SMACK
SMACK (Simplified Mandatory Access Control Kernel) lets you define simple rules that limit the rights of a user or a process.
Context
The current context (the Smack label of the running shell) is stored in the following file:
/proc/$$/attr/current
Rules
A rule is defined as follows:
System User rwxat
- System is the subject’s label
- User is the object’s label
- rwxat is the set of granted accesses: read, write, execute, append and transmute
ℹ️ Processes labelled System can read, write and execute objects labelled User.
Possible access
Code | Meaning |
---|---|
r | read |
w | write |
x | execute |
t | transmute |
a | append |
l | lock |
b | bring-up |
- Transmute: a file created in a directory with transmute access will inherit the parent’s label
- Lock: make a file read-only
- Bring-up: equivalent of permissive mode
Without any capability, a process can only reduce access. Changing a rule requires the CAP_MAC_ADMIN capability.
There are two ways to change rules:
Runtime
smackload subject object rwt
Changes are lost on restart.
Persistent
Create a file containing the rules in /etc/smack/accesses.d/:
# vim /etc/smack/accesses.d/demo-app.smack
subject object rwt
Changes are applied on restart.
Default smack access rules
Label | REQUESTED BY | REQUESTED ON |
---|---|---|
* | 🛑 Access | ✔️ Access |
^ | ✔️ Read or execute access | |
_ | | ✔️ Read or execute access |
✔️ If subject and object have the same label
🛑 All other rules not explicitly defined
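The rule format and the default rules above can be modelled as a small access evaluator, which is useful for reviewing a rule file before it is loaded. This is an added example, not redpesk or kernel code: it covers only the labels and access codes listed on this page, and the function names and the second sample rule are constructed for illustration.

```python
# Added example: models only the labels and rule format shown on this page.
VALID = set("rwxatlb")  # access codes from the table above

def parse_rules(text):
    """Parse 'subject object access' lines into {(subject, object): modes}."""
    rules = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {n}: expected 'subject object access'")
        subj, obj, acc = parts
        modes = set(acc) - {"-"}  # '-' is a placeholder for "not granted"
        if not modes <= VALID:
            raise ValueError(f"line {n}: unknown access code in {acc!r}")
        rules[(subj, obj)] = modes  # a later line for the same pair wins
    return rules

def allowed(subject, obj, request, rules):
    """Decide whether `subject` may perform `request` (e.g. 'rw') on `obj`."""
    req = set(request)
    if not req or not req <= VALID:
        raise ValueError(f"bad request {request!r}")
    if subject == "*":
        return False, "subject '*' is denied everything"
    if obj == "*":
        return True, "object '*' is open to every subject"
    if subject == obj:
        return True, "subject and object share a label"
    if req <= {"r", "x"} and subject == "^":
        return True, "subject '^' may read or execute anything"
    if req <= {"r", "x"} and obj == "_":
        return True, "object '_' is readable/executable by all"
    if req <= rules.get((subject, obj), set()):
        return True, "explicit rule"
    return False, "no rule grants this access"

# Constructed sample rules; the first line is the page's own example rule.
SAMPLE = "System User rwxat\nUser System -wx--\n"
RULES = parse_rules(SAMPLE)

if __name__ == "__main__":
    for s, o, r in [("System", "User", "rw"), ("User", "System", "r"),
                    ("User", "_", "r"), ("User", "_", "w"), ("*", "User", "r")]:
        print(f"{s:>6} -> {o:<6} {r:<2}", *allowed(s, o, r, RULES))
```

The checks run in a fixed order, so a subject labelled `*` is refused even on an object labelled `*`, and a write to a `_` object still needs an explicit rule.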