Chapter 11: Using ACL groups
11.1. The acl_group and use_group directives
The acl_group directive in exception policy and use_group directive in domain policy can provide a powerful and easy way to manage certain aspects of policy.
In the default exception policy created using /usr/lib/tomoyo/init_policy, entries such as the following are created:
initialize_domain /sbin/modprobe from any
initialize_domain /sbin/hotplug from any
initialize_domain /sbin/init from any
initialize_domain /sbin/udevd from any
initialize_domain /usr/bin/dbus-daemon from any
initialize_domain /usr/sbin/crond from any
initialize_domain /usr/sbin/gpm from any
initialize_domain /usr/sbin/logrotate from any
initialize_domain /usr/sbin/sshd from any
path_group ANY_PATHNAME /
path_group ANY_PATHNAME /\*
path_group ANY_PATHNAME /\{\*\}/
path_group ANY_PATHNAME /\{\*\}/\*
path_group ANY_PATHNAME \*:/
path_group ANY_PATHNAME \*:/\*
path_group ANY_PATHNAME \*:/\{\*\}/
path_group ANY_PATHNAME \*:/\{\*\}/\*
path_group ANY_PATHNAME \*:[\$]
path_group ANY_DIRECTORY /
path_group ANY_DIRECTORY /\{\*\}/
path_group ANY_DIRECTORY \*:/
path_group ANY_DIRECTORY \*:/\{\*\}/
number_group COMMON_IOCTL_CMDS 0x5401
acl_group 0 file read /etc/ld.so.cache
acl_group 0 file read proc:/meminfo
acl_group 0 file read proc:/sys/kernel/version
acl_group 0 file read /etc/localtime
acl_group 0 file read /usr/share/locale/locale.alias
acl_group 0 file read proc:/self/\*
acl_group 0 file read proc:/self/\{\*\}/\*
acl_group 0 file read /lib/lib\*.so\*
acl_group 0 file read /usr/lib/lib\*.so\*
acl_group 0 file read /lib64/lib\*.so\*
acl_group 0 file read /lib/ld-2.\*.so
acl_group 0 file ioctl @ANY_PATHNAME @COMMON_IOCTL_CMDS
acl_group 0 file read @ANY_DIRECTORY
acl_group 0 file getattr @ANY_PATHNAME
The following permissions are given to group 0 using the acl_group directive:
- Permission to read most shared library files
- Permission to read information about the current process
- Permission to issue common ioctl requests
- Permission to read arbitrary directories
- Permission to read attributes of arbitrary files and directories
Permissions defined using "acl_group 0" are given to all domains that have the "use_group 0" entry. Since the default group number is 0, the above permissions are given to all domains by default. These permissions are considered acceptable to grant by default, but you can delete them if you want stricter restrictions.
11.2. Splitting access restriction
Each acl_group entry can be attributed to a different group, and thus will apply to different domains. This provides a way to split access restrictions and simplify domain policy. For example, you could put the following in exception policy:
acl_group 0 file read /etc/passwd
acl_group 0 file read /home/\{\*\-.\*}/\*
acl_group 0 file write /dev/null
acl_group 1 file read /etc/passwd
acl_group 1 file read /etc/shadow
acl_group 1 file create /etc/shadow.\$ 0600
acl_group 1 file write /etc/shadow.\$
acl_group 1 file rename /etc/shadow.\$ /etc/shadow
acl_group 2 file read /usr/lib/xulrunner-1.9.2/libmozjs.so
acl_group 2 file read /usr/lib/xulrunner-1.9.2/libxpcom.so
acl_group 2 file read /usr/lib/xulrunner-1.9.2/libxul.so
The use_group keyword can then be added to domains. Consider a domain with the following entry:
use_group 2
This domain would inherit the ability to read the xulrunner shared objects specified by the "acl_group 2" entries. The use_group directive can be used in as many domains as you want, and each domain will inherit the exception policy entries whose group number matches its own.
If you wish to restrict certain domains from reading directory entries, you can either remove this ability from "acl_group 0" or create another "acl_group" that does not have this ability. Note that if you remove this ability from "acl_group 0", you may need to add this entry individually to each "use_group 0" domain that needs to read directories.
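Because a permission can reach a domain either from its own domain policy or through any acl_group it uses (group 0 when no use_group entry is present), auditing "which domains can read /etc/shadow?" means resolving both. The following script is an added example, not part of the TOMOYO documentation or tools; its policy fragments are constructed in the syntax shown above, and the domain names and paths in them are illustrative.

```python
# Constructed sample fragments in the exception and domain policy syntax this chapter describes.
EXCEPTION_POLICY = """
acl_group 0 file read /etc/passwd
acl_group 1 file read /etc/passwd
acl_group 1 file read /etc/shadow
acl_group 2 file read /usr/lib/xulrunner-1.9.2/libxul.so
"""
DOMAIN_POLICY = """
<kernel> /usr/sbin/sshd
use_group 0
file read /etc/ssh/sshd_config
<kernel> /usr/sbin/sshd /usr/bin/passwd
use_group 1
<kernel> /usr/bin/firefox
use_group 2
<kernel> /usr/sbin/crond
"""

def parse_acl_groups(text):  # group number -> ACL strings from acl_group lines
    groups = {}
    for line in text.splitlines():
        parts = line.split(None, 2)            # keyword, group number, ACL
        if parts[:1] == ["acl_group"] and len(parts) == 3:
            groups.setdefault(int(parts[1]), []).append(parts[2])
    return groups

def parse_domains(text):
    """Map domain name -> its use_group numbers and its own ACL entries."""
    domains, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("<kernel>"):
            current = domains.setdefault(line, {"groups": set(), "acls": []})
        elif not line or current is None or line.startswith("use_profile "):
            continue
        elif line.startswith("use_group "):
            current["groups"].add(int(line.split()[1]))
        else:
            current["acls"].append(line)
    for d in domains.values():                 # no use_group entry means group 0
        d["groups"] = d["groups"] or {0}
    return domains

def domains_granted(acl, domains, groups):
    """Audit helper: which domains hold a permission, and where it came from."""
    hits = {}
    for name, d in domains.items():
        via = [f"acl_group {g}" for g in sorted(d["groups"]) if acl in groups.get(g, [])]
        if acl in d["acls"] or via:
            hits[name] = ", ".join((["domain policy"] if acl in d["acls"] else []) + via)
    return hits
```

Run domains_granted("file read /etc/shadow", parse_domains(DOMAIN_POLICY), parse_acl_groups(EXCEPTION_POLICY)) to see that only the passwd domain holds it, via acl_group 1, while the crond domain with no use_group entry still receives the group 0 entries.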