Ryan Seu
2014-06-05 06:29:06 UTC
Hi tomoyo-users,
I'm seeing some quirky behavior that, in retrospect, might make sense but
isn't really documented anywhere.
I have a domain policy that I've applied an ACL group and a profile to:
<kernel> blah/blah/blah
use_profile 3
use_group 1
I've also set it up so the profile will selectively enforce based on the
syscall types:
3-CONFIG::file={ mode=enforcing grant_log=no reject_log=yes }
3-CONFIG::file::ioctl={ mode=disabled grant_log=no reject_log=no }
3-CONFIG::file::mount={ mode=disabled grant_log=no reject_log=no }
3-CONFIG::misc::env={ mode=disabled grant_log=no reject_log=no }
3-CONFIG::network={ mode=disabled grant_log=no reject_log=no }
*3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }*
I've created the profile and domain policy under /etc/tomoyo and restarted
the system, expecting that policy #3 will be applied to that particular
domain.
Unfortunately, once booted (after tomoyo-init has been invoked), when I
check the current profile settings I see this:
10: 3-COMMENT=-----Enforcing Mode -----
11: 3-CONFIG::file::ioctl={ mode=disabled grant_log=no reject_log=no }
12: 3-CONFIG::file::mount={ mode=disabled grant_log=no reject_log=no }
13: 3-CONFIG::file={ mode=enforcing grant_log=no reject_log=yes }
14: 3-CONFIG::misc::env={ mode=disabled grant_log=no reject_log=no }
15: 3-CONFIG::network={ mode=disabled grant_log=no reject_log=no }
* 16: 3-CONFIG={ mode=disabled grant_log=yes reject_log=yes }*
* 17: 3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }*
Notice that upon restart, it seems like the preference gets overwritten and
a mode=disabled (16) entry gets created. So the question is: if, according
to the man page for tomoyo-init, all that's done is load
/etc/tomoyo/profile (along with the other policy files) into kernel
memory, where do these extra entries get added? Does tomoyo disable
enforcement mode by default? Or rather, is it because profile #3 implicitly
includes the syscall types and doesn't explicitly declare the parent, which
then gets added automatically?
I apologize in advance if this is addressed somewhere.
R2
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.sourceforge.jp/mailman/archives/tomoyo-users-en/attachments/20140604/035c7a66/attachment.htm
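The practical question behind the post is which mode a given access check actually runs under once a profile has both per-function entries (3-CONFIG::file::ioctl), a category entry (3-CONFIG::file) and the bare 3-CONFIG entry the kernel shows. The script below is an added example written for this page, not code from the poster or from the TOMOYO project. It parses the two profile listings reproduced above (the on-disk file and the kernel's listing with the "NN: " prefixes that tomoyo-editpolicy prints), parses a constructed domain_policy entry whose domain name is a placeholder, and resolves the effective mode for an access by walking CONFIG::<category>::<function>, then CONFIG::<category>, then CONFIG. That fallback order is an assumption about the kernel's lookup and is not stated anywhere on the page; the listings are constructed from the post. One caveat worth keeping in mind when reading the result: in TOMOYO, mode=disabled means no checking for that scope at all, so a bare CONFIG entry of mode=disabled is what every category the profile never names falls through to.

```python
"""Resolve the effective TOMOYO mode for a domain's access checks.

Added example; assumes the fallback order
CONFIG::<category>::<function> -> CONFIG::<category> -> CONFIG.
"""
import re

# Constructed sample: the profile as written under /etc/tomoyo in the post
# (no bare "3-CONFIG=" line).
ON_DISK_PROFILE = """\
3-COMMENT=-----Enforcing Mode -----
3-CONFIG::file={ mode=enforcing grant_log=no reject_log=yes }
3-CONFIG::file::ioctl={ mode=disabled grant_log=no reject_log=no }
3-CONFIG::file::mount={ mode=disabled grant_log=no reject_log=no }
3-CONFIG::misc::env={ mode=disabled grant_log=no reject_log=no }
3-CONFIG::network={ mode=disabled grant_log=no reject_log=no }
3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
"""

# Constructed sample: the kernel's listing after tomoyo-init, as in the post,
# with the "NN: " prefixes and the extra bare "3-CONFIG=" entry.
KERNEL_DUMP = """\
10: 3-COMMENT=-----Enforcing Mode -----
11: 3-CONFIG::file::ioctl={ mode=disabled grant_log=no reject_log=no }
12: 3-CONFIG::file::mount={ mode=disabled grant_log=no reject_log=no }
13: 3-CONFIG::file={ mode=enforcing grant_log=no reject_log=yes }
14: 3-CONFIG::misc::env={ mode=disabled grant_log=no reject_log=no }
15: 3-CONFIG::network={ mode=disabled grant_log=no reject_log=no }
16: 3-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
17: 3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
"""

# Constructed domain_policy entry; "/path/to/program" is a placeholder domain.
DOMAIN_POLICY = """\
<kernel> /path/to/program
use_profile 3
use_group 1
"""

# Matches "[NN: ]<profile>-CONFIG[::scope]={ key=value ... }"
CONFIG_LINE = re.compile(
    r"^\s*(?:\d+:\s*)?(\d+)-CONFIG(?:::(\S+))?=\{\s*(.*?)\s*\}\s*$")


def parse_profiles(text):
    """Return {profile_no: {key: {setting: value}}} from CONFIG lines.

    key is "CONFIG" for the bare default entry, otherwise
    "CONFIG::<category>" or "CONFIG::<category>::<function>".
    COMMENT and PREFERENCE lines carry no mode and are skipped.
    """
    profiles = {}
    for line in text.splitlines():
        m = CONFIG_LINE.match(line)
        if not m:
            continue
        no, scope, body = int(m.group(1)), m.group(2), m.group(3)
        key = "CONFIG" if scope is None else "CONFIG::" + scope
        settings = dict(kv.split("=", 1) for kv in body.split())
        profiles.setdefault(no, {})[key] = settings
    return profiles


def profile_for_domain(domain_policy, domain):
    """Return the use_profile number declared for `domain`, or None."""
    current = None
    for line in domain_policy.splitlines():
        if line.startswith("<kernel>"):
            current = line.strip()
        elif current == domain and line.startswith("use_profile "):
            return int(line.split()[1])
    return None


def effective_mode(profiles, profile_no, access):
    """Resolve the mode for an access such as "file::ioctl".

    Walks CONFIG::file::ioctl -> CONFIG::file -> CONFIG (assumed order) and
    returns (mode, key_that_supplied_it), or (None, None) if no entry matches.
    """
    entries = profiles.get(profile_no, {})
    parts = access.split("::")
    chain = ["CONFIG::" + "::".join(parts[:i]) for i in range(len(parts), 0, -1)]
    chain.append("CONFIG")
    for key in chain:
        if key in entries:
            return entries[key]["mode"], key
    return None, None


def added_by_kernel(on_disk, kernel, profile_no):
    """Keys the kernel lists that the on-disk profile never declared."""
    return sorted(set(kernel.get(profile_no, {})) - set(on_disk.get(profile_no, {})))


if __name__ == "__main__":
    disk, kern = parse_profiles(ON_DISK_PROFILE), parse_profiles(KERNEL_DUMP)
    no = profile_for_domain(DOMAIN_POLICY, "<kernel> /path/to/program")
    print("profile", no, "entries added by kernel:", added_by_kernel(disk, kern, no))
    for access in ("file::ioctl", "file::open", "misc::env", "ipc::signal"):
        print(f"{access:12} on disk: {effective_mode(disk, no, access)}"
              f"  in kernel: {effective_mode(kern, no, access)}")
```

Running it against the two listings shows the difference that matters operationally: file::open resolves to enforcing through CONFIG::file in both, but an access in a category the profile never names (ipc::signal is used as the example) resolves to nothing on disk and to the bare CONFIG entry's mode=disabled in the kernel listing.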