Using Tomoyo Linux



Want to block suspicious behaviour of a program? Mitigate the exploitation of vulnerabilities? Rule out unauthorized code execution?
TOMOYO Linux is an implementation of mandatory access control (MAC) for Linux. It is part of the mainline kernel (since 2.6.30), so on Debian it is available without patching. It lets you observe what the system does and then confine that behaviour strictly within a given policy.

Below we walk through creating policies both for an individual application and for the system as a whole.
The examples are built on Debian Wheezy and the Tomoyo 2.5 that ships in its kernel.

Basics

1. Domains.
Tomoyo's operation is built on the concept of a domain. A domain is a process identified by the chain of programs that led to it; a domain transition is what happens when a process in one domain executes a program and ends up in another.

The base domain is always <kernel>. Every other domain name is the execution history of the process, starting from <kernel>, for example:

<kernel>
<kernel> /sbin/init
<kernel> /sbin/init /etc/rc.d/rc
<kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3

The same program reached by different paths ends up in different domains, and every domain has its own rules. For example, /bin/bash started from a local login and /bin/bash started through sshd are two different domains:

/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

The first bash is a local shell, the second was spawned by sshd, and each can be given a different set of permissions. That is where Tomoyo's flexibility comes from.

The domain tree can be inspected with tomoyo-editpolicy. Start it as root:

tomoyo-editpolicy

It opens on the Domain Transition Editor, which lists every domain the kernel currently knows about, together with the profile number of each.

To switch between the editor's screens press W and then the letter of the screen you want; D brings you back to the Domain Transition Editor (w & d).

2. Rules.

Every domain carries its own list of rules describing what processes in it may do: which files they may read, write or execute, which network connections they may make, which environment variables they may receive, and so on. Once a domain is enforcing, anything not covered by a rule is rejected. The simplest example:

file execute /bin/ls - allows the domain to execute ls

A rule may also carry a condition:

file execute /bin/ls task.uid=0 - allows executing ls only when the process runs with uid 0 (root).

3. Profiles.
A profile defines how Tomoyo treats a domain: whether the rules are merely collected, checked and logged, or actually enforced. Every domain is assigned a profile number.

There are 4 modes.
0 - disabled: the domain is not checked, nothing is logged or learned.
1 - learning: every access is allowed and automatically added to the domain's rules.
2 - permissive: accesses not covered by the rules are logged but still allowed; like 0, except that you see what would have been rejected.
3 - enforcing: accesses not covered by the rules are rejected and logged.

Profiles are viewed and edited in the Profile Editor of tomoyo-editpolicy (w & p).

In the examples below the confined domains end up in profile 3.

4. Exception policy.
The exception policy holds settings that do not belong to any one domain: path_group and number_group definitions that domain rules can refer to by name, and the domain-transition rules (initialize_domain, keep_domain and their no_ counterparts) that decide whether executing a program creates a new domain or keeps the process in the current one. It applies to the whole system.

It is edited in the Exception Policy Editor of tomoyo-editpolicy (w & e)



5. Policy files.

On disk the policy is kept in:

/etc/tomoyo/domain_policy.conf - the domain policy: every domain with its profile and rules
/etc/tomoyo/profile.conf - the profiles
/etc/tomoyo/exception_policy.conf - the exception policy

Keep in mind that tomoyo-editpolicy edits the policy currently loaded in the kernel (exposed under /sys/kernel/security/tomoyo/), not these files. Whatever you change in the editor is gone after a reboot unless you write it to disk. Don't forget to save!

At boot the kernel runs /sbin/tomoyo-init, which loads these files before /sbin/init starts.

6. Utilities.

tomoyo-editpolicy - the interactive policy editor. Almost everything below is done in it.
tomoyo-loadpolicy - loads policy from the files (or from stdin) into the kernel.
tomoyo-savepolicy - writes the policy loaded in the kernel to /etc/tomoyo/. Attention! It overwrites the files with whatever the kernel holds. It is the only way to persist what you did in tomoyo-editpolicy, which has no save function of its own. With -d or -e it prints the domain or exception policy to stdout instead, which is used below.
tomoyo-checkpolicy - checks a policy file for syntax errors.

All of them need root.

Tomoyo documentation: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

Man pages: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Enabling Tomoyo.
1. Add security=tomoyo to the kernel command line in /etc/default/grub:
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

and regenerate the GRUB configuration:
update-grub

2. Install the userspace tools:
aptitude install tomoyo-tools

3. Create the initial policy:
/usr/lib/tomoyo/init_policy
This writes /etc/tomoyo/*.conf with profiles 0-3 and a domain policy containing only the <kernel> domain in profile 0 (disabled), so nothing is restricted yet.

4. Reboot!
If Tomoyo gets in the way (the system does not boot, or you locked yourself out with a bad policy), press e in the GRUB menu and, for that boot only, replace
security=tomoyo
with
security=none


A policy for midori.
Now a policy for a real application, the midori browser. The plan: give midori its own domain, run it in learning mode, clean up what it learned, then switch the domain to enforcing.

First midori must land in the same domain no matter where it is launched from (a terminal, the desktop menu, a file manager). That is what initialize_domain is for.

Start tomoyo-editpolicy.
In the Exception Policy Editor (w & e) press A and add:

initialize_domain /usr/bin/midori from any

From now on every execution of /usr/bin/midori, from any domain, transitions into the domain <kernel> /usr/bin/midori.

Domain transitions are described here:
tomoyo.sourceforge.jp/2.5/chapter-5.html.en

Switch to the Domain Transition Editor (w & d). Launch midori once so that the domain gets created; it appears in the list (the * marks a domain created through initialize_domain):

/usr/bin/midori *

Select it, press S and set profile 1 (learning).

Now use midori the way you normally do: open sites, change settings, download files, work with bookmarks. Everything it touches is recorded as a rule in its domain. Then close midori.

Back in the Domain Transition Editor press Enter on the midori domain to open the Domain Policy Editor, which lists all the rules midori acquired while learning.

Let's go through them.

Entries that begin with @ refer to groups (path_group, number_group, address_group) defined in the exception policy; one such entry stands for every member of the group.

The learned list is long and very literal: one rule per file midori happened to open. Two things have to be done with it: fold the per-file rules into a few rules with wildcards, and delete what midori should not have.



For example, there will be a dozen rules for individual files in /home/home/.config/midori/.

Instead of keeping each file separately, delete them (select, press D) and replace them with one rule that uses a wildcard; add the append permission too, since the learning run may simply not have hit it. rename takes two path arguments and therefore cannot be combined with the others on one line; it keeps a rule of its own. The combined rule:

file read/write/append/unlink/truncate /home/home/.config/midori/\*

\* matches any sequence of characters except /, so this covers every file directly in that directory but not its subdirectories.

Rules you do not want are removed the same way: select them, press D.

For midori's subdirectories under /home/home/.config/midori/ add a recursive pattern; \{\*\}/ stands for one or more directory levels:

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*

The wildcards are documented here:
tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

and the full rule syntax here:
tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


Do the same for the rest of the list.

Network access. While learning, midori recorded one rule per host it connected to. Replace them with a single rule that allows outgoing TCP connections to anywhere on ports 80-443:

network inet stream connect 0.0.0.0-255.255.255.255 80-443

Note that 80-443 is a range: every port from 80 to 443 is allowed, not just those two. Two rules, one for port 80 and one for 443, would be tighter.

Select the new rule and press O: the editor marks the host-specific rules it makes redundant; press D to delete them (O & D).

Network rule syntax:
tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


Also remove anything midori has no business doing; the learning run records whatever happened, not what is necessary.

For example, does midori really need to read /etc/passwd? If you decide it does not, delete the rule rather than keep it "just in case".

When the list is clean, switch the domain to enforcing.
Go to the Domain Transition Editor (w & d), select the midori domain, press S and change the profile from 1 to 3.
Launch midori again and use it for a while.
Does everything work? Good. Is something broken? Find the rejected request in the reject log (tomoyo-auditd, see below) or switch the domain back to profile 1 for a moment, add the missing rule, and try again.

Now save the result to disk. Rather than overwriting the whole file, export only the midori domain and append it:

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

Piece by piece:
tomoyo-savepolicy -d prints the domain policy currently loaded in the kernel to stdout.
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' keeps only that domain (and, with -r, any domains created from it).
>> /etc/tomoyo/domain_policy.conf appends the result to the file on disk. If the file already contains an entry for this domain from an earlier save, remove the old one first.

The resulting policy for midori:

/etc/tomoyo/domain_policy.conf

<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/g/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53


This still lets midori read, write and delete anything under /home/home, including directories such as ~/.ssh, so a compromised browser keeps the whole home directory. The path groups below are the first step towards narrowing that to the directories midori really uses.

Save the exception policy as well; it holds the initialize_domain line:

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

Rules for related paths can be collected into a path_group in the exception policy and referenced from the domain policy by name. This keeps the domain policy short, and the same group can serve several domains.

In exception_policy.conf:

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

and in domain_policy.conf, inside the midori domain:

file read/write/append/unlink/truncate @Midoi_Allow

After editing the files by hand, check them for syntax errors before loading them into the kernel; a line that fails to parse is simply not loaded, and the domain then lacks that permission:

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

Errors are reported together with the offending line; fix them, re-check, then load the files with tomoyo-loadpolicy or reboot.

To see what is granted and rejected at runtime, run tomoyo-auditd: it reads the kernel's audit interface and writes the grant and reject logs under /var/log/tomoyo. The reject log is the place to look when an enforcing domain breaks an application.
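As an added illustration (not part of the original article and not a TOMOYO project tool), here is a small Python script that does the clean-up step from the midori section mechanically: it reads a tomoyo-auditd log, keeps only the rejected requests, and folds per-file rules that share a directory into one \* rule per domain, passing everything else through untouched. The log records are constructed samples in the three-line format tomoyo-auditd writes (a #timestamp# header with profile, mode and verdict, then the domain name, then the requested access); the header's task={...} block is abbreviated, and the IP address and paths are made up. Merging is deliberately limited to single-path operations, and execute is never widened into a wildcard, since that is exactly the rule you want to keep literal.

```python
import re
from collections import defaultdict

# file:: operations that take a single path and may be folded into one
# "file op1/op2 <pattern>" rule.  Operations with extra arguments (create needs
# a mode, rename/link two paths, ioctl a number) are passed through unchanged,
# and execute is never widened into a wildcard.
MERGEABLE = ("read", "write", "append", "unlink", "truncate", "getattr")

HEADER_RE = re.compile(r"^#[^#]*#\s+profile=(\d+)\s+mode=(\w+)\s+granted=(yes|no)")


def _event(acl, granted="no", domain="<kernel> /usr/bin/midori"):
    """One three-line tomoyo-auditd record: header, domain name, requested access.
    Constructed sample; the header's task={...} block is abbreviated."""
    return (f"#2013/03/10 12:00:01# profile=3 mode=enforcing granted={granted} "
            f"(global-pid=4321) task={{ pid=4321 ppid=1 uid=1000 gid=1000 }}\n"
            f"{domain}\n{acl}\n")


SAMPLE_LOG = "".join([
    _event("file read /home/home/.config/midori/config"),
    _event("file write /home/home/.config/midori/config"),
    _event("file read /home/home/.config/midori/bookmarks.db"),
    _event("file create /home/home/.config/midori/bookmarks.db-journal 0600"),
    _event("network inet stream connect 93.184.216.34 443"),
    _event("file read /etc/passwd"),
    _event("file read /etc/resolv.conf", granted="yes"),  # granted: nothing to add
])


def parse_audit_log(text):
    """Return [(domain, access)] for every *rejected* request in the log."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    rejected = []
    i = 0
    while i + 2 < len(lines):
        m = HEADER_RE.match(lines[i])
        if not m:
            i += 1          # not a header: resynchronise on the next one
            continue
        if m.group(3) == "no":
            rejected.append((lines[i + 1], lines[i + 2]))
        i += 3
    return rejected


def consolidate(rejected):
    """Fold per-file rules that share a directory into one \\* rule per domain,
    which is what the article does by hand in tomoyo-editpolicy.  A directory
    with a single rejected file keeps the exact path; other rules pass through."""
    ops_by_dir = defaultdict(lambda: defaultdict(set))    # domain -> dir -> ops
    files_by_dir = defaultdict(lambda: defaultdict(set))  # domain -> dir -> paths
    passthrough = defaultdict(set)
    for domain, access in rejected:
        parts = access.split()
        ops = parts[1].split("/") if parts[0] == "file" else []
        if parts[0] == "file" and len(parts) == 3 and all(op in MERGEABLE for op in ops):
            directory = parts[2].rsplit("/", 1)[0]
            ops_by_dir[domain][directory].update(ops)
            files_by_dir[domain][directory].add(parts[2])
        else:
            passthrough[domain].add(access)
    proposals = {}
    for domain in set(ops_by_dir) | set(passthrough):
        rules = set(passthrough[domain])
        for directory, ops in ops_by_dir[domain].items():
            joined = "/".join(op for op in MERGEABLE if op in ops)   # canonical order
            paths = files_by_dir[domain][directory]
            target = f"{directory}/\\*" if len(paths) > 1 else next(iter(paths))
            rules.add(f"file {joined} {target}")
        proposals[domain] = sorted(rules)
    return proposals


if __name__ == "__main__":
    for domain, rules in consolidate(parse_audit_log(SAMPLE_LOG)).items():
        print(domain)
        for rule in rules:
            print("   ", rule)
```

The output is a proposal to review, not something to append blindly: the /etc/passwd line survives as an exact path precisely so that the question from the text (does midori need it?) is still visible when you decide.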


Ready-made policies for other applications can be found in the Arch wiki, for example:
wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Restricting execution system-wide.

Tomoyo can also enforce one rule for the whole system instead of confining applications one by one.

A useful one: nothing may be executed from /home, /tmp and other user-writable locations unless the process runs as root.
The idea is to leave everything unconfined except file::execute, keep every process in the <kernel> domain with keep_domain, and state the execute rules once, in that domain.

First a profile that enforces execute only:

/etc/tomoyo/profile.conf
4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

Then the exception policy, with two groups: ALLOW_EXEC for locations anyone may execute from, ALLOW_EXEC_ROOT for locations only root may:

/etc/tomoyo/exception_policy.conf
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any

And the domain policy:

/etc/tomoyo/domain_policy.conf
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0
(followed by the midori rules from the previous section)

A few points need explaining.

1.
Why is midori excluded from the /usr group with \-midori and then allowed separately with file execute /usr/bin/midori (and medit the same way)?

The \- operator subtracts from a pattern: /usr/\{\*\}/\*\-medit\-midori matches every file under /usr except those whose name is medit or midori, wherever they sit. The two binaries are then granted by the explicit file execute lines, so the permission for the programs that get special treatment (midori through initialize_domain /usr/bin/midori from any; medit is handled the same way) is stated in the domain policy itself instead of being buried inside a wildcard.

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

The second group may be executed from only by a process whose uid is 0; for any other uid the rule does not apply and the request is rejected. Keep in mind that file execute governs execve() only: a script fed to an interpreter (sh /tmp/x.sh) or a shared object loaded into an already running process is not covered, and the dynamic-loader trick in the update below is a third way around it.

Conditions are described here:
tomoyo.sourceforge.jp/2.5/chapter-10.html.en

3.
keep_domain any from <kernel>
keeps every process in the <kernel> domain: no per-program domains are created, so the execute rules above apply to everything.

initialize_domain /usr/bin/midori from any
is the exception: initialize_domain is evaluated before keep_domain, so midori still gets its own domain with its own rules.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
In profile 4 every category is disabled except file::execute, which is enforcing. The <kernel> domain has use_profile 4, so program execution is the only thing restricted there.

Profiles are described here:
tomoyo.sourceforge.jp/2.5/chapter-9.html.en
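To reason about such a policy without rebooting into it, here is an added Python example (not from the article and not TOMOYO project code) that re-implements the path-pattern matching the system-wide policy relies on, \*, \{\*\}/ and the \- exclusion, component by component the way the kernel evaluates them, and answers "would the <kernel> domain allow execve() of this path for this uid?" against a subset of the page's ALLOW_EXEC / ALLOW_EXEC_ROOT groups and its four file execute rules. The function names (path_matches, exec_allowed) and the probe paths such as /home/home/evil and /usr/local/bin/midori are my own; only the three wildcards above are implemented, and any other escape raises instead of guessing. It also makes one consequence of \-midori visible: the exclusion is by file name anywhere under /usr, so a copy at /usr/local/bin/midori is refused for non-root as well, while the real binary is still allowed by its explicit rule.

```python
import re

# A subset of the page's system-wide exception policy: enough of the two path
# groups to exercise every wildcard used there (\*, \{\*\}/ and the \- exclusion).
EXCEPTION_POLICY = r"""
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
"""
# The <kernel> domain's execute rules from the page, in policy order.
DOMAIN_POLICY = """
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori
"""

def _fragment_regex(frag):
    """Regex for one pattern fragment: literal characters plus \\* (any run of
    non-'/').  Other TOMOYO escapes are not implemented and raise instead."""
    out, i = [], 0
    while i < len(frag):
        if frag[i] == "\\":
            if frag[i:i + 2] != "\\*":
                raise NotImplementedError(f"unsupported escape in {frag!r}")
            out.append("[^/]*")
            i += 2
        else:
            out.append(re.escape(frag[i]))
            i += 1
    return "".join(out)

def _component_matches(name, pattern):
    """'A\\-B\\-C' matches a component that matches A and neither B nor C."""
    segs = pattern.split("\\-")
    if not re.fullmatch(_fragment_regex(segs[0]), name):
        return False
    return not any(re.fullmatch(_fragment_regex(s), name) for s in segs[1:])

def _match(fc, pc):
    # fc / pc: remaining path and pattern components (split on '/')
    while fc and pc:
        if pc[0].startswith("\\{"):
            if not (pc[0].endswith("\\}") and len(pc) > 1):
                return False                      # "\{..\}" must be a directory level
            inner = pc[0][2:-2]
            for k in range(len(fc) - 1):          # consume >= 1 level, keep one for the rest
                if not _component_matches(fc[k], inner):
                    return False
                if _match(fc[k + 1:], pc[1:]):
                    return True
            return False
        if not _component_matches(fc[0], pc[0]):
            return False
        fc, pc = fc[1:], pc[1:]
    if not fc and pc == ["\\*"]:                  # a trailing \* may match nothing
        pc = []
    return not fc and not pc

def path_matches(path, pattern):
    """TOMOYO-style match of an absolute path against a path pattern."""
    return _match(path.split("/"), pattern.split("/"))

def parse_path_groups(text):
    groups = {}
    for parts in (ln.split() for ln in text.splitlines()):
        if len(parts) == 3 and parts[0] == "path_group":
            groups.setdefault(parts[1], []).append(parts[2])
    return groups

def parse_execute_rules(text):
    """[(target, required_uid)] from 'file execute <target> [task.uid=N]' lines."""
    rules = []
    for parts in (ln.split() for ln in text.splitlines()):
        if len(parts) >= 3 and parts[:2] == ["file", "execute"]:
            uid = [int(c[9:]) for c in parts[3:] if c.startswith("task.uid=")]
            rules.append((parts[2], uid[0] if uid else None))
    return rules

GROUPS = parse_path_groups(EXCEPTION_POLICY)
RULES = parse_execute_rules(DOMAIN_POLICY)

def exec_allowed(path, uid, rules=RULES, groups=GROUPS):
    """Return the rule target that grants execute of `path` to a process with
    this uid in the <kernel> domain, or None if file::execute is rejected."""
    for target, need_uid in rules:
        if need_uid is not None and uid != need_uid:
            continue
        patterns = groups.get(target[1:], []) if target.startswith("@") else [target]
        if any(path_matches(path, p) for p in patterns):
            return target
    return None

if __name__ == "__main__":
    for path, uid in (("/usr/bin/gcc", 1000), ("/usr/bin/midori", 1000),
                      ("/usr/local/bin/midori", 1000), ("/home/home/evil", 1000),
                      ("/home/home/evil", 0)):
        print(f"uid={uid:<4} {path:<22} -> {exec_allowed(path, uid) or 'rejected'}")
```

Two details worth noticing in the matcher: \{\*\}/ consumes at least one directory level, which is why the page needs both /home/\* and /home/\{\*\}/\* to cover a tree, and the exclusion after \- is applied to the single path component it belongs to, not to the whole path.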



That is the whole workflow: learn, prune, enforce, save. Tomoyo's policies are plain text that names real paths, which keeps them readable and easy to maintain by hand.
Starting with a single application, as above, is the easiest way in.

P.S. Tomoyo is not the only MAC. From the same author there is also CaitSith - caitsith.sourceforge.jp

Update!

There is a way around Tomoyo's execute restriction.
The dynamic loader, ld-linux.so.2 (on amd64 /lib/x86_64-linux-gnu/ld-2.13.so), can be invoked directly with a program as its argument; it maps the program and runs it, and from Tomoyo's point of view no execute of that program ever happened, only a file read.

The fix is to give the loader its own empty domain in enforcing mode.

In domain_policy.conf:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

and in exception_policy.conf:

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any

Any direct invocation of the loader now lands in a domain that permits nothing: it cannot even read the program it was asked to run, so the request is rejected.

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .
 
.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf
<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53
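A policy collected in learning mode records everything the application happened to do, so it is worth reading the listing above before moving the domain to profile 3. The script below is an added example, not code from the original article or from tomoyo-tools: it parses the line-based domain_policy.conf syntax (a <kernel> line opens a domain, use_profile and use_group follow, every other line is one ACL) and flags two patterns visible in the midori listing. First, write-class permissions on a path that contains \{\*\}, which matches any number of directory levels and therefore covers the whole subtree under /home/home. Second, a network rule whose address is the range 0.0.0.0-255.255.255.255 combined with a port range: in TOMOYO a port spec such as 80-443 is a range, so that rule permits connects to 364 destination ports, not only 80 and 443. The embedded SAMPLE_POLICY is a constructed excerpt of the page's listing; the function names and the profile-number check (assuming the default numbering 0 disabled, 1 learning, 2 permissive, 3 enforcing) are my own.

```python
"""Review helper for TOMOYO 2.x domain_policy.conf (added example, not tomoyo-tools code).

The format is line based: a line starting with "<kernel>" opens a domain, "use_profile N"
and "use_group N" set its profile and ACL group, and every other line is one ACL whose
first word is the category ("file", "network", "misc", ...).
"""
import ipaddress

# Constructed excerpt of the learning-mode policy for midori shown on the page.
# \{\*\} matches any number of directory levels; \* matches a single path component.
SAMPLE_POLICY = r"""
<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env HOME
file read /etc/ssl/certs/ca-certificates.crt
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file create/chmod /home/home/\* 0-0666
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53
"""

# Permissions that let a domain change files, as opposed to only reading them.
WRITE_PERMS = {"write", "append", "unlink", "truncate", "rename", "create", "chmod"}


def parse_domain_policy(text):
    """Return {domain: {"profile": int | None, "rules": [(category, arguments)]}}."""
    domains = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("<kernel>"):
            current = line
            domains[current] = {"profile": None, "rules": []}
        elif current is None:
            raise ValueError(f"ACL before any domain header: {line!r}")
        elif line.startswith("use_profile "):
            domains[current]["profile"] = int(line.split()[1])
        elif line.startswith("use_group "):
            continue  # ACL groups are not reviewed here
        else:
            category, _, arguments = line.partition(" ")
            domains[current]["rules"].append((category, arguments))
    return domains


def port_span(spec):
    """Number of ports a TOMOYO port spec covers: "53" -> 1, "80-443" -> 364."""
    low, _, high = spec.partition("-")
    low_port = int(low)
    high_port = int(high) if high else low_port
    if not 0 <= low_port <= high_port <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return high_port - low_port + 1


def address_is_any(spec):
    """True when an address spec is the range 0.0.0.0-255.255.255.255 (every IPv4 host)."""
    low, _, high = spec.partition("-")
    if not high:
        return False
    return (ipaddress.ip_address(low) == ipaddress.IPv4Address("0.0.0.0")
            and ipaddress.ip_address(high) == ipaddress.IPv4Address("255.255.255.255"))


def review_domain(name, info):
    """Flag ACLs that grant more than a single application usually needs."""
    findings = []
    # Assumes the default profile numbering: 0 disabled, 1 learning, 2 permissive, 3 enforcing.
    if info["profile"] is not None and info["profile"] < 3:
        findings.append(f"{name}: profile {info['profile']} does not enforce")
    for category, arguments in info["rules"]:
        parts = arguments.split()
        if category == "file" and len(parts) >= 2:
            perms = set(parts[0].split("/"))
            path = parts[1]
            if perms & WRITE_PERMS and r"\{\*\}" in path:
                findings.append(f"{name}: recursive write access ({parts[0]}) under {path}")
        elif category == "network" and len(parts) >= 5 and parts[0] == "inet":
            _family, proto, op, addr, port = parts[:5]
            span = port_span(port)
            if address_is_any(addr) and span > 1:
                findings.append(
                    f"{name}: {proto} {op} to any IPv4 address on {span} ports ({port})")
    return findings


def review_policy(text):
    """Parse a domain_policy.conf text and return all findings, in file order."""
    findings = []
    for name, info in parse_domain_policy(text).items():
        findings.extend(review_domain(name, info))
    return findings


if __name__ == "__main__":
    for finding in review_policy(SAMPLE_POLICY):
        print(finding)
```

Run as-is it reviews the embedded sample; to review a live policy, feed the output of tomoyo-savepolicy -d (or the contents of /etc/tomoyo/domain_policy.conf) to review_policy.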


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf
4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori
<kernel> /usr/bin/midori
use_profile 3
use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0
initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .
 
.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf
<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .
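tomoyo-checkpolicy only validates syntax; it does not tell you that a learned rule such as file read/write/append/unlink/truncate /home/home/\* hands the browser the whole home directory, or that an @Midoi_Allow reference without a matching path_group line matches nothing and is denied once the profile enforces. The following is an added example, not code from the article or from tomoyo-tools: a small Python audit of the text that tomoyo-savepolicy -d and -e emit. The depth threshold and the sample policy text are constructed assumptions.

```python
"""Audit TOMOYO 2.5 policy dumps before switching a domain to enforcing.

Added example, not code from the article or tomoyo-tools. It reads the
one-directive-per-line text that tomoyo-savepolicy -d / -e emit and flags
write rules anchored only one or two directories deep (the learned
/home/home/\\* rules) and @path_group references that nothing defines.
The depth threshold and the sample policy text are constructed assumptions.
"""
# "file" ACL keywords that let a domain modify the filesystem.
WRITE_OPS = {"write", "append", "unlink", "truncate", "rename", "create",
             "chmod", "chown", "chgrp", "mkdir", "rmdir", "link", "symlink"}
# Assumed threshold: /home/home/\* has depth 2, /home/home/.config/midori/\* has 4.
MIN_ANCHORED_DEPTH = 3


def parse_domain_policy(text):
    """Return [(domain_name, profile, [acl lines])] from a domain_policy.conf dump."""
    domains = []
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("<kernel>"):          # a domain header opens a new block
            domains.append([line, None, []])
        elif not line or not domains:             # blank, or a label before the first header
            continue
        elif line.startswith("use_profile "):
            domains[-1][1] = int(line.split()[1])
        elif not line.startswith("use_group "):
            domains[-1][2].append(line)
    return [tuple(d) for d in domains]


def parse_path_groups(text):
    """Return {group: [patterns]} from 'path_group NAME PATTERN' lines."""
    groups = {}
    for parts in (ln.split() for ln in text.splitlines()):
        if len(parts) == 3 and parts[0] == "path_group":
            groups.setdefault(parts[1], []).append(parts[2])
    return groups


def anchored_depth(pattern):
    """Components left after dropping the trailing run of wildcard components.
    TOMOYO wildcards (\\*, \\{\\*\\}, \\$ ...) start with a backslash; a wildcard in
    the middle (the user name in /home/\\*/.config/...) still narrows the pattern."""
    comps = pattern.strip("/").split("/")
    while comps and "\\" in comps[-1]:
        comps.pop()
    return len(comps)


def audit(domain_text, exception_text):
    """Return one human-readable finding per risky 'file' rule."""
    groups = parse_path_groups(exception_text)
    findings = []
    for name, profile, acls in parse_domain_policy(domain_text):
        tag = f"{name} [profile {profile}]"
        for acl in acls:
            parts = acl.split()
            if len(parts) < 3 or parts[0] != "file":
                continue
            ops = set(parts[1].split("/"))
            paths = parts[2:4] if "rename" in ops else parts[2:3]  # rename takes two paths
            for path in paths:
                members = groups.get(path[1:]) if path.startswith("@") else [path]
                if members is None:
                    findings.append(f"{tag}: '{acl}' references undefined path_group "
                                    f"{path[1:]} (matches nothing, so denied when enforcing)")
                elif ops & WRITE_OPS:
                    for member in members:
                        if anchored_depth(member) < MIN_ANCHORED_DEPTH:
                            findings.append(f"{tag}: '{acl}' grants "
                                            f"{'/'.join(sorted(ops & WRITE_OPS))} "
                                            f"on broad pattern {member}")
    return findings


# Constructed sample: a trimmed excerpt of the article's learned midori domain and
# its <kernel> domain; the exception policy defines Midoi_Allow but not ALLOW_EXEC.
SAMPLE_DOMAIN_POLICY = r"""
<kernel> /usr/bin/midori
use_profile 3
use_group 0
file read /usr/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file read/write/append/unlink/truncate @Midoi_Allow
network inet stream connect 0.0.0.0-255.255.255.255 80-443

<kernel>
use_profile 4
file execute @ALLOW_EXEC
"""
SAMPLE_EXCEPTION_POLICY = r"""
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*
initialize_domain /usr/bin/midori from any
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_DOMAIN_POLICY, SAMPLE_EXCEPTION_POLICY)))
```

On the sample it reports the three /home/home/\* write rules and the dangling @ALLOW_EXEC reference, while the @Midoi_Allow rule passes because both group members are anchored four directories deep.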


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf
4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .



:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .
<kernel>
<kernel> /sbin/init
<kernel> /sbin/init /etc/rc.d/rc
<kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3



/bin/bash, , sshd .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy






W , D (w & d).

2.


file execute /bin/ls - ls


file execute /bin/ls task.uid=0 - ls .

3.

There are 4 modes:
0 - disabled: access is not checked.
1 - learning: access is allowed and the corresponding rule is added to the policy.
2 - permissive: like 0, access is allowed, but violations of the policy are logged.
3 - enforcing: access that violates the policy is rejected and logged.

tomoyo-editpolicy (w & p)



- 3

4.

tomoyo-editpolicy (w & e)



5.


/etc/tomoyo/domain_policy.conf - domain policy (the access rules of each domain)
/etc/tomoyo/profile.conf - profiles (mode and logging settings)
/etc/tomoyo/exception_policy.conf - exception policy (path groups, domain transition rules and other global settings)

, tomoyo-editpolicy , . . !


6.

tomoyo-editpolicy - interactive editor for the policy currently loaded in the kernel.
tomoyo-loadpolicy - loads the policy from the files in /etc/tomoyo into the kernel.
tomoyo-savepolicy - saves the policy currently loaded in the kernel to the files in /etc/tomoyo (with -d or -e it prints the domain or exception policy to stdout instead). Changes made in tomoyo-editpolicy live only in the kernel until they are saved this way.
tomoyo-checkpolicy - checks the syntax of a policy read from stdin.


Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

Man pages: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2.
aptitude install tomoyo-tools

3.
/usr/lib/tomoyo/init_policy

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, midori.

initialize_domain.

tomoyo-editpolicy.
Exception Policy Editor (w & e), A:

initialize_domain /usr/bin/midori from any



tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .




@ . .





/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*


, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en






network inet stream connect 0.0.0.0-255.255.255.255 80-443

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet



, , midori /etc/passwd




D, .
Domain Transition Editor (w & d), S 1 3.


tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

Where:
tomoyo-savepolicy -d prints the domain policy currently loaded in the kernel to stdout.
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' keeps only that domain (with -r, its child domains too).
>> /etc/tomoyo/domain_policy.conf appends the result to the policy file.

midori

/etc/tomoyo/domain_policy.conf

<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53



tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf


exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf:

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf


tomoyo-auditd writes the audit log (granted and rejected accesses) to files under /var/log/tomoyo.


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.


/etc/tomoyo/profile.conf

4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }


/etc/tomoyo/exception_policy.conf

path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any



/etc/tomoyo/domain_policy.conf

<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0


1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0


tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

tomoyo.sourceforge.jp/2.5/chapter-9.html.en
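The path_group patterns above (\{\*\}/\*, \*, and the \-medit\-midori exclusion that note 1 asks about) decide what the <kernel> domain may execute. The Python below is an added example, not code from the article or from the TOMOYO project: it re-implements those three wildcards following the kernel's matching rules, parses a trimmed copy of the page's two policy files, and answers "may this uid execute this path?" for a few constructed pathnames.

```python
r"""Added example (not from the original article): a Python re-implementation of
the three TOMOYO 2.5 pathname wildcards used by the policies on this page:
"\*" (zero or more characters other than '/'), "\{\*\}/" (one or more directory
components) and "\-" (subtraction: "A\-B" matches A but not B).  Other TOMOYO
wildcards ("\?", "\$", "\@", ...) raise ValueError.  Policy text is trimmed from the page."""

def _match_simple(name, pattern):
    # Match one path component against literal characters and "\*" only.
    if pattern == "":
        return name == ""
    if pattern.startswith(r"\*"):
        # "\*" may swallow any prefix of what is left of the component
        return any(_match_simple(name[k:], pattern[2:]) for k in range(len(name) + 1))
    if pattern[0] == "\\":
        raise ValueError(f"unsupported wildcard {pattern[:2]!r}")
    return name[:1] == pattern[0] and _match_simple(name[1:], pattern[1:])

def _match_component(name, pattern):
    # "\-": the component must match the first sub-pattern and none of the others.
    first, *excluded = pattern.split(r"\-")
    return _match_simple(name, first) and not any(_match_simple(name, e) for e in excluded)

def _match_parts(f, p):
    while f and p:
        comp = p[0]
        if comp.startswith(r"\{") and comp.endswith(r"\}"):
            inner = comp[2:-2]
            # "\{inner\}/" consumes one or more components matching inner; the rest of
            # the pattern must then match what follows them.
            for i, name in enumerate(f):
                if not _match_component(name, inner):
                    return False
                if i + 1 == len(f):
                    return False  # nothing left for the pattern's final component
                if _match_parts(f[i + 1:], p[1:]):
                    return True
            return False
        if not _match_component(f[0], comp):
            return False
        f, p = f[1:], p[1:]
    return not f and not p

def path_matches(path, pattern):
    """True if the absolute pathname matches the TOMOYO pattern."""
    if path.endswith("/") != pattern.endswith("/"):
        return False  # a directory never matches a non-directory pattern
    return _match_parts(path.split("/"), pattern.split("/"))

def parse_path_groups(exception_policy):
    """'path_group NAME PATTERN' lines -> {NAME: [PATTERN, ...]}."""
    groups = {}
    for line in exception_policy.splitlines():
        words = line.split()
        if len(words) == 3 and words[0] == "path_group":
            groups.setdefault(words[1], []).append(words[2])
    return groups

def parse_exec_rules(domain_policy, domain="<kernel>"):
    """(target, root_only) for each 'file execute' line of the given domain."""
    rules, current = [], None
    for line in domain_policy.splitlines():
        words = line.split()
        if words and words[0] == "<kernel>":
            current = line.strip()
        elif current == domain and words[:2] == ["file", "execute"]:
            rules.append((words[2], "task.uid=0" in words[3:]))
    return rules

def exec_allowed(path, uid, rules, groups):
    """Would these execute rules let a process running as uid execute path?"""
    for target, root_only in rules:
        if root_only and uid != 0:
            continue
        patterns = groups.get(target[1:], []) if target.startswith("@") else [target]
        if any(path_matches(path, pat) for pat in patterns):
            return True
    return False

EXCEPTION_POLICY = r"""
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
"""
DOMAIN_POLICY = r"""
<kernel>
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori
<kernel> /usr/bin/midori
"""

if __name__ == "__main__":
    groups, rules = parse_path_groups(EXCEPTION_POLICY), parse_exec_rules(DOMAIN_POLICY)
    for uid, path in [(1000, "/usr/bin/ls"), (1000, "/usr/bin/midori"),
                      (1000, "/tmp/build/a.out"), (0, "/tmp/build/a.out")]:
        print(uid, path, "allow" if exec_allowed(path, uid, rules, groups) else "deny")
```

Dropping the explicit file execute /usr/bin/midori rule makes midori unexecutable for every uid, because the \-midori subtraction keeps it out of ALLOW_EXEC; that is the interaction note 1 is about.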



Tomoyo , .

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .
 
.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0


1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0


tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

tomoyo.sourceforge.jp/2.5/chapter-9.html.en
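The four points above all come down to how the <kernel> domain's execute rules resolve against the ALLOW_EXEC / ALLOW_EXEC_ROOT groups and the task.uid=0 condition. The following is an added example, not code from the article or from the TOMOYO project: it models a subset of TOMOYO's path expressions (\*, \{\*\} and \-exclusions) and replays the article's rules over a constructed, abridged copy of the path groups, so you can see why /usr/bin/medit needs its explicit rule, and why executing from /home or /tmp is root-only. The matcher is this example's own simplification, not TOMOYO's implementation.

```python
"""Replay the <kernel> domain's 'file execute' decisions from the article's
policy.  Added example; the matcher is a simplified model of TOMOYO's
path expressions, not TOMOYO's own code."""
import re

# Constructed, abridged copy of the article's exception_policy.conf: only the
# path_group lines needed for the checks below (the real file lists more).
EXCEPTION_POLICY = r"""
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
"""

# The execute rules of the <kernel> domain, as in the article's domain_policy.conf.
KERNEL_DOMAIN_RULES = r"""
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori
"""


def pattern_to_regex(pattern):
    """Translate one TOMOYO path pattern into a compiled regex (model only):
    \* = any run of non-'/' characters, \{\*\} = one or more nested directory
    names, \-name = this path element must not be exactly 'name'."""
    parts = []
    for comp in pattern.split("/"):
        if comp == r"\{\*\}":
            parts.append(r"[^/]+(?:/[^/]+)*")
            continue
        base, *excluded = comp.split(r"\-")
        regex = "".join(r"[^/]*" if tok == r"\*" else re.escape(tok)
                        for tok in re.split(r"(\\\*)", base) if tok)
        if excluded:
            alts = "|".join(re.escape(e) for e in excluded)
            regex = rf"(?!(?:{alts})(?:/|$)){regex}"
        parts.append(regex)
    return re.compile("^" + "/".join(parts) + "$")


def matches(pattern, path):
    return pattern_to_regex(pattern).match(path) is not None


def load_groups(text):
    """Collect path_group entries: name -> list of compiled patterns."""
    groups = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens and tokens[0] == "path_group":
            groups.setdefault(tokens[1], []).append(pattern_to_regex(tokens[2]))
    return groups


def load_exec_rules(text):
    """Collect 'file execute TARGET [task.uid=N]' rules as (target, uid)."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:2] != ["file", "execute"]:
            continue
        uid = None
        for cond in tokens[3:]:
            if not cond.startswith("task.uid="):
                raise ValueError("unsupported condition: " + cond)
            uid = int(cond.split("=", 1)[1])  # only task.uid=N is modelled
        rules.append((tokens[2], uid))
    return rules


GROUPS = load_groups(EXCEPTION_POLICY)
RULES = load_exec_rules(KERNEL_DOMAIN_RULES)


def exec_allowed(path, uid, groups=GROUPS, rules=RULES):
    """True if some <kernel> rule permits executing PATH as UID.  A rule
    carrying task.uid=0 is skipped for any other uid, which is what keeps the
    ALLOW_EXEC_ROOT locations (/home, /tmp, /lib, ...) root-only."""
    for target, required_uid in rules:
        if required_uid is not None and uid != required_uid:
            continue
        if target.startswith("@"):
            pats = groups.get(target[1:], [])
        else:
            pats = [pattern_to_regex(target)]
        if any(p.match(path) for p in pats):
            return True
    return False


if __name__ == "__main__":
    for path, uid in [("/bin/ls", 1000), ("/usr/bin/medit", 1000),
                      ("/usr/local/bin/tool", 1000), ("/home/home/script", 1000),
                      ("/home/home/script", 0), ("/tmp/build", 1000)]:
        verdict = "allow" if exec_allowed(path, uid) else "deny"
        print(f"uid={uid:<5} exec {path:<22} -> {verdict}")
```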



Tomoyo , .

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .
 
.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .
 
.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf

<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf

4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf

path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf

<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en
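The profile 4 setup above (path groups in the exception policy, `file execute` rules in the `<kernel>` domain) can be checked offline before it is enforced. What follows is an added example, my own Python rather than tomoyo-tools or the page's code: it implements the three TOMOYO pattern rules that policy depends on (`\*`, `/\{\*\}/`, `\-`) as documented for TOMOYO 2.5 and evaluates sample exec requests against a subset of the page's ALLOW_EXEC and ALLOW_EXEC_ROOT groups.

```python
r"""Evaluate "file execute" requests against the exec whitelist above.
Added example (my own code, not tomoyo-tools) implementing only the pattern
syntax that policy uses, following TOMOYO's documented matching rules:
  \*        zero or more characters other than '/'
  /\{\*\}/  one or more directory components, so /usr/\{\*\}/\* does NOT match
            /usr/foo (which is why the page's policy lists /usr/\* as well)
  \-        subtraction: \*\-medit\-midori matches any name except those two
Paths are compared one component at a time, as the kernel does.
"""
import re

# Subset of the page's path groups, enough for the requests checked below.
EXCEPTION_POLICY = r"""
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
"""

# The <kernel> domain of the page's domain policy (profile 4 enforces execute).
DOMAIN_POLICY = r"""
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori
"""


def _plain_match(name, pat):
    """Match one path component against a pattern of literals and '\\*' only."""
    regex, i = "", 0
    while i < len(pat):
        if pat[i] == "\\" and i + 1 < len(pat):
            if pat[i + 1] != "*":
                raise ValueError("unsupported wildcard \\" + pat[i + 1])
            regex += "[^/]*"
            i += 2
        else:
            regex += re.escape(pat[i])
            i += 1
    return re.fullmatch(regex, name) is not None


def component_matches(name, pat):
    """Honour '\\-': the first alternative must match, every later one must not."""
    first, *excluded = pat.split(r"\-")
    return _plain_match(name, first) and not any(_plain_match(name, e) for e in excluded)


def _match_components(f, p):
    if not p:
        return not f
    head, rest = p[0], p[1:]
    if head.startswith(r"\{") and head.endswith(r"\}"):
        inner = head[2:-2]
        # Consume one or more components matching `inner`, retrying the rest after each.
        for n in range(1, len(f) + 1):
            if not component_matches(f[n - 1], inner):
                return False
            if _match_components(f[n:], rest):
                return True
        return False
    return bool(f) and component_matches(f[0], head) and _match_components(f[1:], rest)


def path_matches(path, pattern):
    """True if absolute `path` matches the TOMOYO `pattern`."""
    return _match_components(path.split("/")[1:], pattern.split("/")[1:])


def parse_path_groups(text):
    groups = {}
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) == 3 and parts[0] == "path_group":
            groups.setdefault(parts[1], []).append(parts[2])
    return groups


def parse_exec_rules(text):
    """(target, root_only) per 'file execute' line; root_only means task.uid=0."""
    rules = []
    for parts in (line.split() for line in text.splitlines()):
        if parts[:2] == ["file", "execute"]:
            rules.append((parts[2], "task.uid=0" in parts[3:]))
    return rules


GROUPS = parse_path_groups(EXCEPTION_POLICY)
EXEC_RULES = parse_exec_rules(DOMAIN_POLICY)


def exec_allowed(path, uid, groups=GROUPS, rules=EXEC_RULES):
    """Could a process with `uid` in the <kernel> domain execute `path`?"""
    for target, root_only in rules:
        if root_only and uid != 0:
            continue  # the task.uid=0 condition fails for non-root callers
        patterns = groups.get(target[1:], []) if target.startswith("@") else [target]
        if any(path_matches(path, pat) for pat in patterns):
            return True
    return False
```

Calling `exec_allowed("/home/home/evil.sh", 1000)` returns False while the same path with uid 0 returns True, which is the task.uid=0 split the policy is built around; `/usr/bin/midori` is denied by the `\-midori` subtraction in ALLOW_EXEC and allowed only by its explicit rule.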



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .
 
.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf
<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53


Save the exception policy as well:

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

Paths that repeat across several rules can be collected into a path_group. The group is defined in the exception policy:

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

and in domain_policy.conf the group is referenced by name with a leading @ in place of the individual paths:

file read/write/append/unlink/truncate @Midoi_Allow

After editing the files by hand, check their syntax before loading them into Tomoyo:

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf


The tomoyo-auditd daemon writes the audit log (granted and rejected requests) under /var/log/tomoyo; that is where to look when something is being denied.


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo for the whole system.

The goal is a system-wide restriction on program execution: files under /home and /tmp (and the other directories of the ALLOW_EXEC_ROOT group below) may be executed only by root, while the other access categories are left unchecked.

First, a profile that enforces only file::execute:

/etc/tomoyo/profile.conf
4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

Next, the exception policy: two path groups (ALLOW_EXEC for everyone, ALLOW_EXEC_ROOT for root only) plus the domain transition rules:

/etc/tomoyo/exception_policy.conf
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any


And the domain policy:

/etc/tomoyo/domain_policy.conf
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0

A few notes on this policy.

1.
Why are medit and midori subtracted from the ALLOW_EXEC group (the \-medit\-midori part of the pattern) and then allowed again with explicit file execute /usr/bin/medit and file execute /usr/bin/midori rules?

This is how the two programs are handled in this policy: they are not part of the group but have explicit rules of their own, and initialize_domain /usr/bin/midori from any then gives midori a separate domain (medit has no such rule).

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

The task.uid=0 condition limits this rule to processes running with uid 0, i.e. root; for everyone else the ALLOW_EXEC_ROOT directories are not executable.

More on this:
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
keeps every program started from the <kernel> domain in that same domain, so no new domains are created for them.

initialize_domain /usr/bin/midori from any
is the exception: midori gets its own domain. This rule takes priority over keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
puts only the execute check into enforcing mode; every domain with use_profile 4 gets this behaviour, and the other categories stay at mode=disabled from the 4-CONFIG line.

Profiles are described here:
tomoyo.sourceforge.jp/2.5/chapter-9.html.en
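To see what this policy actually decides, here is an added example (my code, not tomoyo-tools and not from the original article): a Python dry-run of the <kernel> domain's file execute rules with a simplified reimplementation of Tomoyo's path patterns, limited to the \*, \{\*\}/ and \- operators used above. The policy text is embedded inline and abridged from the files shown; the function names are my own, and the same check answers the dynamic-loader case, since /lib belongs to ALLOW_EXEC_ROOT.

```python
# Added example (not tomoyo-tools code): dry-run of the whole-system
# execute policy with a simplified TOMOYO path-pattern matcher.  Only
# \* (any run of non-slash characters), \{\*\}/ (one or more directory
# components) and \- (subtract the pattern that follows) are implemented.
import re

# Constructed inline, abridged from the page's exception_policy.conf.
EXCEPTION_POLICY = r"""
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
"""

# Constructed inline from the page's domain_policy.conf (<kernel> domain).
DOMAIN_POLICY = r"""
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori
"""

def parse_path_groups(text):
    # {group name: [pattern, ...]} from "path_group NAME PATTERN" lines
    groups = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "path_group":
            groups.setdefault(parts[1], []).append(parts[2])
    return groups

def parse_execute_rules(text, domain="<kernel>"):
    # [(target, uid or None)] for the "file execute" lines of one domain;
    # only the task.uid=N condition is understood
    rules, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("<kernel>"):
            current = line
        elif current == domain and line.startswith("file execute "):
            parts = line.split()
            uid = None
            for cond in parts[3:]:
                if cond.startswith("task.uid="):
                    uid = int(cond.split("=", 1)[1])
            rules.append((parts[2], uid))
    return rules

def _segment_regex(seg):
    # one component pattern (no \-) as an anchored regex; \* -> [^/]*
    out, i = [], 0
    while i < len(seg):
        if seg[i] == "\\" and i + 1 < len(seg):
            out.append("[^/]*" if seg[i + 1] == "*" else re.escape(seg[i + 1]))
            i += 2
        else:
            out.append(re.escape(seg[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def match_component(name, pattern):
    # \- semantics: the first segment must match, the later ones must not
    first, *excluded = pattern.split(r"\-")
    if not _segment_regex(first).match(name):
        return False
    return not any(_segment_regex(x).match(name) for x in excluded)

def match_path(path_parts, pat_parts):
    # component-by-component walk; \{...\} swallows one or more components
    if not pat_parts:
        return not path_parts
    pat = pat_parts[0]
    if pat.startswith(r"\{") and pat.endswith(r"\}"):
        if not path_parts or not match_component(path_parts[0], pat[2:-2]):
            return False
        rest = path_parts[1:]
        return match_path(rest, pat_parts[1:]) or match_path(rest, pat_parts)
    if not path_parts or not match_component(path_parts[0], pat):
        return False
    return match_path(path_parts[1:], pat_parts[1:])

def pattern_matches(path, pattern):
    return match_path(path.split("/")[1:], pattern.split("/")[1:])

def can_execute(path, uid, groups, rules):
    # the <kernel> domain's decision: a rule grants the request when its
    # uid condition (if any) holds and its target matches the path
    for target, cond_uid in rules:
        if cond_uid is not None and uid != cond_uid:
            continue
        patterns = groups.get(target[1:], []) if target[0] == "@" else [target]
        if any(pattern_matches(path, p) for p in patterns):
            return True
    return False
```

Running can_execute for a user uid and for uid 0 on the same path shows the effect of task.uid=0: /usr/bin/ls is allowed for both, a file under /home or /tmp only for root, and /usr/bin/midori is reached through its explicit rule, not the group.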




P.S. Another MAC from the author of Tomoyo: caitsith.sourceforge.jp

Update!

There is a gap in the execute restriction: a program can be started through the dynamic loader ld-linux.so.2, and then the loader, not the program, is the file that Tomoyo sees being executed. The fix is to give the loader its own domain in enforcing mode, with nothing permitted in it.

In domain_policy.conf and exception_policy.conf respectively:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
With profile 3 (enforcing) and no rules in that domain, anything started through the loader is denied.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .
 
.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf
4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en
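As an added example (not code from the original article or from the TOMOYO project), the Python script below parses policy text in the form shown above (the midori path_group rules and the system-wide execute-only policy) and answers whether a given domain would be allowed to perform an operation on a path. The function names parse_path_groups, parse_domain_policy, tomoyo_match and file_access_allowed are chosen here; the two policy strings are constructed from the rules on this page (the page's /usr/\{\*\}/\*\-medit\-midori entry is simplified because the \- subtraction operator is not implemented); and the matcher is a simplified re-implementation that assumes \* matches any run of non-'/' characters and \{\*\}/ matches one or more directory levels, which is why the page needs both /home/home/.config/midori/\* and /home/home/.config/midori/\{\*\}/\*. Only the task.uid=N condition is honoured; other conditions are ignored.

```python
# Simplified offline checker for TOMOYO 2.x style policy text (study code, not the
# kernel's matcher). Supports '\*', the recursive '\{\*\}/' element (one or more
# directory levels), '@path_group' references and 'task.uid=N' conditions.
# Assumed semantics: '\*' = any run of non-'/' chars; '\{\*\}/' = 1+ dir levels.

def parse_path_groups(text):
    """Collect 'path_group NAME PATTERN' lines from an exception policy."""
    groups = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "path_group":
            groups.setdefault(parts[1], []).append(parts[2])
    return groups

def parse_domain_policy(text):
    """Split a domain policy into {domain: {'use_profile': N, 'acl': [lines]}}."""
    domains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("<kernel>"):           # domain header line
            current = line
            domains[current] = {"use_profile": None, "acl": []}
        elif current is None:
            raise ValueError("ACL line before any domain header: " + line)
        elif line.startswith("use_profile "):
            domains[current]["use_profile"] = int(line.split()[1])
        elif not line.startswith("use_group "):
            domains[current]["acl"].append(line)
    return domains

def _match_component(pat, comp):
    """Match one path component against a pattern that may contain '\\*'."""
    parts = pat.split(r"\*")
    if len(parts) == 1:
        return pat == comp
    if not (comp.startswith(parts[0]) and comp.endswith(parts[-1])):
        return False
    pos, end = len(parts[0]), len(comp) - len(parts[-1])
    for mid in parts[1:-1]:                       # literal text between wildcards
        i = comp.find(mid, pos, end)
        if i < 0:
            return False
        pos = i + len(mid)
    return pos <= end

def _match_parts(pats, comps):
    if not pats:
        return not comps
    p = pats[0]
    if p.startswith(r"\{") and p.endswith(r"\}"):
        # Recursive element: consume at least one directory level, then either
        # keep consuming or hand over to the next pattern element.
        if not comps or not _match_component(p[2:-2], comps[0]):
            return False
        return _match_parts(pats, comps[1:]) or _match_parts(pats[1:], comps[1:])
    return bool(comps) and _match_component(p, comps[0]) and _match_parts(pats[1:], comps[1:])

def tomoyo_match(pattern, path):
    """True if the absolute file `path` matches the TOMOYO pathname `pattern`."""
    return _match_parts(pattern.split("/")[1:], path.split("/")[1:])

def file_access_allowed(domains, groups, domain, perm, path, uid=1000):
    """True if a 'file' ACL of `domain` grants `perm` on `path` for a task with `uid`."""
    for acl in domains[domain]["acl"]:
        parts = acl.split()
        if len(parts) < 3 or parts[0] != "file" or perm not in parts[1].split("/"):
            continue
        if any(t.startswith("task.uid=") and int(t[9:]) != uid for t in parts[3:]):
            continue                              # condition present and not met
        target = parts[2]                         # first operand only (rename has two)
        patterns = groups.get(target[1:], []) if target.startswith("@") else [target]
        if any(tomoyo_match(pat, path) for pat in patterns):
            return True
    return False

# Constructed sample drawn from the rules on this page (simplified, see lead-in).
EXCEPTION_POLICY = r"""
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
initialize_domain /usr/bin/midori from any
"""
DOMAIN_POLICY = r"""
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0

<kernel> /usr/bin/midori
use_profile 3
file read/write/append/unlink/truncate @Midoi_Allow
file read /etc/fonts/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
"""
GROUPS = parse_path_groups(EXCEPTION_POLICY)
DOMAINS = parse_domain_policy(DOMAIN_POLICY)
MIDORI = "<kernel> /usr/bin/midori"
```

A check like file_access_allowed(DOMAINS, GROUPS, MIDORI, "write", "/home/home/.bashrc") returning False, while the same call for /home/home/.config/midori/config returns True, is the kind of question to settle before replacing learned rules with a path_group and switching the profile to enforcing; the script complements tomoyo-checkpolicy, which only validates syntax.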



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .
 
.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> -
<kernel> /sbin/init -
<kernel> /sbin/init /etc/rc.d/rc -
<kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exception Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf
<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.
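The learned midori policy above is tightened by hand: the blanket write rules under /home/home are replaced by a path_group that covers only the browser's own config directory. As an added example (not code from the article or from tomoyo-tools), the following Python script does the review step mechanically. It parses a domain_policy.conf dump of the one-rule-per-line shape that tomoyo-savepolicy -d prints and flags the entries a least-privilege review would question: file rules that grant write-type operations outside the directory the program is expected to modify, inet rules that allow any IPv4 address, and domains whose profile is not enforcing. The policy sample inside it is constructed and cut down from the dump above; the second domain name, the midori config prefix passed to the review, and the set of operations counted as "write" are assumptions made for this example.

```python
"""Review a TOMOYO 2.5 domain policy dump for grants broader than a program needs.

Added example for this page; not part of the original article or of tomoyo-tools.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample: a cut-down learned midori policy in the format of
# /etc/tomoyo/domain_policy.conf.  The second domain is an assumption.
SAMPLE_DOMAIN_POLICY = """\
<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env HOME
misc env PATH
file read /etc/ssl/certs/ca-certificates.crt
file read /etc/resolv.conf
file read/write/append/unlink/truncate /home/home/\\{\\*\\}/\\*
file read/write/append/unlink/truncate /home/home/\\*
file create/chmod /home/home/\\* 0-0666
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53

<kernel> /usr/bin/midori /usr/bin/medit
use_profile 1
use_group 0
file read/write @Midoi_Allow
"""

# Operations in a "file <ops> <path>" rule that let the domain modify the
# file system (assumed set for this review).
WRITE_OPS = frozenset({"write", "append", "create", "unlink", "truncate", "rename", "chmod"})


@dataclass
class Domain:
    name: str                        # e.g. "<kernel> /usr/bin/midori"
    profile: int | None = None       # from "use_profile N"
    group: int | None = None         # from "use_group N"
    rules: list[str] = field(default_factory=list)


def parse_domain_policy(text: str) -> list[Domain]:
    """Split a domain policy dump into one Domain per '<kernel> ...' header line."""
    domains: list[Domain] = []
    current: Domain | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("<kernel>"):
            current = Domain(name=line)
            domains.append(current)
        elif current is None:
            raise ValueError(f"rule before any domain header: {line!r}")
        elif line.startswith("use_profile "):
            current.profile = int(line.split()[1])
        elif line.startswith("use_group "):
            current.group = int(line.split()[1])
        else:
            current.rules.append(line)
    return domains


def review_domain(domain: Domain, allowed_write_prefixes: list[str],
                  enforcing_profiles: frozenset[int] = frozenset({3})) -> list[tuple[str, str]]:
    """Return (finding, offending line) pairs a least-privilege review should question.

    allowed_write_prefixes: path prefixes where writes are expected (for a
    browser, its own config directory).  Writes through a @path_group are
    not flagged here, since the group itself is reviewed in exception_policy.conf.
    """
    findings: list[tuple[str, str]] = []
    if domain.profile not in enforcing_profiles:
        findings.append(("domain is not in an enforcing profile", f"use_profile {domain.profile}"))
    for rule in domain.rules:
        parts = rule.split()
        if parts[0] == "file":
            ops = set(parts[1].split("/"))          # e.g. read/write/append -> {read, write, append}
            target = parts[2]                        # first path operand (also for rename)
            if (ops & WRITE_OPS
                    and not target.startswith("@")
                    and not any(target.startswith(p) for p in allowed_write_prefixes)):
                findings.append(("write access outside the expected directories", rule))
        elif parts[0] == "network" and parts[1] == "inet":
            # Layout: network inet <stream|dgram|raw> <op> <address> <port>
            if parts[4] == "0.0.0.0-255.255.255.255":
                findings.append(("allowed to any IPv4 address", rule))
    return findings


if __name__ == "__main__":
    for d in parse_domain_policy(SAMPLE_DOMAIN_POLICY):
        print(d.name)
        for what, line in review_domain(d, ["/home/home/.config/midori/"]):
            print(f"  {what}: {line}")
```

Run against the full dump above, the same three write rules, both create/chmod rules, the three rename rules and the 0.0.0.0-255.255.255.255 connect rule come out as findings; everything the article then folds into @Midoi_Allow passes once the rules reference the group.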

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .
 
.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf

<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf

4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf

path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf

<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en
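As an added example (not part of the original article and not a TOMOYO project tool), here is a small Python linter for policy text in the syntax shown above: it parses domain_policy.conf and exception_policy.conf, resolves @path_group references, and reports the kinds of entries this article tightens by hand in both the midori domain and the execute-only system profile: write rules covering a whole home directory, execute rules under user-writable trees without a task.uid=0 condition, references to undefined groups, and connect rules to any host. The embedded policies are constructed, trimmed stand-ins for the midori and <kernel> domains above; the group Midori_Cache and the entry /home/home/bin/helper are invented to trigger findings.

```python
# Constructed exception policy: the article's Midoi_Allow group plus a cut-down
# ALLOW_EXEC / ALLOW_EXEC_ROOT pair (a hand-written stand-in, not a system dump).
EXCEPTION_POLICY = r"""
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
initialize_domain /usr/bin/midori from any
"""

# Constructed domain policy: "@Midori_Cache" (never defined) and "/home/home/bin/helper"
# are invented to trigger findings; the other entries mirror ones from the article.
DOMAIN_POLICY = r"""
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0
file read /etc/ssl/certs/ca-certificates.crt
file read/write/append/unlink/truncate /home/home/\*
file read/write/append/unlink/truncate @Midoi_Allow
file read/write @Midori_Cache
file execute /home/home/bin/helper
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53
"""

# Permissions that let a process modify the filesystem.
WRITE_PERMS = {"write", "append", "create", "unlink", "truncate", "rename", "chmod"}
# Trees the article lets only root execute from (its ALLOW_EXEC_ROOT set).
USER_WRITABLE = ("/home/", "/tmp/", "/var/", "/mnt/", "/media/")

def parse_path_groups(text):
    """Map path_group name -> list of patterns, from exception policy text."""
    groups = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "path_group":
            groups.setdefault(parts[1], []).append(parts[2])
    return groups

def parse_domain_policy(text):
    """Map domain name -> {"profile": int or None, "acl": [entry, ...]}."""
    domains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("<kernel>"):  # a domain header opens a new block
            current = domains.setdefault(line, {"profile": None, "acl": []})
        elif line.startswith("use_profile "):
            current["profile"] = int(line.split()[1])
        elif line and not line.startswith("use_group "):
            current["acl"].append(line)
    return domains

def literal_depth(pattern):
    """Count path components with no TOMOYO wildcard (\\*, \\{\\*\\}, \\?, ...)."""
    return sum(1 for c in pattern.split("/") if c and "\\" not in c)

def classify(perms, path, root_only):
    """Finding code for one (permission set, path pattern) pair, or None."""
    if "execute" in perms and not root_only and path.startswith(USER_WRITABLE):
        return "exec-from-writable"  # any uid may run code from a writable tree
    if perms & WRITE_PERMS and literal_depth(path) < 3:
        return "broad-write"  # write access to (nearly) a whole tree
    return None

def lint(domain_text, exception_text):
    """Return [(domain, code, entry), ...] for entries worth a second look."""
    groups = parse_path_groups(exception_text)
    findings = []
    for name, dom in parse_domain_policy(domain_text).items():
        for entry in dom["acl"]:
            tok = entry.split()
            if tok[0] == "file":
                perms, target = set(tok[1].split("/")), tok[2]
                # "@NAME" refers to a path_group from the exception policy
                paths = groups.get(target[1:]) if target.startswith("@") else [target]
                if paths is None:
                    findings.append((name, "undefined-group", entry))
                    continue
                root_only = any(t.startswith("task.uid=0") for t in tok[3:])
                code = next((c for c in (classify(perms, p, root_only) for p in paths) if c), None)
                if code:
                    findings.append((name, code, entry))
            elif tok[0] == "network" and tok[1] == "inet" and "0.0.0.0-255.255.255.255" in tok:
                findings.append((name, "any-host", entry))
    return findings

if __name__ == "__main__":
    for domain, code, entry in lint(DOMAIN_POLICY, EXCEPTION_POLICY):
        print("%-24s %-19s %s" % (domain, code, entry))
```

To run it against a live system, feed it the output of tomoyo-savepolicy -d and tomoyo-savepolicy -e instead of the embedded samples.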



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .
 
.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf
4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .
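
Both the Midoi_Allow path_group above and the \*\-medit\-midori exclusion in ALLOW_EXEC depend on how TOMOYO matches pathname patterns, and the difference between \* (one component) and \{\*\}/\* (one or more nested components) decides which files a group really covers. The following is an added example, not code from the article or from the TOMOYO project: a toy Python re-implementation of that matching for the wildcards used on this page (following the kernel's security/tomoyo/util.c), applied to the article's own path_group lines and @Midoi_Allow rule; the function names and the /home/alice request paths are my own constructions.

```python
r"""Toy re-implementation of TOMOYO 2.x pathname matching and path_group lookup.

Added example, not code from the article or the TOMOYO project. It follows the
rules of the kernel's security/tomoyo/util.c for the wildcards used here:
\*, \$, the \- subtraction operator and the recursive \{\*\}/ pattern.
The path_group lines and the @Midoi_Allow rule are the article's own; the
request paths are constructed test inputs.
"""

# Exception-policy fragment copied from the article (Midoi_Allow plus the
# ALLOW_EXEC entry that carries the \-medit\-midori exclusion).
EXCEPTION_POLICY = r"""
path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
"""
MIDORI_RULE = "file read/write/append/unlink/truncate @Midoi_Allow"  # article's rule


def _match_plain(name: str, pat: str) -> bool:
    r"""Match one path component (no '/') against a pattern with no \- in it."""
    if not pat:
        return name == ""
    if pat[0] != "\\":                       # literal character
        return bool(name) and name[0] == pat[0] and _match_plain(name[1:], pat[1:])
    kind, rest = pat[1:2], pat[2:]
    if kind == "*":                          # zero or more non-'/' characters
        return any(_match_plain(name[i:], rest) for i in range(len(name) + 1))
    if kind == "$":                          # one or more decimal digits
        digits = len(name) - len(name.lstrip("0123456789"))
        return any(_match_plain(name[i:], rest) for i in range(1, digits + 1))
    raise ValueError(f"wildcard \\{kind} is not supported by this toy matcher")


def _match_component(name: str, pat: str) -> bool:
    r"""'A\-B\-C' means: must match A and must match neither B nor C."""
    first, *excluded = pat.split("\\-")
    return _match_plain(name, first) and not any(_match_plain(name, p) for p in excluded)


def _match_parts(fparts: list, pparts: list) -> bool:
    """Match '/'-split path components against '/'-split pattern components."""
    fi = 0
    for pi, pc in enumerate(pparts):
        if pc.startswith("\\{") and pc.endswith("\\}"):
            # Recursive wildcard: ONE OR MORE consecutive components must match the
            # inner pattern; the rest of the pattern is tried after each of them.
            # Hence /home/home/\{\*\}/\* does not cover /home/home/file.
            inner, rest = pc[2:-2], pparts[pi + 1:]
            while fi < len(fparts) and _match_component(fparts[fi], inner):
                fi += 1
                if _match_parts(fparts[fi:], rest):
                    return True
            return False
        if fi >= len(fparts) or not _match_component(fparts[fi], pc):
            return False
        fi += 1
    return fi == len(fparts)


def path_matches(path: str, pattern: str) -> bool:
    """True if an absolute pathname matches a TOMOYO pathname pattern."""
    if path.endswith("/") != pattern.endswith("/"):   # directory vs. file: never a match
        return False
    return _match_parts(path.split("/"), pattern.split("/"))


def parse_path_groups(text: str) -> dict:
    """Collect 'path_group NAME PATTERN' lines into {NAME: [PATTERN, ...]}."""
    groups: dict = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[0] == "path_group":
            groups.setdefault(fields[1], []).append(fields[2])
    return groups


def in_group(groups: dict, name: str, path: str) -> bool:
    return any(path_matches(path, p) for p in groups.get(name, []))


def rule_allows(rule: str, op: str, path: str, groups: dict) -> bool:
    """Evaluate one 'file OP1/OP2/... TARGET' domain-policy line for a request."""
    keyword, ops, target = rule.split()[:3]
    if keyword != "file" or op not in ops.split("/"):
        return False
    if target.startswith("@"):               # @NAME refers to a path_group
        return in_group(groups, target[1:], path)
    return path_matches(path, target)


if __name__ == "__main__":
    g = parse_path_groups(EXCEPTION_POLICY)
    for p in ("/home/home/.config/midori/config", "/home/alice/.config/midori/config",
              "/home/alice/.config/midori/extensions/adblock/config"):
        print(p, "unlink allowed:", rule_allows(MIDORI_RULE, "unlink", p, g))
    for p in ("/usr/bin/ls", "/usr/bin/midori", "/usr/lib/midori/libadblock.so"):
        print(p, "in @ALLOW_EXEC:", in_group(g, "ALLOW_EXEC", p))
```

Run it to see that the group as written covers a second user's nested midori files but not that user's top-level config file, which is exactly the \* versus \{\*\}/\* distinction the article's duplicated entries work around.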

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .
 
.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel>
<kernel> /sbin/init
<kernel> /sbin/init /etc/rc.d/rc
<kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exception Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en
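The wildcard rules linked above decide what a `file read` line with `\*` or `\{\*\}/` actually covers, and the same rules give the `\-` subtraction in the system-wide `ALLOW_EXEC` group earlier on this page its meaning. The following Python is an added example, not code from the article or from the TOMOYO project: it reimplements the matching rules of the TOMOYO 2.5 pathname syntax for the wildcards used on this page and then evaluates the page's own `<kernel>` execute rules against sample paths. The policy text embedded in it is a subset of the page's exception and domain policy; the simplifications (no `\x`/`\X`/`\a`/`\A`, no `\\` or `\ooo` byte encodings, `task.uid=` as the only evaluated condition) are mine.

```python
r"""TOMOYO 2.5 pathname-pattern matching, reimplemented in Python (added
example; not the article's code and not part of the TOMOYO project).
Covers the wildcards used on this page: \* \? \@ \$ \+ (\x \X \a \A are
omitted), the recursive \{pattern\}/ element and the subtraction \- .
Simplification: pathnames are plain strings; TOMOYO's \\ and \ooo
encodings of special bytes are not handled."""


def _match_chars(name, pat):
    r"""Match one path component against one pattern piece (no \- inside)."""
    if not pat:
        return name == ""
    if pat[0] != "\\":                                 # literal character
        return bool(name) and name[0] == pat[0] and _match_chars(name[1:], pat[1:])
    op, rest = pat[1:2], pat[2:]
    if op in ("?", "+"):                               # exactly one char / one digit
        ok = bool(name) and (op == "?" or name[0].isdigit())
        return ok and _match_chars(name[1:], rest)
    if op in ("*", "@"):                               # zero or more characters;
        for i in range(len(name) + 1):                 # \@ may not cross a dot
            if _match_chars(name[i:], rest):
                return True
            if op == "@" and i < len(name) and name[i] == ".":
                break
        return False
    if op == "$":                                      # one or more decimal digits
        j = 0
        while j < len(name) and name[j].isdigit():
            j += 1
        return any(_match_chars(name[i:], rest) for i in range(1, j + 1))
    return False                                       # unknown or dangling escape

def _match_segment(name, seg):
    r"""A segment may be A\-B\-C: match A and none of B, C (the \- operator)."""
    parts, start, i = [], 0, 0
    while i < len(seg) - 1:                            # an escape is always 2 chars
        if seg[i] == "\\" and seg[i + 1] == "-":
            parts.append(seg[start:i])
            start = i + 2
        i += 2 if seg[i] == "\\" else 1
    parts.append(seg[start:])
    return _match_chars(name, parts[0]) and not any(_match_chars(name, p) for p in parts[1:])

def _match_parts(fparts, pparts):
    while fparts and pparts:
        p = pparts[0]
        if p.startswith("\\{"):                        # \{X\}/ : one or more components
            if not p.endswith("\\}") or len(pparts) < 2:   # matching X, then a '/'
                return False                           # (otherwise a bad pattern)
            inner, rest, i = p[2:-2], pparts[1:], 0
            while i < len(fparts) and _match_segment(fparts[i], inner):
                i += 1
                if _match_parts(fparts[i:], rest):
                    return True
            return False
        if not _match_segment(fparts[0], p):
            return False
        fparts, pparts = fparts[1:], pparts[1:]
    return not fparts and not pparts

def path_matches(path, pattern):
    """True if `path` matches the TOMOYO pathname `pattern`."""
    if path.endswith("/") != pattern.endswith("/"):    # dirs only match dir patterns
        return False
    return _match_parts(path.split("/"), pattern.split("/"))

# Subset of this page's system-wide policy: exception groups and <kernel> rules.
EXCEPTION_POLICY = r"""
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
"""
KERNEL_DOMAIN = r"""
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori
"""

def exec_allowed(path, uid, rules=KERNEL_DOMAIN, exceptions=EXCEPTION_POLICY):
    """Would `file execute` of `path` by a task with this uid be granted?
    task.uid= is the only condition evaluated (the only one on this page)."""
    groups = {}                                        # path_group NAME PATTERN
    for line in exceptions.splitlines():
        f = line.split()
        if len(f) == 3 and f[0] == "path_group":
            groups.setdefault(f[1], []).append(f[2])
    for line in rules.splitlines():
        f = line.split()
        if f[:2] != ["file", "execute"]:
            continue
        target, conds = f[2], f[3:]
        if any(c.startswith("task.uid=") and int(c[9:]) != uid for c in conds):
            continue
        pats = groups.get(target[1:], []) if target.startswith("@") else [target]
        if any(path_matches(path, p) for p in pats):
            return True
    return False
```

Two consequences of the syntax are visible when the functions are run: `/bin/\{\*\}/\*` never matches `/bin/ls`, because the recursive element consumes at least one directory component, which is why the page lists `/bin/\*` alongside it; and `\*\-medit\-midori` removes exactly those two names from `ALLOW_EXEC`, so under this policy they are executable only through the explicit `file execute` lines.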


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .
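As an added example (not the article's own code and not part of tomoyo-tools), the Python below does on a dump what the pipeline above does: it parses `tomoyo-savepolicy -d` output into domains, selects one domain together with its child domains (domain names that begin with the selected name, which is what `-r` adds), and flags any selected domain that is still on profile 1 (learning) before the block is appended to `/etc/tomoyo/domain_policy.conf`, which is the check the page's "switch the profile from 1 to 3 first" step implies. The dump embedded in it is constructed from rules that appear on this page plus a made-up `xdg-open` child domain.

```python
"""Select one TOMOYO domain (and its children) from a domain-policy dump.

Added example; not the article's code and not part of tomoyo-tools. It
mirrors `tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<domain>'` and adds
a profile check before the result goes into the permanent policy file.
"""

# Constructed dump in tomoyo-savepolicy -d form: a header line starting with
# "<kernel>" names a domain; the lines up to the next header are its rules.
# The rules are taken from this page; the xdg-open child domain is made up.
SAMPLE_DUMP = """\
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0
file read /etc/xdg/midori/search
network inet stream connect 0.0.0.0-255.255.255.255 80-443

<kernel> /usr/bin/midori /usr/bin/xdg-open
use_profile 1
use_group 0

<kernel> /sbin/init
use_profile 1
use_group 0
"""


def parse_domains(dump):
    """Return [(domain_name, [rule, ...]), ...] in dump order."""
    domains = []
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("<kernel>"):
            domains.append((line, []))
        elif domains:                      # a rule belongs to the last header seen
            domains[-1][1].append(line)
    return domains


def select_domains(dump, name, recursive=False):
    """Keep the domain called `name`; with recursive=True also keep its
    children, i.e. domains whose name is `name` + " " + further executables."""
    return [(d, r) for d, r in parse_domains(dump)
            if d == name or (recursive and d.startswith(name + " "))]


def profile_of(rules):
    """The use_profile number of a domain, or None if it has no such line."""
    for r in rules:
        if r.startswith("use_profile "):
            return int(r.split()[1])
    return None


def learning_mode_domains(selected):
    """Selected domains still on profile 1 (learning): appending these to
    domain_policy.conf would make an unenforced domain permanent."""
    return [d for d, r in selected if profile_of(r) == 1]


def render(selected):
    """Serialise the selection back into domain_policy.conf form."""
    out = []
    for d, r in selected:
        out.extend([d, *r, ""])
    return "\n".join(out)


if __name__ == "__main__":
    sel = select_domains(SAMPLE_DUMP, "<kernel> /usr/bin/midori", recursive=True)
    print(render(sel))
    print("still in learning mode:", learning_mode_domains(sel))
```

Run stand-alone it prints the midori domain and its child, and names the child as still being in learning mode; that is the case in which appending the selection to the permanent policy should wait until the profile has been switched.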

midori

/etc/tomoyo/domain_policy.conf
<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf appends the selected domain to the policy file.

Resulting domain policy for midori (/etc/tomoyo/domain_policy.conf):

<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53
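A learned policy like the one above is only a starting point: learning mode records what midori happened to touch, and a few of the recorded rules are far broader than the browser needs (read/write over the whole of /home/home, and connects to 0.0.0.0-255.255.255.255 on ports 80-443, which in TOMOYO syntax is the range 80 through 443, not the pair of ports). The following linter is an added example written for this page, not part of tomoyo-tools; it parses the one-rule-per-line format that tomoyo-savepolicy -d prints and flags such grants. The sample policy embedded in it is a constructed excerpt of the midori domain plus an ld.so domain left on profile 1, and the /16 threshold for "any host" is an assumed value.

```python
"""Lint a TOMOYO 2.x domain_policy dump for overly broad grants.

Added example for this page; it is not part of tomoyo-tools.  The input is
the one-rule-per-line format that tomoyo-savepolicy -d prints.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Constructed excerpt of the learned midori domain shown on this page, plus an
# ld.so domain deliberately left on the learning profile to exercise that check.
SAMPLE_POLICY = r"""
<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env HOME
misc env PATH
file read /etc/ssl/certs/ca-certificates.crt
file read /dev/urandom
file read /usr/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 1
use_group 0
"""

# "file" operations that modify the filesystem.
WRITE_OPS = {"write", "append", "create", "unlink", "truncate", "rename",
             "chmod", "chown", "chgrp", "mkdir", "rmdir", "symlink", "link"}
RECURSIVE = r"\{\*\}/\*"                        # "everything below this directory"
HOME_TOP = re.compile(r"^/home/[^/\\]+/\\\*$")   # /home/<user>/\*
MAX_HOSTS = 2 ** 16   # assumed threshold: wider than a /16 is treated as "any host"


@dataclass
class Domain:
    name: str
    profile: int | None = None
    rules: list[str] = field(default_factory=list)


def parse_domain_policy(text: str) -> list[Domain]:
    """Split a dump into domains; a domain starts at a line beginning with <kernel>."""
    domains: list[Domain] = []
    current: Domain | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("<kernel>"):
            current = Domain(line)
            domains.append(current)
        elif current is None:
            raise ValueError(f"rule before any domain header: {line!r}")
        elif line.startswith("use_profile "):
            current.profile = int(line.split()[1])
        elif line.startswith("use_group "):
            continue
        else:
            current.rules.append(line)
    return domains


def _range_size(spec: str) -> int:
    """Number of addresses in an 'a.b.c.d' or 'a.b.c.d-e.f.g.h' address spec."""
    lo, _, hi = spec.partition("-")
    return int(ipaddress.ip_address(hi or lo)) - int(ipaddress.ip_address(lo)) + 1


def _port_span(spec: str) -> int:
    lo, _, hi = spec.partition("-")
    return int(hi or lo) - int(lo) + 1


def lint_domain(d: Domain) -> list[str]:
    findings: list[str] = []
    if d.profile in (1, 2):   # stock profile.conf numbering: 1 learning, 2 permissive
        findings.append(f"profile {d.profile} is learning/permissive under the stock "
                        "profile.conf, so nothing is enforced")
    for rule in d.rules:
        parts = rule.split()
        if parts[0] == "file":
            ops = set(parts[1].split("/"))
            if not ops & WRITE_OPS:
                continue
            for path in (p for p in parts[2:] if p.startswith("/")):
                if path.endswith(RECURSIVE):
                    findings.append(f"recursive write grant under "
                                    f"{path[:-len(RECURSIVE)]} ({rule})")
                elif HOME_TOP.match(path):
                    findings.append(f"write grant on the top level of a home directory ({rule})")
        elif parts[:2] == ["network", "inet"] and len(parts) >= 6:
            addr, port = parts[4], parts[5]
            if _range_size(addr) > MAX_HOSTS:
                findings.append(f"{parts[3]} allowed to {addr}: effectively any host ({rule})")
            if _port_span(port) > 1:
                findings.append(f"port spec {port} is a range of {_port_span(port)} ports, "
                                f"not a list ({rule})")
    return findings


def lint_policy(text: str) -> dict[str, list[str]]:
    return {d.name: lint_domain(d) for d in parse_domain_policy(text)}


if __name__ == "__main__":
    for name, findings in lint_policy(SAMPLE_POLICY).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run it against a real dump with tomoyo-savepolicy -d piped into the script, and narrow every flagged rule before switching the domain to profile 3, as the page does for midori's configuration directory further down.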


Save the exception policy in the same way:

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

exception_policy.conf:

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, using the group:

file read/write/append/unlink/truncate @Midoi_Allow

Check both files for syntax errors before loading them into Tomoyo:

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

tomoyo-auditd writes the audit logs to /var/log/tomoyo.

wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



A system-wide Tomoyo policy.

Execution from /home and /tmp is allowed only for root.

/etc/tomoyo/profile.conf:

4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

/etc/tomoyo/exception_policy.conf:

path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any

/etc/tomoyo/domain_policy.conf:

<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0
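To see what this whitelist actually permits, the following added example (written for this page; not tomoyo-tools code) evaluates file execute decisions for the <kernel> domain against the path groups above. The matcher is a simplified reimplementation of the pattern subset these rules use (\*, \?, \{...\}/ for one or more directory levels, and the \- subtraction), as I read the TOMOYO 2.5 expression rules linked elsewhere on this page; it is not the kernel's matcher and understands only the task.uid= condition. The embedded policy is a constructed subset of the exception and domain policy shown above. It also shows why the <kernel> domain needs an explicit file execute /usr/bin/medit: the \-medit\-midori subtraction keeps both binaries out of ALLOW_EXEC.

```python
"""Evaluate file-execute decisions against a TOMOYO exec whitelist.

Added example for this page, not tomoyo-tools code.  Simplified matcher for
the pattern subset used here: \*, \?, \{...\}/ and the \- subtraction.
"""
from __future__ import annotations

import re
from functools import lru_cache

# Constructed subset of the page's exception_policy.conf and <kernel> domain.
EXCEPTION_POLICY = r"""
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
"""

KERNEL_DOMAIN = r"""
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori
"""


@lru_cache(maxsize=None)
def _component_regex(comp: str) -> re.Pattern[str]:
    """Translate one path component of a TOMOYO pattern into a regex."""
    out, i = [], 0
    while i < len(comp):
        c = comp[i]
        if c == "\\" and i + 1 < len(comp):
            n = comp[i + 1]
            i += 2
            if n == "*":
                out.append("[^/]*")       # any run of non-slash characters
            elif n == "?":
                out.append("[^/]")
            else:
                out.append(re.escape(n))  # \\, \{ and friends stand for the literal char
        else:
            out.append(re.escape(c))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def _match_component(pattern: str, name: str) -> bool:
    """Match one component; each \\-X after a wildcard subtracts names matching X."""
    main, *excluded = pattern.split("\\-")
    if not _component_regex(main).match(name):
        return False
    return not any(_component_regex(e).match(name) for e in excluded)


def _match_from(pc: list[str], nc: list[str], i: int, j: int) -> bool:
    if i == len(pc):
        return j == len(nc)
    comp = pc[i]
    if comp.startswith("\\{") and comp.endswith("\\}"):
        inner = comp[2:-2]          # \{X\}/ consumes one or more components matching X
        k = j
        while k < len(nc) and _match_component(inner, nc[k]):
            k += 1
            if _match_from(pc, nc, i + 1, k):
                return True
        return False
    if j < len(nc) and _match_component(comp, nc[j]):
        return _match_from(pc, nc, i + 1, j + 1)
    return False


def tomoyo_match(pattern: str, path: str) -> bool:
    """True if `path` matches the TOMOYO path pattern (subset described above)."""
    return _match_from(pattern.split("/"), path.split("/"), 0, 0)


def parse_path_groups(text: str) -> dict[str, list[str]]:
    groups: dict[str, list[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "path_group":
            groups.setdefault(parts[1], []).append(parts[2])
    return groups


def in_group(groups: dict[str, list[str]], name: str, path: str) -> bool:
    return any(tomoyo_match(p, path) for p in groups.get(name, []))


def may_execute(domain: str, groups: dict[str, list[str]], path: str, uid: int) -> bool:
    """Apply the domain's file execute rules; only the task.uid= condition is understood."""
    for line in domain.splitlines():
        parts = line.split()
        if parts[:2] != ["file", "execute"]:
            continue
        target, conds = parts[2], parts[3:]
        ok = True
        for c in conds:
            if c.startswith("task.uid="):
                ok = ok and int(c.partition("=")[2]) == uid
            else:
                ok = False              # unknown condition: treat as unmet (conservative)
        if not ok:
            continue
        if target.startswith("@"):
            if in_group(groups, target[1:], path):
                return True
        elif tomoyo_match(target, path):
            return True
    return False


if __name__ == "__main__":
    groups = parse_path_groups(EXCEPTION_POLICY)
    for path, uid in [("/usr/bin/ls", 1000), ("/usr/bin/medit", 1000),
                      ("/home/home/evil", 1000), ("/home/home/evil", 0), ("/tmp/x", 1000)]:
        print(f"uid {uid:4d} exec {path}: {'allow' if may_execute(KERNEL_DOMAIN, groups, path, uid) else 'deny'}")
```

Note that /home/home/evil is denied for an ordinary user but allowed for uid 0, which is exactly what the ALLOW_EXEC_ROOT group with task.uid=0 is meant to express; and that midori, also subtracted from ALLOW_EXEC, is admitted only through its explicit rule, after which initialize_domain moves it into its own domain.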

1.
midori \-midori, file execute /usr/bin/medit ?

initialize_domain /usr/bin/midori from any (medit)

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

tomoyo.sourceforge.jp/2.5/chapter-10.html.en

3.
keep_domain any from <kernel>

initialize_domain /usr/bin/midori from any

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
use_profile 4

tomoyo.sourceforge.jp/2.5/chapter-9.html.en

P.S. Another MAC from the Tomoyo developers: caitsith.sourceforge.jp

Update!

Tomoyo: ld-linux.so.2 gets its own domain.

Domain policy:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

Exception policy:

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .
 
.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .
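The steps above (dump the learned midori domain, review it, fold repeated paths into a path_group, then check the files) can be rehearsed offline. The script below is an added example, not code from the article or from the TOMOYO project: it parses rule lines in the tomoyo-savepolicy -d format shown above, flags write-class grants outside the tree the application owns, and proposes path_group entries the way the article builds @Midoi_Allow. The policy text, the group prefix "Midori" and the owned tree /home/home/.config/midori/ are constructed for the example.

```python
"""Review a learned TOMOYO domain policy before it goes into enforcing mode.

Added example, not code from the article or from the TOMOYO project. It
reads the rule lines that tomoyo-savepolicy -d prints for one domain (the
format of the midori policy above), reports write-class grants outside the
tree the application owns, and collapses the remaining rules that share a
permission set into path_group entries, the way the article folds the
midori paths into @Midoi_Allow. The policy text is a constructed excerpt.
"""
from typing import Dict, FrozenSet, List, NamedTuple

# Constructed excerpt in tomoyo-savepolicy -d format: domain header, profile
# and group selection, then one rule per line with TOMOYO's \* and \{\*\}/.
SAMPLE_POLICY = r"""
<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env HOME
file read /etc/hosts
file read /etc/fonts/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/.config/midori/\*
file create/chmod /home/home/\* 0-0666
file rename /home/home/\* /home/home/\*
file ioctl anon_inode:inotify 0x541B
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53
"""

WRITE_OPS = {"write", "append", "create", "unlink", "truncate", "rename", "chmod"}


class Finding(NamedTuple):
    rule: str
    path: str
    reason: str


class PathGroup(NamedTuple):
    perms: str          # e.g. "read" or "read/write/append/unlink/truncate"
    paths: List[str]


def file_rules(text: str) -> List[List[str]]:
    """Tokenise the domain's 'file ...' lines; the header, use_profile,
    misc env and network lines are not this check's business."""
    return [ln.split() for ln in text.splitlines() if ln.startswith("file ")]


def writes_outside(text: str, owned_tree: str) -> List[Finding]:
    r"""Flag every write-class grant whose (first) path is not under the tree
    the application owns. A browser learns 'unlink /home/home/\*' because the
    user deleted a download once; that is not a reason to enforce it."""
    out = []
    for parts in file_rules(text):
        ops, path = set(parts[1].split("/")), parts[2]
        if ops & WRITE_OPS and not path.startswith(owned_tree):
            out.append(Finding(" ".join(parts), path, f"{parts[1]} outside {owned_tree}"))
    return out


def propose_path_groups(text: str, prefix: str,
                        skip_paths: FrozenSet[str] = frozenset()) -> Dict[str, PathGroup]:
    """Collect single-path 'file <perms> <path>' rules by permission set;
    every set used by two or more paths becomes one path_group. Rules with
    extra operands (rename, create/chmod, ioctl) and paths already flagged
    for review are left as they are."""
    by_perms: Dict[str, List[str]] = {}
    for parts in file_rules(text):
        if len(parts) == 3 and parts[2] not in skip_paths:
            by_perms.setdefault(parts[1], []).append(parts[2])
    return {f"{prefix}_{perms.replace('/', '_')}": PathGroup(perms, paths)
            for perms, paths in by_perms.items() if len(paths) >= 2}


def render_exception_entries(groups: Dict[str, PathGroup]) -> List[str]:
    """Lines for exception_policy.conf, one path_group member per line."""
    return [f"path_group {name} {path}"
            for name, group in groups.items() for path in group.paths]


def render_domain_rules(groups: Dict[str, PathGroup]) -> List[str]:
    """The consolidated domain_policy.conf rules replacing the grouped paths."""
    return [f"file {group.perms} @{name}" for name, group in groups.items()]


if __name__ == "__main__":
    flagged = writes_outside(SAMPLE_POLICY, "/home/home/.config/midori/")
    for f in flagged:
        print("REVIEW:", f.rule, "->", f.reason)
    groups = propose_path_groups(SAMPLE_POLICY, "Midori",
                                 frozenset(f.path for f in flagged))
    print("\n".join(render_exception_entries(groups) + render_domain_rules(groups)))
```

Run tomoyo-checkpolicy over the generated lines as the article does before loading them; the script only proposes entries, it does not validate syntax.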


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf
4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en
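Points 1 and 2 above, and the Midoi_Allow path_group earlier, all hinge on how TOMOYO matches one path component: why `/usr/\{\*\}/\*\-medit\-midori` leaves /usr/bin/medit and /usr/bin/midori uncovered, why every directory needs both a `\{\*\}/\*` and a plain `\*` entry, and what `task.uid=0` withholds from ordinary users. The code below is an added example, not code from the article or from the TOMOYO project: a Python re-implementation of the matching algorithm in the kernel's security/tomoyo/util.c, cut down to the wildcards this article uses, with a small model of the `<kernel>` domain's execute rules. The path_group contents are a subset of the article's; the sample paths are constructed.

```python
r"""TOMOYO 2.x path-pattern matching, re-implemented in Python.

Added example, not code from the article or from the TOMOYO project. It
follows the algorithm of the kernel's tomoyo_path_matches_pattern() in
security/tomoyo/util.c, reduced to the wildcards the article's policies
use: \* (any run of non-'/' characters), \? (one character), \$ (decimal
digits), the \- subtraction operator and \{\*\}/ directory recursion.
Octal escapes and the remaining wildcards are deliberately left out.
"""
import re
from typing import List, Optional


def _simple_matches(name: str, pattern: str) -> bool:
    r"""Match one path component against a pattern component without \-."""
    if not pattern:
        return name == ""
    if pattern[0] != "\\":                      # literal character
        return name[:1] == pattern[0] and _simple_matches(name[1:], pattern[1:])
    kind, rest = pattern[1:2], pattern[2:]
    if kind == "*":                             # zero or more characters, never '/'
        return any(_simple_matches(name[i:], rest) for i in range(len(name) + 1))
    if kind == "?":                             # exactly one character
        return bool(name) and _simple_matches(name[1:], rest)
    if kind == "$":                             # one or more decimal digits
        digits = re.match(r"[0-9]+", name)
        return bool(digits) and any(
            _simple_matches(name[i:], rest) for i in range(1, digits.end() + 1))
    if kind == "\\":                            # an escaped backslash
        return name[:1] == "\\" and _simple_matches(name[1:], rest)
    return False                                # wildcard not covered by this example


def _component_matches(name: str, pattern: str) -> bool:
    r"""The \- operator: 'A\-B\-C' matches a component when A matches it and
    neither B nor C does, which is how \*\-medit\-midori excludes two names."""
    first, *excluded = pattern.split("\\-")
    return _simple_matches(name, first) and not any(
        _simple_matches(name, ex) for ex in excluded)


def _match_components(f: List[str], p: List[str]) -> bool:
    while f and p:
        if p[0].startswith("\\{"):
            # '\{pat\}/' swallows ONE OR MORE directory levels, each matching pat,
            # and must be followed by more pattern; the kernel rejects it otherwise.
            if len(p) < 2 or len(p[0]) < 4 or not p[0].endswith("\\}"):
                return False
            inner, rest = p[0][2:-2], p[1:]
            for i in range(len(f) - 1):         # f[i] needs a component after it
                if not _component_matches(f[i], inner):
                    return False
                if _match_components(f[i + 1:], rest):
                    return True
            return False
        if not _component_matches(f[0], p[0]):
            return False
        f, p = f[1:], p[1:]
    if len(p) == 1 and re.fullmatch(r"(\\[*@])+", p[0]):
        p = []                                  # a trailing \* may match nothing
    return not f and not p


def path_matches(path: str, pattern: str) -> bool:
    """True if the pattern covers the path. TOMOYO names directories with a
    trailing '/', and a file pattern never matches a directory or vice versa."""
    if path.endswith("/") != pattern.endswith("/"):
        return False
    return _match_components(path.split("/"), pattern.split("/"))


def group_entry_for(path: str, group: List[str]) -> Optional[str]:
    """The first path_group member that covers the path, or None."""
    return next((pat for pat in group if path_matches(path, pat)), None)


# The article's ALLOW_EXEC / ALLOW_EXEC_ROOT groups, cut down to the entries
# exercised here. Both the '\{\*\}/\*' and the plain '\*' form are needed
# because the recursive form requires at least one directory level.
ALLOW_EXEC = ["/usr/\\{\\*\\}/\\*\\-medit\\-midori", "/usr/\\*", "/bin/\\*"]
ALLOW_EXEC_ROOT = ["/home/\\{\\*\\}/\\*", "/home/\\*", "/tmp/\\*"]


def kernel_domain_may_execute(path: str, uid: int) -> bool:
    r"""Model of the article's <kernel> domain: 'file execute @ALLOW_EXEC',
    'file execute @ALLOW_EXEC_ROOT task.uid=0' (root only) and the explicit
    entries for /usr/bin/medit and /usr/bin/midori, which the \- operator
    keeps out of ALLOW_EXEC and which the policy therefore lists by name."""
    if path in ("/usr/bin/medit", "/usr/bin/midori"):
        return True
    if group_entry_for(path, ALLOW_EXEC) is not None:
        return True
    return uid == 0 and group_entry_for(path, ALLOW_EXEC_ROOT) is not None
```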



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .
 
.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .
 
.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet
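To see concretely what the connect rule above grants, here is a small checker for TOMOYO 2.5 "network inet" rules. It is an added example, not code from the article or from the TOMOYO project; the grammar it parses is the one visible in the page's own rules (protocol, operation, an address or inclusive address range, a port or inclusive port range). MIDORI_RULES copies the two rules from the midori domain listing, and TIGHT_RULES is a constructed alternative that limits the domain to ports 80 and 443 only.

```python
"""Checker for TOMOYO 2.5 'network inet' rules.  Added example, not TOMOYO's
code.  A rule reads 'network inet PROTOCOL OPERATION ADDRESS PORT', where
ADDRESS and PORT are a single value or an inclusive 'low-high' range; the
page's '0.0.0.0-255.255.255.255 80-443' therefore covers every IPv4 peer on
every port from 80 through 443, not just HTTP and HTTPS."""
import ipaddress


def _parse_range(field, convert):
    """'lo-hi' -> (lo, hi); a single value -> (v, v)."""
    lo, _, hi = field.partition("-")
    lo = convert(lo)
    return lo, (convert(hi) if hi else lo)


def parse_inet_rule(line):
    """Return (protocol, operation, (addr_lo, addr_hi), (port_lo, port_hi))."""
    parts = line.split()
    if parts[:2] != ["network", "inet"] or len(parts) != 6:
        raise ValueError(f"not a 'network inet' rule: {line!r}")
    proto, op, addr, port = parts[2:]
    return proto, op, _parse_range(addr, ipaddress.ip_address), _parse_range(port, int)


def inet_allowed(rules, proto, op, addr, port):
    """True if some rule in `rules` permits `op` over `proto` to addr:port."""
    ip = ipaddress.ip_address(addr)
    for r_proto, r_op, (a_lo, a_hi), (p_lo, p_hi) in map(parse_inet_rule, rules):
        if (r_proto, r_op) != (proto, op) or ip.version != a_lo.version:
            continue  # wrong verb, or an IPv4 rule checked against an IPv6 peer
        if a_lo <= ip <= a_hi and p_lo <= port <= p_hi:
            return True
    return False


def ports_covered(line):
    """How many distinct ports one rule grants; '80-443' is 364, not 2."""
    _, _, _, (p_lo, p_hi) = parse_inet_rule(line)
    return p_hi - p_lo + 1


# The two inet rules from the page's midori domain policy.
MIDORI_RULES = [
    "network inet stream connect 0.0.0.0-255.255.255.255 80-443",
    "network inet dgram send 192.168.1.1 53",
]
# Constructed alternative: only the two web ports, same resolver rule.
TIGHT_RULES = [
    "network inet stream connect 0.0.0.0-255.255.255.255 80",
    "network inet stream connect 0.0.0.0-255.255.255.255 443",
    "network inet dgram send 192.168.1.1 53",
]
```

The checker makes one thing explicit: 80-443 is an inclusive range, so the rule as written also lets the browser domain connect to, say, port 200 on any host. Two single-port rules express the narrower intent, while the UDP rule stays limited to port 53 on the one resolver address. If the machine also has IPv6 connectivity, a separate rule with an IPv6 address range is needed, since an IPv4 range never matches an IPv6 peer.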


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d dumps the domain policy currently loaded in the kernel to standard output.
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' keeps only the named domain and, because of -r, its subdomains.
>> /etc/tomoyo/domain_policy.conf appends the result to the on-disk domain policy.

midori

/etc/tomoyo/domain_policy.conf

<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd receives the granted and rejected accesses from the kernel and writes them to log files under /var/log/tomoyo.


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf

4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf

path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf

<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en
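The wildcard forms used throughout this policy (\* for one path component, \{\*\}/ for one or more directory levels, \- to exclude names, as in /usr/\{\*\}/\*\-medit\-midori) and the task.uid=0 condition on @ALLOW_EXEC_ROOT are easiest to understand by evaluating them. The Python below is an added example, not TOMOYO's or the article's code: it re-implements the component-wise matching of the kernel's tomoyo_path_matches_pattern() and evaluates the <kernel> domain's file execute rules from the listing above against a few requests. EXCEPTION_POLICY is a verbatim subset of the page's path groups and KERNEL_DOMAIN copies the page's execute rules; the octal-escape decoding and the restriction to the task.uid=N condition form are assumptions of this example.

```python
r"""TOMOYO 2.5 path-pattern matching re-implemented in Python (added example,
not TOMOYO's own code).  It mirrors the component-wise algorithm of the kernel's
tomoyo_path_matches_pattern(): \* never crosses a '/', \{\*\}/ eats one or more
directory components, and A\-B means "matches A but not B".  Octal escapes such
as \000 are decoded to the literal byte (assumption); other escapes are literal."""
import re

# Single-character wildcards and the regex fragment each stands for.
_WILDCARDS = {"*": r"[^/]*", "@": r"[^/.]*", "?": r"[^/]",
              "$": r"[0-9]+", "+": r"[0-9]"}


def _component_regex(sub):
    # One \- free piece of a path component -> anchored regex.
    out, i = [], 0
    while i < len(sub):
        if sub[i] == "\\" and i + 1 < len(sub):
            octal = sub[i + 1:i + 4]
            if len(octal) == 3 and octal.isdigit():      # \ooo -> literal byte
                out.append(re.escape(chr(int(octal, 8))))
                i += 4
            else:
                out.append(_WILDCARDS.get(sub[i + 1], re.escape(sub[i + 1])))
                i += 2
        else:
            out.append(re.escape(sub[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")


def _component_matches(name, pattern):
    """A\\-B\\-C matches when A matches and neither B nor C does."""
    parts = pattern.split("\\-")
    if not _component_regex(parts[0]).match(name):
        return False
    return not any(_component_regex(p).match(name) for p in parts[1:])


def _match(f, p):
    while f and p:
        comp = p[0]
        if comp.startswith("\\{") and comp.endswith("\\}"):
            inner, i = comp[2:-2], 0
            # Eat matching components one at a time; at least one component
            # must remain for the rest of the pattern after each of them.
            while i < len(f) and _component_matches(f[i], inner):
                i += 1
                if i == len(f):
                    return False
                if _match(f[i:], p[1:]):
                    return True
            return False
        if not _component_matches(f[0], comp):
            return False
        f, p = f[1:], p[1:]
    while p and p[0] in ("\\*", "\\@"):   # trailing \* or \@ may match nothing
        p = p[1:]
    return not f and not p


def path_matches(path, pattern):
    """True if the absolute `path` matches the TOMOYO `pattern`."""
    return _match(path.split("/"), pattern.split("/"))


def parse_path_groups(exception_policy):
    """Collect 'path_group NAME PATTERN' lines into {NAME: [PATTERN, ...]}."""
    groups = {}
    for parts in (line.split() for line in exception_policy.splitlines()):
        if len(parts) == 3 and parts[0] == "path_group":
            groups.setdefault(parts[1], []).append(parts[2])
    return groups


def group_matches(groups, name, path):
    return any(path_matches(path, pat) for pat in groups.get(name, []))


def execute_allowed(domain_policy, groups, exe, uid):
    """Evaluate a domain's 'file execute <path|@group> [task.uid=N]' rules for
    running `exe` as `uid`; a rule with any other condition never matches."""
    for parts in (line.split() for line in domain_policy.splitlines()):
        if parts[:2] != ["file", "execute"] or len(parts) < 3:
            continue
        target, conds = parts[2], parts[3:]
        if not all(c == f"task.uid={uid}" for c in conds):
            continue
        if target.startswith("@"):
            if group_matches(groups, target[1:], exe):
                return True
        elif path_matches(exe, target):
            return True
    return False


# Verbatim subset of the page's exception_policy.conf path groups, followed
# by the <kernel> domain's execute rules from the page's domain_policy.conf.
EXCEPTION_POLICY = r"""
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
"""
KERNEL_DOMAIN = """
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori
"""
GROUPS = parse_path_groups(EXCEPTION_POLICY)
```

Evaluating the listing with path_matches and execute_allowed shows what the two notes above describe: /usr/bin/medit and /usr/bin/midori fall outside @ALLOW_EXEC because of the \- exclusions and run only by virtue of their explicit file execute lines, /home/home/.config/midori/\* and /home/home/.config/midori/\{\*\}/\* cover disjoint sets of files (direct children versus deeper ones), and a binary dropped under /tmp is executable only when the calling task has uid 0.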


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

(domain_policy.conf)
<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

(exception_policy.conf)
initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .
 
.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf

<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf

4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf

path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf

<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en
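The following Python script is an added example, not code from the article or from tomoyo-tools. It works on the two policy fragments discussed in this section: the learned midori domain with its path_group shorthand (Midoi_Allow) and the system-wide execute whitelist with the task.uid=0 condition. It parses path_group entries from exception_policy.conf and file rules from domain_policy.conf, expands @group references, answers "would this domain be allowed this operation on this path as this uid", and flags learned write rules that are anchored by too few fixed path components (the kind of /home/home/\* rule the learning mode produces). The sample policies are constructed from rules shown on this page; the wildcard semantics it implements (\* matches zero or more non-'/' characters, \{\*\}/ matches one or more directory components) are an assumption of the example, and the \- exclusion used in /usr/\{\*\}/\*\-medit\-midori is not implemented, so that entry is left out of the sample.

```python
# Added example, not from the article or tomoyo-tools: an offline checker for the
# subset of TOMOYO 2.5 policy syntax this article uses (path_group, "file" rules,
# task.uid= condition). Assumed wildcard semantics: \* is zero or more non-'/'
# characters, \{\*\}/ is one or more directory components; \- and the other
# TOMOYO wildcards are not implemented. Sample policies below are constructed.
import re
from typing import NamedTuple, Optional

EXCEPTION_POLICY = r"""
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*
"""
DOMAIN_POLICY = r"""
<kernel>
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/midori

<kernel> /usr/bin/midori
file read/write/append/unlink/truncate @Midoi_Allow
file read/write/append/unlink/truncate /home/home/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
"""
WRITE_OPS = {"write", "append", "unlink", "truncate", "create", "rename", "chmod"}

class FileRule(NamedTuple):
    ops: frozenset      # operations from "file read/write ..." split on "/"
    path: str           # literal path, wildcard pattern or "@group"
    uid: Optional[int]  # task.uid=N condition, None when unconditional

def parse_exception_policy(text):
    """path_group lines -> {group name: [path patterns]}; other lines are ignored."""
    groups = {}
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) == 3 and parts[0] == "path_group":
            groups.setdefault(parts[1], []).append(parts[2])
    return groups

def parse_domain_policy(text):
    """Attach each 'file' rule to the <kernel> ... domain header above it."""
    domains, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("<kernel>"):
            current = line
            domains[current] = []
        elif current is not None and line.startswith("file "):
            parts = line.split()
            conds = [c for c in parts[3:] if c.startswith("task.uid=")]
            uid = int(conds[0].split("=", 1)[1]) if conds else None
            domains[current].append(FileRule(frozenset(parts[1].split("/")), parts[2], uid))
    return domains

def pattern_to_regex(pattern):
    """Translate the two supported TOMOYO wildcards into an anchored regex."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith(r"\{\*\}/", i):
            out.append(r"(?:[^/]*/)+")  # one or more directory components (assumed)
            i += len(r"\{\*\}/")
        elif pattern.startswith(r"\*", i):
            out.append(r"[^/]*")
            i += 2
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def expand(rule_path, groups):
    # Resolve an @group reference to its member patterns; a plain path is itself.
    return groups.get(rule_path[1:], []) if rule_path.startswith("@") else [rule_path]

def is_allowed(domains, groups, domain, op, path, uid):
    """Would a process in <domain> running as <uid> be permitted <op> on <path>?"""
    for rule in domains.get(domain, []):
        if op not in rule.ops or (rule.uid is not None and rule.uid != uid):
            continue
        if any(pattern_to_regex(p).match(path) for p in expand(rule.path, groups)):
            return True
    return False

def literal_components(pattern):
    """Count path components that contain no wildcard (no backslash)."""
    return sum(1 for c in pattern.split("/") if c and "\\" not in c)

def find_broad_write_rules(domains, groups, min_literal=3):
    """Heuristic lint: write-class rules anchored by fewer than min_literal fixed components."""
    return [(domain, rule.path, p)
            for domain, rules in domains.items() for rule in rules if rule.ops & WRITE_OPS
            for p in expand(rule.path, groups) if literal_components(p) < min_literal]

GROUPS = parse_exception_policy(EXCEPTION_POLICY)
DOMAINS = parse_domain_policy(DOMAIN_POLICY)
```

Two things worth noticing when running it: /tmp/x is executable as root under ALLOW_EXEC_ROOT but /tmp/a/b is not, because /tmp/\* and /tmp/\{\*\}/\* are distinct patterns (which is why the article's exception policy lists both forms for every directory); and the lint reports only the learned /home/home/\* write rule, not the Midoi_Allow patterns, since those are pinned to the .config/midori subtree.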



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .
 
.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

.
<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -


, .

/bin/bash, , sshd .
- .
/sbin/init ..... /bin/bash
/sbin/init ..... /usr/sbin/sshd /bin/bash

.
, bash - . bash - , . Tomoyo.

tomoyo-editpolicy.

tomoyo-editpolicy



. .



W , D (w & d).

2.

. , , , . .

file execute /bin/ls - ls

, .

file execute /bin/ls task.uid=0 - ls .

3. .
, , .

4 .
0 - , .
1 - , .
2 - , 0
3 - , , .

tomoyo-editpolicy (w & p)



- 3

4. .
, - . . . - , . .

tomoyo-editpolicy (w & e)



5.

:

/etc/tomoyo/domain_policy.conf -
/etc/tomoyo/profile.conf -
/etc/tomoyo/exception_policy.conf -

, tomoyo-editpolicy , . . !

.

6.

tomoyo-editpolicy - . .
tomoyo-loadpolicy - .
tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .
tomoyo-checkpolicy - .

, .

Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en

Tomoyo.
1. GRUB /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

update-grub

2. :
aptitude install tomoyo-tools

3. :
/usr/lib/tomoyo/init_policy
.

4. !
Tomoyo, . , e grub :
security=tomoyo

security=none


midori.
, , , .
, midori.

initialize_domain.

tomoyo-editpolicy.
Exeption Policy Editor (w & e) A :

initialize_domain /usr/bin/midori from any



.
tomoyo.sourceforge.jp/2.5/chapter-5.html.en


Domain Transition Editor (w & d)

/usr/bin/midori *

S , 1.



midori , . , , .
midori.

Domain Transition Editor Enter Domain Policy Editor, midori .



.

@ . .

. .

.



/home/home/.config/midori/

(append) .

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

.

, D , .

, , /home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*


tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en


.



, .

network inet stream connect 0.0.0.0-255.255.255.255 80-443 //

, (O & D).


tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet


, .

, , midori /etc/passwd



.

D, .
Domain Transition Editor (w & d), S 1 3.
.
? . ? .

.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

:
tomoyo-savepolicy -d .
tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' , .
>> /etc/tomoyo/domain_policy.conf .

midori

/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53


.

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

, , .

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf, .

file read/write/append/unlink/truncate @Midoi_Allow

, , Tomoyo.

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

, - - , .

tomoyo-auditd , /var/log/tomoyo .


wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader



Tomoyo , .

/home /tmp root.
.

.

/etc/tomoyo/profile.conf

4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

.

/etc/tomoyo/exception_policy.conf

path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any


:

/etc/tomoyo/domain_policy.conf

<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0

.

1.
midori \-midori , file execute /usr/bin/medit ?

Tomoyo. , . , .

initialize_domain /usr/bin/midori from any medit, .

2.
file execute @ALLOW_EXEC_ROOT task.uid=0

, , .

.
tomoyo.sourceforge.jp/2.5/chapter-10.html.en


3.
keep_domain any from <kernel>
. .

initialize_domain /usr/bin/midori from any
, . keep_domain.

4.
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
. use_profile 4, .

.
tomoyo.sourceforge.jp/2.5/chapter-9.html.en



Tomoyo , .
.

ps. mac. Tomoyo, - caitsith.sourceforge.jp

Update!

Tomoyo .
ld-linux.so.2 .

.

:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
, .

Source: https://habr.com/ru/post/J224335/