Tetsuo Handa
from-****@I-lov*****
Sat Feb 5 20:49:46 JST 2011
Jamie Nguyen wrote:
> I am looking at the table located here:
>
> http://tomoyo.sourceforge.jp/1.8/policy-reference.html.en#domain_policy_network_inet
>
> Is this table meant to be a complete table?

Yes.

> I notice that it is possible to add entries in domain policy that are not
> listed in this table, such as "network inet stream recv 127.0.0.1 53" or
> "network inet stream send 127.0.0.1 53". Any combination of the
> stream/dgram/raw with bind/listen/accept/connect/send/recv can be used,
> but not all combinations are listed in the table.

For a stream socket, permission is checked only at connect()/accept() time,
and permission is not checked on each send()/recv(). This is similar to
checking only at open() time and not checking on each read()/write().

For a datagram socket, permission is checked on each connect()/send()/recv()
because the remote address may change after the socket was created. This is
similar to checking on each ioctl() because the ioctl's command number may
change after the file was opened.

Since protocol and operation are represented using separate fields,
http://tomoyo.sourceforge.jp/cgi-bin/lxr/source/security/ccsecurity/internal.h#L1261
it is possible to specify any combination you mentioned. But only the
combinations listed in
http://tomoyo.sourceforge.jp/cgi-bin/lxr/source/security/ccsecurity/network.c#L166
are checked.

> I don't have a strong grasp of network operations, but are these unlisted
> operations valid? If they are valid, then I can add them to the table. If
> they are invalid then perhaps when a user tries to add them to domain
> policy the directive should not be added.

Maybe. Although AKARI cannot support the CCS_NETWORK_RECV operation, I didn't
remove it from the source code in order to keep the diff between TOMOYO and
AKARI minimal.

> The same applies for "network unix" directive. There is no table here,

I thought I had already added it. But it seems that I added only the
"CONFIG::network::unix_*" table and forgot to add the "network unix *" table.

> but I guess that stream and dgram use same syntax as "network inet" but
> without the port number. I assume that seqpacket only supports
> bind/send/recv.

Right, a Unix domain socket does not have a port number. Permissions checked
by TOMOYO 1.8 are:

  unix dgram bind
  unix dgram send
  unix dgram recv
  unix stream bind
  unix stream listen
  unix stream connect
  unix stream accept
  unix seqpacket bind
  unix seqpacket listen
  unix seqpacket connect
  unix seqpacket accept

The address starts with \000 (rather than /) for abstract namespace sockets.
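As an added example (not code from this thread or from the TOMOYO project), a small parser for a "network unix" domain policy line that accepts only the protocol/operation pairs TOMOYO 1.8 is stated above to check, and that recognises the \000-prefixed abstract namespace form of the address. It assumes addresses are written with TOMOYO's three-digit octal escapes (\000, \040 and so on) and that a non-abstract address is an absolute filesystem path.

```python
import re
from typing import NamedTuple

# Protocol/operation pairs that TOMOYO 1.8 checks for "network unix",
# exactly as enumerated in the message above. Anything else is syntax
# that the policy loader may accept but the kernel never enforces.
UNIX_CHECKED_OPS = {
    "dgram": {"bind", "send", "recv"},
    "stream": {"bind", "listen", "connect", "accept"},
    "seqpacket": {"bind", "listen", "connect", "accept"},
}

# Assumed encoding: TOMOYO writes non-printable bytes as \ooo octal escapes.
_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


class UnixRule(NamedTuple):
    protocol: str
    operation: str
    path: bytes      # decoded socket address
    abstract: bool   # True when the address is in the abstract namespace


def parse_network_unix(line: str) -> UnixRule:
    """Parse one 'network unix <proto> <op> <address>' domain policy line.

    Raises ValueError for a malformed line or for a protocol/operation pair
    that TOMOYO 1.8 never checks (the case Jamie asked about).
    """
    parts = line.split()
    if len(parts) != 5 or parts[:2] != ["network", "unix"]:
        raise ValueError(f"not a 'network unix' directive: {line!r}")
    _, _, proto, op, addr = parts
    if proto not in UNIX_CHECKED_OPS:
        raise ValueError(f"unknown unix protocol {proto!r}")
    if op not in UNIX_CHECKED_OPS[proto]:
        raise ValueError(f"'unix {proto} {op}' is never checked by TOMOYO 1.8")
    # Decode octal escapes; an abstract namespace socket starts with \000
    # rather than with a '/' filesystem path.
    raw = _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), addr).encode("latin-1")
    if raw.startswith(b"\0"):
        return UnixRule(proto, op, raw, True)
    if not raw.startswith(b"/"):
        raise ValueError(f"address must be an absolute path or abstract name: {addr!r}")
    return UnixRule(proto, op, raw, False)


def is_enforced(line: str) -> bool:
    """True if the line parses and names a pair TOMOYO 1.8 actually checks."""
    try:
        parse_network_unix(line)
        return True
    except ValueError:
        return False
```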