
Domain transition procedure

When a process in a domain issues a program execution request, the steps below are performed.

Any occurrence of [source] represents either the current domain name (e.g. <kernel> /usr/sbin/sshd /bin/bash ), or the last part of the current domain name (e.g. /bin/bash ).

Any occurrence of [current_domain] represents the current domain name (e.g. <kernel> /usr/sbin/sshd /bin/bash ).

Any occurrence of [current_namespace] represents the current domain's namespace name (e.g. <kernel> if <kernel> /usr/sbin/sshd /bin/bash ).

Any occurrence of [destination] represents the domain name to transition to when the program execution request succeeds (e.g. <kernel> /usr/sbin/sshd /bin/bash /bin/cat ).

Any occurrence of [candidate] represents a pathname which is subjected to permission checks (e.g. /bin/cat ).


(1) Obtain program pathname

Calculate the pathname of the requested program and set the pathname as the [candidate].
To accept programs invoked through symbolic links, the last component of the pathname is allowed to be a symbolic link.

(2) Check for aggregator directive

If exception policy contains
  aggregator [candidate] [pathname]
then set the [pathname] as the [candidate].

(3) Check for file execute directive

If domain policy contains
  file execute [candidate]
then jump to step (4).

Otherwise, the execution request is denied if the profile's CONFIG, CONFIG::file, or CONFIG::file::execute setting (each more specific setting overriding the previous one) is "mode=enforcing".

(4) Determine domain transition

Firstly, if exception policy contains one of
  reset_domain [candidate] from [source]
  reset_domain any from [source]
  reset_domain any from any
and contains none of
  no_reset_domain [candidate] from [source]
  no_reset_domain any from [source]
  no_reset_domain any from any
then set the <[candidate]> as the [destination] and jump to step (5).


Secondly, if exception policy contains one of
  initialize_domain [candidate] from [source]
  initialize_domain any from [source]
  initialize_domain any from any
and contains none of
  no_initialize_domain [candidate] from [source]
  no_initialize_domain any from [source]
  no_initialize_domain any from any
then set the [current_namespace] [candidate] as the [destination] and jump to step (5).


Thirdly, if exception policy contains one of
  keep_domain [candidate] from [source]
  keep_domain any from [source]
  keep_domain any from any
and contains none of
  no_keep_domain [candidate] from [source]
  no_keep_domain any from [source]
  no_keep_domain any from any
then set the [current_domain] as the [destination] and jump to step (5).


Fourthly, set the [current_domain] [candidate] as the [destination].
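Steps (2) and (4) above are pure functions of the exception policy, the current domain name and the candidate pathname, so they can be modelled outside the kernel. The following is an added example, not TOMOYO's own code: it uses the directive syntax shown on this page, the sample policy is constructed, and aggregator matching is exact (TOMOYO's pathname pattern matching is not modelled).

```python
import re

def _matches(entry, kind, candidate, current_domain):
    """True if `entry` is '<kind> [candidate|any] from [source|any]'; [source] may be the full domain name or its last part."""
    m = re.fullmatch(rf"{kind} (\S+) from (.+)", entry.strip())
    if not m:
        return False
    prog, src = m.groups()
    last = current_domain.split()[-1]
    return prog in ("any", candidate) and src in ("any", current_domain, last)

def _directive_applies(policy, kind, candidate, current_domain):
    """A directive applies when a positive entry matches and no 'no_' entry matches."""
    pos = any(_matches(e, kind, candidate, current_domain) for e in policy)
    neg = any(_matches(e, "no_" + kind, candidate, current_domain) for e in policy)
    return pos and not neg

def aggregate(policy, candidate):
    """Step (2): 'aggregator [candidate] [pathname]' replaces the candidate (exact match only)."""
    for e in policy:
        parts = e.split()
        if len(parts) == 3 and parts[0] == "aggregator" and parts[1] == candidate:
            return parts[2]
    return candidate

def destination_domain(policy, current_domain, candidate):
    """Step (4): the domain a process in current_domain transitions to when executing candidate."""
    namespace = current_domain.split()[0]                    # e.g. "<kernel>"
    if _directive_applies(policy, "reset_domain", candidate, current_domain):
        return f"<{candidate}>"                              # new namespace <[candidate]>
    if _directive_applies(policy, "initialize_domain", candidate, current_domain):
        return f"{namespace} {candidate}"                    # [current_namespace] [candidate]
    if _directive_applies(policy, "keep_domain", candidate, current_domain):
        return current_domain                                # stay in [current_domain]
    return f"{current_domain} {candidate}"                   # [current_domain] [candidate]

# Constructed sample exception policy for demonstration.
SAMPLE_POLICY = [
    "aggregator /usr/bin/gzip /bin/gzip",
    "reset_domain /usr/sbin/sshd from any",
    "no_reset_domain /usr/sbin/sshd from /bin/bash",
    "initialize_domain /usr/sbin/httpd from any",
    "keep_domain any from <kernel> /usr/sbin/sshd /bin/bash",
    "no_keep_domain /bin/su from /bin/bash",
]

if __name__ == "__main__":
    shell = "<kernel> /usr/sbin/sshd /bin/bash"
    for prog in ("/usr/sbin/sshd", "/usr/sbin/httpd", "/bin/su", "/usr/bin/gzip"):
        print(prog, "->", destination_domain(SAMPLE_POLICY, shell, aggregate(SAMPLE_POLICY, prog)))
```

Note that an sshd started from /sbin/init gets its own namespace via reset_domain, while an sshd re-executed from the login shell stays in the shell's domain because no_reset_domain negates the reset and keep_domain then applies.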

(5) Create destination domain

Create the [destination] as determined by step (4) if the [destination] does not exist.


If the [destination] as determined by reset_domain entries cannot be created, the execution request is denied.


If the [destination] as determined by step (4) cannot be created and the profile's CONFIG, CONFIG::file, or CONFIG::file::execute setting (each more specific setting overriding the previous one) is "mode=enforcing", the execution request is denied.
Otherwise, execution continues without a domain transition, after marking the current domain with the transition_failed directive.

(6) Check interpreters

If read permission for the interpreter (if any) is rejected in the [destination] and the [destination]'s profile setting (CONFIG, CONFIG::file, or CONFIG::file::open, each more specific setting overriding the previous one) is "mode=enforcing", the execution request is denied.

(7) Execute the program

If the current process was successfully replaced by the requested program, the current process transitions to the [destination].