Languages

Menu
Sites
Language
Smack labels on Tizen Device

Hello, I'm trying to understand smack protection. During reading I found that smack rules use some "Smack labels", that can discribe either the object or the subject in the rule. So, breafly, smack operates the rules in such format:

Object Subject Access_Flags

Sometimes it's possible to use default smack labels like _, *, ^. But if I want to specify my own label, how can I do that? Besides my own labels there are some predifined labels that can already exist. For example, System::Run is label for /run directory. System::Log is label for the /var/log dir. How I can find out, that it is so? And how I can enumerate all already created labels?

As I understood, Object is always describes the process object (I mean file system operations, not network). And Subject is always the file description. Am i right?

 

Responses

5 Replies
Alex Dem

Hi,
Please look here regarding label manipulation:
https://wiki.tizen.org/wiki/Security/Tizen_2.X_Smack_Developer_Guide
I hope this help.
Alexey.

Jean Yang

Hi, 

From my understanding, in Object is linux core object, for example, file, message queue, socket ...or can be a process,  the subeject is a linux core process.

Dongeup Ham

The resources of system / applications are "Object", so the object labels are applied to them.

If you make your own application and install it on the system, you can have your own world.(Sandboxing)

Your all resources are labled by pkgid(i.e. org.tizen.myapp) to be accessed by your application only. And your execute binary is labled by pkgid(i.e. org.tizen.myapp) that is operated as subject label in this case.

 

And you need not assign SMACK rules directly, instead of that, you just declare the privileges in the manifest.

Installer converts the privileges to smack rules automatically.

 

Dongeup.

Dongeup Ham

The resources of system / applications are "Object", so the object labels are applied to them.

If you make your own application and install it on the system, you can have your own world.(Sandboxing)

Your all resources are labled by pkgid(i.e. org.tizen.myapp) to be accessed by your application only. And your execute binary is labled by pkgid(i.e. org.tizen.myapp) that is operated as subject label in this case.

 

And you need not assign SMACK rules directly, instead of that, you just declare the privileges in the manifest.

Installer converts the privileges to smack rules automatically.

 

Dongeup.

Bogon Kim

Subject is process, Object is resources such as file, ipc , socket or ip address