Casey Schaufler (on Sat, 11 Aug 2007 10:57:31 -0700) wrote: >Smack is the Simplified Mandatory Access Control Kernel. > > [snip] > >Smack defines and uses these labels: > > "*" - pronounced "star" > "_" - pronounced "floor" > "^" - pronounced "hat" > "?" - pronounced "huh" > >The access rules enforced by Smack are, in order: > >1. Any access requested by a task labeled "*" is denied. >2. A read or execute access requested by a task labeled "^" > is permitted. >3. A read or execute access requested on an object labeled "_" > is permitted. >4. Any access requested on an object labeled "*" is permitted. >5. Any access requested by a task on an object with the same > label is permitted. >6. Any access requested that is explicitly defined in the loaded > rule set is permitted. >7. Any other access is denied.
Some security systems that have the concept of "no default access" (task labeled "*") also allow access by those tasks but only if there is an explicit rule giving access to the task. IOW, rule 6 is applied before rule 1. In my experience this simplifies special cases where a task should only have access to a very small set of resources. I'm curious why smack goes the other way? - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
