1 ===== 2 Smack 3 ===== 4 5 6 "Good for you, you've decided to clean the 7 - The Elevator, from Dark Star 8 9 Smack is the Simplified Mandatory Access Contr 10 Smack is a kernel based implementation of mand 11 control that includes simplicity in its primar 12 13 Smack is not the only Mandatory Access Control 14 available for Linux. Those new to Mandatory Ac 15 are encouraged to compare Smack with the other 16 available to determine which is best suited to 17 at hand. 18 19 Smack consists of three major components: 20 21 - The kernel 22 - Basic utilities, which are helpful but n 23 - Configuration data 24 25 The kernel component of Smack is implemented a 26 Security Modules (LSM) module. It requires net 27 works best with file systems that support exte 28 although xattr support is not strictly require 29 It is safe to run a Smack kernel under a "vani 30 31 Smack kernels use the CIPSO IP option. Some ne 32 configurations are intolerant of IP options an 33 access to systems that use them as Smack does. 34 35 Smack is used in the Tizen operating system. P 36 go to http://wiki.tizen.org for information ab 37 Smack is used in Tizen. 38 39 The current git repository for Smack user spac 40 41 git://github.com/smack-team/smack.git 42 43 This should make and install on most modern di 44 There are five commands included in smackutil: 45 46 chsmack: 47 display or set Smack extended attribut 48 49 smackctl: 50 load the Smack access rules 51 52 smackaccess: 53 report if a process with one label has 54 to an object with another 55 56 These two commands are obsolete with the intro 57 the smackfs/load2 and smackfs/cipso2 interface 58 59 smackload: 60 properly formats data for writing to s 61 62 smackcipso: 63 properly formats data for writing to s 64 65 In keeping with the intent of Smack, configura 66 minimal and not strictly required. 
The most im 67 configuration step is mounting the smackfs pse 68 If smackutil is installed the startup script w 69 of this, but it can be manually as well. 70 71 Add this line to ``/etc/fstab``:: 72 73 smackfs /sys/fs/smackfs smackfs defaults 0 74 75 The ``/sys/fs/smackfs`` directory is created b 76 77 Smack uses extended attributes (xattrs) to sto 78 objects. The attributes are stored in the exte 79 name space. A process must have ``CAP_MAC_ADMI 80 attributes. 81 82 The extended attributes that Smack uses are: 83 84 SMACK64 85 Used to make access control decisions. 86 the label given to a new filesystem ob 87 of the process that created it. 88 89 SMACK64EXEC 90 The Smack label of a process that exec 91 this attribute set will run with this 92 93 SMACK64MMAP 94 Don't allow the file to be mmapped by 95 label does not allow all of the access 96 with the label contained in this attri 97 specific use case for shared libraries 98 99 SMACK64TRANSMUTE 100 Can only have the value "TRUE". If thi 101 on a directory when an object is creat 102 the Smack rule (more below) that permi 103 to the directory includes the transmut 104 gets the label of the directory instea 105 creating process. If the object being 106 the SMACK64TRANSMUTE attribute is set 107 108 SMACK64IPIN 109 This attribute is only available on fi 110 Use the Smack label in this attribute 111 decisions on packets being delivered t 112 113 SMACK64IPOUT 114 This attribute is only available on fi 115 Use the Smack label in this attribute 116 decisions on packets coming from this 117 118 There are multiple ways to set a Smack label o 119 120 # attr -S -s SMACK64 -V "value" path 121 # chsmack -a value path 122 123 A process can see the Smack label it is runnin 124 reading ``/proc/self/attr/current``. A process 125 can set the process Smack by writing there. 126 127 Most Smack configuration is accomplished by wr 128 in the smackfs filesystem. This pseudo-filesys 129 on ``/sys/fs/smackfs``. 
130 131 access 132 Provided for backward compatibility. T 133 is preferred and should be used instea 134 This interface reports whether a subje 135 Smack label has a particular access to 136 specified Smack label. Write a fixed f 137 this file. The next read will indicate 138 would be permitted. The text will be e 139 access, or "0" indicating denial. 140 141 access2 142 This interface reports whether a subje 143 Smack label has a particular access to 144 specified Smack label. Write a long fo 145 this file. The next read will indicate 146 would be permitted. The text will be e 147 access, or "0" indicating denial. 148 149 ambient 150 This contains the Smack label applied 151 packets. 152 153 change-rule 154 This interface allows modification of 155 The format accepted on write is:: 156 157 "%s %s %s %s" 158 159 where the first string is the subject 160 object label, the third the access to 161 access to deny. The access strings may 162 "rwxat-". If a rule for a given subjec 163 modified by enabling the permissions i 164 those in the fourth string. If there i 165 created using the access specified in 166 167 cipso 168 Provided for backward compatibility. T 169 is preferred and should be used instea 170 This interface allows a specific CIPSO 171 to a Smack label. The format accepted 172 173 "%24s%4d%4d"["%4d"]... 174 175 The first string is a fixed Smack labe 176 the level to use. The second number is 177 The following numbers are the categori 178 179 "level-3-cats-5-19 3 180 181 cipso2 182 This interface allows a specific CIPSO 183 to a Smack label. The format accepted 184 185 "%s%4d%4d"["%4d"]... 186 187 The first string is a long Smack label 188 the level to use. The second number is 189 The following numbers are the categori 190 191 "level-3-cats-5-19 3 2 5 192 193 direct 194 This contains the CIPSO level used for 195 representation in network packets. 196 197 doi 198 This contains the CIPSO domain of inte 199 network packets. 
200 201 ipv6host 202 This interface allows specific IPv6 in 203 treated as single label hosts. Packets 204 label hosts only from processes that h 205 to the host label. All packets receive 206 are given the specified label. The for 207 208 "%h:%h:%h:%h:%h:%h:%h:%h label 209 "%h:%h:%h:%h:%h:%h:%h:%h/%d la 210 211 The "::" address shortcut is not suppo 212 If label is "-DELETE" a matched entry 213 214 load 215 Provided for backward compatibility. T 216 is preferred and should be used instea 217 This interface allows access control r 218 the system defined rules to be specifi 219 on write is:: 220 221 "%24s%24s%5s" 222 223 where the first string is the subject 224 object label, and the third the reques 225 string may contain only the characters 226 which sort of access is allowed. The " 227 permissions that are not allowed. The 228 specify read and execute access. Label 229 characters in length. 230 231 load2 232 This interface allows access control r 233 the system defined rules to be specifi 234 on write is:: 235 236 "%s %s %s" 237 238 where the first string is the subject 239 object label, and the third the reques 240 string may contain only the characters 241 which sort of access is allowed. The " 242 permissions that are not allowed. The 243 specify read and execute access. 244 245 load-self 246 Provided for backward compatibility. T 247 is preferred and should be used instea 248 This interface allows process specific 249 defined. These rules are only consulte 250 otherwise be permitted, and are intend 251 restrictions on the process. The forma 252 the load interface. 253 254 load-self2 255 This interface allows process specific 256 defined. These rules are only consulte 257 otherwise be permitted, and are intend 258 restrictions on the process. The forma 259 the load2 interface. 260 261 logging 262 This contains the Smack logging state. 263 264 mapped 265 This contains the CIPSO level used for 266 representation in network packets. 
267 268 netlabel 269 This interface allows specific interne 270 treated as single label hosts. Packets 271 label hosts without CIPSO headers, but 272 that have Smack write access to the ho 273 received from single label hosts are g 274 label. The format accepted on write is 275 276 "%d.%d.%d.%d label" or "%d.%d. 277 278 If the label specified is "-CIPSO" the 279 as a host that supports CIPSO headers. 280 281 onlycap 282 This contains labels processes must ha 283 and ``CAP_MAC_OVERRIDE`` to be effecti 284 these capabilities are effective at fo 285 label. The values are set by writing t 286 by spaces, to the file or cleared by w 287 288 ptrace 289 This is used to define the current ptr 290 291 0 - default: 292 this is the policy that relies on 293 For the ``PTRACE_READ`` a subject 294 object. For the ``PTRACE_ATTACH`` 295 296 1 - exact: 297 this is the policy that limits ``P 298 only allowed when subject's and ob 299 ``PTRACE_READ`` is not affected. C 300 301 2 - draconian: 302 this policy behaves like the 'exac 303 exception that it can't be overrid 304 305 revoke-subject 306 Writing a Smack label here sets the ac 307 rules with that subject label. 308 309 unconfined 310 If the kernel is configured with ``CON 311 a process with ``CAP_MAC_ADMIN`` can w 312 Thereafter, accesses that involve that 313 the access permitted if it wouldn't be 314 is dangerous and can ruin the proper l 315 It should never be used in production. 316 317 relabel-self 318 This interface contains a list of labe 319 transition to, by writing to ``/proc/s 320 Normally a process can change its own 321 if it has ``CAP_MAC_ADMIN``. This inte 322 ``CAP_MAC_ADMIN`` to relabel itself to 323 A process without ``CAP_MAC_ADMIN`` ca 324 does, this list will be cleared. 
325 The values are set by writing the desi 326 by spaces, to the file or cleared by w 327 328 If you are using the smackload utility 329 you can add access rules in ``/etc/smack/acces 330 331 subjectlabel objectlabel access 332 333 access is a combination of the letters rwxatb 334 kind of access permitted a subject with subjec 335 object with objectlabel. If there is no rule n 336 337 Look for additional programs on http://schaufl 338 339 The Simplified Mandatory Access Control Kernel 340 ============================================== 341 342 Casey Schaufler 343 casey@schaufler-ca.com 344 345 Mandatory Access Control 346 ------------------------ 347 348 Computer systems employ a variety of schemes t 349 shared among the people and services using the 350 allow the program or user to decide what other 351 access to pieces of data. These schemes are ca 352 control mechanisms because the access control 353 of the user. Other schemes do not leave the de 354 program can access up to users or programs. Th 355 access control mechanisms because you don't ha 356 or programs that have access to pieces of data 357 358 Bell & LaPadula 359 --------------- 360 361 From the middle of the 1980's until the turn o 362 Control (MAC) was very closely associated with 363 model, a mathematical description of the Unite 364 policy for marking paper documents. MAC in thi 365 within the Capital Beltway and Scandinavian su 366 often sited as failing to address general need 367 368 Domain Type Enforcement 369 ----------------------- 370 371 Around the turn of the century Domain Type Enf 372 This scheme organizes users, programs, and dat 373 protected from each other. This scheme has bee 374 of popular Linux distributions. 
The administra 375 maintain this scheme and the detailed understa 376 necessary to provide a secure domain mapping l 377 disabled or used in limited ways in the majori 378 379 Smack 380 ----- 381 382 Smack is a Mandatory Access Control mechanism 383 while avoiding the pitfalls of its predecessor 384 LaPadula are addressed by providing a scheme w 385 according to the requirements of the system an 386 imposed by an arcane government policy. The co 387 Enforcement and avoided by defining access con 388 modes already in use. 389 390 Smack Terminology 391 ----------------- 392 393 The jargon used to talk about Smack will be fa 394 with other MAC systems and shouldn't be too di 395 pick up. There are four terms that are used in 396 especially important: 397 398 Subject: 399 A subject is an active entity on the c 400 On Smack a subject is a task, which is 401 of execution. 402 403 Object: 404 An object is a passive entity on the c 405 On Smack files of all types, IPC, and 406 407 Access: 408 Any attempt by a subject to put inform 409 information from an object is an acces 410 411 Label: 412 Data that identifies the Mandatory Acc 413 characteristics of a subject or an obj 414 415 These definitions are consistent with the trad 416 community. There are also some terms from Linu 417 418 Capability: 419 A task that possesses a capability has 420 violate an aspect of the system securi 421 the specific capability. A task that p 422 capabilities is a privileged task, whe 423 capabilities is an unprivileged task. 424 425 Privilege: 426 A task that is allowed to violate the 427 policy is said to have privilege. As o 428 have privilege either by possessing ca 429 effective user of root. 430 431 Smack Basics 432 ------------ 433 434 Smack is an extension to a Linux system. It en 435 on what subjects can access which objects, bas 436 each of the subject and the object. 437 438 Labels 439 ~~~~~~ 440 441 Smack labels are ASCII character strings. 
They 442 long, but keeping them to twenty-three charact 443 Single character labels using special characte 444 other than a letter or digit, are reserved for 445 team. Smack labels are unstructured, case sens 446 ever performed on them is comparison for equal 447 contain unprintable characters, the "/" (slash 448 (quote) and '"' (double-quote) characters. 449 Smack labels cannot begin with a '-'. This is 450 451 There are some predefined labels:: 452 453 _ Pronounced "floor", a single u 454 ^ Pronounced "hat", a single cir 455 * Pronounced "star", a single as 456 ? Pronounced "huh", a single que 457 @ Pronounced "web", a single at 458 459 Every task on a Smack system is assigned a lab 460 of a process will usually be assigned by the s 461 mechanism. 462 463 Access Rules 464 ~~~~~~~~~~~~ 465 466 Smack uses the traditional access modes of Lin 467 execute, write, and occasionally append. There 468 access mode may not be obvious. These include: 469 470 Signals: 471 A signal is a write operation from the 472 the object task. 473 474 Internet Domain IPC: 475 Transmission of a packet is considered 476 write operation from the source task t 477 478 Smack restricts access based on the label atta 479 attached to the object it is trying to access. 480 order: 481 482 1. Any access requested by a task labe 483 2. A read or execute access requested 484 is permitted. 485 3. A read or execute access requested 486 is permitted. 487 4. Any access requested on an object l 488 5. Any access requested by a task on a 489 label is permitted. 490 6. Any access requested that is explic 491 rule set is permitted. 492 7. Any other access is denied. 493 494 Smack Access Rules 495 ~~~~~~~~~~~~~~~~~~ 496 497 With the isolation provided by Smack access se 498 many interesting cases where limited access by 499 different labels is desired. One example is th 500 sensitivity, where a scientist working on a hi 501 able to read documents of lower classification 502 be "born" highly classified. 
To accommodate su 503 mechanism for specifying rules allowing access 504 505 Access Rule Format 506 ~~~~~~~~~~~~~~~~~~ 507 508 The format of an access rule is:: 509 510 subject-label object-label access 511 512 Where subject-label is the Smack label of the 513 label of the thing being accessed, and access 514 of access allowed. The access specification is 515 describe access modes: 516 517 a: indicates that append access should 518 r: indicates that read access should b 519 w: indicates that write access should 520 x: indicates that execute access shoul 521 t: indicates that the rule requests tr 522 b: indicates that the rule should be r 523 524 Uppercase values for the specification letters 525 Access mode specifications can be in any order 526 are:: 527 528 TopSecret Secret rx 529 Secret Unclass R 530 Manager Game x 531 User HR w 532 Snap Crackle rwxatb 533 New Old rRrRr 534 Closed Off - 535 536 Examples of unacceptable rules are:: 537 538 Top Secret Secret rx 539 Ace Ace r 540 Odd spells waxbeans 541 542 Spaces are not allowed in labels. Since a subj 543 with the same label specifying a rule for that 544 valid letters (rwxatbRWXATB) and the dash ('-' 545 access specifications. The dash is a placehold 546 as "ar". A lone dash is used to specify that n 547 548 Applying Access Rules 549 ~~~~~~~~~~~~~~~~~~~~~ 550 551 The developers of Linux rarely define new sort 552 schemes and concepts from other systems. Most 553 variants of Unix. Unix has many endearing prop 554 access control models is not one of them. Smac 555 uniformly as is sensible while keeping with th 556 mechanism. 557 558 File system objects including files, directori 559 and devices require access permissions that cl 560 bit access. To open a file for reading read ac 561 search a directory requires execute access. Cr 562 requires both read and write access on the con 563 file requires read and write access to the fil 564 directory. 
It is possible that a user may be a 565 but not any of its attributes by the circumsta 566 containing directory but not to the differentl 567 artifact of the file name being data in the di 568 569 If a directory is marked as transmuting (SMACK 570 access rule that allows a process to create an 571 includes 't' access the label assigned to the 572 of the directory, not the creating process. Th 573 for two processes with different labels to sha 574 access to all of their files. 575 576 IPC objects, message queues, semaphore sets, a 577 namespaces and access requests are only requir 578 question. 579 580 Process objects reflect tasks on the system an 581 them is the same Smack label that the task wou 582 attempts. Sending a signal via the kill() syst 583 from the signaler to the recipient. Debugging 584 and writing. Creating a new task is an interna 585 tasks with identical Smack labels and requires 586 587 Sockets are data structures attached to proces 588 one process to another requires that the sende 589 receiver. The receiver is not required to have 590 591 Setting Access Rules 592 ~~~~~~~~~~~~~~~~~~~~ 593 594 The configuration file /etc/smack/accesses con 595 system startup. The contents are written to th 596 /sys/fs/smackfs/load2. Rules can be added at a 597 immediately. For any pair of subject and objec 598 one rule, with the most recently specified ove 599 specification. 600 601 Task Attribute 602 ~~~~~~~~~~~~~~ 603 604 The Smack label of a process can be read from 605 process can read its own Smack label from /pro 606 privileged process can change its own Smack la 607 /proc/self/attr/current but not the label of a 608 609 File Attribute 610 ~~~~~~~~~~~~~~ 611 612 The Smack label of a filesystem object is stor 613 named SMACK64 on the file. This attribute is i 614 only be changed by a process with privilege. 
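The access-rule format and the seven-step decision above are easy to get subtly wrong when hand-editing ``/etc/smack/accesses``, so here is a userspace C model of both. This is an added example, not code from the Smack documentation, the kernel, or the smack-team utilities: the names ``smack_rule_add``, ``smack_access``, ``smack_label_ok`` and the ``RULE_MAX`` capacity are this example's own. It follows the page's statements literally (labels up to 255 printable characters with no space, ``/`` or quotes and not starting with ``-``; access letters ``rwxatb`` with uppercase treated as lowercase, as the kernel parser does; a dash as placeholder; the most recent rule for a subject/object pair winning; a rule with identical labels rejected as pointless). It does not model privilege (``CAP_MAC_OVERRIDE``), bringup mode, or network objects.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define SMACK_LABEL_MAX 255 /* label length limit stated on this page */
#define RULE_MAX 64         /* capacity of this model, not a Smack limit */
struct rule {
	char subject[SMACK_LABEL_MAX + 1], object[SMACK_LABEL_MAX + 1];
	char access[8]; /* granted modes, canonical subset of "rwxatb" */
};
struct ruleset { struct rule r[RULE_MAX]; int n; };

/* 1..255 printable non-space characters, none of / ' ", and not
 * starting with '-' (reserved for options such as -CIPSO, -DELETE). */
int smack_label_ok(const char *l)
{
	size_t n = strlen(l);
	if (n == 0 || n > SMACK_LABEL_MAX || l[0] == '-' || strpbrk(l, "/'\""))
		return 0;
	for (; *l; l++)
		if (!isgraph((unsigned char)*l))
			return 0;
	return 1;
}

/* rwxatb in either case grant a mode, '-' is a placeholder ("a-r" == "ar",
 * a lone "-" grants nothing), anything else is an error.  The output is
 * the granted set in fixed order, so "rRrRr" canonicalises to "r". */
int smack_access_canon(const char *spec, char out[8])
{
	static const char modes[] = "rwxatb";
	int seen[6] = {0}, k = 0;
	for (; *spec; spec++) {
		const char *m = strchr(modes, tolower((unsigned char)*spec));
		if (*spec == '-')
			continue;
		if (m == NULL || *m == '\0')
			return 0;
		seen[m - modes] = 1;
	}
	for (int i = 0; i < 6; i++)
		if (seen[i])
			out[k++] = modes[i];
	out[k] = '\0';
	return 1;
}

static struct rule *find_rule(struct ruleset *rs, const char *s, const char *o)
{
	for (int i = 0; i < rs->n; i++)
		if (!strcmp(rs->r[i].subject, s) && !strcmp(rs->r[i].object, o))
			return &rs->r[i];
	return NULL;
}

/* Add one "subject object access" rule (the load2 / accesses file format);
 * a later rule for the same pair replaces the earlier one.  Returns 0 for a
 * malformed rule: a fourth field means a label held a space ("Top Secret
 * Secret rx"), identical labels ("Ace Ace r") are pointless. */
int smack_rule_add(struct ruleset *rs, const char *line)
{
	char subj[256], obj[256], spec[64], extra[2], canon[8];
	struct rule *r;
	if (sscanf(line, "%255s %255s %63s %1s", subj, obj, spec, extra) != 3 ||
	    !smack_label_ok(subj) || !smack_label_ok(obj) ||
	    !strcmp(subj, obj) || !smack_access_canon(spec, canon))
		return 0;
	r = find_rule(rs, subj, obj);
	if (r == NULL) {
		if (rs->n == RULE_MAX)
			return 0;
		r = &rs->r[rs->n++];
		strcpy(r->subject, subj);
		strcpy(r->object, obj);
	}
	strcpy(r->access, canon);
	return 1;
}

/* The seven-step decision described on this page.  'req' lists the modes
 * requested ("rwxa", or 't' for a transmuting create); all must be granted. */
int smack_access(struct ruleset *rs, const char *subj, const char *obj, const char *req)
{
	int readlike = strspn(req, "rx") == strlen(req);
	const struct rule *r;
	if (!strcmp(subj, "*"))
		return 0;                    /* 1: a star subject is denied everything */
	if (readlike && !strcmp(subj, "^"))
		return 1;                    /* 2: hat may read or execute anything */
	if (readlike && !strcmp(obj, "_"))
		return 1;                    /* 3: floor may be read or executed by all */
	if (!strcmp(obj, "*"))
		return 1;                    /* 4: a star object is open to all */
	if (!strcmp(subj, obj))
		return 1;                    /* 5: identical labels */
	r = find_rule(rs, subj, obj);
	if (r == NULL)
		return 0;                    /* 7: nothing explicit, denied */
	for (; *req; req++)
		if (strchr(r->access, *req) == NULL)
			return 0;
	return 1;                            /* 6: every requested mode is in the rule */
}
```

Feed each line of a candidate accesses file to ``smack_rule_add`` and reject the file if any call returns 0; then query ``smack_access`` for the subject/object pairs your deployment depends on. The check order mirrors the page, so a ``*``-labelled subject is refused before the hat and floor exceptions are consulted, which is the property that keeps ``*`` safe as the label for untrusted network input.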
615 616 Privilege 617 ~~~~~~~~~ 618 619 A process with CAP_MAC_OVERRIDE or CAP_MAC_ADM 620 CAP_MAC_OVERRIDE allows the process access to 621 be denied otherwise. CAP_MAC_ADMIN allows a pr 622 Smack data, including rules and attributes. 623 624 Smack Networking 625 ~~~~~~~~~~~~~~~~ 626 627 As mentioned before, Smack enforces access con 628 transmissions. Every packet sent by a Smack pr 629 label. This is done by adding a CIPSO tag to t 630 packet received is expected to have a CIPSO ta 631 if it lacks such a tag the network ambient lab 632 is delivered a check is made to determine that 633 packet has write access to the receiving proce 634 the packet is dropped. 635 636 CIPSO Configuration 637 ~~~~~~~~~~~~~~~~~~~ 638 639 It is normally unnecessary to specify the CIPS 640 values used by the system handle all internal 641 label values to match the Smack labels being u 642 intervention. Unlabeled packets that come into 643 ambient label. 644 645 Smack requires configuration in the case where 646 not Smack that speaks CIPSO may be encountered 647 Solaris system, but there are other, less wide 648 CIPSO provides 3 important values, a Domain Of 649 and a category set with each packet. The DOI i 650 of systems that use compatible labeling scheme 651 Smack system must match that of the remote sys 652 discarded. The DOI is 3 by default. The value 653 /sys/fs/smackfs/doi and can be changed by writ 654 655 The label and category set are mapped to a Sma 656 /etc/smack/cipso. 657 658 A Smack/CIPSO mapping has the form:: 659 660 smack level [category [category]*] 661 662 Smack does not expect the level or category se 663 particular way and does not assume or assign a 664 examples of mappings:: 665 666 TopSecret 7 667 TS:A,B 7 1 2 668 SecBDE 5 2 4 6 669 RAFTERS 7 12 26 670 671 The ":" and "," characters are permitted in a 672 meaning. 673 674 The mapping of Smack labels to CIPSO values is 675 /sys/fs/smackfs/cipso2. 
676 677 In addition to explicit mappings Smack support 678 CIPSO level is used to indicate that the categ 679 in fact an encoding of the Smack label. The le 680 value can be read from /sys/fs/smackfs/direct 681 /sys/fs/smackfs/direct. 682 683 Socket Attributes 684 ~~~~~~~~~~~~~~~~~ 685 686 There are two attributes that are associated w 687 can only be set by privileged tasks, but any t 688 sockets. 689 690 SMACK64IPIN: 691 The Smack label of the task object. A 692 program that will enforce policy may s 693 694 SMACK64IPOUT: 695 The Smack label transmitted with outgo 696 A privileged program may set this to m 697 task with which it hopes to communicat 698 699 Smack Netlabel Exceptions 700 ~~~~~~~~~~~~~~~~~~~~~~~~~ 701 702 You will often find that your labeled applicat 703 unlabeled world. To do this there's a special 704 where you can add some exceptions in the form 705 706 @IP1 LABEL1 or 707 @IP2/MASK LABEL2 708 709 It means that your application will have unlab 710 write access on LABEL1, and access to the subn 711 access on LABEL2. 712 713 Entries in the /sys/fs/smackfs/netlabel file a 714 first, like in classless IPv4 routing. 715 716 A special label '@' and an option '-CIPSO' can 717 718 @ means Internet, any application 719 -CIPSO means standard CIPSO networking 720 721 If you don't know what CIPSO is and don't plan 722 723 echo 127.0.0.1 -CIPSO > /sys/fs/smackf 724 echo 0.0.0.0/0 @ > /sys/fs/smackf 725 726 If you use CIPSO on your 192.168.0.0/16 local 727 Internet access, you can have:: 728 729 echo 127.0.0.1 -CIPSO > /sys/fs/s 730 echo 192.168.0.0/16 -CIPSO > /sys/fs/s 731 echo 0.0.0.0/0 @ > /sys/fs/s 732 733 Writing Applications for Smack 734 ------------------------------ 735 736 There are three sorts of applications that wil 737 application interacts with Smack will determin 738 work properly under Smack. 
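The netlabel exceptions above are resolved most-specific-prefix-first, so the order in which the ``echo`` lines are written does not matter but the prefix lengths do. The following is an added example, not code from the Smack documentation or the kernel, that models that lookup in userspace so a netlabel configuration can be checked before it is written to ``/sys/fs/smackfs/netlabel``. The names ``netlabel_add``, ``netlabel_lookup`` and the ``NETLABEL_MAX`` capacity are this example's own. A lookup that matches no entry returns NULL; in that case the kernel, as far as I know, labels the traffic with CIPSO rather than treating the peer as a single-label host, which is why the page's recipes re-add ``127.0.0.1 -CIPSO`` after a catch-all ``0.0.0.0/0 @`` entry.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NETLABEL_MAX 32 /* capacity of this model, not a Smack limit */
struct netlabel_entry {
	uint32_t net;     /* network address, host byte order, already masked */
	int bits;         /* prefix length 0..32; a bare address is /32 */
	char label[256];  /* a Smack label, "@" (Internet) or "-CIPSO" */
};
struct netlabel_table { struct netlabel_entry e[NETLABEL_MAX]; int n; };

static uint32_t prefix_mask(int bits)
{
	return bits == 0 ? 0 : 0xffffffffu << (32 - bits);
}

/* Dotted quad to a host-order integer; rejects octets > 255 and trailing junk. */
static int parse_ipv4(const char *s, uint32_t *out)
{
	unsigned a, b, c, d;
	char junk;
	if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &junk) != 4 ||
	    a > 255 || b > 255 || c > 255 || d > 255)
		return 0;
	*out = (a << 24) | (b << 16) | (c << 8) | d;
	return 1;
}

/* Add one netlabel line, "A.B.C.D label" or "A.B.C.D/N label", as written
 * to /sys/fs/smackfs/netlabel.  Writing the same network again replaces
 * its label.  Returns 0 on a malformed line. */
int netlabel_add(struct netlabel_table *t, const char *line)
{
	char spec[64], label[256], extra[2], junk, *slash;
	uint32_t net;
	int bits = 32;
	if (sscanf(line, "%63s %255s %1s", spec, label, extra) != 2)
		return 0;
	slash = strchr(spec, '/');
	if (slash) {
		*slash = '\0';
		if (sscanf(slash + 1, "%d%c", &bits, &junk) != 1 || bits < 0 || bits > 32)
			return 0;
	}
	if (!parse_ipv4(spec, &net))
		return 0;
	net &= prefix_mask(bits);
	for (int i = 0; i < t->n; i++)
		if (t->e[i].net == net && t->e[i].bits == bits) {
			strcpy(t->e[i].label, label);
			return 1;
		}
	if (t->n == NETLABEL_MAX)
		return 0;
	t->e[t->n].net = net;
	t->e[t->n].bits = bits;
	strcpy(t->e[t->n++].label, label);
	return 1;
}

/* Most specific (longest prefix) match, like classless IPv4 routing.
 * NULL means no single-label entry covers the peer. */
const char *netlabel_lookup(const struct netlabel_table *t, const char *ip)
{
	const struct netlabel_entry *best = NULL;
	uint32_t a;
	if (!parse_ipv4(ip, &a))
		return NULL;
	for (int i = 0; i < t->n; i++) {
		const struct netlabel_entry *e = &t->e[i];
		if ((a & prefix_mask(e->bits)) == e->net && (!best || e->bits > best->bits))
			best = e;
	}
	return best ? best->label : NULL;
}
```

The returned label is what the page says governs the peer: for ``-CIPSO`` the packet carries its own label in the CIPSO option, otherwise outbound traffic requires Smack write access from the sending process to that label and inbound packets are given it. Resolving the addresses you actually talk to against the table before loading it catches the common mistake of a broad ``@`` entry silently covering a host that was meant to stay labelled.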
739 740 Smack Ignorant Applications 741 --------------------------- 742 743 By far the majority of applications have no re 744 unique properties of Smack. Since invoking a p 745 Smack label associated with the process the on 746 whether the process has execute access to the 747 748 Smack Relevant Applications 749 --------------------------- 750 751 Some programs can be improved by teaching them 752 any security decisions themselves. The utility 753 program. 754 755 Smack Enforcing Applications 756 ---------------------------- 757 758 These are special programs that not only know 759 the enforcement of system policy. In most case 760 set up user sessions. There are also network s 761 to processes running with various labels. 762 763 File System Interfaces 764 ---------------------- 765 766 Smack maintains labels on file system objects 767 Smack label of a file, directory, or other fil 768 using getxattr(2):: 769 770 len = getxattr("/", "security.SMACK64" 771 772 will put the Smack label of the root directory 773 process can set the Smack label of a file syst 774 775 len = strlen("Rubble"); 776 rc = setxattr("/foo", "security.SMACK6 777 778 will set the Smack label of /foo to "Rubble" i 779 privilege. 780 781 Socket Interfaces 782 ----------------- 783 784 The socket attributes can be read using fgetxa 785 786 A privileged process can set the Smack label o 787 fsetxattr(2):: 788 789 len = strlen("Rubble"); 790 rc = fsetxattr(fd, "security.SMACK64IP 791 792 will set the Smack label "Rubble" on packets g 793 program has appropriate privilege:: 794 795 rc = fsetxattr(fd, "security.SMACK64IP 796 797 will set the Smack label "*" as the object lab 798 packets will be checked if the program has app 799 800 Administration 801 -------------- 802 803 Smack supports some mount options: 804 805 smackfsdef=label: 806 specifies the label to give files that 807 the Smack label extended attribute. 
808 809 smackfsroot=label: 810 specifies the label to assign the root 811 file system if it lacks the Smack exte 812 813 smackfshat=label: 814 specifies a label that must have read 815 all labels set on the filesystem. Not 816 817 smackfsfloor=label: 818 specifies a label to which all labels 819 filesystem must have read access. Not 820 821 smackfstransmute=label: 822 behaves exactly like smackfsroot excep 823 sets the transmute flag on the root of 824 825 These mount options apply to all file system t 826 827 Smack auditing 828 -------------- 829 830 If you want Smack auditing of security events, 831 in your kernel configuration. 832 By default, all denied events will be audited. 833 writing a single character to the /sys/fs/smac 834 835 0 : no logging 836 1 : log denied (default) 837 2 : log accepted 838 3 : log denied & accepted 839 840 Events are logged as 'key=value' pairs, for ea 841 the subject, the object, the rights requested, 842 that triggered the event, plus other pairs dep 843 audited. 844 845 Bringup Mode 846 ------------ 847 848 Bringup mode provides logging features that ca 849 configuration and system bringup easier. Confi 850 CONFIG_SECURITY_SMACK_BRINGUP to enable these 851 mode is enabled accesses that succeed due to r 852 access mode will logged. When a new label is i 853 rules can be added aggressively, marked with t 854 tracking of which rules actual get used for th 855 856 Another feature of bringup mode is the "unconf 857 a label to /sys/fs/smackfs/unconfined makes su 858 able to access any object, and objects with th 859 all subjects. Any access that is granted becau 860 is logged. This feature is dangerous, as files 861 be created in places they couldn't if the poli