Tetsuo Handa
from-****@I-lov*****
Sat Feb 5 12:17:35 JST 2011
Jamie Nguyen wrote:
> Tetsuo Handa wrote:
> > But list of filesystems supported by kernel can be found in /proc/filesystems .
>
> Perfect.

Strictly speaking, "the list of filesystems currently supported by the kernel can be found in /proc/filesystems", because "filesystems supported by the kernel can be added/removed by loading/unloading kernel modules".

> By the way, can you give example usage of "task auto_domain_transition" and
> "task manual_domain_transition" and the syntax?

Sure.

An example usage of "task manual_domain_transition" in the domain policy:

<kernel> /usr/sbin/httpd
task manual_domain_transition <kernel> //apache /www.tomoyo00.com
task manual_domain_transition <kernel> //apache /www.tomoyo01.com
task manual_domain_transition <kernel> //apache /www.tomoyo02.com
task manual_domain_transition <kernel> //apache /www.tomoyo03.com

will transit to the corresponding domain if that domain name is written to the /proc/ccs/self_domain interface (e.g. echo "<kernel> //apache /www.tomoyo00.com" > /proc/ccs/self_domain ).

The mod_ccs Apache module in tags/htdocs/1.8/tutorial-10.html.en is using this functionality by inserting hooks and creating a one-time thread.

An example usage of "task auto_domain_transition" in the domain policy:

<kernel> /usr/sbin/sshd /bin/bash
use_profile 3
use_group 0
task auto_domain_transition <kernel> //non-root-session task.uid!=0
task auto_domain_transition <kernel> //root-session task.uid=0

<kernel> //non-root-session
use_profile 3
use_group 0
# ACL entries for the non-root user come here.

<kernel> //root-session
use_profile 3
use_group 0
# ACL entries for the root user come here.

will automatically transit to the "<kernel> //root-session" domain if the current thread's uid is 0, and automatically transit to the "<kernel> //non-root-session" domain otherwise.
This is equivalent to automatically attempting

if [ `id -u` != 0 ]
then
    echo "<kernel> //non-root-session" > /proc/ccs/self_domain
else
    echo "<kernel> //root-session" > /proc/ccs/self_domain
fi

with the following entries:

task manual_domain_transition <kernel> //non-root-session task.uid!=0
task manual_domain_transition <kernel> //root-session task.uid=0

Since it is too dangerous to allow everyone to transit to arbitrary domains by doing "echo name_of_the_domain_the_user_wants_to_go > /proc/ccs/self_domain", "task manual_domain_transition" and "task auto_domain_transition" are always processed in "enforcing mode". (This means that you can't add a line like "0-CONFIG::task={ mode=learning }" to /proc/ccs/profile .)

Also, there are the "task auto_execute_handler" and "task denied_execute_handler" keywords. For example, add

acl_group 1 task auto_execute_handler /usr/lib/ccs/audit-exec-param

to the exception policy and use

use_group 1

in the domain policy ( tags/htdocs/1.8-tmp/tutorial-17.html.en ).

When some program is executed (i.e. the execve() syscall is called), TOMOYO checks for a "task auto_execute_handler" entry, and executes the program specified by that entry if one is found. The program specified by the "task auto_execute_handler" entry sets up the environment for executing the program originally passed to the execve() syscall and then executes the program originally passed to the execve() syscall. (By using per "struct task_struct" variables, TOMOYO does not check for a "task auto_execute_handler" entry if execve() was called from a program specified by a "task auto_execute_handler" entry.)

If the mode for program execution is enforcing and TOMOYO rejected the execution of the requested program, TOMOYO checks for a "task denied_execute_handler" entry, and executes the program specified by that entry if one is found (rather than rejecting the execve() syscall).
For example,

<kernel> /usr/sbin/smbd
use_profile 3
use_group 0
task denied_execute_handler /bin/false

will replace an execute request for /bin/sh from /usr/sbin/smbd (which can happen when smbd is hijacked by a buffer overflow) with an execute request for /bin/false . As a result, the process which requested /bin/sh from /usr/sbin/smbd will die instead of letting the attacker do bad things using /bin/sh .

Regards.
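The manual transition described in the message above, done from a program rather than with echo, as an added example that is not part of the original post and not code from TOMOYO or ccs-tools. It writes the target domain name to the self_domain interface and then reads the interface back to confirm the thread really moved, which is the check a program like mod_ccs needs because the write only succeeds when the current domain carries a matching "task manual_domain_transition" entry. The interface path /proc/ccs/self_domain is the one the post uses; the function names ccs_transit_to and ccs_transit_dry_run are assumptions, and the dry run against a scratch file exists only so the code path can be exercised on a machine without TOMOYO.

```c
/* Added example, not part of the original post or of TOMOYO/ccs-tools.
 * Perform a "task manual_domain_transition" from C: write the target
 * domain name to the self_domain interface and read it back to confirm.
 * CCS_SELF_DOMAIN is the TOMOYO 1.8 path from the post; the function
 * names below are assumptions made for this example. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CCS_SELF_DOMAIN "/proc/ccs/self_domain"

/* Return codes: 0 = now in the requested domain,
 * CCS_TRANSIT_MISMATCH = write was accepted but the interface still
 * reports a different domain, negative = -errno of the failing syscall
 * (e.g. -ENOENT when the kernel has no TOMOYO interface at all). */
#define CCS_TRANSIT_MISMATCH 1

/* write(2) the whole buffer, retrying on partial writes and EINTR. */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -errno;
        }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Ask the kernel to move the calling thread to `domain` via `iface`,
 * then verify by reading the interface back. */
int ccs_transit_to(const char *iface, const char *domain)
{
    int fd = open(iface, O_WRONLY);
    if (fd < 0)
        return -errno;
    int rc = write_all(fd, domain, strlen(domain));
    close(fd);
    if (rc < 0)
        return rc;            /* policy refused the transition */

    fd = open(iface, O_RDONLY);
    if (fd < 0)
        return -errno;
    char buf[4096];
    ssize_t n = read(fd, buf, sizeof(buf) - 1);
    int saved = errno;
    close(fd);
    if (n < 0)
        return -saved;
    buf[n] = '\0';
    buf[strcspn(buf, "\n")] = '\0';   /* drop a trailing newline if any */
    return strcmp(buf, domain) == 0 ? 0 : CCS_TRANSIT_MISMATCH;
}

/* Dry run against a scratch regular file (constructed here, no TOMOYO
 * needed): a plain file accepts any write, so this exercises the
 * write/read-back logic without a policy check. */
int ccs_transit_dry_run(const char *domain)
{
    char path[] = "/tmp/ccs_self_domain_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -errno;
    close(fd);
    int rc = ccs_transit_to(path, domain);
    unlink(path);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s '<kernel> //apache /www.tomoyo00.com'\n", argv[0]);
        return 2;
    }
    int rc = ccs_transit_to(CCS_SELF_DOMAIN, argv[1]);
    if (rc == 0)
        printf("now in domain: %s\n", argv[1]);
    else if (rc > 0)
        printf("write accepted but self_domain did not change\n");
    else
        printf("transition failed: %s\n", strerror(-rc));
    return rc == 0 ? 0 : 1;
}
```

On a TOMOYO system the interesting outcome is the negative one: if the calling thread's domain has no matching "task manual_domain_transition" entry the write fails and the thread stays where it was, which is exactly why the keyword is always enforced and why a program should check the result rather than assume the transition happened.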