diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2025-12-03 10:58:59 -0800 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2025-12-03 10:58:59 -0800 |
| commit | 204a920f284e7264aa6dcd5876cbb1e03a7e4ebc (patch) | |
| tree | 34c30b6fc36edf2aa90d851731d4658a0e36ffc6 /Documentation | |
| parent | 0eae3283c3024d576623736eeafcde75135ad585 (diff) | |
| parent | 29c701f90b9341f1f9c1854a9c22b71c2318457d (diff) | |
Merge tag 'Smack-for-6.19' of https://github.com/cschaufler/smack-next
Pull smack updates from Casey Schaufler:
- fix several cases where labels were treated inconsistently when
imported from user space
- clean up the assignment of extended attributes
- documentation improvements
* tag 'Smack-for-6.19' of https://github.com/cschaufler/smack-next:
Smack: function parameter 'gfp' not described
smack: fix kernel-doc warnings for smk_import_valid_label()
smack: fix bug: setting task label silently ignores input garbage
smack: fix bug: unprivileged task can create labels
smack: fix bug: invalid label of unix socket file
smack: always "instantiate" inode in smack_inode_init_security()
smack: deduplicate xattr setting in smack_inode_init_security()
smack: fix bug: SMACK64TRANSMUTE set on non-directory
smack: deduplicate "does access rule request transmutation"
Diffstat (limited to 'Documentation')
| -rw-r--r-- | Documentation/admin-guide/LSM/Smack.rst | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/Documentation/admin-guide/LSM/Smack.rst b/Documentation/admin-guide/LSM/Smack.rst index 6d44f4fdbf59..c5ed775f2d10 100644 --- a/Documentation/admin-guide/LSM/Smack.rst +++ b/Documentation/admin-guide/LSM/Smack.rst @@ -601,10 +601,15 @@ specification. Task Attribute ~~~~~~~~~~~~~~ -The Smack label of a process can be read from /proc/<pid>/attr/current. A -process can read its own Smack label from /proc/self/attr/current. A +The Smack label of a process can be read from ``/proc/<pid>/attr/current``. A +process can read its own Smack label from ``/proc/self/attr/current``. A privileged process can change its own Smack label by writing to -/proc/self/attr/current but not the label of another process. +``/proc/self/attr/current`` but not the label of another process. + +Format of writing is : only the label or the label followed by one of the +3 trailers: ``\n`` (by common agreement for ``/proc/...`` interfaces), +``\0`` (because some applications incorrectly include it), +``\n\0`` (because we think some applications may incorrectly include it). File Attribute ~~~~~~~~~~~~~~ @@ -696,6 +701,11 @@ sockets. A privileged program may set this to match the label of another task with which it hopes to communicate. +UNIX domain socket (UDS) with a BSD address functions both as a file in a +filesystem and as a socket. As a file, it carries the SMACK64 attribute. This +attribute is not involved in Smack security enforcement and is immutably +assigned the label "*". + Smack Netlabel Exceptions ~~~~~~~~~~~~~~~~~~~~~~~~~ |