Jamie Nguyen
dysco****@gmail*****
Fri Dec 24 19:34:48 JST 2010
Tetsuo Handa wrote:
> After testing uuid module on libvirtd, it turned out that automatically
> assigning unique id1 does not work, for libvirtd might be restarted without
> restarting qemu-kvm.
>
> If qemu-kvm was started by libvirtd with id1 = 1, that qemu-kvm has id1 = 1.
> When libvirtd gets restarted, libvirtd will get id1 = 2. In that case, libvirtd
> can't communicate with already running qemu-kvm because qemu-kvm has id1 = 1.
>
> Therefore, libvirtd needs to explicitly tell uuid module which id to assign.
> Thus, I modified uuid module to use uuid. (Saved as uuid2.c in revision 118.)
> Usage has changed. There is /proc/uuid interface that assigns uuid for current
> thread. For example, doing
>
> echo hello > /proc/uuid
>
> from term1 and doing
>
> echo world > /proc/uuid
>
> from term2 makes term1 and term2 mutually isolated.
>
> I'm planning to add open()/execute() restrictions to this module but not
> yet implemented.

I would just like to check my understanding of both TOMOYO and uuid module.

At the moment, TOMOYO is able to restrict access to /proc as long as the
process does not need to communicate with other processes. Thus, it can be
limited with something like:

file execute proc:/self/exe
file read proc:/self/\*

However, if a process needs to communicate with other (e.g. child) processes,
then this policy must be specified:

file read proc:/\$/\* path1.uid!=0

This therefore gives it read access to /proc files as long as they are not
owned by root. I am not sure in this case how to allow (when using just
TOMOYO) reading /proc files only with the uid of the current process.

uuid module provides a method to limit access to /proc (and ptrace, kill
etc.) which is controlled by writing uuid to /proc/uuid.

I'm not familiar with using libvirt, but I think if my understanding is
correct, chromium browser might be a suitable candidate for the uuid module.
Currently, chromium is designed to sandbox as much as possible. Each tab is
run in its own process.
The domain sequence is:

/usr/bin/chromium (launcher script)
/usr/lib/chromium/chromium (core browser)
/usr/lib/chromium/chromium-sandbox (sandbox)
/usr/lib/chromium/chromium (process for each tab)

I have specified in exception policy:

initialize_domain /usr/bin/chromium
keep_domain any from <kernel> /usr/bin/chromium

chromium-sandbox requests read/write access to /proc/self/oom_adj as well as
/proc/XXXX where XXXX is the pid of each of the /usr/lib/chromium/chromium
processes. Thus, I need to specify the following in domain policy:

file write proc:/\$/oom_adj path1.uid=0

(the other option is to grant specific pid in real time using ccs-queryd).

chromium does not need capability SYS_PTRACE so this is protected against by
TOMOYO (I assume libvirt requires this capability and so requires uuid
module). However, the above policy allows access to oom_adj of all processes
not owned by root. uuid module would therefore allow this access to be
limited to only chromium processes if the launch script is modified to add
uuid to /proc/uuid before each chromium process is run.

I have a feeling that my understanding is a little fuzzy here, and I may not
be using TOMOYO correctly. Is my understanding somewhere close to reality?

Kind regards
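An added illustration of the launcher-script change proposed in the message above (example code, not from the thread or the TOMOYO project): a POSIX sh wrapper that writes one uuid to /proc/uuid and then execs the chromium binary, so every process started through it carries the same tag. It assumes, as the term1/term2 example in the quoted text implies, that the tag set on the shell is inherited across exec; the CHROMIUM_UUID variable and the UUID_PROC override are inventions of this example.

```shell
#!/bin/sh
# Added example: tag the session with a uuid via the uuid module's /proc/uuid
# interface before exec'ing the real binary.
# Assumes, as the term1/term2 example in the thread implies, that the tag set
# on the shell is inherited by the processes it execs.
# UUID_PROC is an override (assumption of this example) so the functions can be
# exercised on a host without the module loaded.
UUID_PROC="${UUID_PROC:-/proc/uuid}"

# Reuse the uuid exported by an outer wrapper (so the launcher, core browser,
# sandbox and per-tab processes all carry one tag); otherwise draw a fresh one.
pick_uuid() {
    if [ -n "${CHROMIUM_UUID:-}" ]; then
        printf '%s\n' "$CHROMIUM_UUID"
    elif [ -r /proc/sys/kernel/random/uuid ]; then
        cat /proc/sys/kernel/random/uuid
    else
        # Fallback for hosts without that procfs entry: 16 random bytes as hex.
        od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
        echo
    fi
}

# Write the tag, refusing to continue untagged: an untagged process would not
# be isolated from the others at all.
tag_thread() {
    uuid="$1"
    [ -n "$uuid" ] || { echo "tag_thread: empty uuid" >&2; return 1; }
    if ! printf '%s\n' "$uuid" > "$UUID_PROC" 2>/dev/null; then
        echo "tag_thread: cannot write $UUID_PROC (uuid module loaded?)" >&2
        return 1
    fi
    return 0
}

# Wrapper entry point, e.g. from /usr/bin/chromium:
#   run_tagged /usr/lib/chromium/chromium "$@"
run_tagged() {
    uuid="$(pick_uuid)" || return 1
    tag_thread "$uuid" || return 1
    CHROMIUM_UUID="$uuid"
    export CHROMIUM_UUID
    exec "$@"
}
```

Everything launched through the wrapper shares the tag, while a process started from another shell with a different uuid is separated from it in the way the term1/term2 example describes.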