Domain policy syntax
file execute
This directive allows execution of the specified pathname.
This example allows the domain to execute /bin/ls:
file execute /bin/ls
file read
This directive allows the domain to open the specified pathname for reading.
This example allows the domain to read "/proc/meminfo":
file read proc:/meminfo
file write
This directive allows the domain to open the specified pathname for writing.
This example allows the domain to write to "/dev/null":
file write /dev/null
file append
This directive allows the domain to append to the specified pathname.
This example allows the domain to append to the file "/var/log/auth.log":
file append /var/log/auth.log
file getattr
This directive allows the domain to get attribute information of the specified pathname.
This example allows the domain to get attribute information of the file "/dev/null":
file getattr /dev/null
file create
This directive allows the domain to create the specified file with the specified permissions.
This example allows the domain to create the file "/var/lock/subsys/crond":
file create /var/lock/subsys/crond 0644
file unlink
This directive allows the domain to delete the specified pathname.
This example allows the domain to delete the file "/var/lock/subsys/crond":
file unlink /var/lock/subsys/crond
file chown
This directive allows the domain to change the user ownership of the specified pathname to the specified UID.
This example allows the domain to change the owner of "/dev/sda" to UID=0:
file chown /dev/sda 0
file chgrp
This directive allows the domain to change group ownership of the specified pathname to the specified GID.
This example allows the domain to change the GID of "/dev/audio" to 92:
file chgrp /dev/audio 92
file chmod
This directive allows the domain to change permissions of the specified pathname to the specified octal permissions.
This example allows the domain to change the octal permissions of "/dev/mem" to 0644:
file chmod /dev/mem 0644
file mkdir
This directive allows the domain to create the specified directory with the specified permissions.
This example allows the domain to create directories that match "/tmp/logwatch.\*/":
file mkdir /tmp/logwatch.\*/ 0755
file rmdir
This directive allows the domain to delete the specified directory.
This example allows the domain to delete directories that match "/tmp/logwatch.\*/":
file rmdir /tmp/logwatch.\*/
file mkfifo
This directive allows the domain to create the specified FIFO with the specified permissions.
This example allows the domain to create the FIFO "/dev/initctl":
file mkfifo /dev/initctl 0644
file mksock
This directive allows the domain to create the specified socket with the specified permissions.
This example allows the domain to create the socket "/dev/log":
file mksock /dev/log 0755
file mkblock
This directive allows the domain to create the specified block device with the specified permissions, major number and minor number.
This example allows the domain to create the block device "/dev/loop0":
file mkblock /dev/loop0 0600 7 0
file mkchar
This directive allows the domain to create the specified character device with the specified permissions, major number and minor number.
This example allows the domain to create the character device "/dev/console":
file mkchar /dev/console 0755 5 1
file truncate
This directive allows the domain to truncate or extend the specified pathname.
This example allows the domain to truncate the contents of "/etc/mtab":
file truncate /etc/mtab
file symlink
This directive allows the domain to create a symbolic link at the specified pathname.
This example allows the domain to create the symbolic link "/dev/cdrom":
file symlink /dev/cdrom
file link
This directive allows the domain to create a hard link between the first and second specified pathnames.
This example allows a hard link to be created between pathnames that match "/etc/mtab~\$" and "/etc/mtab~":
file link /etc/mtab~\$ /etc/mtab~
file rename
This directive allows the domain to rename the first specified pathname to the second specified pathname.
This example allows "/etc/mtab.tmp" to be renamed "/etc/mtab":
file rename /etc/mtab.tmp /etc/mtab
file ioctl
This directive allows the domain to make an ioctl request with the specified command number. For information on the ioctl command numbers, refer to manuals provided by each module with ioctl functionality.
This example allows the domain to issue an ioctl request with command number 0x8915 (i.e. SIOCGIFADDR request) on sockets:
file ioctl socket:[\$] 0x8915
This example allows the domain to issue an ioctl request with command numbers between 10000 and 20000 on "/dev/null":
file ioctl /dev/null 10000-20000
file mount
This directive allows the domain to mount a filesystem with the specified devices, pathnames and options.
The syntax is: "file mount $DEVICE $MOUNTPOINT $FILESYSTEM $OPTIONS". If $FILESYSTEM requires a device file, the pathname of a block device file is given for $DEVICE. $OPTIONS is a hexadecimal (or octal or decimal) integer. The following mount operations can also be given in place of $FILESYSTEM:
- --bind
- --move
- --remount
- --make-unbindable
- --make-private
- --make-slave
- --make-shared
This example allows the domain to remount the / directory:
file mount any / --remount 0x0
This example allows the domain to mount "/dev/hdc" which was formatted as an ext3 filesystem at "/var/www/" directory:
file mount /dev/hdc /var/www/ ext3 0xF
This example allows the domain to mount a tmpfs filesystem at "/dev/shm/" directory:
file mount none /dev/shm/ tmpfs 0xE
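The command numbers in the "file ioctl" section above and the $OPTIONS value of "file mount" both use the same integer forms (hexadecimal, octal or decimal, and for ioctl optionally a MIN-MAX range). The following is an added example, not TOMOYO's own code, that parses those forms and matches an ioctl request against a constructed set of domain policy lines; it matches pathnames exactly and does not implement TOMOYO's pattern characters such as \$.

```python
# Added example (not TOMOYO's own code): parse the integer forms used by
# "file ioctl" command numbers and "file mount" $OPTIONS, then check an
# ioctl request against constructed policy lines. Pathnames are compared
# exactly; TOMOYO's pattern characters (\$, \*, ...) are not interpreted.

def parse_number(text):
    """Accept 0x-prefixed hex, 0-prefixed octal, or decimal."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    if len(text) > 1 and text.startswith("0"):
        return int(text, 8)
    return int(text, 10)

def parse_range(text):
    """'10000-20000' -> (10000, 20000); a single number -> (n, n)."""
    lo, sep, hi = text.partition("-")
    low = parse_number(lo)
    high = parse_number(hi) if sep else low
    if high < low:
        raise ValueError(f"inverted range: {text}")
    return low, high

def parse_ioctl_rules(policy_text):
    """Return (pathname, (low, high)) pairs for each 'file ioctl' line."""
    rules = []
    for line in policy_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[:2] == ["file", "ioctl"]:
            rules.append((parts[2], parse_range(parts[3])))
    return rules

def ioctl_allowed(rules, pathname, cmd):
    """True if some rule for exactly this pathname covers command number cmd."""
    return any(path == pathname and low <= cmd <= high
               for path, (low, high) in rules)

# Constructed domain policy lines taken from the two ioctl examples above.
POLICY = r"""
file ioctl socket:[\$] 0x8915
file ioctl /dev/null 10000-20000
"""

if __name__ == "__main__":
    rules = parse_ioctl_rules(POLICY)
    print(ioctl_allowed(rules, "/dev/null", 15000))   # inside the range
    print(ioctl_allowed(rules, "/dev/null", 0x8915))  # outside the range
```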
file unmount
This directive allows the domain to unmount a filesystem from the specified pathname.
This example allows the domain to unmount the filesystem mounted at "/mnt/cdrom/" directory:
file unmount /mnt/cdrom/
file chroot
This directive allows the domain to use the specified pathname as a new / directory.
This example allows the domain to use "/var/empty/sshd/" as a new / directory:
file chroot /var/empty/sshd/
file pivot_root
This directive allows the domain to use the first specified pathname as a new / directory and bring the old / directory to the second specified pathname.
This functionality is generally used only once, to switch the / directory from the initrd/initramfs to the hard drive, which usually happens before TOMOYO Linux has been activated. It is therefore unlikely that you will need this directive.
This example allows the domain to use "/proc/" as a new / directory and bring the old / directory to "/proc/ccs/" directory:
file pivot_root proc:/ proc:/ccs/
misc env
This directive allows the domain to read the specified environment variable. Many programs behave differently depending on their environment variables.
This example allows the domain to read the environment variable "LD_PRELOAD":
misc env LD_PRELOAD
capability
This directive allows the domain to make use of the specified non-POSIX Capability.
The syntax is summarised in this table:
Directive | Function
---|---
capability use_kernel_module | Use of the create_module(2), init_module(2) and delete_module(2) syscalls
capability use_packet | Use of PACKET sockets
capability use_route | Use of ROUTE sockets
capability SYS_KEXEC_LOAD | Use of the kexec_load(2) syscall
capability SYS_NICE | Use of the nice(2) and setpriority(2) syscalls
capability SYS_PTRACE | Use of the ptrace(2) syscall
capability SYS_REBOOT | Use of the reboot(2) syscall
capability SYS_SETHOSTNAME | Use of the sethostname(2) and setdomainname(2) syscalls
capability SYS_TIME | Use of the stime(2), settimeofday(2) and adjtimex(2) syscalls
capability SYS_VHANGUP | Use of the vhangup(2) syscall
This example allows the domain to use the SYS_REBOOT capability:
capability SYS_REBOOT
ipc signal
This directive allows the domain to send the specified signal number to processes in the specified target domain.
All domains whose name starts with the target domain are matched, so a target domain of "<kernel>" matches every domain. Signal number 0 is always granted, and a signal is always granted when the source and target domains are the same.
This example allows the domain to send ipc signal number 10 to the specified domain:
ipc signal 10 <kernel> /sbin/init /etc/rc.sysinit /sbin/udevadm
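The matching rules above (prefix match on the target domain, signal 0 always granted, same-domain signals always granted) as an added example that is not TOMOYO's own code; the policy lines and domain names are constructed.

```python
# Added example (not TOMOYO's own code): decide an "ipc signal" request
# using the matching rules described above. Policy lines and domain names
# are constructed for the example.

DOMAIN_POLICY = """\
ipc signal 10 <kernel> /sbin/init /etc/rc.sysinit /sbin/udevadm
ipc signal 15 <kernel> /usr/sbin/sshd
ipc signal 1 <kernel>
"""

def parse_ipc_signal_rules(policy_text):
    """Return (signal_number, target_domain) pairs from domain policy text."""
    rules = []
    for line in policy_text.splitlines():
        # The target domain itself contains spaces, so split at most 3 times.
        parts = line.split(maxsplit=3)
        if len(parts) == 4 and parts[:2] == ["ipc", "signal"]:
            rules.append((int(parts[2]), parts[3]))
    return rules

def signal_allowed(rules, source_domain, target_domain, signo):
    """True if source_domain may send signo to a process in target_domain.

    Signal 0 and signals within the same domain are always granted.
    Otherwise a rule matches when its signal number equals signo and its
    target domain is a prefix of target_domain (so "<kernel>" matches all).
    """
    if signo == 0 or source_domain == target_domain:
        return True
    return any(sig == signo and target_domain.startswith(prefix)
               for sig, prefix in rules)

if __name__ == "__main__":
    rules = parse_ipc_signal_rules(DOMAIN_POLICY)
    src = "<kernel> /usr/sbin/cron"
    child = "<kernel> /sbin/init /etc/rc.sysinit /sbin/udevadm /sbin/udevd"
    print(signal_allowed(rules, src, child, 10))  # matched by prefix
    print(signal_allowed(rules, src, child, 15))  # no rule for this pair
```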
network inet
This directive allows the domain to perform network socket operations.
IPv4 and IPv6 addresses are both supported.
The syntax is summarised in the following table:
Directive | Function
---|---
network inet stream bind $ADDRESS $PORT | Bind TCP sockets to the specified local IP address and port
network inet stream listen $ADDRESS $PORT | Listen on TCP sockets at the specified local IP address and port
network inet stream accept $ADDRESS $PORT | Accept TCP connections from the specified remote IP address and port
network inet stream connect $ADDRESS $PORT | Connect TCP sockets to the specified remote IP address and port
network inet dgram bind $ADDRESS $PORT | Bind UDP sockets to the specified local IP address and port
network inet dgram recv $ADDRESS $PORT | Receive UDP packets from the specified remote IP address and port
network inet dgram send $ADDRESS $PORT | Send UDP packets to the specified remote IP address and port
network inet raw bind $ADDRESS $PROTOCOL | Bind raw IP sockets for the specified protocol to the specified local IP address
network inet raw recv $ADDRESS $PROTOCOL | Receive IP packets for the specified protocol from the specified remote IP address
network inet raw send $ADDRESS $PROTOCOL | Send IP packets for the specified protocol to the specified remote IP address
This example allows the domain to connect to port 80 on IP address 202.221.179.11:
network inet stream connect 202.221.179.11 80
network unix
This directive allows the domain to perform unix domain socket operations.
The syntax is summarised in the following table:
Directive | Function
---|---
network unix stream bind $ADDRESS | Bind byte-stream sockets to the specified address
network unix stream listen $ADDRESS | Listen on byte-stream sockets at the specified address
network unix stream accept $ADDRESS | Accept byte-stream connections from the specified address
network unix stream connect $ADDRESS | Connect byte-stream sockets to the specified address
network unix dgram bind $ADDRESS | Bind datagram sockets to the specified address
network unix dgram recv $ADDRESS | Receive datagrams from the specified address
network unix dgram send $ADDRESS | Send datagrams to the specified address
network unix seqpacket bind $ADDRESS | Bind seqpacket sockets to the specified address
network unix seqpacket listen $ADDRESS | Listen on seqpacket sockets at the specified address
network unix seqpacket accept $ADDRESS | Accept seqpacket connections from the specified address
network unix seqpacket connect $ADDRESS | Connect seqpacket sockets to the specified address
This example allows the domain to bind to "/tmp/.X11-unix/X0" and "\000/tmp/.X11-unix/X0":
network unix stream bind /tmp/.X11-unix/X0
network unix stream bind \000/tmp/.X11-unix/X0
use_group
This directive allows the domain to inherit permissions defined for the specified group. These permissions are defined in exception policy.
This example allows the domain to read "/dev/null":
In exception policy:
acl_group 2 file read /dev/null
In domain policy:
use_group 2
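To show how use_group pulls acl_group entries from exception policy into a domain's effective permissions, here is an added example that is not TOMOYO's own code. Both policy texts are constructed, and pathnames are compared exactly (TOMOYO's pattern characters such as \* are not interpreted).

```python
# Added example (not TOMOYO's own code): expand a domain's "use_group"
# references with the "acl_group" entries from exception policy and check
# a file access against the effective directives. Both policy texts are
# constructed; pathnames are matched exactly, not by TOMOYO patterns.

EXCEPTION_POLICY = """\
acl_group 2 file read /dev/null
acl_group 2 file write /dev/null
acl_group 3 file read /etc/localtime
"""

DOMAIN_POLICY = """\
<kernel> /usr/sbin/cron
use_profile 3
use_group 2
file execute /bin/ls
file read proc:/meminfo
"""

# Directive keywords that grant access (as opposed to use_profile etc.).
ACL_KEYWORDS = ("file ", "network ", "capability ", "ipc ", "misc ")

def parse_acl_groups(exception_text):
    """Map each acl_group number to the list of directives it grants."""
    groups = {}
    for line in exception_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) == 3 and parts[0] == "acl_group":
            groups.setdefault(int(parts[1]), []).append(parts[2])
    return groups

def effective_directives(domain_text, groups):
    """Return the domain's own directives plus those inherited via use_group."""
    directives = []
    for line in domain_text.splitlines():
        if line.startswith("use_group "):
            directives.extend(groups.get(int(line.split()[1]), []))
        elif line.startswith(ACL_KEYWORDS):
            directives.append(line)
    return directives

def file_access_allowed(directives, operation, pathname):
    """True if an exact 'file <operation> <pathname>' directive is present."""
    return f"file {operation} {pathname}" in directives

if __name__ == "__main__":
    eff = effective_directives(DOMAIN_POLICY, parse_acl_groups(EXCEPTION_POLICY))
    print(file_access_allowed(eff, "read", "/dev/null"))  # inherited from group 2
```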
use_profile
This directive changes the profile number of the domain.
This example changes the profile number of the domain to 3:
use_profile 3
task auto_execute_handler
This directive causes executions from the domain to be handled by an external program, as specified by the directive. When an execute request is made within this domain, the specified external program is executed instead. This then decides whether it is appropriate to continue.
This example causes the program /usr/sbin/check-and-exec to be launched whenever the domain makes an execute request:
task auto_execute_handler /usr/sbin/check-and-exec
task denied_execute_handler
This directive causes an external program, as specified by the directive, to be launched when an execution within the domain has been rejected by policy. Note that this directive takes effect only when an execute request is rejected by policy in enforcing mode: outside enforcing mode, a request that policy rejects is still accepted, so the handler is not launched. Use task auto_execute_handler (optionally with keep_domain) if you want to execute an external program regardless of access control mode.
This example causes the program /bin/true to be launched whenever an execution request from the domain is rejected by policy:
task denied_execute_handler /bin/true
task manual_domain_transition
This directive causes a domain transition to occur when the application writes a domain name to the "/proc/ccs/self_domain" interface. This can be used to split permissions without requiring an execution, but the application must be modified to write to the interface at the appropriate time.
This example causes a domain transition to the "<kernel> //apache /www.tomoyo00.com" domain to occur when "<kernel> //apache /www.tomoyo00.com" is written to "/proc/ccs/self_domain" by the domain:
task manual_domain_transition <kernel> //apache /www.tomoyo00.com
task auto_domain_transition
This directive causes a domain transition to occur when the specified conditions have been met. This can be used to split permissions without requiring an execution.
This example causes a domain transition to the "<kernel> //non-root-session" domain to occur when the task UID becomes non-root:
task auto_domain_transition <kernel> //non-root-session task.uid!=0
quota_exceeded
This directive indicates that the domain has failed to append an entry while in "Learning Mode" due to the "max_learning_entry" value being reached.
transition_failed
This directive indicates that a process within this domain was not able to undergo a domain transition following an execute request.
This happens because TOMOYO, to avoid causing access denials when enforcing mode is not in use, accepts a program execution request outside enforcing mode even if the domain transition has failed. The cause is either the name of the new domain being too long or the kernel being unable to allocate memory. To fix this, either suppress the domain transition or increase the memory quota available to TOMOYO.