Roman Yeryomin wrote: > > This is a situation where CaitSith will fit better. > > > > Since Memory Technology Device is a character device with major = 90, > > you will be able to define CaitSith's rule like below. > > > > ---------------------------------------- > > 10 read path.type=char path.dev_major=90 > > 10 allow task.exe="/bin/dd" > > 20 allow task.exe="/sbin/fw-tool" > > 30 deny > > > > 10 write path.type=char path.dev_major=90 > > 10 allow task.exe="/sbin/fw-tool" > > 20 deny > > > > 10 append path.type=char path.dev_major=90 > > 10 allow task.exe="/sbin/fw-tool" > > 20 deny > > ---------------------------------------- > > Thank you for this pointer, I will certainly look closer at CaitSith! > I forgot to add "acl" keyword in the example above. Anyway, here is what I guess you want to try if you use CaitSith. ---------- /etc/caitsith/policy/current ---------- quota memory audit 16777216 quota memory query 1048576 quota audit[0] allowed=0 denied=1024 unmatched=0 10 acl read path.type=char path.dev_major=90 audit 0 10 allow task.exe="/usr/bin/dd" 20 allow task.exe="/sbin/the-tool" 30 deny 10 acl read path.fsmagic=0x9FA0 path="proc:/mtd" audit 0 10 allow task.exe="/sbin/the-tool" 20 deny 10 acl write path.type=char path.dev_major=90 audit 0 10 allow task.exe="/sbin/the-tool" 20 deny 10 acl append path.type=char path.dev_major=90 audit 0 10 allow task.exe="/sbin/the-tool" 20 deny 100 acl mount audit 1 10 deny task.exe!="/bin/mount" 20 allow target="/proc/" fstype="proc" flags=0x0 30 allow target="/sys/" fstype="sysfs" flags=0x0 40 deny 0 acl modify_policy audit 0 10 deny ---------- /etc/caitsith/policy/current ---------- Since /proc/mtd is recognized as proc:/mtd (because proc filesystem does not support rename operation), /\*/\*\-mtd\?\* will not match /proc/mtd . The "0 acl modify_policy" block in CaitSith corresponds to /etc/tomoyo/policy/current/manager.conf in TOMOYO 2.5. In the above example, no programs can modify policy (i.e. production state). The "100 acl mount" block is for preventing attackers from disguising programs using e.g. "mount --bind" request. If you can make partitions for programs being mounted as read-only, you will be able to omit e.g. "acl rename" blocks. If you cannot, you can define e.g. "acl rename" blocks in order to control ranges attackers can tamper the system. > > If you need to use TOMOYO 2.5, you can still use file's attributes > > like below (though it is less flexible than CaitSith). > > > > ---------------------------------------- > > <kernel> > > use_profile 4 > > file read @ANY_DIR > > file read/write/append @ANY_FILE path1.type!=char > > file read/write/append @ANY_FILE path1.type=char path1.dev_major!=90 > > > > </bin/dd> > > use_profile 4 > > file read @ANY_DIR > > file read @ANY_FILE > > file write/append @ANY_FILE path1.type!=char > > file write/append @ANY_FILE path1.type=char path1.dev_major!=90 > > > > </sbin/fw-tool> > > use_profile 0 > > file read @ANY_DIR > > file read/write/append @ANY_FILE > > ---------------------------------------- > > Below is similar rule using TOMOYO 2.5. ---------- /etc/tomoyo/policy/current/profile.conf ---------- <kernel> PROFILE_VERSION=20110903 <kernel> 0-COMMENT=-----Disabled Mode----- <kernel> 0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 } <kernel> 0-CONFIG={ mode=disabled grant_log=no reject_log=yes } <kernel> 1-COMMENT=-----Learning Mode----- <kernel> 1-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 } <kernel> 1-CONFIG={ mode=learning grant_log=no reject_log=yes } <kernel> 2-COMMENT=-----Permissive Mode----- <kernel> 2-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 } <kernel> 2-CONFIG={ mode=permissive grant_log=no reject_log=yes } <kernel> 3-COMMENT=-----Enforcing Mode----- <kernel> 3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 } <kernel> 3-CONFIG={ mode=enforcing grant_log=no reject_log=yes } <kernel> 4-COMMENT=-----Enforcing Mode (File Open Only)----- <kernel> 4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 } <kernel> 4-CONFIG={ mode=disabled grant_log=no reject_log=no } <kernel> 4-CONFIG::file::open={ mode=enforcing grant_log=no reject_log=yes } </usr/bin/dd> PROFILE_VERSION=20110903 </usr/bin/dd> 4-COMMENT=-----Enforcing Mode (File Open Only)----- </usr/bin/dd> 4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 } </usr/bin/dd> 4-CONFIG={ mode=disabled grant_log=no reject_log=no } </usr/bin/dd> 4-CONFIG::file::open={ mode=enforcing grant_log=no reject_log=yes } </sbin/the-tool> PROFILE_VERSION=20110903 </sbin/the-tool> 0-COMMENT=-----Disabled Mode----- </sbin/the-tool> 0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 } </sbin/the-tool> 0-CONFIG={ mode=disabled grant_log=no reject_log=no } ---------- /etc/tomoyo/policy/current/profile.conf ---------- ---------- /etc/tomoyo/policy/current/exception_policy.conf ---------- <kernel> aggregator proc:/self/exe /proc/self/exe <kernel> reset_domain /sbin/the-tool from any <kernel> reset_domain /usr/bin/dd from any <kernel> keep_domain any from any <kernel> path_group ANY_PATHNAME_BUT_PROC_MTD / <kernel> path_group ANY_PATHNAME_BUT_PROC_MTD /\* <kernel> path_group ANY_PATHNAME_BUT_PROC_MTD /\{\*\}/ <kernel> path_group ANY_PATHNAME_BUT_PROC_MTD /\{\*\}/\* <kernel> path_group ANY_PATHNAME_BUT_PROC_MTD \*:/ <kernel> path_group ANY_PATHNAME_BUT_PROC_MTD \*:\-proc:/\* <kernel> path_group ANY_PATHNAME_BUT_PROC_MTD proc:/\*\-mtd <kernel> path_group ANY_PATHNAME_BUT_PROC_MTD \*:/\{\*\}/ <kernel> path_group ANY_PATHNAME_BUT_PROC_MTD \*:/\{\*\}/\* <kernel> path_group ANY_PATHNAME_BUT_PROC_MTD \*:[\$] <kernel> path_group ANY_PATHNAME_BUT_PROC_MTD socket:[family=\$:type=\$:protocol=\$] </usr/bin/dd> path_group ANY_PATHNAME_BUT_PROC_MTD / </usr/bin/dd> path_group ANY_PATHNAME_BUT_PROC_MTD /\* </usr/bin/dd> path_group ANY_PATHNAME_BUT_PROC_MTD /\{\*\}/ </usr/bin/dd> path_group ANY_PATHNAME_BUT_PROC_MTD /\{\*\}/\* </usr/bin/dd> path_group ANY_PATHNAME_BUT_PROC_MTD \*:/ </usr/bin/dd> path_group ANY_PATHNAME_BUT_PROC_MTD \*:\-proc:/\* </usr/bin/dd> path_group ANY_PATHNAME_BUT_PROC_MTD proc:/\*\-mtd </usr/bin/dd> path_group ANY_PATHNAME_BUT_PROC_MTD \*:/\{\*\}/ </usr/bin/dd> path_group ANY_PATHNAME_BUT_PROC_MTD \*:/\{\*\}/\* </usr/bin/dd> path_group ANY_PATHNAME_BUT_PROC_MTD \*:[\$] </usr/bin/dd> path_group ANY_PATHNAME_BUT_PROC_MTD socket:[family=\$:type=\$:protocol=\$] </usr/bin/dd> path_group ANY_PATHNAME / </usr/bin/dd> path_group ANY_PATHNAME /\* </usr/bin/dd> path_group ANY_PATHNAME /\{\*\}/ </usr/bin/dd> path_group ANY_PATHNAME /\{\*\}/\* </usr/bin/dd> path_group ANY_PATHNAME \*:/ </usr/bin/dd> path_group ANY_PATHNAME \*:/\* </usr/bin/dd> path_group ANY_PATHNAME \*:/\{\*\}/ </usr/bin/dd> path_group ANY_PATHNAME \*:/\{\*\}/\* </usr/bin/dd> path_group ANY_PATHNAME \*:[\$] </usr/bin/dd> path_group ANY_PATHNAME socket:[family=\$:type=\$:protocol=\$] ---------- /etc/tomoyo/policy/current/exception_policy.conf ---------- ---------- /etc/tomoyo/policy/current/domain_policy.conf ---------- <kernel> use_profile 4 use_group 0 file read/write/append @ANY_PATHNAME_BUT_PROC_MTD path1.type!=char file read/write/append @ANY_PATHNAME_BUT_PROC_MTD path1.type=char path1.dev_major!=90 </usr/bin/dd> use_profile 4 use_group 0 file read @ANY_PATHNAME_BUT_PROC_MTD file write/append @ANY_PATHNAME path1.type!=char file write/append @ANY_PATHNAME path1.type=char path1.dev_major!=90 </sbin/the-tool> use_profile 0 use_group 0 ---------- /etc/tomoyo/policy/current/domain_policy.conf ---------- > > Please be aware that the programs you want to allow access to specific > > resource (i.e. /bin/dd and /sbin/fw-tool in your case) might be disguised > > unless you also restrict operations which modify directory entries and/or > > mount namespace. For example, doing > > > > # mount --bind /bin/cat /sbin/fw-tools > > > > or > > > > # mv /sbin/fw-tool /sbin/fw-tool.orig > > # ln /bin/cat /sbin/fw-tool > > > > allows the attacker to run in </sbin/fw-tool> domain while its functionality > > would be still /bin/cat . Therefore, it is recommended to restrict operations > > which modify directory entries and/or mount namespace in addition to > > restricting read/write/append operations. > > I was going to develop this policy further and restrict ssh (the only > access method) to only several configuration files. > Would this solve the problem? > What do you think about other programs which can issue such requests when exploited? Any process running as root user would be able to issue above requests (even without using shell, by directly using system calls). > >> > >> As I understand from domain transition logic described here > >> http://tomoyo.osdn.jp/2.5/policy-specification/domain-transition-procedure.html.en#transition_by_execute > >> it should work > >> But neither dd no the-tool don't have even read access to /dev/mtdX > >> > >> Any pointers on what am I doing wrong? > >> Thanks in advance! > >> > > > > I guess that /bin/dd and /sbin/fw-tool are running in the <kernel> domain. > > It seems you are right. > tomoyo-queryd showed that the-tool runs with profile 4 while > </sbin/the-tool> domain is configured as profile 0. > But then I don't understand how domain transition (exception policy) rules work. > Will they always match the most "hungry"/vague rule? not the first one? It should match as described in the link above. > Like in my config it looks like any /sbin/the-tool instance will match > "keep_domain any from <kernel>" not "reset_domain /sbin/the-tool from > any" as I was expecting. > And adding "no_keep_domain /sbin/the-tool from any" also doesn't help. > So I'm confused here. > I think you can try how domain transition tree would look like, by removing reset_domain / keep_domain entries and generating via usual learning steps. You might find that the pathnames you assumed /bin/dd and /sbin/fw-tool might be recognized as different names (e.g. if /sbin is a symlink to /usr/sbin , /sbin/fw-tool will be recognized as /usr/sbin/fw-tool ). After TOMOYO generated domains as detail as possible, you can design which domains should be compressed. Also, as far as I saw, you don't need to use policy namespace. If you don't have reason to use policy namespace, you will be able to replace reset_domain with initialize_domain . > > Regards, > Roman > > _______________________________________________ > tomoyo-users-en mailing list > tomoy****@lists***** > http://lists.osdn.me/mailman/listinfo/tomoyo-users-en >