Roman Yeryomin wrote:
> > This is a situation where CaitSith will fit better.
> >
> > Since Memory Technology Device is a character device with major = 90,
> > you will be able to define CaitSith's rule like below.
> >
> > ----------------------------------------
> > 10 read path.type=char path.dev_major=90
> > 10 allow task.exe="/bin/dd"
> > 20 allow task.exe="/sbin/fw-tool"
> > 30 deny
> >
> > 10 write path.type=char path.dev_major=90
> > 10 allow task.exe="/sbin/fw-tool"
> > 20 deny
> >
> > 10 append path.type=char path.dev_major=90
> > 10 allow task.exe="/sbin/fw-tool"
> > 20 deny
> > ----------------------------------------
>
> Thank you for this pointer, I will certainly look closer at CaitSith!
>
I forgot to add "acl" keyword in the example above.
Anyway, here is what I guess you want to try if you use CaitSith.
---------- /etc/caitsith/policy/current ----------
quota memory audit 16777216
quota memory query 1048576
quota audit[0] allowed=0 denied=1024 unmatched=0
10 acl read path.type=char path.dev_major=90
audit 0
10 allow task.exe="/usr/bin/dd"
20 allow task.exe="/sbin/the-tool"
30 deny
10 acl read path.fsmagic=0x9FA0 path="proc:/mtd"
audit 0
10 allow task.exe="/sbin/the-tool"
20 deny
10 acl write path.type=char path.dev_major=90
audit 0
10 allow task.exe="/sbin/the-tool"
20 deny
10 acl append path.type=char path.dev_major=90
audit 0
10 allow task.exe="/sbin/the-tool"
20 deny
100 acl mount
audit 1
10 deny task.exe!="/bin/mount"
20 allow target="/proc/" fstype="proc" flags=0x0
30 allow target="/sys/" fstype="sysfs" flags=0x0
40 deny
0 acl modify_policy
audit 0
10 deny
---------- /etc/caitsith/policy/current ----------
Since /proc/mtd is recognized as proc:/mtd (because proc filesystem
does not support rename operation), /\*/\*\-mtd\?\* will not match
/proc/mtd .
The "0 acl modify_policy" block in CaitSith corresponds to
/etc/tomoyo/policy/current/manager.conf in TOMOYO 2.5.
In the above example, no programs can modify policy (i.e.
production state).
The "100 acl mount" block is for preventing attackers from disguising
programs using e.g. "mount --bind" request.
If you can make partitions for programs being mounted as read-only,
you will be able to omit e.g. "acl rename" blocks. If you cannot,
you can define e.g. "acl rename" blocks in order to control ranges
attackers can tamper the system.
> > If you need to use TOMOYO 2.5, you can still use file's attributes
> > like below (though it is less flexible than CaitSith).
> >
> > ----------------------------------------
> > <kernel>
> > use_profile 4
> > file read @ANY_DIR
> > file read/write/append @ANY_FILE path1.type!=char
> > file read/write/append @ANY_FILE path1.type=char path1.dev_major!=90
> >
> > </bin/dd>
> > use_profile 4
> > file read @ANY_DIR
> > file read @ANY_FILE
> > file write/append @ANY_FILE path1.type!=char
> > file write/append @ANY_FILE path1.type=char path1.dev_major!=90
> >
> > </sbin/fw-tool>
> > use_profile 0
> > file read @ANY_DIR
> > file read/write/append @ANY_FILE
> > ----------------------------------------
> >
Below is similar rule using TOMOYO 2.5.
---------- /etc/tomoyo/policy/current/profile.conf ----------
<kernel> PROFILE_VERSION=20110903
<kernel> 0-COMMENT=-----Disabled Mode-----
<kernel> 0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
<kernel> 0-CONFIG={ mode=disabled grant_log=no reject_log=yes }
<kernel> 1-COMMENT=-----Learning Mode-----
<kernel> 1-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
<kernel> 1-CONFIG={ mode=learning grant_log=no reject_log=yes }
<kernel> 2-COMMENT=-----Permissive Mode-----
<kernel> 2-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
<kernel> 2-CONFIG={ mode=permissive grant_log=no reject_log=yes }
<kernel> 3-COMMENT=-----Enforcing Mode-----
<kernel> 3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
<kernel> 3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }
<kernel> 4-COMMENT=-----Enforcing Mode (File Open Only)-----
<kernel> 4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
<kernel> 4-CONFIG={ mode=disabled grant_log=no reject_log=no }
<kernel> 4-CONFIG::file::open={ mode=enforcing grant_log=no reject_log=yes }
</usr/bin/dd> PROFILE_VERSION=20110903
</usr/bin/dd> 4-COMMENT=-----Enforcing Mode (File Open Only)-----
</usr/bin/dd> 4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
</usr/bin/dd> 4-CONFIG={ mode=disabled grant_log=no reject_log=no }
</usr/bin/dd> 4-CONFIG::file::open={ mode=enforcing grant_log=no reject_log=yes
}
</sbin/the-tool> PROFILE_VERSION=20110903
</sbin/the-tool> 0-COMMENT=-----Disabled Mode-----
</sbin/the-tool> 0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
</sbin/the-tool> 0-CONFIG={ mode=disabled grant_log=no reject_log=no }
---------- /etc/tomoyo/policy/current/profile.conf ----------
---------- /etc/tomoyo/policy/current/exception_policy.conf ----------
<kernel> aggregator proc:/self/exe /proc/self/exe
<kernel> reset_domain /sbin/the-tool from any
<kernel> reset_domain /usr/bin/dd from any
<kernel> keep_domain any from any
<kernel> path_group ANY_PATHNAME_BUT_PROC_MTD /
<kernel> path_group ANY_PATHNAME_BUT_PROC_MTD /\*
<kernel> path_group ANY_PATHNAME_BUT_PROC_MTD /\{\*\}/
<kernel> path_group ANY_PATHNAME_BUT_PROC_MTD /\{\*\}/\*
<kernel> path_group ANY_PATHNAME_BUT_PROC_MTD \*:/
<kernel> path_group ANY_PATHNAME_BUT_PROC_MTD \*:\-proc:/\*
<kernel> path_group ANY_PATHNAME_BUT_PROC_MTD proc:/\*\-mtd
<kernel> path_group ANY_PATHNAME_BUT_PROC_MTD \*:/\{\*\}/
<kernel> path_group ANY_PATHNAME_BUT_PROC_MTD \*:/\{\*\}/\*
<kernel> path_group ANY_PATHNAME_BUT_PROC_MTD \*:[\$]
<kernel> path_group ANY_PATHNAME_BUT_PROC_MTD
socket:[family=\$:type=\$:protocol=\$]
</usr/bin/dd> path_group ANY_PATHNAME_BUT_PROC_MTD /
</usr/bin/dd> path_group ANY_PATHNAME_BUT_PROC_MTD /\*
</usr/bin/dd> path_group ANY_PATHNAME_BUT_PROC_MTD /\{\*\}/
</usr/bin/dd> path_group ANY_PATHNAME_BUT_PROC_MTD /\{\*\}/\*
</usr/bin/dd> path_group ANY_PATHNAME_BUT_PROC_MTD \*:/
</usr/bin/dd> path_group ANY_PATHNAME_BUT_PROC_MTD \*:\-proc:/\*
</usr/bin/dd> path_group ANY_PATHNAME_BUT_PROC_MTD proc:/\*\-mtd
</usr/bin/dd> path_group ANY_PATHNAME_BUT_PROC_MTD \*:/\{\*\}/
</usr/bin/dd> path_group ANY_PATHNAME_BUT_PROC_MTD \*:/\{\*\}/\*
</usr/bin/dd> path_group ANY_PATHNAME_BUT_PROC_MTD \*:[\$]
</usr/bin/dd> path_group ANY_PATHNAME_BUT_PROC_MTD
socket:[family=\$:type=\$:protocol=\$]
</usr/bin/dd> path_group ANY_PATHNAME /
</usr/bin/dd> path_group ANY_PATHNAME /\*
</usr/bin/dd> path_group ANY_PATHNAME /\{\*\}/
</usr/bin/dd> path_group ANY_PATHNAME /\{\*\}/\*
</usr/bin/dd> path_group ANY_PATHNAME \*:/
</usr/bin/dd> path_group ANY_PATHNAME \*:/\*
</usr/bin/dd> path_group ANY_PATHNAME \*:/\{\*\}/
</usr/bin/dd> path_group ANY_PATHNAME \*:/\{\*\}/\*
</usr/bin/dd> path_group ANY_PATHNAME \*:[\$]
</usr/bin/dd> path_group ANY_PATHNAME socket:[family=\$:type=\$:protocol=\$]
---------- /etc/tomoyo/policy/current/exception_policy.conf ----------
---------- /etc/tomoyo/policy/current/domain_policy.conf ----------
<kernel>
use_profile 4
use_group 0
file read/write/append @ANY_PATHNAME_BUT_PROC_MTD path1.type!=char
file read/write/append @ANY_PATHNAME_BUT_PROC_MTD path1.type=char
path1.dev_major!=90
</usr/bin/dd>
use_profile 4
use_group 0
file read @ANY_PATHNAME_BUT_PROC_MTD
file write/append @ANY_PATHNAME path1.type!=char
file write/append @ANY_PATHNAME path1.type=char path1.dev_major!=90
</sbin/the-tool>
use_profile 0
use_group 0
---------- /etc/tomoyo/policy/current/domain_policy.conf ----------
> > Please be aware that the programs you want to allow access to specific
> > resource (i.e. /bin/dd and /sbin/fw-tool in your case) might be disguised
> > unless you also restrict operations which modify directory entries and/or
> > mount namespace. For example, doing
> >
> > # mount --bind /bin/cat /sbin/fw-tools
> >
> > or
> >
> > # mv /sbin/fw-tool /sbin/fw-tool.orig
> > # ln /bin/cat /sbin/fw-tool
> >
> > allows the attacker to run in </sbin/fw-tool> domain while its functionality
> > would be still /bin/cat . Therefore, it is recommended to restrict
> > operations
> > which modify directory entries and/or mount namespace in addition to
> > restricting read/write/append operations.
>
> I was going to develop this policy further and restrict ssh (the only
> access method) to only several configuration files.
> Would this solve the problem?
>
What do you think about other programs which can issue such requests
when exploited? Any process running as root user would be able to issue
above requests (even without using shell, by directly using system calls).
> >>
> >> As I understand from domain transition logic described here
> >> http://tomoyo.osdn.jp/2.5/policy-specification/domain-transition-procedure.html.en#transition_by_execute
> >> it should work
> >> But neither dd no the-tool don't have even read access to /dev/mtdX
> >>
> >> Any pointers on what am I doing wrong?
> >> Thanks in advance!
> >>
> >
> > I guess that /bin/dd and /sbin/fw-tool are running in the <kernel> domain.
>
> It seems you are right.
> tomoyo-queryd showed that the-tool runs with profile 4 while
> </sbin/the-tool> domain is configured as profile 0.
> But then I don't understand how domain transition (exception policy) rules
> work.
> Will they always match the most "hungry"/vague rule? not the first one?
It should match as described in the link above.
> Like in my config it looks like any /sbin/the-tool instance will match
> "keep_domain any from <kernel>" not "reset_domain /sbin/the-tool from
> any" as I was expecting.
> And adding "no_keep_domain /sbin/the-tool from any" also doesn't help.
> So I'm confused here.
>
I think you can try how domain transition tree would look like, by
removing reset_domain / keep_domain entries and generating via usual
learning steps. You might find that the pathnames you assumed /bin/dd and
/sbin/fw-tool might be recognized as different names (e.g. if /sbin is
a symlink to /usr/sbin , /sbin/fw-tool will be recognized as
/usr/sbin/fw-tool ). After TOMOYO generated domains as detail as possible,
you can design which domains should be compressed.
Also, as far as I saw, you don't need to use policy namespace.
If you don't have reason to use policy namespace, you will be able to
replace reset_domain with initialize_domain .
>
> Regards,
> Roman
>
> _______________________________________________
> tomoyo-users-en mailing list
> tomoyo-users-en@lists.osdn.me
> http://lists.osdn.me/mailman/listinfo/tomoyo-users-en
>
_______________________________________________
tomoyo-users-en mailing list
tomoyo-users-en@lists.osdn.me
http://lists.osdn.me/mailman/listinfo/tomoyo-users-en
