Smack and CIPSO
The Common Internet Protocol Security Option (CIPSO, pronounced sip-sew) is a protocol carried in the options portion of the Internet Protocol (IP) header. CIPSO information is optional for IP packets. There are a number of ways that CIPSO can represent security information, but they are all oriented toward a system that uses numeric security levels and categories. CIPSO includes a Domain of Interpretation (DOI) to assist in identifying how specific CIPSO values should be treated.
Smack does not use levels or categories; decisions are based on Smack label text. A Smack label can be given an explicit CIPSO representation with an arbitrary level and category set. If no explicit value is specified, Smack uses an encoding scheme: it usually encodes the text of the label in the CIPSO categories and sets the level to the direct value. If the Smack label is too long for the encoding to fit in the CIPSO header (longer than 23 characters), an integer reference value is encoded in the categories and the level is set to the mapped value. Because the reference value may differ between machines, mapped CIPSO values should never be sent between machines. Any long Smack label sent over the wire should have an explicit CIPSO value set.
The CIPSO headers on incoming packets are translated into Smack labels by a simple lookup of the CIPSO values associated with labels known to the system.
CIPSO Usage Conflicts
The doi, mapped and direct values may be changed. These values may conflict with values used by other CIPSO-based systems, including Trusted Solaris.
Smack and Unlabeled Packets
Most computers and network enabled devices do not use CIPSO. Smack requires access control for all network communications, so a Smack label must be associated with each packet. Smack uses two mechanisms for dealing with unlabeled IP packets: a network address or range of addresses can be assigned a specific label, and all other unlabeled packets are given a single designated Smack label (the ambient label).
Single Label Hosts
A network address or range of network addresses can be assigned a specific Smack label using the netlabel interface. All packets coming from that address range are treated as if they have the CIPSO value associated with that Smack label. Sending packets to that address range requires write access to the configured Smack label. Packets sent to that address range will not have CIPSO headers.
The Ambient Label
Packets that do not have CIPSO headers and are not coming from a single label host are given the ambient Smack label. Packets that are sent from processes with the ambient Smack label are sent without CIPSO headers.
Configuring Smack Networking
Smack network configuration is changed by writing to files in the smackfs filesystem. The smackfs filesystem is mounted at /sys/fs/smackfs or, on some older systems, at /smack.
ambient
This contains the Smack label applied to unlabeled network packets.
cipso
This interface is obsolete. The cipso2 interface should be used instead. This interface allows a specific CIPSO header to be assigned to a Smack label. The value written is a short (23 character or less) Smack label followed by the level to use, the number of categories, and then the categories themselves. Example:
- "level-3-cats-5-19 3 2 5 19"
cipso2
This interface allows a specific CIPSO header to be assigned to a Smack label. The value written is a Smack label (of any length) followed by the level to use, the number of categories, and then the categories themselves. Example:
- "level-3-cats-5-19 3 2 5 19"
direct
This contains the CIPSO level used for Smack direct label representation in network packets.
doi
This contains the CIPSO domain of interpretation used in network packets.
mapped
This contains the CIPSO level used for Smack mapped label representation in network packets.
netlabel
This interface allows specific internet addresses to be treated as single label hosts. Packets are sent to single label hosts without CIPSO headers, but only from processes that have Smack write access to the host label. All packets received from single label hosts are given the specified label. The format accepted on write is:
- "%d.%d.%d.%d label" or "%d.%d.%d.%d/%d label".
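As an added example (not code from the kernel documentation), the following Python renders the ambient, cipso2 and netlabel writes described above and flags any label that would leave the host with a mapped CIPSO value, i.e. a label longer than 23 characters with no explicit cipso2 entry; the mount point, labels, addresses and CIPSO numbers are assumed sample values.

```python
"""Plan a Smack network configuration and flag labels that would go over
the wire with a host-specific (mapped) CIPSO value.
Added example; all paths and values below are assumed for illustration."""

SMACKFS = "/sys/fs/smackfs"   # assumed mount point; older systems use /smack
SHORT_LABEL_MAX = 23          # longer labels cannot be encoded directly in the header


def cipso2_line(label, level, categories):
    """Render one write to smackfs/cipso2: label, level, count, categories."""
    if not label or any(ch.isspace() for ch in label):
        raise ValueError("Smack label must be a single non-empty token")
    if level < 0 or any(c < 0 for c in categories):
        raise ValueError("level and categories must be non-negative")
    cats = sorted(set(categories))            # de-duplicate, stable order
    return " ".join([label, str(level), str(len(cats))] + [str(c) for c in cats])


def netlabel_line(address, label, prefix=None):
    """Render one write to smackfs/netlabel: host or address range plus label."""
    octets = address.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {address!r}")
    if prefix is not None and not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    host = address if prefix is None else f"{address}/{prefix}"
    return f"{host} {label}"


def mapped_over_wire(wire_labels, explicit_cipso):
    """Labels that are too long for direct encoding and have no explicit
    cipso2 entry: Smack would send them with a mapped reference value that
    only this machine can interpret. Returns the offending labels, sorted."""
    return sorted(lbl for lbl in wire_labels
                  if len(lbl) > SHORT_LABEL_MAX and lbl not in explicit_cipso)


def plan(ambient, cipso_entries, single_label_hosts):
    """Return the (path, line) writes in order, without touching smackfs.
    Applying them needs root on a Smack-enabled kernel; this only renders."""
    writes = [(f"{SMACKFS}/ambient", ambient)]
    writes += [(f"{SMACKFS}/cipso2", cipso2_line(*e)) for e in cipso_entries]
    writes += [(f"{SMACKFS}/netlabel", netlabel_line(*h)) for h in single_label_hosts]
    return writes


if __name__ == "__main__":
    # Constructed sample configuration (not from the documentation).
    for path, line in plan("_", [("level-3-cats-5-19", 3, [5, 19])],
                           [("192.0.2.10", "Printer"), ("198.51.100.0", "Guest", 24)]):
        print(f'echo "{line}" > {path}')
    print(mapped_over_wire({"a-label-that-is-longer-than-23-chars"}, set()))
```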