[tomoyo-dev-en 120] Re: Updated website


Tetsuo Handa from-****@I-lov*****
Sat Feb 5 12:17:35 JST 2011


Jamie Nguyen wrote:
> Tetsuo Handa wrote:
> > But list of filesystems supported by kernel can be found in /proc/filesystems .
> 
> Perfect.

Strictly speaking, "the list of filesystems currently supported by the kernel can be
found in /proc/filesystems", because "the filesystems supported by the kernel can be
added/removed by loading/unloading kernel modules".



> By the way, can you give example usage of "task
> auto_domain_transition" and "task manual_domain_transition" and the
> syntax?

Sure.



An example usage of "task manual_domain_transition" in the domain policy:

  <kernel> /usr/sbin/httpd
  task manual_domain_transition <kernel> //apache /www.tomoyo00.com
  task manual_domain_transition <kernel> //apache /www.tomoyo01.com
  task manual_domain_transition <kernel> //apache /www.tomoyo02.com
  task manual_domain_transition <kernel> //apache /www.tomoyo03.com

will transition to the corresponding domain if that domain name is written to the
/proc/ccs/self_domain interface (e.g.

  echo "<kernel> //apache /www.tomoyo00.com" > /proc/ccs/self_domain

). The mod_ccs Apache module in tags/htdocs/1.8/tutorial-10.html.en uses
this functionality by inserting hooks and creating a one-time thread.



An example usage of "task auto_domain_transition" in the domain policy:

  <kernel> /usr/sbin/sshd /bin/bash
  use_profile 3
  use_group 0
  task auto_domain_transition <kernel> //non-root-session task.uid!=0
  task auto_domain_transition <kernel> //root-session task.uid=0
  
  <kernel> //non-root-session
  use_profile 3
  use_group 0
  # ACL entries for the non-root user come here.
  
  <kernel> //root-session
  use_profile 3
  use_group 0
  # ACL entries for the root user come here.

will automatically transition to the "<kernel> //root-session" domain if the current
thread's uid is 0, and automatically transition to the "<kernel> //non-root-session"
domain otherwise. This is equivalent to automatically attempting

  if [ `id -u` != 0 ]
  then
    echo "<kernel> //non-root-session" > /proc/ccs/self_domain
  else
    echo "<kernel> //root-session" > /proc/ccs/self_domain
  fi

with

  task manual_domain_transition <kernel> //non-root-session task.uid!=0
  task manual_domain_transition <kernel> //root-session task.uid=0

.



Since it is too dangerous to allow everyone to transition to arbitrary domains by
doing "echo name_of_the_domain_the_user_wants_to_go > /proc/ccs/self_domain",
"task manual_domain_transition" and "task auto_domain_transition" are always
processed in "enforcing mode". (This means that you can't add a line like
"0-CONFIG::task={ mode=learning }" to /proc/ccs/profile .)



Also, there are the "task auto_execute_handler" and "task denied_execute_handler"
keywords. For example, add

  acl_group 1 task auto_execute_handler /usr/lib/ccs/audit-exec-param

to the exception policy and use

  use_group 1

in the domain policy ( tags/htdocs/1.8-tmp/tutorial-17.html.en ).

When a program is executed (i.e. the execve() syscall is called), TOMOYO
checks for a "task auto_execute_handler" entry, and executes the program specified
by that entry if one is found.

The program specified by the "task auto_execute_handler" entry sets up the environment
for executing the program originally passed to the execve() syscall and then
executes that program.
(By using per-"struct task_struct" variables, TOMOYO does not check for a
"task auto_execute_handler" entry if execve() was called from a program
specified by a "task auto_execute_handler" entry.)



If the mode for program execution is enforcing and TOMOYO has rejected the execution of
the requested program, TOMOYO checks for a "task denied_execute_handler" entry, and
executes the program specified by that entry if one is found
(rather than rejecting the execve() syscall). For example,

  <kernel> /usr/sbin/smbd
  use_profile 3
  use_group 0
  task denied_execute_handler /bin/false

will replace an execute request for /bin/sh from /usr/sbin/smbd (which can
happen when it is hijacked by a buffer overflow) with an execute request for /bin/false .
As a result, the process that requested /bin/sh from /usr/sbin/smbd will die
instead of letting the attacker do bad things using /bin/sh .



Regards.
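A toy evaluator for the domain-policy keywords walked through in the message above, as an added example that is neither TOMOYO's kernel code nor part of ccs-tools. It parses policy text in the syntax shown and decides what "task auto_domain_transition", "task manual_domain_transition", "task auto_execute_handler" and "task denied_execute_handler" would do for a thread with a given uid, without touching /proc/ccs. The sample policy is constructed from the message's snippets: the "file execute" lines for /usr/bin/id and /usr/bin/smbstatus, the uid 48 used for httpd, and placing the audit-exec-param handler directly in the httpd domain instead of in acl_group 1 are assumptions made for illustration; only the task.uid=N / task.uid!=N conditions are understood, and execution is treated as enforcing, which the message says is always the case for the "task" keywords.

```python
"""Toy model of the TOMOYO 1.8 domain-policy keywords from the message.
Added example, not TOMOYO's own code: it only reads domain policy text
(no exception policy / acl_group), understands only task.uid conditions,
and treats program execution as enforcing."""
import re

# Condition syntax handled by this model: task.uid=0 or task.uid!=0.
COND_RE = re.compile(r"^task\.uid(!=|=)(\d+)$")


def parse_domain_policy(text):
    """Return {domain: [(keyword, argument, [conditions]), ...]}."""
    policy, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("<kernel>"):           # a domain header line
            current = line
            policy.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("ACL entry before any domain: %r" % line)
        words = line.split()
        n = 2 if words[0] in ("task", "file") else 1   # "task X" / "file X"
        keyword, rest = " ".join(words[:n]), words[n:]
        conds = []
        while rest and COND_RE.match(rest[-1]):    # trailing conditions
            conds.insert(0, rest.pop())
        policy[current].append((keyword, " ".join(rest), conds))
    return policy


def conditions_hold(conds, uid):
    """True if every task.uid condition is satisfied for this uid."""
    for cond in conds:
        op, value = COND_RE.match(cond).groups()
        if (uid == int(value)) != (op == "="):
            return False
    return True


def auto_transition(policy, domain, uid):
    """First 'task auto_domain_transition' entry whose conditions hold
    wins; with none matching the thread stays in `domain`."""
    for keyword, target, conds in policy[domain]:
        if keyword == "task auto_domain_transition" and conditions_hold(conds, uid):
            return target
    return domain


def manual_transition(policy, domain, requested, uid):
    """Model of writing `requested` to /proc/ccs/self_domain: returns the
    new domain if a matching 'task manual_domain_transition' entry exists
    and its conditions hold, else None (the write is refused)."""
    for keyword, target, conds in policy[domain]:
        if (keyword == "task manual_domain_transition" and target == requested
                and conditions_hold(conds, uid)):
            return requested
    return None


def execve(policy, domain, program, uid):
    """Path that really gets executed for execve(program) from `domain`,
    or None if rejected outright: an auto_execute_handler replaces every
    exec (it re-execs `program` itself), an exec allowed by 'file execute'
    proceeds, a rejected exec runs the denied_execute_handler if present."""
    entries = [e for e in policy[domain] if conditions_hold(e[2], uid)]
    for keyword, target, _ in entries:
        if keyword == "task auto_execute_handler":
            return target
    if any(k == "file execute" and t == program for k, t, _ in entries):
        return program
    for keyword, target, _ in entries:
        if keyword == "task denied_execute_handler":
            return target
    return None


# Constructed sample policy: the message's snippets plus assumed
# 'file execute' lines so that some requests are allowed.
SAMPLE_POLICY = """\
<kernel> /usr/sbin/sshd /bin/bash
use_profile 3
task auto_domain_transition <kernel> //non-root-session task.uid!=0
task auto_domain_transition <kernel> //root-session task.uid=0

<kernel> //non-root-session
file execute /usr/bin/id

<kernel> //root-session
use_profile 3

<kernel> /usr/sbin/httpd
task manual_domain_transition <kernel> //apache /www.tomoyo00.com
task auto_execute_handler /usr/lib/ccs/audit-exec-param

<kernel> /usr/sbin/smbd
file execute /usr/bin/smbstatus
task denied_execute_handler /bin/false
"""

if __name__ == "__main__":
    policy = parse_domain_policy(SAMPLE_POLICY)
    print(auto_transition(policy, "<kernel> /usr/sbin/sshd /bin/bash", 1000))
    print(manual_transition(policy, "<kernel> /usr/sbin/httpd",
                            "<kernel> //root-session", 48))   # None: refused
    print(execve(policy, "<kernel> /usr/sbin/smbd", "/bin/sh", 0))  # /bin/false
```

The refusal in manual_transition is the point of the message's "always enforcing" remark: a thread can only go where its current domain's "task manual_domain_transition" entries say it may, so a user cannot hop into the root session domain by writing its name to /proc/ccs/self_domain. The execve model shows the smbd case from the message: /bin/sh is not in the domain's "file execute" entries, so the request becomes /bin/false.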



