1. 12 Feb, 2009 7 commits
    • Kentaro Takeda's avatar
      Kconfig and Makefile · 00d7d6f8
      Kentaro Takeda authored
      TOMOYO uses LSM hooks for pathname based access control and securityfs support.
      Signed-off-by: default avatarKentaro Takeda <takedakn@nttdata.co.jp>
      Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      00d7d6f8
    • Kentaro Takeda's avatar
      LSM adapter functions. · f7433243
      Kentaro Takeda authored
      DAC's permissions and TOMOYO's permissions are not one-to-one mapping.
      
      Regarding DAC, there are "read", "write", "execute" permissions.
      Regarding TOMOYO, there are "allow_read", "allow_write", "allow_read/write",
      "allow_execute", "allow_create", "allow_unlink", "allow_mkdir", "allow_rmdir",
      "allow_mkfifo", "allow_mksock", "allow_mkblock", "allow_mkchar",
      "allow_truncate", "allow_symlink", "allow_rewrite", "allow_link",
      "allow_rename" permissions.
      
      +----------------------------------+----------------------------------+
      | requested operation              | required TOMOYO's permission     |
      +----------------------------------+----------------------------------+
      | sys_open(O_RDONLY)               | allow_read                       |
      +----------------------------------+----------------------------------+
      | sys_open(O_WRONLY)               | allow_write                      |
      +----------------------------------+----------------------------------+
      | sys_open(O_RDWR)                 | allow_read/write                 |
      +----------------------------------+----------------------------------+
      | open_exec() from do_execve()     | allow_execute                    |
      +----------------------------------+----------------------------------+
      | open_exec() from !do_execve()    | allow_read                       |
      +----------------------------------+----------------------------------+
      | sys_read()                       | (none)                           |
      +----------------------------------+----------------------------------+
      | sys_write()                      | (none)                           |
      +----------------------------------+----------------------------------+
      | sys_mmap()                       | (none)                           |
      +----------------------------------+----------------------------------+
      | sys_uselib()                     | allow_read                       |
      +----------------------------------+----------------------------------+
      | sys_open(O_CREAT)                | allow_create                     |
      +----------------------------------+----------------------------------+
      | sys_open(O_TRUNC)                | allow_truncate                   |
      +----------------------------------+----------------------------------+
      | sys_truncate()                   | allow_truncate                   |
      +----------------------------------+----------------------------------+
      | sys_ftruncate()                  | allow_truncate                   |
      +----------------------------------+----------------------------------+
      | sys_open() without O_APPEND      | allow_rewrite                    |
      +----------------------------------+----------------------------------+
      | setfl() without O_APPEND         | allow_rewrite                    |
      +----------------------------------+----------------------------------+
      | sys_sysctl() for writing         | allow_write                      |
      +----------------------------------+----------------------------------+
      | sys_sysctl() for reading         | allow_read                       |
      +----------------------------------+----------------------------------+
      | sys_unlink()                     | allow_unlink                     |
      +----------------------------------+----------------------------------+
      | sys_mknod(S_IFREG)               | allow_create                     |
      +----------------------------------+----------------------------------+
      | sys_mknod(0)                     | allow_create                     |
      +----------------------------------+----------------------------------+
      | sys_mknod(S_IFIFO)               | allow_mkfifo                     |
      +----------------------------------+----------------------------------+
      | sys_mknod(S_IFSOCK)              | allow_mksock                     |
      +----------------------------------+----------------------------------+
      | sys_bind(AF_UNIX)                | allow_mksock                     |
      +----------------------------------+----------------------------------+
      | sys_mknod(S_IFBLK)               | allow_mkblock                    |
      +----------------------------------+----------------------------------+
      | sys_mknod(S_IFCHR)               | allow_mkchar                     |
      +----------------------------------+----------------------------------+
      | sys_symlink()                    | allow_symlink                    |
      +----------------------------------+----------------------------------+
      | sys_mkdir()                      | allow_mkdir                      |
      +----------------------------------+----------------------------------+
      | sys_rmdir()                      | allow_rmdir                      |
      +----------------------------------+----------------------------------+
      | sys_link()                       | allow_link                       |
      +----------------------------------+----------------------------------+
      | sys_rename()                     | allow_rename                     |
      +----------------------------------+----------------------------------+
      
      TOMOYO requires "allow_execute" permission of a pathname passed to do_execve()
      but does not require "allow_read" permission of that pathname.
      Let's consider 3 patterns (statically linked, dynamically linked,
      shell script). This description is to some degree simplified.
      
        $ cat hello.c
        #include <stdio.h>
        int main() {
                printf("Hello\n");
                return 0;
        }
        $ cat hello.sh
        #! /bin/sh
        echo "Hello"
        $ gcc -static -o hello-static hello.c
        $ gcc -o hello-dynamic hello.c
        $ chmod 755 hello.sh
      
      Case 1 -- Executing hello-static from bash.
      
        (1) The bash process calls fork() and the child process requests
            do_execve("hello-static").
      
        (2) The kernel checks "allow_execute hello-static" from "bash" domain.
      
        (3) The kernel calculates "bash hello-static" as the domain to transit to.
      
        (4) The kernel overwrites the child process by "hello-static".
      
        (5) The child process transits to "bash hello-static" domain.
      
        (6) The "hello-static" starts and finishes.
      
      Case 2 -- Executing hello-dynamic from bash.
      
        (1) The bash process calls fork() and the child process requests
            do_execve("hello-dynamic").
      
        (2) The kernel checks "allow_execute hello-dynamic" from "bash" domain.
      
        (3) The kernel calculates "bash hello-dynamic" as the domain to transit to.
      
        (4) The kernel checks "allow_read ld-linux.so" from "bash hello-dynamic"
            domain. I think permission to access ld-linux.so should be charged
            hello-dynamic program, for "hello-dynamic needs ld-linux.so" is not
            a fault of bash program.
      
        (5) The kernel overwrites the child process by "hello-dynamic".
      
        (6) The child process transits to "bash hello-dynamic" domain.
      
        (7) The "hello-dynamic" starts and finishes.
      
      Case 3 -- Executing hello.sh from bash.
      
        (1) The bash process calls fork() and the child process requests
            do_execve("hello.sh").
      
        (2) The kernel checks "allow_execute hello.sh" from "bash" domain.
      
        (3) The kernel calculates "bash hello.sh" as the domain to transit to.
      
        (4) The kernel checks "allow_read /bin/sh" from "bash hello.sh" domain.
            I think permission to access /bin/sh should be charged hello.sh program,
            for "hello.sh needs /bin/sh" is not a fault of bash program.
      
        (5) The kernel overwrites the child process by "/bin/sh".
      
        (6) The child process transits to "bash hello.sh" domain.
      
        (7) The "/bin/sh" requests open("hello.sh").
      
        (8) The kernel checks "allow_read hello.sh" from  "bash hello.sh" domain.
      
        (9) The "/bin/sh" starts and finishes.
      
      Whether a file is interpreted as a program or not depends on an application.
      The kernel cannot know whether the file is interpreted as a program or not.
      Thus, TOMOYO treats "hello-static" "hello-dynamic" "ld-linux.so" "hello.sh"
      "/bin/sh" equally as merely files; no distinction between executable and
      non-executable. Therefore, TOMOYO doesn't check DAC's execute permission.
      TOMOYO checks "allow_read" permission instead.
      
      Calling do_execve() is a bold gesture that an old program's instance (i.e.
      current process) is ready to be overwritten by a new program and is ready to
      transfer control to the new program. To split purview of programs, TOMOYO
      requires "allow_execute" permission of the new program against the old
      program's instance and performs domain transition. If do_execve() succeeds,
      the old program is no longer responsible against the consequence of the new
      program's behavior. Only the new program is responsible for all consequences.
      
      But TOMOYO doesn't require "allow_read" permission of the new program.
      If TOMOYO requires "allow_read" permission of the new program, TOMOYO will
      allow an attacker (who hijacked the old program's instance) to open the new
      program and steal data from the new program. Requiring "allow_read" permission
      will widen purview of the old program.
      
      Not requiring "allow_read" permission of the new program against the old
      program's instance is my design for reducing purview of the old program.
      To be able to know whether the current process is in do_execve() or not,
      I want to add in_execve flag to "task_struct".
      Signed-off-by: default avatarKentaro Takeda <takedakn@nttdata.co.jp>
      Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: default avatarToshiharu Harada <haradats@nttdata.co.jp>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      f7433243
    • Kentaro Takeda's avatar
      Domain transition handler. · 26a2a1c9
      Kentaro Takeda authored
      This file controls domain creation/deletion/transition.
      
      Every process belongs to a domain in TOMOYO Linux.
      Domain transition occurs when execve(2) is called
      and the domain is expressed as 'process invocation history',
      such as '<kernel> /sbin/init /etc/init.d/rc'.
      Domain information is stored in current->cred->security field.
      Signed-off-by: default avatarKentaro Takeda <takedakn@nttdata.co.jp>
      Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: default avatarToshiharu Harada <haradats@nttdata.co.jp>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      26a2a1c9
    • Kentaro Takeda's avatar
      File operation restriction part. · b69a54ee
      Kentaro Takeda authored
      This file controls file related operations of TOMOYO Linux.
      
      tomoyo/tomoyo.c calls the following six functions in this file.
      Each function handles the following access types.
      
       * tomoyo_check_file_perm
      sysctl()'s "read" and "write".
      
       * tomoyo_check_exec_perm
      "execute".
      
       * tomoyo_check_open_permission
      open(2) for "read" and "write".
      
       * tomoyo_check_1path_perm
      "create", "unlink", "mkdir", "rmdir", "mkfifo",
      "mksock", "mkblock", "mkchar", "truncate" and "symlink".
      
       * tomoyo_check_2path_perm
      "rename" and "unlink".
      
       * tomoyo_check_rewrite_permission
      "rewrite".
      ("rewrite" are operations which may lose already recorded data of a file,
      i.e. open(!O_APPEND) || open(O_TRUNC) || truncate() || ftruncate())
      
      The functions which actually checks ACLs are the following three functions.
      Each function handles the following access types.
      ACL directive is expressed by "allow_<access type>".
      
       * tomoyo_check_file_acl
      Open() operation and execve() operation.
      ("read", "write", "read/write" and "execute")
      
       * tomoyo_check_single_write_acl
      Directory modification operations with 1 pathname.
      ("create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock",
       "mkblock", "mkchar", "truncate", "symlink" and "rewrite")
      
       * tomoyo_check_double_write_acl
      Directory modification operations with 2 pathname.
      ("link" and "rename")
      
      Also, this file contains handlers of some utility directives
      for file related operations.
      
       * "allow_read":   specifies globally (for all domains) readable files.
       * "path_group":   specifies pathname macro.
       * "deny_rewrite": restricts rewrite operation.
      Signed-off-by: default avatarKentaro Takeda <takedakn@nttdata.co.jp>
      Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: default avatarToshiharu Harada <haradats@nttdata.co.jp>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      b69a54ee
    • Kentaro Takeda's avatar
      Common functions for TOMOYO Linux. · 9590837b
      Kentaro Takeda authored
      This file contains common functions (e.g. policy I/O, pattern matching).
      
      -------------------- About pattern matching --------------------
      
      Since TOMOYO Linux is a name based access control, TOMOYO Linux seriously
      considers "safe" string representation.
      
      TOMOYO Linux's string manipulation functions make reviewers feel crazy,
      but there are reasons why TOMOYO Linux needs its own string manipulation
      functions.
      
      ----- Part 1 : preconditions -----
      
      People definitely want to use wild card.
      
        To support pattern matching, we have to support wild card characters.
      
        In a typical Linux system, filenames are likely consists of only alphabets,
        numbers, and some characters (e.g. + - ~ . / ).
        But theoretically, the Linux kernel accepts all characters but NUL character
        (which is used as a terminator of a string).
      
          Some Linux systems can have filenames which contain * ? ** etc.
      
      Therefore, we have to somehow modify string so that we can distinguish
      wild card characters and normal characters.
      
        It might be possible for some application's configuration files to restrict
        acceptable characters.
        It is impossible for kernel to restrict acceptable characters.
      
          We can't accept approaches which will cause troubles for applications.
      
      ----- Part 2 : commonly used approaches -----
      
      Text formatted strings separated by space character (0x20) and new line
      character (0x0A) is more preferable for users over array of NUL-terminated
      string.
      
        Thus, people use text formatted configuration files separated by space
        character and new line.
      
      We sometimes need to handle non-printable characters.
      
        Thus, people use \ character (0x5C) as escape character and represent
        non-printable characters using octal or hexadecimal format.
      
      At this point, we remind (at least) 3 approaches.
      
        (1) Shell glob style expression
        (2) POSIX regular expression (UNIX style regular expression)
        (3) Maverick wild card expression
      
      On the surface, (1) and (2) sound good choices. But they have a big pitfall.
      All meta-characters in (1) and (2) are legal characters for representing
      a pathname, and users easily write incorrect expression. What is worse, users
      unlikely notice incorrect expressions because characters used for regular
      pathnames unlikely contain meta-characters. This incorrect use of
      meta-characters in pathname representation reveals vulnerability
      (e.g. unexpected results) only when irregular pathname is specified.
      
      The authors of TOMOYO Linux think that approaches which adds some character
      for interpreting meta-characters as normal characters (i.e. (1) and (2)) are
      not suitable for security use.
      
      Therefore, the authors of TOMOYO Linux propose (3).
      
      ----- Part 3: consideration points -----
      
      We need to solve encoding problem.
      
        A single character can be represented in several ways using encodings.
      
          For Japanese language, there are "ShiftJIS", "ISO-2022-JP", "EUC-JP",
          "UTF-8" and more.
      
        Some languages (e.g. Japanese language) supports multi-byte characters
        (where a single character is represented using several bytes).
      
          Some multi-byte characters may match the escape character.
      
          For Japanese language, some characters in "ShiftJIS" encoding match
          \ character, and bothering Web's CGI developers.
      
        It is important that the kernel string is not bothered by encoding problem.
      
          Linus said, "I really would expect that kernel strings don't have
          an encoding. They're just C strings: a NUL-terminated stream of bytes."
          http://lkml.org/lkml/2007/11/6/142
      
          Yes. The kernel strings are just C strings.
          We are talking about how to store and carry "kernel strings" safely.
      
        If we store "kernel string" into policy file as-is, the "kernel string" will
        be interpreted differently depending on application's encoding settings.
        One application may interpret "kernel string" as "UTF-8",
        another application may interpret "kernel string" as "ShiftJIS".
      
          Therefore, we propose to represent strings using ASCII encoding.
          In this way, we are no longer bothered by encoding problems.
      
      We need to avoid information loss caused by display.
      
        It is difficult to input and display non-printable characters, but we have to
        be able to handle such characters because the kernel string is a C string.
      
        If we use only ASCII printable characters (from 0x21 to 0x7E) and space
        character (0x20) and new line character (0x0A), it is easy to input from
        keyboard and display on all terminals which is running Linux.
      
        Therefore, we propose to represent strings using only characters which value
        is one of "from 0x21 to 0x7E", "0x20", "0x0A".
      
      We need to consider ease of splitting strings from a line.
      
        If we use an approach which uses "\ " for representing a space character
        within a string, we have to count the string from the beginning to check
        whether this space character is accompanied with \ character or not.
        As a result, we cannot monotonically split a line using space character.
      
        If we use an approach which uses "\040" for representing a space character
        within a string, we can monotonically split a line using space character.
      
        If we use an approach which uses NUL character as a delimiter, we cannot
        use string manipulation functions for splitting strings from a line.
      
        Therefore, we propose that we represent space character as "\040".
      
      We need to avoid wrong designations (incorrect use of special characters).
      
        Not all users can understand and utilize POSIX's regular expressions
        correctly and perfectly.
      
        If a character acts as a wild card by default, the user will get unexpected
        result if that user didn't know the meaning of that character.
      
          Therefore, we propose that all characters but \ character act as
          a normal character and let the user add \ character to make a character
          act as a wild card.
      
          In this way, users needn't to know all wild card characters beforehand.
          They can learn when they encountered an unseen wild card character
          for their first time.
      
      ----- Part 4: supported wild card expressions -----
      
      At this point, we have wild card expressions listed below.
      
        +-----------+--------------------------------------------------------------+
        | Wild card | Meaning and example                                          |
        +-----------+--------------------------------------------------------------+
        |   \*      | More than or equals to 0 character other than '/'.           |
        |           |           /var/log/samba/\*                                  |
        +-----------+--------------------------------------------------------------+
        |   \@      | More than or equals to 0 character other than '/' or '.'.    |
        |           |           /var/www/html/\@.html                              |
        +-----------+--------------------------------------------------------------+
        |   \?      | 1 byte character other than '/'.                             |
        |           |           /tmp/mail.\?\?\?\?\?\?                             |
        +-----------+--------------------------------------------------------------+
        |   \$      | More than or equals to 1 decimal digit.                      |
        |           |           /proc/\$/cmdline                                   |
        +-----------+--------------------------------------------------------------+
        |   \+      | 1 decimal digit.                                             |
        |           |           /var/tmp/my_work.\+                                |
        +-----------+--------------------------------------------------------------+
        |   \X      | More than or equals to 1 hexadecimal digit.                  |
        |           |           /var/tmp/my-work.\X                                |
        +-----------+--------------------------------------------------------------+
        |   \x      | 1 hexadecimal digit.                                         |
        |           |           /tmp/my-work.\x                                    |
        +-----------+--------------------------------------------------------------+
        |   \A      | More than or equals to 1 alphabet character.                 |
        |           |           /var/log/my-work/\$-\A-\$.log                      |
        +-----------+--------------------------------------------------------------+
        |   \a      | 1 alphabet character.                                        |
        |           |           /home/users/\a/\*/public_html/\*.html              |
        +-----------+--------------------------------------------------------------+
        |   \-      | Pathname subtraction operator.                               |
        |           | +---------------------+------------------------------------+ |
        |           | | Example             | Meaning                            | |
        |           | +---------------------+------------------------------------+ |
        |           | | /etc/\*             | All files in /etc/ directory.      | |
        |           | +---------------------+------------------------------------+ |
        |           | | /etc/\*\-\*shadow\* | /etc/\* other than /etc/\*shadow\* | |
        |           | +---------------------+------------------------------------+ |
        |           | | /\*\-proc\-sys/     | /\*/ other than /proc/ /sys/       | |
        |           | +---------------------+------------------------------------+ |
        +-----------+--------------------------------------------------------------+
      
        +----------------+---------------------------------------------------------+
        | Representation | Meaning and example                                     |
        +----------------+---------------------------------------------------------+
        |   \\           | backslash character itself.                             |
        +----------------+---------------------------------------------------------+
        |   \ooo         | 1 byte character.                                       |
        |                | ooo is 001 <= ooo <= 040 || 177 <= ooo <= 377.          |
        |                |                                                         |
        |                |           \040 for space character.                     |
        |                |           \177 for del character.                       |
        |                |                                                         |
        +----------------+---------------------------------------------------------+
      
      ----- Part 5: Advantages -----
      
      We can obtain extensibility.
      
        Since our proposed approach adds \ to a character to interpret as a wild
        card, we can introduce new wild card in future while maintaining backward
        compatibility.
      
      We can process monotonically.
      
        Since our proposed approach separates strings using a space character,
        we can split strings using existing string manipulation functions.
      
      We can reliably analyze access logs.
      
        It is guaranteed that a string doesn't contain space character (0x20) and
        new line character (0x0A).
      
        It is guaranteed that a string won't be converted by FTP and won't be damaged
        by a terminal's settings.
      
        It is guaranteed that a string won't be affected by encoding converters
        (except encodings which insert NUL character (e.g. UTF-16)).
      
      ----- Part 6: conclusion -----
      
      TOMOYO Linux is using its own encoding with reasons described above.
      There is a disadvantage that we need to introduce a series of new string
      manipulation functions. But TOMOYO Linux's encoding is useful for all users
      (including audit and AppArmor) who want to perform pattern matching and
      safely exchange string information between the kernel and the userspace.
      
      -------------------- About policy interface --------------------
      
      TOMOYO Linux creates the following files on securityfs (normally
      mounted on /sys/kernel/security) as interfaces between kernel and
      userspace. These files are for TOMOYO Linux management tools *only*,
      not for general programs.
      
        * profile
        * exception_policy
        * domain_policy
        * manager
        * meminfo
        * self_domain
        * version
        * .domain_status
        * .process_status
      
      ** /sys/kernel/security/tomoyo/profile **
      
      This file is used to read or write profiles.
      
      "profile" means a running mode of process. A profile lists up
      functions and their modes in "$number-$variable=$value" format. The
      $number is profile number between 0 and 255. Each domain is assigned
      one profile. To assign profile to domains, use "ccs-setprofile" or
      "ccs-editpolicy" or "ccs-loadpolicy" commands.
      
      (Example)
      [root@tomoyo]# cat /sys/kernel/security/tomoyo/profile
      0-COMMENT=-----Disabled Mode-----
      0-MAC_FOR_FILE=disabled
      0-MAX_ACCEPT_ENTRY=2048
      0-TOMOYO_VERBOSE=disabled
      1-COMMENT=-----Learning Mode-----
      1-MAC_FOR_FILE=learning
      1-MAX_ACCEPT_ENTRY=2048
      1-TOMOYO_VERBOSE=disabled
      2-COMMENT=-----Permissive Mode-----
      2-MAC_FOR_FILE=permissive
      2-MAX_ACCEPT_ENTRY=2048
      2-TOMOYO_VERBOSE=enabled
      3-COMMENT=-----Enforcing Mode-----
      3-MAC_FOR_FILE=enforcing
      3-MAX_ACCEPT_ENTRY=2048
      3-TOMOYO_VERBOSE=enabled
      
      - MAC_FOR_FILE:
      Specifies access control level regarding file access requests.
      - MAX_ACCEPT_ENTRY:
      Limits the max number of ACL entries that are automatically appended
      during learning mode. Default is 2048.
      - TOMOYO_VERBOSE:
      Specifies whether to print domain policy violation messages or not.
      
      ** /sys/kernel/security/tomoyo/manager **
      
      This file is used to read or append the list of programs or domains
      that can write to /sys/kernel/security/tomoyo interface. By default,
      only processes with both UID = 0 and EUID = 0 can modify policy via
      /sys/kernel/security/tomoyo interface. You can use keyword
      "manage_by_non_root" to allow policy modification by non root user.
      
      (Example)
      [root@tomoyo]# cat /sys/kernel/security/tomoyo/manager
      /usr/lib/ccs/loadpolicy
      /usr/lib/ccs/editpolicy
      /usr/lib/ccs/setlevel
      /usr/lib/ccs/setprofile
      /usr/lib/ccs/ld-watch
      /usr/lib/ccs/ccs-queryd
      
      ** /sys/kernel/security/tomoyo/exception_policy **
      
      This file is used to read and write system global settings. Each line
      has a directive and operand pair. Directives are listed below.
      
      - initialize_domain:
      To initialize domain transition when specific program is executed,
      use initialize_domain directive.
        * initialize_domain "program" from "domain"
        * initialize_domain "program" from "the last program part of domain"
        * initialize_domain "program"
      If the part "from" and after is not given, the entry is applied to
      all domain. If the "domain" doesn't start with "<kernel>", the entry
      is applied to all domain whose domainname ends with "the last program
      part of domain".
      This directive is intended to aggregate domain transitions for daemon
      program and program that are invoked by the kernel on demand, by
      transiting to different domain.
      
      - keep_domain
      To prevent domain transition when program is executed from specific
      domain, use keep_domain directive.
        * keep_domain "program" from "domain"
        * keep_domain "program" from "the last program part of domain"
        * keep_domain "domain"
        * keep_domain "the last program part of domain"
      If the part "from" and before is not given, this entry is applied to
      all program. If the "domain" doesn't start with "<kernel>", the entry
      is applied to all domain whose domainname ends with "the last program
      part of domain".
      This directive is intended to reduce total number of domains and
      memory usage by suppressing unneeded domain transitions.
      To declare domain keepers, use keep_domain directive followed by
      domain definition.
      Any process that belongs to any domain declared with this directive,
      the process stays at the same domain unless any program registered
      with initialize_domain directive is executed.
      
      In order to control domain transition in detail, you can use
      no_keep_domain/no_initialize_domain keywrods.
      
      - alias:
      To allow executing programs using the name of symbolic links, use
      alias keyword followed by dereferenced pathname and reference
      pathname. For example, /sbin/pidof is a symbolic link to
      /sbin/killall5 . In normal case, if /sbin/pidof is executed, the
      domain is defined as if /sbin/killall5 is executed. By specifying
      "alias /sbin/killall5 /sbin/pidof", you can run /sbin/pidof in the
      domain for /sbin/pidof .
      (Example)
      alias /sbin/killall5 /sbin/pidof
      
      - allow_read:
      To grant unconditionally readable permissions, use allow_read keyword
      followed by canonicalized file. This keyword is intended to reduce
      size of domain policy by granting read access to library files such
      as GLIBC and locale files. Exception is, if ignore_global_allow_read
      keyword is given to a domain, entries specified by this keyword are
      ignored.
      (Example)
      allow_read /lib/libc-2.5.so
      
      - file_pattern:
      To declare pathname pattern, use file_pattern keyword followed by
      pathname pattern. The pathname pattern must be a canonicalized
      Pathname. This keyword is not applicable to neither granting execute
      permissions nor domain definitions.
      For example, canonicalized pathname that contains a process ID
      (i.e. /proc/PID/ files) needs to be grouped in order to make access
      control work well.
      (Example)
      file_pattern /proc/\$/cmdline
      
      - path_group
      To declare pathname group, use path_group keyword followed by name of
      the group and pathname pattern. For example, if you want to group all
      files under home directory, you can define
         path_group HOME-DIR-FILE /home/\*/\*
         path_group HOME-DIR-FILE /home/\*/\*/\*
         path_group HOME-DIR-FILE /home/\*/\*/\*/\*
      in the exception policy and use like
         allow_read @HOME-DIR-FILE
      to grant file access permission.
      
      - deny_rewrite:
      To deny overwriting already written contents of file (such as log
      files) by default, use deny_rewrite keyword followed by pathname
      pattern. Files whose pathname match the patterns are not permitted to
      open for writing without append mode or truncate unless the pathnames
      are explicitly granted using allow_rewrite keyword in domain policy.
      (Example)
      deny_rewrite /var/log/\*
      
      - aggregator
      To deal multiple programs as a single program, use aggregator keyword
      followed by name of original program and aggregated program. This
      keyword is intended to aggregate similar programs.
      For example, /usr/bin/tac and /bin/cat are similar. By specifying
      "aggregator /usr/bin/tac /bin/cat", you can run /usr/bin/tac in the
      domain for /bin/cat .
      For example, /usr/sbin/logrotate for Fedora Core 3 generates programs
      like /tmp/logrotate.\?\?\?\?\?\? and run them, but TOMOYO Linux
      doesn't allow using patterns for granting execute permission and
      defining domains. By specifying
      "aggregator /tmp/logrotate.\?\?\?\?\?\? /tmp/logrotate.tmp", you can
      run /tmp/logrotate.\?\?\?\?\?\? as if /tmp/logrotate.tmp is running.
      
      ** /sys/kernel/security/tomoyo/domain_policy **
      
      This file contains definition of all domains and permissions that are
      granted to each domain.
      
      Lines from the next line to a domain definition ( any lines starting
      with "<kernel>") to the previous line to the next domain definitions
      are interpreted as access permissions for that domain.
      
      ** /sys/kernel/security/tomoyo/meminfo **
      
      This file is to show the total RAM used to keep policy in the kernel
      by TOMOYO Linux in bytes.
      (Example)
      [root@tomoyo]# cat /sys/kernel/security/tomoyo/meminfo
      Shared:       61440
      Private:      69632
      Dynamic:        768
      Total:       131840
      
      You can set memory quota by writing to this file.
      (Example)
      [root@tomoyo]# echo Shared: 2097152 > /sys/kernel/security/tomoyo/meminfo
      [root@tomoyo]# echo Private: 2097152 > /sys/kernel/security/tomoyo/meminfo
      
      ** /sys/kernel/security/tomoyo/self_domain **
      
      This file is to show the name of domain the caller process belongs to.
      (Example)
      [root@etch]# cat /sys/kernel/security/tomoyo/self_domain
      <kernel> /usr/sbin/sshd /bin/zsh /bin/cat
      
      ** /sys/kernel/security/tomoyo/version **
      
      This file is used for getting TOMOYO Linux's version.
      (Example)
      [root@etch]# cat /sys/kernel/security/tomoyo/version
      2.2.0-pre
      
      ** /sys/kernel/security/tomoyo/.domain_status **
      
      This is a view (of a DBMS) that contains only profile number and
      domainnames of domain so that "ccs-setprofile" command can do
      line-oriented processing easily.
      
      ** /sys/kernel/security/tomoyo/.process_status **
      
      This file is used by "ccs-ccstree" command to show "list of processes
      currently running" and "domains which each process belongs to" and
      "profile number which the domain is currently assigned" like "pstree"
      command. This file is writable by programs that aren't registered as
      policy manager.
      Signed-off-by: default avatarKentaro Takeda <takedakn@nttdata.co.jp>
      Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: default avatarToshiharu Harada <haradats@nttdata.co.jp>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      9590837b
    • Kentaro Takeda's avatar
      Memory and pathname management functions. · c73bd6d4
      Kentaro Takeda authored
      TOMOYO Linux performs pathname based access control.
      To remove factors that make pathname based access control difficult
      (e.g. symbolic links, "..", "//" etc.), TOMOYO Linux derives realpath
      of requested pathname from "struct dentry" and "struct vfsmount".
      
      The maximum length of string data is limited to 4000 including trailing '\0'.
      Since TOMOYO Linux uses '\ooo' style representation for non ASCII printable
      characters, maybe TOMOYO Linux should be able to support 16336 (which means
      (NAME_MAX * (PATH_MAX / (NAME_MAX + 1)) * 4 + (PATH_MAX / (NAME_MAX + 1)))
      including trailing '\0'), but I think 4000 is enough for practical use.
      
      TOMOYO uses only 0x21 - 0x7E (as printable characters) and 0x20 (as word
      delimiter) and 0x0A (as line delimiter).
      0x01 - 0x20 and 0x80 - 0xFF is handled in \ooo style representation.
      The reason to use \ooo is to guarantee that "%s" won't damage logs.
      Userland program can request
      
       open("/tmp/file granted.\nAccess /tmp/file ", O_WRONLY | O_CREAT, 0600)
      
      and logging such crazy pathname using "Access %s denied.\n" format will cause
      "fabrication of logs" like
      
       Access /tmp/file granted.
       Access /tmp/file denied.
      
      TOMOYO converts such characters to \ooo so that the logs will become
      
       Access /tmp/file\040granted.\012Access\040/tmp/file denied.
      
      and the administrator can read the logs safely using /bin/cat .
      Likewise, a crazy request like
      
       open("/tmp/\x01\x02\x03\x04\x05\x06\x07\x08\x09", O_WRONLY | O_CREAT, 0600)
      
      will be processed safely by converting to
      
       Access /tmp/\001\002\003\004\005\006\007\010\011 denied.
      Signed-off-by: default avatarKentaro Takeda <takedakn@nttdata.co.jp>
      Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: default avatarToshiharu Harada <haradats@nttdata.co.jp>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      c73bd6d4
    • Kentaro Takeda's avatar
      Add in_execve flag into task_struct. · f9ce1f1c
      Kentaro Takeda authored
      This patch allows LSM modules to determine whether current process is in an
      execve operation or not so that they can behave differently while an execve
      operation is in progress.
      
      This patch is needed by TOMOYO. Please see another patch titled "LSM adapter
      functions." for backgrounds.
      Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      f9ce1f1c
  2. 11 Feb, 2009 2 commits
  3. 06 Feb, 2009 1 commit
    • James Morris's avatar
      Merge branch 'master' into next · cb5629b1
      James Morris authored
      Conflicts:
      	fs/namei.c
      
      Manually merged per:
      
      diff --cc fs/namei.c
      index 734f2b5,bbc15c2..0000000
      --- a/fs/namei.c
      +++ b/fs/namei.c
      @@@ -860,9 -848,8 +849,10 @@@ static int __link_path_walk(const char
        		nd->flags |= LOOKUP_CONTINUE;
        		err = exec_permission_lite(inode);
        		if (err == -EAGAIN)
      - 			err = vfs_permission(nd, MAY_EXEC);
      + 			err = inode_permission(nd->path.dentry->d_inode,
      + 					       MAY_EXEC);
       +		if (!err)
       +			err = ima_path_check(&nd->path, MAY_EXEC);
         		if (err)
        			break;
      
      @@@ -1525,14 -1506,9 +1509,14 @@@ int may_open(struct path *path, int acc
        		flag &= ~O_TRUNC;
        	}
      
      - 	error = vfs_permission(nd, acc_mode);
      + 	error = inode_permission(inode, acc_mode);
        	if (error)
        		return error;
       +
      - 	error = ima_path_check(&nd->path,
      ++	error = ima_path_check(path,
       +			       acc_mode & (MAY_READ | MAY_WRITE | MAY_EXEC));
       +	if (error)
       +		return error;
        	/*
        	 * An append-only file must be opened in append mode for writing.
        	 */
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      cb5629b1
  4. 05 Feb, 2009 30 commits