Policy Specifications of TOMOYO Linux

Last modified: $Date: 2019-02-04 20:23:38 +0900 (Mon, 04 Feb 2019) $

Index

1. Introduction

1.1 Word definition

1.2 Domain definitions and Domain transitions rule

2. Types and syntaxes of policy files

2.1 Policy Manager Definition (manager.conf)

2.2 Profile Definition (profile.conf)

2.3 System policy (system_policy.conf)

2.4 Domain policy (domain_policy.conf)

2.5 Exception policy (exception_policy.conf)

3. /proc/ccs/ interface

3.1 profile

3.2 system_policy

3.3 domain_policy

3.4 exception_policy

3.5 query

3.6 manager

3.7 .domain_status

3.8 meminfo

3.9 grant_log

3.10 reject_log

3.11 self_domain

3.12 .process_status

3.13 .updates_counter


1. Introduction

1.1 Word definition

Canonicalized Pathname: A pathname that begins with "/" and contains neither symbolic links, "/./", "//" nor "/../". (There is one exception: the process information directory of the current process, which is accessible via the "/proc/self/" directory, is represented as is.)
Even if a process is running in a chroot'ed environment, the Canonicalized Pathname is calculated from outside the chroot'ed environment.
A Canonicalized Pathname contains only characters in the ASCII printable range (0x21 to 0x7E). Thus, the "\" character (0x5C) itself is represented as "\\", and all other non-printable characters (0x01 to 0x20 and 0x7F to 0xFF) are represented using octal expressions ("\ooo"); for example, the space character (0x20) is represented as "\040".
Canonicalized Directory: A Canonicalized Pathname that ends with "/".
Canonicalized File: A Canonicalized Pathname that does not end with "/".
A Canonicalized File includes all file types other than directory (i.e. regular file, character device, block device, FIFO, symbolic link, socket).
PROGRAM: A Canonicalized File that is executable.
Domain: An attribute that is used for MAC (Mandatory Access Control).
Destination Domain: The domain that the process will belong to if it successfully executes a PROGRAM.
Target Domain: The domain that the target process belongs to.

1.2 Domain definitions and Domain transitions rule

In TOMOYO Linux, every process belongs to a single domain, and each PROGRAM belongs to a different domain.
Even if two processes are executing the same PROGRAM, they belong to different domains if their previous domains differ.

All domains are defined originating from "<kernel>" domain, which the kernel process belongs to.
Since /sbin/init is invoked by the "<kernel>" domain, the domain for /sbin/init is defined as "<kernel> /sbin/init".
Since /etc/rc.d/rc is invoked by /sbin/init invoked by the kernel, the domain for /etc/rc.d/rc is defined as "<kernel> /sbin/init /etc/rc.d/rc".

There are some PROGRAMs that behave differently depending on the invocation name.
For example, /sbin/pidof is a symbolic link to /sbin/killall5.
Since TOMOYO Linux uses Canonicalized Pathnames, if /sbin/pidof is executed, the domain is defined as if /sbin/killall5 were executed.

When a process tries to execute a PROGRAM, the following steps are performed.

Step 1: Getting the program's name

Get the name of the PROGRAM that the process is going to execute and keep it as "Candidate 1". This procedure dereferences the program if it is a symbolic link.

Get the name of the PROGRAM that the process is going to execute and keep it as "Candidate 2". This procedure does NOT dereference the program if it is a symbolic link.

Step 2: Handling symbolic links

If "Candidate 1" and "Candidate 2" differ, search the exception policy for

  • alias "Candidate 1" "Candidate 2"

and if one is found, replace "Candidate 1" with "Candidate 2".

Step 3: Checking argv[0]

If the basename of "Candidate 1" and the basename of argv[0] differ, search the domain policy for

  • allow_argv0 "Candidate 1" "the basename of argv[0]"

and deny if none is found.

Step 4: Aggregating similar programs

Search the exception policy for

  • aggregator "Candidate 1" "aggregated name"

and if one is found, replace "Candidate 1" with "aggregated name".

Step 5: Checking permission

Search the domain policy for

  • 1 "Candidate 1"
  • 3 "Candidate 1"
  • 5 "Candidate 1"
  • 7 "Candidate 1"
  • 1 @"a pathname group containing Candidate 1"
  • 3 @"a pathname group containing Candidate 1"
  • 5 @"a pathname group containing Candidate 1"
  • 7 @"a pathname group containing Candidate 1"

and deny if none is found.

Step 6: Deciding the Destination domain

(1) Search the exception policy for

  • no_initialize_domain "Candidate 1" from "the name of the domain the current process belongs to"
  • no_initialize_domain "Candidate 1" from "the last part of the name of the domain the current process belongs to"
  • no_initialize_domain "Candidate 1"

and if one is found, jump to (3).

(2) Search the exception policy for

  • initialize_domain "Candidate 1" from "the name of the domain the current process belongs to"
  • initialize_domain "Candidate 1" from "the last part of the name of the domain the current process belongs to"
  • initialize_domain "Candidate 1"

and if one is found, concatenate "the name of the domain that the kernel belongs to (i.e. <kernel>)" and "Candidate 1", keep the result as the Destination domain, then jump to (6).

(3) Search the exception policy for

  • no_keep_domain "Candidate 1" from "the name of the domain the current process belongs to"
  • no_keep_domain "Candidate 1" from "the last part of the name of the domain the current process belongs to"
  • no_keep_domain "the name of the domain the current process belongs to"
  • no_keep_domain "the last part of the name of the domain the current process belongs to"

and if one is found, jump to (5).

(4) Search the exception policy for

  • keep_domain "Candidate 1" from "the name of the domain the current process belongs to"
  • keep_domain "Candidate 1" from "the last part of the name of the domain the current process belongs to"
  • keep_domain "the name of the domain the current process belongs to"
  • keep_domain "the last part of the name of the domain the current process belongs to"

and if one is found, set "the name of the domain the current process belongs to" as the Destination domain, then jump to (6).

(5) Concatenate "the name of the domain the current process belongs to" and "Candidate 1" and keep the result as the Destination domain.

(6) Check whether the Destination domain is defined, and deny if not.

(7) Perform the regular steps for executing the PROGRAM. If they complete successfully, the process transitions to the Destination domain.
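The steps above, as an added worked example (not code from the TOMOYO project): a Python model of the execve decision that walks the alias, argv[0], aggregator, execute-permission and Destination-domain sub-steps over a constructed exception policy. Exact pathname comparison and ignoring ACL "if" conditions are assumptions of this model.

```python
"""Model of the PROGRAM-execution steps of Section 1.2.

Added example, not code from the TOMOYO project. Policy lines and domain
names below are constructed. Assumptions: pathnames are compared exactly
(no wildcards) and ACL conditions ("if ...") are ignored.
"""


def _parse(text):
    """One token list per non-empty policy line."""
    return [line.split() for line in text.splitlines() if line.strip()]


def _hit(exc, directive, program, current, program_required):
    """Search the exception policy for the entry forms of Section 1.2.

    "<directive> PROGRAM from DOMAIN" is accepted for every directive;
    without "from", (no_)initialize_domain takes a PROGRAM and
    (no_)keep_domain takes a DOMAIN. A DOMAIN matches the current
    domain's full name or its last PROGRAM part.
    """
    names = (current, current.split()[-1])
    for entry in exc:
        if entry[0] != directive:
            continue
        body = entry[1:]
        if "from" in body:
            i = body.index("from")
            if " ".join(body[:i]) == program and " ".join(body[i + 1:]) in names:
                return True
        elif program_required:
            if " ".join(body) == program:
                return True
        elif " ".join(body) in names:
            return True
    return False


def resolve_exec(current, cand1, cand2, argv0, exception_policy, domain_acls,
                 defined_domains):
    """Return the Destination domain, or None when execution is denied.

    cand1 / cand2: program name with / without symlink dereferencing;
    domain_acls: ACL lines of the current domain only; defined_domains:
    names of every domain present in domain_policy.conf.
    """
    exc = _parse(exception_policy)
    acl = _parse(domain_acls)
    cand = cand1
    # Handling symbolic links: an alias entry keeps the symlink's name.
    if cand1 != cand2 and ["alias", cand1, cand2] in exc:
        cand = cand2
    # Checking argv[0]: a different basename needs an allow_argv0 entry.
    base = argv0.rsplit("/", 1)[-1]
    if cand.rsplit("/", 1)[-1] != base and \
            not any(e[:3] == ["allow_argv0", cand, base] for e in acl):
        return None
    # Aggregating similar programs.
    for e in exc:
        if e[0] == "aggregator" and e[1] == cand:
            cand = e[2]
            break
    # Checking permission: 1/3/5/7 on the pathname or on a path_group.
    groups = {}
    for e in exc:
        if e[0] == "path_group":
            groups.setdefault(e[1], set()).add(e[2])

    def exec_ok(e):
        return e[0] in ("1", "3", "5", "7") and cand in (
            groups.get(e[1][1:], ()) if e[1].startswith("@") else (e[1],))

    if not any(exec_ok(e) for e in acl):
        return None
    # Deciding the Destination domain, sub-steps (1) to (5).
    if not _hit(exc, "no_initialize_domain", cand, current, True) and \
            _hit(exc, "initialize_domain", cand, current, True):
        dest = "<kernel> " + cand            # (2)
    elif not _hit(exc, "no_keep_domain", cand, current, False) and \
            _hit(exc, "keep_domain", cand, current, False):
        dest = current                       # (4)
    else:
        dest = current + " " + cand          # (5)
    # (6) the Destination domain must already be defined.
    return dest if dest in defined_domains else None


# Constructed sample policy and domains for the checks.
EXCEPTION_POLICY = """
alias /sbin/killall5 /sbin/pidof
aggregator /usr/bin/tac /bin/cat
initialize_domain /usr/sbin/sshd
keep_domain <kernel> /usr/sbin/sshd
no_keep_domain /bin/bash from /usr/sbin/sshd
"""
RC_DOMAIN = "<kernel> /sbin/init /etc/rc.d/rc"
SSHD_DOMAIN = "<kernel> /usr/sbin/sshd"
RC_ACLS = "1 /sbin/pidof\n1 /bin/cat\n1 /usr/sbin/sshd\n1 /bin/ls\n"
SSHD_ACLS = "1 /bin/cat\n1 /bin/bash\n"
DEFINED = {RC_DOMAIN, SSHD_DOMAIN, RC_DOMAIN + " /sbin/pidof",
           RC_DOMAIN + " /bin/cat", SSHD_DOMAIN + " /bin/bash"}
```

With this policy, executing /bin/ls through a symlink named /tmp/cat is denied at the argv[0] step, and executing /bin/ls directly is denied at sub-step (6) because no "<kernel> /sbin/init /etc/rc.d/rc /bin/ls" domain is defined.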


2. Types and syntaxes of policy files

All policy files are kept in the /etc/ccs/ directory. Files in this directory are loaded by /sbin/ccs-init just before /sbin/init starts.

2.1 Policy Manager Definition (manager.conf)

Since allowing every process to modify policies would be insecure, this file defines the PROGRAMs or DOMAINs that may write to the /proc/ccs/ interface.

PROGRAMs or DOMAINs that are not declared in this file cannot write to the /proc/ccs/ interface. If you do not allow policy updates in production, delete this file.

(Example)
/usr/lib/ccs/loadpolicy
/usr/lib/ccs/editpolicy
/usr/lib/ccs/setlevel
/usr/lib/ccs/setprofile
/usr/lib/ccs/ld-watch
/usr/lib/ccs/ccs-queryd
<kernel> /sbin/mingetty /usr/lib/bin/bash

2.2 Profile Definition (profile.conf)

TOMOYO Linux can perform several MACs besides the MAC for files, but to reduce the burden of policy management, you can disable MACs you consider unnecessary.

Variable | Meaning | Learning mode support
MAC_FOR_FILE | Enable Mandatory Access Control (MAC) for files. | Yes
MAC_FOR_ARGV0 | Enable MAC for argv[0] checks. | Yes
MAC_FOR_CAPABILITY::*** | Enable MAC for capabilities. The *** matches the values that can be given using the allow_capability directive described in Domain policy. | Yes
MAC_FOR_NETWORK | Enable MAC for network addresses and ports. | Yes
MAC_FOR_SIGNAL | Enable MAC for signals. | Yes
DENY_CONCEAL_MOUNT | Forbid mount requests that hide an existing mount. | No
RESTRICT_CHROOT | Enable restrictions for chroot directories. | Yes
RESTRICT_MOUNT | Enable restrictions for mount parameters. | Yes
RESTRICT_UNMOUNT | Forbid unmount requests for specified directories. | No
RESTRICT_PIVOT_ROOT | Enable restrictions for pivot_root directories. | Yes
RESTRICT_AUTOBIND | Forbid selecting specific local port numbers when automatic local port binding happens. | No
MAX_ACCEPT_ENTRY | Limits the max number of ACL entries that are automatically appended during learning mode. | -
MAX_GRANT_LOG | Limits the max number of grant logs that the kernel can hold. | -
MAX_REJECT_LOG | Limits the max number of reject logs that the kernel can hold. | -
TOMOYO_VERBOSE | Dump domain policy violation messages to syslog. | -
ALLOW_ENFORCE_GRACE | Allow the administrator to interactively judge access requests that violate policy in enforce mode. | -

You can give the following values for RESTRICT_AUTOBIND:

Value | Meaning
0 | Off. Works as in a regular kernel.
1 | On.

You can give the following values for MAX_ACCEPT_ENTRY:

Value | Meaning
any integer | The max number of ACL entries that are automatically appended during learning mode. The default is given at kernel compilation time.

You can give the following values for MAX_GRANT_LOG and MAX_REJECT_LOG:

Value | Meaning
any integer | The max number of logs that the kernel can hold. The default is given at kernel compilation time.

You can give the following values for TOMOYO_VERBOSE:

Value | Meaning
0 | Don't dump domain policy violation messages.
1 | Dump domain policy violation messages.

You can give the following values for ALLOW_ENFORCE_GRACE:

Value | Meaning
0 | Immediately reject access requests that violate policy in enforce mode.
1 | Allow the administrator to interactively judge access requests that violate policy in enforce mode.

You can give the following values for all variables not listed above:

Value | Meaning
0 | Disabled. Works as in a regular kernel.
1 | Learning mode. Requests that violate policy are not rejected; they are automatically appended to the policy.
2 | Permissive mode. Requests that violate policy are not rejected and are not appended to the policy automatically.
3 | Enforce mode. Requests that violate policy are rejected.

List functions and their modes in "$number-$variable=$value" format. $number is a profile number between 0 and 255. To switch the profile currently assigned to a domain, use the "setprofile" command. The currently assigned profile number is kept in the Domain policy (domain_policy.conf) using the "use_profile" directive.

2.3 System policy (system_policy.conf)

This file contains permissions that apply to the entire system. The following 4 types of permissions are declared.

Mount permission

To grant mount permission, use the allow_mount directive followed by "$devicefile $mountpoint $filesystem $options".
The $devicefile needs to be a Canonicalized File if the $filesystem requires a device file.
The $mountpoint must be a Canonicalized Directory.
The $options is an integer expression.

To grant "mount -o remount $mountpoint" permission, use allow_mount directive followed by "any $mountpoint --remount $options".

To grant "mount --bind $source_dir $dest_dir" and "mount --move $source_dir $dest_dir" permission, use allow_mount directive followed by "$source_dir $dest_dir --bind $options" and "$source_dir $dest_dir --move $options" respectively. The $source_dir and $dest_dir must be Canonicalized Directory.

Kernels 2.6.15 and later support the "Shared Subtree" functionality.
To grant "mount --make-unbindable $mountpoint" permission, use allow_mount directive followed by "any $mountpoint --make-unbindable $options".
To grant "mount --make-private $mountpoint" permission, use allow_mount directive followed by "any $mountpoint --make-private $options".
To grant "mount --make-slave $mountpoint" permission, use allow_mount directive followed by "any $mountpoint --make-slave $options".
To grant "mount --make-shared $mountpoint" permission, use allow_mount directive followed by "any $mountpoint --make-shared $options".

Directories that are not allowed to be unmounted

To reject unmount requests, use the deny_unmount directive followed by a Canonicalized Directory.

Usually, specify the /dev/ directory (which contains the /dev/tty? devices used by /sbin/mingetty) and the /dev/pts/ directory (which is used to create pty device files for remote logins).

If /dev/ becomes read-only or /dev/pts/ is unmounted, you can't log in to the system.
Therefore /dev/ and /dev/pts/ must not be unmounted on systems where / is read-only.

Directories that are allowed to chroot to

To grant chroot permission, use allow_chroot directive followed by a Canonicalized Directory.

Usually, grant /var/empty/sshd/, which sshd uses.
In addition, if you have applications that run in a chroot'ed environment or applications that use chroot (for example, /usr/share/empty/ is used by vsftpd), grant such directories too.

Directories that are allowed to be exchanged (pivot_root)

To grant pivot_root permission, use allow_pivot_root directive followed by the new root's Canonicalized Directory and the previous root's Canonicalized Directory.

Usually, you don't need this directive.

Local ports that are not allowed to be bound automatically

To prevent a specific local port from being selected automatically, use the deny_autobind directive followed by a local port number (or a port range, as in the example below).

This directive is intended to prevent specific local ports from being bound for temporary use.
For example, some proxy servers use local port 8080, so port 8080 should not be bound by other PROGRAMs for temporary use.

(Example)

allow_mount none /dev/pts/ devpts 0x0
allow_mount /proc /proc/ proc 0x0
allow_mount usbdevfs /proc/bus/usb/ usbdevfs 0x0
allow_mount none /data/ tmpfs 0xE
allow_mount none /dev/shm/ tmpfs 0xE
allow_mount /dev/hdc /var/www/ ext2 0xF
allow_mount any / --remount 0x0
deny_unmount /dev/
deny_unmount /dev/pts/
deny_unmount /proc/
allow_chroot /var/empty/sshd/
allow_chroot /usr/share/empty/
allow_chroot /var/www/html/
allow_chroot /
deny_autobind 1-1023
deny_autobind 8080

2.4 Domain policy (domain_policy.conf)

This file contains permissions that apply to each domain. The following 5 types of permissions are declared.

You may specify additional conditions for each permission as needed. The syntax for additional conditions is described later.

This file contains all domain definitions. The lines between a domain definition and the next domain definition are interpreted as access permissions for that domain.

MAC for files

To grant file permission, use the following directives.

Directive | Granted operation | Example
1 | Execute | 1 /bin/ls
2 | Write | 2 /dev/null
3 | Write and Execute | -
4 | Read | 4 /proc/meminfo
5 | Read and Execute | -
6 | Read and Write | 6 /dev/null
7 | Read, Write and Execute | -
allow_create | Create regular file | allow_create /var/lock/subsys/crond
allow_unlink | Delete non-directory | allow_unlink /var/lock/subsys/crond
allow_mkdir | Create directory | allow_mkdir /tmp/logwatch.\*/
allow_rmdir | Remove directory | allow_rmdir /tmp/logwatch.\*/
allow_mkfifo | Create FIFO | allow_mkfifo /dev/initctl
allow_mksock | Create UNIX domain socket | allow_mksock /dev/log
allow_mkblock | Create block device file | allow_mkblock /dev/\*
allow_mkchar | Create character device file | allow_mkchar /dev/\*
allow_truncate | Truncate or expand | allow_truncate /etc/mtab
allow_symlink | Create symbolic link | allow_symlink /dev/cdrom
allow_link | Create hard link | allow_link /etc/mtab~\$ /etc/mtab~
allow_rename | Rename | allow_rename /etc/mtab.tmp /etc/mtab
allow_rewrite | Overwrite | allow_rewrite /var/log/messages

You may use wildcards for directives other than 1, 3, 5 and 7. Avoid using directives 3, 5 and 7 wherever possible.

MAC for argv[0]

To restrict the contents of argv[0], use allow_argv0 directive followed by "the pathname of PROGRAM" and "the basename part of argv[0]".

The execve() system call, which is used to execute a program, accepts a filename, argv[] and envp[]. Some programs (e.g. busybox) behave differently depending on the basename of argv[0]. When a program is invoked via a symbolic link, the domain transition of TOMOYO Linux is done based on the Canonicalized Pathname of the filename, while the behavior of the program is determined by argv[0] (usually the same as the filename). For example, in a system that provides /bin/ls and /bin/cat as hard links to busybox, this becomes a loophole that allows programs to behave as cat in the domain of /bin/ls by creating a symbolic link named /tmp/cat that points to /bin/ls and executing /tmp/cat.

The purpose of this directive is to restrict the combinations of filename and argv[0] so that such loopholes won't occur.

MAC for capabilities

To grant capability permission, use allow_capability directive followed by a capability.
The following capabilities are applicable.

Value | Meaning
inet_tcp_create | Grant socket(PF_INET or PF_INET6, SOCK_STREAM, *)
inet_tcp_listen | Grant listen() for PF_INET or PF_INET6, SOCK_STREAM
inet_tcp_connect | Grant connect() for PF_INET or PF_INET6, SOCK_STREAM
use_inet_udp | Grant socket(PF_INET, SOCK_DGRAM, *)
use_inet_ip | Grant socket(PF_INET, SOCK_RAW, *)
use_route | Grant socket(PF_ROUTE, *, *)
use_packet | Grant socket(PF_PACKET, *, *)
use_kernel_module | Grant create_module(2) init_module(2) delete_module(2)
create_fifo | Grant mknod(2) for FIFO.
create_block_dev | Grant mknod(2) for block device.
create_char_dev | Grant mknod(2) for character device.
create_unix_socket | Grant mknod(2) for unix domain sockets.
SYS_MOUNT | Grant mount(2)
SYS_UMOUNT | Grant umount(2)
SYS_REBOOT | Grant reboot(2)
SYS_CHROOT | Grant chroot(2)
SYS_KILL | Grant kill(2) tkill(2) tgkill(2) with non-0 signal.
SYS_VHANGUP | Grant vhangup(2)
SYS_TIME | Grant stime(2) settimeofday(2) adjtimex(2)
SYS_NICE | Grant nice(2) setpriority(2)
SYS_SETHOSTNAME | Grant sethostname(2) setdomainname(2)
SYS_LINK | Grant link(2)
SYS_SYMLINK | Grant symlink(2)
SYS_RENAME | Grant rename(2)
SYS_UNLINK | Grant unlink(2)
SYS_CHMOD | Grant chmod(2) fchmod(2)
SYS_CHOWN | Grant chown(2) fchown(2) lchown(2)
SYS_IOCTL | Grant ioctl(2) compat_sys_ioctl(2)
SYS_KEXEC_LOAD | Grant kexec_load(2)
SYS_PIVOT_ROOT | Grant pivot_root(2)

The purpose of the allow_capability directive is to restrict the system calls that a PROGRAM can make.
For some system calls, other directives and policy files allow stricter restrictions.

MAC for networking addresses and ports

To grant permission for ports, use the allow_network directive followed by the protocol (TCP, UDP or RAW), an IP address, and a port number (for TCP or UDP) or protocol number (for RAW). This permission is applicable to IPv4 and IPv6.

Directive | Granted operation | Example
allow_network TCP bind | Bind to local TCP address/port. | allow_network TCP bind 0.0.0.0 80
allow_network TCP listen | Listen on local TCP address/port. | allow_network TCP listen 0.0.0.0 80
allow_network TCP accept | Accept from and communicate with remote TCP address/port. | allow_network TCP accept 10.0.0.0-10.255.255.255 1024-65535
allow_network TCP connect | Connect to and communicate with remote TCP address/port. | allow_network TCP connect 127.0.0.1 1024-65535
allow_network UDP bind | Bind to local UDP address/port. | allow_network UDP bind 0.0.0.0 53
allow_network UDP connect | Communicate with remote UDP address/port. | allow_network UDP connect 127.0.0.1 53
allow_network RAW bind | Bind to local IP address/protocol. | allow_network RAW bind 127.0.0.1 255
allow_network RAW connect | Communicate with remote IP address/protocol. | allow_network RAW connect 10.0.0.1 1

Use of "::" for IPv6 address representation is not supported. You need to use "0:0:0:0:0:0:0:1" for "::1".

MAC for signals

To grant permissions for signals, use the allow_signal directive followed by a signal number and a Target domain.

There are two exceptions. If signal number is 0, it is always granted. If the Target domain and the Source domain are the same, it is always granted.

In other cases, signals are granted only when the signal number matches and the Target domain starts with the Target domain declared with this directive.

If only <kernel> is declared as a Target domain, the Source domain can send signals to any domain with that signal number.

Conditional permission

TOMOYO Linux 1.2 supports conditional permissions. The condition clause is appended to the tail of each permission using the "if" directive.

Example | Meaning
4 /etc/passwd | Allow reading /etc/passwd.
4 /etc/passwd if task.uid=0 | Allow reading /etc/passwd if the process's UID is 0.
4 /etc/passwd if task.uid!=0 | Allow reading /etc/passwd if the process's UID is not 0.
allow_network TCP connect 10.0.0.1 80 | Connect to 10.0.0.1 port 80 using TCP.
allow_network TCP connect 10.0.0.1 80 if task.uid=100 | Connect to 10.0.0.1 port 80 using TCP if the process's UID is 100.
allow_capability SYS_KILL | Allow calling kill(2).
allow_capability SYS_KILL if task.ppid=1 task.uid=0 task.euid=0 | Allow calling kill(2) if the process is a child of /sbin/init and the process's UID is 0 and the process's EUID is 0.

The following variables are available.

Variable | Meaning
task.uid | UID of current process
task.euid | EUID of current process
task.suid | SUID of current process
task.fsuid | FSUID of current process
task.gid | GID of current process
task.egid | EGID of current process
task.sgid | SGID of current process
task.fsgid | FSGID of current process
task.pid | PID of current process
task.ppid | PID of parent process
path1.uid | UID of object.
path1.gid | GID of object.
path1.ino | i-node number of object.
path1.parent.uid | UID of object's parent directory.
path1.parent.gid | GID of object's parent directory.
path1.parent.ino | i-node number of object's parent directory.
path2.parent.uid | UID of object's parent directory.
path2.parent.gid | GID of object's parent directory.
path2.parent.ino | i-node number of object's parent directory.

"path1" corresponds to the first pathname of operations that require pathnames, and "path2" corresponds to the second pathname of operations that require pathnames. For example, in the case of "allow_rename file1 file2", path1 corresponds to file1 and path2 corresponds to file2.

"path1.uid" and "path1.gid" are not available for pathnames that don't exist. Thus, you cannot use them for operations that create pathnames (such as the allow_create directive).

"path1.parent.uid" and "path1.parent.gid" are always available.

"path2.parent.uid" and "path2.parent.gid" are available only for operations that require 2 pathnames (in other words, the allow_link and allow_rename directives).

"path2.uid" and "path2.gid" are not supported. (If "path2" already exists for a "rename" operation, an "unlink" or "rmdir" operation is performed implicitly.)

Neither "path1" nor "path2" is supported when accessing via "sysctl" (i.e. accessing files under /proc/sys/ directories using "sysctl" instead of "open").
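An added example, not code from the TOMOYO project, that ties this section together: it parses the domain_policy.conf layout described above (domain definition lines followed by that domain's ACL lines), evaluates the numeric file directives 1-7 with "if task.*" conditions, and applies the allow_signal rules. Exact pathname comparison and the absence of path1/path2 object attributes are assumptions of this model; the policy text is constructed.

```python
"""Checking requests against domain_policy.conf (Section 2.4).

Added example, not code from the TOMOYO project. It parses the file layout
(a domain definition line followed by that domain's ACL lines), evaluates
the numeric file directives 1-7 (read=4, write=2, execute=1) with "if"
conditions on task.* variables, and applies the allow_signal rules.
Assumed: exact pathname comparison; path1/path2 attributes not modelled.
"""

READ, WRITE, EXEC = 4, 2, 1


def parse_domain_policy(text):
    """Map each domain name to its ACL lines (token lists). A line starting
    with "<kernel>" defines a domain; lines up to the next definition belong
    to it.
    """
    domains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("<kernel>"):
            current = line
            domains.setdefault(current, [])
        elif line and current is not None:
            domains[current].append(line.split())
    return domains


def _split_condition(tokens):
    """Split an ACL line into (permission tokens, condition tokens)."""
    if "if" in tokens:
        i = tokens.index("if")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def condition_holds(clauses, task):
    """Evaluate "name=value" / "name!=value" clauses against a task dict.
    All clauses must hold; an unknown variable makes the check fail.
    """
    for clause in clauses:
        if "!=" in clause:
            name, value = clause.split("!=", 1)
            ok = name in task and str(task[name]) != value
        elif "=" in clause:
            name, value = clause.split("=", 1)
            ok = name in task and str(task[name]) == value
        else:
            ok = False
        if not ok:
            return False
    return True


def file_access_allowed(policy, domain, path, wanted, task):
    """True if `domain` may access `path` with permission bits `wanted`.
    The entry's bits must cover every requested bit ("6" covers READ,
    WRITE and READ | WRITE but not EXEC) and its condition must hold.
    """
    for tokens in policy.get(domain, []):
        perm, cond = _split_condition(tokens)
        if len(perm) == 2 and perm[0].isdigit() and 1 <= int(perm[0]) <= 7 \
                and perm[1] == path and int(perm[0]) & wanted == wanted \
                and condition_holds(cond, task):
            return True
    return False


def signal_allowed(policy, source, target, signo, task):
    """Apply the allow_signal rules: signal 0 and same-domain signals are
    always granted; otherwise the number must match and the target domain
    must start with the declared Target domain ("<kernel>" matches any).
    """
    if signo == 0 or source == target:
        return True
    for tokens in policy.get(source, []):
        perm, cond = _split_condition(tokens)
        if perm[0] == "allow_signal" and perm[1] == str(signo) \
                and target.startswith(" ".join(perm[2:])) \
                and condition_holds(cond, task):
            return True
    return False


# Constructed sample policy in the layout described above.
INIT_DOMAIN = "<kernel> /sbin/init"
HTTPD_DOMAIN = "<kernel> /sbin/init /usr/sbin/httpd"
DOMAIN_POLICY = """
<kernel> /sbin/init
use_profile 0
4 /etc/passwd
6 /dev/null
allow_signal 15 <kernel>

<kernel> /sbin/init /usr/sbin/httpd
use_profile 3
4 /etc/passwd if task.uid=0
allow_capability SYS_KILL if task.ppid=1 task.uid=0 task.euid=0
allow_signal 1 <kernel> /sbin/init /usr/sbin/httpd
"""
POLICY = parse_domain_policy(DOMAIN_POLICY)
```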

2.5 Exception policy (exception_policy.conf)

This file contains exceptions for domain access controls. The following 10 types of permissions are declared.

Pathname pattern

To declare a pathname pattern, use the file_pattern directive followed by the pathname pattern. The pathname pattern must be a Canonicalized Pathname. This directive applies neither to granting execute permissions nor to domain definitions.

For example, Canonicalized Pathname that contains a process ID (i.e. /proc/PID/ files) needs to be grouped in order to make access control work well.

The following wildcards are available.

Value | Meaning
\\ | \ itself.
\* | Zero or more repetitions of characters other than '/'.
\@ | Zero or more repetitions of characters other than '/' or '.'.
\? | 1 byte character other than '/'.
\$ | One or more repetitions of decimal digits.
\+ | 1 decimal digit.
\X | One or more repetitions of hexadecimal digits.
\x | 1 hexadecimal digit.
\A | One or more repetitions of alphabet characters.
\a | 1 alphabet character.
\- | Pathname subtraction operator.

The usage of "\-" is shown below.

Expression | Meaning
/etc/\* | All files in the /etc/ directory.
/etc/\*\-\*shadow\* | /etc/\* other than /etc/\*shadow\*
/\*\-proc\-sys/ | /\*/ other than /proc/ and /sys/
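An added example (not code from the TOMOYO project) that applies the wildcard table and the "\-" operator above to Canonicalized Pathnames, including the octal encoding of Section 1.1. The matching semantics follow this page's descriptions, and the sample pathnames are constructed.

```python
"""Pathname patterns (Section 2.5) over Canonicalized Pathnames (Section 1.1).

Added example, not code from the TOMOYO project; the wildcard table and the
"\\-" subtraction operator are implemented as this page describes them.
Sample pathnames are constructed.
"""
import re

# Per-component regular expressions for the wildcard table above.
_WILDCARDS = {
    "*": "[^/]*",         # zero or more characters other than '/'
    "@": "[^/.]*",        # zero or more characters other than '/' or '.'
    "?": "[^/]",          # one byte other than '/'
    "$": "[0-9]+",        # one or more decimal digits
    "+": "[0-9]",         # one decimal digit
    "X": "[0-9A-Fa-f]+",  # one or more hexadecimal digits
    "x": "[0-9A-Fa-f]",   # one hexadecimal digit
    "A": "[A-Za-z]+",     # one or more alphabet characters
    "a": "[A-Za-z]",      # one alphabet character
}


def canonical_encode(raw):
    """Encode a raw pathname (str or bytes) as Section 1.1 describes:
    "\\" becomes "\\\\", bytes outside 0x21-0x7E become octal "\\ooo".
    Symlink resolution and "/../" removal are not modelled here.
    """
    if isinstance(raw, str):
        raw = raw.encode("utf-8")
    out = []
    for b in raw:
        if b == 0x5C:
            out.append("\\\\")
        elif 0x21 <= b <= 0x7E:
            out.append(chr(b))
        else:
            out.append("\\%03o" % b)
    return "".join(out)


def _split_minus(component):
    """Split a component at unescaped "\\-" into [positive, negative, ...]."""
    parts, cur, i = [], "", 0
    while i < len(component):
        if component[i] == "\\" and i + 1 < len(component):
            if component[i + 1] == "-":
                parts.append(cur)
                cur = ""
            else:
                cur += component[i:i + 2]  # keep "\\\\", "\\*", "\\0.." intact
            i += 2
        else:
            cur += component[i]
            i += 1
    parts.append(cur)
    return parts


def _component_regex(pat):
    """Translate one "\\-"-free pattern component into a compiled regex."""
    out, i = "", 0
    while i < len(pat):
        n = pat[i + 1] if pat[i] == "\\" and i + 1 < len(pat) else ""
        if n in _WILDCARDS:
            out, i = out + _WILDCARDS[n], i + 2
        elif n == "\\":
            out, i = out + re.escape("\\\\"), i + 2  # literal backslash
        elif n and n in "01234567":
            out, i = out + re.escape(pat[i:i + 4]), i + 4  # octal escape
        else:
            out, i = out + re.escape(pat[i]), i + 1
    return re.compile(out)


def path_matches(pattern, path):
    """True if a Canonicalized Pathname matches a file_pattern-style pattern:
    file/directory kind (trailing "/") must agree, and each "/"-separated
    component must match its positive part and none of its "\\-" parts.
    """
    if pattern.endswith("/") != path.endswith("/"):
        return False
    pcomps, fcomps = pattern.split("/"), path.split("/")
    if len(pcomps) != len(fcomps):
        return False
    for pc, fc in zip(pcomps, fcomps):
        positive, *negatives = _split_minus(pc)
        if not _component_regex(positive).fullmatch(fc):
            return False
        if any(_component_regex(neg).fullmatch(fc) for neg in negatives):
            return False
    return True
```

Because a space is encoded as "\040" before matching, "\*" still matches a file name containing spaces, and a pattern may spell the octal escape literally.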

Pathname group

To declare a pathname group, use the path_group directive followed by the name of the group and a pathname pattern. For example, if you want to group all files under the home directory, you can define

path_group HOME-DIR-FILE /home/\*/\*
path_group HOME-DIR-FILE /home/\*/\*/\*
path_group HOME-DIR-FILE /home/\*/\*/\*/\*
path_group HOME-DIR-FILE /home/\*/\*/\*/\*/\*
path_group HOME-DIR-FILE /home/\*/\*/\*/\*/\*/\*
path_group HOME-DIR-FILE /home/\*/\*/\*/\*/\*/\*/\*

in the exception policy and use it like

4 @HOME-DIR-FILE

to grant file access permission.

Address group

To declare an address group, use the address_group directive followed by the name of the group and an IP address pattern. For example, if you want to group all local addresses, you can define

address_group local-address 10.0.0.0-10.255.255.255
address_group local-address 172.16.0.0-172.31.255.255
address_group local-address 192.168.0.0-192.168.255.255

in the exception policy and use it like

allow_network TCP accept @local-address 1024-65535

to grant network access permission.

Unconditionally readable files

To grant unconditionally readable permissions, use the allow_read directive followed by a Canonicalized File. This directive is intended to reduce the size of the Domain policy by granting read access to library files such as GLIBC and locale files. You should not grant this to password files such as /etc/passwd, for all processes can then read them if DAC permits.

Files that aren't rewritable by default

To deny overwriting the already written contents of files (such as log files) by default, use the deny_rewrite directive followed by a pathname pattern. Files whose pathnames match the patterns may not be opened for writing without append mode, or truncated, unless the pathnames are explicitly granted using the allow_rewrite directive in domain policy.

Programs invocable via symbolic links

To allow executing programs using the name of a symbolic link, use the alias directive followed by the dereferenced pathname and the symbolic link's pathname. This directive is intended to let programs that behave differently depending on the invocation name, and that are referenced via symbolic links instead of hard links, transition domains using the symbolic link's name.

For example, /sbin/pidof is a symbolic link to /sbin/killall5. Normally, if /sbin/pidof is executed, the domain is defined as if /sbin/killall5 were executed. By specifying "alias /sbin/killall5 /sbin/pidof", you can run /sbin/pidof in the domain for /sbin/pidof.

Program aggregations

To treat multiple programs as a single program, use the aggregator directive followed by the name of the original program and the aggregated name. This directive is intended to aggregate similar programs.

For example, /usr/bin/tac and /bin/cat are similar. By specifying "aggregator /usr/bin/tac /bin/cat", you can run /usr/bin/tac in the domain for /bin/cat.

For example, /usr/sbin/logrotate on Fedora Core 3 generates programs like /tmp/logrotate.\?\?\?\?\?\? and runs them, but TOMOYO Linux doesn't allow using patterns for granting execute permission and defining domains. By specifying "aggregator /tmp/logrotate.\?\?\?\?\?\? /tmp/logrotate.tmp", you can run /tmp/logrotate.\?\?\?\?\?\? as if /tmp/logrotate.tmp were running.

Programs that cause domain transition initialization

To initialize domain transition when a specific PROGRAM is executed, use the initialize_domain directive.

If the "from" part and what follows it are omitted, the entry applies to all DOMAINs. If the DOMAIN does not start with "<kernel>", the entry applies to all DOMAINs whose domainname ends with "the last PROGRAM part of DOMAIN".

This directive is intended to aggregate domain transitions for daemon PROGRAMs and PROGRAMs that are invoked by the kernel on demand, by transitioning them to a different domain.

Programs that prevent domain transition initialization

To deny the effect of "initialize_domain" directive, use "no_initialize_domain" directive.

Use this directive when you don't want to initialize domain transition.

Domains that prevent domain transition

To prevent domain transition when a PROGRAM is executed from a specific DOMAIN, use the keep_domain directive.

If the "from" part and what precedes it are omitted, this entry applies to all PROGRAMs. If the DOMAIN does not start with "<kernel>", the entry applies to all DOMAINs whose domainname ends with "the last PROGRAM part of DOMAIN".

This directive is intended to reduce the total number of domains and memory usage by suppressing unneeded domain transitions.

To declare domain keepers, use the keep_domain directive followed by a domain definition.

A process that belongs to a domain declared with this directive stays in that domain unless it executes a program registered with the initialize_domain directive.

Domains that cause domain transition

To deny the effect of "keep_domain" directive, use "no_keep_domain" directive.

Use this directive when you want to escape from a DOMAIN that is kept by "keep_domain" directive.


3. /proc/ccs/ interface

This is the interface to read/append/delete policies after boot. Only PROGRAMs that are declared in Policy Manager Definition can append/delete policies.

3.1 profile

This file is to get or set the value of current control status.

(Example)
cat /proc/ccs/profile
echo 'MAC_FOR_FILE=1' > /proc/ccs/profile

3.2 system_policy

This file is to read, append or delete current System policy.

(Example)
echo 'allow_mount /proc /proc/ proc' > /proc/ccs/system_policy
echo 'delete allow_mount /proc /proc/ proc' > /proc/ccs/system_policy
cat /proc/ccs/system_policy

3.3 domain_policy

This file is to read, append or delete current Domain policy.

(Example) Selecting specific domain and appending ACLs. The domain will be created if nonexistent.
printf "<kernel> /sbin/init\n4 /etc/passwd\n" > /proc/ccs/domain_policy

(Example) Selecting specific domain and appending ACLs. The domain won't be created if nonexistent.
printf "select <kernel> /sbin/init\n4 /etc/passwd\n" > /proc/ccs/domain_policy

(Example) Selecting specific domain and removing ACLs.
printf "select <kernel> /sbin/init\ndelete 4 /etc/passwd\ndelete 4 /etc/shadow\n" > /proc/ccs/domain_policy

(Example) Deleting specific domain.
printf "delete <kernel> /sbin/init\n" > /proc/ccs/domain_policy

(Example) Reading current domain policy.
cat /proc/ccs/domain_policy

3.4 exception_policy

This file is to read, append or delete current Exception policy.

(Example)
echo 'file_pattern /proc/\$/status' > /proc/ccs/exception_policy
echo 'delete file_pattern /proc/\$/status' > /proc/ccs/exception_policy
cat /proc/ccs/exception_policy

3.5 query

This file is used to manually grant or reject individual access requests when a policy violation occurs in enforce mode. If a policy violation occurs in a process whose domain is assigned a profile for enforce mode with "ALLOW_ENFORCE_GRACE=1", the administrator can judge it interactively using the "ccs-queryd" command.

3.6 manager

This file is used to read or append the list of PROGRAMS or DOMAINS that can write to /proc/ccs/ interface.

3.7 .domain_status

This is a view (in the DBMS sense) that contains only the profile number and domainname of each domain, so that the "setprofile" command can easily process it line by line.

3.8 meminfo

This file is to show the total RAM used to keep policy in the kernel by TOMOYO Linux.

(Example)
cat /proc/ccs/meminfo

3.9 grant_log

This file holds the granted log. The reader process returns immediately if no granted logs exist. To wait until a granted log is generated, use select(2) for readability. The max number of logs that the kernel can hold is limited to MAX_GRANT_LOG, so read them out promptly.

(Example)
cat /proc/ccs/grant_log

3.10 reject_log

This file holds the rejected log. The reader process returns immediately if no violation logs exist. To wait until a violation log is generated, use select(2) for readability. The max number of logs that the kernel can hold is limited to MAX_REJECT_LOG, so read them out promptly.

(Example)
cat /proc/ccs/reject_log

3.11 self_domain

This file is to show the name of domain the caller process belongs to.

(Example)
cat /proc/ccs/self_domain

3.12 .process_status

This file is used by the "ccstree" command to show the list of processes currently running, the domain each process belongs to, and the profile number currently assigned to that domain, in the manner of the "pstree" command. This file is writable by PROGRAMs that aren't registered as policy managers.

3.13 .updates_counter

This file is a counter used by policy update monitor programs so that they can easily find out whether the policies may have changed since the last check. The counter value is reset to 0 whenever it is read.

