Tetsuo Handa wrote:
> Ben Ward wrote:
>> This resulted in a domain "/usr/bin/chromium". Which I
>> put into learning mode and played about surfing on the web for half an
>> hour, bookmarking things, using it as a file browser, all the common
>> stuff I do usually, and then put it into enforcing mode. But then
>> underneath the domain appeared "/usr/lib/chromium/chromium ( -> 266)".

I have set up policy for chromium in the past and it is a little harder than setting up for firefox.

Delete the entry you added to exception policy and try adding this instead:

initialize_domain /usr/bin/chromium from any

Add the "<kernel> /usr/bin/chromium" domain and set to learning mode. Once you run chromium, you will end up with a domain tree that looks something like this:

 1 * /usr/bin/chromium
 1   /usr/lib/chromium/chromium
 1     /bin/sh
 1       /bin/grep
 1       /bin/ps
 1       /usr/bin/xdg-settings
 1         /bin/grep
 1       /usr/bin/dbus-send
 1     /usr/lib/chromium/chromium-sandbox
 1       /usr/lib/chromium/chromium

What happens in your setup is that /usr/lib/chromium/chromium calls /usr/lib/chromium/chromium-sandbox, which then calls /usr/lib/chromium/chromium. This causes it to transit to itself since you added "initialize_domain /usr/lib/chromium/chromium from any" to exception policy. Chromium creates a new process for every tab, so too many domain transitions may cause TOMOYO policy to fail from lack of memory. The definition of the "transition_failed" directive can be found here:

http://tomoyo.sourceforge.jp/1.8/policy-specification/domain-policy-syntax.html.en#transition_failed

You will therefore probably want to keep permissions separate for the main /usr/lib/chromium/chromium domain and the sandboxed /usr/lib/chromium/chromium domain, like I have shown above. The majority of the permissions you will have to set will be in the main /usr/lib/chromium/chromium domain. From brief usage, it appears that the sandboxed /usr/lib/chromium/chromium domain does not need many permissions, as Google have limited the scope of what this sandboxed domain is able to perform.

I have not tested what domains are created when running flash player, but you will probably want to lock that down as much as possible. It will probably be created as a domain under the /usr/lib/chromium/chromium-sandbox domain.

Also, if you keep these domains separate then even if a process breaks out of Google's sandbox, TOMOYO will still be able to limit what it can do and prevent further damage.

>> Should I also include
>> some option or policy to allow me to visit websites and basically
>> anything I type in the address bar in the future - as I can't visit
>> every webpage I will ever visit (something like patterning?).

This chapter is particularly useful:

http://tomoyo.sourceforge.jp/1.8/chapter-6.html.en#6.4

And the policy specification is also useful to refer to:

http://tomoyo.sourceforge.jp/1.8/policy-specification/index.html.en

For example, you could put the following in exception policy:

address_group ANY_IPV4 0.0.0.0-255.255.255.255
number_group ANY_PORT 1-65535

And then put something like this in domain policy for /usr/lib/chromium/chromium (may be missing some network related permissions here):

network inet dgram send @ANY_IPV4 0
network inet stream connect @ANY_IPV4 @ANY_PORT

Of course, this is rather liberal, and you may want to cut down these permissions, for example to allow only specific ports.

Make sure to also deal with temporary files. The main /usr/lib/chromium/chromium domain deals with many temporary files, and it is important to patternize these files according to Chapter 6.

Kind regards,

Jamie

_______________________________________________
tomoyo-users-en mailing list
[email protected]
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en
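As an added illustration, not part of Jamie's reply or of the TOMOYO project's tools, the following Python script models the exec-time domain transition rule the reply relies on and walks the chromium exec chain described above under both exception-policy choices, showing why "initialize_domain /usr/lib/chromium/chromium from any" makes the real binary transit back into its own domain while resetting on the wrapper yields the tree shown in the reply. Only the default append rule and "initialize_domain PROGRAM from any" are modelled; the starting domain "<kernel> /bin/bash" and the helper names are assumptions.

```python
# Added example: a simplified model of TOMOYO exec-time domain transitions.
# Modelled rules only: the default (the executed program's path is appended to
# the current domain name) and "initialize_domain PROGRAM from any" (the domain
# resets to "<kernel> PROGRAM"). keep_domain and friends are not modelled.

# Exec chain described in the reply: the wrapper runs the real binary, which
# runs the sandbox helper, which runs the real binary again.
CHROMIUM_CHAIN = [
    "/usr/bin/chromium",
    "/usr/lib/chromium/chromium",
    "/usr/lib/chromium/chromium-sandbox",
    "/usr/lib/chromium/chromium",
]

# The two exception-policy fragments compared in the reply (constructed inputs).
RESET_ON_REAL_BINARY = "initialize_domain /usr/lib/chromium/chromium from any\n"
RESET_ON_WRAPPER = "initialize_domain /usr/bin/chromium from any\n"


def parse_exception_policy(text):
    """Collect the programs named by 'initialize_domain PROGRAM from any' lines."""
    reset = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "initialize_domain" and parts[2:] == ["from", "any"]:
            reset.add(parts[1])
    return reset


def next_domain(domain, program, reset):
    """Domain a process lands in after executing program from domain."""
    if program in reset:
        return "<kernel> " + program
    return domain + " " + program


def walk(start, chain, reset):
    """Return (domains visited in order, True if some domain was re-entered)."""
    domains = [start]
    for program in chain:
        domains.append(next_domain(domains[-1], program, reset))
    looped = len(set(domains)) != len(domains)
    return domains, looped


if __name__ == "__main__":
    for label, policy in (("reset on real binary", RESET_ON_REAL_BINARY),
                          ("reset on wrapper", RESET_ON_WRAPPER)):
        domains, looped = walk("<kernel> /bin/bash", CHROMIUM_CHAIN, parse_exception_policy(policy))
        print(label, "-> loop (domain re-entered)" if looped else "-> tree (distinct domains)")
        for d in domains:
            print("   ", d)
```

The looped case is the one where every sandboxed renderer lands back in the main chromium domain, so its permissions cannot be kept separate from the unsandboxed process.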
