--- Stephen Smalley <[EMAIL PROTECTED]> wrote:

> On Sat, 2007-07-14 at 14:47 -0700, Casey Schaufler wrote:
> > Smack is the Simplified Mandatory Access Control Kernel.
> > 
> > ...
> > 
> > A file always gets the Smack label of the task that created it.
> > 
> > Smack defines and uses these labels:
> > 
> >     "*" - pronounced "star"
> >     "_" - pronounced "floor"
> >     "^" - pronounced "hat"
> >     "?" - pronounced "huh"
> > 
> > The access rules enforced by Smack are, in order:
> > 
> > 1. Any access requested by a task labeled "*" is denied.
> 
> So why allow "*" to ever be set on a task at all?  Versus just
> prohibiting it up front in setprocattr?

I really want to be sure that files labeled star ("*") don't
happen by accident. Even if I were checking for "*" in setprocattr
(which is not a bad idea) I would still want to do the check here.
 
> Also, how does "*" differ from "-" (dash, not floor).  Your code seems
> to make them identical but your description omitted dash entirely.

At one point during the implementation of smackfs symlinks it
seemed like a good idea. The rationale eludes me at this point,
however, and it's not being used, so dash will likely join some
of my other curious and unnecessary notions in that great never
to be used again tar archive in the sky.


Casey Schaufler
[EMAIL PROTECTED]
-
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
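An added user-space C model (not Casey's patch and not the kernel's Smack code) of the two checks argued over above: the up-front setprocattr rejection of "*", a new file inheriting the label of the task that created it, and rule 1 still enforced in the access decision so that star-labeled subjects are denied even if the setprocattr guard were ever bypassed. The function names, the 24-byte label buffer and the small explicit rule table are constructed for this example; the Smack rules after rule 1 are not on this page, so the permits modeled here (same label, then an explicit rule) are an assumed reduction.

```c
#include <errno.h>
#include <string.h>

#define SMACK_STAR "*"   /* "star": any access requested by such a task is denied */
typedef struct { char label[24]; } smack_label_t;   /* label carried by a task or file */
/* Explicit rule table (constructed): subject label, object label, allowed modes. */
struct rule { const char *subject, *object, *modes; };
static const struct rule rules[] = {
    { "_", "Log", "wa" },   /* floor-labeled tasks may write/append to "Log" objects */
};
/* Model of the up-front setprocattr check: refuse to give a task the "*" label,
 * so no star-labeled file can appear through inheritance at file creation. */
static int model_setprocattr(smack_label_t *task, const char *label)
{
    if (strcmp(label, SMACK_STAR) == 0)
        return -EPERM;
    if (strlen(label) >= sizeof task->label)
        return -EINVAL;
    strcpy(task->label, label);
    return 0;
}
/* A new file gets the Smack label of the task that created it. */
static void model_create_file(const smack_label_t *task, smack_label_t *file)
{
    strcpy(file->label, task->label);
}
/* Returns 1 if a file created by a task labeled task_label ends up labeled want. */
static int model_created_label_is(const char *task_label, const char *want)
{
    smack_label_t task, file;
    if (model_setprocattr(&task, task_label) != 0)
        return 0;
    model_create_file(&task, &file);
    return strcmp(file.label, want) == 0;
}

/* Access decision, rule 1 first: a "*" subject is denied before any permit is
 * considered. Same label, then the explicit rule table, is an assumed reduction. */
static int model_access(const char *subject, const char *object, char mode)
{
    if (strcmp(subject, SMACK_STAR) == 0)
        return -EACCES;
    if (strcmp(subject, object) == 0)
        return 0;
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (!strcmp(rules[i].subject, subject) && !strcmp(rules[i].object, object)
            && strchr(rules[i].modes, mode))
            return 0;
    return -EACCES;
}
```

Note that `model_access("*", "*", 'r')` is denied although subject and object carry the same label, because rule 1 is evaluated before the same-label permit.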