I don't want to give the server access to all client files (e.g., the client's private files); I just want to give the server access to the client's /proc files.
Tai

On 10/7/13 4:32 PM, "Stephen Smalley" <[email protected]> wrote:

> On 10/07/2013 04:18 PM, Tai Nguyen (tainguye) wrote:
> > Using domain can restrict access to system_data_file, but it still gives
> > access to processes' private files.
> > Is there a way to tag an attribute to all /proc files that I can use
> > instead of domain?
>
> If you want to restrict the server to only specific client domains, then
> as I said before, define a macro that you use to allow the client to
> connect to the server domain and as part of that macro assign a new
> attribute to all of the client domains that you can use in an allow rule.
>
> For example, in te_macros, you can add:
>
> define(`client_domain', `
> typeattribute $1 clientdomain;
> # any allow rules needed to connect to the server
> ')
>
> And in attributes, you can add:
>
> attribute clientdomain;
>
> Then in each client domain's .te file, you can add:
>
> client_domain(<insert-name-of-client-domain-here>)
>
> And in the server's .te file, you can add:
>
> r_dir_file(<insert-name-of-server-domain>, clientdomain)
>
> Then your server can only read /proc/pid files of its clients, not of
> all domains.
>
> If you are worried about being able to read files under /proc/pid other
> than /proc/pid/cmdline even for the client domains, then note that
> private information files are often already gated by an additional
> ptrace check, so if the server is not allowed ptrace permission to the
> client domain, it won't be able to read those files even with the allow
> rule above. But no, you can't currently label different files under
> /proc/pid with different labels; they all get the domain of the
> associated process presently and there isn't a way to change that
> without a kernel change.
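The policy layout Stephen describes above, written out end to end as an added example (this is not code from the thread or from Android's own policy). The domain names myserver, clienta and clientb, the socket type myserver_socket, and the use of Android's unix_socket_connect() macro to fill in the "any allow rules needed to connect to the server" comment are assumptions; the neverallow on ptrace is the check a reviewer would add given the ptrace gating mentioned in the reply.

```selinux
########## te_macros (appended to Android's existing m4 macro file) ##########
# client_domain(domain)
# Marks a domain as a client of myserver and grants it what it needs to reach
# the server's socket. Every domain that goes through this macro also picks up
# the clientdomain attribute, which is what the server's allow rule keys on.
define(`client_domain', `
typeattribute $1 clientdomain;
# Assumption: myserver accepts connections on a unix stream socket labelled
# myserver_socket (e.g. created by init under /dev/socket). unix_socket_connect
# expands to the sock_file write + unix_stream_socket connectto rules.
unix_socket_connect($1, myserver, myserver)
')

########## attributes ##########
# Declared once; assigned to domains only via client_domain() above.
attribute clientdomain;

########## clienta.te / clientb.te (hypothetical client domains) ##########
type clienta, domain;
client_domain(clienta)

type clientb, domain;
client_domain(clientb)

########## myserver.te (hypothetical server domain) ##########
type myserver, domain;
# Assumption: label for the server's listening socket node.
type myserver_socket, file_type;

# /proc/<pid> entries carry the label of the owning process's domain, so
# granting read on the clientdomain attribute covers /proc/<pid> of every
# client and nothing else. A domain not passed through client_domain()
# (e.g. a domain that never connects to the server) stays unreadable.
r_dir_file(myserver, clientdomain)

# The private /proc/<pid> files (maps, environ, ...) additionally require
# ptrace access on the target. Nothing above grants it; this neverallow makes
# the build fail if any later rule tries to, so the server is limited to the
# non-gated entries such as /proc/<pid>/cmdline.
neverallow myserver clientdomain:process ptrace;
```

To confirm the result on the compiled policy, query it with the setools sesearch utility for allow rules with source myserver and class file: the only targets that should appear for /proc reads are the domains carrying the clientdomain attribute, and a search for process:ptrace from myserver should return nothing. If a client domain is later added without going through client_domain(), it will neither reach the socket nor be readable under /proc, which is the intended failure mode.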
