file execute transition policy doesn't seem to apply
I suspect that a domain you defined in the domain policy and a domain you picked up from the audit log are different ones, for the former says "use_profile 0" while the latter says "profile=4".
The domain in TOMOYO resembles Linux's file lifecycle. A file can be unlink()ed while somebody is using that file, and a new file with the same name can be creat()ed while somebody is still using that old file. A domain can be deleted while some process is running in that domain, and a new domain with the same domainname can be created while some process is still running in that old domain.
Please see https://tomoyo.osdn.jp/1.8/tool-editpolicy.html#edit_acl_by_task and check the profile number and the content of the domain policy for the process that tried to run "/lib/systemd/systemd --user" from the "<kernel> /lib/systemd/systemd" domain.
Reply To kumaneko
I suspect that a domain you defined in the domain policy and a domain you picked up from the audit log are different ones, for the former says "use_profile 0" while the latter says "profile=4".
The log was taken when I put the domain under profile 4 to log everything. I've since changed the profile back to 0 to avoid having systemd filling up my audit logs. I'm sorry for not making that clear.
Please see https://tomoyo.osdn.jp/1.8/tool-editpolicy.html#edit_acl_by_task and check the profile number and the content of the domain policy for the process that tried to run "/lib/systemd/systemd --user" from the "<kernel> /lib/systemd/systemd" domain.
I've verified that the domain of systemd matches the defined domain. systemd --user spawns still refuse to follow the policy to create a child domain though.
OK. I confirmed that there is a bug.
Since ccs_update_task_domain() from ccs_write_log2() from ccs_supervisor() from ccs_audit_log() always resets r->matched_acl to NULL, domain transition preference (which was introduced in 1.8.3) could not be retrieved from r->matched_acl.
Basically, the fix will be to carry r->matched_acl as below, but I need to check whether it is safe to unconditionally carry it.
--- permission.c +++ permission.c @@ -820,6 +820,7 @@ retry: r->matched_acl = ptr; r->granted = true; ccs_audit_log(r); + r->matched_acl = ptr; return 0; } for (; i < CCS_MAX_ACL_GROUPS; i++) {
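Review bot: the added `r->matched_acl = ptr;` immediately after `ccs_audit_log(r);` re-stores a value assigned one line earlier, so without a comment it reads as a redundant assignment that a later cleanup would remove and thereby reintroduce the bug; put a one-line comment beside it saying that ccs_audit_log() can reset r->matched_acl to NULL via ccs_supervisor() -> ccs_write_log2() -> ccs_update_task_domain(), as described above. The hunk also covers only this one call site in the retry path; the `for (; i < CCS_MAX_ACL_GROUPS; i++)` loop that follows suggests the same set-then-audit-then-return pattern may recur there, and each such site needs the same check before the pointer is carried unconditionally, which is the open question raised in the message.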
Will you try https://osdn.net/projects/tomoyo/scm/svn/commits/6812 ?
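The control flow kumaneko describes above, reduced to a constructed C model so the failure mode and the r6812-style fix can be run side by side. This is an added example, not TOMOYO's permission.c; the struct names, the integer encoding of the transition preference and the sample policy entries are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not TOMOYO code): an ACL entry carries a
 * domain-transition preference, the request records which entry matched,
 * and the audit path clobbers that record before the caller reads it. */
struct model_acl {
    const char *path;   /* program this entry grants execution of */
    int transition;     /* hypothetical encoding: 0 = none, 1 = keep, 2 = child domain */
};

struct model_request {
    const char *path;
    const struct model_acl *matched_acl;
    bool granted;
};

/* Stands in for ccs_update_task_domain(): clears the matched entry. */
static void model_update_task_domain(struct model_request *r)
{
    r->matched_acl = NULL;
}

/* Stands in for ccs_audit_log() -> ccs_supervisor() -> ccs_write_log2(),
 * which ends up in model_update_task_domain(). */
static void model_audit_log(struct model_request *r)
{
    model_update_task_domain(r);
}

static const struct model_acl *model_find(const struct model_acl *acls,
                                          size_t n, const char *path)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(acls[i].path, path) == 0)
            return &acls[i];
    return NULL;
}

/* Pre-fix shape: matched_acl is set, the audit runs, and the function
 * returns with matched_acl already reset to NULL. */
int model_check_buggy(struct model_request *r, const struct model_acl *acls, size_t n)
{
    const struct model_acl *ptr = model_find(acls, n, r->path);
    if (!ptr)
        return -1;
    r->matched_acl = ptr;
    r->granted = true;
    model_audit_log(r);
    return 0;
}

/* Post-fix shape (same idea as the quoted hunk): re-store the pointer
 * after the audit call so the caller can still read the preference. */
int model_check_fixed(struct model_request *r, const struct model_acl *acls, size_t n)
{
    const struct model_acl *ptr = model_find(acls, n, r->path);
    if (!ptr)
        return -1;
    r->matched_acl = ptr;
    r->granted = true;
    model_audit_log(r);
    r->matched_acl = ptr;   /* audit path may have cleared it; restore */
    return 0;
}

/* What the transition code sees afterwards: 0 means the match was lost. */
int model_transition_preference(const struct model_request *r)
{
    return r->matched_acl ? r->matched_acl->transition : 0;
}

/* Constructed sample policy: execute of systemd with child-domain preference. */
static const struct model_acl model_policy[] = {
    { "/lib/systemd/systemd", 2 },
    { "/bin/true", 1 },
};
#define MODEL_POLICY_LEN (sizeof model_policy / sizeof model_policy[0])

/* Run one variant against the sample policy and report the preference seen. */
int model_run(bool fixed)
{
    struct model_request r = { "/lib/systemd/systemd", NULL, false };
    int rc = fixed ? model_check_fixed(&r, model_policy, MODEL_POLICY_LEN)
                   : model_check_buggy(&r, model_policy, MODEL_POLICY_LEN);
    if (rc != 0)
        return -1;
    return model_transition_preference(&r);
}

int main(void)
{
    printf("buggy: preference=%d\n", model_run(false));
    printf("fixed: preference=%d\n", model_run(true));
    return 0;
}
```

In the buggy variant the request is granted and logged, yet the preference read afterwards is 0, which is exactly the symptom in the thread: the execute is allowed but the child-domain transition never happens. The fix is a caller-side restore; the alternative, saving and restoring the field inside the audit path, keeps every caller correct at once, which is the safety question kumaneko raises.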
I can confirm that 1.8.7-20200808 fixed this issue. Thanks!
Kernel: 5.6.14
CCS version: 1.8.7-20200505
I'm trying to make systemd split into two domains, one for system services and one for user services. I'm currently using the following policies:
exception policy:
domain policy:
However TOMOYO is still using <kernel> /lib/systemd/systemd for user sessions. Here's the audit log I got with the policy in place (profile 4 is the same as profile 0, only with granted logging).