Roman Yeryomin
2016-06-05 08:28:22 UTC
Hello!
I'm trying to build a minimal policy for my embedded system where all
read/write requests to /dev/mtd* should be blocked except for several
programs.
In profile.conf I have:
<kernel> PROFILE_VERSION=20110903
<kernel> 0-COMMENT=-----Disabled Mode-----
<kernel> 0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
<kernel> 0-CONFIG={ mode=disabled grant_log=no reject_log=yes }
<kernel> 1-COMMENT=-----Learning Mode-----
<kernel> 1-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
<kernel> 1-CONFIG={ mode=learning grant_log=no reject_log=yes }
<kernel> 2-COMMENT=-----Permissive Mode-----
<kernel> 2-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
<kernel> 2-CONFIG={ mode=permissive grant_log=no reject_log=yes }
<kernel> 3-COMMENT=-----Enforcing Mode-----
<kernel> 3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
<kernel> 3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }
<kernel> 4-COMMENT=-----Enforcing Mode-----
<kernel> 4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
<kernel> 4-CONFIG::file::open={ mode=enforcing grant_log=no reject_log=yes }
</bin/dd> PROFILE_VERSION=20110903
</bin/dd> 4-COMMENT=-----Enforcing Mode-----
</bin/dd> 4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
</bin/dd> 4-CONFIG::file::open={ mode=enforcing grant_log=no reject_log=yes }
</sbin/the-tool> PROFILE_VERSION=20110903
</sbin/the-tool> 0-COMMENT=-----Disabled Mode-----
</sbin/the-tool> 0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
</sbin/the-tool> 0-CONFIG={ mode=disabled grant_log=no reject_log=yes }
in exception_policy.conf:
reset_domain /sbin/the-tool from any
reset_domain /bin/dd from any
keep_domain any from </sbin/the-tool>
keep_domain any from </bin/dd>
keep_domain any from <kernel>
path_group ALMOST_ANY_FILE /\*
path_group ALMOST_ANY_FILE /\*/\*\-mtd\?\*
path_group ALMOST_ANY_FILE /\*/\*/\*/\*
path_group ALMOST_ANY_FILE /\*/\*/\{\*\}/\*
path_group ALMOST_ANY_FILE \*:/\*
path_group ALMOST_ANY_FILE \*:/\{\*\}/\*
path_group ALMOST_ANY_FILE \*:[\$]
path_group ANY_FILE /\*
path_group ANY_FILE /\{\*\}/\*
path_group ANY_FILE \*:/\*
path_group ANY_FILE \*:/\{\*\}/\*
path_group ANY_FILE \*:[\$]
path_group ANY_DIR /
path_group ANY_DIR /\{\*\}/
path_group ANY_DIR \*:/
path_group ANY_DIR \*:/\{\*\}/
and in domain_policy.conf
<kernel>
use_profile 4
use_group 0
file read/write/append @ANY_DIR
file read/write/append @ALMOST_ANY_FILE
file read/write socket:[family=\$:type=\$:protocol=\$]
</bin/dd>
use_profile 4
use_group 0
file read/write/append @ANY_DIR
file read @ANY_FILE
file write/append @ALMOST_ANY_FILE
file read/write socket:[family=\$:type=\$:protocol=\$]
</sbin/the-tool>
use_profile 0
use_group 0
As I understand from the domain transition logic described here
http://tomoyo.osdn.jp/2.5/policy-specification/domain-transition-procedure.html.en#transition_by_execute
it should work.
But neither dd nor the-tool has even read access to /dev/mtdX.
Any pointers on what I am doing wrong?
Thanks in advance!
Regards,
Roman
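To see which of the posted path_groups a given pathname actually falls into, here is an added Python re-implementation of TOMOYO's documented pathname matching (not code from the post or from the TOMOYO project): \*, \@, \?, \+, \a, \$, \A, the \- subtraction operator and the recursive /\{pat\}/ form; octal escapes and the hex classes are left out on the assumption that the posted groups do not need them. It runs the three groups above against constructed sample paths such as /dev/mtd0.

```python
_ONE, _MANY = {'?': lambda c: True, '+': str.isdigit, 'a': str.isalpha}, {'$': str.isdigit, 'A': str.isalpha}

def _comp(f, p):  # one path component (no '/') against one component pattern
    if not p:
        return not f
    if p[0] != '\\' or len(p) < 2:  # plain literal byte
        return bool(f) and f[0] == p[0] and _comp(f[1:], p[1:])
    c, rest = p[1], p[2:]
    if c in '*@':  # zero or more bytes; "\@" additionally stops at '.'
        return any(_comp(f[i:], rest) for i in range(len(f) + 1) if c == '*' or '.' not in f[:i])
    if c in _ONE:  # exactly one byte of the class
        return bool(f) and _ONE[c](f[0]) and _comp(f[1:], rest)
    if c in _MANY:  # one or more bytes of the class
        return any(_comp(f[i:], rest) for i in range(1, len(f) + 1) if all(map(_MANY[c], f[:i])))
    return bool(f) and f[0] == c and _comp(f[1:], rest)  # escaped literal such as "\\"

def _sub(f, p):  # "\-" subtraction: A\-B\-C matches when A matches and neither B nor C does
    a, *minus = p.split('\\-')
    return _comp(f, a) and not any(_comp(f, m) for m in minus)

def path_matches(f, p):  # whole pathname against a pattern, incl. recursive "/\{pat\}/"
    if f.endswith('/') != p.endswith('/'):  # TOMOYO never compares a dir with a non-dir
        return False
    while f and p:
        fc, fs, f = f.partition('/')
        pc, ps, p = p.partition('/')
        if not pc.startswith('\\{'):
            if not _sub(fc, pc):
                return False
            continue
        if not (ps and pc.endswith('\\}')):  # "\{" must be closed by "\}/"
            return False
        inner = pc[2:-2]  # must consume one or more components, then the rest must match
        while True:
            if not (_sub(fc, inner) and fs):
                return False
            if path_matches(f, p):
                return True
            fc, fs, f = f.partition('/')
    return not f and not p

GROUPS = {  # the path_group definitions from the posted exception_policy.conf
    "ALMOST_ANY_FILE": [r"/\*", r"/\*/\*\-mtd\?\*", r"/\*/\*/\*/\*", r"/\*/\*/\{\*\}/\*",
                        r"\*:/\*", r"\*:/\{\*\}/\*", r"\*:[\$]"],
    "ANY_FILE": [r"/\*", r"/\{\*\}/\*", r"\*:/\*", r"\*:/\{\*\}/\*", r"\*:[\$]"],
    "ANY_DIR": ["/", r"/\{\*\}/", r"\*:/", r"\*:/\{\*\}/"],
}

def groups_for(path):  # the @groups a pathname falls into
    return sorted(g for g, pats in GROUPS.items() if any(path_matches(path, p) for p in pats))
```

Under these rules /dev/mtd0 is in @ANY_FILE but not in @ALMOST_ANY_FILE (the \-mtd\?\* subtraction excludes it), so the posted file rules do grant </bin/dd> read access and the denial must come from the domain the process actually landed in. With reject_log=yes the audit log records that domain name with each rejected request, which is what to compare against </bin/dd>.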