SMACK UPDATE, OCTOBER 2018
Casey Schaufler
Intel Open Source Technology Center
CASEY SCHAUFLER
• Kernel developer from the 1970’s
• Supercomputers in the 1990’s
• Smack Linux Security Module
• Security module stacking
Photo courtesy Ann Forrister
WHAT IS SMACK?
• 3rd generation implementation of Multi Level Security
• Subject/Object/Access security model
• Doesn’t try to solve other problems
LABEL BASICS
• File gets the label of its creator
• IPC treats the receiver as the object
• The sender needs write access to the receiver's label
• Exec attribute on program files
• Transmute attribute on directories
[Diagram: label pairs Pop / Pop and Crackle / Pop]
ACCESS BASED ON LABEL RELATIONSHIPS
• Basic rule is that labels must match
• Special labels for things like /dev/null
• Explicit relationships can be defined
• Snap Pop rwxa
[Diagram: subject / object label pairs Crackle / Pop, Crackle / *, Snap / Pop]
SPECIAL LABELS
• Floor (“_”)
• Star (“*”)
• Hat (“^”)
[Diagram: subject / object label pairs Crackle / _, Crackle / *, ^ / Pop]
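The label basics, the "labels must match unless a rule says otherwise" decision and the three special labels on the preceding slides fit in a small simulation. The block below is an added example written for this page, not Smack's kernel code or anything from the talk; it follows the decision order Smack documents (star subject, star object, matching labels, floor/hat for read-or-execute-only requests, then the explicit rule set). The labels Snap, Crackle and Pop and the rule "Snap Pop rwxa" are taken from the slides; the rules for the made-up label "Shared", the extra "Crackle Pop r" rule and every function name are this example's own assumptions.

```python
"""Simulation of Smack's access decision (added example, not Smack's own code).

It models the points on the slides: labels must match, explicit rules in the
smackfs ``load2`` format ("subject object modes"), the special labels "_"
(floor), "*" (star) and "^" (hat), file-creation labels under the transmute
attribute, the exec attribute, and IPC treating the receiver as the object.
The label names Snap, Crackle and Pop and the rule "Snap Pop rwxa" come from
the slides; the other rules and all function names are this example's own.
"""

FLOOR, STAR, HAT = "_", "*", "^"
MODES = set("rwxatlb")   # read, write, execute, append, transmute, lock, bring-up


def parse_rules(text):
    """Parse ``subject object modes`` lines; ``-`` means no access.

    A later line for the same pair replaces the earlier one, as a second
    write of the pair to ``load2`` does.
    """
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        subject, obj, modes = line.split()
        granted = set() if modes == "-" else set(modes)
        if granted - MODES:
            raise ValueError("unknown access mode in %r" % line)
        rules[(subject, obj)] = granted
    return rules


def smack_access(subject, obj, request, rules):
    """True if a task labelled ``subject`` may do every access in ``request``
    (e.g. "r" or "rw") on an object labelled ``obj``.

    Checks run in the order Smack documents them: star subject, star object,
    matching labels, floor/hat for read-or-execute-only requests, then the
    explicit rule set; anything else is denied.
    """
    req = set(request)
    if not req or req - MODES:
        raise ValueError("bad access request %r" % request)
    if subject == STAR:            # a star subject is denied everything
        return False
    if obj == STAR:                # a star object (e.g. /dev/null) is open to all
        return True
    if subject == obj:             # matching labels: full access
        return True
    if req <= {"r", "x"}:          # read/execute only:
        if obj == FLOOR:           #   anyone may read/execute a floor object
            return True
        if subject == HAT:         #   a hat subject may read/execute anything
            return True
    return req <= rules.get((subject, obj), set())   # every mode must be granted


def ipc_allowed(sender, receiver, rules):
    """IPC treats the receiver as the object: the sender needs write access."""
    return smack_access(sender, receiver, "w", rules)


def created_file_label(creator, dir_label, dir_transmute, rules):
    """A new file gets its creator's label, unless the directory carries the
    transmute attribute and the creator's rule to the directory grants 't',
    in which case it gets the directory's label."""
    if dir_transmute and "t" in rules.get((creator, dir_label), set()):
        return dir_label
    return creator


def exec_label(task_label, exec_attr):
    """After exec the task takes the program's exec attribute label, if any."""
    return exec_attr if exec_attr else task_label


# Constructed rule set: the slide's "Snap Pop rwxa" plus two made-up rules.
RULES = parse_rules("""
Snap    Pop    rwxa
Crackle Pop    r
Crackle Shared rwxat
""")


def demo():
    """Decisions for the label pairs drawn on the slides, plus the IPC,
    transmute and exec cases; returned as a dict so they can be checked."""
    return {
        "Pop->Pop rw":         smack_access("Pop", "Pop", "rw", RULES),
        "Snap->Pop rw":        smack_access("Snap", "Pop", "rw", RULES),
        "Crackle->Pop w":      smack_access("Crackle", "Pop", "w", RULES),
        "Crackle->_ r":        smack_access("Crackle", FLOOR, "r", RULES),
        "Crackle->_ w":        smack_access("Crackle", FLOOR, "w", RULES),
        "Crackle->* rw":       smack_access("Crackle", STAR, "rw", RULES),
        "*->Pop r":            smack_access(STAR, "Pop", "r", RULES),
        "^->Pop r":            smack_access(HAT, "Pop", "r", RULES),
        "^->Pop w":            smack_access(HAT, "Pop", "w", RULES),
        "ipc Crackle->Pop":    ipc_allowed("Crackle", "Pop", RULES),
        "file in Shared dir":  created_file_label("Crackle", "Shared", True, RULES),
        "exec with Snap attr": exec_label("Crackle", "Snap"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-22s %s" % (case, result))
```

Note the floor and hat shortcuts apply only when the whole request is read and/or execute: "Crackle->_ w" is denied because a write to a floor object still needs an explicit rule, and a request like "rw" on a floor object is decided by the rule set alone. On a real system the same rule lines are written to the smackfs `load2` file and the labels are set with the SMACK64, SMACK64EXEC and SMACK64TRANSMUTE extended attributes; this block only reproduces the decision, not the kernel interface.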
NETWORK LABELS
• CIPSO used by default
• Unlabeled packets use “ambient” label
• Address label specifications
[Diagram: packet label / resulting label pairs Snap / Snap; <nothing> / _ from 192.100.0.6; <nothing> / Crackle from 192.100.0.6]
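The three cases on the network slide (a CIPSO-labelled packet, an unlabeled packet falling back to the ambient label, and an unlabeled packet matched by an address label specification) come down to one selection rule. The block below is an added example written for this page, not Smack's kernel code; it reproduces that selection for IPv4. The address 192.100.0.6 and the labels Snap, Crackle and "_" are the slide's; the `address/prefix label` entry format is the one the smackfs `netlabel` file takes, while the extra /24 entry, the label Pop for it, and the function names are this example's own assumptions.

```python
"""How Smack labels an incoming IPv4 packet (added example, not Smack's code).

A packet that carries a CIPSO option keeps the label it encodes.  An
unlabeled packet gets the label of the most specific matching entry in the
host list (the address label specifications written to smackfs's ``netlabel``
file as ``address/prefix label``), and the ``ambient`` label when no entry
matches.  The address 192.100.0.6 and the labels Snap, Crackle and "_" are the
slide's; the extra prefix entry and the function names are this example's own.
"""
import ipaddress


def parse_host_labels(text):
    """Parse ``address[/prefix] label`` lines; a bare address means /32.
    Entries are ordered most specific first, as the kernel keeps its list."""
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, label = line.split()
        if "/" not in addr:
            addr += "/32"
        hosts.append((ipaddress.ip_network(addr, strict=False), label))
    hosts.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return hosts


def incoming_label(cipso_label, src, hosts, ambient="_"):
    """Label attached to a received packet.

    ``cipso_label`` is the label carried in the packet's CIPSO option, or
    None for an unlabeled packet.  ``ambient`` defaults to the floor label,
    which is also the kernel's default ambient label.
    """
    if cipso_label is not None:
        return cipso_label
    src_ip = ipaddress.ip_address(src)
    for net, label in hosts:          # most specific prefix wins
        if src_ip in net:
            return label
    return ambient


# Constructed host list: the slide's single-host entry plus a wider prefix.
HOSTS = parse_host_labels("""
192.100.0.0/24 Pop
192.100.0.6    Crackle
""")


def demo():
    """The three cases drawn on the slide, plus the longest-prefix case."""
    return {
        "labelled Snap":            incoming_label("Snap", "192.100.0.6", HOSTS),
        "unlabeled, no host entry": incoming_label(None, "192.100.0.6", []),
        "unlabeled, host entry":    incoming_label(None, "192.100.0.6", HOSTS),
        "unlabeled, /24 entry":     incoming_label(None, "192.100.0.7", HOSTS),
        "unlabeled, no match":      incoming_label(None, "10.1.2.3", HOSTS),
    }


if __name__ == "__main__":
    for case, label in demo().items():
        print("%-26s %s" % (case, label))
```

Once a packet has a label, the normal access check applies with the receiving socket's label as the object. Host-list entries also matter on the sending side, which this block does not model: packets to a listed host are sent without a CIPSO option, and the entry's label is the object the sender must have write access to.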
WHO’S USING SMACK?
• Tizen
• Automotive Grade Linux
• Yocto Project
WHAT’S NEW IN SMACK?
• Overlayfs support
• Privilege to change keys
WHAT’S FIXED IN SMACK?
• Memory leaks
• smack_inode_removexattr
• smack_inode_getsecctx
• IPv4 over IPv6
• UDP-Lite and DCCP
NETWORKING PROJECTS
• CALIPSO
• Netlabel clean up
OTHER PROJECTS
• Smack namespace
• Revive Samsung’s project
• Infiniband
• libvirt
• eBPF
RULE SET FOR DISTRIBUTIONS
THANK YOU