[tomoyo-users-en 602] Tomoyo so easy bypassing?
Roman
2014-05-30 04:38:48 UTC
Hello

~$ uname -a
Linux 3.2.0-4-amd64 #1 SMP Debian 3.2.57-3+deb7u1 x86_64 GNU/Linux


<kernel> /bin/netstat
use_profile 3
use_group 0


initialize_domain /bin/netstat from any

->

~$ netstat
bash: /bin/netstat: Operation not permitted

Good

But

~$ /lib64/ld-linux-x86-64.so.2 /bin/netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 local:42109 la-in-f188.1e100.n:5228 ESTABLISHED
.....

How do I fix it?
Tetsuo Handa
2014-05-30 12:15:24 UTC
Post by Roman
Hello
~$ uname -a
Linux 3.2.0-4-amd64 #1 SMP Debian 3.2.57-3+deb7u1 x86_64 GNU/Linux
<kernel> /bin/netstat
use_profile 3
use_group 0
initialize_domain /bin/netstat from any
->
~$ netstat
bash: /bin/netstat: Operation not permitted
Good
Not good at all. Imagine the following case.

$ cat /bin/netstat > /tmp/netstat
$ chmod +x /tmp/netstat
$ /tmp/netstat
Post by Roman
But
~$ /lib64/ld-linux-x86-64.so.2 /bin/netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 local:42109 la-in-f188.1e100.n:5228 ESTABLISHED
.....
How do I fix it?
If you want to fix it, you need to stop using blacklisting.
Blacklisting is by nature so easy to bypass.

That said, the following is a placebo.

<kernel> /lib64/ld-linux-x86-64.so.2
use_profile 3
use_group 0

initialize_domain /lib64/ld-linux-x86-64.so.2 from any

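As an added illustration of the reply's point (this is not part of the thread and not TOMOYO project code), here is what the allow-list alternative looks like in TOMOYO 2.5 policy syntax. The domain name `<kernel> /usr/sbin/sshd /bin/bash`, the home-directory path and the handful of permitted programs are assumptions chosen for the example.

```text
# Added example, not from the thread: an allow-list policy for an
# interactive shell domain in TOMOYO 2.5 syntax. Domain name and the
# permitted programs are assumptions for illustration.

# exception_policy.conf: give sshd its own domain so that shells
# started through it are tracked separately from the rest of init.
initialize_domain /usr/sbin/sshd from any

# domain_policy.conf: the user's shell in enforcing mode (profile 3).
# Only what is listed is permitted. Neither /bin/netstat, nor a copy
# such as /tmp/netstat, nor /lib64/ld-linux-x86-64.so.2 appears here,
# so none of them can be executed from this domain; the kernel checks
# the program actually passed to execve(), and for the loader trick
# that program is the loader itself, which is not allowed either.
<kernel> /usr/sbin/sshd /bin/bash
use_profile 3
use_group 0
file execute /bin/ls
file execute /bin/cat
file read /etc/bash.bashrc
file read /home/\*/.bashrc
```

Each program executed from this domain creates a child domain (for example `<kernel> /usr/sbin/sshd /bin/bash /bin/ls`) that needs its own entries; the usual way to obtain them is to run the domain in learning mode (profile 1) for a while, review the recorded accesses, and only then switch it to profile 3. Profile 2 (permissive) is useful as an intermediate check: it logs what would have been denied without blocking it, so a bypass attempt of the kind shown in the thread shows up in the audit log before enforcement is turned on.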