[tomoyo-users-en 216] Re: Tomoyo 1.7 - simple GUI for learning mode

Radoslaw Szkodzinski astra****@gmail*****
Wed Sep 29 03:50:12 JST 2010


On Tue, Sep 28, 2010 at 6:27 PM, Tetsuo Handa
<from-****@i-lov*****> wrote:
> Radoslaw Szkodzinski wrote:
>>
>> >> I think ccs-queryd doesn't have the whole ruleset, am I right?
>> >
>> > ccs-queryd does not have the ruleset, but ccs-queryd can fetch it by reading
>> > /proc/ccs/domain_policy . A shortcut "select global-pid=$GPID\n" allows
>> > ccs-queryd to fetch the ruleset for only a specific domain.
>> >
>>
>> Good enough for me, but can I push an update in a similar way?
>
> TOMOYO's policy is manipulated in a way similar to LDAP's LDIF file.
> All operations are specified in a diff-like format compared to current.

Great. :)

>> > If DAC allows stat() syscall on some file or directory, TOMOYO will allow
>> > stat() syscall on that file or directory.
>>
>> But it could get the syscall itself, any security_file_stat() in there?
>
> There is security_inode_getattr() which can reject stat() syscall, but TOMOYO
> is not using security_inode_getattr().
>
>> > You don't need to specify "allow_stat" keyword for reading access flags,
>> > xattrs, file size and so on because TOMOYO cannot prevent stat() syscall.
>>
>> And I would like it to. Could be used to hide some more information.
>> Perhaps allow_read should also allow_stat to make it easier to use.
>
> Is hiding DAC's mode, filesize, owner/group etc. useful? I don't think so.
>

Hiding filesize can be useful in the case of certain file-based encrypted
filesystems... but why would another user even have such access at
all?

> If we restrict stat() operation for hiding some more information, we should
> restrict readdir() operation as well.

Hmm, yes, far less useful without that.

>> I'd like then a forced conditional inclusion of a group of rules. Is
>> that possible?
>> e.g.
>> <kernel> /foo
>> ...
>> include_domain "/uid:1234 /foo" if task.uid=1234
>>
>> or some other way to pick a whole set of rules based on an uid, so as
>> to not reload the whole ruleset when some user decides to accept
>> something forever. Looks far better than many
>> allow_read /foo/bar/* if task.uid=1234
>> allow_read /bar/baz/* if task.uid=2345
>> ...
>>
> I need to make sure why you tried to use allow_transit keyword.
> Guessing from what you wrote
>
> <snip>

The problem is of course the ugliness of a large number of
allow_* * if task.uid=<uid>
especially if they begin to mix.

It'd be better if I could branch those into another domain or have
some kind of grouping.
I'd also be then able to split those off into a separate file.

> What happens if /bin/bash is linked to /tmp/bash and /tmp/bash is requested?
> /tmp/bash will be executed without letting ccs-queryd ask.
> Unless mode=enforcing, blacklisting does not help so much.

One can have wide blacklists. Those are more useful in this permissive
ask mode (to pick things that should be asked about) and to stop
certain highly suspicious behaviors like opening listening sockets or
executing things from /tmp... or to stop your web browser from writing
history or cookies, ever.
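The per-uid grouping asked for above does not exist in TOMOYO 1.7, but it can be kept in userspace and flattened into the syntax the kernel does accept. The following is an added example, not code from this thread or from the TOMOYO project: it parses a domain block written in the `<kernel> /path` plus `allow_* <path> if task.uid=<uid>` form quoted in the thread, buckets the rules per uid, and regenerates the flat conditional lines. The sample policy block is constructed; writing the result back through /proc/ccs/domain_policy and every keyword other than the ones quoted above are outside what this script handles.

```python
"""Group and regenerate per-uid conditional rules for a TOMOYO 1.7 domain.

Hypothetical helper (not part of the TOMOYO project): a domain that grants
different users different paths becomes a long list of
"allow_* <path> if task.uid=<uid>" lines.  This keeps the rules grouped by
uid for editing and expands them to the flat form the kernel accepts.
"""
import re
from collections import defaultdict

# Constructed sample of a flat domain block, in the syntax quoted in the thread.
SAMPLE_POLICY = """\
<kernel> /foo
allow_read /foo/bar/* if task.uid=1234
allow_write /home/alice/.cache/* if task.uid=1234
allow_read /bar/baz/* if task.uid=2345
allow_read /etc/hosts
"""

# allow_<perm> <path> [if task.uid=<uid>]
RULE_RE = re.compile(r"^(allow_\w+)\s+(\S+)(?:\s+if\s+task\.uid=(\d+))?$")


def parse_domain_policy(text):
    """Return {domain_header: [(permission, path, uid_or_None), ...]}."""
    domains = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("<kernel>"):        # domain header opens a new block
            current = line
            domains[current] = []
            continue
        m = RULE_RE.match(line)
        if current is None or m is None:
            raise ValueError("unrecognised line: %r" % line)
        perm, path, uid = m.groups()
        domains[current].append((perm, path, int(uid) if uid else None))
    return domains


def group_by_uid(rules):
    """Bucket (perm, path, uid) rules by uid; key None holds unconditional rules."""
    groups = defaultdict(list)
    for perm, path, uid in rules:
        groups[uid].append((perm, path))
    return dict(groups)


def expand_uid_group(uid, rules):
    """Flatten one uid's (perm, path) list into TOMOYO conditional lines."""
    cond = "" if uid is None else " if task.uid=%d" % uid
    return ["%s %s%s" % (perm, path, cond) for perm, path in rules]


def render_domain(domain, groups):
    """Emit a domain block: unconditional rules first, then one block per uid."""
    lines = [domain]
    lines += expand_uid_group(None, groups.get(None, []))
    for uid in sorted(u for u in groups if u is not None):
        lines += expand_uid_group(uid, groups[uid])
    return "\n".join(lines) + "\n"


def roundtrip(text):
    """parse -> group -> render; the set of rules must come out unchanged."""
    out = []
    for domain, rules in parse_domain_policy(text).items():
        out.append(render_domain(domain, group_by_uid(rules)))
    return "".join(out)


if __name__ == "__main__":
    print(roundtrip(SAMPLE_POLICY), end="")
```

The round trip is the check worth keeping: after grouping and re-expanding, the set of rule lines must be identical to the input, otherwise the grouped file and the policy the kernel actually loaded have drifted apart.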
