[tomoyo-users-en 679] Re: [Caitsith] bind wildcard expressions
Tetsuo Handa
2017-05-24 20:43:46 UTC
> Is it possible to bind '\$' for a query occurring during run-time and
> then use it in the rules? With the following, I want to allow only root
> and the current process to read its /proc/\$/mem. Is something
> like this possible with caitsith?

Such binding is not possible, but "/proc/self" is represented as "proc:/self"
rather than "proc:/\$". Thus,

> 10 acl read /proc/\$/mem
> 1 allow task.euid=0
> 10 allow task.pid=\$
> 100 deny

I think you want something like below.

10 acl read path.fsmagic=0x9FA0 path="proc:/\*/mem"
audit 0
10 allow path="proc:/self/mem"
20 allow task.uid=0 task.gid=0 task.euid=0 task.egid=0
30 deny

This example checks filesystem magic before checking pathnames
so that the kernel does not need to evaluate "proc:/\*/mem" for
pathnames not in proc filesystem.
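To make the evaluation order of that policy concrete, here is a small model of how a CaitSith "acl" block with prioritized allow/deny entries is consulted. This is an added example written for this thread, not code from the CaitSith project or from the kernel's matcher: the "\*" and "\$" wildcard semantics (any run of non-'/' characters, and one or more decimal digits, respectively), the first-match-by-priority rule, the fsmagic value 0x9FA0 for proc, and the sample task and path values are all assumptions or constructed inputs.

```python
import re

# fsmagic value used in the thread for the proc filesystem (assumed, as in the policy above)
PROC_SUPER_MAGIC = 0x9FA0


def wildcard_to_regex(pattern):
    """Translate a CaitSith-style path pattern into an anchored regex.

    Model of the two wildcards used in the thread: "\\*" matches zero or
    more characters other than '/', "\\$" matches one or more decimal digits.
    Everything else is taken literally.
    """
    out = []
    i = 0
    while i < len(pattern):
        two = pattern[i:i + 2]
        if two == "\\*":
            out.append("[^/]*")
            i += 2
        elif two == "\\$":
            out.append("[0-9]+")
            i += 2
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "^" + "".join(out) + "$"


def path_matches(pattern, path):
    return re.match(wildcard_to_regex(pattern), path) is not None


# The policy from the thread as data. The "acl" line's conditions gate whether the
# block is consulted at all; the allow/deny entries are then tried in priority order.
ACL = {
    "operation": "read",
    "conditions": {"path.fsmagic": PROC_SUPER_MAGIC, "path": "proc:/\\*/mem"},
    "entries": [
        (10, "allow", {"path": "proc:/self/mem"}),
        (20, "allow", {"task.uid": 0, "task.gid": 0, "task.euid": 0, "task.egid": 0}),
        (30, "deny", {}),
    ],
}


def condition_holds(conds, request):
    """True when every condition in conds is satisfied by the request attributes."""
    for key, want in conds.items():
        have = request.get(key)
        if key == "path":
            if have is None or not path_matches(want, have):
                return False
        elif have != want:
            return False
    return True


def evaluate(acl, request):
    """Return 'allow' or 'deny' from the first matching entry (lowest priority
    number first), or None when the acl block does not apply to the request."""
    if request["operation"] != acl["operation"]:
        return None
    # The cheap fsmagic comparison is part of the gate, so requests outside proc
    # are rejected here before any wildcard pattern is evaluated.
    if not condition_holds(acl["conditions"], request):
        return None
    for _prio, verdict, conds in sorted(acl["entries"], key=lambda e: e[0]):
        if condition_holds(conds, request):
            return verdict
    return None


def demo():
    """Evaluate a few constructed requests against the thread's policy."""
    root = {"task.uid": 0, "task.gid": 0, "task.euid": 0, "task.egid": 0}
    user = {"task.uid": 1000, "task.gid": 1000, "task.euid": 1000, "task.egid": 1000}

    def req(task, path, fsmagic):
        r = {"operation": "read", "path": path, "path.fsmagic": fsmagic}
        r.update(task)
        return r

    return {
        # a process opening its own memory through proc:/self: allowed by entry 10
        "self_mem_unprivileged": evaluate(ACL, req(user, "proc:/self/mem", PROC_SUPER_MAGIC)),
        # an unprivileged process opening another pid's mem: falls through to deny
        "other_pid_mem_unprivileged": evaluate(ACL, req(user, "proc:/4242/mem", PROC_SUPER_MAGIC)),
        # root opening another pid's mem: allowed by entry 20
        "other_pid_mem_root": evaluate(ACL, req(root, "proc:/4242/mem", PROC_SUPER_MAGIC)),
        # a file on ext4 (fsmagic 0xEF53): the acl block is never consulted
        "non_proc_file": evaluate(ACL, req(user, "/etc/passwd", 0xEF53)),
        # a proc file that is not .../mem: the path gate does not match
        "proc_non_mem": evaluate(ACL, req(user, "proc:/4242/status", PROC_SUPER_MAGIC)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The model also makes the point of the thread visible: the check for the current process needs no run-time binding of "\$" because the kernel already presents the process's own entry as "proc:/self", so a literal path condition suffices.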
Torsten Wörtwein
2017-05-25 05:50:07 UTC
Thank you! I will look into that.

On Thu, 25 May 2017 05:43:46 +0900 Tetsuo Handa
> > Is it possible to bind '\$' for a query occurring during run-time
> > and then use it in the rules? With the following, I want to allow
> > only root and the current process to read its /proc/\$/mem. Is
> > something like this possible with caitsith?
>
> Such binding is not possible, but "/proc/self" is represented as
> "proc:/self" rather than "proc:/\$". Thus,
>
> > 10 acl read /proc/\$/mem
> > 1 allow task.euid=0
> > 10 allow task.pid=\$
> > 100 deny
>
> I think you want something like below.
>
> 10 acl read path.fsmagic=0x9FA0 path="proc:/\*/mem"
> audit 0
> 10 allow path="proc:/self/mem"
> 20 allow task.uid=0 task.gid=0 task.euid=0 task.egid=0
> 30 deny
>
> This example checks filesystem magic before checking pathnames
> so that the kernel does not need to evaluate "proc:/\*/mem" for
> pathnames not in proc filesystem.