[tomoyo-users-en 507] Feature-request-for-exception-policy-and-bug-in-tomoyo-checkpolicy?
Torsten Ww
2012-07-30 15:59:35 UTC
Dear Tomoyo-Developers,

I want to restrict all programs which are executed from /home/*/, but
something like

exception_policy.conf
<kernel> initialize_domain /home/\*/\*\-.xinitrc from any
<kernel> initialize_domain /home/\*/\{\*\}/\* from any

does not work; it seems as if no wildcards are allowed
in exception_policy.conf


and secondly it looks like tomoyo-checkpolicy has a bug while checking
the exception_policy.conf

# tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf
1: ERROR: '<kernel>' is a bad argument.
2: ERROR: '<kernel>' is a bad argument.
3: ERROR: '<kernel>' is a bad argument.
...
35: ERROR: '<kernel>' is a bad argument.
36: ERROR: '<kernel>' is a bad argument.
37: ERROR: '<kernel>' is a bad argument.
Total: 37 Lines 37 Errors 0 Warning

the only two lines I added are the first two

# cat /etc/tomoyo/exception_policy.conf
<kernel> initialize_domain /opt/i2p/i2prouter from any
<kernel> initialize_domain /usr/bin/mpd from any
<kernel> path_group ANY_PATHNAME /
<kernel> path_group ANY_PATHNAME /\*
<kernel> path_group ANY_PATHNAME /\{\*\}/
<kernel> path_group ANY_PATHNAME /\{\*\}/\*
<kernel> path_group ANY_PATHNAME \*:/
<kernel> path_group ANY_PATHNAME \*:/\*
<kernel> path_group ANY_PATHNAME \*:/\{\*\}/
<kernel> path_group ANY_PATHNAME \*:/\{\*\}/\*
<kernel> path_group ANY_PATHNAME \*:[\$]
<kernel> path_group ANY_PATHNAME socket:[family=\$:type=\$:protocol=\$]
<kernel> path_group ANY_DIRECTORY /
<kernel> path_group ANY_DIRECTORY /\{\*\}/
<kernel> path_group ANY_DIRECTORY \*:/
<kernel> path_group ANY_DIRECTORY \*:/\{\*\}/
<kernel> number_group COMMON_IOCTL_CMDS 0x5401
<kernel> acl_group 0 file read /etc/ld.so.cache
<kernel> acl_group 0 file read proc:/meminfo
<kernel> acl_group 0 file read proc:/sys/kernel/version
<kernel> acl_group 0 file read /usr/share/zoneinfo/Europe/Berlin
<kernel> acl_group 0 file read /usr/share/locale/locale.alias
<kernel> acl_group 0 file read proc:/self/\*
<kernel> acl_group 0 file read proc:/self/\{\*\}/\*
<kernel> acl_group 0 file read /lib/lib\*.so\*
<kernel> acl_group 0 file read /usr/lib/lib\*.so\*
<kernel> acl_group 0 file read /lib64/lib\*.so\*
<kernel> acl_group 0 file read /usr/lib/perl5/core_perl/CORE/libperl.so
<kernel> acl_group 0 file read /usr/lib/device-mapper/libdevmapper-event-lvm2snapshot.so
<kernel> acl_group 0 file read /usr/lib/device-mapper/libdevmapper-event-lvm2raid.so
<kernel> acl_group 0 file read /usr/lib/device-mapper/libdevmapper-event-lvm2mirror.so
<kernel> acl_group 0 file read /usr/lib/ADM_plugins/videoEncoder/libADM_vidEnc_x264.so
<kernel> acl_group 0 file read /usr/lib/ADM_plugins/videoEncoder/libADM_vidEnc_xvid.so
<kernel> acl_group 0 file read /lib/ld-2.\*.so
<kernel> acl_group 0 file ioctl @ANY_PATHNAME @COMMON_IOCTL_CMDS
<kernel> acl_group 0 file read @ANY_DIRECTORY
<kernel> acl_group 0 file getattr @ANY_PATHNAME

some information about the operating system:

# uname -a
Linux jellyfish 3.4.5-netbook #1 SMP PREEMPT Sat Jul 28 14:02:33 CEST 2012 x86_64 GNU/Linux

tomoyo-tools 2.5.0.20111025-1 (Archlinux)

Regards
Torsten
Tetsuo Handa
2012-07-31 12:28:05 UTC
Hello.
Post by Torsten Ww
I want to restrict all programs, which were executing from /home/*/ but
something like
exception_policy.conf
<kernel> initialize_domain /home/\*/\*\-.xinitrc from any
<kernel> initialize_domain /home/\*/\{\*\}/\* from any
does not work, it seems as if there are no wildcards allowed
in exception_policy.conf
If wildcards were allowed in domain transition control directives, calculation
of the domainname to transit to becomes fuzzy. In order to avoid fuzziness,
wildcards are not allowed in domain transition control directives.
You can instead do

aggregator /home/\*/\*\-.xinitrc /user-defined-programs
aggregator /home/\*/\{\*\}/\* /user-defined-programs
initialize_domain /user-defined-programs from any

so that the user-defined programs will jump to the

<kernel> /user-defined-programs

domain. You may also want to specify

keep_domain any from <kernel> /user-defined-programs

in order to simplify permissions for user-defined programs by suppressing
(by default) domain transitions from user-defined programs.
Post by Torsten Ww
and secondly it looks like tomoyo-checkpolicy has a bug while checking
the exception_policy.conf
# tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf
1: ERROR: '<kernel>' is a bad argument.
2: ERROR: '<kernel>' is a bad argument.
3: ERROR: '<kernel>' is a bad argument.
...
35: ERROR: '<kernel>' is a bad argument.
36: ERROR: '<kernel>' is a bad argument.
37: ERROR: '<kernel>' is a bad argument.
Total: 37 Lines 37 Errors 0 Warning
Indeed. This is a bug in ccs-checkpolicy and was copied to tomoyo-checkpolicy.
I've just committed the fix
http://sourceforge.jp/projects/tomoyo/scm/svn/commits/6111
and I will release updated tools packages. Thank you for finding this bug.
Tetsuo Handa
2012-08-05 01:37:47 UTC
Hello.
Post by Tetsuo Handa
If wildcards were allowed in domain transition control directives, calculation
of the domainname to transit to becomes fuzzy. In order to avoid fuzziness,
wildcards are not allowed in domain transition control directives.
Well, my explanation was wrong.

Wildcards are allowed in domainnames like

<kernel> /usr/sbin/sshd /bin/bash /home/\*/\*\-.\*

and wildcards are allowed in "file execute" entries like

file execute /home/\*/\*\-.\*

and wildcards are allowed in domain transition control directives like

initialize_domain /home/\*/\*\-.\* from any

Therefore, you will get domains like

<kernel> /home/\*/\*\-.\*

by giving entries like

file execute /home/\*/\*\-.\*

and

initialize_domain /home/\*/\*\-.\* from any


Since the pathname specified by the "file execute" keyword (which might contain
wildcards) is used for comparing with the pathname specified by the
"initialize_domain" keyword (which might contain wildcards), strcmp() is used
(that is, wildcard characters are treated as normal characters) when matching
domain transition control directives.

However, since what you want to do is to transit to

<kernel> /home/\*/\*\-.\*

domain without giving

file execute /home/\*/\*\-.\*

to every domain,

initialize_domain /home/\*/\*\-.\* from any

will not work. Please use

aggregator /home/\*/\*\-.\* /user-defined-programs

and

initialize_domain /user-defined-programs from any

so that you can transit to

<kernel> /user-defined-programs

domain without explicitly giving

file execute /home/\*/\*\-.\*

to every domain.

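The two matching steps Tetsuo describes, wildcard matching for aggregator and "file execute" entries versus strcmp() for initialize_domain, as an added Python model that is not code from the TOMOYO project. The wildcard semantics for `\*`, `\{\*\}/` and `\-`, and the order of the three steps in `next_domain`, are simplifying assumptions made for this illustration.

```python
import re

# Model (assumed, simplified) of the TOMOYO pathname wildcards used in this thread:
#   \*       zero or more characters other than '/'
#   \{\*\}/  one or more directory components
#   A\-B     within one path component: names matching A but not B (subtraction)
def _translate(fragment):
    """Regex for a fragment that may contain \\* but no other wildcard."""
    out, i = "", 0
    while i < len(fragment):
        if fragment.startswith(r"\*", i):
            out, i = out + "[^/]*", i + 2
        else:
            out, i = out + re.escape(fragment[i]), i + 1
    return out

def _component_regex(comp):
    if comp == r"\{\*\}":
        return "[^/]*(?:/[^/]*)*"
    left, _, right = comp.partition(r"\-")
    regex = _translate(left)
    if right:  # subtraction: reject names that match the right-hand pattern
        regex = "(?!" + _translate(right) + "(?:/|$))" + regex
    return regex

def tomoyo_match(pattern, path):
    """Wildcard match of a concrete pathname against a policy pattern."""
    regex = "/".join(_component_regex(c) for c in pattern.split("/"))
    return re.fullmatch(regex, path) is not None

def next_domain(exec_path, parent_domain, execute_entries, aggregators, initialize_domain):
    """Domain reached when parent_domain executes exec_path (assumed model).
    1. 'aggregator <original> <aggregated>' rewrites the path by wildcard match;
    2. the matching 'file execute' entry (pattern or not) becomes the program name;
    3. 'initialize_domain <program> from any' is compared with strcmp(), so its
       wildcards are literal characters, as the post above explains."""
    name = exec_path
    for original, aggregated in aggregators:
        if tomoyo_match(original, exec_path):
            name = aggregated
            break
    matched = [entry for entry in execute_entries if tomoyo_match(entry, name)]
    if not matched:
        return None  # no 'file execute' entry permits this program here
    name = matched[0]
    if name in initialize_domain:  # list membership == strcmp() equality
        return "<kernel> " + name
    return parent_domain + " " + name
```

With a learned, concrete entry such as `file execute /home/alice/run.sh`, `initialize_domain /home/\*/\*\-.\*` never matches, while the aggregator route lands in `<kernel> /user-defined-programs`.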