Re: [PATCH 13/17] doc: ReSTify Smack.txt

2017-05-15 Thread Casey Schaufler
On 5/13/2017 4:51 AM, Kees Cook wrote:
> Adjusts for ReST markup and moves under LSM admin guide.
>
> Cc: Casey Schaufler 
> Signed-off-by: Kees Cook 

Acked-by: Casey Schaufler 

Thank you.

> ---
>  .../Smack.txt => admin-guide/LSM/Smack.rst}| 273 ++---
>  Documentation/admin-guide/LSM/index.rst|   1 +
>  Documentation/security/00-INDEX|   2 -
>  MAINTAINERS|   2 +-
>  4 files changed, 191 insertions(+), 87 deletions(-)
>  rename Documentation/{security/Smack.txt => admin-guide/LSM/Smack.rst} (85%)
>
> diff --git a/Documentation/security/Smack.txt 
> b/Documentation/admin-guide/LSM/Smack.rst
> similarity index 85%
> rename from Documentation/security/Smack.txt
> rename to Documentation/admin-guide/LSM/Smack.rst
> index 945cc633d883..6a5826a13aea 100644
> --- a/Documentation/security/Smack.txt
> +++ b/Documentation/admin-guide/LSM/Smack.rst
> @@ -1,3 +1,6 @@
> +=
> +Smack
> +=
>  
>  
>  "Good for you, you've decided to clean the elevator!"
> @@ -14,6 +17,7 @@ available to determine which is best suited to the problem
>  at hand.
>  
>  Smack consists of three major components:
> +
>  - The kernel
>  - Basic utilities, which are helpful but not required
>  - Configuration data
> @@ -39,16 +43,24 @@ The current git repository for Smack user space is:
>  This should make and install on most modern distributions.
>  There are five commands included in smackutil:
>  
> -chsmack- display or set Smack extended attribute values
> -smackctl   - load the Smack access rules
> -smackaccess - report if a process with one label has access
> -  to an object with another
> +chsmack:
> + display or set Smack extended attribute values
> +
> +smackctl:
> + load the Smack access rules
> +
> +smackaccess:
> + report if a process with one label has access
> + to an object with another
>  
>  These two commands are obsolete with the introduction of
>  the smackfs/load2 and smackfs/cipso2 interfaces.
>  
> -smackload  - properly formats data for writing to smackfs/load
> -smackcipso - properly formats data for writing to smackfs/cipso
> +smackload:
> + properly formats data for writing to smackfs/load
> +
> +smackcipso:
> + properly formats data for writing to smackfs/cipso
>  
>  In keeping with the intent of Smack, configuration data is
>  minimal and not strictly required. The most important
> @@ -56,15 +68,15 @@ configuration step is mounting the smackfs pseudo 
> filesystem.
>  If smackutil is installed the startup script will take care
>  of this, but it can be manually as well.
>  
> -Add this line to /etc/fstab:
> +Add this line to ``/etc/fstab``::
>  
>  smackfs /sys/fs/smackfs smackfs defaults 0 0
>  
> -The /sys/fs/smackfs directory is created by the kernel.
> +The ``/sys/fs/smackfs`` directory is created by the kernel.
>  
>  Smack uses extended attributes (xattrs) to store labels on filesystem
>  objects. The attributes are stored in the extended attribute security
> -name space. A process must have CAP_MAC_ADMIN to change any of these
> +name space. A process must have ``CAP_MAC_ADMIN`` to change any of these
>  attributes.
>  
>  The extended attributes that Smack uses are:
> @@ -73,14 +85,17 @@ SMACK64
>   Used to make access control decisions. In almost all cases
>   the label given to a new filesystem object will be the label
>   of the process that created it.
> +
>  SMACK64EXEC
>   The Smack label of a process that execs a program file with
>   this attribute set will run with this attribute's value.
> +
>  SMACK64MMAP
>   Don't allow the file to be mmapped by a process whose Smack
>   label does not allow all of the access permitted to a process
>   with the label contained in this attribute. This is a very
>   specific use case for shared libraries.
> +
>  SMACK64TRANSMUTE
>   Can only have the value "TRUE". If this attribute is present
>   on a directory when an object is created in the directory and
> @@ -89,27 +104,29 @@ SMACK64TRANSMUTE
>   gets the label of the directory instead of the label of the
>   creating process. If the object being created is a directory
>   the SMACK64TRANSMUTE attribute is set as well.
> +
>  SMACK64IPIN
>   This attribute is only available on file descriptors for sockets.
>   Use the Smack label in this attribute for access control
>   decisions on packets being delivered to this socket.
> +
>  SMACK64IPOUT
>   This attribute is only available on file descriptors for sockets.
>   Use the Smack label in this attribute for access control
>   decisions on packets coming from this socket.
>  
> -There are multiple ways to set a Smack label on a file:
> +There are multiple ways to set a Smack label on a file::
>  
>  # attr -S -s SMACK64 -V "value" path
>  # 

[PATCH 13/17] doc: ReSTify Smack.txt

2017-05-13 Thread Kees Cook
Adjusts for ReST markup and moves under LSM admin guide.

Cc: Casey Schaufler 
Signed-off-by: Kees Cook 
---
 .../Smack.txt => admin-guide/LSM/Smack.rst}| 273 ++---
 Documentation/admin-guide/LSM/index.rst|   1 +
 Documentation/security/00-INDEX|   2 -
 MAINTAINERS|   2 +-
 4 files changed, 191 insertions(+), 87 deletions(-)
 rename Documentation/{security/Smack.txt => admin-guide/LSM/Smack.rst} (85%)

diff --git a/Documentation/security/Smack.txt 
b/Documentation/admin-guide/LSM/Smack.rst
similarity index 85%
rename from Documentation/security/Smack.txt
rename to Documentation/admin-guide/LSM/Smack.rst
index 945cc633d883..6a5826a13aea 100644
--- a/Documentation/security/Smack.txt
+++ b/Documentation/admin-guide/LSM/Smack.rst
@@ -1,3 +1,6 @@
+=
+Smack
+=
 
 
 "Good for you, you've decided to clean the elevator!"
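Review bot: the title overline and underline added at the top of this hunk appear as a single `=` each, which is shorter than the title text `Smack`; docutils requires a section overline/underline to be at least as long as the title and otherwise reports "Title overline too short" when the admin guide is built. If the mail archive has collapsed a run of `=` into one character this is moot; otherwise extend both lines to at least the width of `Smack`.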
@@ -14,6 +17,7 @@ available to determine which is best suited to the problem
 at hand.
 
 Smack consists of three major components:
+
 - The kernel
 - Basic utilities, which are helpful but not required
 - Configuration data
@@ -39,16 +43,24 @@ The current git repository for Smack user space is:
 This should make and install on most modern distributions.
 There are five commands included in smackutil:
 
-chsmack- display or set Smack extended attribute values
-smackctl   - load the Smack access rules
-smackaccess - report if a process with one label has access
-  to an object with another
+chsmack:
+   display or set Smack extended attribute values
+
+smackctl:
+   load the Smack access rules
+
+smackaccess:
+   report if a process with one label has access
+   to an object with another
 
 These two commands are obsolete with the introduction of
 the smackfs/load2 and smackfs/cipso2 interfaces.
 
-smackload  - properly formats data for writing to smackfs/load
-smackcipso - properly formats data for writing to smackfs/cipso
+smackload:
+   properly formats data for writing to smackfs/load
+
+smackcipso:
+   properly formats data for writing to smackfs/cipso
 
 In keeping with the intent of Smack, configuration data is
 minimal and not strictly required. The most important
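Review bot: the new definition-list terms in this hunk keep a trailing colon (`chsmack:`, `smackctl:`, `smackaccess:`), which ReST renders as part of the term, whereas the attribute list later in the same file (`SMACK64`, `SMACK64EXEC`, ...) uses bare terms; drop the colons, or mark the commands as ``chsmack`` inline literals, so the two lists render alike. Separately, the context sentence "These two commands are obsolete with the introduction of the smackfs/load2 and smackfs/cipso2 interfaces." now sits between two lists and reads as referring to the three commands above it rather than the two below; "The following two commands are obsolete" would remove the ambiguity, and `smackfs/load2` / `smackfs/cipso2` could take the same ``...`` markup this patch applies to ``/sys/fs/smackfs``.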
@@ -56,15 +68,15 @@ configuration step is mounting the smackfs pseudo 
filesystem.
 If smackutil is installed the startup script will take care
 of this, but it can be manually as well.
 
-Add this line to /etc/fstab:
+Add this line to ``/etc/fstab``::
 
 smackfs /sys/fs/smackfs smackfs defaults 0 0
 
-The /sys/fs/smackfs directory is created by the kernel.
+The ``/sys/fs/smackfs`` directory is created by the kernel.
 
 Smack uses extended attributes (xattrs) to store labels on filesystem
 objects. The attributes are stored in the extended attribute security
-name space. A process must have CAP_MAC_ADMIN to change any of these
+name space. A process must have ``CAP_MAC_ADMIN`` to change any of these
 attributes.
 
 The extended attributes that Smack uses are:
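Review bot: the context line "of this, but it can be manually as well." is missing its verb ("can be done manually"); since the neighbouring lines are being reworked, fix it in this patch rather than leaving the typo in the new admin guide. Also, the `::` added after ``/etc/fstab`` turns the following line `smackfs /sys/fs/smackfs smackfs defaults 0 0` into a literal block, which docutils only recognises if that line is indented relative to the paragraph; as rendered here it appears flush left, so confirm the indentation is present in the file, or the build will warn "Literal block expected; none found" and the fstab entry will render as ordinary prose.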
@@ -73,14 +85,17 @@ SMACK64
Used to make access control decisions. In almost all cases
the label given to a new filesystem object will be the label
of the process that created it.
+
 SMACK64EXEC
The Smack label of a process that execs a program file with
this attribute set will run with this attribute's value.
+
 SMACK64MMAP
Don't allow the file to be mmapped by a process whose Smack
label does not allow all of the access permitted to a process
with the label contained in this attribute. This is a very
specific use case for shared libraries.
+
 SMACK64TRANSMUTE
Can only have the value "TRUE". If this attribute is present
on a directory when an object is created in the directory and
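Review bot: the blank lines inserted between the SMACK64* definition-list items are harmless (docutils accepts items with or without separating blank lines), but while this list is being touched the literal value in the SMACK64TRANSMUTE entry, `Can only have the value "TRUE".`, would be better written as ``TRUE`` to match the inline-literal markup the rest of the patch introduces for ``CAP_MAC_ADMIN`` and the smackfs paths.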
@@ -89,27 +104,29 @@ SMACK64TRANSMUTE
gets the label of the directory instead of the label of the
creating process. If the object being created is a directory
the SMACK64TRANSMUTE attribute is set as well.
+
 SMACK64IPIN
This attribute is only available on file descriptors for sockets.
Use the Smack label in this attribute for access control
decisions on packets being delivered to this socket.
+
 SMACK64IPOUT
This attribute is only available on file descriptors for sockets.
Use the Smack label in this attribute for access control
decisions on packets coming from this socket.
 
-There are multiple ways to set a Smack label on a file:
+There are multiple ways to set a Smack label on a file::
 
 # attr -S -s SMACK64 -V "value" path
 # chsmack -a value path
 
 A process can see the Smack label it is running with by
-reading /proc/self/attr/current. A process with CAP_MAC_ADMIN
+reading ``/proc/self/attr/current``. A process with ``CAP_MAC_ADMIN``
 can set the process Smack by writing there.
 
 Most Smack configuration is
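Review bot: the attribute names used in running text in this hunk (`the SMACK64TRANSMUTE attribute is set as well`, and `SMACK64` in the `attr -S -s SMACK64 -V "value" path` command) are left bare while ``CAP_MAC_ADMIN`` and ``/proc/self/attr/current`` on the same lines get ``...`` markup; apply the same inline-literal style to the attribute names for consistency. The two command lines under "There are multiple ways to set a Smack label on a file::" carry the same caveat as the fstab entry above: they must be indented to form the literal block the new `::` announces, and as shown here they appear flush left.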