[tomoyo-users-en 686] Re: tomoyo with squashfs

Tetsuo Handa pengu****@I-lov*****
Mon Jul 17 22:41:40 JST 2017


Hello.

Matthias Lay wrote:
> Hi,
> 
> I am playing around with tomoyo rulesets on a system with a RO squashfs
> as root filesystem.
> 
> I noticed all rootfs binaries are prefixed with "squashfs:"
> 
> ..... squashfs:/bin/cat' not defined
> 
> but I can't create a rule with that prefix, as the editor doesn't like
> the prefix in its syntax.
> 
> "squashfs:/bin/cat is an invalid domainname"
> 
> the executed programs don't show up in the editor either.
> 
> the only way to get them to show up and create working rules is to
> create aggregators like
> 
> aggregator squashfs:/bin/cat /bin/cat
> 
> with this set in exception_policies.conf, the /bin/cat shows up in the
> editor and I can create rules for /bin/cat.

Yes, that will be the easiest approach when using learning mode (i.e.
recording possible domain transition patterns).

> 
> is there another way to get this working, without the need to create an
> aggregator for every binary on the system?

Not applicable to learning mode, but I think that you can explicitly specify
to which domain the current thread should transit at a "file execute" entry (

  file execute [candidate] [domainname]
  file execute [candidate] [pathname]

in http://tomoyo.osdn.jp/2.5/policy-specification/domain-transition-procedure.html#transition_by_execute ).

If you specify

  keep_domain any from any

in the exception policy, domain transitions will be suppressed by default
(i.e. there is no need to enumerate all binaries in squashfs with "aggregator" entries).
You can specify [domainname] or [pathname] as needed in order to force domain
transition.

> 
> 
> Greetz
> 
> Matze
> 

Regards.
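
The following POSIX shell script is an added example; it is not part of this
thread and not tooling from the TOMOYO project. It generates policy text for
both approaches discussed above: one "aggregator" entry per executable found
in an image tree (the learning-mode route), and the "keep_domain any from any"
exception policy plus an explicit "file execute [candidate] [domainname]"
transition (the route that avoids enumerating binaries). The "squashfs:"
prefix and the entry forms are the ones quoted in the thread; the daemon path
/usr/sbin/mydaemon, the config file path and profile number 3 are assumed for
illustration. Nothing here writes to /sys/kernel/security/tomoyo, so it runs
on any machine; append the output to exception_policy.conf and
domain_policy.conf by hand after reviewing it.

```shell
#!/bin/sh
# Added example (not from the thread or the TOMOYO project): emit TOMOYO 2.5
# policy fragments for a read-only squashfs root whose binaries show up as
# "squashfs:/path" in denial messages.

# Approach 1 (learning mode): one "aggregator" entry per executable.
# $1 is the root of a copy of the image tree (e.g. the squashfs mounted at
# /mnt/sq, or the build tree it was made from; "/" also works).  Every
# owner-executable regular file "squashfs:/path" is mapped back to "/path",
# which the policy editor accepts as a domainname component.
# Assumption: pathnames contain no characters that TOMOYO requires escaped.
gen_aggregators() {
    root=$(cd "$1" && pwd) || return 1
    [ "$root" = / ] && root=     # so ${f#"$root"} keeps the leading slash
    find "${root:-/}" -type f -perm -100 | LC_ALL=C sort | while IFS= read -r f; do
        p=${f#"$root"}
        printf 'aggregator squashfs:%s %s\n' "$p" "$p"
    done
}

# Approach 2: suppress transitions by default (exception_policy.conf).
# With this entry every execve stays in the caller's domain unless a
# "file execute" entry in domain policy names a destination.
gen_exception_policy() {
    cat <<'EOF'
keep_domain any from any
EOF
}

# Approach 2, domain side (domain_policy.conf).  The hypothetical daemon is
# forced into its own domain with the "[candidate] [domainname]" form quoted
# in the thread; helpers it runs (cat, here) stay in that domain because of
# keep_domain, so their execute permission is granted there.  Profile 3 is
# assumed to be an enforcing profile, as in the stock profile.conf.
gen_domain_policy() {
    cat <<'EOF'
<kernel>
use_profile 3
file execute squashfs:/usr/sbin/mydaemon <kernel> /usr/sbin/mydaemon

<kernel> /usr/sbin/mydaemon
use_profile 3
file execute squashfs:/bin/cat
file read /etc/mydaemon.conf
EOF
}

# Usage: sh gen_tomoyo_policy.sh /mnt/sq  (prints the aggregator list).
if [ "$#" -eq 1 ]; then
    gen_aggregators "$1"
fi
```

gen_aggregators only looks at the mode bits, so scripts with an executable bit
but no interpreter line will also get an entry; that is harmless, since an
unused aggregator simply never matches.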
