summaryrefslogtreecommitdiff
path: root/Documentation/security
diff options
context:
space:
mode:
authorRafal Krypa <r.krypa@samsung.com>2015-06-02 11:23:48 +0200
committerCasey Schaufler <casey@schaufler-ca.com>2015-06-02 11:53:42 -0700
commitc0d77c884461fc0dec0411e49797dc3f3651c31b (patch)
treec526c2ae841b0fc358d29af69cddcdb63ae72431 /Documentation/security
parent01fa8474fba7e80f6a2ac31d0790385a993cb7ba (diff)
downloadlwn-c0d77c884461fc0dec0411e49797dc3f3651c31b.tar.gz
lwn-c0d77c884461fc0dec0411e49797dc3f3651c31b.zip
Smack: allow multiple labels in onlycap
Smack onlycap allows limiting of CAP_MAC_ADMIN and CAP_MAC_OVERRIDE to processes running with the configured label. But having single privileged label is not enough in some real use cases. On a complex system like Tizen, there maybe few programs that need to configure Smack policy in run-time and running them all with a single label is not always practical. This patch extends onlycap feature for multiple labels. They are configured in the same smackfs "onlycap" interface, separated by spaces. Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Diffstat (limited to 'Documentation/security')
-rw-r--r--Documentation/security/Smack.txt6
1 files changed, 3 insertions, 3 deletions
diff --git a/Documentation/security/Smack.txt b/Documentation/security/Smack.txt
index abc82f85215b..de5e1aeca7fb 100644
--- a/Documentation/security/Smack.txt
+++ b/Documentation/security/Smack.txt
@@ -206,11 +206,11 @@ netlabel
label. The format accepted on write is:
"%d.%d.%d.%d label" or "%d.%d.%d.%d/%d label".
onlycap
- This contains the label processes must have for CAP_MAC_ADMIN
+ This contains labels processes must have for CAP_MAC_ADMIN
and CAP_MAC_OVERRIDE to be effective. If this file is empty
these capabilities are effective at for processes with any
- label. The value is set by writing the desired label to the
- file or cleared by writing "-" to the file.
+ label. The values are set by writing the desired labels, separated
+ by spaces, to the file or cleared by writing "-" to the file.
ptrace
This is used to define the current ptrace policy
0 - default: this is the policy that relies on Smack access rules.