
Chapter 8: Interface permissions

8.1. Register applications

In order for an application or domain to modify policy through the /sys/kernel/security/tomoyo/ interface, it must be listed in /sys/kernel/security/tomoyo/manager. To register an application, for example, run the following command:

# echo "/usr/sbin/tomoyo-editpolicy" | /usr/sbin/tomoyo-loadpolicy -m

8.2. Managing as non-root user

By default, only processes with UID=0 and EUID=0 (i.e. the root user) are allowed to modify policy. In order to allow the user $USER to modify policy, run these commands:

# echo "manage_by_non_root" | /usr/sbin/tomoyo-loadpolicy -m
# chown -R $USER /sys/kernel/security/tomoyo/

This can be reversed by running these commands:

# echo "delete manage_by_non_root" | /usr/sbin/tomoyo-loadpolicy -m
# chown -R root /sys/kernel/security/tomoyo/

If you want a separate user that is able to modify policy, the file "/etc/tomoyo/tomoyo-post-init" can be used. If this file exists, it is executed by /sbin/tomoyo-init at boot. To allow the 'tomoyo' user to modify policy, create "/etc/tomoyo/tomoyo-post-init" with the following contents:

#! /bin/sh
echo manage_by_non_root > /sys/kernel/security/tomoyo/manager
chown -R tomoyo /sys/kernel/security/tomoyo/

Then, make this file executable and make the policy directory readable and writable by the 'tomoyo' user:

# chmod 755 /etc/tomoyo/tomoyo-post-init
# chown -R tomoyo /etc/tomoyo/
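Because the manager list in 8.1 and the manage_by_non_root keyword in 8.2 together decide who may rewrite policy, it is worth checking them after boot. The following audit script is an added example and is not part of the TOMOYO documentation or tools; it reads a file in the format of /sys/kernel/security/tomoyo/manager (one program path or domain name per line, plus the optional keyword manage_by_non_root) and reports whether non-root management is enabled and which entries are not on an allow-list. The allow-list contents, the function names and the constructed sample file are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not TOMOYO's own code: audit the contents of the manager
# interface. Pass a path to a file in the manager format; the default is the
# live interface (readable only on a TOMOYO-enabled kernel with policy loaded).

# Managers expected to be registered (assumption for this example); any other
# entry is reported so that an unintended manager is noticed.
TOMOYO_EXPECTED_MANAGERS="/usr/sbin/tomoyo-editpolicy /usr/sbin/tomoyo-loadpolicy"

# Exit 0 when the keyword manage_by_non_root is present in the given file.
tomoyo_non_root_enabled() {
    grep -qx 'manage_by_non_root' "$1"
}

# Print every entry that is neither the keyword nor an expected manager.
tomoyo_unexpected_managers() {
    while IFS= read -r entry || [ -n "$entry" ]; do
        case "$entry" in
            ''|manage_by_non_root) ;;
            *)
                case " $TOMOYO_EXPECTED_MANAGERS " in
                    *" $entry "*) ;;
                    *) printf '%s\n' "$entry" ;;
                esac
                ;;
        esac
    done < "$1"
}

# Summarise the list; exit 0 when only expected managers are registered and
# management is root-only, exit 1 otherwise.
tomoyo_manager_audit() {
    file="${1:-/sys/kernel/security/tomoyo/manager}"
    status=0
    if tomoyo_non_root_enabled "$file"; then
        echo "WARNING: manage_by_non_root is set; non-root processes may modify policy"
        status=1
    fi
    unexpected=$(tomoyo_unexpected_managers "$file")
    if [ -n "$unexpected" ]; then
        echo "WARNING: unexpected manager entries:"
        echo "$unexpected" | sed 's/^/  /'
        status=1
    fi
    [ "$status" -eq 0 ] && echo "manager list OK: expected managers only, root-only management"
    return "$status"
}

# Constructed sample manager file (not a real one) for an offline dry run:
# it registers the two editors, enables non-root management and adds an
# unexpected editor.
tomoyo_sample_manager_file() {
    f=$(mktemp)
    printf '%s\n' '/usr/sbin/tomoyo-editpolicy' '/usr/sbin/tomoyo-loadpolicy' \
        'manage_by_non_root' '/usr/bin/vi' > "$f"
    echo "$f"
}

sample=$(tomoyo_sample_manager_file)
tomoyo_manager_audit "$sample" || echo "audit exit status: $?"
rm -f "$sample"
```

Run it without arguments on a TOMOYO host to audit the live interface, or with a path to a saved copy. The script only reads the manager file; reverting an unwanted manage_by_non_root entry is done with the delete command shown above.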

The exception to all of the above is domains in "Learning Mode": a process in such a domain can append access permissions to the domain it belongs to, without being listed as a manager, until max_entry has been reached.