From gbf.gmv at gmail.com Wed May 20 16:23:47 2020
From: gbf.gmv at gmail.com (Gabriel Borges Figuera)
Date: Wed, 20 May 2020 09:23:47 +0200
Subject: [tomoyo-users-en 731] Akari IPC signals control for bash shell

Hello Tetsuo!

I hope everything is fine at this hard moment.

Recently I have been trying to develop an Akari policy, but I have encountered a problem when I try to restrict the "kill" command from the bash shell. If I use /bin/kill or /usr/bin/kill from the command line, I can control what happens because these programs have a self domain in domainpolicy, but when I use the shell built-in command "kill" it does not have a self domain, so if the bash shell is permitted in a certain domain it can kill every process without that explicit permission. How can I avoid or prevent that?

I have been looking at the AKARI documentation pages and I miss the "ipc signal" directive, but in Tomoyo 1.8 it is present. And the comparison table between AKARI/Tomoyo seems to say that Akari can control IPC signals. Is there a way to control the IPC signals sent from the bash shell?

Best Regards.
Gabriel Borges.

From penguin-kernel at i-love.sakura.ne.jp Wed May 20 19:26:02 2020
From: penguin-kernel at i-love.sakura.ne.jp (Tetsuo Handa)
Date: Wed, 20 May 2020 19:26:02 +0900
Subject: [tomoyo-users-en 732] Re: Akari IPC signals control for bash shell

Hello.

AKARI / CaitSith / TOMOYO 2.x cannot control IPC, for LSM hooks for judging "sending signals" are inserted into locations where it is not permitted to sleep. TOMOYO / AKARI / CaitSith support interactive judgement functionality which depends on being able to sleep inside LSM hooks.

TOMOYO 1.x can control IPC, for TOMOYO 1.x is inserting custom hooks for judging "sending signals" into locations where it is permitted to sleep. But even with that approach, it cannot be perfectly precise.

Since it is possible to send a signal to multiple processes, TOMOYO 1.x will have to check multiple recipient domains. But since we can't atomically check all recipient domains, TOMOYO 1.x checks only one recipient domain derived from the "pid" argument. Thus, basically, please consider the ability to restrict only the "signal number" argument. Likewise, the non-LSM version of CaitSith can restrict only the "signal number" argument.
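As an added example (not code from this thread, AKARI or TOMOYO): a POSIX shell audit for the situation Gabriel describes. `resolve_kind` reports whether a command word runs as a shell builtin (no exec, so it stays in bash's own domain and no per-program domain is consulted) or as an external program such as /bin/kill, and `builtin_kill_lines` flags the lines of a script where a bare `kill` (including `command kill`, which bypasses functions but not builtins) would take the builtin path. The sample script is constructed for the demonstration.

```shell
#!/bin/sh
# Classify how a command word resolves in the running shell.
# "builtin": no exec happens, the call stays in the shell's own domain.
# "external": a program is exec'ed and gets its own domain under TOMOYO/AKARI.
resolve_kind() {
  _r=$(command -v "$1" 2>/dev/null) || { echo missing; return 0; }
  case "$_r" in
    /*) echo external ;;
    '') echo missing ;;
    *)  echo builtin ;;
  esac
}

# Print "<line no>: <line>" for every script line where some command in the
# line is a bare `kill` (optionally prefixed by `command` or `builtin`).
# Paths such as /bin/kill, or `env kill` (which execs the PATH lookup), are
# not flagged because they leave the shell's domain.
builtin_kill_lines() {
  awk '
    { line = $0; sub(/#.*/, "", line)            # drop trailing comment
      n = split(line, seg, /;|&&|\|\||\|/)        # one command per segment
      for (i = 1; i <= n; i++) {
        m = split(seg[i], w, /[ \t]+/)
        j = 1; while (j <= m && w[j] == "") j++   # skip leading blanks
        if (j <= m && (w[j] == "command" || w[j] == "builtin")) j++
        if (j <= m && w[j] == "kill") { print NR ": " $0; break }
      }
    }' "$@"
}

# Constructed sample script (not from the thread) used as audit input.
sample_script() {
  cat <<'EOF'
#!/bin/bash
pid=$(cat /run/app.pid)
kill -TERM "$pid"            # builtin: no exec, stays in bash's domain
/bin/kill -TERM "$pid"       # external: runs in /bin/kill's own domain
command kill -HUP "$pid"     # still the builtin: command only bypasses functions
env kill -HUP "$pid" || kill -0 "$pid"   # env execs PATH kill; fallback is the builtin
EOF
}

# Number of sample lines that rely on the builtin kill.
count_builtin_kills() { sample_script | builtin_kill_lines | wc -l | tr -d ' '; }

echo "kill resolves as: $(resolve_kind kill)"
sample_script | builtin_kill_lines
```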