[tomoyo-dev-en 125] Re: Updated website


Tetsuo Handa from-****@I-lov*****
Sat Feb 5 20:49:46 JST 2011


Jamie Nguyen wrote:
> I am looking at the table located here:
> 
> http://tomoyo.sourceforge.jp/1.8/policy-reference.html.en#domain_policy_network_inet
> 
> Is this table meant to be a complete table?

Yes.

> I notice that it is
> possible to add entries in domain policy that are not listed in this
> table, such as "network inet stream recv 127.0.0.1 53" or "network
> inet stream send 127.0.0.1 53". Any combination of the
> stream/dgram/raw with bind/listen/accept/connect/send/recv can be
> used, but not all combinations are listed in the table.

For stream sockets, permission is checked only at connect()/accept() time,
and not on each send()/recv(). This is similar to checking only at open()
time and not on each read()/write().

For datagram sockets, permission is checked on each connect()/send()/recv()
because the remote address may change after the socket was created. This is
similar to checking on each ioctl() because the ioctl command number may change
after the file was opened.

Since protocol and operation are represented using separate fields,
http://tomoyo.sourceforge.jp/cgi-bin/lxr/source/security/ccsecurity/internal.h#L1261
it is possible to specify any combination you mentioned.
But only the combinations listed in
http://tomoyo.sourceforge.jp/cgi-bin/lxr/source/security/ccsecurity/network.c#L166
are checked.

> I don't have a
> strong grasp of network operations, but are these unlisted operations
> valid? If they are valid, then I can add them to the table. If they
> are invalid then perhaps when a user tries to add them to domain
> policy the directive should not be added.

Maybe. Although AKARI cannot support the CCS_NETWORK_RECV operation, I didn't
remove it from the source code in order to keep the diff between TOMOYO and
AKARI to a minimum.

> The same applies for "network unix" directive. There is no table here,

I thought I had already added it, but it seems that I added only the
"CONFIG::network::unix_\*" table and forgot to add the "network unix \*" table.

> but I guess that stream and dgram use same syntax as "network inet"
> but without the port number. I assume that seqpacket only supports
> bind/send/recv.

Right, Unix domain sockets do not have a port number.
The permissions checked by TOMOYO 1.8 are:

  unix dgram bind
  unix dgram send
  unix dgram recv
  unix stream bind
  unix stream listen
  unix stream connect
  unix stream accept
  unix seqpacket bind
  unix seqpacket listen
  unix seqpacket connect
  unix seqpacket accept

Addresses start with \000 (rather than /) for abstract namespace sockets.
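The point of the reply is that a "network unix" line can be syntactically accepted by the policy parser even when the socket-type/operation pair is never consulted by the kernel, so such a line gives no enforcement at all. The following audit helper is an added example, not code from TOMOYO or its tools: it takes a domain-policy fragment, keeps only the "network unix" directives, and reports for each one whether the pair is in the checked list quoted above, whether it parses but is never enforced, or whether it is malformed. The address rule (a path starting with / or, for the abstract namespace, \000) also comes from the reply. The sample policy lines are constructed for the example; the "network inet" table is not reproduced here, so inet directives are simply reported as out of scope.

```python
import re
from dataclasses import dataclass

# Hypothetical audit helper; not part of TOMOYO or its userspace tools.
# Socket type -> operations that TOMOYO 1.8 actually consults for
# "network unix", exactly as enumerated in the reply above.
CHECKED_UNIX_OPS = {
    "dgram": {"bind", "send", "recv"},
    "stream": {"bind", "listen", "connect", "accept"},
    "seqpacket": {"bind", "listen", "connect", "accept"},
}
# Every operation keyword the policy syntax accepts, regardless of socket type.
OPERATIONS = {"bind", "listen", "accept", "connect", "send", "recv"}

_LINE = re.compile(r"^network\s+unix\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


@dataclass
class Verdict:
    line: str
    status: str            # "checked", "unchecked" or "invalid"
    reason: str
    abstract: bool = False  # True when the address is in the abstract namespace


def classify_unix_directive(line):
    """Classify one 'network unix <type> <op> <address>' policy line."""
    line = line.strip()
    m = _LINE.match(line)
    if not m:
        return Verdict(line, "invalid",
                       "not a 'network unix <type> <op> <address>' directive")
    sock_type, op, address = m.groups()
    if sock_type not in CHECKED_UNIX_OPS:
        return Verdict(line, "invalid", f"unknown unix socket type {sock_type!r}")
    if op not in OPERATIONS:
        return Verdict(line, "invalid", f"unknown operation {op!r}")
    # Abstract namespace sockets are written with a leading \000 instead of /.
    abstract = address.startswith("\\000")
    if not abstract and not address.startswith("/"):
        return Verdict(line, "invalid", "address must start with / or \\000")
    if op in CHECKED_UNIX_OPS[sock_type]:
        return Verdict(line, "checked", f"{sock_type} {op} is enforced", abstract)
    # Parses fine, but network.c never looks at this combination: no enforcement.
    return Verdict(line, "unchecked",
                   f"{sock_type} {op} parses but is never consulted", abstract)


def audit_policy(text):
    """Return a Verdict for every 'network unix' line in a domain-policy fragment."""
    return [classify_unix_directive(l) for l in text.splitlines()
            if l.strip().startswith("network unix")]


# Constructed sample domain policy for the example (not from a real system).
SAMPLE_POLICY = r"""
<kernel> /usr/sbin/sshd
network unix stream connect /var/run/nscd/socket
network unix stream send /var/run/nscd/socket
network unix dgram send /dev/log
network unix seqpacket send /run/demo.sock
network unix stream connect \000/tmp/.X11-unix/X0
network unix stream connect tmp/relative.sock
"""

if __name__ == "__main__":
    for v in audit_policy(SAMPLE_POLICY):
        ns = " (abstract namespace)" if v.abstract else ""
        print(f"{v.status:9} {v.line}{ns}\n          {v.reason}")
```

Lines reported as "unchecked" are the ones worth removing or rewriting: they look like grants in the policy file but, per the reply, are never evaluated, so they only obscure what the domain is really allowed to do.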
