[tomoyo-users-en 685] tomoyo with squashfs
Matthias Lay
2017-07-17 09:00:17 UTC
Hi,

I am playing around with TOMOYO rulesets on a system with an RO squashfs
as root filesystem.

I noticed all rootfs binaries are prefixed with "squashfs:":

..... squashfs:/bin/cat' not defined

But I can't create a rule with that prefix, as the editor doesn't accept
the prefix in its syntax:

"squashfs:/bin/cat is an invalid domainname"

The executed programs don't show up in the editor either.

The only way to get them to show up and create working rules is to
create aggregators like

aggregator squashfs:/bin/cat /bin/cat

With this set in exception_policies.conf, /bin/cat shows up in the
editor and I can create rules for /bin/cat.

Is there another way to get this working, without the need to create an
aggregator for every binary on the system?


Greetz

Matze
Tetsuo Handa
2017-07-17 13:41:40 UTC
Hello.
Post by Matthias Lay
Hi,
I am playing around with TOMOYO rulesets on a system with an RO squashfs
as root filesystem.
I noticed all rootfs binaries are prefixed with "squashfs:":
..... squashfs:/bin/cat' not defined
But I can't create a rule with that prefix, as the editor doesn't accept
the prefix in its syntax:
"squashfs:/bin/cat is an invalid domainname"
The executed programs don't show up in the editor either.
The only way to get them to show up and create working rules is to
create aggregators like
aggregator squashfs:/bin/cat /bin/cat
With this set in exception_policies.conf, /bin/cat shows up in the
editor and I can create rules for /bin/cat.
Yes, that will be the easiest approach when using learning mode (i.e.
recording possible domain transition patterns).
Post by Matthias Lay
Is there another way to get this working, without the need to create an
aggregator for every binary on the system?
Not applicable to learning mode, but I think that you can explicitly specify
to which domain the current thread should transit at a "file execute" entry (

file execute [candidate] [domainname]
file execute [candidate] [pathname]

in http://tomoyo.osdn.jp/2.5/policy-specification/domain-transition-procedure.html#transition_by_execute ).

If you specify

keep_domain any from any

in exception policy, domain transition will be suppressed by default
(i.e. no need to enumerate all binaries in squashfs using "aggregator" entry).
You can specify [domainname] or [pathname] as needed in order to force domain
transition.
Post by Matthias Lay
Greetz
Matze
Regards.
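Added illustration of the approach Tetsuo describes; this is not policy from the thread or from the TOMOYO project's documentation. It combines a global "keep_domain any from any" in the exception policy with one "file execute [candidate] [domainname]" entry in the domain policy that forces a transition for a single binary. Assumptions: the stock profile.conf numbering (profile 1 = learning), the domain name "<kernel> //apps/sh" as an arbitrary name that contains no "squashfs:" prefix (only domain names are rejected with that prefix, per the first post), and that the candidate pathname is written exactly as the kernel reports it, i.e. with the "squashfs:" prefix. The "#" lines are file-name annotations for the reader and are not policy syntax; drop them before loading.

```text
# /etc/tomoyo/exception_policy.conf
keep_domain any from any

# /etc/tomoyo/domain_policy.conf
<kernel>
use_profile 1
file execute squashfs:/bin/sh <kernel> //apps/sh

<kernel> //apps/sh
use_profile 1
file execute squashfs:/bin/cat
```

With "keep_domain any from any" in place, every execve() that has no explicit target stays in the caller's domain, so nothing needs an "aggregator" line just to become visible. Only the binaries you deliberately want isolated get a "file execute ... [domainname]" entry, and each named target domain then needs its own block (as "<kernel> //apps/sh" does here), which is where the per-binary rules are recorded in learning mode before switching that domain to an enforcing profile. Check the exact accepted syntax against the domain-transition-procedure page Tetsuo linked before relying on this.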
