Simplified Mandatory Access Control Kernel

Smack

Original author(s)	Casey Schaufler
Operating system	Linux
Type	Computer security
License	GPL2
Website	http://schaufler-ca.com/

Smack is a Linux kernel security module that provides a mechanism for protecting data and process interaction from malicious manipulation using a set of custom mandatory access control rules provided by the system administrator. Simplicity is the primary design goal of Smack.^[1]

Design

Smack consists of three components:

• A kernel component that is implemented as a Linux Security Modules module. It requires netlabel and works best with file systems that support extended attributes.
• A startup script that ensures that some device files have the correct Smack attributes and loads Smack configuration if any is defined.
• A set of patches to the GNU Core Utilities package to make it aware of Smack extended file attributes. A set of similar initial patches to Busybox were also created. It's important to note that SMACK does not require user-space support.^{[citation needed]}

Criticism

Smack has been criticized for being written as a new LSM module instead of an SELinux security policy which can provide equivalent functionality. Such SELinux policies have been proposed, but none has ever been demonstrated. The author of SMACK replied that it would not be practical due to SELinux's over-complicated configuration syntax and the philosophical difference between SMACK and SELinux designs.^[2]

References

	Free software portal
	Computer security portal
	Linux portal

1. "Home page for Casey Schaufler of California". http://schaufler-ca.com. 
2. "LKML.org". http://lkml.org/lkml/2007/8/11/133. 

Further reading

• Jake Edge (2007-08-08). "Smack for simplified access control". Linux Weekly News. http://lwn.net/Articles/244531/. 
• Jonathan Corbet (2007-02-10). "SMACK meets the One True Security Module". Linux Weekly News. http://lwn.net/Articles/252562/. 

External links

• Official Website