Hi folks, I'm playing with tomoyo as a way to not whitelist but blacklist all syscalls from executing on a particular path (/mnt).

The idea is that I want to make sure certain users with root privilege will be forced to gain root via a separate shell script (which will allow me to create an explicit exception policy for that domain) and limit any syscalls being invoked to/from that path. Thankfully, since /mnt is a branch off of the root directory, it's reasonably easy to whitelist everything else, as most first-level paths from root have already been defined/enumerated. I managed to make this work and it's awesome!

That said, this can get a bit cumbersome in a use case where you need to blacklist multiple paths in multiple locations. I understand that tomoyo is a MAC, which by philosophy is designed to explicitly enumerate allowed executions, but it would be nice if we could create a layer of abstraction on the exception policy / profile where you can switch to a blacklisting or negative assertion, where everything is allowed except the ones listed. Yes, it can get really tricky, but seeing as the LSM has a pretty contained class of syscalls that we can manage, it seems doable. I wonder if anyone's thought about this or discussed this in the past?

Ryan
_______________________________________________
tomoyo-users-en mailing list
[email protected]
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en
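The following is an added illustration of the "blacklist by omission" approach described in the post, not Ryan's own policy. It assumes TOMOYO 2.x policy syntax, a hypothetical wrapper script /usr/local/bin/become-root.sh as the forced entry point to root, and that the `#` lines are annotations to be stripped before loading; policy for the other domains on the system is omitted.

```text
# /etc/tomoyo/exception_policy.conf
# Every execution of the wrapper starts a fresh domain with its own policy,
# whatever login/shell chain invoked it.
initialize_domain /usr/local/bin/become-root.sh from any
# Programs spawned by the wrapper (the root shell and its children) stay in
# that domain instead of transitioning to per-program domains.
keep_domain any from <kernel> /usr/local/bin/become-root.sh

# TOMOYO has no deny rule, so "blacklisting" /mnt means enumerating every
# other top-level tree that IS allowed. /mnt is deliberately absent.
# (\{\*\}/ matches any directory depth, \* matches one path component.)
path_group ALLOWED_TREES /bin/\{\*\}/\*
path_group ALLOWED_TREES /sbin/\{\*\}/\*
path_group ALLOWED_TREES /usr/\{\*\}/\*
path_group ALLOWED_TREES /lib/\{\*\}/\*
path_group ALLOWED_TREES /lib64/\{\*\}/\*
path_group ALLOWED_TREES /etc/\{\*\}/\*
path_group ALLOWED_TREES /var/\{\*\}/\*
path_group ALLOWED_TREES /tmp/\{\*\}/\*
path_group ALLOWED_TREES /dev/\{\*\}/\*
path_group ALLOWED_TREES /proc/\{\*\}/\*
path_group ALLOWED_TREES /home/\{\*\}/\*
path_group ALLOWED_TREES /root/\{\*\}/\*

# /etc/tomoyo/domain_policy.conf
<kernel> /usr/local/bin/become-root.sh
use_profile 3
file execute /bin/\*
file execute /usr/bin/\*
file read/write @ALLOWED_TREES
# Nothing above mentions /mnt, so under profile 3 any open/exec attempt there
# from this domain is rejected and shows up in the reject log.

# /etc/tomoyo/profile.conf
3-COMMENT=-----Enforcing: /mnt blocked by omission-----
3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }
```

The path_group is the part that grows with every extra "blacklisted" location, which is exactly the maintenance burden the post points at.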
