[tomoyo-users-en 590] Thoughts on blacklisting and negative assertions?
Ryan Seu
2014-03-25 16:54:55 UTC
Hi folks,

I'm playing with tomoyo as a way to not whitelist but blacklist all
syscalls from executing on a particular path (/mnt).

The idea is that I want to make sure certain users with root privilege will
be forced to gain root via a separate shell script (which will allow me to
create an explicit exception policy for that domain) and limit any syscalls
being invoked to/from that path.

Thankfully, since /mnt is a branch off the root directory, it's
reasonably easy to whitelist everything else, as most first-level directories
under root have already been defined/enumerated. I managed to make this work
and it's awesome!

That said, this can get a bit cumbersome in a use case when you need to
blacklist multiple paths in multiple locations.

I understand that tomoyo is a MAC, which by philosophy is designed to
explicitly enumerate allowed executions but it would be nice if we can
create a layer of abstraction on the exception policy / profile where you
can switch to a blacklisting or negative assertion where everything is
allowed except ones listed.

Yes, it can get really tricky but seeing as how the LSM has a pretty
contained class of syscalls that we can manage it seems doable. I wonder if
anyone's thought about this or discussed this in the past?

Ryan
Tetsuo Handa
2014-03-25 21:40:28 UTC
Hello.
Ryan Seu wrote:
> I'm playing with tomoyo as a way to not whitelist but blacklist all
> syscalls from executing on a particular path (/mnt).
CaitSith would be easier and suitable for that purpose.
http://I-love.SAKURA.ne.jp/tomoyo/CaitSith-en.pdf
Ryan Seu
2014-03-26 01:09:29 UTC
This is awesome stuff Tetsuo - it seems like you've enumerated all the
problems I've been thinking about for some time.

I'll definitely play with it but there's going to be some barrier to deployment
since it is an LKM that we have to build/support/maintain.

This brings up an interesting question - have you run into any folks who
are deploying tomoyo/caitsith at large scale? It would be interesting to
see what type of perf impact there is. I can see you've already figured out
some memory management when it comes to audit and ruleset checks.

For now, I'll implement tomoyo as is (no CaitSith) and test out what the
perf impact is.

Again, thank you for all your work and if you're ever visiting the San
Francisco area, please let me know. Would love to chat with you more :)

Ryan



On Tue, Mar 25, 2014 at 2:40 PM, Tetsuo Handa <
> Hello.
> Ryan Seu wrote:
> > I'm playing with tomoyo as a way to not whitelist but blacklist all
> > syscalls from executing on a particular path (/mnt).
> CaitSith would be easier and suitable for that purpose.
> http://I-love.SAKURA.ne.jp/tomoyo/CaitSith-en.pdf