diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2014-06-10 13:05:36 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2014-06-10 13:05:36 -0400 |
| commit | fad0701eaa091beb8ce5ef2eef04b5e833617368 (patch) | |
| tree | 788297c7b05b167599265013ef8ec473a0d367fe /Documentation/security/Smack.txt | |
| parent | d53b47c08d8fda1892f47393de8eeab4e34b3188 (diff) | |
| parent | f9b2a735bdddf836214b5dca74f6ca7712e5a08c (diff) | |
Merge branch 'serge-next-1' of git://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux-security
Pull security layer updates from Serge Hallyn:
"This is a merge of James Morris' security-next tree from 3.14 to
yesterday's master, plus four patches from Paul Moore which are in
linux-next, plus one patch from Mimi"
* 'serge-next-1' of git://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux-security:
ima: audit log files opened with O_DIRECT flag
selinux: conditionally reschedule in hashtab_insert while loading selinux policy
selinux: conditionally reschedule in mls_convert_context while loading selinux policy
selinux: reject setexeccon() on MNT_NOSUID applications with -EACCES
selinux: Report permissive mode in avc: denied messages.
Warning in scanf string typing
Smack: Label cgroup files for systemd
Smack: Verify read access on file open - v3
security: Convert use of typedef ctl_table to struct ctl_table
Smack: bidirectional UDS connect check
Smack: Correctly remove SMACK64TRANSMUTE attribute
SMACK: Fix handling value==NULL in post setxattr
bugfix patch for SMACK
Smack: adds smackfs/ptrace interface
Smack: unify all ptrace accesses in the smack
Smack: fix the subject/object order in smack_ptrace_traceme()
Minor improvement of 'smack_sb_kern_mount'
smack: fix key permission verification
KEYS: Move the flags representing required permission to linux/key.h
Diffstat (limited to 'Documentation/security/Smack.txt')
| -rw-r--r-- | Documentation/security/Smack.txt | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/Documentation/security/Smack.txt b/Documentation/security/Smack.txt index 5ea996f21d6c..b6ef7e9dba30 100644 --- a/Documentation/security/Smack.txt +++ b/Documentation/security/Smack.txt | |||
| @@ -204,6 +204,16 @@ onlycap | |||
| 204 | these capabilities are effective at for processes with any | 204 | these capabilities are effective at for processes with any |
| 205 | label. The value is set by writing the desired label to the | 205 | label. The value is set by writing the desired label to the |
| 206 | file or cleared by writing "-" to the file. | 206 | file or cleared by writing "-" to the file. |
| 207 | ptrace | ||
| 208 | This is used to define the current ptrace policy | ||
| 209 | 0 - default: this is the policy that relies on smack access rules. | ||
| 210 | For the PTRACE_READ a subject needs to have a read access on | ||
| 211 | object. For the PTRACE_ATTACH a read-write access is required. | ||
| 212 | 1 - exact: this is the policy that limits PTRACE_ATTACH. Attach is | ||
| 213 | only allowed when subject's and object's labels are equal. | ||
| 214 | PTRACE_READ is not affected. Can be overriden with CAP_SYS_PTRACE. | ||
| 215 | 2 - draconian: this policy behaves like the 'exact' above with an | ||
| 216 | exception that it can't be overriden with CAP_SYS_PTRACE. | ||
| 207 | revoke-subject | 217 | revoke-subject |
| 208 | Writing a Smack label here sets the access to '-' for all access | 218 | Writing a Smack label here sets the access to '-' for all access |
| 209 | rules with that subject label. | 219 | rules with that subject label. |