Hello.
I'm planning to support domain transition without program execution requests.
While thinking about how domain transition without program execution requests
should behave, I came to feel that the current behavior of CONFIG::file::execute
is somewhat confusing.
TOMOYO Linux can create domains by simply executing programs.
Currently, TOMOYO Linux behaves as follows, depending on the mode of
CONFIG::file::execute (or CONFIG::file if CONFIG::file::execute is unspecified,
or CONFIG if both CONFIG::file::execute and CONFIG::file are unspecified).
CONFIG::file::execute={ mode=disabled } or
CONFIG::file::execute={ mode=learning } or
CONFIG::file::execute={ mode=permissive }
    Create a new domain automatically if the domain to transit to after
    execve() succeeds is missing.
    Don't make execve() fail if the domain to transit to after execve()
    succeeds is missing and was not created. In other words, accept
    continuing execution without domain transition.

CONFIG::file::execute={ mode=enforcing }
    Don't create a new domain if the domain to transit to after execve()
    succeeds is missing.
    Make execve() fail if the domain to transit to after execve() succeeds
    is missing and was not created. In other words, reject continuing
    execution without domain transition.
The description of TOMOYO's disabled mode is that
    Works as if regular kernel.
and the description of TOMOYO's permissive mode is that
    An access request is not rejected even if the request violates policy.
    But, the permission to allow the request is not added to policy.
This sounds as if /proc/ccs/domain_policy won't be updated automatically if
CONFIG::file::execute={ mode=disabled } or
CONFIG::file::execute={ mode=permissive } .
But the actual behavior is that a new domain is automatically added to
/proc/ccs/domain_policy so that the program execution request won't be rejected.
Some people may think this behavior is inconsistent. Thus, I'm thinking that
I should split CONFIG::file::execute into two parts, one for checking the
allow_execute permission and the other for creating the domain to transit to
after execve() succeeds.
I'm thinking of changing /proc/ccs/profile from
PREFERENCE::audit={ max_grant_log=1024 max_reject_log=1024 task_info=yes
path_info=yes }
PREFERENCE::enforcing={ verbose=yes penalty=0 }
PREFERENCE::learning={ verbose=no max_entry=2048 exec.realpath=yes
exec.argv0=yes symlink.target=yes }
PREFERENCE::permissive={ verbose=yes }
0-COMMENT=-----Disabled Mode-----
0-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
1-COMMENT=-----Learning Mode-----
1-CONFIG={ mode=learning grant_log=yes reject_log=yes }
2-COMMENT=-----Permissive Mode-----
2-CONFIG={ mode=permissive grant_log=yes reject_log=yes }
3-COMMENT=-----Enforcing Mode-----
3-CONFIG={ mode=enforcing grant_log=yes reject_log=yes }
to something like
PREFERENCE::audit={ max_grant_log=1024 max_reject_log=1024 task_info=yes
path_info=yes }
PREFERENCE::enforcing={ verbose=yes penalty=0 }
PREFERENCE::learning={ verbose=no max_entry=2048 exec.realpath=yes
exec.argv0=yes symlink.target=yes }
PREFERENCE::permissive={ verbose=yes }
0-COMMENT=-----Disabled Mode-----
0-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
0-PREFERENCE::domain={ auto_create=yes fail_exec=no }
1-COMMENT=-----Learning Mode-----
1-CONFIG={ mode=learning grant_log=yes reject_log=yes }
1-PREFERENCE::domain={ auto_create=yes fail_exec=no }
2-COMMENT=-----Permissive Mode-----
2-CONFIG={ mode=permissive grant_log=yes reject_log=yes }
2-PREFERENCE::domain={ auto_create=yes fail_exec=no }
3-COMMENT=-----Enforcing Mode-----
3-CONFIG={ mode=enforcing grant_log=yes reject_log=yes }
3-PREFERENCE::domain={ auto_create=no fail_exec=yes }
where "auto_create" means "Automatically create the domain to transit to when
the domain was not found" and "fail_exec" means "Let program execution
requests fail when the domain to transit to was neither found nor created".
What do you think about this change?
_______________________________________________
tomoyo-users-en mailing list
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en
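The resolution order and the two domain-transition knobs described above, modelled in Python as an added example (this is not TOMOYO's own code and does not touch /proc/ccs). It parses a constructed /proc/ccs/profile-style text, walks the fallback chain CONFIG::file::execute -> CONFIG::file -> CONFIG to find the effective mode, and derives auto_create/fail_exec either from a proposed PREFERENCE::domain line or, when that line is absent, from the mode as the current kernel behaves. The line syntax accepted by the parser and the way a PREFERENCE::domain entry would be parsed are assumptions based on the message, not the kernel's actual parser.

```python
"""Model of TOMOYO profile resolution for domain transition on execve().

Added example, not TOMOYO's own code. The N-KEY={ k=v ... } line syntax is
assumed from the message; PREFERENCE::domain is the proposed entry, and how
the kernel would parse it is an assumption.
"""
import re
from dataclasses import dataclass

# Constructed sample profile (not from a real system):
#   profile 0: disabled, no override          -> domain auto-created, exec allowed
#   profile 1: enforcing, but file::execute is overridden to permissive
#   profile 2: permissive with an explicit proposed PREFERENCE::domain line
#   profile 3: plain enforcing                 -> exec rejected if domain is missing
SAMPLE_PROFILE = """\
PREFERENCE::audit={ max_grant_log=1024 max_reject_log=1024 task_info=yes path_info=yes }
0-COMMENT=-----Disabled Mode-----
0-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
1-COMMENT=-----Enforcing, execute overridden-----
1-CONFIG={ mode=enforcing grant_log=yes reject_log=yes }
1-CONFIG::file::execute={ mode=permissive }
2-COMMENT=-----Permissive Mode-----
2-CONFIG={ mode=permissive grant_log=yes reject_log=yes }
2-PREFERENCE::domain={ auto_create=no fail_exec=no }
3-COMMENT=-----Enforcing Mode-----
3-CONFIG={ mode=enforcing grant_log=yes reject_log=yes }
"""

# Matches "N-KEY={ k=v k=v }"; COMMENT lines and the global (unnumbered)
# PREFERENCE::* lines deliberately do not match and are skipped.
LINE_RE = re.compile(r"^(\d+)-([A-Za-z_:]+)=\{ (.*) \}$")


def parse_profile(text):
    """Return {profile_number: {key: {k: v, ...}}}."""
    profiles = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        num, key, body = int(m.group(1)), m.group(2), m.group(3)
        kv = dict(item.split("=", 1) for item in body.split())
        profiles.setdefault(num, {})[key] = kv
    return profiles


def effective_mode(profile, key="CONFIG::file::execute"):
    """Walk the fallback chain: the key itself, then each parent obtained by
    dropping the last '::' component, down to the bare CONFIG entry."""
    while True:
        entry = profile.get(key)
        if entry and "mode" in entry:
            return entry["mode"]
        if "::" not in key:
            raise KeyError("no mode found anywhere in the fallback chain")
        key = key.rsplit("::", 1)[0]


@dataclass(frozen=True)
class DomainPolicy:
    auto_create: bool  # create the missing target domain
    fail_exec: bool    # reject execve() when the target domain is missing


def domain_policy(profile):
    """Proposed PREFERENCE::domain wins; otherwise derive from the mode, which
    is the current behaviour: every mode except enforcing auto-creates and
    never fails the exec, enforcing never creates and always fails it."""
    pref = profile.get("PREFERENCE::domain")
    if pref is not None:
        return DomainPolicy(pref.get("auto_create") == "yes",
                            pref.get("fail_exec") == "yes")
    enforcing = effective_mode(profile) == "enforcing"
    return DomainPolicy(auto_create=not enforcing, fail_exec=enforcing)


def execve_outcome(policy, domain_exists):
    """Return (verdict, domain_created, transitioned) for one execve()."""
    if domain_exists:
        return ("allowed", False, True)
    if policy.auto_create:
        return ("allowed", True, True)
    if policy.fail_exec:
        return ("rejected", False, False)
    return ("allowed", False, False)  # keeps running in the caller's domain


if __name__ == "__main__":
    for num, prof in sorted(parse_profile(SAMPLE_PROFILE).items()):
        pol = domain_policy(prof)
        print(num, effective_mode(prof), pol, execve_outcome(pol, False))
```

Profile 2 is the case the proposal makes expressible: auto_create=no together with fail_exec=no means a missing domain is neither created nor fatal, so the program simply keeps running without transition, which the current mode-only scheme cannot state.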