[tomoyo-users-en 669] Command line policy management and port management
Rahmadi Trimananda
2017-04-04 04:58:06 UTC
Hello,

I am a new Tomoyo user and I've been trying to read the Tomoyo
documentation (https://tomoyo.osdn.jp/2.5/index.html.en) for the past
couple days. I've got 2 questions:

1) I seem to get the impression that Tomoyo policy needs to be developed by
learning process and then little edits to adjust them. Is there any way
that I specify policies from command lines? I am looking for something like
Linux iptables. Could you point me to the right documentation?

2) Does Tomoyo still support IP network management, such as protocol (TCP,
UDP, port numbers, etc.)? I seem to have Tomoyo version 2.X but I think I
still need to do Kernel recompilation (I am using Raspbian for RaspberryPi,
a variant of Debian).

Thank you!

Regards,
Rahmadi
Tetsuo Handa
2017-04-04 10:41:59 UTC
Hello.
> Hello,
> I am a new Tomoyo user and I've been trying to read the Tomoyo
> documentation (https://tomoyo.osdn.jp/2.5/index.html.en) for the past
> 1) I seem to get the impression that Tomoyo policy needs to be developed by
> learning process and then little edits to adjust them. Is there any way
> that I specify policies from command lines? I am looking for something like
> Linux iptables. Could you point me to the right documentation?
Yes, tomoyo-loadpolicy is a way to specify policies from the command line.
https://tomoyo.osdn.jp/2.5/man-pages/tomoyo-loadpolicy.html.en
> 2) Does Tomoyo still support IP network management, such as protocol (TCP,
> UDP, port numbers, etc.)? I seem to have Tomoyo version 2.X but I think I
> still need to do Kernel recompilation (I am using Raspbian for RaspberryPi,
> a variant of Debian).
Yes, though TOMOYO is different from iptables in that TOMOYO checks permissions
at the system call layer.
https://tomoyo.osdn.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet

Hints at https://tomoyo.osdn.jp/2.5/yocto-arm.html.en will be helpful
even if you are using Raspbian.
> Thank you!
> Regards,
> Rahmadi
Rahmadi Trimananda
2017-04-04 20:27:12 UTC
Thank you! I managed to install Tomoyo on my system and it's working well.
:)

I have another question that I hope is do-able to do on Tomoyo.

So, I am experimenting with a folder (shown below):

***@raspberrypi:~/tomoyo/test $ ls
a.out save Test2.class test2.txt Test.class test.txt
edit stat Test2.java test.c Test.java

Basically, I wish to create separate domains for different java executions.
So, as I have 2 class files, I would like to create separate domains for
"java Test" and "java Test2". I've been trying to use initialize_domain and
no_initialize_domain in Exception Policy Editor but no success yet. It
seems that no_initialize_domain only works if the application is run from
different paths? Need your insights/advice to make this work. Thank you!

Regards,
Rahmadi


--
Kind regards,
Rahmadi Trimananda

Ph.D. student @ University of California, Irvine
"Stay hungry, stay foolish!" - Steve Jobs -
Tetsuo Handa
2017-04-04 21:40:54 UTC
> Thank you! I managed to install Tomoyo on my system and it's working well.
> :)
Good.
> I have another question that I hope is do-able to do on Tomoyo.
> a.out save Test2.class test2.txt Test.class test.txt
> edit stat Test2.java test.c Test.java
> Basically, I wish to create separate domains for different java executions.
> So, as I have 2 class files, I would like to create separate domains for
> "java Test" and "java Test2". I've been trying to use initialize_domain and
> no_initialize_domain in Exception Policy Editor but no success yet. It
> seems that no_initialize_domain only works if the application is run from
> different paths? Need your insights/advice to make this work. Thank you!
Please use wrapper programs

---------- run_Test1 start ----------
#!/bin/sh
exec /usr/bin/java Test
---------- run_Test1 end ----------

---------- run_Test2 start ----------
#!/bin/sh
exec /usr/bin/java Test2
---------- run_Test2 end ----------

and specify the path to these wrapper programs instead of /usr/bin/java.

If Test.java and Test2.java can be updated to write to the
/sys/kernel/security/tomoyo/self_domain interface, you can specify,
for example,

<kernel> /usr/bin/java
task manual_domain_transition <kernel> //Test
task manual_domain_transition <kernel> //Test2

<kernel> //Test

<kernel> //Test2

instead.

http://tomoyo.osdn.jp/2.5/policy-specification/domain-transition-procedure.html.en#transition_by_non_execute
> Regards,
> Rahmadi
Rahmadi Trimananda
2017-04-04 22:26:53 UTC
Thanks! The wrapper programs work well. I was thinking about doing that
too, but I think I made a mistake in that I didn't use "exec", so I didn't
get a different domain for each java execution and just got the domains for
the shell scripts.

I am not really clear about the second option that uses the self_domain
interface. Do you mean that in Test.java and Test2.java I need to add a section
of code that writes into /sys/kernel/security/tomoyo/self_domain?
Do we have a program that allows this writing, e.g. tomoyo-loadpolicy? Or
do we simply have to make edits directly to that file?

The TOMOYO webpage says: *This can be used to split permissions without
requiring an execution, but the application must be modified to write to
the interface at the appropriate time.*
https://tomoyo.osdn.jp/2.5/policy-specification/domain-policy-syntax.html.en#task_manual_domain_transition

When is this appropriate time? Then am I going to be able to see the 2
domains using tomoyo-editpolicy and do the training for both domains so
that I don't have to generate the policies from scratch?

Apologies for having too many questions. :) The documentation on
self_domain seems to be very limited.

Regards,
Rahmadi


Tetsuo Handa
2017-04-05 13:57:00 UTC
> Thanks! The wrapper programs work well. I was thinking about doing that
> too, but I think I made a mistake in that I didn't use "exec", so I didn't
> get a different domain for each java execution and just got the domains for
> the shell scripts.
OK.
> I am not really clear about the second option that uses the self_domain
> interface. Do you mean that in Test.java and Test2.java I need to add a section
> of code that writes into /sys/kernel/security/tomoyo/self_domain?
Right.
> Do we have a program that allows this writing, e.g. tomoyo-loadpolicy? Or
> do we simply have to make edits directly to that file?
mod_tomoyo.c in https://tomoyo.osdn.jp/2.5/chapter-13.html.en explains
how to use that interface from Apache 2. Any process which can write using
a file descriptor of /sys/kernel/security/tomoyo/self_domain can use
that interface because its permission is set to 0666. But only domainnames
explicitly specified in the policy will be permitted.
> The TOMOYO webpage says: *This can be used to split permissions without
> requiring an execution, but the application must be modified to write to
> the interface at the appropriate time.*
> https://tomoyo.osdn.jp/2.5/policy-specification/domain-policy-syntax.html.en#task_manual_domain_transition
> When is this appropriate time? Then am I going to be able to see the 2
> domains using tomoyo-editpolicy and do the training for both domains so
> that I don't have to generate the policies from scratch?
Please be careful that the second option will not work unless you can give
"task manual_domain_transition" permissions to the domain for /usr/bin/java
before you try to launch Test/Test2 recompiled with that section of code added.



By the way, 2 more options are explained at
https://tomoyo.osdn.jp/2.5/policy-specification/domain-transition-procedure.html.en#transition_by_execute .

The third option is to use symbolic links (or hard links) like

mkdir -p /usr/local/test/bin /usr/local/test2/bin
ln -s /usr/bin/java /usr/local/test/bin/java
ln -s /usr/bin/java /usr/local/test2/bin/java

and launch like

/usr/local/test/bin/java Test
/usr/local/test2/bin/java Test2

because TOMOYO can transit domains based on symbolic/hard link's pathnames
when executing programs.

The fourth option is to explicitly specify domainnames like

file execute /usr/bin/java //Test exec.argc=2 exec.argv[1]="Test"
file execute /usr/bin/java //Test2 exec.argc=2 exec.argv[1]="Test2"

because it overrides domain transition control directives in exception policy.



You can choose from 4 options. Please choose one that suits your case.

Option 1 (use wrapper programs) and option 3 (use symbolic link or hard
link) would suit better when you try to generate the policies from scratch.
If you already know the domain for launching /usr/bin/java, option 4 would suit.
> Apologies for having too many questions. :) The documentation on
> self_domain seems to be very limited.
> Regards,
> Rahmadi
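To make the four options concrete, here is an added Python model of how TOMOYO 2.x names the domain a process enters on execve(). It is written for this thread and is not TOMOYO's kernel code or anything from the project; it only reproduces the rules the replies above rely on: the default "current domain + executed pathname" transition (using the pathname handed to execve, which is why wrappers and symlinks give distinct domains), and `file execute` lines with an explicit target plus `exec.argc`/`exec.argv[1]` conditions (option 4). The launcher domain `<kernel> /bin/bash` and the wrapper pathnames under /usr/local/bin are assumptions, and an explicit target such as `//Test` is returned as written rather than resolved the way the kernel does. The `manual_transition` helper shows option 2 (writing to self_domain and reading it back) and only does anything on a TOMOYO-enabled kernel.

```python
"""Constructed model of how TOMOYO 2.x names the domain a process enters on execve().

Added for this thread; NOT TOMOYO's kernel code.  It covers only:
  * default transition: new domain = current domain + " " + executed pathname,
    where the pathname is the one handed to execve(), so a symlink pathname
    counts as its own program;
  * "file execute <program> <target> [exec.argc=N] [exec.argv[1]="..."]" lines
    (option 4), whose target (e.g. //Test) is returned as written.
The launcher domain and the wrapper/symlink pathnames are assumptions.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

SELF_DOMAIN = "/sys/kernel/security/tomoyo/self_domain"  # interface from the thread
LAUNCHER = "<kernel> /bin/bash"                           # assumed domain of the shell


@dataclass(frozen=True)
class ExecRule:
    program: str                 # pathname as written in the policy line
    target: Optional[str]        # explicit target domainname, None for a plain permission
    argc: Optional[int] = None   # exec.argc=N condition
    argv1: Optional[str] = None  # exec.argv[1]="..." condition

    def matches(self, program: str, argv: Sequence[str]) -> bool:
        if program != self.program:
            return False
        if self.argc is not None and len(argv) != self.argc:
            return False
        if self.argv1 is not None and (len(argv) < 2 or argv[1] != self.argv1):
            return False
        return True


_COND = re.compile(r'^exec\.argc=(\d+)$|^exec\.argv\[1\]="([^"]*)"$')


def parse_exec_rule(line: str) -> ExecRule:
    """Parse one 'file execute ...' domain-policy line (the subset used in the
    thread; condition values containing spaces are not handled)."""
    tokens = line.split()
    if tokens[:2] != ["file", "execute"] or len(tokens) < 3:
        raise ValueError(f"not a file execute line: {line!r}")
    program, rest = tokens[2], tokens[3:]
    target_tokens: List[str] = []
    while rest and not rest[0].startswith("exec."):  # "//Test" or "<kernel> //Test"
        target_tokens.append(rest.pop(0))
    argc = argv1 = None
    for cond in rest:
        m = _COND.match(cond)
        if not m:
            raise ValueError(f"unsupported condition: {cond!r}")
        if m.group(1) is not None:
            argc = int(m.group(1))
        else:
            argv1 = m.group(2)
    return ExecRule(program, " ".join(target_tokens) or None, argc, argv1)


def next_domain(current: str, program: str, argv: Sequence[str],
                rules: Sequence[ExecRule] = ()) -> str:
    """Domain entered after executing `program` (argv as seen by execve) from
    `current`: the first matching explicit rule wins, else default concatenation."""
    for rule in rules:
        if rule.target is not None and rule.matches(program, argv):
            return rule.target
    return f"{current} {program}"


def manual_transition(domainname: str, iface: str = SELF_DOMAIN) -> str:
    """Option 2, from inside the program: write the wanted domainname to
    self_domain, then read the interface back to learn the domain in effect.
    Only works on a TOMOYO kernel whose policy grants the caller
    'task manual_domain_transition'; otherwise the write raises OSError or the
    read-back still shows the old domain."""
    fd = os.open(iface, os.O_WRONLY)
    try:
        os.write(fd, domainname.encode())
    finally:
        os.close(fd)
    with open(iface) as f:
        return f.read().strip()


def demo() -> Dict[str, str]:
    """Walk the thread's options 1, 3 and 4 through the model."""
    out: Dict[str, str] = {}
    # Option 1: a wrapper script gets a domain named after itself; 'exec /usr/bin/java'
    # inside it then appends /usr/bin/java, so two wrappers yield two java domains.
    for name, cls in (("run_Test1", "Test"), ("run_Test2", "Test2")):
        wrapper = next_domain(LAUNCHER, f"/usr/local/bin/{name}", [name])
        out[name] = next_domain(wrapper, "/usr/bin/java", ["java", cls])
    # Option 3: the symlink pathname handed to execve() is what gets appended.
    out["symlink_Test"] = next_domain(LAUNCHER, "/usr/local/test/bin/java", ["java", "Test"])
    out["symlink_Test2"] = next_domain(LAUNCHER, "/usr/local/test2/bin/java", ["java", "Test2"])
    # Option 4: explicit targets conditioned on argv, in the launcher domain's policy.
    rules = [parse_exec_rule('file execute /usr/bin/java //Test exec.argc=2 exec.argv[1]="Test"'),
             parse_exec_rule('file execute /usr/bin/java //Test2 exec.argc=2 exec.argv[1]="Test2"')]
    out["argv_Test"] = next_domain(LAUNCHER, "/usr/bin/java", ["java", "Test"], rules)
    out["argv_Test2"] = next_domain(LAUNCHER, "/usr/bin/java", ["java", "Test2"], rules)
    # 'java Test2 extra' has argc=3, matches neither rule, and falls back to concatenation.
    out["argv_other"] = next_domain(LAUNCHER, "/usr/bin/java", ["java", "Test2", "extra"], rules)
    return out


if __name__ == "__main__":
    for key, domain in demo().items():
        print(f"{key:14} -> {domain}")
```

The `argv_other` case is the one to keep in mind with option 4: any invocation that does not match the `exec.argc`/`exec.argv[1]` conditions exactly falls back to the default transition, so an argument appended to the command line lands the process in a different domain than intended. Option 2's `manual_transition` reads self_domain back after writing because, as noted above, the write is only honoured when the current domain holds the matching `task manual_domain_transition` permission.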