Rahmadi Trimananda wrote:
> Thanks! The wrapper programs work well. I was thinking about doing that
> too, but I think I made a mistake in that I didn't use "exec", so I didn't
> get a different domain for each java execution and just got the domains for
> the shell scripts.

OK.

> I am not really clear about the second option that uses self_domain
> interface. Do you mean in Test.java and Test2.java I need to make a section
> of code that writes into /sys/kernel/security/tomoyo/self_domain?

Right.

> Do we have a program that allows this writing, e.g. tomoyo-loadpolicy? Or
> do we simply have to make edits directly to that file?

mod_tomoyo.c in https://tomoyo.osdn.jp/2.5/chapter-13.html.en explains how to use that interface from Apache 2. Any process which can write using a file descriptor of /sys/kernel/security/tomoyo/self_domain can use that interface because its permission is set to 0666. But only domainnames explicitly specified in the policy will be permitted.

> The TOMOYO webpage says: "This can be used to split permissions without
> requiring an execution, but the application must be modified to write to
> the interface at the appropriate time."
> https://tomoyo.osdn.jp/2.5/policy-specification/domain-policy-syntax.html.en#task_manual_domain_transition
>
> When is this appropriate time? Then am I going to be able to see the 2
> domains using tomoyo-editpolicy and do the training for both domains so
> that I don't have to generate the policies from scratch?

Please be careful that the second option will not work unless you can give "task manual_domain_transition" permissions to the domain for /usr/bin/java before you try to launch Test/Test2 recompiled with a section of code added.

By the way, 2 more options are explained at https://tomoyo.osdn.jp/2.5/policy-specification/domain-transition-procedure.html.en#transition_by_execute .

The third option is to use symbolic links (or hard links) like

  mkdir -p /usr/local/test/bin /usr/local/test2/bin
  ln -s /usr/bin/java /usr/local/test/bin/java
  ln -s /usr/bin/java /usr/local/test2/bin/java

and launch like

  /usr/local/test/bin/java Test
  /usr/local/test2/bin/java Test2

because TOMOYO can transit domains based on symbolic/hard link's pathnames when executing programs.

The fourth option is to explicitly specify domainnames like

  file execute /usr/bin/java //Test exec.argc=2 exec.argv[1]="Test"
  file execute /usr/bin/java //Test2 exec.argc=2 exec.argv[1]="Test2"

because it overrides domain transition control directives in exception policy.

You can choose from 4 options. Please choose one that suits your case. Option 1 (use wrapper programs) and option 3 (use symbolic link or hard link) would suit better when you try to generate the policies from scratch. If you already know the domain for launching /usr/bin/java, option 4 would suit.

> Apologies for having too many questions. :) The documentation on
> self_domain seems to be very little.
>
> Regards,
> Rahmadi

_______________________________________________
tomoyo-users-en mailing list
tomoyo-users-en@lists.osdn.me
http://lists.osdn.me/mailman/listinfo/tomoyo-users-en
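Option 1 (wrapper programs) only yields a separate domain per Java launch when the wrapper uses "exec", as noted at the top of the thread. The following added example is not from this thread or from the TOMOYO project: it uses a constructed stand-in for /usr/bin/java that merely prints its PID, so it runs without TOMOYO, and shows that only the exec form keeps the launched program in the wrapper's own process (and therefore in the wrapper's domain rather than a further child domain).

```shell
#!/bin/sh
# Added example, not from the thread or the TOMOYO project. "java" is a
# constructed stand-in (a shell printing its own PID). TOMOYO attaches the
# domain to the process that executes a program, so comparing PIDs is a
# proxy for "which process, and thus which domain, the program ends up in".

make_wrappers() {
    dir="$1"
    # Wrapper WITHOUT exec: the shell forks a child for the program, so the
    # program gets a new PID; the wrapper's domain only covered the shell.
    cat > "$dir/wrap-noexec" <<'EOF'
#!/bin/sh
echo "wrapper=$$"
sh -c 'echo "java=$$"'        # stand-in for: /usr/bin/java Test
exit $?
EOF
    # Wrapper WITH exec: the shell image is replaced by the program and the
    # PID is preserved, so the program really runs as the wrapper's process.
    cat > "$dir/wrap-exec" <<'EOF'
#!/bin/sh
echo "wrapper=$$"
exec sh -c 'echo "java=$$"'   # stand-in for: exec /usr/bin/java Test
EOF
    chmod +x "$dir/wrap-noexec" "$dir/wrap-exec"
}

# Runs a wrapper and reports whether the launched program kept the wrapper's
# PID: prints "same" (exec form) or "different" (plain fork form).
check_wrapper() {
    out=$(sh "$1")
    wrapper_pid=$(printf '%s\n' "$out" | sed -n 's/^wrapper=//p')
    java_pid=$(printf '%s\n' "$out" | sed -n 's/^java=//p')
    if [ -n "$wrapper_pid" ] && [ "$wrapper_pid" = "$java_pid" ]; then
        echo same
    else
        echo different
    fi
}

# Stand-alone demo: wrap-noexec reports "different", wrap-exec reports "same".
demo_dir=$(mktemp -d)
make_wrappers "$demo_dir"
for w in wrap-noexec wrap-exec; do
    printf '%-12s -> %s\n' "$w" "$(check_wrapper "$demo_dir/$w")"
done
rm -rf "$demo_dir"
```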