Message-ID: <4733E68C.1040307@schaufler-ca.com>
Date: Thu, 08 Nov 2007 20:48:12 -0800
From: Casey Schaufler <casey@...aufler-ca.com>
To: akpm@...l.org, torvalds@...l.org
Cc: linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org, method@...icmethod.com
Subject: [PATCH 0/2] Version 11 (2.6.24-rc2) Smack: Simplified Mandatory Access
Control Kernel
This is version 11 of the Simplified Mandatory Access Control Kernel.

The whole thing is available on the Smack home page at
http://schaufler-ca.com

The attachments to this message are not kernel code.
They are early versions of the smackload and smackcipso
programs, and are included in the hope that doing so
may reduce (I certainly wouldn't count on it eliminating)
whinging about the revised versions of smack_write_load()
and smack_write_cipso().

The /smack/load and /smack/cipso special files are a minor
component of Smack, and much too much energy has gone into
them, and I would much prefer that people who don't like
Smack crux about things that are important rather than the
details and moral implications of parsers in kernel code.

Writes to /smack/load are now required to have this format:

    SubjectLabel            ObjectLabel             Mode[decorations]
    |       24 bytes       ||       24 bytes       ||4 ||undefined  |

A write to /smack/load must be 52 or more bytes in length.
The 4 mode bytes must be of the form [rR-][wW-][xX-][aA-],
in that order. The regular rules enforced by smack_import()
apply to the strings at offset 0 and offset 24.

Writes to /smack/cipso are now required to have this format:

    LabelMapped             Level CatCount [cat]...
    |       24 bytes       || 4 || 4     | |4|

A write to /smack/cipso must be at least 32 bytes long,
and also must be 32 + (4 * CatCount) bytes long. If there
are no categories CatCount must be "0 ". The label is
read using smack_import(). All other values are left
justified ("2 ", not " 2") integers in 4 bytes.

Since these formats are so fussy I have provided programs
that take care of that. They are still human readable text,
but no longer require parsing in the kernel. It is my sincere
hope that we can put the brouhaha about parsing to bed.

Two patches here. Paul Moore's netlabel api patch has been updated
due to unrelated changes in that code.
View attachment "smackload.c" of type "text/plain" (1646 bytes)
View attachment "smackcipso.c" of type "text/plain" (2217 bytes)
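
The two fixed-width record layouts described in the message, as an added example; this is not part of the original message and is not the attached smackload.c or smackcipso.c. The function names, the use of spaces to pad label fields, and the 0 to 9999 range for integers are assumptions, and the label rules of smack_import() are not re-checked here.

```c
#include <stdio.h>
#include <string.h>

#define LABEL_LEN 24   /* label field width stated in the message */

/* Left-justify s in a fixed-width field; space padding is an assumption. */
static int put_field(char *dst, size_t width, const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > width)
        return -1;
    memset(dst, ' ', width);
    memcpy(dst, s, n);
    return 0;
}

/* Mode must be exactly four bytes: [rR-][wW-][xX-][aA-], in that order. */
static int mode_ok(const char *m)
{
    static const char *allowed[4] = { "rR-", "wW-", "xX-", "aA-" };
    for (int i = 0; i < 4; i++)
        if (m[i] == '\0' || !strchr(allowed[i], m[i]))
            return 0;
    return m[4] == '\0';
}

/* /smack/load record: returns 52, or -1 on bad input. out needs 52 bytes. */
int smack_load_record(char *out, const char *subj, const char *obj, const char *mode)
{
    if (!mode_ok(mode) || put_field(out, LABEL_LEN, subj) ||
        put_field(out + LABEL_LEN, LABEL_LEN, obj))
        return -1;
    memcpy(out + 2 * LABEL_LEN, mode, 4);
    return 2 * LABEL_LEN + 4;
}

/* /smack/cipso record: returns 32 + 4*ncat, or -1 on bad input. */
int smack_cipso_record(char *out, size_t cap, const char *label, int level, const int *cats, int ncat)
{
    char num[16];
    if (ncat < 0 || 32 + 4 * (size_t)ncat > cap || put_field(out, LABEL_LEN, label))
        return -1;
    for (int i = -2; i < ncat; i++) {   /* -2: Level, -1: CatCount, then categories */
        int v = (i == -2) ? level : (i == -1) ? ncat : cats[i];
        if (v < 0 || v > 9999) return -1;   /* must fit in 4 characters */
        snprintf(num, sizeof(num), "%d", v);
        put_field(out + 32 + 4 * i, 4, num);
    }
    return 32 + 4 * ncat;
}
```

A caller would pass the returned length to a single write() on the corresponding special file, since the message defines the format per write.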