[tomoyo-users-en 679] Re: [Caitsith] bind wildcard expressions

Tetsuo Handa pengu****@I-lov*****
Thu May 25 05:43:46 JST 2017


Torsten Wortwein wrote:
> Is it possible to bind '\$' for a query occurring during run-time and
> then use it in the rules? With the following, I want to allow only root
> and the current process to read its /proc/\$/mem. Is something
> like this possible with caitsith?

Such binding is not possible, but "/proc/self" is represented as "proc:/self"
rather than "proc:/\$". Thus,

> 
> 10 acl read /proc/\$/mem
>     1 allow task.euid=0
>     10 allow task.pid=\$
>     100 deny

I think you want something like below.

10 acl read path.fsmagic=0x9FA0 path="proc:/\*/mem"
    audit 0
    10 allow path="proc:/self/mem"
    20 allow task.uid=0 task.gid=0 task.euid=0 task.egid=0
    30 deny

This example checks filesystem magic before checking pathnames
so that the kernel does not need to evaluate "proc:/\*/mem" for
pathnames not in proc filesystem.