Lines Matching refs:access
7 Smack is a kernel based implementation of mandatory access
29 access to systems that use them as Smack does.
43 smackctl - load the Smack access rules
44 smackaccess - report if a process with one label has access
73 Used to make access control decisions. In almost all cases
81 label does not allow all of the access permitted to a process
87 the Smack rule (more below) that permitted the write access
94 Use the Smack label in this attribute for access control
98 Use the Smack label in this attribute for access control
114 access
118 Smack label has a particular access to an object with a
119 specified Smack label. Write a fixed format access rule to
120 this file. The next read will indicate whether the access
122 access, or "0" indicating denial.
125 Smack label has a particular access to an object with a
126 specified Smack label. Write a long format access rule to
127 this file. The next read will indicate whether the access
129 access, or "0" indicating denial.
134 This interface allows modification of existing access control rules.
138 object label, the third the access to allow and the fourth the
139 access to deny. The access strings may contain only the characters
143 created using the access specified in the third and the fourth strings.
171 label hosts only from processes that have Smack write access
181 This interface allows access control rules in addition to
186 object label, and the third the requested access. The access
188 which sort of access is allowed. The "-" is a placeholder for
190 specify read and execute access. Labels are limited to 23
193 This interface allows access control rules in addition to
198 object label, and the third the requested access. The access
200 which sort of access is allowed. The "-" is a placeholder for
202 specify read and execute access.
206 This interface allows process specific access rules to be
207 defined. These rules are only consulted if access would
212 This interface allows process specific access rules to be
213 defined. These rules are only consulted if access would
226 that have Smack write access to the host label. All packets
240 0 - default: this is the policy that relies on Smack access rules.
241 For the PTRACE_READ a subject needs to have a read access on
242 object. For the PTRACE_ATTACH a read-write access is required.
249 Writing a Smack label here sets the access to '-' for all access
255 the access permitted if it wouldn't be otherwise. Note that this
270 you can add access rules in /etc/smack/accesses. They take the form:
272 subjectlabel objectlabel access
274 access is a combination of the letters rwxatb which specify the
275 kind of access permitted a subject with subjectlabel on an
276 object with objectlabel. If there is no rule no access is allowed.
292 access to pieces of data. These schemes are called discretionary access
293 control mechanisms because the access control is specified at the discretion
295 program can access up to users or programs. These schemes are called mandatory
296 access control mechanisms because you don't have a choice regarding the users
297 or programs that have access to pieces of data.
322 LaPadula are addressed by providing a scheme whereby access can be controlled
325 Enforcement and avoided by defining access controls in terms of the access
343 information from an object is an access.
365 on what subjects can access which objects, based on the labels attached to
394 Smack uses the traditional access modes of Linux. These modes are read,
396 access mode may not be obvious. These include:
403 Smack restricts access based on the label attached to a subject and the label
404 attached to the object it is trying to access. The rules enforced are, in
407 1. Any access requested by a task labeled "*" is denied.
408 2. A read or execute access requested by a task labeled "^"
410 3. A read or execute access requested on an object labeled "_"
412 4. Any access requested on an object labeled "*" is permitted.
413 5. Any access requested by a task on an object with the same
415 6. Any access requested that is explicitly defined in the loaded
417 7. Any other access is denied.
421 With the isolation provided by Smack access separation is simple. There are
422 many interesting cases where limited access by subjects to objects with
427 mechanism for specifying rules allowing access between labels.
431 The format of an access rule is:
433 subject-label object-label access
436 label of the thing being accessed, and access is a string specifying the sort
437 of access allowed. The access specification is searched for letters that
438 describe access modes:
440 a: indicates that append access should be granted.
441 r: indicates that read access should be granted.
442 w: indicates that write access should be granted.
443 x: indicates that execute access should be granted.
465 Spaces are not allowed in labels. Since a subject always has access to files
468 access specifications. The dash is a placeholder, so "a-r" is the same
469 as "ar". A lone dash is used to specify that no access should be allowed.
476 access control models is not one of them. Smack strives to treat accesses as
481 and devices require access permissions that closely match those used by mode
482 bit access. To open a file for reading read access is required on the file. To
483 search a directory requires execute access. Creating a file with write access
484 requires both read and write access on the containing directory. Deleting a
485 file requires read and write access to the file and to the containing
487 but not any of its attributes by the circumstance of having read access to the
492 access rule that allows a process to create an object in that directory
493 includes 't' access the label assigned to the new object will be that
496 access to all of their files.
499 namespaces and access requests are only required to match the object in
502 Process objects reflect tasks on the system and the Smack label used to access
503 them is the same Smack label that the task would use for its own access
507 tasks with identical Smack labels and requires no access checks.
510 one process to another requires that the sender have write access to the
511 receiver. The receiver is not required to have read access to the sender.
538 CAP_MAC_OVERRIDE allows the process access to objects it would
544 As mentioned before, Smack enforces access control on network protocol
550 packet has write access to the receiving process and if that is not the case
620 It means that your application will have unlabeled access to @IP1 if it has
621 write access on LABEL1, and access to the subnet @IP2/MASK if it has write
622 access on LABEL2.
628 @ means Internet, any application with any label has access to it
636 Internet access, you can have :
653 whether the process has execute access to the program.
713 smackfshat=label: specifies a label that must have read access to
717 filesystem must have read access. Not yet enforced.
743 access mode will be logged. When a new label is introduced for processes
749 able to access any object, and objects with that label accessible to
750 all subjects. Any access that is granted because a label is unconfined