Looking into SMACK

SMACK uses the term label to describe what SELinux calls the security context. Labels are unstructured, case-sensitive strings of up to 23 characters. All subjects and objects are assigned a label. Labels are stored as extended attributes on filesystem objects, and as Commercial Internet Protocol Security Option (CIPSO) tags in the header of IP packets. The mapping of labels to CIPSO values is done by the smackcipso utility, which formats the data and writes it to /sys/fs/smack/cipso.

The chsmack utility allows us to display or set extended attribute values. For example, you can show the smack label for a file with:

# chsmack /bin/cat
cat access="_"

Processes can read their SMACK label from /proc/<pid>/attr/current.

Some predefined labels are:

  • _: A single underscore character
  • ^: A single circumflex character
  • ?: A single question mark character
  • @: A single at character

All tasks are assigned a label, with _ being used for system tasks.

SMACK configuration is done via the smackfs filesystem. The meta-security-smack layer does not mount it by default, but we can add the following recipes-core/base-files/base-files_%.bbappend to our custom layer to do so:

do_install_append () {
    # Append a smackfs entry to the target's /etc/fstab so it is mounted at boot.
    # The heredoc terminator must start in column 0 or the shell never finds it.
    cat >> ${D}${sysconfdir}/fstab <<EOF
# Mount smackfs
smackfs /sys/fs/smackfs smackfs defaults 0 0
EOF
}

Unlike SELinux, the Linux kernel's SMACK support already has a default policy in place.

SMACK uses the kernel's audit support (CONFIG_AUDIT) to log access violations, logging all denied accesses by default. This can be changed in /sys/fs/smackfs/logging, where:

  • 0 is no logging
  • 1 logs denied events (default)
  • 2 logs accepted events
  • 3 logs both denied and accepted events

SMACK rules are as follows:

  1. Subjects labeled * are denied all access to objects
  2. Subjects labeled ^ are allowed rx access to objects
  3. Objects labeled _ are allowed rx access
  4. Objects labeled * are allowed all access
  5. Any access by subjects on objects with the same label is allowed
  6. Any access explicitly allowed in the loaded rule set is allowed
  7. Other access is denied

Rules are stored under /etc/smack/accesses and look like this:

<subject-label> <object-label> <accesses> 

Rules are loaded using the smackload utility, which formats the data and writes it to /sys/fs/smack/load.

Access can be:

  • Read (r)
  • Write (w)
  • Execute (x)
  • Append (a)
  • Transmute (t) (lets applications with different labels share data in a directory by having new files inherit the directory's label rather than the creating process's label)
  • No access (-)

Rules can be added either with the chsmack utility or by placing them in /etc/smack/accesses.d/.
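To make the seven decision rules and the rule-file format concrete, here is an added simulator that is not part of the original text and not SMACK's own code: it parses rules in the `<subject-label> <object-label> <accesses>` form used under /etc/smack/accesses, enforces the 23-character label limit, and applies the rules in the order listed above. The sample rule set and the labels System, App, Data and Logger are constructed for illustration; rules 2 and 3 are treated as granting only r/x and otherwise falling through to the explicit rule set, which is how the page states them.

```python
"""Simulate SMACK access decisions over a rule set.

Added example, not taken from the page: it implements the seven decision
rules the text lists, in that order, and reads rules in the
"<subject-label> <object-label> <accesses>" form used under
/etc/smack/accesses. The 23-character label limit and the special labels
come from the page; the sample rule set below is constructed.
"""

SMACK_LABEL_MAX = 23            # label length limit stated on the page
ACCESS_MODES = set("rwxat")     # read, write, execute, append, transmute

# Constructed sample rule set in /etc/smack/accesses format (not real policy).
SAMPLE_RULES = """\
# subject   object   accesses
System      _        rwxa
App         System   r
App         Data     rwa
Logger      Data     -
"""


def valid_label(label: str) -> bool:
    """Labels are unstructured, case-sensitive, non-empty, whitespace-free, <= 23 chars."""
    return 0 < len(label) <= SMACK_LABEL_MAX and not any(ch.isspace() for ch in label)


def parse_access(spec: str) -> set:
    """Turn an access string such as 'rwx' or '-' (no access) into a set of modes."""
    if spec == "-":
        return set()
    modes = set(spec)
    unknown = modes - ACCESS_MODES
    if unknown:
        raise ValueError(f"unknown access mode(s) {sorted(unknown)} in {spec!r}")
    return modes


def parse_rules(text: str) -> dict:
    """Parse rule lines; a later line for the same (subject, object) pair replaces an earlier one."""
    rules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        subject, obj, spec = fields
        for label in (subject, obj):
            if not valid_label(label):
                raise ValueError(f"line {lineno}: invalid label {label!r}")
        rules[(subject, obj)] = parse_access(spec)
    return rules


def decide(rules: dict, subject: str, obj: str, mode: str):
    """Return (allowed, rule_number) using the page's rule numbering 1..7.

    Rules 2 and 3 grant only r/x; other modes for those labels fall through
    to the explicit rule set, so a hat subject can still be given 'w' by a rule.
    """
    if mode not in ACCESS_MODES:
        raise ValueError(f"unknown access mode {mode!r}")
    if subject == "*":                            # 1. star subject: denied everything
        return False, 1
    if subject == "^" and mode in ("r", "x"):     # 2. hat subject: read/execute anything
        return True, 2
    if obj == "_" and mode in ("r", "x"):         # 3. floor object: readable/executable by all
        return True, 3
    if obj == "*":                                # 4. star object: any access allowed
        return True, 4
    if subject == obj:                            # 5. same label: allowed
        return True, 5
    if mode in rules.get((subject, obj), set()):  # 6. explicitly allowed by a loaded rule
        return True, 6
    return False, 7                               # 7. everything else denied


def check_access(rules: dict, subject: str, obj: str, mode: str) -> bool:
    """Boolean form of decide()."""
    return decide(rules, subject, obj, mode)[0]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for s, o, m in [("App", "Data", "w"), ("App", "Data", "x"), ("^", "Data", "w"),
                    ("Logger", "Data", "r"), ("System", "_", "w"), ("*", "Data", "r")]:
        allowed, rule = decide(rules, s, o, m)
        print(f"{s:>7} -> {o:<7} {m}: {'ALLOW' if allowed else 'DENY '} (rule {rule})")
```

Running the block prints one decision per request together with the rule that produced it, which is useful when working out why a denial shows up in the audit log: the `-` line for Logger never grants anything, so the denial comes from rule 7, while System's write to a `_` object is allowed only because of its explicit rule 6 entry.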
