diff options
author | Rafal Krypa <r.krypa@samsung.com> | 2015-06-02 11:23:48 +0200 |
---|---|---|
committer | Casey Schaufler <casey@schaufler-ca.com> | 2015-06-02 11:53:42 -0700 |
commit | c0d77c884461fc0dec0411e49797dc3f3651c31b (patch) | |
tree | c526c2ae841b0fc358d29af69cddcdb63ae72431 /Documentation/security | |
parent | 01fa8474fba7e80f6a2ac31d0790385a993cb7ba (diff) | |
download | lwn-c0d77c884461fc0dec0411e49797dc3f3651c31b.tar.gz lwn-c0d77c884461fc0dec0411e49797dc3f3651c31b.zip |
Smack: allow multiple labels in onlycap
Smack onlycap allows limiting of CAP_MAC_ADMIN and CAP_MAC_OVERRIDE to
processes running with the configured label. But having single privileged
label is not enough in some real use cases. On a complex system like Tizen,
there maybe few programs that need to configure Smack policy in run-time
and running them all with a single label is not always practical.
This patch extends onlycap feature for multiple labels. They are configured
in the same smackfs "onlycap" interface, separated by spaces.
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Diffstat (limited to 'Documentation/security')
-rw-r--r-- | Documentation/security/Smack.txt | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/Documentation/security/Smack.txt b/Documentation/security/Smack.txt index abc82f85215b..de5e1aeca7fb 100644 --- a/Documentation/security/Smack.txt +++ b/Documentation/security/Smack.txt @@ -206,11 +206,11 @@ netlabel label. The format accepted on write is: "%d.%d.%d.%d label" or "%d.%d.%d.%d/%d label". onlycap - This contains the label processes must have for CAP_MAC_ADMIN + This contains labels processes must have for CAP_MAC_ADMIN and CAP_MAC_OVERRIDE to be effective. If this file is empty these capabilities are effective at for processes with any - label. The value is set by writing the desired label to the - file or cleared by writing "-" to the file. + label. The values are set by writing the desired labels, separated + by spaces, to the file or cleared by writing "-" to the file. ptrace This is used to define the current ptrace policy 0 - default: this is the policy that relies on Smack access rules. |