aboutsummaryrefslogtreecommitdiffstats
path: root/Documentation
diff options
context:
space:
mode:
authorCasey Schaufler <casey@schaufler-ca.com>2012-05-06 18:22:02 -0400
committerCasey Schaufler <cschaufler@vaio-ubuntu.(none)>2012-05-15 01:48:38 -0400
commitf7112e6c9abf1c70f001dcf097c1d6e218a93f5c (patch)
tree8ddcab31388e3f220f3ef911f4ec9dce8ac4be92 /Documentation
parentceffec5541cc22486d3ff492e3d76a33a68fbfa3 (diff)
Smack: allow for significantly longer Smack labels v4
V4 updated to current linux-security#next Targeted for git://gitorious.org/smack-next/kernel.git Modern application runtime environments like to use naming schemes that are structured and generated without human intervention. Even though the Smack limit of 23 characters for a label name is perfectly rational for human use there have been complaints that the limit is a problem in environments where names are composed from a set or sources, including vendor, author, distribution channel and application name. Names like softwarehouse-pgwodehouse-coolappstore-mellowmuskrats are becoming harder to avoid. This patch introduces long label support in Smack. Labels are now limited to 255 characters instead of the old 23. The primary reason for limiting the labels to 23 characters was so they could be directly contained in CIPSO category sets. This is still done were possible, but for labels that are too large a mapping is required. This is perfectly safe for communication that stays "on the box" and doesn't require much coordination between boxes beyond what would have been required to keep label names consistent. The bulk of this patch is in smackfs, adding and updating administrative interfaces. Because existing APIs can't be changed new ones that do much the same things as old ones have been introduced. The Smack specific CIPSO data representation has been removed and replaced with the data format used by netlabel. The CIPSO header is now computed when a label is imported rather than on use. This results in improved IP performance. The smack label is now allocated separately from the containing structure, allowing for larger strings. Four new /smack interfaces have been introduced as four of the old interfaces strictly required labels be specified in fixed length arrays. The access interface is supplemented with the check interface: access "Subject Object rwxat" access2 "Subject Object rwaxt" The load interface is supplemented with the rules interface: load "Subject Object rwxat" load2 "Subject Object rwaxt" The load-self interface is supplemented with the self-rules interface: load-self "Subject Object rwxat" load-self2 "Subject Object rwaxt" The cipso interface is supplemented with the wire interface: cipso "Subject lvl cnt c1 c2 ..." cipso2 "Subject lvl cnt c1 c2 ..." The old interfaces are maintained for compatibility. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Diffstat (limited to 'Documentation')
-rw-r--r--Documentation/security/Smack.txt204
1 files changed, 164 insertions, 40 deletions
diff --git a/Documentation/security/Smack.txt b/Documentation/security/Smack.txt
index d2f72ae66432..a416479b8a1c 100644
--- a/Documentation/security/Smack.txt
+++ b/Documentation/security/Smack.txt
@@ -15,7 +15,7 @@ at hand.
15 15
16Smack consists of three major components: 16Smack consists of three major components:
17 - The kernel 17 - The kernel
18 - A start-up script and a few modified applications 18 - Basic utilities, which are helpful but not required
19 - Configuration data 19 - Configuration data
20 20
21The kernel component of Smack is implemented as a Linux 21The kernel component of Smack is implemented as a Linux
@@ -23,37 +23,28 @@ Security Modules (LSM) module. It requires netlabel and
23works best with file systems that support extended attributes, 23works best with file systems that support extended attributes,
24although xattr support is not strictly required. 24although xattr support is not strictly required.
25It is safe to run a Smack kernel under a "vanilla" distribution. 25It is safe to run a Smack kernel under a "vanilla" distribution.
26
26Smack kernels use the CIPSO IP option. Some network 27Smack kernels use the CIPSO IP option. Some network
27configurations are intolerant of IP options and can impede 28configurations are intolerant of IP options and can impede
28access to systems that use them as Smack does. 29access to systems that use them as Smack does.
29 30
30The startup script etc-init.d-smack should be installed 31The current git repositories for Smack user space are:
31in /etc/init.d/smack and should be invoked early in the
32start-up process. On Fedora rc5.d/S02smack is recommended.
33This script ensures that certain devices have the correct
34Smack attributes and loads the Smack configuration if
35any is defined. This script invokes two programs that
36ensure configuration data is properly formatted. These
37programs are /usr/sbin/smackload and /usr/sin/smackcipso.
38The system will run just fine without these programs,
39but it will be difficult to set access rules properly.
40
41A version of "ls" that provides a "-M" option to display
42Smack labels on long listing is available.
43 32
44A hacked version of sshd that allows network logins by users 33 git@gitorious.org:meego-platform-security/smackutil.git
45with specific Smack labels is available. This version does 34 git@gitorious.org:meego-platform-security/libsmack.git
46not work for scp. You must set the /etc/ssh/sshd_config
47line:
48 UsePrivilegeSeparation no
49 35
50The format of /etc/smack/usr is: 36These should make and install on most modern distributions.
37There are three commands included in smackutil:
51 38
52 username smack 39smackload - properly formats data for writing to /smack/load
40smackcipso - properly formats data for writing to /smack/cipso
41chsmack - display or set Smack extended attribute values
53 42
54In keeping with the intent of Smack, configuration data is 43In keeping with the intent of Smack, configuration data is
55minimal and not strictly required. The most important 44minimal and not strictly required. The most important
56configuration step is mounting the smackfs pseudo filesystem. 45configuration step is mounting the smackfs pseudo filesystem.
46If smackutil is installed the startup script will take care
47of this, but it can be manually as well.
57 48
58Add this line to /etc/fstab: 49Add this line to /etc/fstab:
59 50
@@ -61,19 +52,148 @@ Add this line to /etc/fstab:
61 52
62and create the /smack directory for mounting. 53and create the /smack directory for mounting.
63 54
64Smack uses extended attributes (xattrs) to store file labels. 55Smack uses extended attributes (xattrs) to store labels on filesystem
65The command to set a Smack label on a file is: 56objects. The attributes are stored in the extended attribute security
57name space. A process must have CAP_MAC_ADMIN to change any of these
58attributes.
59
60The extended attributes that Smack uses are:
61
62SMACK64
63 Used to make access control decisions. In almost all cases
64 the label given to a new filesystem object will be the label
65 of the process that created it.
66SMACK64EXEC
67 The Smack label of a process that execs a program file with
68 this attribute set will run with this attribute's value.
69SMACK64MMAP
70 Don't allow the file to be mmapped by a process whose Smack
71 label does not allow all of the access permitted to a process
72 with the label contained in this attribute. This is a very
73 specific use case for shared libraries.
74SMACK64TRANSMUTE
75 Can only have the value "TRUE". If this attribute is present
76 on a directory when an object is created in the directory and
77 the Smack rule (more below) that permitted the write access
78 to the directory includes the transmute ("t") mode the object
79 gets the label of the directory instead of the label of the
80 creating process. If the object being created is a directory
81 the SMACK64TRANSMUTE attribute is set as well.
82SMACK64IPIN
83 This attribute is only available on file descriptors for sockets.
84 Use the Smack label in this attribute for access control
85 decisions on packets being delivered to this socket.
86SMACK64IPOUT
87 This attribute is only available on file descriptors for sockets.
88 Use the Smack label in this attribute for access control
89 decisions on packets coming from this socket.
90
91There are multiple ways to set a Smack label on a file:
66 92
67 # attr -S -s SMACK64 -V "value" path 93 # attr -S -s SMACK64 -V "value" path
94 # chsmack -a value path
68 95
69NOTE: Smack labels are limited to 23 characters. The attr command 96A process can see the smack label it is running with by
70 does not enforce this restriction and can be used to set 97reading /proc/self/attr/current. A process with CAP_MAC_ADMIN
71 invalid Smack labels on files. 98can set the process smack by writing there.
72 99
73If you don't do anything special all users will get the floor ("_") 100Most Smack configuration is accomplished by writing to files
74label when they log in. If you do want to log in via the hacked ssh 101in the smackfs filesystem. This pseudo-filesystem is usually
75at other labels use the attr command to set the smack value on the 102mounted on /smack.
76home directory and its contents. 103
104access
105 This interface reports whether a subject with the specified
106 Smack label has a particular access to an object with a
107 specified Smack label. Write a fixed format access rule to
108 this file. The next read will indicate whether the access
109 would be permitted. The text will be either "1" indicating
110 access, or "0" indicating denial.
111access2
112 This interface reports whether a subject with the specified
113 Smack label has a particular access to an object with a
114 specified Smack label. Write a long format access rule to
115 this file. The next read will indicate whether the access
116 would be permitted. The text will be either "1" indicating
117 access, or "0" indicating denial.
118ambient
119 This contains the Smack label applied to unlabeled network
120 packets.
121cipso
122 This interface allows a specific CIPSO header to be assigned
123 to a Smack label. The format accepted on write is:
124 "%24s%4d%4d"["%4d"]...
125 The first string is a fixed Smack label. The first number is
126 the level to use. The second number is the number of categories.
127 The following numbers are the categories.
128 "level-3-cats-5-19 3 2 5 19"
129cipso2
130 This interface allows a specific CIPSO header to be assigned
131 to a Smack label. The format accepted on write is:
132 "%s%4d%4d"["%4d"]...
133 The first string is a long Smack label. The first number is
134 the level to use. The second number is the number of categories.
135 The following numbers are the categories.
136 "level-3-cats-5-19 3 2 5 19"
137direct
138 This contains the CIPSO level used for Smack direct label
139 representation in network packets.
140doi
141 This contains the CIPSO domain of interpretation used in
142 network packets.
143load
144 This interface allows access control rules in addition to
145 the system defined rules to be specified. The format accepted
146 on write is:
147 "%24s%24s%5s"
148 where the first string is the subject label, the second the
149 object label, and the third the requested access. The access
150 string may contain only the characters "rwxat-", and specifies
151 which sort of access is allowed. The "-" is a placeholder for
152 permissions that are not allowed. The string "r-x--" would
153 specify read and execute access. Labels are limited to 23
154 characters in length.
155load2
156 This interface allows access control rules in addition to
157 the system defined rules to be specified. The format accepted
158 on write is:
159 "%s %s %s"
160 where the first string is the subject label, the second the
161 object label, and the third the requested access. The access
162 string may contain only the characters "rwxat-", and specifies
163 which sort of access is allowed. The "-" is a placeholder for
164 permissions that are not allowed. The string "r-x--" would
165 specify read and execute access.
166load-self
167 This interface allows process specific access rules to be
168 defined. These rules are only consulted if access would
169 otherwise be permitted, and are intended to provide additional
170 restrictions on the process. The format is the same as for
171 the load interface.
172load-self2
173 This interface allows process specific access rules to be
174 defined. These rules are only consulted if access would
175 otherwise be permitted, and are intended to provide additional
176 restrictions on the process. The format is the same as for
177 the load2 interface.
178logging
179 This contains the Smack logging state.
180mapped
181 This contains the CIPSO level used for Smack mapped label
182 representation in network packets.
183netlabel
184 This interface allows specific internet addresses to be
185 treated as single label hosts. Packets are sent to single
186 label hosts without CIPSO headers, but only from processes
187 that have Smack write access to the host label. All packets
188 received from single label hosts are given the specified
189 label. The format accepted on write is:
190 "%d.%d.%d.%d label" or "%d.%d.%d.%d/%d label".
191onlycap
192 This contains the label processes must have for CAP_MAC_ADMIN
193 and CAP_MAC_OVERRIDE to be effective. If this file is empty
194 these capabilities are effective at for processes with any
195 label. The value is set by writing the desired label to the
196 file or cleared by writing "-" to the file.
77 197
78You can add access rules in /etc/smack/accesses. They take the form: 198You can add access rules in /etc/smack/accesses. They take the form:
79 199
@@ -83,10 +203,6 @@ access is a combination of the letters rwxa which specify the
83kind of access permitted a subject with subjectlabel on an 203kind of access permitted a subject with subjectlabel on an
84object with objectlabel. If there is no rule no access is allowed. 204object with objectlabel. If there is no rule no access is allowed.
85 205
86A process can see the smack label it is running with by
87reading /proc/self/attr/current. A privileged process can
88set the process smack by writing there.
89
90Look for additional programs on http://schaufler-ca.com 206Look for additional programs on http://schaufler-ca.com
91 207
92From the Smack Whitepaper: 208From the Smack Whitepaper:
@@ -186,7 +302,7 @@ team. Smack labels are unstructured, case sensitive, and the only operation
186ever performed on them is comparison for equality. Smack labels cannot 302ever performed on them is comparison for equality. Smack labels cannot
187contain unprintable characters, the "/" (slash), the "\" (backslash), the "'" 303contain unprintable characters, the "/" (slash), the "\" (backslash), the "'"
188(quote) and '"' (double-quote) characters. 304(quote) and '"' (double-quote) characters.
189Smack labels cannot begin with a '-', which is reserved for special options. 305Smack labels cannot begin with a '-'. This is reserved for special options.
190 306
191There are some predefined labels: 307There are some predefined labels:
192 308
@@ -194,7 +310,7 @@ There are some predefined labels:
194 ^ Pronounced "hat", a single circumflex character. 310 ^ Pronounced "hat", a single circumflex character.
195 * Pronounced "star", a single asterisk character. 311 * Pronounced "star", a single asterisk character.
196 ? Pronounced "huh", a single question mark character. 312 ? Pronounced "huh", a single question mark character.
197 @ Pronounced "Internet", a single at sign character. 313 @ Pronounced "web", a single at sign character.
198 314
199Every task on a Smack system is assigned a label. System tasks, such as 315Every task on a Smack system is assigned a label. System tasks, such as
200init(8) and systems daemons, are run with the floor ("_") label. User tasks 316init(8) and systems daemons, are run with the floor ("_") label. User tasks
@@ -246,13 +362,14 @@ The format of an access rule is:
246 362
247Where subject-label is the Smack label of the task, object-label is the Smack 363Where subject-label is the Smack label of the task, object-label is the Smack
248label of the thing being accessed, and access is a string specifying the sort 364label of the thing being accessed, and access is a string specifying the sort
249of access allowed. The Smack labels are limited to 23 characters. The access 365of access allowed. The access specification is searched for letters that
250specification is searched for letters that describe access modes: 366describe access modes:
251 367
252 a: indicates that append access should be granted. 368 a: indicates that append access should be granted.
253 r: indicates that read access should be granted. 369 r: indicates that read access should be granted.
254 w: indicates that write access should be granted. 370 w: indicates that write access should be granted.
255 x: indicates that execute access should be granted. 371 x: indicates that execute access should be granted.
372 t: indicates that the rule requests transmutation.
256 373
257Uppercase values for the specification letters are allowed as well. 374Uppercase values for the specification letters are allowed as well.
258Access mode specifications can be in any order. Examples of acceptable rules 375Access mode specifications can be in any order. Examples of acceptable rules
@@ -273,7 +390,7 @@ Examples of unacceptable rules are:
273 390
274Spaces are not allowed in labels. Since a subject always has access to files 391Spaces are not allowed in labels. Since a subject always has access to files
275with the same label specifying a rule for that case is pointless. Only 392with the same label specifying a rule for that case is pointless. Only
276valid letters (rwxaRWXA) and the dash ('-') character are allowed in 393valid letters (rwxatRWXAT) and the dash ('-') character are allowed in
277access specifications. The dash is a placeholder, so "a-r" is the same 394access specifications. The dash is a placeholder, so "a-r" is the same
278as "ar". A lone dash is used to specify that no access should be allowed. 395as "ar". A lone dash is used to specify that no access should be allowed.
279 396
@@ -297,6 +414,13 @@ but not any of its attributes by the circumstance of having read access to the
297containing directory but not to the differently labeled file. This is an 414containing directory but not to the differently labeled file. This is an
298artifact of the file name being data in the directory, not a part of the file. 415artifact of the file name being data in the directory, not a part of the file.
299 416
417If a directory is marked as transmuting (SMACK64TRANSMUTE=TRUE) and the
418access rule that allows a process to create an object in that directory
419includes 't' access the label assigned to the new object will be that
420of the directory, not the creating process. This makes it much easier
421for two processes with different labels to share data without granting
422access to all of their files.
423
300IPC objects, message queues, semaphore sets, and memory segments exist in flat 424IPC objects, message queues, semaphore sets, and memory segments exist in flat
301namespaces and access requests are only required to match the object in 425namespaces and access requests are only required to match the object in
302question. 426question.