Smack (Simplified Mandatory Access Control Kernel) is a Linux kernel security module that enforces mandatory access control (MAC) rules to protect data and process interactions with an emphasis on simplicity. Officially merged since Linux 2.6.25, Smack was central to the MeeGo OS and is used to sandbox HTML5 apps in the Tizen platform. It is also employed in Wind River Linux for embedded development, Philips Digital TVs, and Intel's Ostro OS for IoT devices. Smack was mandatory in Automotive Grade Linux between 2016-2021, before the project migrated to SELinux.
Design
Smack consists of three components:
- A kernel module that is implemented as a Linux Security Module. It works best with file systems that support extended attributes.
- A startup script that ensures that device files have the correct Smack attributes and loads the Smack configuration.
- A set of patches to the GNU Core Utilities package to make it aware of Smack extended file attributes. A set of similar patches to Busybox were also created. SMACK does not require user-space support.12
Criticism
Smack has been criticized for being written as a new LSM module instead of an SELinux security policy which can provide equivalent functionality. Such SELinux policies have been proposed, but none had been demonstrated. Smack's author replied that it would not be practical due to SELinux's complicated configuration syntax and the philosophical difference between Smack and SELinux designs.13
- Free and open-source software portal
- Linux portal
Further reading
- Jake Edge (2007-08-08). "Smack for simplified access control". Linux Weekly News.
- Jonathan Corbet (2007-02-10). "SMACK meets the One True Security Module". Linux Weekly News.
- Casey Schaufler (January 2008). "The Simplified Mandatory Access Control Kernel" (PPT). Linux.conf.au. Archived from the original on 2014-01-11. Session video (OGG). Melbourne, Australia.
- Jake Edge (2008-08-06). "Ottawa Linux Symposium: Smack for embedded devices". Linux Weekly News.
- Casey Schaufler (July 2008). "Smack in Embedded Computing" (PDF). Proceedings of the Linux Symposium. Vol. 2. pp. 186–197. Archived from the original (PDF) on 2013-06-29.
- Jake Edge (2009-10-07). "Linux Plumbers Conference: Three sessions from the security track". Linux Weekly News.
- Elena Reshetova, Casey Schaufler (November 2010). "Mobile Simplified Security Framework Overview" (PDF). MeeGo Conference. Archived from the original (PDF) on 2012-07-25.
References
"Official SMACK documentation from the Linux source tree". Archived from the original on 2013-05-01. http://schaufler-ca.com/description_from_the_linux_source_tree ↩
Jonathan Corbet. "More stuff for 2.6.25". Archived from the original on 2012-11-02. https://lwn.net/Articles/267849/ ↩
Jake Edge. "The MeeGo Security Framework". Archived from the original on 2012-11-02. https://lwn.net/Articles/416771/ ↩
The Linux Foundation. "MeeGo Security Architecture". Archived from the original on 2013-01-28. https://archive.today/20130128191453/http://wiki.meego.com/Security/Architecture ↩
Onur Aciicmez, Andrew Blaich. "Understanding the Access Control Model for Tizen Application Sandboxing" (PDF). Archived from the original on 2013-01-28. http://download.tizen.org/misc/media/conference2012/wednesday/seacliff/2012-05-09-0945-1025-understanding_the_permission_and_access_control_model_for_tizen_application_sandboxing.pdf ↩
Wind River. "Wind River Linux 4 Product Note" (PDF). Archived from the original (PDF) on 2012-05-23. https://web.archive.org/web/20120523233907/http://www.windriver.com/products/product-notes/PN_Linux_4_1_0811.pdf ↩
Wind River. "Wind River Linux 3 Product Note" (PDF). Archived from the original (PDF) on 2014-09-23. https://web.archive.org/web/20140923011750/http://www.windriver.com/products/product-notes/wind-river-linux-product-note.pdf ↩
Embedded Alley Solutions, Inc. "SMACK for Digital TV" (PDF). Archived from the original (PDF) on 2012-09-13. https://web.archive.org/web/20120913095934/http://www.embeddedalley.com/pdfs/Smack_for_DigitalTV.pdf ↩
Intel Open Source Technology Center. "Ostro™ OS Architecture Overview". Archived from the original on 2024-05-28. https://archive.today/20240528001445/https://www.webcitation.org/6le9ACbCJ?url=https://ostroproject.org/documentation/architecture/architecture-overview.html ↩
Automotive Grade Linux. "AGL Security Framework". Archived from the original on 2017-06-06. https://web.archive.org/web/20170606093533/http://docs.automotivelinux.org/docs/architecture/en/dev/reference/security/01-overview.html ↩
Dominig ar Foll. "AGL as a generic secured industrial embedded Linux". Archived from the original on 2024-05-28. https://fosdem.org/2017/schedule/event/agl_secure_industrial/ ↩
"Smack Userspace Tools README". Archived from the original on 2016-09-20. https://raw.github.com/promovicz/smack-util/master/README ↩
Casey Schaufler. "Re: PATCH: Smack: Simplified Mandatory Access Control Kernel". Archived from the original on 2016-10-12. https://web.archive.org/web/20161012102047/http://article.gmane.org/gmane.linux.kernel/568396 ↩