Exception policy syntax
aggregator
This directive aggregates multiple programs so that they are handled as one program. It is intended for similar programs whose behaviours are very similar.
This example causes the application /usr/bin/tac to be treated as /usr/bin/cat:
aggregator /usr/bin/tac /usr/bin/cat
allow_read
This directive by default allows every domain to open the specified pathname for reading, unless the domain is marked with the "ignore_global_allow_read" directive.
This example by default allows every domain to read "/proc/meminfo":
allow_read /proc/meminfo
deny_rewrite
This directive by default disallows every domain from rewriting the contents of the specified pathname, unless the domain is marked with the "allow_rewrite" directive.
This example by default disallows every domain to rewrite "/var/log/\*":
deny_rewrite /var/log/\*
file_pattern
This directive lets TOMOYO learn entries as pathname patterns: when a pathname to be learned matches the pattern specified by this directive, the pattern is recorded instead of the literal pathname.
This example lets TOMOYO learn /proc/$PID/status (where $PID is an integer) as /proc/\$/status:
file_pattern /proc/\$/status
initialize_domain
This directive causes programs to run in a child of the "<kernel>" domain.
Possible entries:
- initialize_domain "program"
- initialize_domain "program" from "last_pathname_of_domain"
- initialize_domain "program" from "domain"
This example causes all executions of /usr/sbin/sshd to be reinitialized to the "<kernel> /usr/sbin/sshd" domain:
initialize_domain /usr/sbin/sshd
no_initialize_domain
This directive cancels the effect of the initialize_domain directive.
Possible entries:
- no_initialize_domain "program"
- no_initialize_domain "program" from "last_pathname_of_domain"
- no_initialize_domain "program" from "domain"
This example causes all executions of /usr/sbin/sendmail.sendmail not to be reinitialized to the "<kernel> /usr/sbin/sendmail.sendmail" domain when /usr/sbin/sendmail.sendmail is executed from domains whose names end with "/bin/mail":
initialize_domain /usr/sbin/sendmail.sendmail
no_initialize_domain /usr/sbin/sendmail.sendmail from /bin/mail
keep_domain
This directive prevents any domain transitions from occurring from a particular domain.
Possible entries:
- keep_domain "program" from "last_pathname_of_domain"
- keep_domain "program" from "domain"
- keep_domain "last_pathname_of_domain"
- keep_domain "domain"
This example causes domain transition not to occur when programs are executed from "<kernel> /usr/sbin/sshd /bin/bash" domain:
keep_domain <kernel> /usr/sbin/sshd /bin/bash
no_keep_domain
This directive cancels the effect of the keep_domain directive.
Possible entries:
- no_keep_domain "program" from "last_pathname_of_domain"
- no_keep_domain "program" from "domain"
- no_keep_domain "last_pathname_of_domain"
- no_keep_domain "domain"
This example causes domain transition to occur when /bin/cat is executed from "<kernel> /usr/sbin/sshd /bin/bash" domain:
keep_domain <kernel> /usr/sbin/sshd /bin/bash
no_keep_domain /bin/cat from <kernel> /usr/sbin/sshd /bin/bash
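The four transition-control directives above (initialize_domain, no_initialize_domain, keep_domain, no_keep_domain) decide which domain a program runs in when it is executed. The following Python model, added here as an illustration and not code from the TOMOYO project, parses those entries in the forms listed above and computes the resulting domain name. Two details are assumptions because the page does not state them: initialize_domain is evaluated before keep_domain, and any matching no_* entry cancels the corresponding directive for that (domain, program) pair. Pathname patterns such as \* and \$ are not modelled; comparisons are literal. The function and class names are this example's own.

```python
"""Model of TOMOYO exception-policy domain transitions (added illustration)."""
from dataclasses import dataclass
from typing import List, Optional

KERNEL = "<kernel>"
DIRECTIVES = ("initialize_domain", "no_initialize_domain",
              "keep_domain", "no_keep_domain")


@dataclass(frozen=True)
class Rule:
    directive: str
    program: Optional[str]  # None when the entry names only a domain
    origin: Optional[str]   # "from" part: full domain name, last pathname, or None (any)


def parse_exception_policy(text: str) -> List[Rule]:
    """Parse the transition-control lines of an exception policy; other directives are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, rest = line.partition(" ")
        if directive not in DIRECTIVES:
            continue  # allow_read, path_group, ... are outside this model
        rest = rest.strip()
        if " from " in rest:
            program, _, origin = rest.partition(" from ")
        elif directive.endswith("keep_domain"):
            program, origin = None, rest      # "keep_domain <domain>" form
        else:
            program, origin = rest, None      # "initialize_domain <program>" form
        rules.append(Rule(directive, program, origin))
    return rules


def origin_matches(origin: Optional[str], domain: str) -> bool:
    """A "from" value starting with <kernel> is a full domain name; otherwise it names the last pathname of the domain."""
    if origin is None:
        return True
    if origin.startswith(KERNEL):
        return origin == domain
    return domain.split(" ")[-1] == origin


def rule_matches(rule: Rule, domain: str, program: str) -> bool:
    return rule.program in (None, program) and origin_matches(rule.origin, domain)


def next_domain(rules: List[Rule], domain: str, program: str) -> str:
    """Return the domain `program` runs in when executed from `domain`."""
    def active(name: str) -> bool:
        # Assumption: a matching no_* entry cancels the directive for this pair.
        matched = any(r.directive == name and rule_matches(r, domain, program) for r in rules)
        cancelled = any(r.directive == "no_" + name and rule_matches(r, domain, program) for r in rules)
        return matched and not cancelled

    if active("initialize_domain"):          # assumed to take precedence over keep_domain
        return f"{KERNEL} {program}"          # reinitialized to a child of <kernel>
    if active("keep_domain"):
        return domain                         # no transition
    return f"{domain} {program}"              # ordinary transition to a child domain


# Constructed policy assembled from the examples on this page.
SAMPLE_POLICY = """
initialize_domain /usr/sbin/sshd
initialize_domain /usr/sbin/sendmail.sendmail
no_initialize_domain /usr/sbin/sendmail.sendmail from /bin/mail
keep_domain <kernel> /usr/sbin/sshd /bin/bash
no_keep_domain /bin/cat from <kernel> /usr/sbin/sshd /bin/bash
"""

if __name__ == "__main__":
    rules = parse_exception_policy(SAMPLE_POLICY)
    shell = "<kernel> /usr/sbin/sshd /bin/bash"
    for origin, prog in [("<kernel> /usr/sbin/init", "/usr/sbin/sshd"),
                         (shell + " /bin/mail", "/usr/sbin/sendmail.sendmail"),
                         (shell, "/bin/ls"),
                         (shell, "/bin/cat")]:
        print(f"{origin!r} exec {prog} -> {next_domain(rules, origin, prog)!r}")
```

Running the script walks the page's own examples: sshd is reinitialized under "<kernel>", sendmail executed from a "/bin/mail" domain stays a child of that domain, /bin/ls executed from the kept shell domain causes no transition, and /bin/cat from the same domain does transition because of the no_keep_domain entry.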
number_group
This directive declares a group name that can be used in domain policy to refer to a range of numbers.
For example, suppose the following are defined in exception policy:
number_group CREATE-MODES 0644
number_group CREATE-MODES 0664
The following can then be defined in domain policy:
allow_create /tmp/file @CREATE-MODES
path_group
This directive declares a group name that can be used in domain policy to refer to a range of pathnames.
For example, suppose the following are defined in exception policy:
path_group HOME-DIR-FILE /home/\*/\*
path_group HOME-DIR-FILE /home/\*/\{\*\}/\*
The following can then be defined in domain policy:
allow_read @HOME-DIR-FILE
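Both file_pattern and path_group rely on TOMOYO pathname patterns. The following Python code, added here as an illustration and not code from the TOMOYO project, translates the three pattern elements that appear on this page into an anchored regular expression and uses it to show what a learning-mode domain would record for a pathname (file_pattern) and whether a pathname is covered by a group (path_group). It assumes \* matches zero or more characters other than "/", \$ matches one or more decimal digits, and \{\*\}/ matches one or more directory levels; any other backslash element is rejected rather than guessed at. The function names are this example's own.

```python
"""Pathname pattern matching for file_pattern and path_group (added illustration)."""
import re
from typing import Dict, List


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a TOMOYO pathname pattern into an anchored regular expression."""
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith(r"\{\*\}/", i):
            parts.append(r"(?:[^/]*/)+")      # one or more "dir/" components (assumed semantics)
            i += len(r"\{\*\}/")
        elif pattern.startswith(r"\*", i):
            parts.append(r"[^/]*")            # any characters except "/"
            i += 2
        elif pattern.startswith(r"\$", i):
            parts.append(r"[0-9]+")           # one or more decimal digits
            i += 2
        elif pattern[i] == "\\":
            raise ValueError(f"unsupported pattern element {pattern[i:i + 2]!r} in {pattern!r}")
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts) + r"\Z")


def matches(pattern: str, pathname: str) -> bool:
    return pattern_to_regex(pattern).match(pathname) is not None


def learn(pathname: str, file_patterns: List[str]) -> str:
    """What a learning-mode domain would record for `pathname`:
    the first matching file_pattern, or the literal pathname when none matches."""
    for pattern in file_patterns:
        if matches(pattern, pathname):
            return pattern
    return pathname


def in_path_group(groups: Dict[str, List[str]], name: str, pathname: str) -> bool:
    """Whether `pathname` is covered by @name, i.e. by any member pattern of that group."""
    return any(matches(p, pathname) for p in groups.get(name, []))


# Constructed policy fragments taken from the examples on this page.
FILE_PATTERNS = [r"/proc/\$/status"]
PATH_GROUPS = {"HOME-DIR-FILE": [r"/home/\*/\*", r"/home/\*/\{\*\}/\*"]}

if __name__ == "__main__":
    for path in ("/proc/1234/status", "/proc/self/status"):
        print(f"{path} learned as {learn(path, FILE_PATTERNS)}")
    for path in ("/home/alice/.bashrc", "/home/alice/src/main.c", "/home/alice", "/etc/passwd"):
        print(f"@HOME-DIR-FILE covers {path}: {in_path_group(PATH_GROUPS, 'HOME-DIR-FILE', path)}")
```

The two members of HOME-DIR-FILE are both needed: /home/\*/\* covers only files directly under a home directory, while /home/\*/\{\*\}/\* covers files at least one directory deeper, so together they cover every regular path below /home/<user>/.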