Simplified Mandatory Access Control Kernel (SMACK) provides a simple solution for mandatory access control (MAC). MAC provides the ability for a centralized entity to set access policy for system resources.

The Linux default access control policy is governed by permission bits on system resources at the discretion of the resource owner: discretionary access control (DAC). Policies are set in a distributed way so different system users can set access policy for their own resources.

MAC policies are often used to overcome DAC limitations for systems that require a higher level of security.

SMACK is used to supplement DAC. DAC permissions are checked first; if access is granted, SMACK permissions are then checked. SMACK can only limit access, it can't grant access beyond DAC permissions.

SMACK uses 'labels' on resources (objects in SMACK terminology) and processes (subjects) to determine access. Labels on resources can only be set by a privileged process (the CAP_MAC_OVERRIDE label designates a process as privileged)

SMACK policies are set by the Legato startup scripts, the Legato Installer and the Legato Supervisor.

Here's Implementing SMACK.

Copyright (C) Sierra Wireless Inc. Use of this work is subject to license.