author    Auke Kok <auke-jan.h.kok@intel.com>    2012-10-29 15:30:05 -0700
committer Lennart Poettering <lennart@poettering.net>    2012-10-30 03:40:42 +0100
commit    0eb59ccfe619cbc4b42ef8ff02b52971994dfe05
tree      67cd3e7e7638b8d5e34fee03fce91d070f56a2ef /man/systemd.socket.xml
parent    978cf3c75fbd94fd0e046206ada6169b35edd919
SMACK: Add configuration options. (v3)
This adds SMACK label configuration options to socket units.

SMACK labels should be applied to most objects on disk well before execution time, but two items remain that are generated dynamically at run time that require SMACK labels to be set in order to enforce MAC on all objects.

Files on disk can be labelled using package management. For device nodes, simple udev rules are sufficient to add SMACK labels at boot/insertion time.

Sockets can be created at run time and systemd does just that for several services. In order to protect FIFOs and UNIX domain sockets, we must instruct systemd to apply SMACK labels at runtime.

This patch adds the following options:

Smack - applicable to FIFOs.
SmackIpIn/SmackIpOut - applicable to sockets.

No external dependencies are required to support SMACK, as setting the labels is done using fsetxattr(). The labels can be set on a kernel that does not have SMACK enabled either, so there is no need to #ifdef any of this code out.

For more information about SMACK, please see Documentation/Smack.txt in the kernel source code.

v3 of this patch changes the config options to be CamelCased.
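The commit message says the labels are applied with fsetxattr() on the security.SMACK64, security.SMACK64IPIN and security.SMACK64IPOUT attributes. The following C program is an added example, not code from systemd or from this patch: it validates a label, writes it to a FIFO and to a UNIX socket with fsetxattr(), and reads it back with fgetxattr() so a deployment script can verify what was actually applied. The label rules (1 to 255 printable ASCII characters, no whitespace, none of / " \ ', no leading '-') are the ones documented in the kernel's Smack.txt; the label values "System" and "_", the temporary paths and all function names are this example's own.

```c
/* Added example, not systemd code: apply and verify SMACK labels via xattrs. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/xattr.h>

enum smack_attr { SMACK_LABEL, SMACK_LABEL_IPIN, SMACK_LABEL_IPOUT };

/* Map each unit-file option to the extended attribute it controls. */
const char *smack_xattr_name(enum smack_attr which)
{
    switch (which) {
    case SMACK_LABEL:       return "security.SMACK64";      /* SmackLabel=      */
    case SMACK_LABEL_IPIN:  return "security.SMACK64IPIN";  /* SmackLabelIPIn=  */
    case SMACK_LABEL_IPOUT: return "security.SMACK64IPOUT"; /* SmackLabelIPOut= */
    }
    return NULL;
}

/* Strict label check (rules from Smack.txt); reject rather than let the kernel decide. */
int smack_label_valid(const char *label)
{
    size_t n = label ? strlen(label) : 0;

    if (n == 0 || n > 255 || label[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)label[i];
        if (c <= ' ' || c > '~' || c == '/' || c == '"' || c == '\\' || c == '\'')
            return 0;
    }
    return 1;
}

/* Returns 0 on success, -errno on failure (-EINVAL, -EBADF, -EPERM, -EOPNOTSUPP, ...). */
int smack_apply_label(int fd, enum smack_attr which, const char *label)
{
    const char *name = smack_xattr_name(which);

    if (!name || !smack_label_valid(label))
        return -EINVAL;
    if (fsetxattr(fd, name, label, strlen(label), 0) < 0)
        return -errno;
    return 0;
}

/* Read the label back; returns its length or -errno. */
ssize_t smack_read_label(int fd, enum smack_attr which, char *buf, size_t len)
{
    ssize_t n = fgetxattr(fd, smack_xattr_name(which), buf, len - 1);

    if (n < 0)
        return -errno;
    buf[n] = '\0';
    return n;
}

static void try_label(const char *what, int fd, enum smack_attr which, const char *label)
{
    char got[256];
    int r = smack_apply_label(fd, which, label);

    if (r < 0) {
        /* Without SMACK enabled (or without CAP_MAC_ADMIN) the kernel refuses the write. */
        fprintf(stderr, "%s: %s=%s failed: %s\n", what, smack_xattr_name(which), label, strerror(-r));
        return;
    }
    if (smack_read_label(fd, which, got, sizeof got) >= 0)
        printf("%s: %s is now \"%s\"\n", what, smack_xattr_name(which), got);
}

int main(void)
{
    char dir[] = "/tmp/smack-example-XXXXXX";   /* constructed scratch location */
    char fifo[64];
    int fd, sock;

    if (!mkdtemp(dir))
        return 1;
    snprintf(fifo, sizeof fifo, "%s/fifo", dir);

    /* FIFO: SmackLabel= sets the object label of the FIFO inode itself. */
    if (mkfifo(fifo, 0600) == 0 && (fd = open(fifo, O_RDONLY | O_NONBLOCK)) >= 0) {
        try_label("fifo", fd, SMACK_LABEL, "System");
        close(fd);
    }
    unlink(fifo);
    rmdir(dir);

    /* UNIX socket: SmackLabelIPIn=/SmackLabelIPOut= label incoming and outgoing connections. */
    if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) >= 0) {
        try_label("socket", sock, SMACK_LABEL_IPIN, "System");
        try_label("socket", sock, SMACK_LABEL_IPOUT, "_");
        close(sock);
    }
    return 0;
}
```

On a kernel without SMACK the program still compiles and runs; the fsetxattr() calls simply fail and the error is reported, which is the behaviour the commit message relies on when it says no #ifdef is needed. The validator is deliberately stricter than the kernel so that a mistyped label in a unit file is caught before anything is written.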
Diffstat (limited to 'man/systemd.socket.xml')
-rw-r--r--  man/systemd.socket.xml | 20
1 files changed, 20 insertions, 0 deletions
diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml
index 9db39b1de..ae8497e8a 100644
--- a/man/systemd.socket.xml
+++ b/man/systemd.socket.xml
@@ -485,6 +485,26 @@
</varlistentry>
<varlistentry>
+ <term><varname>SmackLabel=</varname></term>
+ <term><varname>SmackLabelIPIn=</varname></term>
+ <term><varname>SmackLabelIPOut=</varname></term>
+ <listitem><para>Takes a string
+ value. Controls the extended
+ attributes
+ <literal>security.SMACK64</literal>,
+ <literal>security.SMACK64IPIN</literal>
+ and
+ <literal>security.SMACK64IPOUT</literal>,
+ respectively, i.e. the security label
+ of the FIFO, or the security label for
+ the incoming or outgoing connections
+ of the socket, respectively. See
+ <ulink
+ url="https://www.kernel.org/doc/Documentation/security/Smack.txt">Smack.txt</ulink>
+ for details.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><varname>PipeSize=</varname></term>
<listitem><para>Takes an integer
value. Controls the pipe buffer size
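Review bot: the option names in the commit message (Smack, SmackIpIn/SmackIpOut) do not match what this hunk documents (SmackLabel=, SmackLabelIPIn=, SmackLabelIPOut=); since v3 says the options were renamed, the message or the man page should be brought in line so readers grepping for one name find the other. The new varlistentry also leaves out what happens on a kernel without SMACK support, which the commit message explicitly claims is handled (labels set via fsetxattr() with no #ifdef): a sentence stating whether the label is silently not applied or the socket unit fails on such kernels would save readers a trip to the source.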