RE: "Reverse" sandbox possible?

Tetsuo Handa (kumaneko) — Sat, 23 Feb 2013 07:35:37 GMT

Hello. > I'm wondering if it's possible to create some kind of reverse sandbox with > tomoyo linux 2.0. > What I want is to deny everything access to one specific folder, except one > program. > Specificlly I only want the bitcoin client and nothing else to be able to > acces ~/.bitcoin/ So far, only \- operator is possible. That is, define a path_group like path_group ALL_BUT_BITCOIN /\*\-home/\* path_group ALL_BUT_BITCOIN /\*\-home/\{\*\}/ path_group ALL_BUT_BITCOIN /\*\-home/\{\*\}/\* path_group ALL_BUT_BITCOIN /home/\*\-.bitcoin/ path_group ALL_BUT_BITCOIN /home/\*\-.bitcoin/\* path_group ALL_BUT_BITCOIN /home/\*\-.bitcoin/\{\*\}/ path_group ALL_BUT_BITCOIN /home/\*\-.bitcoin/\{\*\}/\* and define an acl_group like acl_group 0 file read @ALL_BUT_BITCOIN acl_group 0 file write @ALL_BUT_BITCOIN and let each domain refer that acl_group using use_group keyword. use_group 0 If you can use CaitSith ( http://I-love.SAKURA.ne.jp/tomoyo/CaitSith-en.pdf ) instead of TOMOYO 2.x, then CaitSith would be easier to achieve that. Rules in CaitSith will look like below. 0 acl read path="/home/\*/.bitcoin/$\*$/\*" audit 0 0 allow task.exe="/path/to/bitcoin/client" 1 deny 0 acl write path="/home/\*/.bitcoin/$\*$/\*" audit 0 0 allow task.exe="/path/to/bitcoin/client" 1 deny I demonstrated only read and write operations. But you need to be also careful about pathname manipulation operations like rename/link/mount. If you can move ~/.bitcoin/ directory to a dedicated partition and have a symlink to the dedicated partition, you can use attributes of the dedicated partition (e.g. path.major and path.minor) for conditions to restrict access. 0 acl read path.major=XX path.minor=XX audit 0 0 allow task.exe="/path/to/bitcoin/client" 1 deny 0 acl write path.major=XX path.minor=XX audit 0 0 allow task.exe="/path/to/bitcoin/client" 1 deny

"Reverse" sandbox possible?

(None) — Fri, 22 Feb 2013 23:10:42 GMT

Hi, I'm wondering if it's possible to create some kind of reverse sandbox with tomoyo linux 2.0. What I want is to deny everything access to one specific folder, except one program. Specificlly I only want the bitcoin client and nothing else to be able to acces ~/.bitcon/ Thanks, Anonymous user

RE: How ccsecurity works as loadable kernelmodule

Tetsuo Handa (kumaneko) — Fri, 07 Sep 2012 01:10:15 GMT

I forwarded your question at http://www.spinics.net/linux/fedora/linux-security-module/msg14300.html but got little response. Please see http://vger.kernel.org/vger-lists.html#linux-security-module and post your opinion to linux-security-module ML.

How ccsecurity works as loadable kernelmodule

(None) — Sat, 11 Aug 2012 07:54:27 GMT

how tomoyo 1.7/1.8x work as loadable kernel module? Is it possible to minimize boot time by making tomoyo 2.5 as loadable kernel module ?

RE: tomoyo and 2.6.26

(None) — Mon, 08 Dec 2008 10:10:15 GMT

oh, thank you :> i'm ashamed that i didn't find earlier :~ once again- thank you very much :>

RE: tomoyo and 2.6.26

Tetsuo Handa (kumaneko) — Mon, 08 Dec 2008 05:50:31 GMT

Please see http://lists.sourceforge.jp/mailman/archives/tomoyo-users-en/2008-December/000010.html Thanks.

tomoyo and 2.6.26

(None) — Mon, 08 Dec 2008 02:41:11 GMT

hi. i've got some problems with kernel and tomoyo. i've downloaded the newest version of tomoyo - ccs-patch-1.6.5-20081111 and kernel (well... not the newest) from kernel.org could anyone tell me what I'm doing wrong? root@samantha:/usr/src/linux-2.6.26# patch -p1

RE: subpolicy switchable inside of programs

(None) — Thu, 20 Nov 2008 13:42:01 GMT

Thanks for explanation. I hope that something like chhat with userspace lib will appear in future versions of tomoyo. Note that this feature is optional in apparmor thus doesn't require any apps to be ported if they don't want to use this feature.

RE: subpolicy switchable inside of programs

Tetsuo Handa (kumaneko) — Sat, 15 Nov 2008 06:30:51 GMT

Hello. > apparmor has one very cool feature that allows to define subpolices > (called HATs) for particular program, let say /usr/bin/whatever. > The program with API can switch between these subpolices and return back to > "main" policy. > > This allows for example apache to have "main" policy that has access to > almost nothing and per virtual host subpolicies "virtual1" that gives access > to /home/www/virtual1, "virtual2" that gives access to /home/www/virtual2. > Now apache when serving virtual1 switches to "virtual1" subpolicy, > when finishes it goes back to "main", then when serving virtual2 it switches > to "virtual2" subpolicy. > Yes. That's a practical and useful feature. The key point of AppArmor's way is random values called "magic" which are used for chhat() function. > This is very nice feature. SELinux for example cannot do anything like that. > Right. This is because SELinux thinks that dropped privileges should not be revived by userland. Returning to "main" policy by userland's operation is a kind of privilege escalation which an attacker can use. > How this looks in Tomoyo? Could such feature be implemented (if it's not > already) Regarding TOMOYO, so far there is no API for userland application. There are several reasons. One is that TOMOYO doesn't require modification of userland programs. It is not a good thing to proliferate implementation specific APIs. Forcing application program developers to support SELinux's API and AppArmor's API and TOMOYO's API and more will burden the application developers. The worst result is, application developers stop supporting none of these APIs. Another one is that TOMOYO doesn't have hooks for fork() and exit() operations. This means that TOMOYO can't allocate and free memory for per process storage for storing "magic" value of chhat() function. LSM has been providing hooks (security_task_alloc() and security_task_free()) for such purpose, but these hooks will be removed shortly by merging "Copy on write credentials" patchset. I'm not sure AppArmor and TOMOYO can revive these hooks. By the way, TOMOYO 1.6.x supports process's state values which are controlled by task.state[0] task.state[1] task.state[2] variables. This feature can provide chhat() like functionality, but lacks "magic" values. For example, /usr/sbin/sshd /bin/bash allow_execute /bin/cat if task.uid=0 ; set task.state[0]=0 allow_execute /bin/cat if task.uid!=0 ; set task.state[0]=1 /usr/sbin/sshd /bin/bash /bin/cat allow_read /tmp/file1 if task.state[0]=0 allow_read /tmp/file2 if task.state[0]!=0 will allow root to read /tmp/file1 and non-root to read /tmp/file2 . If you have a chance to insert some secret calls (which corresponds with chhat()) within a process, you can use thse variables within a process.

subpolicy switchable inside of programs

(None) — Thu, 13 Nov 2008 12:40:40 GMT

apparmor has one very cool feature that allows to define subpolices (called HATs) for particular program, let say /usr/bin/whatever. The program with API can switch between these subpolices and return back to "main" policy. This allows for example apache to have "main" policy that has access to almost nothing and per virtual host subpolicies "virtual1" that gives access to /home/www/virtual1, "virtual2" that gives access to /home/www/virtual2. Now apache when serving virtual1 switches to "virtual1" subpolicy, when finishes it goes back to "main", then when serving virtual2 it switches to "virtual2" subpolicy. This is very nice feature. SELinux for example cannot do anything like that. How this looks in Tomoyo? Could such feature be implemented (if it's not already) Thanks

TOMOYO Linux version 1.6.4 released

Toshiharu Harada (haradats) — Wed, 03 Sep 2008 08:51:14 GMT

Version 1.6.4 adds support for the following kernel versions: - vanilla 2.6.27-rc5 kernel - openSUSE 11.0's 2.6.25 kernel - Ubuntu 8.10's 2.6.27 kernel - Mandriva 2009.0's 2.6.27 kenrel Now we have project pages at freshmeat and SourceForge.net. http://freshmeat.net/projects/tomoyo/ http://sourceforge.net/projects/tomoyo/ How to activate TOMOYO Linux on Mandriva - http://tomoyo.sourceforge.jp/en/1.6.x/1st-step/mandriva2008.1/ Release announce (read only) ml, "tomoyo-announce" just created - https://lists.sourceforge.net/lists/listinfo/tomoyo-announce Enjoy!

new ml created for foreign users!

Toshiharu Harada (haradats) — Tue, 29 Jul 2008 10:07:56 GMT

Please subscribe and enjoy! http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en

RE: Tomoyo linux cross reference/cypress_m8

Tetsuo Handa (kumaneko) — Thu, 19 Jun 2008 05:40:32 GMT

Please try these packages. http://osdn.dl.sourceforge.jp/tomoyo/30299/linux-image-2.6.24-19-ccs1.6.1_2.6.24-19.33_i386.deb http://osdn.dl.sourceforge.jp/tomoyo/30299/linux-ubuntu-modules-2.6.24-19-ccs1.6.1_2.6.24-19.27_i386.deb http://osdn.dl.sourceforge.jp/tomoyo/30299/linux-restricted-modules-2.6.24-19-ccs1.6.1_2.6.24.13-19.42_i386.deb http://osdn.dl.sourceforge.jp/tomoyo/30299/linux-headers-2.6.24-19-ccs1.6.1_2.6.24-19.33_i386.deb http://osdn.dl.sourceforge.jp/tomoyo/30299/linux-headers-lum-2.6.24-19-ccs1.6.1_2.6.24-19.27_i386.deb

Tomoyo linux cross reference/cypress_m8

duong anh thi (anhthi) — Thu, 19 Jun 2008 05:34:59 GMT

I have a problem with cypress_m8.c. When i build cypress_m8 project, terminal notice that " cant't find *.h in /usr/linux/*.h". I want to install linux-headers-2.6.24-ccsq.6.1. How to install it in my Ubuntu i386. please help me. Thanks a lot...

spamの消し方

Toshiharu Harada (haradats) — Mon, 16 Jun 2008 13:14:15 GMT

数日前からこのフォーラムにspamと思われるメッセージが続けて投稿されています。ここは、誰でも書き込める場所としてあえて認証をかけておらず、できるだけ現状のままで運営したいと思っています。 tomoyo-devの方はスパムを含めてメッセージを削除できるよう設定していますので、この機会に削除方法を説明します。メッセージの削除は、SF.jpにログインした状態で、「フォーラム」のメニューから「管理(admin)」を選ぶと「削除」画面が表示されます。削除は、該当するメッセージの"msg_id"を入力して行います（一度に削除できるのは1メッセージです）。msg_idは5桁の数値で、対象のメッセージを開いた状態で件名にフォーカスをあてると表示されます。存在しないmsg_idを入力するとエラーになります。 SF.jpの設定で「フォーラムをモニターする」を選択すると、該当するフォーラムで新しい発言があった場合にメールで通知されますが（私はこの設定を行っています）、そのメッセージではmsg_idが本文に記入されています。本日(6/16)の夜7時以降スパムを削除しようとしたら、既になくなっており、どなたか削除いただいのだとわかりました。どうもありがとうございました。(_ _)

RE: [BUG]: TOMOYO 1.5.1 ccs-init

Tetsuo Handa (kumaneko) — Tue, 23 Oct 2007 02:01:07 GMT

I uploaded fixed version with same name. Thnak you.

RE: [BUG]: TOMOYO 1.5.1 ccs-init

Tetsuo Handa (kumaneko) — Tue, 23 Oct 2007 00:01:47 GMT

Oops! I lost '!' somewhere. Thank you.

[BUG]: TOMOYO 1.5.1 ccs-init

(None) — Mon, 22 Oct 2007 13:59:58 GMT

select no default profile will kernel panic and stop booting. maybe ! is lost in line 121: elif [ "x$PROFILE" != "xdisable" ]; then

RE: TOMOYO audit logs

Tetsuo Handa (kumaneko) — Mon, 22 Oct 2007 00:29:58 GMT

Hello. Thank you for your opinion. Starting /usr/lib/ccs/ccs-auditd at /sbin/ccs-init would be possible if /var/ partition is mounted read-write and /usr/ partition is mounted read-only, but these partitions have to be mounted read-only at that moment because fsck is called at /etc/rc.d/rc.sysinit . TOMOYO can hold access logs up to MAX_GRANT_LOG and MAX_REJECT_LOG entries in the kernel memory so that access logs won't be lost when these partitions are not ready to write.

TOMOYO audit logs

(None) — Sat, 20 Oct 2007 13:43:07 GMT

# cat > /etc/init.d/ccs-auditd << EOF #!/bin/sh /usr/lib/ccs/ccs-auditd /dev/null /var/log/tomoyo/reject_log.txt EOF # chmod +x /etc/init.d/ccs-auditd And create symbolic links to the script. # update-rc.d ccs-auditd start 99 2 3 4 5 . Adding system startup for /etc/init.d/ccs-auditd ... /etc/rc2.d/S99ccs-auditd -> ../init.d/ccs-auditd /etc/rc3.d/S99ccs-auditd -> ../init.d/ccs-auditd /etc/rc4.d/S99ccs-auditd -> ../init.d/ccs-auditd /etc/rc5.d/S99ccs-auditd -> ../init.d/ccs-auditd it seems that start audit log from /sbin/ccs-init might be better than from init.d . 1. add a simple audit log config file /etc/ccs/log.conf: timestamp=`date %F-%T` permit_log=/var/log/tomoyo/permit_log$timestamp.txt reject_log=/var/log/tomoyo/reject_log$timestamp.txt 2. in ccs-init start autit log: . /etc/ccs/log.conf if touch $permit_log && touch $reject_log; then /usr/lib/ccs/ccs-auditd $permit_log $reject_log fi 3. then start the selected policy 4. if a log file is ordinary file(not /dev/null, /dev/console,etc), and not protected by any deny_rewrite item, automatically add to current Exception policy deny_rewrite /var/log/tomoyo/permit_log$timestamp.txt deny_rewrite /var/log/tomoyo/reject_log$timestamp.txt so that audit logs are complete and protected, and file name could be timestamped for each boot when needed.

added the link to

Toshiharu Harada (haradats) — Tue, 16 Oct 2007 16:37:11 GMT

http://elinux.org/TomoyoLinux thanks!

RE: http://cblfs.cross-lfs.org/index.php/TOMOYO

Toshiharu Harada (haradats) — Tue, 16 Oct 2007 15:43:44 GMT

it's cool! :-)

http://cblfs.cross-lfs.org/index.php/TOMOYO

(None) — Tue, 16 Oct 2007 15:24:47 GMT

http://cblfs.cross-lfs.org/index.php/TOMOYO

RE: RE ask: make TOMOYO boot quickly

Tetsuo Handa (kumaneko) — Mon, 15 Oct 2007 11:33:52 GMT

Updated. http://svn.sourceforge.jp/cgi-bin/viewcvs.cgi?rev=580&root=tomoyo&view=rev

RE: boot messag TOMOYO: 2.1.0-lkml-4 2007/1

Tetsuo Handa (kumaneko) — Mon, 15 Oct 2007 00:20:46 GMT

> 2. after it stops learning mode in this situation, which mode will be started? It is a safeguard to avoid memory consumption. Entries are no longer appended to that domain automatically. That domain behaves as if a profile for permissive mode is assigned although that domain is assigned a profile for learning mode.

RE: boot messag TOMOYO: 2.1.0-lkml-4 2007/1

Tetsuo Handa (kumaneko) — Mon, 15 Oct 2007 00:15:54 GMT

Just ignore. They are harmless. Pathnames for file_pattern directive must contain patterns. But some of automatically generated entries don't contain patterns, and the kernel complains that 'This is not a valid file_pattern entry'. Run 'savepolicy e' to exclude these invalid entries from /etc/tomoyo/exception_policy.conf .

RE: what functions have been excluded?

Tetsuo Handa (kumaneko) — Mon, 15 Oct 2007 00:10:51 GMT

Ability to restrict (1) incoming TCP connection (allow_network TCP accept) (2) incoming UDP datagrams (allow_network UDP connect) (3) incoming IP datagrams (allow_network RAW connect) (4) signal transmission (allow_signal) are excluded.

RE: boot messag TOMOYO: 2.1.0-lkml-4 2007/1

(None) — Sat, 13 Oct 2007 05:30:53 GMT

1. there are many invalid pathname. 2. after it stops learning mode in this situation, which mode will be started?

boot messag TOMOYO: 2.1.0-lkml-4 2007/10/11

(None) — Sat, 13 Oct 2007 05:25:20 GMT

Freeing unused kernel memory: 160k freed Clocksource tsc unstable (delta = 254787654 ns) Time: pit clocksource has been installed. tmy_add_pattern_entry: Invalid pathname '/proc/self/auxv' tmy_add_pattern_entry: Invalid pathname '/proc/self/clear_refs' tmy_add_pattern_entry: Invalid pathname '/proc/self/cmdline' tmy_add_pattern_entry: Invalid pathname '/proc/self/coredump_filter' tmy_add_pattern_entry: Invalid pathname '/proc/self/environ' tmy_add_pattern_entry: Invalid pathname '/proc/self/fdinfo/0' tmy_add_pattern_entry: Invalid pathname '/proc/self/fdinfo/1' tmy_add_pattern_entry: Invalid pathname '/proc/self/fdinfo/2' tmy_add_pattern_entry: Invalid pathname '/proc/self/fdinfo/3' tmy_add_pattern_entry: Invalid pathname '/proc/self/fdinfo/4' tmy_add_pattern_entry: Invalid pathname '/proc/self/fdinfo/5' tmy_add_pattern_entry: Invalid pathname '/proc/self/maps' tmy_add_pattern_entry: Invalid pathname '/proc/self/mem' tmy_add_pattern_entry: Invalid pathname '/proc/self/mounts' tmy_add_pattern_entry: Invalid pathname '/proc/self/mountstats' tmy_add_pattern_entry: Invalid pathname '/proc/self/oom_adj' tmy_add_pattern_entry: Invalid pathname '/proc/self/oom_score' tmy_add_pattern_entry: Invalid pathname '/proc/self/sched' tmy_add_pattern_entry: Invalid pathname '/proc/self/smaps' tmy_add_pattern_entry: Invalid pathname '/proc/self/stat' tmy_add_pattern_entry: Invalid pathname '/proc/self/statm' tmy_add_pattern_entry: Invalid pathname '/proc/self/status' tmy_add_pattern_entry: Invalid pathname '/proc/self/wchan' TOMOYO: 2.1.0-lkml-4 2007/10/11 TOMOYO: Mandatory Access Control activated. . . . pccard: PCMCIA card inserted into slot 1 TOMOYO-WARNING: Domain ' /sbin/udevd' has so many ACLs to hold. Stopped learning mode. cs: IO port probe 0x100-0x3af: excluding 0x130-0x137 0x200-0x207 0x220-0x22f 0x388-0x38f . . .

what functions have been excluded?

(None) — Fri, 12 Oct 2007 14:11:00 GMT

http://lkml.org/lkml/2007/10/11/140 This time, we excluded LSM expansion and related functions.

Forum: Open Discussion - TOMOYO on SourceForge.JP

RE: "Reverse" sandbox possible?

"Reverse" sandbox possible?

RE: How ccsecurity works as loadable kernelmodule

How ccsecurity works as loadable kernelmodule

RE: tomoyo and 2.6.26

RE: tomoyo and 2.6.26

tomoyo and 2.6.26

RE: subpolicy switchable inside of programs

RE: subpolicy switchable inside of programs

subpolicy switchable inside of programs

TOMOYO Linux version 1.6.4 released

new ml created for foreign users!

RE: Tomoyo linux cross reference/cypress_m8

Tomoyo linux cross reference/cypress_m8

spamの消し方

RE: [BUG]: TOMOYO 1.5.1 ccs-init

RE: [BUG]: TOMOYO 1.5.1 ccs-init

[BUG]: TOMOYO 1.5.1 ccs-init

RE: TOMOYO audit logs

TOMOYO audit logs

added the link to

RE: http://cblfs.cross-lfs.org/index.php/TOMOYO

http://cblfs.cross-lfs.org/index.php/TOMOYO

RE: RE ask: make TOMOYO boot quickly

RE: boot messag TOMOYO: 2.1.0-lkml-4 2007/1

RE: boot messag TOMOYO: 2.1.0-lkml-4 2007/1

RE: what functions have been excluded?

RE: boot messag TOMOYO: 2.1.0-lkml-4 2007/1

boot messag TOMOYO: 2.1.0-lkml-4 2007/10/11

what functions have been excluded?