Ак Лк wrote:
> I tried to disable the execution of files in a directory /home using Tomoyo

When using black listing, please be careful with copying programs under /home
to (e.g.) /tmp directory in order to bypass black listing restriction.

Given that said, I think that the easiest way is to use a separate partition
for /home and mount that partition with noexec mount option.

If you allocated a separate partition for /home, you can specify using
major/minor block device numbers.

Using TOMOYO, you can do

  acl_group 4 file execute @ANY_PATHNAME path1.major!=8
  acl_group 4 file execute @ANY_PATHNAME path1.major=8 path1.minor!=3

and use

  use_group 4

to allow execution of programs which are not on /dev/sda3.

Using CaitSith, you can do

  100 acl execute
      100 deny path.major=8 path.minor=3
      200 allow

to deny execution of programs which are on /dev/sda3.

> path_group ANY_PATHNAME2 /\{\*\}\-home/
> path_group ANY_PATHNAME2 /\{\*\}\-home/\*

These are invalid usage of /\{ \}/ operator. /\{ \}/ operator is used like
/data/\{\*\-.svn\}/ rather than /data/\{\*\}\-.svn\/.

> path_group ANY_PATHNAME2 \*\-home:/
> path_group ANY_PATHNAME2 \*\-home:/\*
> path_group ANY_PATHNAME2 \*\-home:/\{\*\}/
> path_group ANY_PATHNAME2 \*\-home:/\{\*\}/\*
> path_group ANY_PATHNAME2 \*\-home:[\$]

I think these are useless lines because fsname:filename format will not be
used for /home.

> But it not working
>
> #kernel panic: switch_root can't execute sbin/init
>
> what was my mistake?

Because /\{\*\}\-home/\* did not match /sbin/init.

Regards.
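
Added example, not part of the original message: a Python sketch that looks up the major/minor numbers and mount options of the filesystem holding /home from text in /proc/self/mountinfo format, then fills them into the two acl_group lines quoted above. The sample mountinfo text is constructed and the function names are hypothetical; on a real system pass in the contents of /proc/self/mountinfo.

```python
import re

# Constructed sample in /proc/self/mountinfo format (not from the original message).
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
35 22 8:3 / /home rw,nosuid,nodev,relatime shared:20 - ext4 /dev/sda3 rw
36 22 0:31 / /tmp rw,nosuid,nodev shared:21 - tmpfs tmpfs rw
"""

def _unescape(field):
    # mountinfo writes space, tab, newline and backslash as \040, \011, \012, \134
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def find_mount(mountinfo, path):
    """Return (major, minor, mount_point, options) of the mount holding an absolute path."""
    best = None
    for line in mountinfo.splitlines():
        fields = line.split()
        if len(fields) < 10 or "-" not in fields[6:]:
            continue  # not a well-formed mountinfo line
        major, minor = (int(n) for n in fields[2].split(":"))
        mount_point = _unescape(fields[4])
        if path == mount_point or path.startswith(mount_point.rstrip("/") + "/"):
            # Longest mount point wins; on a tie the later line is the mount on top.
            if best is None or len(mount_point) >= len(best[2]):
                best = (major, minor, mount_point, set(fields[5].split(",")))
    return best

def tomoyo_rules(major, minor, group=4):
    """Fill device numbers into the two acl_group lines quoted in the message."""
    return [
        f"acl_group {group} file execute @ANY_PATHNAME path1.major!={major}",
        f"acl_group {group} file execute @ANY_PATHNAME path1.major={major} path1.minor!={minor}",
    ]

def report(mountinfo, path="/home"):
    """Return (warnings, rules) for the filesystem that holds path."""
    major, minor, mount_point, options = find_mount(mountinfo, path)
    warnings = []
    if mount_point != path:
        warnings.append(f"{path} is not a separate mount (it lives on {mount_point})")
    if "noexec" not in options:
        warnings.append(f"{mount_point} is mounted without noexec")
    return warnings, tomoyo_rules(major, minor)

if __name__ == "__main__":
    warnings, rules = report(SAMPLE_MOUNTINFO)
    print("\n".join(["warning: " + w for w in warnings] + rules))
```

A warning that the path is not a separate mount means the device numbers belong to a filesystem shared with other directories, so the device-based rules would cover more than /home.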