[tomoyo-users-en 593] CaitSith-operation_group
Torsten Wörtwein
2014-04-12 11:02:58 UTC
Hi there,

does CaitSith support something like an operation_group? That would simplify rule creation.

so something like

operation_group general_file_operations read
operation_group general_file_operations write
operation_group general_file_operations append
..

1 acl @general_file_operations task.exe="/usr/bin/example"
..

instead of

1 acl read task.exe="/usr/bin/example"
..
1 acl write task.exe="/usr/bin/example"
..
1 acl create task.exe="/usr/bin/example"
..
1 acl append task.exe="/usr/bin/example"
..

Thanks
Torsten
Tetsuo Handa
2014-04-12 11:33:15 UTC
Post by Torsten Wörtwein
does CaitSith support something like an operation_group? That would simplify rule creation.
Not implemented, for the conditional variables applicable to one operation may
not be applicable to another. For example, creating a file accepts "perm"
variable whereas opening a file for reading does not.

The variables are the characteristic and the power of TOMOYO/AKARI/CaitSith.
Grouping multiple operations into one will limit the power of variables.

Regards.
Torsten Wörtwein
2014-04-14 17:22:10 UTC
ok, thanks.

I read that the behaviour of domains has changed since Tomoyo. But should not a task.domain from a child process contain task.exe from its parent process? In my case, my mail-client calls a pdf viewer which has set task.domain="<kernel>" instead of task.domain="/usr/bin/claws-mail".
Or does Tomoyo (TOMOYO Linux 2.x) interfere with CaitSith (fully featured version) - Tomoyo has an initialize_domain on the pdf viewer, so in Tomoyo's case domain <kernel> is correct.

Thanks
Torsten


On Sat, 12 Apr 2014 20:33:15 +0900
Post by Tetsuo Handa
Post by Torsten Wörtwein
does CaitSith support something like an operation_group? That would simplify rule creation.
Not implemented, for the conditional variables applicable to one operation may
not be applicable to another. For example, creating a file accepts "perm"
variable whereas opening a file for reading does not.
The variables are the characteristic and the power of TOMOYO/AKARI/CaitSith.
Grouping multiple operations into one will limit the power of variables.
Regards.
Tetsuo Handa
2014-04-14 21:38:03 UTC
Although TOMOYO's automatic domain creation/transition is helpful for
understanding how your system works, TOMOYO's multiple words domainname (e.g.
<kernel> /sbin/init ) is not parser friendly because a domainname must occupy
an entire line in order to safely split by white spaces and new lines.

Therefore, I changed CaitSith to use single word domainname. If you want to
emulate multiple words domainname in CaitSith, you can do something like below.

10 acl execute task.domain="mail-client"
    audit 0
    10 allow path="/path/to/pdf/viewer" transition="mail-client/pdf-viewer"
    20 deny

10 acl read task.domain="mail-client/pdf-viewer"
    audit 0
    10 allow path="/path/to/pdf/files"
    20 deny

Also, TOMOYO's domainname tends to become too long to read. When actually
writing access restriction rules, users are interested in only a few past
programs rather than all past programs. (Users might be interested in all
past programs for tracing purpose like http://lwn.net/Articles/575044/ .)

Therefore, I changed CaitSith not to automatically append requested program
to current domainname.

With the above-mentioned changes, there is no longer an exception_policy file for
controlling domain transition in CaitSith. Much simpler to understand.
Please see http://caitsith.sourceforge.jp/#6.1 for how to control domain
transitions in CaitSith.
Post by Torsten Wörtwein
ok, thanks.
I read that the behaviour of domains has changed since Tomoyo. But should not
a task.domain from a child process contain task.exe from its parent process?
In my case, my mail-client calls a pdf viewer which has set
task.domain="<kernel>" instead of task.domain="/usr/bin/claws-mail".
Or does Tomoyo (TOMOYO Linux 2.x) interfere with CaitSith (fully featured
version) - Tomoyo has an initialize_domain on the pdf viewer, so in Tomoyo's
case domain <kernel> is correct.
Thanks
Torsten
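
Added example (not part of the thread and not CaitSith code): since operation_group is not implemented, the grouping asked about in the first message can be done by a user-space preprocessor that emits one acl block per operation and refuses to expand when a condition variable does not apply to a member operation, which is the objection raised in the reply. The operation_group/@name syntax, RESTRICTED_VARS and expand_groups are hypothetical; the table holds only the one case named in the thread.

```python
# Added illustration: user-space expansion of a hypothetical "operation_group".
# CaitSith does not parse this keyword; feed it only the expanded output.

# Constructed, incomplete table of variables that only some operations accept.
# The thread names one case: "perm" applies to create but not to read.
RESTRICTED_VARS = {"perm": {"create"}}

SAMPLE = '''\
operation_group general_file_operations read
operation_group general_file_operations write
operation_group general_file_operations append
1 acl @general_file_operations task.exe="/usr/bin/example"
    audit 0
    10 allow path="/tmp/example.log"
    20 deny
'''  # constructed input, modelled on the rules quoted in the thread


def is_acl_header(words):
    return len(words) >= 3 and words[0].isdigit() and words[1] == "acl"


def expand_groups(text):
    """Return the policy with every '@group' acl block repeated per operation."""
    groups, blocks = {}, []
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "operation_group" and len(words) == 3:
            groups.setdefault(words[1], []).append(words[2])
        elif is_acl_header(words):
            blocks.append([words])            # start a new acl block
        elif blocks:
            blocks[-1].append(words)          # audit / allow / deny line
        else:
            raise ValueError(f"line outside any acl block: {line!r}")
    out = []
    for header, *body in blocks:
        op = header[2]
        members = groups.get(op[1:], []) if op.startswith("@") else [op]
        if not members:
            raise ValueError(f"undefined or empty group: {op}")
        # Names on the left of "=" or "!=" anywhere in the block.
        used = {w.split("=", 1)[0].rstrip("!") for row in [header, *body]
                for w in row if "=" in w}
        for member in members:
            for var in sorted(used & set(RESTRICTED_VARS)):
                if member not in RESTRICTED_VARS[var]:
                    raise ValueError(f'"{var}" does not apply to "{member}"')
            out.append(" ".join(header[:2] + [member] + header[3:]))
            out.extend("    " + " ".join(row) for row in body)
    return "\n".join(out)
```

Calling expand_groups(SAMPLE) yields three separate acl blocks (read, write, append) with identical bodies; a group that mixes create and read with a perm condition raises ValueError instead of producing a rule one operation cannot evaluate.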