Hi folks, I'm playing with TOMOYO as a way to blacklist, rather than whitelist, all syscalls from executing on a particular path (/mnt). The idea is that I want to make sure certain users with root privilege will be forced to gain root via a separate shell script (which will allow me to create an explicit exception policy for that domain) and limit any syscalls being invoked to/from that path. Thankfully, since /mnt is a branch off of the root directory, it's reasonably easy to whitelist everything else, as most of the first level from root has already been defined/enumerated. I managed to make this work and it's awesome!

That said, this can get a bit cumbersome in a use case where you need to blacklist multiple paths in multiple locations. I understand that TOMOYO is a MAC, which by philosophy is designed to explicitly enumerate allowed executions, but it would be nice if we could create a layer of abstraction on the exception policy/profile where you can switch to a blacklisting or negative assertion, where everything is allowed except the ones listed. Yes, it can get really tricky, but seeing as how the LSM has a pretty contained class of syscalls that we can manage, it seems doable. I wonder if anyone's thought about this or discussed this in the past?

Ryan
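As an added illustration of the setup Ryan describes (this is not his policy and not code from the TOMOYO project), here is what the two TOMOYO 2.x policy files could look like: the wrapper script gets its own domain via the exception policy, and the ordinary root domain simply has no entry for /mnt. The wrapper path /usr/local/bin/mnt-shell, the group names, the sshd/bash domain name and the use of profile 3 as the enforcing profile (the numbering of the default profile.conf) are assumptions; the patterns assume the 2.x wildcard rules, where `\*` does not cross `/` and `\{\*\}/` matches one or more directory levels, and that directory pathnames carry a trailing `/`.

```text
# /etc/tomoyo/exception_policy.conf  (added example; assumed paths and names)

# Executing the wrapper always starts a fresh domain named after it, instead
# of appending it to the caller's domain, so one domain-policy entry covers
# every route an admin takes to it (sudo, su, ssh, cron ...).
initialize_domain /usr/local/bin/mnt-shell from any

# Programs started from inside the wrapper (its shell, cp, editors ...) stay in
# the wrapper's domain rather than spawning domains of their own.
keep_domain any from /usr/local/bin/mnt-shell

# The /mnt subtree, referenced from domain policy as @MNT_FILES / @MNT_DIRS.
path_group MNT_FILES /mnt/\*
path_group MNT_FILES /mnt/\{\*\}/\*
path_group MNT_DIRS  /mnt/
path_group MNT_DIRS  /mnt/\*/
path_group MNT_DIRS  /mnt/\{\*\}/\*/

# Everything the ordinary root shell may touch, one top-level tree at a time.
# /mnt is deliberately absent: under a whitelist MAC, "not listed" is the deny.
# Extend with the remaining top-level directories (/dev, /proc, /sys, /run,
# /root, /opt ...) in the same way.
path_group ROOT_FILES /bin/\*
path_group ROOT_FILES /bin/\{\*\}/\*
path_group ROOT_FILES /etc/\*
path_group ROOT_FILES /etc/\{\*\}/\*
path_group ROOT_FILES /usr/\*
path_group ROOT_FILES /usr/\{\*\}/\*
path_group ROOT_FILES /var/\*
path_group ROOT_FILES /var/\{\*\}/\*
path_group ROOT_FILES /home/\*
path_group ROOT_FILES /home/\{\*\}/\*
path_group ROOT_FILES /tmp/\*
path_group ROOT_FILES /tmp/\{\*\}/\*
path_group ROOT_DIRS  /bin/\*/
path_group ROOT_DIRS  /bin/\{\*\}/\*/
path_group ROOT_DIRS  /etc/\*/
path_group ROOT_DIRS  /etc/\{\*\}/\*/
path_group ROOT_DIRS  /usr/\*/
path_group ROOT_DIRS  /usr/\{\*\}/\*/
path_group ROOT_DIRS  /var/\*/
path_group ROOT_DIRS  /var/\{\*\}/\*/
path_group ROOT_DIRS  /home/\*/
path_group ROOT_DIRS  /home/\{\*\}/\*/
path_group ROOT_DIRS  /tmp/\*/
path_group ROOT_DIRS  /tmp/\{\*\}/\*/

# /etc/tomoyo/domain_policy.conf  (added example; assumed domain names)

# The ordinary root shell reached over ssh. It may roam the rest of the tree,
# but has no ACL at all for /mnt, so in an enforcing profile every open,
# create, unlink, mkdir ... under /mnt is refused before the syscall runs.
# There is also no "file mount", "file unmount", "file chroot" or
# "file pivot_root" entry here: TOMOYO matches on pathnames, so the tree must
# not be re-rootable or bind-mountable under another name to dodge the match.
<kernel> /usr/sbin/sshd /bin/bash
use_profile 3
file read/write @ROOT_FILES
file execute @ROOT_FILES
file create @ROOT_FILES 0644
file unlink @ROOT_FILES
file mkdir @ROOT_DIRS 0755
file rmdir @ROOT_DIRS
# The only door into /mnt: executing the wrapper, which is a domain transition.
file execute /usr/local/bin/mnt-shell

# The wrapper's own domain: the explicit exception that is allowed into /mnt.
<kernel> /usr/local/bin/mnt-shell
use_profile 3
file execute /bin/bash
file read/write @ROOT_FILES
file read/write @MNT_FILES
file create @MNT_FILES 0644
file unlink @MNT_FILES
file mkdir @MNT_DIRS 0755
file rmdir @MNT_DIRS
```

In practice the exact ACL lines for each domain are best collected by running the domain in learning mode (profile 1) for a while and then switching it to enforcing, rather than typed by hand; the point of the fragment is the shape of the design. The check worth making before trusting it is the negative one: from the plain root shell, try to open, create and mkdir under /mnt and confirm the denial appears in the kernel log, then repeat from inside the wrapper and confirm it succeeds. Note that this is still a whitelist that happens to omit /mnt; the "deny this subtree, allow everything else" abstraction Ryan asks for would have to be generated on top of it, which is exactly why the enumeration grows with every extra path to exclude.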