
protected from each other. This scheme has been widely deployed as a component
of popular Linux distributions. The administrative overhead required to
maintain this scheme and the detailed understanding of the whole system
necessary to provide a secure domain mapping leads to the scheme being
disabled or used in limited ways in the majority of cases.

Smack
-----

Smack is a Mandatory Access Control mechanism designed to provide useful MAC
while avoiding the pitfalls of its predecessors. The limitations of Bell &
LaPadula are addressed by providing a scheme whereby access can be controlled
according to the requirements of the system and its purpose rather than those
imposed by an arcane government policy. The complexity of Domain Type
Enforcement is avoided by defining access controls in terms of the access
modes already in use.

Smack Terminology
-----------------

The jargon used to talk about Smack will be familiar to those who have dealt
with other MAC systems and shouldn't be too difficult for the uninitiated to
pick up. There are four terms that are used in a specific way and that are
especially important:

    Subject:
        A subject is an active entity on the computer system.
        On Smack a subject is a task, which is in turn the basic unit
        of execution.

    Object:
        An object is a passive entity on the computer system.
        On Smack files of all types, IPC, and tasks can be objects.

    Access:
        Any attempt by a subject to put information into or get
        information from an object is an access.

    Label:
        Data that identifies the Mandatory Access Control
        characteristics of a subject or an object.

These definitions are consistent with the traditional use in the security
community. There are also some terms from Linux that are likely to crop up:

    Capability:
        A task that possesses a capability has permission to
        violate an aspect of the system security policy, as identified by
        the specific capability. A task that possesses one or more
        capabilities is a privileged task, whereas a task with no
        capabilities is an unprivileged task.

    Privilege:
        A task that is allowed to violate the system security
        policy is said to have privilege. As of this writing a task can
        have privilege either by possessing capabilities or by having an
        effective user of root.

Smack Basics
------------

Smack is an extension to a Linux system. It enforces additional restrictions
on what subjects can access which objects, based on the labels attached to
each of the subject and the object.

Labels
~~~~~~

Smack labels are ASCII character strings. They can be up to 255 characters
long, but keeping them to twenty-three characters is recommended.
Single character labels using special characters, that being anything
other than a letter or digit, are reserved for use by the Smack development
team. Smack labels are unstructured, case sensitive, and the only operation
ever performed on them is comparison for equality. Smack labels cannot
contain unprintable characters, the "/" (slash), the "\" (backslash), the "'"
(quote) and '"' (double-quote) characters.
Smack labels cannot begin with a '-'. This is reserved for special options.

There are some predefined labels::

    _   Pronounced "floor", a single underscore character.
    ^   Pronounced "hat", a single circumflex character.
    *   Pronounced "star", a single asterisk character.
    ?   Pronounced "huh", a single question mark character.
    @   Pronounced "web", a single at sign character.

Every task on a Smack system is assigned a label. The Smack label
of a process will usually be assigned by the system initialization
mechanism.

Access Rules
~~~~~~~~~~~~

Smack uses the traditional access modes of Linux. These modes are read,
execute, write, and occasionally append. There are a few cases where the
access mode may not be obvious. These include:

    Signals:
        A signal is a write operation from the subject task to
        the object task.

    Internet Domain IPC:
        Transmission of a packet is considered a
        write operation from the source task to the destination task.

Smack restricts access based on the label attached to a subject and the label
attached to the object it is trying to access. The rules enforced are, in
order:

    1. Any access requested by a task labeled "*" is denied.
    2. A read or execute access requested by a task labeled "^"
       is permitted.
    3. A read or execute access requested on an object labeled "_"
       is permitted.
    4. Any access requested on an object labeled "*" is permitted.
    5. Any access requested by a task on an object with the same
       label is permitted.
    6. Any access requested that is explicitly defined in the loaded
       rule set is permitted.
    7. Any other access is denied.

Smack Access Rules
~~~~~~~~~~~~~~~~~~

With the isolation provided by Smack, access separation is simple. There are
many interesting cases where limited access by subjects to objects with
different labels is desired. One example is the familiar spy model of
sensitivity, where a scientist working on a highly classified project would be
able to read documents of lower classifications and anything she writes will
be "born" highly classified. To accommodate such schemes Smack includes a
mechanism for specifying rules allowing access between labels.

Access Rule Format
~~~~~~~~~~~~~~~~~~

The format of an access rule is::

    subject-label object-label access

Where subject-label is the Smack label of the task, object-label is the Smack
label of the thing being accessed, and access is a string specifying the sort
of access allowed. The access specification is searched for letters that
describe access modes:

    a: indicates that append access should be granted.
    r: indicates that read access should be granted.
    w: indicates that write access should be granted.
    x: indicates that execute access should be granted.
    t: indicates that the rule requests transmutation.
    b: indicates that the rule should be reported for bring-up.

Uppercase values for the specification letters are allowed as well.
Access mode specifications can be in any order. Examples of acceptable rules
are::

    TopSecret Secret rx
    Secret Unclass R
    Manager Game x
    User HR w
    Snap Crackle rwxatb
    New Old rRrRr
    Closed Off -

Examples of unacceptable rules are::

    Top Secret Secret rx
    Ace Ace r
    Odd spells waxbeans

Spaces are not allowed in labels. Since a subject always has access to files
with the same label, specifying a rule for that case is pointless. Only
valid letters (rwxatbRWXATB) and the dash ('-') character are allowed in
access specifications. The dash is a placeholder, so "a-r" is the same
as "ar". A lone dash is used to specify that no access should be allowed.

Applying Access Rules
~~~~~~~~~~~~~~~~~~~~~

The developers of Linux rarely define new sorts of things, usually importing
schemes and concepts from other systems. Most often, the other systems are
variants of Unix. Unix has many endearing properties, but consistency of
access control models is not one of them. Smack strives to treat accesses as
uniformly as is sensible while keeping with the spirit of the underlying
mechanism.
File system objects including files, directories, named pipes, symbolic links,
and devices require access permissions that closely match those used by mode
bit access. To open a file for reading, read access is required on the file. To
search a directory requires execute access. Creating a file with write access
requires both read and write access on the containing directory. Deleting a
file requires read and write access to the file and to the containing
directory. It is possible that a user may be able to see that a file exists
but not any of its attributes, by the circumstance of having read access to the
containing directory but not to the differently labeled file. This is an
artifact of the file name being data in the directory, not a part of the file.

If a directory is marked as transmuting (SMACK64TRANSMUTE=TRUE) and the
access rule that allows a process to create an object in that directory
includes 't' access, the label assigned to the new object will be that
of the directory, not the creating process. This makes it much easier
for two processes with different labels to share data without granting
access to all of their files.

IPC objects, message queues, semaphore sets, and memory segments exist in flat
namespaces and access requests are only required to match the object in
question.

Process objects reflect tasks on the system and the Smack label used to access
them is the same Smack label that the task would use for its own access
attempts. Sending a signal via the kill() system call is a write operation
from the signaler to the recipient. Debugging a process requires both reading
and writing. Creating a new task is an internal operation that results in two
tasks with identical Smack labels and requires no access checks.

Sockets are data structures attached to processes and sending a packet from
one process to another requires that the sender have write access to the
receiver. The receiver is not required to have read access to the sender.

Setting Access Rules
~~~~~~~~~~~~~~~~~~~~

The configuration file /etc/smack/accesses contains the rules to be set at
system startup. The contents are written to the special file
/sys/fs/smackfs/load2. Rules can be added at any time and take effect
immediately. For any pair of subject and object labels there can be only
one rule, with the most recently specified overriding any earlier
specification.

Task Attribute
~~~~~~~~~~~~~~

The Smack label of a process can be read from /proc/<pid>/attr/current. A
process can read its own Smack label from /proc/self/attr/current. A
privileged process can change its own Smack label by writing to
/proc/self/attr/current but not the label of another process.
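The rule format, the numbered decision steps, the per-operation accesses
listed under "Applying Access Rules", the transmute behaviour and the
last-rule-wins semantics of /sys/fs/smackfs/load2 interact in ways that are
easy to get wrong by hand. The simulator below is an added example written for
this document; it is not kernel code and not part of smackutil. It parses
rules in the load2 format with the validation the text describes, keeps one
rule per subject/object pair, and decides requests with the seven Smack rules
(the special labels "*", "^" and "_" are steps 1 to 4 of the numbered list
that ends at the top of this section). The operation table, the role names
used in it ("file", "dir", "target", "receiver") and the helper names are
this example's own assumptions, not kernel interfaces.

```python
"""Offline simulator of Smack access rules.

Added example, not kernel code: parses rules in the /sys/fs/smackfs/load2
format, keeps one rule per (subject, object) pair with the last write
winning, and decides requests with the seven Smack rules.  The operation
table and role names below are this example's own convention.
"""

ACCESS_LETTERS = "rwxatb"


def parse_rule(line):
    """Parse 'subject object access' into (subject, object, modes).

    Rejects the malformed forms the text lists: labels containing spaces
    (more than three fields), a rule for identical labels, and letters
    outside rwxatb/RWXATB.  '-' is a placeholder, so 'a-r' == 'ar' and a
    lone '-' yields the empty set (no access).
    """
    parts = line.split()
    if len(parts) != 3:
        raise ValueError(f"need exactly 3 fields, labels cannot contain spaces: {line!r}")
    subject, obj, spec = parts
    if subject == obj:
        raise ValueError(f"rule for identical labels is pointless: {line!r}")
    modes = set()
    for ch in spec:
        if ch == "-":
            continue
        if ch.lower() not in ACCESS_LETTERS:
            raise ValueError(f"invalid access letter {ch!r} in {line!r}")
        modes.add(ch.lower())
    return subject, obj, frozenset(modes)


class SmackPolicy:
    """The loaded rule set, as the kernel keeps it after writes to load2."""

    def __init__(self):
        self.rules = {}  # (subject, object) -> frozenset of modes

    def load(self, text):
        """Load rule lines; a later rule for the same pair replaces the earlier one."""
        for line in text.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                subject, obj, modes = parse_rule(line)
                self.rules[(subject, obj)] = modes

    def allowed(self, subject, obj, wanted):
        """Apply the Smack rules in order to a request for modes 'wanted' (e.g. 'rw')."""
        wanted = set(wanted)
        if subject == "*":                              # 1. star subject: denied
            return False
        if subject == "^" and wanted <= {"r", "x"}:      # 2. hat reads/executes anything
            return True
        if obj == "_" and wanted <= {"r", "x"}:          # 3. floor is readable by all
            return True
        if obj == "*":                                   # 4. star object: permitted
            return True
        if subject == obj:                               # 5. same label
            return True
        granted = self.rules.get((subject, obj), frozenset())
        return wanted <= granted                         # 6. explicit rule, else 7. deny


# Accesses each operation needs, keyed by the role of the object involved
# (example convention; see "Applying Access Rules").
OPERATION_CHECKS = {
    "open_read":  [("file", "r")],
    "open_write": [("file", "w")],
    "search_dir": [("dir", "x")],
    "create":     [("dir", "rw")],              # creating a file: rw on the directory
    "delete":     [("file", "rw"), ("dir", "rw")],
    "kill":       [("target", "w")],            # a signal is a write to the recipient
    "ptrace":     [("target", "rw")],           # debugging needs read and write
    "send":       [("receiver", "w")],          # sender needs write to the receiver only
}


def check_operation(policy, subject, op, labels):
    """True if every access 'op' needs is allowed; labels maps role -> Smack label."""
    return all(policy.allowed(subject, labels[role], modes)
               for role, modes in OPERATION_CHECKS[op])


def label_for_new_object(policy, proc_label, dir_label, dir_transmutes):
    """Label a new object gets: the directory's if it transmutes and the
    creating process's rule to it carries 't', otherwise the process's own."""
    if dir_transmutes and "t" in policy.rules.get((proc_label, dir_label), ()):
        return dir_label
    return proc_label


if __name__ == "__main__":
    policy = SmackPolicy()
    policy.load("""
        TopSecret Secret rx
        Secret Unclass R
        Snap Crackle rwxatb
        User HR w
    """)
    print(check_operation(policy, "TopSecret", "open_read", {"file": "Secret"}))
    print(check_operation(policy, "Secret", "delete", {"file": "Unclass", "dir": "Unclass"}))
    print(label_for_new_object(policy, "Snap", "Crackle", True))
```

Loading "User HR -" after "User HR w" removes User's write access to HR, which
is the override behaviour of load2; a lone dash is how a rule is withdrawn
rather than merely narrowed.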
File Attribute
~~~~~~~~~~~~~~

The Smack label of a filesystem object is stored as an extended attribute
named SMACK64 on the file. This attribute is in the security namespace. It can
only be changed by a process with privilege.

Privilege
~~~~~~~~~

A process with CAP_MAC_OVERRIDE or CAP_MAC_ADMIN is privileged.
CAP_MAC_OVERRIDE allows the process access to objects it would
be denied otherwise. CAP_MAC_ADMIN allows a process to change
Smack data, including rules and attributes.

Smack Networking
~~~~~~~~~~~~~~~~

As mentioned before, Smack enforces access control on network protocol
transmissions. Every packet sent by a Smack process is tagged with its Smack
label. This is done by adding a CIPSO tag to the header of the IP packet. Each
packet received is expected to have a CIPSO tag that identifies the label and
if it lacks such a tag the network ambient label is assumed. Before the packet
is delivered a check is made to determine that a subject with the label on the
packet has write access to the receiving process and if that is not the case
the packet is dropped.

CIPSO Configuration
~~~~~~~~~~~~~~~~~~~

It is normally unnecessary to specify the CIPSO configuration. The default
values used by the system handle all internal cases. Smack will compose CIPSO
label values to match the Smack labels being used without administrative
intervention. Unlabeled packets that come into the system will be given the
ambient label.

Smack requires configuration in the case where packets may be encountered
from a system that is not Smack but does speak CIPSO. Usually this will be a
Trusted Solaris system, but there are other, less widely deployed systems out
there. CIPSO provides 3 important values, a Domain Of Interpretation (DOI), a
level, and a category set with each packet. The DOI is intended to identify a
group of systems that use compatible labeling schemes, and the DOI specified on
the Smack system must match that of the remote system or packets will be
discarded. The DOI is 3 by default. The value can be read from
/sys/fs/smackfs/doi and can be changed by writing to /sys/fs/smackfs/doi.

The level and category set are mapped to a Smack label as defined in
/etc/smack/cipso.

A Smack/CIPSO mapping has the form::

	smack level [category [category]*]

Smack does not expect the level or category sets to be related in any
particular way and does not assume or assign accesses based on them. Some
examples of mappings::

	TopSecret 7
	TS:A,B 7 1 2
	SecBDE 5 2 4 6
	RAFTERS 7 12 26

The ":" and "," characters are permitted in a Smack label but have no special
meaning.

The mapping of Smack labels to CIPSO values is defined by writing to
/sys/fs/smackfs/cipso2.

In addition to explicit mappings Smack supports direct CIPSO mappings. One
CIPSO level is used to indicate that the category set passed in the packet is
in fact an encoding of the Smack label. The level used is 250 by default. The
value can be read from /sys/fs/smackfs/direct and changed by writing to
/sys/fs/smackfs/direct.

Socket Attributes
~~~~~~~~~~~~~~~~~

There are two attributes that are associated with sockets. These attributes
can only be set by privileged tasks, but any task can read them for their own
sockets.

	SMACK64IPIN:
		The Smack label of the task object. A privileged
		program that will enforce policy may set this to the star label.

	SMACK64IPOUT:
		The Smack label transmitted with outgoing packets.
		A privileged program may set this to match the label of another
		task with which it hopes to communicate.
Smack Netlabel Exceptions
~~~~~~~~~~~~~~~~~~~~~~~~~

You will often find that your labeled application has to talk to the outside,
unlabeled world. To do this there's a special file /sys/fs/smackfs/netlabel
where you can add some exceptions in the form of::

	@IP1	   LABEL1 or
	@IP2/MASK  LABEL2

It means that your application will have unlabeled access to @IP1 if it has
write access on LABEL1, and access to the subnet @IP2/MASK if it has write
access on LABEL2.

Entries in the /sys/fs/smackfs/netlabel file are matched by longest mask
first, like in classless IPv4 routing.

A special label '@' and an option '-CIPSO' can be used there::

	@      means Internet, any application with any label has access to it
	-CIPSO means standard CIPSO networking

If you don't know what CIPSO is and don't plan to use it, you can just do::

	echo 127.0.0.1 -CIPSO > /sys/fs/smackfs/netlabel
	echo 0.0.0.0/0 @ > /sys/fs/smackfs/netlabel

If you use CIPSO on your 192.168.0.0/16 local network and need also unlabeled
Internet access, you can have::

	echo 127.0.0.1 -CIPSO > /sys/fs/smackfs/netlabel
	echo 192.168.0.0/16 -CIPSO > /sys/fs/smackfs/netlabel
	echo 0.0.0.0/0 @ > /sys/fs/smackfs/netlabel

Writing Applications for Smack
------------------------------

There are three sorts of applications that will run on a Smack system. How an
application interacts with Smack will determine what it will have to do to
work properly under Smack.

Smack Ignorant Applications
---------------------------

By far the majority of applications have no reason whatever to care about the
unique properties of Smack. Since invoking a program has no impact on the
Smack label associated with the process the only concern likely to arise is
whether the process has execute access to the program.

Smack Relevant Applications
---------------------------

Some programs can be improved by teaching them about Smack, but do not make
any security decisions themselves. The utility ls(1) is one example of such a
program.

Smack Enforcing Applications
----------------------------

These are special programs that not only know about Smack, but participate in
the enforcement of system policy. In most cases these are the programs that
set up user sessions. There are also network services that provide information
to processes running with various labels.

File System Interfaces
----------------------

Smack maintains labels on file system objects using extended attributes. The
Smack label of a file, directory, or other file system object can be obtained
using getxattr(2)::

	len = getxattr("/", "security.SMACK64", value, sizeof (value));

will put the Smack label of the root directory into value. A privileged
process can set the Smack label of a file system object with setxattr(2)::

	len = strlen("Rubble");
	rc = setxattr("/foo", "security.SMACK64", "Rubble", len, 0);

will set the Smack label of /foo to "Rubble" if the program has appropriate
privilege.

Socket Interfaces
-----------------

The socket attributes can be read using fgetxattr(2).

A privileged process can set the Smack label of outgoing packets with
fsetxattr(2)::

	len = strlen("Rubble");
	rc = fsetxattr(fd, "security.SMACK64IPOUT", "Rubble", len, 0);

will set the Smack label "Rubble" on packets going out from the socket if the
program has appropriate privilege, and::

	rc = fsetxattr(fd, "security.SMACK64IPIN", "*", strlen("*"), 0);

will set the Smack label "*" as the object label against which incoming
packets will be checked if the program has appropriate privilege.
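The networking pieces above (the CIPSO tag on outgoing packets, the ambient
label for untagged ones, the write check on delivery from "Smack Networking",
the SMACK64IPIN and SMACK64IPOUT socket attributes, and the longest-mask
netlabel exceptions) combine into one decision per packet. The simulator below
is an added example written for this document, not kernel code: it models what
label leaves with a packet, what the netlabel table does to a given
destination, and whether the receiver accepts the packet. The function names,
the 'cipso'/'unlabeled'/'denied' outcome strings and the has_write() stand-in
for the loaded rule set are this example's own assumptions; only the
same-label and star-object shortcuts of the Smack rules are modelled on the
receive side.

```python
"""Simulate the Smack checks around one packet.

Added example, not kernel code.  Sender side: the label placed in the CIPSO
tag and the netlabel exception table matched by longest mask.  Receiver
side: the label on the packet needs write access to the receiver's
SMACK64IPIN label.  has_write() stands in for the loaded rule set.
"""
import ipaddress


def parse_netlabel(text):
    """Parse lines in the /sys/fs/smackfs/netlabel form 'IP[/MASK] LABEL'."""
    table = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            host, label = line.split()
            table.append((ipaddress.ip_network(host, strict=False), label))
    return table


def netlabel_lookup(table, address):
    """Longest mask wins, as in classless IPv4 routing; None if nothing matches."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, label in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label)
    return None if best is None else best[1]


def outgoing_label(task_label, ipout=None):
    """Label carried in the CIPSO tag: SMACK64IPOUT if set, else the task's label."""
    return ipout if ipout is not None else task_label


def send_decision(has_write, sender_label, destination, table):
    """Sender-side outcome for a destination address.

    Returns 'cipso' (packet leaves with a CIPSO tag), 'unlabeled' (packet
    leaves untagged) or 'denied'.  Assumption of this simulator: with no
    matching netlabel entry the packet is tagged, which is the default.
    """
    entry = netlabel_lookup(table, destination)
    if entry is None or entry == "-CIPSO":
        return "cipso"
    if entry == "@":                 # the Internet: any label may talk to it
        return "unlabeled"
    return "unlabeled" if has_write(sender_label, entry) else "denied"


def deliver_decision(has_write, packet_label, ambient, task_label, ipin=None):
    """Receiver-side check: subject is the label on the packet (the ambient
    label if the packet is untagged), object is SMACK64IPIN or the task label."""
    subject = ambient if packet_label is None else packet_label
    obj = task_label if ipin is None else ipin
    if obj == "*" or subject == obj:  # star object accepts all; same label always allowed
        return True
    return has_write(subject, obj)


def make_has_write(rules):
    """Stand-in for the rule set: rules maps (subject, object) -> access string."""
    return lambda subject, obj: "w" in rules.get((subject, obj), "")


if __name__ == "__main__":
    # Constructed table: the second example from "Smack Netlabel Exceptions"
    # plus a partner subnet reachable only by labels with write access to "Partner".
    table = parse_netlabel("""
        127.0.0.1 -CIPSO
        192.168.0.0/16 -CIPSO
        10.0.0.0/8 Partner
        0.0.0.0/0 @
    """)
    has_write = make_has_write({("Rubble", "Partner"): "w", ("Rubble", "Bedrock"): "w"})
    print(send_decision(has_write, "Rubble", "192.168.4.2", table))
    print(send_decision(has_write, "Rubble", "10.1.2.3", table))
    print(send_decision(has_write, "Quarry", "10.1.2.3", table))
    print(deliver_decision(has_write, outgoing_label("Rubble"), "_", "Bedrock"))
```

Setting SMACK64IPIN to "*" on a listening socket, as a Smack enforcing
service might, makes deliver_decision() accept any sender; that is the point
at which the service itself must start checking labels instead of the kernel.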
Administration
--------------

Smack supports some mount options:

	smackfsdef=label:
		specifies the label to give files that lack
		the Smack label extended attribute.

	smackfsroot=label:
		specifies the label to assign the root of the
		file system if it lacks the Smack extended attribute.

	smackfshat=label:
		specifies a label that must have read access to
		all labels set on the filesystem. Not yet enforced.

	smackfsfloor=label:
		specifies a label to which all labels set on the
		filesystem must have read access. Not yet enforced.

	smackfstransmute=label:
		behaves exactly like smackfsroot except that it also
		sets the transmute flag on the root of the mount

These mount options apply to all file system types.

Smack auditing
--------------

If you want Smack auditing of security events, you need to set CONFIG_AUDIT
in your kernel configuration.
By default, all denied events will be audited. You can change this behavior by
writing a single character to the /sys/fs/smackfs/logging file::

	0 : no logging
	1 : log denied (default)
	2 : log accepted
	3 : log denied & accepted

Events are logged as 'key=value' pairs. For each event you will get at least
the subject, the object, the rights requested, the action, and the kernel
function that triggered the event, plus other pairs depending on the type of
event audited.

Bringup Mode
------------

Bringup mode provides logging features that can make application
configuration and system bringup easier. Configure the kernel with
CONFIG_SECURITY_SMACK_BRINGUP to enable these features. When bringup
mode is enabled, accesses that succeed due to rules marked with the "b"
access mode will be logged. When a new label is introduced for processes,
rules can be added aggressively, marked with the "b". The logging allows
tracking of which rules actually get used for that label.

Another feature of bringup mode is the "unconfined" option. Writing
a label to /sys/fs/smackfs/unconfined makes subjects with that label
able to access any object, and objects with that label accessible to
all subjects. Any access that is granted because a label is unconfined
is logged. This feature is dangerous, as files and directories may
be created in places they couldn't if the policy were being enforced.
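The usual way the audit records and bringup mode are put to work is to run
the new application, collect the denials, and turn them into rules marked
with "b" so that their use keeps being logged while the policy is tuned. The
script below is an added example written for this document, not kernel or
smackutil code. The audit lines it parses are constructed here to approximate
the key=value form described above (fn, action, subject, object, requested);
the exact field names and the type= prefix in a real audit log may differ, so
check them against your own audit output before relying on the parser. The
function names and the sample labels are this example's own.

```python
"""Turn Smack audit records into candidate rules in the load2 format.

Added example, not kernel or smackutil code.  The sample records are
constructed to approximate the key=value form described in the text; real
records may use different field names.  Denied accesses are grouped per
(subject, object) pair and emitted as rule lines, optionally marked "b".
"""
import re
from collections import defaultdict

MODE_ORDER = "rwxat"

# Constructed sample records, not captured from a real system.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1700000000.101:42): lsm=SMACK fn=smack_inode_permission action=denied subject="Player" object="Game" requested=r pid=1201 comm="game"
type=AVC msg=audit(1700000000.102:43): lsm=SMACK fn=smack_inode_permission action=denied subject="Player" object="Game" requested=x pid=1201 comm="game"
type=AVC msg=audit(1700000000.103:44): lsm=SMACK fn=smack_task_kill action=denied subject="Player" object="Scores" requested=w pid=1201 comm="game"
type=AVC msg=audit(1700000000.104:45): lsm=SMACK fn=smack_inode_permission action=granted subject="Player" object="Config" requested=r pid=1201 comm="game"
type=AVC msg=audit(1700000000.105:46): lsm=SMACK fn=smack_inode_permission action=denied subject="Player" object="Game" requested=r pid=1201 comm="game"
"""

# key=value, where value is either a double-quoted string or a run of non-blanks.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Split one audit line into a dict; quoted values lose their quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def smack_events(text, action=None):
    """Yield parsed Smack records, optionally only those with a given action."""
    for line in text.splitlines():
        rec = parse_record(line)
        if rec.get("lsm") != "SMACK" or "subject" not in rec:
            continue
        if action is None or rec.get("action") == action:
            yield rec


def aggregate(records):
    """Collapse records into {(subject, object): set of requested modes}."""
    wanted = defaultdict(set)
    for rec in records:
        wanted[(rec["subject"], rec["object"])].update(rec["requested"].lower())
    return dict(wanted)


def candidate_rules(text, bringup=False):
    """Denied (subject, object) pairs as load2 lines, e.g. 'Player Game rx'.

    With bringup=True each line also carries 'b' so that, once loaded, uses
    of the new rule keep being logged while the policy is being tuned.
    """
    lines = []
    for (subject, obj), modes in sorted(aggregate(smack_events(text, "denied")).items()):
        if subject == obj:
            continue  # same label is always allowed; no rule needed
        spec = "".join(m for m in MODE_ORDER if m in modes) + ("b" if bringup else "")
        lines.append(f"{subject} {obj} {spec}")
    return lines


if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_AUDIT, bringup=True):
        print(rule)
```

Review each generated line before writing it to /sys/fs/smackfs/load2: a
denial in the log is evidence that the application asked, not that the access
is appropriate, and a rule granting it is exactly what the isolation was there
to prevent.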