Lines Matching refs:with
12 are encouraged to compare Smack with the other mechanisms
23 works best with file systems that support extended attributes,
44 smackaccess - report if a process with one label has access
45 to an object with another
47 These two commands are obsolete with the introduction of
53 In keeping with the intent of Smack, configuration data is
77 The Smack label of a process that execs a program file with
78 this attribute set will run with this attribute's value.
82 with the label contained in this attribute. This is a very
106 A process can see the Smack label it is running with by
107 reading /proc/self/attr/current. A process with CAP_MAC_ADMIN
117 This interface reports whether a subject with the specified
118 Smack label has a particular access to an object with a
124 This interface reports whether a subject with the specified
125 Smack label has a particular access to an object with a
235 these capabilities are effective at for processes with any
245 PTRACE_READ is not affected. Can be overridden with CAP_SYS_PTRACE.
246 2 - draconian: this policy behaves like the 'exact' above with an
247 exception that it can't be overridden with CAP_SYS_PTRACE.
250 rules with that subject label.
252 If the kernel is configured with CONFIG_SECURITY_SMACK_BRINGUP
253 a process with CAP_MAC_ADMIN can write a label into this interface.
275 kind of access permitted a subject with subjectlabel on an
276 object with objectlabel. If there is no rule no access is allowed.
302 Control (MAC) was very closely associated with the Bell & LaPadula security
331 with other MAC systems and shouldn't be too difficult for the uninitiated to
348 These definitions are consistent with the traditional use in the security
354 capabilities is a privileged task, whereas a task with no
378 Smack labels cannot begin with a '-'. This is reserved for special options.
413 5. Any access requested by a task on an object with the same
422 many interesting cases where limited access by subjects to objects with
466 with the same label specifying a rule for that case is pointless. Only
477 uniformly as is sensible while keeping with the spirit of the underlying
483 search a directory requires execute access. Creating a file with write access
495 for two processes with different labels to share data without granting
507 tasks with identical Smack labels and requires no access checks.
519 one rule, with the most recently specified overriding any earlier
533 only be changed by a process with privilege.
537 A process with CAP_MAC_OVERRIDE or CAP_MAC_ADMIN is privileged.
545 transmissions. Every packet sent by a Smack process is tagged with its Smack
549 is delivered a check is made to determine that a subject with the label on the
565 and a category set with each packet. The DOI is intended to identify a group
601 There are two attributes that are associated with sockets. These attributes
608 SMACK64IPOUT: The Smack label transmitted with outgoing packets.
610 task with which it hopes to communicate.
628 @ means Internet, any application with any label has access to it
645 application interacts with Smack will determine what it will have to do to
652 Smack label associated with the process the only concern likely to arise is
666 to processes running with various labels.
677 process can set the Smack label of a file system object with setxattr(2).
689 A privileged process can set the Smack label of outgoing packets with
740 configuration and system bringup easier. Configure the kernel with
742 mode is enabled accesses that succeed due to rules marked with the "b"
744 rules can be added aggressively, marked with the "b". The logging allows
748 a label to /sys/fs/smackfs/unconfined makes subjects with that label
749 able to access any object, and objects with that label accessible to