author | James Morris <james.l.morris@oracle.com> | 2015-10-21 01:49:29 +0200 |
---|---|---|
committer | James Morris <james.l.morris@oracle.com> | 2015-10-21 01:49:29 +0200 |
commit | 09302fd19efbff9569eaad3f78ead8f411defd87 (patch) | |
tree | ea7445250c19d8af6092eecb6908f1547dde86d6 /Documentation | |
parent | Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/li... (diff) | |
parent | Smack: limited capability for changing process label (diff) | |
Merge branch 'smack-for-4.4' of https://github.com/cschaufler/smack-next into next
Diffstat (limited to 'Documentation')
-rw-r--r-- | Documentation/security/Smack.txt | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/Documentation/security/Smack.txt b/Documentation/security/Smack.txt index 5e6d07fbed07..945cc633d883 100644 --- a/Documentation/security/Smack.txt +++ b/Documentation/security/Smack.txt @@ -255,6 +255,16 @@ unconfined the access permitted if it wouldn't be otherwise. Note that this is dangerous and can ruin the proper labeling of your system. It should never be used in production. +relabel-self + This interface contains a list of labels to which the process can + transition to, by writing to /proc/self/attr/current. + Normally a process can change its own label to any legal value, but only + if it has CAP_MAC_ADMIN. This interface allows a process without + CAP_MAC_ADMIN to relabel itself to one of labels from predefined list. + A process without CAP_MAC_ADMIN can change its label only once. When it + does, this list will be cleared. + The values are set by writing the desired labels, separated + by spaces, to the file or cleared by writing "-" to the file. If you are using the smackload utility you can add access rules in /etc/smack/accesses. They take the form: |
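Review bot: the new relabel-self entry says the values "are set by writing the desired labels, separated by spaces, to the file" but does not say what privilege that write requires. Because the entry exists to let a process without CAP_MAC_ADMIN relabel itself, the text should state who is allowed to populate or clear the list; as written, a reader cannot tell whether an unprivileged process may extend its own list. It would also help to say whose list "this list will be cleared" refers to (the writing process only, or something inherited by its children) and what happens when the label written to /proc/self/attr/current is not in the list. Two wording nits in the same paragraph: "to which the process can transition to" has a doubled "to", and "one of labels from predefined list" should read "one of the labels from a predefined list".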