
File Info

Rev. 389
Size 37,861 bytes
Time 2024-03-18 20:09:57
Author kumaneko
Log Message

(empty log message)

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta http-equiv="content-style-type" content="text/css">
<link rel="stylesheet" href="media/caitsith.css" media="all" type="text/css">
<title>CaitSith Documentation</title>
</head>
<body>

<h1>CaitSith -- A simplified access restriction module for system protection.</h1>

<p>CaitSith is an access restriction module for Linux systems. It lets you restrict access at the kernel level, and it is designed for ease of use.</p>
<p>Note that this page describes the version which is <a href="https://lkml.kernel.org/r/1477054150-4772-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp">currently proposed for the mainline kernel</a>. If you want to use other versions, please check <a href="index.html">here</a>.</p>

<hr>
<h2><a name="index">Index</a></h2>

<p><a href="#how_to_install">1. How to install</a></p>

<ul>
<li><a href="#1.1">1.1. Install dependencies</a></li>
<li><a href="#1.2">1.2. Download and patch the kernel</a></li>
<li><a href="#1.3">1.3. Configure the kernel</a></li>
<li><a href="#1.4">1.4. Compile and install the kernel</a></li>
<li><a href="#1.5">1.5. Compile and install the userspace tools</a></li>
<li><a href="#1.6">1.6. Initializing configuration</a></li>
<li><a href="#1.7">1.7. Configuring your bootloader</a></li>
<li><a href="#1.8">1.8. Rebooting your system</a></li>
<li><a href="#1.9">1.9. How can I disable/uninstall CaitSith?</a></li>
</ul>

<p><a href="#how_to_develop_policy">2. How to develop policy</a></p>

<ul>
<li><a href="#2.1">2.1. Policy file structure</a></li>
<li><a href="#2.2">2.2. Understanding two viewpoints</a></li>
<li><a href="#2.3">2.3. Updating policy configuration</a></li>
</ul>

<p><a href="#condition_list">3. List of conditions</a></p>

<ul>
<li><a href="#3.1">3.1. Using string arguments in conditions</a></li>
</ul>

<p><a href="#syntax_list">4. List of syntaxes</a></p>

<ul>
<li><a href="#4.1">4.1. execute</a></li>
<li><a href="#4.2">4.2. modify_policy</a></li>
</ul>

<hr>
<h2><a name="how_to_install">1. How to install</a></h2>

<hr>
<h3><a name="1.1">1.1. Install dependencies</a></h3>

<p>These packages are required for compiling the kernel and the userspace tools:</p>

<ul>
<li><strong>wget</strong>: to download sources</li>
<li><strong>patch</strong>: to patch the kernel</li>
<li><strong>gcc</strong>: to build the kernel and the userspace tools</li>
<li><strong>make</strong>: to build the kernel and the userspace tools</li>
<li><strong>ncurses-devel</strong> or <strong>libncurses-dev</strong>: to configure the kernel and build the userspace tools</li>
</ul>

<p>These can be installed with the following commands:</p>

<p><strong>RedHat distributions</strong></p>
<pre class="command">
# yum -y install wget patch gcc make ncurses-devel
</pre>
<p><strong>Debian distributions</strong></p>
<pre class="command">
# apt-get -y install wget patch gcc make libncurses-dev
</pre>
<p><strong>SUSE distributions</strong></p>
<pre class="command">
# yast -i wget patch gcc make ncurses-devel
</pre>

<hr>
<h3><a name="1.2">1.2. Download and patch the kernel</a></h3>

<p>Download the kernel source from the linux-next.git tree.</p>

<p>The patches which are <a href="https://lkml.kernel.org/r/1477054150-4772-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp">currently proposed for the mainline kernel</a> are downloaded and applied by running the commands shown below from the kernel source directory:</p>

<pre class="command">
$ mkdir security/caitsith
$ for file in Kconfig Makefile caitsith.h gc.c load_policy.c lsm.c permission.c policy_io.c realpath.c security.diff
  do wget -O security/caitsith/$file 'https://osdn.net/projects/caitsith/scm/svn/blobs/head/branches/for-mainline/security/caitsith/'$file'?export=raw'; done
$ patch -p1 &lt; security/caitsith/security.diff
</pre>

<hr>
<h3><a name="1.3">1.3. Configure the kernel</a></h3>

<pre class="command">
$ make -s menuconfig
</pre>

<p>Choose the following options in "Security options" section:</p>

<ul>
<li>[*] Enable different security models</li>
<li>[*] CaitSith support</li>
<li>[ ] &nbsp;&nbsp;Activate without calling userspace policy loader.</li>
<li>(/sbin/caitsith-init) Location of userspace policy loader</li>
<li>(/sbin/init) Trigger for calling userspace policy loader</li>
<li>Default security module (CaitSith)  ---&gt;</li>
</ul>

<p>There are two kinds of CaitSith policy configuration. The former is embedded into the kernel; the latter is saved as files on the filesystem (e.g. in the /etc/caitsith/ directory). You will need to rebuild the kernel whenever you update the former, but it lets you load policy without using the userspace policy loader (e.g. /sbin/caitsith-init). The latter is loaded by executing the userspace policy loader when access control by CaitSith is about to be activated (e.g. when /sbin/init or /usr/lib/systemd/systemd starts). <em>"Activate without calling userspace policy loader."</em> activates access control by CaitSith as soon as the former is loaded. This option is useful when it is difficult to call the policy loader (e.g. on embedded systems).</p>

<p><em>"Location of userspace policy loader"</em> is available only when <em>"Activate without calling userspace policy loader."</em> is not selected. This option specifies the default pathname of the userspace policy loader. You can override this setting via the "CS_loader=" kernel boot option.</p>

<p><em>"Trigger for calling userspace policy loader"</em> is available only when <em>"Activate without calling userspace policy loader."</em> is not selected. This option specifies the default pathname of the activation trigger. You can override this setting via the "CS_trigger=" kernel boot option. For example, if you pass "init=/usr/lib/systemd/systemd" option, you may also want to pass "CS_trigger=/usr/lib/systemd/systemd" option.</p>

<hr>
<h3><a name="1.4">1.4. Compile and install the kernel</a></h3>

<p>The policy configuration which will be embedded into the kernel must exist as security/caitsith/policy/policy.conf. You can proceed without creating that file, because at this step you do not yet have a policy configuration to embed. (You may come back here after you have developed the policy configuration to embed.)</p>

<p>Once the kernel has been configured, compile and install the kernel with the following commands:</p>

<pre class="command">
$ make -s
$ su
# make -s modules_install install
</pre>

<p>Create initrd/initramfs if required.</p>

<hr>
<h3><a name="1.5">1.5. Compile and install the userspace tools</a></h3>

<p>Make sure the dependencies described above have been installed. Compile and install the tools with the following commands (use USRLIBDIR=/usr/lib or USRLIBDIR=/usr/lib32 if needed). Note that the signing key is fetched from the same site as the tarball, so before relying on the "Good signature" result, compare the imported key's fingerprint (shown by gpg --fingerprint) with a copy obtained through an independent channel:</p>

<pre class="command">
$ wget https://sourceforge.net/projects/tomoyo/files/caitsith-tools/0.2/caitsith-tools-0.2-20210910.tar.gz
$ wget https://sourceforge.net/projects/tomoyo/files/caitsith-tools/0.2/caitsith-tools-0.2-20210910.tar.gz.asc
$ wget https://tomoyo.sourceforge.net/kumaneko-key
$ gpg --import kumaneko-key
$ gpg --verify caitsith-tools-0.2-20210910.tar.gz.asc
$ tar -zxf caitsith-tools-0.2-20210910.tar.gz
$ cd caitsith-tools/
$ make -s USRLIBDIR=/usr/lib64
$ su
# make -s USRLIBDIR=/usr/lib64 install
</pre>

<p>The programs listed below are the main userspace tools used for administering CaitSith.</p>

<ul>
<li>/sbin/caitsith-init</li>
<li>/usr/sbin/caitsith-auditd</li>
<li>/usr/sbin/caitsith-loadpolicy</li>
<li>/usr/sbin/caitsith-notifyd</li>
<li>/usr/sbin/caitsith-pstree</li>
<li>/usr/sbin/caitsith-queryd</li>
<li>/usr/sbin/caitsith-savepolicy</li>
</ul>

<p>FYI: If your system has the rpm-build package installed, you can build a tools RPM package with the following command:</p>

<pre class="command">
$ rpmbuild -tb caitsith-tools-0.2-20210910.tar.gz
</pre>

<p>If your system has the alien package installed, you can convert the RPM package into a DEB package with the following command:</p>

<pre class="command">
$ alien -k --scripts caitsith-tools-0.2-*.rpm
</pre>

<hr>
<h3><a name="1.6">1.6. Initializing configuration</a></h3>

<p>Before you can make use of CaitSith, an initialization procedure must take place. This prepares the files in which policy information will be stored. All policy files are stored in the /etc/caitsith/ directory.</p>

<p>Run the following command as the root user to initialize (use /usr/lib/caitsith/init_policy or /usr/lib32/caitsith/init_policy if needed):</p>

<pre class="command">
# /usr/lib64/caitsith/init_policy
</pre>
<pre class="output">
Creating policy directory... OK
Creating configuration directory... OK
Creating default policy... OK.
Creating module loader... OK.
Creating configuration file for caitsith-auditd ... OK.
Creating configuration file for caitsith-notifyd ... OK.
</pre>

<p>Then manually overwrite the content of /etc/caitsith/policy/current as shown below. The content of this file will be updated as you develop policy.</p>

<pre>
POLICY_VERSION=20120401

0 acl modify_policy
    100 allow task.exe="/usr/sbin/caitsith-loadpolicy"
    10000 deny
</pre>

<hr>
<h3><a name="1.7">1.7. Configuring your bootloader</a></h3>

<p>Edit your bootloader (e.g. GRUB) to include the kernel you have just compiled. If the <em>"Default security module (CaitSith)"</em> option was not selected during kernel configuration, remember to include "security=caitsith" in the kernel boot options. Consult the documentation for your distribution and bootloader to find out how to include your CaitSith kernel.</p>

<hr>
<h3><a name="1.8">1.8. Rebooting your system</a></h3>

<p>Now you have finished all preparation. Reboot your system.</p>

<p>If everything was installed properly and the bootloader was correctly configured, the kernel should boot as normal and CaitSith should be activated:</p>

<pre class="command">
$ dmesg | grep -i caitsith
</pre>
<pre class="output">
[    0.003086] CaitSith initialized
[    1.688724] Calling /sbin/caitsith-init to load policy. Please wait.
[    1.740418] CaitSith 2016/09/25
[    1.740421] CaitSith module activated.
</pre>

<hr>
<h3><a name="1.9">1.9. How can I disable/uninstall CaitSith?</a></h3>

<p>If your system becomes unable to boot during the course of this guide or at any time in the future, it may be due to the policy configuration or something else related to CaitSith. If this is the case, it is possible that the kernel can still be booted by disabling CaitSith: append "security=none" to the kernel boot options.</p>

<p>CaitSith does not require modification of any existing Linux binaries, libraries or applications, so uninstalling it is easy: uninstall the kernel and the userspace tools you installed above, reboot with the kernel provided by your distribution, and then remove the entry from your bootloader.</p>

<hr>
<h2><a name="how_to_develop_policy">2. How to develop policy</a></h2>

<hr>
<h3><a name="2.1">2.1. Policy file structure</a></h3>

<p>CaitSith's policy file consists of a "Header part" and an "ACL part".</p>

<h4><a name="2.1.1">2.1.1. Header part of policy file</a></h4>

<p>The header part consists of the lines below.</p>

<pre>
POLICY_VERSION=20120401
stat $stat_name $stat_value
</pre>

<ul>
<li>The POLICY_VERSION line defines the policy version.</li>
<li>stat lines show statistics such as memory usage. $stat_name and $stat_value are ignored when the policy is loaded.</li>
</ul>

<h4><a name="2.1.2">2.1.2. ACL part of policy file</a></h4>

<p>The ACL part consists of zero or more repetitions of the block below.</p>

<pre>
$acl_priority acl $operation $conditions_to_filter
    $cond_priority $decision $conditions_to_allow_or_deny
</pre>

<ul>
<li>A block which starts with $acl_priority determines whether the rules in this block are evaluated or not.</li>
<li>You can define as many blocks starting with $acl_priority as you need.</li>
<li>$acl_priority is a priority (an integer between 0 and 65535) which controls which block is evaluated first (among all blocks defined in the policy).</li>
<li>Blocks are evaluated from smaller $acl_priority values to larger $acl_priority values.</li>
<li>If two blocks have the same $acl_priority value, the block which is defined first is evaluated first.</li>
<li>$operation is the operation the block applies to (e.g. execute or modify_policy; see <a href="#syntax_list">4. List of syntaxes</a>).</li>
<li>$conditions_to_filter is a list of conditional expressions applicable to $operation. Omit $conditions_to_filter to evaluate this block unconditionally.</li>
<li>An access request is denied if any deny line (among all blocks defined in the policy) matches it.</li>
</ul>

<p>The $decision lines in a block are evaluated only when the block's $acl_priority line matched.</p>

<ul>
<li>A line which starts with $cond_priority determines whether the access request is allowed or not.</li>
<li>You can define as many lines starting with $cond_priority as you need.</li>
<li>$cond_priority is a priority (an integer between 0 and 65535) which controls which line is checked first (among all lines defined in the block).</li>
<li>Lines are checked from smaller $cond_priority values to larger $cond_priority values.</li>
<li>If two lines have the same $cond_priority value, the line which is defined first is checked first.</li>
<li>$decision is either allow or deny.</li>
<li>$conditions_to_allow_or_deny is a list of conditional expressions applicable to $operation. Omit $conditions_to_allow_or_deny to match this line unconditionally.</li>
</ul>

<p>Checking of the $decision lines in a block continues until a $decision line matches or the end of the block is reached.</p>

<ul>
<li>If the $conditions_to_allow_or_deny of a deny line matches, the access request is denied.</li>
<li>If the $conditions_to_allow_or_deny of an allow line matches, evaluation of this block ends and proceeds to the next block.</li>
<li>If no $conditions_to_allow_or_deny matches, evaluation of this block ends and proceeds to the next block.</li>
</ul>

<p>An access request is denied only when a "deny" line of an "acl" block matched, or when the request could not be evaluated because of a memory allocation failure (e.g. the pathname was too long). In other words, the default is to allow: an allow line grants nothing by itself, it only prevents the deny lines below it in the same block from being reached, and a request that no block denies is allowed.</p>

<p>Rules with the same priority, the same operation and the same condition are automatically merged. Therefore, for example</p>

<pre>
100 acl execute path="/bin/true"
    100 allow task.exe="/usr/sbin/httpd"

100 acl execute path="/bin/true"
    1000 deny
</pre>

<p>will be interpreted as shown below.</p>

<pre>
100 acl execute path="/bin/true"
    100 allow task.exe="/usr/sbin/httpd"
    1000 deny
</pre>

<p>An acl line (a line containing the "acl " keyword) selects an existing acl block (or creates the acl block if it does not exist).<br>
A decision line (a line containing the "allow " or "deny " keyword) inserts that line into the currently selected or created acl block.<br>
This interpretation allows you to load only delta rules when you modify the on-memory policy configuration via the /sys/kernel/security/caitsith/policy interface.</p>

<hr>
<h3><a name="2.2">2.2. Understanding two viewpoints</a></h3>

<p>CaitSith supports writing access restriction rules from two viewpoints. One is the point of view of the "subject" (the resource which requests access to an object). The other is the point of view of the "object" (the resource to which a subject requests access).</p>

<p>The advantage of the former approach is that the rules clearly explain and restrict which objects each subject is allowed to access.
This approach is powerful when you can afford to identify all possible subjects and define rules for each subject.
Its disadvantage is that identifying all possible subjects and defining rules for each subject is difficult.
Therefore, in reality, this approach tends to restrict only specific subjects.
If a subject which is not restricted by this approach is compromised or misbehaves, nothing protects the objects you want to protect.</p>

<p>The advantage of the latter approach is that the rules clearly explain and restrict which subjects may access each object.
This approach is powerful when you can afford to identify the objects you want to protect and define rules for each object.
It compensates for the disadvantage of the former approach, because it can restrict access even when it is difficult to
identify all possible subjects and define rules for each possible subject.</p>

<h4><a name="2.2.1">2.2.1. Writing access restriction rules from the point of view of "subject".</a></h4>

<p>The entry below is an example of restricting which programs can be executed by the /usr/sbin/httpd program.</p>

<pre>
0 acl execute task.exe="/usr/sbin/httpd"
    1 allow path="/var/www/cgi-bin/counter.cgi"
    100 deny
</pre>

<p>The <strong>0 acl execute task.exe="/usr/sbin/httpd"</strong> line means: check the rules for executing programs from the /usr/sbin/httpd program. Since <strong>task.exe="/usr/sbin/httpd"</strong> is specified in this line, it tells CaitSith to <strong>check the rules for executing programs only if the current thread's program name is /usr/sbin/httpd</strong>.</p>

<p>The line <strong>1 allow path="/var/www/cgi-bin/counter.cgi"</strong> means: allow if the pathname of the program to execute is /var/www/cgi-bin/counter.cgi. This line tells CaitSith "allow execution of /var/www/cgi-bin/counter.cgi".</p>

<p>The line <strong>100 deny</strong> means: deny unconditionally. This tells CaitSith "unconditionally deny execution of programs".</p>

<p>Since the line starting with <strong>1 allow</strong> has a higher priority (a smaller number) than the line starting with <strong>100 deny</strong>, CaitSith allows execution of /var/www/cgi-bin/counter.cgi.</p>

<p>To summarize this rule: /usr/sbin/httpd can execute <strong>only</strong> /var/www/cgi-bin/counter.cgi.</p>

<h4><a name="2.2.2">2.2.2. Writing access restriction rules from the point of view of "object".</a></h4>

<p>The entry below is an example of restricting which programs can execute the /var/www/cgi-bin/counter.cgi program.</p>

<pre>
0 acl execute path="/var/www/cgi-bin/counter.cgi"
    1 allow task.exe="/usr/sbin/httpd"
    100 deny
</pre>

<p>The <strong>0 acl execute path="/var/www/cgi-bin/counter.cgi"</strong> line means: check the rules for executing the /var/www/cgi-bin/counter.cgi program. Since <strong>path="/var/www/cgi-bin/counter.cgi"</strong> is specified in this line, it tells CaitSith to <strong>check the rules for executing programs only if the pathname of the program to execute is /var/www/cgi-bin/counter.cgi</strong>.</p>

<p>The line <strong>1 allow task.exe="/usr/sbin/httpd"</strong> means: allow if the current thread's program name is /usr/sbin/httpd. This line tells CaitSith "allow execution by /usr/sbin/httpd".</p>

<p>The line <strong>100 deny</strong> means: deny unconditionally. This tells CaitSith "unconditionally deny execution of programs".</p>

<p>Since the line starting with <strong>1 allow</strong> has a higher priority (a smaller number) than the line starting with <strong>100 deny</strong>, CaitSith allows execution by /usr/sbin/httpd.</p>

<h4><a name="2.2.3">2.2.3. Precautions when writing access restriction rules.</a></h4>

<p>Note the difference between</p>

<pre>
0 acl execute task.exe="/usr/sbin/httpd"
    1 allow path="/var/www/cgi-bin/counter.cgi"
    100 deny
</pre>

<p>and</p>

<pre>
0 acl execute path="/var/www/cgi-bin/counter.cgi"
    1 allow task.exe="/usr/sbin/httpd"
    100 deny
</pre>

<p>. The former means "/usr/sbin/httpd can execute <strong>only</strong> /var/www/cgi-bin/counter.cgi", while the latter means "<strong>only</strong> /usr/sbin/httpd can execute /var/www/cgi-bin/counter.cgi".</p>

<p>It is possible to write access restriction rules like</p>

<pre>
0 acl execute task.exe="/usr/sbin/httpd" path="/var/www/cgi-bin/counter.cgi"
    100 deny
</pre>

<p>which means that "/usr/sbin/httpd is not allowed to execute /var/www/cgi-bin/counter.cgi".</p>

<p>It is possible to write access restriction rules like</p>

<pre>
0 acl execute
    1 allow task.exe="/usr/sbin/httpd" path="/var/www/cgi-bin/counter.cgi"
    100 deny
</pre>

<p>which means "<strong>only</strong> execution of /var/www/cgi-bin/counter.cgi by /usr/sbin/httpd is allowed". In other words, your system will lock up, because every execution request other than /usr/sbin/httpd executing /var/www/cgi-bin/counter.cgi is denied.</p>
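<p>The evaluation order of section 2.1.2 and the difference between the subject-view, object-view and lock-up policies above can be checked with the simulator below. It is an added example written for this page, not CaitSith code: conditions are compared as exact strings (the wildcards of section 3.1.2 are not modelled), only the execute and modify_policy operations with task.exe and path conditions are exercised, and the four requests are constructed. Block and line priorities, the allow/deny semantics, the default-allow result and the merging of identical acl lines follow the description in 2.1.2.</p>

```python
# Added example, not CaitSith code: a simulator for the evaluation model of
# section 2.1.2, run over the subject-view, object-view and lock-up policies of
# section 2.2. Conditions are compared as exact strings (no wildcards).
import re
from dataclasses import dataclass, field

COND_RE = re.compile(r'([A-Za-z_.]+)="([^"]*)"')

def parse_conditions(text):
    """'task.exe="/a" path="/b"' -> {"task.exe": "/a", "path": "/b"}."""
    return dict(COND_RE.findall(text))

def matches(cond, request):
    # Every name="value" of the condition must equal the request's value.
    return all(request.get(name) == value for name, value in cond.items())

@dataclass
class Block:
    priority: int   # $acl_priority
    operation: str  # $operation, e.g. "execute"
    cond: dict      # $conditions_to_filter ({} = unconditional)
    lines: list = field(default_factory=list)  # (cond_priority, order, decision, cond)

class Policy:
    def __init__(self, text=""):
        self.blocks = []   # kept in definition order
        self._index = {}   # (priority, operation, conditions) -> Block, for merging
        self._order = 0    # tie-breaker among equal priorities: earlier line wins
        self.load(text)

    def load(self, text):
        """An acl line selects (or creates) a block; allow/deny lines are appended
        to the selected block. POLICY_VERSION and stat lines are ignored."""
        current = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith(("POLICY_VERSION", "stat ")):
                continue
            parts = line.split(None, 2)
            priority, kind = int(parts[0]), parts[1]
            rest = parts[2] if len(parts) > 2 else ""
            if kind == "acl":
                operation, _, cond_text = rest.partition(" ")
                cond = parse_conditions(cond_text)
                key = (priority, operation, tuple(sorted(cond.items())))
                current = self._index.get(key)
                if current is None:   # identical acl lines are merged into one block
                    current = self._index[key] = Block(priority, operation, cond)
                    self.blocks.append(current)
            elif kind in ("allow", "deny"):
                if current is None:
                    raise ValueError("decision line before any acl line: " + line)
                self._order += 1
                current.lines.append((priority, self._order, kind, parse_conditions(rest)))
            else:
                raise ValueError("unrecognised policy line: " + line)

    def evaluate(self, operation, request):
        """Return "allow" or "deny" for one request (a dict of condition values)."""
        # sorted() is stable, so equal priorities keep definition order.
        for block in sorted(self.blocks, key=lambda b: b.priority):
            if block.operation != operation or not matches(block.cond, request):
                continue
            for _, _, decision, cond in sorted(block.lines, key=lambda l: l[:2]):
                if matches(cond, request):
                    if decision == "deny":
                        return "deny"  # a matching deny line is final
                    break              # a matching allow line only ends this block
        return "allow"                 # nothing denied the request

# The three policies of section 2.2.3 and four constructed execute requests.
SUBJECT_VIEW = '''
0 acl execute task.exe="/usr/sbin/httpd"
    1 allow path="/var/www/cgi-bin/counter.cgi"
    100 deny
'''
OBJECT_VIEW = '''
0 acl execute path="/var/www/cgi-bin/counter.cgi"
    1 allow task.exe="/usr/sbin/httpd"
    100 deny
'''
LOCK_UP = '''
0 acl execute
    1 allow task.exe="/usr/sbin/httpd" path="/var/www/cgi-bin/counter.cgi"
    100 deny
'''
REQUESTS = {
    "httpd->counter.cgi": {"task.exe": "/usr/sbin/httpd", "path": "/var/www/cgi-bin/counter.cgi"},
    "httpd->/bin/sh": {"task.exe": "/usr/sbin/httpd", "path": "/bin/sh"},
    "sshd->counter.cgi": {"task.exe": "/usr/sbin/sshd", "path": "/var/www/cgi-bin/counter.cgi"},
    "sshd->/bin/sh": {"task.exe": "/usr/sbin/sshd", "path": "/bin/sh"},
}

def decisions(policy_text):
    """Decision for each constructed request under the given policy text."""
    policy = Policy(policy_text)
    return {name: policy.evaluate("execute", req) for name, req in REQUESTS.items()}
```

<p>Running decisions() over the three texts shows the point of 2.2.3 directly: the subject-view policy denies httpd running /bin/sh but says nothing about sshd, the object-view policy denies sshd running counter.cgi but lets httpd run /bin/sh, and the lock-up policy denies every request except the single httpd/counter.cgi pair. Feeding the two-write example of 2.1.2 to Policy() yields one block with two lines, which is the merge behaviour that delta loading relies on.</p>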

<hr>
<h3><a name="2.3">2.3. Updating policy configuration</a></h3>

<p>There are two ways to update policy configuration.</p>


<h4><a name="2.3.1">2.3.1. Using reboot operation.</a></h4>

<p>You configured the kernel to call /sbin/caitsith-init (the "Location of userspace policy loader" kernel config option or the CS_loader= kernel boot option) automatically when /sbin/init (the "Trigger for calling userspace policy loader" kernel config option or the CS_trigger= kernel boot option) starts. /sbin/caitsith-init reads the policy from /etc/caitsith/policy/current and appends it to the /sys/kernel/security/caitsith/policy interface. Therefore, you can update the policy configuration by updating /etc/caitsith/policy/current and rebooting your system.</p>

<h4><a name="2.3.2">2.3.2. Using /sys/kernel/security/caitsith/policy interface.</a></h4>

<p>You manually overwrote /etc/caitsith/policy/current as shown below after executing the /usr/lib64/caitsith/init_policy command.</p>

<pre>
0 acl modify_policy
    100 allow task.exe="/usr/sbin/caitsith-loadpolicy"
    10000 deny
</pre>

<p>The <strong>0 acl modify_policy</strong> line means: check the rules for modifying the policy configuration via the /sys/kernel/security/caitsith/policy interface. Since no additional conditions are specified in this line, it tells CaitSith to <strong>unconditionally check</strong> the rules for modifying the policy configuration via the /sys/kernel/security/caitsith/policy interface.</p>

<p>The line <strong>100 allow task.exe="/usr/sbin/caitsith-loadpolicy"</strong> means: allow if the current thread's program name is /usr/sbin/caitsith-loadpolicy. This tells CaitSith to finish evaluation of the block starting with the <strong>0 acl modify_policy</strong> line if the current thread's program name is /usr/sbin/caitsith-loadpolicy. If there are more blocks, CaitSith evaluates them. If there are no more blocks, CaitSith allows modifying the policy configuration via the /sys/kernel/security/caitsith/policy interface.</p>

<p>The line <strong>10000 deny</strong> means: deny unconditionally. This tells CaitSith "unconditionally deny modification of the policy configuration via the /sys/kernel/security/caitsith/policy interface".</p>

<p>Since a line starting with <strong>100 allow</strong> has a higher priority than a line starting with <strong>10000 deny</strong>, CaitSith allows modifying the policy configuration via the /sys/kernel/security/caitsith/policy interface if the current thread's program name is /usr/sbin/caitsith-loadpolicy. In other words, other programs such as /bin/sh, /bin/echo and /bin/cat are not allowed to modify the policy configuration via the /sys/kernel/security/caitsith/policy interface.</p>

<p>To summarize this rule: only the /usr/sbin/caitsith-loadpolicy command can modify the policy configuration via the /sys/kernel/security/caitsith/policy interface. Note that this block restricts which program writes to the interface, not who may run that program; if you also want to restrict which programs can execute /usr/sbin/caitsith-loadpolicy, add an execute block with path="/usr/sbin/caitsith-loadpolicy" as shown in <a href="#2.2.2">2.2.2</a>.</p>

<p>/usr/sbin/caitsith-loadpolicy reads policy from standard input and appends it to the /sys/kernel/security/caitsith/policy interface. Therefore, if you run /usr/sbin/caitsith-loadpolicy from a terminal, use ^D (Ctrl-D) to indicate the end of input.</p>

<pre class="command">
# /usr/sbin/caitsith-loadpolicy
</pre>
<pre>
(Lines you want to add come here.)
^D
</pre>

<p>To delete an acl block, write the acl line prefixed with the keyword "delete ". For example,</p>

<pre>
100 acl execute path="/bin/true"
    100 allow task.exe="/usr/sbin/httpd"
    1000 deny
</pre>

<p>will be deleted by writing as shown below.</p>

<pre class="command">
# /usr/sbin/caitsith-loadpolicy
</pre>
<pre>
delete 100 acl execute path="/bin/true"
^D
</pre>

<p>To delete a decision line of an acl block, write the decision line prefixed with the keyword "delete " after selecting the acl block. For example,</p>

<pre>
100 acl execute path="/bin/true"
    100 allow task.exe="/usr/sbin/httpd"
    1000 deny
</pre>

<p>will be modified to</p>

<pre>
100 acl execute path="/bin/true"
    100 allow task.exe="/usr/sbin/httpd"
</pre>

<p>by writing as shown below.</p>

<pre class="command">
# /usr/sbin/caitsith-loadpolicy
</pre>
<pre>
100 acl execute path="/bin/true"
    delete 1000 deny
^D
</pre>

<p>You may use a temporary file if you are worried about typos.</p>

<pre class="command">
# cat &gt; ~/policy.tmp
</pre>
<pre>
(Changes you want to make come here.)
^D
</pre>
<pre class="command">
# /usr/sbin/caitsith-loadpolicy &lt; ~/policy.tmp
# rm ~/policy.tmp
</pre>

<p>You can update the policy configuration without updating /etc/caitsith/policy/current and rebooting your system. But note that the contents of /sys/kernel/security/caitsith/policy are lost when your system shuts down or reboots. To save /sys/kernel/security/caitsith/policy as /etc/caitsith/policy/current, run the command below:</p>

<pre class="command">
# /usr/sbin/caitsith-savepolicy
</pre>

<p>If you want to browse the current /sys/kernel/security/caitsith/policy without saving it as /etc/caitsith/policy/current, run the command below:</p>

<pre class="command">
# /usr/sbin/caitsith-savepolicy -
</pre>

<h4><a name="2.3.3">2.3.3. Sealing off ability to modify on-memory policy configuration.</a></h4>

<p>If you want to seal off the ability to modify the on-memory policy configuration until your system shuts down or reboots, write as shown below.</p>

<pre class="command">
# /usr/sbin/caitsith-loadpolicy
</pre>
<pre>
delete 0 acl modify_policy

0 acl modify_policy
    0 deny
^D
</pre>

<p>If you want to seal off the ability to modify the on-memory policy configuration until your kernel is replaced, follow the steps below.</p>

<ol>
<li>Select "Activate without calling userspace policy loader." at <a href="#1.3">Configure the kernel</a>.</li>
<li>Copy the policy configuration to embed into the kernel (/etc/caitsith/policy/current or /sys/kernel/security/caitsith/policy) to security/caitsith/policy/policy.conf.</li>
<li>Remove all stat lines from security/caitsith/policy/policy.conf if any.
<pre>
stat Policy updated: 4 (Last: 2016/11/23 05:28:30)
stat Requests denied: 0
stat Memory used by policy: 352
</pre></li>
<li>Remove all acl modify_policy blocks from security/caitsith/policy/policy.conf if any.
<pre>
0 acl modify_policy
    100 allow task.exe="/usr/sbin/caitsith-loadpolicy"
    10000 deny
</pre></li>
<li>Append an acl modify_policy block shown below to security/caitsith/policy/policy.conf .
<pre>
0 acl modify_policy
    0 deny
</pre></li>
<li>Recompile the kernel as explained at <a href="#1.4">Compile and install the kernel</a>.</li>
</ol>

<hr>
<h2><a name="condition_list">3. List of conditions</a></h2>

<hr>
<h3><a name="3.1">3.1. Using string arguments in conditions</a></h3>

<p>Arguments such as file pathnames are handled as string arguments.</p>

<h4><a name="3.1.1">3.1.1. About string argument representation rule</a></h4>

<p>All printable ASCII characters other than the \ character (i.e. byte values 33 to 91 and 93 to 126) are represented as is.</p>

<p>All other byte values (i.e. 0 to 32, 92 and 127 to 255) are represented in \ooo octal form.</p>

<table border="1">
<tr>
<td>
<table><tr><td></td><td>Lower 4 bits</td></tr><tr><td>Upper 4 bits</td><td></td></tr></table>
</td>
<th><p>0x0</p></th>
<th><p>0x1</p></th>
<th><p>0x2</p></th>
<th><p>0x3</p></th>
<th><p>0x4</p></th>
<th><p>0x5</p></th>
<th><p>0x6</p></th>
<th><p>0x7</p></th>
<th><p>0x8</p></th>
<th><p>0x9</p></th>
<th><p>0xA</p></th>
<th><p>0xB</p></th>
<th><p>0xC</p></th>
<th><p>0xD</p></th>
<th><p>0xE</p></th>
<th><p>0xF</p></th>
</tr>
<tr>
<th><p>0x0</p></th>
<td><p>\000</p></td>
<td><p>\001</p></td>
<td><p>\002</p></td>
<td><p>\003</p></td>
<td><p>\004</p></td>
<td><p>\005</p></td>
<td><p>\006</p></td>
<td><p>\007</p></td>
<td><p>\010</p></td>
<td><p>\011</p></td>
<td><p>\012</p></td>
<td><p>\013</p></td>
<td><p>\014</p></td>
<td><p>\015</p></td>
<td><p>\016</p></td>
<td><p>\017</p></td>
</tr>
<tr>
<th><p>0x1</p></th>
<td><p>\020</p></td>
<td><p>\021</p></td>
<td><p>\022</p></td>
<td><p>\023</p></td>
<td><p>\024</p></td>
<td><p>\025</p></td>
<td><p>\026</p></td>
<td><p>\027</p></td>
<td><p>\030</p></td>
<td><p>\031</p></td>
<td><p>\032</p></td>
<td><p>\033</p></td>
<td><p>\034</p></td>
<td><p>\035</p></td>
<td><p>\036</p></td>
<td><p>\037</p></td>
</tr>
<tr>
<th><p>0x2</p></th>
<td><p>\040</p></td>
<td><p>!</p></td>
<td><p>"</p></td>
<td><p>#</p></td>
<td><p>$</p></td>
<td><p>%</p></td>
<td><p>&amp;</p></td>
<td><p>'</p></td>
<td><p>(</p></td>
<td><p>)</p></td>
<td><p>*</p></td>
<td><p>+</p></td>
<td><p>,</p></td>
<td><p>-</p></td>
<td><p>.</p></td>
<td><p>/</p></td>
</tr>
<tr>
<th><p>0x3</p></th>
<td><p>0</p></td>
<td><p>1</p></td>
<td><p>2</p></td>
<td><p>3</p></td>
<td><p>4</p></td>
<td><p>5</p></td>
<td><p>6</p></td>
<td><p>7</p></td>
<td><p>8</p></td>
<td><p>9</p></td>
<td><p>:</p></td>
<td><p>;</p></td>
<td><p>&lt;</p></td>
<td><p>=</p></td>
<td><p>&gt;</p></td>
<td><p>?</p></td>
</tr>
<tr>
<th><p>0x4</p></th>
<td><p>@</p></td>
<td><p>A</p></td>
<td><p>B</p></td>
<td><p>C</p></td>
<td><p>D</p></td>
<td><p>E</p></td>
<td><p>F</p></td>
<td><p>G</p></td>
<td><p>H</p></td>
<td><p>I</p></td>
<td><p>J</p></td>
<td><p>K</p></td>
<td><p>L</p></td>
<td><p>M</p></td>
<td><p>N</p></td>
<td><p>O</p></td>
</tr>
<tr>
<th><p>0x5</p></th>
<td><p>P</p></td>
<td><p>Q</p></td>
<td><p>R</p></td>
<td><p>S</p></td>
<td><p>T</p></td>
<td><p>U</p></td>
<td><p>V</p></td>
<td><p>W</p></td>
<td><p>X</p></td>
<td><p>Y</p></td>
<td><p>Z</p></td>
<td><p>[</p></td>
<td><p>\134</p></td>
<td><p>]</p></td>
<td><p>^</p></td>
<td><p>_</p></td>
</tr>
<tr>
<th><p>0x6</p></th>
<td><p>`</p></td>
<td><p>a</p></td>
<td><p>b</p></td>
<td><p>c</p></td>
<td><p>d</p></td>
<td><p>e</p></td>
<td><p>f</p></td>
<td><p>g</p></td>
<td><p>h</p></td>
<td><p>i</p></td>
<td><p>j</p></td>
<td><p>k</p></td>
<td><p>l</p></td>
<td><p>m</p></td>
<td><p>n</p></td>
<td><p>o</p></td>
</tr>
<tr>
<th><p>0x7</p></th>
<td><p>p</p></td>
<td><p>q</p></td>
<td><p>r</p></td>
<td><p>s</p></td>
<td><p>t</p></td>
<td><p>u</p></td>
<td><p>v</p></td>
<td><p>w</p></td>
<td><p>x</p></td>
<td><p>y</p></td>
<td><p>z</p></td>
<td><p>{</p></td>
<td><p>|</p></td>
<td><p>}</p></td>
<td><p>~</p></td>
<td><p>\177</p></td>
</tr>
<tr>
<th><p>0x8</p></th>
<td><p>\200</p></td>
<td><p>\201</p></td>
<td><p>\202</p></td>
<td><p>\203</p></td>
<td><p>\204</p></td>
<td><p>\205</p></td>
<td><p>\206</p></td>
<td><p>\207</p></td>
<td><p>\210</p></td>
<td><p>\211</p></td>
<td><p>\212</p></td>
<td><p>\213</p></td>
<td><p>\214</p></td>
<td><p>\215</p></td>
<td><p>\216</p></td>
<td><p>\217</p></td>
</tr>
<tr>
<th><p>0x9</p></th>
<td><p>\220</p></td>
<td><p>\221</p></td>
<td><p>\222</p></td>
<td><p>\223</p></td>
<td><p>\224</p></td>
<td><p>\225</p></td>
<td><p>\226</p></td>
<td><p>\227</p></td>
<td><p>\230</p></td>
<td><p>\231</p></td>
<td><p>\232</p></td>
<td><p>\233</p></td>
<td><p>\234</p></td>
<td><p>\235</p></td>
<td><p>\236</p></td>
<td><p>\237</p></td>
</tr>
<tr>
<th><p>0xA</p></th>
<td><p>\240</p></td>
<td><p>\241</p></td>
<td><p>\242</p></td>
<td><p>\243</p></td>
<td><p>\244</p></td>
<td><p>\245</p></td>
<td><p>\246</p></td>
<td><p>\247</p></td>
<td><p>\250</p></td>
<td><p>\251</p></td>
<td><p>\252</p></td>
<td><p>\253</p></td>
<td><p>\254</p></td>
<td><p>\255</p></td>
<td><p>\256</p></td>
<td><p>\257</p></td>
</tr>
<tr>
<th><p>0xB</p></th>
<td><p>\260</p></td>
<td><p>\261</p></td>
<td><p>\262</p></td>
<td><p>\263</p></td>
<td><p>\264</p></td>
<td><p>\265</p></td>
<td><p>\266</p></td>
<td><p>\267</p></td>
<td><p>\270</p></td>
<td><p>\271</p></td>
<td><p>\272</p></td>
<td><p>\273</p></td>
<td><p>\274</p></td>
<td><p>\275</p></td>
<td><p>\276</p></td>
<td><p>\277</p></td>
</tr>
<tr>
<th><p>0xC</p></th>
<td><p>\300</p></td>
<td><p>\301</p></td>
<td><p>\302</p></td>
<td><p>\303</p></td>
<td><p>\304</p></td>
<td><p>\305</p></td>
<td><p>\306</p></td>
<td><p>\307</p></td>
<td><p>\310</p></td>
<td><p>\311</p></td>
<td><p>\312</p></td>
<td><p>\313</p></td>
<td><p>\314</p></td>
<td><p>\315</p></td>
<td><p>\316</p></td>
<td><p>\317</p></td>
</tr>
<tr>
<th><p>0xD</p></th>
<td><p>\320</p></td>
<td><p>\321</p></td>
<td><p>\322</p></td>
<td><p>\323</p></td>
<td><p>\324</p></td>
<td><p>\325</p></td>
<td><p>\326</p></td>
<td><p>\327</p></td>
<td><p>\330</p></td>
<td><p>\331</p></td>
<td><p>\332</p></td>
<td><p>\333</p></td>
<td><p>\334</p></td>
<td><p>\335</p></td>
<td><p>\336</p></td>
<td><p>\337</p></td>
</tr>
<tr>
<th><p>0xE</p></th>
<td><p>\340</p></td>
<td><p>\341</p></td>
<td><p>\342</p></td>
<td><p>\343</p></td>
<td><p>\344</p></td>
<td><p>\345</p></td>
<td><p>\346</p></td>
<td><p>\347</p></td>
<td><p>\350</p></td>
<td><p>\351</p></td>
<td><p>\352</p></td>
<td><p>\353</p></td>
<td><p>\354</p></td>
<td><p>\355</p></td>
<td><p>\356</p></td>
<td><p>\357</p></td>
</tr>
<tr>
<th><p>0xF</p></th>
<td><p>\360</p></td>
<td><p>\361</p></td>
<td><p>\362</p></td>
<td><p>\363</p></td>
<td><p>\364</p></td>
<td><p>\365</p></td>
<td><p>\366</p></td>
<td><p>\367</p></td>
<td><p>\370</p></td>
<td><p>\371</p></td>
<td><p>\372</p></td>
<td><p>\373</p></td>
<td><p>\374</p></td>
<td><p>\375</p></td>
<td><p>\376</p></td>
<td><p>\377</p></td>
</tr>
</table>

<p>Some examples are shown below.</p>

<pre>
/bin/sh
/home/demo/Documents\040and\040Settings
</pre>

<h4><a name="3.1.2">3.1.2. Grouping string arguments using wildcard expressions.</a></h4>

<p>The wildcards listed below can be used to match string patterns.</p>

<table border="1">
<tr>
<th><p>Wildcard</p></th>
<th><p>Pattern match</p></th>
<th><p>Examples</p></th>
</tr>
<tr>
<td><p>\*</p></td>
<td><p>0 or more repetitions of characters other than "/"</p></td>
<td><p>/var/log/samba/\*</p></td>
</tr>
<tr>
<td><p>\@</p></td>
<td><p>0 or more repetitions of characters other than "/" or "."</p></td>
<td><p>/var/www/html/\@.html</p></td>
</tr>
<tr>
<td><p>\?</p></td>
<td><p>1 single-byte character other than "/"</p></td>
<td><p>/tmp/mail.\?\?\?\?\?\?</p></td>
</tr>
<tr>
<td><p>\$</p></td>
<td><p>1 or more repetitions of decimal digits</p></td>
<td><p>/proc/\$/cmdline</p></td>
</tr>
<tr>
<td><p>\+</p></td>
<td><p>1 decimal digit</p></td>
<td><p>/var/tmp/my_work.\+</p></td>
</tr>
<tr>
<td><p>\X</p></td>
<td><p>1 or more repetitions of hexadecimal digits</p></td>
<td><p>/var/tmp/my-work.\X</p></td>
</tr>
<tr>
<td><p>\x</p></td>
<td><p>1 hexadecimal digit</p></td>
<td><p>/tmp/my-work.\x</p></td>
</tr>
<tr>
<td><p>\A</p></td>
<td><p>1 or more repetitions of alphabet characters</p></td>
<td><p>/var/log/my-work/\$-\A-\$.log</p></td>
</tr>
<tr>
<td><p>\a</p></td>
<td><p>1 alphabet character</p></td>
<td><p>/home/users/\a/\*/public_html/\*.html</p></td>
</tr>
<tr>
<td><p>\-</p></td>
<td><p>Pathname subtraction operator (negative match)</p></td>
<td>
<p>/\*\-proc\-sys</p>
<p>This will match /\* except "/proc" and "/sys".</p>
</td>
</tr>
<tr>
<td><p>/\{dir\}/</p></td>
<td><p>Recursive directory matching operator.</p>
<p>Matches "/" and 1 or more repetitions of "dir/".</p></td>
<td>
<p>/var/www/html/\{\*\}/\*.html</p>
<p>This will match all *.html files in subdirectories below the /var/www/html/ directory. Note that /var/www/html/\*.html itself will not match.</p>
</td>
</tr>
<tr>
<td><p>/\(dir\)/</p></td>
<td><p>Recursive directory matching operator.</p>
<p>Matches "/" and 0 or more repetitions of "dir/".</p></td>
<td>
<p>/var/www/html/\(\*\)/\*.html</p>
<p>This will match all *.html files under the /var/www/html/ directory, at any depth. Note that /var/www/html/\*.html itself will match.</p>
</td>
</tr>
</table>

<h4><a name="3.1.4">3.1.4. Example of conditions that use string arguments.</a></h4>

<p>When a string argument is specified in the condition part, it is enclosed in " characters to make clear that the argument is a string literal rather than the name of a variable.</p>

<table border="1">
<tr><th><p>Conditions example</p></th><th><p>Value of variable "path"</p></th><th><p>Comparison result</p></th></tr>
<tr><td rowspan="5">path="/tmp/\*"</td>
<td>/</td><td>Does not match</td></tr>
<tr><td>/tmp</td><td>Does not match</td></tr>
<tr><td>/tmp/</td><td>Matches</td></tr>
<tr><td>/tmp/rt6bh84t</td><td>Matches</td></tr>
<tr><td>/tmp/349gy08t/y8024fgf</td><td>Does not match</td></tr>
<tr><td rowspan="5">path!="/tmp/\*"</td>
<td>/</td><td>Matches</td></tr>
<tr><td>/tmp</td><td>Matches</td></tr>
<tr><td>/tmp/</td><td>Does not match</td></tr>
<tr><td>/tmp/rt6bh84t</td><td>Does not match</td></tr>
<tr><td>/tmp/349gy08t/y8024fgf</td><td>Matches</td></tr>
</table>
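<p>The following Python example is added here to make three things above concrete at once: the byte-encoding table (a space becomes \040 and bytes from 0x80 upwards become \200 to \377), the single-component wildcards of 3.1.2, and the comparison table of 3.1.4. It is not part of CaitSith's own code, which lives in the kernel and the userspace tools. It assumes the encoding rule that printable ASCII other than the backslash is written as-is, that a backslash is written as \\, and that every other byte is written as a three-digit octal escape; it also assumes that matching works on the decoded bytes of the pathname, which is equivalent to treating each escape in the encoded form as one unit. The recursive directory operators and the subtraction operator are left out, and the function names (encode_path, tokenize, decode_path, match, evaluate, table_3_1_4) are chosen for this example.</p>

```python
import re
from functools import lru_cache
from typing import Dict, List, Tuple

# Wildcard classes from 3.1.2: (predicate on one byte, minimum
# repetitions, maximum repetitions or None for unbounded).
_is_digit = lambda b: 0x30 <= b <= 0x39
_is_xdigit = lambda b: _is_digit(b) or 0x41 <= b <= 0x46 or 0x61 <= b <= 0x66
_is_alpha = lambda b: 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A
WILDCARDS = {
    "*": (lambda b: b != 0x2F, 0, None),                # not "/"
    "@": (lambda b: b != 0x2F and b != 0x2E, 0, None),  # not "/" and not "."
    "?": (lambda b: b != 0x2F, 1, 1),
    "$": (_is_digit, 1, None), "+": (_is_digit, 1, 1),
    "X": (_is_xdigit, 1, None), "x": (_is_xdigit, 1, 1),
    "A": (_is_alpha, 1, None), "a": (_is_alpha, 1, 1),
}

def encode_path(raw: bytes) -> str:
    """Encode raw pathname bytes as the policy writes them (assumed rule: printable
    ASCII 0x21..0x7E is kept, a backslash is doubled, all else is 3-digit octal)."""
    out = []
    for b in raw:
        if b == 0x5C:
            out.append("\\\\")
        elif 0x21 <= b <= 0x7E:
            out.append(chr(b))
        else:
            out.append("\\%03o" % b)
    return "".join(out)

def tokenize(text: str) -> List[Tuple[str, object]]:
    """Split an encoded string into ("lit", byte) and ("wild", letter) tokens."""
    tokens = []
    i = 0
    while i < len(text):
        if text[i] != "\\":
            tokens.append(("lit", ord(text[i])))
            i += 1
        elif text[i + 1:i + 2] == "\\":          # escaped backslash
            tokens.append(("lit", 0x5C))
            i += 2
        elif text[i + 1:i + 2] in WILDCARDS:     # \*, \@, \?, \$, \+, \X, \x, \A, \a
            tokens.append(("wild", text[i + 1]))
            i += 2
        elif re.fullmatch(r"[0-3][0-7]{2}", text[i + 1:i + 4]):  # \ooo byte
            tokens.append(("lit", int(text[i + 1:i + 4], 8)))
            i += 4
        else:
            raise ValueError("bad escape at offset %d in %r" % (i, text))
    return tokens

def decode_path(encoded: str) -> bytes:
    """Inverse of encode_path; a pathname value must not contain wildcards."""
    tokens = tokenize(encoded)
    if any(kind == "wild" for kind, _ in tokens):
        raise ValueError("wildcard in a pathname value: %r" % encoded)
    return bytes(value for _, value in tokens)

def match(pattern: str, raw_path: bytes) -> bool:
    """Match a wildcard pattern against decoded pathname bytes. The recursive
    directory operators and the subtraction operator are not implemented."""
    tokens = tokenize(pattern)

    @lru_cache(maxsize=None)
    def rec(ti: int, pi: int) -> bool:
        if ti == len(tokens):
            return pi == len(raw_path)          # pattern and path must end together
        kind, value = tokens[ti]
        if kind == "lit":
            return pi < len(raw_path) and raw_path[pi] == value and rec(ti + 1, pi + 1)
        pred, lo, hi = WILDCARDS[value]
        n = 0                                   # bytes consumed by this wildcard
        while True:
            if n >= lo and rec(ti + 1, pi + n):
                return True
            if (hi is not None and n >= hi) or pi + n >= len(raw_path) \
                    or not pred(raw_path[pi + n]):
                return False
            n += 1

    return rec(0, 0)

_COND_RE = re.compile(r'^([A-Za-z_][\w.]*)(!?=)"(.*)"$')

def evaluate(condition: str, variables: Dict[str, str]) -> bool:
    """Evaluate name="pattern" or name!="pattern" against encoded variable values."""
    m = _COND_RE.match(condition)
    if not m:
        raise ValueError("not a string condition: %r" % condition)
    name, op, pattern = m.groups()
    hit = match(pattern, decode_path(variables[name]))
    return hit if op == "=" else not hit

def table_3_1_4() -> Dict[str, List[bool]]:
    """Recompute the comparison table of 3.1.4 for both example conditions."""
    values = ["/", "/tmp", "/tmp/", "/tmp/rt6bh84t", "/tmp/349gy08t/y8024fgf"]
    return {cond: [evaluate(cond, {"path": v}) for v in values]
            for cond in (r'path="/tmp/\*"', r'path!="/tmp/\*"')}
```

<p>Calling <code>table_3_1_4()</code> reproduces the five rows of the table above for both <code>path="/tmp/\*"</code> and <code>path!="/tmp/\*"</code>; <code>encode_path(b"/home/demo/Documents and Settings")</code> yields the \040 form shown earlier, and <code>match(r"/var/www/html/\@.html", b"/var/www/html/a.b.html")</code> is false because \@ stops at the first ".".</p>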

<p>The list of variable names that reference string data is given later.</p>

<hr>

<h2><a name="syntax_list">4. List of syntaxes</a></h2>

<hr>
<h3><a name="4.1">4.1. execute</a></h3>

<h4><a name="4.1.1">4.1.1. Description</a></h4>

<p>Execute a program via the execve() system call.</p>

<h4><a name="4.1.2">4.1.2. Available variables</a></h4>

<table border="1">
<tr><td><a href="#3.1">path</a></td><td>Requested program's pathname</td></tr>
<tr><td><a href="#3.1">exec</a></td><td>Requested program's pathname, which may be a symbolic link</td></tr>
<tr><td><a href="#3.1">task.exe</a></td><td>Current thread's program name (the content of /proc/self/exe)</td></tr>
</table>

<hr>
<h3><a name="4.2">4.2. modify_policy</a></h3>

<h4><a name="4.2.1">4.2.1. Description</a></h4>

<p>Modify the in-memory policy configuration via the /sys/kernel/security/caitsith/policy interface.</p>

<h4><a name="4.2.2">4.2.2. Available variables</a></h4>

<table border="1">
<tr><td><a href="#3.1">task.exe</a></td><td>Current thread's program name (the content of /proc/self/exe)</td></tr>
</table>
<hr>
<a href="#index">Return to index.</a>
</body>
</html>