Chapter 9: Advanced profile management
9.1. Profile initialization
Profiles can be modified to make policy development easier, depending on which functionality you wish to restrict. Profiles can also be modified later with the policy editor to fit your needs. The following table summarizes the command-line options available:
| Option | Default | Meaning |
|---|---|---|
| root="$rootdir" | / | Change the root directory in which to create configuration files. |
| policy_dir="$configdir" | /etc/tomoyo/ | Change the directory in which to create configuration files. If you specify this option, a symbolic link named "/etc/tomoyo" must be created that points to "$configdir". |
If you executed /usr/lib/tomoyo/init_policy, "/etc/tomoyo/profile.conf" will look like this:

```
PROFILE_VERSION=20090903
PREFERENCE::enforcing={ verbose=yes }
PREFERENCE::learning={ verbose=no max_entry=2048 }
PREFERENCE::permissive={ verbose=yes }
0-COMMENT=-----Disabled Mode-----
0-CONFIG={ mode=disabled }
1-COMMENT=-----Learning Mode-----
1-CONFIG={ mode=learning }
2-COMMENT=-----Permissive Mode-----
2-CONFIG={ mode=permissive }
3-COMMENT=-----Enforcing Mode-----
3-CONFIG={ mode=enforcing }
```
9.2. Profile syntax
9.2.1. Fields
Each profile contains 3 fields:
| Name | Control |
|---|---|
| COMMENT | Description of the profile. |
| CONFIG | Configuration of operation mode. |
| PREFERENCE | Configuration of various options. |
9.2.2. The CONFIG field
The following options are available in the CONFIG field:
| Option | Default | Meaning |
|---|---|---|
| mode | disabled | Set what mode to use. See the table below. |
The "mode" parameter of the CONFIG line can contain one of the following values:
| Value | Meaning |
|---|---|
| disabled | Works as if it were a regular kernel. |
| learning | Do not reject an access request if the request violates policy. Append the request to policy. |
| permissive | Do not reject an access request if the request violates policy. Do not append the request to policy. |
| enforcing | Reject an access request if the request violates policy. Do not append the request to policy. |
The plain CONFIG line specifies the default operation mode for all categories and functionalities. The absence of a CONFIG line is equivalent to "mode=disabled". This default can be overridden by using one or more CONFIG lines per profile with category-specific configuration:
| Name | Category to specify operation mode for |
|---|---|
| CONFIG | All operations |
| CONFIG::file | File related operations only |

(But since CONFIG::file is the only category supported as of this version, CONFIG and CONFIG::file refer to the same operations.)
Category-specific configuration can in turn be overridden by functionality-specific configuration:
| Name | Functionality to specify operation mode for |
|---|---|
| CONFIG::file::execute | Program execution and domain transition |
| CONFIG::file::open | Opening files for reading or writing |
| CONFIG::file::create | File creation |
| CONFIG::file::unlink | File deletion |
| CONFIG::file::mkdir | Directory creation |
| CONFIG::file::rmdir | Directory deletion |
| CONFIG::file::mkfifo | FIFO creation |
| CONFIG::file::mksock | UNIX domain socket creation |
| CONFIG::file::truncate | File truncation |
| CONFIG::file::symlink | Symlink creation |
| CONFIG::file::rewrite | Rewriting file contents |
| CONFIG::file::mkblock | Block device file creation |
| CONFIG::file::mkchar | Character device file creation |
| CONFIG::file::link | Link creation |
| CONFIG::file::rename | File or directory renaming |
| CONFIG::file::chmod | File or directory chmod |
| CONFIG::file::chown | File or directory chown |
| CONFIG::file::chgrp | File or directory chgrp |
| CONFIG::file::ioctl | Use of the ioctl system call |
| CONFIG::file::chroot | Use of chroot |
| CONFIG::file::mount | Use of mount |
| CONFIG::file::unmount | Use of umount |
| CONFIG::file::pivot_root | Use of pivot_root |
For example, you could create a profile for only restricting file execution:
```
4-COMMENT=-----Enforcing file::execute only-----
4-CONFIG::file::execute={ mode=enforcing }
```
Note that the settings for "CONFIG::file::execute" override the settings for "CONFIG::file", which in turn override the settings for "CONFIG" (which in this case has not been set and so is equivalent to "mode=disabled"). This allows fine-grained control over which operations you wish to restrict.
It is also possible to mix different restriction modes within a single profile, such as enforcing program execution operations but staying in "Learning Mode" for other file-related operations:
```
5-COMMENT=-----Enforcing file::execute and learning other file operations-----
5-CONFIG::file={ mode=learning }
5-CONFIG::file::execute={ mode=enforcing }
```
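To check how the CONFIG override order resolves before loading a profile, here is an added Python example (not part of TOMOYO or this manual) that parses the CONFIG lines of profiles 0, 4 and 5 from a constructed profile.conf fragment and reports the effective mode of each file operation; it handles only the `N-CONFIG...={ mode=... }` syntax shown on this page.

```python
import re

# Constructed profile.conf fragment built from the profiles described in this chapter.
SAMPLE_PROFILE_CONF = """\
PROFILE_VERSION=20090903
0-COMMENT=-----Disabled Mode-----
0-CONFIG={ mode=disabled }
4-COMMENT=-----Enforcing file::execute only-----
4-CONFIG::file::execute={ mode=enforcing }
5-COMMENT=-----Enforcing file::execute and learning other file operations-----
5-CONFIG::file={ mode=learning }
5-CONFIG::file::execute={ mode=enforcing }
"""

# Matches "<profile>-CONFIG[::category[::functionality]]={ mode=<mode> ... }"
CONFIG_RE = re.compile(r"^(\d+)-CONFIG((?:::[a-z_]+)*)=\{\s*mode=(\w+)[^}]*\}$")


def parse_profiles(text):
    """Return {profile_number: {config_key: mode}}, where config_key is
    'CONFIG', 'CONFIG::file', 'CONFIG::file::execute', and so on."""
    profiles = {}
    for line in text.splitlines():
        m = CONFIG_RE.match(line.strip())
        if not m:
            continue  # PROFILE_VERSION, COMMENT and PREFERENCE lines are not CONFIG lines
        number, suffix, mode = int(m.group(1)), m.group(2), m.group(3)
        profiles.setdefault(number, {})["CONFIG" + suffix] = mode
    return profiles


def effective_mode(profiles, number, category, functionality):
    """Resolve one operation's mode using the override order the chapter describes:
    functionality-specific beats category-specific beats the plain CONFIG line,
    and a missing CONFIG line means 'disabled'."""
    conf = profiles.get(number, {})
    for key in (f"CONFIG::{category}::{functionality}", f"CONFIG::{category}", "CONFIG"):
        if key in conf:
            return conf[key]
    return "disabled"


if __name__ == "__main__":
    profs = parse_profiles(SAMPLE_PROFILE_CONF)
    for n in sorted(profs):
        for op in ("execute", "open", "unlink"):
            print(f"profile {n} file::{op}: {effective_mode(profs, n, 'file', op)}")
```

Profile 4 resolves to enforcing for file::execute but disabled for every other file operation, which is the point the note above makes about the unset CONFIG line.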
9.2.3. The PREFERENCE field
The PREFERENCE line holds the following options:
| Name | Function |
|---|---|
| verbose | Whether to print a warning message on the console upon a policy violation event. This value can be either "yes" or "no". |
| max_entry | Set the maximum number of ACL entries automatically added to each domain by the kernel when using learning mode. This value must be an integer; setting it to "0" makes "Learning Mode" behave like "Permissive Mode". Maximum memory used can also be controlled using the /sys/kernel/security/tomoyo/meminfo interface. |