
Using Tomoyo Linux



Block suspicious program behaviour? Mitigate the exploitation of vulnerabilities? Prevent the execution of unauthorised code?
TOMOYO Linux is an implementation of mandatory access control for the Linux operating system. It is built into the kernel by default. It lets you take control of the system's behaviour and confine it strictly within the bounds of a given policy.

Below, the creation of policies is described both for individual applications and for the system as a whole.
The examples are based on Debian Wheezy and the Tomoyo 2.5 available in its kernel.

The basics

1. Domains.
Tomoyo is organised around the concept of domains. A domain corresponds to a process together with the chain of process transitions (executions) that led to it.
The base domain is always <kernel>. Examples of domain names:

<kernel>
<kernel> /sbin/init
<kernel> /sbin/init /etc/rc.d/rc
<kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3



For example, /bin/bash started directly and /bin/bash started through sshd are different domains:

/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

Each domain has its own set of rules in Tomoyo.

Domains are viewed and edited with tomoyo-editpolicy.

tomoyo-editpolicy

Press W, then D (w & d) to switch to the Domain Transition Editor, which lists the domains.

2. Rules.

Each domain carries a list of rules describing what the processes in it may do. For example:

file execute /bin/ls - allows the domain to execute ls.

A rule can carry a condition:

file execute /bin/ls task.uid=0 - allows executing ls only when the process runs as uid 0 (root).

3. Profiles.
A profile defines how Tomoyo treats a domain's accesses; each domain is assigned a profile with use_profile.

There are 4 modes:
0 - disabled: nothing is checked or recorded.
1 - learning: accesses are permitted and recorded as new rules.
2 - permissive: accesses not covered by the rules are permitted but logged.
3 - enforcing: accesses not covered by the rules are denied.

Profiles are edited in tomoyo-editpolicy (w & p).

In the examples below the confined domain ends up in profile 3.

4. Exception policy.
The exception policy holds the settings that are not tied to a single domain: domain transition rules (initialize_domain, keep_domain) and path_group definitions, both of which are used later on this page.

It is edited in tomoyo-editpolicy (w & e).



5. Policy files.

The policy is stored in:

/etc/tomoyo/domain_policy.conf - domain policy (the rules of each domain)
/etc/tomoyo/profile.conf - profiles
/etc/tomoyo/exception_policy.conf - exception policy

Changes made in tomoyo-editpolicy apply to the policy loaded in the kernel and are not written to these files by themselves. Do not forget to save!

6. Tools.

tomoyo-editpolicy - interactive policy editor. Works on the policy loaded in the kernel.
tomoyo-loadpolicy - loads the policy from the files into the kernel.
tomoyo-savepolicy - saves the kernel's current policy to the files; with -d or -e it writes the domain or exception policy to stdout instead. Remember that edits made in tomoyo-editpolicy exist only in the kernel until saved.
tomoyo-checkpolicy - checks the syntax of a policy file.

Tomoyo documentation: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

Man pages: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Enabling Tomoyo.
1. Add security=tomoyo to the kernel command line in /etc/default/grub:
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

then run update-grub.

2. Install the user-space tools:
aptitude install tomoyo-tools

3. Create the initial policy:
/usr/lib/tomoyo/init_policy
This generates the files in /etc/tomoyo.

4. Reboot!
If you ever need to boot without Tomoyo, press e in the grub menu and change
security=tomoyo
to
security=none


Confining midori.
The first step is to give the program its own domain: with initialize_domain, midori starts in the domain <kernel> /usr/bin/midori whichever domain launches it, so its rules apply to midori alone.

In tomoyo-editpolicy, open the Exception Policy Editor (w & e), press A and add:

initialize_domain /usr/bin/midori from any



See: tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Start midori once, and the new domain appears in the Domain Transition Editor (w & d):

/usr/bin/midori *

Select it, press S and assign profile 1 (learning).



Now run midori and exercise its functions, so that learning mode records everything it needs. Then quit midori.

In the Domain Transition Editor press Enter on the midori domain to open the Domain Policy Editor with the rules learned for it.






Learning mode produces a separate entry for every file touched under /home/home/.config/midori/.

These can be replaced by one entry with a wildcard (append may need to be added to the list of operations too):

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

Then mark the individual entries and press D to delete them.

Note that \* does not cross a / : files in subdirectories of /home/home/.config/midori/ need a second, recursive pattern:

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


Wildcards: tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

Domain policy syntax: tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


Network access is described in the same way.

For example, the learned entries for outgoing TCP connections can be collapsed into one rule covering any address on ports 80 to 443:

network inet stream connect 0.0.0.0-255.255.255.255 80-443

Entries already covered by such a rule can be marked with O (optimize) and deleted with D (O & D).

Network rule syntax: tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


Go through the remaining entries and delete with D anything the program has no business with (does midori really need /etc/passwd?).

When the list looks right, return to the Domain Transition Editor (w & d), press S and change the profile from 1 to 3 (enforcing).
Run midori again and check that everything still works.

Finally, save the midori domain to the policy file:

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

Here:
tomoyo-savepolicy -d writes the domain policy currently loaded in the kernel to stdout.
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' picks out the midori domain and, with -r, any domains below it.
>> /etc/tomoyo/domain_policy.conf appends the result to the domain policy file.

The resulting domain policy for midori:

/etc/tomoyo/domain_policy.conf

<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53
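To show what the tomoyo-savepolicy -d | tomoyo-selectpolicy -r pipeline above picks out, and to review what the learned policy actually grants, here is an added Python example (my own code, not part of the article or of tomoyo-tools). It parses domain_policy.conf text in the format shown above, selects a domain together with its sub-domains the way -r does, writes the selection back out in the same format, and flags the rules a reviewer would want to narrow: the two write rules over the whole home directory, which the article replaces with a path_group a few lines further on, and the connect rule that covers every IPv4 address on every port from 80 to 443. The policy text is a constructed excerpt of the dump above; the child domain /usr/bin/xdg-open is invented to exercise recursion, and the criteria in audit_rules are my own choices, not anything TOMOYO defines.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the midori policy from the article, plus an invented
# child domain "<kernel> /usr/bin/midori /usr/bin/xdg-open" to exercise -r.
SAMPLE_POLICY = r"""
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53

<kernel> /usr/bin/midori /usr/bin/xdg-open
use_profile 3
use_group 0
file read /etc/mailcap
"""

# "everything directly in" or "everything anywhere below" one user's home:
# /home/<user>/\*  or  /home/<user>/\{\*\}/\*
WHOLE_HOME = re.compile(r"/home/[^/]+/(\\\{\\\*\\\}/)?\\\*")
WRITE_OPS = {"write", "append", "unlink", "truncate", "create", "rename", "chmod"}


def parse_domain_policy(text: str) -> Dict[str, List[str]]:
    """Split domain policy text into {domain name: [rule lines]}.

    A domain block starts with a line beginning "<kernel>"; the non-empty
    lines that follow, up to the next such header, are its rules.
    """
    domains: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("<kernel>"):
            current = line
            domains.setdefault(current, [])
        elif current is not None:
            domains[current].append(line)
    return domains


def select_domains(domains: Dict[str, List[str]], name: str,
                   recursive: bool = True) -> Dict[str, List[str]]:
    """Pick the named domain and, like tomoyo-selectpolicy -r, its descendants.

    A descendant's name is the parent's name followed by a space and further
    program paths, e.g. "<kernel> /usr/bin/midori /usr/bin/xdg-open".
    """
    return {dom: rules for dom, rules in domains.items()
            if dom == name or (recursive and dom.startswith(name + " "))}


def render(domains: Dict[str, List[str]]) -> str:
    """Write domains back out in domain_policy.conf form (what gets appended)."""
    blocks = [dom + "\n" + "\n".join(rules) for dom, rules in domains.items()]
    return "\n\n".join(blocks) + "\n"


def audit_rules(rules: List[str]) -> List[Tuple[str, str]]:
    """Flag rules that grant more than a confined desktop program needs.

    Returns (rule, reason) pairs. The criteria are this example's own:
    write access over a whole home directory, connections to any IPv4
    address, and port specifications that are ranges rather than one port.
    """
    findings = []
    for rule in rules:
        parts = rule.split()
        if parts[0] == "file" and len(parts) >= 3:
            ops = set(parts[1].split("/"))
            if ops & WRITE_OPS and WHOLE_HOME.fullmatch(parts[2]):
                findings.append((rule, "write access to a whole home directory"))
        elif parts[:2] == ["network", "inet"] and len(parts) >= 6:
            addr, ports = parts[4], parts[5]
            if addr == "0.0.0.0-255.255.255.255":
                findings.append((rule, "any IPv4 address"))
            lo, _, hi = ports.partition("-")
            if hi:   # "80-443" is every port from 80 to 443, not just the two ends
                findings.append((rule, f"port range {lo}-{hi} covers {int(hi) - int(lo) + 1} ports"))
    return findings


if __name__ == "__main__":
    doms = parse_domain_policy(SAMPLE_POLICY)
    picked = select_domains(doms, "<kernel> /usr/bin/midori")
    print(render(picked))
    for rule, why in audit_rules(picked["<kernel> /usr/bin/midori"]):
        print(f"REVIEW: {why}: {rule}")
```

Run against the full dump saved by the pipeline, the same audit also flags the create/chmod and rename rules over /home/home, which is exactly the set the path_group below is meant to replace.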


Save the exception policy as well:

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

The policy files can now be tidied up by hand.

Repeated path patterns can be collected into a path_group in exception_policy.conf:

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

and referenced from domain_policy.conf with @:

file read/write/append/unlink/truncate @Midoi_Allow
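An added Python example (my reimplementation, not code from the article or from TOMOYO) of how a pathname is matched against the patterns used in file rules and path_groups, and of how a @group reference is resolved. It follows the component-by-component algorithm of the kernel's matcher as I read the expression rules linked above: \* never crosses a /, \{\*\}/ consumes one or more directory components (which is why the article needs both /home/home/.config/midori/\* and /home/home/.config/midori/\{\*\}/\*), and A\-B\-C matches A but not B or C (the form used later on this page in /usr/\{\*\}/\*\-medit\-midori). The exception and domain policy lines are constructed from the midori example; rule_permits handles only file rules and ignores conditions such as task.uid=0.

```python
from typing import Dict, List

# Constructed from the midori example above.
EXCEPTION_POLICY = r"""
path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*
"""
MIDORI_RULES = [
    r"file read/write/append/unlink/truncate @Midoi_Allow",
    r"file read /usr/share/\{\*\}/\*",
    r"file execute /usr/\{\*\}/\*\-medit\-midori",   # \- : any name but these two
]


def _split_subtraction(p: str) -> List[str]:
    """Split one component pattern at '\-' without breaking other escapes."""
    segs, cur, i = [], "", 0
    while i < len(p):
        if p[i] == "\\" and i + 1 < len(p):
            if p[i + 1] == "-":
                segs.append(cur)
                cur = ""
            else:
                cur += p[i:i + 2]
            i += 2
        else:
            cur += p[i]
            i += 1
    return segs + [cur]


def _match_segment(f: str, p: str) -> bool:
    """Match a path component f against a pattern segment p (no '\-' in p).

    Handles \* (zero or more chars), \? (one char), \$ (decimal digits) and
    the literal escapes \\ and \ooo; '/' never occurs inside a component.
    """
    if not p:
        return f == ""
    if p[0] != "\\":
        return f.startswith(p[0]) and _match_segment(f[1:], p[1:])
    if len(p) < 2:
        return False                                    # dangling backslash
    e, rest = p[1], p[2:]
    if e == "*":
        return any(_match_segment(f[i:], rest) for i in range(len(f) + 1))
    if e == "?":
        return f != "" and _match_segment(f[1:], rest)
    if e == "$":
        return any(f[:i].isdigit() and _match_segment(f[i:], rest)
                   for i in range(1, len(f) + 1))
    if e == "\\" or e in "0123":                        # literal escape sequence
        n = 2 if e == "\\" else 4
        return f[:n] == p[:n] and _match_segment(f[n:], p[n:])
    return False                                        # wildcard not handled here


def _match_component(f: str, p: str) -> bool:
    """A\-B\-C: the component must match A and must not match B or C."""
    first, *excluded = _split_subtraction(p)
    return _match_segment(f, first) and not any(_match_segment(f, s) for s in excluded)


def _match_parts(f_parts: List[str], p_parts: List[str]) -> bool:
    while f_parts and p_parts:
        p = p_parts[0]
        if p.startswith("\\{"):
            # "\{pat\}/": one or more components matching pat; more pattern must
            # follow it, so the path's last component can never be consumed here
            if not p.endswith("\\}") or len(p) < 4 or len(p_parts) < 2:
                return False
            inner, rest = p[2:-2], p_parts[1:]
            i = 0
            while i < len(f_parts) - 1 and _match_component(f_parts[i], inner):
                i += 1
                if _match_parts(f_parts[i:], rest):
                    return True
            return False
        if not _match_component(f_parts[0], p):
            return False
        f_parts, p_parts = f_parts[1:], p_parts[1:]
    if len(p_parts) == 1 and p_parts[0].replace("\\*", "") == "":
        p_parts = []                                    # a trailing \* may match nothing
    return "/".join(f_parts) == "" and not p_parts


def path_matches(path: str, pattern: str) -> bool:
    """True if the pathname is covered by the TOMOYO pattern."""
    return _match_parts(path.split("/"), pattern.split("/"))


def parse_path_groups(exception_policy: str) -> Dict[str, List[str]]:
    """Collect `path_group NAME PATTERN` lines into {NAME: [patterns]}."""
    groups: Dict[str, List[str]] = {}
    for line in exception_policy.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "path_group":
            groups.setdefault(parts[1], []).append(parts[2])
    return groups


def rule_permits(rule: str, op: str, path: str, groups: Dict[str, List[str]]) -> bool:
    """Does `file OP[/OP...] PATTERN|@GROUP` permit op on path? Conditions are ignored."""
    parts = rule.split()
    if len(parts) < 3 or parts[0] != "file" or op not in parts[1].split("/"):
        return False
    target = parts[2]
    patterns = groups.get(target[1:], []) if target.startswith("@") else [target]
    return any(path_matches(path, pat) for pat in patterns)


def domain_permits(rules: List[str], op: str, path: str, groups: Dict[str, List[str]]) -> bool:
    """A domain permits an access if any of its file rules does."""
    return any(rule_permits(r, op, path, groups) for r in rules)
```

Note that file names are compared in TOMOYO's escaped form (a space appears as \040), so a component like file\040name is still matched by \* here, as in the kernel.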

After editing the files by hand, check their syntax before loading them into Tomoyo:

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

If something is denied, the reason can be found in the audit log: tomoyo-auditd writes it under /var/log/tomoyo.


More examples of per-application policies:
wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



System-wide policy.

Tomoyo can also be applied to the system as a whole. The example below restricts only execution: programs may be run from the system directories, while anything under /home, /tmp and similar locations may be executed by root only.
Everything else is left unrestricted.

The profile:

/etc/tomoyo/profile.conf

4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

The exception policy:

/etc/tomoyo/exception_policy.conf

path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any

The domain policy:

/etc/tomoyo/domain_policy.conf

<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0

Notes on this policy.

1.
Why are medit and midori excluded from the /usr path group with \-medit\-midori and then listed explicitly (file execute /usr/bin/medit, file execute /usr/bin/midori)?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

The condition task.uid=0 makes this entry apply only to processes running as root, so the ALLOW_EXEC_ROOT locations are executable by root alone.

Conditions are described at:
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
This keeps every program started from the <kernel> domain in that same domain, so the whole system shares one set of rules.

initialize_domain /usr/bin/midori from any
This still gives midori its own domain: initialize_domain takes precedence over keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
Only file execute is enforced in profile 4; every other operation has mode=disabled, so a domain with use_profile 4 is restricted in nothing but execution.

Profiles are described at:
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



That is all for this brief introduction to Tomoyo.

P.S. Another MAC system from the Tomoyo developer: caitsith.sourceforge.jp

Update!

The execute whitelist above does not cover programs started by invoking the dynamic loader (ld-linux.so.2) directly, because the file being executed is then the loader itself.

The fix is to give the loader its own enforcing domain with no permissions at all.

Domain policy:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

Exception policy:

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any

With that, anything launched through the loader lands in a domain that is allowed nothing.

/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .
 
.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf

<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

In domain_policy.conf the group is then referenced by name, with the @ prefix:

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd writes the audit log (granted and rejected requests, according to each profile's grant_log and reject_log settings) to files under /var/log/tomoyo.
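A review pass over a tomoyo-savepolicy -d dump, added here as an example (it is not code from the article or from tomoyo-tools): it flags what is easy to miss in the learned midori policy above, namely the any-host connect rule, the 80-443 field being a port range rather than the two ports 80 and 443, write access to the whole home tree, and a domain that is not yet in an enforcing profile. The thresholds and the assumption that profile 3 is the enforcing profile are mine.

```python
"""Review a TOMOYO 2.5 domain policy dump (the text tomoyo-savepolicy -d writes)
for rules that are broader than they look. Constructed example, not the
article's or tomoyo-tools' code; the thresholds and the enforcing-profile set
{3} (the article's default init_policy layout) are assumptions made here."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Domain:
    name: str                      # e.g. "<kernel> /usr/bin/midori"
    profile: Optional[int] = None  # value of the use_profile line
    acls: List[str] = field(default_factory=list)

def parse_domain_policy(text: str) -> List[Domain]:
    """Split a policy into domains: a '<kernel> ...' header, then its rules."""
    domains: List[Domain] = []
    current: Optional[Domain] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("<kernel>"):
            current = Domain(name=line)
            domains.append(current)
        elif current is None:
            raise ValueError(f"rule before any domain header: {line!r}")
        elif line.startswith("use_profile "):
            current.profile = int(line.split()[1])
        elif line.startswith("use_group "):
            continue  # acl_group selection is not reviewed here
        else:
            current.acls.append(line)
    return domains

# Common TOMOYO path wildcards (\* \? \$ \+) and the recursive \{\*\}/ form.
WILDCARD = re.compile(r"\\[*?$+{]")
# file:: operations that change the file system.
MODIFYING = {"write", "append", "create", "unlink", "truncate", "rename",
             "chmod", "chown", "mkdir", "rmdir", "link", "symlink"}
INET_RULE = re.compile(r"^network inet (stream|dgram|raw) (\w+) (\S+) (\S+)")

def concrete_depth(path: str) -> int:
    r"""Components without a wildcard: 2 for /home/home/\{\*\}/\*."""
    return sum(1 for p in path.split("/") if p and not WILDCARD.search(p))

def address_span(addr: str) -> Optional[int]:
    """IPv4 addresses covered by 'a.b.c.d' or 'a.b.c.d-e.f.g.h'; None if not IPv4."""
    lo, _, hi = addr.partition("-")
    try:
        lo_i = int(ipaddress.IPv4Address(lo))
        hi_i = int(ipaddress.IPv4Address(hi)) if hi else lo_i
    except ipaddress.AddressValueError:
        return None  # IPv6 literal or @address_group: not checked here
    return hi_i - lo_i + 1

def port_span(port: str) -> int:
    """Ports covered by '53' or by a range such as '80-443' (364 ports)."""
    lo, _, hi = port.partition("-")
    return int(hi) - int(lo) + 1 if hi else 1

def review(text: str, enforcing_profiles=frozenset({3}), max_hosts: int = 256,
           min_depth: int = 3) -> List[str]:
    """One finding per over-broad rule or per domain not in an enforcing profile."""
    findings: List[str] = []
    for dom in parse_domain_policy(text):
        if dom.profile not in enforcing_profiles:
            findings.append(f"{dom.name}: use_profile {dom.profile} is not enforcing")
        for acl in dom.acls:
            m = INET_RULE.match(acl)
            if m:
                _, _, addr, port = m.groups()
                hosts = address_span(addr)
                if hosts is not None and hosts > max_hosts:
                    findings.append(f"{dom.name}: {acl!r} allows {hosts} hosts")
                if port_span(port) > 1:  # '80-443' is a range, not the pair 80 and 443
                    findings.append(f"{dom.name}: {acl!r} covers {port_span(port)} ports")
            elif acl.startswith("file "):
                ops, _, rest = acl[5:].partition(" ")
                path = rest.split(" ", 1)[0]  # drop trailing mode / rename target
                if MODIFYING & set(ops.split("/")) and concrete_depth(path) < min_depth:
                    findings.append(f"{dom.name}: {acl!r} modifies a near-whole tree")
    return findings

# Constructed sample: a trimmed version of the learned midori policy above plus
# a loader domain that was left in profile 1 (learning).
SAMPLE = r"""<kernel> /usr/bin/midori
use_profile 3
use_group 0
file read /etc/ssl/certs/ca-certificates.crt
file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 1
use_group 0
"""
```

Run review() on the output of tomoyo-savepolicy -d before switching a domain to an enforcing profile; a rule like the 80-443 one is best split into two rules with single ports.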


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

Execution from /home, /tmp and similar user-writable locations is permitted only for root (task.uid=0).
.

.

/etc/tomoyo/profile.conf

4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf

path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf

<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0

.

1.
Why are medit and midori excluded from the ALLOW_EXEC group with \-medit\-midori and then allowed separately with file execute /usr/bin/medit and file execute /usr/bin/midori?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
Keeps every process started from the <kernel> domain in that same domain: there are no domain transitions, so one set of rules covers the whole system.

initialize_domain /usr/bin/midori from any
midori nevertheless gets its own domain, because initialize_domain takes priority over keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
Profile 4 enforces only file::execute and leaves every other check disabled. The <kernel> domain uses it (use_profile 4), while the midori domain keeps the full profile 3.

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

P.S. Another MAC implementation by the author of Tomoyo: caitsith.sourceforge.jp

Update!

The execute check alone does not cover the dynamic loader. When a program is started through ld-linux.so.2 directly, the file execute rule is evaluated for the loader rather than for the program it then loads, so the loader needs its own domain and policy.

.

:

In domain_policy.conf:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

In exception_policy.conf:

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


The exception policy is saved the same way:

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

Instead of listing every path in the domain, related paths can be collected into a path_group in exception_policy.conf:

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

The group is then referenced in domain_policy.conf with the @ prefix:

file read/write/append/unlink/truncate @Midoi_Allow

Hand-edited policy files should be syntax-checked with tomoyo-checkpolicy before Tomoyo loads them:

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf


With tomoyo-auditd running, the access logs are written under /var/log/tomoyo.


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo can also restrict the system as a whole. The policy below allows execution from /home and /tmp only to root.

Profile 4 enforces file::execute only and leaves every other check disabled:

/etc/tomoyo/profile.conf
4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }


/etc/tomoyo/exception_policy.conf
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any



/etc/tomoyo/domain_policy.conf
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0
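How these rules resolve can be worked through offline. The following is an added example, not code from the article or from the TOMOYO project: a Python re-implementation of TOMOYO's path-pattern matching (the \* wildcard, the recursive \{\*\}/ pattern and the \- exclusion used in ALLOW_EXEC) with a small checker that evaluates accesses against an excerpt of the path groups above, the task.uid=0 condition and the Midoi_Allow group. It assumes pathnames need no TOMOYO octal escaping and ignores profiles, treating every rule as enforcing.

```python
r"""TOMOYO 2.x path-pattern matching and a minimal policy checker.  Added
example, not code from the article or the TOMOYO project.  Modelled: the \*
and \? wildcards, recursive \{\*\}/, the \- exclusion operator, @path_group
references and the task.uid condition.  Pathnames are assumed to need no
TOMOYO octal escaping; profiles are ignored (every rule is enforcing).
"""
from collections import defaultdict, namedtuple

Rule = namedtuple("Rule", "perms target uid")  # uid: task.uid=N condition, or None


def _plain_matches(name, pat):
    """One path component against a pattern component that has no \\- in it."""
    if not pat:
        return name == ""
    if pat.startswith("\\*"):  # zero or more characters other than '/'
        return any(_plain_matches(name[k:], pat[2:]) for k in range(len(name) + 1))
    if pat.startswith("\\?"):  # exactly one character other than '/'
        return name != "" and _plain_matches(name[1:], pat[2:])
    return name != "" and name[0] == pat[0] and _plain_matches(name[1:], pat[1:])


def _component_matches(name, pat):
    r"""\- operator: the first sub-pattern must match, later ones ("\-medit\-midori") must not."""
    first, *excluded = pat.split("\\-")
    return _plain_matches(name, first) and not any(_plain_matches(name, e) for e in excluded)


def _match_components(f, p):
    """f and p are the path and the pattern split on '/'."""
    while f and p:
        if p[0].startswith("\\{") and p[0].endswith("\\}"):
            inner, rest = p[0][2:-2], p[1:]
            # "\{dir\}/" swallows ONE OR MORE components matching `inner` and the rest
            # of the pattern must still match: /x/\{\*\}/\* skips files directly in /x/.
            for k in range(len(f)):
                if not _component_matches(f[k], inner):
                    return False
                if _match_components(f[k + 1:], rest):
                    return True
            return False
        if not _component_matches(f[0], p[0]):
            return False
        f, p = f[1:], p[1:]
    return not f and not p


def path_matches(path, pattern):
    if path.endswith("/") != pattern.endswith("/"):  # a directory never matches a file pattern
        return False
    return _match_components(path.split("/"), pattern.split("/"))


def parse_policy(domain_text, exception_text):
    """path_group lines from the exception policy, `file` rules from the domain policy."""
    groups, domains, current = defaultdict(list), {}, None
    for line in exception_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "path_group":
            groups[parts[1]].append(parts[2])
    for line in domain_text.splitlines():
        parts = line.split()
        if parts and parts[0] == "<kernel>":  # a domain header starts a new domain
            current = " ".join(parts)
            domains[current] = []
        elif parts and parts[0] == "file" and current is not None:
            conds = dict(c.split("=", 1) for c in parts[3:])
            uid = int(conds["task.uid"]) if "task.uid" in conds else None
            domains[current].append(Rule(frozenset(parts[1].split("/")), parts[2], uid))
    return groups, domains


def is_allowed(policy, domain, op, path, uid=1000):
    """Would a process in `domain` running as `uid` be granted `op` on `path`?"""
    groups, domains = policy
    for rule in domains.get(domain, []):
        if op not in rule.perms or (rule.uid is not None and rule.uid != uid):
            continue
        pats = groups[rule.target[1:]] if rule.target.startswith("@") else [rule.target]
        if any(path_matches(path, pat) for pat in pats):
            return True
    return False


# Excerpt of the article's policy (the real ALLOW_EXEC lists are longer).
EXCEPTION_POLICY = r"""path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*"""
DOMAIN_POLICY = r"""<kernel>
use_profile 4
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori
<kernel> /usr/bin/midori
use_profile 3
file read/write/append/unlink/truncate @Midoi_Allow"""
POLICY = parse_policy(DOMAIN_POLICY, EXCEPTION_POLICY)
```

Calling is_allowed(POLICY, "<kernel>", "execute", "/home/home/a.out") with the default uid 1000 returns False while uid=0 returns True, and the midori domain is denied "read" on /etc/passwd while its own configuration directory is permitted through the group.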


1.
midori \-midori , file execute /usr/bin/medit ?


initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0


tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>

initialize_domain /usr/bin/midori from any

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

tomoyo.sourceforge.jp/2.5/chapter-9.html.en




P.S. Another mandatory access control implementation by the author of Tomoyo: caitsith.sourceforge.jp

Update!

Restricting file execute on program files alone is incomplete: the dynamic loader (ld-linux.so.2) can start a program on its behalf, and then the loader, not the program, is the file Tomoyo sees being executed.

The loader therefore gets a domain of its own in enforcing mode:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .
 
.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en
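An added example, not code from the page or from tomoyo-tools, that evaluates the execute-only policy above offline and illustrates questions 1 and 2: it implements the \*, \{\*\} and \- path-matching rules the policy relies on (my reading of the kernel's security/tomoyo/util.c, stated here as an assumption; other wildcards are left out), expands @path_group names from a constructed subset of the exception policy, and applies the task.uid= condition.

```python
r"""Offline evaluator for the 'file execute' policy shown on this page.

Added example, not code from the page or tomoyo-tools. Wildcards implemented
(as I read the kernel's security/tomoyo/util.c; an assumption):
  \*       zero or more characters other than '/' within one path component
  \{\*\}/  one or more directory levels (recursive directory wildcard)
  \-       subtraction: first piece must match, no later piece may match
"""
import re

# Constructed subset of the page's exception_policy.conf (execute groups only).
EXCEPTION_POLICY = r"""
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
"""

# The page's domain_policy.conf.
DOMAIN_POLICY = r"""
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0
"""

def _plain_matches(name, pattern):
    # One path component against a pattern whose only wildcard is \*.
    regex = "[^/]*".join(re.escape(p) for p in pattern.split(r"\*"))
    return re.fullmatch(regex, name) is not None

def _component_matches(name, pattern):
    # \- subtraction: split at \-; the first piece must match, later ones must not.
    first, *excluded = pattern.split(r"\-")
    if not _plain_matches(name, first):
        return False
    return not any(_plain_matches(name, p) for p in excluded)

def _match(comps, pats):
    if not pats:
        return not comps      # both exhausted: matched
    if not comps:
        return False          # pattern needs more components than the path has
    pat = pats[0]
    if pat.startswith(r"\{") and pat.endswith(r"\}"):
        inner = pat[2:-2]     # \{\*\} -> \*
        # Consume one or more components matching `inner`, then try the rest.
        for i, comp in enumerate(comps):
            if not _component_matches(comp, inner):
                return False
            if _match(comps[i + 1:], pats[1:]):
                return True
        return False
    return _component_matches(comps[0], pat) and _match(comps[1:], pats[1:])

def path_matches(path, pattern):
    """Match an absolute path against a TOMOYO path pattern."""
    return _match(path.split("/")[1:], pattern.split("/")[1:])

def parse_path_groups(text):
    groups = {}
    for parts in (line.split() for line in text.splitlines()):
        if parts and parts[0] == "path_group":
            groups.setdefault(parts[1], []).append(parts[2])
    return groups

def execute_rules(text, domain):
    """(target, required_uid) for each 'file execute' line of one domain."""
    rules, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("<kernel>"):
            current = line
        elif current == domain and line.startswith("file execute "):
            parts = line.split()
            uids = [int(c[9:]) for c in parts[3:] if c.startswith("task.uid=")]
            rules.append((parts[2], uids[0] if uids else None))
    return rules

def may_execute(domain, path, uid, domain_policy=DOMAIN_POLICY,
                exception_policy=EXCEPTION_POLICY):
    """Would profile 4's enforcing file::execute let `domain` run `path` as `uid`?"""
    groups = parse_path_groups(exception_policy)
    for target, required_uid in execute_rules(domain_policy, domain):
        if required_uid is not None and uid != required_uid:
            continue
        patterns = groups.get(target[1:], []) if target.startswith("@") else [target]
        if any(path_matches(path, p) for p in patterns):
            return True
    return False

if __name__ == "__main__":
    for dom, path, uid in [("<kernel>", "/usr/bin/midori", 1000),
                           ("<kernel>", "/home/home/bin/myscript", 1000)]:
        print(dom, path, uid, may_execute(dom, path, uid))
```

Remove the explicit `file execute /usr/bin/midori` line from DOMAIN_POLICY and `may_execute("<kernel>", "/usr/bin/midori", 1000)` turns False, which is the subtraction at work in question 1.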



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .
 
.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .
 
.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf
<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf
4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en
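As an added example (not the page's or tomoyo-tools' code), the checker below parses constructed excerpts modelled on the two policies above, the learned midori domain with its @Midoi_Allow path_group and the whole-system ALLOW_EXEC / ALLOW_EXEC_ROOT execute whitelist, and answers whether a domain would be granted a given access, so the effects discussed in points 1 and 2 (the \-midori subtraction and the task.uid=0 condition) can be checked offline before a profile is switched to enforcing. The excerpts, the function names and uid 1000 as the unprivileged user are assumptions.

```python
r"""TOMOYO 2.5 policy checker for the syntax on this page: an added example, not code
from the page's author or tomoyo-tools. Path matching follows the kernel's rules."""
import re
# Constructed excerpts modelled on the page's policies, not a real system dump.
EXCEPTION_POLICY = r"""
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*
"""
DOMAIN_POLICY = r"""
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
file read/write/append/unlink/truncate @Midoi_Allow
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
"""
# TOMOYO single-component wildcards as regex fragments (\* = zero or more non-'/' chars).
_WILDCARDS = {"*": "[^/]*", "@": "[^/.]*", "?": "[^/]", "$": "[0-9]+", "+": "[0-9]",
              "X": "[0-9A-Fa-f]+", "x": "[0-9A-Fa-f]", "A": "[A-Za-z]+", "a": "[A-Za-z]"}
def _component_regex(comp):
    """Regex for one pattern component (no '/' and no subtraction inside)."""
    out, i = [], 0
    while i < len(comp):
        esc = comp[i] == "\\" and i + 1 < len(comp)
        out.append(_WILDCARDS.get(comp[i + 1], re.escape(comp[i + 1])) if esc
                   else re.escape(comp[i]))
        i += 2 if esc else 1
    return "".join(out)

def _component_matches(name, comp):
    r"""A\-B\-C: name must match A and must not match B or C (TOMOYO subtraction)."""
    first, *excluded = comp.split("\\-")
    if not re.fullmatch(_component_regex(first), name):
        return False
    return not any(re.fullmatch(_component_regex(e), name) for e in excluded)

def _match(names, comps):
    if not comps:
        return not names
    comp = comps[0]
    if comp.startswith("\\{") and comp.endswith("\\}"):
        inner = comp[2:-2]  # \{inner\}/ swallows ONE or more components matching inner
        for i in range(len(names)):
            if not _component_matches(names[i], inner):
                return False
            if _match(names[i + 1:], comps[1:]):
                return True
        return False
    return bool(names) and _component_matches(names[0], comp) and _match(names[1:], comps[1:])

def path_matches(path, pattern):
    return _match(path.split("/"), pattern.split("/"))

def parse_path_groups(text):
    """{group_name: [pattern, ...]} from the path_group lines of an exception policy."""
    groups = {}
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) == 3 and parts[0] == "path_group":
            groups.setdefault(parts[1], []).append(parts[2])
    return groups

def parse_domain_policy(text):
    """{domain: {"profile": int, "rules": [...]}}; task.* conditions are kept apart."""
    domains, cur = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "<kernel>":
            cur = domains.setdefault(line.strip(), {"profile": None, "rules": []})
        elif parts[0] == "use_profile":
            cur["profile"] = int(parts[1])
        elif parts[0] != "use_group":
            cur["rules"].append({
                "kind": parts[0], "ops": set(parts[1].split("/")),
                "args": [a for a in parts[2:] if not a.startswith("task.")],
                "cond": [a for a in parts[2:] if a.startswith("task.")]})
    return domains

def is_allowed(domains, groups, domain, op, path, uid=1000):
    """Would <domain>, running as uid, be granted file <op> on <path>?"""
    for rule in domains[domain]["rules"]:
        if rule["kind"] != "file" or op not in rule["ops"]:
            continue
        uid_conds = [c for c in rule["cond"] if c.startswith("task.uid=")]
        if uid_conds and "task.uid=%d" % uid not in uid_conds:
            continue  # rule is restricted to another uid (e.g. task.uid=0)
        target = rule["args"][0]
        for p in (groups.get(target[1:], []) if target.startswith("@") else [target]):
            if path_matches(path, p):
                return True
    return False
```

The \{\*\}/ pattern requires at least one directory component, which is why the learned policy above carries both a /home/home/\{\*\}/\* and a /home/home/\* line.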



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .
 
.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf
<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

Add to exception_policy.conf:

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

and in domain_policy.conf, reference the group instead of the whole home tree:

file read/write/append/unlink/truncate @Midoi_Allow
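As an added example (not the article's or tomoyo-tools' code), this Python script parses a tomoyo-savepolicy -d dump like the one above, flags the whole-home write grants and any-host network entries that learning mode produces, and rewrites the file entries to reference a path_group the way @Midoi_Allow does. The list of write-like operations and the home roots it checks are this example's own assumptions.

```python
"""Audit a TOMOYO 2.x domain policy dump for overly broad grants.

Added example; not code from the article or from tomoyo-tools. Input is the
text printed by `tomoyo-savepolicy -d`: a domain header starting with
"<kernel>" followed by that domain's ACL entries.
"""
from typing import Dict, List, Tuple

# Constructed sample: a trimmed copy of the learned midori domain.
SAMPLE_POLICY = r"""
<kernel> /usr/bin/midori
use_profile 3
use_group 0
file read /etc/ssl/certs/ca-certificates.crt
file read /etc/fonts/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53
""".strip()

# Assumed set of operations that modify the file system.
WRITE_OPS = {"write", "append", "create", "unlink", "truncate", "rename",
             "chmod", "chown", "chgrp", "mkdir", "rmdir", "symlink", "link"}
HOME_ROOTS = ("/home", "/home/home")        # assumed: the user's home and all homes
ANY_IPV4 = "0.0.0.0-255.255.255.255"


def parse_domain_policy(text: str) -> Dict[str, List[str]]:
    """Split a policy dump into {domain name: [ACL entries]}."""
    domains: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("<kernel>"):       # domain header line
            current = line
            domains.setdefault(current, [])
        elif current is not None:
            domains[current].append(line)
    return domains


def is_whole_tree(path: str, root: str) -> bool:
    """True if path is the pattern for every entry directly under root
    (root/\\*) or anywhere below it (root/\\{\\*\\}/\\*)."""
    return path in (root + r"/\*", root + r"/\{\*\}/\*")


def file_paths(parts: List[str]) -> List[str]:
    """Path operands of a 'file' entry; trailing mode ranges like 0-0666 are skipped."""
    return [p for p in parts[2:] if p.startswith("/")]


def audit(domains: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return (domain, entry, reason) for each grant considered too broad."""
    findings = []
    for domain, entries in domains.items():
        for entry in entries:
            parts = entry.split()
            if parts[0] == "file":
                ops = set(parts[1].split("/"))
                broad = any(is_whole_tree(p, r) for p in file_paths(parts) for r in HOME_ROOTS)
                if ops & WRITE_OPS and broad:
                    findings.append((domain, entry, "write access to a whole home tree"))
            elif parts[0] == "network" and parts[1] == "inet":
                # network inet <protocol> <operation> <address[-address]> <port[-port]>
                if parts[4] == ANY_IPV4:
                    findings.append((domain, entry, "outbound traffic to any IPv4 host"))
    return findings


def narrow_to_group(entry: str, group: str) -> str:
    """Rewrite a broad file entry so its whole-tree paths reference a path_group,
    as the article does with @Midoi_Allow; other operands are kept."""
    parts = entry.split()
    rewritten = parts[:2] + [
        "@" + group if any(is_whole_tree(p, r) for r in HOME_ROOTS) else p
        for p in parts[2:]
    ]
    return " ".join(rewritten)


def path_group_lines(group: str, subtrees: List[str]) -> List[str]:
    """exception_policy.conf lines granting group each directory and everything below it."""
    lines = []
    for sub in subtrees:
        lines.append(f"path_group {group} {sub}/\\{{\\*\\}}/\\*")
        lines.append(f"path_group {group} {sub}/\\*")
    return lines


if __name__ == "__main__":
    policy = parse_domain_policy(SAMPLE_POLICY)
    for domain, entry, reason in audit(policy):
        print(f"{reason}: [{domain}] {entry}")
        if entry.startswith("file"):
            print("  suggested:", narrow_to_group(entry, "Midoi_Allow"))
    print("\n".join(path_group_lines("Midoi_Allow", ["/home/home/.config/midori"])))
```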

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd collects the access log (grant_log and reject_log) under /var/log/tomoyo.


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

Execution from locations such as /home and /tmp is allowed only to root.
.

.

/etc/tomoyo/profile.conf
4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
This entry takes precedence over keep_domain, so midori still gets its own domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
The profile enforces only file::execute; every other category stays at mode=disabled, so a domain with use_profile 4 is restricted only in what it may execute.

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

P.S. Another MAC from the author of Tomoyo: caitsith.sourceforge.jp

Update!

Tomoyo's per-program confinement can be sidestepped.
A binary started through the dynamic loader (ld-linux.so.2 /path/to/program) is, to the kernel, an exec of the loader, so it runs in the loader's domain rather than in the program's own.

.

The fix is to give the loader its own domain and enforce it:

domain_policy.conf:
<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

exception_policy.conf:
initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .
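An added example, not code from the article or from tomoyo-tools, that models the domain transitions discussed in question 3 (keep_domain versus initialize_domain) and in this Update: it replays a chain of execs against the whole-system exception policy with and without the loader rule. It assumes that initialize_domain is evaluated before keep_domain, and it does not model no_initialize_domain, no_keep_domain or reset_domain.

```python
"""Simulate TOMOYO 2.x domain transitions for a chain of execve() calls.

Added example; not code from the article or from tomoyo-tools. Rules
modelled: by default an exec of P from domain D lands in "D P";
`keep_domain any from X` keeps the caller's domain; `initialize_domain P
from X` restarts at "<kernel> P". Assumption: initialize_domain is
evaluated before keep_domain, so it wins when both match.
"""
from typing import List, Tuple

Rule = Tuple[str, str, str]  # (directive, program, "from" specification)

# Constructed sample: the transition rules of the whole-system policy above.
BASE_POLICY = """
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any
"""

# Constructed sample: the same rules plus the line from the Update.
UPDATED_POLICY = BASE_POLICY + """
initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
"""


def parse_transition_rules(text: str) -> List[Rule]:
    """Keep only the keep_domain / initialize_domain lines of an exception policy."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        parts = raw.split()
        if (len(parts) >= 4 and parts[0] in ("keep_domain", "initialize_domain")
                and parts[2] == "from"):
            rules.append((parts[0], parts[1], " ".join(parts[3:])))
    return rules


def from_matches(spec: str, domain: str) -> bool:
    """'from' operand: any, a full domain name, or the domain's last program."""
    if spec == "any":
        return True
    if spec.startswith("<kernel>"):
        return spec == domain
    return domain.split()[-1] == spec


def next_domain(rules: List[Rule], domain: str, program: str) -> str:
    """Domain entered after `program` is executed from `domain`."""
    for directive in ("initialize_domain", "keep_domain"):  # assumed evaluation order
        for name, prog, spec in rules:
            if name != directive or prog not in ("any", program):
                continue
            if from_matches(spec, domain):
                return f"<kernel> {program}" if directive == "initialize_domain" else domain
    return f"{domain} {program}"  # default: a new child domain


def trace(rules: List[Rule], chain: List[str]) -> List[str]:
    """Domain reached after each exec in `chain`, starting from <kernel>."""
    domain, visited = "<kernel>", []
    for program in chain:
        domain = next_domain(rules, domain, program)
        visited.append(domain)
    return visited


if __name__ == "__main__":
    base = parse_transition_rules(BASE_POLICY)
    updated = parse_transition_rules(UPDATED_POLICY)
    # Services stay in <kernel>; midori gets its own domain and whatever it
    # spawns lands in a child of that domain, which midori's policy must allow.
    print(trace(base, ["/sbin/init", "/usr/sbin/sshd", "/bin/bash"]))
    print(trace(base, ["/sbin/init", "/usr/bin/midori", "/bin/sh"]))
    # A program started through the loader is an exec of the loader: without
    # the Update rule it simply inherits the <kernel> domain.
    loader = "/lib/x86_64-linux-gnu/ld-2.13.so"
    print(trace(base, [loader]), trace(updated, [loader]))
```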
 
In the Exception Policy Editor (w & e), press A and add the entry:

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

Press S and assign profile 1 (learning mode) to it.



midori , . , , .
midori.

Pressing Enter on the midori domain in the Domain Transition Editor opens the Domain Policy Editor, where the entries learned for midori are listed.



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
In the Domain Transition Editor (w & d), press S and change the profile from 1 to 3 (enforcing).
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d prints the current in-kernel domain policy to stdout.
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' keeps only the midori domain and, with -r, its subdomains.
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .
 
.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf
4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en
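The exec-allowlist setup above (profile 4 enforcing only file::execute, the ALLOW_EXEC and ALLOW_EXEC_ROOT path groups, and the <kernel> domain rules) can be reasoned about offline with this added example, which is not part of the original article. It parses a constructed subset of those policy lines and answers whether a task with a given uid in a given domain may execute a given path; it assumes only the `\*` and `\{\*\}/` wildcards and the `task.uid=` condition, treats the domain's profile as enforcing for file::execute, and leaves out the article's `/usr/` entries because they use the `\-` subtraction pattern, which this example does not implement.

```python
r"""Added example (not from the original article): a minimal evaluator for
the TOMOYO exec-allowlist policy shown above.  Assumptions: only the \* and
\{\*\}/ wildcards are implemented, task.uid=N is the only condition
understood, and the domain's profile is enforcing for file::execute."""
import re

# Constructed subset of the article's exception_policy.conf.  The /usr/
# entries are omitted because they rely on the unsupported \- subtraction.
EXCEPTION_POLICY = r"""
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
"""

# Constructed subset of the article's domain_policy.conf.  The browser
# domain carries no `file execute` rule at all, so it may start nothing.
DOMAIN_POLICY = r"""
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0
"""


def tomoyo_to_regex(pattern: str) -> "re.Pattern[str]":
    r"""Translate a TOMOYO path pattern into an anchored regex.

    \{\*\}/ matches one or more directory components ("a/", "a/b/", ...),
    which is why the article lists both /bin/\{\*\}/\* and /bin/\*.
    \* matches any run of characters other than "/".  Any other escape is
    rejected so an unsupported pattern fails loudly rather than silently
    matching too much or too little.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith(r"\{\*\}/", i):
            parts.append(r"(?:[^/]*/)+")
            i += len(r"\{\*\}/")
        elif pattern.startswith(r"\*", i):
            parts.append(r"[^/]*")
            i += 2
        elif pattern[i] == "\\":
            raise ValueError(f"unsupported wildcard in pattern: {pattern}")
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


class ExecPolicy:
    """Path groups plus per-domain `file execute` rules."""

    def __init__(self, exception_policy: str, domain_policy: str) -> None:
        self.groups: dict = {}  # group name -> list of compiled patterns
        for line in exception_policy.splitlines():
            words = line.split()
            if len(words) == 3 and words[0] == "path_group":
                self.groups.setdefault(words[1], []).append(tomoyo_to_regex(words[2]))

        self.rules: dict = {}  # domain -> [(rule target, matchers, required uid)]
        domain = None
        for line in domain_policy.splitlines():
            words = line.split()
            if not words:
                continue
            if words[0] == "<kernel>":  # every domain name starts at <kernel>
                domain = " ".join(words)
                self.rules[domain] = []
            elif words[:2] == ["file", "execute"]:
                if domain is None:
                    raise ValueError("file execute rule outside any domain")
                target, uid = words[2], None
                for cond in words[3:]:
                    if not cond.startswith("task.uid="):
                        raise ValueError(f"unsupported condition: {cond}")
                    uid = int(cond[len("task.uid="):])
                if target.startswith("@"):
                    matchers = self.groups.get(target[1:], [])
                else:
                    matchers = [tomoyo_to_regex(target)]
                self.rules[domain].append((target, matchers, uid))

    def may_execute(self, domain: str, path: str, uid: int):
        """Return the granting rule target, or None when execution is denied."""
        for target, matchers, required_uid in self.rules.get(domain, []):
            if required_uid is not None and uid != required_uid:
                continue  # e.g. ALLOW_EXEC_ROOT only applies when uid == 0
            if any(m.match(path) for m in matchers):
                return target
        return None


def article_policy() -> ExecPolicy:
    return ExecPolicy(EXCEPTION_POLICY, DOMAIN_POLICY)


if __name__ == "__main__":
    p = article_policy()
    for dom, path, uid in [("<kernel>", "/bin/ls", 1000),
                           ("<kernel>", "/home/home/Downloads/installer", 1000),
                           ("<kernel>", "/home/home/Downloads/installer", 0),
                           ("<kernel> /usr/bin/midori", "/bin/sh", 1000)]:
        print(f"{dom:24} uid={uid:<5} {path:32} -> {p.may_execute(dom, path, uid)}")
```

Binaries dropped into /home or /tmp are runnable only by uid 0, and the midori domain, which has no execute rule, cannot spawn a shell at all.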



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> -
<kernel> /sbin/init -
<kernel> /sbin/init /etc/rc.d/rc -
<kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exception Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf
<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf
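tomoyo-checkpolicy only validates syntax; it says nothing about whether the learned midori rules (write access to all of /home/home, a connect rule spanning every IPv4 address) are wider than a browser needs. The following audit is an added example, not code from the article or from the TOMOYO project: it parses domain_policy.conf text in the format tomoyo-savepolicy writes, resolves @path_group references against the path_group lines of exception_policy.conf, and reports non-enforcing profiles, write rules outside the browser's own config directory, and inet rules covering an unrestricted address range. The writable prefixes, the address threshold and the sample policy text are this example's own assumptions.

```python
"""Audit TOMOYO 2.x policy text for grants broader than a browser domain needs.
Added example, not from the original article or the TOMOYO project: it parses
the domain_policy.conf layout the article saves with tomoyo-savepolicy plus the
path_group lines of exception_policy.conf; prefixes and thresholds are assumed.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed excerpt of the learned midori domain, in the article's format.
SAMPLE_DOMAIN_POLICY = r"""
<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env HOME
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file create/chmod /home/home/\* 0-0666
file read/write/append/unlink/truncate @Midoi_Allow
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53
"""
# Constructed path_group block in exception_policy.conf syntax.
SAMPLE_EXCEPTION_POLICY = r"""
path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*
"""
ENFORCING = 3  # stock profiles: 0 disabled, 1 learning, 2 permissive, 3 enforcing
WRITE_OPS = {"write", "append", "create", "unlink", "truncate", "rename",
             "chmod", "chown", "chgrp", "mkdir", "rmdir", "link", "symlink"}
# Where midori may legitimately write (assumption); TOMOYO's '\*' wildcard is
# compared literally here, which is enough for the patterns above.
WRITABLE_PREFIXES = (r"/home/home/.config/midori/", r"/home/\*/.config/midori/")
BROAD_ADDRESS_COUNT = 1 << 16  # an inet rule reaching this many addresses is broad

@dataclass
class Domain:
    name: str
    profile: int = -1  # -1 until a use_profile line is seen
    rules: list = field(default_factory=list)

def parse_domain_policy(text):
    """Split domain_policy.conf text into Domain objects, in file order."""
    domains, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("<kernel>"):
            current = Domain(name=line)
            domains.append(current)
        elif current is None:
            raise ValueError(f"rule before any domain header: {line!r}")
        elif line.startswith("use_profile "):
            current.profile = int(line.split()[1])
        elif not line.startswith("use_group "):
            current.rules.append(line)
    return domains

def parse_path_groups(text):
    """Collect 'path_group NAME PATTERN' lines into {NAME: [PATTERN, ...]}."""
    groups = {}
    for parts in (raw.split() for raw in text.splitlines()):
        if len(parts) == 3 and parts[0] == "path_group":
            groups.setdefault(parts[1], []).append(parts[2])
    return groups

def address_count(spec):
    """Addresses covered by an inet address field: 'a', 'a-b' or '@group'."""
    if spec.startswith("@"):
        return 0  # address_group: lives in exception_policy.conf, not audited
    lo, _, hi = spec.partition("-")
    first = ipaddress.ip_address(lo)
    last = ipaddress.ip_address(hi) if hi else first
    return int(last) - int(first) + 1

def audit_domain(domain, path_groups):
    """Return (finding kind, detail) pairs for one domain."""
    findings = []
    # Custom profiles (the article's profile 4) need profile.conf to judge.
    if domain.profile < ENFORCING:
        findings.append(("not_enforcing", f"use_profile {domain.profile}"))
    for rule in domain.rules:
        parts = rule.split()
        if parts[0] == "file" and len(parts) >= 3 and set(parts[1].split("/")) & WRITE_OPS:
            target = parts[2]  # '@NAME' stands for every member of that path_group
            members = path_groups.get(target[1:], []) if target[0] == "@" else [target]
            findings += [("broad_write", p) for p in members if not p.startswith(WRITABLE_PREFIXES)]
        elif parts[:2] == ["network", "inet"] and len(parts) >= 6:
            if address_count(parts[4]) >= BROAD_ADDRESS_COUNT:
                findings.append(("broad_network", rule))
    return findings

def audit_policy(domain_text, exception_text):
    """Audit every domain; returns {domain name: [(kind, detail), ...]}."""
    groups = parse_path_groups(exception_text)
    return {d.name: audit_domain(d, groups) for d in parse_domain_policy(domain_text)}
```

Run it against the real files with `audit_policy(open("/etc/tomoyo/domain_policy.conf").read(), open("/etc/tomoyo/exception_policy.conf").read())` after tomoyo-checkpolicy has accepted them; every "broad_write" hit is a candidate for narrowing to a path_group like Midoi_Allow before the domain goes to profile 3.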

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf
4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .
 
.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



For example, the many entries for files under /home/home/.config/midori/

can be replaced by one pattern (adding append as well):

file read/write/append/unlink/truncate /home/home/.config/midori/\*

.

Select the individual entries it makes redundant and delete them with D.

And for files in subdirectories of /home/home/.config/midori/ (\{\*\}/ matches one or more directory levels):

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


Wildcard syntax: tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

Domain policy syntax: tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en
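The wildcard rules decide which paths an entry really covers, and the difference between \* and \{\*\}/ is easy to get wrong. The following Python matcher is an added example, not code from the article or from the tomoyo-tools project. It implements only the subset of the expression rules this page uses (\*, \?, \$, \{\*\}/ and the \ooo octal byte seen in \000/tmp/.X11-unix/X0), raises an error for any other escape such as the \- subtraction operator, and the sample patterns at the bottom are constructed from the midori entries above.

```python
r"""Matcher for the TOMOYO 2.5 pathname wildcards used on this page.

Added illustration, not the kernel's matcher. Supported: \* (any run of
characters except '/', possibly empty), \? (one character except '/'),
\$ (one or more digits), \{\*\}/ (one or more directory components) and
\ooo (one byte as three octal digits, e.g. \000 for an abstract socket).
Any other escape, such as the \- subtraction operator, raises ValueError.
"""
import re


def pattern_to_regex(pattern):
    """Translate one TOMOYO pathname pattern into an anchored regex string."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern[i] != "\\":
            out.append(re.escape(pattern[i]))
            i += 1
            continue
        rest = pattern[i + 1:]
        if rest.startswith("{\\*\\}/"):          # \{\*\}/ : one or more "dir/" levels
            out.append(r"(?:[^/]+/)+")
            i += 7
        elif rest.startswith("*"):                # \* : zero or more non-'/' characters
            out.append(r"[^/]*")
            i += 2
        elif rest.startswith("?"):                # \? : exactly one non-'/' character
            out.append(r"[^/]")
            i += 2
        elif rest.startswith("$"):                # \$ : one or more decimal digits
            out.append(r"[0-9]+")
            i += 2
        elif re.match(r"[0-7]{3}", rest):         # \ooo : literal byte given in octal
            out.append(re.escape(chr(int(rest[:3], 8))))
            i += 4
        else:
            raise ValueError(f"unsupported escape at offset {i} in {pattern!r}")
    return "^" + "".join(out) + "$"


def path_matches(pattern, path):
    """True when `path` is covered by the TOMOYO pattern `pattern`."""
    return re.match(pattern_to_regex(pattern), path) is not None


def covered_by(patterns, path):
    """Patterns from `patterns` that cover `path`: a quick way to read a policy."""
    return [p for p in patterns if path_matches(p, path)]


if __name__ == "__main__":
    # Constructed sample: the two midori patterns discussed above.
    rules = [r"/home/home/.config/midori/\*", r"/home/home/.config/midori/\{\*\}/\*"]
    for path in ("/home/home/.config/midori/config",
                 "/home/home/.config/midori/extensions/adblock",
                 "/home/home/.config/midori/"):
        print(path, "->", covered_by(rules, path))
```

TOMOYO names a directory with a trailing slash, so /home/home/.config/midori/\* also covers the directory itself, while /home/home/.config/midori/\{\*\}/\* needs at least one subdirectory level. That is why the article keeps both patterns for each directory.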


.



Network entries can be generalized the same way, for example to allow outgoing TCP connections to any address on ports 80-443:

network inet stream connect 0.0.0.0-255.255.255.255 80-443

Then press O (optimize) to mark the individual entries now covered by the pattern, and D to delete them.


Network entry syntax: tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

Delete the entries midori should not have with D.
Then, in the Domain Transition Editor (w & d), press S and change the profile from 1 to 3 (enforcing).
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

What this does:
tomoyo-savepolicy -d prints the domain policy currently loaded in the kernel to stdout.
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' keeps only the midori domain (with -r recursively, including its subdomains).
>> /etc/tomoyo/domain_policy.conf appends the result to the domain policy file.

The policy obtained for midori:

/etc/tomoyo/domain_policy.conf
<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

In exception_policy.conf:

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

And in domain_policy.conf the individual entries are replaced by a reference to the group:

file read/write/append/unlink/truncate @Midoi_Allow

After editing the files by hand, check their syntax before loading them into Tomoyo:

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd writes the audit log (granted and rejected requests, according to the profile's grant_log and reject_log settings) to /var/log/tomoyo/.


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

For example: programs under /home and /tmp may be executed only by root.
.

.

/etc/tomoyo/profile.conf
4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any


Domain policy:

/etc/tomoyo/domain_policy.conf
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
Everything executed from the <kernel> domain stays in the <kernel> domain, so the whole system runs in that one domain under its policy.

initialize_domain /usr/bin/midori from any
midori nevertheless gets its own domain, <kernel> /usr/bin/midori, because initialize_domain is evaluated before keep_domain.
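To see how these two rules interact with the default naming of domains (the init/sshd/bash chains of section 1 and the two exception rules in this note), the following Python model is an added example, not code from the article or from the TOMOYO kernel. It reproduces the transition rules used on this page (child domain = caller plus program, initialize_domain X from any, keep_domain any from <kernel>) in the kernel's evaluation order, where initialize_domain is checked before keep_domain; the exception policy text it reads is a constructed sample.

```python
"""Model of how TOMOYO 2.5 names the domain a process enters on execve().

Added illustration, not code from the article or the TOMOYO kernel. It covers
the three transition rules this page relies on, evaluated in the kernel's
order: initialize_domain first, keep_domain second, plain child domain last.
The exception policy text below is a constructed sample.
"""

KERNEL = "<kernel>"


def parse_transition_rules(exception_policy):
    """Collect (program, source) pairs from initialize_domain and keep_domain lines."""
    init_rules, keep_rules = [], []
    for line in exception_policy.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] == "from":
            keyword, program, _, source = parts
            if keyword == "initialize_domain":
                init_rules.append((program, source))
            elif keyword == "keep_domain":
                keep_rules.append((program, source))
    return init_rules, keep_rules


def rule_applies(rule, caller, program):
    """A rule matches when its program part and its 'from' part both match.

    'any' matches every program / every caller; otherwise the program must be
    identical and the 'from' part must equal the caller's full domain name
    (the only form used on this page, e.g. 'from <kernel>').
    """
    rule_program, rule_source = rule
    if rule_program not in ("any", program):
        return False
    return rule_source in ("any", caller)


def next_domain(caller, program, exception_policy):
    """Domain a process in `caller` lands in after executing `program`."""
    init_rules, keep_rules = parse_transition_rules(exception_policy)
    # initialize_domain wins: the process restarts directly under <kernel>.
    if any(rule_applies(r, caller, program) for r in init_rules):
        return f"{KERNEL} {program}"
    # keep_domain: the process stays in the caller's domain.
    if any(rule_applies(r, caller, program) for r in keep_rules):
        return caller
    # Default: a new child domain named after the caller plus the program.
    return f"{caller} {program}"


def exec_chain(programs, exception_policy, start=KERNEL):
    """Follow successive execve() calls and return every domain visited."""
    domains = [start]
    for program in programs:
        domains.append(next_domain(domains[-1], program, exception_policy))
    return domains


# Constructed sample: the two rules of the article's system-wide policy.
SAMPLE_EXCEPTION_POLICY = """
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any
"""

if __name__ == "__main__":
    # No rules: init -> sshd -> bash gives bash a domain of its own.
    print(exec_chain(["/sbin/init", "/usr/sbin/sshd", "/bin/bash"], ""))
    # Article's rules: everything stays in <kernel>, except midori.
    print(exec_chain(["/sbin/init", "/bin/bash", "/usr/bin/midori"], SAMPLE_EXCEPTION_POLICY))
```

With the article's two rules the first chain collapses to <kernel>, <kernel>, <kernel> and the midori step yields <kernel> /usr/bin/midori; anything midori itself executes would land in a child of that domain, which profile 3 with no file execute entry then rejects.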

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
Only file::execute is enforced in profile 4; every other functionality stays disabled, so a domain with use_profile 4 is checked for program execution and nothing else.
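How profile 4 answers "is this request checked?" follows the kernel's lookup order: the functionality entry (4-CONFIG::file::execute) wins, then a category entry (N-CONFIG::file, N-CONFIG::network), then the profile default (4-CONFIG). The following Python resolver is an added example, not part of the article or of tomoyo-tools; it parses the profile.conf line format shown above and uses the article's profile 4 plus a constructed profile 3 with a category override as sample input. The functionality names file::open and network::inet_stream_connect are TOMOYO 2.5 names, not taken from this page.

```python
"""Effective TOMOYO 2.5 mode of one functionality in one profile.

Added illustration, not part of the article or tomoyo-tools. Parses the
profile.conf line format shown on this page and applies the kernel's lookup
order: N-CONFIG::<category>::<functionality>, then N-CONFIG::<category>,
then the profile default N-CONFIG. Sample input: the article's profile 4
plus a constructed profile 3.
"""
import re

# Profile numbers 0-3 of the stock profile.conf correspond to these mode names.
MODE_NAMES = ("disabled", "learning", "permissive", "enforcing")

_CONFIG_LINE = re.compile(r"^(\d+)-(CONFIG(?:::\w+)*)=\{(.*)\}$")


def parse_profile_conf(text):
    """Return {profile_number: {config_key: {setting: value}}}.

    COMMENT, PREFERENCE and PROFILE_VERSION lines are skipped.
    """
    profiles = {}
    for raw in text.splitlines():
        match = _CONFIG_LINE.match(raw.strip())
        if not match:
            continue
        number, key, body = int(match.group(1)), match.group(2), match.group(3)
        settings = dict(item.split("=", 1) for item in body.split())
        profiles.setdefault(number, {})[key] = settings
    return profiles


def effective_config(profiles, number, functionality):
    """Settings applying to `functionality` (e.g. 'file::execute') in profile `number`."""
    profile = profiles[number]
    category = functionality.split("::")[0]
    for key in (f"CONFIG::{functionality}", f"CONFIG::{category}", "CONFIG"):
        if key in profile:
            return profile[key]
    raise KeyError(f"profile {number} has no CONFIG line")


def effective_mode(profiles, number, functionality):
    """Mode name that governs `functionality` in profile `number`."""
    return effective_config(profiles, number, functionality)["mode"]


def is_rejected_when_unlisted(profiles, number, functionality):
    """True only in enforcing mode: a request with no matching ACL entry is denied."""
    return effective_mode(profiles, number, functionality) == "enforcing"


# Profile 4 is copied from the article; profile 3 is constructed, with a
# category-level override for network to show the middle lookup step.
SAMPLE_PROFILE_CONF = """
3-COMMENT=-----Enforcing Mode-----
3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }
3-CONFIG::network={ mode=permissive grant_log=no reject_log=yes }
4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
"""

if __name__ == "__main__":
    profiles = parse_profile_conf(SAMPLE_PROFILE_CONF)
    for number, functionality in ((4, "file::execute"), (4, "file::open"),
                                  (3, "file::open"), (3, "network::inet_stream_connect")):
        print(number, functionality, "->", effective_mode(profiles, number, functionality))
```

For profile 4 this gives enforcing for file::execute and disabled for everything else, which is exactly why the <kernel> domain above needs no read or network entries.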

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

P.S. Another MAC implementation by the author of Tomoyo: caitsith.sourceforge.jp

Update!

Tomoyo's execute control on its own can be sidestepped: a program can be started by handing it to the dynamic loader (ld-linux.so.2 /path/to/program), because the file actually executed is then the loader, not the program.

The fix is to give the loader its own domain with an enforcing profile and no permissions at all, so nothing can be run through it:

In domain_policy.conf:
<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

In exception_policy.conf:
initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
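Two things worth checking mechanically in a saved policy are the broad entries that learning mode produces (the midori dump above grants wildcard writes under /home/home and TCP connects to any IPv4 address on the whole port range 80-443, since min-max in a network entry is a range, not a pair of ports) and whether the dynamic loader is confined the way this update does it. The following Python audit is an added example, not code from the article or from tomoyo-tools: it parses the tomoyo-savepolicy -d and -e text formats shown on this page, resolves @path_group references, lists the wide entries, and verifies that each loader domain has an enforcing profile, no file execute entries and an initialize_domain rule. The embedded policies are hand-shortened excerpts of the article's midori, <kernel> and ld-2.13.so domains.

```python
"""Audit of saved TOMOYO 2.5 policy text: broad entries and loader confinement.

Added illustration, not code from the article or tomoyo-tools. It reads the
text that `tomoyo-savepolicy -d` and `-e` print (the format shown on this
page), resolves @path_group references and reports what a reviewer should
look at twice. The embedded policies are hand-shortened excerpts of the
article's midori, <kernel> and ld-2.13.so domains.
"""
import re

WRITE_PERMS = {"write", "append", "unlink", "truncate", "create", "rename",
               "chmod", "chown", "mkdir", "rmdir", "link", "symlink"}
# Wildcards used on this page: \*  \{\*\}/  \?  \$
WILDCARD = re.compile(r"\\\*|\\\{\\\*\\\}/|\\\?|\\\$")
# Programs that are the dynamic loader, e.g. ld-2.13.so or ld-linux.so.2
LOADER = re.compile(r"/ld-[^/]*\.so(\.\d+)?$")
ANY_IPV4 = "0.0.0.0-255.255.255.255"


def parse_domain_policy(text):
    """Return {domain_name: [entry, ...]} from tomoyo-savepolicy -d style text."""
    domains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("<kernel>"):      # a domain header line
            current = line
            domains[current] = []
        elif current is not None:
            domains[current].append(line)
    return domains


def parse_path_groups(text):
    """Return {group_name: [pattern, ...]} from exception policy text."""
    groups = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "path_group":
            groups.setdefault(parts[1], []).append(parts[2])
    return groups


def expand(argument, groups):
    """Member patterns of an @group argument, or the literal path itself."""
    return groups.get(argument[1:], []) if argument.startswith("@") else [argument]


def broad_entries(domains, groups):
    """(domain, entry, reason) for entries reaching beyond a single path or host."""
    findings = []
    for domain, entries in domains.items():
        for entry in entries:
            parts = entry.split()
            if parts[0] == "file" and len(parts) >= 3:
                perms = set(parts[1].split("/"))
                kind = "write" if perms & WRITE_PERMS else "read/exec"
                # Only the first path argument is inspected (rename/link have two).
                for pattern in expand(parts[2], groups):
                    if WILDCARD.search(pattern):
                        findings.append((domain, entry, f"wildcard {kind} access: {pattern}"))
            elif (parts[:4] == ["network", "inet", "stream", "connect"]
                  and len(parts) > 5 and parts[4] == ANY_IPV4):
                findings.append((domain, entry, f"TCP connect to any IPv4 address, ports {parts[5]}"))
    return findings


def loader_confinement(domains, exception_policy):
    """Per loader domain: enforcing profile, no execute entries, own domain via initialize_domain."""
    rules = set(exception_policy.splitlines())
    report = {}
    for domain, entries in domains.items():
        program = domain.split()[-1]
        if not LOADER.search(program):
            continue
        profile = next((e.split()[1] for e in entries if e.startswith("use_profile ")), None)
        report[program] = {
            "enforcing": profile == "3",
            "no_execute_rules": not any(e.startswith("file execute ") for e in entries),
            "own_domain": f"initialize_domain {program} from any" in rules,
        }
    return report


SAMPLE_DOMAIN_POLICY = r"""
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0
file read /etc/ssl/certs/ca-certificates.crt
file read /etc/resolv.conf
file read/write/append/unlink/truncate @Midoi_Allow
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0
"""

SAMPLE_EXCEPTION_POLICY = r"""
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any
initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
"""

if __name__ == "__main__":
    domains = parse_domain_policy(SAMPLE_DOMAIN_POLICY)
    groups = parse_path_groups(SAMPLE_EXCEPTION_POLICY)
    for domain, entry, reason in broad_entries(domains, groups):
        print(f"{domain}: {entry}\n    {reason}")
    print(loader_confinement(domains, SAMPLE_EXCEPTION_POLICY))
```

Run against the real files, feed it the output of tomoyo-savepolicy -d and tomoyo-savepolicy -e; the loader check reports all three conditions false for a loader domain that is still in learning mode or can execute anything.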
 


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

In tomoyo-editpolicy switch to the Exception Policy Editor (press w, then e), press A to add an entry and type:

initialize_domain /usr/bin/midori from any

With this line midori gets a domain of its own, <kernel> /usr/bin/midori, no matter which shell, panel or session started it. Without it there would be one midori domain per launch path (<kernel> ... /bin/bash /usr/bin/midori, <kernel> ... /usr/sbin/gdm3 ... /usr/bin/midori and so on), each needing its own policy.

Domain transitions are described in the Tomoyo documentation: tomoyo.sourceforge.jp/2.5/chapter-5.html.en

Now switch to the Domain Transition Editor (w, then d). The new domain is listed as

/usr/bin/midori *

Put the cursor on it, press S and enter 1: profile 1 is learning mode.



Start midori and use it as you normally would. In learning mode nothing is blocked; every access the browser makes is added to its domain as a rule. Then, back in the Domain Transition Editor, press Enter on the midori domain to open the Domain Policy Editor and look at what has been learned.



The learned list is long and literal: every plugin, every configuration file, every file the browser touched. An argument beginning with @ refers to a group (path_group, number_group or address_group) defined in the exception policy.

Go through the list and generalise. The files under /home/home/.config/midori/, for example, show up as dozens of separate entries. Replace them with one rule for the directory that carries the union of the permissions seen there; remember that append is a permission of its own, separate from write, and must be listed if the program opens files for appending:

file read/write/append/unlink/truncate /home/home/.config/midori/\*

rename is not a single-path operation and cannot be granted from such a list; renaming needs its own two-argument rule, for example file rename /home/home/.config/midori/\* /home/home/.config/midori/\*

Add the new rule with A, mark the entries it makes redundant (Space on each, or O on the new rule to mark everything it already covers) and delete them with D.

\* matches any string that contains no slash, so the rule above covers files directly in the directory but not those in its subdirectories. \{\*\}/ matches one or more directory components, so a second rule covers the subtree at any depth:

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*

Wildcards: tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard
Domain policy syntax: tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


Network access gets the same treatment. Learning mode records one connect entry per address the browser talked to, which is useless for a browser; replace them with one rule covering any address:

network inet stream connect 0.0.0.0-255.255.255.255 80-443

Put the cursor on the new rule and press O: tomoyo-editpolicy marks every entry that the rule at the cursor already covers, and D then deletes the marked entries.

Two things to keep in mind. 80-443 is a contiguous range, so it also permits ports 81 through 442; if only HTTP and HTTPS are meant, write two rules, one ending in 80 and one in 443. And the learned DNS rule, network inet dgram send 192.168.1.1 53, is tied to the resolver address the machine used at the time.

Network rule syntax: tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


Read the remaining entries critically. Learning mode records everything the program touched, not only what it needs; if, say, midori read /etc/passwd, ask whether a browser has any business doing so. An entry you cannot explain is better deleted and tested than kept.

Delete what you do not want with D. Then go back to the Domain Transition Editor (w, then d), press S on the midori domain and change the profile from 1 to 3, enforcing mode. Start midori again. Does everything work? Good. Does something break? Find the rejected access in the audit log (tomoyo-auditd, below), add the missing rule and try again.

Finally save the midori domain to disk, so that the policy survives a reboot:

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

Step by step:
tomoyo-savepolicy -d writes the domain policy currently loaded in the kernel to standard output.
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' keeps only that domain; -r also keeps any domains below it.
>> /etc/tomoyo/domain_policy.conf appends the result to the on-disk domain policy. It appends, so if an older copy of the midori domain is already in the file, remove it first.

The midori domain as it ends up in /etc/tomoyo/domain_policy.conf:

<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53

Three of these entries contain names that change with every login: /run/gdm3/auth-for-home-WxYaIE/database (the X authority file), \000/tmp/dbus-BKDp9V4Rww (the session bus socket) and /home/home/.cache/keyring-XULOQY/pkcs11 (the keyring socket). In enforcing mode midori will be refused all three at the next session. Replace the random part with \* (auth-for-home-\*, dbus-\*, keyring-\*) before relying on the policy.
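The generalisation steps above (masking per-session random names, folding the entries under one directory into the two wildcard rules, replacing per-address connects) are mechanical enough to script. The following is an added example, not code from the article or from tomoyo-tools: it takes learned entries in the domain-policy syntax shown above and emits a reduced list. The sample entries are constructed from the dump; the random-token heuristic (a dash followed by six or more alphanumerics containing a capital letter) and the fixed directory to fold are assumptions of the example, so review its output before loading it.

```python
import re

# Constructed sample: a few of the entries learning mode produced for the midori
# domain above (plugins, the browser's own config directory, session sockets, sites).
LEARNED = """\
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libcookie-manager.so
file read /home/home/.config/midori/config
file read/write /home/home/.config/midori/cookies.db
file read/write /home/home/.config/midori/extensions/adblock/config
file read /run/gdm3/auth-for-home-WxYaIE/database
network unix stream connect \\000/tmp/dbus-BKDp9V4Rww
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
network inet stream connect 93.184.216.34 80
network inet stream connect 93.184.216.34 443
network inet stream connect 178.248.237.68 443
network inet dgram send 192.168.1.1 53
"""

# Single-path file permissions, in the order tomoyo-savepolicy prints them.
PERM_ORDER = ["read", "write", "append", "unlink", "truncate", "getattr"]

# Heuristic (an assumption of this example): a component such as keyring-XULOQY or
# dbus-BKDp9V4Rww is a per-session random token if a dash is followed by six or more
# alphanumerics that include a capital letter. Plain dictionary words stay untouched.
RANDOM_COMPONENT = re.compile(r"^([A-Za-z_.-]+-)(?=[A-Za-z0-9]*[A-Z])[A-Za-z0-9]{6,}$")


def mask_random_components(path):
    """Replace random path components with the TOMOYO \\* wildcard (keyring-\\*)."""
    out = []
    for comp in path.split("/"):
        m = RANDOM_COMPONENT.match(comp)
        out.append(m.group(1) + "\\*" if m else comp)
    return "/".join(out)


def mask_entry(entry):
    """Apply mask_random_components to the path-like tokens of one policy line."""
    return " ".join(mask_random_components(t) if t.startswith(("/", "\\000")) else t
                    for t in entry.split())


def collapse_directory(entries, directory):
    """Fold single-path 'file' entries under `directory` (must end in '/') into one rule
    for the directory itself and one for its subtree, carrying the union of the
    permissions seen. create/chmod (which carry a mode) and two-path rename are kept."""
    perms, kept = set(), []
    for e in entries:
        parts = e.split()
        if (len(parts) == 3 and parts[0] == "file" and parts[2].startswith(directory)
                and set(parts[1].split("/")) <= set(PERM_ORDER)):
            perms |= set(parts[1].split("/"))
        else:
            kept.append(e)
    if perms:
        p = "/".join(x for x in PERM_ORDER if x in perms)
        kept.append("file " + p + " " + directory + "\\*")
        kept.append("file " + p + " " + directory + "\\{\\*\\}/\\*")
    return kept


def collapse_inet_connect(entries):
    """A browser connects anywhere, so per-address 'network inet stream connect' entries
    become one any-address rule per port actually seen. One rule per port on purpose:
    a range such as 80-443 would also allow 81 through 442."""
    ports, kept = set(), []
    for e in entries:
        parts = e.split()
        if parts[:4] == ["network", "inet", "stream", "connect"] and len(parts) == 6 \
                and parts[5].isdigit():
            ports.add(int(parts[5]))
        else:
            kept.append(e)
    kept += ["network inet stream connect 0.0.0.0-255.255.255.255 %d" % port
             for port in sorted(ports)]
    return kept


def minimize(text, directory):
    """Mask random names, drop duplicates, then fold the directory and the connects."""
    entries = []
    for line in text.splitlines():
        e = mask_entry(line.strip())
        if e and e not in entries:
            entries.append(e)
    return collapse_inet_connect(collapse_directory(entries, directory))


if __name__ == "__main__":
    for rule in minimize(LEARNED, "/home/home/.config/midori/"):
        print(rule)
```

The output keeps the plugin reads as they are, turns the three /home/home/.config/midori entries into the \* and \{\*\}/\* pair with read/write, rewrites the gdm3, dbus and keyring names with \*, and replaces the three site connects by two any-address rules, one for port 80 and one for port 443.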


Save the exception policy too; it now contains the initialize_domain line:

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

The policy above still lets the browser read, write and delete anything under /home/home. To confine it to the directories it actually needs, define a path group in exception_policy.conf:

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

and in domain_policy.conf replace the file read/write/append/unlink/truncate entries for /home/home/\* and /home/home/\{\*\}/\* with a reference to the group:

file read/write/append/unlink/truncate @Midoi_Allow

After editing the files by hand, check them for syntax errors before loading them into Tomoyo:

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

If something fails in enforcing mode and the reason is not obvious, use the audit log: start tomoyo-auditd and it writes the rejected accesses (and the granted ones, where grant_log is enabled in the profile) under /var/log/tomoyo. A rejected request is logged with its domain in policy syntax, so once you have decided it is legitimate it can be pasted into the domain as is.

Other worked examples of per-application Tomoyo policies:
wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo is not limited to individual applications; it can also impose one rule on the whole system. The policy below lets ordinary users execute programs only from the system directories, while root may additionally run programs from /home, /tmp, /var, /opt, /mnt, /media and the library directories. A binary dropped into a home directory or /tmp by a user, or by something running as a user, simply does not start. This takes a profile of its own and a couple of path groups.

First the profile, added to /etc/tomoyo/profile.conf. It enforces nothing except file::execute:

4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

Then the groups and the domain transition rules, in /etc/tomoyo/exception_policy.conf:

path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any


And the domains, in /etc/tomoyo/domain_policy.conf (the midori domain is followed by the rules learned for it above):

<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0

A few points that deserve explanation.

1. Why are midori (the \-midori in the /usr group) and medit subtracted from ALLOW_EXEC and then allowed by explicit file execute lines? This is a peculiarity of Tomoyo the author ran into: the program that is meant to leave <kernel> through initialize_domain is granted by its exact path rather than through a group. midori is that program here; medit is listed the same way so that it, too, can later be moved into a domain of its own with an initialize_domain /usr/bin/medit from any line.

2. file execute @ALLOW_EXEC_ROOT task.uid=0
The task.uid=0 condition restricts this rule to processes running as root; everyone else is limited to ALLOW_EXEC. Conditions of this kind can be attached to any rule.
Details: tomoyo.sourceforge.jp/2.5/chapter-10.html.en

3. keep_domain any from <kernel>
Normally every executed program gets a domain of its own beneath its parent. This line keeps every program started from <kernel>, and everything those programs start in turn, inside <kernel>, so the whole system runs in one domain with profile 4.
initialize_domain /usr/bin/midori from any
is the exception: initialize_domain takes precedence over keep_domain, so midori still leaves <kernel> for its own, fully enforced domain.

4. 4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
Profile 4 disables every check except file::execute. A domain with use_profile 4 may read, write and connect without restriction; only what it executes is controlled.
Profile syntax: tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo is flexible enough to confine a single application or, as here, to restrict the whole system to a whitelist of executables, and the policies stay readable.

P.S. Another mandatory access control system from the Tomoyo developer: caitsith.sourceforge.jp

Update!

The execute whitelist can be bypassed. The dynamic loader, ld-linux.so.2 (on Debian Wheezy amd64 the real file is /lib/x86_64-linux-gnu/ld-2.13.so), is an executable in its own right: started as ld-2.13.so /path/to/program it loads and runs the program, while Tomoyo sees only an execute of the loader, not of the program behind it.

The fix is to give the loader a domain of its own in enforcing mode, with no permissions at all. In domain_policy.conf:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

and in exception_policy.conf:

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any

The empty domain is the point: started directly, the loader lands in a domain that may open nothing, not even the program it was asked to run, and the trick fails. Programs started normally are unaffected, because for them the kernel loads ld-2.13.so as the ELF interpreter, which is not an execute of the loader as far as Tomoyo's domain transition is concerned. Use the path of the real file (ls -l /lib64/ld-linux-x86-64.so.2 shows where the symlink points); Tomoyo matches real paths, not symlink names. With the groups above the loader under /lib is executable by root only, but on a layout that puts it under /usr (a merged /usr does) it is open to every user, so add the domain regardless.
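To see what the execute whitelist actually permits without loading it into a kernel, here is an added example, not code from the article or from Tomoyo itself: a Python re-implementation of the subset of Tomoyo pathname matching that the policy uses (\* within a component, \{\*\}/ for one or more directory components, and \- subtraction, where the first sub-pattern must match and none of the later ones may, as in the kernel's matcher), plus the two forms of file execute rule found in <kernel>, including the task.uid=0 condition. The group list is trimmed to the entries exercised; real-path resolution, the other wildcards (\@, \+, \x, \a and friends) and other domains are outside the example. It shows why /usr/bin/midori is reachable only through its explicit rule, and who may start the loader under /lib that the Update is about.

```python
import re
from functools import lru_cache

# Constructed input: the path groups of the system-wide policy above, trimmed to the
# entries exercised here, and the execute rules of the <kernel> domain.
EXCEPTION_POLICY = r"""
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
"""
KERNEL_DOMAIN = r"""
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori
"""


def parse_groups(text):
    """Collect path_group definitions: name -> list of path patterns."""
    groups = {}
    for line in text.splitlines():
        parts = line.split()
        if parts[:1] == ["path_group"]:
            groups.setdefault(parts[1], []).append(parts[2])
    return groups


def parse_exec_rules(text):
    """Collect 'file execute <target> [task.uid=N]' rules of one domain as (target, uid)."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if parts[:2] == ["file", "execute"]:
            uid = next((int(c[9:]) for c in parts[3:] if c.startswith("task.uid=")), None)
            rules.append((parts[2], uid))
    return rules


@lru_cache(maxsize=None)
def _component_regex(pat):
    """One path component pattern (without \\-) as a regex: \\* any run of non-'/'
    characters, \\$ digits, \\? one character, \\\\ a backslash; all else literal."""
    out, i = "", 0
    while i < len(pat):
        if pat[i] == "\\" and i + 1 < len(pat):
            n, i = pat[i + 1], i + 2
            out += {"*": "[^/]*", "$": "[0-9]+", "?": "[^/]"}.get(n, re.escape(n))
        else:
            out, i = out + re.escape(pat[i]), i + 1
    return re.compile("^" + out + "$")


def component_matches(comp, pat):
    """\\- subtraction as the kernel does it: split at \\-, the first sub-pattern must
    match the component and none of the later ones may."""
    first, *minus = pat.split("\\-")
    if not _component_regex(first).match(comp):
        return False
    return not any(_component_regex(m).match(comp) for m in minus)


def _match(comps, pats):
    if not pats:
        return not comps
    head = pats[0]
    if head.startswith("\\{") and head.endswith("\\}"):
        inner = head[2:-2]  # \{dir\}/ stands for 'dir/' repeated one or more times
        return any(all(component_matches(c, inner) for c in comps[:n])
                   and _match(comps[n:], pats[1:]) for n in range(1, len(comps) + 1))
    return bool(comps) and component_matches(comps[0], head) and _match(comps[1:], pats[1:])


def path_matches(path, pattern):
    """Match an absolute path against a TOMOYO path pattern, component by component."""
    return _match(path.split("/")[1:], pattern.split("/")[1:])


def may_execute(path, uid, rules, groups):
    """True if one of the domain's execute rules allows `path` (already a real path,
    symlinks resolved as TOMOYO does) for a task running with this uid."""
    for target, required_uid in rules:
        if required_uid is not None and uid != required_uid:
            continue
        patterns = groups.get(target[1:], []) if target.startswith("@") else [target]
        if any(path_matches(path, p) for p in patterns):
            return True
    return False


if __name__ == "__main__":
    groups, rules = parse_groups(EXCEPTION_POLICY), parse_exec_rules(KERNEL_DOMAIN)
    for path, uid in [("/bin/ls", 1000), ("/usr/bin/midori", 1000), ("/home/home/evil", 1000),
                      ("/home/home/evil", 0), ("/lib/x86_64-linux-gnu/ld-2.13.so", 1000)]:
        verdict = "allowed" if may_execute(path, uid, rules, groups) else "denied"
        print("uid %4d exec %s: %s" % (uid, path, verdict))
```

Running it shows /bin/ls and /usr/bin/midori allowed for an ordinary user (the latter only through its explicit rule; the /usr group rejects the final component midori), /home/home/evil denied for uid 1000 and allowed for root, and the loader under /lib denied for uid 1000, which is exactly the boundary the Update moves by giving the loader its own empty domain.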
 
.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf
4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en
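An added example, not code from the article, that serves both the @Midoi_Allow path_group rule above and the `file execute @ALLOW_EXEC_ROOT task.uid=0` rule of the execute-only policy: a small Python checker that implements TOMOYO's path wildcards, path_group lookup and the task.uid condition, so a learned rule set can be exercised offline (for instance, confirming that midori cannot read /etc/passwd) before the domain is switched to profile 3. The two policy texts embedded in it are constructed from the article's rules; the `\-` exclusion operator is not modelled.

```python
# Added example, not code from the article: an offline checker that applies TOMOYO 2.5
# path patterns and path_group references the way the domain policy does.
import re
from typing import Dict, List

# Constructed exception policy: the Midoi_Allow group from the article plus the
# /home members of the ALLOW_EXEC_ROOT group from the execute-only setup.
EXCEPTION_POLICY = r"""
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\*
"""

# Constructed domain policy: the execute-only <kernel> domain and the midori
# domain after its broad /home/home rules were replaced by @Midoi_Allow.
DOMAIN_POLICY = r"""
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/midori
<kernel> /usr/bin/midori
use_profile 3
use_group 0
file read /etc/resolv.conf
file read /etc/fonts/\{\*\}/\*
file read/write/append/unlink/truncate @Midoi_Allow
"""

# Single-character TOMOYO wildcards and the regex fragment each expands to.
_WILDCARDS = {"*": r"[^/]*", "@": r"[^/.]*", "?": r"[^/]", "$": r"[0-9]+",
              "+": r"[0-9]", "x": r"[0-9A-Fa-f]", "X": r"[0-9A-Fa-f]+",
              "a": r"[A-Za-z]", "A": r"[A-Za-z]+", "\\": r"\\"}


def pattern_to_regex(pat: str) -> str:
    # \* never crosses a '/', and \{sub\}/ means one or more repetitions of
    # "sub/": that is why /dir/\* and /dir/\{\*\}/\* are two separate rules.
    out, i = [], 0
    while i < len(pat):
        nxt = pat[i + 1] if pat[i] == "\\" and i + 1 < len(pat) else None
        if pat[i] != "\\":
            out.append(re.escape(pat[i]))
            i += 1
        elif nxt == "{":
            end = pat.find(r"\}/", i + 2)
            if end < 0:
                raise ValueError("unterminated recursive group in " + pat)
            out.append("(?:" + pattern_to_regex(pat[i + 2:end]) + "/)+")
            i = end + 3
        elif nxt in _WILDCARDS:
            out.append(_WILDCARDS[nxt])
            i += 2
        else:  # the \- exclusion operator and octal escapes are not modelled
            raise ValueError("unsupported escape in " + pat)
    return "".join(out)


def path_matches(pat: str, path: str) -> bool:
    # A pattern has to match the whole pathname, as the kernel requires.
    return re.fullmatch(pattern_to_regex(pat), path) is not None


def parse_path_groups(text: str) -> Dict[str, List[str]]:
    groups: Dict[str, List[str]] = {}
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) == 3 and parts[0] == "path_group":
            groups.setdefault(parts[1], []).append(parts[2])
    return groups


def parse_domain_policy(text: str) -> Dict[str, List[str]]:
    """Map each '<kernel> ...' domain header to the rule lines under it."""
    domains: Dict[str, List[str]] = {}
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("<kernel>"):
            current = line
            domains[current] = []
        elif line and current is not None:
            domains[current].append(line)
    return domains


def file_access_allowed(rules: List[str], groups: Dict[str, List[str]],
                        op: str, path: str, uid: int = 1000) -> bool:
    """True if a 'file <ops> <pattern> [task.uid=N]' rule permits op on path."""
    for parts in (rule.split() for rule in rules):
        if len(parts) < 3 or parts[0] != "file" or op not in parts[1].split("/"):
            continue
        target, extra = parts[2], parts[3:]
        # Only the task.uid=N condition is modelled; a rule with any other extra
        # argument (create mode, second path, other condition) never matches here.
        if any(not e.startswith("task.uid=") or int(e[9:]) != uid for e in extra):
            continue
        patterns = groups.get(target[1:], []) if target.startswith("@") else [target]
        if any(path_matches(p, path) for p in patterns):
            return True
    return False
```

Feed it the output of `tomoyo-savepolicy -d` and `-e` instead of the embedded texts to check a real learned domain; network rules and two-path rules such as `file rename` are deliberately left out.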



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .
 
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exception Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf
<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf
4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en
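An added example follows; it is not code from the article or from tomoyo-tools. It reimplements, in simplified form, the pieces the policies above rely on: the \*, \{\*\}/ and \- pathname patterns (which is why /home/home/.config/midori/\* and /home/home/.config/midori/\{\*\}/\* are two separate rules in the midori domain), resolution of @ALLOW_EXEC and @ALLOW_EXEC_ROOT from the path_group lines, the task.uid=0 condition that reserves execution from /home, /tmp and the other ALLOW_EXEC_ROOT locations to root, and the domain selection that tomoyo-selectpolicy -r performs in the tomoyo-savepolicy -d | tomoyo-selectpolicy -r ... pipeline. The policy text embedded in it is a constructed, trimmed copy of the page's own rules; the child domain <kernel> /usr/bin/midori /usr/bin/xdg-open is hypothetical and only there to show recursive selection; the matcher covers only the wildcards the page uses and is not TOMOYO's own matching code, and treating \- as a per-component subtraction is this example's assumption.

```python
r"""Toy evaluator for the TOMOYO 2.5 policy fragments shown on this page.
Added example, not from the article or tomoyo-tools: simplified \*, \{\*\}/
and \- pathname patterns, path_group resolution, the 'file execute ...
task.uid=N' ACL, and the domain selection of `tomoyo-selectpolicy -r`."""
import re

# Constructed, trimmed copy of the page's exception policy.
EXCEPTION_POLICY = r"""
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
initialize_domain /usr/bin/midori from any
"""

# Constructed domain policy: the page's <kernel> rules, a trimmed midori
# domain, and a hypothetical child domain to show recursive selection.
DOMAIN_POLICY = r"""
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0
file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*

<kernel> /usr/bin/midori /usr/bin/xdg-open
use_profile 3
use_group 0
"""

def _component_regex(comp):
    r"""One path component: literal text, \* -> [^/]*, and the subtraction
    operator A\-B (matches A but not B), applied within this component."""
    def plain(p):
        return '[^/]*'.join(re.escape(s) for s in p.split(r'\*'))
    positive, *negatives = comp.split(r'\-')
    regex = plain(positive)
    if negatives:
        alts = '|'.join(plain(n) for n in negatives)
        regex = rf'(?!(?:{alts})(?:/|$)){regex}'
    return regex

def compile_pattern(pattern):
    r"""Anchored regex for a TOMOYO pathname pattern. \{\*\}/ stands for one
    or more directory components, so /home/\{\*\}/\* does not match /home/x;
    that is why the page lists /home/\* and /home/\{\*\}/\* separately."""
    comps = pattern.split('/')
    regex = '^'
    for i, comp in enumerate(comps):
        if comp == r'\{\*\}':
            regex += '(?:[^/]+/)+'  # consumes its own trailing '/'
        else:
            regex += _component_regex(comp) + ('/' if i < len(comps) - 1 else '')
    return re.compile(regex + '$')

def parse_exception_policy(text):
    """{group name: [compiled member patterns]} from the path_group lines."""
    groups = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[0] == 'path_group':
            groups.setdefault(fields[1], []).append(compile_pattern(fields[2]))
    return groups

def parse_domain_policy(text):
    """{domain name: [acl lines]}: a line starting with '<kernel>' opens a
    domain; the non-empty lines up to the next header belong to it."""
    domains, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith('<kernel>'):
            current = line
            domains.setdefault(current, [])
        elif line and current is not None:
            domains[current].append(line)
    return domains

def select_domain(domains, name, recursive=True):
    """What `tomoyo-selectpolicy -r '<domain>'` keeps: the named domain and,
    with -r, every domain whose name extends it (its child domains)."""
    return {d: acl for d, acl in domains.items()
            if d == name or (recursive and d.startswith(name + ' '))}

def _conditions_hold(conditions, uid):
    """Only task.uid=N (the condition the page uses) is understood; any other
    condition counts as unsatisfied, so the checker errs towards deny."""
    for cond in conditions:
        key, _, value = cond.partition('=')
        if key != 'task.uid' or int(value) != uid:
            return False
    return True

def exec_allowed(domains, groups, domain, path, uid):
    """Evaluate the 'file execute <target> [conditions]' lines of one domain;
    <target> is a pathname pattern or @group (a path_group name)."""
    for acl in domains.get(domain, []):
        fields = acl.split()
        if fields[:2] != ['file', 'execute'] or not _conditions_hold(fields[3:], uid):
            continue
        target = fields[2]
        patterns = groups.get(target[1:], []) if target.startswith('@') else [compile_pattern(target)]
        if any(p.match(path) for p in patterns):
            return True
    return False

if __name__ == '__main__':
    groups, domains = parse_exception_policy(EXCEPTION_POLICY), parse_domain_policy(DOMAIN_POLICY)
    for uid in (1000, 0):
        for path in ('/usr/bin/ls', '/usr/bin/midori', '/tmp/build.sh'):
            print(f'uid={uid:<4} {path:<16} exec from <kernel>:', exec_allowed(domains, groups, '<kernel>', path, uid))
    print('selectpolicy -r:', list(select_domain(domains, '<kernel> /usr/bin/midori')))
```

Run as a script it prints, for uid 1000 and uid 0, whether the <kernel> domain may execute /usr/bin/ls, /usr/bin/midori and /tmp/build.sh, and which domains a recursive selection of <kernel> /usr/bin/midori returns; inside the midori domain itself no file execute line exists, so exec_allowed denies everything there, which is the point of giving it its own enforcing profile. Conditions other than task.uid are treated as unsatisfied, so an unknown condition makes the checker deny rather than allow.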



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0
initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



Example: midori keeps its state in /home/home/.config/midori/

The learned policy has one entry per file there, each with its own set of operations (read, write, append and so on). One wildcard entry covers all of them:

file read/write/append/unlink/truncate /home/home/.config/midori/\*

Add it with A.

Then mark the individual entries it replaces and delete them with D. Rename is a two-path operation (file rename old new) and stays on its own line.

\* matches any file name (anything except /), so this entry covers only files directly inside the directory. Subdirectories of /home/home/.config/midori/ need the recursive form, where \{\*\}/ stands for one or more directory levels:

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*

Both entries together cover the directory and everything below it.
Wildcards: tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

Domain policy syntax: tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


The same goes for the network.

The learned policy has one connect entry per address the browser talked to. Replace them with a single entry:

network inet stream connect 0.0.0.0-255.255.255.255 80-443 // TCP connections to any address, ports 80 to 443

Note that 80-443 is a port range, not two ports: 81 to 442 are allowed as well. If only HTTP and HTTPS are meant, use two entries, one with port 80 and one with port 443.

Select the general entry and press O: the editor marks the entries it makes redundant; D then deletes them (O & D).

Network syntax:
tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


When the cleanup is done, switch the domain to enforcing: in the Domain Transition Editor (w & d) press S and change 1 to 3. Restart midori.

Now the confinement can be checked: open file:///etc/passwd in midori. The policy has no entry for /etc/passwd, so the read is denied.

Does everything else work? Good. Is something broken? Either set the profile back to 1 to learn the missing entries, or find them in the audit log (see below) and add them with A.

Save the policy.

Rather than overwriting domain_policy.conf with tomoyo-savepolicy, take just this domain from the running kernel and append it:

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

What this does:
tomoyo-savepolicy -d prints the domain policy currently loaded in the kernel to stdout.
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' keeps only that domain and, with -r, its sub-domains.
>> /etc/tomoyo/domain_policy.conf appends it to the file. If the file already has a block for this domain, remove the old one first, otherwise both sets of entries are loaded next time.

The midori domain as saved:

/etc/tomoyo/domain_policy.conf:
<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53

Note what this policy still grants: the two /home/home entries let the browser read, write and delete everything in the home directory, dotfiles such as ~/.ssh included. A browser needs its own configuration and a download directory, not the whole home; narrowing those entries is what the path group below is for. Note also that the domain has no file execute entry at all, so in enforcing mode midori cannot start any other program.


The exception policy, which now holds the initialize_domain rule for midori, is saved as a whole, since it is not split into domains:

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

This overwrites the file with what is in the kernel, so do it after, not before, hand edits are loaded.

Path groups make the policy shorter and easier to read. In exception_policy.conf define a group:

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

and in domain_policy.conf replace the individual entries with one that references the group:

file read/write/append/unlink/truncate @Midoi_Allow

A group can be extended later without touching the domain policy, and the same group can serve several domains. Groups, wildcards and conditions are the toolkit for keeping a Tomoyo policy short. After editing the files by hand, load them into the kernel with tomoyo-loadpolicy.

Before loading, check the syntax of hand-edited files (d for the domain policy, e for the exception policy):
tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

Something does not work and it is not clear what is being blocked?

Start tomoyo-auditd: it writes access records to /var/log/tomoyo, by default one file per profile (for example reject_003.log for denials under the enforcing profile 3). Each record carries the domain name and the exact policy line that would have allowed the access, which is what you add to the domain if the access is legitimate.

More application policies written the same way:
wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader
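Reading the reject log by eye gets tedious once a domain has a few dozen denials, most of them repeats. The script below is an added example for this article (not part of tomoyo-tools): it parses records in the layout tomoyo-auditd writes, keeps only granted=no, collapses repeats per domain with the uids that triggered them, and drafts the domain_policy.conf lines that would allow them. The log text inside it is constructed for the example, not a real capture, and the record layout is assumed from the tomoyo-auditd output format described on this page.

```python
"""Summarize tomoyo-auditd reject records and draft the missing domain-policy
lines. Added example for this article, not part of tomoyo-tools. SAMPLE_LOG
is constructed in the record layout tomoyo-auditd writes (a '#date#' header
with key=value fields, the domain name, the access line, a blank line)."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
#2013/03/10 14:22:05# profile=3 mode=enforcing granted=no (global-pid=4120) task={ pid=4120 ppid=1 uid=1000 gid=1000 euid=1000 egid=1000 suid=1000 sgid=1000 fsuid=1000 fsgid=1000 } path1={ uid=0 gid=0 ino=131 major=8 minor=1 perm=0644 type=file } path1.parent={ uid=0 gid=0 ino=2 perm=0755 }
<kernel> /usr/bin/midori
file read /etc/passwd

#2013/03/10 14:22:09# profile=3 mode=enforcing granted=no (global-pid=4120) task={ pid=4120 ppid=1 uid=1000 gid=1000 } path1.parent={ uid=1000 gid=1000 ino=899 perm=0755 }
<kernel> /usr/bin/midori
file write /home/home/Downloads/page.html

#2013/03/10 14:22:10# profile=3 mode=enforcing granted=no (global-pid=4120) task={ pid=4120 ppid=1 uid=1000 gid=1000 } path1.parent={ uid=1000 gid=1000 ino=899 perm=0755 }
<kernel> /usr/bin/midori
file write /home/home/Downloads/page.html

#2013/03/10 14:23:41# profile=3 mode=enforcing granted=yes (global-pid=4120) task={ pid=4120 ppid=1 uid=1000 gid=1000 } path1={ uid=0 gid=0 ino=140 major=8 minor=1 perm=0644 type=file }
<kernel> /usr/bin/midori
file read /etc/hosts

#2013/03/10 14:25:02# profile=4 mode=enforcing granted=no (global-pid=4201) task={ pid=4201 ppid=4100 uid=1000 gid=1000 } path1={ uid=1000 gid=1000 ino=77 major=0 minor=20 perm=0755 type=file }
<kernel>
file execute /tmp/evil
"""

_FIELD = {name: re.compile(r"\b%s=(\w+)" % name) for name in ("profile", "mode", "granted")}
_TASK_UID = re.compile(r"task=\{[^}]*\buid=(\d+)")   # the uid inside task={ ... }, not path1's


def _field(rx, text):
    m = rx.search(text)
    return m.group(1) if m else None


def parse_records(log_text):
    """Yield one dict per record: profile, mode, granted, uid, domain, access."""
    block = []
    for line in log_text.splitlines() + [""]:   # the trailing "" flushes the last record
        if line.strip():
            block.append(line.rstrip())
            continue
        if len(block) >= 3 and block[0].startswith("#"):
            rec = {name: _field(rx, block[0]) for name, rx in _FIELD.items()}
            rec["uid"] = _field(_TASK_UID, block[0])
            rec["domain"], rec["access"] = block[1], block[2]
            yield rec
        block = []


def rejected_entries(log_text):
    """domain -> {access line -> (number of denials, sorted uids that hit it)}.
    granted=yes records are ignored and repeated denials are collapsed."""
    count = defaultdict(lambda: defaultdict(int))
    uids = defaultdict(lambda: defaultdict(set))
    for rec in parse_records(log_text):
        if rec["granted"] != "no":
            continue
        count[rec["domain"]][rec["access"]] += 1
        uids[rec["domain"]][rec["access"]].add(rec["uid"])
    return {d: {a: (count[d][a], sorted(uids[d][a])) for a in count[d]} for d in count}


def draft_domain_block(rejects, domain):
    """A domain_policy.conf fragment that would allow every denied access of the
    domain. Review it line by line before loading: a denial is often the policy
    doing its job (midori reading /etc/passwd), not a gap in it."""
    return "\n".join([domain] + sorted(rejects.get(domain, {}))) + "\n"


if __name__ == "__main__":
    # Usage: replace SAMPLE_LOG with the text of /var/log/tomoyo/reject_003.log.
    rejects = rejected_entries(SAMPLE_LOG)
    for domain, entries in rejects.items():
        print(domain)
        for access, (n, who) in sorted(entries.items()):
            print(f"  {n:3d}x uid={','.join(who)}  {access}")
    print(draft_domain_block(rejects, "<kernel> /usr/bin/midori"), end="")
```

The draft is a starting point for the A key in the editor, not something to paste in wholesale: the sample shows a legitimate miss (the download directory), a denial that should stay (/etc/passwd) and, under the system-wide profile 4, an execution attempt from /tmp that is exactly what the policy exists to stop.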



Restricting the whole system.
Tomoyo can confine not only individual applications but the system as a whole.

The example here is a common hardening goal: nothing under /home, /tmp and the other writable locations may be executed by ordinary users, while root keeps the right to do so.
The domain tree is not needed for this: the whole system can live in one domain, <kernel>, with a single list of execute rules.

First, a fifth profile that enforces only the execute check.

/etc/tomoyo/profile.conf:
4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

Then the allowed locations as path groups, plus the transition rules.

/etc/tomoyo/exception_policy.conf:
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any

Each \{\*\}/\* entry is paired with a \* entry because \{\*\}/ requires at least one directory level and does not match files directly in the directory.

And the domain policy:

/etc/tomoyo/domain_policy.conf:
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0

The midori block is empty here; it is where the policy built above goes.

Two caveats before relying on this. file execute governs execve() only: a script started as bash script.sh or python script.py is merely read by an interpreter that is itself allowed, so the policy stops binaries and directly executed scripts in /tmp and /home, not code fed to an interpreter. And check the ALLOW_EXEC list against what ordinary users can write to: on Wheezy /run/shm is a world-writable tmpfs, so /run/\{\*\}/\* in ALLOW_EXEC hands users an executable scratch directory; /run belongs in ALLOW_EXEC_ROOT.

Some explanations.

1.
Why are medit and midori excluded from the /usr group (\*\-medit\-midori) and then allowed by explicit file execute /usr/bin/medit and file execute /usr/bin/midori lines?

The \- in a pattern is Tomoyo's exclusion: /usr/\{\*\}/\*\-medit\-midori matches any file under /usr except one named medit or midori. The exclusion applies to the file name, so a binary called midori placed anywhere else under /usr is not allowed by the group either.

Both programs are meant to be treated individually: midori goes into its own domain through initialize_domain /usr/bin/midori from any, and medit is handled the same way, so they are kept out of the group and listed on their own.

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

The condition makes the rule apply only to processes running with uid 0. Ordinary users get nothing from this line, so for them /home, /tmp and the rest of the group are non-executable; root can still run anything there.

Conditions are described in
tomoyo.sourceforge.jp/2.5/chapter-10.html.en
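The pieces used above (the permission lines with task.uid from section 2, the \* and \{\*\}/ wildcards from the midori walkthrough, @path_group references, and the \- exclusion and uid condition in this system policy) combine in one evaluation step that is easy to get wrong by eye. The model below is an added example for this article, not part of tomoyo-tools or the kernel: it translates TOMOYO pathname patterns into regular expressions, loads the exception and domain policy fragments from this section, and answers "may a process in <kernel> running as this uid execute this path?". It assumes enforcing mode and models only the file entries, path_group and the task.uid condition; use_group/acl_group and the other conditions are ignored.

```python
"""A small model of how TOMOYO 2.5 evaluates the 'file' entries of a domain:
pathname wildcards (\*, \?, \$, \@, the recursive \{dir\}/ form and \-
exclusion), @path_group references and the task.uid condition. Added example
for this article, not part of tomoyo-tools; enforcing mode only, and
use_group/acl_group and other condition types are ignored."""
import re
from collections import defaultdict

_SIMPLE = {"*": "[^/]*", "?": "[^/]", "$": "[0-9]+", "+": "[0-9]", "@": "[^/.]*"}


def _wild(text):
    """Translate one path component (no '/' inside) into a regex."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(_SIMPLE.get(text[i + 1], re.escape(text[i + 1])))
            i += 2
        else:
            out.append(re.escape(text[i]))
            i += 1
    return "".join(out)


def _component(comp):
    r"""'\*\-medit\-midori': matches what \* matches unless the name is medit or midori."""
    first, *excluded = comp.split("\\-")
    return "".join(f"(?!{_wild(e)}(?:/|$))" for e in excluded) + _wild(first)


def pattern_to_regex(pattern):
    r"""Anchored regex for a TOMOYO pathname pattern; \{dir\}/ is one or more levels."""
    regex, prev_recursive = "", False
    for i, comp in enumerate(pattern.split("/")):
        if i and not prev_recursive:
            regex += "/"
        prev_recursive = comp.startswith("\\{") and comp.endswith("\\}")
        regex += f"(?:{_component(comp[2:-2])}/)+" if prev_recursive else _component(comp)
    return re.compile(regex + r"\Z")


def parse_exception_policy(text):
    """path_group name -> list of compiled patterns."""
    groups = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "path_group":
            groups[parts[1]].append(pattern_to_regex(parts[2]))
    return groups


def parse_domain_policy(text):
    """domain name -> list of (operations, path or @group, conditions)."""
    policy, domain = defaultdict(list), None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "<kernel>":            # every domain name starts with <kernel>
            domain = " ".join(parts)
        elif parts[0] == "file" and domain:
            policy[domain].append((set(parts[1].split("/")), parts[2], parts[3:]))
    return policy


def _conditions_hold(conditions, task):
    """task.uid=N / task.uid!=N; any condition this model does not know denies."""
    for cond in conditions:
        m = re.fullmatch(r"([\w.]+)(!?=)(\S+)", cond)
        if not m or (str(task.get(m.group(1))) == m.group(3)) != (m.group(2) == "="):
            return False
    return True


def allowed(domain, operation, path, task, policy, groups):
    """True if some entry of the domain grants the operation on the path."""
    for ops, target, conditions in policy.get(domain, []):
        if operation not in ops or not _conditions_hold(conditions, task):
            continue
        patterns = groups.get(target[1:], []) if target.startswith("@") else [pattern_to_regex(target)]
        if any(p.match(path) for p in patterns):
            return True
    return False


# The system-wide policy from the article, abridged (raw strings keep the backslashes).
EXCEPTION_POLICY = r"""
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
"""
DOMAIN_POLICY = """
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori
"""
GROUPS = parse_exception_policy(EXCEPTION_POLICY)
POLICY = parse_domain_policy(DOMAIN_POLICY)


def may_execute(path, uid):
    """Would a process in <kernel> running as uid be allowed to execve(path)?"""
    return allowed("<kernel>", "execute", path, {"task.uid": uid}, POLICY, GROUPS)
```

may_execute("/tmp/evil", 1000) is False and may_execute("/tmp/evil", 0) is True, which is the stated goal; may_execute("/usr/local/bin/midori", 1000) is False, which is the side effect of the name-based exclusion noted in explanation 1. The same pattern_to_regex can be used to test a candidate wildcard entry against real paths from the audit log before adding it to a domain.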


3.
keep_domain any from <kernel>
keeps every program started from the <kernel> domain in <kernel>. There is no domain tree: the whole system is one domain and the execute rules are written once. Without this rule every program would get a domain of its own (<kernel> /sbin/init, <kernel> /sbin/init /bin/login, ...), each needing its own execute rules, and under the enforcing profile a domain without rules can run nothing.

initialize_domain /usr/bin/midori from any
still moves midori into its own domain, because initialize_domain takes precedence over keep_domain.
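The domain-naming rules from the Domains section and the precedence just described can be traced with a few lines of code. The model below is an added example for this article, not part of tomoyo-tools or the kernel: it follows a chain of execve() calls from boot and applies initialize_domain, keep_domain and their no_ variants from an exception policy. It assumes rules match by exact program path and exact domain name (the kernel also accepts patterns and path groups there), and it includes the rule this page later adds for the dynamic loader.

```python
"""Model of how TOMOYO names the domain a process enters on execve(), with the
initialize_domain / keep_domain rules (and their no_ variants) from the
exception policy. Added example for this article, not part of tomoyo-tools;
rules are matched by exact program path and domain name, without wildcards."""

TRANSITION_RULES = ("no_initialize_domain", "initialize_domain", "no_keep_domain", "keep_domain")


def parse_transition_rules(exception_policy):
    """keyword -> list of (program or 'any', 'any' | domain name | last program)."""
    rules = {kw: [] for kw in TRANSITION_RULES}
    for line in exception_policy.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in rules and " from " in parts[1]:
            program, source = parts[1].split(" from ", 1)
            rules[parts[0]].append((program.strip(), source.strip()))
    return rules


def _rule_matches(rule, parent, program):
    rule_program, source = rule
    if rule_program not in ("any", program):
        return False
    if source == "any":
        return True
    if source.startswith("<"):            # a full domain name
        return source == parent
    return source == parent.split()[-1]   # a program path: the parent's last program


def next_domain(parent, program, rules):
    """Domain of the new process: initialize_domain beats keep_domain, a no_
    rule cancels its counterpart, otherwise the parent's name is extended."""
    def hit(kw):
        return any(_rule_matches(r, parent, program) for r in rules.get(kw, []))
    if hit("initialize_domain") and not hit("no_initialize_domain"):
        return f"<kernel> {program}"
    if hit("keep_domain") and not hit("no_keep_domain"):
        return parent
    return f"{parent} {program}"


def resolve_chain(programs, rules):
    """Follow a chain of execve()s from boot (<kernel>) and return the final domain."""
    domain = "<kernel>"
    for program in programs:
        domain = next_domain(domain, program, rules)
    return domain


# The transition rules of the system-wide policy plus the one for the dynamic loader.
SYSTEM_RULES = parse_transition_rules("""
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any
initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
""")
NO_RULES = parse_transition_rules("")

if __name__ == "__main__":
    for chain in (["/sbin/init", "/usr/sbin/sshd", "/bin/bash"],
                  ["/sbin/init", "/bin/bash", "/usr/bin/medit"],
                  ["/sbin/init", "/bin/bash", "/usr/bin/midori"],
                  ["/sbin/init", "/bin/bash", "/lib/x86_64-linux-gnu/ld-2.13.so"]):
        print(" -> ".join(chain))
        print("  no rules:    ", resolve_chain(chain, NO_RULES))
        print("  system rules:", resolve_chain(chain, SYSTEM_RULES))
```

With no rules the sshd chain yields <kernel> /sbin/init /usr/sbin/sshd /bin/bash, the page's example; with the system rules medit stays in <kernel> while midori lands in <kernel> /usr/bin/midori. One consequence worth seeing: keep_domain any from <kernel> applies only when the parent is <kernel>, so a shell spawned from the midori domain would be <kernel> /usr/bin/midori /bin/sh, a domain nothing has defined permissions for.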

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
In profile 4 only file::execute is enforced; the 4-CONFIG line sets everything else to disabled, so reads, writes and network access are not checked at all for domains using it. <kernel> uses profile 4 (use_profile 4), so only program execution is controlled system-wide, while midori's own domain stays on the fully enforcing profile 3.

Profile syntax is described in
tomoyo.sourceforge.jp/2.5/chapter-9.html.en

That is all. Tomoyo turns out to be flexible and simple: a policy for an application is learned in a few minutes, and the same approach scales from one program to the whole system.

P.S. The author of Tomoyo has another MAC implementation: caitsith.sourceforge.jp

Update!

Tomoyo's execute check can be sidestepped: a program can be started through the dynamic loader, as in ld-linux.so.2 /path/to/program. For the kernel that is an execution of the loader, and the program itself is only read, so the file execute rules are never consulted for it.

The fix is to give the loader a domain of its own.

In domain_policy.conf:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

and in exception_policy.conf:

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any

Now anything started through the loader lands in this domain, which runs enforcing with no permissions at all, so it can do nothing.
On a 32-bit system or with another glibc the loader's real path differs; ld-linux.so.2 is a symlink and Tomoyo matches the resolved path, so check it with readlink -f before adding the rule.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .
 
.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf

<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf

4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf

path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf

<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en
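The review a practitioner does on the two policies above (the midori domain that references the @Midoi_Allow path_group, and the system-wide profile 4 policy that enforces only file::execute) can be scripted. The Python below is an added example, not code from this article or from tomoyo-tools: it parses profile.conf, exception_policy.conf and domain_policy.conf in the syntax shown on this page, resolves the mode each rule actually runs under for its domain's profile (exact CONFIG key, then category, then the profile default), and flags @groups that no path_group defines, rules that connect to any IPv4 host, and rules that grant write access to a whole home-directory glob. The embedded sample policies are constructed and abbreviated from the ones above, and the check names (missing_group, not_enforced, any_host, broad_home_write) are my own.

```python
"""Offline reviewer for TOMOYO 2.x policy text in the syntax used on this page.
Added example, not code from the article or from tomoyo-tools; the sample
policies and the check names are constructed for illustration."""
import re

# Constructed samples, abbreviated from the policies shown above.
PROFILE_CONF = r"""
3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
"""
EXCEPTION_CONF = r"""
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*
initialize_domain /usr/bin/midori from any
keep_domain any from <kernel>
"""
DOMAIN_CONF = r"""
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0
file read/write/append/unlink/truncate @Midoi_Allow
file read/write/append/unlink/truncate /home/home/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53
"""
MODE_RANK = {"disabled": 0, "learning": 1, "permissive": 2, "enforcing": 3}
ANY_IPV4 = "0.0.0.0-255.255.255.255"
WRITE_OPS = {"write", "append", "create", "unlink", "truncate", "rename", "chmod"}

def parse_profiles(text):
    """profile number -> {CONFIG key: mode}; key '*' is the profile-wide default."""
    profiles = {}
    for line in text.splitlines():
        m = re.match(r"^(\d+)-CONFIG(?:::(\S+))?=\{\s*(.*?)\s*\}$", line)
        if m:
            opts = dict(kv.split("=", 1) for kv in m.group(3).split())
            profiles.setdefault(int(m.group(1)), {})[m.group(2) or "*"] = opts.get("mode", "disabled")
    return profiles

def parse_path_groups(text):
    """path_group NAME PATTERN lines -> {NAME: [PATTERN, ...]}."""
    groups = {}
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) == 3 and parts[0] == "path_group":
            groups.setdefault(parts[1], []).append(parts[2])
    return groups

def parse_domains(text):
    """Split domain_policy into blocks; each starts with a '<kernel> ...' name line."""
    domains = []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.startswith("<kernel>"):
            domains.append({"name": line, "profile": 0, "rules": []})
        elif not domains:
            raise ValueError(f"rule before any domain header: {line}")
        elif line.startswith("use_profile "):
            domains[-1]["profile"] = int(line.split()[1])
        elif not line.startswith("use_group "):
            domains[-1]["rules"].append(line)
    return domains

def rule_keys(rule):
    """Profile CONFIG keys governing a rule (read/write/append fall under file::open)."""
    parts = rule.split()
    if parts[0] == "file":
        return ["file::open" if op in ("read", "write", "append") else f"file::{op}"
                for op in parts[1].split("/")]
    if parts[0] == "network":  # e.g. network::inet_stream_connect
        return [f"network::{parts[1]}_{parts[2]}_{parts[3]}"]
    return [f"{parts[0]}::{parts[1]}"]  # misc::env

def effective_mode(profiles, profile_num, rule):
    """Weakest mode any operation in the rule runs under: exact key, then category, then default."""
    prof = profiles.get(profile_num, {})
    modes = [prof.get(k) or prof.get(k.split("::")[0]) or prof.get("*", "disabled")
             for k in rule_keys(rule)]
    return min(modes, key=lambda m: MODE_RANK.get(m, 0))

def review(domain_text, exception_text, profile_text):
    """Return (kind, domain, detail) findings a reviewer resolves before enforcing."""
    profiles = parse_profiles(profile_text)
    groups = parse_path_groups(exception_text)
    findings = []
    for dom in parse_domains(domain_text):
        for rule in dom["rules"]:
            parts = rule.split()
            for tok in parts[2:]:  # @group used but defined by no path_group
                if tok.startswith("@") and tok[1:] not in groups:
                    findings.append(("missing_group", dom["name"], tok))
            mode = effective_mode(profiles, dom["profile"], rule)
            if mode != "enforcing":  # rule present, but the profile does not enforce it
                findings.append(("not_enforced", dom["name"], f"{rule} ({mode})"))
            if parts[0] == "network" and parts[1] == "inet" and ANY_IPV4 in parts:
                findings.append(("any_host", dom["name"], rule))
            if (parts[0] == "file" and WRITE_OPS & set(parts[1].split("/"))
                    and parts[2].startswith("/home/") and parts[2].endswith("\\*")):
                findings.append(("broad_home_write", dom["name"], rule))
    return findings

if __name__ == "__main__":
    for kind, domain, detail in review(DOMAIN_CONF, EXCEPTION_CONF, PROFILE_CONF):
        print(f"{kind:16} {domain}: {detail}")
```

Run on the sample it reports three findings: the @ALLOW_EXEC reference that no path_group in the exception policy defines (a per-file syntax check such as tomoyo-checkpolicy cannot see this, because the group lives in the other file), the whole-home write rule that learning mode produced for midori, and the connect-to-any-host network rule. The mode resolution also shows what note 4 above states: under profile 4 a file execute rule is enforcing while a file read rule of the same domain is disabled, so only execution is actually restricted.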



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .


 
.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


Save the exception policy as well:

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

The saved rules can now be tidied up. Paths that belong together can be collected into a path_group in exception_policy.conf:

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

and domain_policy.conf then refers to the whole group with one rule, @ followed by the group name:

file read/write/append/unlink/truncate @Midoi_Allow

After editing the files by hand, check their syntax before loading them back into Tomoyo (tomoyo-loadpolicy):

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

tomoyo-checkpolicy reports the lines it cannot parse; a policy with syntax errors should not be loaded.

tomoyo-auditd writes the audit log of granted and rejected accesses under /var/log/tomoyo. That is the place to look when something is denied in enforcing mode.
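Before switching a learned domain from profile 1 to profile 3 it pays to read the rules critically rather than only deduplicating them: learning mode records exactly what the program touched, and the hand-added wildcards in the midori dump above (read/write/unlink on /home/home/\{\*\}/\*, connect to 0.0.0.0-255.255.255.255) are where a policy quietly becomes too permissive. The script below is an added example, not code from the article or from tomoyo-tools. It re-splits a dump that was flattened onto one line (as the one above was), parses it into directives and flags broad write access, execute rules and any-host network rules. The sample policy inside it is constructed for the example and only resembles the midori dump.

```python
import re

# Keywords that begin a directive in a TOMOYO 2.5 domain policy. Domain names and
# path arguments never start with them, so they are safe split points for a dump
# that was flattened onto a single line.
DIRECTIVE_START = re.compile(
    r"\s+(?=<kernel>|(?:use_profile|use_group|file|network|misc|ipc|capability|"
    r"quota_exceeded|transition_failed)\s)"
)

# "file" operations that modify something; read/getattr/ioctl are left out.
WRITE_OPS = {
    "write", "append", "create", "unlink", "truncate", "rename", "link", "symlink",
    "mkdir", "rmdir", "chmod", "chown", "chgrp", "mount", "unmount", "chroot",
    "pivot_root",
}

# Constructed sample in the shape of a learning-mode dump for midori, flattened the
# way tomoyo-savepolicy output ends up after copy and paste. Not the real policy.
SAMPLE_POLICY = (
    "<kernel> /usr/bin/midori use_profile 3 use_group 0 "
    "misc env HOME misc env PATH "
    "file read /etc/resolv.conf "
    "file read /usr/lib/midori/libadblock.so "
    "file read/write/append/unlink/truncate /home/home/\\{\\*\\}/\\* "
    "file create/chmod /home/home/\\* 0-0666 "
    "file rename /home/\\{\\*\\}/\\* /home/home/\\{\\*\\}/\\* "
    "file read/write /home/home/.config/midori/\\* "
    "file execute /usr/bin/xdg-open "
    "network inet stream connect 0.0.0.0-255.255.255.255 80-443 "
    "network inet dgram send 192.168.1.1 53"
)


def parse_domain_policy(text):
    """Parse a flattened or multi-line domain policy into {domain: [tokens, ...]}."""
    policy, domain = {}, None
    for directive in DIRECTIVE_START.split(" ".join(text.split())):
        if not directive:
            continue
        if directive.startswith("<kernel>"):
            domain = directive
            policy[domain] = []
        elif domain is not None:
            policy[domain].append(directive.split())
    return policy


def literal_depth(pattern):
    """Path components without a wildcard; \\* and \\{\\*\\} count for nothing."""
    return sum(1 for part in pattern.split("/") if part and "\\" not in part)


def audit(rules, max_broad_depth=2):
    """Flag rules a browser domain should not need. Returns a list of findings."""
    findings = []
    for tokens in rules:
        rule = " ".join(tokens)
        if tokens[0] == "file":
            ops = set(tokens[1].split("/"))
            paths = [t for t in tokens[2:] if t.startswith(("/", "@"))]
            if "execute" in ops:
                findings.append("execute: " + rule)
            # /home/home/\* has two literal components; anything that shallow with a
            # modifying operation hands the program the whole home directory.
            if ops & WRITE_OPS and any(literal_depth(p) <= max_broad_depth for p in paths):
                findings.append("broad write: " + rule)
        elif tokens[0] == "network" and "0.0.0.0-255.255.255.255" in tokens:
            findings.append("any host: " + rule)
    return findings


if __name__ == "__main__":
    for domain, rules in parse_domain_policy(SAMPLE_POLICY).items():
        print(domain, f"({len(rules)} rules)")
        for finding in audit(rules):
            print("  ", finding)
```

To check a real domain, feed it the output of tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' instead of the sample. For a browser the goal is a domain with no file execute line and no write access outside its own configuration directory, which is what the Midoi_Allow group above narrows the rules down to.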


Further examples of per-application policies:

wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Now a policy for the whole system. Tomoyo can restrict all of it at once, not only a single application: the policy below allows programs to be executed only from the system directories, and from /home, /tmp and the other user-writable places only by root. Nothing else is checked, so this is a cheap way to block unauthorized code without writing a complete policy for every program.

First, a profile that enforces only file::execute.

/etc/tomoyo/profile.conf

4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

Then the exception policy: two path groups, one for directories everybody may execute from and one for directories only root may execute from, plus the domain transition rules.

/etc/tomoyo/exception_policy.conf

path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any


And the domain policy:

/etc/tomoyo/domain_policy.conf

<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0

Some explanations.

1.
midori and medit are subtracted from the ALLOW_EXEC group (\-medit\-midori) and then allowed again with explicit rules, file execute /usr/bin/medit and file execute /usr/bin/midori. Why?

This is how Tomoyo works: a path taken out of a group is no longer matched by any rule that uses the group, so an explicit rule is the only way to permit it again. Together with initialize_domain /usr/bin/midori from any this makes midori the one program that leaves <kernel> for a domain of its own, where the full profile 3 policy from the previous section applies; medit is excluded and re-allowed in the same way.

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

The condition task.uid=0 applies the rule only to processes running as root. Ordinary users therefore cannot start anything from /home, /tmp, /var, /opt, /mnt, /media, /lib or /lib64, while root still can. Conditions like this can be attached to any rule.

See:
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
Every program started from the <kernel> domain stays in <kernel>. No new domains are created, so the whole system is governed by this one domain.

initialize_domain /usr/bin/midori from any
midori, whoever starts it, gets its own domain <kernel> /usr/bin/midori. initialize_domain takes priority over keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
Profile 4 enforces only file::execute; every other check is switched off by 4-CONFIG={ mode=disabled ... }. Since <kernel> has use_profile 4, the system as a whole is checked only when a program is executed, and rejected executions are logged (reject_log=yes).

See:
tomoyo.sourceforge.jp/2.5/chapter-9.html.en
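To see what this policy actually decides, the following is an added example, not code from the article or from the TOMOYO project. It re-implements the pattern rules the groups rely on, and goes a little beyond the two used above: \* matches a run of characters other than /, \{\*\}/ matches one or more directory components (which is why each directory is listed both as /dir/\{\*\}/\* and /dir/\*), and in \*\-medit\-midori the first part must match and the parts after \- must not; \?, \@, \$ and \+ are handled too, octal and alphabetic escapes are left out. The path groups and the execute rules of <kernel> are copied from the policy above; the paths and uids it is queried with are made up for the example.

```python
import re

# Single-character TOMOYO escapes and their regex equivalents.
_ESCAPES = {"*": "[^/]*", "?": "[^/]", "@": "[^/.]*", "$": "[0-9]+", "+": "[0-9]"}


def _split_subtraction(pattern):
    """'a\\-b\\-c' -> ['a', 'b', 'c'], leaving every other backslash escape intact."""
    parts, current, i = [], "", 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            if pattern[i + 1] == "-":
                parts.append(current)
                current = ""
            else:
                current += pattern[i:i + 2]
            i += 2
        else:
            current += pattern[i]
            i += 1
    parts.append(current)
    return parts


def _to_regex(sub):
    """Translate one TOMOYO sub-pattern (no \\- inside) into a Python regex."""
    out, i = "", 0
    while i < len(sub):
        if sub[i] == "\\" and i + 1 < len(sub):
            out += _ESCAPES.get(sub[i + 1], re.escape(sub[i + 1]))
            i += 2
        else:
            out += re.escape(sub[i])
            i += 1
    return out


def component_matches(name, pattern):
    """One path component: the first sub-pattern must match, later ones must not."""
    first, *excluded = _split_subtraction(pattern)
    if not re.fullmatch(_to_regex(first), name):
        return False
    return not any(re.fullmatch(_to_regex(x), name) for x in excluded)


def _match_parts(f, p):
    while f and p:
        if p[0] == "\\{\\*\\}":
            if len(p) < 2:              # \{\*\} must be followed by '/' and more pattern
                return False
            f = f[1:]                   # it always swallows at least one component ...
            while f:                    # ... then the rest of the pattern must match
                if _match_parts(f, p[1:]):
                    return True
                f = f[1:]
            return False
        if not component_matches(f[0], p[0]):
            return False
        f, p = f[1:], p[1:]
    while p and p[0] in ("\\*", "\\@"):  # trailing \* or \@ may match nothing
        p = p[1:]
    return not f and not p


def path_matches(path, pattern):
    """Does `path` (a real path, symlinks already resolved) match a TOMOYO pattern?"""
    return _match_parts(path.split("/"), pattern.split("/"))


# The article's two path groups and the "file execute" lines of the <kernel> domain.
_SYSTEM = ("bin", "etc", "sbin", "sys", "boot", "run")
_ROOT_ONLY = ("lib", "lib64", "home", "opt", "tmp", "var", "mnt", "media")
PATH_GROUPS = {
    "ALLOW_EXEC": ["/\\*"]
    + [f"/{d}/\\{{\\*\\}}/\\*" for d in _SYSTEM]
    + ["/usr/\\{\\*\\}/\\*\\-medit\\-midori"]
    + [f"/{d}/\\*" for d in _SYSTEM + ("usr",)],
    "ALLOW_EXEC_ROOT": [f"/{d}/\\{{\\*\\}}/\\*" for d in _ROOT_ONLY]
    + [f"/{d}/\\*" for d in _ROOT_ONLY],
}
# (target, required task.uid or None) for each rule, in policy order.
KERNEL_EXECUTE_RULES = [
    ("@ALLOW_EXEC", None),
    ("@ALLOW_EXEC_ROOT", 0),
    ("/usr/bin/medit", None),
    ("/usr/bin/midori", None),
]


def execute_allowed(path, uid, rules=KERNEL_EXECUTE_RULES, groups=PATH_GROUPS):
    """Would a process in <kernel> running as `uid` be allowed to execve `path`?"""
    for target, required_uid in rules:
        if required_uid is not None and uid != required_uid:
            continue
        patterns = groups[target[1:]] if target.startswith("@") else [target]
        if any(path_matches(path, pat) for pat in patterns):
            return True
    return False


if __name__ == "__main__":
    for path, uid in [("/usr/bin/ls", 1000), ("/home/home/evil", 1000),
                      ("/home/home/evil", 0), ("/usr/bin/midori", 1000)]:
        verdict = "allow" if execute_allowed(path, uid) else "deny"
        print(f"{path:24s} uid={uid:<5d} {verdict}")
```

Only file::execute in <kernel> is modelled; the loader trick described in the Update at the end of the article is about what happens after a permitted execve and is not something this matcher can see.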



P.S. On the subject of MAC: the developer of Tomoyo also works on another implementation, CaitSith, at caitsith.sourceforge.jp

Update!

The execute policy above can be bypassed. A binary that the policy does not allow to run can still be started through the dynamic loader (ld-linux.so.2 /path/to/binary): from Tomoyo's point of view the program being executed is the loader, and the loader then simply maps the binary it was given.

So the loader has to be restricted too. Give it a domain of its own in enforcing mode. Tomoyo names domains by the real path of the file, symlinks resolved, which on this Debian system is /lib/x86_64-linux-gnu/ld-2.13.so:

domain_policy.conf

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

exception_policy.conf

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any

With profile 3 (enforcing) and no rules in that domain, a loader started by hand is denied every access, so nothing can be smuggled in through it. Normal program start-up is not affected: there the kernel maps the loader as the binary's interpreter without executing it, and no domain transition takes place.

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

A few things in this policy deserve an explanation.

1. Why is midori taken out of the /usr entry of ALLOW_EXEC with \*\-medit\-midori and then allowed again with an explicit file execute /usr/bin/midori, and why the same for medit?

The \- operator subtracts a pattern: \*\-medit\-midori matches any name in the directory except medit and midori, so the two programs are not covered by the group and are permitted only by their own file execute lines. Execution permission and domain transition are decided separately: midori is moved into its own domain by initialize_domain /usr/bin/midori from any, while medit, which has no such line, stays in the <kernel> domain under profile 4 like everything else.

2. What does file execute @ALLOW_EXEC_ROOT task.uid=0 do?

The condition applies to the calling process: the paths in ALLOW_EXEC_ROOT (/lib, /home, /tmp, /var and the rest) may be executed only by a process whose real UID is 0. Everyone else gets @ALLOW_EXEC alone, so a file dropped into a home directory or /tmp cannot be run. task.uid is the real UID, so a setuid-root program started by an ordinary user still counts as that user here; task.euid is the effective UID if that is what you need.

Conditions are described in chapter 10:
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3. What is keep_domain any from <kernel> for?

It keeps every program started from the <kernel> domain in that domain, so the whole system runs as a single domain under profile 4 and no per-program domains pile up.

initialize_domain /usr/bin/midori from any still moves midori into <kernel> /usr/bin/midori, because initialize_domain takes precedence over keep_domain.

4. 4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

Profile 4 sets every category to disabled and overrides only file::execute, so a domain using it (use_profile 4, here the <kernel> domain) is checked on execve and on nothing else; denied executions are logged, granted ones are not. midori's domain uses profile 3 and is enforced in full.

Profiles are described in chapter 9:
tomoyo.sourceforge.jp/2.5/chapter-9.html.en
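To see how the rules above decide an execve before rebooting into them, here is an added example (not from the article and not tomoyo-tools code): a Python re-implementation of Tomoyo's component-wise pattern matching, covering \*, the \- subtraction operator and the recursive \{\*\}/ directory pattern the way the kernel applies them, plus a small evaluator for the <kernel> domain's file execute lines with the task.uid=0 condition. It is fed a subset of the exception and domain policies shown above (constructed for the example), assumes the path being checked is already the resolved real path, and models no conditions other than task.uid.

```python
import re

# Subset of the exception and domain policies from the text, constructed
# for the example; the real files carry the full ALLOW_EXEC lists.
EXCEPTION_POLICY = r"""
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
"""

DOMAIN_POLICY = r"""
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori
"""

# Wildcards Tomoyo allows inside one path component (they never cross '/').
_WILDCARDS = {'*': '[^/]*', '@': '[^/.]*', '?': '[^/]', '$': '[0-9]+', '+': '[0-9]'}


def _simple_match(name, pattern):
    """Match one path component against a pattern component (no subtraction)."""
    regex, i = [], 0
    while i < len(pattern):
        if pattern[i] == '\\' and i + 1 < len(pattern):
            regex.append(_WILDCARDS.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:
            regex.append(re.escape(pattern[i]))
            i += 1
    return re.fullmatch(''.join(regex), name) is not None


def _component_matches(name, pattern):
    r"""Subtraction: p1\-p2\-p3 matches when p1 matches and p2, p3 do not."""
    first, *excluded = pattern.split('\\-')
    return _simple_match(name, first) and not any(_simple_match(name, p) for p in excluded)


def path_matches(path, pattern):
    """Component-wise match of a real path against a Tomoyo pattern."""
    return _match_components(path.split('/'), pattern.split('/'))


def _match_components(fs, ps):
    while fs and ps:
        pc = ps[0]
        if pc.startswith('\\{') and pc.endswith('\\}'):
            # \{...\}/ swallows one or more directory components; as in the
            # kernel it never consumes the final component of the path.
            inner, rest = pc[2:-2], fs
            while rest and _component_matches(rest[0], inner):
                rest = rest[1:]
                if not rest:
                    return False
                if _match_components(rest, ps[1:]):
                    return True
            return False
        if not _component_matches(fs[0], pc):
            return False
        fs, ps = fs[1:], ps[1:]
    if len(ps) == 1 and re.fullmatch(r'(\\[*@])*', ps[0]):
        ps = []  # a trailing \* or \@ may match nothing at all
    return not fs and not ps


def parse_groups(exception_policy):
    """Collect path_group entries: group name -> list of patterns."""
    groups = {}
    for line in exception_policy.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == 'path_group':
            groups.setdefault(parts[1], []).append(parts[2])
    return groups


def parse_execute_rules(domain_policy, domain):
    """Return (path or @group, [conditions]) for the domain's file execute lines."""
    rules, current = [], None
    for line in domain_policy.splitlines():
        if line.startswith('<kernel>'):
            current = line.strip()
        elif current == domain and line.startswith('file execute '):
            parts = line.split()
            rules.append((parts[2], parts[3:]))
    return rules


def _condition_holds(cond, uid):
    """Only task.uid=N is modelled; task.uid is the caller's real UID."""
    name, _, value = cond.partition('=')
    if name != 'task.uid':
        raise ValueError('condition not modelled: ' + cond)
    return uid == int(value)


def may_execute(path, uid, rules, groups):
    """True if any file execute line whose conditions hold covers the path."""
    for spec, conds in rules:
        if not all(_condition_holds(c, uid) for c in conds):
            continue
        patterns = groups.get(spec[1:], []) if spec.startswith('@') else [spec]
        if any(path_matches(path, p) for p in patterns):
            return True
    return False


def decide(path, uid):
    """Decision of the <kernel> domain for execve(path) by a process with real uid."""
    return may_execute(path, uid, parse_execute_rules(DOMAIN_POLICY, '<kernel>'),
                       parse_groups(EXCEPTION_POLICY))


if __name__ == '__main__':
    for path, uid in [('/usr/bin/ls', 1000), ('/usr/bin/midori', 1000),
                      ('/home/home/evil', 1000), ('/home/home/evil', 0), ('/tmp/x/y', 1000)]:
        print(f'uid={uid:<5} {path:<18} {"granted" if decide(path, uid) else "DENIED"}')
```

Two details worth checking in the output: /usr/bin/midori is refused by the group entry (the \-midori subtraction works) and granted only by its explicit line, and /home/home/evil is granted for uid 0 but denied for uid 1000, which is the whole point of the task.uid=0 condition.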



With these two policies loaded, midori is confined to what learning mode saw it use, and nothing outside the system directories can be executed by anyone but root. Tomoyo is not limited to this; the documentation linked above covers the rest.

P.S. For those interested in MAC in general: the author of Tomoyo also has another project, CaitSith: caitsith.sourceforge.jp

Update!

The execute restriction above can be bypassed through the dynamic loader. Tomoyo applies file execute to the program handed to execve, and the loader (ld-linux.so.2 on i386; on amd64 /lib64/ld-linux-x86-64.so.2, which resolves to /lib/x86_64-linux-gnu/ld-2.13.so on Wheezy) is itself an executable: any policy that permits running it lets a process start an arbitrary binary with ld.so /path/to/program, and the program's own path is never checked for execution.

The fix is to give the loader a domain of its own, enforced under profile 3 and granted nothing, so that anything started through it fails at the first file it tries to open. In the domain policy:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

and in the exception policy:

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any

Use the resolved path (readlink -f on the loader symlink), because Tomoyo names domains and matches rules by real path, not by the symlink. Anything that legitimately invokes the loader directly, ldd for instance, will now be denied as well, so check /var/log/tomoyo/reject_log after making this change.
.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .
 
.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf
<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf
4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori
<kernel> /usr/bin/midori
use_profile 3
use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .
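To see exactly which pathnames the article's patterns cover (the `\{\*\}/` recursion behind the paired `/home/home/\{\*\}/\*` and `/home/home/\*` rules, and the `\*\-medit\-midori` subtraction in ALLOW_EXEC that remark 1 asks about), here is an added example, not from the article or the TOMOYO project, that re-implements the relevant part of TOMOYO 2.5 pattern matching in Python; the `ALLOW_EXEC` list below is a constructed subset of the article's group.

```python
# Added example (not from the article or the TOMOYO project): a small
# re-implementation of TOMOYO 2.5 pathname pattern matching, enough to
# check which files the article's path_group members actually cover.
#
# Rules implemented (from the expression-rules page the article links to):
#   \*      zero or more characters other than '/'
#   \?      exactly one character other than '/'
#   \$      one or more decimal digits
#   \{\*\}/ one or more repetitions of "\*/" (recursive directories)
#   \-      subtraction: the component must match the first sub-pattern
#           and none of the subtracted ones
# The remaining wildcards (\@ \+ \X \x \A \a) are not implemented here.
import re

_WILDCARDS = {"*": r"[^/]*", "?": r"[^/]", "$": r"[0-9]+"}


def _component_regex(pattern):
    """Compile one path component (no '/' and no '\\-') into an anchored regex."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern) and pattern[i + 1] in _WILDCARDS:
            out.append(_WILDCARDS[pattern[i + 1]])
            i += 2
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def component_matches(name, pattern):
    """Match one component, applying the '\\-' subtraction operator."""
    parts = pattern.split("\\-")
    if not _component_regex(parts[0]).match(name):
        return False
    # Every subtracted sub-pattern must fail to match.
    return not any(_component_regex(p).match(name) for p in parts[1:])


def _match_components(f, p):
    if not p:
        return not f
    if p[0] == "\\{\\*\\}":
        rest = p[1:]
        if not rest:
            return False  # "\{\*\}" is only valid before a '/'
        # Consume one or more components, then try to match the rest.
        return any(_match_components(f[i:], rest) for i in range(1, len(f)))
    if not f or not component_matches(f[0], p[0]):
        return False
    return _match_components(f[1:], p[1:])


def path_matches(path, pattern):
    """True if absolute pathname `path` matches TOMOYO pattern `pattern`."""
    return _match_components(path.split("/"), pattern.split("/"))


def group_matches(path, members):
    """Emulate a path_group reference (@NAME): any member pattern may match."""
    return any(path_matches(path, m) for m in members)


# A subset of the article's ALLOW_EXEC path_group, as a constructed sample.
ALLOW_EXEC = [
    r"/bin/\{\*\}/\*",
    r"/usr/\{\*\}/\*\-medit\-midori",
    r"/bin/\*",
    r"/usr/\*",
]

if __name__ == "__main__":
    for path in ["/usr/bin/ls", "/usr/bin/medit", "/usr/bin/midori", "/bin/bash"]:
        print(path, "in @ALLOW_EXEC:", group_matches(path, ALLOW_EXEC))
```

Because `/usr/bin/medit` and `/usr/bin/midori` fall outside `@ALLOW_EXEC`, they can only run through the explicit `file execute` lines the article adds for them.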

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0
initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .
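Added example, not from the article or from TOMOYO itself: a Python simulation of the domain-name computation behind the exception-policy lines used here (`keep_domain any from <kernel>`, `initialize_domain ... from any`), including the ld-2.13.so entry from this update. It models only the domain transition on exec, not the `file execute` permission check, and leaves out reset_domain and the no_initialize_domain / no_keep_domain exceptions.

```python
# Added example (not from the article or the TOMOYO project): simulate
# which domain a program lands in when executed, given the transition
# rules of a TOMOYO 2.5 exception policy. Only initialize_domain and
# keep_domain are modelled; reset_domain and the no_* forms are not.

KERNEL = "<kernel>"


def parse_exceptions(text):
    """Return [(kind, program, source)] for the transition rules in an exception policy."""
    rules = []
    for line in text.splitlines():
        words = line.split()
        if (len(words) == 4 and words[0] in ("initialize_domain", "keep_domain")
                and words[2] == "from"):
            rules.append((words[0], words[1], words[3]))
    return rules


def _rule_applies(program_pat, source_pat, domain, program):
    # "any" matches everything; a source beginning with <kernel> is compared
    # as a whole domain name; any other source is compared with the last
    # program of the current domain (the three forms TOMOYO accepts).
    if program_pat != "any" and program_pat != program:
        return False
    if source_pat == "any":
        return True
    if source_pat.startswith(KERNEL):
        return source_pat == domain
    return source_pat == domain.split()[-1]


def next_domain(rules, domain, program):
    """Domain of `program` when executed from `domain` under `rules`."""
    # initialize_domain is checked before keep_domain, so it wins when
    # both match; that is what moves /usr/bin/midori out of <kernel>
    # even though "keep_domain any from <kernel>" is also present.
    for kind in ("initialize_domain", "keep_domain"):
        for rule_kind, program_pat, source_pat in rules:
            if rule_kind == kind and _rule_applies(program_pat, source_pat, domain, program):
                return f"{KERNEL} {program}" if kind == "initialize_domain" else domain
    # Default transition: the program is appended to the current domain name.
    return f"{domain} {program}"


def exec_chain(rules, programs, start=KERNEL):
    """Run a chain of execs and return every domain visited, starting with `start`."""
    domains = [start]
    for prog in programs:
        domains.append(next_domain(rules, domains[-1], prog))
    return domains


# The transition rules from the article's exception policy (constructed copy).
ARTICLE_EXCEPTIONS = """\
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any
initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
"""

if __name__ == "__main__":
    rules = parse_exceptions(ARTICLE_EXCEPTIONS)
    chain = ["/sbin/init", "/usr/sbin/sshd", "/bin/bash", "/usr/bin/midori"]
    print("without rules:", exec_chain([], chain)[-1])
    print("with the article's rules:")
    for d in exec_chain(rules, chain):
        print(" ", d)
```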
 
.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf
<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf
4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0
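An added example (my own code, not from the article or the TOMOYO project) that implements the subset of TOMOYO 2.5 path-pattern rules the policy above relies on (`\*`, `/\{\*\}/`, and the `\-` subtraction in `/usr/\{\*\}/\*\-medit\-midori`) and replays the `<kernel>` domain's execute decision, so you can check offline which binaries profile 4 would still let run and for which uid. The group lists are abridged to the members needed here, and the matching semantics are taken from the expression-rules specification rather than copied from the kernel, so treat it as an approximation.

```python
import re

# Wildcard semantics assumed from the TOMOYO 2.5 expression rules:
#   \*          zero or more characters other than '/'
#   \?          exactly one character other than '/'
#   \$          one or more decimal digits
#   /\{\*\}/    one or more directory components
#   A\-B\-C     (inside one component) matches A but is neither B nor C


def _simple_regex(frag):
    """Translate a wildcard fragment without "\\-" into a regex fragment."""
    out, i = [], 0
    while i < len(frag):
        two = frag[i:i + 2]
        if two == r"\*":
            out.append("[^/]*")
        elif two == r"\?":
            out.append("[^/]")
        elif two == r"\$":
            out.append("[0-9]+")
        elif len(two) == 2 and two[0] == "\\":
            out.append(re.escape(two[1]))  # any other escaped byte is literal
        else:
            out.append(re.escape(frag[i]))
            i += 1
            continue
        i += 2
    return "".join(out)


def _component_regex(comp):
    """One path component, honouring the "\\-" subtraction operator."""
    first, *excluded = comp.split(r"\-")
    positive = _simple_regex(first)
    if not excluded:
        return positive
    alts = "|".join(_simple_regex(e) for e in excluded)
    # must match `first`, and must not be exactly one of the excluded forms
    return "(?!(?:%s)(?:/|$))%s" % (alts, positive)


def pattern_to_regex(pattern):
    pieces = []
    for comp in pattern.split("/"):
        if comp == r"\{\*\}":
            # together with the slashes around it: one or more components
            pieces.append("[^/]*(?:/[^/]*)*")
        else:
            pieces.append(_component_regex(comp))
    return re.compile("/".join(pieces))


def path_matches(pattern, path):
    return pattern_to_regex(pattern).fullmatch(path) is not None


def group_covers(group, path):
    return any(path_matches(p, path) for p in group)


# Abridged from the article's exception_policy.conf path_groups.
ALLOW_EXEC = [
    r"/\*", r"/bin/\{\*\}/\*", r"/usr/\{\*\}/\*\-medit\-midori",
    r"/bin/\*", r"/usr/\*",
]
ALLOW_EXEC_ROOT = [
    r"/lib/\{\*\}/\*", r"/home/\{\*\}/\*", r"/tmp/\{\*\}/\*",
    r"/lib/\*", r"/home/\*", r"/tmp/\*",
]


def kernel_domain_allows_exec(path, uid):
    """Replay of the article's <kernel> domain under profile 4:
    file execute @ALLOW_EXEC
    file execute @ALLOW_EXEC_ROOT task.uid=0
    file execute /usr/bin/medit
    file execute /usr/bin/midori"""
    if path in ("/usr/bin/medit", "/usr/bin/midori"):
        return True
    if group_covers(ALLOW_EXEC, path):
        return True
    return uid == 0 and group_covers(ALLOW_EXEC_ROOT, path)


if __name__ == "__main__":
    # constructed sample paths; /home/home/dropper is a stand-in for a file a
    # user could write, which only root may execute under this policy
    for p, uid in [("/usr/bin/ls", 1000), ("/usr/bin/midori", 1000),
                   ("/usr/lib/midori/midori", 1000),
                   ("/home/home/dropper", 1000), ("/home/home/dropper", 0)]:
        verdict = "allow" if kernel_domain_allows_exec(p, uid) else "deny"
        print("uid=%-5d %-26s -> %s" % (uid, p, verdict))
```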

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .
 
.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf
4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en
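As an added illustration of how the entries above combine (example code written for this page, not part of tomoyo-tools or the article): a small Python evaluator that resolves path_group references from the exception policy, translates the \*, \? and \{\*\}/ wildcards into regular expressions, and answers whether a domain may execute a given path as a given uid, honouring the task.uid=0 condition discussed in point 2. The policy text embedded in it is a constructed sample modelled on the configuration above; the \- subtraction operator used in the real ALLOW_EXEC group is not implemented here, and patterns containing it are rejected rather than guessed. The example also shows why both /home/\* and /home/\{\*\}/\* are listed: the recursive form only matches when at least one intermediate directory is present.

```python
"""Toy evaluator for the subset of TOMOYO 2.5 policy syntax used on this page.

Added example: the functions and the embedded policy text are constructed for
illustration and are not part of tomoyo-tools or of the original article.
"""
import re

# Constructed sample exception policy (path_group definitions only).
# The article's "\-medit\-midori" subtraction is deliberately omitted because
# wildcard_to_regex() below does not implement the \- operator.
EXCEPTION_POLICY = r"""
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
"""

# Constructed sample domain policy modelled on the article's <kernel> domain.
DOMAIN_POLICY = r"""
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0
"""


def wildcard_to_regex(pattern):
    """Translate the TOMOYO wildcards this example supports into a regex.

    \*       zero or more characters other than '/'
    \?       exactly one character other than '/'
    \{\*\}/  one or more repetitions of "<component>/" (recursive directories)
    Any other escape (e.g. \-) raises ValueError instead of being guessed.
    """
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c != '\\':
            out.append(re.escape(c))
            i += 1
            continue
        esc = pattern[i:i + 2]
        if esc == r'\*':
            out.append('[^/]*')
            i += 2
        elif esc == r'\?':
            out.append('[^/]')
            i += 2
        elif pattern.startswith(r'\{\*\}/', i):
            out.append('(?:[^/]*/)+')
            i += len(r'\{\*\}/')
        else:
            raise ValueError('unsupported wildcard %r in %r' % (esc, pattern))
    return '^' + ''.join(out) + '$'


def parse_path_groups(text):
    """Return {group_name: [pattern, ...]} from path_group lines."""
    groups = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == 'path_group':
            groups.setdefault(parts[1], []).append(parts[2])
    return groups


def parse_domain_policy(text):
    """Return {domain: {'profile': int or None, 'execute': [(target, uid)]}}.

    A domain starts at a line beginning with '<kernel>'; only use_profile and
    'file execute' entries (with an optional task.uid=N condition) are kept,
    other directives such as use_group are ignored.
    """
    domains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith('<kernel>'):
            current = domains.setdefault(line, {'profile': None, 'execute': []})
        elif current is None:
            raise ValueError('entry before any domain header: %r' % line)
        elif line.startswith('use_profile '):
            current['profile'] = int(line.split()[1])
        elif line.startswith('file execute '):
            parts = line.split()
            uid = None
            for cond in parts[3:]:
                if not cond.startswith('task.uid='):
                    raise ValueError('unsupported condition %r' % cond)
                uid = int(cond.split('=', 1)[1])
            current['execute'].append((parts[2], uid))
    return domains


def may_execute(domains, groups, domain, path, uid):
    """True if some 'file execute' entry of `domain` permits `path` for `uid`."""
    for target, cond_uid in domains[domain]['execute']:
        if cond_uid is not None and cond_uid != uid:
            continue  # task.uid=N condition not met for this caller
        if target.startswith('@'):
            patterns = groups.get(target[1:])
            if patterns is None:
                raise ValueError('undefined path_group %s' % target)
        else:
            patterns = [target]
        if any(re.match(wildcard_to_regex(p), path) for p in patterns):
            return True
    return False


if __name__ == '__main__':
    g = parse_path_groups(EXCEPTION_POLICY)
    d = parse_domain_policy(DOMAIN_POLICY)
    for p, u in [('/bin/ls', 1000), ('/tmp/dropper', 1000), ('/tmp/dropper', 0),
                 ('/home/user', 0), ('/home/user/.cache/x', 0)]:
        print('%-22s uid=%-5d %s' % (p, u, may_execute(d, g, '<kernel>', p, u)))
```

With the sample policy, /bin/ls runs for any uid, /tmp/dropper is refused for uid 1000 but permitted for uid 0 through @ALLOW_EXEC_ROOT, and /home/user is not matched by /home/\{\*\}/\* at all, which is the case the separate /home/\* entry on this page exists for.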



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

Source: https://habr.com/ru/post/224335/