I'm preparing manuals for TOMOYO 1.8 (although specifications may change).
http://tomoyo.sourceforge.jp/1.8/
Major changes since the last status report are:
Restriction on UNIX domain sockets is supported.
Process state variables were replaced by relative domain transition
(transition to child domains).
Absolute domain transition (transition to arbitrary domains) is supported.
Automatic domain transition (transition to arbitrary domains automatically
when conditions are met, for example when the UID changes from 0 to non-0)
is supported.
Below is the changelog so far since TOMOYO 1.7.2p2.
@ Change directives.
I removed the "allow_" prefix from directives. New directives for files are
prefixed with "file ". For example, "allow_read" changed to "file read" and
"allow_ioctl" changed to "file ioctl". The new directive for "allow_network
TCP" is "network inet stream", for "allow_network UDP" it is "network inet
dgram", and for "allow_network RAW" it is "network inet raw". The new
directive for "allow_env" is "misc env". The new directive for "allow_signal"
is "ipc signal". The new directive for "allow_capability" is "capability".
These new directives correspond to the keywords used by the profile's CONFIG
lines.
I removed the "deny_rewrite" and "allow_rewrite" directives and introduced
the "file append" directive. Thus, the permission for
open(O_WRONLY | O_APPEND) changed from "allow_write" + "allow_rewrite" to
"file append".
I removed the "SYS_MOUNT", "SYS_UMOUNT", "SYS_CHROOT", "SYS_KILL",
"SYS_LINK", "SYS_SYMLINK", "SYS_RENAME", "SYS_UNLINK", "SYS_CHMOD",
"SYS_CHOWN", "SYS_IOCTL", "SYS_PIVOT_ROOT" keywords from capabilities
because these permissions can be checked by other directives (e.g.
"file mount", "ipc signal").
I also removed the "conceal_mount" keyword from capabilities because this
check requires hooks in the filesystem part, while almost all hooks for the
filesystem part have moved to LSM by Linux 2.6.34.
The new directive for "execute_handler" is "task auto_execute_handler", and
for "denied_execute_handler" it is "task denied_execute_handler".
@ Distinguish send() and recv() operations.
Until now, it was impossible for UDP and IP sockets to allow only sending or
only receiving because both permissions were aggregated under the "connect"
keyword. I split the "connect" keyword into "send" and "recv" keywords so
that you can keep access control for the send() operation enabled when you
have to disable access control for the recv() operation because discarding
incoming datagrams breaks the application.
@ Wait for the next connection/datagram if the current connection/datagram
was discarded.
Regarding the "network inet stream accept", "network inet dgram recv" and
"network inet raw recv" directives, I modified them to wait for the next
connection/datagram if the current connection/datagram was discarded.
LSM hooks for these directives are currently missing because this behavior
may break applications. If you find applications broken by this behavior,
you can set CONFIG::network::inet_stream_accept and/or
CONFIG::network::inet_dgram_recv and/or CONFIG::network::inet_raw_recv to
mode=disabled in order to disable filtering only for incoming
connections/datagrams.
@ Add Unix domain socket restriction support.
Until now, it was possible to restrict only inet domain sockets (i.e.
TCP/UDP/RAW). I added restrictions for Unix domain sockets (i.e. stream/
dgram/seqpacket). The new directive "network unix" is added alongside the
"network inet" directive.
@ Allow specifying multiple permissions in a line.
Until now, only "allow_read/write" could be specified, as the combination of
"allow_read" + "allow_write". Now you can combine other permissions as long
as the type of the parameters for these permissions is the same. For example,
"file read/write/append/execute/unlink/truncate /tmp/file" is correct
but "file read/write/create /tmp/file" is wrong because "file create"
requires a create mode whereas "file read" and "file write" do not.
@ Allow wildcard for execute permission and domainname.
Until now, an "aggregator" was needed to execute programs with temporary
names. To simplify the code, I modified TOMOYO to accept wildcards for the
execute permission and for domainnames. Now you can directly specify
"file execute /tmp/logrotate.\?\?\?\?\?\?" and use
"/tmp/logrotate.\?\?\?\?\?\?" within domainnames.
@ Change pathname for non-rename()able filesystems.
The LSM version of TOMOYO wants to use /proc/self/ rather than /proc/$PID/
if $PID matches the current thread's process ID, in order to prevent the
current thread from accessing other processes' information unless needed.
But since procfs can be mounted at various locations (e.g. /proc/ /proc2/
/p/ /tmp/foo/100/p/ ), the LSM version of TOMOYO cannot tell whether the
numeric part in the string returned by __d_path() represents a process ID
or not.
Therefore, to be able to convert from $PID to self no matter where procfs
is mounted, I changed the pathname representation for filesystems which do
not support the rename() operation (e.g. proc, sysfs, securityfs).
Now, "/proc/self/mounts" changed to "proc:/self/mounts",
"/sys/kernel/security/" changed to "sys:/kernel/security/" and
"/dev/pts/0" changed to "devpts:/0".
@ Add a new keyword "any" for domain transition control.
To make it easier to apply auto_execute_handler to each domain, I added the
"any" keyword to the domain transition control keywords. Now,
"initialize_domain /usr/sbin/sshd" changed to
"initialize_domain /usr/sbin/sshd from any" and
"keep_domain <kernel> /usr/sbin/sshd /bin/bash" changed to
"keep_domain any from <kernel> /usr/sbin/sshd /bin/bash".
"keep_domain /path/to/auto_execute_handler from any" allows you to apply
auto_execute_handler to any domain without creating domains for
auto_execute_handler.
@ Change buffering mode for reading policy.
To be able to read() very long lines correctly, I changed the way TOMOYO
buffers policy for reading.
@ Introduce "acl_group" keyword.
Until now, it was possible to specify only the "allow_read" and "allow_env"
keywords in the exception policy.
Since some operations like "file read/write/append /dev/null" and
"network UDP send/recv @DNS_SERVER 53" are very common and should be
permitted to all domains, I introduced the "acl_group" keyword for granting
such permissions.
For example, specify "acl_group 0 file read/write/append /dev/null" in
the exception policy and specify "use_group 0" in the domains in the
domain policy.
The "ignore_global_allow_read" and "ignore_global_allow_env" directives
were removed from the domain policy and the "use_group" keyword was added.
@ Remove the "if" and "; set" keywords.
I removed the need for specifying these keywords.
You can simply specify a condition like below.
file read /etc/shadow task.uid=0
@ Remove per-profile preference.
I removed the per-profile preference in order to make the code simpler.
@ Allow controlling generation of access granted logs on a per-entry basis.
I added a per-entry flag which controls generation of grant logs because
Xen and KVM issue ioctl requests so frequently. For example,
file ioctl /dev/null 0x5401 grant_log=no
will suppress /proc/ccs/grant_log even if the preference says grant_log=yes .
file ioctl /dev/null 0x5401 grant_log=yes
will generate /proc/ccs/grant_log even if the preference says grant_log=no .
file ioctl /dev/null 0x5401
will generate /proc/ccs/grant_log only if the preference says grant_log=yes .
This flag is intended for frequently accessed resources, for example:
file read /var/www/html/\{\*\}/\*.html grant_log=no
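The three syntax rules above (slash-combined permissions must share a parameter type, conditions are written bare without "if", and the per-entry grant_log flag overrides the preference) can be checked outside the kernel. The following is an added example, not code from the TOMOYO project or from this post: a small parser for "file" ACL lines that rejects "file read/write/create /tmp/file", accepts the ioctl lines with their request number, and resolves grant_log. It only knows the permission keywords that appear in this report and treats conditions as exact "=" / "!=" comparisons; both are assumptions made for the example.

```python
"""Validate TOMOYO 1.8 style "file" ACL lines.

Added example, not code from the TOMOYO project. It enforces the rule from
the report that slash-combined permissions must all take the same kind of
operand, reads the bare "task.uid=0" conditions (no "if" keyword in 1.8),
and resolves the per-entry grant_log flag against the profile preference.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Operand shape for each permission keyword. Only keywords that appear in
# the status report are listed; the real table is longer (assumption: the
# remaining keywords follow the same one-shape-per-keyword rule).
PATH_ONLY = frozenset({"read", "write", "append", "execute", "unlink", "truncate"})
PATH_AND_NUMBER = frozenset({"create", "ioctl"})  # create mode / ioctl request number

CONDITION_RE = re.compile(r"^([A-Za-z_][\w.]*)(!=|=)(\S+)$")


@dataclass
class FileAcl:
    perms: List[str]
    path: str
    number: Optional[str] = None                 # create mode or ioctl number, if any
    conditions: List[Tuple[str, str, str]] = field(default_factory=list)
    grant_log: Optional[bool] = None             # None: defer to the preference


def operand_shape(perm: str) -> str:
    if perm in PATH_ONLY:
        return "path"
    if perm in PATH_AND_NUMBER:
        return "path+number"
    raise ValueError(f"unknown file permission {perm!r}")


def parse_file_acl(line: str) -> FileAcl:
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "file":
        raise ValueError(f"not a file directive: {line!r}")
    perms = tokens[1].split("/")
    shapes = {operand_shape(p) for p in perms}
    if len(shapes) != 1:
        # "file read/write/create /tmp/file": create needs a mode, read does not
        raise ValueError(f"{tokens[1]!r} mixes permissions with different operands")
    rest = tokens[3:]
    number = None
    if shapes.pop() == "path+number":
        if not rest or CONDITION_RE.match(rest[0]):
            raise ValueError(f"{tokens[1]!r} needs a numeric operand after the path")
        number = rest.pop(0)
    acl = FileAcl(perms=perms, path=tokens[2], number=number)
    for tok in rest:
        if tok.startswith("grant_log="):
            value = tok[len("grant_log="):]
            if value not in ("yes", "no"):
                raise ValueError(f"grant_log must be yes or no, got {value!r}")
            acl.grant_log = value == "yes"
            continue
        m = CONDITION_RE.match(tok)
        if not m:
            raise ValueError(f"unrecognised token {tok!r}")
        acl.conditions.append((m.group(1), m.group(2), m.group(3)))
    return acl


def is_valid_file_acl(line: str) -> bool:
    try:
        parse_file_acl(line)
    except ValueError:
        return False
    return True


def conditions_hold(acl: FileAcl, task: dict) -> bool:
    """Check conditions against task attributes such as {"task.uid": 0}.
    Only exact "=" / "!=" comparisons are modelled here (assumption)."""
    for lhs, op, rhs in acl.conditions:
        if lhs not in task:
            return False
        equal = str(task[lhs]) == rhs
        if (op == "=") != equal:
            return False
    return True


def writes_grant_log(acl: FileAcl, preference_grant_log: bool) -> bool:
    """The per-entry flag wins; without one the preference decides."""
    return preference_grant_log if acl.grant_log is None else acl.grant_log


if __name__ == "__main__":
    for line in (
        "file read/write/append/execute/unlink/truncate /tmp/file",
        "file ioctl /dev/null 0x5401 grant_log=no",
        "file read /etc/shadow task.uid=0",
        "file read/write/create /tmp/file",
    ):
        try:
            print(line, "->", parse_file_acl(line))
        except ValueError as exc:
            print(line, "-> rejected:", exc)
```

Running the file prints the parsed form of the three valid lines and the rejection reason for the mixed read/write/create line.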
@ Automatically create domain by execve() even if enforcing mode.
Until now, new domains were not created if the domain was not defined and
the current domain was in enforcing mode ("CONFIG::file::execute=enforcing").
To be able to restrict shell sessions without using "keep_domain",
I changed TOMOYO to create new domains automatically even if the current
domain is in enforcing mode.
@ Replace "task.state" with "auto_domain_transition".
task.state is difficult to use. Thus, I replaced task.state with
auto_domain_transition, which performs a domain transition instead of
changing the current process's state variables.
If the domain transition fails, the current process will be killed by a
SIGKILL signal. This should not happen in normal circumstances, because you
know the domain to transit to and thereby will define the domain beforehand
when you use the "auto_domain_transition" keyword.
@ Replace "allow_transit" with "task manual_domain_transition".
I changed this directive to specify an absolute domainname (e.g.
"<kernel> /usr/sbin/httpd //app=cgi1\040id=10000") rather than a virtual
pathname (e.g. "//app=cgi1\040id=10000") because you know the domain to
transit to and thereby will define the domain beforehand when you use the
"task manual_domain_transition" directive.
This change allows you to jump to an arbitrary domain.
@ Add "task auto_domain_transition".
This is similar to "task manual_domain_transition", but is applied
automatically whenever the conditions are met. For example,
task auto_domain_transition <kernel> //./non-root task.uid!=0
will automatically jump to the "<kernel> //./non-root" domain if the current
process's UID is not 0, whereas
task manual_domain_transition <kernel> //./non-root task.uid!=0
will jump to the "<kernel> //./non-root" domain if the current process's UID
is not 0 and the current process wrote "<kernel> //./non-root" + '\n' to
the /proc/ccs/.transition interface.
If the domain transition fails, the current process will be killed by a
SIGKILL signal.
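To make the difference between the two directives concrete, here is an added example in Python (not code from TOMOYO or from this post) that models the three behaviours described in the last two sections: an "auto" rule fires by itself once "task.uid!=0" holds, a "manual" rule fires only when the process writes the absolute domainname to /proc/ccs/.transition while the condition holds, and a transition to a domain that was not defined beforehand ends in SIGKILL. The DomainPolicy class, the Task record and the outcome strings are this example's own; the report does not say what happens when a process requests a manual transition no rule permits, so the model simply refuses it and that is marked as an assumption in the code.

```python
"""Model of TOMOYO 1.8 automatic and manual domain transitions.

Added example, not code from the TOMOYO project. Domains, rules and the
task are plain Python data; DomainPolicy applies the two transition kinds
the report describes and models a failed transition as SIGKILL.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

COND_RE = re.compile(r"^([A-Za-z_][\w.]*)(!=|=)(\S+)$")
KINDS = {"auto_domain_transition": "auto", "manual_domain_transition": "manual"}


@dataclass
class TransitionRule:
    kind: str               # "auto" or "manual"
    target: str             # absolute domainname, e.g. "<kernel> //./non-root"
    cond: Optional[str]     # e.g. "task.uid!=0"; None means unconditional


@dataclass
class Task:
    domain: str
    uid: int
    alive: bool = True      # False models delivery of SIGKILL


def parse_rule(line: str) -> TransitionRule:
    """Parse "task auto_domain_transition <kernel> //./non-root task.uid!=0".
    The domainname contains spaces, so everything between the directive
    and a trailing condition is the target."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "task" or tokens[1] not in KINDS:
        raise ValueError(f"not a domain transition directive: {line!r}")
    cond = tokens[-1] if COND_RE.match(tokens[-1]) else None
    target_tokens = tokens[2:-1] if cond else tokens[2:]
    if not target_tokens:
        raise ValueError(f"missing target domain: {line!r}")
    return TransitionRule(KINDS[tokens[1]], " ".join(target_tokens), cond)


def cond_holds(cond: Optional[str], task: Task) -> bool:
    """Evaluate a single exact "=" / "!=" condition (assumption: no ranges)."""
    if cond is None:
        return True
    lhs, op, rhs = COND_RE.match(cond).groups()
    attrs = {"task.uid": task.uid}
    equal = lhs in attrs and str(attrs[lhs]) == rhs
    return equal if op == "=" else not equal


class DomainPolicy:
    def __init__(self, defined_domains: Iterable[str], rules: Iterable[TransitionRule]):
        self.defined = set(defined_domains)
        self.rules = list(rules)

    def _transit(self, task: Task, target: str) -> str:
        # The target must exist beforehand; otherwise the transition fails and,
        # as the report says, the process is killed with SIGKILL.
        if target not in self.defined:
            task.alive = False
            return "SIGKILL"
        task.domain = target
        return "transited"

    def on_uid_change(self, task: Task, new_uid: int) -> str:
        """Auto rules are re-checked whenever the condition may have changed."""
        task.uid = new_uid
        for rule in self.rules:
            if rule.kind == "auto" and cond_holds(rule.cond, task):
                return self._transit(task, rule.target)
        return "unchanged"

    def write_transition(self, task: Task, requested: str) -> str:
        """The process writes a domainname to /proc/ccs/.transition."""
        for rule in self.rules:
            if (rule.kind == "manual" and rule.target == requested
                    and cond_holds(rule.cond, task)):
                return self._transit(task, requested)
        # Assumption: a request no manual rule permits is refused and the
        # process stays in its domain (the report does not spell this out).
        return "denied"


if __name__ == "__main__":
    policy = DomainPolicy(
        {"<kernel> /bin/bash", "<kernel> //./non-root"},
        [parse_rule("task auto_domain_transition <kernel> //./non-root task.uid!=0")],
    )
    shell = Task(domain="<kernel> /bin/bash", uid=0)
    print(policy.on_uid_change(shell, 1000), shell.domain)
```

Running the file shows the shell task moving into "<kernel> //./non-root" as soon as its UID becomes non-zero, with no write to the .transition interface involved.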
@ Optimize for object's size.
I merged similar code in order to reduce the object file size.
As of now, the size is reduced by up to 20% compared to TOMOYO 1.7.2 .
_______________________________________________
tomoyo-users-en mailing list
[email protected]
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en