Last modified: $Date: 2006-11-25 10:18:46 +0900 (Sat, 25 Nov 2006) $
SYAORAN uses canonicalized absolute pathnames ("Canonicalized Pathnames") as seen by the kernel, which contain neither symbolic links nor "..".
If a process is running in a chroot'ed environment, pathnames are computed from outside the chroot'ed directory, i.e. relative to the real root.
Canonicalized directory names always end with "/", and canonicalized file names never end with "/".
A Canonicalized Pathname contains only characters in the ASCII printable range (0x21 to 0x7E).
Thus the space character (0x20) is represented as \040, the \ character (0x5C) itself is represented as \\, and all other non-printable bytes (0x01 to 0x20 and 0x7F to 0xFF) are represented in octal (\ooo).
Since spaces, carriage returns and tabs are treated as delimiters, you must use the octal representations to include those characters in a Canonicalized Pathname.
The policy file lists the entries that the /dev directory is allowed to contain.
There are many device files in the /dev directory, but only a few dozen are needed for a system to work.
Further, it is mandatory for system security that each device file is always associated with the correct device.
For example, if /dev/null exists as block device 8:0 (/dev/sda) instead of character device 1:3, everything programs write to /dev/null is written to the beginning of the SCSI hard disk, and its contents are destroyed at a blow.
The format of this file is as follows.
List one entry per line. An entry has at most 9 elements.
filename | The name of the file as seen from the mount point, without the leading / . |
permission | The permission bits of the file in octal, between 000 and 777. |
owner | The owner (UID) of the file in decimal. |
group | The group (GID) of the file in decimal. |
flags | A combination of the following values. |
type | The type of the file, one of 'd' (directory), 'p' (FIFO), 's' (socket), 'c' (character device), 'b' (block device), 'l' (symbolic link), 'f' (regular file). |
symlink_data | The target of the symbolic link, which is created automatically when the filesystem is mounted. Required only if type is 'l'. |
major | The major number in decimal. Required only if type is 'c' or 'b'. |
minor | The minor number in decimal. Required only if type is 'c' or 'b'. |
Lines are separated by '\n'.
The 'filename' must be in canonicalized form, but the trailing / may be omitted in this policy file.
The 'symlink_data' need not be a Canonicalized Pathname, but you must use the \\ and \ooo escapes to include non-printable characters.
How to use:
Step 1 | Generate the policy file with 'flags' = 0. |
Step 2 | Mount the filesystem in accept mode. If this file is at /etc/ccs/syaoran.conf and you want to mount on /dev, run: mount -t syaoran -o accept=/etc/ccs/syaoran.conf none /dev |
Step 3 | Run the system as usual, and the 'flags' values will be updated according to the actual device file accesses. |
Step 4 | The result of the file access tracing is readable via the file .syaoran, which exists directly under the mount point. Edit it (removing unnecessary symbolic links etc.) and save it as /etc/ccs/syaoran.conf. The tracing reflects to .syaoran only those block and character device files that were actually opened, so it can be used to identify and remove unnecessary device files. Directories, FIFOs, sockets, symbolic links and regular files are always reflected to .syaoran, whether or not they were opened. |
Step 5 | Unmount the filesystem. |
Step 6 | To mount the filesystem in enforce mode, run: mount -t syaoran -o enforce=/etc/ccs/syaoran.conf none /dev In enforce mode, 'flags' values are not updated. Whenever a policy violation (caused by a missing entry or insufficient flags) occurs, a message beginning with "SYAORAN-ERROR:" is logged. You can pick up the messages with the following command: dmesg | grep ^SYAORAN-ERROR: |
You can set the default mode for this filesystem by passing SYAORAN=accept or SYAORAN=enforce on the kernel command line. If the default mode is given on the command line, the 'accept=' or 'enforce=' option may be omitted at mount time.
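The Canonicalized Pathname escaping, the policy file format and Step 1 of the procedure, worked through as an added example. This is not SYAORAN's own code: the function names, the error messages and the layout of the returned entries are my choices, and the scratch directory the last function builds is constructed sample input standing in for /dev (it holds no device nodes, since mknod needs root).

```python
"""Added example, not SYAORAN/TOMOYO code: build a Step-1 policy file for a directory
(flags = 0), parse and validate a policy file against the format above, and compare a
policy with what is really on disk.  Entry order: filename permission owner group flags type."""
import os
import stat
import tempfile

KINDS = {"d": stat.S_ISDIR, "p": stat.S_ISFIFO, "s": stat.S_ISSOCK, "c": stat.S_ISCHR,
         "b": stat.S_ISBLK, "l": stat.S_ISLNK, "f": stat.S_ISREG}   # the seven 'type' letters

def escape(name: str) -> str:
    """Canonicalized Pathname escaping: bytes 0x01-0x20 and 0x7F-0xFF become \\ooo
    and a backslash becomes \\\\, so only 0x21-0x7E remain."""
    out = []
    for byte in name.encode("utf-8", "surrogateescape"):
        if byte == 0x5C:
            out.append("\\\\")
        elif 0x21 <= byte <= 0x7E:
            out.append(chr(byte))
        else:
            out.append("\\%03o" % byte)
    return "".join(out)

def format_entry(relname: str, st: os.stat_result, path: str, flags: int = 0) -> str:
    """One policy line for an lstat()ed object (trailing '/' on directories omitted)."""
    kind = next(k for k, test in KINDS.items() if test(st.st_mode))
    fields = [escape(relname), "%03o" % (st.st_mode & 0o777), str(st.st_uid), str(st.st_gid),
              str(flags), kind]
    if kind == "l":
        fields.append(escape(os.readlink(path)))   # escaped, but need not be canonical
    elif kind in "cb":
        fields += [str(os.major(st.st_rdev)), str(os.minor(st.st_rdev))]
    return " ".join(fields)

def generate(root: str) -> list:
    """Step 1: one entry with flags = 0 for every object below root, names relative to root."""
    lines, todo = [], [(root, "")]
    while todo:
        dirpath, rel = todo.pop()
        with os.scandir(dirpath) as it:
            for entry in sorted(it, key=lambda e: e.name):
                st = entry.stat(follow_symlinks=False)   # never follow symlinks
                lines.append(format_entry(rel + entry.name, st, entry.path))
                if stat.S_ISDIR(st.st_mode):
                    todo.append((entry.path, rel + entry.name + "/"))
    return lines

def parse(text: str) -> list:
    """Parse a policy file, enforcing the rules above; raises ValueError on a bad entry."""
    entries = []
    for no, line in enumerate(text.split("\n"), 1):
        f = line.split()   # space, tab and CR are the delimiters
        if not f or f[0].startswith("#"):
            continue
        if len(f) < 6:
            raise ValueError("line %d: fewer than 6 fields" % no)
        name, perm, owner, group, flags, kind = f[:6]
        ok_name = (not name.startswith("/") and ".." not in name.split("/")
                   and all(0x21 <= ord(c) <= 0x7E for c in name))
        ok_perm = len(perm) == 3 and all(c in "01234567" for c in perm)
        if not ok_name or not ok_perm or kind not in KINDS or (name.endswith("/") and kind != "d"):
            raise ValueError("line %d: bad filename, permission or type" % no)
        e = {"filename": name.rstrip("/"), "permission": int(perm, 8), "owner": int(owner),
             "group": int(group), "flags": int(flags), "type": kind}
        rest = f[6:]
        if kind == "l" and len(rest) == 1:
            e["symlink_data"] = rest[0]
        elif kind in "cb" and len(rest) == 2:
            e["major"], e["minor"] = int(rest[0]), int(rest[1])
        elif rest or kind in "lcb":
            raise ValueError("line %d: wrong field count for type %s" % (no, kind))
        entries.append(e)
    return entries

def mismatches(root: str, policy: str) -> list:
    """The check behind the /dev/null example above: policy entries whose on-disk object
    is missing or differs in anything other than flags."""
    actual = {e["filename"]: e for e in parse("\n".join(generate(root)))}
    bad = []
    for want in parse(policy):
        got = actual.get(want["filename"])
        if got is None:
            bad.append((want["filename"], "missing"))
            continue
        for key, value in want.items():
            if key != "flags" and got.get(key) != value:
                bad.append((want["filename"], "%s: policy %r, actual %r" % (key, value, got.get(key))))
    return bad

def make_sample_tree() -> str:
    """Constructed sample input standing in for /dev (d, p, l and f objects only)."""
    os.umask(0)   # so the modes below are applied exactly as written
    root = tempfile.mkdtemp(prefix="syaoran-")
    os.mkdir(os.path.join(root, "pts"), 0o755)
    os.mkfifo(os.path.join(root, "initctl"), 0o600)
    os.symlink("/proc/self/fd", os.path.join(root, "fd"))
    os.close(os.open(os.path.join(root, "a b"), os.O_CREAT | os.O_WRONLY, 0o644))   # space -> \040
    return root
```

Running generate("/dev") as root yields the Step 1 file; generate(make_sample_tree()) shows the same output on the scratch tree, with the file "a b" emitted as a\040b. mismatches(root, policy) is what you would run before switching to enforce mode: any entry it reports is one the kernel would refuse, or, worse, one whose device numbers no longer point where the policy says they do.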
The required files depend on your system.
#filename | permission | owner | group | flags | type | symlink_data (type l) or major (type c/b) | minor (type c/b) |
pts | 755 | 0 | 0 | 0 | d | ||
shm | 755 | 0 | 0 | 0 | d | ||
fd | 777 | 0 | 0 | 0 | l | /proc/self/fd | |
stdin | 777 | 0 | 0 | 0 | l | /proc/self/fd/0 | |
stdout | 777 | 0 | 0 | 0 | l | /proc/self/fd/1 | |
stderr | 777 | 0 | 0 | 0 | l | /proc/self/fd/2 | |
null | 666 | 0 | 0 | 0 | c | 1 | 3 |
zero | 666 | 0 | 0 | 0 | c | 1 | 5 |
random | 644 | 0 | 0 | 0 | c | 1 | 8 |
urandom | 644 | 0 | 0 | 0 | c | 1 | 9 |
tty | 666 | 0 | 0 | 0 | c | 5 | 0 |
tty0 | 600 | 0 | 0 | 12 | c | 4 | 0 |
tty1 | 600 | 0 | 0 | 12 | c | 4 | 1 |
tty2 | 600 | 0 | 0 | 12 | c | 4 | 2 |
tty3 | 600 | 0 | 0 | 12 | c | 4 | 3 |
tty4 | 600 | 0 | 0 | 12 | c | 4 | 4 |
tty5 | 600 | 0 | 0 | 12 | c | 4 | 5 |
tty6 | 600 | 0 | 0 | 12 | c | 4 | 6 |
tty7 | 600 | 0 | 0 | 12 | c | 4 | 7 |
tty8 | 600 | 0 | 0 | 12 | c | 4 | 8 |
cdrom | 777 | 0 | 0 | 3 | l | /dev/scd0 | |
mouse | 777 | 0 | 0 | 3 | l | psaux | |
console | 600 | 0 | 0 | 1 | c | 5 | 1 |
fd0 | 660 | 0 | 19 | 0 | b | 2 | 0 |
fd1 | 660 | 0 | 19 | 0 | b | 2 | 1 |
fd2 | 660 | 0 | 19 | 0 | b | 2 | 2 |
fd3 | 660 | 0 | 19 | 0 | b | 2 | 3 |
hda | 660 | 0 | 6 | 0 | b | 3 | 0 |
hda1 | 660 | 0 | 6 | 0 | b | 3 | 1 |
hda2 | 660 | 0 | 6 | 0 | b | 3 | 2 |
hda3 | 660 | 0 | 6 | 0 | b | 3 | 3 |
hda5 | 660 | 0 | 6 | 0 | b | 3 | 5 |
hda6 | 660 | 0 | 6 | 0 | b | 3 | 6 |
hda7 | 660 | 0 | 6 | 0 | b | 3 | 7 |
hda8 | 660 | 0 | 6 | 0 | b | 3 | 8 |
hda9 | 660 | 0 | 6 | 0 | b | 3 | 9 |
hda10 | 660 | 0 | 6 | 0 | b | 3 | 10 |
hda11 | 660 | 0 | 6 | 0 | b | 3 | 11 |
hda12 | 660 | 0 | 6 | 0 | b | 3 | 12 |
initctl | 600 | 0 | 0 | 3 | p | ||
log | 666 | 0 | 0 | 15 | s | ||
rtc | 644 | 0 | 0 | 0 | c | 10 | 135 |
ptmx | 666 | 0 | 0 | 0 | c | 5 | 2 |
ram | 777 | 0 | 0 | 3 | l | /dev/ram0 | |
ram0 | 660 | 0 | 6 | 0 | b | 1 | 0 |
ram1 | 660 | 0 | 6 | 0 | b | 1 | 1 |
sda | 660 | 0 | 6 | 0 | b | 8 | 0 |
initrd | 660 | 0 | 6 | 1 | b | 1 | 250 |
psaux | 600 | 0 | 0 | 0 | c | 10 | 1 |
apm_bios | 600 | 0 | 0 | 0 | c | 10 | 134 |
cpu | 755 | 0 | 0 | 0 | d | ||
cpu/0 | 755 | 0 | 0 | 0 | d | ||
cpu/0/microcode | 600 | 0 | 0 | 0 | c | 10 | 184 |
ttyS0 | 660 | 0 | 14 | 0 | c | 4 | 64 |
ttyS1 | 660 | 0 | 14 | 0 | c | 4 | 65 |
ttyS2 | 660 | 0 | 14 | 0 | c | 4 | 66 |
ttyS3 | 660 | 0 | 14 | 0 | c | 4 | 67 |
ptal-printd | 777 | 0 | 0 | 3 | l | /var/run/ptal-printd | |
gpmctl | 700 | 0 | 0 | 3 | s | ||
scd0 | 660 | 0 | 6 | 0 | b | 11 | 0 |