Software:Smack

Smack
Original author(s)	Casey Schaufler
Initial release	April 17, 2008
Operating system	Linux
Type	Computer security, Linux Security Modules (LSM)
License	GPL2
Website	schaufler-ca.com

Short description: Linux kernel security module

Smack (full name: Simplified Mandatory Access Control Kernel) is a Linux kernel security module that protects data and process interaction from malicious manipulation using a set of custom mandatory access control (MAC) rules, with simplicity as its main design goal.^[1] It has been officially merged since the Linux 2.6.25 release,^[2] it was the main access control mechanism for the MeeGo mobile Operating System.^[3]^[4] It is also used to sandbox HTML5 web applications in the Tizen architecture,^[5] in the commercial Wind River Linux solutions for embedded device development,^[6]^[7] in Philips Digital TV products.,^[8] and in Intel's Ostro OS for IoT devices.^[9]

Since 2016, Smack is required in all Automotive Grade Linux (AGL) implementations where it provides in association with other Linux facilities the base for the AGL security framework. ^[10] ^[11]

Design

Smack consists of three components:

A kernel module that is implemented as a Linux Security Module. It works best with file systems that support extended attributes.
A startup script that ensures that device files have the correct Smack attributes and loads the Smack configuration.
A set of patches to the GNU Core Utilities package to make it aware of Smack extended file attributes. A set of similar patches to Busybox were also created. SMACK does not require user-space support.^[12]

Criticism

Smack has been criticized for being written as a new LSM module instead of an SELinux security policy which can provide equivalent functionality. Such SELinux policies have been proposed, but none had been demonstrated. Smack's author replied that it would not be practical due to SELinux's complicated configuration syntax and the philosophical difference between Smack and SELinux designs.^[13]

References

↑ "Official SMACK documentation from the Linux source tree". http://schaufler-ca.com/description_from_the_linux_source_tree.
↑ Jonathan Corbet. "More stuff for 2.6.25". https://lwn.net/Articles/267849/.
↑ Jake Edge. "The MeeGo Security Framework". https://lwn.net/Articles/416771/.
↑ The Linux Foundation. "MeeGo Security Architecture". http://wiki.meego.com/Security/Architecture.
↑ Onur Aciicmez, Andrew Blaich. "Understanding the Access Control Model for Tizen Application Sandboxing". http://download.tizen.org/misc/media/conference2012/wednesday/seacliff/2012-05-09-0945-1025-understanding_the_permission_and_access_control_model_for_tizen_application_sandboxing.pdf.
↑ Wind River. "Wind River Linux 4 Product Note". http://windriver.com/products/product-notes/PN_Linux_4_1_0811.pdf.
↑ Wind River. "Wind River Linux 3 Product Note". http://www.windriver.com/products/product-notes/wind-river-linux-product-note.pdf.
↑ Embedded Alley Solutions, Inc.. "SMACK for Digital TV". http://www.embeddedalley.com/pdfs/Smack_for_DigitalTV.pdf.
↑ Intel Open Source Technology Center.. "Ostro™ OS Architecture Overview". https://ostroproject.org/documentation/architecture/architecture-overview.html.
↑ Automotive Grade Linux. "AGL Security Framework". http://docs.automotivelinux.org/docs/architecture/en/dev/.
↑ Dominig ar Foll. "AGL as a generic secured industrial embedded Linux". https://fosdem.org/2017/schedule/event/agl_secure_industrial/.
↑ "Smack Userspace Tools README". https://raw.github.com/promovicz/smack-util/master/README.
↑ Casey Schaufler. "Re: PATCH: Smack: Simplified Mandatory Access Control Kernel". http://article.gmane.org/gmane.linux.kernel/568396.

Jake Edge (2007-08-08). "Smack for simplified access control". Linux Weekly News. https://lwn.net/Articles/244531/.
Jonathan Corbet (2007-02-10). "SMACK meets the One True Security Module". Linux Weekly News. https://lwn.net/Articles/252562/.
Casey Schaufler (January 2008). "The Simplified Mandatory Access Control Kernel" (PPT). http://mirror.linux.org.au/pub/linux.conf.au/2008/slides/092-SmackLCA2007.ppt. Session video (OGG). Melbourne, Australia.
Jake Edge (2008-08-06). "Ottawa Linux Symposium: Smack for embedded devices". Linux Weekly News. https://lwn.net/Articles/292291/.
Casey Schaufler (July 2008). "Smack in Embedded Computing". 2. pp. 186–197. http://www.linuxsymposium.org/archives/OLS/Reprints-2008/schaufler-reprint.pdf.
Jake Edge (2009-10-07). "Linux Plumbers Conference: Three sessions from the security track". Linux Weekly News. https://lwn.net/Articles/355015/.
Elena Reshetova, Casey Schaufler (November 2010). "Mobile Simplified Security Framework Overview". http://conference2010.meego.com/sites/all/files/sessions/meego-conference-overview_v_final.pdf.

0.00

(0 votes)

[Major-1] "Official SMACK documentation from the Linux source tree". http://schaufler-ca.com/description_from_the_linux_source_tree.

[Merge-2] Jonathan Corbet. "More stuff for 2.6.25". https://lwn.net/Articles/267849/.

[MeeGo-3] Jake Edge. "The MeeGo Security Framework". https://lwn.net/Articles/416771/.

[MeeGo2-4] The Linux Foundation. "MeeGo Security Architecture". http://wiki.meego.com/Security/Architecture.

[Tizen-5] Onur Aciicmez, Andrew Blaich. "Understanding the Access Control Model for Tizen Application Sandboxing". http://download.tizen.org/misc/media/conference2012/wednesday/seacliff/2012-05-09-0945-1025-understanding_the_permission_and_access_control_model_for_tizen_application_sandboxing.pdf.

[Winriver1-6] Wind River. "Wind River Linux 4 Product Note". http://windriver.com/products/product-notes/PN_Linux_4_1_0811.pdf.

[Winriver2-7] Wind River. "Wind River Linux 3 Product Note". http://www.windriver.com/products/product-notes/wind-river-linux-product-note.pdf.

[philips-8] Embedded Alley Solutions, Inc.. "SMACK for Digital TV". http://www.embeddedalley.com/pdfs/Smack_for_DigitalTV.pdf.

[ostro-9] Intel Open Source Technology Center.. "Ostro™ OS Architecture Overview". https://ostroproject.org/documentation/architecture/architecture-overview.html.

[AGL-Doc-10] Automotive Grade Linux. "AGL Security Framework". http://docs.automotivelinux.org/docs/architecture/en/dev/.

[AGL-Fosdem17-11] Dominig ar Foll. "AGL as a generic secured industrial embedded Linux". https://fosdem.org/2017/schedule/event/agl_secure_industrial/.

[busybox-12] "Smack Userspace Tools README". https://raw.github.com/promovicz/smack-util/master/README.

[Simplicity-13] Casey Schaufler. "Re: PATCH: Smack: Simplified Mandatory Access Control Kernel". http://article.gmane.org/gmane.linux.kernel/568396.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

Anonymous

Search

Software:Smack

Namespaces

More

Page actions

Contents

Design

Criticism

References

Further reading

Navigation

Navigation

Help

Translate

Wiki tools

Wiki tools

Anonymous

Search

Software:Smack

Design

Criticism

References

Further reading

Navigation

Wiki tools

Page tools

Other projects

Categories