Discussion:
[tomoyo-users-en 605] tomoyo-init quirky behavior
Ryan Seu
2014-06-05 06:29:06 UTC
Hi tomoyo-users,

I'm seeing some quirky behavior that, in retrospect, might make sense but
isn't really documented anywhere.

I have a domain policy that I've applied an acl group and profile on:
<kernel> blah/blah/blah
use_profile 3
use_group 1

I've also created it so the profile will selectively enforce based on the
syscall types:

3-CONFIG::file={ mode=enforcing grant_log=no reject_log=yes }
3-CONFIG::file::ioctl={ mode=disabled grant_log=no reject_log=no }
3-CONFIG::file::mount={ mode=disabled grant_log=no reject_log=no }
3-CONFIG::misc::env={ mode=disabled grant_log=no reject_log=no }
3-CONFIG::network={ mode=disabled grant_log=no reject_log=no }
3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }

I've created the profile and domain policy under /etc/tomoyo and restarted
the system, with the expectation that policy #3 will be applied to that
particular domain.

Unfortunately, once booted (after tomoyo-init has been invoked), when I
check the current profile setting I see this:

10: 3-COMMENT=-----Enforcing Mode -----
11: 3-CONFIG::file::ioctl={ mode=disabled grant_log=no reject_log=no }
12: 3-CONFIG::file::mount={ mode=disabled grant_log=no reject_log=no }
13: 3-CONFIG::file={ mode=enforcing grant_log=no reject_log=yes }
14: 3-CONFIG::misc::env={ mode=disabled grant_log=no reject_log=no }
15: 3-CONFIG::network={ mode=disabled grant_log=no reject_log=no }
16: 3-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
17: 3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }

Notice that upon restart, it seems like the preference gets overwritten and
a mode=disabled (16) entry gets created. So the question is, if according
to the man page for tomoyo-init all that's done is load
/etc/tomoyo/profile (along with the other policy files) into kernel
memory, where do these extra entries get added? Does tomoyo disable
enforcement mode by default? Or rather, is it because profile #3 implicitly
includes the syscall types but does not explicitly declare the parent, so it
gets automatically added?

I apologize in advance if this is addressed somewhere.

R2
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.sourceforge.jp/mailman/archives/tomoyo-users-en/attachments/20140604/035c7a66/attachment.htm
Ак Лк
2014-06-05 14:42:04 UTC
Hi!
Try adding a new profile for these settings with a new number (4 or another).
_______________________________________________
tomoyo-users-en mailing list
tomoyo-users-en at lists.sourceforge.jp
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en
Tetsuo Handa
2014-06-05 15:03:39 UTC
Hello.
Post by Ryan Seu
Notice that upon restart, it seems like the preference gets overwritten and
a mode=disabled (16) entry gets created. So the question is, if according
to the man page for tomoyo-init all that's done is load the
/etc/tomoyo/profile (along with the other policy files) into the kernel
memory, where does these extra entries get added?
These extra entries are kernel's default configuration.
Post by Ryan Seu
Does tomoyo disable enforcement mode by default?
Kernel's default configuration is mode=disabled.

Please read http://tomoyo.sourceforge.jp/2.5/chapter-9.html for details of
profile settings.

You are specifying only category-specific configuration and
functionality-specific configuration.
You did not specify default configuration which will be used unless overwritten
by category-specific or functionality-specific configuration.
Post by Ryan Seu
Or rather, is it because profile #3 implicitly includes the syscall types
and not explicitly declares the parent it gets automatically added?
Right.

Regards.
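The lookup order described in this reply (functionality-specific entry, then category-specific entry, then the profile's default `CONFIG`, then the kernel's built-in default) is easy to get wrong by omission, because a missing default line does not fail loudly: the kernel silently supplies `mode=disabled`. The script below is an added example, not code from the TOMOYO project or from anyone in this thread. It parses a profile file in the format shown in the thread, resolves the effective setting for a given category/function pair the way the reply describes, and flags profiles that never set a default `CONFIG` line. The two embedded profiles are constructed samples: the first is the profile as originally posted, the second adds the missing default line. The function names (`file::open`, `network::inet_stream_bind`) are assumed to be valid TOMOYO 2.5 functionality names; the kernel-default values are taken from entry 16 in the post.

```python
"""Resolve effective TOMOYO profile settings and lint for a missing default.

Lookup order (from the thread and the TOMOYO 2.5 profile documentation):
  <N>-CONFIG::<category>::<function>   (functionality-specific)
  <N>-CONFIG::<category>               (category-specific)
  <N>-CONFIG                           (profile default)
  kernel built-in default              (mode=disabled, as shown in the post)
The most specific entry present is used as a whole; entries are not merged.
"""
import re

# Kernel's own fallback, as echoed back by the kernel in the original post.
KERNEL_DEFAULT = {"mode": "disabled", "grant_log": "yes", "reject_log": "yes"}

# Matches "3-CONFIG={...}", "3-CONFIG::file={...}" and "3-CONFIG::file::ioctl={...}".
# COMMENT and PREFERENCE lines deliberately do not match.
CONFIG_RE = re.compile(r"^(\d+)-CONFIG(?:::(\w+)(?:::(\w+))?)?=\{\s*(.*?)\s*\}$")

# Constructed sample: the profile as posted (no "3-CONFIG=" default line).
POSTED_PROFILE = """\
3-COMMENT=-----Enforcing Mode -----
3-CONFIG::file={ mode=enforcing grant_log=no reject_log=yes }
3-CONFIG::file::ioctl={ mode=disabled grant_log=no reject_log=no }
3-CONFIG::file::mount={ mode=disabled grant_log=no reject_log=no }
3-CONFIG::misc::env={ mode=disabled grant_log=no reject_log=no }
3-CONFIG::network={ mode=disabled grant_log=no reject_log=no }
3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
"""

# Constructed sample: same profile with an explicit default, so nothing
# falls through to the kernel's mode=disabled.
FIXED_PROFILE = "3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }\n" + POSTED_PROFILE


def parse_profile(text):
    """Return {profile_number: {key: settings}} where key is '' for the
    profile default, 'category', or 'category::function'."""
    profiles = {}
    for raw in text.splitlines():
        m = CONFIG_RE.match(raw.strip())
        if not m:
            continue
        num, category, function, body = m.groups()
        key = "::".join(part for part in (category, function) if part)
        settings = dict(kv.split("=", 1) for kv in body.split())
        profiles.setdefault(int(num), {})[key] = settings
    return profiles


def effective(profiles, num, category, function):
    """Effective settings for one operation, plus which entry supplied them."""
    conf = profiles.get(num, {})
    for key in (f"{category}::{function}", category, ""):
        if key in conf:
            source = f"{num}-CONFIG" + (f"::{key}" if key else "")
            return {**conf[key], "source": source}
    return {**KERNEL_DEFAULT, "source": "kernel default"}


def missing_default(profiles):
    """Profile numbers that never set '<N>-CONFIG=' and so inherit the
    kernel's mode=disabled for anything not listed explicitly."""
    return sorted(num for num, conf in profiles.items() if "" not in conf)


if __name__ == "__main__":
    for label, text in (("posted", POSTED_PROFILE), ("fixed", FIXED_PROFILE)):
        profiles = parse_profile(text)
        print(f"[{label}] profiles lacking a default CONFIG line:", missing_default(profiles))
        for cat, func in (("file", "open"), ("file", "ioctl"), ("network", "inet_stream_bind"), ("misc", "env")):
            r = effective(profiles, 3, cat, func)
            print(f"  {cat}::{func:18} mode={r['mode']:10} from {r['source']}")
```

Run against the posted profile the linter reports profile 3 as lacking a default, which is exactly the entry the kernel filled in as line 16 above; with the default line added, the report is empty and every operation resolves to something the administrator wrote rather than to the kernel's fallback.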
