Dear Tomoyo-Developers,

I want to restrict all programs which are executed from /home/*/, but something like this in exception_policy.conf:

<kernel> initialize_domain /home/\*/\*\-.xinitrc from any
<kernel> initialize_domain /home/\*/\{\*\}/\* from any

does not work. It seems as if no wildcards are allowed in exception_policy.conf, and secondly it looks like tomoyo-checkpolicy has a bug while checking exception_policy.conf:

# tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf
1: ERROR: '<kernel>' is a bad argument.
2: ERROR: '<kernel>' is a bad argument.
3: ERROR: '<kernel>' is a bad argument.
...
35: ERROR: '<kernel>' is a bad argument.
36: ERROR: '<kernel>' is a bad argument.
37: ERROR: '<kernel>' is a bad argument.
Total: 37 Lines 37 Errors 0 Warning

The only two lines I added are the first two.

# cat /etc/tomoyo/exception_policy.conf
<kernel> initialize_domain /opt/i2p/i2prouter from any
<kernel> initialize_domain /usr/bin/mpd from any
<kernel> path_group ANY_PATHNAME /
<kernel> path_group ANY_PATHNAME /\*
<kernel> path_group ANY_PATHNAME /\{\*\}/
<kernel> path_group ANY_PATHNAME /\{\*\}/\*
<kernel> path_group ANY_PATHNAME \*:/
<kernel> path_group ANY_PATHNAME \*:/\*
<kernel> path_group ANY_PATHNAME \*:/\{\*\}/
<kernel> path_group ANY_PATHNAME \*:/\{\*\}/\*
<kernel> path_group ANY_PATHNAME \*:[\$]
<kernel> path_group ANY_PATHNAME socket:[family=\$:type=\$:protocol=\$]
<kernel> path_group ANY_DIRECTORY /
<kernel> path_group ANY_DIRECTORY /\{\*\}/
<kernel> path_group ANY_DIRECTORY \*:/
<kernel> path_group ANY_DIRECTORY \*:/\{\*\}/
<kernel> number_group COMMON_IOCTL_CMDS 0x5401
<kernel> acl_group 0 file read /etc/ld.so.cache
<kernel> acl_group 0 file read proc:/meminfo
<kernel> acl_group 0 file read proc:/sys/kernel/version
<kernel> acl_group 0 file read /usr/share/zoneinfo/Europe/Berlin
<kernel> acl_group 0 file read /usr/share/locale/locale.alias
<kernel> acl_group 0 file read proc:/self/\*
<kernel> acl_group 0 file read proc:/self/\{\*\}/\*
<kernel> acl_group 0 file read /lib/lib\*.so\*
<kernel> acl_group 0 file read /usr/lib/lib\*.so\*
<kernel> acl_group 0 file read /lib64/lib\*.so\*
<kernel> acl_group 0 file read /usr/lib/perl5/core_perl/CORE/libperl.so
<kernel> acl_group 0 file read /usr/lib/device-mapper/libdevmapper-event-lvm2snapshot.so
<kernel> acl_group 0 file read /usr/lib/device-mapper/libdevmapper-event-lvm2raid.so
<kernel> acl_group 0 file read /usr/lib/device-mapper/libdevmapper-event-lvm2mirror.so
<kernel> acl_group 0 file read /usr/lib/ADM_plugins/videoEncoder/libADM_vidEnc_x264.so
<kernel> acl_group 0 file read /usr/lib/ADM_plugins/videoEncoder/libADM_vidEnc_xvid.so
<kernel> acl_group 0 file read /lib/ld-2.\*.so
<kernel> acl_group 0 file ioctl @ANY_PATHNAME @COMMON_IOCTL_CMDS
<kernel> acl_group 0 file read @ANY_DIRECTORY
<kernel> acl_group 0 file getattr @ANY_PATHNAME

Some information about the operating system:

# uname -a
Linux jellyfish 3.4.5-netbook #1 SMP PREEMPT Sat Jul 28 14:02:33 CEST 2012 x86_64 GNU/Linux
tomoyo-tools 2.5.0.20111025-1 (Archlinux)

Regards
Torsten
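The path_group lines in the posted exception_policy.conf rely on TOMOYO's pathname wildcards, and the two /home lines at the top of the mail only behave as intended if one understands how \* and \{\*\}/ differ. The following is an added example, not code from the post, the thread or the TOMOYO project: it translates TOMOYO patterns into Python regular expressions and evaluates the posted ANY_PATHNAME group against constructed sample paths. It assumes the semantics of \*, \$ and \{...\}/ as given in the TOMOYO policy reference (as I read it: \* is zero or more characters other than '/', \$ is one or more decimal digits, \{X\}/ is one or more repetitions of "X/"); the \- wildcard used in the post's first /home line is not modelled and is rejected, and the sample paths are constructed.

```python
"""Evaluate TOMOYO-style pathname patterns against concrete paths.

Added example, not code from the post or from the TOMOYO project. Assumed
wildcard semantics (from the TOMOYO policy reference as I understand it):
  \*       zero or more characters other than '/'
  \$       one or more decimal digits
  \{X\}/   one or more repetitions of "X/" (recursive directory match)
  \\       a literal backslash
Any other "\c" escape (for example \-) is not modelled and raises ValueError.
"""
import re

# path_group ANY_PATHNAME exactly as posted (raw strings keep the backslashes).
ANY_PATHNAME = [
    r"/",
    r"/\*",
    r"/\{\*\}/",
    r"/\{\*\}/\*",
    r"\*:/",
    r"\*:/\*",
    r"\*:/\{\*\}/",
    r"\*:/\{\*\}/\*",
    r"\*:[\$]",
    r"socket:[family=\$:type=\$:protocol=\$]",
]


def tomoyo_to_regex(pattern: str) -> str:
    """Translate one TOMOYO pathname pattern into a Python regular expression."""
    out = []
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c != "\\" or i + 1 >= n:
            out.append(re.escape(c))      # ordinary character, escaped for re
            i += 1
            continue
        nxt = pattern[i + 1]
        if nxt == "*":
            out.append("[^/]*")           # \* never crosses a directory boundary
            i += 2
        elif nxt == "$":
            out.append("[0-9]+")          # \$ is a decimal number
            i += 2
        elif nxt == "{":
            close = pattern.find("\\}", i + 2)
            if close < 0 or close + 2 >= n or pattern[close + 2] != "/":
                raise ValueError("\\{...\\} must be closed and followed by '/' in " + repr(pattern))
            inner = tomoyo_to_regex(pattern[i + 2:close])
            out.append("(?:" + inner + "/)+")   # one or more "inner/" components
            i = close + 3                 # skip "\}" and the trailing "/"
        elif nxt == "\\":
            out.append(re.escape("\\"))   # escaped literal backslash
            i += 2
        else:
            raise ValueError("unsupported TOMOYO wildcard \\" + nxt + " in " + repr(pattern))
    return "".join(out)


def tomoyo_match(pattern: str, path: str) -> bool:
    """True if the whole path matches the TOMOYO pattern."""
    return re.fullmatch(tomoyo_to_regex(pattern), path) is not None


def path_group_match(group, path: str):
    """Return the first member of a path_group that matches path, or None."""
    for pattern in group:
        if tomoyo_match(pattern, path):
            return pattern
    return None


if __name__ == "__main__":
    # Constructed sample paths in the forms TOMOYO presents them (file, proc,
    # pipe and socket pseudo-paths); the last one is deliberately not absolute.
    for p in ["/", "/etc", "/home/torsten/.xinitrc", "proc:/self/maps",
              "pipe:[12345]", "socket:[family=2:type=1:protocol=6]", "relative/path"]:
        print("%-40s -> %s" % (p, path_group_match(ANY_PATHNAME, p)))

    # Simplified forms of the two /home patterns from the post: \* stays within
    # one component and \{\*\}/ needs at least one intermediate directory, so
    # each line covers a different depth and both are needed together.
    for pat in [r"/home/\*/\*", r"/home/\*/\{\*\}/\*"]:
        for p in ["/home/torsten/.xinitrc", "/home/torsten/bin/tool"]:
            print("%-22s %-26s %s" % (pat, p, tomoyo_match(pat, p)))
```

Running the script prints which ANY_PATHNAME member claims each sample path; the relative path matches nothing, which is the point of the group listing only absolute and "scheme:/" forms. The translator raises on wildcards it does not model rather than silently treating them as literals, so a policy line it cannot represent is reported instead of misjudged.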