
Chapter 9: Advanced profile management

9.1. Profile initialization

The initialization procedure performed using /usr/lib/tomoyo/init_policy can be modified with command-line options to make policy development easier, depending on which functionality you wish to restrict. For example, those wishing to restrict only file-related operations can pass the "--file-only-profile" option. The options you pass upon initialization do not constrain how policy can be developed later, as they merely change the default values written into the files created in the policy directory. These files can be modified with the policy editor at any later date to fit your needs. The following table summarizes the command-line options available:

--full-profile (default: selected)
    Create profiles with all functionality enabled. This is the default unless "--file-only-profile" is specified.

--file-only-profile (default: not selected)
    Create profiles with only file-related functionality enabled.

--use_profile="$number" (default: 0)
    Set the profile number for the "<kernel>" domain when creating "/etc/tomoyo/domain_policy.conf". This value must be an integer between 0 and 255.

--use_group="$number" (default: 0)
    Set the ACL group for the "<kernel>" domain when creating "/etc/tomoyo/domain_policy.conf". This value must be an integer between 0 and 255.

--root="$rootdir" (default: /)
    Change the root directory in which to create configuration files.

--policy_dir="$configdir" (default: /etc/tomoyo/)
    Change the directory in which to create configuration files. If you specify this option, a symbolic link named "/etc/tomoyo" must be created that points to "$configdir".

--grant_log="$bool" (default: no)
    Set whether grant logs should be audited. This value can be either "yes" or "no".

--reject_log="$bool" (default: yes)
    Set whether reject logs should be audited. This value can be either "yes" or "no".

--max_audit_log="$number" (default: 1024)
    Set the maximum number of audit log entries (grant and reject logs) that the kernel will spool in the /sys/kernel/security/tomoyo/audit interface. This value must be an integer, and can be set to "0" if audit logs are not required. Maximum memory used can also be controlled using the /sys/kernel/security/tomoyo/stat interface.

--max_learning_entry="$number" (default: 2048)
    Set the maximum number of ACL entries automatically added to each domain by the kernel when using learning mode. This value must be an integer; setting it to "0" makes learning mode behave like permissive mode. Maximum memory used can also be controlled using the /sys/kernel/security/tomoyo/stat interface.

If you executed /usr/lib/tomoyo/init_policy without the "--file-only-profile" option, the CONFIG lines in "/etc/tomoyo/profile.conf" will look like this:

0-COMMENT=-----Disabled Mode-----
0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
0-CONFIG={ mode=disabled grant_log=no reject_log=yes }
1-COMMENT=-----Learning Mode-----
1-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
1-CONFIG={ mode=learning grant_log=no reject_log=yes }
2-COMMENT=-----Permissive Mode-----
2-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
2-CONFIG={ mode=permissive grant_log=no reject_log=yes }
3-COMMENT=-----Enforcing Mode-----
3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }

If you executed /usr/lib/tomoyo/init_policy --file-only-profile, the CONFIG lines in "/etc/tomoyo/profile.conf" will look like this:

0-COMMENT=-----Disabled Mode-----
0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
0-CONFIG::file={ mode=disabled grant_log=no reject_log=yes }
1-COMMENT=-----Learning Mode-----
1-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
1-CONFIG::file={ mode=learning grant_log=no reject_log=yes }
2-COMMENT=-----Permissive Mode-----
2-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
2-CONFIG::file={ mode=permissive grant_log=no reject_log=yes }
3-COMMENT=-----Enforcing Mode-----
3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
3-CONFIG::file={ mode=enforcing grant_log=no reject_log=yes }

9.2. Profile syntax

9.2.1. Fields

Each profile contains 3 fields:

COMMENT
    Description of the profile.

CONFIG
    Configuration of operation mode.

PREFERENCE
    Configuration of various options.

9.2.2. The CONFIG field

The following options are available in the CONFIG field:

grant_log="$bool" (default: no)
    Set whether grant logs should be audited. This value can be either "yes" or "no".

reject_log="$bool" (default: yes)
    Set whether reject logs should be audited. This value can be either "yes" or "no".

mode (default: disabled)
    Set what mode to use. See the table below.

The "mode" parameter of the CONFIG line can contain one of the following values:

disabled
    Behaves like a regular kernel.

learning
    Do not reject an access request if the request violates policy. Append the request to policy.

permissive
    Do not reject an access request if the request violates policy. Do not append the request to policy.

enforcing
    Reject an access request if the request violates policy. Do not append the request to policy.

By default, the CONFIG line specifies the default operation mode for all categories and functionalities. The absence of the CONFIG line is equivalent to "mode=disabled". The default configuration can be overwritten by using one or more CONFIG lines per profile and using category-specific configuration:

Name                        Category to specify operation mode for
CONFIG                      All operations
CONFIG::file                File related operations only

Category-specific configuration can be further overwritten by functionality-specific configuration:

Name                        Functionality to specify operation mode for
CONFIG::file::execute       Program execution and domain transition
CONFIG::file::open          Opening files for reading or writing
CONFIG::file::create        File creation
CONFIG::file::unlink        File deletion
CONFIG::file::mkdir         Directory creation
CONFIG::file::rmdir         Directory deletion
CONFIG::file::mkfifo        FIFO creation
CONFIG::file::mksock        UNIX domain socket creation
CONFIG::file::truncate      File truncation
CONFIG::file::symlink       Symlink creation
CONFIG::file::mkblock       Block device file creation
CONFIG::file::mkchar        Character device file creation
CONFIG::file::link          Link creation
CONFIG::file::rename        File or directory renaming
CONFIG::file::chmod         File or directory chmod
CONFIG::file::chown         File or directory chown
CONFIG::file::chgrp         File or directory chgrp
CONFIG::file::ioctl         Use of the ioctl system call
CONFIG::file::chroot        Use of chroot
CONFIG::file::mount         Use of mount
CONFIG::file::unmount       Use of umount
CONFIG::file::pivot_root    Use of pivot_root

For example, you could create a profile that restricts only program execution:

6-COMMENT=-----Enforcing file::execute only-----
6-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
6-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

For performance, permission checks for getting attributes for files and directories could be disabled while still enabling other permission checks for files:

7-COMMENT=-----Enforcing file operations without getattr-----
7-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
7-CONFIG::file={ mode=enforcing grant_log=no reject_log=yes }
7-CONFIG::file::getattr={ mode=disabled grant_log=no reject_log=yes }

Note that the settings for "CONFIG::file::getattr" overwrite the settings for "CONFIG::file", which in turn overwrite the settings for "CONFIG" (which in this case has not been set and so is equivalent to "mode=disabled"). This allows fine-grained control over which operations you wish to restrict.
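As an added illustration of this override order (example code written for this page, not part of the TOMOYO documentation or tools), the following Python parses profile lines shaped like the examples in this section and resolves the mode that applies to one operation. The sample lines are constructed here from profiles 3, 6 and 7 above; "file" and "getattr" are the only category and functionality names assumed.

```python
import re

# Constructed sample modelled on the profile lines shown in this section
# (profiles 3, 6 and 7); not copied from a live /etc/tomoyo/profile.conf.
SAMPLE_PROFILE_CONF = """\
3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }
6-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
7-CONFIG::file={ mode=enforcing grant_log=no reject_log=yes }
7-CONFIG::file::getattr={ mode=disabled grant_log=no reject_log=yes }
"""

# <number>-<field>=<value>; field is COMMENT, PREFERENCE or CONFIG[::cat[::func]]
LINE_RE = re.compile(r"^(\d+)-(COMMENT|PREFERENCE|CONFIG(?:::\w+){0,2})=(.*)$")

def parse_profiles(text):
    """Return {profile_number: {field: value}}; "{ k=v ... }" bodies become dicts."""
    profiles = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised profile line: {line!r}")
        num, field, value = int(m.group(1)), m.group(2), m.group(3).strip()
        if field != "COMMENT":
            if not (value.startswith("{") and value.endswith("}")):
                raise ValueError(f"expected '{{ ... }}' body: {line!r}")
            value = dict(kv.split("=", 1) for kv in value[1:-1].split())
        profiles.setdefault(num, {})[field] = value
    return profiles

def effective_mode(profiles, number, category=None, functionality=None):
    """Most specific CONFIG key wins: CONFIG::cat::func > CONFIG::cat > CONFIG."""
    # A profile with no matching CONFIG line at all behaves as mode=disabled.
    fields = profiles.get(number, {})
    candidates = []
    if category and functionality:
        candidates.append(f"CONFIG::{category}::{functionality}")
    if category:
        candidates.append(f"CONFIG::{category}")
    candidates.append("CONFIG")
    for key in candidates:
        if key in fields:
            # "mode" itself defaults to disabled when omitted (CONFIG field table)
            return fields[key].get("mode", "disabled")
    return "disabled"
```

With the sample above, profile 7 yields "disabled" for file::getattr but "enforcing" for file::unlink, and profile 6 yields "disabled" for anything other than file::execute.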

9.2.3. The PREFERENCE field

The PREFERENCE line holds the following options:

max_audit_log
    Set the maximum number of audit log entries (grant and reject logs) that the kernel will spool in the /sys/kernel/security/tomoyo/audit interface. This value must be an integer, and can be set to "0" if audit logs are not required. Maximum memory used can also be controlled using the /sys/kernel/security/tomoyo/stat interface.

max_learning_entry
    Set the maximum number of ACL entries automatically added to each domain by the kernel when using learning mode. This value must be an integer; setting it to "0" makes learning mode behave like permissive mode. Maximum memory used can also be controlled using the /sys/kernel/security/tomoyo/stat interface.