Tetsuo Handa
from-****@I-lov*****
Sat Aug 27 15:01:53 JST 2011
Toshiharu Harada wrote:
> I assume the new suggestions include several
> different purposes/advantages. What seems to be most
> important to you?
> Tetsuo (Eliminating needs to synchronize the
> exception policy? I guess)

Advantage 1:

<kernel> /usr/sbin/sshd
file execute /bin/bash <kernel> /usr/sbin/sshd //batch-session exec.argc=2 exec.argv[1]="-c"
file execute /bin/bash <kernel> /usr/sbin/sshd //root-session task.uid=0
file execute /bin/bash <kernel> /usr/sbin/sshd //nonroot-session task.uid!=0

will allow transition to different domains based on conditions.

Advantage 2:

file execute /tmp/logrotate.\?\?\?\?\?\? <logrotate.tmp>

will allow executing /tmp/logrotate.\?\?\?\?\?\? in <logrotate.tmp> domain
without defining "aggregator /tmp/logrotate.\?\?\?\?\?\? /tmp/logrotate.tmp".

Advantage 3:

If we use "aggregator" entry, it affects all domains in the same namespace.
It may not be always preferable when the "aggregator" matches many pathnames.
For example, if we want to allow execution of /bin/\* other than /bin/su ,

aggregator /bin/\*\-su //bin-except-su

<kernel> /usr/sbin/sshd /bin/bash
file execute //bin-except-su

will allow it. But, within the same namespace, if we want to allow execution
of /bin/\* other than /bin/su and /bin/ping ,

aggregator /bin/\*\-su\-ping //bin-except-su-and-ping

<kernel> /usr/sbin/sshd /bin/tcsh
file execute //bin-except-su-and-ping

will allow it. However, if the order is

aggregator /bin/\*\-su //bin-except-su
aggregator /bin/\*\-su\-ping //bin-except-su-and-ping

/bin/ls from <kernel> /usr/sbin/sshd /bin/bash domain will succeed whereas
/bin/ls from <kernel> /usr/sbin/sshd /bin/tcsh domain will fail because
/bin/ls will match //bin-except-su .

Likewise, if the order is

aggregator /bin/\*\-su\-ping //bin-except-su-and-ping
aggregator /bin/\*\-su //bin-except-su

/bin/ls from <kernel> /usr/sbin/sshd /bin/tcsh domain will succeed whereas
/bin/ls from <kernel> /usr/sbin/sshd /bin/bash domain will fail because
/bin/ls will match //bin-except-su-and-ping .

If we use

<kernel> /usr/sbin/sshd /bin/bash
file execute /bin/\*\-su <kernel> /usr/sbin/sshd /bin/bash //bin-except-su

<kernel> /usr/sbin/sshd /bin/tcsh
file execute /bin/\*\-su\-ping <kernel> /usr/sbin/sshd /bin/tcsh //bin-except-su-and-ping

both /bin/ls from <kernel> /usr/sbin/sshd /bin/tcsh domain and /bin/ls from
<kernel> /usr/sbin/sshd /bin/bash domain will succeed because we don't need
to use "aggregator".

Advantage 4:

Well, advantage 3 may be false because we have "path_group".

path_group group_for_bash /bin/\*\-su
path_group group_for_tcsh /bin/\*\-su\-ping

<kernel> /usr/sbin/sshd /bin/bash
file execute @group_for_bash

<kernel> /usr/sbin/sshd /bin/tcsh
file execute @group_for_tcsh

But

<kernel> /usr/sbin/sshd /bin/bash
file execute @group_for_bash keep

<kernel> /usr/sbin/sshd /bin/tcsh
file execute @group_for_tcsh keep

will save us from writing

no_initialize_domain /bin/\*\-su from <kernel> /usr/sbin/sshd /bin/bash
no_initialize_domain /bin/\*\-su\-ping from <kernel> /usr/sbin/sshd /bin/tcsh
no_reset_domain /bin/\*\-su from <kernel> /usr/sbin/sshd /bin/bash
no_reset_domain /bin/\*\-su\-ping from <kernel> /usr/sbin/sshd /bin/tcsh
delete no_keep_domain /bin/\*\-su from <kernel> /usr/sbin/sshd /bin/bash
delete no_keep_domain /bin/\*\-su\-ping from <kernel> /usr/sbin/sshd /bin/tcsh
keep_domain /bin/\*\-su from <kernel> /usr/sbin/sshd /bin/bash
keep_domain /bin/\*\-su\-ping from <kernel> /usr/sbin/sshd /bin/tcsh

to exception policy.
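The order dependence of "aggregator" described under Advantage 3, and the path_group alternative from Advantage 4, as an added illustration that is not part of the mail above or of TOMOYO's own code. The script is a deliberately simplified model: it assumes `\*` matches any run of characters other than `/`, `\?` matches one such character, `\-` subtracts the following pattern from a path component, "aggregator" entries are tried in order with the first match rewriting the pathname, and "file execute" entries (including `@path_group` references) are then matched against the rewritten name. The domain names, patterns and policy entries are the ones quoted in the mail; the function names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Simplified model of the TOMOYO pattern subset used in the thread (assumed
# semantics, not TOMOYO's matcher):
#   \*  any run of characters except '/'
#   \?  exactly one character other than '/'
#   \-  subtract the following pattern from this path component


def _to_regex(component: str) -> str:
    """Translate one path component (no '/') into a Python regex."""
    out: List[str] = []
    i = 0
    while i < len(component):
        if component.startswith(r"\*", i):
            out.append("[^/]*")
            i += 2
        elif component.startswith(r"\?", i):
            out.append("[^/]")
            i += 2
        else:
            out.append(re.escape(component[i]))
            i += 1
    return "".join(out)


def component_matches(pattern: str, name: str) -> bool:
    # Pattern '\*\-su\-ping' matches any name except 'su' and 'ping'.
    positive, *excluded = pattern.split(r"\-")
    if re.fullmatch(_to_regex(positive), name) is None:
        return False
    return all(re.fullmatch(_to_regex(ex), name) is None for ex in excluded)


def path_matches(pattern: str, path: str) -> bool:
    """Component-wise match of an absolute pathname against a pattern."""
    pcomps, ncomps = pattern.split("/"), path.split("/")
    return len(pcomps) == len(ncomps) and all(
        component_matches(p, n) for p, n in zip(pcomps, ncomps))


Aggregators = List[Tuple[str, str]]  # (pattern, replacement), tried in order
PathGroups = Dict[str, List[str]]    # path_group name -> member patterns
DomainAcl = Dict[str, List[str]]     # domain -> "file execute" targets


def aggregate(aggregators: Aggregators, path: str) -> str:
    """First matching aggregator rewrites the pathname; no match leaves it alone."""
    for pattern, replacement in aggregators:
        if path_matches(pattern, path):
            return replacement
    return path


def may_execute(acl: DomainAcl, groups: PathGroups, aggregators: Aggregators,
                domain: str, path: str) -> bool:
    """Does 'file execute <path>' succeed from <domain>?"""
    target = aggregate(aggregators, path)
    for entry in acl.get(domain, []):
        patterns = groups[entry[1:]] if entry.startswith("@") else [entry]
        if any(path_matches(p, target) for p in patterns):
            return True
    return False


BASH = "<kernel> /usr/sbin/sshd /bin/bash"
TCSH = "<kernel> /usr/sbin/sshd /bin/tcsh"

# Advantage 3: the two aggregator orderings from the mail, one shared namespace.
AGG_SU_FIRST: Aggregators = [
    (r"/bin/\*\-su", "//bin-except-su"),
    (r"/bin/\*\-su\-ping", "//bin-except-su-and-ping"),
]
AGG_PING_FIRST: Aggregators = list(reversed(AGG_SU_FIRST))
ACL_VIA_AGGREGATOR: DomainAcl = {
    BASH: ["//bin-except-su"],
    TCSH: ["//bin-except-su-and-ping"],
}

# Advantage 4: the same intent via path_group, so no aggregator is needed.
GROUPS: PathGroups = {
    "group_for_bash": [r"/bin/\*\-su"],
    "group_for_tcsh": [r"/bin/\*\-su\-ping"],
}
ACL_VIA_GROUPS: DomainAcl = {BASH: ["@group_for_bash"], TCSH: ["@group_for_tcsh"]}


def ls_with_aggregators(aggregators: Aggregators) -> Dict[str, bool]:
    """Whether /bin/ls may run from each shell domain under a given aggregator order."""
    return {d: may_execute(ACL_VIA_AGGREGATOR, {}, aggregators, d, "/bin/ls")
            for d in (BASH, TCSH)}


def with_groups(path: str) -> Dict[str, bool]:
    """Whether <path> may run from each shell domain under the path_group policy."""
    return {d: may_execute(ACL_VIA_GROUPS, GROUPS, [], d, path) for d in (BASH, TCSH)}


if __name__ == "__main__":
    print("su-first  :", ls_with_aggregators(AGG_SU_FIRST))
    print("ping-first:", ls_with_aggregators(AGG_PING_FIRST))
    for p in ("/bin/ls", "/bin/su", "/bin/ping"):
        print("path_group", p, with_groups(p))
```

Run as a script it prints that /bin/ls is allowed from exactly one of the two shell domains under either aggregator order, flipping with the order, while the path_group policy allows /bin/ls from both, denies /bin/su from both and denies /bin/ping only from the tcsh domain, which is the behaviour the mail argues for.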