Hello.

Roman Yeryomin wrote:
> Hello!
>
> I'm trying to build a minimal policy for my embedded system where all
> read/write requests to /dev/mtd* should be blocked except for several
> programs.
> In profile.conf I have:
>
> <kernel> PROFILE_VERSION=20110903
> <kernel> 0-COMMENT=-----Disabled Mode-----
> <kernel> 0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
> <kernel> 0-CONFIG={ mode=disabled grant_log=no reject_log=yes }
> <kernel> 1-COMMENT=-----Learning Mode-----
> <kernel> 1-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
> <kernel> 1-CONFIG={ mode=learning grant_log=no reject_log=yes }
> <kernel> 2-COMMENT=-----Permissive Mode-----
> <kernel> 2-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
> <kernel> 2-CONFIG={ mode=permissive grant_log=no reject_log=yes }
> <kernel> 3-COMMENT=-----Enforcing Mode-----
> <kernel> 3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
> <kernel> 3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }
> <kernel> 4-COMMENT=-----Enforcing Mode-----
> <kernel> 4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
> <kernel> 4-CONFIG::file::open={ mode=enforcing grant_log=no reject_log=yes }
> </bin/dd> PROFILE_VERSION=20110903
> </bin/dd> 4-COMMENT=-----Enforcing Mode-----
> </bin/dd> 4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
> </bin/dd> 4-CONFIG::file::open={ mode=enforcing grant_log=no reject_log=yes }
> </sbin/the-tool> PROFILE_VERSION=20110903
> </sbin/the-tool> 0-COMMENT=-----Disabled Mode-----
> </sbin/the-tool> 0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
> </sbin/the-tool> 0-CONFIG={ mode=disabled grant_log=no reject_log=yes }
>
> in exception_policy.conf:
>
> reset_domain /sbin/the-tool from any
> reset_domain /bin/dd from any
> keep_domain any from </sbin/the-tool>
> keep_domain any from </bin/dd>
> keep_domain any from <kernel>
> path_group ALMOST_ANY_FILE /\*
> path_group ALMOST_ANY_FILE /\*/\*\-mtd\?\*
> path_group ALMOST_ANY_FILE /\*/\*/\*/\*
> path_group ALMOST_ANY_FILE /\*/\*/\{\*\}/\*
> path_group ALMOST_ANY_FILE \*:/\*
> path_group ALMOST_ANY_FILE \*:/\{\*\}/\*
> path_group ALMOST_ANY_FILE \*:[\$]
> path_group ANY_FILE /\*
> path_group ANY_FILE /\{\*\}/\*
> path_group ANY_FILE \*:/\*
> path_group ANY_FILE \*:/\{\*\}/\*
> path_group ANY_FILE \*:[\$]
> path_group ANY_DIR /
> path_group ANY_DIR /\{\*\}/
> path_group ANY_DIR \*:/
> path_group ANY_DIR \*:/\{\*\}/
>
> and in domain_policy.conf
>
> <kernel>
> use_profile 4
> use_group 0
> file read/write/append @ANY_DIR
> file read/write/append @ALMOST_ANY_FILE
> file read/write socket:[family=\$:type=\$:protocol=\$]
>
> </bin/dd>
> use_profile 4
> use_group 0
> file read/write/append @ANY_DIR
> file read @ANY_FILE
> file write/append @ALMOST_ANY_FILE
> file read/write socket:[family=\$:type=\$:protocol=\$]
>
> </sbin/the-tool>
> use_profile 0
> use_group 0
>
This is a situation where CaitSith will fit better. Since Memory Technology Device is a character device with major = 90, you will be able to define CaitSith's rule like below.

----------------------------------------
10 read path.type=char path.dev_major=90
    10 allow task.exe="/bin/dd"
    20 allow task.exe="/sbin/fw-tool"
    30 deny
10 write path.type=char path.dev_major=90
    10 allow task.exe="/sbin/fw-tool"
    20 deny
10 append path.type=char path.dev_major=90
    10 allow task.exe="/sbin/fw-tool"
    20 deny
----------------------------------------

If you need to use TOMOYO 2.5, you can still use file's attributes like below (though it is less flexible than CaitSith).

----------------------------------------
<kernel>
use_profile 4
file read @ANY_DIR
file read/write/append @ANY_FILE path1.type!=char
file read/write/append @ANY_FILE path1.type=char path1.dev_major!=90

</bin/dd>
use_profile 4
file read @ANY_DIR
file read @ANY_FILE
file write/append @ANY_FILE path1.type!=char
file write/append @ANY_FILE path1.type=char path1.dev_major!=90

</sbin/fw-tool>
use_profile 0
file read @ANY_DIR
file read/write/append @ANY_FILE
----------------------------------------

Please be aware that the programs you want to allow access to a specific resource (i.e. /bin/dd and /sbin/fw-tool in your case) might be disguised unless you also restrict operations which modify directory entries and/or mount namespace. For example, doing

# mount --bind /bin/cat /sbin/fw-tool

or

# mv /sbin/fw-tool /sbin/fw-tool.orig
# ln /bin/cat /sbin/fw-tool

allows the attacker to run in the </sbin/fw-tool> domain while its functionality would still be /bin/cat . Therefore, it is recommended to restrict operations which modify directory entries and/or mount namespace in addition to restricting read/write/append operations.
> As I understand from the domain transition logic described here
> http://tomoyo.osdn.jp/2.5/policy-specification/domain-transition-procedure.html.en#transition_by_execute
> it should work.
> But neither dd nor the-tool has even read access to /dev/mtdX
>
> Any pointers on what I am doing wrong?
> Thanks in advance!

I guess that /bin/dd and /sbin/fw-tool are running in the <kernel> domain.

If you can run /usr/sbin/tomoyo-queryd , please see how to use it at
http://tomoyo.osdn.jp/2.5/chapter-7.html#7.3 .

If you cannot run /usr/sbin/tomoyo-queryd , please check what the reject log says.

If you are running /usr/sbin/tomoyo-auditd with

# Save rejected logs with profile=4 to /var/log/tomoyo/reject_004.log
header.contains profile=4
destination /var/log/tomoyo/reject_004.log

lines appended to /etc/tomoyo/tools/auditd.conf , you can examine /var/log/tomoyo/reject_*.log .

If you are not running /usr/sbin/tomoyo-auditd , you can examine the /sys/kernel/security/tomoyo/audit interface (please be sure to mount securityfs on /sys/kernel/security/ if it is not mounted yet).

> Regards,
> Roman
>
> _______________________________________________
> tomoyo-users-en mailing list
> tomoyo-users-en@lists.osdn.me
> http://lists.osdn.me/mailman/listinfo/tomoyo-users-en
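The path_group entries quoted in the question rely on TOMOYO's `\*`, `\?`, `\-` (subtraction) and `\{\*\}/` (recursive) wildcards, and which group /dev/mtd0 falls into decides which ACL line applies. To check that offline, here is an added Python re-implementation of that wildcard subset; it is my own code, not from the TOMOYO project, written to follow the kernel's component-by-component walk as I understand it (directory vs non-directory never match, a trailing `\*` may match nothing), with the `\*:/` socket and proc forms and the `\$` digit class left out. The two groups at the bottom are copied from the question.

```python
def _comp(f, p):
    """Match one path component f (no '/') against pattern component p."""
    if not p:
        return not f
    if p[0] == "\\" and len(p) > 1:
        c, rest = p[1], p[2:]
        if c == "*":  # zero or more characters other than '/'
            return any(_comp(f[i:], rest) for i in range(len(f) + 1))
        if c == "?":  # exactly one character other than '/'
            return bool(f) and _comp(f[1:], rest)
        return bool(f) and f[0] == c and _comp(f[1:], rest)  # escaped literal
    return bool(f) and f[0] == p[0] and _comp(f[1:], p[1:])

def _comp_sub(f, p):
    parts = p.split("\\-")  # \- subtraction: match part 0 and none of the rest
    return _comp(f, parts[0]) and not any(_comp(f, q) for q in parts[1:])

def _path(f, p):
    """Walk filename f and pattern p one '/'-separated component at a time."""
    while f and p:
        fd, pd = (f + "/").index("/"), (p + "/").index("/")  # end of current component
        if p.startswith("\\{"):  # \{inner\}/ : one or more components matching inner
            if pd == len(p) or not p[:pd].endswith("\\}"):
                return False  # malformed: the recursive form must be followed by '/'
            inner = p[2:pd - 2]
            while _comp_sub(f[:fd], inner) and fd < len(f):
                f = f[fd + 1:]
                if _path(f, p[pd + 1:]):
                    return True
                if "/" not in f:
                    return False
                fd = f.index("/")
            return False
        if not _comp_sub(f[:fd], p[:pd]):
            return False
        f, p = f[fd + 1:], p[pd + 1:]  # slicing past the end just yields ""
    while p.startswith(("\\*", "\\@")):  # a trailing \* or \@ may match nothing
        p = p[2:]
    return not f and not p

def path_matches(path, pattern):
    if path.endswith("/") != pattern.endswith("/"):  # directory vs non-directory never match
        return False
    return _path(path, pattern)

def in_group(group, path):
    return any(path_matches(path, p) for p in group)

ALMOST_ANY_FILE = [r"/\*", r"/\*/\*\-mtd\?\*", r"/\*/\*/\*/\*", r"/\*/\*/\{\*\}/\*"]
ANY_FILE = [r"/\*", r"/\{\*\}/\*"]
```

Running it shows that /dev/mtd0 is excluded from ALMOST_ANY_FILE by the `\-mtd\?\*` subtraction but is inside ANY_FILE, so under the quoted domain_policy.conf </bin/dd> would have "file read" but not "file write/append" on it.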
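To act on the advice above about reading the reject log, here is an added Python parser (not part of the TOMOYO tools) that groups rejected requests by the domain they were issued from and flags those aimed at a character device with major 90. The three-line header/domain/request layout and the path1 field names are my assumption of what tomoyo-auditd writes to reject_*.log in 2.5, and the sample records are constructed, not copied from the question.

```python
import re
from collections import Counter

# Constructed sample in the (header, domain, request) layout tomoyo-auditd is assumed to write.
SAMPLE_LOG = """\
#2012/05/01 10:00:00# profile=4 mode=enforcing granted=no (global-pid=1201) task={ pid=1201 ppid=1 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 type!=execute_handler } path1={ uid=0 gid=0 ino=2001 major=90 minor=0 perm=0600 type=char dev_major=90 dev_minor=0 }
<kernel>
file read /dev/mtd0
#2012/05/01 10:00:01# profile=4 mode=enforcing granted=no (global-pid=1202) task={ pid=1202 ppid=1 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 type!=execute_handler } path1={ uid=0 gid=0 ino=2001 major=90 minor=0 perm=0600 type=char dev_major=90 dev_minor=0 }
<kernel>
file write /dev/mtd0
#2012/05/01 10:00:02# profile=4 mode=enforcing granted=no (global-pid=1203) task={ pid=1203 ppid=1 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 type!=execute_handler } path1={ uid=0 gid=0 ino=3001 major=8 minor=1 perm=0644 type=file fsmagic=0xEF53 }
<kernel> /bin/dd
file read /etc/fstab
"""

HEADER = re.compile(r"^#(?P<ts>[^#]*)# profile=(?P<profile>\d+) mode=(?P<mode>\S+) granted=(?P<granted>yes|no)")
PATH1 = re.compile(r"path1=\{ (?P<body>[^}]*)\}")

def parse_records(text):
    """Return one dict per (header, domain, request) record found in the audit text."""
    lines = text.splitlines()
    records = []
    for i, line in enumerate(lines):
        m = HEADER.match(line)
        if not m or i + 2 >= len(lines):
            continue
        rec = m.groupdict()
        p1 = PATH1.search(line)  # attributes of the object being accessed
        rec["path1"] = dict(kv.split("=", 1) for kv in p1.group("body").split()) if p1 else {}
        rec["domain"] = lines[i + 1]  # domain name; may contain spaces
        cat, op, target = lines[i + 2].split(" ", 2)  # e.g. "file write /dev/mtd0"
        rec.update(category=cat, operation=op, target=target)
        records.append(rec)
    return records

def rejected_by_domain(text, dev_major="90"):
    """Count rejects per (domain, operation, target); also those on char devices with dev_major."""
    all_rejects, mtd_rejects = Counter(), Counter()
    for r in parse_records(text):
        if r["granted"] != "no":
            continue
        key = (r["domain"], r["operation"], r["target"])
        all_rejects[key] += 1
        if r["path1"].get("type") == "char" and r["path1"].get("dev_major") == dev_major:
            mtd_rejects[key] += 1
    return all_rejects, mtd_rejects

if __name__ == "__main__":
    for (domain, op, target), n in rejected_by_domain(SAMPLE_LOG)[1].items():
        print(f"{n}x {op} {target} rejected in domain {domain!r}")
```

On real data, point it at the reject_004.log that the auditd.conf lines above produce; the domain column is what tells you whether the access came from </bin/dd> or from <kernel>.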