2014-03-25 16:54:55 UTC
I'm playing with tomoyo as a way to not whitelist but blacklist all
syscalls from executing on a particular path (/mnt).
The idea is that I want to make sure certain users with root privilege will
be forced to gain root via a separate shell script (which will allow me to
create an explicit exception policy for that domain) and limit any syscalls
being invoked to/from that path.
Thankfully, since /mnt is a branch off of the root directory, it's
reasonably easy to whitelist everything else, as most first-level paths from root have
already been defined/enumerated. I managed to make this work and it's
That said, this can get a bit cumbersome in a use case when you need to
blacklist multiple paths in multiple locations.
I understand that tomoyo is a MAC, which by philosophy is designed to
explicitly enumerate allowed executions, but it would be nice if we could
create a layer of abstraction on the exception policy / profile where you
can switch to a blacklisting or negative-assertion mode where everything is
allowed except the ones listed.
Yes, it can get really tricky, but seeing as how the LSM has a pretty
contained class of syscalls that we can manage, it seems doable. I wonder if
anyone has thought about this or discussed it in the past?