1 files changed, 37 insertions, 5 deletions
diff --git a/Documentation/Smack.txt b/Documentation/Smack.txt
index 989c2fcd8111..629c92e99783 100644
--- a/Documentation/Smack.txt
+++ b/Documentation/Smack.txt
@@ -184,14 +184,16 @@ length. Single character labels using special characters, that being anything
 other than a letter or digit, are reserved for use by the Smack development
 team. Smack labels are unstructured, case sensitive, and the only operation
 ever performed on them is comparison for equality. Smack labels cannot
-contain unprintable characters or the "/" (slash) character.
+contain unprintable characters or the "/" (slash) character. Smack labels
+cannot begin with a '-', which is reserved for special options.
 There are some predefined labels:
-        _ Pronounced "floor", a single underscore character.
+        _       Pronounced "floor", a single underscore character.
-        ^ Pronounced "hat", a single circumflex character.
+        ^       Pronounced "hat", a single circumflex character.
-        * Pronounced "star", a single asterisk character.
+        *       Pronounced "star", a single asterisk character.
-        ? Pronounced "huh", a single question mark character.
+        ?       Pronounced "huh", a single question mark character.
+        @       Pronounced "Internet", a single at sign character.
 Every task on a Smack system is assigned a label. System tasks, such as
 init(8) and systems daemons, are run with the floor ("_") label. User tasks
@@ -412,6 +414,36 @@ sockets.
        A privileged program may set this to match the label of another
        task with which it hopes to communicate.
+Smack Netlabel Exceptions
+You will often find that your labeled application has to talk to the outside,
+unlabeled world. To do this there's a special file /smack/netlabel where you can
+add some exceptions in the form of :
+@IP1       LABEL1 or
+@IP2/MASK  LABEL2
+It means that your application will have unlabeled access to @IP1 if it has
+write access on LABEL1, and access to the subnet @IP2/MASK if it has write
+access on LABEL2.
+Entries in the /smack/netlabel file are matched by longest mask first, like in
+classless IPv4 routing.
+A special label '@' and an option '-CIPSO' can be used there :
+@      means Internet, any application with any label has access to it
+-CIPSO means standard CIPSO networking
+If you don't know what CIPSO is and don't plan to use it, you can just do :
+echo 127.0.0.1 -CIPSO > /smack/netlabel
+echo 0.0.0.0/0 @      > /smack/netlabel
+If you use CIPSO on your 192.168.0.0/16 local network and need also unlabeled
+Internet access, you can have :
+echo 127.0.0.1      -CIPSO > /smack/netlabel
+echo 192.168.0.0/16 -CIPSO > /smack/netlabel
+echo 0.0.0.0/0      @      > /smack/netlabel
 Writing Applications for Smack
 There are three sorts of applications that will run on a Smack system. How an

diff --git a/Documentation/Smack.txt b/Documentation/Smack.txt index 989c2fcd8111..629c92e99783 100644 --- a/Documentation/Smack.txt +++ b/Documentation/Smack.txt
@@ -184,14 +184,16 @@ length. Single character labels using special characters, that being anything
184	other than a letter or digit, are reserved for use by the Smack development	184	other than a letter or digit, are reserved for use by the Smack development
185	team. Smack labels are unstructured, case sensitive, and the only operation	185	team. Smack labels are unstructured, case sensitive, and the only operation
186	ever performed on them is comparison for equality. Smack labels cannot	186	ever performed on them is comparison for equality. Smack labels cannot
187	contain unprintable characters or the "/" (slash) character.	187	contain unprintable characters or the "/" (slash) character. Smack labels
		188	cannot begin with a '-', which is reserved for special options.
188		189
189	There are some predefined labels:	190	There are some predefined labels:
190		191
191	_ Pronounced "floor", a single underscore character.	192	_ Pronounced "floor", a single underscore character.
192	^ Pronounced "hat", a single circumflex character.	193	^ Pronounced "hat", a single circumflex character.
193	* Pronounced "star", a single asterisk character.	194	* Pronounced "star", a single asterisk character.
194	? Pronounced "huh", a single question mark character.	195	? Pronounced "huh", a single question mark character.
		196	@ Pronounced "Internet", a single at sign character.
195		197
196	Every task on a Smack system is assigned a label. System tasks, such as	198	Every task on a Smack system is assigned a label. System tasks, such as
197	init(8) and systems daemons, are run with the floor ("_") label. User tasks	199	init(8) and systems daemons, are run with the floor ("_") label. User tasks
@@ -412,6 +414,36 @@ sockets.
412	A privileged program may set this to match the label of another	414	A privileged program may set this to match the label of another
413	task with which it hopes to communicate.	415	task with which it hopes to communicate.
414		416
		417	Smack Netlabel Exceptions
		418
		419	You will often find that your labeled application has to talk to the outside,
		420	unlabeled world. To do this there's a special file /smack/netlabel where you can
		421	add some exceptions in the form of :
		422	@IP1 LABEL1 or
		423	@IP2/MASK LABEL2
		424
		425	It means that your application will have unlabeled access to @IP1 if it has
		426	write access on LABEL1, and access to the subnet @IP2/MASK if it has write
		427	access on LABEL2.
		428
		429	Entries in the /smack/netlabel file are matched by longest mask first, like in
		430	classless IPv4 routing.
		431
		432	A special label '@' and an option '-CIPSO' can be used there :
		433	@ means Internet, any application with any label has access to it
		434	-CIPSO means standard CIPSO networking
		435
		436	If you don't know what CIPSO is and don't plan to use it, you can just do :
		437	echo 127.0.0.1 -CIPSO > /smack/netlabel
		438	echo 0.0.0.0/0 @ > /smack/netlabel
		439
		440	If you use CIPSO on your 192.168.0.0/16 local network and need also unlabeled
		441	Internet access, you can have :
		442	echo 127.0.0.1 -CIPSO > /smack/netlabel
		443	echo 192.168.0.0/16 -CIPSO > /smack/netlabel
		444	echo 0.0.0.0/0 @ > /smack/netlabel
		445
		446
415	Writing Applications for Smack	447	Writing Applications for Smack
416		448
417	There are three sorts of applications that will run on a Smack system. How an	449	There are three sorts of applications that will run on a Smack system. How an