slsm: Documentation: misc minor improvements

30ba7b2b · Simon Ruderich · 01563cd6 · 30ba7b2b
Commit 30ba7b2b authored Apr 15, 2016 by Simon Ruderich
--- a/Documentation/security/slsm.txt
+++ b/Documentation/security/slsm.txt
@@ -5,7 +5,8 @@ SLSM is a simple, path-based security module.
 It's main goals are to be
 * distribution-independent
 * straight-forward to use on desktops
-* simple in implementation 
+* simple in implementation
+
 Some common use-cases are
 * restrict access to a file for all programs, with exceptions;
  e.g. only ssh-add can read your private keys
@@ -14,18 +15,18 @@ Some common use-cases are
 # Overview #

 In SLSM, programs are identified by their path in the filesystem (symlinks are
-resolved first). This means `exec` changes permissions!
+resolved first). This means `exec` changes permissions unless restricted (see
+below)!

-Access rules are stored in a tree structure resembling the filesystem.
-At each node (corresponding to a directory entry), rules matching either all
-or one specific program are specified.
-To check access to a file, the tree is traversed from the root. At each node,
-the last rule (in the order they were inserted) matching the executing program
-is remembered. The last match determines the permissions the program has for
-this file.
+Access rules are stored in a tree structure resembling the filesystem. At each
+node (corresponding to a directory entry), rules matching either all or one
+specific program are specified. To check access to a file, the tree is
+traversed from the root. At each node, the last rule (in the order they were
+inserted) matching the executing program is remembered. The last match
+determines the permissions the program has for this file.

 Rules consist of the program they apply to and a combination of UNIX-like `rwx`
-bits (`x` is not neccessary to `cd`) and a set of SLSM-specific flags:
+bits (`x` is not necessary to `cd`) and a set of SLSM-specific flags:
 * A rule with the `exact` flag applies only if the program tries to access the
  exact node at which the rule is placed.
 * The `confine` flag prevents a process from gaining new permissions via `exec`.
@@ -61,7 +62,8 @@ from reading the files contained therein, but allow listing the keys:
 	3. allow `ssh-add` to read file contents:
 		p=/home/user/.ssh/private\0m=4\0a=/usr/bin/ssh-add\0\0

-To apply this setup, run something like the following:
+To apply this setup, run something like the following (replace user with your
+user name):

 	printf 'p=/home/user/.ssh/private\0m=0\0\0p=/home/user/.ssh/private\0m=4\0f=4\0\0p=/home/user/.ssh/private\0m=4\0a=/usr/bin/ssh-add\0\0' >/sys/kernel/security/slsm/profiles