Milton Yates wrote:
> I'm starting with Tomoyo, could you advise if policies written for 2.3 
> can be easily ported to 2.4?

Sorry, policies cannot be ported to other versions.

/etc/tomoyo/policy/current/profile.conf and /etc/tomoyo/stat.conf for TOMOYO
2.4 can be created by executing /usr/lib/tomoyo/init_policy for TOMOYO 2.4.

/etc/tomoyo/policy/current/manager.conf for TOMOYO 2.4 can be reused by
removing the /usr/sbin/tomoyo-ld-watch line from /etc/tomoyo/manager.conf for
TOMOYO 2.3.

Regarding /etc/tomoyo/policy/current/domain_policy.conf and
/etc/tomoyo/policy/current/exception_policy.conf , there is no means to
automatically convert from TOMOYO 2.3. But if you want to understand what
converting policies from TOMOYO 2.3 to TOMOYO 2.4 would look like, you can
read the awk scripts below for a rough estimate. Note that these scripts are not
for actual use. You should recreate policy files so that you can obtain better
policies that make use of the capabilities of TOMOYO 2.4.
----------------------------------------
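#! /bin/awk -f

# This script tries to convert /etc/tomoyo/domain_policy.conf for TOMOYO 2.3 to
# /etc/tomoyo/policy/current/domain_policy.conf for TOMOYO 2.4.
# But since there are many changes, this script cannot do perfect conversion.
#
# Usage:  awk -f <this script> /etc/tomoyo/domain_policy.conf > converted.conf
# The "-f" on the shebang line is what makes the file runnable directly; a
# bare "#! /bin/awk" would hand awk the script's own path as program text.
#
# Each input line is passed through unchanged, renamed in place, or (for
# domain names) followed by one extra line. Review the result before loading
# it: the "allow_write" mapping grants more than the 2.3 rule did (see below),
# and every domain is placed in group 0, so it picks up whatever "acl_group 0"
# entries the converted exception policy defines.

{

# Domainnames in TOMOYO 2.3 are reusable in TOMOYO 2.4.
if ($1 == "<kernel>") {
        print $0;
        # Each domain in TOMOYO 2.4 has "use_group" directive.
        print "use_group 0";
        next;
}

# "use_profile" directive in TOMOYO 2.3 is reusable in TOMOYO 2.4.
if ($1 == "use_profile") {
        print $0;
        next;
}

# Other directives in TOMOYO 2.3 have been renamed from "allow_..." style to
# "file ..." style. Thus, rename directives as needed.
#
# Also, TOMOYO 2.4 replaced combination of "deny_rewrite" in exception policy
# and "allow_rewrite" in domain policy with "file write" or "file append" in
# domain policy.
# But since "deny_rewrite" was by default applied to only /var/log/ files,
# we cannot determine whether the files outside /var/log/ were opened for
# overwriting mode or not. Thus, rename "allow_write" to "file write/append".
# Consequence: a 2.3 rule that was effectively append-only (allow_write on a
# deny_rewrite path without allow_rewrite) becomes full write here; narrow
# such lines back to "file append" by hand where that was the intent.
#
# Assigning to $1 makes awk rebuild $0 with single-space separators; the
# remaining fields are untouched at this point.
if ($1 == "allow_read/write")
        $1 = "file read/write/append";
else if ($1 == "allow_read")
        $1 = "file read";
else if ($1 == "allow_write")
        $1 = "file write/append";
else if ($1 == "allow_execute")
        $1 = "file execute";
else if ($1 == "allow_create")
        $1 = "file create";
else if ($1 == "allow_unlink")
        $1 = "file unlink";
else if ($1 == "allow_mkdir")
        $1 = "file mkdir";
else if ($1 == "allow_rmdir")
        $1 = "file rmdir";
else if ($1 == "allow_mkfifo")
        $1 = "file mkfifo";
else if ($1 == "allow_mksock")
        $1 = "file mksock";
else if ($1 == "allow_truncate")
        $1 = "file truncate";
else if ($1 == "allow_symlink")
        $1 = "file symlink";
else if ($1 == "allow_mkblock")
        $1 = "file mkblock";
else if ($1 == "allow_mkchar")
        $1 = "file mkchar";
else if ($1 == "allow_link")
        $1 = "file link";
else if ($1 == "allow_rename")
        $1 = "file rename";
else if ($1 == "allow_chmod")
        $1 = "file chmod";
else if ($1 == "allow_chown")
        $1 = "file chown";
else if ($1 == "allow_chgrp")
        $1 = "file chgrp";
else if ($1 == "allow_ioctl")
        $1 = "file ioctl";
else if ($1 == "allow_chroot")
        $1 = "file chroot";
else if ($1 == "allow_mount")
        $1 = "file mount";
else if ($1 == "allow_unmount")
        $1 = "file unmount";
else if ($1 == "allow_pivot_root")
        $1 = "file pivot_root";

# TOMOYO 2.4 uses filesystem's name as prefix if the filesystem where
# the file resides does not support rename operation.
# This script handles only typical filesystems on typical locations.
# You will likely need to convert manually.
#
# Every field after the directive is a candidate pathname. The prefix tests
# are ordered from most to least specific ("/proc/bus/usb/" and
# "/proc/sys/fs/binfmt_misc/" before "/proc/", "/sys/kernel/..." before
# "/sys/"), so do not reorder them. substr($i, N) starts at the last byte of
# the N-byte prefix, i.e. the trailing "/", which keeps the leading "/" of
# the new pathname.
for (i = 2; i <= NF; i++) {
        if (substr($i, 1, 14) == "/proc/bus/usb/")
                $i = "usbfs:" substr($i, 14);
        else if (substr($i, 1, 25) == "/proc/sys/fs/binfmt_misc/")
                $i = "binfmt_misc:" substr($i, 25);
        else if (substr($i, 1, 6) == "/proc/")
                $i = "proc:" substr($i, 6);
        else if (substr($i, 1, 21) == "/sys/kernel/security/")
                $i = "securityfs:" substr($i, 21);
        else if (substr($i, 1, 18) == "/sys/kernel/debug/")
                $i = "debugfs:" substr($i, 18);
        else if (substr($i, 1, 5) == "/sys/")
                $i = "sysfs:" substr($i, 5);
        else if (substr($i, 1, 9) == "/dev/pts/")
                $i = "devpts:" substr($i, 9);
        else if (substr($i, 1, 24) == "/var/lib/nfs/rpc_pipefs/")
                $i = "rpc_pipefs:" substr($i, 24);
        # The 2.3 wildcard form for sockets is spelled out per attribute in 2.4.
        else if ($i == "socket:[\\$]")
                $i = "socket:[family=\\$:type=\\$:protocol=\\$]";
}

# There will be other files that need to be renamed. For example,
# /etc/tomoyo/domain_policy.\$-\$-\$.\$:\$:\$.conf in TOMOYO 2.3 needs to be
# renamed to /etc/tomoyo/policy/\*/domain_policy.conf in TOMOYO 2.4.

# Lines not matched above (including blank lines) are emitted unchanged.
print $0;

}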
----------------------------------------
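#! /bin/awk -f

# This script tries to convert /etc/tomoyo/exception_policy.conf for TOMOYO 2.3
# to /etc/tomoyo/policy/current/exception_policy.conf for TOMOYO 2.4.
# But since there are many changes, this script cannot do perfect conversion.
#
# Usage:  awk -f <this script> /etc/tomoyo/exception_policy.conf > converted.conf
# The "-f" on the shebang line is what makes the file runnable directly; a
# bare "#! /bin/awk" would hand awk the script's own path as program text.
#
# Only "allow_read", "file_pattern" and "deny_rewrite" lines are treated
# specially; every other line is passed through unchanged, so check the
# output for directives this script does not know about. The END block then
# appends a fixed set of global entries.

{

# Exception policy for TOMOYO 2.4 uses "acl_group" directive.
# An "allow_read" line carries a single pathname in $2, so only that field is
# given the 2.4 filesystem prefix. The prefix tests are ordered from most to
# least specific ("/proc/bus/usb/" and "/proc/sys/fs/binfmt_misc/" before
# "/proc/", "/sys/kernel/..." before "/sys/"); substr($i, N) starts at the
# trailing "/" of the N-byte prefix, which keeps the leading "/" of the new
# pathname.
if ($1 == "allow_read") {
        $1 = "acl_group 0 file read";
        i = 2;
        if (substr($i, 1, 14) == "/proc/bus/usb/")
                $i = "usbfs:" substr($i, 14);
        else if (substr($i, 1, 25) == "/proc/sys/fs/binfmt_misc/")
                $i = "binfmt_misc:" substr($i, 25);
        else if (substr($i, 1, 6) == "/proc/")
                $i = "proc:" substr($i, 6);
        else if (substr($i, 1, 21) == "/sys/kernel/security/")
                $i = "securityfs:" substr($i, 21);
        else if (substr($i, 1, 18) == "/sys/kernel/debug/")
                $i = "debugfs:" substr($i, 18);
        else if (substr($i, 1, 5) == "/sys/")
                $i = "sysfs:" substr($i, 5);
        else if (substr($i, 1, 9) == "/dev/pts/")
                $i = "devpts:" substr($i, 9);
        else if (substr($i, 1, 24) == "/var/lib/nfs/rpc_pipefs/")
                $i = "rpc_pipefs:" substr($i, 24);
        # The 2.3 wildcard form for sockets is spelled out per attribute in 2.4.
        else if ($i == "socket:[\\$]")
                $i = "socket:[family=\\$:type=\\$:protocol=\\$]";
}
# TOMOYO 2.4 no longer supports learning patterned pathnames in the kernel.
# Patterning is done in the userland using /usr/sbin/tomoyo-patternize .
else if ($1 == "file_pattern")
        next;
# TOMOYO 2.4 no longer uses "deny_rewrite" + "allow_rewrite".
# Dropping these lines removes the overwrite protection they gave; the
# corresponding domain-policy conversion has to express it with
# "file write" / "file append" instead.
else if ($1 == "deny_rewrite")
        next;

# Everything else (including blank lines) is emitted unchanged.
print $0;

}

END {

# Some of entries that will be added by executing /usr/lib/tomoyo/init_policy
# for TOMOYO 2.4.
# This is a partial list; prefer running init_policy to get the complete set.
# Note that these entries go into acl_group 0 and therefore apply to every
# domain that the converted domain policy gives "use_group 0".

print "number_group COMMON_IOCTL_CMDS 0x5401"
print "path_group ANY_DIRECTORY /"
print "path_group ANY_DIRECTORY /\\{\\*\\}/"
print "path_group ANY_DIRECTORY \\*:/"
print "path_group ANY_DIRECTORY \\*:/\\{\\*\\}/"
print "path_group ANY_PATHNAME /"
print "path_group ANY_PATHNAME /\\*"
print "path_group ANY_PATHNAME /\\{\\*\\}/"
print "path_group ANY_PATHNAME /\\{\\*\\}/\\*"
print "path_group ANY_PATHNAME \\*:/"
print "path_group ANY_PATHNAME \\*:/\\*"
print "path_group ANY_PATHNAME \\*:/\\{\\*\\}/"
print "path_group ANY_PATHNAME \\*:/\\{\\*\\}/\\*"
print "path_group ANY_PATHNAME \\*:[\\$]"
print "acl_group 0 file ioctl @ANY_PATHNAME @COMMON_IOCTL_CMDS"
print "acl_group 0 file read /etc/ld.so.cache"
print "acl_group 0 file read /etc/locale.alias"
print "acl_group 0 file read /lib/ld-2.\\*.so"
print "acl_group 0 file read /lib/lib\\*.so\\*"
print "acl_group 0 file read /lib/tls/ld-2.\\*.so"
print "acl_group 0 file read /lib/tls/lib\\*.so\\*"
print "acl_group 0 file read /usr/X11R6/lib/lib\\*.so\\*"
print "acl_group 0 file read /usr/lib/i486/lib\\*.so\\*"
print "acl_group 0 file read /usr/lib/i586/lib\\*.so\\*"
print "acl_group 0 file read /usr/lib/i686/cmov/lib\\*.so\\*"
print "acl_group 0 file read /usr/lib/i686/lib\\*.so\\*"
print "acl_group 0 file read /usr/lib/lib\\*.so\\*"
print "acl_group 0 file read proc:/meminfo"
print "acl_group 0 file read proc:/sys/kernel/version"

# TOMOYO 2.4 checks file's getattr permission.
print "acl_group 0 file getattr @ANY_PATHNAME"

# TOMOYO 2.4 checks directory's read permission.
print "acl_group 0 file read @ANY_DIRECTORY"

# TOMOYO 2.4 uses proc:/self when accessing current thread's information.
# TOMOYO 2.3 was using /proc/\\$ even when accessing only current thread's
# information. Since we cannot determine whether granting access to only
# current thread's information is sufficient or not, we globally grant
# read access to current thread's information.
print "acl_group 0 file read proc:/self/\\*"
print "acl_group 0 file read proc:/self/\\{\\*\\}/\\*"

}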
----------------------------------------
