Using Tomoyo Linux





Want to block suspicious behaviour by programs? Limit what an exploited vulnerability can do? Rule out the execution of unauthorised code?

TOMOYO Linux is an implementation of mandatory access control for the Linux operating system. It is part of the mainline kernel, and the Debian kernel is built with it. It lets you see what the system does and confine it strictly within a given policy.



Below, policy creation is described both for an individual application and for the whole system.

The examples are built on Debian Wheezy and the Tomoyo 2.5 available in its kernel.



Basics


1. Domains.

Tomoyo is built around the concept of a domain. A domain is a process (more precisely, a process identified by the chain of programs that led to it), and a domain transition is the relation between processes.



The base domain is always <kernel>. On a Debian desktop the domain tree starts like this (one domain per line; the name is the chain of programs that led to it):

<kernel>
<kernel> /sbin/init
<kernel> /sbin/init /etc/rc.d/rc
<kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3








Every process runs in some domain, and the domain name records how the process was reached.

So a /bin/bash reached by one path and a bash started through sshd live in two different domains:

/sbin/init ..... /bin/bash

/sbin/init ..... /usr/sbin/sshd /bin/bash

The rules given to bash in one of these domains do not apply to bash in the other: each domain carries its own rules. That is the main feature of Tomoyo.



The domain tree can be viewed in tomoyo-editpolicy:

tomoyo-editpolicy

In the editor, press W and then D (w & d) to switch to the Domain Transition Editor.



2. Rules.

Each domain carries a list of rules saying what processes in that domain may do: which files they may read, write or execute, which network connections they may make, and so on. For example:

file execute /bin/ls - allows executing ls.

A rule may carry a condition:

file execute /bin/ls task.uid=0 - allows executing ls only when the process runs as uid 0, that is, as root.







3. Profiles.

Every domain is assigned a profile, and the profile sets the mode in which the domain's rules are applied.

There are 4 modes:

0 - disabled: nothing is checked and nothing is logged.

1 - learning: accesses are allowed and are automatically added to the domain's policy as new rules.

2 - permissive: everything is allowed, as in 0, but accesses not covered by the rules are logged.

3 - enforcing: accesses not covered by the rules are denied.

Profiles are edited in tomoyo-editpolicy (w & p), the Profile Editor.

The goal of the procedure below is to end up with the domain in profile 3.



4. Exceptions.

The exception policy holds what is not tied to a single domain: domain transition rules such as initialize_domain and keep_domain, and groups such as path_group that several domains can refer to.

It is edited in tomoyo-editpolicy (w & e), the Exception Policy Editor.







5. Files.

The policy lives in three files:

/etc/tomoyo/domain_policy.conf - the domain policy: the domain tree with each domain's rules.

/etc/tomoyo/profile.conf - the profiles.

/etc/tomoyo/exception_policy.conf - the exception policy.

Note that tomoyo-editpolicy changes the policy loaded in the kernel, not these files. Changes live in kernel memory until they are written back with tomoyo-savepolicy. Do not forget to save!



6. Tools.

tomoyo-editpolicy - the interactive policy editor. It works on the policy in the kernel.

tomoyo-loadpolicy - loads the policy from /etc/tomoyo into the kernel.

tomoyo-savepolicy - writes the policy from the kernel to the files in /etc/tomoyo. Careful! It writes the whole in-kernel policy, including everything changed in tomoyo-editpolicy, not just one domain. With -d or -e it prints the domain or the exception policy to stdout instead, which is what the examples below rely on.

tomoyo-checkpolicy - checks policy files for syntax errors.

All of this is covered in the Tomoyo documentation: tomoyo.sourceforge.jp/2.5/chapter-4.html.en

Man pages: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en



Enabling Tomoyo.

1. Add security=tomoyo to the kernel command line in /etc/default/grub:

GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"

and regenerate the GRUB configuration:

update-grub

2. Install the userspace tools:

aptitude install tomoyo-tools

3. Generate the initial policy:

/usr/lib/tomoyo/init_policy

This creates the policy files in /etc/tomoyo.

4. Reboot!

If the system fails to boot with Tomoyo, press e in the GRUB menu and, for that boot, change

security=tomoyo

to

security=none





Restricting midori.

A policy for a single application, with the midori browser as the example.

First midori needs a domain of its own; that is what initialize_domain is for.

Open tomoyo-editpolicy.

In the Exception Policy Editor (w & e) press A and enter:

initialize_domain /usr/bin/midori from any











This means that /usr/bin/midori, whichever domain it is launched from, starts in a new domain <kernel> /usr/bin/midori instead of becoming a child of the caller's domain. Domain transitions are described in tomoyo.sourceforge.jp/2.5/chapter-5.html.en

Switch to the Domain Transition Editor (w & d) and find the line

/usr/bin/midori *

Press S and set profile 1 (learning).







Now launch midori and use it as you normally would: in learning mode Tomoyo records every access midori makes as a rule in its domain.

Use it for a while, then return to the editor.

In the Domain Transition Editor move to the midori domain and press Enter: this opens the Domain Policy Editor with the rules learned for midori.







Learned rules are literal and there are many of them; they need tidying up before the domain is switched to enforcing.

A name beginning with @ refers to a group defined in the exception policy; that is how several paths are covered by one rule.

The other way to cover several paths is a wildcard in the path itself.







Take /home/home/.config/midori/: learning produced one rule per file in that directory.

They can be replaced by a single rule with a wildcard (append and any other permission that was learned are listed the same way):

file read/write/unlink/truncate/rename /home/home/.config/midori/\*







\* stands for any run of characters except /, so this matches files directly in the directory, not files in its subdirectories.

Then select each of the individual rules the new one replaces and delete it with D.

Subdirectories of /home/home/.config/midori/ need a separate rule, because \{\*\}/ stands for one or more directory levels:

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*









Wildcard syntax: tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

Domain policy syntax: tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




Network rules get the same treatment.

Learning records one rule per address midori connected to; for a browser they can be replaced with:

network inet stream connect 0.0.0.0-255.255.255.255 80-443

Both parts of that rule are ranges: 0.0.0.0-255.255.255.255 is any IPv4 address, and 80-443 is every port from 80 to 443 inclusive, not just 80 and 443. Two rules, one for port 80 and one for 443, are tighter.

To get rid of the individual rules the new one covers, put the cursor on the new rule and press O: the editor marks every entry it subsumes; D then deletes the marked entries (O & D).

Network rule syntax: tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




Go through the rest as well and delete whatever midori has no business doing.

For example, midori has no reason to read /etc/passwd.

Select such a rule and press D to delete it.

Then go back to the Domain Transition Editor (w & d), press S and change the profile from 1 to 3.

Launch midori again and use it. Everything works? Good. Something is broken? The reject log (see tomoyo-auditd below) shows what was denied; add the missing rule and try again.



Now save the result.

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

Piece by piece:

tomoyo-savepolicy -d

prints the domain policy currently in the kernel to stdout.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'

picks the named domain out of it; with -r its subdomains are included.

>> /etc/tomoyo/domain_policy.conf

appends the result to the domain policy file.



The midori domain policy as saved:

/etc/tomoyo/domain_policy.conf

<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53
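The save pipeline above is easy to get wrong on a large dump, and the saved listing deserves a second look before it is trusted. The script below is an added example, not part of tomoyo-tools or of the original article: it parses a domain_policy dump, picks one domain together with its subdomains the way tomoyo-selectpolicy -r does, and flags the kinds of entry a reviewer should question (home-wide write access, connections to any address, the ability to spawn programs). The dump it works on is constructed for the example from a few of the entries above plus a made-up subdomain.

```python
"""Parse a TOMOYO 2.x domain_policy dump, select one domain (with its
subdomains, as `tomoyo-selectpolicy -r` does) and flag over-broad grants.

Added example for this article; not code from tomoyo-tools.
"""
import re

# Constructed sample dump: three domains, the last one a subdomain of midori.
SAMPLE_DUMP = """\
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC

<kernel> /usr/bin/midori
use_profile 3
use_group 0
file read /etc/ssl/certs/ca-certificates.crt
file read/write/append/unlink/truncate /home/home/\\{\\*\\}/\\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53

<kernel> /usr/bin/midori /usr/bin/xdg-open
use_profile 3
use_group 0
file read /etc/passwd
"""


def parse_domain_policy(text):
    """Return an ordered list of (domain_name, [entry, ...]).

    A domain block starts with a line beginning with '<kernel>'; every
    following non-blank line up to the next such line belongs to it."""
    domains = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("<kernel>"):
            domains.append((line, []))
        elif domains:
            domains[-1][1].append(line)
        else:
            raise ValueError("entry before any domain header: %r" % line)
    return domains


def select_domain(domains, name, recursive=True):
    """Keep `name` and, if recursive, every subdomain of it (a domain whose
    name is `name` followed by a space and more program paths)."""
    return [(dom, entries) for dom, entries in domains
            if dom == name or (recursive and dom.startswith(name + " "))]


def format_domain_policy(domains):
    """Render back into the file format tomoyo-loadpolicy reads."""
    return "\n\n".join(dom + "\n" + "\n".join(e) for dom, e in domains) + "\n"


# Entry shapes a reviewer should look at before switching to profile 3.
BROAD = [
    (re.compile(r"^file \S*(write|append|unlink|truncate|rename|create)\S* "
                r"/home/[^/ ]+/(\\\*|\\\{\\\*\\\}/\\\*)$"),
     "read/write over the whole home directory"),
    (re.compile(r"^network inet \S+ (connect|send) 0\.0\.0\.0-255\.255\.255\.255 "),
     "outbound network to any address"),
    (re.compile(r"^file execute "), "can spawn other programs"),
]


def audit(domains):
    """Return [(domain, entry, reason)] for every entry matching BROAD."""
    findings = []
    for dom, entries in domains:
        for entry in entries:
            for rx, why in BROAD:
                if rx.search(entry):
                    findings.append((dom, entry, why))
    return findings


if __name__ == "__main__":
    doms = parse_domain_policy(SAMPLE_DUMP)
    mine = select_domain(doms, "<kernel> /usr/bin/midori")
    print(format_domain_policy(mine))
    for dom, entry, why in audit(mine):
        print("NOTE %s: %s  (%s)" % (dom, entry, why))
```

On a real system replace SAMPLE_DUMP with the output of tomoyo-savepolicy -d; the three checks in BROAD are a starting point, not a complete list.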









Before trusting this policy, note what it still allows: the /home/home/\* and /home/home/\{\*\}/\* rules let midori read, write, delete and rename anything in the user's home directory, ~/.ssh included. That is exactly the part worth narrowing, and the path_group below is the tool for it.

The exception policy is saved the same way, except that the whole of it goes into the file, since exceptions are not tied to one domain:

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf







The policy can be made tidier with groups: the paths several rules refer to go into a path_group in the exception policy, and the rules then name the group.

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

And in domain_policy.conf the rule becomes:

file read/write/append/unlink/truncate @Midoi_Allow







After editing the files by hand, check their syntax before loading them into Tomoyo:

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

d stands for the domain policy and e for the exception policy; any line that does not parse is reported.

tomoyo-auditd writes the audit log, including the accesses that were denied, under /var/log/tomoyo.





More per-application examples:

wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






Restricting the whole system.

Tomoyo can restrict the whole system, not just one application.

The goal here is simple: nothing may be executed from /home, /tmp and the other writable locations except by root, and only the known system directories are executable by everyone.

A separate profile is used for this. It enforces only file::execute and leaves everything else disabled:

/etc/tomoyo/profile.conf

4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

The exception policy defines the two sets of executable paths and the domain transitions:

/etc/tomoyo/exception_policy.conf

path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any

The domain policy then needs only the execute rules in <kernel>, plus the midori domain built earlier (its rules follow the header):

/etc/tomoyo/domain_policy.conf

<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0
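What the wildcards in the midori section actually match, how the O key's "subsumed by" test works, and what the <kernel> domain above will and will not execute are easiest to see by running the rules. The script below is an added example, not code from the TOMOYO project or from the article. It implements the subset of TOMOYO 2.5's pattern syntax used on this page (\*, \?, \$ and \@ inside one path component, \{pat\}/ for one or more directory levels, and pat1\-pat2 exclusion; every other escape is treated as a literal character) and evaluates the system-wide file execute rules with their task.uid=0 condition. The path groups and the <kernel> rules are copied from the listing; LEARNED is a constructed list standing in for rules recorded in learning mode.

```python
r"""TOMOYO-style path patterns and a `file execute` decision for the
system-wide policy on this page.

Added example for this article; not code from the TOMOYO project.
Supports \*, \?, \$, \@ within a component, \{pat\}/ and pat1\-pat2.
"""
import re

_TOKEN = re.compile(r"\\.|[^\\]")   # one escape sequence or one plain character


def _component_regex(pat):
    """Translate one path component (no '/') into a regex string."""
    out = []
    for tok in _TOKEN.findall(pat):
        if tok == r"\*":
            out.append(r"[^/]*")        # any run of characters except '/'
        elif tok == r"\?":
            out.append(r"[^/]")
        elif tok == r"\$":
            out.append(r"[0-9]+")
        elif tok == r"\@":
            out.append(r"[^/.]*")
        else:
            out.append(re.escape(tok[-1]))  # literal; a leading backslash is dropped
    return "".join(out)


def component_matches(name, pat):
    r"""'a\-b\-c' means: matches a, and matches neither b nor c."""
    parts = pat.split(r"\-")
    if not re.fullmatch(_component_regex(parts[0]), name):
        return False
    return not any(re.fullmatch(_component_regex(p), name) for p in parts[1:])


def path_matches(path, pattern):
    r"""Match component by component. '\{pat\}/' consumes one or more
    components, each matching pat, and must be followed by at least one more."""
    def rec(fs, ps):
        if not ps:
            return not fs
        p = ps[0]
        if p.startswith(r"\{") and p.endswith(r"\}"):
            inner = p[2:-2]
            for n in range(1, len(fs)):
                if all(component_matches(f, inner) for f in fs[:n]) and rec(fs[n:], ps[1:]):
                    return True
            return False
        return bool(fs) and component_matches(fs[0], p) and rec(fs[1:], ps[1:])
    if not (path.startswith("/") and pattern.startswith("/")):
        return False
    return rec(path[1:].split("/"), pattern[1:].split("/"))


# Groups copied from exception_policy.conf above.
_ROOT_DIRS = ("lib", "lib64", "home", "opt", "tmp", "var", "mnt", "media")
PATH_GROUPS = {
    "ALLOW_EXEC": [r"/\*"]
                  + [r"/%s/\{\*\}/\*" % d for d in ("bin", "etc", "sbin", "sys", "boot")]
                  + [r"/usr/\{\*\}/\*\-medit\-midori", r"/run/\{\*\}/\*"]
                  + [r"/%s/\*" % d for d in ("bin", "etc", "sbin", "sys", "boot", "usr", "run")],
    "ALLOW_EXEC_ROOT": [r"/%s/\{\*\}/\*" % d for d in _ROOT_DIRS]
                       + [r"/%s/\*" % d for d in _ROOT_DIRS],
}

# `file execute` entries of the <kernel> domain: (target, condition).
KERNEL_EXEC_RULES = [
    ("@ALLOW_EXEC", None),
    ("@ALLOW_EXEC_ROOT", "task.uid=0"),
    ("/usr/bin/medit", None),
    ("/usr/bin/midori", None),
]


def _targets(target):
    return PATH_GROUPS[target[1:]] if target.startswith("@") else [target]


def exec_allowed(program, uid):
    """Profile 4 enforces only file::execute, so for an exec() from the
    <kernel> domain this is the whole decision."""
    for target, cond in KERNEL_EXEC_RULES:
        if cond == "task.uid=0" and uid != 0:
            continue
        if any(path_matches(program, p) for p in _targets(target)):
            return True
    return False


def subsumed_by(pattern, paths):
    """Paths a broader pattern makes redundant: what the O key in
    tomoyo-editpolicy marks before D deletes them."""
    return [p for p in paths if path_matches(p, pattern)]


# Constructed stand-in for paths recorded while midori ran in learning mode.
LEARNED = [
    "/home/home/.config/midori/config",
    "/home/home/.config/midori/history.db",
    "/home/home/.config/midori/extensions/adblock/config",
    "/home/home/.config/midori/extensions/formhistory/forms.db",
]

if __name__ == "__main__":
    print(subsumed_by(r"/home/home/.config/midori/\*", LEARNED))
    print(subsumed_by(r"/home/home/.config/midori/\{\*\}/\*", LEARNED))
    for prog, uid in (("/usr/bin/midori", 1000), ("/home/home/evil", 1000),
                      ("/home/home/evil", 0), ("/tmp/x", 1000)):
        print(prog, uid, exec_allowed(prog, uid))
```

Two things it makes visible: /home/home/.config/midori/\* and /home/home/.config/midori/\{\*\}/\* are disjoint, since \{\*\}/ needs at least one directory level, which is why the page keeps both rules; and /usr/bin/midori is dropped from ALLOW_EXEC by \-midori, so without the explicit file execute /usr/bin/midori line the browser could not be started from the <kernel> domain at all.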







A few notes on this policy.

1. Why is midori excluded from the group (\-midori) and then allowed explicitly, and why the separate file execute /usr/bin/medit?

The explicit file execute /usr/bin/midori entry works together with initialize_domain /usr/bin/midori from any: midori may be executed, and every time it is, it starts in its own domain <kernel> /usr/bin/midori with its own profile and rules, instead of staying in <kernel> like everything else. medit is excluded from the group and listed explicitly in the same way.

2. file execute @ALLOW_EXEC_ROOT task.uid=0

The condition limits this rule to processes running as uid 0, so the directories in ALLOW_EXEC_ROOT (/home, /tmp, /var, /opt and the rest) are executable by root only. Conditions are described in tomoyo.sourceforge.jp/2.5/chapter-10.html.en

3. keep_domain any from <kernel>

Normally every exec creates a new domain and the tree grows with every program that is started. keep_domain any from <kernel> keeps every program started from <kernel> in the <kernel> domain, so the whole system shares one set of rules.

initialize_domain /usr/bin/midori from any

is the exception: midori still gets its own domain, because initialize_domain takes priority over keep_domain.

4. 4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

In profile 4 only file::execute is enforced; every other operation stays in mode=disabled and is not checked at all. That is why a domain with use_profile 4 needs no rules other than the execute ones. Profiles are described in tomoyo.sourceforge.jp/2.5/chapter-9.html.en






That is all it takes to put Tomoyo to work, both for a single application and for the whole system.

P.S. Another MAC implementation by the Tomoyo developers: caitsith.sourceforge.jp



Update!

Tomoyo checks the program that is passed to exec(), and only that.

A binary run through the dynamic loader, as in ld-linux.so.2 /path/to/program, is not executed by the kernel: the loader is. The execute check therefore sees only the loader, and the program itself is never compared against the execute rules.

The fix is to give the loader its own domain and leave that domain in enforcing mode with no rules, so a process that has exec'd the loader is unable to do anything at all:

In domain_policy.conf:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

In exception_policy.conf:

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any

With that, every attempt to run something through the loader is denied.










/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53









.



tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf







, , .



exception_policy.conf



path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*







domain_policy.conf, .



file read/write/append/unlink/truncate @Midoi_Allow







, , Tomoyo.



tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







, - - , .



tomoyo-auditd , /var/log/tomoyo .





wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






Tomoyo , .



/home /tmp root.

.



.



/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----

4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }

4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }



.



/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any









:



/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0







.



1.

midori \-midori , file execute /usr/bin/medit ?



Tomoyo. , . , .



initialize_domain /usr/bin/midori from any medit, .



2.

file execute @ALLOW_EXEC_ROOT task.uid=0






, , .



.

tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3.

keep_domain any from <kernel>





. .



initialize_domain /usr/bin/midori from any





, . keep_domain.



4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }





. use_profile 4, .



.

tomoyo.sourceforge.jp/2.5/chapter-9.html.en






Tomoyo , .

.



ps. mac. Tomoyo, - caitsith.sourceforge.jp



Update!



Tomoyo .

ld-linux.so.2 .



.



:



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any





, .








 
      

.

<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -








, .



/bin/bash, , sshd .

- .

/sbin/init ..... /bin/bash

/sbin/init ..... /usr/sbin/sshd /bin/bash



.

, bash - . bash - , . Tomoyo.



tomoyo-editpolicy.



tomoyo-editpolicy







. .







W , D (w & d).



2.



. , , , . .



file execute /bin/ls - ls







, .



file execute /bin/ls task.uid=0 - ls .



3. .

, , .



4 .

0 - , .

1 - , .

2 - , 0

3 - , , .



tomoyo-editpolicy (w & p)







- 3



4. .

, - . . . - , . .



tomoyo-editpolicy (w & e)







5.



:



/etc/tomoyo/domain_policy.conf -

/etc/tomoyo/profile.conf -

/etc/tomoyo/exception_policy.conf -



, tomoyo-editpolicy , . . !



.



6.



tomoyo-editpolicy - . .

tomoyo-loadpolicy - .

tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .

tomoyo-checkpolicy - .



, .



Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en



: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en



Tomoyo.

1. GRUB /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"



update-grub



2. :

aptitude install tomoyo-tools



3. :

/usr/lib/tomoyo/init_policy

.



4. !

Tomoyo, . , e grub :

security=tomoyo



security=none





midori.

, , , .

, midori.



initialize_domain.



tomoyo-editpolicy.

Exeption Policy Editor (w & e) A :



initialize_domain /usr/bin/midori from any











.

tomoyo.sourceforge.jp/2.5/chapter-5.html.en




Domain Transition Editor (w & d)



/usr/bin/midori *



S , 1.







midori , . , , .

midori.



Domain Transition Editor Enter Domain Policy Editor, midori .







.



@ . .



. .



.







/home/home/.config/midori/



(append) .



file read/write/unlink/truncate/rename /home/home/.config/midori/\*







.



, D , .



, , /home/home/.config/midori/



file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*









tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard



tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




.







, .



network inet stream connect 0.0.0.0-255.255.255.255 80-443



//



, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




, .



, , midori /etc/passwd







.



D, .

Domain Transition Editor (w & d), S 1 3.

.

? . ? .



.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







:

tomoyo-savepolicy -d



.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'



, .

>> /etc/tomoyo/domain_policy.conf



.



midori



/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53









.



tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf







, , .



exception_policy.conf



path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*







domain_policy.conf, .



file read/write/append/unlink/truncate @Midoi_Allow







, , Tomoyo.



tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







, - - , .



tomoyo-auditd , /var/log/tomoyo .





wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






Tomoyo , .



/home /tmp root.

.



.



/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----

4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }

4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }



.



/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any









:



/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0







.



1.

midori \-midori , file execute /usr/bin/medit ?



Tomoyo. , . , .



initialize_domain /usr/bin/midori from any medit, .



2.

file execute @ALLOW_EXEC_ROOT task.uid=0






, , .



.

tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3.

keep_domain any from <kernel>





. .



initialize_domain /usr/bin/midori from any





, . keep_domain.



4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }





. use_profile 4, .



.

tomoyo.sourceforge.jp/2.5/chapter-9.html.en






Tomoyo , .

.



ps. mac. Tomoyo, - caitsith.sourceforge.jp



Update!



Tomoyo .

ld-linux.so.2 .



.



:



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any





, .














.

<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -








, .



/bin/bash, , sshd .

- .

/sbin/init ..... /bin/bash

/sbin/init ..... /usr/sbin/sshd /bin/bash



.

, bash - . bash - , . Tomoyo.



tomoyo-editpolicy.



tomoyo-editpolicy







. .







W , D (w & d).



2.



. , , , . .



file execute /bin/ls - ls







, .



file execute /bin/ls task.uid=0 - ls .







3. .

, , .



4 .

0 - , .

1 - , .

2 - , 0

3 - , , .



tomoyo-editpolicy (w & p)







- 3



4. .

, - . . . - , . .



tomoyo-editpolicy (w & e)







5.



:



/etc/tomoyo/domain_policy.conf -

/etc/tomoyo/profile.conf -

/etc/tomoyo/exception_policy.conf -



, tomoyo-editpolicy , . . !



.



6.



tomoyo-editpolicy - . .

tomoyo-loadpolicy - .

tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .

tomoyo-checkpolicy - .



, .



Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en



: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en



Tomoyo.

1. GRUB /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"



update-grub



2. :

aptitude install tomoyo-tools



3. :

/usr/lib/tomoyo/init_policy

.



4. !

Tomoyo, . , e grub :

security=tomoyo



security=none





midori.

, , , .

, midori.



initialize_domain.



tomoyo-editpolicy.

Exeption Policy Editor (w & e) A :



initialize_domain /usr/bin/midori from any











.

tomoyo.sourceforge.jp/2.5/chapter-5.html.en




Domain Transition Editor (w & d)



/usr/bin/midori *



S , 1.







midori , . , , .

midori.



Domain Transition Editor Enter Domain Policy Editor, midori .







.



@ . .



. .



.







/home/home/.config/midori/



(append) .



file read/write/unlink/truncate/rename /home/home/.config/midori/\*







.



, D , .



, , /home/home/.config/midori/



file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*









tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard



tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




.







, .



network inet stream connect 0.0.0.0-255.255.255.255 80-443



//



, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




, .



, , midori /etc/passwd







.



D, .

Domain Transition Editor (w & d), S 1 3.

.

? . ? .



.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







:

tomoyo-savepolicy -d



.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'



, .

>> /etc/tomoyo/domain_policy.conf



.



midori



/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53









.



tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf







, , .



exception_policy.conf



path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*







domain_policy.conf, .



file read/write/append/unlink/truncate @Midoi_Allow







, , Tomoyo.



tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







, - - , .



tomoyo-auditd , /var/log/tomoyo .





wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






Tomoyo , .



/home /tmp root.

.



.



/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----

4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }

4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }



.



/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any









:



/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0







.



1.

midori \-midori , file execute /usr/bin/medit ?



Tomoyo. , . , .



initialize_domain /usr/bin/midori from any medit, .



2.

file execute @ALLOW_EXEC_ROOT task.uid=0






, , .



.

tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3.

keep_domain any from <kernel>





. .



initialize_domain /usr/bin/midori from any





, . keep_domain.



4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }





. use_profile 4, .



.

tomoyo.sourceforge.jp/2.5/chapter-9.html.en






Tomoyo , .

.



ps. mac. Tomoyo, - caitsith.sourceforge.jp



Update!



Tomoyo .

ld-linux.so.2 .



.



:



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any





, .










.

<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -








, .



/bin/bash, , sshd .

- .

/sbin/init ..... /bin/bash

/sbin/init ..... /usr/sbin/sshd /bin/bash



.

, bash - . bash - , . Tomoyo.



tomoyo-editpolicy.



tomoyo-editpolicy







. .







W , D (w & d).



2.



. , , , . .



file execute /bin/ls - ls







, .



file execute /bin/ls task.uid=0 - ls .







3. .

, , .



4 .

0 - , .

1 - , .

2 - , 0

3 - , , .



tomoyo-editpolicy (w & p)







- 3



4. .

, - . . . - , . .



tomoyo-editpolicy (w & e)







5.



:



/etc/tomoyo/domain_policy.conf -

/etc/tomoyo/profile.conf -

/etc/tomoyo/exception_policy.conf -



, tomoyo-editpolicy , . . !



.



6.



tomoyo-editpolicy - . .

tomoyo-loadpolicy - .

tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .

tomoyo-checkpolicy - .



, .



Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en



: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en



Tomoyo.

1. GRUB /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"



update-grub



2. :

aptitude install tomoyo-tools



3. :

/usr/lib/tomoyo/init_policy

.



4. !

Tomoyo, . , e grub :

security=tomoyo



security=none





midori.

, , , .

, midori.



initialize_domain.



tomoyo-editpolicy.

Exeption Policy Editor (w & e) A :



initialize_domain /usr/bin/midori from any











.

tomoyo.sourceforge.jp/2.5/chapter-5.html.en




Domain Transition Editor (w & d)



/usr/bin/midori *



S , 1.







midori , . , , .

midori.



Domain Transition Editor Enter Domain Policy Editor, midori .







Learning produces one entry per file, which is long and brittle. Entries beginning with @ refer to groups defined in the exception policy; we will make use of them later.

Let us tidy the rules up. Take the entries for /home/home/.config/midori/:

learning recorded a separate rule for each file in that directory, and only for the operations that actually happened while it was running (append, for instance, was never recorded). Replace them with one rule covering the files of the directory:

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

\* matches any sequence of characters except /, so this rule covers the files directly in the directory but not its subdirectories.

Add the rule with A, then delete the per-file entries it replaces with D.

For the subdirectories of /home/home/.config/midori/ add:

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*

\{\*\}/ matches one or more directory levels, so this rule covers files at any depth below the directory (but not the files directly in it, which the previous rule handles).

Wildcards: tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

Domain policy syntax: tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




Network rules get the same treatment. Learning recorded a separate connect entry for every address midori talked to; replace them with one rule:

network inet stream connect 0.0.0.0-255.255.255.255 80-443

This allows outgoing TCP connections to any address on ports 80 through 443. Note that 80-443 is a range, not a pair: every port in between is allowed as well.

Select the new rule and press O: the editor marks every narrower entry the rule subsumes. Then press D to delete the marked entries (O & D).

Network syntax: tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




Go through the remaining learned entries critically. A learned rule only shows what midori did, not what it needs: does midori really have to read /etc/passwd, for example? Delete what is not needed with D.

Then return to the Domain Transition Editor (w & d), press S and change the profile from 1 to 3 (enforcing).

Test midori. Everything works? Good. Something fails? Look at what was denied (the audit log is described below), add or widen the rule, and try again.

Finally, save the domain:

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

What this does:

tomoyo-savepolicy -d

prints the domain policy currently loaded in the kernel to stdout.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'

keeps only the domain <kernel> /usr/bin/midori (-r includes its child domains).

>> /etc/tomoyo/domain_policy.conf

appends the result to the saved domain policy. Appending rather than overwriting keeps the other domains in the file untouched; if the midori domain had already been saved there, remove the old copy first, or the file will contain it twice.



The resulting policy for midori, as it now stands in /etc/tomoyo/domain_policy.conf:

<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53

Two things deserve a second look before this domain is trusted in enforcing mode. Several entries carry per-session names (auth-for-home-WxYaIE, dbus-BKDp9V4Rww, keyring-XULOQY) that change at every login; they have to be generalised with wildcards, for example /run/gdm3/auth-for-home-\*/database, or midori will be denied at the next session. And the two /home/home/ rules let the browser read and modify anything in the user's home, .bashrc and .ssh included; the path group in the next step is where that should be narrowed down to what midori actually needs.









Save the exception policy as well (it holds the initialize_domain rule):

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

To keep the rules readable, and to stop them depending on one user's home directory, move the paths into a path group.

In exception_policy.conf:

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

and in domain_policy.conf the file rules for those paths collapse into one:

file read/write/append/unlink/truncate @Midoi_Allow

After editing the files by hand, check them before loading; a syntax error would otherwise stop Tomoyo from loading the policy:

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







If something does not work and the reason is not obvious, look at the audit log.

Start tomoyo-auditd: it collects the granted and rejected accesses reported by the kernel and writes them under /var/log/tomoyo.

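As an added example (not code from the page or from tomoyo-tools), the Python below reads records in the layout tomoyo-auditd writes, which this block assumes to be: a header line starting with #date# that carries profile=, mode= and granted= fields and the task's ids, then the domain name, then the access that was checked, then a blank line. It collects the denied accesses per domain as lines ready to paste into that domain's block in domain_policy.conf once they have been reviewed. AUDIT_LOG is a constructed sample (the /tmp/dropper path and the 192.168.1.20:8080 connection are invented), and parse_audit_log and denied_rules exist only in this example.

```python
import re

# Three records in the layout tomoyo-auditd writes (constructed sample, not a
# capture): header line with profile/mode/granted and the task's ids, then the
# domain name, then the access that was checked, then a blank line.
AUDIT_LOG = """\
#2013/03/02 14:15:16# profile=3 mode=enforcing granted=no (global-pid=2718) task={ pid=2718 ppid=1 uid=1000 gid=1000 euid=1000 egid=1000 suid=1000 sgid=1000 fsuid=1000 fsgid=1000 }
<kernel> /usr/bin/midori
file read /etc/passwd

#2013/03/02 14:15:17# profile=3 mode=enforcing granted=no (global-pid=2718) task={ pid=2718 ppid=1 uid=1000 gid=1000 euid=1000 egid=1000 suid=1000 sgid=1000 fsuid=1000 fsgid=1000 }
<kernel> /usr/bin/midori
network inet stream connect 192.168.1.20 8080

#2013/03/02 14:15:18# profile=4 mode=enforcing granted=no (global-pid=2802) task={ pid=2802 ppid=2700 uid=1000 gid=1000 euid=1000 egid=1000 suid=1000 sgid=1000 fsuid=1000 fsgid=1000 }
<kernel>
file execute /tmp/dropper
"""

_HEADER = re.compile(r"#(?P<time>[^#]+)# (?P<fields>.*)")
_FIELD = re.compile(r"([\w-]+)=([^\s)}]+)")   # key=value, stopping at ")" or "}"


def parse_audit_log(text):
    """Yield one dict per record: time, every key=value field of the header
    (profile, mode, granted, pid, uid, ...), the domain and the ACL line."""
    lines = iter(text.splitlines())
    for line in lines:
        m = _HEADER.fullmatch(line)
        if not m:
            continue
        domain, acl = next(lines, None), next(lines, None)
        if domain is None or acl is None:
            break  # truncated record at the end of the file
        rec = dict(_FIELD.findall(m.group("fields")))
        rec.update(time=m.group("time"), domain=domain, acl=acl)
        yield rec


def denied_rules(text):
    """Denied accesses per domain, in first-seen order and without repeats:
    each value is a list of lines that could be added to that domain's block
    in domain_policy.conf, once a human has decided they are legitimate."""
    out = {}
    for rec in parse_audit_log(text):
        if rec.get("granted") != "no":
            continue
        acls = out.setdefault(rec["domain"], [])
        if rec["acl"] not in acls:
            acls.append(rec["acl"])
    return out
```

The second record is the kind of thing the port range in the midori policy produces: 8080 is outside 80-443, so the connection is refused and shows up here rather than failing silently. Deduplicating by domain matters because a denied access is typically retried many times before anyone looks at the log.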




More examples of per-application policies:

wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader






System-wide policy.

Tomoyo can confine not only individual applications but the system as a whole.

The goal in this example: only root may execute files from /home, /tmp and the other writable or unusual locations (/var, /opt, /mnt, /media, /lib, /lib64); everyone may execute from the system directories; midori keeps the domain and policy built above.

Three pieces are needed: a profile, an exception policy and a domain policy.

A profile that enforces only file execute and leaves everything else unchecked. In /etc/tomoyo/profile.conf:

4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

The exception policy, /etc/tomoyo/exception_policy.conf:

path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any

The domain policy, /etc/tomoyo/domain_policy.conf:

<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0

(followed by the midori rules collected in the previous section).







A few explanations.

1. Why are midori and medit subtracted from the ALLOW_EXEC group (\-medit\-midori) and then allowed again with their own file execute /usr/bin/medit and file execute /usr/bin/midori lines?

This is a Tomoyo particularity. A program that is to get a domain of its own is listed with an explicit file execute rule in the parent domain rather than matched through a group.

midori gets its domain through initialize_domain /usr/bin/midori from any; medit is listed the same way so that it can be given one too.

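The wildcard rules in the midori section (\* versus \{\*\}/\*), the O & D consolidation step, and the \-medit\-midori subtraction in ALLOW_EXEC all rest on how Tomoyo matches a real path against a pattern. The following Python is an added example, not code from the page or from the Tomoyo project: it reimplements that matching (per-component wildcards, \{X\}/ recursion and \- subtraction, the behaviour of the kernel's security/tomoyo/util.c), uses it to drop learned entries that a broader rule already covers, and evaluates the <kernel> domain's four file execute rules from the system-wide policy above. The entries in LEARNED are a constructed sample; path_matches, optimize_file_rules and kernel_domain_may_execute are names of this example only.

```python
import re

# TOMOYO pathname patterns, following security/tomoyo/util.c: a wildcard
# matches inside one path component, "\{X\}/" repeats a component pattern
# one or more times, and "\-" subtracts patterns from the one before it.
# Octal escapes (\ooo) for odd characters in names are left out.
_WILDCARDS = {
    "*": r"[^/]*",         # zero or more characters other than "/"
    "?": r"[^/]",          # exactly one character other than "/"
    "$": r"[0-9]+",        # one or more decimal digits
    "X": r"[0-9A-Fa-f]+",  # one or more hexadecimal digits
    "A": r"[A-Za-z]+",     # one or more letters
}

def _component_regex(pattern):
    """Translate one path component of a pattern into a regular expression."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            # "\" + wildcard letter, or "\" + any other character taken literally
            out.append(_WILDCARDS.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "".join(out)

def _component_matches(name, pattern):
    r"""Match one component; "A\-B\-C" means: matches A and neither B nor C."""
    first, *subtracted = pattern.split("\\-")
    if not re.fullmatch(_component_regex(first), name):
        return False
    return not any(re.fullmatch(_component_regex(p), name) for p in subtracted)

def _match(names, patterns):
    if not patterns:
        return not names
    head, rest = patterns[0], patterns[1:]
    if head.startswith("\\{") and head.endswith("\\}"):
        # "\{X\}/" must consume at least one directory level, which is why
        # "/home/home/\{\*\}/\*" does not cover a file directly in /home/home/.
        inner = head[2:-2]
        for k, name in enumerate(names):
            if not _component_matches(name, inner):
                return False
            if _match(names[k + 1:], rest):
                return True
        return False
    return bool(names) and _component_matches(names[0], head) and _match(names[1:], rest)

def path_matches(path, pattern):
    """True if the real (symlink-resolved) absolute PATH matches PATTERN."""
    return _match(path.split("/"), pattern.split("/"))

_FILE_RULE = re.compile(r"file (\S+) (\S+)")  # "file OPS PATH", nothing after

def optimize_file_rules(rules):
    """Drop every "file OPS PATH" rule that another rule in the list covers
    (all of its operations present in the other, its path matching the
    other's pattern). Rules with extra arguments (a mode, a second path) are
    left alone. This is the O & D step of tomoyo-editpolicy done offline."""
    parsed = [(set(m.group(1).split("/")), m.group(2)) if m else None
              for m in map(_FILE_RULE.fullmatch, rules)]

    def covers(j, i):
        return parsed[i][0] <= parsed[j][0] and path_matches(parsed[i][1], parsed[j][1])

    kept = []
    for i, rule in enumerate(rules):
        redundant = parsed[i] is not None and any(
            j != i and parsed[j] is not None and covers(j, i)
            and not (covers(i, j) and j > i)  # identical or mutual: keep the earlier
            for j in range(len(rules)))
        if not redundant:
            kept.append(rule)
    return kept

# Constructed sample of what learning mode leaves in the midori domain.
LEARNED = [
    "file read /home/home/.config/midori/config",
    "file read/write /home/home/.config/midori/bookmarks.db",
    "file read/write/unlink /home/home/.config/midori/session.xbel",
    "file read /home/home/.config/midori/extensions/adblock/config",
    "file create/chmod /home/home/.config/midori/config.tmp 0-0666",
    r"file read/write/unlink/truncate/rename /home/home/.config/midori/\*",
    r"file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*",
]

# The <kernel> domain of the system-wide policy: its two path groups and the
# two programs it lists explicitly.
_EXEC_DIRS = ["bin", "etc", "sbin", "sys", "boot", "run"]
_ROOT_ONLY_DIRS = ["lib", "lib64", "home", "opt", "tmp", "var", "mnt", "media"]
ALLOW_EXEC = ([r"/\*", r"/usr/\{\*\}/\*\-medit\-midori", r"/usr/\*"]
              + ["/" + d + r"/\{\*\}/\*" for d in _EXEC_DIRS]
              + ["/" + d + r"/\*" for d in _EXEC_DIRS])
ALLOW_EXEC_ROOT = (["/" + d + r"/\{\*\}/\*" for d in _ROOT_ONLY_DIRS]
                   + ["/" + d + r"/\*" for d in _ROOT_ONLY_DIRS])

def kernel_domain_may_execute(path, uid):
    """Evaluate the four "file execute" rules of <kernel> for one real path."""
    if any(path_matches(path, p) for p in ALLOW_EXEC):
        return True
    if uid == 0 and any(path_matches(path, p) for p in ALLOW_EXEC_ROOT):
        return True  # "file execute @ALLOW_EXEC_ROOT task.uid=0"
    return path in ("/usr/bin/medit", "/usr/bin/midori")
```

Two details are worth noticing. The subtraction only applies to the component it is written in: /usr/\{\*\}/\*\-medit\-midori still matches /usr/lib/midori/libaddons.so, because there "midori" is a directory consumed by \{\*\}/, and only the final component is tested against medit and midori. And optimize_file_rules removes an entry only when every one of its operations appears in the covering rule, which is also why the two wildcard rules in LEARNED survive each other: one has rename, the other append.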


2. file execute @ALLOW_EXEC_ROOT task.uid=0

The condition restricts the rule to processes whose uid is 0: only root may run programs from the directories in ALLOW_EXEC_ROOT, that is from /home, /tmp, /var, /opt, /mnt, /media, /lib and /lib64. For everybody else executing a file there is denied, which is the point of the whole exercise.

Conditions are described in tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3. keep_domain any from <kernel>

Every program executed from the <kernel> domain stays in <kernel> instead of getting a child domain, so the whole system runs under the rules of this one domain and the domain tree does not grow.

The only exception is

initialize_domain /usr/bin/midori from any

which still moves midori into its own domain: initialize_domain takes precedence over keep_domain.



4. 4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

Profile 4 sets mode=disabled for everything and overrides only file::execute to enforcing, so of all the things Tomoyo could check only execution is controlled, and denied executions are logged. The <kernel> domain uses use_profile 4 and therefore enforces nothing else, while the midori domain keeps use_profile 3 and stays fully confined.

Profiles are described in tomoyo.sourceforge.jp/2.5/chapter-9.html.en

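To see how the four modes and the CONFIG::file::execute override combine, here is an added Python example (not from the page or from the Tomoyo project) that parses profile.conf lines in the format above and resolves, for a given profile and operation, which mode applies and whether the access is logged, the way the kernel does: the most specific CONFIG line that sets a mode wins, and the log flags of that line (defaulting to no) go with it. Profile 4 is copied from the page; profile 3 in PROFILE_CONF is a constructed stand-in for the stock enforcing profile; parse_profiles, effective_config and decide are names used only here.

```python
import re

# Profile 4 is the one from the page; profile 3 is a constructed stand-in for
# the stock enforcing profile that init_policy generates.
PROFILE_CONF = """\
3-COMMENT=-----Enforcing Mode-----
3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }
4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
"""

_LINE = re.compile(r"(\d+)-([^=]+)=(.*)")   # NUMBER-KEY=VALUE


def parse_profiles(text):
    """Parse profile.conf into {number: {key: value}}. A "{ k=v ... }" value
    becomes a dict; anything else (COMMENT) stays a string."""
    profiles = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.fullmatch(line)
        if not m:
            raise ValueError("unparseable profile line: " + line)
        number, key, value = int(m.group(1)), m.group(2), m.group(3).strip()
        if value.startswith("{") and value.endswith("}"):
            value = dict(item.split("=", 1) for item in value[1:-1].split())
        profiles.setdefault(number, {})[key] = value
    return profiles


PROFILES = parse_profiles(PROFILE_CONF)


def effective_config(profiles, number, operation):
    """Settings for OPERATION (e.g. "file::execute") under profile NUMBER,
    resolved as the kernel does: CONFIG::<category>::<operation> if it sets
    a mode, else CONFIG::<category>, else the profile-wide CONFIG. The level
    that supplies the mode also supplies the log flags (default: no)."""
    profile = profiles[number]
    category = operation.split("::", 1)[0]
    for key in ("CONFIG::" + operation, "CONFIG::" + category, "CONFIG"):
        level = profile.get(key)
        if isinstance(level, dict) and "mode" in level:
            return {"mode": level["mode"],
                    "grant_log": level.get("grant_log", "no"),
                    "reject_log": level.get("reject_log", "no")}
    raise KeyError("profile %d sets no mode for %s" % (number, operation))


def decide(profiles, number, operation, permitted_by_policy):
    """(allowed, logged) for one access, given whether the domain's policy
    already holds a matching rule. Only enforcing can deny: learning and
    permissive allow everything (learning additionally appends the missing
    rule to the domain); disabled skips the check and the log entirely."""
    cfg = effective_config(profiles, number, operation)
    if cfg["mode"] == "disabled":
        return True, False
    allowed = permitted_by_policy or cfg["mode"] != "enforcing"
    flag = "grant_log" if permitted_by_policy else "reject_log"
    return allowed, cfg[flag] == "yes"
```

The operation names are the ones profile.conf itself uses (file::execute, file::open, network::inet_stream_connect, misc::env and so on); a file read rule is checked under file::open, which under profile 4 resolves to the profile-wide disabled and is therefore never examined, exactly as the explanation above says.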





That is the whole of it: Tomoyo is simple to set up and flexible enough to confine a single application or the entire system with a few lines of policy.

PS. The author of Tomoyo has also written another MAC for Linux, CaitSith: caitsith.sourceforge.jp



Update!

One more thing about the system-wide policy.

The execute restriction has a well-known loophole: the dynamic loader. Running ld-linux.so.2 with a binary as its argument loads and runs that binary without the binary itself ever being exec'd, so a file that Tomoyo would refuse to execute directly can still be started through the loader by anyone allowed to execute the loader. With the groups above that is root (the loader lives under /lib), and it is any domain where the loader is executable.

The fix is to give the loader a domain of its own and leave that domain empty. In domain_policy.conf:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

and in exception_policy.conf:

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any

The domain is in enforcing mode and allows nothing, so a loader started directly cannot open, map or execute anything and the trick stops working. Normal programs are unaffected: they do not exec the loader, the kernel maps it for them. Note the name: Tomoyo works with real paths, so the rules are written for ld-2.13.so, the file that the ld-linux-x86-64.so.2 symlink points to on Debian Wheezy.

<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -








, .



/bin/bash, , sshd .

- .

/sbin/init ..... /bin/bash

/sbin/init ..... /usr/sbin/sshd /bin/bash



.

, bash - . bash - , . Tomoyo.



tomoyo-editpolicy.



tomoyo-editpolicy







. .







W , D (w & d).



2.



. , , , . .



file execute /bin/ls - ls







, .



file execute /bin/ls task.uid=0 - ls .







3. .

, , .



4 .

0 - , .

1 - , .

2 - , 0

3 - , , .



tomoyo-editpolicy (w & p)







- 3



4. .

, - . . . - , . .



tomoyo-editpolicy (w & e)







5.



:



/etc/tomoyo/domain_policy.conf -

/etc/tomoyo/profile.conf -

/etc/tomoyo/exception_policy.conf -



, tomoyo-editpolicy , . . !



.



6.



tomoyo-editpolicy - . .

tomoyo-loadpolicy - .

tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .

tomoyo-checkpolicy - .



, .



Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en



: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en



Tomoyo.

1. GRUB /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"



update-grub



2. :

aptitude install tomoyo-tools



3. :

/usr/lib/tomoyo/init_policy

.



4. !

Tomoyo, . , e grub :

security=tomoyo



security=none





midori.

, , , .

, midori.



initialize_domain.



tomoyo-editpolicy.

Exeption Policy Editor (w & e) A :



initialize_domain /usr/bin/midori from any











.

tomoyo.sourceforge.jp/2.5/chapter-5.html.en




Domain Transition Editor (w & d)



/usr/bin/midori *



S , 1.







midori , . , , .

midori.



Domain Transition Editor Enter Domain Policy Editor, midori .







.



@ . .



. .



.







/home/home/.config/midori/



(append) .



file read/write/unlink/truncate/rename /home/home/.config/midori/\*







.



, D , .



, , /home/home/.config/midori/



file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*









tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard



tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




.







, .



network inet stream connect 0.0.0.0-255.255.255.255 80-443



//



, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




, .



, , midori /etc/passwd







.



D, .

Domain Transition Editor (w & d), S 1 3.

.

? . ? .



.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







:

tomoyo-savepolicy -d



.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'



, .

>> /etc/tomoyo/domain_policy.conf



.



midori



/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53









.



tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf







, , .



exception_policy.conf



path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*







domain_policy.conf, .



file read/write/append/unlink/truncate @Midoi_Allow







, , Tomoyo.



tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







, - - , .



tomoyo-auditd , /var/log/tomoyo .





wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






Tomoyo , .



/home /tmp root.

.



.



/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----

4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }

4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }



.



/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any









:



/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0







.



1.

midori \-midori , file execute /usr/bin/medit ?



Tomoyo. , . , .



initialize_domain /usr/bin/midori from any medit, .



2.

file execute @ALLOW_EXEC_ROOT task.uid=0






, , .



.

tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3.

keep_domain any from <kernel>





. .



initialize_domain /usr/bin/midori from any





, . keep_domain.



4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }





. use_profile 4, .



.

tomoyo.sourceforge.jp/2.5/chapter-9.html.en






Tomoyo , .

.



ps. mac. Tomoyo, - caitsith.sourceforge.jp



Update!



Tomoyo .

ld-linux.so.2 .



.



:



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any





, .










.

<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -








, .



/bin/bash, , sshd .

- .

/sbin/init ..... /bin/bash

/sbin/init ..... /usr/sbin/sshd /bin/bash



.

, bash - . bash - , . Tomoyo.



tomoyo-editpolicy.



tomoyo-editpolicy







. .







W , D (w & d).



2.



. , , , . .



file execute /bin/ls - ls







, .



file execute /bin/ls task.uid=0 - ls .







3. .

, , .



4 .

0 - , .

1 - , .

2 - , 0

3 - , , .



tomoyo-editpolicy (w & p)







- 3



4. .

, - . . . - , . .



tomoyo-editpolicy (w & e)







5.



:



/etc/tomoyo/domain_policy.conf -

/etc/tomoyo/profile.conf -

/etc/tomoyo/exception_policy.conf -



, tomoyo-editpolicy , . . !



.



6.



tomoyo-editpolicy - . .

tomoyo-loadpolicy - .

tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .

tomoyo-checkpolicy - .



, .



Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en



: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en



Tomoyo.

1. GRUB /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"



update-grub



2. :

aptitude install tomoyo-tools



3. :

/usr/lib/tomoyo/init_policy

.



4. !

Tomoyo, . , e grub :

security=tomoyo



security=none





midori.

, , , .

, midori.



initialize_domain.



tomoyo-editpolicy.

Exeption Policy Editor (w & e) A :



initialize_domain /usr/bin/midori from any











.

tomoyo.sourceforge.jp/2.5/chapter-5.html.en




Domain Transition Editor (w & d)



/usr/bin/midori *



S , 1.







midori , . , , .

midori.



Domain Transition Editor Enter Domain Policy Editor, midori .







.



@ . .



. .



.







/home/home/.config/midori/



(append) .



file read/write/unlink/truncate/rename /home/home/.config/midori/\*







.



, D , .



, , /home/home/.config/midori/



file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*









tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard



tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




.







, .



network inet stream connect 0.0.0.0-255.255.255.255 80-443



//



, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




, .



, , midori /etc/passwd







.



D, .

Domain Transition Editor (w & d), S 1 3.

.

? . ? .



.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







:

tomoyo-savepolicy -d



.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'



, .

>> /etc/tomoyo/domain_policy.conf



.



midori



/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53









.



tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf







, , .



exception_policy.conf



path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*







domain_policy.conf, .



file read/write/append/unlink/truncate @Midoi_Allow







, , Tomoyo.



tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







, - - , .



tomoyo-auditd , /var/log/tomoyo .





wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






Tomoyo , .



/home /tmp root.

.



.



/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----

4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }

4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }



.



/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any









:



/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0







.



1.

midori \-midori , file execute /usr/bin/medit ?



Tomoyo. , . , .



initialize_domain /usr/bin/midori from any medit, .



2.

file execute @ALLOW_EXEC_ROOT task.uid=0






, , .



.

tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3.

keep_domain any from <kernel>





. .



initialize_domain /usr/bin/midori from any





, . keep_domain.



4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }





. use_profile 4, .



.

tomoyo.sourceforge.jp/2.5/chapter-9.html.en






Tomoyo , .

.



ps. mac. Tomoyo, - caitsith.sourceforge.jp



Update!



Tomoyo .

ld-linux.so.2 .



.



:



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any





, .










.

<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -








, .



/bin/bash, , sshd .

- .

/sbin/init ..... /bin/bash

/sbin/init ..... /usr/sbin/sshd /bin/bash



.

, bash - . bash - , . Tomoyo.



tomoyo-editpolicy.



tomoyo-editpolicy







. .







W , D (w & d).



2.



. , , , . .



file execute /bin/ls - ls







, .



file execute /bin/ls task.uid=0 - ls .







3. .

, , .



4 .

0 - , .

1 - , .

2 - , 0

3 - , , .



tomoyo-editpolicy (w & p)







- 3



4. .

, - . . . - , . .



tomoyo-editpolicy (w & e)







5.



:



/etc/tomoyo/domain_policy.conf -

/etc/tomoyo/profile.conf -

/etc/tomoyo/exception_policy.conf -



, tomoyo-editpolicy , . . !



.



6.



tomoyo-editpolicy - . .

tomoyo-loadpolicy - .

tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .

tomoyo-checkpolicy - .



, .



Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en



: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en



Tomoyo.

1. GRUB /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"



update-grub



2. :

aptitude install tomoyo-tools



3. :

/usr/lib/tomoyo/init_policy

.



4. !

Tomoyo, . , e grub :

security=tomoyo



security=none





midori.

, , , .

, midori.



initialize_domain.



tomoyo-editpolicy.

Exeption Policy Editor (w & e) A :



initialize_domain /usr/bin/midori from any











.

tomoyo.sourceforge.jp/2.5/chapter-5.html.en




Domain Transition Editor (w & d)



/usr/bin/midori *



S , 1.







midori , . , , .

midori.



Domain Transition Editor Enter Domain Policy Editor, midori .







.



@ . .



. .



.







/home/home/.config/midori/



(append) .



file read/write/unlink/truncate/rename /home/home/.config/midori/\*







.



, D , .



, , /home/home/.config/midori/



file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*









tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard



tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




.







, .



network inet stream connect 0.0.0.0-255.255.255.255 80-443



//



, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




, .



, , midori /etc/passwd







.



D, .

Domain Transition Editor (w & d), S 1 3.

.

? . ? .



.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







:

tomoyo-savepolicy -d



.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'



, .

>> /etc/tomoyo/domain_policy.conf



.



midori



/etc/tomoyo/domain_policy.conf
<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53









.



tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf







, , .



exception_policy.conf



path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*







domain_policy.conf, .



file read/write/append/unlink/truncate @Midoi_Allow







, , Tomoyo.



tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







, - - , .



tomoyo-auditd , /var/log/tomoyo .





wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






Tomoyo , .



/home /tmp root.

.



.



/etc/tomoyo/profile.conf
4-COMMENT=-----Enforcing file::execute only-----

4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }

4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }



.



/etc/tomoyo/exception_policy.conf
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any









:



/etc/tomoyo/domain_policy.conf
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0
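As an added example (my code, not from the article or from tomoyo-tools), the script below reads a domain_policy.conf in the text form shown on this page, one domain header beginning with <kernel>, its use_profile and use_group lines, then one ACL per line, and reports the grants a reviewer of the midori policy above would question: a domain left on a non-enforcing profile, write-class file ACLs that cover a whole directory tree such as /home/home/\* or /home/home/\{\*\}/\*, and network inet rules open to every IPv4 address. The embedded sample is constructed from the <kernel> domain and a trimmed midori domain on this page plus an invented /usr/bin/medit domain in learning mode; the tree heuristic (a \* or \{\*\}/\* pattern under a prefix of at most three components) and the write-operation list are assumptions of this example, not TOMOYO's own semantics.

```python
"""Audit a TOMOYO 2.x domain_policy.conf for over-broad grants (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: the <kernel> domain and a trimmed midori domain from
# this page, plus a made-up /usr/bin/medit domain left in learning mode.
SAMPLE_POLICY = r"""
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0

<kernel> /usr/bin/midori
use_profile 3
use_group 0
file read /etc/ssl/certs/ca-certificates.crt
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53

<kernel> /usr/bin/medit
use_profile 1
use_group 0
"""

# Profiles 0-2 (disabled, learning, permissive by this page's convention) never deny.
NON_ENFORCING_PROFILES = {0: "disabled", 1: "learning", 2: "permissive"}
# File operations that modify the filesystem (subset of TOMOYO's list).
WRITE_OPS = {"write", "append", "create", "unlink", "truncate", "rename",
             "chmod", "chown", "chgrp", "mkdir", "rmdir", "symlink", "link"}
# Heuristic of this example, not TOMOYO semantics: "<prefix>/\*" or "<prefix>/\{\*\}/\*"
# with a prefix of at most three components covers a whole directory tree, not one file.
TREE_PATTERN = re.compile(r"^(?P<prefix>(?:/[^/\\]+){1,3})/(?:\\\{\\\*\\\}/)?\\\*$")
ANY_IPV4 = "0.0.0.0-255.255.255.255"

@dataclass
class Domain:
    name: str
    profile: int | None = None
    group: int | None = None
    acls: list[str] = field(default_factory=list)

def parse_domain_policy(text: str) -> list[Domain]:
    """Split domain_policy.conf text into domains with their ACL lines."""
    domains: list[Domain] = []
    current: Domain | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("<kernel>"):  # a domain header opens a new block
            current = Domain(name=line)
            domains.append(current)
        elif current is None:
            raise ValueError(f"ACL before any domain header: {line!r}")
        elif line.startswith("use_profile "):
            current.profile = int(line.split()[1])
        elif line.startswith("use_group "):
            current.group = int(line.split()[1])
        else:
            current.acls.append(line)
    return domains

def audit_acl(acl: str) -> str | None:
    """Return a finding for one ACL line, or None if it looks tight."""
    parts = acl.split()
    if parts[0] == "file" and len(parts) >= 3:
        if not set(parts[1].split("/")) & WRITE_OPS:
            return None  # read, execute, ioctl: not a write grant
        # Operands after the op list are paths; a mode such as 0-0666 or a
        # condition such as task.uid=0 never matches TREE_PATTERN.
        matches = (TREE_PATTERN.match(p) for p in parts[2:])
        trees = sorted({m.group("prefix") for m in matches if m})
        if trees:
            return f"write access to whole tree {trees}: {acl}"
    elif parts[0] == "network" and len(parts) >= 5 and parts[4] == ANY_IPV4:
        return f"{parts[1]} {parts[3]} allowed to any IPv4 address: {acl}"
    return None

def audit_domain(domain: Domain) -> list[str]:
    """All findings for one domain: profile mode first, then each ACL."""
    findings = []
    if domain.profile in NON_ENFORCING_PROFILES:
        mode = NON_ENFORCING_PROFILES[domain.profile]
        findings.append(f"use_profile {domain.profile} ({mode}): nothing is denied")
    findings.extend(f for f in map(audit_acl, domain.acls) if f)
    return findings

def audit_policy(text: str) -> dict[str, list[str]]:
    """Map each domain name to its findings (an empty list when clean)."""
    return {d.name: audit_domain(d) for d in parse_domain_policy(text)}

if __name__ == "__main__":
    for name, findings in audit_policy(SAMPLE_POLICY).items():
        print(name, *(findings or ["(no findings)"]), sep="\n  ")
```

Run it as a script for the sample report, or call audit_policy on the contents of /etc/tomoyo/domain_policy.conf after the learning run; each flagged line is a candidate for narrowing, for instance by replacing the /home/home grants with a path_group like the Midoi_Allow group shown above and referencing it as @Midoi_Allow.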







.



1.

midori \-midori , file execute /usr/bin/medit ?



Tomoyo. , . , .



initialize_domain /usr/bin/midori from any medit, .



2.

file execute @ALLOW_EXEC_ROOT task.uid=0






, , .



.

tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3.

keep_domain any from <kernel>





. .



initialize_domain /usr/bin/midori from any





, . keep_domain.



4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }





. use_profile 4, .



.

tomoyo.sourceforge.jp/2.5/chapter-9.html.en






Tomoyo , .

.



ps. mac. Tomoyo, - caitsith.sourceforge.jp



Update!



Tomoyo .

ld-linux.so.2 .



.



:



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0
initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any





, .








 
      

 
      

.

<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -








, .



/bin/bash, , sshd .

- .

/sbin/init ..... /bin/bash

/sbin/init ..... /usr/sbin/sshd /bin/bash



.

, bash - . bash - , . Tomoyo.



tomoyo-editpolicy.



tomoyo-editpolicy







. .







W , D (w & d).



2.



. , , , . .



file execute /bin/ls - ls







, .



file execute /bin/ls task.uid=0 - ls .







3. .

, , .



4 .

0 - , .

1 - , .

2 - , 0

3 - , , .



tomoyo-editpolicy (w & p)







- 3



4. .

, - . . . - , . .



tomoyo-editpolicy (w & e)







5.



:



/etc/tomoyo/domain_policy.conf -

/etc/tomoyo/profile.conf -

/etc/tomoyo/exception_policy.conf -



, tomoyo-editpolicy , . . !



.



6.



tomoyo-editpolicy - . .

tomoyo-loadpolicy - .

tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .

tomoyo-checkpolicy - .



, .



Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en



: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en



Tomoyo.

1. GRUB /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"



update-grub



2. :

aptitude install tomoyo-tools



3. :

/usr/lib/tomoyo/init_policy

.



4. !

Tomoyo, . , e grub :

security=tomoyo



security=none





midori.

, , , .

, midori.



initialize_domain.



tomoyo-editpolicy.

Exeption Policy Editor (w & e) A :



initialize_domain /usr/bin/midori from any











.

tomoyo.sourceforge.jp/2.5/chapter-5.html.en




Domain Transition Editor (w & d)



/usr/bin/midori *



S , 1.







midori , . , , .

midori.



Domain Transition Editor Enter Domain Policy Editor, midori .







.



@ . .



. .



.







/home/home/.config/midori/



(append) .



file read/write/unlink/truncate/rename /home/home/.config/midori/\*



.



, D , .



, , /home/home/.config/midori/



file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*









tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard



tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




.







, .



network inet stream connect 0.0.0.0-255.255.255.255 80-443



//



, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




, .



, , midori /etc/passwd







.



D, .

Domain Transition Editor (w & d), S 1 3.

.

? . ? .



.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







:

tomoyo-savepolicy -d



.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'



, .

>> /etc/tomoyo/domain_policy.conf



.



midori



The midori domain as it was saved into /etc/tomoyo/domain_policy.conf, one rule per line:

/etc/tomoyo/domain_policy.conf
<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53

Two things in this listing deserve attention before it is reused. The names /run/gdm3/auth-for-home-WxYaIE/database, \000/tmp/dbus-BKDp9V4Rww and /home/home/.cache/keyring-XULOQY/pkcs11 are generated per login session, so in enforcing mode these entries stop matching at the next login unless the random part is replaced by a wildcard such as \*. And the rules on /home/home/\* and /home/home/\{\*\}/\* give the browser read, write, unlink and truncate on everything in the home directory, dotfiles included, which is far more than a browser needs; narrowing them to the directories midori really uses (its configuration directory, a download directory) is what the path_group step is for.

The exception policy is saved the same way; it holds the initialize_domain line for midori and any path_group definitions:

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

Rules that refer to the same directory tree can be collected into a path_group. The group is defined in exception_policy.conf:

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

and the midori domain in domain_policy.conf refers to it with an @ prefix, one rule replacing the individual per-path entries:

file read/write/append/unlink/truncate @Midoi_Allow

A group grants the rule's operations to every one of its members, so only paths that should share the same permissions belong in one group. Writing the user component as \* (/home/\*/...) makes the group, and with it the midori domain, valid for every account on the machine.
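The rewrite that the Midoi_Allow group does by hand can be scripted. The following is an added example, not code from the article or from tomoyo-tools: it takes a learned domain policy in the shape shown above, replaces the per-session names (the gdm auth database, the D-Bus socket, the keyring directory) and the concrete user name with \*, and folds the rules on midori's configuration directory into one path_group. The group name Midori_Allow, the regular expressions and the sample rules are my assumptions; a real policy still goes through tomoyo-checkpolicy before it is loaded.

```python
import re

# Added example (not from the original article or tomoyo-tools): generalize a
# learned TOMOYO domain policy so it survives a new login and a different user,
# then fold the midori configuration paths into a path_group.  The patterns,
# the group name and the sample rules below are assumptions for this example.

# Session-specific names seen in the learned midori policy, and the Tomoyo
# wildcard \* (any run of characters except "/") that replaces them.
EPHEMERAL = [
    (re.compile(r"^(/run/gdm3/auth-for-)[^/]+(/database)$"), r"\1\\*\2"),
    (re.compile(r"^(\\000/tmp/dbus-)[^/]+$"), r"\1\\*"),
    (re.compile(r"(/\.cache/keyring-)[^/]+(/)"), r"\1\\*\2"),
]
# A concrete user name as the first component under /home (not a wildcard).
HOME_USER = re.compile(r"^(/home/)[^/\\]+(/|$)")


def generalize_path(path):
    """Replace per-session components and the home user name with \\*."""
    for pattern, repl in EPHEMERAL:
        path = pattern.sub(repl, path)
    return HOME_USER.sub(r"\1\\*\2", path)


def generalize_rule(line):
    """Apply generalize_path to every path operand of a file/network rule."""
    words = line.split()
    if not words or words[0] not in ("file", "network"):
        return line
    return " ".join(
        generalize_path(w) if w.startswith(("/", "\\000")) else w for w in words
    )


SINGLE_PATH_RULE = re.compile(r"^file (\S+) (\S+)$")  # "file <ops> <path>"


def consolidate(domain_lines, group_name, prefix, ops):
    """Fold every 'file <ops> <path>' rule whose path starts with prefix into
    one path_group.  Only rules with exactly the given ops string are touched,
    because a group grants the rule's operations to all of its members.

    Returns (exception_lines, domain_lines): the path_group definitions for
    exception_policy.conf and the rewritten domain policy, in which the first
    matching rule becomes 'file <ops> @<group_name>' and later ones are dropped.
    """
    members, new_domain, placed = [], [], False
    for line in domain_lines:
        m = SINGLE_PATH_RULE.match(line)
        if m and m.group(1) == ops and m.group(2).startswith(prefix):
            if m.group(2) not in members:
                members.append(m.group(2))
            if not placed:
                new_domain.append(f"file {ops} @{group_name}")
                placed = True
            continue
        new_domain.append(line)
    return [f"path_group {group_name} {p}" for p in members], new_domain


def harden(learned, group_name="Midori_Allow",
           prefix="/home/\\*/.config/midori/",
           ops="read/write/append/unlink/truncate"):
    """Generalize a learned domain policy and group its midori config paths."""
    return consolidate([generalize_rule(l) for l in learned], group_name, prefix, ops)


# Constructed sample: a cut-down learned midori domain in the shape shown above.
LEARNED = r"""<kernel> /usr/bin/midori
use_profile 3
use_group 0
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read/write/append/unlink/truncate /home/home/.config/midori/config
file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/.config/midori/cookies.db
file create/chmod /home/home/.config/midori/\* 0-0666""".splitlines()

if __name__ == "__main__":
    exception, domain = harden(LEARNED)
    print("# exception_policy.conf")
    print("\n".join(exception))
    print("# domain_policy.conf")
    print("\n".join(domain))
```

Only rules with exactly the same operation string are folded: a path_group grants the rule's operations to every member, so folding read-only entries together with read/write ones would widen the grant. The create/chmod rule is left alone for the same reason.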







Before Tomoyo loads hand-edited files, check their syntax; tomoyo-checkpolicy takes d for a domain policy and e for an exception policy and reports the lines it cannot parse:

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

To find out what a domain is denied once it runs in enforcing mode, start tomoyo-auditd: it collects the kernel's access log and writes the granted and rejected requests to files under /var/log/tomoyo.

Policies for other desktop programs, written the same way:

wiki.archlinux.org/index.php/skype#TOMOYO
wiki.archlinux.org/index.php/Adobe_Reader

Restricting the whole system

Tomoyo can also be applied to the system as a whole rather than to one program. The aim of the policy below is to allow execution only from the system directories, and to let nothing be run from /lib, /lib64, /home, /opt, /tmp, /var, /mnt or /media except by root.

A dedicated profile enforces only the file::execute check and leaves every other access disabled, that is, not checked at all, so nothing else on the system is affected:

/etc/tomoyo/profile.conf
4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

The exception policy defines two path groups: ALLOW_EXEC for the system directories, with medit and midori subtracted from /usr by \-, and ALLOW_EXEC_ROOT for the rest of the filesystem. It also keeps every process in the <kernel> domain, except midori, which gets a domain of its own:

/etc/tomoyo/exception_policy.conf
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any

The domain policy then has only two domains: <kernel> with the execute rules, and the midori domain (its own rules, built earlier, are omitted here):

/etc/tomoyo/domain_policy.conf
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0

Some remarks on this policy.

1. The pattern /usr/\{\*\}/\*\-medit\-midori subtracts the names medit and midori from the group, so the only rules that let the two programs run are the explicit file execute /usr/bin/medit and file execute /usr/bin/midori entries. The subtraction acts on the last path component at any depth under /usr, and it is independent of domain transitions: medit stays in <kernel> because of keep_domain, while

initialize_domain /usr/bin/midori from any

moves midori into its own domain, where the rules learned for it apply.

2. file execute @ALLOW_EXEC_ROOT task.uid=0

The task.uid=0 condition restricts the rule to processes whose uid is 0. For any other uid there is no matching rule, and because file::execute is enforced in profile 4 the execution is refused. Conditions are described here:

tomoyo.sourceforge.jp/2.5/chapter-10.html.en

3. keep_domain any from <kernel>

Without this line every program started from <kernel> would get its own domain, named after the chain of programs that led to it, and each of those domains would need its own execute rules. With it, every process stays in <kernel> and the four rules above govern the whole system. initialize_domain is evaluated before keep_domain, so

initialize_domain /usr/bin/midori from any

still takes effect and midori alone leaves <kernel>.

4. 4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

Only this one check is enforced; everything else in profile 4 stays disabled. The <kernel> domain has use_profile 4, so the execute restriction applies to the whole system, while the midori domain keeps profile 3 and is enforced in full. Profiles are described here:

tomoyo.sourceforge.jp/2.5/chapter-9.html.en
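To see what these four execute rules permit without rebooting into the policy, here is an added example (not from the article or from tomoyo-tools) that models Tomoyo's pathname matching for file execute rules: the \*, \? and \$ wildcards, \{dir\}/ as one or more directory levels (which is why the policy lists both /bin/\{\*\}/\* and /bin/\*), \- subtraction inside a path component, @path_group references and the task.uid condition. The sample policy is the execute-relevant part of the one above; the function names are my own, and the kernel's own matcher, not this model, is the authority on anything it does not cover.

```python
import re

# Added example, not from the article or tomoyo-tools: a model of TOMOYO's
# pathname matching for "file execute" rules, enough to evaluate the policy
# above offline.  Supported: \* \? \$ wildcards, \{dir\}/ (one or more
# directory levels), \- subtraction within a component, @path_group references
# and the task.uid= condition.  The kernel's matcher is the authority.
WILDCARDS = {"*": "[^/]*", "?": "[^/]", "$": "[0-9]+"}


def _atom(text):
    """Translate a component pattern without \\- into a regex fragment."""
    rx, i = "", 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            rx += WILDCARDS.get(text[i + 1], re.escape(text[i + 1]))
            i += 2
        else:
            rx += re.escape(text[i])
            i += 1
    return rx


def _component(comp):
    """'A\\-B\\-C' matches A unless the whole component equals B or C."""
    positive, *subtracted = comp.split("\\-")
    rx = _atom(positive)
    if subtracted:
        rx = "(?!(?:%s)(?:/|$))%s" % ("|".join(map(_atom, subtracted)), rx)
    return rx


def pattern_regex(pattern):
    """Compile a Tomoyo pathname pattern into an anchored regex."""
    out, recursive = "", False
    for i, comp in enumerate(pattern.split("/")):
        if i and not recursive:
            out += "/"
        recursive = comp.startswith("\\{") and comp.endswith("\\}")
        if recursive:  # \{dir\}/ consumes its own "/" and needs >= 1 level
            out += "(?:%s/)+" % _component(comp[2:-2])
        else:
            out += _component(comp)
    return re.compile("^%s$" % out)


def parse_groups(exception_policy):
    """path_group lines -> {name: [pattern, ...]}."""
    groups = {}
    for line in exception_policy.splitlines():
        words = line.split()
        if words[:1] == ["path_group"]:
            groups.setdefault(words[1], []).append(words[2])
    return groups


def exec_rule(domain_policy, groups, path, uid):
    """Return the first 'file execute' rule letting uid run path, else None."""
    for line in domain_policy.splitlines():
        words = line.split()
        if words[:2] != ["file", "execute"]:
            continue
        target, conditions = words[2], words[3:]
        for cond in conditions:
            if not cond.startswith("task.uid="):
                raise ValueError("condition not modelled: " + cond)
            if int(cond.partition("=")[2]) != uid:
                break
        else:  # every condition held (or there was none)
            patterns = groups[target[1:]] if target.startswith("@") else [target]
            if any(pattern_regex(p).match(path) for p in patterns):
                return line.strip()
    return None


# Constructed sample: the execute-relevant part of the system-wide policy.
EXCEPTION_POLICY = r"""
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
"""
DOMAIN_POLICY = r"""
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori
"""
GROUPS = parse_groups(EXCEPTION_POLICY)


def decide(path, uid):
    """Matching rule for (path, uid) under the sample policy, or None."""
    return exec_rule(DOMAIN_POLICY, GROUPS, path, uid)


if __name__ == "__main__":
    for path, uid in [("/usr/bin/ls", 1000), ("/usr/bin/medit", 1000),
                      ("/usr/local/bin/medit", 1000), ("/tmp/x", 1000), ("/tmp/x", 0)]:
        print(path, uid, decide(path, uid) or "DENIED")
```

Running the block prints the decision for each sample path. Note /usr/local/bin/medit: the \-medit subtraction excludes it too, because the subtraction applies to the last component at any depth below /usr, while the explicit rule only covers /usr/bin/medit, so it is denied for everyone.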






Tomoyo therefore works both for confining a single program and for a system-wide rule such as this one.

P.S. A related MAC system by the author of Tomoyo: caitsith.sourceforge.jp

Update!

A program can also be started by invoking the dynamic loader directly, as in ld-linux.so.2 /path/to/program. In that case the execute check sees only the loader; the program it then maps is never subject to a file execute rule, so wherever the loader itself may be executed the restriction above can be bypassed this way. The fix is to give the loader a domain of its own with the enforcing profile and no rules, so that anything started through it is refused:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any

The first three lines go into domain_policy.conf, the last one into exception_policy.conf.

Editing the learned policy

Learned entries are edited in the Domain Policy Editor before the midori domain is switched to enforcing. Entries that list files one by one can be replaced by a rule with wildcards; the wildcard syntax and the domain policy syntax are described here:

tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard
tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en

For midori's configuration directory /home/home/.config/midori/ the first rule tried was

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

It was deleted again (D removes the selected entry) and replaced, with append added, by the recursive form:

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*

Two details: rename takes two path operands (file rename old new) and cannot be part of a single-path rule, and \{\*\}/ matches one or more directory levels, so the recursive rule covers the subdirectories but not the files directly in /home/home/.config/midori/, which still need the \* form alongside it.

Network access is added the same way. This rule lets midori open TCP connections to any address on ports 80 through 443:

network inet stream connect 0.0.0.0-255.255.255.255 80-443

80-443 is a range, not the pair 80 and 443; every port in between is included. Two rules, one with 80 and one with 443, limit it to HTTP and HTTPS. The learned single-address entries the new rule makes redundant can then be removed (O marks the entries covered by the selected rule, D deletes them). The syntax is described here:

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet

While the domain is in learning mode, everything midori does is added to the policy, including what it should not be allowed to do: open /etc/passwd in midori and a file read /etc/passwd entry appears. Such entries are deleted with D before going on.

Then switch the domain to enforcing: in the Domain Transition Editor (w & d) select the midori domain, press S and change the profile from 1 to 3. From now on any access that is not in the policy is refused and nothing new is learned. Check that midori still starts and loads pages, and that /etc/passwd can no longer be opened.

Finally the result is written to the policy file. The running policy is dumped with tomoyo-savepolicy, the midori domain is picked out of it and appended to the file:

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

In parts:

tomoyo-savepolicy -d
prints the current domain policy from the kernel to stdout.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'
keeps only the named domain and its rules (-r also takes any sub-domains of it).

>> /etc/tomoyo/domain_policy.conf
appends the selection to the file that is loaded at boot.

The midori domain written this way is the listing shown above under /etc/tomoyo/domain_policy.conf.



/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53









.



tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf







, , .



exception_policy.conf



path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*







domain_policy.conf, .



file read/write/append/unlink/truncate @Midoi_Allow







, , Tomoyo.



tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







, - - , .



tomoyo-auditd , /var/log/tomoyo .





wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






Tomoyo , .



/home /tmp root.

.



.



/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----

4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }

4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }



.



/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any









:



/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0







.



1.

midori \-midori , file execute /usr/bin/medit ?



Tomoyo. , . , .



initialize_domain /usr/bin/midori from any medit, .



2.

file execute @ALLOW_EXEC_ROOT task.uid=0






, , .



.

tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3.

keep_domain any from <kernel>





. .



initialize_domain /usr/bin/midori from any





, . keep_domain.



4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }





. use_profile 4, .



.

tomoyo.sourceforge.jp/2.5/chapter-9.html.en






Tomoyo , .

.



ps. mac. Tomoyo, - caitsith.sourceforge.jp



Update!



Tomoyo .

ld-linux.so.2 .



.



:



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any





, .








 
      

.

<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -








, .



/bin/bash, , sshd .

- .

/sbin/init ..... /bin/bash

/sbin/init ..... /usr/sbin/sshd /bin/bash



.

, bash - . bash - , . Tomoyo.



tomoyo-editpolicy.



tomoyo-editpolicy







. .







W , D (w & d).



2.



. , , , . .



file execute /bin/ls - ls







, .



file execute /bin/ls task.uid=0 - ls .







3. .

, , .



4 .

0 - , .

1 - , .

2 - , 0

3 - , , .



tomoyo-editpolicy (w & p)







- 3



4. .

, - . . . - , . .



tomoyo-editpolicy (w & e)







5.



:



/etc/tomoyo/domain_policy.conf -

/etc/tomoyo/profile.conf -

/etc/tomoyo/exception_policy.conf -



, tomoyo-editpolicy , . . !



.



6.



tomoyo-editpolicy - . .

tomoyo-loadpolicy - .

tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .

tomoyo-checkpolicy - .



, .



Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en



: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en



Tomoyo.

1. GRUB /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"



update-grub



2. :

aptitude install tomoyo-tools



3. :

/usr/lib/tomoyo/init_policy

.



4. !

Tomoyo, . , e grub :

security=tomoyo



security=none





midori.

, , , .

, midori.



initialize_domain.



tomoyo-editpolicy.

Exeption Policy Editor (w & e) A :



initialize_domain /usr/bin/midori from any











.

tomoyo.sourceforge.jp/2.5/chapter-5.html.en




Domain Transition Editor (w & d)



/usr/bin/midori *



S , 1.







midori , . , , .

midori.



Domain Transition Editor Enter Domain Policy Editor, midori .







.



@ . .



. .



.







/home/home/.config/midori/



(append) .



file read/write/unlink/truncate/rename /home/home/.config/midori/\*







.



, D , .



, , /home/home/.config/midori/



file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*





tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard



tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




.







, .



network inet stream connect 0.0.0.0-255.255.255.255 80-443



//



, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




, .



, , midori /etc/passwd







.



D, .

Domain Transition Editor (w & d), S 1 3.

.

? . ? .



.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







:

tomoyo-savepolicy -d



.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'



, .

>> /etc/tomoyo/domain_policy.conf



.



midori



/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53









.



tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf







, , .



exception_policy.conf



path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*







domain_policy.conf, .



file read/write/append/unlink/truncate @Midoi_Allow







, , Tomoyo.



tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







, - - , .



tomoyo-auditd , /var/log/tomoyo .





wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






Tomoyo , .



/home /tmp root.

.



.



/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----

4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }

4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }



.



/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any









:



/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0







.



1.

midori \-midori , file execute /usr/bin/medit ?



Tomoyo. , . , .



initialize_domain /usr/bin/midori from any medit, .



2.

file execute @ALLOW_EXEC_ROOT task.uid=0






, , .



.

tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3.

keep_domain any from <kernel>





. .



initialize_domain /usr/bin/midori from any





, . keep_domain.



4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }





. use_profile 4, .



.

tomoyo.sourceforge.jp/2.5/chapter-9.html.en






Tomoyo , .

.



ps. mac. Tomoyo, - caitsith.sourceforge.jp



Update!



Tomoyo .

ld-linux.so.2 .



.



:



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any





, .














.

<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -








, .



/bin/bash, , sshd .

- .

/sbin/init ..... /bin/bash

/sbin/init ..... /usr/sbin/sshd /bin/bash



.

, bash - . bash - , . Tomoyo.



tomoyo-editpolicy.



tomoyo-editpolicy







. .







W , D (w & d).



2.



. , , , . .



file execute /bin/ls - ls







, .



file execute /bin/ls task.uid=0 - ls .







3. .

, , .



4 .

0 - , .

1 - , .

2 - , 0

3 - , , .



tomoyo-editpolicy (w & p)







- 3



4. .

, - . . . - , . .



tomoyo-editpolicy (w & e)







5.



:



/etc/tomoyo/domain_policy.conf -

/etc/tomoyo/profile.conf -

/etc/tomoyo/exception_policy.conf -



, tomoyo-editpolicy , . . !



.



6.



tomoyo-editpolicy - . .

tomoyo-loadpolicy - .

tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .

tomoyo-checkpolicy - .



, .



Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en



: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en



Tomoyo.

1. GRUB /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"



update-grub



2. :

aptitude install tomoyo-tools



3. :

/usr/lib/tomoyo/init_policy

.



4. !

Tomoyo, . , e grub :

security=tomoyo



security=none





midori.

, , , .

, midori.



initialize_domain.



tomoyo-editpolicy.

Exeption Policy Editor (w & e) A :



initialize_domain /usr/bin/midori from any











.

tomoyo.sourceforge.jp/2.5/chapter-5.html.en




Domain Transition Editor (w & d)



/usr/bin/midori *



S , 1.







midori , . , , .

midori.



Domain Transition Editor Enter Domain Policy Editor, midori .







.



@ . .



. .



.







/home/home/.config/midori/



(append) .



file read/write/unlink/truncate/rename /home/home/.config/midori/\*







.



, D , .



, , /home/home/.config/midori/



file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*









tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard



tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




.







, .



network inet stream connect 0.0.0.0-255.255.255.255 80-443



//



, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




, .



, , midori /etc/passwd







.



D, .

Domain Transition Editor (w & d), S 1 3.

.

? . ? .



.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







:

tomoyo-savepolicy -d



.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'



, .

>> /etc/tomoyo/domain_policy.conf



.



midori



/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53









.



tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf







, , .



exception_policy.conf



path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*







domain_policy.conf, .



file read/write/append/unlink/truncate @Midoi_Allow







, , Tomoyo.



tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







, - - , .



tomoyo-auditd , /var/log/tomoyo .





wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






Tomoyo , .



/home /tmp root.

.



.



/etc/tomoyo/profile.conf

4-COMMENT=-----Enforcing file::execute only-----

4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }

4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }



.



/etc/tomoyo/exception_policy.conf

path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any









:



/etc/tomoyo/domain_policy.conf

<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0
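To make the two shapes of pattern in these groups concrete, here is an added example (not code from the article) that models how TOMOYO 2.5 matches \*, the \- subtraction operator and the recursive \{\*\}/ pattern, and evaluates the ALLOW_EXEC / ALLOW_EXEC_ROOT groups and the <kernel> execute rules above; the same matcher explains the path_group Midoi_Allow / @Midoi_Allow usage earlier. The policy text inside is a constructed subset of the page's own lines, and the matcher is a simplified model of the kernel's semantics for only these wildcards, not the kernel code.

```python
"""Added example, not from the article: a model of how TOMOYO 2.5 matches the
path patterns used above, applied to the page's ALLOW_EXEC / ALLOW_EXEC_ROOT
path_groups and the <kernel> domain's execute rules. Only the wildcards the
page uses are modelled ('\\*', the '\\-' subtraction operator and the
recursive '\\{\\*\\}/' pattern); it is an illustration, not the kernel code."""

# Constructed excerpt of the page's exception_policy.conf (the real file lists
# more directories, all in the same two shapes: DIR/\* and DIR/\{\*\}/\*).
EXCEPTION_POLICY = r"""
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
"""
# The <kernel> domain's execute rules from the page's domain_policy.conf.
KERNEL_DOMAIN_RULES = r"""
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori
"""

def _match_simple(name, pattern):
    """One path component vs. literal characters and '\\*' (any run of
    characters other than '/', possibly empty)."""
    if pattern == "":
        return name == ""
    if pattern[0] == "\\":
        if pattern[1:2] != "*":
            raise ValueError("wildcard not modelled here: " + pattern)
        return any(_match_simple(name[i:], pattern[2:]) for i in range(len(name) + 1))
    return name != "" and name[0] == pattern[0] and _match_simple(name[1:], pattern[1:])

def _match_component(name, pattern):
    """'\\-' subtraction: the first sub-pattern must match and none of the
    later ones may, so '\\*\\-medit\\-midori' is 'anything but medit/midori'."""
    first, *excluded = pattern.split(r"\-")
    return _match_simple(name, first) and not any(_match_simple(name, ex) for ex in excluded)

def _match_components(names, patterns):
    if not patterns:
        return not names
    pat = patterns[0]
    if pat.startswith(r"\{") and pat.endswith(r"\}"):
        # '\{X\}/' consumes ONE OR MORE directories each matching X and a
        # further component must follow: /home/\{\*\}/\* does not match
        # /home/file, which is why the policy pairs it with /home/\*.
        inner = pat[2:-2]
        for n in range(1, len(names)):
            if not _match_component(names[n - 1], inner):
                break
            if _match_components(names[n:], patterns[1:]):
                return True
        return False
    return (bool(names) and _match_component(names[0], pat)
            and _match_components(names[1:], patterns[1:]))

def path_matches(path, pattern):
    """True if the absolute path matches the TOMOYO path pattern."""
    return _match_components(path.split("/"), pattern.split("/"))

def parse_path_groups(text):
    groups = {}
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) == 3 and parts[0] == "path_group":
            groups.setdefault(parts[1], []).append(parts[2])
    return groups

def parse_execute_rules(text):
    """(target, condition) pairs from the 'file execute' lines."""
    rules = []
    for parts in (line.split() for line in text.splitlines()):
        if parts[:2] == ["file", "execute"]:
            rules.append((parts[2], parts[3] if len(parts) > 3 else None))
    return rules

PATH_GROUPS = parse_path_groups(EXCEPTION_POLICY)
EXEC_RULES = parse_execute_rules(KERNEL_DOMAIN_RULES)

def execute_allowed(path, uid):
    """Would the <kernel> domain (profile 4: file::execute enforcing) be allowed
    to exec `path` as `uid`? Only the page's task.uid=0 condition is modelled."""
    for target, cond in EXEC_RULES:
        if cond == "task.uid=0" and uid != 0:
            continue
        patterns = PATH_GROUPS[target[1:]] if target.startswith("@") else [target]
        if any(path_matches(path, p) for p in patterns):
            return True
    return False

if __name__ == "__main__":
    for exe, uid in [("/usr/bin/ls", 1000), ("/usr/bin/midori", 1000),
                     ("/tmp/build.sh", 1000), ("/tmp/build.sh", 0)]:
        print(exe, uid, "allowed" if execute_allowed(exe, uid) else "denied")
```

Running it shows why the page lists file execute /usr/bin/midori explicitly: the \-midori subtraction removes midori from @ALLOW_EXEC so that it can only be started through its own rule and thus always lands in its own domain, while a non-root user is denied execution from /tmp and /home because those groups carry the task.uid=0 condition.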







.



1.

midori \-midori , file execute /usr/bin/medit ?



Tomoyo. , . , .



initialize_domain /usr/bin/midori from any medit, .



2.

file execute @ALLOW_EXEC_ROOT task.uid=0






, , .



.

tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3.

keep_domain any from <kernel>





. .



initialize_domain /usr/bin/midori from any





, . keep_domain.



4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }





. use_profile 4, .



.

tomoyo.sourceforge.jp/2.5/chapter-9.html.en






Tomoyo , .

.



ps. mac. Tomoyo, - caitsith.sourceforge.jp



Update!



Tomoyo .

ld-linux.so.2 .



.



:



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any





, .








 
      

.

<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -








, .



/bin/bash, , sshd .

- .

/sbin/init ..... /bin/bash

/sbin/init ..... /usr/sbin/sshd /bin/bash



.

, bash - . bash - , . Tomoyo.



tomoyo-editpolicy.



tomoyo-editpolicy







. .







W , D (w & d).



2.



. , , , . .



file execute /bin/ls - ls







, .



file execute /bin/ls task.uid=0 - ls .







3. .

, , .



4 .

0 - , .

1 - , .

2 - , 0

3 - , , .



tomoyo-editpolicy (w & p)







- 3



4. .

, - . . . - , . .



tomoyo-editpolicy (w & e)







5.



:



/etc/tomoyo/domain_policy.conf -

/etc/tomoyo/profile.conf -

/etc/tomoyo/exception_policy.conf -



, tomoyo-editpolicy , . . !



.



6.



tomoyo-editpolicy - . .

tomoyo-loadpolicy - .

tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .

tomoyo-checkpolicy - .



, .



Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en



: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en



Tomoyo.

1. GRUB /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"



update-grub



2. :

aptitude install tomoyo-tools



3. :

/usr/lib/tomoyo/init_policy

.



4. !

Tomoyo, . , e grub :

security=tomoyo



security=none





midori.

, , , .

, midori.



initialize_domain.



tomoyo-editpolicy.

Exeption Policy Editor (w & e) A :



initialize_domain /usr/bin/midori from any











.

tomoyo.sourceforge.jp/2.5/chapter-5.html.en




Domain Transition Editor (w & d)



/usr/bin/midori *



S , 1.







midori , . , , .

midori.



Domain Transition Editor Enter Domain Policy Editor, midori .







.



@ . .



. .



.







/home/home/.config/midori/



(append) .



file read/write/unlink/truncate/rename /home/home/.config/midori/\*







.



, D , .



, , /home/home/.config/midori/



file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*









tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard



tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




.







, .



network inet stream connect 0.0.0.0-255.255.255.255 80-443



//



, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




, .



, , midori /etc/passwd







.



D, .

Domain Transition Editor (w & d), S 1 3.

.

? . ? .



.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf



:

tomoyo-savepolicy -d



.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'



, .

>> /etc/tomoyo/domain_policy.conf



.



midori



/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53









.



tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf







, , .



exception_policy.conf



path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*







domain_policy.conf, .



file read/write/append/unlink/truncate @Midoi_Allow







, , Tomoyo.



tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







, - - , .



tomoyo-auditd , /var/log/tomoyo .





wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






Tomoyo , .



/home /tmp root.

.



.



/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----

4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }

4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }



.



/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any









:



/etc/tomoyo/domain_policy.conf

<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0







.



1.

midori \-midori , file execute /usr/bin/medit ?



Tomoyo. , . , .



initialize_domain /usr/bin/midori from any medit, .



2.

file execute @ALLOW_EXEC_ROOT task.uid=0






, , .



.

tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3.

keep_domain any from <kernel>





. .



initialize_domain /usr/bin/midori from any





, . keep_domain.



4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }





. use_profile 4, .



.

tomoyo.sourceforge.jp/2.5/chapter-9.html.en






Tomoyo , .

.



ps. mac. Tomoyo, - caitsith.sourceforge.jp



Update!



Tomoyo .

ld-linux.so.2 .



.



:



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any





, .














.



@ . .



. .



.







/home/home/.config/midori/



(append) .



file read/write/unlink/truncate/rename /home/home/.config/midori/\*







.



, D , .



, , /home/home/.config/midori/



file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*









tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard



tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en
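The difference between /home/home/.config/midori/\* and /home/home/.config/midori/\{\*\}/\* above, the Midoi_Allow group, and the system-wide execute policy (the /usr/\{\*\}/\*\-medit\-midori subtraction and the task.uid=0 condition on @ALLOW_EXEC_ROOT) all come down to how TOMOYO matches a path against a pattern. The script below is an added example, not kernel or tomoyo-tools code: a Python re-implementation of the subset of the 2.5 pattern rules this page uses (\*, \?, \{pat\}/ recursion and A\-B\-C subtraction), applied to the page's file execute rules for the <kernel> domain. Assumptions: the group lists are trimmed to the entries the checks exercise, and paths such as /tmp/build.sh and /usr/local/bin/midori are constructed.

```python
"""Subset of TOMOYO 2.5 path-pattern matching, applied to the page's
file execute policy (added example, not kernel or tomoyo-tools code).

Supported pattern elements: \* (any run of characters inside one path
component), \? (one character), \{pat\}/ (one or more components, each
matching pat) and A\-B\-C (matches A but not B or C).  Others raise."""

# Trimmed to the group entries the checks below exercise (page's spellings kept).
EXCEPTION_POLICY = r"""
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*
"""

# The <kernel> domain's rules from the page's system-wide policy.
KERNEL_DOMAIN_RULES = r"""
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori
"""


def _tokens(p):
    """Split one pattern component into wildcard tokens and literal characters."""
    out, i = [], 0
    while i < len(p):
        if p[i] == "\\":
            c = p[i + 1] if i + 1 < len(p) else ""
            if c not in ("*", "?", "\\"):
                raise ValueError(f"unsupported pattern element in {p!r}")
            out.append(("lit", "\\") if c == "\\" else c)
            i += 2
        else:
            out.append(("lit", p[i]))
            i += 1
    return out


def _match_tokens(s, toks):
    """Backtracking match of one component string against its tokens."""
    if not toks:
        return s == ""
    t, rest = toks[0], toks[1:]
    if t == "*":
        return any(_match_tokens(s[k:], rest) for k in range(len(s) + 1))
    if t == "?":
        return bool(s) and _match_tokens(s[1:], rest)
    return bool(s) and s[0] == t[1] and _match_tokens(s[1:], rest)


def _match_component(s, p):
    """A\-B\-C: A must match and none of the subtracted patterns may match."""
    first, *excluded = p.split("\\-")
    if not _match_tokens(s, _tokens(first)):
        return False
    return not any(_match_tokens(s, _tokens(q)) for q in excluded)


def _match_path(fs, ps):
    """Match the list of path components fs against pattern components ps."""
    while fs and ps:
        p = ps[0]
        if p.startswith("\\{"):
            # \{pat\}/ consumes one or more components and something must
            # follow it, which is why /usr/\{\*\}/\* does not match /usr/ls.
            if not p.endswith("\\}") or len(ps) < 2:
                raise ValueError("recursive pattern must be followed by '/'")
            inner, i = p[2:-2], 0
            while i < len(fs) and _match_component(fs[i], inner):
                i += 1
                if i < len(fs) and _match_path(fs[i:], ps[1:]):
                    return True
            return False
        if not _match_component(fs[0], p):
            return False
        fs, ps = fs[1:], ps[1:]
    return not fs and not ps


def path_matches(filename, pattern):
    """True if a regular-file path matches the TOMOYO pattern."""
    return _match_path(filename.split("/"), pattern.split("/"))


def parse_path_groups(exception_policy):
    groups = {}
    for parts in (line.split() for line in exception_policy.splitlines()):
        if len(parts) == 3 and parts[0] == "path_group":
            groups.setdefault(parts[1], []).append(parts[2])
    return groups


def parse_exec_rules(domain_rules):
    """(target, required uid) per 'file execute' line; uid None means any user."""
    rules = []
    for parts in (line.split() for line in domain_rules.splitlines()):
        if parts[:2] == ["file", "execute"]:
            uid = next((int(c[9:]) for c in parts[3:] if c.startswith("task.uid=")), None)
            rules.append((parts[2], uid))
    return rules


GROUPS = parse_path_groups(EXCEPTION_POLICY)
RULES = parse_exec_rules(KERNEL_DOMAIN_RULES)


def exec_allowed(path, uid, rules=RULES, groups=GROUPS):
    """Would the <kernel> domain be allowed to execute `path` as user `uid`?"""
    for target, required_uid in rules:
        if required_uid is not None and uid != required_uid:
            continue  # task.uid=0 condition not met: the rule does not apply
        patterns = groups.get(target[1:], []) if target.startswith("@") else [target]
        if any(path_matches(path, p) for p in patterns):
            return True
    return False


if __name__ == "__main__":
    for path, uid in [("/usr/bin/ls", 1000), ("/usr/bin/midori", 1000),
                      ("/usr/local/bin/midori", 1000), ("/tmp/build.sh", 1000),
                      ("/tmp/build.sh", 0)]:
        print(f"uid={uid:<5} {path:<24} -> {'allow' if exec_allowed(path, uid) else 'deny'}")
```

Two things the run makes visible: the subtraction in /usr/\{\*\}/\*\-medit\-midori excludes any file named midori at any depth under /usr, so only the explicit file execute /usr/bin/midori line lets that one binary run, and an unprivileged user gets no execute from /tmp or /home because @ALLOW_EXEC_ROOT only applies when task.uid=0 holds.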




.







, .



network inet stream connect 0.0.0.0-255.255.255.255 80-443



//



, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




, .



, , midori /etc/passwd







.



D, .

Domain Transition Editor (w & d), S 1 3.

.

? . ? .



.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







:

tomoyo-savepolicy -d



.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'



, .

>> /etc/tomoyo/domain_policy.conf



.
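The middle stage of that pipeline is the one worth understanding before appending its output to domain_policy.conf. The script below is an added example, not tomoyo-tools code: it re-implements the selection step on a domain-policy dump so its effect can be inspected offline. My reading of tomoyo-selectpolicy -r is that it keeps the named domain and every domain whose name extends it by further programs (its children), not any name that merely shares a string prefix. DUMP is a constructed abbreviation of what tomoyo-savepolicy -d prints; the xdg-open child domain and the midori-extra domain are made up to show the two cases, and upsert() is my addition for merging without the duplicate blocks that plain >> appending leaves in the file.

```python
"""Domain selection and merge for TOMOYO 2.5 domain-policy dumps
(added example; tomoyo-selectpolicy's behaviour is re-implemented here
from my reading of it, this is not its source)."""

# Constructed abbreviation of a 'tomoyo-savepolicy -d' dump: a domain name
# line, its rules, blank line between domains.
DUMP = """\
<kernel>
use_profile 0
use_group 0

<kernel> /usr/bin/midori
use_profile 3
use_group 0
file read /etc/ssl/certs/ca-certificates.crt
network inet stream connect 0.0.0.0-255.255.255.255 80-443

<kernel> /usr/bin/midori /usr/bin/xdg-open
use_profile 3
use_group 0

<kernel> /usr/bin/midori-extra
use_profile 0
use_group 0
"""


def parse_dump(dump):
    """Split a dump into [(domain name, [rule lines])] in file order."""
    domains = []
    for line in dump.splitlines():
        if line.startswith("<kernel>"):
            domains.append((line.rstrip(), []))
        elif line.strip() and domains:
            domains[-1][1].append(line.rstrip())
    return domains


def select_domains(dump, wanted, recursive=True):
    """Keep `wanted`; with recursive=True also its child domains, whose names
    continue `wanted` after a space.  '<kernel> /usr/bin/midori-extra' is a
    different program, not a child, and is never selected."""
    return [(name, rules) for name, rules in parse_dump(dump)
            if name == wanted or (recursive and name.startswith(wanted + " "))]


def render(domains):
    """Serialise domains back into the dump format."""
    return "\n\n".join("\n".join([name, *rules]) for name, rules in domains) + "\n"


def upsert(existing, selected):
    """Merge selected domains into an existing domain_policy.conf text:
    a domain already present is replaced in place, new ones are appended."""
    current = dict(parse_dump(existing))  # name -> rules, order preserved
    for name, rules in selected:
        current[name] = rules
    return render(list(current.items()))


if __name__ == "__main__":
    picked = select_domains(DUMP, "<kernel> /usr/bin/midori")
    print(render(picked))
```

Running it prints the midori domain and its xdg-open child only; upsert(open("/etc/tomoyo/domain_policy.conf").read(), picked) would give the same result as the page's >> step on a first run and a file without duplicated blocks on every later one.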



midori



/etc/tomoyo/domain_policy.conf

<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53









.



tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf







, , .



exception_policy.conf



path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*







domain_policy.conf, .



file read/write/append/unlink/truncate @Midoi_Allow







, , Tomoyo.



tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







, - - , .



tomoyo-auditd , /var/log/tomoyo .





wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






Tomoyo , .



/home /tmp root.

.



.



/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----

4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }

4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }



.



/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any









:



/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0







.



1.

midori \-midori , file execute /usr/bin/medit ?



Tomoyo. , . , .



initialize_domain /usr/bin/midori from any medit, .



2.

file execute @ALLOW_EXEC_ROOT task.uid=0






, , .



.

tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3.

keep_domain any from <kernel>





. .



initialize_domain /usr/bin/midori from any





, . keep_domain.



4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }





. use_profile 4, .



.

tomoyo.sourceforge.jp/2.5/chapter-9.html.en






Tomoyo , .

.



ps. mac. Tomoyo, - caitsith.sourceforge.jp



Update!



Tomoyo .

ld-linux.so.2 .



.



:



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any





, .








 
      

.

<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -








, .



/bin/bash, , sshd .

- .

/sbin/init ..... /bin/bash

/sbin/init ..... /usr/sbin/sshd /bin/bash



.

, bash - . bash - , . Tomoyo.



tomoyo-editpolicy.



tomoyo-editpolicy







. .







W , D (w & d).



2.



. , , , . .



file execute /bin/ls - ls







, .



file execute /bin/ls task.uid=0 - ls .







3. .

, , .



4 .

0 - , .

1 - , .

2 - , 0

3 - , , .



tomoyo-editpolicy (w & p)







- 3



4. .

, - . . . - , . .



tomoyo-editpolicy (w & e)







5.



:



/etc/tomoyo/domain_policy.conf -

/etc/tomoyo/profile.conf -

/etc/tomoyo/exception_policy.conf -



, tomoyo-editpolicy , . . !



.



6.



tomoyo-editpolicy - . .

tomoyo-loadpolicy - .

tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .

tomoyo-checkpolicy - .



, .



Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en



: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en



Tomoyo.

1. GRUB /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"



update-grub



2. :

aptitude install tomoyo-tools



3. :

/usr/lib/tomoyo/init_policy

.



4. !

Tomoyo, . , e grub :

security=tomoyo



security=none





midori.

, , , .

, midori.



initialize_domain.



tomoyo-editpolicy.

Exeption Policy Editor (w & e) A :



initialize_domain /usr/bin/midori from any











.

tomoyo.sourceforge.jp/2.5/chapter-5.html.en




Domain Transition Editor (w & d)



/usr/bin/midori *



S , 1.







midori , . , , .

midori.



Domain Transition Editor Enter Domain Policy Editor, midori .







.



@ . .



. .



.







/home/home/.config/midori/



(append) .



file read/write/unlink/truncate/rename /home/home/.config/midori/\*







.



, D , .



, , /home/home/.config/midori/



file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*









tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard



tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




.







, .



network inet stream connect 0.0.0.0-255.255.255.255 80-443



//



, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




, .



, , midori /etc/passwd







.



D, .

Domain Transition Editor (w & d), S 1 3.

.

? . ? .



.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







:

tomoyo-savepolicy -d .

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'



, .

>> /etc/tomoyo/domain_policy.conf



.



midori



/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53









.



tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf







, , .



exception_policy.conf



path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*







domain_policy.conf, .



file read/write/append/unlink/truncate @Midoi_Allow







, , Tomoyo.



tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







, - - , .



tomoyo-auditd , /var/log/tomoyo .





wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






Tomoyo , .



/home /tmp root.

.



.



/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----

4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }

4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }



.



/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any









:



/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0







.



1.

midori \-midori , file execute /usr/bin/medit ?



Tomoyo. , . , .



initialize_domain /usr/bin/midori from any medit, .



2.

file execute @ALLOW_EXEC_ROOT task.uid=0






, , .



.

tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3.

keep_domain any from <kernel>





. .



initialize_domain /usr/bin/midori from any





, . keep_domain.



4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }





. use_profile 4, .



.

tomoyo.sourceforge.jp/2.5/chapter-9.html.en






Tomoyo , .

.



ps. mac. Tomoyo, - caitsith.sourceforge.jp



Update!



Tomoyo .

ld-linux.so.2 .



.



:



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any





, .














.

<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -








, .



/bin/bash, , sshd .

- .

/sbin/init ..... /bin/bash

/sbin/init ..... /usr/sbin/sshd /bin/bash



.

, bash - . bash - , . Tomoyo.



tomoyo-editpolicy.



tomoyo-editpolicy







. .







W , D (w & d).



2.



. , , , . .



file execute /bin/ls - ls







, .



file execute /bin/ls task.uid=0 - ls .







3. .

, , .



4 .

0 - , .

1 - , .

2 - , 0

3 - , , .



tomoyo-editpolicy (w & p)







- 3



4. .

, - . . . - , . .



tomoyo-editpolicy (w & e)







5.



:



/etc/tomoyo/domain_policy.conf -

/etc/tomoyo/profile.conf -

/etc/tomoyo/exception_policy.conf -



, tomoyo-editpolicy , . . !



.



6.



tomoyo-editpolicy - . .

tomoyo-loadpolicy - .

tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .

tomoyo-checkpolicy - .



, .



Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en



: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en



Tomoyo.

1. GRUB /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"



update-grub



2. :

aptitude install tomoyo-tools



3. :

/usr/lib/tomoyo/init_policy

.



4. !

Tomoyo, . , e grub :

security=tomoyo



security=none





midori.

, , , .

, midori.



initialize_domain.



tomoyo-editpolicy.

Exeption Policy Editor (w & e) A :



initialize_domain /usr/bin/midori from any











.

tomoyo.sourceforge.jp/2.5/chapter-5.html.en




Domain Transition Editor (w & d)



/usr/bin/midori *



S , 1.







midori , . , , .

midori.



Domain Transition Editor Enter Domain Policy Editor, midori .







.



@ . .



. .



.







/home/home/.config/midori/



(append) .



file read/write/unlink/truncate/rename /home/home/.config/midori/\*







.



, D , .



, , /home/home/.config/midori/



file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*









tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard



tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




.







, .



network inet stream connect 0.0.0.0-255.255.255.255 80-443



//



, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




, .



, , midori /etc/passwd







.



D, .

Domain Transition Editor (w & d), S 1 3.

.

? . ? .



.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







:

tomoyo-savepolicy -d



.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'



, .

>> /etc/tomoyo/domain_policy.conf



.



midori



/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53









.



tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf







, , .



exception_policy.conf



path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*







domain_policy.conf, .



file read/write/append/unlink/truncate @Midoi_Allow







, , Tomoyo.



tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







, - - , .



tomoyo-auditd , /var/log/tomoyo .





wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






Tomoyo , .



/home /tmp root.

.



.



/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----

4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }

4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }



.



The Domain Policy Editor now lists every access midori made while its domain was in learning mode (profile 1), one rule per line: the environment variables passed to it (misc env), the files it opened, the sockets it connected to. An object that begins with @ refers to a group (path_group, number_group) defined in the exception policy; groups are used below to shorten the policy. Not everything that was learned is worth keeping as it is: rules for individual files can be merged with wildcards, and rules the program should never have can be deleted.







Take midori's settings directory, /home/home/.config/midori/. In learning mode every file in it gets a rule of its own. Instead, add a single rule by hand (A) that covers the whole directory:

file read/write/unlink/truncate/rename /home/home/.config/midori/\*







The per-file rules it replaces can then be selected and deleted with D.

\* matches only one path component, so files in subdirectories of /home/home/.config/midori/ are not covered by the rule above. The recursive form \{\*\}/ matches one or more directory levels:

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*

This rule, in turn, does not match files directly inside /home/home/.config/midori/, because \{\*\}/ has to match at least one directory; keep both rules when both are needed.

Wildcard syntax: tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

Domain policy syntax: tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en
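As an added example (not code from the article or from the TOMOYO project), the following Python reimplements TOMOYO 2.5's pathname matching for the tokens that appear on this page (\*, \?, \$, \+, the \- subtraction and the recursive \{X\}/ form, following the kernel's matcher; \@, \x, \X, \a, \A and octal escapes are left out), so that a hand-written rule can be checked against a list of paths before the domain is switched to enforcing. The function names and the sample paths are mine; the paths are constructed, not taken from the learned policy. It shows the point made above: /home/home/.config/midori/\* covers only files directly in the directory, \{\*\}/\* covers only files at least one level deeper, and a path in neither list is what the reject log will report. The same matcher explains the \-medit\-midori entry in the system-wide exception policy later on the page: the subtraction drops two basenames from an otherwise matching pattern.

```python
r"""TOMOYO 2.5 pathname pattern matching, reimplemented (added example, not
tomoyo-tools code) to check which paths a rule covers before enforcing."""


def _match_simple(name, pat):
    r"""Match one path component against a pattern that contains no '\-'."""
    if not pat:
        return name == ""
    if pat[0] != "\\":  # plain character: must match literally
        return bool(name) and name[0] == pat[0] and _match_simple(name[1:], pat[1:])
    tok, rest = pat[:2], pat[2:]
    if tok == "\\*":  # zero or more characters other than '/'
        return any(_match_simple(name[i:], rest) for i in range(len(name) + 1))
    if tok == "\\?":  # exactly one character other than '/'
        return bool(name) and _match_simple(name[1:], rest)
    if tok == "\\+":  # exactly one decimal digit
        return bool(name) and name[0].isdigit() and _match_simple(name[1:], rest)
    if tok == "\\$":  # one or more decimal digits
        return any(name[:i].isdigit() and _match_simple(name[i:], rest)
                   for i in range(1, len(name) + 1))
    if tok == "\\\\":  # TOMOYO writes a literal backslash in a pathname as \\
        return name.startswith("\\") and _match_simple(name[1:], rest)
    raise ValueError("unsupported pattern token %r" % tok)


def _match_component(name, pat):
    r"""A\-B\-C matches when A matches and neither B nor C does."""
    parts = pat.split("\\-")
    if not _match_simple(name, parts[0]):
        return False
    return not any(_match_simple(name, p) for p in parts[1:])


def _match_components(fc, pc):
    """fc: path components, pc: pattern components (both without the leading '/')."""
    if not pc:
        return not fc
    head = pc[0]
    if head.startswith("\\{") and head.endswith("\\}"):
        # recursive form \{X\}/: swallows one or more components, each matching X,
        # and the rest of the pattern must still match at least one more component
        inner = head[2:-2]
        for i in range(len(fc)):
            if not _match_component(fc[i], inner):
                return False
            if i + 1 < len(fc) and _match_components(fc[i + 1:], pc[1:]):
                return True
        return False
    if not fc:
        # the kernel ignores trailing \* components once the path is used up
        return all(p == "\\*" for p in pc)
    return _match_component(fc[0], head) and _match_components(fc[1:], pc[1:])


def path_matches(path, pattern):
    """Does the TOMOYO pattern cover this absolute pathname?"""
    if not (path.startswith("/") and pattern.startswith("/")):
        return False
    if path.endswith("/") != pattern.endswith("/"):
        return False  # a directory never matches a non-directory pattern
    return _match_components(path[1:].split("/"), pattern[1:].split("/"))


# Constructed sample paths (not the page's learned policy).
LEARNED = [
    "/home/home/.config/midori/config",
    "/home/home/.config/midori/bookmarks.db",
    "/home/home/.config/midori/extensions/adblock/config",
    "/home/home/.cache/midori/web/index",
]

RULES = {
    "flat": r"/home/home/.config/midori/\*",
    "recursive": r"/home/home/.config/midori/\{\*\}/\*",
}


def coverage(paths=LEARNED, rules=RULES):
    """For each rule, the sample paths it covers; a path in no list is what
    the reject log will show once the domain is switched to profile 3."""
    return {name: [p for p in paths if path_matches(p, pat)]
            for name, pat in rules.items()}


if __name__ == "__main__":
    for name, hits in coverage().items():
        print(name, hits)
    # the subtraction used by the system-wide policy on this page
    for p in ("/usr/bin/ls", "/usr/bin/midori", "/usr/ls"):
        print(p, path_matches(p, r"/usr/\{\*\}/\*\-medit\-midori"))
```

Feed it the paths from your own reject log to see which of your candidate rules would have allowed each one; /home/home/.cache/... is covered by neither rule here, which is exactly the kind of gap that only shows up after switching to profile 3.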




Network access is described the same way. For a browser, outgoing TCP connections to any address on the HTTP and HTTPS ports:

network inet stream connect 0.0.0.0-255.255.255.255 80-443

Both fields are ranges: 0.0.0.0-255.255.255.255 is every IPv4 address, and 80-443 is every port from 80 to 443 inclusive, not just those two. To allow only 80 and 443, write two rules instead of the range.

After adding such a general rule, put the cursor on it and press O: the editor selects every learned entry the rule already covers, and D then deletes them all at once.

Network rule syntax: tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




The same editor is used to take access away: whatever you consider unnecessary is simply deleted from the domain. For example, there is no reason for midori to read /etc/passwd, so such a rule can go.







When the policy looks reasonable, switch the domain to enforcing. Go back to the Domain Transition Editor (w, then d), select the midori domain, press S and change the profile from 1 to 3.

Now test it: start midori and use it. Everything works? Good. Something does not? The reject log (see tomoyo-auditd below) shows exactly which access was denied, so the missing rule can be added, or the domain can be put back to profile 1 for a while.

So far the policy lives only in kernel memory. Save the midori domain to the policy file:

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







Here:

tomoyo-savepolicy -d prints the domain policy currently loaded in the kernel to standard output;

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' keeps only the midori domain and, because of -r, any sub-domains under it (programs started by midori);

>> /etc/tomoyo/domain_policy.conf appends the result to the file that is loaded at boot. If the file already contains a block for this domain, the new rules are added to it at load time and the old ones are not removed, so delete the previous block first.

The resulting domain policy for midori:



/etc/tomoyo/domain_policy.conf
<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53

Two things to look at before trusting this policy. Three entries contain names that change with every login session: /run/gdm3/auth-for-home-WxYaIE/database, the abstract socket \000/tmp/dbus-BKDp9V4Rww and /home/home/.cache/keyring-XULOQY/pkcs11. In enforcing mode they will be denied at the next session unless the random part is replaced with \* (for example /run/gdm3/auth-for-home-\*/database). And the /home/home/\* and /home/home/\{\*\}/\* entries give the browser read and write access to the entire home directory; narrowing that down is what the path_group below is for.









The exception policy (the initialize_domain line and any groups) is saved the same way, overwriting the file:

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

Both files are plain text and can be edited by hand; they are loaded into the kernel at the next boot (or with tomoyo-loadpolicy). This is where groups come in. Collect the paths midori may write to in a path_group in exception_policy.conf:



path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*







and replace the individual rules in domain_policy.conf with a single one that refers to the group:



file read/write/append/unlink/truncate @Midoi_Allow







After editing by hand, validate both files before loading them; tomoyo-checkpolicy reports every line the kernel would refuse:

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







When something stops working in enforcing mode, the log says which access was denied and in which domain, which is usually all you need to write the missing rule. The tomoyo-auditd daemon collects these records from the kernel and writes them under /var/log/tomoyo/; whether granted and rejected accesses are recorded is set per profile by grant_log and reject_log.

Worked policies for other desktop applications, built the same way:

wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






Policy for the whole system.

So far TOMOYO has been confining a single application. The second task is to restrict what may be executed on the machine at all: programs from the system directories run for everybody, while anything under /home, /tmp, /var and other writable locations runs only as root. Only execution is controlled; every other access stays unrestricted, so nothing has to be learned for ordinary programs.

A dedicated profile, 4, enforces file::execute and nothing else:

/etc/tomoyo/profile.conf
4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }



Exception policy. Two path groups: ALLOW_EXEC for locations anyone may execute from, ALLOW_EXEC_ROOT for locations only root may. Each directory appears twice because \* covers its top level and \{\*\}/\* its subdirectories. keep_domain keeps everything in the <kernel> domain, except midori, which still gets a domain of its own. Note that the root directory itself, /etc, /sys and /boot are also in ALLOW_EXEC; trim the list to what your system really needs.

/etc/tomoyo/exception_policy.conf
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any

Domain policy. The <kernel> domain uses profile 4; midori's domain keeps profile 3 (its rules, saved earlier, are omitted here):

/etc/tomoyo/domain_policy.conf
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0







A few notes.

1. medit and midori are subtracted from the group (\-medit\-midori) and then allowed again with explicit file execute /usr/bin/medit and file execute /usr/bin/midori lines. Why?

The two programs are taken out of the pattern and listed by name, which makes each an explicit entry of the <kernel> domain rather than one more match of a group. The subtraction itself does not create a domain; that is decided by the exception policy: initialize_domain /usr/bin/midori from any moves midori into its own domain, while medit, which has no such line, stays in <kernel> under keep_domain.



2. file execute @ALLOW_EXEC_ROOT task.uid=0

The condition after the object restricts the rule: it applies only when the calling process has uid 0. So binaries in /lib, /lib64, /home, /opt, /tmp, /var, /mnt and /media can be started by root and by nobody else, while @ALLOW_EXEC carries no condition and applies to everyone. task.uid is the real uid; task.euid, task.gid and the other condition variables (including the argv and envp of the program being executed) are described in chapter 10:

tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3. keep_domain any from <kernel>

Normally every program executed from a domain gets a new domain of its own (<kernel> /sbin/init, <kernel> /sbin/init /bin/bash and so on). keep_domain stops that: whatever is started from <kernel> stays in <kernel>, so the whole system lives in one domain governed by the rules above and nothing has to be learned per program.

initialize_domain /usr/bin/midori from any

is the exception: midori is put into its own domain, 

<kernel> /usr/bin/midori, wherever it is started from. initialize_domain takes precedence over keep_domain, so the two lines do not conflict.



4. 4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

In profile 4 the general CONFIG line sets mode=disabled, and only file::execute overrides it with enforcing: execution is checked against the policy, every other operation is not checked at all. The <kernel> domain uses this profile (use_profile 4); midori's domain keeps profile 3, in which everything is enforced. Profiles and their per-operation settings are described in chapter 9:

tomoyo.sourceforge.jp/2.5/chapter-9.html.en
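As an added example (not from the article or from tomoyo-tools), this Python reads profile.conf and domain_policy.conf text and answers two questions raised above: which mode actually applies to a given operation in a given domain, following the same CONFIG::file::execute -> CONFIG::file -> CONFIG fallback the kernel's tomoyo_get_mode() uses, and which lines tomoyo-selectpolicy -r would pick out of a tomoyo-savepolicy -d dump. The two policy texts are constructed to mirror the page's files, with an extra sub-domain for a program started by midori; they are not the page's files, and the function names are mine.

```python
"""Resolve what TOMOYO will enforce per domain and operation, and select one
domain (with its sub-domains) from a policy dump. Added example, not
tomoyo-tools code."""
import re

# Constructed samples modelled on the page's files (not copied from them).
PROFILE_CONF = """\
PROFILE_VERSION=20110903
3-COMMENT=-----Enforcing Mode-----
3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }
4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
"""

DOMAIN_POLICY = """\
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0

<kernel> /usr/bin/midori
use_profile 3
use_group 0
file read/write/append/unlink/truncate @Midoi_Allow
network inet stream connect 0.0.0.0-255.255.255.255 80-443

<kernel> /usr/bin/midori /usr/bin/xdg-open
use_profile 3
use_group 0
"""

# "4-CONFIG={...}", "4-CONFIG::file={...}" or "4-CONFIG::file::execute={...}"
_CONFIG_RE = re.compile(r"^(\d+)-CONFIG((?:::\w+)*)=\{([^}]*)\}$")


def parse_profiles(text):
    """{profile number: {'' | 'file' | 'file::execute' ...: {option: value}}}."""
    profiles = {}
    for line in text.splitlines():
        m = _CONFIG_RE.match(line.strip())
        if not m:  # PROFILE_VERSION, COMMENT and PREFERENCE carry no mode
            continue
        opts = dict(kv.split("=", 1) for kv in m.group(3).split())
        profiles.setdefault(int(m.group(1)), {})[m.group(2).lstrip(":")] = opts
    return profiles


def parse_domains(text):
    """{domain name: profile number}; a domain starts at a '<kernel>' line."""
    domains, current = {}, None
    for line in text.splitlines():
        if line.startswith("<kernel>"):
            current = line.rstrip()
            domains[current] = None
        elif current and line.startswith("use_profile "):
            domains[current] = int(line.split()[1])
    return domains


def effective_mode(profiles, domains, domain, operation):
    """Mode for e.g. 'file::execute' in `domain`: the most specific CONFIG
    entry wins, and a profile that sets nothing at all is 'disabled'."""
    prof = profiles.get(domains[domain], {})
    for key in (operation, operation.split("::")[0], ""):
        if "mode" in prof.get(key, {}):
            return prof[key]["mode"]
    return "disabled"


def select_domain(text, name, recursive=True):
    """Lines of `name` and, like tomoyo-selectpolicy -r, of every sub-domain
    (a domain whose name starts with `name` followed by a space)."""
    out, keep = [], False
    for line in text.splitlines():
        if line.startswith("<kernel>"):
            keep = line == name or (recursive and line.startswith(name + " "))
        if keep and line:
            out.append(line)
    return out


if __name__ == "__main__":
    profiles, domains = parse_profiles(PROFILE_CONF), parse_domains(DOMAIN_POLICY)
    for dom in domains:
        for op in ("file::execute", "file::read", "network::inet_stream_connect"):
            print(dom, op, effective_mode(profiles, domains, dom, op))
    print("\n".join(select_domain(DOMAIN_POLICY, "<kernel> /usr/bin/midori")))
```

Run it directly to print the mode table and the selected domain, or point the parsers at your own /etc/tomoyo files to review what each domain will enforce before loading them.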






That is enough to start using TOMOYO: learn, prune, enforce, save, and consult the documentation linked above for the rest of the syntax.

P.S. The author of TOMOYO also maintains another MAC implementation, CaitSith: caitsith.sourceforge.jp



Update!

The execute-only policy above can be bypassed through the dynamic loader. Running ld-linux.so.2 /path/to/binary is, as far as TOMOYO is concerned, an execution of the loader, not of the binary: the loader then maps and runs the program without any execute check.

The fix is to give the loader a domain of its own in full enforcing mode with no rules at all, so that when it is invoked directly it cannot open anything. In domain_policy.conf:

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

and in exception_policy.conf:

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any

Normal program start-up is unaffected: the kernel maps the loader as the ELF interpreter, which is not an execution of ld-2.13.so, so the empty domain is entered only when somebody runs the loader by hand. The path is the one on this Debian Wheezy system; use the loader path of your own glibc.
.

<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -








, .



/bin/bash, , sshd .

- .

/sbin/init ..... /bin/bash

/sbin/init ..... /usr/sbin/sshd /bin/bash



.

, bash - . bash - , . Tomoyo.



tomoyo-editpolicy.



tomoyo-editpolicy







. .







W , D (w & d).



2.



. , , , . .



file execute /bin/ls - ls







, .



file execute /bin/ls task.uid=0 - ls .







3. .

, , .



4 .

0 - , .

1 - , .

2 - , 0

3 - , , .



tomoyo-editpolicy (w & p)







- 3



4. .

, - . . . - , . .



tomoyo-editpolicy (w & e)







5.



:



/etc/tomoyo/domain_policy.conf -

/etc/tomoyo/profile.conf -

/etc/tomoyo/exception_policy.conf -



, tomoyo-editpolicy , . . !



.



6.



tomoyo-editpolicy - . .

tomoyo-loadpolicy - .

tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .

tomoyo-checkpolicy - .



, .



Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en



: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en



Tomoyo.

1. GRUB /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"



update-grub



2. :

aptitude install tomoyo-tools



3. :

/usr/lib/tomoyo/init_policy

.



4. !

Tomoyo, . , e grub :

security=tomoyo



security=none





midori.

, , , .

, midori.



initialize_domain.



tomoyo-editpolicy.

Exeption Policy Editor (w & e) A :



initialize_domain /usr/bin/midori from any











.

tomoyo.sourceforge.jp/2.5/chapter-5.html.en




Domain Transition Editor (w & d)



/usr/bin/midori *



S , 1.







midori , . , , .

midori.



Domain Transition Editor Enter Domain Policy Editor, midori .







.



@ . .



. .



.







/home/home/.config/midori/



(append) .



file read/write/unlink/truncate/rename /home/home/.config/midori/\*







.



, D , .



, , /home/home/.config/midori/



file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*









tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard



tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




.







, .



network inet stream connect 0.0.0.0-255.255.255.255 80-443



//



, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




, .



, , midori /etc/passwd







.



D, .

Domain Transition Editor (w & d), S 1 3.

.

? . ? .



.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







:

tomoyo-savepolicy -d



.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'



, .

>> /etc/tomoyo/domain_policy.conf



.



midori



/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53









.



tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf







, , .



exception_policy.conf



path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*







domain_policy.conf, .



file read/write/append/unlink/truncate @Midoi_Allow







, , Tomoyo.



tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







, - - , .



tomoyo-auditd , /var/log/tomoyo .





wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






Tomoyo , .



/home /tmp root.

.



.



/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----

4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }

4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }



.



/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any









:



/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0







.



1.

midori \-midori , file execute /usr/bin/medit ?



Tomoyo. , . , .



initialize_domain /usr/bin/midori from any medit, .



2.

file execute @ALLOW_EXEC_ROOT task.uid=0






, , .



.

tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3.

keep_domain any from <kernel>





. .



initialize_domain /usr/bin/midori from any





, . keep_domain.



4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }





. use_profile 4, .



.

tomoyo.sourceforge.jp/2.5/chapter-9.html.en






Tomoyo , .

.



ps. mac. Tomoyo, - caitsith.sourceforge.jp



Update!



Tomoyo .

ld-linux.so.2 .



.



:



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any





, .








 
      

.

<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -








, .



/bin/bash, , sshd .

- .

/sbin/init ..... /bin/bash

/sbin/init ..... /usr/sbin/sshd /bin/bash



.

, bash - . bash - , . Tomoyo.



tomoyo-editpolicy.



tomoyo-editpolicy







. .







W , D (w & d).



2.



. , , , . .



file execute /bin/ls - ls







, .



file execute /bin/ls task.uid=0 - ls .







3. .

, , .



4 .

0 - , .

1 - , .

2 - , 0

3 - , , .



tomoyo-editpolicy (w & p)







- 3



4. .

, - . . . - , . .



tomoyo-editpolicy (w & e)







5.



:



/etc/tomoyo/domain_policy.conf -

/etc/tomoyo/profile.conf -

/etc/tomoyo/exception_policy.conf -



, tomoyo-editpolicy , . . !



.



6.



tomoyo-editpolicy - . .

tomoyo-loadpolicy - .

tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .

tomoyo-checkpolicy - .



, .



Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en



: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en



Tomoyo.

1. GRUB /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"



update-grub



2. :

aptitude install tomoyo-tools



3. :

/usr/lib/tomoyo/init_policy

.



4. !

Tomoyo, . , e grub :

security=tomoyo



security=none





midori.

, , , .

, midori.



initialize_domain.



tomoyo-editpolicy.

Exeption Policy Editor (w & e) A :



initialize_domain /usr/bin/midori from any











.

tomoyo.sourceforge.jp/2.5/chapter-5.html.en




Domain Transition Editor (w & d)



/usr/bin/midori *



S , 1.







midori , . , , .

midori.



Domain Transition Editor Enter Domain Policy Editor, midori .







.



@ . .



. .



.







/home/home/.config/midori/



(append) .



file read/write/unlink/truncate/rename /home/home/.config/midori/\*







.



, D , .



, , /home/home/.config/midori/



file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*









tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard



tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




.







, .



network inet stream connect 0.0.0.0-255.255.255.255 80-443



//



, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




, .



, , midori /etc/passwd







.



D, .

Domain Transition Editor (w & d), S 1 3.

.

? . ? .



.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







:

tomoyo-savepolicy -d



.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'



, .

>> /etc/tomoyo/domain_policy.conf .



midori



/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53









.



tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf







, , .



exception_policy.conf



path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*







domain_policy.conf, .



file read/write/append/unlink/truncate @Midoi_Allow







, , Tomoyo.



tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







, - - , .



tomoyo-auditd , /var/log/tomoyo .





wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






Tomoyo , .



/home /tmp root.

.



.



/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----

4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }

4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }



.



/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any









:



/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0







.



1.

midori \-midori , file execute /usr/bin/medit ?



Tomoyo. , . , .



initialize_domain /usr/bin/midori from any medit, .



2.

file execute @ALLOW_EXEC_ROOT task.uid=0






, , .



.

tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3.

keep_domain any from <kernel>





. .



initialize_domain /usr/bin/midori from any





, . keep_domain.



4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }





. use_profile 4, .



.

tomoyo.sourceforge.jp/2.5/chapter-9.html.en






Tomoyo , .

.



ps. mac. Tomoyo, - caitsith.sourceforge.jp



Update!



Tomoyo .

ld-linux.so.2 .



.



:



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any





, .














.

<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -








, .



/bin/bash, , sshd .

- .

/sbin/init ..... /bin/bash

/sbin/init ..... /usr/sbin/sshd /bin/bash



.

, bash - . bash - , . Tomoyo.



tomoyo-editpolicy.



tomoyo-editpolicy







. .







W , D (w & d).



2.



. , , , . .



file execute /bin/ls - ls







, .



file execute /bin/ls task.uid=0 - ls .







3. .

, , .



4 .

0 - , .

1 - , .

2 - , 0

3 - , , .



tomoyo-editpolicy (w & p)







- 3



4. .

, - . . . - , . .



tomoyo-editpolicy (w & e)







5.



:



/etc/tomoyo/domain_policy.conf -

/etc/tomoyo/profile.conf -

/etc/tomoyo/exception_policy.conf -



, tomoyo-editpolicy , . . !



.



6.



tomoyo-editpolicy - . .

tomoyo-loadpolicy - .

tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .

tomoyo-checkpolicy - .



, .



Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en



: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en



Tomoyo.

1. GRUB /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"



update-grub



2. :

aptitude install tomoyo-tools



3. :

/usr/lib/tomoyo/init_policy

.



4. !

Tomoyo, . , e grub :

security=tomoyo



security=none





midori.

, , , .

, midori.



initialize_domain.



tomoyo-editpolicy.

Exception Policy Editor (w & e) A :



initialize_domain /usr/bin/midori from any











.

tomoyo.sourceforge.jp/2.5/chapter-5.html.en




Domain Transition Editor (w & d)



/usr/bin/midori *



S , 1.







midori , . , , .

midori.



Domain Transition Editor Enter Domain Policy Editor, midori .







.



@ . .



. .



.







/home/home/.config/midori/



(append) .



file read/write/unlink/truncate/rename /home/home/.config/midori/\*







.



, D , .



, , /home/home/.config/midori/



file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*









tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard



tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




.







, .



network inet stream connect 0.0.0.0-255.255.255.255 80-443



//



, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




, .



, , midori /etc/passwd







.



D, .

Domain Transition Editor (w & d), S 1 3.

.

? . ? .



.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







:

tomoyo-savepolicy -d



.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'



, .

>> /etc/tomoyo/domain_policy.conf



.



midori



/etc/tomoyo/domain_policy.conf

<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53









.



tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf







, , .



exception_policy.conf



path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*







domain_policy.conf, .



file read/write/append/unlink/truncate @Midoi_Allow







, , Tomoyo.



tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







, - - , .



tomoyo-auditd , /var/log/tomoyo .





wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






Tomoyo , .



/home /tmp root.

.



.



/etc/tomoyo/profile.conf

4-COMMENT=-----Enforcing file::execute only-----

4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }

4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }



.



/etc/tomoyo/exception_policy.conf

path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any









:



/etc/tomoyo/domain_policy.conf

<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0







.



1.

midori \-midori , file execute /usr/bin/medit ?



Tomoyo. , . , .



initialize_domain /usr/bin/midori from any medit, .



2.

file execute @ALLOW_EXEC_ROOT task.uid=0






, , .



.

tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3.

keep_domain any from <kernel>





. .



initialize_domain /usr/bin/midori from any





, . keep_domain.
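As an added example (not code from this page or from tomoyo-tools), the Python dry-run checker below parses the path_group, initialize_domain and keep_domain lines of an exception policy and the domain blocks of a domain policy, implements TOMOYO's path wildcards (\*, \?, \@, \$, \+, \X, \x, \A, \a, octal \ooo, recursive /\{dir\}/ and the \- exclusion operator) and answers the two questions raised above: which domain an exec lands in, and whether a domain's ACLs grant a file operation on a concrete path. The function names, the per-path-component treatment of \-, and the restriction to task.uid=N conditions are this example's own assumptions; the sample policy is a constructed subset of the fragments shown on this page.

```python
import re

_CLASSES = {'*': '[^/]*', '?': '[^/]', '@': '[^/.]*', '$': '[0-9]+', '+': '[0-9]',
            'X': '[0-9A-Fa-f]+', 'x': '[0-9A-Fa-f]', 'A': '[A-Za-z]+', 'a': '[A-Za-z]'}

def _atom_regex(text):
    """One pattern component (no '/' or \\-) -> regex; \\ooo is a literal byte in octal."""
    out, i = [], 0
    while i < len(text):
        if text[i] != '\\':
            out.append(re.escape(text[i])); i += 1
        elif text[i + 1] in _CLASSES:
            out.append(_CLASSES[text[i + 1]]); i += 2
        elif text[i + 1] in '01234567':
            out.append(re.escape(chr(int(text[i + 1:i + 4], 8)))); i += 4
        else:
            raise ValueError(f'unsupported escape in {text!r}')
    return ''.join(out)

def _component_regex(comp):
    """\\{dir\\} matches one or more directory levels; \\-name excludes exact names."""
    base, *excluded = comp.split('\\-')
    if base.startswith('\\{') and base.endswith('\\}'):
        inner = _atom_regex(base[2:-2])
        rx = f'{inner}(?:/{inner})*'
    else:
        rx = _atom_regex(base)
    if excluded:                                   # e.g. \*\-medit\-midori
        rx = f"(?!(?:{'|'.join(map(re.escape, excluded))})(?:/|$)){rx}"
    return rx

def match_pattern(pattern, path):
    """True if PATH matches the whole TOMOYO path PATTERN."""
    return re.fullmatch('/'.join(map(_component_regex, pattern.split('/'))), path) is not None

def parse_exception_policy(text):
    """Return ({group: [patterns]}, [(keyword, program, source_domain), ...])."""
    groups, transitions = {}, []
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w[0] == 'path_group':
            groups.setdefault(w[1], []).append(w[2])
        elif w[0] in ('initialize_domain', 'keep_domain') and w[2] == 'from':
            transitions.append((w[0], w[1], ' '.join(w[3:])))
    return groups, transitions

def parse_domain_policy(text):
    """Return {domain_name: [line_words, ...]}; every domain name starts with <kernel>."""
    domains, cur = {}, None
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w[0] == '<kernel>':
            cur = domains.setdefault(' '.join(w), [])
        elif cur is None:
            raise ValueError(f'policy line before any domain header: {w}')
        else:
            cur.append(w)
    return domains

def next_domain(transitions, domain, program):
    """initialize_domain is checked before keep_domain, so a program named there gets
    its own '<kernel> PROGRAM' domain even when the caller is held by keep_domain."""
    def hit(kind):
        return any(k == kind and p in ('any', program) and
                   s in ('any', domain, domain.split()[-1]) for k, p, s in transitions)
    if hit('initialize_domain'):
        return f'<kernel> {program}'
    return domain if hit('keep_domain') else f'{domain} {program}'

def is_allowed(domains, groups, domain, op, path, uid=None):
    """Does DOMAIN hold a 'file' ACL granting OP on PATH? Only task.uid=N is modelled."""
    for w in domains[domain]:
        if w[0] != 'file' or op not in w[1].split('/'):
            continue
        conds = [c for c in w[3:] if c.startswith('task.uid=')]
        if conds and uid != int(conds[0][9:]):
            continue
        patterns = groups.get(w[2][1:], []) if w[2].startswith('@') else [w[2]]
        if any(match_pattern(p, path) for p in patterns):
            return True
    return False

# Constructed sample: a subset of the policy fragments shown on this page.
EXCEPTION_POLICY = r"""
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any
"""
DOMAIN_POLICY = r"""
<kernel>
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
<kernel> /usr/bin/midori
file read /etc/fonts/\{\*\}/\*
file read/write/append/unlink/truncate @Midoi_Allow
"""
GROUPS, TRANSITIONS = parse_exception_policy(EXCEPTION_POLICY)
DOMAINS = parse_domain_policy(DOMAIN_POLICY)
```

Feed it the real files (tomoyo-savepolicy -e / -d output) to check a planned rule against a concrete path before switching a profile to enforcing.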



4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }





. use_profile 4, .



.

tomoyo.sourceforge.jp/2.5/chapter-9.html.en






Tomoyo , .

.



ps. mac. Tomoyo, - caitsith.sourceforge.jp



Update!



Tomoyo .

ld-linux.so.2 .



.



:



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any





, .










.

<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -








, .



/bin/bash, , sshd .

- .

/sbin/init ..... /bin/bash

/sbin/init ..... /usr/sbin/sshd /bin/bash



.

, bash - . bash - , . Tomoyo.



tomoyo-editpolicy.



tomoyo-editpolicy







. .







W , D (w & d).



2.



. , , , . .



file execute /bin/ls - ls







, .



file execute /bin/ls task.uid=0 - ls .







3. .

, , .



4 .

0 - , .

1 - , .

2 - , 0

3 - , , .



tomoyo-editpolicy (w & p)







- 3



4. .

, - . . . - , . .



tomoyo-editpolicy (w & e)







5.



:



/etc/tomoyo/domain_policy.conf -

/etc/tomoyo/profile.conf -

/etc/tomoyo/exception_policy.conf -



, tomoyo-editpolicy , . . !



.



6.



tomoyo-editpolicy - . .

tomoyo-loadpolicy - .

tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .

tomoyo-checkpolicy - .



, .



Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en



: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en



Tomoyo.

1. GRUB /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"



update-grub



2. :

aptitude install tomoyo-tools



3. :

/usr/lib/tomoyo/init_policy

.



4. !

Tomoyo, . , e grub :

security=tomoyo



security=none





midori.

, , , .

, midori.



initialize_domain.



tomoyo-editpolicy.

Exeption Policy Editor (w & e) A :



initialize_domain /usr/bin/midori from any











.

tomoyo.sourceforge.jp/2.5/chapter-5.html.en




Domain Transition Editor (w & d)



/usr/bin/midori *



S , 1.







midori , . , , .

midori.



Domain Transition Editor Enter Domain Policy Editor, midori .







.



@ . .



. .



.







/home/home/.config/midori/



(append) .



file read/write/unlink/truncate/rename /home/home/.config/midori/\*







.



, D , .



, , /home/home/.config/midori/



file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*









tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard



tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




.







, .



network inet stream connect 0.0.0.0-255.255.255.255 80-443



//



, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




, .



, , midori /etc/passwd







.



D, .

Domain Transition Editor (w & d), S 1 3.

.

? . ? .



.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







:

tomoyo-savepolicy -d



.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'



, .

>> /etc/tomoyo/domain_policy.conf



.



midori



/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53









.



tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf







, , .



exception_policy.conf



path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*







domain_policy.conf, .



file read/write/append/unlink/truncate @Midoi_Allow







, , Tomoyo.



tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







, - - , .



tomoyo-auditd , /var/log/tomoyo .





wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






Tomoyo , .



/home /tmp root.

.



.



/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----

4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }

4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }



.



/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any









:



/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0







.



1.

midori \-midori , file execute /usr/bin/medit ?



Tomoyo. , . , .



initialize_domain /usr/bin/midori from any medit, .



2.

file execute @ALLOW_EXEC_ROOT task.uid=0






, , .



.

tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3.

keep_domain any from <kernel>





. .



initialize_domain /usr/bin/midori from any





, . keep_domain.



4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }





. use_profile 4, .



.

tomoyo.sourceforge.jp/2.5/chapter-9.html.en






Tomoyo , .

.



ps. mac. Tomoyo, - caitsith.sourceforge.jp



Update!



Tomoyo .

ld-linux.so.2 .



.



:



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any





, .








 
      

.

<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -








, .



/bin/bash, , sshd .

- .

/sbin/init ..... /bin/bash

/sbin/init ..... /usr/sbin/sshd /bin/bash



.

, bash - . bash - , . Tomoyo.



tomoyo-editpolicy.



tomoyo-editpolicy







. .







W , D (w & d).



2.



. , , , . .



file execute /bin/ls - ls







, .



file execute /bin/ls task.uid=0 - ls .







3. .

, , .



4 .

0 - , .

1 - , .

2 - , 0

3 - , , .



tomoyo-editpolicy (w & p)







- 3



4. .

, - . . . - , . .



tomoyo-editpolicy (w & e)







5.



:



/etc/tomoyo/domain_policy.conf -

/etc/tomoyo/profile.conf -

/etc/tomoyo/exception_policy.conf -



, tomoyo-editpolicy , . . !



.



6.



tomoyo-editpolicy - . .

tomoyo-loadpolicy - .

tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .

tomoyo-checkpolicy - .



, .



Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en



: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en



Tomoyo.

1. GRUB /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"



update-grub



2. :

aptitude install tomoyo-tools



3. :

/usr/lib/tomoyo/init_policy

.



4. !

Tomoyo, . , e grub :

security=tomoyo



security=none





midori.

, , , .

, midori.



initialize_domain.



tomoyo-editpolicy.

Exeption Policy Editor (w & e) A :



initialize_domain /usr/bin/midori from any











.

tomoyo.sourceforge.jp/2.5/chapter-5.html.en




Domain Transition Editor (w & d)



/usr/bin/midori *



S , 1.







midori , . , , .

midori.



Domain Transition Editor Enter Domain Policy Editor, midori .







.



@ . .



. .



.







/home/home/.config/midori/



(append) .



file read/write/unlink/truncate/rename /home/home/.config/midori/\*







.



, D , .



, , /home/home/.config/midori/



file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*









tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard



tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




.







, .



network inet stream connect 0.0.0.0-255.255.255.255 80-443



//



, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




, .



, , midori /etc/passwd







.



D, .

Domain Transition Editor (w & d), S 1 3.

.

? . ? .



.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







:

tomoyo-savepolicy -d



.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'



, .

>> /etc/tomoyo/domain_policy.conf



.



midori



/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53









.



tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf







, , .



exception_policy.conf



path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*







domain_policy.conf, .



file read/write/append/unlink/truncate @Midoi_Allow







, , Tomoyo.



tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







, - - , .



tomoyo-auditd , /var/log/tomoyo .





wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






Tomoyo , .



/home /tmp root.

.



.



/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----

4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }

4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }



.



/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any









:



/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0







.



1.

midori \-midori , file execute /usr/bin/medit ?



Tomoyo. , . , .



initialize_domain /usr/bin/midori from any medit, .



2.

file execute @ALLOW_EXEC_ROOT task.uid=0






, , .



.

tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3.

keep_domain any from <kernel>





. .



initialize_domain /usr/bin/midori from any





, . keep_domain.



4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }





. use_profile 4, .



.

tomoyo.sourceforge.jp/2.5/chapter-9.html.en






Tomoyo , .

.



ps. mac. Tomoyo, - caitsith.sourceforge.jp



Update!



Tomoyo .

ld-linux.so.2 .



.



:



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any





, .










.

<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -








, .



/bin/bash, , sshd .

- .

/sbin/init ..... /bin/bash

/sbin/init ..... /usr/sbin/sshd /bin/bash



.

, bash - . bash - , . Tomoyo.



tomoyo-editpolicy.



tomoyo-editpolicy







. .







W , D (w & d).



2.



. , , , . .



file execute /bin/ls - ls







, .



file execute /bin/ls task.uid=0 - ls .







3. .

, , .



4 .

0 - , .

1 - , .

2 - , 0

3 - , , .



tomoyo-editpolicy (w & p)







- 3



4. .

, - . . . - , . .



tomoyo-editpolicy (w & e)







5.



:



/etc/tomoyo/domain_policy.conf -

/etc/tomoyo/profile.conf -

/etc/tomoyo/exception_policy.conf -



, tomoyo-editpolicy , . . !



.



6.



tomoyo-editpolicy - . .

tomoyo-loadpolicy - .

tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .

tomoyo-checkpolicy - .



, .



Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en



: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en



Tomoyo.

1. GRUB /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"



update-grub



2. :

aptitude install tomoyo-tools



3. :

/usr/lib/tomoyo/init_policy

.



4. !

Tomoyo, . , e grub :

security=tomoyo



security=none





midori.

, , , .

, midori.



initialize_domain.



tomoyo-editpolicy.

Exeption Policy Editor (w & e) A :



initialize_domain /usr/bin/midori from any











.

tomoyo.sourceforge.jp/2.5/chapter-5.html.en




Domain Transition Editor (w & d)



/usr/bin/midori *



S , 1.







midori , . , , .

midori.



Domain Transition Editor Enter Domain Policy Editor, midori .







.



@ . .



. .



.







/home/home/.config/midori/



(append) .



file read/write/unlink/truncate/rename /home/home/.config/midori/\*







.



, D , .



, , /home/home/.config/midori/



file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*









tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard



tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




.







, .



network inet stream connect 0.0.0.0-255.255.255.255 80-443



//



, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




, .



, , midori /etc/passwd







.



D, .

Domain Transition Editor (w & d), S 1 3.

.

? . ? .



.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







:

tomoyo-savepolicy -d



.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'



, .

>> /etc/tomoyo/domain_policy.conf



.



midori



/etc/tomoyo/domain_policy.conf

<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53









.



tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf







, , .



exception_policy.conf



path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*







domain_policy.conf, .



file read/write/append/unlink/truncate @Midoi_Allow
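The learned midori domain dumped above grants read/write access to the whole of /home/home and outbound TCP to every IPv4 address, and the path_group Midoi_Allow is the article's way of narrowing the file side. The following is an added example, not code from the article or from tomoyo-tools: it parses the text format that tomoyo-savepolicy -d and -e emit, expands @path_group references, and flags the grants a reviewer would want to narrow. The policy excerpts embedded in it are constructed from the dumps above, and the thresholds (a writable path with two or fewer wildcard-free components, an inet rule whose address range is 0.0.0.0-255.255.255.255) are this example's own heuristics, not checks TOMOYO performs.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed excerpt modelled on the learned midori domain dumped above.
LEARNED_DOMAIN = r"""
<kernel> /usr/bin/midori
use_profile 3
use_group 0
file read /etc/resolv.conf
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53
"""

# Constructed exception-policy excerpt: the path_group that narrows the domain.
EXCEPTION_POLICY = r"""
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*
"""

# The same domain once the home-wide file entries are replaced by the group.
NARROWED_DOMAIN = r"""
<kernel> /usr/bin/midori
use_profile 3
use_group 0
file read/write/append/unlink/truncate @Midoi_Allow
network inet stream connect 0.0.0.0-255.255.255.255 80-443
"""

# "file" permission keywords that let the domain modify the target path.
WRITE_PERMS = {"write", "append", "unlink", "truncate", "create", "chmod", "chown",
               "chgrp", "rename", "link", "symlink", "mkdir", "rmdir"}
ANY_IPV4 = "0.0.0.0-255.255.255.255"

@dataclass
class Domain:
    name: str
    profile: int | None = None
    entries: list[list[str]] = field(default_factory=list)

def parse_domain_policy(text: str) -> list[Domain]:
    """Split a tomoyo-savepolicy -d dump into domains with tokenised entries."""
    domains: list[Domain] = []
    current: Domain | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("<kernel>"):      # a header names one process chain
            current = Domain(name=line)
            domains.append(current)
            continue
        if current is None:
            raise ValueError(f"entry outside any domain: {line!r}")
        tokens = line.split()
        if tokens[0] == "use_profile":
            current.profile = int(tokens[1])
        else:
            current.entries.append(tokens)
    return domains

def parse_path_groups(text: str) -> dict[str, list[str]]:
    """Collect path_group definitions from a tomoyo-savepolicy -e dump."""
    groups: dict[str, list[str]] = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) == 3 and tokens[0] == "path_group":
            groups.setdefault(tokens[1], []).append(tokens[2])
    return groups

def literal_components(path: str) -> int:
    """Count path components carrying no TOMOYO wildcard (wildcards contain '\\')."""
    return sum(1 for c in path.split("/") if c and "\\" not in c)

def lint_domain(dom: Domain, groups: dict[str, list[str]], max_literal: int = 2) -> list[str]:
    """Heuristic findings for one domain; see the constants above for the thresholds."""
    findings: list[str] = []
    if dom.profile is None or dom.profile < 3:
        findings.append(f"{dom.name}: use_profile {dom.profile} is not enforcing")
    for tok in dom.entries:
        if tok[0] == "file" and len(tok) >= 3:
            if not set(tok[1].split("/")) & WRITE_PERMS:
                continue
            target = tok[2]
            if target.startswith("@"):        # expand a path_group reference
                members = groups.get(target[1:])
                if members is None:
                    findings.append(f"{dom.name}: {target} is not a defined path_group")
                    continue
            else:
                members = [target]
            for path in members:
                if path.startswith("/") and literal_components(path) <= max_literal:
                    findings.append(f"{dom.name}: write access to broad path {path}")
        elif tok[0] == "network" and len(tok) >= 6 and tok[1] == "inet":
            if tok[4] == ANY_IPV4:
                findings.append(f"{dom.name}: {tok[2]} {tok[3]} to any IPv4 address on {tok[5]}")
    return findings

def lint(domain_text: str, exception_text: str) -> list[str]:
    """Lint every domain in a dump against the path_groups of an exception policy."""
    groups = parse_path_groups(exception_text)
    return [f for dom in parse_domain_policy(domain_text) for f in lint_domain(dom, groups)]
```

Run lint(LEARNED_DOMAIN, EXCEPTION_POLICY) and the three home-wide file entries plus the any-address connect rule come back; on NARROWED_DOMAIN only the network rule remains, which is exactly the entry the article leaves for the reader to tighten. A reference to a path_group that the exception policy does not define is reported rather than silently treated as narrow, since such a rule matches nothing and the learning run would keep adding literal paths.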







, , Tomoyo.



tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







, - - , .



tomoyo-auditd , /var/log/tomoyo .





wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






Tomoyo , .



/home /tmp root.

.



.



/etc/tomoyo/profile.conf

4-COMMENT=-----Enforcing file::execute only-----

4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }

4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }



.



/etc/tomoyo/exception_policy.conf

path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any









:



/etc/tomoyo/domain_policy.conf

<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0







.



1.

midori \-midori , file execute /usr/bin/medit ?



Tomoyo. , . , .



initialize_domain /usr/bin/midori from any medit, .



2.

file execute @ALLOW_EXEC_ROOT task.uid=0






, , .



.

tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3.

keep_domain any from <kernel>





. .



initialize_domain /usr/bin/midori from any





, . keep_domain.



4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }





. use_profile 4, .



.

tomoyo.sourceforge.jp/2.5/chapter-9.html.en
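Profile 4 above works because a profile's per-category CONFIG line overrides its default CONFIG line, so only file::execute is enforced while every other access type stays disabled (unchecked). The following is an added example, not code from the article or from tomoyo-tools: it parses profile.conf lines in the format shown above, resolves the effective mode for an access type by the most specific CONFIG entry, and maps the four modes (0 disabled, 1 learning, 2 permissive, 3 enforcing) to what happens when a request does or does not match a policy entry. Profile 4 is copied from the article; the profile 1 and 3 lines are constructed here to stand in for the learning and enforcing profiles that init_policy generates.

```python
import re

# Profile 4 as shown in the article; profiles 1 and 3 are constructed stand-ins.
PROFILE_CONF = """\
PROFILE_VERSION=20110903
1-COMMENT=-----Learning Mode-----
1-CONFIG={ mode=learning grant_log=no reject_log=yes }
3-COMMENT=-----Enforcing Mode-----
3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }
4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
"""

MODES = ("disabled", "learning", "permissive", "enforcing")   # numeric modes 0..3
LINE = re.compile(r"^(\d+)-([A-Z_]+(?:::[a-z_]+)*)=(.*)$")   # "<n>-<KEY>=<value>"

def parse_profile_conf(text):
    """Return {profile_no: {key: value}}; '{ k=v ... }' values become dicts."""
    profiles = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue          # PROFILE_VERSION and blank lines carry no settings
        num, key, value = int(m.group(1)), m.group(2), m.group(3)
        if value.startswith("{") and value.endswith("}"):
            value = dict(item.split("=", 1) for item in value[1:-1].split())
        profiles.setdefault(num, {})[key] = value
    return profiles

def effective_mode(profiles, profile_no, access):
    """Most specific entry wins: CONFIG::file::execute, then CONFIG::file, then CONFIG."""
    conf = profiles[profile_no]
    parts = access.split("::")
    for depth in range(len(parts), -1, -1):
        key = "::".join(["CONFIG"] + parts[:depth])
        if key in conf and "mode" in conf[key]:
            return conf[key]["mode"]
    raise KeyError(f"profile {profile_no} has no CONFIG entry covering {access}")

def decide(profiles, profile_no, access, matched):
    """Outcome for a request under the resolved mode; 'matched' means a
    policy entry in the domain already covers the request."""
    mode = effective_mode(profiles, profile_no, access)
    if matched or mode == "disabled":
        return "grant"      # disabled: no check at all
    if mode == "learning":
        return "learn"      # entry is appended to the domain, access allowed
    if mode == "permissive":
        return "permit"     # access allowed but recorded in reject_log
    return "deny"           # enforcing

if __name__ == "__main__":
    profiles = parse_profile_conf(PROFILE_CONF)
    for access in ("file::execute", "file::read", "network::inet_stream_connect"):
        print(f"profile 4, {access}: mode={effective_mode(profiles, 4, access)}, "
              f"unmatched request -> {decide(profiles, 4, access, False)}")
```

With profile 4 an unmatched execve is denied while an unmatched read or connect passes without a check, which is why a domain under use_profile 4 needs file execute entries (or the @ALLOW_EXEC groups) but no file read entries. The lookup chain is what makes a CONFIG::file line, if one were added, sit between the execute-specific and the default entry.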






Tomoyo , .

.



ps. mac. Tomoyo, - caitsith.sourceforge.jp



Update!



Tomoyo .

ld-linux.so.2 .



.



:



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any





, .










.

<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -








, .



/bin/bash, , sshd .

- .

/sbin/init ..... /bin/bash

/sbin/init ..... /usr/sbin/sshd /bin/bash



.

, bash - . bash - , . Tomoyo.



tomoyo-editpolicy.



tomoyo-editpolicy







. .







W , D (w & d).



2.



. , , , . .



file execute /bin/ls - ls







, .



file execute /bin/ls task.uid=0 - ls .







3. .

, , .



4 .

0 - , .

1 - , .

2 - , 0

3 - , , .



tomoyo-editpolicy (w & p)







- 3



4. .

, - . . . - , . .



tomoyo-editpolicy (w & e)







5.



:



/etc/tomoyo/domain_policy.conf -

/etc/tomoyo/profile.conf -

/etc/tomoyo/exception_policy.conf -



, tomoyo-editpolicy , . . !



.



6.



tomoyo-editpolicy - . .

tomoyo-loadpolicy - .

tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .

tomoyo-checkpolicy - .



, .



Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en



: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en



Tomoyo.

1. GRUB /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"



update-grub



2. :

aptitude install tomoyo-tools



3. :

/usr/lib/tomoyo/init_policy

.



4. !

Tomoyo, . , e grub :

security=tomoyo



security=none





midori.

, , , .

, midori.



initialize_domain.



tomoyo-editpolicy.

Exeption Policy Editor (w & e) A :



initialize_domain /usr/bin/midori from any











.

tomoyo.sourceforge.jp/2.5/chapter-5.html.en




Domain Transition Editor (w & d)



/usr/bin/midori *



S , 1.







midori , . , , .

midori.



Domain Transition Editor Enter Domain Policy Editor, midori .







.



@ . .



. .



.







/home/home/.config/midori/



(append) .



file read/write/unlink/truncate/rename /home/home/.config/midori/\*







.



, D , .



, , /home/home/.config/midori/



file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*









tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard



tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




.







, .



network inet stream connect 0.0.0.0-255.255.255.255 80-443



//



, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




, .



, , midori /etc/passwd







.



D, .

Domain Transition Editor (w & d), S 1 3.

.

? . ? .



.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







:

tomoyo-savepolicy -d



.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'



, .

>> /etc/tomoyo/domain_policy.conf



.



midori



/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53









.



tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf







, , .



exception_policy.conf



path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*







domain_policy.conf, .



file read/write/append/unlink/truncate @Midoi_Allow







, , Tomoyo.



tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







, - - , .



tomoyo-auditd , /var/log/tomoyo .





wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






Tomoyo , .



/home /tmp root.

.



.



/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----

4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }

4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }



.



/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any









:



/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0







.



1.

midori \-midori , file execute /usr/bin/medit ?



Tomoyo. , . , .



initialize_domain /usr/bin/midori from any medit, .



2.

file execute @ALLOW_EXEC_ROOT task.uid=0






, , .



.

tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3.

keep_domain any from <kernel>





. .



initialize_domain /usr/bin/midori from any





, . keep_domain.



4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }





. use_profile 4, .



.

tomoyo.sourceforge.jp/2.5/chapter-9.html.en






Tomoyo , .

.



ps. mac. Tomoyo, - caitsith.sourceforge.jp



Update!



Tomoyo .

ld-linux.so.2 .



.



:



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any





, .








 
      

.

<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -








, .



/bin/bash, , sshd .

- .

/sbin/init ..... /bin/bash

/sbin/init ..... /usr/sbin/sshd /bin/bash



.

, bash - . bash - , . Tomoyo.



tomoyo-editpolicy.



tomoyo-editpolicy







. .







W , D (w & d).



2.



. , , , . .



file execute /bin/ls - ls







, .



file execute /bin/ls task.uid=0 - ls .







3. .

, , .



4 .

0 - , .

1 - , .

2 - , 0

3 - , , .



tomoyo-editpolicy (w & p)







- 3



4. .

, - . . . - , . .



tomoyo-editpolicy (w & e)







5.



:



/etc/tomoyo/domain_policy.conf -

/etc/tomoyo/profile.conf -

/etc/tomoyo/exception_policy.conf -



, tomoyo-editpolicy , . . !



.



6.



tomoyo-editpolicy - . .

tomoyo-loadpolicy - .

tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .

tomoyo-checkpolicy - .



, .



Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en



: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en



Tomoyo.

1. GRUB /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"



update-grub



2. :

aptitude install tomoyo-tools



3. :

/usr/lib/tomoyo/init_policy

.



4. !

Tomoyo, . , e grub :

security=tomoyo



security=none





midori.

, , , .

, midori.



initialize_domain.



tomoyo-editpolicy.

Exeption Policy Editor (w & e) A :



initialize_domain /usr/bin/midori from any











.

tomoyo.sourceforge.jp/2.5/chapter-5.html.en




Domain Transition Editor (w & d)



/usr/bin/midori *



S , 1.







midori , . , , .

midori.



Domain Transition Editor Enter Domain Policy Editor, midori .







.



@ . .



. .



.







/home/home/.config/midori/



(append) .



file read/write/unlink/truncate/rename /home/home/.config/midori/\*







.



, D , .



, , /home/home/.config/midori/



file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*









tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard



tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




.







, .



network inet stream connect 0.0.0.0-255.255.255.255 80-443



//



, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




, .



, , midori /etc/passwd







.



D, .

Domain Transition Editor (w & d), S 1 3.

.

? . ? .



.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







:

tomoyo-savepolicy -d



.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'



, .

>> /etc/tomoyo/domain_policy.conf



.



midori



/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53









.



tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf



, , .



exception_policy.conf



path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*







domain_policy.conf, .



file read/write/append/unlink/truncate @Midoi_Allow







, , Tomoyo.



tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







, - - , .



tomoyo-auditd , /var/log/tomoyo .





wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






Tomoyo , .



/home /tmp root.

.



.



/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----

4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }

4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }



.



/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any









:



/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0







.



1.

midori \-midori , file execute /usr/bin/medit ?



Tomoyo. , . , .



initialize_domain /usr/bin/midori from any medit, .



2.

file execute @ALLOW_EXEC_ROOT task.uid=0






, , .



.

tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3.

keep_domain any from <kernel>





. .



initialize_domain /usr/bin/midori from any





, . keep_domain.



4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }





. use_profile 4, .



.

tomoyo.sourceforge.jp/2.5/chapter-9.html.en






Tomoyo , .

.



ps. mac. Tomoyo, - caitsith.sourceforge.jp



Update!



Tomoyo .

ld-linux.so.2 .



.



:



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any





, .














.

<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -








, .



/bin/bash, , sshd .

- .

/sbin/init ..... /bin/bash

/sbin/init ..... /usr/sbin/sshd /bin/bash



.

, bash - . bash - , . Tomoyo.



tomoyo-editpolicy.



tomoyo-editpolicy







. .







W , D (w & d).



2.



. , , , . .



file execute /bin/ls - ls







, .



file execute /bin/ls task.uid=0 - ls .







3. .

, , .



4 .

0 - , .

1 - , .

2 - , 0

3 - , , .



tomoyo-editpolicy (w & p)







- 3



4. .

, - . . . - , . .



tomoyo-editpolicy (w & e)







5.



:



/etc/tomoyo/domain_policy.conf -

/etc/tomoyo/profile.conf -

/etc/tomoyo/exception_policy.conf -



, tomoyo-editpolicy , . . !



.



6.



tomoyo-editpolicy - . .

tomoyo-loadpolicy - .

tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .

tomoyo-checkpolicy - .



, .



Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en



: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en



Tomoyo.

1. GRUB /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"



update-grub



2. :

aptitude install tomoyo-tools



3. :

/usr/lib/tomoyo/init_policy

.



4. !

Tomoyo, . , e grub :

security=tomoyo



security=none





midori.

, , , .

, midori.



initialize_domain.



tomoyo-editpolicy.

Exeption Policy Editor (w & e) A :



initialize_domain /usr/bin/midori from any











.

tomoyo.sourceforge.jp/2.5/chapter-5.html.en




Domain Transition Editor (w & d)



/usr/bin/midori *



S , 1.







midori , . , , .

midori.



Domain Transition Editor Enter Domain Policy Editor, midori .







.



@ . .



. .



.







/home/home/.config/midori/



(append) .



file read/write/unlink/truncate/rename /home/home/.config/midori/\*







.



, D , .



, , /home/home/.config/midori/



file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*









tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard



tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




.







, .



network inet stream connect 0.0.0.0-255.255.255.255 80-443



//



, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




, .



, , midori /etc/passwd







.



D, .

Domain Transition Editor (w & d), S 1 3.

.

? . ? .



.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







:

tomoyo-savepolicy -d



.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'



, .

>> /etc/tomoyo/domain_policy.conf



.



midori



/etc/tomoyo/domain_policy.conf
<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53









.



tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf







, , .



exception_policy.conf



path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*







domain_policy.conf, .



file read/write/append/unlink/truncate @Midoi_Allow







, , Tomoyo.



tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







, - - , .



tomoyo-auditd , /var/log/tomoyo .





wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






Tomoyo , .



/home /tmp root.

.



.



/etc/tomoyo/profile.conf
4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }



.



/etc/tomoyo/exception_policy.conf
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any









:



/etc/tomoyo/domain_policy.conf
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0







.



1.

midori \-midori , file execute /usr/bin/medit ?



Tomoyo. , . , .



initialize_domain /usr/bin/midori from any medit, .



2.

file execute @ALLOW_EXEC_ROOT task.uid=0






, , .



.

tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3.

keep_domain any from <kernel>





. .



initialize_domain /usr/bin/midori from any





, . keep_domain.



4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }





. use_profile 4, .



.

tomoyo.sourceforge.jp/2.5/chapter-9.html.en
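An added example (my own code, not from the page or the TOMOYO project) that serves both the midori domain policy with its @Midoi_Allow path_group and the profile-4 execute whitelist above: it re-implements TOMOYO's pathname matching for \*, the \- exclusion, \{\*\}/ recursion and @path_group references, then reports which accesses an enforcing domain would grant. The policy text, the paths checked and the uid values are constructed for the demo and trimmed from the page's listings; conditions other than task.uid are not modelled, and wildcards other than \* raise an error rather than guessing.

```python
r"""Added example (not from the page or the TOMOYO project): an offline checker that
answers "would this domain be allowed this access?" from TOMOYO 2.x policy text by
re-implementing the kernel's matching of \*, \- (exclusion), \{X\}/ and @path_group."""
from collections import defaultdict

def _match_simple(name, pat):
    r"""One path component against a pattern without \- (\* = zero or more non-'/' chars)."""
    if not pat:
        return not name
    if pat[0] != '\\':                       # literal character
        return bool(name) and name[0] == pat[0] and _match_simple(name[1:], pat[1:])
    if pat[1:2] == '*':
        return any(_match_simple(name[i:], pat[2:]) for i in range(len(name) + 1))
    raise ValueError('wildcard not modelled here: ' + pat[:2])

def _match_component(name, pat):
    r"""'A\-B\-C' matches when A matches and neither B nor C does (kernel semantics)."""
    base, *excluded = pat.split(r'\-')
    return _match_simple(name, base) and not any(_match_simple(name, e) for e in excluded)

def path_matches(path, pattern):
    """Whole-pathname match; arguments are strings or lists of '/'-separated components."""
    f = path.split('/') if isinstance(path, str) else path
    p = pattern.split('/') if isinstance(pattern, str) else pattern
    if not p:
        return not f
    if p[0].startswith(r'\{') and p[0].endswith(r'\}'):
        # \{X\}/ eats one component at a time, retrying the rest after each, and never
        # eats the last one: /a/\{\*\}/\* needs a directory between /a/ and the file.
        for i in range(len(f) - 1):
            if not _match_component(f[i], p[0][2:-2]):
                return False
            if path_matches(f[i + 1:], p[1:]):
                return True
        return False
    return bool(f) and _match_component(f[0], p[0]) and path_matches(f[1:], p[1:])

def parse_exception_policy(text):
    """path_group lines -> {group_name: [pattern, ...]}."""
    groups = defaultdict(list)
    for t in (line.split() for line in text.splitlines()):
        if len(t) == 3 and t[0] == 'path_group':
            groups[t[1]].append(t[2])
    return groups

def parse_domain_policy(text):
    """-> {domain: [(ops, path_or_@group, {cond: value})]}; 'file' entries only."""
    domains, current = {}, None
    for t in (line.split() for line in text.splitlines()):
        if t and t[0] == '<kernel>':
            current = domains.setdefault(' '.join(t), [])
        elif t and t[0] == 'file' and current is not None:
            conds = dict(c.split('=', 1) for c in t[3:] if '=' in c)
            current.append((set(t[1].split('/')), t[2], conds))
    return domains

def is_allowed(domains, groups, domain, op, path, uid):
    """Enforcing-mode decision: True only if an entry of `domain` grants `op` on `path`
    and its task.uid condition, if any, equals `uid` (other conditions not modelled)."""
    for ops, target, conds in domains.get(domain, []):
        if op not in ops or ('task.uid' in conds and int(conds['task.uid']) != uid):
            continue
        patterns = groups.get(target[1:], []) if target.startswith('@') else [target]
        if any(path_matches(path, pat) for pat in patterns):
            return True
    return False

# Constructed sample policies modelled on the midori domain and the execute
# whitelist shown on this page (trimmed; not the page's full listings).
EXCEPTION_POLICY = r"""
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\*
"""
DOMAIN_POLICY = r"""
<kernel>
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori
<kernel> /usr/bin/midori
file read /etc/ssl/certs/ca-certificates.crt
file read/write/append/unlink/truncate @Midoi_Allow
"""

def review():
    """Decision table for accesses a policy reviewer would want to confirm (constructed)."""
    groups, domains = parse_exception_policy(EXCEPTION_POLICY), parse_domain_policy(DOMAIN_POLICY)
    midori = '<kernel> /usr/bin/midori'
    checks = [(midori, 'write', '/home/home/.config/midori/config', 1000),
              (midori, 'write', '/home/home/.config/midori/cookies/db', 1000),
              (midori, 'write', '/home/home/.ssh/id_rsa', 1000),
              ('<kernel>', 'execute', '/usr/bin/gcc', 1000),
              ('<kernel>', 'execute', '/usr/bin/medit', 1000),
              ('<kernel>', 'execute', '/home/home/downloaded.sh', 1000),
              ('<kernel>', 'execute', '/home/home/downloaded.sh', 0)]
    return {c: is_allowed(domains, groups, *c) for c in checks}
```

Calling review() shows that /usr/bin/medit is granted only by its explicit entry (the \-medit exclusion keeps it out of @ALLOW_EXEC), and that a file under /home is executable from <kernel> only when task.uid is 0.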






Tomoyo , .

.



ps. mac. Tomoyo, - caitsith.sourceforge.jp



Update!



Tomoyo .

ld-linux.so.2 .



.



:



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any





, .








 
      

.

<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -








, .



/bin/bash, , sshd .

- .

/sbin/init ..... /bin/bash

/sbin/init ..... /usr/sbin/sshd /bin/bash



.

, bash - . bash - , . Tomoyo.



tomoyo-editpolicy.



tomoyo-editpolicy







. .







W , D (w & d).



2.



. , , , . .



file execute /bin/ls - ls







, .



file execute /bin/ls task.uid=0 - ls .







3. .

, , .



4 .

0 - , .

1 - , .

2 - , 0

3 - , , .



tomoyo-editpolicy (w & p)







- 3



4. .

, - . . . - , . .



tomoyo-editpolicy (w & e)







5.



:



/etc/tomoyo/domain_policy.conf -

/etc/tomoyo/profile.conf -

/etc/tomoyo/exception_policy.conf -



, tomoyo-editpolicy , . . !



.



6.



tomoyo-editpolicy - . .

tomoyo-loadpolicy - .

tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .

tomoyo-checkpolicy - .



, .



Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en



: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en



Tomoyo.

1. GRUB /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"



update-grub



2. :

aptitude install tomoyo-tools



3. :

/usr/lib/tomoyo/init_policy

.



4. !

Tomoyo, . , e grub :

security=tomoyo



security=none





midori.

, , , .

, midori.



initialize_domain.



tomoyo-editpolicy.

Exeption Policy Editor (w & e) A :



initialize_domain /usr/bin/midori from any











.

tomoyo.sourceforge.jp/2.5/chapter-5.html.en




Domain Transition Editor (w & d)



/usr/bin/midori *



S , 1.







midori , . , , .

midori.



Domain Transition Editor Enter Domain Policy Editor, midori .







.



@ . .



. .



.







/home/home/.config/midori/



(append) .



file read/write/unlink/truncate/rename /home/home/.config/midori/\*







.



, D , .



, , /home/home/.config/midori/



file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*









tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard



tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




.







, .



network inet stream connect 0.0.0.0-255.255.255.255 80-443



//



, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




, .



, , midori /etc/passwd







.



D, .

Domain Transition Editor (w & d), S 1 3.

.

? . ? .



.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







:

tomoyo-savepolicy -d



.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'



, .

>> /etc/tomoyo/domain_policy.conf



.



midori



/etc/tomoyo/domain_policy.conf

<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53









.



tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf







, , .



exception_policy.conf



path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*







domain_policy.conf, .



file read/write/append/unlink/truncate @Midoi_Allow



, , Tomoyo.



tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







, - - , .



tomoyo-auditd writes the audit log to /var/log/tomoyo.





wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






Tomoyo , .



Execution from /home and /tmp is allowed only for root.

.



.



/etc/tomoyo/profile.conf

4-COMMENT=-----Enforcing file::execute only-----

4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }

4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }



.



/etc/tomoyo/exception_policy.conf

path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any









:



/etc/tomoyo/domain_policy.conf

<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0







.



1.

midori \-midori , file execute /usr/bin/medit ?



Tomoyo. , . , .



initialize_domain /usr/bin/midori from any medit, .



2.

file execute @ALLOW_EXEC_ROOT task.uid=0






, , .



.

tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3.

keep_domain any from <kernel>





. .



initialize_domain /usr/bin/midori from any





, . keep_domain.



4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }





. use_profile 4, .



.

tomoyo.sourceforge.jp/2.5/chapter-9.html.en
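The system-wide policy above (profile 4, the ALLOW_EXEC groups, the task.uid=0 condition and the two transition directives) can be reasoned about offline. The following Python is an added example, not code from the article or from tomoyo-tools; it models the kernel's pattern rules for \*, \{\*\}/ and \- and the initialize_domain/keep_domain precedence on a subset of the page's path groups, and that model is an assumption to confirm with tomoyo-checkpolicy and the reject log on a real system.

```python
"""Offline model of the article's system-wide TOMOYO 2.5 exec policy.

Added example, not code from the article or from tomoyo-tools. It models the
kernel pattern rules the policy relies on (an assumption, not the kernel code):
\\* matches one path component, \\{\\*\\}/ one or more directory levels, \\-
excludes the pieces after it, and initialize_domain beats keep_domain.
"""
import re

# Subset of the article's exception policy (constructed from its path groups).
EXCEPTION_POLICY = r"""
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any
"""
KERNEL_DOMAIN_POLICY = r"""
<kernel>
use_profile 4
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori
"""
_SIMPLE = {"*": "[^/]*", "?": "[^/]", "$": "[0-9]+", "+": "[0-9]"}

def _piece_matches(name, pat):
    """Match one path component against a pattern piece without \\-."""
    regex, i = "", 0
    while i < len(pat):
        if pat[i] == "\\" and i + 1 < len(pat):
            regex += _SIMPLE.get(pat[i + 1], re.escape(pat[i + 1]))
            i += 2
        else:
            regex += re.escape(pat[i])
            i += 1
    return re.fullmatch(regex, name) is not None

def _component_matches(name, pat):
    """\\- splits a component: first piece must match, later pieces must not."""
    first, *excluded = pat.split(r"\-")
    return _piece_matches(name, first) and not any(
        _piece_matches(name, p) for p in excluded)

def _match(fc, pc):  # fc / pc: remaining file and pattern components
    if not pc:
        return not fc
    if pc[0].startswith(r"\{") and pc[0].endswith(r"\}"):
        inner = pc[0][2:-2]                 # \{\*\} -> \*
        for n in range(1, len(fc) + 1):     # consume one or more levels
            if not _component_matches(fc[n - 1], inner):
                break
            if _match(fc[n:], pc[1:]):
                return True
        return False
    return bool(fc) and _component_matches(fc[0], pc[0]) and _match(fc[1:], pc[1:])

def path_matches(path, pattern):
    return _match(path.split("/")[1:], pattern.split("/")[1:])

def parse_policy(exception_text, domain_text):
    groups, transitions, exec_rules = {}, [], []
    for parts in (line.split() for line in exception_text.splitlines()):
        if parts and parts[0] == "path_group":
            groups.setdefault(parts[1], []).append(parts[2])
        elif parts and parts[0] in ("initialize_domain", "keep_domain"):
            transitions.append((parts[0], parts[1], parts[3]))  # kind, program, from
    for parts in (line.split() for line in domain_text.splitlines()):
        if parts[:2] == ["file", "execute"]:
            exec_rules.append((parts[2], parts[3:]))  # target, conditions
    return groups, transitions, exec_rules

def exec_allowed(policy, path, uid):
    """Would 'file execute' of path succeed for this uid in the <kernel> domain?"""
    groups, _, exec_rules = policy
    for target, conds in exec_rules:
        patterns = groups.get(target[1:], []) if target.startswith("@") else [target]
        # Only the task.uid= condition is modelled; anything else fails closed.
        conds_ok = all(c.startswith("task.uid=") and uid == int(c[9:]) for c in conds)
        if conds_ok and any(path_matches(path, p) for p in patterns):
            return True
    return False

def next_domain(policy, current, program):
    """Domain the process lands in after exec (initialize_domain beats keep_domain)."""
    _, transitions, _ = policy
    for wanted in ("initialize_domain", "keep_domain"):
        for kind, prog, source in transitions:
            if kind != wanted or prog not in ("any", program):
                continue
            if source not in ("any", current, current.split()[-1]):
                continue
            return "<kernel> " + program if kind == "initialize_domain" else current
    return current + " " + program

POLICY = parse_policy(EXCEPTION_POLICY, KERNEL_DOMAIN_POLICY)
```

With this model, /usr/bin/medit is not covered by the ALLOW_EXEC group (the \-medit exclusion removes it), which is exactly why the domain policy needs its explicit file execute line.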






Tomoyo , .

.



ps. mac. Tomoyo, - caitsith.sourceforge.jp



Update!



Tomoyo .

ld-linux.so.2 .



.



:



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any





, .















.



@ . .



. .



.







/home/home/.config/midori/



(append) .



file read/write/unlink/truncate/rename /home/home/.config/midori/\*







.



, D , .



, , /home/home/.config/midori/



file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*









tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard



tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




.







, .



network inet stream connect 0.0.0.0-255.255.255.255 80-443



//



, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




, .



, , midori /etc/passwd







.



D, .

Domain Transition Editor (w & d), S 1 3.

.

? . ? .



.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







:

tomoyo-savepolicy -d



.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'



, .

>> /etc/tomoyo/domain_policy.conf



.
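A model of what the tomoyo-selectpolicy -r step of that pipeline keeps, as an added Python example that is not part of the article or of tomoyo-tools: the dump is constructed in the block-per-domain format tomoyo-savepolicy -d prints, and the rule that -r also selects child domains (the name followed by a space) is an assumption about the tool's behaviour.

```python
"""Model of 'tomoyo-savepolicy -d | tomoyo-selectpolicy -r DOMAIN'.

Added example, not the article's code and not tomoyo-tools. Shows which
domain blocks the recursive selection keeps before they are appended to
/etc/tomoyo/domain_policy.conf with '>>'.
"""

# Constructed dump in the shape tomoyo-savepolicy -d prints: one block per
# domain, blocks separated by a blank line, each starting with the domain name.
SAMPLE_DUMP = """\
<kernel>
use_profile 4
use_group 0
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0
file read /etc/xdg/midori/search

<kernel> /usr/bin/midori /bin/sh
use_profile 3
use_group 0

<kernel> /usr/bin/midori-helper
use_profile 3
use_group 0
"""

def parse_dump(text):
    """Split a domain-policy dump into (domain_name, [entries]) pairs."""
    domains = []
    for block in text.strip().split("\n\n"):
        name, *entries = block.splitlines()
        if not name.startswith("<kernel>"):
            raise ValueError("block does not start with a domain name: " + name)
        domains.append((name, entries))
    return domains

def select_policy(text, domain, recursive=True):
    """Keep the named domain; with -r (assumed: name + space prefix) its children too."""
    return [(name, entries) for name, entries in parse_dump(text)
            if name == domain or (recursive and name.startswith(domain + " "))]

def render(selected):
    """Format selected blocks the way the dump prints them, ready for '>>'."""
    return "\n\n".join("\n".join([name] + entries) for name, entries in selected) + "\n"
```

Note that the constructed sibling <kernel> /usr/bin/midori-helper is not selected: a prefix match on the bare string would have swept it in, which is why the child test requires the separating space.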



midori






.

tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3.

keep_domain any from <kernel>





. .



initialize_domain /usr/bin/midori from any





, . keep_domain.



4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }





. use_profile 4, .



.

tomoyo.sourceforge.jp/2.5/chapter-9.html.en






Tomoyo , .

.



ps. mac. Tomoyo, - caitsith.sourceforge.jp



Update!



Tomoyo .

ld-linux.so.2 .



.



:



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any





, .










.

<kernel>
<kernel> /sbin/init
<kernel> /sbin/init /etc/rc.d/rc
<kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3








, .



/bin/bash, , sshd .

- .

/sbin/init ..... /bin/bash

/sbin/init ..... /usr/sbin/sshd /bin/bash



.

, bash - . bash - , . Tomoyo.



tomoyo-editpolicy.



tomoyo-editpolicy







. .







W , D (w & d).



2.



. , , , . .



file execute /bin/ls - ls







, .



file execute /bin/ls task.uid=0 - ls .







3. .

, , .



4 .

0 - , .

1 - , .

2 - , 0

3 - , , .



tomoyo-editpolicy (w & p)







- 3



4. .

, - . . . - , . .



tomoyo-editpolicy (w & e)







5.



:



/etc/tomoyo/domain_policy.conf -

/etc/tomoyo/profile.conf -

/etc/tomoyo/exception_policy.conf -



, tomoyo-editpolicy , . . !



.



6.



tomoyo-editpolicy - . .

tomoyo-loadpolicy - .

tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .

tomoyo-checkpolicy - .



, .



Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en



: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en



Tomoyo.

1. GRUB /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"



update-grub



2. :

aptitude install tomoyo-tools



3. :

/usr/lib/tomoyo/init_policy

.



4. !

Tomoyo, . , e grub :

security=tomoyo



security=none





midori.

, , , .

, midori.



initialize_domain.



tomoyo-editpolicy.

Exception Policy Editor (w & e) A :



initialize_domain /usr/bin/midori from any











.

tomoyo.sourceforge.jp/2.5/chapter-5.html.en




Domain Transition Editor (w & d)



/usr/bin/midori *



S , 1.







midori , . , , .

midori.



Domain Transition Editor Enter Domain Policy Editor, midori .







.



@ . .



. .



.







/home/home/.config/midori/



(append) .



file read/write/unlink/truncate/rename /home/home/.config/midori/\*







.



, D , .



, , /home/home/.config/midori/



file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*









tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard



tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




.







, .



network inet stream connect 0.0.0.0-255.255.255.255 80-443



//



, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




, .



, , midori /etc/passwd







.



D, .

Domain Transition Editor (w & d), S 1 3.

.

? . ? .



.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







:

tomoyo-savepolicy -d



.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'



, .

>> /etc/tomoyo/domain_policy.conf



.



midori



/etc/tomoyo/domain_policy.conf

<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53
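Everything in the listing above was recorded while the midori domain sat in learning mode, and it is exactly the list a reviewer has to trim before the domain is switched to enforcing. The script below is an added example, not part of the article or of tomoyo-tools: it runs two review heuristics of my own choosing (write-class permissions whose target is a whole directory or subtree, and inet rules whose address range is wider than one /24) over a constructed subset of the midori policy listed above and returns the entries that deserve a second look, such as the read/write/unlink grant on /home/home/\{\*\}/\* and the connect rule to 0.0.0.0-255.255.255.255.

```python
"""Review helper for a TOMOYO domain policy recorded in learning mode.

Added example, not code from the article or from tomoyo-tools.  The two
heuristics (write-class access to a whole directory or subtree, and inet
rules covering more than one /24 of addresses) are my own review
thresholds, not anything TOMOYO defines.
"""
import ipaddress
from typing import List, Tuple

Finding = Tuple[str, str]  # (reason, offending policy line)

# Permissions that modify the filesystem; read/getattr/ioctl are left alone.
WRITE_PERMS = {"write", "append", "create", "unlink", "truncate", "rename",
               "chmod", "chown", "chgrp", "mkdir", "rmdir", "link", "symlink"}


def _is_tree_pattern(target: str) -> bool:
    """True for patterns covering a whole directory ('.../\\*') or subtree ('\\{...\\}/')."""
    return "\\{" in target or target.endswith("/\\*")


def _hosts_in_range(field: str) -> int:
    """Addresses an inet rule's 'A' or 'A-B' field covers (0 for an @group)."""
    if field.startswith("@"):
        return 0
    lo, _, hi = field.partition("-")
    first = ipaddress.ip_address(lo)
    last = ipaddress.ip_address(hi) if hi else first
    return int(last) - int(first) + 1


def review_domain_policy(policy: str) -> List[Finding]:
    """Return (reason, line) pairs for entries a reviewer should look at twice."""
    findings: List[Finding] = []
    for raw in policy.splitlines():
        parts = raw.split()
        if len(parts) < 3:
            continue  # blank lines, the domain header, use_profile / use_group
        if parts[0] == "file":
            perms = set(parts[1].split("/"))
            if perms & WRITE_PERMS and _is_tree_pattern(parts[2]):
                findings.append(("write-class access to a whole directory or subtree", raw))
        elif parts[0] == "network" and parts[1] == "inet" and len(parts) >= 6:
            if _hosts_in_range(parts[4]) > 256:
                findings.append(("reaches more than a single /24 of hosts", raw))
    return findings


# Constructed subset of the learned midori policy listed on this page.
SAMPLE_POLICY = r"""
<kernel> /usr/bin/midori
use_profile 3
use_group 0
file read /etc/ssl/certs/ca-certificates.crt
file read /dev/urandom
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /usr/share/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53
"""

if __name__ == "__main__":
    for reason, line in review_domain_policy(SAMPLE_POLICY):
        print(f"{reason}: {line}")
```

A reported line is not necessarily wrong (a browser does have to save downloads somewhere), but each one is a decision to take deliberately rather than inherit from learning mode; narrowing the home-directory entries to a path_group, as the article does with Midoi_Allow further down, is the usual remedy.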









.



tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf







, , .



exception_policy.conf



path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*







domain_policy.conf, .



file read/write/append/unlink/truncate @Midoi_Allow
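The difference between /home/home/.config/midori/\* and /home/home/.config/midori/\{\*\}/\* explained earlier, and the way @Midoi_Allow expands to its path_group entries here, can be checked without a TOMOYO kernel. The matcher below is an added example, not code from the article or from tomoyo-tools. It reimplements in Python the subset of the TOMOYO 2.5 pattern rules this page uses (\*, \?, the \- subtraction operator and the recursive \{\*\}/ component), following the kernel's component-by-component matching, and resolves @group references from path_group lines copied from this page and embedded as constructed input. It goes a little beyond this passage in that it also handles \-, which the ALLOW_EXEC group further down relies on.

```python
"""Matcher for the TOMOYO 2.5 path-pattern subset used on this page.

Added example, not code from the article or from tomoyo-tools.  Supports
"\\*" (any run of characters other than '/'), "\\?" (one such character),
the "\\-" subtraction operator and the recursive "\\{dir\\}/" component;
other tokens ("\\$", "\\@", "\\x", octal escapes) raise ValueError.
"""
from typing import Dict, List


def _split_subtraction(pat: str) -> List[str]:
    """Split 'A\\-B\\-C' into ['A', 'B', 'C'], leaving other escapes intact."""
    parts, cur, i = [], [], 0
    while i < len(pat):
        if pat[i] == "\\" and i + 1 < len(pat):
            if pat[i + 1] == "-":
                parts.append("".join(cur))
                cur = []
            else:
                cur.append(pat[i:i + 2])
            i += 2
        else:
            cur.append(pat[i])
            i += 1
    parts.append("".join(cur))
    return parts


def _component_matches(name: str, pat: str) -> bool:
    """Match one path component (no '/') against a pattern without '\\-'."""
    if not pat:
        return name == ""
    if pat[0] == "\\" and len(pat) > 1:
        tok, rest = pat[1], pat[2:]
        if tok == "*":  # zero or more characters
            return any(_component_matches(name[i:], rest) for i in range(len(name) + 1))
        if tok == "?":  # exactly one character
            return bool(name) and _component_matches(name[1:], rest)
        raise ValueError("unsupported pattern token \\" + tok)
    return bool(name) and name[0] == pat[0] and _component_matches(name[1:], pat[1:])


def _component_allowed(name: str, pat: str) -> bool:
    """'A\\-B\\-C' matches when the component matches A but neither B nor C."""
    first, *excluded = _split_subtraction(pat)
    return _component_matches(name, first) and not any(
        _component_matches(name, p) for p in excluded)


def _components_match(f: List[str], p: List[str]) -> bool:
    if not p:
        return not f
    if not f:
        return False
    head = p[0]
    if head.startswith("\\{") and head.endswith("\\}"):
        # "\{dir\}/" consumes one or more consecutive components matching dir;
        # like the kernel, it requires more path to remain after them.
        inner, i = head[2:-2], 0
        while i < len(f) and _component_allowed(f[i], inner):
            i += 1
            if i == len(f):
                return False
            if _components_match(f[i:], p[1:]):
                return True
        return False
    return _component_allowed(f[0], head) and _components_match(f[1:], p[1:])


def path_matches(path: str, pattern: str) -> bool:
    """True if an absolute path matches a TOMOYO path pattern."""
    if not path.startswith("/") or not pattern.startswith("/"):
        raise ValueError("absolute paths expected")
    if path.endswith("/") != pattern.endswith("/"):
        return False  # a directory only matches a directory pattern
    return _components_match(path.split("/")[1:], pattern.split("/")[1:])


def parse_path_groups(exception_policy: str) -> Dict[str, List[str]]:
    """Collect 'path_group NAME PATTERN' lines of an exception policy."""
    groups: Dict[str, List[str]] = {}
    for line in exception_policy.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "path_group":
            groups.setdefault(parts[1], []).append(parts[2])
    return groups


def path_allowed(path: str, target: str, groups: Dict[str, List[str]]) -> bool:
    """Resolve a domain-policy target, which is either a pattern or '@group'."""
    if target.startswith("@"):
        return any(path_matches(path, pat) for pat in groups.get(target[1:], []))
    return path_matches(path, target)


# Constructed from the path_group lines shown on this page.
EXCEPTION_POLICY = r"""
path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /usr/\*
"""
```

Two details the matcher makes visible: \{\*\}/\* needs at least one directory component before the final one, so files directly inside .config/midori are covered only for the literal user home by the third path_group line and for nobody else; and the \-medit\-midori exclusion is applied to the last path component only, so /usr/lib/midori/libadblock.so is still inside ALLOW_EXEC.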







, , Tomoyo.



tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







, - - , .



tomoyo-auditd , /var/log/tomoyo .





wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






Tomoyo , .



/home /tmp root.

.



.



/etc/tomoyo/profile.conf

4-COMMENT=-----Enforcing file::execute only-----

4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }

4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }



.



/etc/tomoyo/exception_policy.conf

path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any









:



/etc/tomoyo/domain_policy.conf

<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0







.



1.

midori \-midori , file execute /usr/bin/medit ?



Tomoyo. , . , .



initialize_domain /usr/bin/midori from any medit, .



2.

file execute @ALLOW_EXEC_ROOT task.uid=0






, , .



.

tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3.

keep_domain any from <kernel>





. .



initialize_domain /usr/bin/midori from any





, . keep_domain.
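How the domain chains from the Basics section (<kernel>, then /sbin/init ..... /usr/sbin/sshd /bin/bash) and the two rules keep_domain any from <kernel> and initialize_domain /usr/bin/midori from any combine can be worked through with the resolver below. It is an added example, not code from the article or from tomoyo-tools: it models the domain-name construction rule and the precedence of initialize_domain over keep_domain in the order the kernel's tomoyo_transition_type() consults them, including the no_initialize_domain and no_keep_domain cancellations that this page does not use, and feeds it the two rules from this page's exception policy, embedded as constructed input. Program names are compared literally; pattern and @group forms of the program field are not modelled.

```python
"""Resolver for TOMOYO 2.5 domain transitions.

Added example, not code from the article or from tomoyo-tools.  A domain
name is the chain of programs executed since boot.  Exception-policy rules
are consulted in the order of the kernel's tomoyo_transition_type():
  no_initialize_domain  cancels a matching initialize_domain
  initialize_domain     the new process starts over at "<kernel> PROG"
  no_keep_domain        cancels a matching keep_domain
  keep_domain           the process stays in its current domain
Anything else appends PROG to the current domain name.
"""
from dataclasses import dataclass
from typing import List

KINDS = ("no_initialize_domain", "initialize_domain", "no_keep_domain", "keep_domain")


@dataclass(frozen=True)
class Transition:
    kind: str     # one of KINDS
    program: str  # program being executed, or "any"
    domain: str   # "any", a full "<kernel> ..." domain name, or a bare program path

    def matches(self, current: str, program: str) -> bool:
        # Program names are compared literally; patterns and @groups are not modelled.
        if self.program != "any" and self.program != program:
            return False
        if self.domain == "any":
            return True
        if self.domain.startswith("<"):
            return self.domain == current          # whole domain name
        return self.domain == current.split()[-1]  # only the last program in the chain


def parse_transitions(exception_policy: str) -> List[Transition]:
    """Collect '<kind> PROG from DOMAIN' lines; DOMAIN may itself contain spaces."""
    rules: List[Transition] = []
    for line in exception_policy.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) == 4 and parts[0] in KINDS and parts[2] == "from":
            rules.append(Transition(parts[0], parts[1], parts[3].strip()))
    return rules


def next_domain(current: str, program: str, rules: List[Transition]) -> str:
    """Domain a process in `current` enters when it executes `program`."""
    def hit(kind: str) -> bool:
        return any(r.kind == kind and r.matches(current, program) for r in rules)

    if not hit("no_initialize_domain") and hit("initialize_domain"):
        return "<kernel> " + program
    if not hit("no_keep_domain") and hit("keep_domain"):
        return current
    return current + " " + program


def walk(start: str, chain: List[str], rules: List[Transition]) -> List[str]:
    """Domain reached after each exec in `chain`, starting from `start`."""
    out, cur = [], start
    for prog in chain:
        cur = next_domain(cur, prog, rules)
        out.append(cur)
    return out


# Constructed from the two transition rules in this page's exception policy.
EXCEPTION_POLICY = """
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any
"""

if __name__ == "__main__":
    chain = ["/sbin/init", "/usr/sbin/sshd", "/bin/bash", "/usr/bin/midori", "/bin/sh"]
    print("without rules:", walk("<kernel>", chain, []))
    print("page's rules: ", walk("<kernel>", chain, parse_transitions(EXCEPTION_POLICY)))
```

With the page's two rules every program started from <kernel> stays in <kernel>, midori alone is moved to its own <kernel> /usr/bin/midori domain wherever it is launched from, and anything midori itself spawns lands in a child of that domain, so it is judged by a domain policy of its own rather than by the permissive <kernel> one.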



4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }





. use_profile 4, .



.

tomoyo.sourceforge.jp/2.5/chapter-9.html.en






Tomoyo , .

.



ps. mac. Tomoyo, - caitsith.sourceforge.jp



Update!



Tomoyo .

ld-linux.so.2 .



.



:



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any





, .










.

<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -








, .



/bin/bash, , sshd .

- .

/sbin/init ..... /bin/bash

/sbin/init ..... /usr/sbin/sshd /bin/bash



.

, bash - . bash - , . Tomoyo.



tomoyo-editpolicy.



tomoyo-editpolicy







. .







W , D (w & d).



2.



. , , , . .



file execute /bin/ls - ls







, .



file execute /bin/ls task.uid=0 - ls .







3. .

, , .



4 .

0 - , .

1 - , .

2 - , 0

3 - , , .



tomoyo-editpolicy (w & p)







- 3



4. .

, - . . . - , . .



tomoyo-editpolicy (w & e)







5.



:



/etc/tomoyo/domain_policy.conf -

/etc/tomoyo/profile.conf -

/etc/tomoyo/exception_policy.conf -



, tomoyo-editpolicy , . . !



.



6.



tomoyo-editpolicy - . .

tomoyo-loadpolicy - .

tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .

tomoyo-checkpolicy - .



, .



Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en



: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en



Tomoyo.

1. GRUB /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"



update-grub



2. :

aptitude install tomoyo-tools



3. :

/usr/lib/tomoyo/init_policy

.



4. !

Tomoyo, . , e grub :

security=tomoyo



security=none





midori.

, , , .

, midori.



initialize_domain.



tomoyo-editpolicy.

Exeption Policy Editor (w & e) A :



initialize_domain /usr/bin/midori from any











.

tomoyo.sourceforge.jp/2.5/chapter-5.html.en




Domain Transition Editor (w & d)



/usr/bin/midori *



S , 1.







midori , . , , .

midori.



Domain Transition Editor Enter Domain Policy Editor, midori .







.



@ . .



. .



.







/home/home/.config/midori/



(append) .



file read/write/unlink/truncate/rename /home/home/.config/midori/\*







.



, D , .



, , /home/home/.config/midori/



file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*









tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard



tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




.







, .



network inet stream connect 0.0.0.0-255.255.255.255 80-443



//



, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




, .



, , midori /etc/passwd







.



D, .

Domain Transition Editor (w & d), S 1 3.

.

? . ? .



.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







:

tomoyo-savepolicy -d



.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'



, .

>> /etc/tomoyo/domain_policy.conf



.



midori



/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53









.



tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf







, , .



exception_policy.conf



path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*







domain_policy.conf, .



file read/write/append/unlink/truncate @Midoi_Allow







, , Tomoyo.



tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







, - - , .



tomoyo-auditd , /var/log/tomoyo .





wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






Tomoyo , .



/home /tmp root.

.



.



/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----

4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }

4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }



.



/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any









:



/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0







.



1.

midori \-midori , file execute /usr/bin/medit ?



Tomoyo. , . , .



initialize_domain /usr/bin/midori from any medit, .



2.

file execute @ALLOW_EXEC_ROOT task.uid=0






, , .



.

tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3.

keep_domain any from <kernel>





. .



initialize_domain /usr/bin/midori from any





, . keep_domain.



4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }





. use_profile 4, .



.

tomoyo.sourceforge.jp/2.5/chapter-9.html.en






Tomoyo , .

.



ps. mac. Tomoyo, - caitsith.sourceforge.jp



Update!



Tomoyo .

ld-linux.so.2 .



.



:



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any





, .










.

<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -








, .



/bin/bash, , sshd .

- .

/sbin/init ..... /bin/bash

/sbin/init ..... /usr/sbin/sshd /bin/bash



.

, bash - . bash - , . Tomoyo.



tomoyo-editpolicy.



tomoyo-editpolicy







. .







W , D (w & d).



2.



. , , , . .



file execute /bin/ls - ls







, .



file execute /bin/ls task.uid=0 - ls .







3. .

, , .



4 .

0 - , .

1 - , .

2 - , 0

3 - , , .



tomoyo-editpolicy (w & p)







- 3



4. .

, - . . . - , . .



tomoyo-editpolicy (w & e)







5.



:



/etc/tomoyo/domain_policy.conf -

/etc/tomoyo/profile.conf -

/etc/tomoyo/exception_policy.conf -



, tomoyo-editpolicy , . . !



.



6.



tomoyo-editpolicy - . .

tomoyo-loadpolicy - .

tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .

tomoyo-checkpolicy - .



, .



Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en



: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en



Tomoyo.

1. GRUB /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"



update-grub



2. :

aptitude install tomoyo-tools



3. :

/usr/lib/tomoyo/init_policy

.



4. !

Tomoyo, . , e grub :

security=tomoyo



security=none





midori.

, , , .

, midori.



initialize_domain.



tomoyo-editpolicy.

Exeption Policy Editor (w & e) A :



initialize_domain /usr/bin/midori from any











.

tomoyo.sourceforge.jp/2.5/chapter-5.html.en




Domain Transition Editor (w & d)



/usr/bin/midori *



S , 1.







midori , . , , .

midori.



Domain Transition Editor Enter Domain Policy Editor, midori .







.



@ . .



. .



.







/home/home/.config/midori/



(append) .



file read/write/unlink/truncate/rename /home/home/.config/midori/\*







.



, D , .



, , /home/home/.config/midori/



file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*









tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard



tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




.







, .



network inet stream connect 0.0.0.0-255.255.255.255 80-443



//



, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




, .



, , midori /etc/passwd







.



D, .

Domain Transition Editor (w & d), S 1 3.

.

? . ? .



.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







:

tomoyo-savepolicy -d



.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'



, .

>> /etc/tomoyo/domain_policy.conf



.



midori



/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53









.



tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf







, , .



exception_policy.conf



.



@ . .



. .



.







/home/home/.config/midori/



(append) .



file read/write/unlink/truncate/rename /home/home/.config/midori/\*







.



, D , .



, , /home/home/.config/midori/



file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*









tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard



tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




.







, .



network inet stream connect 0.0.0.0-255.255.255.255 80-443



//



, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




, .



, , midori /etc/passwd







.



D, .

Domain Transition Editor (w & d), S 1 3.

.

? . ? .



.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







:

tomoyo-savepolicy -d



.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'



, .

>> /etc/tomoyo/domain_policy.conf



.



midori



/etc/tomoyo/domain_policy.conf
<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53









.



tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf







, , .



exception_policy.conf



path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*







domain_policy.conf, .



file read/write/append/unlink/truncate @Midoi_Allow







, , Tomoyo.



tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







, - - , .



tomoyo-auditd , /var/log/tomoyo .





wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






Tomoyo , .



/home /tmp root.

.



.



/etc/tomoyo/profile.conf
4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }



.



/etc/tomoyo/exception_policy.conf
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any









:



/etc/tomoyo/domain_policy.conf
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0
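To check what the @Midoi_Allow group above and this system-wide execute policy actually permit, here is an added example (my code, not the article's or tomoyo-tools'): a small Python evaluator for the three TOMOYO pattern operators these policies use, run against an abridged copy of the article's two policy files. The test paths and uid values in it are made up.

```python
# Added example (not from the article or tomoyo-tools): evaluates the three TOMOYO 2.5 pattern
# operators in the article's policies (\*, \{\*\}/, \-) against an abridged copy of those policies.
import re

def _simple_match(name, pattern):
    """Match one path component; only literal text and \\* (any run without '/') are supported."""
    regex = "[^/]*".join(re.escape(part) for part in pattern.split("\\*"))
    return re.fullmatch(regex, name) is not None

def _component_matches(name, pattern):
    """\\- is the subtraction operator: the first pattern must match and the later ones must not."""
    first, *excluded = pattern.split("\\-")
    return _simple_match(name, first) and not any(_simple_match(name, p) for p in excluded)

def _match_components(names, pats):
    if not pats:
        return not names
    head = pats[0]
    if head.startswith("\\{") and head.endswith("\\}"):
        # \{pat\}/ is recursive: it consumes one or more directory components matching pat, so
        # /home/\{\*\}/\* needs a subdirectory, which is why the article also lists /home/\*.
        inner = head[2:-2]
        for k in range(len(names)):
            if not _component_matches(names[k], inner):
                return False
            if _match_components(names[k + 1:], pats[1:]):
                return True
        return False
    return bool(names) and _component_matches(names[0], head) and _match_components(names[1:], pats[1:])

def path_matches(path, pattern):
    """Match an absolute path against a TOMOYO pattern; a directory only matches a pattern ending in '/'."""
    if path.endswith("/") != pattern.endswith("/"):
        return False
    return _match_components(path.split("/")[1:], pattern.split("/")[1:])

def parse_policy(exception_text, domain_text):
    """Collect path_group members from the exception policy and the rules of every domain."""
    groups, domains, current = {}, {}, None
    for line in exception_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "path_group":
            groups.setdefault(parts[1], []).append(parts[2])
    for line in domain_text.splitlines():
        line = line.strip()
        if line.startswith("<kernel>"):        # a domain name opens a new block of rules
            current = domains.setdefault(line, [])
        elif line and current is not None:
            current.append(line)
    return groups, domains

def is_allowed(groups, domains, domain, operation, path, uid=None):
    """True if a 'file' rule of `domain` grants `operation` on `path` (profile assumed enforcing)."""
    for rule in domains.get(domain, []):
        parts = rule.split()
        if len(parts) < 3 or parts[0] != "file" or operation not in parts[1].split("/"):
            continue
        if "task.uid=0" in parts[3:] and uid != 0:   # the only condition the article uses
            continue
        target = parts[2]                            # a literal path or an @path_group
        patterns = groups.get(target[1:], []) if target.startswith("@") else [target]
        if any(path_matches(path, p) for p in patterns):
            return True
    return False

# Abridged copies of the article's exception_policy.conf and domain_policy.conf.
EXCEPTION_POLICY = r"""
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*
"""
DOMAIN_POLICY = r"""
<kernel>
use_profile 4
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
file read/write/append/unlink/truncate @Midoi_Allow
"""

if __name__ == "__main__":
    groups, domains = parse_policy(EXCEPTION_POLICY, DOMAIN_POLICY)
    for domain, op, path, uid in [
        ("<kernel>", "execute", "/usr/bin/vim", 1000),      # matched through \{\*\}/ in ALLOW_EXEC
        ("<kernel>", "execute", "/usr/bin/midori", 1000),   # excluded by \-midori, allowed explicitly
        ("<kernel>", "execute", "/home/home/evil", 1000),   # /home is executable only with task.uid=0
        ("<kernel> /usr/bin/midori", "read", "/etc/passwd", 1000),
    ]:
        print(domain, op, path, uid, "->", is_allowed(groups, domains, domain, op, path, uid))
```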







.



1.

midori \-midori , file execute /usr/bin/medit ?



Tomoyo. , . , .



initialize_domain /usr/bin/midori from any medit, .



2.

file execute @ALLOW_EXEC_ROOT task.uid=0






, , .



.

tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3.

keep_domain any from <kernel>





. .



initialize_domain /usr/bin/midori from any





, . keep_domain.
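As an added example for question 3 and for the domain naming scheme (<kernel> /sbin/init /usr/sbin/sshd /bin/bash) described earlier, not code from the article or tomoyo-tools: Python that computes the domain an executed program lands in under the keep_domain and initialize_domain rules above. The program paths are the article's; the function names are mine.

```python
# Added example (not from the article or tomoyo-tools): compute the domain a process lands in
# after execve() under TOMOYO 2.5 transition control. Only initialize_domain and keep_domain
# are modelled (the article uses no reset_domain or no_* rules); execute permission is assumed.

def parse_transition_rules(exception_text):
    """Return (kind, program, source) triples from initialize_domain/keep_domain lines.

    'any' means no restriction. A source that does not start with '<' is a program name and
    is compared with the last program of the parent domain, as the kernel does.
    """
    rules = []
    for line in exception_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("initialize_domain", "keep_domain"):
            continue
        if len(parts) >= 4 and parts[2] == "from":       # "<kind> <program> from <domain|program>"
            rules.append((parts[0], parts[1], " ".join(parts[3:])))
        elif parts[0] == "keep_domain":                   # "keep_domain <domain>": any program from it
            rules.append(("keep_domain", "any", " ".join(parts[1:])))
        else:                                             # "initialize_domain <program>": from anywhere
            rules.append(("initialize_domain", parts[1], "any"))
    return rules

def _source_matches(source, parent):
    if source == "any":
        return True
    if source.startswith("<"):
        return source == parent
    return parent.split()[-1] == source

def next_domain(parent, program, rules):
    """Domain of `program` when executed from `parent`; initialize_domain wins over keep_domain."""
    for kind in ("initialize_domain", "keep_domain"):
        for rule_kind, rule_program, source in rules:
            if rule_kind != kind or rule_program not in ("any", program):
                continue
            if not _source_matches(source, parent):
                continue
            return "<kernel> " + program if kind == "initialize_domain" else parent
    return parent + " " + program      # ordinary transition: the program name is appended

def domain_chain(start, programs, rules):
    """Follow successive execve() calls from `start` and return every domain visited."""
    chain = [start]
    for program in programs:
        chain.append(next_domain(chain[-1], program, rules))
    return chain

# The transition rules from the article's system-wide exception policy and its update.
SYSTEM_RULES = parse_transition_rules(r"""
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any
initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
""")

if __name__ == "__main__":
    # Without transition rules every execve() extends the domain name, giving the
    # sshd -> bash chain from the start of the article.
    print(domain_chain("<kernel>", ["/sbin/init", "/usr/sbin/sshd", "/bin/bash"], []))
    # With the system-wide rules everything stays in <kernel> except the initialized programs.
    for program in ["/sbin/init", "/usr/bin/midori", "/lib/x86_64-linux-gnu/ld-2.13.so"]:
        print(program, "->", next_domain("<kernel>", program, SYSTEM_RULES))
    print(next_domain("<kernel> /usr/bin/midori", "/usr/bin/medit", SYSTEM_RULES))
```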



4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }





. use_profile 4, .



.

tomoyo.sourceforge.jp/2.5/chapter-9.html.en






Tomoyo , .

.



ps. mac. Tomoyo, - caitsith.sourceforge.jp



Update!



Tomoyo .

ld-linux.so.2 .



.



:



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any





, .













//



, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




, .



, , midori /etc/passwd







.



D, .

Domain Transition Editor (w & d), S 1 3.

.

? . ? .



.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







:

tomoyo-savepolicy -d



.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'



, .

>> /etc/tomoyo/domain_policy.conf



.



midori



/etc/tomoyo/domain_policy.conf
<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53









.



tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf







, , .



exception_policy.conf



path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*







domain_policy.conf, .



file read/write/append/unlink/truncate @Midoi_Allow







, , Tomoyo.



tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







, - - , .



tomoyo-auditd , /var/log/tomoyo .





wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






Tomoyo , .



/home /tmp root.

.



.



/etc/tomoyo/profile.conf
4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }



.



/etc/tomoyo/exception_policy.conf
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any









:



/etc/tomoyo/domain_policy.conf
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0
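The profile and the domain policy above interact in a way that is easy to get wrong: a rule listed under a domain is only enforced when that domain's profile sets the rule's category to enforcing. Under profile 4 anything other than file execute is neither enforced nor learned, while everything under <kernel> /usr/bin/midori (profile 3) is. The following Python script is an added example, not part of the article or of tomoyo-tools: it parses profile.conf and domain_policy.conf, reports the mode that actually applies to each rule, and flags the broad patterns that the learned midori policy earlier in the article contains (the whole-Internet connect rule and write access to the entire home directory). The sample policies are constructed from the article's lines plus one made-up `file read /etc/ld.so.cache` rule; the keyword-to-category mapping follows the TOMOYO 2.5 profile.conf category names, and `is_broad` is a review heuristic of my own.

```python
"""Effective-mode audit of a TOMOYO 2.5 domain policy against profile.conf.
Added example, not from the article or tomoyo-tools: a domain rule is only
enforced when the domain's profile sets that rule's category to enforcing."""
import re
from collections import namedtuple
Domain = namedtuple("Domain", "name profile rules")
Finding = namedtuple("Finding", "domain rule category mode broad")

# Operation keyword -> profile.conf category (TOMOYO 2.5 names) for the
# operations used in the article; read/write/append are checked as file::open.
_FILE_OPS = {"execute": "file::execute", "read": "file::open", "write": "file::open",
             "append": "file::open", "create": "file::create", "unlink": "file::unlink",
             "truncate": "file::truncate", "rename": "file::rename", "chmod": "file::chmod",
             "ioctl": "file::ioctl"}
_WRITE_OPS = {"write", "append", "create", "unlink", "truncate", "rename", "chmod"}
_FULL_IPV4, _RECURSIVE = "0.0.0.0-255.255.255.255", r"\{\*\}/\*"  # whole Internet / whole subtree
_PROFILE_LINE = re.compile(r"^(\d+)-CONFIG(?:::(\S+))?=\{\s*mode=(\w+)")

def parse_profiles(text):
    """Return {profile: {"default": mode, "<category>": mode, ...}}."""
    profiles = {}
    for line in text.splitlines():
        m = _PROFILE_LINE.match(line.strip())  # COMMENT=/PREFERENCE= lines are skipped
        if m:
            profiles.setdefault(int(m.group(1)), {})[m.group(2) or "default"] = m.group(3)
    return profiles

def parse_domain_policy(text):
    """Split domain_policy.conf into Domain records; each starts at '<kernel>'."""
    domains = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line.startswith("<kernel>"):
            domains.append(Domain(line, None, []))
        elif line.startswith("use_profile "):
            domains[-1] = domains[-1]._replace(profile=int(line.split()[1]))
        elif not line.startswith("use_group "):
            domains[-1].rules.append(line)
    return domains

def rule_categories(rule):
    """Categories a rule is checked under; 'file a/b/c' expands to several."""
    w = rule.split()
    if w[0] == "file":
        cats = [_FILE_OPS.get(op, "file::" + op) for op in w[1].split("/")]
    elif w[0] == "network":
        cats = ["network::" + "_".join(w[1:4])]  # e.g. network::inet_stream_connect
    else:  # misc env <NAME>
        cats = ["misc::" + w[1]]
    return list(dict.fromkeys(cats))  # de-duplicate, keep order

def effective_mode(profiles, profile_num, category):
    """A per-category override wins over the profile's default mode."""
    prof = profiles.get(profile_num, {})
    return prof.get(category, prof.get("default", "unknown"))

def is_broad(rule):
    """Review heuristic: whole-Internet network rules, a whole top-level tree,
    or write-class access to any subtree. @group references are not expanded."""
    w = rule.split()
    if w[0] == "network":
        return _FULL_IPV4 in rule
    if w[0] != "file":
        return False
    writes = bool(set(w[1].split("/")) & _WRITE_OPS)
    return any(p == r"/\*" or re.fullmatch(r"/[^/]+/\\\{\\\*\\\}/\\\*", p)
               or (writes and p.endswith(_RECURSIVE))
               for p in w[2:] if p.startswith("/"))

def audit(domain_text, profile_text):
    """One Finding per (rule, category) carrying the mode that really applies."""
    profiles = parse_profiles(profile_text)
    return [Finding(d.name, rule, cat, effective_mode(profiles, d.profile, cat), is_broad(rule))
            for d in parse_domain_policy(domain_text)
            for rule in d.rules for cat in rule_categories(rule)]

# Constructed samples: the article's profile 4 plus a profile 3 stanza, and a
# cut-down midori policy with one extra (constructed) read rule under <kernel>.
SAMPLE_PROFILE_CONF = """\
3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }
4-COMMENT=-----Enforcing file::execute only-----
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
"""
SAMPLE_DOMAIN_POLICY = r"""<kernel>
use_profile 4
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file read /etc/ld.so.cache

<kernel> /usr/bin/midori
use_profile 3
misc env HOME
file read /etc/ssl/certs/ca-certificates.crt
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_DOMAIN_POLICY, SAMPLE_PROFILE_CONF):
        print(f.domain, f.category, f.mode, f.rule, "<-- review" if f.broad else "")
```

Run it as a script to print the report for the samples, or feed it the output of `tomoyo-savepolicy -d` together with /etc/tomoyo/profile.conf. The rows marked for review are the ones to narrow with path_group entries, as the article does for the midori configuration directory, before the domain is moved to profile 3; the `disabled` row under <kernel> shows why profile 4 gives no protection beyond execute control.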







.



1.

midori \-midori , file execute /usr/bin/medit ?



Tomoyo. , . , .



initialize_domain /usr/bin/midori from any medit, .



2.

file execute @ALLOW_EXEC_ROOT task.uid=0






, , .



.

tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3.

keep_domain any from <kernel>





. .



initialize_domain /usr/bin/midori from any





, . keep_domain.



4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }





. use_profile 4, .



.

tomoyo.sourceforge.jp/2.5/chapter-9.html.en






Tomoyo , .

.



ps. mac. Tomoyo, - caitsith.sourceforge.jp



Update!



Tomoyo .

ld-linux.so.2 .



.



:



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any





, .










/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53









.



tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf







, , .



exception_policy.conf



path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*







domain_policy.conf, .



file read/write/append/unlink/truncate @Midoi_Allow







, , Tomoyo.



tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







, - - , .



tomoyo-auditd , /var/log/tomoyo .





wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






Tomoyo , .



/home /tmp root.

.



.



/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----

4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }

4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }



.



/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any









:



/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0







.



1.

midori \-midori , file execute /usr/bin/medit ?



Tomoyo. , . , .



initialize_domain /usr/bin/midori from any medit, .



2.

file execute @ALLOW_EXEC_ROOT task.uid=0






, , .



.

tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3.

keep_domain any from <kernel>





. .



initialize_domain /usr/bin/midori from any





, . keep_domain.



4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }





. use_profile 4, .



.

tomoyo.sourceforge.jp/2.5/chapter-9.html.en






Tomoyo , .

.



ps. mac. Tomoyo, - caitsith.sourceforge.jp



Update!



Tomoyo .

ld-linux.so.2 .



.



:



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any





, .








 
      

.

<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -








, .



/bin/bash, , sshd .

- .

/sbin/init ..... /bin/bash

/sbin/init ..... /usr/sbin/sshd /bin/bash



.

, bash - . bash - , . Tomoyo.



tomoyo-editpolicy.



tomoyo-editpolicy







. .







W , D (w & d).



2.



. , , , . .



file execute /bin/ls - ls







, .



file execute /bin/ls task.uid=0 - ls .







3. .

, , .



4 .

0 - , .

1 - , .

2 - , 0

3 - , , .



tomoyo-editpolicy (w & p)







- 3



4. .

, - . . . - , . .



tomoyo-editpolicy (w & e)







5.



:



/etc/tomoyo/domain_policy.conf -

/etc/tomoyo/profile.conf -

/etc/tomoyo/exception_policy.conf -



, tomoyo-editpolicy , . . !



.



6.



tomoyo-editpolicy - . .

tomoyo-loadpolicy - .

tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .

tomoyo-checkpolicy - .



, .



Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en



: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en



Tomoyo.

1. GRUB /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"



update-grub



2. :

aptitude install tomoyo-tools



3. :

/usr/lib/tomoyo/init_policy

.



4. !

Tomoyo, . , e grub :

security=tomoyo



security=none





midori.

, , , .

, midori.



initialize_domain.



tomoyo-editpolicy.

Exeption Policy Editor (w & e) A :



initialize_domain /usr/bin/midori from any











.

tomoyo.sourceforge.jp/2.5/chapter-5.html.en




Domain Transition Editor (w & d)



/usr/bin/midori *



S , 1.







midori , . , , .

midori.



Domain Transition Editor Enter Domain Policy Editor, midori .







.



@ . .



. .



.







/home/home/.config/midori/



(append) .



file read/write/unlink/truncate/rename /home/home/.config/midori/\*







.



, D , .



, , /home/home/.config/midori/



file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*









tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard



tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




.







, .



network inet stream connect 0.0.0.0-255.255.255.255 80-443



//



, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




, .



, , midori /etc/passwd







.



D, .

Domain Transition Editor (w & d), S 1 3.

.

? . ? .



.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







:

tomoyo-savepolicy -d



.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'



, .

>> /etc/tomoyo/domain_policy.conf



.



midori



/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53









.



tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf







, , .



exception_policy.conf



path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*







domain_policy.conf, .



file read/write/append/unlink/truncate @Midoi_Allow







, , Tomoyo.



tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







, - - , .



tomoyo-auditd , /var/log/tomoyo .





wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






Tomoyo , .



/home /tmp root.

.



.



/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----

4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }

4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }



.



/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any









:



/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0







.



1.

midori \-midori , file execute /usr/bin/medit ?



Tomoyo. , . , .



initialize_domain /usr/bin/midori from any medit, .



2.

file execute @ALLOW_EXEC_ROOT task.uid=0






, , .



.

tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3.

keep_domain any from <kernel>





. .



initialize_domain /usr/bin/midori from any





, . keep_domain.



4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }





. use_profile 4, .



.

tomoyo.sourceforge.jp/2.5/chapter-9.html.en






Tomoyo , .

.



ps. mac. Tomoyo, - caitsith.sourceforge.jp



Update!



Tomoyo .

ld-linux.so.2 .



.



:



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any





, .










.

<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -








, .



/bin/bash, , sshd .

- .

/sbin/init ..... /bin/bash

/sbin/init ..... /usr/sbin/sshd /bin/bash



.

, bash - . bash - , . Tomoyo.



tomoyo-editpolicy.



tomoyo-editpolicy







. .







W , D (w & d).



2.



. , , , . .



file execute /bin/ls - ls







, .



file execute /bin/ls task.uid=0 - ls .







3. .

, , .



4 .

0 - , .

1 - , .

2 - , 0

3 - , , .



tomoyo-editpolicy (w & p)







- 3



4. .

, - . . . - , . .



tomoyo-editpolicy (w & e)







5.



:



/etc/tomoyo/domain_policy.conf -

/etc/tomoyo/profile.conf -

/etc/tomoyo/exception_policy.conf -



, tomoyo-editpolicy , . . !



.



6.



tomoyo-editpolicy - . .

tomoyo-loadpolicy - .

tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .

tomoyo-checkpolicy - .



, .



Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en



: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en



Tomoyo.

1. GRUB /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"



update-grub



2. :

aptitude install tomoyo-tools



3. :

/usr/lib/tomoyo/init_policy

.



4. !

Tomoyo, . , e grub :

security=tomoyo



security=none





midori.

, , , .

, midori.



initialize_domain.



tomoyo-editpolicy.

Exeption Policy Editor (w & e) A :



initialize_domain /usr/bin/midori from any











.

tomoyo.sourceforge.jp/2.5/chapter-5.html.en




Domain Transition Editor (w & d)



/usr/bin/midori *



S , 1.







midori , . , , .

midori.



Domain Transition Editor Enter Domain Policy Editor, midori .







.



@ . .



. .



.







/home/home/.config/midori/



(append) .



file read/write/unlink/truncate/rename /home/home/.config/midori/\*







.



, D , .



, , /home/home/.config/midori/



file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*









tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard



tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




.







, .



network inet stream connect 0.0.0.0-255.255.255.255 80-443



//



, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




, .



, , midori /etc/passwd







.



D, .

Domain Transition Editor (w & d), S 1 3.

.

? . ? .



.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







:

tomoyo-savepolicy -d



.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'



, .

>> /etc/tomoyo/domain_policy.conf



.



midori



/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53









.



tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf







, , .



exception_policy.conf



path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*







domain_policy.conf, .



file read/write/append/unlink/truncate @Midoi_Allow







, , Tomoyo.



tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







, - - , .



tomoyo-auditd , /var/log/tomoyo .





wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






Tomoyo , .



/home /tmp root.

.



.



/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----

4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }

4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }



.



/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any









:



/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0







.



1.

midori \-midori , file execute /usr/bin/medit ?



Tomoyo. , . , .



initialize_domain /usr/bin/midori from any medit, .



2.

file execute @ALLOW_EXEC_ROOT task.uid=0






, , .



.

tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3.

keep_domain any from <kernel>





. .



initialize_domain /usr/bin/midori from any





, . keep_domain.



4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }





. use_profile 4, .



.

tomoyo.sourceforge.jp/2.5/chapter-9.html.en






Tomoyo , .

.



ps. mac. Tomoyo, - caitsith.sourceforge.jp



Update!



Tomoyo .

ld-linux.so.2 .



.



:



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any





, .








 
      

.

<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -








, .



/bin/bash, , sshd .

- .

/sbin/init ..... /bin/bash

/sbin/init ..... /usr/sbin/sshd /bin/bash



.

, bash - . bash - , . Tomoyo.



tomoyo-editpolicy.



tomoyo-editpolicy







. .







W , D (w & d).



2.



. , , , . .



file execute /bin/ls - ls







, .



file execute /bin/ls task.uid=0 - ls .







3. .

, , .



4 .

0 - , .

1 - , .

2 - , 0

3 - , , .



tomoyo-editpolicy (w & p)







- 3



4. .

, - . . . - , . .



tomoyo-editpolicy (w & e)







5.



:



/etc/tomoyo/domain_policy.conf -

/etc/tomoyo/profile.conf -

/etc/tomoyo/exception_policy.conf -



, tomoyo-editpolicy , . . !



.



6.



tomoyo-editpolicy - . .

tomoyo-loadpolicy - .

tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .

tomoyo-checkpolicy - .



, .



Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en



: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en



Tomoyo.

1. GRUB /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"



update-grub



2. :

aptitude install tomoyo-tools



3. :

/usr/lib/tomoyo/init_policy

.



4. !

Tomoyo, . , e grub :

security=tomoyo



security=none





midori.

, , , .

, midori.



initialize_domain.



tomoyo-editpolicy.

Exeption Policy Editor (w & e) A :



initialize_domain /usr/bin/midori from any











.

tomoyo.sourceforge.jp/2.5/chapter-5.html.en




Domain Transition Editor (w & d)



/usr/bin/midori *



S , 1.







midori , . , , .

midori.



Domain Transition Editor Enter Domain Policy Editor, midori .







.



@ . .



. .



.







/home/home/.config/midori/



(append) .



file read/write/unlink/truncate/rename /home/home/.config/midori/\*







.



, D , .



, , /home/home/.config/midori/



file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*









tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard



tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




.







, .



network inet stream connect 0.0.0.0-255.255.255.255 80-443



//



, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




, .



, , midori /etc/passwd







.



D, .

Domain Transition Editor (w & d), S 1 3.

.

? . ? .



.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







:

tomoyo-savepolicy -d



.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'



, .

>> /etc/tomoyo/domain_policy.conf



.



midori



/etc/tomoyo/domain_policy.conf

<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53
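The tomoyo-savepolicy -d | tomoyo-selectpolicy -r pipeline above pulls one domain (with its sub-domains) out of the live policy, and the listing that follows is what learning mode recorded for midori. Before that domain is switched from profile 1 to profile 3 it pays to read the learned rules critically: learning mode writes down everything the program did, including the \{\*\}/\* write access to the whole home directory and the any-address 0.0.0.0-255.255.255.255 connect rule visible above. The Python below is an added example written for this page, not code from the original article or from tomoyo-tools. It parses a dump in the line format that tomoyo-savepolicy -d prints, reproduces the recursive selection that tomoyo-selectpolicy -r performs (my reading of -r, stated as an assumption), and flags the kinds of rule that deserve a second look before enforcing. The dump it works on is a constructed, abridged version of the listing above.

```python
from typing import Dict, List

# Constructed sample, not copied from a real system: an abridged version of the
# learned midori domain above plus its parent and one child domain, in the
# line format that `tomoyo-savepolicy -d` prints.
SAMPLE_DUMP = r"""<kernel>
use_profile 0
use_group 0
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 1
use_group 0
misc env PATH
file read /etc/resolv.conf
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file create/chmod /home/home/\* 0-0666
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53

<kernel> /usr/bin/midori /bin/sh
use_profile 1
use_group 0
file read /etc/passwd
"""

# file operations that modify the filesystem; a wildcard path combined with one
# of these deserves review before the domain is switched to enforcing
WRITE_OPS = {"write", "append", "unlink", "truncate", "create", "rename",
             "chmod", "chown", "chgrp", "mkdir", "rmdir", "link", "symlink"}


def parse_domains(dump: str) -> Dict[str, dict]:
    """Split a domain-policy dump into {name: {"profile", "group", "rules"}}.
    A domain starts at a line beginning with '<kernel>' and owns every
    following line up to the next such header."""
    domains: Dict[str, dict] = {}
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("<kernel>"):
            current = {"profile": None, "group": None, "rules": []}
            domains[line] = current
        elif current is None:
            raise ValueError("rule before any domain header: %r" % line)
        elif line.startswith("use_profile "):
            current["profile"] = int(line.split()[1])
        elif line.startswith("use_group "):
            current["group"] = int(line.split()[1])
        else:
            current["rules"].append(line)
    return domains


def select_recursive(domains: Dict[str, dict], name: str) -> Dict[str, dict]:
    """What `tomoyo-selectpolicy -r NAME` keeps, on my reading of -r (assumption):
    NAME itself and every domain whose name continues it with more programs."""
    return {d: v for d, v in domains.items() if d == name or d.startswith(name + " ")}


def format_domains(domains: Dict[str, dict]) -> str:
    """Serialise back into the savepolicy format, ready to append to domain_policy.conf."""
    blocks = []
    for name, v in domains.items():
        head = [name, "use_profile %d" % v["profile"], "use_group %d" % v["group"]]
        blocks.append("\n".join(head + v["rules"]))
    return "\n\n".join(blocks) + "\n"


def lint_rules(rules: List[str]) -> List[str]:
    """Findings for rules that learning mode tends to over-generalise."""
    findings = []
    for rule in rules:
        parts = rule.split()
        if parts[0] == "network" and parts[1] == "inet" and "-" in parts[4]:
            low, high = parts[4].split("-")
            if low == "0.0.0.0" and high == "255.255.255.255":
                findings.append("unbounded destination: " + rule)
        elif parts[0] == "file":
            ops = set(parts[1].split("/"))
            path = parts[2]
            # \{\*\} recurses into every subdirectory, a trailing \* covers every name
            if ops & WRITE_OPS and ("\\{\\*\\}" in path or path.endswith("/\\*")):
                findings.append("wildcard write access: " + rule)
            if "execute" in ops:
                findings.append("spawns a sub-domain (define it before enforcing): " + rule)
    return findings


if __name__ == "__main__":
    doms = parse_domains(SAMPLE_DUMP)
    print(format_domains(select_recursive(doms, "<kernel> /usr/bin/midori")))
    for finding in lint_rules(doms["<kernel> /usr/bin/midori"]["rules"]):
        print("REVIEW:", finding)
```

Run as a script it prints the selected block and the findings; on a real system replace SAMPLE_DUMP with the output of tomoyo-savepolicy -d. A flagged rule is not necessarily wrong: a browser does need the any-address connect rule, but write access to everything under /home/home is far wider than midori's own configuration directory, and a rule of that shape is exactly what a narrower path_group such as the Midoi_Allow group below is meant to replace.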









.



tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf







, , .



exception_policy.conf



path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*







domain_policy.conf, .



file read/write/append/unlink/truncate @Midoi_Allow







, , Tomoyo.



tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







, - - , .



tomoyo-auditd , /var/log/tomoyo .





wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






Tomoyo , .



/home /tmp root.

.



.



/etc/tomoyo/profile.conf

4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }



.



/etc/tomoyo/exception_policy.conf

path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any









:



/etc/tomoyo/domain_policy.conf

<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0
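Reading the two listings above requires knowing how TOMOYO matches pathnames: \* stands for a single path component (so /home/home/.config/midori/\* from the wildcard section earlier covers files directly in that directory, and the separate \{\*\}/\* form is needed for anything deeper), @NAME refers to a path_group, and the \- in /usr/\{\*\}/\*\-medit\-midori subtracts two exact names from what \* would otherwise match. The Python below is an added example written for this page, not code from the article or from tomoyo-tools: it translates such patterns into regular expressions and evaluates the file execute rules of the <kernel> domain above for a given path and uid. The exception policy it loads is a constructed, abridged copy of the path_group lines above; the exact-name reading of \- is my understanding of the 2.5 expression rules (an assumption) and should be checked against the linked specification.

```python
import re
from typing import Dict, List

# Constructed sample, not copied from a real system: an abridged subset of the
# path_group lines of the exception policy above.
EXCEPTION_POLICY = r"""path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
"""

# the two bare `file execute` lines of the <kernel> domain above
EXPLICIT_EXEC = {"/usr/bin/medit", "/usr/bin/midori"}

# single-character wildcards of the TOMOYO 2.5 expression rules, as regex fragments
_SIMPLE = {
    "*": r"[^/]*", "@": r"[^/.]*", "?": r"[^/]", "$": r"[0-9]+", "+": r"[0-9]",
    "X": r"[0-9a-fA-F]+", "x": r"[0-9a-fA-F]", "A": r"[a-zA-Z]+", "a": r"[a-zA-Z]",
}


def _piece_regex(piece: str) -> str:
    """Translate one path component that contains no \\- operator."""
    out, i = [], 0
    while i < len(piece):
        c = piece[i]
        if c != "\\":
            out.append(re.escape(c))
            i += 1
            continue
        nxt = piece[i + 1]  # a trailing bare backslash is malformed; IndexError is fine
        if nxt in _SIMPLE:
            out.append(_SIMPLE[nxt])
            i += 2
        elif nxt == "\\":
            out.append(r"\\")
            i += 2
        elif nxt in "01234567":  # \ooo: one octal-escaped byte, e.g. \000 in abstract socket names
            out.append(re.escape(chr(int(piece[i + 1:i + 4], 8))))
            i += 4
        else:
            raise ValueError("unknown escape \\%s in %r" % (nxt, piece))
    return "".join(out)


def _component_regex(comp: str) -> str:
    """`\\*\\-medit\\-midori` matches whatever `\\*` matches except the exact
    names medit and midori (my reading of the \\- subtraction operator; assumption)."""
    base, *excluded = comp.split("\\-")
    guards = "".join("(?!%s(?:/|$))" % _piece_regex(e) for e in excluded)
    return guards + _piece_regex(base)


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Whole-path regex for a TOMOYO pathname pattern.  `\\{dir\\}/` is one or
    more repetitions of `dir/`, so `/home/\\{\\*\\}/\\*` needs at least one
    directory between /home/ and the final name; `/home/\\*` has to be listed
    separately to cover /home/<name> itself."""
    comps = pattern.split("/")
    out = []
    for i, comp in enumerate(comps):
        if comp.startswith("\\{") and comp.endswith("\\}"):
            out.append("(?:%s/)+" % _component_regex(comp[2:-2]))
            continue  # the repeated group already consumed the trailing '/'
        out.append(_component_regex(comp))
        if i < len(comps) - 1:
            out.append("/")
    return re.compile("^" + "".join(out) + "$")


def parse_path_groups(exception_policy: str) -> Dict[str, List["re.Pattern[str]"]]:
    groups: Dict[str, List["re.Pattern[str]"]] = {}
    for line in exception_policy.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "path_group":
            groups.setdefault(parts[1], []).append(pattern_to_regex(parts[2]))
    return groups


def in_group(groups: Dict[str, List["re.Pattern[str]"]], name: str, path: str) -> bool:
    """True if `path` matches any member of @name."""
    return any(p.match(path) for p in groups.get(name, []))


def exec_allowed(groups: Dict[str, List["re.Pattern[str]"]], path: str, uid: int) -> bool:
    """The <kernel> domain above: the explicit `file execute` lines and
    `file execute @ALLOW_EXEC` apply to everyone, while
    `file execute @ALLOW_EXEC_ROOT task.uid=0` only applies to root."""
    if path in EXPLICIT_EXEC or in_group(groups, "ALLOW_EXEC", path):
        return True
    return uid == 0 and in_group(groups, "ALLOW_EXEC_ROOT", path)


if __name__ == "__main__":
    groups = parse_path_groups(EXCEPTION_POLICY)
    for path, uid in [("/usr/bin/ls", 1000), ("/usr/bin/midori", 1000),
                      ("/home/home/dropper", 1000), ("/home/home/dropper", 0)]:
        verdict = "allow" if exec_allowed(groups, path, uid) else "deny"
        print("%-20s uid=%-4d -> %s" % (path, uid, verdict))
```

The subtraction guard is only attached to the component that carries it, so /usr/lib/midori/libaddons.so still matches /usr/\{\*\}/\*\-medit\-midori: the excluded names are midori and medit as final names, not as directory names. That is also why the two bare file execute lines for /usr/bin/medit and /usr/bin/midori are needed in the <kernel> domain: without them neither program could be started at all.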







.



1.

midori \-midori , file execute /usr/bin/medit ?



Tomoyo. , . , .



initialize_domain /usr/bin/midori from any medit, .



2.

file execute @ALLOW_EXEC_ROOT task.uid=0

, , .



.

tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3.

keep_domain any from <kernel>





. .



initialize_domain /usr/bin/midori from any





, . keep_domain.



4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }





. use_profile 4, .



.

tomoyo.sourceforge.jp/2.5/chapter-9.html.en
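Profile 4 above turns on enforcement for a single functionality (file::execute) while the profile-wide CONFIG line stays disabled, which is what question 4 is about: a domain with use_profile 4 is checked for exec only, and every other operation passes unchecked. The resolution order is the line for the specific functionality, then the line for its category (file, network, misc), then the bare CONFIG line. The Python below is an added example, not part of the article or of tomoyo-tools; it parses profile.conf lines of that shape and answers which mode, or which log setting, applies to a given operation under a given profile. Profiles 0-3 in its sample are the defaults as I recall /usr/lib/tomoyo/init_policy writing them (an assumption; compare with your own file); profile 4 is copied from the listing above.

```python
import re
from typing import Dict

# Constructed sample, not copied from a real system: profile 4 from the page plus
# profiles 0-3 as I recall init_policy generating them (assumption).
PROFILE_CONF = """\
PROFILE_VERSION=20110903
0-COMMENT=-----Disabled Mode-----
0-CONFIG={ mode=disabled grant_log=no reject_log=yes }
1-COMMENT=-----Learning Mode-----
1-CONFIG={ mode=learning grant_log=no reject_log=yes }
2-COMMENT=-----Permissive Mode-----
2-CONFIG={ mode=permissive grant_log=no reject_log=yes }
3-COMMENT=-----Enforcing Mode-----
3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }
4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
"""

# N-CONFIG={ ... }, N-CONFIG::category={ ... } or N-CONFIG::category::functionality={ ... }
_LINE = re.compile(r"^(\d+)-CONFIG(?:::([a-z_]+))?(?:::([a-z_]+))?=\{ (.*) \}$")


def parse_profiles(text: str) -> Dict[int, Dict[str, Dict[str, str]]]:
    """{profile: {scope: {key: value}}} where scope is '' (the bare CONFIG line),
    a category such as 'file', or a functionality such as 'file::execute'."""
    profiles: Dict[int, Dict[str, Dict[str, str]]] = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # COMMENT, PREFERENCE and PROFILE_VERSION lines are not needed here
        num, category, func, body = m.groups()
        scope = "::".join(p for p in (category, func) if p)
        settings = dict(kv.split("=", 1) for kv in body.split())
        profiles.setdefault(int(num), {})[scope] = settings
    return profiles


def effective(profiles: Dict[int, Dict[str, Dict[str, str]]], profile: int,
              functionality: str, key: str = "mode") -> str:
    """The most specific CONFIG line wins: functionality, then category, then the
    bare CONFIG line.  A profile without any CONFIG line is treated as disabled,
    which is what an undefined profile number amounts to in practice."""
    scopes = profiles.get(profile, {})
    category = functionality.split("::")[0]
    for scope in (functionality, category, ""):
        if scope in scopes and key in scopes[scope]:
            return scopes[scope][key]
    return "disabled" if key == "mode" else "no"


if __name__ == "__main__":
    prof = parse_profiles(PROFILE_CONF)
    for op in ("file::execute", "file::open", "network::inet_stream_connect"):
        print("profile 4, %-28s mode=%-9s grant_log=%s" % (
            op, effective(prof, 4, op), effective(prof, 4, op, "grant_log")))
```

With this profile a domain using profile 4 refuses an exec that no file execute rule covers, yet it would let the same process open, write or connect anywhere without even logging a grant for execute (grant_log=no on that line) while logging grants for everything else (grant_log=yes on the bare line). That asymmetry is deliberate on the page, since the point of profile 4 is to whitelist executables system-wide without having to write a full policy for every process, but it is worth being explicit about when reading the audit log.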






Tomoyo , .

.



ps. mac. Tomoyo, - caitsith.sourceforge.jp



Update!



Tomoyo .

ld-linux.so.2 .



.



:



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any





, .
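The two exception-policy directives discussed in question 3, keep_domain any from <kernel> and initialize_domain /usr/bin/midori from any, together with the ld-2.13.so domain from the update, decide which domain a process lands in after each exec, and therefore which domain's rules apply to it. The Python below is an added example (not the article's or tomoyo-tools' code) that simulates that decision for an exec chain: initialize_domain is tried first, keep_domain second, and with neither the program is appended to the current domain name, which is how the <kernel> /sbin/init ... chains from the basics section arise. The matching of the from part and the precedence are my reading of the TOMOYO 2.5 rules, stated here as assumptions; the sample exception policy is constructed from the lines above.

```python
from typing import List, Tuple

# Constructed sample, not copied from a real system: the transition-control lines
# of the exception policy above plus the ld-2.13.so line from the update.
EXCEPTIONS = """\
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any
initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any
"""

Rule = Tuple[str, str, str]  # (keyword, program, from)


def parse_transitions(text: str) -> List[Rule]:
    """initialize_domain / keep_domain lines as (keyword, program, from) triples.
    no_initialize_domain, no_keep_domain and reset_domain are not modelled."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] in ("initialize_domain", "keep_domain") and parts[2] == "from":
            rules.append((parts[0], parts[1], parts[3]))
    return rules


def _from_matches(spec: str, domain: str) -> bool:
    """'any' matches every domain; a spec starting with '<' must equal the current
    domain name exactly; anything else is compared with the domain's last program
    (my reading of the 2.5 syntax; assumption)."""
    if spec == "any":
        return True
    if spec.startswith("<"):
        return spec == domain
    return domain.split()[-1] == spec


def next_domain(domain: str, program: str, rules: List[Rule]) -> str:
    """Domain a process lands in after exec(program) while running in `domain`.
    initialize_domain takes precedence over keep_domain (assumption); without
    either, the program is appended to the current domain name."""
    for kw, prog, frm in rules:
        if kw == "initialize_domain" and prog in ("any", program) and _from_matches(frm, domain):
            return "<kernel> " + program
    for kw, prog, frm in rules:
        if kw == "keep_domain" and prog in ("any", program) and _from_matches(frm, domain):
            return domain
    return domain + " " + program


def trace(chain: List[str], rules: List[Rule]) -> List[str]:
    """Domain after each exec of a chain that starts in <kernel>."""
    domain, out = "<kernel>", []
    for program in chain:
        domain = next_domain(domain, program, rules)
        out.append(domain)
    return out


if __name__ == "__main__":
    rules = parse_transitions(EXCEPTIONS)
    for chain in (["/sbin/init", "/etc/init.d/gdm3", "/usr/sbin/gdm3"],
                  ["/sbin/init", "/usr/bin/midori", "/bin/sh"],
                  ["/sbin/init", "/usr/bin/midori", "/lib/x86_64-linux-gnu/ld-2.13.so"]):
        print(" -> ".join(trace(chain, rules)))
```

The trace shows why the combination works: keep_domain collapses the whole boot chain into <kernel>, so the exec whitelist of that one domain applies everywhere, while the initialize_domain lines carve midori and the dynamic loader out into domains of their own. Anything midori launches nests under its domain rather than falling back into <kernel>, and a direct exec of ld-2.13.so, from any domain, ends up in the loader's domain, which has profile 3 and no rules.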














.

<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -








, .



/bin/bash, , sshd .

- .

/sbin/init ..... /bin/bash

/sbin/init ..... /usr/sbin/sshd /bin/bash



.

, bash - . bash - , . Tomoyo.



tomoyo-editpolicy.



tomoyo-editpolicy







. .







W , D (w & d).



2.



. , , , . .



file execute /bin/ls - ls







, .



file execute /bin/ls task.uid=0 - ls .







3. .

, , .



4 .

0 - , .

1 - , .

2 - , 0

3 - , , .



tomoyo-editpolicy (w & p)







- 3



4. .

, - . . . - , . .



tomoyo-editpolicy (w & e)







5.



:



/etc/tomoyo/domain_policy.conf -

/etc/tomoyo/profile.conf -

/etc/tomoyo/exception_policy.conf -



, tomoyo-editpolicy , . . !



.



6.



tomoyo-editpolicy - . .

tomoyo-loadpolicy - .

tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .

tomoyo-checkpolicy - .



, .



Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en



: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en



Tomoyo.

1. GRUB /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"



update-grub



2. :

aptitude install tomoyo-tools



3. :

/usr/lib/tomoyo/init_policy

.



4. !

Tomoyo, . , e grub :

security=tomoyo



security=none





midori.

, , , .

, midori.



initialize_domain.



tomoyo-editpolicy.

Exeption Policy Editor (w & e) A :



initialize_domain /usr/bin/midori from any











.

tomoyo.sourceforge.jp/2.5/chapter-5.html.en




Domain Transition Editor (w & d)



/usr/bin/midori *



S , 1.







midori , . , , .

midori.



Domain Transition Editor Enter Domain Policy Editor, midori .







.



@ . .



. .



.







/home/home/.config/midori/



(append) .



file read/write/unlink/truncate/rename /home/home/.config/midori/\*







.



, D , .



, , /home/home/.config/midori/



file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*









tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard



tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




.







, .



network inet stream connect 0.0.0.0-255.255.255.255 80-443



//



, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




, .



, , midori /etc/passwd







.



D, .

Domain Transition Editor (w & d), S 1 3.

.

? . ? .



.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







:

tomoyo-savepolicy -d



.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'



, .

>> /etc/tomoyo/domain_policy.conf



 
      

/home/home/.config/midori/

(append)

file read/write/unlink/truncate/rename /home/home/.config/midori/\*

/home/home/.config/midori/

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*

tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




network inet stream connect 0.0.0.0-255.255.255.255 80-443

(O & D)

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet

midori /etc/passwd

Domain Transition Editor (w & d), S 1 3.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

tomoyo-savepolicy -d
(writes the domain policy currently loaded in the kernel to standard output)

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'
(keeps only the named domain; -r also keeps the domains below it)

>> /etc/tomoyo/domain_policy.conf
(appends the result to the on-disk domain policy)



midori

/etc/tomoyo/domain_policy.conf

<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53
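An added Python example (written for this page; it is neither the article's nor TOMOYO's own code) of what the `tomoyo-savepolicy -d | tomoyo-selectpolicy -r ...` pipeline above extracts, followed by a review of the learned rules before the domain is moved to profile 3. `DOMAIN_DUMP` is a constructed excerpt of the learned midori policy above plus an invented child domain and an unrelated sshd domain, so that recursive selection has something to distinguish. `select_domain` models `tomoyo-selectpolicy -r` on the assumption that `-r` keeps the named domain and every domain whose name extends it. `lint_rules` flags the any-host network rule and the write rules that cover all of $HOME, which are the rules the path_group step below replaces with `@Midoi_Allow`.

```python
import re

# Constructed excerpt of what `tomoyo-savepolicy -d` prints: the learned midori
# domain from the article, plus an invented child domain and an unrelated sshd
# domain so that recursive selection has something to distinguish.
DOMAIN_DUMP = r"""
<kernel>
use_profile 4
use_group 0
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env HOME
file read /etc/ssl/certs/ca-certificates.crt
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53

<kernel> /usr/bin/midori /usr/bin/xdg-open
use_profile 3
use_group 0
file read /etc/gnome/defaults.list

<kernel> /usr/sbin/sshd
use_profile 3
use_group 0
"""


def parse_domains(dump):
    """Split a domain-policy dump into {domain: [rule, ...]}, keeping rule order."""
    domains, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("<kernel>"):      # a domain header opens a new block
            current = line
            domains.setdefault(current, [])
        elif current is not None:
            domains[current].append(line)
    return domains


def select_domain(domains, name, recursive=True):
    """Model of `tomoyo-selectpolicy [-r] '<name>'` (assumed semantics): the named
    domain and, when recursive, every domain whose name extends it by further execs."""
    return {d: rules for d, rules in domains.items()
            if d == name or (recursive and d.startswith(name + " "))}


def render(selected):
    """Serialize selected domains back into domain_policy.conf format."""
    return "\n\n".join("\n".join([d, *rules]) for d, rules in selected.items()) + "\n"


ANY_HOST = "0.0.0.0-255.255.255.255"
WRITE_OPS = {"write", "append", "unlink", "truncate", "create", "chmod", "rename"}
# /home/<user>/\*  or  /home/<user>/\{\*\}/\*  (the two rules the learner emits for $HOME)
WHOLE_HOME = re.compile(r"/home/[^/\\]+/(?:\\\{\\\*\\\}/)?\\\*")


def lint_rules(rules):
    """Flag learned rules a reviewer should tighten before enforcing the domain."""
    findings = []
    for rule in rules:
        f = rule.split()
        if f[0] == "network" and f[1] == "inet" and ANY_HOST in f:
            findings.append(("any-host network", rule))
        elif f[0] == "file":
            ops = set(f[1].split("/"))
            if ops & WRITE_OPS and WHOLE_HOME.fullmatch(f[2]):
                findings.append(("write access to whole $HOME", rule))
            if "execute" in ops:
                findings.append(("spawns a program", rule))
    return findings


def review(dump, name):
    """Extract one domain tree as the pipeline does and lint the top domain."""
    selected = select_domain(parse_domains(dump), name)
    return render(selected), lint_rules(selected.get(name, []))


if __name__ == "__main__":
    text, findings = review(DOMAIN_DUMP, "<kernel> /usr/bin/midori")
    print(text)
    for kind, rule in findings:
        print(f"{kind}: {rule}")
```

Run stand-alone it prints the midori domain and its child (the sshd domain is left out, as `-r` on the midori domain would), then the four findings: three rules granting write-class access to everything under `/home/home` and the connect rule to any IPv4 host on ports 80-443.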









tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

domain_policy.conf

file read/write/append/unlink/truncate @Midoi_Allow







tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf

tomoyo-auditd, /var/log/tomoyo

wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






/home /tmp root

/etc/tomoyo/profile.conf

4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

/etc/tomoyo/exception_policy.conf

path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any

/etc/tomoyo/domain_policy.conf

<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0
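How these files combine when a process in the `<kernel>` domain calls exec: the `@ALLOW_EXEC` group, the `\-medit\-midori` subtraction inside it, the `task.uid=0` condition on `@ALLOW_EXEC_ROOT`, and the explicit `file execute /usr/bin/medit` line. The following Python model is an added example written for this page; it is neither the article's nor TOMOYO's own code. The policy text inside it is a constructed excerpt of the exception policy above, trimmed to a few groups and extended with the `Midoi_Allow` group from the midori section so that the `\*` and `\{\*\}/` patterns can be compared as well. It supports only the `\*`, `\?`, `\$`, `\-` and `\{\*\}/` tokens, and it assumes that `\{\*\}/` stands for one or more directory levels (consistent with the learned policy listing `/home/home/\*` beside `/home/home/\{\*\}/\*`) and that any matching rule grants the operation.

```python
import re

# Constructed excerpt of the exception policy above: a few of the page's
# ALLOW_EXEC / ALLOW_EXEC_ROOT patterns plus the Midoi_Allow group from the
# midori section, so that both kinds of rule can be checked.
EXCEPTION_POLICY = r"""
path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*
"""

# The <kernel> domain's execute rules, as in the domain policy above.
KERNEL_DOMAIN_RULES = [
    "file execute @ALLOW_EXEC",
    "file execute @ALLOW_EXEC_ROOT task.uid=0",
    "file execute /usr/bin/medit",
    "file execute /usr/bin/midori",
]

def _glob_regex(piece):
    """One path component (no '/') to regex: \\* = any non-'/' run, \\? = one
    non-'/' char, \\$ = decimal digits; any other escaped char is literal."""
    out, i = [], 0
    while i < len(piece):
        if piece[i] == "\\" and i + 1 < len(piece):
            nxt = piece[i + 1]
            out.append({"*": "[^/]*", "?": "[^/]", "$": "[0-9]+"}.get(nxt, re.escape(nxt)))
            i += 2
        else:
            out.append(re.escape(piece[i]))
            i += 1
    return "".join(out)

def _component_regex(component):
    """'A\\-B\\-C' is subtraction: match A, but reject a component equal to B or C."""
    base, *excluded = component.split(r"\-")
    guards = "".join(f"(?!(?:{_glob_regex(x)})(?=/|$))" for x in excluded)
    return guards + _glob_regex(base)

def compile_pattern(pattern):
    """Anchored regex for a TOMOYO path pattern. Assumption: \\{\\*\\}/ means one or
    more directory levels (hence /home/home/\\* next to /home/home/\\{\\*\\}/\\* above)."""
    parts, need_slash = [], False
    for seg in pattern.split("/"):
        if need_slash:
            parts.append("/")
        if seg == r"\{\*\}":
            parts.append(r"(?:[^/]+/)+")  # consumes its own trailing '/'
            need_slash = False
        else:
            parts.append(_component_regex(seg))
            need_slash = True
    return re.compile("^" + "".join(parts) + "$")

def load_path_groups(exception_policy):
    """`path_group NAME PATTERN` lines -> {NAME: [compiled pattern, ...]}."""
    groups = {}
    for line in exception_policy.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[0] == "path_group":
            groups.setdefault(fields[1], []).append(compile_pattern(fields[2]))
    return groups

def path_in_group(groups, name, path):
    return any(p.match(path) for p in groups.get(name, []))

def exec_allowed(rules, groups, path, uid):
    """Decide `file execute` as an enforcing profile would: any rule whose target
    (literal pattern or @group) matches and whose task.uid= condition, if any,
    holds for the caller grants the exec; with no matching rule it is denied."""
    for rule in rules:
        fields = rule.split()
        if fields[:2] != ["file", "execute"]:
            continue
        target, conds = fields[2], fields[3:]
        if any(c.startswith("task.uid=") and int(c[9:]) != uid for c in conds):
            continue
        if target.startswith("@"):
            if path_in_group(groups, target[1:], path):
                return True
        elif compile_pattern(target).match(path):
            return True
    return False

GROUPS = load_path_groups(EXCEPTION_POLICY)

if __name__ == "__main__":
    for path, uid in [("/usr/bin/ls", 1000), ("/usr/bin/medit", 1000), ("/usr/bin/midori", 1000),
                      ("/home/home/build/tool", 1000), ("/home/home/build/tool", 0)]:
        verdict = "allow" if exec_allowed(KERNEL_DOMAIN_RULES, GROUPS, path, uid) else "deny"
        print(f"uid={uid:<4} {path:<24} {verdict}")
    for path in ["/home/home/.config/midori/config",
                 "/home/home/.config/midori/extensions/adblock/config"]:
        print(f"@Midoi_Allow {path}: {path_in_group(GROUPS, 'Midoi_Allow', path)}")
```

Run stand-alone it shows that `/usr/bin/medit` is not covered by `@ALLOW_EXEC` (the subtraction removes it) and is allowed only through the explicit rule, that a file under `/home` or `/tmp` runs only for uid 0, and that `/home/home/.config/midori/config` is matched by the `\*` group line while the nested `extensions/adblock/config` needs the `\{\*\}/` one.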







1.

midori \-midori, file execute /usr/bin/medit ?

initialize_domain /usr/bin/midori from any medit

2.

file execute @ALLOW_EXEC_ROOT task.uid=0

tomoyo.sourceforge.jp/2.5/chapter-10.html.en

3.

keep_domain any from <kernel>

initialize_domain /usr/bin/midori from any

keep_domain

4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

use_profile 4

tomoyo.sourceforge.jp/2.5/chapter-9.html.en






ps. mac. Tomoyo - caitsith.sourceforge.jp

Update!

ld-linux.so.2

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any














.

<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -








, .



/bin/bash, , sshd .

- .

/sbin/init ..... /bin/bash

/sbin/init ..... /usr/sbin/sshd /bin/bash



.

, bash - . bash - , . Tomoyo.



tomoyo-editpolicy.



tomoyo-editpolicy







. .







W , D (w & d).



2.



. , , , . .



file execute /bin/ls - ls







, .



file execute /bin/ls task.uid=0 - ls .







3. .

, , .



4 .

0 - , .

1 - , .

2 - , 0

3 - , , .



tomoyo-editpolicy (w & p)







- 3



4. .

, - . . . - , . .



tomoyo-editpolicy (w & e)







5.



:



/etc/tomoyo/domain_policy.conf -

/etc/tomoyo/profile.conf -

/etc/tomoyo/exception_policy.conf -



, tomoyo-editpolicy , . . !



.



6.



tomoyo-editpolicy - . .

tomoyo-loadpolicy - .

tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .

tomoyo-checkpolicy - .



, .



Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en



: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en



Tomoyo.

1. GRUB /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"



update-grub



2. :

aptitude install tomoyo-tools



3. :

/usr/lib/tomoyo/init_policy

.



4. !

Tomoyo, . , e grub :

security=tomoyo



security=none





midori.

, , , .

, midori.



initialize_domain.



tomoyo-editpolicy.

Exeption Policy Editor (w & e) A :



initialize_domain /usr/bin/midori from any











.

tomoyo.sourceforge.jp/2.5/chapter-5.html.en




Domain Transition Editor (w & d)



/usr/bin/midori *



S , 1.







midori , . , , .

midori.



Domain Transition Editor Enter Domain Policy Editor, midori .







.



@ . .



. .



.







/home/home/.config/midori/



(append) .



file read/write/unlink/truncate/rename /home/home/.config/midori/\*







.



, D , .



, , /home/home/.config/midori/



file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*









tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard



tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




.







, .



network inet stream connect 0.0.0.0-255.255.255.255 80-443



//



, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




, .



, , midori /etc/passwd







.



D, .

Domain Transition Editor (w & d), S 1 3.

.

? . ? .



.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







:

tomoyo-savepolicy -d



.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'



, .

>> /etc/tomoyo/domain_policy.conf



.



midori



/etc/tomoyo/domain_policy.conf <kernel> /usr/bin/midori use_profile 3 use_group 0 misc env GNOME_KEYRING_PID misc env USER misc env SSH_AGENT_PID misc env HOME misc env DESKTOP_SESSION misc env XDG_SESSION_COOKIE misc env DBUS_SESSION_BUS_ADDRESS misc env GNOME_KEYRING_CONTROL misc env LOGNAME misc env USERNAME misc env WINDOWPATH misc env PATH misc env DISPLAY misc env LANG misc env XAUTHORITY misc env SSH_AUTH_SOCK misc env SHELL misc env GDMSESSION misc env PWD misc env XDG_DATA_DIRS misc env GNOME_DESKTOP_SESSION_ID misc env SESSION_MANAGER misc env GPG_AGENT_INFO misc env GIO_LAUNCHED_DESKTOP_FILE misc env GIO_LAUNCHED_DESKTOP_FILE_PID misc env DESKTOP_STARTUP_ID file read proc:/filesystems file read /usr/lib/locale/locale-archive file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache network unix stream connect /var/run/nscd/socket file read /etc/nsswitch.conf network unix stream connect \000/tmp/.X11-unix/X0 file read /run/gdm3/auth-for-home-WxYaIE/database file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so network unix stream connect \000/tmp/dbus-BKDp9V4Rww file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so file read /etc/xdg/midori/search file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so file read proc:/sys/crypto/fips_enabled file read /dev/urandom file read /etc/pkcs11/modules/gnome-keyring-module file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11 file read /etc/ssl/certs/ca-certificates.crt file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so file read 
/usr/lib/midori/libaddons.so file read /usr/lib/midori/libtoolbar-editor.so file read /usr/lib/midori/libtab-panel.so file read /usr/lib/midori/libadblock.so file read /usr/lib/midori/libcookie-manager.so file read /usr/lib/midori/libstatusbar-features.so file read /usr/lib/midori/libweb-cache.so file read /usr/lib/midori/libshortcuts.so file read /usr/lib/midori/libformhistory.so file read /usr/lib/midori/libstatus-clock.so file read /usr/lib/midori/libcolorful-tabs.so file read /usr/lib/midori/libfeed-panel.so file read /usr/lib/midori/libhistory-list.so file read /usr/lib/midori/libmouse-gestures.so file read /usr/lib/midori/libcopy-tabs.so file read /usr/lib/midori/libtabs-minimized.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules file read /etc/fonts/fonts.conf file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules file read /usr/lib/enchant/libenchant_hspell.so file read /usr/lib/enchant/libenchant_aspell.so file read /usr/lib/enchant/libenchant_myspell.so file read /usr/lib/enchant/libenchant_ispell.so file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so file read /etc/host.conf file read /etc/resolv.conf file read /etc/hosts file ioctl socket:[family=2:type=2:protocol=17] 0x541B file read /etc/gai.conf file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so file ioctl anon_inode:inotify 0x541B file read /etc/gnome/defaults.list file read /usr/lib/libreoffice/share/\{\*\}/\* file read/write/append/unlink/truncate /home/home/\{\*\}/\* file read/write/append/unlink/truncate 
/home/home/\* file create/chmod /home/home/\* 0-0666 file create/chmod /home/home/\{\*\}/\* 0-0666 file rename /home/home/\* /home/home/\* file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\* file rename /home/\{\*\}/\* /home/home/\{\*\}/\* file read /etc/fonts/\{\*\}/\* file read /usr/share/\{\*\}/\* file read /var/cache/\{\*\}/\* network inet stream connect 0.0.0.0-255.255.255.255 80-443 network inet dgram send 192.168.1.1 53









.



tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf







, , .



exception_policy.conf



path_group Midoi_Allow /home/\*/midory/\{\*\}/\* path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\* path_group Midoi_Allow /home/home/.config/midori/\*







domain_policy.conf, .



file read/write/append/unlink/truncate @Midoi_Allow







, , Tomoyo.



tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







, - - , .



tomoyo-auditd , /var/log/tomoyo .





wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






Tomoyo , .



/home /tmp root.

.



.



/etc/tomoyo/profile.conf 4-COMMENT=-----Enforcing file::execute only-----

4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }

4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }



.



/etc/tomoyo/exception_policy.conf path_group ALLOW_EXEC /\* path_group ALLOW_EXEC /bin/\{\*\}/\* path_group ALLOW_EXEC /etc/\{\*\}/\* path_group ALLOW_EXEC /sbin/\{\*\}/\* path_group ALLOW_EXEC /sys/\{\*\}/\* path_group ALLOW_EXEC /boot/\{\*\}/\* path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori path_group ALLOW_EXEC /run/\{\*\}/\* path_group ALLOW_EXEC /bin/\* path_group ALLOW_EXEC /etc/\* path_group ALLOW_EXEC /sbin/\* path_group ALLOW_EXEC /sys/\* path_group ALLOW_EXEC /boot/\* path_group ALLOW_EXEC /usr/\* path_group ALLOW_EXEC /run/\* path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\* path_group ALLOW_EXEC_ROOT /home/\{\*\}/\* path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\* path_group ALLOW_EXEC_ROOT /var/\{\*\}/\* path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\* path_group ALLOW_EXEC_ROOT /media/\{\*\}/\* path_group ALLOW_EXEC_ROOT /lib/\* path_group ALLOW_EXEC_ROOT /lib64/\* path_group ALLOW_EXEC_ROOT /home/\* path_group ALLOW_EXEC_ROOT /opt/\* path_group ALLOW_EXEC_ROOT /tmp/\* path_group ALLOW_EXEC_ROOT /var/\* path_group ALLOW_EXEC_ROOT /mnt/\* path_group ALLOW_EXEC_ROOT /media/\* keep_domain any from <kernel> initialize_domain /usr/bin/midori from any









:



/etc/tomoyo/domain_policy.conf <kernel> use_profile 4 use_group 0 file execute @ALLOW_EXEC file execute @ALLOW_EXEC_ROOT task.uid=0 file execute /usr/bin/medit file execute /usr/bin/midori <kernel> /usr/bin/midori use_profile 3 use_group 0







.



1.

midori \-midori , file execute /usr/bin/medit ?



Tomoyo. , . , .



initialize_domain /usr/bin/midori from any medit, .



2.

file execute @ALLOW_EXEC_ROOT task.uid=0






, , .



.

tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3.

keep_domain any from <kernel>





. .



initialize_domain /usr/bin/midori from any





, . keep_domain.



4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }





. use_profile 4, .



.

tomoyo.sourceforge.jp/2.5/chapter-9.html.en






Tomoyo , .

.



ps. mac. Tomoyo, - caitsith.sourceforge.jp



Update!



Tomoyo .

ld-linux.so.2 .



.



:



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any





, .








 
      

.

<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -








, .



/bin/bash, , sshd .

- .

/sbin/init ..... /bin/bash

/sbin/init ..... /usr/sbin/sshd /bin/bash



.

, bash - . bash - , . Tomoyo.



tomoyo-editpolicy.



tomoyo-editpolicy







. .







W , D (w & d).



2.



. , , , . .



file execute /bin/ls - ls







, .



file execute /bin/ls task.uid=0 - ls .







3. .

, , .



4 .

0 - , .

1 - , .

2 - , 0

3 - , , .



tomoyo-editpolicy (w & p)







- 3



4. .

, - . . . - , . .



tomoyo-editpolicy (w & e)







5.



:



/etc/tomoyo/domain_policy.conf -

/etc/tomoyo/profile.conf -

/etc/tomoyo/exception_policy.conf -



, tomoyo-editpolicy , . . !



.



6.



tomoyo-editpolicy - . .

tomoyo-loadpolicy - .

tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .

tomoyo-checkpolicy - .



, .



Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en



: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en



Tomoyo.

1. GRUB /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"



update-grub



2. :

aptitude install tomoyo-tools



3. :

/usr/lib/tomoyo/init_policy

.



4. !

Tomoyo, . , e grub :

security=tomoyo



security=none





midori.

, , , .

, midori.



initialize_domain.



tomoyo-editpolicy.

Exeption Policy Editor (w & e) A :



initialize_domain /usr/bin/midori from any











.

tomoyo.sourceforge.jp/2.5/chapter-5.html.en




Domain Transition Editor (w & d)



/usr/bin/midori *



S , 1.







midori , . , , .

midori.



Domain Transition Editor Enter Domain Policy Editor, midori .







.



@ . .



. .



.







/home/home/.config/midori/



(append) .



file read/write/unlink/truncate/rename /home/home/.config/midori/\*







.



, D , .



, , /home/home/.config/midori/



file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*









tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard



tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en




.







, .



network inet stream connect 0.0.0.0-255.255.255.255 80-443



//



, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




, .



, , midori /etc/passwd







.



D, .

Domain Transition Editor (w & d), S 1 3.

.

? . ? .



.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







:

tomoyo-savepolicy -d



.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'



, .

>> /etc/tomoyo/domain_policy.conf



.



midori



/etc/tomoyo/domain_policy.conf

<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53











tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf









exception_policy.conf



path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*







domain_policy.conf



file read/write/append/unlink/truncate @Midoi_Allow









tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf









tomoyo-auditd , /var/log/tomoyo .





wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader








/home /tmp root.



/etc/tomoyo/profile.conf

4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }





/etc/tomoyo/exception_policy.conf

path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any











/etc/tomoyo/domain_policy.conf

<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0









1.

midori \-midori , file execute /usr/bin/medit ?





initialize_domain /usr/bin/midori from any medit, .



2.

file execute @ALLOW_EXEC_ROOT task.uid=0






tomoyo.sourceforge.jp/2.5/chapter-10.html.en




3.

keep_domain any from <kernel>







initialize_domain /usr/bin/midori from any





, . keep_domain.



4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

. use_profile 4, .



tomoyo.sourceforge.jp/2.5/chapter-9.html.en








ps. mac. Tomoyo, - caitsith.sourceforge.jp



Update!



ld-linux.so.2 .





<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any












/home/home/.config/midori/



(append) .



file read/write/unlink/truncate/rename /home/home/.config/midori/\*









, D , .



, , /home/home/.config/midori/



file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*









tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard



tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en












network inet stream connect 0.0.0.0-255.255.255.255 80-443





, (O & D).





tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet






, , midori /etc/passwd









D, .

Domain Transition Editor (w & d), S 1 3.



tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf







:

tomoyo-savepolicy -d

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'

>> /etc/tomoyo/domain_policy.conf



midori







3.

keep_domain any from <kernel>





. .



initialize_domain /usr/bin/midori from any





, . keep_domain.



4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }





. use_profile 4, .



.

tomoyo.sourceforge.jp/2.5/chapter-9.html.en






Tomoyo , .

.



ps. mac. Tomoyo, - caitsith.sourceforge.jp



Update!



Tomoyo .

ld-linux.so.2 .



.



:



<kernel> /lib/x86_64-linux-gnu/ld-2.13.so use_profile 3 use_group 0 initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any





, .








 
      

.

<kernel> - <kernel> /sbin/init - <kernel> /sbin/init /etc/rc.d/rc - <kernel> /etc/init.d/gdm3 /sbin/start-stop-daemon /usr/sbin/gdm3 -








, .



/bin/bash, , sshd .

- .

/sbin/init ..... /bin/bash

/sbin/init ..... /usr/sbin/sshd /bin/bash



.

, bash - . bash - , . Tomoyo.



tomoyo-editpolicy.



tomoyo-editpolicy







. .







W , D (w & d).



2.



. , , , . .



file execute /bin/ls - ls







, .



file execute /bin/ls task.uid=0 - ls .







3. .

, , .



4 .

0 - , .

1 - , .

2 - , 0

3 - , , .



tomoyo-editpolicy (w & p)







- 3



4. .

, - . . . - , . .



tomoyo-editpolicy (w & e)







5.



:



/etc/tomoyo/domain_policy.conf -

/etc/tomoyo/profile.conf -

/etc/tomoyo/exception_policy.conf -



, tomoyo-editpolicy , . . !



.



6.



tomoyo-editpolicy - . .

tomoyo-loadpolicy - .

tomoyo-savepolicy - , . ! - tomoyo-editpolicy. , .

tomoyo-checkpolicy - .



, .



Tomoyo: tomoyo.sourceforge.jp/2.5/chapter-4.html.en



: tomoyo.sourceforge.jp/2.5/man-pages/index.html.en



Tomoyo.

1. GRUB /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo"



update-grub



2. :

aptitude install tomoyo-tools



3. :

/usr/lib/tomoyo/init_policy

.



4. !

Tomoyo, . , e grub :

security=tomoyo



security=none





midori.

, , , .

, midori.



initialize_domain.



tomoyo-editpolicy.

Exeption Policy Editor (w & e) A :



initialize_domain /usr/bin/midori from any











.

tomoyo.sourceforge.jp/2.5/chapter-5.html.en




Domain Transition Editor (w & d)



/usr/bin/midori *



S , 1.







midori , . , , .

midori.



Domain Transition Editor Enter Domain Policy Editor, midori .







Rules for the midori configuration directory.

A path operand beginning with @ refers to a path_group defined in the exception policy; those are covered below. First the plain patterns.

Midori keeps its state under /home/home/.config/midori/ (the user on this machine is called "home"). Two rules cover it. The first covers the files directly inside that directory. rename takes two path operands, so it cannot be combined with the single-path operations and is written as its own rule:

file read/write/unlink/truncate /home/home/.config/midori/\*
file rename /home/home/.config/midori/\* /home/home/.config/midori/\*

The second covers files in its subdirectories, at any depth. \* matches any run of characters except "/", so it never crosses a directory boundary, while \{\*\}/ matches one or more directory levels. Neither pattern covers the other, which is why both rules are needed:

file read/write/append/unlink/truncate /home/home/.config/midori/\{\*\}/\*

Wildcard syntax: tomoyo.sourceforge.jp/2.5/policy-specification/expression-rules.html.en#wildcard

Domain policy syntax: tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en
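These matching rules are easy to get wrong by a single character, so here is a small checker, written for this article and not part of tomoyo-tools, that translates a TOMOYO 2.5 pathname pattern into a regular expression and tests whether a rule operand (a literal path, a pattern, or a @path_group) covers a given resolved path. It implements the documented semantics: \* and the other single-token wildcards never cross "/", \{dir\}/ stands for one or more directory levels, and \- subtracts names from the final component. The exception-policy excerpt inside it is constructed for the demonstration and uses the Midoi_Allow and ALLOW_EXEC groups that appear later on this page.

```python
import re

# Regex equivalents of the single-token TOMOYO 2.5 wildcards. None of them
# matches '/', so a wildcard never crosses a directory boundary.
_WILDCARDS = {
    '*': '[^/]*',         # \*  zero or more characters other than '/'
    '@': '[^/.]*',        # \@  zero or more characters other than '/' and '.'
    '?': '[^/]',          # \?  exactly one character other than '/'
    '$': '[0-9]+',        # \$  one or more decimal digits
    '+': '[0-9]',         # \+  one decimal digit
    'X': '[0-9A-Fa-f]+',  # \X  one or more hexadecimal digits
    'x': '[0-9A-Fa-f]',   # \x  one hexadecimal digit
    'A': '[A-Za-z]+',     # \A  one or more letters
    'a': '[A-Za-z]',      # \a  one letter
}


def _plain(part):
    """Translate a piece of one path component (no '/' and no \\- in it)."""
    out, i = [], 0
    while i < len(part):
        ch = part[i]
        if ch != '\\':
            out.append(re.escape(ch))
            i += 1
        elif part[i + 1] in _WILDCARDS:
            out.append(_WILDCARDS[part[i + 1]])
            i += 2
        elif part[i + 1] == '\\':                  # \\ is a literal backslash
            out.append(re.escape('\\'))
            i += 2
        elif part[i + 1:i + 4].isdigit():          # \ooo: octal-escaped byte
            out.append(re.escape(chr(int(part[i + 1:i + 4], 8))))
            i += 4
        else:
            raise ValueError(f'unsupported escape in {part!r}')
    return ''.join(out)


def _component(comp):
    """One path component. X\\-Y\\-Z means: matches X, but is neither Y nor Z."""
    parts = comp.split('\\-')
    base = _plain(parts[0])
    if len(parts) == 1:
        return base
    excluded = '|'.join(_plain(p) for p in parts[1:])
    # the subtraction applies to the whole component, hence the (?=/|$) guard
    return f'(?!(?:{excluded})(?=/|$)){base}'


def tomoyo_pattern_to_regex(pattern):
    """Compile a TOMOYO pathname pattern into an anchored regular expression."""
    out, sep = [], ''
    for comp in pattern.split('/'):
        if comp.startswith('\\{') and comp.endswith('\\}'):
            # \{dir\}/ stands for ONE OR MORE directory levels matching dir
            out.append(f'{sep}(?:{_component(comp[2:-2])}/)+')
            sep = ''                 # the repetition already consumed the '/'
        else:
            out.append(sep + _component(comp))
            sep = '/'
    return re.compile('^' + ''.join(out) + '$')


def parse_path_groups(exception_policy):
    """Collect 'path_group NAME PATTERN' lines into {NAME: [PATTERN, ...]}."""
    groups = {}
    for line in exception_policy.splitlines():
        tok = line.split()
        if len(tok) == 3 and tok[0] == 'path_group':
            groups.setdefault(tok[1], []).append(tok[2])
    return groups


def path_matches(rule_path, real_path, groups=None):
    """Does the path operand of a domain rule (literal, pattern or @GROUP)
    cover real_path?  real_path must be the resolved path, as Tomoyo sees it."""
    if rule_path.startswith('@'):
        members = (groups or {}).get(rule_path[1:], [])
        return any(path_matches(m, real_path, groups) for m in members)
    return tomoyo_pattern_to_regex(rule_path).match(real_path) is not None


# Constructed exception-policy excerpt using the groups from this article.
EXCEPTION_POLICY = r"""
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
"""

if __name__ == '__main__':
    groups = parse_path_groups(EXCEPTION_POLICY)
    for rule, path in [
        (r'/home/home/.config/midori/\*', '/home/home/.config/midori/extensions/adblock/config'),
        (r'/home/home/.config/midori/\{\*\}/\*', '/home/home/.config/midori/config'),
        ('@ALLOW_EXEC', '/usr/bin/midori'),
        ('@ALLOW_EXEC', '/usr/lib/midori/libadblock.so'),
    ]:
        print(f'{rule:40} {path:52} {path_matches(rule, path, groups)}')
```

Two results are worth noticing: the flat \* rule does not reach /home/home/.config/midori/extensions/adblock/config and the recursive rule does not reach /home/home/.config/midori/config, so the two rules above really are both required; and \*\-medit\-midori only excludes a final component that is exactly "medit" or "midori", so /usr/lib/midori/libadblock.so is still a member of ALLOW_EXEC while /usr/bin/midori is not.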




Network access.

Midori needs outgoing TCP for HTTP and HTTPS. Learning mode records one entry per destination address and port; they can be replaced by a single rule:

network inet stream connect 0.0.0.0-255.255.255.255 80-443

Read this rule literally before adopting it. The address operand is a range covering every IPv4 host, and a port operand written as "80-443" is also a range: it permits connections to all 364 ports from 80 through 443 inclusive, not only ports 80 and 443. To allow just those two, write two rules, one with port 80 and one with port 443. DNS is separate; in the policy below it is a UDP send to 192.168.1.1 on port 53.

Once the broad rule is in place, the individual entries it subsumes can be selected in tomoyo-editpolicy with O (optimize: marks the entries covered by the one under the cursor) and removed with D (delete).

tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en#network_inet




Then go through the rest of what learning mode recorded. It lists everything the program touched, which is not the same as everything it should be allowed to touch; entries you do not want the program to have, for example midori reading /etc/passwd, are deleted with D.

When the policy looks right, switch midori to enforcing mode: in the Domain Transition Editor (w & d) select the midori domain and press S to change its profile from 1 to 3.

Start midori again and use it. Anything that stops working is a missing rule, and with reject_log enabled in the profile the rejected operation is written to the audit log when tomoyo-auditd is running, so the fix is to add the rule, not to loosen the profile.



Save the midori domain from the running kernel into the policy file on disk:

tomoyo-savepolicy -d | tomoyo-selectpolicy -r '<kernel> /usr/bin/midori' >> /etc/tomoyo/domain_policy.conf

Piece by piece:

tomoyo-savepolicy -d

prints the domain policy currently loaded in the kernel to standard output.

tomoyo-selectpolicy -r '<kernel> /usr/bin/midori'

keeps only the named domain and, because of -r, the domains below it.

>> /etc/tomoyo/domain_policy.conf

appends the result to the on-disk domain policy, which is what gets loaded at the next boot.

One caveat: if the file already contains a block for this domain, loading merges the two blocks, so entries you deleted in the editor but left in the file come back. In that case replace the old block instead of appending.



The resulting policy for midori:

/etc/tomoyo/domain_policy.conf

<kernel> /usr/bin/midori
use_profile 3
use_group 0
misc env GNOME_KEYRING_PID
misc env USER
misc env SSH_AGENT_PID
misc env HOME
misc env DESKTOP_SESSION
misc env XDG_SESSION_COOKIE
misc env DBUS_SESSION_BUS_ADDRESS
misc env GNOME_KEYRING_CONTROL
misc env LOGNAME
misc env USERNAME
misc env WINDOWPATH
misc env PATH
misc env DISPLAY
misc env LANG
misc env XAUTHORITY
misc env SSH_AUTH_SOCK
misc env SHELL
misc env GDMSESSION
misc env PWD
misc env XDG_DATA_DIRS
misc env GNOME_DESKTOP_SESSION_ID
misc env SESSION_MANAGER
misc env GPG_AGENT_INFO
misc env GIO_LAUNCHED_DESKTOP_FILE
misc env GIO_LAUNCHED_DESKTOP_FILE_PID
misc env DESKTOP_STARTUP_ID
file read proc:/filesystems
file read /usr/lib/locale/locale-archive
file read /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
network unix stream connect /var/run/nscd/socket
file read /etc/nsswitch.conf
network unix stream connect \000/tmp/.X11-unix/X0
file read /run/gdm3/auth-for-home-WxYaIE/database
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/engines/libclearlooks.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcanberra-gtk-module.so
network unix stream connect \000/tmp/dbus-BKDp9V4Rww
file read /usr/lib/x86_64-linux-gnu/gio/modules/giomodule.cache
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognomeproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiolibproxy.so
file read /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
file read /etc/xdg/midori/search
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
file read proc:/sys/crypto/fips_enabled
file read /dev/urandom
file read /etc/pkcs11/modules/gnome-keyring-module
file read /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
network unix stream connect /home/home/.cache/keyring-XULOQY/pkcs11
file read /etc/ssl/certs/ca-certificates.crt
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
file read /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
file read /usr/lib/midori/libaddons.so
file read /usr/lib/midori/libtoolbar-editor.so
file read /usr/lib/midori/libtab-panel.so
file read /usr/lib/midori/libadblock.so
file read /usr/lib/midori/libcookie-manager.so
file read /usr/lib/midori/libstatusbar-features.so
file read /usr/lib/midori/libweb-cache.so
file read /usr/lib/midori/libshortcuts.so
file read /usr/lib/midori/libformhistory.so
file read /usr/lib/midori/libstatus-clock.so
file read /usr/lib/midori/libcolorful-tabs.so
file read /usr/lib/midori/libfeed-panel.so
file read /usr/lib/midori/libhistory-list.so
file read /usr/lib/midori/libmouse-gestures.so
file read /usr/lib/midori/libcopy-tabs.so
file read /usr/lib/midori/libtabs-minimized.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders.cache
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/module-files.d/libpango1.0-0.modules
file read /etc/fonts/fonts.conf
file read /usr/lib/x86_64-linux-gnu/pango/1.6.0/modules/pango-basic-fc.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
file read /usr/lib/x86_64-linux-gnu/gtk-2.0/2.10.0/gtk.immodules
file read /usr/lib/enchant/libenchant_hspell.so
file read /usr/lib/enchant/libenchant_aspell.so
file read /usr/lib/enchant/libenchant_myspell.so
file read /usr/lib/enchant/libenchant_ispell.so
file read /usr/lib/x86_64-linux-gnu/gconv/KOI8-R.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
file read /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
file read /etc/host.conf
file read /etc/resolv.conf
file read /etc/hosts
file ioctl socket:[family=2:type=2:protocol=17] 0x541B
file read /etc/gai.conf
file read /usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so
file ioctl anon_inode:inotify 0x541B
file read /etc/gnome/defaults.list
file read /usr/lib/libreoffice/share/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\* 0-0666
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\* /home/home/\*
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file rename /home/\{\*\}/\* /home/home/\{\*\}/\*
file read /etc/fonts/\{\*\}/\*
file read /usr/share/\{\*\}/\*
file read /var/cache/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53
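Reading a learned policy of this size by eye is where mistakes slip through, so here is a review helper, written for this article and not part of tomoyo-tools. It parses a domain policy text into domains and rules and flags the two patterns discussed above: a network rule whose address or port operand is a range (reporting how many hosts and ports it really covers, 364 ports for 80-443) and a mutating file rule whose wildcard sits directly under a home directory. The policy text inside it is a constructed excerpt of the dump above, with the <kernel> domain abbreviated to the execute rules used in the second half of this article.

```python
import ipaddress
import re

# Constructed excerpt of a learned domain policy: a few of the midori rules
# shown above, plus an abbreviated <kernel> domain.
DOMAIN_POLICY = r"""
<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0

<kernel> /usr/bin/midori
use_profile 3
use_group 0
file read /etc/hosts
file read /usr/lib/midori/libadblock.so
file read/write/append/unlink/truncate /home/home/\{\*\}/\*
file read/write/append/unlink/truncate /home/home/\*
file create/chmod /home/home/\{\*\}/\* 0-0666
file rename /home/home/\{\*\}/\* /home/home/\{\*\}/\*
file read /usr/share/\{\*\}/\*
network inet stream connect 0.0.0.0-255.255.255.255 80-443
network inet dgram send 192.168.1.1 53
"""

_CONDITION = re.compile(r'^[a-z0-9_.]+!?=')        # e.g. task.uid=0, exec.argc!=1
_HOME_WILDCARD = re.compile(r'^/home/[^/\\]+/\\')  # a wildcard right below ~
_MUTATING = {'write', 'append', 'unlink', 'truncate', 'create', 'rename',
             'chmod', 'chown', 'chgrp', 'mkdir', 'rmdir', 'link', 'symlink'}


def parse_domain_policy(text):
    """Return {domain: [(keyword, operands, conditions), ...]}."""
    domains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('<kernel>'):            # a domain header line
            current = line
            domains[current] = []
            continue
        tokens = line.split()
        operands = [t for t in tokens[1:] if not _CONDITION.match(t)]
        conditions = [t for t in tokens[1:] if _CONDITION.match(t)]
        domains[current].append((tokens[0], operands, conditions))
    return domains


def _range_size(token, to_int):
    """How many values an 'a-b' operand covers (1 for a single value)."""
    low, _, high = token.partition('-')
    return to_int(high) - to_int(low) + 1 if high else 1


def review_domain(domain, rules):
    """Return [(rule_text, finding), ...] for one domain."""
    findings = []
    for keyword, ops, conds in rules:
        rule = ' '.join([keyword, *ops, *conds])
        if (keyword == 'network' and ops[:1] == ['inet'] and len(ops) >= 5
                and not ops[3].startswith('@')):
            hosts = _range_size(ops[3], lambda a: int(ipaddress.ip_address(a)))
            ports = _range_size(ops[4], int)
            if hosts > 1:
                findings.append((rule, f'address range covers {hosts} hosts'))
            if ports > 1:
                findings.append((rule, f'port range {ops[4]} allows {ports} ports, '
                                       'not only its two endpoints'))
        elif keyword == 'file' and len(ops) >= 2:
            perms = set(ops[0].split('/'))
            if perms & _MUTATING and _HOME_WILDCARD.match(ops[1]):
                findings.append((rule, 'write access to a wildcard under /home: '
                                       'every matching file in the home directory'))
    return findings


def review_policy(text):
    """Run the checks over every domain in a domain policy text."""
    return {d: review_domain(d, r) for d, r in parse_domain_policy(text).items()}


if __name__ == '__main__':
    for domain, found in review_policy(DOMAIN_POLICY).items():
        print(domain)
        for rule, finding in found or [(None, 'nothing flagged')]:
            print(f'  {finding}' if rule is None else f'  {rule}\n      -> {finding}')
```

Run against the excerpt it reports nothing for <kernel> and six findings for the midori domain: the four generalized /home/home rules (read/write/append/unlink/truncate, create/chmod and rename over the whole home directory) and the two ranges in the HTTP rule. Narrow the .config/midori rules and the download directory by hand before switching the domain to profile 3; the helper only points at the lines, it does not rewrite them.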









Two things in this dump deserve a second look before the domain goes into enforcing mode. Several paths carry per-session random names (/run/gdm3/auth-for-home-WxYaIE/database, \000/tmp/dbus-BKDp9V4Rww, /home/home/.cache/keyring-XULOQY/pkcs11); they change at the next login, after which midori would be denied its X authority file, the session bus and the keyring. Replace the random part with \*. And the generalized /home/home rules grant read, write, append, unlink and truncate over every file in the home directory, far more than the .config/midori rules above; narrow them to what a browser actually needs, such as its download directory.

Save the exception policy as well (this one is written as a whole, so the file is overwritten rather than appended to):

tomoyo-savepolicy -e > /etc/tomoyo/exception_policy.conf







Patterns shared by several rules can be collected into a path_group in the exception policy and referenced from domain rules by name with an @ prefix. For midori's own directories:

exception_policy.conf

path_group Midoi_Allow /home/\*/midory/\{\*\}/\*
path_group Midoi_Allow /home/\*/.config/midori/\{\*\}/\*
path_group Midoi_Allow /home/home/.config/midori/\*

and in domain_policy.conf the separate per-path rules collapse into one:

file read/write/append/unlink/truncate @Midoi_Allow







Before rebooting, check both files for syntax errors. A line the kernel rejects is simply not loaded, and in enforcing mode a rule that is not loaded is a denial:

tomoyo-checkpolicy d < /etc/tomoyo/domain_policy.conf
tomoyo-checkpolicy e < /etc/tomoyo/exception_policy.conf







Finally, to see what is being granted and rejected, run tomoyo-auditd: it reads the kernel's audit stream and writes it to files under /var/log/tomoyo (the destinations are set in /etc/tomoyo/tools/auditd.conf). Which operations are logged at all is controlled by grant_log and reject_log in the profile.

Other worked policies:

wiki.archlinux.org/index.php/skype#TOMOYO

wiki.archlinux.org/index.php/Adobe_Reader






A system-wide policy.

So far only midori is confined; every other process runs unconfined. Tomoyo can also enforce one simple rule across the whole system. The goal here: binaries in the system directories may be executed by anyone, but execution from /home, /tmp, /var and the other writable locations is allowed only to root. That closes the usual route of a user, or an exploit running as that user, dropping a binary into the home directory or /tmp and running it.

This is done with a fourth profile that enforces nothing but file::execute, so the rest of the system keeps working without a rule for every file it reads:

/etc/tomoyo/profile.conf

4-COMMENT=-----Enforcing file::execute only-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
4-CONFIG={ mode=disabled grant_log=yes reject_log=yes }
4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }



The exception policy defines two path groups, one for locations anyone may execute from and one for locations only root may execute from, and keeps every process in the <kernel> domain except midori:

/etc/tomoyo/exception_policy.conf

path_group ALLOW_EXEC /\*
path_group ALLOW_EXEC /bin/\{\*\}/\*
path_group ALLOW_EXEC /etc/\{\*\}/\*
path_group ALLOW_EXEC /sbin/\{\*\}/\*
path_group ALLOW_EXEC /sys/\{\*\}/\*
path_group ALLOW_EXEC /boot/\{\*\}/\*
path_group ALLOW_EXEC /usr/\{\*\}/\*\-medit\-midori
path_group ALLOW_EXEC /run/\{\*\}/\*
path_group ALLOW_EXEC /bin/\*
path_group ALLOW_EXEC /etc/\*
path_group ALLOW_EXEC /sbin/\*
path_group ALLOW_EXEC /sys/\*
path_group ALLOW_EXEC /boot/\*
path_group ALLOW_EXEC /usr/\*
path_group ALLOW_EXEC /run/\*
path_group ALLOW_EXEC_ROOT /lib/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib64/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /home/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /opt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /tmp/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /var/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /mnt/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /media/\{\*\}/\*
path_group ALLOW_EXEC_ROOT /lib/\*
path_group ALLOW_EXEC_ROOT /lib64/\*
path_group ALLOW_EXEC_ROOT /home/\*
path_group ALLOW_EXEC_ROOT /opt/\*
path_group ALLOW_EXEC_ROOT /tmp/\*
path_group ALLOW_EXEC_ROOT /var/\*
path_group ALLOW_EXEC_ROOT /mnt/\*
path_group ALLOW_EXEC_ROOT /media/\*
keep_domain any from <kernel>
initialize_domain /usr/bin/midori from any

The domain policy then needs only a few lines; the midori domain keeps the rules built above:

/etc/tomoyo/domain_policy.conf

<kernel>
use_profile 4
use_group 0
file execute @ALLOW_EXEC
file execute @ALLOW_EXEC_ROOT task.uid=0
file execute /usr/bin/medit
file execute /usr/bin/midori

<kernel> /usr/bin/midori
use_profile 3
use_group 0







A few remarks.

1.

Why are medit and midori subtracted from the ALLOW_EXEC group (\-medit\-midori) and then granted with explicit file execute lines?

The \- operator removes those names from what the group matches, so executing either program is permitted only by the explicit rules. midori additionally has initialize_domain /usr/bin/midori from any and therefore runs in its own domain with its own profile; medit has no such rule and stays in <kernel> like everything else.

2.

file execute @ALLOW_EXEC_ROOT task.uid=0

The trailing task.uid=0 is a condition: the rule applies only when the process performing the exec has user ID 0. Everyone else is denied execution from /home, /tmp, /var, /opt, /mnt, /media, /lib and /lib64. task.uid is the real UID; the effective UID is task.euid, so pick the variable deliberately where setuid programs are involved.

Conditions: tomoyo.sourceforge.jp/2.5/chapter-10.html.en

3.

keep_domain any from <kernel>

Without this line Tomoyo would create a new domain for every program executed, reproducing the whole process tree as domain names. With it, every process stays in <kernel> and is covered by the rules above. The one exception is

initialize_domain /usr/bin/midori from any

initialize_domain takes precedence over keep_domain, so midori still gets its own domain.

4.

4-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }

Profile 4 disables every check except file::execute, which is enforced, and logs only rejected executions. <kernel> uses profile 4, so nothing but execution is restricted there, while the midori domain uses profile 3 and is fully enforced.

Profiles: tomoyo.sourceforge.jp/2.5/chapter-9.html.en






That is all it takes: Tomoyo lets a fine-grained per-application policy and a coarse system-wide rule coexist in one configuration.

P.S. A MAC with a different model, by the author of Tomoyo: caitsith.sourceforge.jp



Update!

The exec-only policy above has a hole. The dynamic loader can be invoked directly with the target program as its argument (ld-linux.so.2 on 32-bit systems, ld-linux-x86-64.so.2 on amd64). The program that actually runs is then never passed to execve: the kernel sees an execution of the loader, which the policy allows, and the target is merely opened and mapped by the loader. With the groups above, /lib is in ALLOW_EXEC_ROOT, so a non-root user cannot execve the loader at all; the hole is open to root and to any policy that lists /lib without a condition.

The fix is to give the loader its own empty, enforcing domain. Tomoyo names domains by the resolved real path, not the symlink, which on Debian Wheezy amd64 is /lib/x86_64-linux-gnu/ld-2.13.so:

/etc/tomoyo/domain_policy.conf

<kernel> /lib/x86_64-linux-gnu/ld-2.13.so
use_profile 3
use_group 0

/etc/tomoyo/exception_policy.conf

initialize_domain /lib/x86_64-linux-gnu/ld-2.13.so from any

Running the loader directly now lands in a domain with profile 3 and no rules, so the first thing it attempts, opening the program it was asked to load, is rejected.









