Lines Matching refs:access
7 Smack is a kernel based implementation of mandatory access
29 access to systems that use them as Smack does.
39 smackctl - load the Smack access rules
40 smackaccess - report if a process with one label has access
69 Used to make access control decisions. In almost all cases
77 label does not allow all of the access permitted to a process
83 the Smack rule (more below) that permitted the write access
90 Use the Smack label in this attribute for access control
94 Use the Smack label in this attribute for access control
110 access
112 Smack label has a particular access to an object with a
113 specified Smack label. Write a fixed format access rule to
114 this file. The next read will indicate whether the access
116 access, or "0" indicating denial.
119 Smack label has a particular access to an object with a
120 specified Smack label. Write a long format access rule to
121 this file. The next read will indicate whether the access
123 access, or "0" indicating denial.
128 This interface allows modification of existing access control rules.
132 object label, the third the access to allow and the fourth the
133 access to deny. The access strings may contain only the characters
137 created using the access specified in the third and the fourth strings.
161 This interface allows access control rules in addition to
166 object label, and the third the requested access. The access
168 which sort of access is allowed. The "-" is a placeholder for
170 specify read and execute access. Labels are limited to 23
173 This interface allows access control rules in addition to
178 object label, and the third the requested access. The access
180 which sort of access is allowed. The "-" is a placeholder for
182 specify read and execute access.
184 This interface allows process specific access rules to be
185 defined. These rules are only consulted if access would
190 This interface allows process specific access rules to be
191 defined. These rules are only consulted if access would
204 that have Smack write access to the host label. All packets
216 0 - default: this is the policy that relies on Smack access rules.
217 For the PTRACE_READ a subject needs to have a read access on
218 object. For the PTRACE_ATTACH a read-write access is required.
225 Writing a Smack label here sets the access to '-' for all access
231 the access permitted if it wouldn't be otherwise. Note that this
235 You can add access rules in /etc/smack/accesses. They take the form:
237 subjectlabel objectlabel access
239 access is a combination of the letters rwxatb which specify the
240 kind of access permitted a subject with subjectlabel on an
241 object with objectlabel. If there is no rule no access is allowed.
257 access to pieces of data. These schemes are called discretionary access
258 control mechanisms because the access control is specified at the discretion
260 program can access up to users or programs. These schemes are called mandatory
261 access control mechanisms because you don't have a choice regarding the users
262 or programs that have access to pieces of data.
287 LaPadula are addressed by providing a scheme whereby access can be controlled
290 Enforcement and avoided by defining access controls in terms of the access
308 information from an object is an access.
330 on what subjects can access which objects, based on the labels attached to
359 Smack uses the traditional access modes of Linux. These modes are read,
361 access mode may not be obvious. These include:
368 Smack restricts access based on the label attached to a subject and the label
369 attached to the object it is trying to access. The rules enforced are, in
372 1. Any access requested by a task labeled "*" is denied.
373 2. A read or execute access requested by a task labeled "^"
375 3. A read or execute access requested on an object labeled "_"
377 4. Any access requested on an object labeled "*" is permitted.
378 5. Any access requested by a task on an object with the same
380 6. Any access requested that is explicitly defined in the loaded
382 7. Any other access is denied.
386 With the isolation provided by Smack access separation is simple. There are
387 many interesting cases where limited access by subjects to objects with
392 mechanism for specifying rules allowing access between labels.
396 The format of an access rule is:
398 subject-label object-label access
401 label of the thing being accessed, and access is a string specifying the sort
402 of access allowed. The access specification is searched for letters that
403 describe access modes:
405 a: indicates that append access should be granted.
406 r: indicates that read access should be granted.
407 w: indicates that write access should be granted.
408 x: indicates that execute access should be granted.
430 Spaces are not allowed in labels. Since a subject always has access to files
433 access specifications. The dash is a placeholder, so "a-r" is the same
434 as "ar". A lone dash is used to specify that no access should be allowed.
441 access control models is not one of them. Smack strives to treat accesses as
446 and devices require access permissions that closely match those used by mode
447 bit access. To open a file for reading read access is required on the file. To
448 search a directory requires execute access. Creating a file with write access
449 requires both read and write access on the containing directory. Deleting a
450 file requires read and write access to the file and to the containing
452 but not any of its attributes by the circumstance of having read access to the
457 access rule that allows a process to create an object in that directory
458 includes 't' access the label assigned to the new object will be that
461 access to all of their files.
464 namespaces and access requests are only required to match the object in
467 Process objects reflect tasks on the system and the Smack label used to access
468 them is the same Smack label that the task would use for its own access
472 tasks with identical Smack labels and requires no access checks.
475 one process to another requires that the sender have write access to the
476 receiver. The receiver is not required to have read access to the sender.
503 CAP_MAC_OVERRIDE allows the process access to objects it would
509 As mentioned before, Smack enforces access control on network protocol
515 packet has write access to the receiving process and if that is not the case
585 It means that your application will have unlabeled access to @IP1 if it has
586 write access on LABEL1, and access to the subnet @IP2/MASK if it has write
587 access on LABEL2.
593 @ means Internet, any application with any label has access to it
601 Internet access, you can have:
618 whether the process has execute access to the program.
678 smackfshat=label: specifies a label that must have read access to
682 filesystem must have read access. Not yet enforced.
708 access mode will be logged. When a new label is introduced for processes
714 able to access any object, and objects with that label accessible to
715 all subjects. Any access that is granted because a label is unconfined