Discussion:
[tomoyo-users-en 669] Command line policy management and port management
Rahmadi Trimananda
2017-04-04 04:58:06 UTC
Hello,

I am a new Tomoyo user and I've been trying to read the Tomoyo
documentation (https://tomoyo.osdn.jp/2.5/index.html.en) for the past
couple days. I've got 2 questions:

1) I seem to get the impression that Tomoyo policy needs to be developed through
a learning process and then small edits to adjust it. Is there any way
that I can specify policies from the command line? I am looking for something like
Linux iptables. Could you point me to the right documentation?

2) Does Tomoyo still support IP network management, such as protocol (TCP,
UDP, port numbers, etc.)? I seem to have Tomoyo version 2.X but I think I
still need to do Kernel recompilation (I am using Raspbian for RaspberryPi,
a variant of Debian).

Thank you!

Regards,
Rahmadi
Tetsuo Handa
2017-04-04 10:41:59 UTC
Hello.
Post by Rahmadi Trimananda
Hello,
I am a new Tomoyo user and I've been trying to read the Tomoyo
documentation (https://tomoyo.osdn.jp/2.5/index.html.en) for the past
1) I seem to get the impression that Tomoyo policy needs to be developed through
a learning process and then small edits to adjust it. Is there any way
that I can specify policies from the command line? I am looking for something like
Linux iptables. Could you point me to the right documentation?
Yes, tomoyo-loadpolicy is a way to specify policies from command line.
https://tomoyo.osdn.jp/2.5/man-pages/tomoyo-loadpolicy.html.en
Post by Rahmadi Trimananda
2) Does Tomoyo still support IP network management, such as protocol (TCP,
UDP, port numbers, etc.)? I seem to have Tomoyo version 2.X but I think I
still need to do Kernel recompilation (I am using Raspbian for RaspberryPi,
a variant of Debian).
Yes, though TOMOYO differs from iptables in that TOMOYO checks permissions
at the system call layer.
https://tomoyo.osdn.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet

Hints at https://tomoyo.osdn.jp/2.5/yocto-arm.html.en will be helpful
even if you are using Raspbian.
Post by Rahmadi Trimananda
Thank you!
Regards,
Rahmadi
Rahmadi Trimananda
2017-04-04 20:27:12 UTC
Thank you! I managed to install Tomoyo on my system and it's working well.
:)

I have another question about something that I hope is doable on Tomoyo.

So, I am experimenting with a folder (shown below):

***@raspberrypi:~/tomoyo/test $ ls
a.out save Test2.class test2.txt Test.class test.txt
edit stat Test2.java test.c Test.java

Basically, I wish to create separate domains for different java executions.
So, as I have 2 class files, I would like to create separate domains for
"java Test" and "java Test2". I've been trying to use initialize_domain and
no_initialize_domain in Exception Policy Editor but no success yet. It
seems that no_initialize_domain only works if the application is run from
different paths? Need your insights/advice to make this work. Thank you!

Regards,
Rahmadi


--
Kind regards,
Rahmadi Trimananda

Ph.D. student @ University of California, Irvine
"Stay hungry, stay foolish!" - Steve Jobs -
Tetsuo Handa
2017-04-04 21:40:54 UTC
Post by Rahmadi Trimananda
Thank you! I managed to install Tomoyo on my system and it's working well.
:)
Good.
Post by Rahmadi Trimananda
I have another question about something that I hope is doable on Tomoyo.
a.out save Test2.class test2.txt Test.class test.txt
edit stat Test2.java test.c Test.java
Basically, I wish to create separate domains for different java executions.
So, as I have 2 class files, I would like to create separate domains for
"java Test" and "java Test2". I've been trying to use initialize_domain and
no_initialize_domain in Exception Policy Editor but no success yet. It
seems that no_initialize_domain only works if the application is run from
different paths? Need your insights/advice to make this work. Thank you!
Please use wrapper programs:

---------- run_Test1 start ----------
#!/bin/sh
exec /usr/bin/java Test
---------- run_Test1 end ----------

---------- run_Test2 start ----------
#!/bin/sh
exec /usr/bin/java Test2
---------- run_Test2 end ----------

and specify the paths to these wrapper programs instead of /usr/bin/java .

If Test.java and Test2.java can be updated to write to the
/sys/kernel/security/tomoyo/self_domain interface, you can specify,
for example,

<kernel> /usr/bin/java
task manual_domain_transition <kernel> //Test
task manual_domain_transition <kernel> //Test2

<kernel> //Test

<kernel> //Test2

instead.

http://tomoyo.osdn.jp/2.5/policy-specification/domain-transition-procedure.html.en#transition_by_non_execute
Post by Rahmadi Trimananda
Regards,
Rahmadi
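One way Test.java and Test2.java could perform the self_domain write described above, as an added example that is not part of the thread or of the TOMOYO project (the TomoyoDomain class and its method names are invented here; the kernel refuses the write with EPERM unless the current domain holds the matching "task manual_domain_transition" entry):

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;

/** Hypothetical helper around TOMOYO's self_domain interface (constructed for this example). */
public final class TomoyoDomain {
    private static final Path SELF_DOMAIN =
            Paths.get("/sys/kernel/security/tomoyo/self_domain");

    /** Reading self_domain returns the calling process's current domain name. */
    public static String current() throws IOException {
        return new String(Files.readAllBytes(SELF_DOMAIN), StandardCharsets.UTF_8).trim();
    }

    /**
     * Writing a domain name to self_domain moves the calling process into that domain.
     * Allowed only if the current domain has "task manual_domain_transition <target>",
     * as in the domain policy quoted in the reply above.
     */
    public static void transitionTo(String target) throws IOException {
        // WRITE only: no O_CREAT / O_TRUNC, which a securityfs entry does not need
        try (OutputStream out = Files.newOutputStream(SELF_DOMAIN, StandardOpenOption.WRITE)) {
            out.write((target + "\n").getBytes(StandardCharsets.UTF_8));
        }
        // Re-read to confirm the kernel actually switched us (belt and braces)
        String now = current();
        if (!now.equals(target)) {
            throw new IOException("transition to " + target + " refused; still in " + now);
        }
    }

    /** What Test.java's main would do first; Test2.java would use "<kernel> //Test2". */
    public static void main(String[] args) throws IOException {
        System.out.println("before: " + current());   // e.g. <kernel> /usr/bin/java
        transitionTo("<kernel> //Test");
        System.out.println("after:  " + current());   // <kernel> //Test
        // the real work of Test follows here, confined by the <kernel> //Test domain
    }
}
```

Everything the program does after transitionTo() returns is checked against the policy of "<kernel> //Test" rather than "<kernel> /usr/bin/java", which is what makes the two class files separately confinable without the wrapper scripts.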