Tetsuo Handa
from-****@I-lov*****
Mon Aug 29 10:16:23 JST 2011
Tetsuo Handa wrote:
> This proposal makes it possible to specify domain transition more precisely
> without adding domain transition control directives to exception policy.

One more thing.

It is one of TOMOYO's characteristic features that "any process transits to a child of the current domain upon execve() unless explicitly specified using domain transition control directives in exception policy (and TOMOYO creates domains automatically if the domain to transit to does not exist, in order not to reject execve() requests unless enforcing mode is specified)". This feature is useful when analyzing a system's behavior because it does not require the user to have prior knowledge of what applications are installed in the target system and how they behave.

But after the user has obtained knowledge of what applications are installed in the target system and how they behave, the user designs how domains (and optionally namespaces) should be divided and modifies domain transition control entries in exception policy. At this point, the user will be able to specify "how domain transition should be applied upon executing this program" in each "file execute" entry (if my proposal is implemented) instead of modifying domain transition control entries in exception policy.

If the user wants to apply enforcing mode to the entire system (e.g. Android), the user will be able to specify "how domain transition should be applied upon execve()" in each "file execute" entry and remove all domain transition control entries from exception policy (because all "file execute" entries and domain transition patterns need to be identified and explicitly specified in order to apply enforcing mode to the entire system). Also, the user will be able to remove all "aggregator" entries from exception policy (because the user can specify something like

  path_group EDITORS /bin/vi
  path_group EDITORS /usr/bin/emacs
  file execute @EDITORS <editors>

).
We can remove "aggregator"/"reset_domain"/"no_reset_domain"/"initialize_domain"/"no_initialize_domain"/"keep_domain"/"no_keep_domain" if the user is skillful enough to specify all "file execute" entries and enforce them (in other words, to figure out all domains and the programs for each domain). After all, "aggregator"/"reset_domain"/"no_reset_domain"/"initialize_domain"/"no_initialize_domain"/"keep_domain"/"no_keep_domain" are essential for users who don't want to specify all "file execute" entries, but are optional for users who can specify all "file execute" entries.

I'm not proposing removal of the "aggregator"/"reset_domain"/"no_reset_domain"/"initialize_domain"/"no_initialize_domain"/"keep_domain"/"no_keep_domain" directives. My proposal is for experts who can live without these directives.