Paolo Bolzoni
2013-03-26 15:46:48 UTC
Dear list,
I am using Linux 3.8.4 and tomoyo-tools 2.5.0, and I want to sandbox
the skype process.
I installed tomoyo, added the kernel line and followed the instructions
from the Arch Linux wiki (0). The wiki presents a domain_policy.conf
file and an exception_policy.conf. The two files seem reasonable to
me, and seem a good starting point to eventually fine-tune.
(0) https://wiki.archlinux.org/index.php/Skype#TOMOYO
Unfortunately, with those settings Skype does not start at all, and
I cannot understand the reason. I started tomoyo-auditd and checked
/var/log/tomoyo/reject_003.log to understand what is wrong.
I copied part of reject_003.log at the bottom of the email. The
first entry is expected, as the original configuration file did
not mention infinality, and I fixed it with two new lines in
domain_policy.conf:
file read /etc/fonts/infinality/styles.conf.avail/infinality/\*.conf
file read /etc/fonts/infinality/\*.conf
After updating the configuration and restarting Skype, those lines disappear.
But the next lines completely puzzle me: the path_group in
exception_policy.conf contains all the files and directories under
~/.Skype, and in domain_policy.conf the lines
file create @SKYPE_FILES 0666
file read/write/unlink/truncate @SKYPE_FILES
should ensure that Skype can do whatever it needs in that directory.
Why is TOMOYO stopping the request?
Thanks for any insight,
Paolo
#2013/03/26 15:33:04# profile=3 mode=enforcing granted=no
(global-pid=12304) task={ pid=12304 ppid=8058 uid=1000 gid=1000
euid=1000 egid=1000 suid=1000 sgid=1000 fsuid=1000 fsgid=1000 }
path1={ uid=0 gid=0 ino=192620 major=0 minor=17 perm=0644 type=file }
path1.parent={ uid=0 gid=0 ino=192609 perm=0755 }
<kernel> /usr/lib32/skype/skype
file read /etc/fonts/infinality/styles.conf.avail/infinality/52-infinality.conf
#2013/03/26 15:33:04# profile=3 mode=enforcing granted=no
(global-pid=12314) task={ pid=12304 ppid=8058 uid=1000 gid=1000
euid=1000 egid=1000 suid=1000 sgid=1000 fsuid=1000 fsgid=1000 }
path1.parent={ uid=1000 gid=1000 ino=53455 perm=0700 }
<kernel> /usr/lib32/skype/skype
file create /home/paolo/.Skype/shared_dynco/dc.lock 0600
#2013/03/26 15:33:04# profile=3 mode=enforcing granted=no
(global-pid=12314) task={ pid=12304 ppid=8058 uid=1000 gid=1000
euid=1000 egid=1000 suid=1000 sgid=1000 fsuid=1000 fsgid=1000 }
path1.parent={ uid=1000 gid=1000 ino=53455 perm=0700 }
<kernel> /usr/lib32/skype/skype
file create /home/paolo/.Skype/shared_dynco/dc.lock 0600
[...]
#2013/03/26 15:33:05# profile=3 mode=enforcing granted=no
(global-pid=12314) task={ pid=12304 ppid=8058 uid=1000 gid=1000
euid=1000 egid=1000 suid=1000 sgid=1000 fsuid=1000 fsgid=1000 }
path1.parent={ uid=1000 gid=1000 ino=53475 perm=0700 }
<kernel> /usr/lib32/skype/skype
file create /home/paolo/.Skype/paolo_bolzoni/config.tmp 0600
#2013/03/26 15:33:05# profile=3 mode=enforcing granted=no
(global-pid=12318) task={ pid=12304 ppid=8058 uid=1000 gid=1000
euid=1000 egid=1000 suid=1000 sgid=1000 fsuid=1000 fsgid=1000 }
path1={ uid=0 gid=0 ino=93211 major=0 minor=17 perm=0755 type=file }
path1.parent={ uid=0 gid=0 ino=93206 perm=0755 }
<kernel> /usr/lib32/skype/skype
file read /usr/lib32/libv4l/plugins/libv4l-mplane.so
[...]
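The reject entries Paolo quotes record the create mode Skype asked for (0600), while the policy line he cites grants "file create @SKYPE_FILES 0666"; in TOMOYO 2.x that numeric argument is part of the rule, so a rule written for one mode does not cover a request for a different one. As an added example, not code from the original mail, the Arch wiki or tomoyo-tools, the script below replays entries in the reject_003.log format against a small model of the posted policy, reports why each one is still denied, and emits the policy lines that would grant them. The log text is constructed from the entries quoted above; the contents of the SKYPE_FILES path_group and the min-max range form of the mode argument are assumptions.

```python
r"""Replay tomoyo-auditd reject entries against a candidate TOMOYO domain policy.

Added example; not code from the original mail, the Arch wiki or tomoyo-tools.
The log text is constructed from the entries quoted in the post; the path_group
contents are an assumption (the post does not show them).  The matcher is a
small model of TOMOYO 2.x semantics: only the \* wildcard is supported in paths,
and the numeric argument of "file create" is part of the rule, written either
as one octal value or (assumed) as a min-max range.
"""
import re

REJECT_LOG = r"""
#2013/03/26 15:33:04# profile=3 mode=enforcing granted=no
(global-pid=12304) task={ pid=12304 ppid=8058 uid=1000 gid=1000
euid=1000 egid=1000 suid=1000 sgid=1000 fsuid=1000 fsgid=1000 }
path1={ uid=0 gid=0 ino=192620 major=0 minor=17 perm=0644 type=file }
path1.parent={ uid=0 gid=0 ino=192609 perm=0755 }
<kernel> /usr/lib32/skype/skype
file read /etc/fonts/infinality/styles.conf.avail/infinality/52-infinality.conf
#2013/03/26 15:33:04# profile=3 mode=enforcing granted=no
(global-pid=12314) task={ pid=12304 ppid=8058 uid=1000 gid=1000
euid=1000 egid=1000 suid=1000 sgid=1000 fsuid=1000 fsgid=1000 }
path1.parent={ uid=1000 gid=1000 ino=53455 perm=0700 }
<kernel> /usr/lib32/skype/skype
file create /home/paolo/.Skype/shared_dynco/dc.lock 0600
#2013/03/26 15:33:05# profile=3 mode=enforcing granted=no
(global-pid=12318) task={ pid=12304 ppid=8058 uid=1000 gid=1000
euid=1000 egid=1000 suid=1000 sgid=1000 fsuid=1000 fsgid=1000 }
path1={ uid=0 gid=0 ino=93211 major=0 minor=17 perm=0755 type=file }
path1.parent={ uid=0 gid=0 ino=93206 perm=0755 }
<kernel> /usr/lib32/skype/skype
file read /usr/lib32/libv4l/plugins/libv4l-mplane.so
"""

# exception_policy.conf (assumed): ~/.Skype contents one and two levels deep
PATH_GROUPS = {
    "SKYPE_FILES": [r"/home/\*/.Skype/\*", r"/home/\*/.Skype/\*/\*"],
}

# domain_policy.conf: the lines quoted in the post, including the infinality fix
DOMAIN_POLICY = {
    "<kernel> /usr/lib32/skype/skype": [
        r"file read /etc/fonts/infinality/styles.conf.avail/infinality/\*.conf",
        r"file read /etc/fonts/infinality/\*.conf",
        r"file create @SKYPE_FILES 0666",
        r"file read/write/unlink/truncate @SKYPE_FILES",
    ],
}


def parse_rejects(text):
    """Return (domain, request) pairs for every granted=no entry in the log."""
    entries, denied, domain = [], False, None
    for line in text.splitlines():
        if line.startswith("#"):                 # entry header
            denied, domain = "granted=no" in line, None
        elif line.startswith("<kernel>"):        # domain the request came from
            domain = line.strip()
        elif line.startswith("file ") and denied and domain:
            entries.append((domain, line.strip()))
    return entries


def pattern_to_regex(pattern):
    """TOMOYO path pattern to regex: \\* matches any run of non-'/' characters."""
    out, i = "^", 0
    while i < len(pattern):
        if pattern.startswith(r"\*", i):
            out, i = out + "[^/]*", i + 2
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return out + "$"


def path_matches(spec, path):
    """spec is a path pattern or an @group reference (expanded recursively)."""
    if spec.startswith("@"):
        return any(path_matches(p, path) for p in PATH_GROUPS[spec[1:]])
    return re.match(pattern_to_regex(spec), path) is not None


def number_matches(spec, value):
    """Octal mode spec, either a single value ('0600') or a range ('0600-0666')."""
    lo, _, hi = spec.partition("-")
    return int(lo, 8) <= int(value, 8) <= int(hi or lo, 8)


def explain(domain, request, policy=DOMAIN_POLICY):
    """Return (granted, reason) for one 'file OP PATH [MODE]' request line."""
    _, op, path, *rest = request.split()
    mode = rest[0] if rest else None
    near_misses = []
    for rule in policy.get(domain, []):
        _, ops, rpath, *rrest = rule.split()
        if op not in ops.split("/") or not path_matches(rpath, path):
            continue
        if mode is None or not rrest or number_matches(rrest[0], mode):
            return True, rule
        near_misses.append(f"path matches {rule!r} but mode {mode} is not {rrest[0]}")
    return False, "; ".join(near_misses) or "no rule matches the path"


def suggest(log=REJECT_LOG, policy=DOMAIN_POLICY):
    """Policy lines that would grant the still-denied requests, written against
    the path_group name when the path is already a member of that group."""
    lines = []
    for domain, request in parse_rejects(log):
        if explain(domain, request, policy)[0]:
            continue
        _, op, path, *rest = request.split()
        for group, patterns in PATH_GROUPS.items():
            if any(path_matches(p, path) for p in patterns):
                path = "@" + group
        line = " ".join(["file", op, path] + rest)
        if line not in lines:
            lines.append(line)
    return lines
```

Running explain() over the three entries shows the infinality read is now covered, the dc.lock create fails only on the mode argument (the path is a member of SKYPE_FILES), and the libv4l plugin read has no rule at all; suggest() then returns "file create @SKYPE_FILES 0600" and a literal read line for the plugin. Whether to widen the create rule to a range or add a second 0600 line is a policy choice; the narrower the mode set, the less a compromised Skype can create with unexpected permissions.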