projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Smack: setprocattr memory leak fix
[deliverable/linux.git] / Documentation / security / Smack.txt
CommitLineData
e114e473
CS		 1
2
3 "Good for you, you've decided to clean the elevator!"
4 - The Elevator, from Dark Star
5
6Smack is the the Simplified Mandatory Access Control Kernel.
7Smack is a kernel based implementation of mandatory access
8control that includes simplicity in its primary design goals.
9
10Smack is not the only Mandatory Access Control scheme
11available for Linux. Those new to Mandatory Access Control
12are encouraged to compare Smack with the other mechanisms
13available to determine which is best suited to the problem
14at hand.
15
16Smack consists of three major components:
17 - The kernel
f7112e6c 18 - Basic utilities, which are helpful but not required
e114e473
CS		 19 - Configuration data
20
21The kernel component of Smack is implemented as a Linux
22Security Modules (LSM) module. It requires netlabel and
23works best with file systems that support extended attributes,
24although xattr support is not strictly required.
25It is safe to run a Smack kernel under a "vanilla" distribution.
f7112e6c 26
e114e473
CS		 27Smack kernels use the CIPSO IP option. Some network
28configurations are intolerant of IP options and can impede
29access to systems that use them as Smack does.
30
f7112e6c 31The current git repositories for Smack user space are:
e114e473 32
f7112e6c
CS		 33 git@gitorious.org:meego-platform-security/smackutil.git
34 git@gitorious.org:meego-platform-security/libsmack.git
e114e473 35
f7112e6c
CS		 36These should make and install on most modern distributions.
37There are three commands included in smackutil:
e114e473 38
f7112e6c
CS		 39smackload - properly formats data for writing to /smack/load
40smackcipso - properly formats data for writing to /smack/cipso
41chsmack - display or set Smack extended attribute values
e114e473
CS		 42
43In keeping with the intent of Smack, configuration data is
44minimal and not strictly required. The most important
45configuration step is mounting the smackfs pseudo filesystem.
f7112e6c
CS		 46If smackutil is installed the startup script will take care
47of this, but it can be manually as well.
e114e473
CS		 48
49Add this line to /etc/fstab:
50
51 smackfs /smack smackfs smackfsdef=* 0 0
52
53and create the /smack directory for mounting.
54
f7112e6c
CS		 55Smack uses extended attributes (xattrs) to store labels on filesystem
56objects. The attributes are stored in the extended attribute security
57name space. A process must have CAP_MAC_ADMIN to change any of these
58attributes.
59
60The extended attributes that Smack uses are:
61
62SMACK64
63 Used to make access control decisions. In almost all cases
64 the label given to a new filesystem object will be the label
65 of the process that created it.
66SMACK64EXEC
67 The Smack label of a process that execs a program file with
68 this attribute set will run with this attribute's value.
69SMACK64MMAP
70 Don't allow the file to be mmapped by a process whose Smack
71 label does not allow all of the access permitted to a process
72 with the label contained in this attribute. This is a very
73 specific use case for shared libraries.
74SMACK64TRANSMUTE
75 Can only have the value "TRUE". If this attribute is present
76 on a directory when an object is created in the directory and
77 the Smack rule (more below) that permitted the write access
78 to the directory includes the transmute ("t") mode the object
79 gets the label of the directory instead of the label of the
80 creating process. If the object being created is a directory
81 the SMACK64TRANSMUTE attribute is set as well.
82SMACK64IPIN
83 This attribute is only available on file descriptors for sockets.
84 Use the Smack label in this attribute for access control
85 decisions on packets being delivered to this socket.
86SMACK64IPOUT
87 This attribute is only available on file descriptors for sockets.
88 Use the Smack label in this attribute for access control
89 decisions on packets coming from this socket.
90
91There are multiple ways to set a Smack label on a file:
e114e473
CS		 92
93 # attr -S -s SMACK64 -V "value" path
f7112e6c 94 # chsmack -a value path
e114e473 95
f7112e6c
CS		 96A process can see the smack label it is running with by
97reading /proc/self/attr/current. A process with CAP_MAC_ADMIN
98can set the process smack by writing there.
99
100Most Smack configuration is accomplished by writing to files
101in the smackfs filesystem. This pseudo-filesystem is usually
102mounted on /smack.
103
104access
105 This interface reports whether a subject with the specified
106 Smack label has a particular access to an object with a
107 specified Smack label. Write a fixed format access rule to
108 this file. The next read will indicate whether the access
109 would be permitted. The text will be either "1" indicating
110 access, or "0" indicating denial.
111access2
112 This interface reports whether a subject with the specified
113 Smack label has a particular access to an object with a
114 specified Smack label. Write a long format access rule to
115 this file. The next read will indicate whether the access
116 would be permitted. The text will be either "1" indicating
117 access, or "0" indicating denial.
118ambient
119 This contains the Smack label applied to unlabeled network
120 packets.
121cipso
122 This interface allows a specific CIPSO header to be assigned
123 to a Smack label. The format accepted on write is:
124 "%24s%4d%4d"["%4d"]...
125 The first string is a fixed Smack label. The first number is
126 the level to use. The second number is the number of categories.
127 The following numbers are the categories.
128 "level-3-cats-5-19 3 2 5 19"
129cipso2
130 This interface allows a specific CIPSO header to be assigned
131 to a Smack label. The format accepted on write is:
132 "%s%4d%4d"["%4d"]...
133 The first string is a long Smack label. The first number is
134 the level to use. The second number is the number of categories.
135 The following numbers are the categories.
136 "level-3-cats-5-19 3 2 5 19"
137direct
138 This contains the CIPSO level used for Smack direct label
139 representation in network packets.
140doi
141 This contains the CIPSO domain of interpretation used in
142 network packets.
143load
144 This interface allows access control rules in addition to
145 the system defined rules to be specified. The format accepted
146 on write is:
147 "%24s%24s%5s"
148 where the first string is the subject label, the second the
149 object label, and the third the requested access. The access
150 string may contain only the characters "rwxat-", and specifies
151 which sort of access is allowed. The "-" is a placeholder for
152 permissions that are not allowed. The string "r-x--" would
153 specify read and execute access. Labels are limited to 23
154 characters in length.
155load2
156 This interface allows access control rules in addition to
157 the system defined rules to be specified. The format accepted
158 on write is:
159 "%s %s %s"
160 where the first string is the subject label, the second the
161 object label, and the third the requested access. The access
162 string may contain only the characters "rwxat-", and specifies
163 which sort of access is allowed. The "-" is a placeholder for
164 permissions that are not allowed. The string "r-x--" would
165 specify read and execute access.
166load-self
167 This interface allows process specific access rules to be
168 defined. These rules are only consulted if access would
169 otherwise be permitted, and are intended to provide additional
170 restrictions on the process. The format is the same as for
171 the load interface.
172load-self2
173 This interface allows process specific access rules to be
174 defined. These rules are only consulted if access would
175 otherwise be permitted, and are intended to provide additional
176 restrictions on the process. The format is the same as for
177 the load2 interface.
178logging
179 This contains the Smack logging state.
180mapped
181 This contains the CIPSO level used for Smack mapped label
182 representation in network packets.
183netlabel
184 This interface allows specific internet addresses to be
185 treated as single label hosts. Packets are sent to single
186 label hosts without CIPSO headers, but only from processes
187 that have Smack write access to the host label. All packets
188 received from single label hosts are given the specified
189 label. The format accepted on write is:
190 "%d.%d.%d.%d label" or "%d.%d.%d.%d/%d label".
191onlycap
192 This contains the label processes must have for CAP_MAC_ADMIN
193 and CAP_MAC_OVERRIDE to be effective. If this file is empty
194 these capabilities are effective at for processes with any
195 label. The value is set by writing the desired label to the
196 file or cleared by writing "-" to the file.
449543b0
RK		 197revoke-subject
198 Writing a Smack label here sets the access to '-' for all access
199 rules with that subject label.
e114e473
CS		 200
201You can add access rules in /etc/smack/accesses. They take the form:
202
203 subjectlabel objectlabel access
204
205access is a combination of the letters rwxa which specify the
206kind of access permitted a subject with subjectlabel on an
207object with objectlabel. If there is no rule no access is allowed.
208
e114e473
CS		 209Look for additional programs on http://schaufler-ca.com
210
211From the Smack Whitepaper:
212
213The Simplified Mandatory Access Control Kernel
214
215Casey Schaufler
216casey@schaufler-ca.com
217
218Mandatory Access Control
219
220Computer systems employ a variety of schemes to constrain how information is
221shared among the people and services using the machine. Some of these schemes
222allow the program or user to decide what other programs or users are allowed
223access to pieces of data. These schemes are called discretionary access
224control mechanisms because the access control is specified at the discretion
225of the user. Other schemes do not leave the decision regarding what a user or
226program can access up to users or programs. These schemes are called mandatory
227access control mechanisms because you don't have a choice regarding the users
228or programs that have access to pieces of data.
229
230Bell & LaPadula
231
232From the middle of the 1980's until the turn of the century Mandatory Access
233Control (MAC) was very closely associated with the Bell & LaPadula security
234model, a mathematical description of the United States Department of Defense
235policy for marking paper documents. MAC in this form enjoyed a following
236within the Capital Beltway and Scandinavian supercomputer centers but was
237often sited as failing to address general needs.
238
239Domain Type Enforcement
240
241Around the turn of the century Domain Type Enforcement (DTE) became popular.
242This scheme organizes users, programs, and data into domains that are
243protected from each other. This scheme has been widely deployed as a component
244of popular Linux distributions. The administrative overhead required to
245maintain this scheme and the detailed understanding of the whole system
246necessary to provide a secure domain mapping leads to the scheme being
247disabled or used in limited ways in the majority of cases.
248
249Smack
250
251Smack is a Mandatory Access Control mechanism designed to provide useful MAC
252while avoiding the pitfalls of its predecessors. The limitations of Bell &
253LaPadula are addressed by providing a scheme whereby access can be controlled
254according to the requirements of the system and its purpose rather than those
255imposed by an arcane government policy. The complexity of Domain Type
256Enforcement and avoided by defining access controls in terms of the access
257modes already in use.
258
259Smack Terminology
260
261The jargon used to talk about Smack will be familiar to those who have dealt
262with other MAC systems and shouldn't be too difficult for the uninitiated to
263pick up. There are four terms that are used in a specific way and that are
264especially important:
265
266 Subject: A subject is an active entity on the computer system.
267 On Smack a subject is a task, which is in turn the basic unit
268 of execution.
269
270 Object: An object is a passive entity on the computer system.
271 On Smack files of all types, IPC, and tasks can be objects.
272
273 Access: Any attempt by a subject to put information into or get
274 information from an object is an access.
275
276 Label: Data that identifies the Mandatory Access Control
277 characteristics of a subject or an object.
278
279These definitions are consistent with the traditional use in the security
280community. There are also some terms from Linux that are likely to crop up:
281
282 Capability: A task that possesses a capability has permission to
283 violate an aspect of the system security policy, as identified by
284 the specific capability. A task that possesses one or more
285 capabilities is a privileged task, whereas a task with no
286 capabilities is an unprivileged task.
287
288 Privilege: A task that is allowed to violate the system security
289 policy is said to have privilege. As of this writing a task can
290 have privilege either by possessing capabilities or by having an
291 effective user of root.
292
293Smack Basics
294
295Smack is an extension to a Linux system. It enforces additional restrictions
296on what subjects can access which objects, based on the labels attached to
297each of the subject and the object.
298
299Labels
300
301Smack labels are ASCII character strings, one to twenty-three characters in
302length. Single character labels using special characters, that being anything
303other than a letter or digit, are reserved for use by the Smack development
304team. Smack labels are unstructured, case sensitive, and the only operation
305ever performed on them is comparison for equality. Smack labels cannot
ecfcc53f
EB		 306contain unprintable characters, the "/" (slash), the "\" (backslash), the "'"
307(quote) and '"' (double-quote) characters.
f7112e6c 308Smack labels cannot begin with a '-'. This is reserved for special options.
e114e473
CS		 309
310There are some predefined labels:
311
4303154e
EB		 312 _ Pronounced "floor", a single underscore character.
313 ^ Pronounced "hat", a single circumflex character.
314 * Pronounced "star", a single asterisk character.
315 ? Pronounced "huh", a single question mark character.
f7112e6c 316 @ Pronounced "web", a single at sign character.
e114e473
CS		 317
318Every task on a Smack system is assigned a label. System tasks, such as
319init(8) and systems daemons, are run with the floor ("_") label. User tasks
320are assigned labels according to the specification found in the
321/etc/smack/user configuration file.
322
323Access Rules
324
325Smack uses the traditional access modes of Linux. These modes are read,
326execute, write, and occasionally append. There are a few cases where the
327access mode may not be obvious. These include:
328
329 Signals: A signal is a write operation from the subject task to
330 the object task.
331 Internet Domain IPC: Transmission of a packet is considered a
332 write operation from the source task to the destination task.
333
334Smack restricts access based on the label attached to a subject and the label
335attached to the object it is trying to access. The rules enforced are, in
336order:
337
338 1. Any access requested by a task labeled "*" is denied.
339 2. A read or execute access requested by a task labeled "^"
340 is permitted.
341 3. A read or execute access requested on an object labeled "_"
342 is permitted.
343 4. Any access requested on an object labeled "*" is permitted.
344 5. Any access requested by a task on an object with the same
345 label is permitted.
346 6. Any access requested that is explicitly defined in the loaded
347 rule set is permitted.
348 7. Any other access is denied.
349
350Smack Access Rules
351
352With the isolation provided by Smack access separation is simple. There are
353many interesting cases where limited access by subjects to objects with
354different labels is desired. One example is the familiar spy model of
355sensitivity, where a scientist working on a highly classified project would be
356able to read documents of lower classifications and anything she writes will
357be "born" highly classified. To accommodate such schemes Smack includes a
358mechanism for specifying rules allowing access between labels.
359
360Access Rule Format
361
362The format of an access rule is:
363
364 subject-label object-label access
365
366Where subject-label is the Smack label of the task, object-label is the Smack
367label of the thing being accessed, and access is a string specifying the sort
f7112e6c
CS		 368of access allowed. The access specification is searched for letters that
369describe access modes:
e114e473
CS		 370
371 a: indicates that append access should be granted.
372 r: indicates that read access should be granted.
373 w: indicates that write access should be granted.
374 x: indicates that execute access should be granted.
f7112e6c 375 t: indicates that the rule requests transmutation.
e114e473
CS		 376
377Uppercase values for the specification letters are allowed as well.
378Access mode specifications can be in any order. Examples of acceptable rules
379are:
380
381 TopSecret Secret rx
382 Secret Unclass R
383 Manager Game x
384 User HR w
385 New Old rRrRr
386 Closed Off -
387
388Examples of unacceptable rules are:
389
390 Top Secret Secret rx
391 Ace Ace r
392 Odd spells waxbeans
393
394Spaces are not allowed in labels. Since a subject always has access to files
395with the same label specifying a rule for that case is pointless. Only
f7112e6c 396valid letters (rwxatRWXAT) and the dash ('-') character are allowed in
e114e473
CS		 397access specifications. The dash is a placeholder, so "a-r" is the same
398as "ar". A lone dash is used to specify that no access should be allowed.
399
400Applying Access Rules
401
402The developers of Linux rarely define new sorts of things, usually importing
403schemes and concepts from other systems. Most often, the other systems are
404variants of Unix. Unix has many endearing properties, but consistency of
405access control models is not one of them. Smack strives to treat accesses as
406uniformly as is sensible while keeping with the spirit of the underlying
407mechanism.
408
409File system objects including files, directories, named pipes, symbolic links,
410and devices require access permissions that closely match those used by mode
411bit access. To open a file for reading read access is required on the file. To
412search a directory requires execute access. Creating a file with write access
413requires both read and write access on the containing directory. Deleting a
414file requires read and write access to the file and to the containing
415directory. It is possible that a user may be able to see that a file exists
416but not any of its attributes by the circumstance of having read access to the
417containing directory but not to the differently labeled file. This is an
418artifact of the file name being data in the directory, not a part of the file.
419
f7112e6c
CS		 420If a directory is marked as transmuting (SMACK64TRANSMUTE=TRUE) and the
421access rule that allows a process to create an object in that directory
422includes 't' access the label assigned to the new object will be that
423of the directory, not the creating process. This makes it much easier
424for two processes with different labels to share data without granting
425access to all of their files.
426
e114e473
CS		 427IPC objects, message queues, semaphore sets, and memory segments exist in flat
428namespaces and access requests are only required to match the object in
429question.
430
431Process objects reflect tasks on the system and the Smack label used to access
432them is the same Smack label that the task would use for its own access
433attempts. Sending a signal via the kill() system call is a write operation
434from the signaler to the recipient. Debugging a process requires both reading
435and writing. Creating a new task is an internal operation that results in two
436tasks with identical Smack labels and requires no access checks.
437
438Sockets are data structures attached to processes and sending a packet from
439one process to another requires that the sender have write access to the
440receiver. The receiver is not required to have read access to the sender.
441
442Setting Access Rules
443
444The configuration file /etc/smack/accesses contains the rules to be set at
445system startup. The contents are written to the special file /smack/load.
446Rules can be written to /smack/load at any time and take effect immediately.
447For any pair of subject and object labels there can be only one rule, with the
448most recently specified overriding any earlier specification.
449
450The program smackload is provided to ensure data is formatted
451properly when written to /smack/load. This program reads lines
452of the form
453
454 subjectlabel objectlabel mode.
455
456Task Attribute
457
458The Smack label of a process can be read from /proc/<pid>/attr/current. A
459process can read its own Smack label from /proc/self/attr/current. A
460privileged process can change its own Smack label by writing to
461/proc/self/attr/current but not the label of another process.
462
463File Attribute
464
465The Smack label of a filesystem object is stored as an extended attribute
466named SMACK64 on the file. This attribute is in the security namespace. It can
467only be changed by a process with privilege.
468
469Privilege
470
471A process with CAP_MAC_OVERRIDE is privileged.
472
473Smack Networking
474
475As mentioned before, Smack enforces access control on network protocol
476transmissions. Every packet sent by a Smack process is tagged with its Smack
477label. This is done by adding a CIPSO tag to the header of the IP packet. Each
478packet received is expected to have a CIPSO tag that identifies the label and
479if it lacks such a tag the network ambient label is assumed. Before the packet
480is delivered a check is made to determine that a subject with the label on the
481packet has write access to the receiving process and if that is not the case
482the packet is dropped.
483
484CIPSO Configuration
485
486It is normally unnecessary to specify the CIPSO configuration. The default
487values used by the system handle all internal cases. Smack will compose CIPSO
488label values to match the Smack labels being used without administrative
489intervention. Unlabeled packets that come into the system will be given the
490ambient label.
491
492Smack requires configuration in the case where packets from a system that is
493not smack that speaks CIPSO may be encountered. Usually this will be a Trusted
494Solaris system, but there are other, less widely deployed systems out there.
495CIPSO provides 3 important values, a Domain Of Interpretation (DOI), a level,
496and a category set with each packet. The DOI is intended to identify a group
497of systems that use compatible labeling schemes, and the DOI specified on the
498smack system must match that of the remote system or packets will be
499discarded. The DOI is 3 by default. The value can be read from /smack/doi and
500can be changed by writing to /smack/doi.
501
502The label and category set are mapped to a Smack label as defined in
503/etc/smack/cipso.
504
505A Smack/CIPSO mapping has the form:
506
507 smack level [category [category]*]
508
509Smack does not expect the level or category sets to be related in any
510particular way and does not assume or assign accesses based on them. Some
511examples of mappings:
512
513 TopSecret 7
514 TS:A,B 7 1 2
515 SecBDE 5 2 4 6
516 RAFTERS 7 12 26
517
518The ":" and "," characters are permitted in a Smack label but have no special
519meaning.
520
521The mapping of Smack labels to CIPSO values is defined by writing to
522/smack/cipso. Again, the format of data written to this special file
523is highly restrictive, so the program smackcipso is provided to
524ensure the writes are done properly. This program takes mappings
525on the standard input and sends them to /smack/cipso properly.
526
527In addition to explicit mappings Smack supports direct CIPSO mappings. One
528CIPSO level is used to indicate that the category set passed in the packet is
529in fact an encoding of the Smack label. The level used is 250 by default. The
530value can be read from /smack/direct and changed by writing to /smack/direct.
531
532Socket Attributes
533
534There are two attributes that are associated with sockets. These attributes
535can only be set by privileged tasks, but any task can read them for their own
536sockets.
537
538 SMACK64IPIN: The Smack label of the task object. A privileged
539 program that will enforce policy may set this to the star label.
540
541 SMACK64IPOUT: The Smack label transmitted with outgoing packets.
542 A privileged program may set this to match the label of another
543 task with which it hopes to communicate.
544
4303154e
EB		 545Smack Netlabel Exceptions
546
547You will often find that your labeled application has to talk to the outside,
548unlabeled world. To do this there's a special file /smack/netlabel where you can
549add some exceptions in the form of :
550@IP1 LABEL1 or
551@IP2/MASK LABEL2
552
553It means that your application will have unlabeled access to @IP1 if it has
554write access on LABEL1, and access to the subnet @IP2/MASK if it has write
555access on LABEL2.
556
557Entries in the /smack/netlabel file are matched by longest mask first, like in
558classless IPv4 routing.
559
560A special label '@' and an option '-CIPSO' can be used there :
561@ means Internet, any application with any label has access to it
562-CIPSO means standard CIPSO networking
563
564If you don't know what CIPSO is and don't plan to use it, you can just do :
565echo 127.0.0.1 -CIPSO > /smack/netlabel
566echo 0.0.0.0/0 @ > /smack/netlabel
567
568If you use CIPSO on your 192.168.0.0/16 local network and need also unlabeled
569Internet access, you can have :
570echo 127.0.0.1 -CIPSO > /smack/netlabel
571echo 192.168.0.0/16 -CIPSO > /smack/netlabel
572echo 0.0.0.0/0 @ > /smack/netlabel
573
574
e114e473
CS		 575Writing Applications for Smack
576
577There are three sorts of applications that will run on a Smack system. How an
578application interacts with Smack will determine what it will have to do to
579work properly under Smack.
580
581Smack Ignorant Applications
582
583By far the majority of applications have no reason whatever to care about the
584unique properties of Smack. Since invoking a program has no impact on the
585Smack label associated with the process the only concern likely to arise is
586whether the process has execute access to the program.
587
588Smack Relevant Applications
589
590Some programs can be improved by teaching them about Smack, but do not make
591any security decisions themselves. The utility ls(1) is one example of such a
592program.
593
594Smack Enforcing Applications
595
596These are special programs that not only know about Smack, but participate in
597the enforcement of system policy. In most cases these are the programs that
598set up user sessions. There are also network services that provide information
599to processes running with various labels.
600
601File System Interfaces
602
603Smack maintains labels on file system objects using extended attributes. The
604Smack label of a file, directory, or other file system object can be obtained
605using getxattr(2).
606
607 len = getxattr("/", "security.SMACK64", value, sizeof (value));
608
609will put the Smack label of the root directory into value. A privileged
610process can set the Smack label of a file system object with setxattr(2).
611
612 len = strlen("Rubble");
613 rc = setxattr("/foo", "security.SMACK64", "Rubble", len, 0);
614
615will set the Smack label of /foo to "Rubble" if the program has appropriate
616privilege.
617
618Socket Interfaces
619
620The socket attributes can be read using fgetxattr(2).
621
622A privileged process can set the Smack label of outgoing packets with
623fsetxattr(2).
624
625 len = strlen("Rubble");
626 rc = fsetxattr(fd, "security.SMACK64IPOUT", "Rubble", len, 0);
627
628will set the Smack label "Rubble" on packets going out from the socket if the
629program has appropriate privilege.
630
631 rc = fsetxattr(fd, "security.SMACK64IPIN, "*", strlen("*"), 0);
632
633will set the Smack label "*" as the object label against which incoming
634packets will be checked if the program has appropriate privilege.
635
636Administration
637
638Smack supports some mount options:
639
640 smackfsdef=label: specifies the label to give files that lack
641 the Smack label extended attribute.
642
643 smackfsroot=label: specifies the label to assign the root of the
644 file system if it lacks the Smack extended attribute.
645
646 smackfshat=label: specifies a label that must have read access to
647 all labels set on the filesystem. Not yet enforced.
648
649 smackfsfloor=label: specifies a label to which all labels set on the
650 filesystem must have read access. Not yet enforced.
651
652These mount options apply to all file system types.
653
ecfcc53f
EB		 654Smack auditing
655
656If you want Smack auditing of security events, you need to set CONFIG_AUDIT
657in your kernel configuration.
658By default, all denied events will be audited. You can change this behavior by
659writing a single character to the /smack/logging file :
6600 : no logging
6611 : log denied (default)
6622 : log accepted
6633 : log denied & accepted
664
665Events are logged as 'key=value' pairs, for each event you at least will get
40e47125 666the subject, the object, the rights requested, the action, the kernel function
ecfcc53f
EB		 667that triggered the event, plus other pairs depending on the type of event
668audited.
Linux kernel - Deliverables
This page took 0.339006 seconds and 5 git commands to generate.