Security/Tizen Smack

From Tizen Wiki

Smack

Smack (Simplified Mandatory Access Control in Kernel) is one of the Mandatory Access Control (MAC) mechanisms available in the Linux kernel since 2.6.25. Smack was chosen as the access control mechanism for Tizen over alternatives such as SELinux, TOMOYO and AppArmor because of its simplicity and ease of use. Smack defines three components: subject, object and access type. The subject is the domain of a process; the object is the domain of the resource (e.g. file, process, IPC, network, and so on) that the process tries to access. The access type is the operation the subject wants to perform on the object: read, write, execute and so on.

A Smack label is the identifier of a subject or object, represented as a null-terminated character string with a maximum length of 255 bytes (in older versions the maximum was 23). Labels may not contain spaces or certain special characters. For details, see the Linux source tree documentation.

Smack uses extended attributes (xattr) to store file labels (under security.* attributes) and the netlabel mechanism to label network packets. Labels on files are stored in security.SMACK64. This attribute serves as the object label during policy checks when a process tries to access the file. A process started with one of the exec libc functions takes its label from the binary's security.SMACK64EXEC attribute (not the regular security.SMACK64). Also worth noting are security.SMACK64IPIN and security.SMACK64IPOUT, set on socket files, which are used for access control decisions on packets delivered to and coming from the socket.

Smack rule is represented as a triple:

Subject_label Object_label Access_type

There are seven Smack access types: read, write, execute, append, transmute, lock and bringup. Read, write, execute and append have the same meaning as the standard DAC access types.

Transmute is a TRUE/FALSE flag set on directories which specifies that all newly created objects inside that directory inherit the label of the parent (subdirectories also inherit the transmute setting). For a process to make use of the transmute flag, it is not enough that the transmute attribute is set on the directory; the process also needs a Smack rule granting the "t" access mode to the directory's label.

Lock is used for locking a file (especially needed in case of databases, which require locking even with read-only operations). Write includes lock automatically.

Bringup means that all successful accesses will be logged in the system with actual rights that were needed to perform the operation (this mode was created to help policy creation for developers - all logged accesses can be analysed and minimum set of Smack rules can be created for processes to work properly).

Official documentation is available on the author's site (note that this documentation is somewhat outdated): http://schaufler-ca.com/description_from_the_linux_source_tree

More information can be found in the latest Linux source tree documentation: http://lxr.free-electrons.com/source/Documentation/security/Smack.txt

Default labels and rules

Smack defines default labels and rules to provide efficient management.

label   name
_       floor
^       hat
*       star
?       question mark
@       web

The table below shows the default rules in the order in which they are processed inside the kernel (X and Y stand for arbitrary labels; X X means subject and object carry the same label):

order  subject label  object label  access type             permission      main usage
1      *              any           any                     denied          N/A
2      @              any           any                     permitted       only web packets
3      any            @             any                     permitted       only web packets
4      any            *             any                     permitted       e.g. shared files
5      X              X             any                     permitted
6      any            _             read / lock / execute   permitted       e.g. shared libraries
7      ^              any           read / lock / execute   permitted
8      X              Y             any                     based on rules  access control

The floor label is mostly used for shared library files placed in /usr/lib. This implies that a developer should never declare a Smack rule that allows write access to the floor label.

The last row of the table means that any access between different subject and object labels must be explicitly granted by a Smack rule; otherwise it is denied.

Smackfs interface

Smack is configured through a virtual filesystem mounted on /sys/fs/smackfs (the filesystem type is smackfs; /smack is the old mount path). Users communicate with Smack through the set of interface files available in smackfs. The most important are:

  • load, load2 - both load Smack rules into the kernel, but the former supports only short Smack labels (up to 23 characters). Format accepted on write: "%s %s %s" - the first string is the subject label, the second the object label and the last the granted access (any of rwxatl, see the access types above) with an optional bringup specifier 'b'. A '-' in the access string is a placeholder for an access mode that is not granted.
  • access, access2 - check whether a given access between subject and object is permitted (the difference between the two is the same as for load: access accepts labels of up to 23 characters). The format accepted on write is the same as for load and load2. The next read returns a value indicating whether the access would be permitted ("1") or denied ("0").
  • onlycap - contains the set of labels a process must have for CAP_MAC_ADMIN or CAP_MAC_OVERRIDE to be effective. An empty file means no such label is specified, so these capabilities are effective for processes with any label. Writing to the file overwrites this set.
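The following is an added reference model of the decision described by the default-rule table and the load2/access2 formats above; it is not code from the Tizen wiki or the Smack project. It applies the hard-coded rules in the table's order, then falls back to explicit rules parsed from load2-style lines. All labels and rule lines in it are constructed sample values, and the 'b' bringup flag is modelled as a logging marker that does not change the decision.

```python
# Added example: a user-space model of Smack's access check (not the kernel code).
ACCESS_CHARS = set("rwxatl")   # read, write, execute, append, transmute, lock
READ_LIKE = set("rxl")         # modes granted for free on floor objects / hat subjects


def parse_access(spec):
    """Turn an access string such as 'rwx--' or 'rlb' into a set of mode chars.
    '-' is a placeholder for a mode that is not granted; 'b' (bringup) only
    marks the rule for logging and grants nothing by itself."""
    modes = set()
    for ch in spec:
        if ch in "-b":
            continue
        if ch not in ACCESS_CHARS:
            raise ValueError("invalid access character %r" % ch)
        modes.add(ch)
    return modes


def parse_rules(text):
    """Parse load2-format lines ('subject object access') into a rule table."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        subject, obj, access = line.split()        # labels contain no spaces
        rules[(subject, obj)] = parse_access(access)
    return rules


def smack_access(subject, obj, request, rules):
    """Return True if subject may perform every mode in request on obj,
    mirroring the order of the default-rule table."""
    want = parse_access(request)
    if subject == "*":                      # 1: a star subject is always denied
        return False
    if subject == "@" or obj == "@":        # 2, 3: the web label is always permitted
        return True
    if obj == "*":                          # 4: a star object is always permitted
        return True
    if subject == obj:                      # 5: same label, any access
        return True
    if want and want <= READ_LIKE:          # 6, 7: only read / execute / lock
        if obj == "_" or subject == "^":
            return True
    granted = set(rules.get((subject, obj), set()))   # 8: explicit rules, else deny
    if "w" in granted:                      # write includes lock automatically
        granted.add("l")
    return bool(want) and want <= granted
```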

To fetch the label of a process, read /proc/<pid>/attr/current; to read the label of the current process, read /proc/self/attr/current. A process with effective CAP_MAC_ADMIN can change its own label by writing to /proc/self/attr/current. A process cannot change the label of a different running process.

User-space Smack

The repository https://github.com/smack-team/smack contains a set of user-space tools and a library that communicate with the kernel through the smackfs interface underneath. libsmack is a C library that allows:

  • checking if access is permitted between labels,
  • adding, clearing and loading rules (from files, to the kernel, to a file etc.),
  • getting Smack labels from files, open fds, open sockets and processes,
  • relabeling files and the current process.

The provided command line tools allow reading from and writing to the Smack interface in the proper format, and managing labels stored under the different security attributes.

  • chsmack - set, remove or change the appropriate security extended attribute (access, execute, mmap, transmute). For example, "chsmack -a mylabel /tmp/myfile" sets the access label "mylabel" on the file "/tmp/myfile"; "chsmack /tmp/myfile" prints all security attributes set on "/tmp/myfile".
  • smackaccess - writes the specified arguments in the proper format to the proper access[2] interface and reads back the result.
  • smackload - writes the specified arguments in the proper format to the proper load[2] interface.