Radoslaw Szkodzinski wrote:
> > >> I think ccs-queryd doesn't have the whole ruleset, am I right?
> >
> > ccs-queryd does not have ruleset, but ccs-queryd can fetch it by reading
> > /proc/ccs/domain_policy . A shortcut "select global-pid=$GPID\n" allows
> > ccs-queryd to fetch ruleset for only specific domain.
> >
>
> Good enough for me, but can I push an update in a similar way?
TOMOYO's policy is manipulated in a way similar to LDAP's LDIF file.
All operations are specified in a diff-like format compared to current.

> Preferably even append to a domain and not replace it whole, but that
> is also ok.

You can append allow_read /etc/fstab to a domain which a process with
global-pid=1234 belongs to by

# ccs-loadpolicy -d
select global-pid=1234
allow_read /etc/fstab
^D
.

You can append allow_read /etc/\* to "<kernel> /foo" domain and delete
allow_read /etc/fstab from "<kernel> /foo" domain by

# ccs-loadpolicy -d
select <kernel> /foo
allow_read /etc/\*
delete allow_read /etc/fstab
^D
.

There is no "replace it whole".

> > If DAC allows stat() syscall on some file or directory, TOMOYO will allow
> > stat() syscall on that file or directory.
>
> But it could get the syscall itself, any security_file_stat() in there?

There is security_inode_getattr() which can reject stat() syscall, but
TOMOYO is not using security_inode_getattr().

> > You don't need to specify "allow_stat" keyword for reading access flags,
> > xattrs, file size and so on because TOMOYO cannot prevent stat() syscall.
>
> And I would like it to. Could be used to hide some more information.
> Perhaps allow_read should also allow_stat to make it easier to use.

Is hiding DAC's mode, filesize, owner/group etc. useful? I don't think so.
If we restrict stat() operation for hiding some more information, we should
restrict readdir() operation as well.

> I'd like then a forced conditional inclusion of a group of rules. Is
> that possible?
> e.g.
> <kernel> /foo
> ...
> include_domain "/uid:1234 /foo" if task.uid=1234
>
> or some other way to pick a whole set of rules based on an uid, so as
> to not reload the whole ruleset when some user decides to accept
> something forever. Looks far better than many
> allow_read /foo/bar/* if task.uid=1234
> allow_read /bar/baz/* if task.uid=2345
> ...

I need to make sure why you tried to use allow_transit keyword.
Guessing from what you wrote

| <kernel> /usr/lib/firefox/firefox-bin
| allow_read cookies
| allow_write cookies
| ...
| allow_network ...
| allow_transit /uid:1234 /usr/lib/firefox/firefox-bin if task.uid=1234
| allow_transit /uid:777 /usr/lib/firefox/firefox-bin if task.uid=2345
| allow_execute /usr/lib/firefox/plugin-container
|
| <kernel> /usr/lib/firefox/firefox-bin /usr/lib/firefox/plugin-container
| allow_stat /store/downloads
| allow_write /store/downloads
| allow_execute flash
| allow_execute java
| ...
|
| <kernel> /uid:1234 /usr/lib/firefox/firefox-bin
| allow_write /home/1234/downloads
| allow_read /home/1234/downloads
| allow_chmod 0770 /home/1234/downloads
| # to allow overwriting
| allow_rename /home/1234/downloads/* /home/1234/downloads/*

you want to allow different permissions based on uid.
You can specify different permissions based on uid without using
allow_transit keyword. If you want to do something like

<kernel> /usr/lib/firefox/firefox-bin
use_profile 4
allow_read @cookies
allow_write @cookies
allow_network TCP connect @servers @ports
allow_execute /usr/lib/firefox/plugin-container
allow_write /home/1234/downloads if task.uid=1234
allow_read /home/1234/downloads if task.uid=1234
allow_chmod 0770 /home/1234/downloads if task.uid=1234
allow_rename /home/1234/downloads/\* /home/1234/downloads/\* if task.uid=1234
allow_write /home/2345/downloads if task.uid=2345
allow_read /home/2345/downloads if task.uid=2345
allow_chmod 0770 /home/2345/downloads if task.uid=2345
allow_rename /home/2345/downloads/\* /home/2345/downloads/\* if task.uid=2345
allow_read /home/2345/uploads/\* if task.uid=2345

<kernel> /usr/lib/firefox/firefox-bin /usr/lib/firefox/plugin-container
use_profile 4
allow_write /store/downloads
allow_execute /path/to/flash
allow_execute /path/to/java

, you can group like below

<kernel> /usr/lib/firefox/firefox-bin
use_profile 4
allow_read @cookies
allow_write @cookies
allow_network TCP connect @servers @ports
allow_execute /usr/lib/firefox/plugin-container
allow_write @downloads if task.uid=path1.uid
allow_read @downloads if task.uid=path1.uid
allow_chmod 0770 @downloads if task.uid=path1.uid
allow_rename /home/\*/downloads/\* /home/\*/downloads/\* if task.uid=path1.uid
allow_read /home/2345/uploads/\* if task.uid=2345

<kernel> /usr/lib/firefox/firefox-bin /usr/lib/firefox/plugin-container
use_profile 4
allow_write /store/downloads
allow_execute /path/to/flash
allow_execute /path/to/java

with below group definitions defined in exception policy.

path_group cookies /home/\*/cookies/\*
path_group downloads /home/\*/downloads
address_group servers 10.0.0.1-10.255.255.255
address_group servers 192.168.1.1-192.168.255.255
number_group ports 80
number_group ports 443

If a user with uid=1234 decided to accept "allow_write /dev/null" forever,
you can do

# ccs-loadpolicy -d
select <kernel> /usr/lib/firefox/firefox-bin
allow_write /dev/null if task.uid=1234
^D
.

> > If targets are specified like
> >
> > <kernel> /foo5
> > use_profile 2
> > allow_execute /bin/ls
> > allow_read /etc/fstab
> > ask_execute /bin/bash
> >
> > where execute request for /bin/bash is sent to /proc/ccs/query
> > interface, it might make sense. That would be blacklisting approach.
> >
> > Do you want TOMOYO to support blacklisting approach?
>
> That should work already, setting mode=permissive then adding deny_*, right?
> But yes, I'd like that. It could also be useful to trim down wide
> allow_* rules with a few exceptions.
> Of course the blacklist rule would have to be higher priority than the
> one which allows the access...
>
> Better example would be:
> <kernel> /foo5
> # permissive with query=yes
> use_profile 6
> # and this goes to ccs-queryd, which sees profile==6 and asks.
> deny_execute /bin/bash

What happens if /bin/bash is linked to /tmp/bash and /tmp/bash is requested?
/tmp/bash will be executed without letting ccs-queryd ask.
Unless mode=enforcing, blacklisting does not help so much.

Regards.
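As an added illustration (not code from this thread or from TOMOYO itself), the following Python script simulates the diff-style semantics of "ccs-loadpolicy -d" described above: "select" picks a domain by name or by global-pid, "delete" removes one rule, any other line appends one rule, and nothing is replaced whole. The sample domain policy and the pid-to-domain table are constructed here; in real TOMOYO the kernel resolves global-pid.

```python
from collections import OrderedDict

# Constructed sample of /proc/ccs/domain_policy output (not from the thread).
SAMPLE_POLICY = """
<kernel> /foo
use_profile 2
allow_read /etc/fstab
"""

# Constructed table used to resolve "select global-pid=N" (the kernel does
# this lookup in real TOMOYO).
PID_TO_DOMAIN = {1234: "<kernel> /foo"}


def parse_domain_policy(text):
    """Parse domain_policy text into an ordered {domain: [rule, ...]} map."""
    policy, current = OrderedDict(), None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith("<kernel>"):
            current = line
            policy.setdefault(current, [])
        elif current is not None:
            policy[current].append(line)
    return policy


def apply_update(policy, update, pid_to_domain=PID_TO_DOMAIN):
    """Apply an update stream with ccs-loadpolicy -d semantics: 'select ...'
    picks the target domain (by name or global-pid), 'delete <rule>' removes
    one rule, any other line appends one rule. Nothing is replaced whole."""
    target = None
    for line in (l.strip() for l in update.splitlines()):
        if not line:
            continue
        if line.startswith("select "):
            selector = line[len("select "):]
            if selector.startswith("global-pid="):
                target = pid_to_domain[int(selector.split("=", 1)[1])]
            else:
                target = selector
            policy.setdefault(target, [])
        elif target is None:
            raise ValueError("rule before any 'select': " + line)
        elif line.startswith("delete "):
            rule = line[len("delete "):]
            if rule in policy[target]:
                policy[target].remove(rule)
        elif line not in policy[target]:
            policy[target].append(line)
    return policy
```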
_______________________________________________
tomoyo-users-en mailing list
[email protected]
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en
