Info: Version 1.4.1 is available.
Last modified: $Date: 2011-07-01 13:55:23 +0900 (Fri, 01 Jul 2011) $
1.2 Domain definitions and Domain transitions rule
2.1 Policy Manager Definition (manager.txt)
2.2 Profile Definition (status.txt)
2.3 System policy (system_policy.txt)
2.4 Domain policy (domain_policy.txt)
2.5 Exception policy (exception_policy.txt)
2.6 Mapping Definition (mapping.txt)
Canonicalized Pathname | A pathname that begins with "/" and contain neither symbolic links, "/./", "//" nor "/../" . (There is one exception. Process information directory for current process that is accessible via "/proc/self/" directory is represented as is.) Even if a process is running under chroot'ed environment, Canonicalized Pathname is calculated from outside the chroot'ed environment. Canonicalized Pathname contains only ASCII printable range (from 0x21 to 0x7E) characters. Thus, "\" character (0x5C) itself is represented as "\\", and all other non-printable characters (from 0x01 to 0x20, from 0x7F to 0xFF) are represented using octal expressions("\ooo") (for example, the space character (0x20) is represented as "\040"). |
Canonicalized Directory | A Canonicalized Pathname that ends with "/". |
Canonicalized File | A Canonicalized Pathname that doesn't end with "/". Canonicalized File includes all file types other than directory (i.e. regular file, character device, block device, FIFO, symbolic link, socket). |
PROGRAM | A Canonicalized File that is executable. |
Domain | An attribute that is used for MAC (Mandatory Access Control). |
Destination Domain | A domain that the process will belong to if the process successfully executes a PROGRAM. |
Target Domain | A domain that the target process belongs to. |
In TOMOYO Linux, every process belongs to a single domain, and all PROGRAM belong to different domain.
Even the two processes are executing the same PROGRAM, if their previous domains differ, they belong to different domain.
All domains are defined originating from "<kernel>" domain, which the kernel process belongs to.
Since /sbin/init is invoked by the "<kernel>" domain, the domain for /sbin/init is defined as "<kernel> /sbin/init".
Since /etc/rc.d/rc is invoked by /sbin/init invoked by the kernel, the domain for /etc/rc.d/rc is defined as "<kernel> /sbin/init /etc/rc.d/rc".
There are some PROGRAMs that behave differently depending on the invocation name.
For example, /sbin/pidof is a symbolic link to /sbin/killall5 .
Since TOMOYO Linux uses Canonicalized Pathname, if /sbin/pidof is executed, the domain is defined as if /sbin/killall5 is executed.
When a process tries to execute a PROGRAM, the following steps are performed.
Step | Procedure |
Getting program's name |
Get the name of PROGRAM that the process is going to execute and keep it as "Candidate 1". This procedure dereferences if the program is a symbolic link. Get the name of PROGRAM that the process is going to execute and keep it as "Candidate 2". This procedure does NOT dereference if the program is a symbolic link. |
Handling symbolic links |
If "Candidate 1" and "Candidate 2" differ, search exception policy for
and if found one, replace "Candidate 1" with "Candidate 2". |
Aggregating similar programs |
Search exception policy for
and if found one, replace "Candidate 1" with "aggregated name". |
Checking argv[0] |
If the basename of "Candidate 2" and the basename of argv[0] differ, search domain policy for
and deny if not found one. |
Checking permission |
Search domain policy for
and deny if not found one. |
Deciding Destination domain |
(1) Search exception policy for
and if found one, jump to (3). (2) Search exception policy for
and if found one, concatenate "the name of the domain that the kernel belongs to (i.e. <kernel>)" and "Candidate 1" and keep the result as Destination domain, then jump to (6). (3) Search exception policy for
and if found one, jump to (5). (4) Search exception policy for
and if found one, set "the name of the domain the current process belongs to" as Destination domain, then jump to (6). (5) Concatenate "the name of the domain the current process belongs to" and "Candidate 1" and keep the result as Destination domain. (6) Check whether the Destination domain is defined, and deny if not. (7) Performe regular steps for executing PROGRAM. If successfully completed, the process transits to Destination domain. |
All policy files are kept in /etc/ccs/ directory. Files in this directory are loaded just before starting /sbin/init by /.init .
Since it is not secure that all processes can modify policies, this file defines PROGRAM or DOMAIN that can do write access to /proc/ccs/ interface.
PROGRAM or DOMAIN that are not declared in this file cannot do write access to /proc/ccs/ interface. If you don't allow policy updates at production state, delete this file.
(Example)
/root/ccstools/loadpolicy
/root/ccstools/editpolicy
/root/ccstools/setlevel
/root/ccstools/setprofile
/root/ccstools/ld-watch
/root/ccstools/ccs-queryd
<kernel> /sbin/mingetty /root/bin/bash
TOMOYO Linux can perform several MACs besides MAC for files, but to reduce the load of policy managements, you can disable MACs you think unnecessary.
Variable | Meaning | Accept mode support |
MAC_FOR_FILE | Enable Mandatory Access Control(MAC) for files. | Yes |
MAC_FOR_ARGV0 | Enable MAC for argv[0] checks. | Yes |
MAC_FOR_CAPABILITY::*** | Enable MAC for capabilities. The *** matches to values that can be given using allow_capability directive described in Domain policy. |
Yes |
MAC_FOR_NETWORK | Enable MAC for network addresses and ports. | Yes |
MAC_FOR_SIGNAL | Enable MAC for signal. | Yes |
DENY_CONCEAL_MOUNT | Forbid mount requests that hides an existing mount. | No |
RESTRICT_CHROOT | Enable restrictions for chroot directories. | Yes |
RESTRICT_MOUNT | Enable restrictions for mount parameters. | Yes |
RESTRICT_UNMOUNT | Forbid unmount requests for specified directories. | No |
RESTRICT_PIVOT_ROOT | Enable restrictions for pivot_root directories. | Yes |
RESTRICT_AUTOBIND | Forbid selecting specific local port number when automatic local port binding happens. | No |
MAX_ACCEPT_ENTRY | Limits the max number of ACL entries that are automatically appended during accept mode. | - |
MAX_GRANT_LOG | Limits the max number of grant logs that the kernel can hold. | - |
MAX_REJECT_LOG | Limits the max number of reject logs that the kernel can hold. | - |
TOMOYO_VERBOSE | Dump domain policy violation messages to syslog. | - |
ALLOW_ENFORCE_GRACE | Allow administrator judge access requests that violates policy in enforce mode interactively. | - |
You can give the following values for RESTRICT_AUTOBIND
Value | Meaning |
0 | Off. Works as if regular kernel. |
1 | On. |
You can give the following values for MAX_ACCEPT_ENTRY
Value | Meaning |
any integer | The max number of ACL entries that are automatically appended during accept mode. The default is given at the kernel compilation time. |
You can give the following values for MAX_GRANT_LOG and MAX_REJECT_LOG
Value | Meaning |
any integer | The max number of logs that the kernel can hold. The default is given at the kernel compilation time. |
You can give the following values for TOMOYO_VERBOSE
Value | Meaning |
0 | Don't dump domain policy violation messages. |
1 | Dump domain policy violation messages. |
You can give the following values for ALLOW_ENFORCE_GRACE
Value | Meaning |
0 | Reject immediately if the access requests that violated policy in enforce mode. |
1 | Allow administrator judge the access requests that violated policy in enforce mode interactively. |
You can give the following values for all but listed above.
Value | Meaning |
0 | Disabled. Works as if regular kernel. |
1 | Accept mode. Not rejected if the request violates policy. Automatically appended to policy. |
2 | Permissive mode. Not rejected if the request violates policy. Not appended to policy automatically. |
3 | Enforce mode. Rejected if the request violates policy. |
List up functions and their modes in "$number-$variable=$value" format. The $number is profile number between 0 and 255. To switch profiles currently assigned to domains, use "setprofile" command. The currently assigned profile number are kept in the Domain policy (domain_policy.txt) using "use_profile" directive.
This file contains permissions that apply to the entire system. The following 4 types of permissions are declared.
To grant mount permission, use allow_mount directive followed by "$devicefile $mountpoint $filesystem $options".
The $devicefile need to be a Canonicalized File if the $filesystem requires device file.
The $mountpoint must be a Canonicalized Directory.
The $options are the choice of dev,nodev,exec,noexec,suid,nosuid,rw,ro,atime,noatime,diratime,nodiratime,recurse,norecurse. The $options overrides the user's requests. For example, if rw is given for $options, the kernel will mount for read-write even if the user requested to mount for read-only. The $options can be omitted.
To grant "mount -o remount $mountpoint" permission, use allow_mount directive followed by "any $mountpoint --remount $options".
To grant "mount --bind $source_dir $dest_dir" and "mount --move $source_dir $dest_dir" permission, use allow_mount directive followed by "$source_dir $dest_dir --bind" and "$source_dir $dest_dir --move" respectively. The $source_dir and $dest_dir must be Canonicalized Directory.
Kernel 2.6.15 and later supports "Shared Subtree" functionality.
To grant "mount --make-unbindable $mountpoint" permission, use allow_mount directive followed by "any $mountpoint --make-unbindable $options".
To grant "mount --make-private $mountpoint" permission, use allow_mount directive followed by "any $mountpoint --make-private $options".
To grant "mount --make-slave $mountpoint" permission, use allow_mount directive followed by "any $mountpoint --make-slave $options".
To grant "mount --make-shared $mountpoint" permission, use allow_mount directive followed by "any $mountpoint --make-shared $options".
The $options are either recurse or norecurse. The $options overrides the user's requests. For example, if recurse is given for $options, the kernel will mount for recurse even if the user requested to mount for norecurse. The $options can be omitted.
To reject unmount request, use deny_unmount directive followed by a Canonicalized Directory.
Usually, specify /dev/ directory (that contains /dev/tty? used by /sbin/mingetty) and /dev/pts/ directory (that are used to create pty device files for remote login).
If /dev/ becomes read-only or /dev/pts/ is unmounted, you can't login to the system.
Therefore /dev/ and /dev/pts/ must not be unmounted for systems where / is read-only.
To grant chroot permission, use allow_chroot directive followed by a Canonicalized Directory.
Usually, grant /var/empty/sshd/ that sshd uses.
In addition, if you have applications that runs in the chroot'ed environment or applications that uses chroot (for example, /usr/share/empty/ is used by vsftpd), grant such directories too.
To grant pivot_root permission, use allow_pivot_root directive followed by the new root's Canonicalized Directory and the previous root's Canonicalized Directory.
Usually, you don't need this directive.
To prevent specific local port from being selected automatically, use deny_autobind directive followed by local port number.
This directive is intended to prevent specific local port from being bound for temporary use.
For example, some proxy server uses local port 8080, so port 8080 should not be bound by other PROGRAMs for temporary use.
allow_mount | none | /dev/pts/ | devpts |
allow_mount | /proc | /proc/ | proc |
allow_mount | usbdevfs | /proc/bus/usb/ | usbdevfs |
allow_mount | none | /data/ | tmpfs nosuid,nodev,noexec |
allow_mount | none | /dev/shm/ | tmpfs nosuid,nodev,noexec |
allow_mount | /dev/hdc | /var/www/ | ext2 ro,nosuid,nodev,noexec |
allow_mount | any | / | --remount |
deny_unmount | /dev/ | ||
deny_unmount | /dev/pts/ | ||
deny_unmount | /proc/ | ||
allow_chroot | /var/empty/sshd/ | ||
allow_chroot | /usr/share/empty/ | ||
allow_chroot | /var/www/html/ | ||
allow_chroot | / | ||
deny_autobind | 1-1023 | ||
deny_autobind | 8080 |
This file contains permissions that apply to domain. The following 5 types of permissions are declared.
You may specify additional condition for each permissions as needed. The syntax for additional condition is described later.
This file contains all domain definitions. Lines from the next line to a domain definition to the previous line to the next domain definitions are interpreted as access permissions for that domain.
To grant file permission, use the following directives.
Directive | Granted Operation | Example |
1 | Execute | 1 /bin/ls |
2 | Write | 2 /dev/null |
3 | Write and Execute | |
4 | Read | 4 /proc/meminfo |
5 | Read and Execute | |
6 | Read and Write | 6 /dev/null |
7 | Read and Write and Execute | |
allow_create | Create regular file | allow_create /var/lock/subsys/crond |
allow_unlink | Delete non-directory | allow_unlink /var/lock/subsys/crond |
allow_mkdir | Create directory | allow_mkdir /tmp/logwatch.\*/ |
allow_rmdir | Remove directory | allow_rmdir /tmp/logwatch.\*/ |
allow_mkfifo | Create FIFO | allow_mkfifo /dev/initctl |
allow_mksock | Create UNIX domain socket | allow_mksock /dev/log |
allow_mkblock | Create block device file | allow_mkblock /dev/\* |
allow_mkchar | Create character device file | allow_mkchar /dev/\* |
allow_truncate | Truncate or expand | allow_truncate /etc/mtab |
allow_symlink | Create symbolic link | allow_symlink /dev/cdrom |
allow_link | Create hard link | allow_link /etc/mtab~\$ /etc/mtab~ |
allow_rename | Rename | allow_rename /etc/mtab.tmp /etc/mtab |
allow_rewrite | Overwrite | allow_rewrite /var/log/messages |
You may use wildcards for directives other than 1 3 5 and 7. You should avoid using directives 3 5 and 7 as hard as possible.
You may use one of directives 2 3 6 or 7 in place with directives that starts with "allow_" via Mapping Definition.
To restrict the contents of argv[0], use allow_argv0 directive followed by "the pathname of program without dereferencing symbolic links" and "the basename part of argv[0]".
The execve() system call, which is used to execute a program, accepts filename and argv[] and envp[], sometimes, there are programs that behave differently depending on the basename of argv[0]. The busybox is an example. The domain transition of TOMOYO Linux is done based on the contents of filename. In most cases, the basename of filename and the basename of argv[0] are identical and are no problem, but there are programs such as binary wrapper that intentionally pass different filename and argv[0]. For example, passing /bin/ls which is a symbolic link to /sbin/busybox as the filename parameter and passing /bin/cat which is a symbolic link to /sbin/busybox as the argv[0] parameter will cause TOMOYO Linux behave as /bin/cat in the domain of /bin/ls, which is a incongruous situation. This means that if an attacker succeeds passing different filename and argv[0] intentionally, this will become a security hole. The purpose of this directive is to restrict the combinations of filename and argv[0] so that such incongruous situation won't occur.
To grant capability permission, use allow_capability directive followed by a capability.
The following capabilities are applicable.
Value | Meaning |
inet_tcp_create | Grant socket(PF_INET or PF_INET6, SOCK_STREAM, *) |
inet_tcp_listen | Grant listen() for PF_INET or PF_INET6, SOCK_STREAM |
inet_tcp_connect | Grant connect() for PF_INET or PF_INET6, SOCK_STREAM |
use_inet_udp | Grant socket(PF_INET, SOCK_DGRAM, *) |
use_inet_ip | Grant socket(PF_INET, SOCK_RAW, *) |
use_route | Grant socket(PF_ROUTE, *, *) |
use_packet | Grant socket(PF_PACKET, *, *) |
use_kernel_module | Grant create_module(2) init_module(2) delete_module(2) |
create_fifo | Grant mknod(2) for FIFO. |
create_block_dev | Grant mknod(2) for block device. |
create_char_dev | Grant mknod(2) for character device. |
create_unix_socket | Grant mknod(2) for unix domain sockets. |
SYS_MOUNT | Grant mount(2) |
SYS_UMOUNT | Grant umount(2) |
SYS_REBOOT | Grant reboot(2) |
SYS_CHROOT | Grant chroot(2) |
SYS_KILL | Grant kill(2) tkill(2) tgkill(2) with non-0 signal. |
SYS_VHANGUP | Grant vhangup(2) |
SYS_TIME | Grant stime(2) settimeofday(2) adjtimex(2) |
SYS_NICE | Grant nice(2) setpriority(2) |
SYS_SETHOSTNAME | Grant sethostname(2) setdomainname(2) |
SYS_LINK | Grant link(2) |
SYS_SYMLINK | Grant symlink(2) |
SYS_RENAME | Grant rename(2) |
SYS_UNLINK | Grant unlink(2) |
SYS_CHMOD | Grant chmod(2) fchmod(2) |
SYS_CHOWN | Grant chown(2) fchown(2) lchown(2) |
SYS_IOCTL | Grant ioctl(2) compat_sys_ioctl(2) |
SYS_KEXEC_LOAD | Grant kexec_load(2) |
SYS_PIVOT_ROOT | Grant pivot_root(2) |
The purpose of allow_capability directive is to restrict system calls that a PROGRAM can call.
You can restrict more strictly with other directives and policy files for some system calls.
To grant permission for ports, use allow_network directive followed by protocol(TCP or UDP or RAW) and IP address and port number (for TCP or UDP) / protocol number (for RAW). This permission is applicable to IPv4 and IPv6.
Directive | Granted Operation | Example |
allow_network TCP bind | Bind to local TCP address/port. | allow_network TCP bind 0.0.0.0 80 |
allow_network TCP listen | Listen to local TCP address/port. | allow_network TCP listen 0.0.0.0 80 |
allow_network TCP accept | Accept from and communicate with remote TCP address/port. | allow_network TCP accept 10.0.0.0-10.255.255.255 1024-65535 |
allow_network TCP connect | Connect to and communicate with remote TCP address/port. | allow_network TCP connect 127.0.0.1 1024-65535 |
allow_network UDP bind | Bind to local UDP address/port. | allow_network UDP bind 0.0.0.0 53 |
allow_network UDP connect | Communicate with remote UDP address/port. | allow_network UDP connect 127.0.0.1 53 |
allow_network RAW bind | Bind to local IP address/protocol. | allow_network RAW bind 127.0.0.1 255 |
allow_network RAW connect | Communicate with remote IP address/protocol. | allow_network RAW connect 10.0.0.1 1 |
Use of "::" for IPv6 address representation is not supported. You need to use "0:0:0:0:0:0:0:1" for "::1".
Permission check is not applied for recvmsg() with msg_name == NULL or read().
To grant permissions for signals, use allow_signal directive followed by signal number and Target domain.
There are two exceptions. If signal number is 0, it is always granted. If the Target domain and the Source domain are the same, it is always granted.
In other cases, signals are granted only when the signal number matches and the Target domain starts with the Target domain declared with this directive.
If only <kernel> is declared as a Target domain, the Source domain can send signals to any domain with that signal number.
TOMOYO Linux 1.2 supports conditional permission. The condition clause are appended to the tail of each permission using "if" directive.
Example | Meaning |
4 /etc/passwd | Allow reading /etc/passwd . |
4 /etc/passwd if task.uid=0 | Allow reading /etc/passwd if the process's UID is 0. |
4 /etc/passwd if task.uid!=0 | Allow reading /etc/passwd if the process's UID is not 0. |
allow_network TCP connect 10.0.0.1 80 | Connect to 10.0.0.1 port 80 using TCP. |
allow_network TCP connect 10.0.0.1 80 if task.uid=100 | Connect to 10.0.0.1 port 80 using TCP if the process's UID is 100. |
allow_capability SYS_KILL | Allow calling kill(2). |
allow_capability SYS_KILL if task.ppid=1 task.uid=0 task.euid=0 | Allow calling kill(2) if the process is the child of /sbin/init and the process's UID is 0 and the process's EUID is 0. |
The following variables are available.
Variable | Meaning |
task.uid | UID of current process |
task.euid | EUID of current process |
task.suid | SUID of current process |
task.fsuid | FSUID of current process |
task.gid | GID of current process |
task.egid | EGID of current process |
task.sgid | SGID of current process |
task.fsgid | FSGID of current process |
task.pid | PID of current process |
task.ppid | PID of parent process |
path1.uid | UID of object. |
path1.gid | GID of object. |
path1.ino | i-node number of object. |
path1.parent.uid | UID of object's parent directory. |
path1.parent.gid | GID of object's parent directory. |
path1.parent.ino | i-node number of object's parent directory. |
path2.parent.uid | UID of object's parent directory. |
path2.parent.gid | GID of object's parent directory. |
path2.parent.ino | i-node number of object's parent directory. |
"path1" corresponds to the first pathname of operations that requires pathnames, and "path2" corresponds to the second pathname of operations that requires pathnames. For example, the case of "allow_rename file1 file2", path1 corresponds to file1 and path2 corresponds to file2.
"path1.uid" and "path1.gid" are not available for pathnames that don't exist. Thus, you can't use when creating pathnames (such as allow_create directive).
"path1.parent.uid" and "path1.parent.gid" are always available.
"path2.parent.uid" and "path2.parent.gid" are available only for operations that require 2 pathnames (in other words, allow_link and allow_rename directives).
"path2.uid" and "path2.gid" are not supported. ( If "path2" already exist for "rename" operation, "unlink" or "rmdir" operation is performed implicitly.)
Neither "path1" nor "path2" are supported when accessing via "sysctl" ( i.e. accessing files under /proc/sys/ directories using "sysctl" instead for "open")
This file contains exceptions for domain access controls. The following 10 types of permissions are declared.
To declare pathname pattern, use file_pattern directive followed by pathname pattern. The pathname pattern must be a Canonicalized Pathname. This directive is not applicable to neither granting execute permissions nor domain definitions.
For example, Canonicalized Pathname that contains a process ID (i.e. /proc/PID/ files) needs to be grouped in order to make access control work well.
The following wildcards are available.
Value | Meaning |
\\ | \ itself. |
\* | Zero or more repetitions of characters other than '/'. |
\@ | Zero or more repetitions of characters other than '/' or '.'. |
\? | 1 byte character other than '/'. |
\$ | One or more repetitions of decimal digits. |
\+ | 1 decimal digit. |
\X | One or more repetitions of hexadecimal digits. |
\x | 1 hexadecimal digit. |
\A | One or more repetitions of alphabet characters. |
\a | 1 alphabet character. |
To declare pathname group, use path_group directive followed by name of the group and pathname pattern. For example, if you want to group all files under home directory, you can define
path_group HOME-DIR-FILE /home/\*/\* path_group HOME-DIR-FILE /home/\*/\*/\* path_group HOME-DIR-FILE /home/\*/\*/\*/\* path_group HOME-DIR-FILE /home/\*/\*/\*/\*/\* path_group HOME-DIR-FILE /home/\*/\*/\*/\*/\*/\* path_group HOME-DIR-FILE /home/\*/\*/\*/\*/\*/\*/\* |
in the exception policy and use like
4 @HOME-DIR-FILE |
to grant file access permission.
To declare address group, use address_group directive followed by name of the group and IP address pattern. For example, if you want to group all local addresses, you can define
address_group local-address 10.0.0.0-10.255.255.255 address_group local-address 172.16.0.0-172.31.255.255 address_group local-address 192.168.0.0-192.168.255.255 |
in the exception policy and use like
allow_network TCP accept @local-address 1024-65535 |
to grant network access permission.
To grant unconditionally readable permissions, use allow_read directive followed by Canonicalized File. This directive is intended to reduce size of Domain policy by granting read access to library files such as GLIBC and locale files. You should not grant password files such as /etc/passwd, for all process can read if DAC is granted.
To deny overwriting already written contents of file (such as log files) by default, use deny_rewrite directive followed by pathname pattern. Files whose pathname match to the patterns are not permitted to open for writing without append mode or truncate unless the pathnames are explicitly granted using allow_rewrite directive in domain policy.
To allow executing programs using the name of symbolic links, use alias directive followed by dereferenced pathname and reference pathname. This directive is intended to allow programs that behave differently depending on the name of invocation and that referenced using symbolic links instead of hard links transit domain using the symbolic link's name.
For example, /sbin/pidof is a symbolic link to /sbin/killall5 . In normal case, if /sbin/pidof is executed, the domain is defined as if /sbin/killall5 is executed. By specifying "alias /sbin/killall5 /sbin/pidof", you can run /sbin/pidof in the domain for /sbin/pidof .
To deal multiple programs as a single program, use aggregator directive followed by name of original program and aggregated program. This directive is intended to aggregate similar programs.
For example, /usr/bin/tac and /bin/cat are similar. By specifying "aggregator /usr/bin/tac /bin/cat", you can run /usr/bin/tac in the domain for /bin/cat .
For example, /usr/sbin/logrotate for Fedora Core 3 generates programs like /tmp/logrotate.\?\?\?\?\?\? and run them, but TOMOYO Linux doesn't allow using patterns for granting execute permission and defining domains. By specifying "aggregator /tmp/logrotate.\?\?\?\?\?\? /tmp/logrotate.tmp", you can run /tmp/logrotate.\?\?\?\?\?\? as if /tmp/logrotate.tmp is running.
To initialize domain transition when specific PROGRAM is executed, use initialize_domain directive.
If the part "from" and after is not given, the entry is applied to all DOMAIN. If the "DOMAIN" doesn't start with "<kernel>", the entry is applied to all DOMAIN whose domainname ends with "the last PROGRAM part of DOMAIN".
This directive is intended to aggregate domain transitions for daemon PROGRAM and PROGRAM that are invoked by the kernel on demand, by transiting to different domain. The directive name until version 1.3.1 was "initializer", and version 1.3.2 renamed to "initialize_domain".
To deny the effect of "initialize_domain" or "initializer" directive, use "no_initialize_domain" directive.
Use this directive when you don't want to initialize domain transition.
To prevent domain transition when PROGRAM is executed from specific DOMAIN, use keep_domain directive.
If the part "from" and before is not given, this entry is applied to all PROGRAM. If the "DOMAIN" doesn't start with "<kernel>", the entry is applied to all DOMAIN whose domainname ends with "the last PROGRAM part of DOMAIN".
This directive is intended to reduce total number of domains and memory usage by suppressing unneeded domain transitions.
To declare domain keepers, use keep_domain directive followed by domain definition.
Any process that belongs to any domain declared with this directive, the process stays at the same domain unless any program registered with initializer directive is executed.
To deny the effect of "keep_domain" directive, use "no_keep_domain" directive.
Use this directive when you want to escape from a DOMAIN that is kept by "keep_domain" directive.
This file defines mappings of write access permission checks for files and directories. This file allows you switching the granularity of write access permission checks based on how fine-grained do you want to control write access permissions for files and directories.
The format of this file is a list of "item=method". An example is shown below.
create=generic-write unlink=generic-write mkdir=mkdir rmdir=rmdir mkfifo=mkfifo mksock=mksock mkblock=mkblock mkchar=mkchar truncate=generic-write symlink=symlink link=link rename=rename rewrite=rewrite |
If "generic-write" is specified as the method, the item is checked using permissions for directive 2 3 6 or 7. If "no-check" is specified as the method, the item is not checked. If a method same as the item's name, the item is checked using permissions for directive of the item.
This file is read only once at boot. You can't switch after boot.
This is the interface to read/append/delete policies after boot. Only PROGRAMs that are declared in Policy Manager Definition can append/delete policies.
This file is to get or set the value of current control status.
(Example)
cat /proc/ccs/status
echo 'MAC_FOR_FILE=1' > /proc/ccs/status
This file is to read, append or delete current System policy.
(Example)
echo 'allow_mount /proc /proc/ proc' > /proc/ccs/policy/system_policy
echo 'delete allow_mount /proc /proc/ proc' > /proc/ccs/policy/system_policy
cat /proc/ccs/policy/system_policy
This file is to read, append or delete current Domain policy.
(Example) Selecting specific domain and appending ACLs. The domain will be created if nonexistent.
printf "<kernel> /sbin/init\n4 /etc/passwd\n" > /proc/ccs/policy/domain_policy
(Example) Selecting specific domain and appending ACLs. The domain won't be created if nonexistent.
printf "select <kernel> /sbin/init\n4 /etc/passwd\n" > /proc/ccs/policy/domain_policy
(Example) Selecting specific domain and removing ACLs.
printf "select <kernel> /sbin/init\ndelete 4 /etc/passwd\ndelete 4 /etc/shadow\n" > /proc/ccs/policy/domain_policy
(Example) Deleting specific domain.
printf "delete <kernel> /sbin/init\n" > /proc/ccs/policy/domain_policy
(Example) Reading current domain policy.
cat /proc/ccs/policy/domain_policy
This file is to read, append or delete current Exception policy.
(Example)
echo 'file_pattern /proc/\$/status' > /proc/ccs/policy/exception_policy
echo 'delete file_pattern /proc/\$/status' > /proc/ccs/policy/exception_policy
cat /proc/ccs/policy/exception_policy
This file is used to manually grant or reject individual access requests when the policy violation occurs in enforce mode. If a policy violation occur in a process whose domain is assigned a profile for enforce mode and "ALLOW_ENFORCE_GRACE=1", the administrator can judge interactively using "ccs-queryd" command.
This file is used to read or append the list of PROGRAMS or DOMAINS that can write to /proc/ccs/ interface.
This is a view (of a DBMS) that contains only profile number and domainnames of policy/domain so that "setprofile" command can do line-oriented processing easily.
This file is to show the total RAM used to keep policy in the kernel by TOMOYO Linux.
(Example)
cat /proc/ccs/info/meminfo
This file holds the granted log. The reader process returns immediately if no granted logs exists. To wait until a granted log is generated, use select(2) for readability. The max number of logs that the kernel can hold is limited to MAX_GRANT_LOG, so read out timely.
(Example)
cat /proc/ccs/info/grant_log
This file holds the rejected log. The reader process returns immediately if no violation logs exists. To wait until a violation log is generated, use select(2) for readability. The max number of logs that the kernel can hold is limited to MAX_REJECT_LOG, so read out timely.
(Example)
cat /proc/ccs/info/reject_log
This file is to show the name of domain the caller process belongs to.
(Example)
cat /proc/ccs/info/self_domain
This file is to show the mapping of write access permission checks.
(Example)
cat /proc/ccs/info/mapping
This file is used by "ccstree" command to show "list of processes currently running" and "domains which each process belongs to" and "profile number which the domain is currently assigned" like "pstree" command. This file is writable by PROGRAMS that aren't registered as policy manager.
This file is a counter used by policy update monitor programs so that they can easily find that the policies may have changed since last check. The counter values are reset to 0 whenever it is referred.