Tetsuo Handa
from-****@I-lov*****
Mon Sep 5 20:57:16 JST 2011
Jamie Nguyen wrote:
> Might I ask what you personally feel are the disadvantages of your
> proposal?

The disadvantage will be that execve() for the CONFIG::file::execute={ mode=disabled } case becomes a bit slower, because (as of revision 5412) I'm checking "file execute" entries regardless of the CONFIG::file::execute settings.

Diffstat of branches/diff-exec.txt in revision 5412:

 ccs-patch/security/ccsecurity/audit.c            |   3
 ccs-patch/security/ccsecurity/condition.c        |  54 +++++++-
 ccs-patch/security/ccsecurity/domain.c           |  68 +++++++++-
 ccs-patch/security/ccsecurity/file.c             |  38 +++++
 ccs-patch/security/ccsecurity/internal.h         |   4
 ccs-patch/security/ccsecurity/policy_io.c        |   6
 ccs-tools/ccstools/usr_sbin/editpolicy.c         | 151 ++++++++++++++++++++++-
 ccs-tools/ccstools/usr_sbin/editpolicy_offline.c |  71 ++++++++++
 8 files changed, 366 insertions(+), 29 deletions(-)

You can test this by adding

  file execute /bin/cat $transit

where $transit is one of the below:

  keep
  child
  reset
  initialize
  parent
  $domainname
  $pathname

and typing

  cat /proc/ccs/self_domain

"keep" is for keeping the current domain. For example,

  <kernel> /usr/sbin/sshd /bin/bash
  file execute /bin/cat keep

results in /bin/cat running in the "<kernel> /usr/sbin/sshd /bin/bash" domain.

"initialize" is for jumping to a child of the current namespace's root domain.

  <kernel> /usr/sbin/sshd /bin/bash
  file execute /bin/cat initialize

results in /bin/cat running in the "<kernel> /bin/cat" domain.

"reset" is for jumping to the specified namespace's root domain.

  <kernel> /usr/sbin/sshd /bin/bash
  file execute /bin/cat reset

results in /bin/cat running in the "</bin/cat>" domain.

"child" is for jumping to a child of the current domain.

  <kernel> /usr/sbin/sshd /bin/bash
  file execute /bin/cat child

results in /bin/cat running in the "<kernel> /usr/sbin/sshd /bin/bash /bin/cat" domain.

"parent" is for jumping to the parent of the current domain. (If the current domain is the root of a namespace (e.g. "<kernel>"), it is interpreted as the current domain.)

  <kernel> /usr/sbin/sshd /bin/bash
  file execute /bin/cat parent

results in /bin/cat running in the "<kernel> /usr/sbin/sshd" domain.

"$domainname" is for jumping to an absolute domainname.

  <kernel> /usr/sbin/sshd /bin/bash
  file execute /bin/cat <kernel> /usr/sbin/sshd /bin/bash /bin/cat

results in /bin/cat running in the "<kernel> /usr/sbin/sshd /bin/bash /bin/cat" domain.

"$pathname" is a program's name. (A program's name must start with '/'.)

  <kernel> /usr/sbin/sshd /bin/bash
  file execute /bin/cat /bin/cat

results in /bin/cat running in the "<kernel> /usr/sbin/sshd /bin/bash /bin/cat" domain.
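The transition rules listed in the message, modelled as an added Python example so a policy author can check which domain each "file execute" entry lands a program in before loading it. This is not TOMOYO's or ccs-tools' code; it assumes a domain name is a sequence of space-separated tokens whose first token (e.g. "<kernel>") names the namespace, and the function names are mine.

```python
"""Model of the $transit keywords for TOMOYO 'file execute' entries."""

KEYWORDS = {"keep", "child", "reset", "initialize", "parent"}


def namespace_root(domain: str) -> str:
    """The namespace root of a domain is its first token, e.g. '<kernel>'."""
    return domain.split(" ", 1)[0]


def resolve_transition(current: str, program: str, transit: str) -> str:
    """Return the domain `program` runs in when executed from `current`,
    given the $transit argument of a 'file execute <program> $transit' entry.
    Follows the semantics described in the message (assumed model)."""
    if transit == "keep":
        return current
    if transit == "child":
        return f"{current} {program}"
    if transit == "initialize":
        # Child of the current namespace's root domain.
        return f"{namespace_root(current)} {program}"
    if transit == "reset":
        # Root domain of the namespace named after the program.
        return f"<{program}>"
    if transit == "parent":
        parts = current.split(" ")
        # A namespace root has no parent: stay in the current domain.
        return current if len(parts) == 1 else " ".join(parts[:-1])
    if transit.startswith("<"):
        # $domainname: an absolute domain name, jumped to as given.
        return transit
    if transit.startswith("/"):
        # $pathname: a program name, used to name the child domain.
        return f"{current} {transit}"
    raise ValueError(f"invalid transition target: {transit!r}")


def parse_execute_entry(line: str) -> tuple:
    """Split 'file execute <program> <transit>' into (program, transit).
    A $domainname transit itself contains spaces, so split at most 3 times."""
    parts = line.strip().split(" ", 3)
    if len(parts) != 4 or parts[:2] != ["file", "execute"]:
        raise ValueError(f"not a file execute entry: {line!r}")
    return parts[2], parts[3]


def domain_after_exec(current: str, entry: str) -> str:
    """Convenience: resolve the domain for a whole policy line."""
    program, transit = parse_execute_entry(entry)
    return resolve_transition(current, program, transit)
```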