Smack Reference Policy: Creating a Rule Set for Linux Distributions

Explore the development of a Smack reference policy in this 45-minute conference talk by Casey Schaufler, author of the Simplified Mandatory Access Control Kernel (Smack) Linux security module. Learn about Smack's functionality, its differences from SELinux and AppArmor, and the ongoing effort to create a reference set of Smack rules for a major Linux distribution. Discover the three-domain approach to threat protection, the process of selecting a target distribution, and the challenges faced in implementing the policy. Gain insights into Smack's built-in and specified access rules, access modes, and quirks. Understand the reference threat model, tooling considerations, and the proposed simple configuration for various system components. Engage with the project's current state, identified challenges, and future work required for distribution integration.

Intro
Simplified Mandatory Access Control Kernel
Compared To SELinux
Compared To AppArmor
Smack is not a privilege system
Built In Smack Access Rules
Specified Smack Access Rules
Access Modes
Access Quirks
The Reference Threat
Complications
Choosing A Use Case
Tooling Considerations
Choosing A Distribution
The Three Domain Model
Toolbox
What Accesses Are Unwanted?
Simple Configuration
Transmuting Directories
var/lib/apt
Graphically
With Implicit Access
With Privileged Access
And Shared Data
To Consider
Work To Be Done For The Distribution