Simplified Mandatory Access Control Kernel
From Wikipedia, the free encyclopedia
| Smack | |
|---|---|
| Design by | Casey Schaufler |
| OS | Linux |
| Genre | Computer security |
| License | GPL2 |
| Website | http://schaufler-ca.com/ |
Smack is a Linux kernel security module that protects data and process interaction from malicious manipulation using a set of custom mandatory access control rules provided by the system administrator. Simplicity is the primary design goal of Smack[1].
Design
Smack consists of three components:
- A kernel component that is implemented as a Linux Security Modules module. It requires netlabel and works best with file systems that support extended attributes.
- A startup script that ensures that some device files have the correct Smack attributes and loads the Smack configuration if any is defined.
- A set of patches to the GNU Core Utilities package to make it aware of Smack extended file attributes. A similar initial set of patches to Busybox has also been created. Note that Smack can work without any user-space support.
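As an added illustration (not part of the original article and not code from the Smack project), the following Python sketch audits the kind of labelling the startup script is described as enforcing. It reads the `security.SMACK64` extended attribute that holds a file's Smack label; the expected-label table and the function names are assumptions made for this example.

```python
import errno
import os

SMACK_XATTR = "security.SMACK64"  # extended attribute holding a file's Smack label

# Assumed policy for this example: device files that should carry the "*" label.
EXPECTED = {"/dev/null": "*", "/dev/zero": "*"}


def read_smack_label(path):
    """Return the Smack label stored on path, or None if no label is set."""
    try:
        raw = os.getxattr(path, SMACK_XATTR)
    except OSError as exc:
        # ENODATA: attribute absent; ENOTSUP: file system lacks xattr support.
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise
    return raw.rstrip(b"\0").decode("ascii", "replace")


def audit_labels(expected, reader=read_smack_label):
    """Compare on-disk labels with expected ones; return (path, want, got) mismatches."""
    findings = []
    for path, want in sorted(expected.items()):
        try:
            got = reader(path)
        except FileNotFoundError:
            got = "<missing file>"
        if got != want:
            findings.append((path, want, got))
    return findings


if __name__ == "__main__":
    for path, want, got in audit_labels(EXPECTED):
        print(f"{path}: expected {want!r}, found {got!r}")
```

On a kernel without Smack, or on a file system without extended attribute support, every entry is reported with a found label of `None`.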
Criticism
Smack has been criticized for being written as a new LSM module instead of as an SELinux security policy, which can provide equivalent functionality. Smack's author replied that it is a bit of a strong assertion to assume that an SELinux policy can become a Smack substitute, due to SELinux's over-complicated configuration syntax and the philosophical difference between the Smack and SELinux designs[2].
External links
- Official Website
- Jake Edge (2007-08-08). Smack for simplified access control. Linux Weekly News.
- Jonathan Corbet (2007-02-10). SMACK meets the One True Security Module. Linux Weekly News.


