I forgot to add "acl" keyword in the example above.
Anyway, here is what I guess you want to try if you use CaitSith.

---------- /etc/caitsith/policy/current ----------
quota memory audit 16777216
quota memory query 1048576
quota audit[0] allowed=0 denied=1024 unmatched=0

10 acl read path.type=char path.dev_major=90
audit 0
10 allow task.exe="/usr/bin/dd"
20 allow task.exe="/sbin/the-tool"
30 deny

10 acl read path.fsmagic=0x9FA0 path="proc:/mtd"
audit 0
10 allow task.exe="/sbin/the-tool"
20 deny

10 acl write path.type=char path.dev_major=90
audit 0
10 allow task.exe="/sbin/the-tool"
20 deny

10 acl append path.type=char path.dev_major=90
audit 0
10 allow task.exe="/sbin/the-tool"
20 deny

100 acl mount
audit 1
10 deny task.exe!="/bin/mount"
20 allow target="/proc/" fstype="proc" flags=0x0
30 allow target="/sys/" fstype="sysfs" flags=0x0
40 deny

0 acl modify_policy
audit 0
10 deny
---------- /etc/caitsith/policy/current ----------

Since /proc/mtd is recognized as proc:/mtd (because proc filesystem
does not support rename operation), /\*/\*\-mtd\?\* will not match
/proc/mtd .

The "0 acl modify_policy" block in CaitSith corresponds to
/etc/tomoyo/policy/current/manager.conf in TOMOYO 2.5.
In the above example, no programs can modify policy (i.e.
production state).

The "100 acl mount" block is for preventing attackers from disguising
programs using e.g. "mount --bind" request.
If you can make partitions for programs being mounted as read-only,
you will be able to omit e.g. "acl rename" blocks. If you cannot,
you can define e.g. "acl rename" blocks in order to control ranges
attackers can tamper the system.
Below is similar rule using TOMOYO 2.5.

---------- /etc/tomoyo/policy/current/profile.conf ----------
<kernel> PROFILE_VERSION=20110903
<kernel> 0-COMMENT=-----Disabled Mode-----
<kernel> 0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
<kernel> 0-CONFIG={ mode=disabled grant_log=no reject_log=yes }
<kernel> 1-COMMENT=-----Learning Mode-----
<kernel> 1-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
<kernel> 1-CONFIG={ mode=learning grant_log=no reject_log=yes }
<kernel> 2-COMMENT=-----Permissive Mode-----
<kernel> 2-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
<kernel> 2-CONFIG={ mode=permissive grant_log=no reject_log=yes }
<kernel> 3-COMMENT=-----Enforcing Mode-----
<kernel> 3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
<kernel> 3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }
<kernel> 4-COMMENT=-----Enforcing Mode (File Open Only)-----
<kernel> 4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
<kernel> 4-CONFIG={ mode=disabled grant_log=no reject_log=no }
<kernel> 4-CONFIG::file::open={ mode=enforcing grant_log=no reject_log=yes }
</usr/bin/dd> PROFILE_VERSION=20110903
</usr/bin/dd> 4-COMMENT=-----Enforcing Mode (File Open Only)-----
</usr/bin/dd> 4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
</usr/bin/dd> 4-CONFIG={ mode=disabled grant_log=no reject_log=no }
</usr/bin/dd> 4-CONFIG::file::open={ mode=enforcing grant_log=no reject_log=yes }
</sbin/the-tool> PROFILE_VERSION=20110903
</sbin/the-tool> 0-COMMENT=-----Disabled Mode-----
</sbin/the-tool> 0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
</sbin/the-tool> 0-CONFIG={ mode=disabled grant_log=no reject_log=no }
---------- /etc/tomoyo/policy/current/profile.conf ----------

---------- /etc/tomoyo/policy/current/exception_policy.conf ----------
<kernel> aggregator proc:/self/exe /proc/self/exe
<kernel> reset_domain /sbin/the-tool from any
<kernel> reset_domain /usr/bin/dd from any
<kernel> keep_domain any from any
<kernel> path_group ANY_PATHNAME_BUT_PROC_MTD /
<kernel> path_group ANY_PATHNAME_BUT_PROC_MTD /\*
<kernel> path_group ANY_PATHNAME_BUT_PROC_MTD /\{\*\}/
<kernel> path_group ANY_PATHNAME_BUT_PROC_MTD /\{\*\}/\*
<kernel> path_group ANY_PATHNAME_BUT_PROC_MTD \*:/
<kernel> path_group ANY_PATHNAME_BUT_PROC_MTD \*:\-proc:/\*
<kernel> path_group ANY_PATHNAME_BUT_PROC_MTD proc:/\*\-mtd
<kernel> path_group ANY_PATHNAME_BUT_PROC_MTD \*:/\{\*\}/
<kernel> path_group ANY_PATHNAME_BUT_PROC_MTD \*:/\{\*\}/\*
<kernel> path_group ANY_PATHNAME_BUT_PROC_MTD \*:[\$]
<kernel> path_group ANY_PATHNAME_BUT_PROC_MTD socket:[family=\$:type=\$:protocol=\$]
</usr/bin/dd> path_group ANY_PATHNAME_BUT_PROC_MTD /
</usr/bin/dd> path_group ANY_PATHNAME_BUT_PROC_MTD /\*
</usr/bin/dd> path_group ANY_PATHNAME_BUT_PROC_MTD /\{\*\}/
</usr/bin/dd> path_group ANY_PATHNAME_BUT_PROC_MTD /\{\*\}/\*
</usr/bin/dd> path_group ANY_PATHNAME_BUT_PROC_MTD \*:/
</usr/bin/dd> path_group ANY_PATHNAME_BUT_PROC_MTD \*:\-proc:/\*
</usr/bin/dd> path_group ANY_PATHNAME_BUT_PROC_MTD proc:/\*\-mtd
</usr/bin/dd> path_group ANY_PATHNAME_BUT_PROC_MTD \*:/\{\*\}/
</usr/bin/dd> path_group ANY_PATHNAME_BUT_PROC_MTD \*:/\{\*\}/\*
</usr/bin/dd> path_group ANY_PATHNAME_BUT_PROC_MTD \*:[\$]
</usr/bin/dd> path_group ANY_PATHNAME_BUT_PROC_MTD socket:[family=\$:type=\$:protocol=\$]
</usr/bin/dd> path_group ANY_PATHNAME /
</usr/bin/dd> path_group ANY_PATHNAME /\*
</usr/bin/dd> path_group ANY_PATHNAME /\{\*\}/
</usr/bin/dd> path_group ANY_PATHNAME /\{\*\}/\*
</usr/bin/dd> path_group ANY_PATHNAME \*:/
</usr/bin/dd> path_group ANY_PATHNAME \*:/\*
</usr/bin/dd> path_group ANY_PATHNAME \*:/\{\*\}/
</usr/bin/dd> path_group ANY_PATHNAME \*:/\{\*\}/\*
</usr/bin/dd> path_group ANY_PATHNAME \*:[\$]
</usr/bin/dd> path_group ANY_PATHNAME socket:[family=\$:type=\$:protocol=\$]
---------- /etc/tomoyo/policy/current/exception_policy.conf ----------

---------- /etc/tomoyo/policy/current/domain_policy.conf ----------
<kernel>
use_profile 4
use_group 0

file read/write/append @ANY_PATHNAME_BUT_PROC_MTD path1.type!=char
file read/write/append @ANY_PATHNAME_BUT_PROC_MTD path1.type=char path1.dev_major!=90

</usr/bin/dd>
use_profile 4
use_group 0

file read @ANY_PATHNAME_BUT_PROC_MTD
file write/append @ANY_PATHNAME path1.type!=char
file write/append @ANY_PATHNAME path1.type=char path1.dev_major!=90

</sbin/the-tool>
use_profile 0
use_group 0
---------- /etc/tomoyo/policy/current/domain_policy.conf ----------
What do you think about other programs which can issue such requests
when exploited? Any process running as root user would be able to issue
above requests (even without using shell, by directly using system calls).
It should match as described in the link above.
I think you can try how domain transition tree would look like, by
removing reset_domain / keep_domain entries and generating via usual
learning steps. You might find that the pathnames you assumed /bin/dd and
/sbin/fw-tool might be recognized as different names (e.g. if /sbin is
a symlink to /usr/sbin , /sbin/fw-tool will be recognized as
/usr/sbin/fw-tool ). After TOMOYO generated domains as detail as possible,
you can design which domains should be compressed.

Also, as far as I saw, you don't need to use policy namespace.
If you don't have reason to use policy namespace, you will be able to
replace reset_domain with initialize_domain .

In retrospect; please disregard what I wrote concerning Tomoyo.
Caitsith seems worth trying.
However, a below a few other potentially useful tips were included.

Although I have not tried; something about use_group might be useful;
as whatever is assigned to a group could be used by multiple domains.
But I haven't tried.

If Linux is configured with:
CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER="/init"
then by /init or whatever runs soon after
the tomoyo domain can be set
by writing the domain to
/sys/kernel/security/tomoyo/self_domain

"<kernel> //tomoyo\n"
By mere program execution the above domain can not be reached.
With Tomoyo rules almost anything must be explicitly enabled,
except domain transition, which can be explicitly disabled.
As an exception rule
keep_domain any from any
Then, to manually enter a domain as a domain rule

<kernel> //tomoyo
task manual_domain_transition <kernel> //other

And now from <kernel> //tomoyo
manual domain transition to <kernel> //other is possible

Keeping at least 1 profile 0 domain, no rules enforced domain, can be
useful.
However, allowing transition from a more restrictive domain to a less
restrictive domain
might not be desirable.
If only someone who used them could explain.
Try the capabilities section 7 manual page.
man 7 capabilities
By man-pages available from
https://www.kernel.org/pub/linux/docs/man-pages
the manual page is provided.
Imagine root account omnipotence as a supreme pizza.
By POSIX capabilities certain pizza toppings can be omitted.
For example, to omit the mushrooms CAP_SYS_BOOT could be discarded.
Then execution of reboot and kexec_load are denied.
While probably not too difficult to manually set;
a libcap library is provided.
http://www.kernel.org//pub/linux/libs/security/linux-privs/libcap2/
http://people.redhat.com/sgrubb/libcap-ng

systemd might use capabilities, but since I do not use it; who knows

One of the most salient sentences of the capabilities manual page follows.
"If a thread drops a capability from its permitted set, it can
never reacquire that capability (unless it execve(2)s either a
set-user-ID-root program, or a program whose associated file
capabilities grant that capability)."

A main gripe concerning security is that
by the proliferation of UID owned SUID executable files
a castle with many secret entrances is created.
With some solid Tomoyo domain rules
a process can be locked in the box
and by SUID escape is not possible.

However, on an embedded system perhaps
many SUID executable files can be omitted or mitigated?

For security enhancement Tomoyo is like a hair net.
Provided nothing is unexpected mount --bind, it works.
Therefore, to mitigate mount --bind
careful rules regarding file mount may be useful.

However, even while within a chroot all rules are checked
as if the root was still the original / rootfs.
For example if access to file /chroot_dir/init is logged
then following chroot /chroot_dir
access to file /chroot_dir/init will still be logged.
That is desirable.

However, for /bin /sbin /lib /etc if rules exist
and if the following two commands are executed:
mount --bind / /chroot_dir; chroot /chroot_dir is executed
then the rules from /bin /sbin /lib /etc within /chroot_dir do not apply.
For fascist rules design to blind a service
a problem does not become.
But for a general purpose domain which can host almost any process
then some consideration might be useful.

For incredibly reasonable memory consumption,
by Tomoyo awesome MAC, mandatory access control, can be provided.
Yet the possibility of mount --bind must be anticipated and/or mitigated.
Something like that.
Deciding exactly where to allow writing is easier.
For any device node type new rules can be added.
However, for device reading, hmmm.
Certain devices probably should not be read.
So some of those can be listed that way
while to those not explicitly listed read permission is granted.
For creating device rules /usr/src/linux/Documentation/devices.txt
and the mounted devtmpfs content are useful.
What was provided above was not intended to be a fantastic perfect rule,
but an example of how to compromise caution and leniency.

Medieval castle defense similar defense Tomoyo rules can be implemented.
For example; in a medieval castle a moat, a main wall, and an inner keep
could exist.
Where service customized Tomoyo domains are not used;
a castle approach can be used where a domain outside of central keep is
used.
While to the keep only;
the very sensitive security matters, such as read/write access to /dev/sd*
to be able to partition and initialize file systems, is delegated.
So for example, a couple layers beyond the keep,
in a domain used by services,
the system installed file system areas are read only.
If a service in that domain is compromised
then root kit installation would not be possible.

The easy cheesy way of accomplishing somethings similar;
that other administrators have done in the past
is to remount file systems or portions as read only.
Of course without Tomoyo; and without a drop of CAP_SYS_ADMIN
by any process those file systems portions could be remounted read/write.
That makes it a bit like security through obscurity,
since if the obstacle is not surmised
then it is not surmounted.
However, if anticipated; it is too easily circumvented.


Since there is only mtdX and mtdblockX using "/\*/\*\-mtd\?\*" is ok
It probably goes without saying, but....

/sbin/\*\-tomoyo-\*\-reboot\-shutdown

If tomoyo-editpolicy can be executed or
if tomoyo-loadpolicy can be executed
then domain and exception rules can be arbitrarily changed.


I'm using OpenWrt as base, with busybox and musl, tomoyo-tools also work.
Not sure. OpenWrt and musl seem new.

If signed modules are used
then arbitrary trojaned module loading can be prevented.
However, module compression ratio suffers, slightly.
If the system will boot and run mostly from rootFS
them within kernel zram could be useful.
For CPIO file compression xz is excellent.
By ordering files by type, as identified by the file command,
by a few percents the compression ratio can improve.

https://caitsith.osdn.jp/
http://i-love.sakura.ne.jp/tomoyo/CaitSith-en.pdf

CaitSith supports a blacklisting approach.
With blacklisting capability an absurd looking rule with all the \- could
be avoided?

Is CaitSith the next evolutionary step?
Should we be changing our domain and exception rules to caitsith?
Sweet work, Tetsuo Handa.

Just read the follow up message regarding:
"The "100 acl mount" block is for preventing attackers from disguising
programs using e.g. "mount --bind" request."
Nice.

In the future, without an additional patch
by the vanilla kernel without an additional patch
will caitsith be provided?
Because caitsith is external;
at least for me caitsith escaped notice.

OpenWrt is firewall/router niche POSIX.

https://www.musl-libc.org/
Excellent, an alternate libc implementation.
http://www.etalabs.net/compare_libcs.html
Wow that looks sweet.

And according to the gcc manual page:
" -mmusl
Use the musl C library. This is the default on *-*-linux-*musl*
targets"

Looks good.
Perhaps a gcc patch will not be required.
Maybe a tool chain also will not be required?
Without a tool chain uClibc also can be used.
However, warning messages print.

Thanks for the info.
How did I not notice it?
I have not been paying attention.
musl looks fun.
Especially, for coreutils, grep, sed and other utilities
that tend to be excessively used by libtool and during compilation
by a faster launch greater performance can be achieved.
And a statically linked /init also can be useful.

The entire POSIX is linked with musl and not glibc?
For any programs does a problem become?
In lieu of glibc; as a complete drop in replacement uClibc does not suffice.
However, for uClibc overall glibc compatibility is good.

After musl is installed; support for unshared name spaces
and other newer Linux fun support can be tested.
Thanks again.

P.S.
By a custom Linux kernel config; a good bit of space can be saved.
And before modules are signed;
module stripping with parameter --strip-unneeded is possible.
The modules load, work, and when loaded and while in file system
for each module file less space is required.
Also by cpio xz compression where module files are not individually
compressed;
a far better overall compression ratio can be achieved.

Technically, after boot with otherwise idle processor cycles;
by lzop individual module files could be rapidly compressed
and some space on the rootFS can be reclaimed.
While doing so might seem backwards at first
the ISO9660 file size will be smaller,
and by the boot loader
the smaller compressed CPIO InitRAMFS can load faster.

Good luck making an awesome embedded POSIX.

If I rudely butted into conversation, please forgive.
I also concur that for Roman Yeryomin's task,
caitsith looks awesome.