Message ID | 1478172406-7574-1-git-send-email-jobol@nonadev.net (mailing list archive) |
---|---|
State | New, archived |
On 11/3/2016 4:26 AM, jobol@nonadev.net wrote: > From: José Bollo <jose.bollo@iot.bzh> > > Update the documentation to reflect the processing > made in function 'smk_access' of smack_access.c > > Change-Id: I60e11cb8233efe6c9be3aeedd8402d8f8ed9823b > Signed-off-by: José Bollo <jobol@nonadev.net> > --- > Documentation/security/Smack.txt | 14 ++++++++------ > 1 file changed, 8 insertions(+), 6 deletions(-) > > diff --git a/Documentation/security/Smack.txt b/Documentation/security/Smack.txt > index 945cc63..564def1 100644 > --- a/Documentation/security/Smack.txt > +++ b/Documentation/security/Smack.txt > @@ -405,16 +405,18 @@ attached to the object it is trying to access. The rules enforced are, in > order: > > 1. Any access requested by a task labeled "*" is denied. > - 2. A read or execute access requested by a task labeled "^" > - is permitted. > - 3. A read or execute access requested on an object labeled "_" > - is permitted. > + 2. Any access requested on an object labeled "@" is permitted. > + 3. Any access requested by a task labeled "@" is permitted. Tasks are not allowed the web ("@") label. The only way it shows up as the subject in an access check is in a network connection. > 4. Any access requested on an object labeled "*" is permitted. > 5. Any access requested by a task on an object with the same > label is permitted. > - 6. Any access requested that is explicitly defined in the loaded > + 6. A read, execute or lock access requested on an object labeled "_" > + is permitted. > + 7. A read, execute or lock access requested by a task labeled "^" > + is permitted. > + 8. Any access requested that is explicitly defined in the loaded > rule set is permitted. > - 7. Any other access is denied. > + 9. Any other access is denied. > > Smack Access Rules >
diff --git a/Documentation/security/Smack.txt b/Documentation/security/Smack.txt index 945cc63..564def1 100644 --- a/Documentation/security/Smack.txt +++ b/Documentation/security/Smack.txt @@ -405,16 +405,18 @@ attached to the object it is trying to access. The rules enforced are, in order: 1. Any access requested by a task labeled "*" is denied. - 2. A read or execute access requested by a task labeled "^" - is permitted. - 3. A read or execute access requested on an object labeled "_" - is permitted. + 2. Any access requested on an object labeled "@" is permitted. + 3. Any access requested by a task labeled "@" is permitted. 4. Any access requested on an object labeled "*" is permitted. 5. Any access requested by a task on an object with the same label is permitted. - 6. Any access requested that is explicitly defined in the loaded + 6. A read, execute or lock access requested on an object labeled "_" + is permitted. + 7. A read, execute or lock access requested by a task labeled "^" + is permitted. + 8. Any access requested that is explicitly defined in the loaded rule set is permitted. - 7. Any other access is denied. + 9. Any other access is denied. Smack Access Rules
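Review bot: new rule 3 ("Any access requested by a task labeled "@" is permitted") is worded as a task case, but the reply above states that tasks are not allowed the "@" label and that it only shows up as the subject of an access check in a network connection. Suggest phrasing rule 3 in terms of the subject, or adding that it applies to network connections, so readers do not conclude a task can carry "@". The commit message says only that the text is updated to reflect smk_access; since the list is introduced as enforced "in order", it should also say that the two "@" rules are new, that "lock" is added to the "_" and "^" rules, and that those two rules now come after the same-label rule, with "_" listed before "^".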