Re: [PATCH 13/17] doc: ReSTify Smack.txt
On 5/13/2017 4:51 AM, Kees Cook wrote: > Adjusts for ReST markup and moves under LSM admin guide. > > Cc: Casey Schaufler> Signed-off-by: Kees Cook Acked-by: Casey Schaufler Thank you. > --- > .../Smack.txt => admin-guide/LSM/Smack.rst}| 273 > ++--- > Documentation/admin-guide/LSM/index.rst| 1 + > Documentation/security/00-INDEX| 2 - > MAINTAINERS| 2 +- > 4 files changed, 191 insertions(+), 87 deletions(-) > rename Documentation/{security/Smack.txt => admin-guide/LSM/Smack.rst} (85%) > > diff --git a/Documentation/security/Smack.txt > b/Documentation/admin-guide/LSM/Smack.rst > similarity index 85% > rename from Documentation/security/Smack.txt > rename to Documentation/admin-guide/LSM/Smack.rst > index 945cc633d883..6a5826a13aea 100644 > --- a/Documentation/security/Smack.txt > +++ b/Documentation/admin-guide/LSM/Smack.rst > @@ -1,3 +1,6 @@ > += > +Smack > += > > > "Good for you, you've decided to clean the elevator!" > @@ -14,6 +17,7 @@ available to determine which is best suited to the problem > at hand. > > Smack consists of three major components: > + > - The kernel > - Basic utilities, which are helpful but not required > - Configuration data 
> @@ -39,16 +43,24 @@ The current git repository for Smack user space is: > This should make and install on most modern distributions. > There are five commands included in smackutil: > > -chsmack- display or set Smack extended attribute values > -smackctl - load the Smack access rules > -smackaccess - report if a process with one label has access > - to an object with another > +chsmack: > + display or set Smack extended attribute values > + > +smackctl: > + load the Smack access rules > + > +smackaccess: > + report if a process with one label has access > + to an object with another > > These two commands are obsolete with the introduction of > the smackfs/load2 and smackfs/cipso2 interfaces. > > -smackload - properly formats data for writing to smackfs/load > -smackcipso - properly formats data for writing to smackfs/cipso > +smackload: > + properly formats data for writing to smackfs/load > + > +smackcipso: > + properly formats data for writing to smackfs/cipso > > In keeping with the intent of Smack, configuration data is > minimal and not strictly required. The most important > @@ -56,15 +68,15 @@ configuration step is mounting the smackfs pseudo > filesystem. > If smackutil is installed the startup script will take care > of this, but it can be manually as well. > > -Add this line to /etc/fstab: > +Add this line to ``/etc/fstab``:: > > smackfs /sys/fs/smackfs smackfs defaults 0 0 > > -The /sys/fs/smackfs directory is created by the kernel. > +The ``/sys/fs/smackfs`` directory is created by the kernel. > > Smack uses extended attributes (xattrs) to store labels on filesystem > objects. The attributes are stored in the extended attribute security > -name space. A process must have CAP_MAC_ADMIN to change any of these > +name space. A process must have ``CAP_MAC_ADMIN`` to change any of these > attributes. > > The extended attributes that Smack uses are: 
> @@ -73,14 +85,17 @@ SMACK64 > Used to make access control decisions. In almost all cases > the label given to a new filesystem object will be the label > of the process that created it. > + > SMACK64EXEC > The Smack label of a process that execs a program file with > this attribute set will run with this attribute's value. > + > SMACK64MMAP > Don't allow the file to be mmapped by a process whose Smack > label does not allow all of the access permitted to a process > with the label contained in this attribute. This is a very > specific use case for shared libraries. > + > SMACK64TRANSMUTE > Can only have the value "TRUE". If this attribute is present > on a directory when an object is created in the directory and > @@ -89,27 +104,29 @@ SMACK64TRANSMUTE > gets the label of the directory instead of the label of the > creating process. If the object being created is a directory > the SMACK64TRANSMUTE attribute is set as well. > + > SMACK64IPIN > This attribute is only available on file descriptors for sockets. > Use the Smack label in this attribute for access control > decisions on packets being delivered to this socket. > + > SMACK64IPOUT > This attribute is only available on file descriptors for sockets. > Use the Smack label in this attribute for access control > decisions on packets coming from this socket. > > -There are multiple ways to set a Smack label on a file: > +There are multiple ways to set a Smack label on a file:: > > # attr -S -s SMACK64 -V "value" path > #
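Review bot: the title adornment in the first hunk (`@@ -1,3 +1,6 @@`) shows up here as a bare `+=` above and below `+Smack`; reStructuredText requires a section overline/underline to be at least as long as the title text, so if the line really is a single `=` Sphinx will warn about a too-short title overline and will not treat `Smack` as the document title. Worth confirming the adornment is at least five `=` characters in the committed file.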
[PATCH 13/17] doc: ReSTify Smack.txt
Adjusts for ReST markup and moves under LSM admin guide. Cc: Casey SchauflerSigned-off-by: Kees Cook --- .../Smack.txt => admin-guide/LSM/Smack.rst}| 273 ++--- Documentation/admin-guide/LSM/index.rst| 1 + Documentation/security/00-INDEX| 2 - MAINTAINERS| 2 +- 4 files changed, 191 insertions(+), 87 deletions(-) rename Documentation/{security/Smack.txt => admin-guide/LSM/Smack.rst} (85%) diff --git a/Documentation/security/Smack.txt b/Documentation/admin-guide/LSM/Smack.rst similarity index 85% rename from Documentation/security/Smack.txt rename to Documentation/admin-guide/LSM/Smack.rst index 945cc633d883..6a5826a13aea 100644 --- a/Documentation/security/Smack.txt +++ b/Documentation/admin-guide/LSM/Smack.rst @@ -1,3 +1,6 @@ += +Smack += "Good for you, you've decided to clean the elevator!" @@ -14,6 +17,7 @@ available to determine which is best suited to the problem at hand. Smack consists of three major components: + - The kernel - Basic utilities, which are helpful but not required - Configuration data 
@@ -39,16 +43,24 @@ The current git repository for Smack user space is: This should make and install on most modern distributions. There are five commands included in smackutil: -chsmack- display or set Smack extended attribute values -smackctl - load the Smack access rules -smackaccess - report if a process with one label has access - to an object with another +chsmack: + display or set Smack extended attribute values + +smackctl: + load the Smack access rules + +smackaccess: + report if a process with one label has access + to an object with another These two commands are obsolete with the introduction of the smackfs/load2 and smackfs/cipso2 interfaces. -smackload - properly formats data for writing to smackfs/load -smackcipso - properly formats data for writing to smackfs/cipso +smackload: + properly formats data for writing to smackfs/load + +smackcipso: + properly formats data for writing to smackfs/cipso In keeping with the intent of Smack, configuration data is minimal and not strictly required. The most important @@ -56,15 +68,15 @@ configuration step is mounting the smackfs pseudo filesystem. If smackutil is installed the startup script will take care of this, but it can be manually as well. -Add this line to /etc/fstab: +Add this line to ``/etc/fstab``:: smackfs /sys/fs/smackfs smackfs defaults 0 0 -The /sys/fs/smackfs directory is created by the kernel. +The ``/sys/fs/smackfs`` directory is created by the kernel. Smack uses extended attributes (xattrs) to store labels on filesystem objects. The attributes are stored in the extended attribute security -name space. A process must have CAP_MAC_ADMIN to change any of these +name space. A process must have ``CAP_MAC_ADMIN`` to change any of these attributes. The extended attributes that Smack uses are: 
@@ -73,14 +85,17 @@ SMACK64 Used to make access control decisions. In almost all cases the label given to a new filesystem object will be the label of the process that created it. + SMACK64EXEC The Smack label of a process that execs a program file with this attribute set will run with this attribute's value. + SMACK64MMAP Don't allow the file to be mmapped by a process whose Smack label does not allow all of the access permitted to a process with the label contained in this attribute. This is a very specific use case for shared libraries. + SMACK64TRANSMUTE Can only have the value "TRUE". If this attribute is present on a directory when an object is created in the directory and @@ -89,27 +104,29 @@ SMACK64TRANSMUTE gets the label of the directory instead of the label of the creating process. If the object being created is a directory the SMACK64TRANSMUTE attribute is set as well. + SMACK64IPIN This attribute is only available on file descriptors for sockets. Use the Smack label in this attribute for access control decisions on packets being delivered to this socket. + SMACK64IPOUT This attribute is only available on file descriptors for sockets. Use the Smack label in this attribute for access control decisions on packets coming from this socket. -There are multiple ways to set a Smack label on a file: +There are multiple ways to set a Smack label on a file:: # attr -S -s SMACK64 -V "value" path # chsmack -a value path A process can see the Smack label it is running with by -reading /proc/self/attr/current. A process with CAP_MAC_ADMIN +reading ``/proc/self/attr/current``. A process with ``CAP_MAC_ADMIN`` can set the process Smack by writing there. Most Smack configuration is
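Review bot: in the smackutil hunk (`@@ -39,16 +43,24 @@`) the new terms carry a trailing colon (`+chsmack:`, `+smackctl:`, `+smackaccess:`); in a reStructuredText definition list the term is the unindented line and the indented block under it is the definition, so the colon is not markup and will render as part of the command name. Dropping it, or switching to a field list if the colon is wanted, keeps the rendered output consistent with the `SMACK64` / `SMACK64EXEC` definition list later in the same file, whose terms have no colon. The interface names `smackfs/load2` and `smackfs/cipso2` in the unchanged context of that hunk could also take double backticks for consistency with the ``/etc/fstab`` and ``CAP_MAC_ADMIN`` markup added in the next hunk.

Review bot: the two literal blocks introduced with `::` (`+Add this line to ``/etc/fstab``::` in `@@ -56,15 +68,15 @@` and `+There are multiple ways to set a Smack label on a file::` in `@@ -89,27 +104,29 @@`) only render as literal blocks if the lines that follow (`smackfs /sys/fs/smackfs smackfs defaults 0 0`, `# attr -S -s SMACK64 -V "value" path`, `# chsmack -a value path`) are indented relative to the paragraph; the flattened rendering here does not show that indentation, so it is worth confirming, otherwise Sphinx reports an empty literal block and the commands render as ordinary prose. While touching that paragraph, the context line `of this, but it can be manually as well.` is missing a word (`can be done manually`), which would be a reasonable fix to fold into the re-markup.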