On 5 June 2016 at 13:37, Tetsuo Handa <pengu****@i-lov*****> wrote:
> Hello.
>
> Roman Yeryomin wrote:
>> Hello!
>>
>> I'm trying to build a minimal policy for my embedded system where all
>> read/write requests to /dev/mtd* should be blocked except for several
>> programs.
>> In profile.conf I have:
>>
>> <kernel> PROFILE_VERSION=20110903
>> <kernel> 0-COMMENT=-----Disabled Mode-----
>> <kernel> 0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
>> <kernel> 0-CONFIG={ mode=disabled grant_log=no reject_log=yes }
>> <kernel> 1-COMMENT=-----Learning Mode-----
>> <kernel> 1-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
>> <kernel> 1-CONFIG={ mode=learning grant_log=no reject_log=yes }
>> <kernel> 2-COMMENT=-----Permissive Mode-----
>> <kernel> 2-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
>> <kernel> 2-CONFIG={ mode=permissive grant_log=no reject_log=yes }
>> <kernel> 3-COMMENT=-----Enforcing Mode-----
>> <kernel> 3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
>> <kernel> 3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }
>> <kernel> 4-COMMENT=-----Enforcing Mode-----
>> <kernel> 4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
>> <kernel> 4-CONFIG::file::open={ mode=enforcing grant_log=no reject_log=yes }
>> </bin/dd> PROFILE_VERSION=20110903
>> </bin/dd> 4-COMMENT=-----Enforcing Mode-----
>> </bin/dd> 4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
>> </bin/dd> 4-CONFIG::file::open={ mode=enforcing grant_log=no reject_log=yes }
>> </sbin/the-tool> PROFILE_VERSION=20110903
>> </sbin/the-tool> 0-COMMENT=-----Disabled Mode-----
>> </sbin/the-tool> 0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
>> </sbin/the-tool> 0-CONFIG={ mode=disabled grant_log=no reject_log=yes }
>>
>> in exception_policy.conf:
>>
>> reset_domain /sbin/the-tool from any
>> reset_domain /bin/dd from any
>> keep_domain any from </sbin/the-tool>
>> keep_domain any from </bin/dd>
>> keep_domain any from <kernel>
>> path_group ALMOST_ANY_FILE /\*
>> path_group ALMOST_ANY_FILE /\*/\*\-mtd\?\*
>> path_group ALMOST_ANY_FILE /\*/\*/\*/\*
>> path_group ALMOST_ANY_FILE /\*/\*/\{\*\}/\*
>> path_group ALMOST_ANY_FILE \*:/\*
>> path_group ALMOST_ANY_FILE \*:/\{\*\}/\*
>> path_group ALMOST_ANY_FILE \*:[\$]
>> path_group ANY_FILE /\*
>> path_group ANY_FILE /\{\*\}/\*
>> path_group ANY_FILE \*:/\*
>> path_group ANY_FILE \*:/\{\*\}/\*
>> path_group ANY_FILE \*:[\$]
>> path_group ANY_DIR /
>> path_group ANY_DIR /\{\*\}/
>> path_group ANY_DIR \*:/
>> path_group ANY_DIR \*:/\{\*\}/
>>
>> and in domain_policy.conf
>>
>> <kernel>
>> use_profile 4
>> use_group 0
>> file read/write/append @ANY_DIR
>> file read/write/append @ALMOST_ANY_FILE
>> file read/write socket:[family=\$:type=\$:protocol=\$]
>>
>> </bin/dd>
>> use_profile 4
>> use_group 0
>> file read/write/append @ANY_DIR
>> file read @ANY_FILE
>> file write/append @ALMOST_ANY_FILE
>> file read/write socket:[family=\$:type=\$:protocol=\$]
>>
>> </sbin/the-tool>
>> use_profile 0
>> use_group 0
>>
>
> This is a situation where CaitSith will fit better.
>
> Since Memory Technology Device is a character device with major = 90,
> you will be able to define CaitSith's rule like below.
>
> ----------------------------------------
> 10 read path.type=char path.dev_major=90
>     10 allow task.exe="/bin/dd"
>     20 allow task.exe="/sbin/fw-tool"
>     30 deny
>
> 10 write path.type=char path.dev_major=90
>     10 allow task.exe="/sbin/fw-tool"
>     20 deny
>
> 10 append path.type=char path.dev_major=90
>     10 allow task.exe="/sbin/fw-tool"
>     20 deny
> ----------------------------------------

Thank you for this pointer, I will certainly look closer at CaitSith!

> If you need to use TOMOYO 2.5, you can still use file's attributes
> like below (though it is less flexible than CaitSith).
>
> ----------------------------------------
> <kernel>
> use_profile 4
> file read @ANY_DIR
> file read/write/append @ANY_FILE path1.type!=char
> file read/write/append @ANY_FILE path1.type=char path1.dev_major!=90
>
> </bin/dd>
> use_profile 4
> file read @ANY_DIR
> file read @ANY_FILE
> file write/append @ANY_FILE path1.type!=char
> file write/append @ANY_FILE path1.type=char path1.dev_major!=90
>
> </sbin/fw-tool>
> use_profile 0
> file read @ANY_DIR
> file read/write/append @ANY_FILE
> ----------------------------------------
>
> Please be aware that the programs you want to allow access to specific
> resource (i.e. /bin/dd and /sbin/fw-tool in your case) might be disguised
> unless you also restrict operations which modify directory entries and/or
> mount namespace. For example, doing
>
> # mount --bind /bin/cat /sbin/fw-tools
>
> or
>
> # mv /sbin/fw-tool /sbin/fw-tool.orig
> # ln /bin/cat /sbin/fw-tool
>
> allows the attacker to run in </sbin/fw-tool> domain while its functionality
> would be still /bin/cat . Therefore, it is recommended to restrict operations
> which modify directory entries and/or mount namespace in addition to
> restricting read/write/append operations.

I was going to develop this policy further and restrict ssh (the only
access method) to only several configuration files. Would this solve the
problem?

>>
>> As I understand from domain transition logic described here
>> http://tomoyo.osdn.jp/2.5/policy-specification/domain-transition-procedure.html.en#transition_by_execute
>> it should work.
>> But neither dd nor the-tool has even read access to /dev/mtdX.
>>
>> Any pointers on what I am doing wrong?
>> Thanks in advance!
>>
>
> I guess that /bin/dd and /sbin/fw-tool are running in the <kernel> domain.

It seems you are right. tomoyo-queryd showed that the-tool runs with
profile 4 while the </sbin/the-tool> domain is configured as profile 0.
But then I don't understand how domain transition (exception policy)
rules work. Will they always match the most "hungry"/vague rule, not the
first one? In my config it looks like any /sbin/the-tool instance will
match "keep_domain any from <kernel>", not "reset_domain /sbin/the-tool
from any" as I was expecting. And adding "no_keep_domain /sbin/the-tool
from any" also doesn't help. So I'm confused here.

Regards,
Roman
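As an added illustration of the precedence question raised above, and not code from this thread or from the TOMOYO project: a small Python model of the order in which the 2.5 kernel evaluates exception-policy transition rules on execve (no_reset_domain/reset_domain first, then no_initialize_domain/initialize_domain, then no_keep_domain/keep_domain, otherwise the default `<current domain> <program>` transition), run over the reset_domain/keep_domain lines quoted from the exception policy above. Program patterns are matched with fnmatch as a simplified stand-in for TOMOYO's own wildcard syntax; that substitution and the embedded rule set are assumptions of the model.

```python
"""TOMOYO 2.5 transition-on-execve model (added example; fnmatch stands in for TOMOYO wildcards, an assumption)."""
from fnmatch import fnmatchcase
# Kernel order: a matching no_* rule suppresses its positive counterpart.
ORDER = ("no_reset_domain", "reset_domain", "no_initialize_domain",
         "initialize_domain", "no_keep_domain", "keep_domain")

# Transition rules from the exception policy quoted in the thread.
ROMAN_POLICY = """\
reset_domain /sbin/the-tool from any
reset_domain /bin/dd from any
keep_domain any from </sbin/the-tool>
keep_domain any from </bin/dd>
keep_domain any from <kernel>
"""

def parse_exception_policy(text):
    """Keep lines of the form '<keyword> <program> from <domain>'."""
    rows = [line.split() for line in text.splitlines()]
    return [(p[0], p[1], p[3]) for p in rows
            if len(p) == 4 and p[0] in ORDER and p[2] == "from"]

def _matches(rule, domain, program):
    _, prog_pat, dom_pat = rule
    if dom_pat.startswith("<"):            # full domain name given
        if dom_pat != domain:
            return False
    elif dom_pat != "any" and dom_pat != domain.split()[-1]:
        return False                        # last component only
    return prog_pat == "any" or fnmatchcase(program, prog_pat)

def next_domain(rules, domain, program):
    """Return (deciding keyword, new domain) for executing program."""
    i = 0
    while i < len(ORDER):
        keyword = ORDER[i]
        if not any(r[0] == keyword and _matches(r, domain, program)
                   for r in rules):
            i += 1
        elif keyword.startswith("no_"):
            i += 2                          # skip the suppressed rule
        else:
            break
    else:
        keyword = "default"                 # <current domain> <program>
    if keyword == "reset_domain":
        return keyword, "<" + program + ">"
    if keyword == "initialize_domain":
        return keyword, domain.split()[0] + " " + program
    if keyword == "keep_domain":
        return keyword, domain
    return keyword, domain + " " + program
```

In this model the quoted rules resolve /sbin/the-tool executed from <kernel> to </sbin/the-tool> via reset_domain, which makes it a quick way to check what the rule set itself decides, separately from the profile mode and execute-permission checks the kernel also applies.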