[tomoyo-users-en 599] disable the execution of files in a directory

Tetsuo Handa

2014-05-24 01:09:05 UTC

Post by ÐÐº ÐÐº
I tried to disable the execution of files in a directory /home using Tomoyo

When using black listing, please be careful with copying programs under /home
to (e.g.) /tmp directory in order to bypass black listing restriction.

Given that said, I think that the easiest way is to use a separate partition
for /home and mount that partition with noexec mount option.

If you allocated a separate partition for /home , you can specify
using major/minor block device numbers.

Using TOMOYO, you can do

acl_group 4 file execute @ANY_PATHNAME path1.major!=8
acl_group 4 file execute @ANY_PATHNAME path1.major=8 path1.minor!=3

and use

use_group 4

to allow execution of programs which are not on /dev/sda3 .

Using CaitSith, you can do

100 acl execute
100 deny path.major=8 path.minor=3
200 allow

to deny execution of programs which are on /dev/sda3 .

Post by ÐÐº ÐÐº
path_group ANY_PATHNAME2 /\{\*\}\-home/
path_group ANY_PATHNAME2 /\{\*\}\-home/\*

These are invalid usage of /\{ \}/ operator. /\{ \}/ operator is used
like /data/\{\*\-.svn\}/ rather than /data/\{\*\}\-.svn\/ .

Post by ÐÐº ÐÐº
path_group ANY_PATHNAME2 \*\-home:/
path_group ANY_PATHNAME2 \*\-home:/\*
path_group ANY_PATHNAME2 \*\-home:/\{\*\}/
path_group ANY_PATHNAME2 \*\-home:/\{\*\}/\*
path_group ANY_PATHNAME2 \*\-home:[\$]

I think these are useless lines because fsname:filename format
will not be used for /home .

Post by ÐÐº ÐÐº
But it not working
#kernel panic: switch_root can't execute sbin/init
what was my mistake?

Because /\{\*\}\-home/\* did not match /sbin/init .

Regards.