Smack: improves the documentation

Message ID 1478172406-7574-1-git-send-email-jobol@nonadev.net
State New

Commit Message

José Bollo Nov. 3, 2016, 11:26 a.m. UTC
From: José Bollo <jose.bollo@iot.bzh>

Update the documentation to reflect the processing
made in function 'smk_access' of smack_access.c

Change-Id: I60e11cb8233efe6c9be3aeedd8402d8f8ed9823b
Signed-off-by: José Bollo <jobol@nonadev.net>
---
 Documentation/security/Smack.txt | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

Comments

Casey Schaufler Nov. 3, 2016, 9:34 p.m. UTC | #1
On 11/3/2016 4:26 AM, jobol@nonadev.net wrote:

> From: José Bollo <jose.bollo@iot.bzh>
>
> Update the documentation to reflect the processing
> made in function 'smk_access' of smack_access.c
>
> Change-Id: I60e11cb8233efe6c9be3aeedd8402d8f8ed9823b
> Signed-off-by: José Bollo <jobol@nonadev.net>
> ---
>  Documentation/security/Smack.txt | 14 ++++++++------
>  1 file changed, 8 insertions(+), 6 deletions(-)
>
> diff --git a/Documentation/security/Smack.txt b/Documentation/security/Smack.txt
> index 945cc63..564def1 100644
> --- a/Documentation/security/Smack.txt
> +++ b/Documentation/security/Smack.txt
> @@ -405,16 +405,18 @@ attached to the object it is trying to access. The rules enforced are, in
>  order:
>  
>  	1. Any access requested by a task labeled "*" is denied.
> -	2. A read or execute access requested by a task labeled "^"
> -	   is permitted.
> -	3. A read or execute access requested on an object labeled "_"
> -	   is permitted.
> +	2. Any access requested on an object labeled "@" is permitted.
> +	3. Any access requested by a task labeled "@" is permitted.

Tasks are not allowed the web ("@") label. The only way it shows up
as the subject in an access check is in a network connection.

>  	4. Any access requested on an object labeled "*" is permitted.
>  	5. Any access requested by a task on an object with the same
>  	   label is permitted.
> -	6. Any access requested that is explicitly defined in the loaded
> +	6. A read, execute or lock access requested on an object labeled "_"
> +	   is permitted.
> +	7. A read, execute or lock access requested by a task labeled "^"
> +	   is permitted.
> +	8. Any access requested that is explicitly defined in the loaded
>  	   rule set is permitted.
> -	7. Any other access is denied.
> +	9. Any other access is denied.
>  
>  Smack Access Rules
>  

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff --git a/Documentation/security/Smack.txt b/Documentation/security/Smack.txt
index 945cc63..564def1 100644
--- a/Documentation/security/Smack.txt
+++ b/Documentation/security/Smack.txt
@@ -405,16 +405,18 @@  attached to the object it is trying to access. The rules enforced are, in
 order:
 
 	1. Any access requested by a task labeled "*" is denied.
-	2. A read or execute access requested by a task labeled "^"
-	   is permitted.
-	3. A read or execute access requested on an object labeled "_"
-	   is permitted.
+	2. Any access requested on an object labeled "@" is permitted.
+	3. Any access requested by a task labeled "@" is permitted.
 	4. Any access requested on an object labeled "*" is permitted.
 	5. Any access requested by a task on an object with the same
 	   label is permitted.
-	6. Any access requested that is explicitly defined in the loaded
+	6. A read, execute or lock access requested on an object labeled "_"
+	   is permitted.
+	7. A read, execute or lock access requested by a task labeled "^"
+	   is permitted.
+	8. Any access requested that is explicitly defined in the loaded
 	   rule set is permitted.
-	7. Any other access is denied.
+	9. Any other access is denied.
 
 Smack Access Rules
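Review bot: rule 3 ("Any access requested by a task labeled "@" is permitted") should not say "task": as the review reply points out, tasks are not allowed the "@" label and a "@" subject only appears in an access check for a network connection, so wording such as "Any access requested by a subject labeled "@" (only possible for a network connection) is permitted" would document what actually happens. The hunk also changes precedence without the commit message saying so: the "_" object and "^" task rules, previously rules 2 and 3, now come after the "*" object and same-label rules as rules 6 and 7, and both gain "lock" access. Since the message only says the text is updated to reflect smk_access, one sentence stating that the order now follows the checks in smk_access and that lock access is newly covered would make the change easier to understand from the history.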