
Simplified Mandatory Access Control Kernel

Authors: Casey Schaufler

Complete Citation

Abstract

Smack is the Simplified Mandatory Access Control Kernel.

Smack implements mandatory access control (MAC) using labels attached to tasks and data containers, including files, SVIPC, and other tasks. Smack is a kernel based scheme that requires an absolute minimum of application support and a very small amount of configuration data.

Smack is implemented as a clean LSM. It requires no external code changes and the patch modifies only the Kconfig and Makefile in the security directory. Smack uses extended attributes and provides a set of general mount options, borrowing techniques used elsewhere. Smack uses netlabel for CIPSO labeling. Smack provides a pseudo-filesystem smackfs that is used for manipulation of system Smack attributes.

The patch, patches for ls and sshd, a README, a startup script, and x86 binaries for ls and sshd are also available on

http://www.schaufler-ca.com

Smack provides mandatory access controls based on the label attached to a task and the label attached to the object it is attempting to access. Smack labels are deliberately short (1-23 characters) text strings. Single character labels using special characters are reserved for system use. The only operation applied to Smack labels is equality comparison. No wildcards or expressions, regular or otherwise, are used.

Annotations

Labels:
  • _ Pronounced “floor”, a single underscore character.
  • ^ Pronounced “hat”, a single circumflex character.
  • * Pronounced “star”, a single asterisk character.
  • ? Pronounced “huh”, a single question mark character.
The access rules enforced by Smack are, in order:
  1. Any access requested by a task labeled "*" is denied.
  2. A read or execute access requested by a task labeled "^" is permitted.
  3. A read or execute access requested on an object labeled "_" is permitted.
  4. Any access requested on an object labeled "*" is permitted.
  5. Any access requested by a task on an object with the same label is permitted.
  6. Any access requested that is explicitly defined in the loaded rule set is permitted.
  7. Any other access is denied.

Figure 1: (image Picture_1.png, not reproduced here)
In Figure 1 a user barney has been assigned the Smack label Rubble. This user can read or execute the floor labeled system programs and data. He can also read from and write to the special device /dev/null, which has the star label. System processes running with the floor label do not have any access to Barney’s data. A system process running with the hat label is allowed read access to the user’s data but not write access.

Smack Networking:

Every packet sent by a Smack process is tagged with its Smack label. This is done by adding a CIPSO tag to the header of the IP packet. Each packet received is expected to have a CIPSO tag that identifies the label; if it lacks such a tag, the network ambient label is assumed. Before the packet is delivered, a check is made that a subject with the label on the packet has write access to the receiving process; if that is not the case, the packet is dropped.
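As an added example (not code from the original page or from the Smack patch), the following C program models the seven access rules listed above as one decision function evaluated in order, applies it to the Figure 1 scenario (user barney running with the label Rubble), and then reuses the same function for the packet delivery check described in this section. The bit-flag mode constants, the hard-coded rule set, the label "Bedrock", and the value chosen for the ambient label are all constructed for the example; the page itself only says that rules are loaded and that an ambient label exists.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Access modes as bit flags (constructed for this example). */
#define MAY_READ  1
#define MAY_WRITE 2
#define MAY_EXEC  4

/* The special single-character labels named on the page. */
#define SMK_FLOOR "_"
#define SMK_HAT   "^"
#define SMK_STAR  "*"

/* One explicitly loaded rule: subject label, object label, permitted modes. */
struct smack_rule {
    const char *subject;
    const char *object;
    int allowed;
};

/* Constructed rule set standing in for rules loaded through smackfs.
   "Bedrock" is a hypothetical label invented for the example. */
static const struct smack_rule rules[] = {
    { "Rubble", "Bedrock", MAY_READ | MAY_WRITE },
};

/* True when every mode in 'requested' is also present in 'allowed'. */
static bool covers(int allowed, int requested)
{
    return (requested & ~allowed) == 0;
}

/* Evaluate the seven Smack rules in order. 'requested' is a set of modes;
   a rule grants the request only if it covers every mode in that set,
   so a read+write request by a hat task is not split into halves. */
bool smack_access(const char *subject, const char *object, int requested)
{
    /* 1. Any access requested by a task labeled "*" is denied. */
    if (strcmp(subject, SMK_STAR) == 0)
        return false;
    /* 2. Read or execute requested by a task labeled "^" is permitted. */
    if (strcmp(subject, SMK_HAT) == 0 && covers(MAY_READ | MAY_EXEC, requested))
        return true;
    /* 3. Read or execute requested on an object labeled "_" is permitted. */
    if (strcmp(object, SMK_FLOOR) == 0 && covers(MAY_READ | MAY_EXEC, requested))
        return true;
    /* 4. Any access requested on an object labeled "*" is permitted. */
    if (strcmp(object, SMK_STAR) == 0)
        return true;
    /* 5. Same label on task and object is permitted; equality is the only comparison. */
    if (strcmp(subject, object) == 0)
        return true;
    /* 6. An access explicitly defined in the loaded rule set is permitted. */
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        if (strcmp(rules[i].subject, subject) == 0 &&
            strcmp(rules[i].object, object) == 0 &&
            covers(rules[i].allowed, requested))
            return true;
    }
    /* 7. Any other access is denied. */
    return false;
}

/* Network ambient label assumed for packets without a CIPSO tag
   (constructed value; the page only states that such a label exists). */
static const char *ambient_label = SMK_FLOOR;

/* Delivery check for a received packet: the label carried in the CIPSO tag
   (or the ambient label when the packet has none) must have write access to
   the receiving process's label, otherwise the packet is dropped.
   cipso_label is NULL for an untagged packet. */
bool smack_deliver(const char *cipso_label, const char *receiver_label)
{
    const char *subject = cipso_label ? cipso_label : ambient_label;
    return smack_access(subject, receiver_label, MAY_WRITE);
}

static void show(const char *what, bool ok)
{
    printf("%-48s %s\n", what, ok ? "permitted" : "denied");
}

int main(void)
{
    /* The Figure 1 scenario: user barney runs with the label Rubble. */
    show("Rubble reads/executes a floor program", smack_access("Rubble", SMK_FLOOR, MAY_READ | MAY_EXEC));
    show("Rubble writes /dev/null (star)", smack_access("Rubble", SMK_STAR, MAY_WRITE));
    show("floor process reads Rubble data", smack_access(SMK_FLOOR, "Rubble", MAY_READ));
    show("hat process reads Rubble data", smack_access(SMK_HAT, "Rubble", MAY_READ));
    show("hat process writes Rubble data", smack_access(SMK_HAT, "Rubble", MAY_WRITE));
    show("star task reads a star object (rule 1 wins)", smack_access(SMK_STAR, SMK_STAR, MAY_READ));
    show("Rubble writes Bedrock (explicit rule)", smack_access("Rubble", "Bedrock", MAY_WRITE));
    /* Networking: a tagged and an untagged packet arriving at a Rubble process. */
    show("packet labeled Rubble to Rubble process", smack_deliver("Rubble", "Rubble"));
    show("untagged packet to Rubble process", smack_deliver(NULL, "Rubble"));
    return 0;
}
```

The order of the checks is the point: a task labeled "*" is refused even when the object is also "*", because rule 1 is evaluated before rule 4, and a hat task's write to Rubble data falls past rule 2 and is refused by rule 7, matching the Figure 1 description.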

-- AndrewBlaich - 17 Oct 2007

Topic revision: r1 - 17 Oct 2007 - AndrewBlaich