author Rafal Krypa <r.krypa@samsung.com> 2015-06-02 05:23:48 -0400
committer Casey Schaufler <casey@schaufler-ca.com> 2015-06-02 14:53:42 -0400
commit c0d77c884461fc0dec0411e49797dc3f3651c31b
tree c526c2ae841b0fc358d29af69cddcdb63ae72431 /Documentation/security
parent 01fa8474fba7e80f6a2ac31d0790385a993cb7ba
Smack: allow multiple labels in onlycap
Smack onlycap allows limiting of CAP_MAC_ADMIN and CAP_MAC_OVERRIDE to processes running with the configured label. But having a single privileged label is not enough in some real use cases. On a complex system like Tizen, there may be a few programs that need to configure Smack policy in run-time and running them all with a single label is not always practical.

This patch extends the onlycap feature for multiple labels. They are configured in the same smackfs "onlycap" interface, separated by spaces.

Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Diffstat (limited to 'Documentation/security')
-rw-r--r-- Documentation/security/Smack.txt | 6
1 files changed, 3 insertions, 3 deletions
diff --git a/Documentation/security/Smack.txt b/Documentation/security/Smack.txt
index abc82f85215b..de5e1aeca7fb 100644
--- a/Documentation/security/Smack.txt
+++ b/Documentation/security/Smack.txt
@@ -206,11 +206,11 @@ netlabel
206 label. The format accepted on write is: 206 label. The format accepted on write is:
207 "%d.%d.%d.%d label" or "%d.%d.%d.%d/%d label". 207 "%d.%d.%d.%d label" or "%d.%d.%d.%d/%d label".
208onlycap 208onlycap
209 This contains the label processes must have for CAP_MAC_ADMIN 209 This contains labels processes must have for CAP_MAC_ADMIN
210 and CAP_MAC_OVERRIDE to be effective. If this file is empty 210 and CAP_MAC_OVERRIDE to be effective. If this file is empty
211 these capabilities are effective at for processes with any 211 these capabilities are effective at for processes with any
212 label. The value is set by writing the desired label to the 212 label. The values are set by writing the desired labels, separated
213 file or cleared by writing "-" to the file. 213 by spaces, to the file or cleared by writing "-" to the file.
214ptrace 214ptrace
215 This is used to define the current ptrace policy 215 This is used to define the current ptrace policy
216 0 - default: this is the policy that relies on Smack access rules. 216 0 - default: this is the policy that relies on Smack access rules.
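Review bot: In the onlycap entry, the new wording at line 209, "This contains labels processes must have", can be read as requiring a process to carry every listed label. The commit message describes processes as running with a single label, so the text should say that the process label has to match one of the listed labels, for example "This contains the labels, one of which a process must have, for CAP_MAC_ADMIN and CAP_MAC_OVERRIDE to be effective." The unchanged context at line 211 still reads "effective at for processes with any label"; since the lines on either side are being rewritten, dropping the stray "at" in the same patch would be worthwhile. It would also help to state whether a write replaces the whole list or appends to it, because the text only says the values "are set by writing the desired labels" and that "-" clears the file.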