Date: Sun, 12 Aug 2007 13:45:18 +1000
From: Keith Owens <kaos@....com.au>
To: casey@...aufler-ca.com
cc: linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org, akpm@...l.org, torvalds@...l.org
Subject: Re: [PATCH] Smack: Simplified Mandatory Access Control Kernel

Casey Schaufler (on Sat, 11 Aug 2007 10:57:31 -0700) wrote:
>Smack is the Simplified Mandatory Access Control Kernel.
>
> [snip]
>
>Smack defines and uses these labels:
>
>  "*" - pronounced "star"
>  "_" - pronounced "floor"
>  "^" - pronounced "hat"
>  "?" - pronounced "huh"
>
>The access rules enforced by Smack are, in order:
>
>1. Any access requested by a task labeled "*" is denied.
>2. A read or execute access requested by a task labeled "^"
>   is permitted.
>3. A read or execute access requested on an object labeled "_"
>   is permitted.
>4. Any access requested on an object labeled "*" is permitted.
>5. Any access requested by a task on an object with the same
>   label is permitted.
>6. Any access requested that is explicitly defined in the loaded
>   rule set is permitted.
>7. Any other access is denied.

Some security systems that have the concept of "no default access" (task labeled "*") also allow access by those tasks, but only if there is an explicit rule giving access to the task. IOW, rule 6 is applied before rule 1. In my experience this simplifies special cases where a task should only have access to a very small set of resources. I'm curious why Smack goes the other way?
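The seven ordered rules quoted above, and the alternative ordering Keith asks about (the explicit rule set consulted before the "*"-task denial), as an added userspace model in C. This is illustrative code, not Smack's kernel implementation: access is modelled as a read/write/execute bitmask, and the labels "Mail", "Spool" and "Other" and the two-entry rule set are constructed for the example.

```c
/* Added example: model of the ordered Smack access rules quoted in the
 * thread, plus the "rule 6 before rule 1" ordering Keith describes.
 * Not Smack's own code; labels and rule set are constructed here. */
#include <stdio.h>
#include <string.h>

#define MAY_READ  0x1
#define MAY_WRITE 0x2
#define MAY_EXEC  0x4

struct rule {
    const char *subject;   /* task label */
    const char *object;    /* object label */
    int access;            /* bitmask of MAY_* granted */
};

/* Constructed rule set for the example (hypothetical labels). */
static const struct rule rules[] = {
    { "Mail", "Spool", MAY_READ | MAY_WRITE },
    { "*",    "Spool", MAY_READ },   /* only ever matters if rule 6 precedes rule 1 */
};
#define NRULES (sizeof(rules) / sizeof(rules[0]))

/* Rule 6: does the loaded rule set explicitly grant every requested bit? */
static int explicit_rule_permits(const char *subj, const char *obj, int req)
{
    for (size_t i = 0; i < NRULES; i++)
        if (!strcmp(rules[i].subject, subj) && !strcmp(rules[i].object, obj))
            return (rules[i].access & req) == req;
    return 0;
}

/* True when the request asks for nothing beyond read and/or execute. */
static int read_or_exec_only(int req)
{
    return req != 0 && (req & ~(MAY_READ | MAY_EXEC)) == 0;
}

/* Rules 1..7 in the order quoted: 1 = permitted, 0 = denied. */
int smack_access(const char *subj, const char *obj, int req)
{
    if (!strcmp(subj, "*"))                         /* rule 1 */
        return 0;
    if (!strcmp(subj, "^") && read_or_exec_only(req)) /* rule 2 */
        return 1;
    if (!strcmp(obj, "_") && read_or_exec_only(req))  /* rule 3 */
        return 1;
    if (!strcmp(obj, "*"))                          /* rule 4 */
        return 1;
    if (!strcmp(subj, obj))                         /* rule 5 */
        return 1;
    if (explicit_rule_permits(subj, obj, req))      /* rule 6 */
        return 1;
    return 0;                                       /* rule 7 */
}

/* Keith's alternative: consult the rule set first, so a "*" task can be
 * granted access to exactly the objects it has explicit rules for. */
int alt_access(const char *subj, const char *obj, int req)
{
    if (explicit_rule_permits(subj, obj, req))      /* rule 6 first */
        return 1;
    return smack_access(subj, obj, req);            /* then rules 1..7 */
}

int main(void)
{
    static const struct { const char *s, *o; int req; } cases[] = {
        { "*",    "Spool", MAY_READ },
        { "*",    "Spool", MAY_WRITE },
        { "^",    "Spool", MAY_READ },
        { "^",    "Spool", MAY_WRITE },
        { "Mail", "_",     MAY_EXEC },
        { "Mail", "_",     MAY_WRITE },
        { "Mail", "*",     MAY_WRITE },
        { "Mail", "Mail",  MAY_WRITE },
        { "Mail", "Spool", MAY_READ | MAY_WRITE },
        { "Mail", "Other", MAY_READ },
    };
    printf("%-6s %-6s %-4s %-6s %s\n", "subj", "obj", "req", "smack", "alt");
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-6s %-6s 0x%-2x %-6d %d\n", cases[i].s, cases[i].o, cases[i].req,
               smack_access(cases[i].s, cases[i].o, cases[i].req),
               alt_access(cases[i].s, cases[i].o, cases[i].req));
    return 0;
}
```

The two functions differ only on a "*"-labelled task: under the quoted ordering it is denied everything regardless of the rule set, under the alternative it gets exactly what the rule set grants (read on "Spool" here) and nothing else.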