The Simplified Mandatory Access Control Kernel (Smack) provides a complete Linux-kernel-based mechanism for protecting processes and data from inappropriate manipulation. Smack uses process, file, and network labels, combined with an easy-to-understand and easy-to-manipulate way to identify the kinds of access that should be allowed between labels.
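To make the label-and-rule idea concrete, here is an added example written for this page: a small userspace C model of the Smack access decision. It is not Smack's code and not one of the utilities distributed here. The meaning of the predefined labels (star "*", hat "^", floor "_", same-label access, then the loaded rules, then deny) follows the kernel's Documentation/Smack.txt; the MAY_* names are defined locally, the "subject object access" rule syntax and the table size are this model's own assumptions, and the rule set in main() is constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Access modes, defined locally for this model (Smack's rule letters r w x a). */
#define MAY_READ   1
#define MAY_WRITE  2
#define MAY_EXEC   4
#define MAY_APPEND 8

#define SMK_LABELLEN 24   /* label buffer: up to 23 characters plus NUL */
#define SMK_MAXRULES 64   /* size of this model's rule table (assumption) */

struct smack_rule {
    char subject[SMK_LABELLEN];
    char object[SMK_LABELLEN];
    int  access;          /* OR of MAY_* bits granted to subject on object */
};

static struct smack_rule rules[SMK_MAXRULES];
static int nrules;

void smack_reset_rules(void)
{
    nrules = 0;
}

/* Turn an access string such as "rwxa" or "r-x-" into a MAY_* mask.
 * '-' means "not granted"; any other character is an error (-1). */
int smack_parse_access(const char *s)
{
    int mask = 0;

    for (; *s != '\0'; s++) {
        switch (*s) {
        case 'r': case 'R': mask |= MAY_READ;   break;
        case 'w': case 'W': mask |= MAY_WRITE;  break;
        case 'x': case 'X': mask |= MAY_EXEC;   break;
        case 'a': case 'A': mask |= MAY_APPEND; break;
        case '-':                               break;
        default:  return -1;
        }
    }
    return mask;
}

/* Load one rule line "subject object access" (this model's own syntax; see
 * Documentation/Smack.txt for the exact format the kernel's load file takes).
 * A rule for a subject/object pair that already exists is replaced, so the
 * last line loaded wins. Returns 0 on success, -1 if the line is malformed
 * or the table is full. */
int smack_load_rule(const char *line)
{
    struct smack_rule r;
    char acc[8];
    int i;

    if (sscanf(line, "%23s %23s %7s", r.subject, r.object, acc) != 3)
        return -1;
    r.access = smack_parse_access(acc);
    if (r.access < 0)
        return -1;

    for (i = 0; i < nrules; i++) {
        if (strcmp(rules[i].subject, r.subject) == 0 &&
            strcmp(rules[i].object, r.object) == 0) {
            rules[i].access = r.access;
            return 0;
        }
    }
    if (nrules >= SMK_MAXRULES)
        return -1;
    rules[nrules++] = r;
    return 0;
}

/* Decide whether a task labeled `subject` may perform every mode in `request`
 * on an object labeled `object`. Predefined labels are checked first, in the
 * order Documentation/Smack.txt lists them; loaded rules come last.
 * Returns 1 for allow, 0 for deny. */
int smack_access(const char *subject, const char *object, int request)
{
    int i;
    int read_or_exec = (request & ~(MAY_READ | MAY_EXEC)) == 0;

    if (strcmp(subject, "*") == 0)                   /* star task: never */
        return 0;
    if (strcmp(subject, "^") == 0 && read_or_exec)   /* hat task reads anything */
        return 1;
    if (strcmp(object, "_") == 0 && read_or_exec)    /* floor object: readable by all */
        return 1;
    if (strcmp(object, "*") == 0)                    /* star object: open to all */
        return 1;
    if (strcmp(subject, object) == 0)                /* same label: full access */
        return 1;
    for (i = 0; i < nrules; i++) {                   /* rule must cover every bit */
        if (strcmp(rules[i].subject, subject) == 0 &&
            strcmp(rules[i].object, object) == 0)
            return (rules[i].access & request) == request;
    }
    return 0;                                        /* default: deny */
}

int main(void)
{
    /* Constructed rule set: a "Web" task may read and append to "Database"
     * objects; nothing lets a "Database" task touch "Web" objects. */
    smack_reset_rules();
    smack_load_rule("Web Database ra");

    printf("Web -> Database r+a : %d\n", smack_access("Web", "Database", MAY_READ | MAY_APPEND));
    printf("Web -> Database w   : %d\n", smack_access("Web", "Database", MAY_WRITE));
    printf("Database -> Web r   : %d\n", smack_access("Database", "Web", MAY_READ));
    printf("^ -> Database w     : %d\n", smack_access("^", "Database", MAY_WRITE));
    printf("* -> _ r            : %d\n", smack_access("*", "_", MAY_READ));
    return 0;
}
```

On a Smack kernel the subject label is the task's label as read from /proc/self/attr/current and the object label is the file's security.SMACK64 extended attribute; this model only takes the label strings, so it can be used to check a proposed rule set against those labels before loading it. Note that rules are one-directional and that a later rule for the same pair silently replaces the earlier one, which is the property to watch when rule files are concatenated.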
Availability
As of 2.6.25, Smack is in the mainline kernel. The best place to get Smack is from the latest kernel version on The Linux Kernel Archives. There are multiple distributions (alas, I'm not at liberty to say which ones) that have begun the process of incorporating Smack. Stay tuned for announcements.
Downloads
The smack-util-0.1 tarball includes the source and source patches for the current set of Smack utilities, including the current busybox updates. The smack-util-0.1-x86 tarball includes the x86 binaries for the current set of Smack utilities, including the initial busybox. Use these binaries at your own risk. They have received some verification and significant use, but they are not guaranteed complete.
The last patch for the 2.6.24 kernel does not have all of the work done for 2.6.25. In particular, there is a change in the way that peer labels are reported on TCP sockets. This does not affect the access decision, but does impact the program's ability to inquire about the label of the session. There is also an important change to the way Smack interacts with systems that do not use CIPSO IP options. The kernel patches are available alone, with some application sources, or with some x86 binaries. Since Smack is readily available in the mainline kernel in 2.6.25 the 2.6.24 patches will be removed from this site before long.
The white paper is a work in progress. Your kind feedback is appreciated. It was last updated on March 7, 2008. The Server Guide is a discussion on how to configure servers on Smack.
Links
For more information about Smack, check out the following links.
- LWN.net, Smack for simplified access control, by Jake Edge, 8/8/07.
- LWN.net, v8 Simplified Mandatory Access Control Kernel, by Casey Schaufler, 7/31/07.
- LWN.net, SMACK meets the One True Security Model, by Jonathan Corbet, 10/2/07.
If you'd like to join the project please let me know. casey, here at schaufler-ca.com. There are a number of projects in networking, file systems, and applications that I would be happy to have more hands working on.
The Smack presentation from linux.conf.au is available at the conference site.
See you at the Ottawa Linux Symposium.
Copyright © 2007-2008 Casey Schaufler, all rights reserved.