On 6 June 2016 at 15:52, Tetsuo Handa <pengu****@i-lov*****> wrote:
> Roman Yeryomin wrote:
>> > This is a situation where CaitSith will fit better.
>> >
>> > Since Memory Technology Device is a character device with major = 90,
>> > you will be able to define CaitSith's rule like below.
>> >
>> > ----------------------------------------
>> > 10 read path.type=char path.dev_major=90
>> > 10 allow task.exe="/bin/dd"
>> > 20 allow task.exe="/sbin/fw-tool"
>> > 30 deny
>> >
>> > 10 write path.type=char path.dev_major=90
>> > 10 allow task.exe="/sbin/fw-tool"
>> > 20 deny
>> >
>> > 10 append path.type=char path.dev_major=90
>> > 10 allow task.exe="/sbin/fw-tool"
>> > 20 deny
>> > ----------------------------------------
>>
>> Thank you for this pointer, I will certainly look closer at CaitSith!
>>
>
> I forgot to add the "acl" keyword in the example above.
> Anyway, here is what I guess you want to try if you use CaitSith.
>
> ---------- /etc/caitsith/policy/current ----------
> quota memory audit 16777216
> quota memory query 1048576
> quota audit[0] allowed=0 denied=1024 unmatched=0
>
> 10 acl read path.type=char path.dev_major=90
>     audit 0
>     10 allow task.exe="/usr/bin/dd"
>     20 allow task.exe="/sbin/the-tool"
>     30 deny
>
> 10 acl read path.fsmagic=0x9FA0 path="proc:/mtd"
>     audit 0
>     10 allow task.exe="/sbin/the-tool"
>     20 deny
>
> 10 acl write path.type=char path.dev_major=90
>     audit 0
>     10 allow task.exe="/sbin/the-tool"
>     20 deny
>
> 10 acl append path.type=char path.dev_major=90
>     audit 0
>     10 allow task.exe="/sbin/the-tool"
>     20 deny
>
> 100 acl mount
>     audit 1
>     10 deny task.exe!="/bin/mount"
>     20 allow target="/proc/" fstype="proc" flags=0x0
>     30 allow target="/sys/" fstype="sysfs" flags=0x0
>     40 deny
>
> 0 acl modify_policy
>     audit 0
>     10 deny
> ---------- /etc/caitsith/policy/current ----------

Just tried CaitSith on a 4.1 kernel and I'm getting this:

[ 10.403615] ------------[ cut here ]------------
[ 10.408411] WARNING: CPU: 0 PID: 1 at mm/page_alloc.c:2668 __alloc_pages_nodemask+0x164/0x624()
[ 10.417430] Modules linked in: ohci_platform ohci_hcd ehci_platform ehci_hcd gpio_button_hotplug usbcore nls_base usb_common crc16 aead crypto_hash
[ 10.431202] CPU: 0 PID: 1 Comm: procd Not tainted 4.1.16 #46
[ 10.437037] Stack : 803a6480 00000000 00000001 803f0000 87828278 803e6b0b 80386024 00000001
        8045357c 87454f68 87ba0c00 00400000 87b29988 800a689c 803f6304 803e0000
        00000003 87454f68 80389894 8781782c 87b29988 800a4eb0 00000000 00000000
        00000001 80450000 00000000 00000000 00000000 00000000 00000000 00000000
        00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
        ...
[ 10.474068] Call Trace:
[ 10.476610] [<800720bc>] show_stack+0x50/0x84
[ 10.481127] [<800817b4>] warn_slowpath_common+0xa0/0xd0
[ 10.486519] [<80081868>] warn_slowpath_null+0x18/0x24
[ 10.491743] [<800d3cdc>] __alloc_pages_nodemask+0x164/0x624
[ 10.497500] [<800e646c>] kmalloc_order+0x14/0x48
[ 10.502280] [<801862a8>] cs_realpath+0x90/0x380
[ 10.506976] [<8017dfb4>] cs_populate_patharg+0x60/0xc4
[ 10.512289] [<8017e2c4>] cs_cond2arg+0x2ac/0x644
[ 10.517056] [<8017e700>] cs_condition+0xa4/0x6c8
[ 10.521831] [<8017edc8>] cs_check_acl+0xa4/0x21c
[ 10.526604] [<8018055c>] cs_open_permission+0xdc/0x108
[ 10.531939] [<8017b684>] security_file_open+0x40/0xac
[ 10.537171] [<800fe8fc>] do_dentry_open+0x198/0x358
[ 10.542219] [<800ffc50>] dentry_open+0x58/0xac
[ 10.546818] [<8017015c>] ovl_dir_open+0x54/0xb0
[ 10.551507] [<800fe984>] do_dentry_open+0x220/0x358
[ 10.556548] [<8010dc80>] do_last.isra.11+0x974/0xc2c
[ 10.561683] [<8010e120>] path_openat+0x1e8/0x530
[ 10.566453] [<8010f508>] do_filp_open+0x3c/0xa4
[ 10.571139] [<800fffe4>] do_sys_open+0x18c/0x234
[ 10.575912] [<80062b3c>] handle_sys+0x11c/0x140
[ 10.580588]
[ 10.582136] ---[ end trace cc67026967ada591 ]---
[ 10.586902] ERROR: Out of memory at cs_realpath.
[ 10.591679] CaitSith: Rejecting access request due to out of memory.

Any idea why? I didn't have this problem with Tomoyo.

Regards,
Roman
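As an added worked example (not code from this thread and not CaitSith's own matching code), the Python script below is a toy evaluator for the policy fragment Tetsuo posted above. It parses the `N acl OP cond...` headers and their `N allow|deny cond...` entries and answers which executable may read, write or append to an MTD character device (major 90), mount /proc, or modify the policy. The matching semantics are an assumption made for this example: acl blocks whose operation and conditions match the request are tried in ascending priority, their entries likewise, the first matching entry decides, and a request that no entry matches is reported as `unmatched` (the third counter in the policy's `quota audit[0]` line). `quota` and `audit` lines are configuration rather than matching rules and are skipped. The helper `mtd_access` and the request attribute dictionaries are inventions of this example.

```python
"""Toy evaluator for the CaitSith policy fragment quoted in the thread.

Added example; not CaitSith's implementation.  Assumed semantics: matching
acl blocks and their allow/deny entries are tried in ascending priority and
the first matching entry decides; otherwise the request is "unmatched".
"""
import re
import shlex

# Policy transcribed from the thread (separator lines omitted).
POLICY = """
quota memory audit 16777216
quota memory query 1048576
quota audit[0] allowed=0 denied=1024 unmatched=0

10 acl read path.type=char path.dev_major=90
    audit 0
    10 allow task.exe="/usr/bin/dd"
    20 allow task.exe="/sbin/the-tool"
    30 deny

10 acl read path.fsmagic=0x9FA0 path="proc:/mtd"
    audit 0
    10 allow task.exe="/sbin/the-tool"
    20 deny

10 acl write path.type=char path.dev_major=90
    audit 0
    10 allow task.exe="/sbin/the-tool"
    20 deny

10 acl append path.type=char path.dev_major=90
    audit 0
    10 allow task.exe="/sbin/the-tool"
    20 deny

100 acl mount
    audit 1
    10 deny task.exe!="/bin/mount"
    20 allow target="/proc/" fstype="proc" flags=0x0
    30 allow target="/sys/" fstype="sysfs" flags=0x0
    40 deny

0 acl modify_policy
    audit 0
    10 deny
"""

_COND_RE = re.compile(r"([\w.]+)(!=|=)(.*)")


def parse_conditions(tokens):
    """tokens like task.exe=/bin/dd (quotes already stripped by shlex)
    become (key, operator, value) triples."""
    conds = []
    for tok in tokens:
        m = _COND_RE.fullmatch(tok)
        if m is None:
            raise ValueError(f"bad condition: {tok!r}")
        conds.append(m.groups())
    return conds


def parse_policy(text):
    """Collect acl headers and their allow/deny entries; skip quota/audit lines."""
    acls, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("quota ", "audit ")):
            continue
        tokens = shlex.split(line)
        priority, keyword = int(tokens[0]), tokens[1]
        if keyword == "acl":
            current = {"priority": priority, "op": tokens[2],
                       "conds": parse_conditions(tokens[3:]), "entries": []}
            acls.append(current)
        elif keyword in ("allow", "deny") and current is not None:
            current["entries"].append((priority, keyword, parse_conditions(tokens[2:])))
        else:
            raise ValueError(f"unexpected line: {line!r}")
    return acls


def conditions_match(conds, request):
    """All conditions must hold; values compare as strings.  A missing
    attribute fails '=' and satisfies '!=' (assumption of this example)."""
    for key, op, value in conds:
        actual = request.get(key)
        equal = actual is not None and str(actual) == value
        if (op == "=" and not equal) or (op == "!=" and equal):
            return False
    return True


def evaluate(acls, request):
    """Return 'allow', 'deny' or 'unmatched' for a request dict with an 'op'
    key plus the attributes the policy conditions refer to."""
    for acl in sorted(acls, key=lambda a: a["priority"]):
        if acl["op"] != request["op"] or not conditions_match(acl["conds"], request):
            continue
        for _prio, verdict, conds in sorted(acl["entries"], key=lambda e: e[0]):
            if conditions_match(conds, request):
                return verdict
    return "unmatched"


ACLS = parse_policy(POLICY)


def mtd_access(op, exe):
    """Decision for `exe` doing `op` on an MTD character device (major 90)."""
    return evaluate(ACLS, {"op": op, "path.type": "char",
                           "path.dev_major": 90, "task.exe": exe})


if __name__ == "__main__":
    for op in ("read", "write", "append"):
        for exe in ("/usr/bin/dd", "/sbin/the-tool", "/bin/sh"):
            print(f"{op:6} by {exe:15}: {mtd_access(op, exe)}")
```

Running it shows the intended split: `/usr/bin/dd` can only read the flash, `/sbin/the-tool` can read, write and append, everything else is denied, and a read of an ordinary file matches no acl at all and falls through as `unmatched`. Note that the policy keys on `task.exe`, so it is only as strong as the integrity of those two binaries; an attacker who can overwrite `/sbin/the-tool` inherits its access.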