[tomoyo-users-en 106] Re: can I use tomoyo in order to run individual applications in a sandbox?

Tetsuo Handa from-****@I-lov*****
Thu Sep 24 15:15:05 JST 2009


Hello.

Bettina Herzog wrote:
> I am new to this list, I consider tomoyo as an alternative to AppArmor.
> Before I start patching my kernel, I'd be happy if you could sketch how the
> following would work in tomoyo.
> 
> I want to confine some closed source applications such as Adobe Reader, the
> firefox plugins for flash and realplayer, or Skype to some minimal sets of
> rights. The reason is that these programs have network access and scripting
> capabilities and, in case there is a security compromise, I don't want them
> to be able to access all the users' home directories. As far as the Adobe
> Reader is concerned, I'd prefer to deny it any network access. Skype should
> not see any user files except for its own configuration.
> 
> 1) If I want to deny some applications all network access, I need to use
> Tomoyo 1.x.x rather than 2.x.x. Correct?
> 
Correct.

> If I run tomoyo in 'learning mode' while I am using, say, firefox, it records
> all capabilities that my firefox needs during that session. Can I 
> 2) get a profile for firefox that applies independently of how firefox is
> started, say from KDE, from the shell,.... I.e. can I abstract a profile and
> make it independent of its process execution history as long as the
> /usr/bin/firefox binary is called?
> 
Yes. (The "profile" in AppArmor corresponds with "domain policy" in TOMOYO.
The "profile" in TOMOYO means a collection of access control modes.)

For example, in an Ubuntu 8.04 i686 environment,
/usr/bin/firefox is a symlink to /usr/bin/firefox-3.0 .
/usr/bin/firefox-3.0 is a symlink to /usr/lib/firefox-3.0.14/firefox.sh .
/usr/lib/firefox-3.0.14/firefox.sh executes /usr/lib/firefox-3.0.14/firefox .
Thus, /usr/lib/firefox-3.0.14/firefox is the program to specify with the
"initialize_domain" keyword. But you should not directly add

  initialize_domain /usr/lib/firefox-3.0.14/firefox

to the exception policy, or firefox will no longer be protected when
its pathname changes to /usr/lib/firefox-3.0.15/firefox by software updates.

To handle such pathname changes, TOMOYO provides the "aggregator" keyword.
You can map a program's pathnames to some symbolic pathname. For example,

  aggregator /usr/lib/firefox-\*/firefox /usr/lib/firefox/firefox

will make TOMOYO behave as if execution of /usr/lib/firefox/firefox is
requested when execution of

  /usr/lib/firefox-3.0.14/firefox
  /usr/lib/firefox-3.0.15/firefox
  /usr/lib/firefox-3.0.16/firefox

etc. is requested.

Thus, you should add

  aggregator /usr/lib/firefox-\*/firefox /usr/lib/firefox/firefox
  initialize_domain /usr/lib/firefox/firefox

rather than

  initialize_domain /usr/lib/firefox-3.0.14/firefox

to the exception policy.

Also, some programs (e.g. Adobe Reader) might be executed from firefox.
Recently, attacks through opening specially crafted documents are increasing.
Thus, if possible, you should also protect programs executed from firefox.
You can choose from three options.

(1) Run Adobe Reader within Firefox.

    You can add "keep_domain <kernel> /usr/lib/firefox/firefox"
    to the exception policy if you want to identify Adobe Reader and Firefox.
    You won't choose this one because you don't want to allow Adobe Reader
    to access the network.

(2) Run Adobe Reader like Firefox.

    If you want to ignore process execution history when executing
    Adobe Reader, you can add the path to Adobe Reader,
    "initialize_domain /opt/Adobe/Reader8/bin/acroread",
    to the exception policy. Adobe Reader will then run inside the
    "<kernel> /opt/Adobe/Reader8/bin/acroread" domain
    (likewise, Firefox runs inside "<kernel> /usr/lib/firefox/firefox").

(3) Run Adobe Reader as a child of Firefox. (Default)

    In this case, you will get a domain like
    "<kernel> /usr/lib/firefox/firefox /opt/Adobe/Reader8/bin/acroread".

> 3) extract this profile from the system, somehow get an ASCII file, pass this
> ASCII file to another computer that runs tomoyo and enforce the profile on
> the other machine? Thus avoiding learning mode on the other machine, for
> precisely one application such as firefox?

Yes. TOMOYO's configuration is an ASCII file. You can pick up the blocks starting
with the "<kernel> /usr/lib/firefox/firefox" line from the domain policy.

Please be careful with lib/lib32/lib64 differences when copying to a different
environment.

Regards.
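The following is an added example, written for this archive page and not part of the mail or of the TOMOYO project. It is a small Python model of the exception-policy behaviour the reply describes: an "aggregator" line folds versioned Firefox paths into /usr/lib/firefox/firefox, "initialize_domain" starts a fresh "<kernel> /path" domain (option 2), "keep_domain" keeps children in the parent's domain (option 1), and the default produces the "<parent> /child" domain name (option 3). It also performs the step from question 3: picking the "<kernel> /usr/lib/firefox/firefox" blocks (and their child domains) out of a domain policy so they can be carried to another machine. Assumptions: the `\*` wildcard is taken to match any run of characters other than "/", the sample exception and domain policies are constructed, and the rule lines inside the domain blocks are illustrative only.

```python
"""Toy model of the TOMOYO 1.x exception-policy keywords from the reply above.

Constructed example: it only mimics the domain-naming behaviour the mail
describes (aggregator, initialize_domain, keep_domain and the default
parent-child domain names) and the "pick the block starting with
<kernel> /usr/lib/firefox/firefox" step used to move a domain policy to
another machine. It is not TOMOYO's own code and does not read /proc/ccs.
"""
import re

# Constructed exception policy: the two lines the reply recommends for Firefox.
# Adobe Reader is left at the default (option 3) unless a caller appends a line.
EXCEPTION_POLICY = r"""
aggregator /usr/lib/firefox-\*/firefox /usr/lib/firefox/firefox
initialize_domain /usr/lib/firefox/firefox
"""

# Constructed domain policy in the "<kernel> ..." block layout of domain_policy.conf;
# the rule lines under each domain are illustrative only.
DOMAIN_POLICY = r"""
<kernel> /usr/sbin/sshd
use_profile 3
allow_read /etc/ssh/sshd_config

<kernel> /usr/lib/firefox/firefox
use_profile 3
allow_read /etc/resolv.conf

<kernel> /usr/lib/firefox/firefox /opt/Adobe/Reader8/bin/acroread
use_profile 3
allow_read /home/\*/Documents/\*.pdf
"""


def parse_exception_policy(text):
    """Split exception_policy.conf-style lines into the three keyword groups modelled here."""
    policy = {"aggregator": [], "initialize_domain": set(), "keep_domain": set()}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(" ")
        if keyword == "aggregator":
            pattern, target = rest.split()
            policy["aggregator"].append((pattern, target))
        elif keyword in ("initialize_domain", "keep_domain"):
            policy[keyword].add(rest.strip())
        # any other exception-policy keyword is ignored by this model
    return policy


def pattern_to_regex(pattern):
    r"""Assumption: \* matches any run of characters except '/'; everything else
    is literal (the only wildcard this model understands)."""
    parts = [re.escape(p) for p in pattern.split("\\*")]
    return re.compile("^" + "[^/]*".join(parts) + "$")


def aggregate(path, policy):
    """Apply the first matching aggregator line, else return the path unchanged."""
    for pattern, target in policy["aggregator"]:
        if pattern_to_regex(pattern).match(path):
            return target
    return path


def next_domain(parent_domain, exec_path, policy):
    """Domain the executed program ends up in, following the three cases in the reply."""
    program = aggregate(exec_path, policy)
    if program in policy["initialize_domain"]:
        return "<kernel> " + program          # option (2): execution history ignored
    if parent_domain in policy["keep_domain"]:
        return parent_domain                  # option (1): child stays in the parent's domain
    return parent_domain + " " + program      # option (3), the default: "<parent> /child"


def extract_domains(domain_policy_text, prefix):
    """Return {domain_name: [rule lines]} for blocks named prefix or a child domain of it."""
    blocks, current = {}, None
    for line in domain_policy_text.splitlines():
        if line.startswith("<kernel>"):
            name = line.strip()
            current = name if name == prefix or name.startswith(prefix + " ") else None
            if current:
                blocks[current] = []
        elif current and line.strip():
            blocks[current].append(line.strip())
    return blocks


if __name__ == "__main__":
    policy = parse_exception_policy(EXCEPTION_POLICY)
    for parent, prog in [("<kernel> /usr/bin/bash", "/usr/lib/firefox-3.0.15/firefox"),
                         ("<kernel> /usr/lib/firefox/firefox", "/opt/Adobe/Reader8/bin/acroread")]:
        print(parent, "+", prog, "->", next_domain(parent, prog, policy))
    for name, rules in extract_domains(DOMAIN_POLICY, "<kernel> /usr/lib/firefox/firefox").items():
        print(name, rules)
```

Appending "initialize_domain /opt/Adobe/Reader8/bin/acroread" or "keep_domain <kernel> /usr/lib/firefox/firefox" to EXCEPTION_POLICY switches the model between options (2) and (1); the extracted blocks keep the "lib" paths verbatim, which is exactly where the lib/lib32/lib64 caution in the reply applies when the copy lands on a machine with a different layout.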
