On 10/07/2013 03:13 PM, Tai Nguyen (tainguye) wrote:
> This will work, but this will give the server access to all files and dir
> on the system, right? So, it will give the server more privilege than
> needed. We just want to give the server access to the /proc/<pid>/cmdline
> file and not other files.
The domain attribute only expands to the set of domain types, i.e. types
that are assigned to processes. And the only files that are labeled with
domains are the /proc/pid files for those domains. So

allow X domain:file r_file_perms;

only allows it to read the /proc/pid files, not other files on the system.
Also, certain /proc/pid files are further restricted by a ptrace check.
Finally, you can limit it to only being able to read the /proc/pid files of
specific domains by assigning a new type attribute to all of the client
domains and then using that attribute in your allow rule instead of using
"domain".

> On 10/7/13 3:01 PM, "Stephen Smalley" <s...@tycho.nsa.gov> wrote:
>
>> With regard to allowing it, you can allow it to read /proc/pid/cmdline
>> for all domains by writing allow rules with the domain attribute, e.g.
>>
>> allow server domain:dir r_dir_perms;
>> allow server domain:{ file lnk_file } r_file_perms;
>>
>> Or more succinctly using the r_dir_file() macro as:
>>
>> r_dir_file(server, domain)
>>
>> If you want to allow it for just app domains, you can write similar
>> rules using the appdomain attribute rather than domain, e.g.
>>
>> r_dir_file(server, appdomain)
>>
>
> --
> This message was distributed to subscribers of the seandroid-list mailing
> list.
> If you no longer wish to subscribe, send mail to majord...@tycho.nsa.gov with
> the words "unsubscribe seandroid-list" without quotes as the message.
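The three options laid out in the thread, written out as an SEAndroid policy fragment. This is an added illustration, not policy from the list or from the SEAndroid project: the domain names "server", "untrusted_app" and "platform_app" and the attribute "cmdline_client" are assumed for the example, and the closing neverallow is an extra build-time check, not something the thread proposes. r_dir_file() is the te_macros macro the thread refers to; in the Android policy tree the attribute declaration would normally live in the attributes file rather than beside the rules.

```selinux
# Added example (not from the thread). Hypothetical names: server,
# untrusted_app, platform_app, cmdline_client.

# Option 1: read /proc/<pid>/* for every process type. "domain" expands only
# to types assigned to processes, and the only files carrying those types are
# the /proc/<pid> entries, so this does not reach ordinary files on disk.
r_dir_file(server, domain)

# Option 2: narrow to application processes using the existing appdomain
# attribute instead of domain.
r_dir_file(server, appdomain)

# Option 3 (least privilege): a new attribute carried only by the client
# domains whose cmdline the server actually needs, then used in place of
# "domain" in the allow rule.
attribute cmdline_client;
typeattribute untrusted_app cmdline_client;
typeattribute platform_app cmdline_client;
r_dir_file(server, cmdline_client)

# r_dir_file(server, cmdline_client) expands to the same shape as the rules
# quoted in the thread:
#   allow server cmdline_client:dir r_dir_perms;
#   allow server cmdline_client:{ file lnk_file } r_file_perms;

# Added check: fail the policy build if server is ever granted read access to
# the /proc/<pid> files of a process type outside cmdline_client.
neverallow server { domain -cmdline_client }:file r_file_perms;
```

Once the policy is compiled, the expansion can be confirmed with the setools query `sesearch --allow -s server -c file <policy file>`, which should list only the cmdline_client target (plus whatever regular file types the server legitimately needs) and nothing keyed on domain.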