Lines Matching refs:with
12 are encouraged to compare Smack with the other mechanisms
23 works best with file systems that support extended attributes,
40 smackaccess - report if a process with one label has access
41 to an object with another
43 These two commands are obsolete with the introduction of
49 In keeping with the intent of Smack, configuration data is
73 The Smack label of a process that execs a program file with
74 this attribute set will run with this attribute's value.
78 with the label contained in this attribute. This is a very
102 A process can see the Smack label it is running with by
103 reading /proc/self/attr/current. A process with CAP_MAC_ADMIN
111 This interface reports whether a subject with the specified
112 Smack label has a particular access to an object with a
118 This interface reports whether a subject with the specified
119 Smack label has a particular access to an object with a
211 these capabilities are effective at for processes with any
221 PTRACE_READ is not affected. Can be overridden with CAP_SYS_PTRACE.
222 2 - draconian: this policy behaves like the 'exact' above with an
223 exception that it can't be overridden with CAP_SYS_PTRACE.
226 rules with that subject label.
228 If the kernel is configured with CONFIG_SECURITY_SMACK_BRINGUP
229 a process with CAP_MAC_ADMIN can write a label into this interface.
240 kind of access permitted a subject with subjectlabel on an
241 object with objectlabel. If there is no rule no access is allowed.
267 Control (MAC) was very closely associated with the Bell & LaPadula security
296 with other MAC systems and shouldn't be too difficult for the uninitiated to
313 These definitions are consistent with the traditional use in the security
319 capabilities is a privileged task, whereas a task with no
343 Smack labels cannot begin with a '-'. This is reserved for special options.
378 5. Any access requested by a task on an object with the same
387 many interesting cases where limited access by subjects to objects with
431 with the same label specifying a rule for that case is pointless. Only
442 uniformly as is sensible while keeping with the spirit of the underlying
448 search a directory requires execute access. Creating a file with write access
460 for two processes with different labels to share data without granting
472 tasks with identical Smack labels and requires no access checks.
484 one rule, with the most recently specified overriding any earlier
498 only be changed by a process with privilege.
502 A process with CAP_MAC_OVERRIDE or CAP_MAC_ADMIN is privileged.
510 transmissions. Every packet sent by a Smack process is tagged with its Smack
514 is delivered a check is made to determine that a subject with the label on the
530 and a category set with each packet. The DOI is intended to identify a group
566 There are two attributes that are associated with sockets. These attributes
573 SMACK64IPOUT: The Smack label transmitted with outgoing packets.
575 task with which it hopes to communicate.
593 @ means Internet, any application with any label has access to it
610 application interacts with Smack will determine what it will have to do to
617 Smack label associated with the process the only concern likely to arise is
631 to processes running with various labels.
642 process can set the Smack label of a file system object with setxattr(2).
654 A privileged process can set the Smack label of outgoing packets with
705 configuration and system bringup easier. Configure the kernel with
707 mode is enabled accesses that succeed due to rules marked with the "b"
709 rules can be added aggressively, marked with the "b". The logging allows
713 a label to /sys/fs/smackfs/unconfined makes subjects with that label
714 able to access any object, and objects with that label accessible to