From han at log69.com Wed Jul 13 19:07:46 2011
From: han at log69.com (Horvath Andras)
Date: Wed, 13 Jul 2011 12:07:46 +0200
Subject: [tomoyo-dev-en 295] allow_execute /proc/PID/exe
Message-ID: <20110713120746.7cc967df@dell.andras>

Hi,

I'd like to ask for some help. Chromium-browser is creating rules like the following in learning mode:

allow_execute /proc/$PID/exe

And of course the $PID changes every time chromium is restarted. If I replace that line with this:

allow_execute /proc/\$/exe

..then it will disappear from the rules after reloading it. Is that allowed with the "allow_execute" rule? Shouldn't it work as I expect, that with that rule chromium will be able to execute any running process's executable?

Thanks in advance!

Andras Horvath

From from-tomoyo-dev-en at I-love.SAKURA.ne.jp Wed Jul 13 23:47:22 2011
From: from-tomoyo-dev-en at I-love.SAKURA.ne.jp (Tetsuo Handa)
Date: Wed, 13 Jul 2011 23:47:22 +0900
Subject: [tomoyo-dev-en 296] Re: allow_execute /proc/PID/exe
In-Reply-To: <20110713125409.48fb7b5d@dell.andras>
References: <20110713120746.7cc967df@dell.andras> <201107131948.EFI48448.ENFPtWUPPOZSGFNPtt@I-love.SAKURA.ne.jp> <20110713125409.48fb7b5d@dell.andras>
Message-ID: <201107132347.JGB90189.FFGOPPZNPWNtPUtStE@I-love.SAKURA.ne.jp>

Horvath Andras wrote:
> > Horvath Andras wrote:
> > > Is that allowed with the "allow_execute" rule?
> > Please repost with kernel version.
> 
> Sorry about the deficient information.
> 
> Kernel version is 2.6.38-8 (Ubuntu 11.04) amd64
> Tomoyo version is 2.3.0-20100820
> 
> So my problem with Chromium browser is that it creates an
> 
> allow_execute /proc/$PID/exe
> 
> rule, and then a domain is created for this:
> 
> /usr/lib/chromium-browser/chromium-browser /proc/$PID/exe
> 
> where $PID changes with every start.
> 
> Could you recommend a solution for this, that is, which rule and domain name
> can I use here? Or how could I wildcard it?

Please map programs with random names using the aggregator directive.

aggregator /proc/\$/exe /proc/PID/exe
Please note that TOMOYO 1.8 and TOMOYO 2.4 treat /proc/self/ as proc:/self/ . This means that you will change the aggregator entry like

aggregator proc:/self/exe /proc/self/exe

From han at log69.com Wed Jul 13 23:58:09 2011
From: han at log69.com (Horvath Andras)
Date: Wed, 13 Jul 2011 16:58:09 +0200
Subject: [tomoyo-dev-en 297] Re: allow_execute /proc/PID/exe
In-Reply-To: <201107132347.JGB90189.FFGOPPZNPWNtPUtStE@I-love.SAKURA.ne.jp>
References: <20110713120746.7cc967df@dell.andras> <201107131948.EFI48448.ENFPtWUPPOZSGFNPtt@I-love.SAKURA.ne.jp> <20110713125409.48fb7b5d@dell.andras> <201107132347.JGB90189.FFGOPPZNPWNtPUtStE@I-love.SAKURA.ne.jp>
Message-ID: <20110713165809.47cc3b56@dell.andras>

Thank you.

On Wed, 13 Jul 2011 23:47:22 +0900
Tetsuo Handa wrote:

> Horvath Andras wrote:
> > > Horvath Andras wrote:
> > > > Is that allowed with the "allow_execute" rule?
> > > Please repost with kernel version.
> > 
> > Sorry about the deficient information.
> > 
> > Kernel version is 2.6.38-8 (Ubuntu 11.04) amd64
> > Tomoyo version is 2.3.0-20100820
> > 
> > So my problem with Chromium browser is that it creates an
> > 
> > allow_execute /proc/$PID/exe
> > 
> > rule, and then a domain is created for this:
> > 
> > /usr/lib/chromium-browser/chromium-browser /proc/$PID/exe
> > 
> > where $PID changes with every start.
> > 
> > Could you recommend a solution for this, that is, which rule and domain
> > name can I use here? Or how could I wildcard it?
> 
> Please map programs with random names using the aggregator directive.
> 
> aggregator /proc/\$/exe /proc/PID/exe
> 
> Please note that TOMOYO 1.8 and TOMOYO 2.4 treat /proc/self/ as
> proc:/self/ . This means that you will change the aggregator entry like
> 
> aggregator proc:/self/exe /proc/self/exe
> 
> _______________________________________________
> tomoyo-dev-en mailing list
> tomoyo-dev-en at lists.sourceforge.jp
> http://lists.sourceforge.jp/mailman/listinfo/tomoyo-dev-en

From han at log69.com Mon Jul 18 18:15:11 2011
From: han at log69.com (Horvath Andras)
Date: Mon, 18 Jul 2011 11:15:11 +0200
Subject: [tomoyo-dev-en 298] Re: mark PID namespace for delete?
In-Reply-To: <201106111647.DFH00567.NtPPtPNGZOtEFWPFSU@I-love.SAKURA.ne.jp>
References: <20110609152004.6c808945@dell.andras> <201106092235.GBD54702.FOPtPUWPZNttPNFEGS@I-love.SAKURA.ne.jp> <20110609153833.47604583@dell.andras> <201106092259.EDJ34853.tNPtNPPEFtFOPSZWGU@I-love.SAKURA.ne.jp> <20110609174822.1b54d68d@dell.andras> <201106111647.DFH00567.NtPPtPNGZOtEFWPFSU@I-love.SAKURA.ne.jp>
Message-ID: <20110718111511.0de440e5@dell.andras>

Dear Sir,

Could you kindly help me with one of our topics that I got stuck at?

On Sat, 11 Jun 2011 16:47:36 +0900
Tetsuo Handa wrote:

> To update rules in an existing domain, please feed the diff data
> 
> select $domainname
> $newrule1
> $newrule2
> delete $rule1
> delete $rule2
> delete $rule3

I wrote my algorithm for creating the diff and I've been using it since then. It seems to work fine for domain policy. Only, if I understood correctly, I add the select tag only for domain policy. And I wrote it not to add any select while creating the diff for exception policy. Is that OK?

Let's say my exception policy looks like this:

initialize_domain /usr/sbin/exim4
initialize_domain /usr/sbin/unbound
initialize_domain /usr/bin/ssh

And I want to add this:

initialize_domain /usr/bin/lftp

So the diff that I upload to exception policy would look like this:

initialize_domain /usr/bin/lftp

Is that right? Sometimes it's not working. Probably I got it wrong and surely I'm doing something wrongly. Would I need some kind of select tag here too?

Thanks again!
Andras Horvath

From from-tomoyo-dev-en at I-love.SAKURA.ne.jp Mon Jul 18 20:20:10 2011
From: from-tomoyo-dev-en at I-love.SAKURA.ne.jp (Tetsuo Handa)
Date: Mon, 18 Jul 2011 20:20:10 +0900
Subject: [tomoyo-dev-en 299] Re: mark PID namespace for delete?
In-Reply-To: <20110718111511.0de440e5@dell.andras>
References: <20110609153833.47604583@dell.andras> <201106092259.EDJ34853.tNPtNPPEFtFOPSZWGU@I-love.SAKURA.ne.jp> <20110609174822.1b54d68d@dell.andras> <201106111647.DFH00567.NtPPtPNGZOtEFWPFSU@I-love.SAKURA.ne.jp> <20110718111511.0de440e5@dell.andras>
Message-ID: <201107182020.EBI57385.EZFNtPFNOWtPUPtSPG@I-love.SAKURA.ne.jp>

Horvath Andras wrote:
> Only, if I understood correctly, I add the select tag only for domain
> policy. And I wrote it not to add any select while creating the diff
> for exception policy. Is that OK?

Right.

> Let's say my exception policy looks like this:
> 
> initialize_domain /usr/sbin/exim4
> initialize_domain /usr/sbin/unbound
> initialize_domain /usr/bin/ssh
> 
> And I want to add this:
> 
> initialize_domain /usr/bin/lftp
> 
> So the diff that I upload to exception policy would look like this:
> 
> initialize_domain /usr/bin/lftp
> 
> Is that right?

Right.

> Sometimes it's not working. Probably I got it wrong and
> surely I'm doing something wrongly.

Be sure to add a trailing '\n'.
You can dump what string was written by your program using strace.

> Would I need some kind of select tag here too?

No.

"select" is for domain policy only.

From han at log69.com Mon Jul 18 20:31:31 2011
From: han at log69.com (Horvath Andras)
Date: Mon, 18 Jul 2011 13:31:31 +0200
Subject: [tomoyo-dev-en 300] Re: mark PID namespace for delete?
In-Reply-To: <201107182020.EBI57385.EZFNtPFNOWtPUPtSPG@I-love.SAKURA.ne.jp>
References: <20110609153833.47604583@dell.andras> <201106092259.EDJ34853.tNPtNPPEFtFOPSZWGU@I-love.SAKURA.ne.jp> <20110609174822.1b54d68d@dell.andras> <201106111647.DFH00567.NtPPtPNGZOtEFWPFSU@I-love.SAKURA.ne.jp> <20110718111511.0de440e5@dell.andras> <201107182020.EBI57385.EZFNtPFNOWtPUPtSPG@I-love.SAKURA.ne.jp>
Message-ID: <20110718133131.1dd40f21@dell.andras>

On Mon, 18 Jul 2011 20:20:10 +0900
Tetsuo Handa wrote:

> Horvath Andras wrote:
> > Only, if I understood correctly, I add the select tag only for domain
> > policy. And I wrote it not to add any select while creating the diff
> > for exception policy. Is that OK?
> 
> Right.
> 
> > Let's say my exception policy looks like this:
> > 
> > initialize_domain /usr/sbin/exim4
> > initialize_domain /usr/sbin/unbound
> > initialize_domain /usr/bin/ssh
> > 
> > And I want to add this:
> > 
> > initialize_domain /usr/bin/lftp
> > 
> > So the diff that I upload to exception policy would look like this:
> > 
> > initialize_domain /usr/bin/lftp
> > 
> > Is that right?
> 
> Right.
> 
> > Sometimes it's not working. Probably I got it wrong and
> > surely I'm doing something wrongly.
> 
> Be sure to add a trailing '\n'.
> You can dump what string was written by your program using strace.
> 
> > Would I need some kind of select tag here too?
> No.
> 
> "select" is for domain policy only.

I must be having some bug in my code. Thank you.

From han at log69.com Wed Jul 27 00:13:30 2011
From: han at log69.com (Horvath Andras)
Date: Tue, 26 Jul 2011 17:13:30 +0200
Subject: [tomoyo-dev-en 301] aggregator / Tomoyo 2.2
Message-ID: <20110726171330.4c3a588c@dell.andras>

Dear Sir,

I'd like to ask for help with the aggregator directive.
When I create an exception policy like this:

initialize_domain /sbin/init
aggregator /proc/\$/exe /proc/PID/exe

..and save it to the /etc/tomoyo/exception_policy.conf file and I run:

tomoyo-loadpolicy fe ; tomoyo-savepolicy fe ; cat e

I get:

initialize_domain /sbin/init

So the line with the aggregator directive gets removed. This happens on kernel 2.6.32 with Tomoyo 2.2 (Debian 6), but doesn't happen on 2.6.38 with Tomoyo 2.3 (Ubuntu 11.04), both amd64 platforms.

The documentation here mentions the aggregator for Tomoyo 2.2:
http://tomoyo.sourceforge.jp/2.2/initialize.html.en

What am I missing here? Could you kindly help me with this?

Thank you,
Andras Horvath

From from-tomoyo-dev-en at I-love.SAKURA.ne.jp Wed Jul 27 06:34:28 2011
From: from-tomoyo-dev-en at I-love.SAKURA.ne.jp (Tetsuo Handa)
Date: Wed, 27 Jul 2011 06:34:28 +0900
Subject: [tomoyo-dev-en 302] Re: aggregator / Tomoyo 2.2
In-Reply-To: <20110726171330.4c3a588c@dell.andras>
References: <20110726171330.4c3a588c@dell.andras>
Message-ID: <201107270634.BIC05752.PZSOPPFtPUGNEtWFNt@I-love.SAKURA.ne.jp>

Horvath Andras wrote:
> The documentation here mentions the aggregator for Tomoyo 2.2:
> http://tomoyo.sourceforge.jp/2.2/initialize.html.en

As "Allow execution of programs with temporary names?" in
http://tomoyo.sourceforge.jp/comparison.html says,
"aggregator" is not available in TOMOYO 2.2.

It's a documentation error in initialize.html . Thanks.

From han at log69.com Wed Jul 27 14:43:39 2011
From: han at log69.com (Horvath Andras)
Date: Wed, 27 Jul 2011 07:43:39 +0200
Subject: [tomoyo-dev-en 303] Re: aggregator / Tomoyo 2.2
In-Reply-To: <201107270634.BIC05752.PZSOPPFtPUGNEtWFNt@I-love.SAKURA.ne.jp>
References: <20110726171330.4c3a588c@dell.andras> <201107270634.BIC05752.PZSOPPFtPUGNEtWFNt@I-love.SAKURA.ne.jp>
Message-ID: <20110727074339.0a7c178a@dell.andras>

Thank you.
On Wed, 27 Jul 2011 06:34:28 +0900
Tetsuo Handa wrote:

> Horvath Andras wrote:
> > The documentation here mentions the aggregator for Tomoyo 2.2:
> > http://tomoyo.sourceforge.jp/2.2/initialize.html.en
> 
> As "Allow execution of programs with temporary names?" in
> http://tomoyo.sourceforge.jp/comparison.html says,
> "aggregator" is not available in TOMOYO 2.2.
> 
> It's a documentation error in initialize.html . Thanks.
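The two mechanisms discussed in this thread, the aggregator entry from message 296 and the select/delete diff format from messages 298 and 299, as one added example. This is editor-written illustration code, not code from the thread, from Horvath's tool or from the TOMOYO project. It assumes that only the TOMOYO wildcards \$ (one or more digits), \+ (one digit), \* (zero or more characters other than '/') and \? (one character other than '/') need translating, that a domain is created by writing its name and targeted afterwards with "select", and that "delete <domain>" removes a domain; the function names and the learned Chromium policy (PIDs 3120 and 3187, the /etc/ld.so.cache and fonts.conf reads) are constructed for the demo.

```python
r"""TOMOYO 2.x policy-text helper (added example; not code from this thread or
from the TOMOYO project).  Shows the aggregator of message 296 collapsing
temporary names like /proc/3120/exe into one stable name, and the diff format
of messages 298/299: "select <domain>", added rules and "delete <rule>" lines
for domain policy; plain lines and no select for exception policy; every line
newline-terminated.  Assumptions: only the wildcards \$ (one or more digits),
\+ (one digit), \* (zero or more non-'/' chars) and \? (one non-'/' char) are
translated, anything else stays literal; the sample policy below is constructed.
"""
import re

LEARNED_DOMAIN_POLICY = """\
<kernel> /usr/lib/chromium-browser/chromium-browser
use_profile 1
allow_execute /proc/3120/exe
allow_execute /proc/3187/exe
<kernel> /usr/lib/chromium-browser/chromium-browser /proc/3120/exe
use_profile 1
allow_read /etc/ld.so.cache
<kernel> /usr/lib/chromium-browser/chromium-browser /proc/3187/exe
use_profile 1
allow_read /etc/ld.so.cache
allow_read /etc/fonts/fonts.conf
"""
EXCEPTION_POLICY = "initialize_domain /sbin/init\naggregator /proc/\\$/exe /proc/PID/exe\n"
WILDCARDS = {"$": "[0-9]+", "+": "[0-9]", "*": "[^/]*", "?": "[^/]"}


def pattern_to_regex(pattern):
    """Compile the supported TOMOYO wildcards into a regex (see assumptions)."""
    out, i = [], 0
    while i < len(pattern):
        esc = pattern[i] == "\\" and i + 1 < len(pattern)
        out.append(WILDCARDS.get(pattern[i + 1], re.escape(pattern[i:i + 2])) if esc
                   else re.escape(pattern[i]))
        i += 2 if esc else 1
    return re.compile("".join(out))


def parse_aggregators(exception_policy):
    """(compiled pattern, aggregated name) pairs from exception policy text."""
    return [(pattern_to_regex(p[1]), p[2])
            for p in (line.split() for line in exception_policy.splitlines())
            if len(p) == 3 and p[0] == "aggregator"]


def aggregate(path, aggregators):
    """Name the kernel uses for `path` once the aggregators are loaded."""
    for regex, name in aggregators:
        if regex.fullmatch(path):
            return name
    return path


def normalize_domain_policy(text, aggregators):
    """Parse domain_policy text into {domain: [rules]}; program names in domain
    names and allow_execute rules are aggregated, merged domains deduplicated."""
    domains, current = {}, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        parts = line.split()
        if parts[0] == "<kernel>":
            current = " ".join(parts[:1] + [aggregate(p, aggregators) for p in parts[1:]])
            domains.setdefault(current, [])
        elif current is not None:
            if parts[0] == "allow_execute" and len(parts) == 2:
                line = "allow_execute " + aggregate(parts[1], aggregators)
            if line not in domains[current]:
                domains[current].append(line)
    return domains


def domain_policy_diff(old, new):
    """Text for /sys/kernel/security/tomoyo/domain_policy that turns `old` into
    `new`: a new domain is created by writing its name, an existing one is
    targeted with "select" and patched in place, a vanished one is deleted."""
    out = []
    for domain in sorted(set(old) | set(new)):
        if domain not in new:
            out.append("delete " + domain)
        elif domain not in old:
            out.append(domain)
            out.extend(new[domain])
        else:
            added = [r for r in new[domain] if r not in old[domain]]
            removed = [r for r in old[domain] if r not in new[domain]]
            if added or removed:
                out.append("select " + domain)
                out.extend(added)
                out.extend("delete " + r for r in removed)
    return "".join(line + "\n" for line in out)  # every line newline-terminated


def exception_policy_diff(old_text, new_text):
    """Same for exception_policy: no select, only adds and deletes."""
    old = [l.strip() for l in old_text.splitlines() if l.strip()]
    new = [l.strip() for l in new_text.splitlines() if l.strip()]
    out = [l for l in new if l not in old] + ["delete " + l for l in old if l not in new]
    return "".join(line + "\n" for line in out)


if __name__ == "__main__":
    aggs = parse_aggregators(EXCEPTION_POLICY)
    # In a real tool this string is written in one write() to domain_policy.
    print(domain_policy_diff(normalize_domain_policy(LEARNED_DOMAIN_POLICY, []),
                             normalize_domain_policy(LEARNED_DOMAIN_POLICY, aggs)), end="")
```

Run stand-alone it prints the diff that turns the two per-PID Chromium domains into the single `/proc/PID/exe` domain: one `select` block for the parent domain that swaps the two `allow_execute /proc/NNNN/exe` rules for `allow_execute /proc/PID/exe`, two `delete <kernel> ...` lines for the stale domains, and the merged domain written out in full. Note that the diff functions never emit a line without its newline, which is the failure Handa points at in message 299; if a tool built on this still sees rules silently dropped, `strace -e trace=write -s 256` on the tool shows exactly what bytes reached the interface. The TOMOYO 1.8/2.4 `proc:/self/` naming from message 296 is not modelled here.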