SMACK UPDATEOCTOBER 2018

Casey Schaufler

Intel Open Source

Technology Center

CASEY SCHAUFLER

2

• Kernel developer from the 1970’s

• Supercomputers in the 1990’s

• Smack Linux Security Module

• Security module stacking

Photo Curtesy Ann Forrister

WHAT IS SMACK?

• 3rd generation implementation of Multi Level Security

• Subject/Object/Access security model

• Doesn’t try to solve other problems

3

LABEL BASICS

• File gets the label of its creator

• IPC treats receiver as the object

• Write access required

• Exec attribute on program files

• Transmute attribute on directories

4

Pop Pop

Crackle Pop

ACCESS BASED ON LABEL RELATIONSHIPS

• Basic rule is that labels must match

• Special labels for things like /dev/null

• Explicit relationships can be defined

• Snap Pop rwxa

5

Crackle Pop

Crackle *

Snap Pop

SPECIAL LABELS

• Floor (“_”)

• Star (“*”)

• Hat (“^”)

6

Crackle _

Crackle *

^ Pop

NETWORK LABELS

• CIPSO used by default

• Unlabeled packets use “ambient” label

• Address label specificiations

7

Snap Snap

<nothing> _

192.100.0.6

192.100.0.6

<nothing> Crackle

192.100.0.6

WHO’S USING SMACK?

• Tizen

• Automotive Grade Linux

• Yocto Project

8

WHAT’S NEW IN SMACK?

• Overlayfs support

• Privilege to change keys

9

WHAT’S FIXED IN SMACK?

• Memory leaks

• smack_inode_removexattr

• smack_inode_getsecctx

• IPv4 over IPv6

• UDP-Lite and DCCP

10

NETWORKING PROJECTS

• Calipso

• Netlabel clean up

11

OTHER PROJECTS

• Smack namespace

• Revive Samsung’s project

• Infiniband

• libvert

• eBPF

12

RULE SET FOR DISTRIBUTIONS

13

THANK YOU