TOMOYO Linux 1.8.x : Policy specification : Domain transition procedure

Domain transition procedure

There are two types of domain transitions. One is domain transition that involves program execution requests (a.k.a. execve() system call). The other is domain transition that does not involve program execution requests.

Transition by program execution requests

This type of domain transition depends on access control modes. When a process in a domain issued a program execution request, the steps below are performed.

Any occurrence of [source] represents either the current domain name (e.g. <kernel> /usr/sbin/sshd /bin/bash ), or the last part of the current domain name (e.g. /bin/bash ).

Any occurrence of [current_domain] represents the current domain name (e.g. <kernel> /usr/sbin/sshd /bin/bash ).

Any occurrence of [current_namespace] represents the current domain's namespace name (e.g. <kernel> if <kernel> /usr/sbin/sshd /bin/bash ).

Any occurrence of [destination] represents domainname to transit to when the program execution request succeeds (e.g. <kernel> /usr/sbin/sshd /bin/bash /bin/cat ).

Any occurrence of [candidate] represents a pathname which is subjected to permission checks (e.g. /bin/cat ).

Step	Procedure
(1) Check for task auto_execute_handler directive	If domain policy contains task auto_execute_handler [pathname] keep then set the [current_domain] as the [destination] and jump to step (7). If domain policy contains task auto_execute_handler [pathname] child then set the [current_domain] [pathname] as the [destination] and jump to step (7). If domain policy contains task auto_execute_handler [pathname] reset then set the <[pathname]> as the [destination] and jump to step (7). If domain policy contains task auto_execute_handler [pathname] initialize then set the [current_namespace] [pathname] as the [destination] and jump to step (7). If domain policy contains task auto_execute_handler [pathname] parent then set the parent of [current_domain] as the [destination] and jump to step (7). If domain policy contains task auto_execute_handler [pathname] [domainname] then set the [domainname] as the [destination] and jump to step (7). If domain policy contains task auto_execute_handler [pathname] [pathname] then set the [current_domain] [pathname] as the [destination] and jump to step (7). If domain policy contains task auto_execute_handler [pathname] then set the [pathname] as the [candidate] and jump to step (6).
(2) Obtain program pathname	Calculate the pathname of the requested program and set the pathname as the [candidate]. To accept programs provided using symbolic links, the last component of the pathname accepts symbolic links.
(3) Check for aggregator directive	If exception policy contains aggregator [candidate] [pathname] then set the [pathname] as the [candidate] .
(4) Check for file execute directive	If domain policy contains file execute [candidate] keep then set the [current_domain] as the [destination] and jump to step (7). If domain policy contains file execute [candidate] child then set the [current_domain] [candidate] as the [destination] and jump to step (7). If domain policy contains file execute [candidate] reset then set the <[candidate]> as the [destination] and jump to step (7). If domain policy contains file execute [candidate] initialize then set the [current_namespace] [candidate] as the [destination] and jump to step (7). If domain policy contains file execute [candidate] parent then set the parent of [current_domain] as the [destination] and jump to step (7). If domain policy contains file execute [candidate] [domainname] then set the [domainname] as the [destination] and jump to step (7). If domain policy contains file execute [candidate] [pathname] then set the [current_domain] [pathname] as the [destination] and jump to step (7). If domain policy contains file execute [candidate] then jump to step (6). Otherwise, jump to step (5) if the profile's CONFIG, or CONFIG::file, or CONFIG::file::execute (with the latter overwriting the previous) is set to "mode=enforcing". Otherwise, jump to step (6).
(5) Check for task denied_execute_handler directive	If domain policy contains task denied_execute_handler [pathname] keep then set the [current_domain] as the [destination] and jump to step (7). If domain policy contains task denied_execute_handler [pathname] child then set the [current_domain] [pathname] as the [destination] and jump to step (7). If domain policy contains task denied_execute_handler [pathname] reset then set the <[pathname]> as the [destination] and jump to step (7). If domain policy contains task denied_execute_handler [pathname] initialize then set the [current_namespace] [pathname] as the [destination] and jump to step (7). If domain policy contains task denied_execute_handler [pathname] parent then set the parent of [current_domain] as the [destination] and jump to step (7). If domain policy contains task denied_execute_handler [pathname] [domainname] then set the [domainname] as the [destination] and jump to step (7). If domain policy contains task denied_execute_handler [pathname] [pathname] then set the [current_domain] [pathname] as the [destination] and jump to step (7). If domain policy contains task denied_execute_handler [pathname] then set the [pathname] as the [candidate] and jump to step (6). Otherwise, the execution request is denied.
(6) Determine default domain transition	Firstly, if exception policy contains one of reset_domain [candidate] from [source] reset_domain any from [source] reset_domain any from any and contains none of no_reset_domain [candidate] from [source] no_reset_domain any from [source] no_reset_domain any from any then set the <[candidate]> as the [destination] and jump to step (7). Secondly, if exception policy contains one of initialize_domain [candidate] from [source] initialize_domain any from [source] initialize_domain any from any and contains none of no_initialize_domain [candidate] from [source] no_initialize_domain any from [source] no_initialize_domain any from any then set the [current_namespace] [candidate] as the [destination] and jump to step (7). Thirdly, if exception policy contains one of keep_domain [candidate] from [source] keep_domain any from [source] keep_domain any from any and cintains none of no_keep_domain [candidate] from [source] no_keep_domain any from [source] no_keep_domain any from any then set the [current_domain] as the [destination] and jump to step (7). Fourthly, set the [current_domain] [candidate] as the [destination] .
(7) Create destination domain	Create the [destination] as determined by step (1) or (4) or (5) or (6) if the [destination] does not exist. If the [destination] as determined by step (1) or (4) or (5) cannot be created, the execution request is denied. If the [destination] as determined by reset_domain entries cannot be created, the execution request is denied. If the [destination] as determined by step (6) cannot be created and the profile's CONFIG, or CONFIG::file, or CONFIG::file::execute (with the latter overwriting the previous) is set to "mode=enforcing", the execution request is denied. Otherwise, the execution is continued without domain transition after marking transition_failed directive.
(8) Check environment variables	If more than one environment variable is rejected in the [destination] and the profile (CONFIG, or CONFIG::misc, or CONFIG::misc::env (with the latter overwriting the previous)) for the [destination] is "mode=enforcing", the execution request is denied.
(9) Check binary loaders	If read permission for the binary loader (if any) is rejected in the [destination] and the profile (CONFIG, or CONFIG::file, or CONFIG::file::open (with the latter overwriting the previous)) for the [destination] is "mode=enforcing", the execution request is denied.
(10) Execute the program	If the current process was successfully replaced by the requested program, the current process transits to the [destination] .

Transition by non program execution requests

This type of domain transition is independent with access control modes. Domain transition requests that are not permitted by the policy are always rejected.

If the domain has the task auto_domain_transition directive, the current process automatically transits to the specified domain whenever conditions specified in the conditional part are met. Note that this transition is checked for not only program execution requests but also all requests such as opening files.

If the domain has the task manual_domain_transition directive and the current process wrote the domainname specified with the directive to /proc/ccs/self_domain interface, the current process transits to the specified domain.

If the domain policy contains an ACL with auto_domain_transition="name" condition and the current process requested for an operation that matches the ACL, the current process transits to the child domain which the domainname is the concatenation of "the name of domain which the current process belongs to" and "name" specified by auto_domain_transition= condition part. Note that there is no warantee that the operation that matched the ACL succeeds even if domain transition taken place. Use with caution.

Prev	Index	Next
A1: The /proc/ccs/ interface	Main Index	A3: Expression rules