Policy Specifications of SYAORAN filesystem

Last modified: $Date: 2019-02-04 20:23:38 +0900 (Mon, 04 Feb 2019) $

1. Types and syntaxes of policy files

Pathname representation rule

SYAORAN uses canonicalized absolute pathnames ("Canonicalized Pathnames") as seen from the kernel, which contain neither symbolic links nor "..".
If a process is running in a chroot'ed environment, pathnames are resolved from outside the chroot'ed directory.

Canonicalized directories always end with "/", and canonicalized files never end with "/".

A Canonicalized Pathname contains only characters in the printable ASCII range (0x21 to 0x7E).
The space character (0x20) is therefore represented as \040, the \ character (0x5C) itself is represented as \\, and all other non-printable characters (0x01 to 0x20 and 0x7F to 0xFF) are represented in octal (\ooo).
Since spaces, carriage returns and tabs are treated as delimiters, you must use these octal representations to include such characters in a Canonicalized Pathname.

Policy specifications for SYAORAN filesystem

The policy file lists the entries that the /dev directory may contain.
There are many device files in the /dev directory, but only a few dozen of them are needed for a system to work.
Further, it is mandatory for system security that the device files are always associated with the correct devices.
For example, if /dev/null existed with the attributes of block device 8-0 (/dev/sda) instead of character device 1-3, the contents of the SCSI hard disk would be destroyed in one stroke.

The following is the format of this file.

List one entry per line. An entry has at most 9 elements.

filename: The name of the file as seen from the mount point, without the leading /.
permission: The permission of the file in octal, between 000 and 777.
owner: The owner of the file, as a decimal user ID.
group: The group of the file, as a decimal group ID.
flags: A combination (bitwise sum) of the following values.
  • 1: Allow creation of the file.
  • 2: Allow deletion of the file.
  • 4: Allow changing the permissions of the file.
  • 8: Allow changing the owner or group of the file.
  • 16: For internal use. Records whether this file has been opened.
  • 32: Don't create this file at mount time.
type: The type of the file, one of 'd' (directory), 'p' (FIFO), 's' (socket), 'c' (character device), 'b' (block device), 'l' (symbolic link), 'f' (regular file).
symlink_data: The target of the symbolic link, which is created automatically at mount time. Required only if type is 'l'.
major: The major number in decimal. Required only if type is 'c' or 'b'.
minor: The minor number in decimal. Required only if type is 'c' or 'b'.

Lines are separated by '\n'.

The 'filename' must be in canonicalized form, but the trailing / may be omitted in this policy file.

The 'symlink_data' need not be a Canonicalized Pathname, but you must use the \\ and \ooo style escapes to include non-printable characters.

How to use:

Step 1 Generate the policy file with 'flags' set to 0.
Step 2 Mount the filesystem in accept mode. If the policy file is /etc/ccs/syaoran.conf and you want to mount it on /dev, run
mount -t syaoran -o accept=/etc/ccs/syaoran.conf none /dev
Step 3 Run the system as usual; the 'flags' values are updated according to the actual accesses to the device files.
Step 4 The result of the file access tracing can be read from the file .syaoran, which exists directly under the mount point. Edit it (removing unnecessary symbolic links etc.) and save it as /etc/ccs/syaoran.conf.
The file access tracing reflects to .syaoran only those block and character device files that were actually opened, which makes it useful for removing unnecessary device files. Directories, FIFOs, sockets, symbolic links and regular files are always reflected to .syaoran regardless of whether they were opened.
Step 5 Unmount the filesystem.
Step 6 To mount the filesystem in enforce mode, run
mount -t syaoran -o enforce=/etc/ccs/syaoran.conf none /dev
In enforce mode, the 'flags' values are not updated.
Whenever a policy violation (caused by a missing entry or insufficient flags) occurs, a message beginning with "SYAORAN-ERROR:" is logged. You can pick up these messages with the following command.
dmesg | grep ^SYAORAN-ERROR:

You can set the default mode for this filesystem by passing SYAORAN=accept or SYAORAN=enforce on the kernel command line. If the default mode was given there, you can omit the 'accept=' or 'enforce=' option at mount time.
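As an added example (not part of SYAORAN or of this page), the following Python parser applies the pathname escape rules and the entry format described above, and implements the Step 4 pruning of device entries whose 'opened' bit (16) never got set during the accept-mode run. The sample policy text is constructed here, not a trace from a real system.

```python
import re
TYPES = "dpscblf"   # directory, FIFO, socket, char device, block device, symlink, regular file

def unescape(token):
    r"""Decode the \\ and \ooo escapes used in Canonicalized Pathnames and symlink_data."""
    return re.sub(r"\\(\\|[0-7]{3})",
                  lambda m: "\\" if m.group(1) == "\\" else chr(int(m.group(1), 8)), token)

def parse_entry(line):
    """Parse one policy line into a dict; raise ValueError on any violation of the format."""
    fields = line.split()          # spaces and tabs delimit, so they must be escaped inside names
    if len(fields) < 6:
        raise ValueError("fewer than 6 elements: %r" % line)
    name, perm, owner, group, flags, typ, *rest = fields
    # filename is relative to the mount point, printable ASCII only, with no ".." components
    if name.startswith("/") or ".." in name.split("/") or \
            not all(0x21 <= ord(c) <= 0x7E for c in name):
        raise ValueError("filename not in canonicalized form: %r" % name)
    if not re.fullmatch(r"[0-7]{3}", perm):
        raise ValueError("permission must be octal 000..777: %r" % perm)
    flags = int(flags)
    if not 0 <= flags <= 63 or typ not in TYPES:
        raise ValueError("bad flags or type: %r" % line)
    entry = {"filename": unescape(name), "permission": int(perm, 8), "owner": int(owner),
             "group": int(group), "flags": flags, "type": typ}
    if typ == "l":                 # symbolic link: exactly one extra element, the link target
        if len(rest) != 1:
            raise ValueError("symlink entry needs symlink_data: %r" % line)
        entry["symlink_data"] = unescape(rest[0])
    elif typ in "cb":              # device: exactly two extra elements, major and minor
        if len(rest) != 2:
            raise ValueError("device entry needs major and minor: %r" % line)
        entry["major"], entry["minor"] = int(rest[0]), int(rest[1])
    elif rest:
        raise ValueError("unexpected trailing elements: %r" % rest)
    return entry

def parse_policy(text):            # whole file: skip blank lines and '#' comment lines
    return [parse_entry(ln) for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]

def unopened_devices(entries):     # Step 4 aid: devices whose 'opened' bit (16) never got set
    return [e["filename"] for e in entries if e["type"] in "cb" and not e["flags"] & 16]

# Constructed sample resembling a .syaoran trace after a run in accept mode (not from the page).
SAMPLE = """#filename permission owner group flags type [ symlink_data | major minor ]
null 666 0 0 16 c 1 3
fd 777 0 0 0 l /proc/self/fd
sda 660 0 6 0 b 8 0
usb\\040key 660 0 6 0 b 8 16
"""
```

Entries that fail to parse raise ValueError with the offending line, which is the same class of mistake that would surface as a SYAORAN-ERROR once the file is used in enforce mode.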


2. An example of policy file

The required files depend on your system.

#filename permission owner group flags type [ symlink_data | major minor ]
pts 755 0 0 0 d
shm 755 0 0 0 d
fd 777 0 0 0 l /proc/self/fd
stdin 777 0 0 0 l /proc/self/fd/0
stdout 777 0 0 0 l /proc/self/fd/1
stderr 777 0 0 0 l /proc/self/fd/2
null 666 0 0 0 c 1 3
zero 666 0 0 0 c 1 5
random 644 0 0 0 c 1 8
urandom 644 0 0 0 c 1 9
tty 666 0 0 0 c 5 0
tty0 600 0 0 12 c 4 0
tty1 600 0 0 12 c 4 1
tty2 600 0 0 12 c 4 2
tty3 600 0 0 12 c 4 3
tty4 600 0 0 12 c 4 4
tty5 600 0 0 12 c 4 5
tty6 600 0 0 12 c 4 6
tty7 600 0 0 12 c 4 7
tty8 600 0 0 12 c 4 8
cdrom 777 0 0 3 l /dev/scd0
mouse 777 0 0 3 l psaux
console 600 0 0 1 c 5 1
fd0 660 0 19 0 b 2 0
fd1 660 0 19 0 b 2 1
fd2 660 0 19 0 b 2 2
fd3 660 0 19 0 b 2 3
hda 660 0 6 0 b 3 0
hda1 660 0 6 0 b 3 1
hda2 660 0 6 0 b 3 2
hda3 660 0 6 0 b 3 3
hda5 660 0 6 0 b 3 5
hda6 660 0 6 0 b 3 6
hda7 660 0 6 0 b 3 7
hda8 660 0 6 0 b 3 8
hda9 660 0 6 0 b 3 9
hda10 660 0 6 0 b 3 10
hda11 660 0 6 0 b 3 11
hda12 660 0 6 0 b 3 12
initctl 600 0 0 3 p
log 666 0 0 15 s
rtc 644 0 0 0 c 10 135
ptmx 666 0 0 0 c 5 2
ram 777 0 0 3 l /dev/ram0
ram0 660 0 6 0 b 1 0
ram1 660 0 6 0 b 1 1
sda 660 0 6 0 b 8 0
initrd 660 0 6 1 b 1 250
psaux 600 0 0 0 c 10 1
apm_bios 600 0 0 0 c 10 134
cpu 755 0 0 0 d
cpu/0 755 0 0 0 d
cpu/0/microcode 600 0 0 0 c 10 184
ttyS0 660 0 14 0 c 4 64
ttyS1 660 0 14 0 c 4 65
ttyS2 660 0 14 0 c 4 66
ttyS3 660 0 14 0 c 4 67
ptal-printd 777 0 0 3 l /var/run/ptal-printd
gpmctl 700 0 0 3 s
scd0 660 0 6 0 b 11 0
