diff options
author | Casey Schaufler <casey@schaufler-ca.com> | 2012-05-06 18:22:02 -0400 |
---|---|---|
committer | Casey Schaufler <cschaufler@vaio-ubuntu.(none)> | 2012-05-15 01:48:38 -0400 |
commit | f7112e6c9abf1c70f001dcf097c1d6e218a93f5c (patch) | |
tree | 8ddcab31388e3f220f3ef911f4ec9dce8ac4be92 /Documentation/security/Smack.txt | |
parent | ceffec5541cc22486d3ff492e3d76a33a68fbfa3 (diff) |
Smack: allow for significantly longer Smack labels v4
V4 updated to current linux-security#next
Targeted for git://gitorious.org/smack-next/kernel.git
Modern application runtime environments like to use
naming schemes that are structured and generated without
human intervention. Even though the Smack limit of 23
characters for a label name is perfectly rational for
human use there have been complaints that the limit is
a problem in environments where names are composed from
a set or sources, including vendor, author, distribution
channel and application name. Names like
softwarehouse-pgwodehouse-coolappstore-mellowmuskrats
are becoming harder to avoid. This patch introduces long
label support in Smack. Labels are now limited to 255
characters instead of the old 23.
The primary reason for limiting the labels to 23 characters
was so they could be directly contained in CIPSO category sets.
This is still done were possible, but for labels that are too
large a mapping is required. This is perfectly safe for communication
that stays "on the box" and doesn't require much coordination
between boxes beyond what would have been required to keep label
names consistent.
The bulk of this patch is in smackfs, adding and updating
administrative interfaces. Because existing APIs can't be
changed new ones that do much the same things as old ones
have been introduced.
The Smack specific CIPSO data representation has been removed
and replaced with the data format used by netlabel. The CIPSO
header is now computed when a label is imported rather than
on use. This results in improved IP performance. The smack
label is now allocated separately from the containing structure,
allowing for larger strings.
Four new /smack interfaces have been introduced as four
of the old interfaces strictly required labels be specified
in fixed length arrays.
The access interface is supplemented with the check interface:
access "Subject Object rwxat"
access2 "Subject Object rwaxt"
The load interface is supplemented with the rules interface:
load "Subject Object rwxat"
load2 "Subject Object rwaxt"
The load-self interface is supplemented with the self-rules interface:
load-self "Subject Object rwxat"
load-self2 "Subject Object rwaxt"
The cipso interface is supplemented with the wire interface:
cipso "Subject lvl cnt c1 c2 ..."
cipso2 "Subject lvl cnt c1 c2 ..."
The old interfaces are maintained for compatibility.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Diffstat (limited to 'Documentation/security/Smack.txt')
-rw-r--r-- | Documentation/security/Smack.txt | 204 |
1 files changed, 164 insertions, 40 deletions
diff --git a/Documentation/security/Smack.txt b/Documentation/security/Smack.txt index d2f72ae66432..a416479b8a1c 100644 --- a/Documentation/security/Smack.txt +++ b/Documentation/security/Smack.txt | |||
@@ -15,7 +15,7 @@ at hand. | |||
15 | 15 | ||
16 | Smack consists of three major components: | 16 | Smack consists of three major components: |
17 | - The kernel | 17 | - The kernel |
18 | - A start-up script and a few modified applications | 18 | - Basic utilities, which are helpful but not required |
19 | - Configuration data | 19 | - Configuration data |
20 | 20 | ||
21 | The kernel component of Smack is implemented as a Linux | 21 | The kernel component of Smack is implemented as a Linux |
@@ -23,37 +23,28 @@ Security Modules (LSM) module. It requires netlabel and | |||
23 | works best with file systems that support extended attributes, | 23 | works best with file systems that support extended attributes, |
24 | although xattr support is not strictly required. | 24 | although xattr support is not strictly required. |
25 | It is safe to run a Smack kernel under a "vanilla" distribution. | 25 | It is safe to run a Smack kernel under a "vanilla" distribution. |
26 | |||
26 | Smack kernels use the CIPSO IP option. Some network | 27 | Smack kernels use the CIPSO IP option. Some network |
27 | configurations are intolerant of IP options and can impede | 28 | configurations are intolerant of IP options and can impede |
28 | access to systems that use them as Smack does. | 29 | access to systems that use them as Smack does. |
29 | 30 | ||
30 | The startup script etc-init.d-smack should be installed | 31 | The current git repositories for Smack user space are: |
31 | in /etc/init.d/smack and should be invoked early in the | ||
32 | start-up process. On Fedora rc5.d/S02smack is recommended. | ||
33 | This script ensures that certain devices have the correct | ||
34 | Smack attributes and loads the Smack configuration if | ||
35 | any is defined. This script invokes two programs that | ||
36 | ensure configuration data is properly formatted. These | ||
37 | programs are /usr/sbin/smackload and /usr/sin/smackcipso. | ||
38 | The system will run just fine without these programs, | ||
39 | but it will be difficult to set access rules properly. | ||
40 | |||
41 | A version of "ls" that provides a "-M" option to display | ||
42 | Smack labels on long listing is available. | ||
43 | 32 | ||
44 | A hacked version of sshd that allows network logins by users | 33 | git@gitorious.org:meego-platform-security/smackutil.git |
45 | with specific Smack labels is available. This version does | 34 | git@gitorious.org:meego-platform-security/libsmack.git |
46 | not work for scp. You must set the /etc/ssh/sshd_config | ||
47 | line: | ||
48 | UsePrivilegeSeparation no | ||
49 | 35 | ||
50 | The format of /etc/smack/usr is: | 36 | These should make and install on most modern distributions. |
37 | There are three commands included in smackutil: | ||
51 | 38 | ||
52 | username smack | 39 | smackload - properly formats data for writing to /smack/load |
40 | smackcipso - properly formats data for writing to /smack/cipso | ||
41 | chsmack - display or set Smack extended attribute values | ||
53 | 42 | ||
54 | In keeping with the intent of Smack, configuration data is | 43 | In keeping with the intent of Smack, configuration data is |
55 | minimal and not strictly required. The most important | 44 | minimal and not strictly required. The most important |
56 | configuration step is mounting the smackfs pseudo filesystem. | 45 | configuration step is mounting the smackfs pseudo filesystem. |
46 | If smackutil is installed the startup script will take care | ||
47 | of this, but it can be manually as well. | ||
57 | 48 | ||
58 | Add this line to /etc/fstab: | 49 | Add this line to /etc/fstab: |
59 | 50 | ||
@@ -61,19 +52,148 @@ Add this line to /etc/fstab: | |||
61 | 52 | ||
62 | and create the /smack directory for mounting. | 53 | and create the /smack directory for mounting. |
63 | 54 | ||
64 | Smack uses extended attributes (xattrs) to store file labels. | 55 | Smack uses extended attributes (xattrs) to store labels on filesystem |
65 | The command to set a Smack label on a file is: | 56 | objects. The attributes are stored in the extended attribute security |
57 | name space. A process must have CAP_MAC_ADMIN to change any of these | ||
58 | attributes. | ||
59 | |||
60 | The extended attributes that Smack uses are: | ||
61 | |||
62 | SMACK64 | ||
63 | Used to make access control decisions. In almost all cases | ||
64 | the label given to a new filesystem object will be the label | ||
65 | of the process that created it. | ||
66 | SMACK64EXEC | ||
67 | The Smack label of a process that execs a program file with | ||
68 | this attribute set will run with this attribute's value. | ||
69 | SMACK64MMAP | ||
70 | Don't allow the file to be mmapped by a process whose Smack | ||
71 | label does not allow all of the access permitted to a process | ||
72 | with the label contained in this attribute. This is a very | ||
73 | specific use case for shared libraries. | ||
74 | SMACK64TRANSMUTE | ||
75 | Can only have the value "TRUE". If this attribute is present | ||
76 | on a directory when an object is created in the directory and | ||
77 | the Smack rule (more below) that permitted the write access | ||
78 | to the directory includes the transmute ("t") mode the object | ||
79 | gets the label of the directory instead of the label of the | ||
80 | creating process. If the object being created is a directory | ||
81 | the SMACK64TRANSMUTE attribute is set as well. | ||
82 | SMACK64IPIN | ||
83 | This attribute is only available on file descriptors for sockets. | ||
84 | Use the Smack label in this attribute for access control | ||
85 | decisions on packets being delivered to this socket. | ||
86 | SMACK64IPOUT | ||
87 | This attribute is only available on file descriptors for sockets. | ||
88 | Use the Smack label in this attribute for access control | ||
89 | decisions on packets coming from this socket. | ||
90 | |||
91 | There are multiple ways to set a Smack label on a file: | ||
66 | 92 | ||
67 | # attr -S -s SMACK64 -V "value" path | 93 | # attr -S -s SMACK64 -V "value" path |
94 | # chsmack -a value path | ||
68 | 95 | ||
69 | NOTE: Smack labels are limited to 23 characters. The attr command | 96 | A process can see the smack label it is running with by |
70 | does not enforce this restriction and can be used to set | 97 | reading /proc/self/attr/current. A process with CAP_MAC_ADMIN |
71 | invalid Smack labels on files. | 98 | can set the process smack by writing there. |
72 | 99 | ||
73 | If you don't do anything special all users will get the floor ("_") | 100 | Most Smack configuration is accomplished by writing to files |
74 | label when they log in. If you do want to log in via the hacked ssh | 101 | in the smackfs filesystem. This pseudo-filesystem is usually |
75 | at other labels use the attr command to set the smack value on the | 102 | mounted on /smack. |
76 | home directory and its contents. | 103 | |
104 | access | ||
105 | This interface reports whether a subject with the specified | ||
106 | Smack label has a particular access to an object with a | ||
107 | specified Smack label. Write a fixed format access rule to | ||
108 | this file. The next read will indicate whether the access | ||
109 | would be permitted. The text will be either "1" indicating | ||
110 | access, or "0" indicating denial. | ||
111 | access2 | ||
112 | This interface reports whether a subject with the specified | ||
113 | Smack label has a particular access to an object with a | ||
114 | specified Smack label. Write a long format access rule to | ||
115 | this file. The next read will indicate whether the access | ||
116 | would be permitted. The text will be either "1" indicating | ||
117 | access, or "0" indicating denial. | ||
118 | ambient | ||
119 | This contains the Smack label applied to unlabeled network | ||
120 | packets. | ||
121 | cipso | ||
122 | This interface allows a specific CIPSO header to be assigned | ||
123 | to a Smack label. The format accepted on write is: | ||
124 | "%24s%4d%4d"["%4d"]... | ||
125 | The first string is a fixed Smack label. The first number is | ||
126 | the level to use. The second number is the number of categories. | ||
127 | The following numbers are the categories. | ||
128 | "level-3-cats-5-19 3 2 5 19" | ||
129 | cipso2 | ||
130 | This interface allows a specific CIPSO header to be assigned | ||
131 | to a Smack label. The format accepted on write is: | ||
132 | "%s%4d%4d"["%4d"]... | ||
133 | The first string is a long Smack label. The first number is | ||
134 | the level to use. The second number is the number of categories. | ||
135 | The following numbers are the categories. | ||
136 | "level-3-cats-5-19 3 2 5 19" | ||
137 | direct | ||
138 | This contains the CIPSO level used for Smack direct label | ||
139 | representation in network packets. | ||
140 | doi | ||
141 | This contains the CIPSO domain of interpretation used in | ||
142 | network packets. | ||
143 | load | ||
144 | This interface allows access control rules in addition to | ||
145 | the system defined rules to be specified. The format accepted | ||
146 | on write is: | ||
147 | "%24s%24s%5s" | ||
148 | where the first string is the subject label, the second the | ||
149 | object label, and the third the requested access. The access | ||
150 | string may contain only the characters "rwxat-", and specifies | ||
151 | which sort of access is allowed. The "-" is a placeholder for | ||
152 | permissions that are not allowed. The string "r-x--" would | ||
153 | specify read and execute access. Labels are limited to 23 | ||
154 | characters in length. | ||
155 | load2 | ||
156 | This interface allows access control rules in addition to | ||
157 | the system defined rules to be specified. The format accepted | ||
158 | on write is: | ||
159 | "%s %s %s" | ||
160 | where the first string is the subject label, the second the | ||
161 | object label, and the third the requested access. The access | ||
162 | string may contain only the characters "rwxat-", and specifies | ||
163 | which sort of access is allowed. The "-" is a placeholder for | ||
164 | permissions that are not allowed. The string "r-x--" would | ||
165 | specify read and execute access. | ||
166 | load-self | ||
167 | This interface allows process specific access rules to be | ||
168 | defined. These rules are only consulted if access would | ||
169 | otherwise be permitted, and are intended to provide additional | ||
170 | restrictions on the process. The format is the same as for | ||
171 | the load interface. | ||
172 | load-self2 | ||
173 | This interface allows process specific access rules to be | ||
174 | defined. These rules are only consulted if access would | ||
175 | otherwise be permitted, and are intended to provide additional | ||
176 | restrictions on the process. The format is the same as for | ||
177 | the load2 interface. | ||
178 | logging | ||
179 | This contains the Smack logging state. | ||
180 | mapped | ||
181 | This contains the CIPSO level used for Smack mapped label | ||
182 | representation in network packets. | ||
183 | netlabel | ||
184 | This interface allows specific internet addresses to be | ||
185 | treated as single label hosts. Packets are sent to single | ||
186 | label hosts without CIPSO headers, but only from processes | ||
187 | that have Smack write access to the host label. All packets | ||
188 | received from single label hosts are given the specified | ||
189 | label. The format accepted on write is: | ||
190 | "%d.%d.%d.%d label" or "%d.%d.%d.%d/%d label". | ||
191 | onlycap | ||
192 | This contains the label processes must have for CAP_MAC_ADMIN | ||
193 | and CAP_MAC_OVERRIDE to be effective. If this file is empty | ||
194 | these capabilities are effective at for processes with any | ||
195 | label. The value is set by writing the desired label to the | ||
196 | file or cleared by writing "-" to the file. | ||
77 | 197 | ||
78 | You can add access rules in /etc/smack/accesses. They take the form: | 198 | You can add access rules in /etc/smack/accesses. They take the form: |
79 | 199 | ||
@@ -83,10 +203,6 @@ access is a combination of the letters rwxa which specify the | |||
83 | kind of access permitted a subject with subjectlabel on an | 203 | kind of access permitted a subject with subjectlabel on an |
84 | object with objectlabel. If there is no rule no access is allowed. | 204 | object with objectlabel. If there is no rule no access is allowed. |
85 | 205 | ||
86 | A process can see the smack label it is running with by | ||
87 | reading /proc/self/attr/current. A privileged process can | ||
88 | set the process smack by writing there. | ||
89 | |||
90 | Look for additional programs on http://schaufler-ca.com | 206 | Look for additional programs on http://schaufler-ca.com |
91 | 207 | ||
92 | From the Smack Whitepaper: | 208 | From the Smack Whitepaper: |
@@ -186,7 +302,7 @@ team. Smack labels are unstructured, case sensitive, and the only operation | |||
186 | ever performed on them is comparison for equality. Smack labels cannot | 302 | ever performed on them is comparison for equality. Smack labels cannot |
187 | contain unprintable characters, the "/" (slash), the "\" (backslash), the "'" | 303 | contain unprintable characters, the "/" (slash), the "\" (backslash), the "'" |
188 | (quote) and '"' (double-quote) characters. | 304 | (quote) and '"' (double-quote) characters. |
189 | Smack labels cannot begin with a '-', which is reserved for special options. | 305 | Smack labels cannot begin with a '-'. This is reserved for special options. |
190 | 306 | ||
191 | There are some predefined labels: | 307 | There are some predefined labels: |
192 | 308 | ||
@@ -194,7 +310,7 @@ There are some predefined labels: | |||
194 | ^ Pronounced "hat", a single circumflex character. | 310 | ^ Pronounced "hat", a single circumflex character. |
195 | * Pronounced "star", a single asterisk character. | 311 | * Pronounced "star", a single asterisk character. |
196 | ? Pronounced "huh", a single question mark character. | 312 | ? Pronounced "huh", a single question mark character. |
197 | @ Pronounced "Internet", a single at sign character. | 313 | @ Pronounced "web", a single at sign character. |
198 | 314 | ||
199 | Every task on a Smack system is assigned a label. System tasks, such as | 315 | Every task on a Smack system is assigned a label. System tasks, such as |
200 | init(8) and systems daemons, are run with the floor ("_") label. User tasks | 316 | init(8) and systems daemons, are run with the floor ("_") label. User tasks |
@@ -246,13 +362,14 @@ The format of an access rule is: | |||
246 | 362 | ||
247 | Where subject-label is the Smack label of the task, object-label is the Smack | 363 | Where subject-label is the Smack label of the task, object-label is the Smack |
248 | label of the thing being accessed, and access is a string specifying the sort | 364 | label of the thing being accessed, and access is a string specifying the sort |
249 | of access allowed. The Smack labels are limited to 23 characters. The access | 365 | of access allowed. The access specification is searched for letters that |
250 | specification is searched for letters that describe access modes: | 366 | describe access modes: |
251 | 367 | ||
252 | a: indicates that append access should be granted. | 368 | a: indicates that append access should be granted. |
253 | r: indicates that read access should be granted. | 369 | r: indicates that read access should be granted. |
254 | w: indicates that write access should be granted. | 370 | w: indicates that write access should be granted. |
255 | x: indicates that execute access should be granted. | 371 | x: indicates that execute access should be granted. |
372 | t: indicates that the rule requests transmutation. | ||
256 | 373 | ||
257 | Uppercase values for the specification letters are allowed as well. | 374 | Uppercase values for the specification letters are allowed as well. |
258 | Access mode specifications can be in any order. Examples of acceptable rules | 375 | Access mode specifications can be in any order. Examples of acceptable rules |
@@ -273,7 +390,7 @@ Examples of unacceptable rules are: | |||
273 | 390 | ||
274 | Spaces are not allowed in labels. Since a subject always has access to files | 391 | Spaces are not allowed in labels. Since a subject always has access to files |
275 | with the same label specifying a rule for that case is pointless. Only | 392 | with the same label specifying a rule for that case is pointless. Only |
276 | valid letters (rwxaRWXA) and the dash ('-') character are allowed in | 393 | valid letters (rwxatRWXAT) and the dash ('-') character are allowed in |
277 | access specifications. The dash is a placeholder, so "a-r" is the same | 394 | access specifications. The dash is a placeholder, so "a-r" is the same |
278 | as "ar". A lone dash is used to specify that no access should be allowed. | 395 | as "ar". A lone dash is used to specify that no access should be allowed. |
279 | 396 | ||
@@ -297,6 +414,13 @@ but not any of its attributes by the circumstance of having read access to the | |||
297 | containing directory but not to the differently labeled file. This is an | 414 | containing directory but not to the differently labeled file. This is an |
298 | artifact of the file name being data in the directory, not a part of the file. | 415 | artifact of the file name being data in the directory, not a part of the file. |
299 | 416 | ||
417 | If a directory is marked as transmuting (SMACK64TRANSMUTE=TRUE) and the | ||
418 | access rule that allows a process to create an object in that directory | ||
419 | includes 't' access the label assigned to the new object will be that | ||
420 | of the directory, not the creating process. This makes it much easier | ||
421 | for two processes with different labels to share data without granting | ||
422 | access to all of their files. | ||
423 | |||
300 | IPC objects, message queues, semaphore sets, and memory segments exist in flat | 424 | IPC objects, message queues, semaphore sets, and memory segments exist in flat |
301 | namespaces and access requests are only required to match the object in | 425 | namespaces and access requests are only required to match the object in |
302 | question. | 426 | question. |