Chapter 9: Advanced profile management
9.1. Profile initialization
The initialization procedure performed using /usr/lib/ccs/init_policy can be modified with command-line options to make policy development easier, depending on which functionality you wish to restrict. For example, those wishing to restrict only file-related operations can pass the "--file-only-profile" option. The options you pass at initialization do not constrain how policy can be developed later; they merely change the default values written to the files created in the policy directory, and those files can be modified with the policy editor at any later date to fit your needs. The following table summarizes the available command-line options:
| Option | Default | Meaning |
|---|---|---|
| --full-profile | Selected | Create profiles with all functionality enabled. This is the default unless "--file-only-profile" is specified. |
| --file-only-profile | Not selected | Create profiles with only file-related functionality enabled. |
| --use_profile="$number" | 0 | Set the profile number for the "<kernel>" domain when creating "/etc/ccs/domain_policy.conf". This value must be an integer between 0 and 255. |
| --use_group="$number" | 0 | Set the ACL group for the "<kernel>" domain when creating "/etc/ccs/domain_policy.conf". This value must be an integer between 0 and 255. |
| --root="$rootdir" | / | Change the root directory in which to create configuration files. |
| --policy_dir="$configdir" | /etc/ccs/ | Change the directory in which to create configuration files. If you specify this option, a symbolic link named "/etc/ccs" that points to "$configdir" must be created. |
| --module_name="$name" | ccsecurity | Set the name of the loadable kernel module when creating "/etc/ccs/ccs-load-module", which is called by "/sbin/ccs-init" if TOMOYO Linux was built as a loadable kernel module (CONFIG_CCSECURITY_LKM=y). |
| --grant_log="$bool" | no | Set whether grant logs should be audited. This value can be either "yes" or "no". |
| --reject_log="$bool" | yes | Set whether reject logs should be audited. This value can be either "yes" or "no". |
| --max_audit_log="$number" | 1024 | Set the maximum number of audit log (grant/reject log) entries that the kernel will spool in the /proc/ccs/audit interface. This value must be an integer, and can be set to "0" if audit logs are not required. Maximum memory used can also be controlled using the /proc/ccs/stat interface. |
| --max_learning_entry="$number" | 2048 | Set the maximum number of ACL entries automatically added to each domain by the kernel when using learning mode. This value must be an integer; setting it to "0" makes "Learning Mode" behave like "Permissive Mode". Maximum memory used can also be controlled using the /proc/ccs/stat interface. |
| --enforcing_penalty="$number" | 0 | Set the sleep penalty in deciseconds (1 decisecond = 0.1 seconds) applied when a process violates policy in "Enforcing Mode". This value must be an integer. This is useful to prevent CPU consumption issues. |
If you executed /usr/lib/ccs/init_policy without the "--file-only-profile" option, the CONFIG lines in "/etc/ccs/profile.conf" will look like this:

```
0-COMMENT=-----Disabled Mode-----
0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
0-CONFIG={ mode=disabled grant_log=no reject_log=yes }
1-COMMENT=-----Learning Mode-----
1-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
1-CONFIG={ mode=learning grant_log=no reject_log=yes }
2-COMMENT=-----Permissive Mode-----
2-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
2-CONFIG={ mode=permissive grant_log=no reject_log=yes }
3-COMMENT=-----Enforcing Mode-----
3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }
```
If you executed /usr/lib/ccs/init_policy --file-only-profile, the CONFIG lines in "/etc/ccs/profile.conf" will look like this:

```
0-COMMENT=-----Disabled Mode-----
0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
0-CONFIG::file={ mode=disabled grant_log=no reject_log=yes }
1-COMMENT=-----Learning Mode-----
1-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
1-CONFIG::file={ mode=learning grant_log=no reject_log=yes }
2-COMMENT=-----Permissive Mode-----
2-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
2-CONFIG::file={ mode=permissive grant_log=no reject_log=yes }
3-COMMENT=-----Enforcing Mode-----
3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
3-CONFIG::file={ mode=enforcing grant_log=no reject_log=yes }
```
9.2. Profile syntax
9.2.1. Fields
Each profile contains 3 fields:

| Name | Control |
|---|---|
| COMMENT | Description of the profile. |
| CONFIG | Configuration of operation mode. |
| PREFERENCE | Configuration of various options. |
9.2.2. The CONFIG field
The following options are available in the CONFIG field:

| Option | Default | Meaning |
|---|---|---|
| grant_log="$bool" | no | Set whether grant logs should be audited. This value can be either "yes" or "no". |
| reject_log="$bool" | yes | Set whether reject logs should be audited. This value can be either "yes" or "no". |
| mode | disabled | Set what mode to use. See the table below. |
The "mode" parameter of the CONFIG line can contain one of the following values:

| Value | Meaning |
|---|---|
| disabled | Works as if it were a regular kernel. |
| learning | Do not reject an access request if the request violates policy. Append the request to policy. |
| permissive | Do not reject an access request if the request violates policy. Do not append the request to policy. |
| enforcing | Reject an access request if the request violates policy. Do not append the request to policy. |
By default, the CONFIG line specifies the default operation mode for all categories and functionalities. The absence of the CONFIG line is equivalent to "mode=disabled". The default configuration can be overwritten by using one or more CONFIG lines per profile with category-specific configuration:

| Name | Category to specify operation mode for |
|---|---|
| CONFIG | All operations |
| CONFIG::capability | Non-POSIX Capabilities only |
| CONFIG::file | File related operations only |
| CONFIG::ipc | Inter-process communications only |
| CONFIG::misc | Other miscellaneous parameters only |
| CONFIG::network | Network related operations only |
For example, only file and network operations could be restricted by adding a fourth profile:

```
4-COMMENT=-----Enforcing file and network-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
4-CONFIG::file={ mode=enforcing grant_log=no reject_log=yes }
4-CONFIG::network={ mode=enforcing grant_log=no reject_log=yes }
```
It is also possible to mix different restriction modes within a single profile, such as enforcing network operations but staying in "Learning Mode" for file-related operations:

```
5-COMMENT=-----Learning file and Enforcing network-----
5-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
5-CONFIG::file={ mode=learning grant_log=no reject_log=yes }
5-CONFIG::network={ mode=enforcing grant_log=no reject_log=yes }
```
Category-specific configuration can be further overwritten by functionality-specific configuration:

| Name | Functionality to specify operation mode for |
|---|---|
| CONFIG::capability::use_kernel_module | Use of the create_module(2), init_module(2) and delete_module(2) syscalls |
| CONFIG::capability::use_packet | Use of PACKET sockets |
| CONFIG::capability::use_route | Use of ROUTE sockets |
| CONFIG::capability::SYS_KEXEC_LOAD | Use of kexec_load(2) syscall |
| CONFIG::capability::SYS_NICE | Use of nice(2) and setpriority(2) syscalls |
| CONFIG::capability::SYS_PTRACE | Use of ptrace(2) syscall |
| CONFIG::capability::SYS_REBOOT | Use of reboot(2) syscall |
| CONFIG::capability::SYS_SETHOSTNAME | Use of sethostname(2) and setdomainname(2) syscalls |
| CONFIG::capability::SYS_TIME | Use of stime(2), settimeofday(2) and adjtimex(2) syscalls |
| CONFIG::capability::SYS_VHANGUP | Use of vhangup(2) syscall |
| CONFIG::file::execute | Program execution and domain transition |
| CONFIG::file::open | Opening files for reading or writing |
| CONFIG::file::create | File creation |
| CONFIG::file::unlink | File deletion |
| CONFIG::file::mkdir | Directory creation |
| CONFIG::file::rmdir | Directory deletion |
| CONFIG::file::mkfifo | FIFO creation |
| CONFIG::file::mksock | UNIX domain socket creation |
| CONFIG::file::truncate | File truncation |
| CONFIG::file::symlink | Symlink creation |
| CONFIG::file::mkblock | Block device file creation |
| CONFIG::file::mkchar | Character device file creation |
| CONFIG::file::link | Link creation |
| CONFIG::file::rename | File or directory renaming |
| CONFIG::file::chmod | File or directory chmod |
| CONFIG::file::chown | File or directory chown |
| CONFIG::file::chgrp | File or directory chgrp |
| CONFIG::file::ioctl | Use of the ioctl system calls |
| CONFIG::file::chroot | Use of chroot |
| CONFIG::file::mount | Use of mount |
| CONFIG::file::unmount | Use of umount |
| CONFIG::file::pivot_root | Use of pivot_root |
| CONFIG::network::inet_dgram_bind | UDP socket local address restriction |
| CONFIG::network::inet_dgram_send | UDP socket remote address restriction for outgoing packets |
| CONFIG::network::inet_dgram_recv | UDP socket remote address restriction for incoming packets |
| CONFIG::network::inet_stream_bind | TCP socket bind() operation |
| CONFIG::network::inet_stream_listen | TCP socket listen() operation |
| CONFIG::network::inet_stream_connect | TCP socket connect() operation |
| CONFIG::network::inet_stream_accept | TCP socket accept() operation |
| CONFIG::network::inet_raw_bind | RAW socket local address restriction |
| CONFIG::network::inet_raw_send | RAW socket remote address restriction for outgoing packets |
| CONFIG::network::inet_raw_recv | RAW socket remote address restriction for incoming packets |
| CONFIG::network::unix_dgram_bind | UNIX domain datagram socket local address restriction |
| CONFIG::network::unix_dgram_send | UNIX domain datagram socket remote address restriction for outgoing packets |
| CONFIG::network::unix_dgram_recv | UNIX domain datagram socket remote address restriction for incoming packets |
| CONFIG::network::unix_stream_bind | UNIX domain stream socket bind() operation |
| CONFIG::network::unix_stream_listen | UNIX domain stream socket listen() operation |
| CONFIG::network::unix_stream_connect | UNIX domain stream socket connect() operation |
| CONFIG::network::unix_stream_accept | UNIX domain stream socket accept() operation |
| CONFIG::network::unix_seqpacket_bind | UNIX domain seqpacket socket bind() operation |
| CONFIG::network::unix_seqpacket_listen | UNIX domain seqpacket socket listen() operation |
| CONFIG::network::unix_seqpacket_connect | UNIX domain seqpacket socket connect() operation |
| CONFIG::network::unix_seqpacket_accept | UNIX domain seqpacket socket accept() operation |
| CONFIG::misc::env | Environment variable names |
| CONFIG::ipc::signal | Use of signal transmission requests |
For example, you could create a profile that restricts only file execution:

```
6-COMMENT=-----Enforcing file::execute only-----
6-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
6-CONFIG::file::execute={ mode=enforcing grant_log=no reject_log=yes }
```
For performance, permission checks for getting attributes of files and directories could be disabled while still enabling other permission checks for files:

```
7-COMMENT=-----Enforcing file operations without getattr-----
7-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
7-CONFIG::file={ mode=enforcing grant_log=no reject_log=yes }
7-CONFIG::file::getattr={ mode=disabled grant_log=no reject_log=yes }
```
Note that the settings for "CONFIG::file::getattr" overwrite the settings for "CONFIG::file", which in turn overwrite the settings for "CONFIG" (which in this case has not been set and so is equivalent to "mode=disabled"). This allows fine-grained control over which operations you wish to restrict.
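The override chain just described (CONFIG::category::functionality over CONFIG::category over CONFIG over the built-in default) is easy to get wrong when reviewing a hand-edited profile.conf, so here is a small resolver that applies it to the chapter's profiles 3, 4 and 7. This is an added example, not part of the TOMOYO Linux documentation or tools; the sample profile text is constructed from the excerpts above, and the per-option (rather than per-line) fall-through is an assumption of the example.

```python
import re

# Constructed sample input: the chapter's profiles 3, 4 and 7 (profile.conf excerpt).
SAMPLE_PROFILE_CONF = """\
3-COMMENT=-----Enforcing Mode-----
3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }
4-COMMENT=-----Enforcing file and network-----
4-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
4-CONFIG::file={ mode=enforcing grant_log=no reject_log=yes }
4-CONFIG::network={ mode=enforcing grant_log=no reject_log=yes }
7-COMMENT=-----Enforcing file operations without getattr-----
7-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
7-CONFIG::file={ mode=enforcing grant_log=no reject_log=yes }
7-CONFIG::file::getattr={ mode=disabled grant_log=no reject_log=yes }
"""

# Defaults from the CONFIG option table; an absent CONFIG line means mode=disabled.
CONFIG_DEFAULTS = {"mode": "disabled", "grant_log": "no", "reject_log": "yes"}

# Matches "<n>-CONFIG[::category[::functionality]]={ key=value ... }".
CONFIG_LINE = re.compile(r"^(\d+)-(CONFIG(?:::\w+)*)=\{(.*)\}$")

def parse_profiles(text):
    """Return {profile_number: {config_key: {option: value}}} from CONFIG lines.
    COMMENT and PREFERENCE lines are skipped; they do not affect operation mode."""
    profiles = {}
    for raw in text.splitlines():
        m = CONFIG_LINE.match(raw.strip())
        if not m:
            continue
        num, key, body = int(m.group(1)), m.group(2), m.group(3)
        opts = dict(tok.split("=", 1) for tok in body.split())
        profiles.setdefault(num, {})[key] = opts
    return profiles

def effective(profiles, num, category, functionality, option="mode"):
    """Resolve one option for one functionality; the most specific line wins:
    CONFIG::<category>::<functionality> > CONFIG::<category> > CONFIG > default.
    Assumption of this example: fall-through happens per option, not per line."""
    conf = profiles.get(num, {})
    for key in (f"CONFIG::{category}::{functionality}", f"CONFIG::{category}", "CONFIG"):
        if key in conf and option in conf[key]:
            return conf[key][option]
    return CONFIG_DEFAULTS[option]

PROFILES = parse_profiles(SAMPLE_PROFILE_CONF)

if __name__ == "__main__":
    for num, cat, func in [(7, "file", "getattr"), (7, "file", "execute"),
                           (4, "ipc", "signal"), (3, "ipc", "signal")]:
        print(f"profile {num} {cat}::{func}: mode={effective(PROFILES, num, cat, func)}")
```

Running it shows profile 7 enforcing file::execute while leaving file::getattr disabled, and profile 4 leaving ipc::signal unrestricted because it never sets a bare CONFIG line.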
9.2.3. The PREFERENCE field
The PREFERENCE line holds the following options:

| Name | Function |
|---|---|
| max_audit_log | Set the maximum number of audit log (grant/reject log) entries that the kernel will spool in the /proc/ccs/audit interface. This value must be an integer, and can be set to "0" if audit logs are not required. Maximum memory used can also be controlled using the /proc/ccs/stat interface. |
| max_learning_entry | Set the maximum number of ACL entries automatically added to each domain by the kernel when using learning mode. This value must be an integer; setting it to "0" makes "Learning Mode" behave like "Permissive Mode". Maximum memory used can also be controlled using the /proc/ccs/stat interface. |
| enforcing_penalty | Set the sleep penalty in deciseconds (1 decisecond = 0.1 seconds) applied when a process violates policy in "Enforcing Mode". This value must be an integer. This is useful to prevent CPU consumption issues. |