| 1 |
kumaneko |
10 |
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> |
| 2 |
|
|
<html lang="en-US"> |
| 3 |
|
|
<head> |
| 4 |
|
|
<meta http-equiv="content-type" content="text/html; charset=UTF-8"> |
| 5 |
|
|
<title>CaitSith Documentation</title> |
| 6 |
|
|
</head> |
| 7 |
|
|
<body> |
| 8 |
|
|
|
| 9 |
|
|
<h1>CaitSith -- A simplified access restriction module for system protection.</h1> |
| 10 |
|
|
|
| 11 |
|
|
<p>CaitSith is an access restriction module for Linux systems. This module gives you ability to restrict access (e.g. opening files, executing programs) at the kernel level. This module is designed for ease of use.</p> |
| 12 |
|
|
|
| 13 |
|
|
<p>Below is documentation and policy syntax but is under construction. Sorry.</p> |
| 14 |
|
|
|
| 15 |
|
|
<hr> |
| 16 |
|
|
|
| 17 |
|
|
<h1><a href="#how_to_use">How to use</a></h1> |
| 18 |
|
|
|
| 19 |
|
|
<ul> |
| 20 |
|
|
<li><a href="#difference_with_tomoyo">1. Difference with TOMOYO (for existing TOMOYO users)</a></li> |
| 21 |
|
|
<li><a href="#how_to_install">2. How to install</a></li> |
| 22 |
|
|
<li><a href="#how_to_develop_policy">3. How to develop policy</a></li> |
| 23 |
|
|
</ul> |
| 24 |
|
|
|
| 25 |
|
|
<h1><a href="#policy_specification">Policy Specification</a></h1> |
| 26 |
|
|
|
| 27 |
|
|
<ul> |
| 28 |
|
|
<li><a href="#available_parameters">1. About parameters which can be handled via policy</a></li> |
| 29 |
|
|
<li><a href="#string_expression">1.1. String parameters representation rule</a></li> |
| 30 |
|
|
<li><a href="#numeric_expression">1.2. Numeric parameters representation rule</a></li> |
| 31 |
|
|
<li><a href="#ipaddress_expression">1.3. IP address parameters representation rule</a></li> |
| 32 |
|
|
<li><a href="#conditions">2. About conditional expressions</a></li> |
| 33 |
|
|
<li><a href="#string_comparison">2.1. Conditional expressions which handle string parameters</a></li> |
| 34 |
|
|
<li><a href="#integer_comparison">2.2. Conditional expressions which handle numeric parameters</a></li> |
| 35 |
|
|
<li><a href="#ipaddr_comparison">2.3. Conditional expressions which handle IP address parameters</a></li> |
| 36 |
|
|
<li><a href="#task_attributes_comparison">2.4. Conditional expressions which handle current thread's attributes</a></li> |
| 37 |
|
|
<li><a href="#argv_comparison">2.5. Conditional expressions which handle command line arguments</a></li> |
| 38 |
|
|
<li><a href="#envp_comparison">2.6. Conditional expressions which handle environment variable arguments</a></li> |
| 39 |
|
|
<li><a href="#dac_permission_comparison">2.7. Conditional expressions which handle file's DAC permissions</a></li> |
| 40 |
|
|
<li><a href="#file_type_comparison">2.8. Conditional expressions which handle file's type</a></li> |
| 41 |
|
|
<li><a href="#file_attributes_comparison">2.9. Conditional expressions which handle file's attributes</a></li> |
| 42 |
|
|
<li><a href="#syntax_list">3. List of syntaxes sorted by operations</a></li> |
| 43 |
|
|
<li><a href="#policy_syntaxes">4. Policy syntaxes</a></li> |
| 44 |
|
|
<li><a href="#policy_structure_definition">4.1. Definition</a></li> |
| 45 |
|
|
<li><a href="#policy_examples">4.2. Examples</a></li> |
| 46 |
|
|
</ul> |
| 47 |
|
|
|
| 48 |
|
|
<hr> |
| 49 |
|
|
|
| 50 |
|
|
<h1><a name="how_to_use">How to use</a></h1> |
| 51 |
|
|
|
| 52 |
|
|
<h2><a name="difference_with_tomoyo">1. Difference with TOMOYO (for existing TOMOYO users)</a></h2> |
| 53 |
|
|
|
| 54 |
|
|
<p>This module was derived from TOMOYO Linux, but usage of this module would be too different to imagine that this module was derived from TOMOYO Linux.</p> |
| 55 |
|
|
|
| 56 |
|
|
<h3>About pathnames and management programs</h3> |
| 57 |
|
|
|
| 58 |
|
|
<p>/proc/ccs/domain_policy /proc/ccs/exception_policy /proc/ccs/profile /proc/ccs/manager /proc/ccs/stat has been aggregated into /proc/caitsith/policy</p> |
| 59 |
|
|
|
| 60 |
|
|
<p>/etc/ccs/policy/current/domain_policy.conf /etc/ccs/policy/current/exception_policy.conf /etc/ccs/policy/current/profile.conf /etc/ccs/policy/current/manager.conf /etc/ccs/policy/current/stat.conf has been aggregated into /etc/caitsith/policy/current</p> |
| 61 |
|
|
|
| 62 |
|
|
<p>Built-in policy files which are located in security/ccsecurity/policy/domain_policy.conf security/ccsecurity/policy/exception_policy.conf security/ccsecurity/policy/profile.conf security/ccsecurity/policy/manager.conf security/ccsecurity/policy/stat.conf under kernel source directory have been aggregated into security/caitsith/policy/policy.conf</p> |
| 63 |
|
|
|
| 64 |
|
|
<p>Only /sbin/caitsith-init /usr/sbin/caitsith-auditd /usr/sbin/caitsith-loadpolicy /usr/sbin/caitsith-notifyd /usr/sbin/caitsith-pstree /usr/sbin/caitsith-queryd /usr/sbin/caitsith-savepolicy /usr/lib/caitsith/audit-exec-param /usr/lib/caitsith/caitsith-agent /usr/lib/caitsith/init_policy are provided for managing policy. (In other words, programs such as /usr/sbin/ccs-editpolicy and /usr/sbin/ccs-setprofile have been removed.)</p> |
| 65 |
|
|
|
| 66 |
|
|
<p>Command line arguments for specifying type of policy to load/save has been removed from /usr/sbin/caitsith-loadpolicy and /usr/sbin/caitsith-savepolicy</p> |
| 67 |
|
|
|
| 68 |
|
|
<p>Command line arguments for specifying profile type has been removed from /usr/lib/caitsith/init_policy</p> |
| 69 |
|
|
|
| 70 |
|
|
<h3>About policy syntax</h3> |
| 71 |
|
|
|
| 72 |
|
|
<p>Policy syntax has been drastically changed. TOMOYO Linux used process's domainname as a key for grouping permissions to do some operations. In other words, TOMOYO Linux's policy is collection of "which domain can do ..." rules. On the other hand, this version uses operation as a key for checking permission. In other words, this version's policy is collection of "which operation can be done by ..." rules. This change is intended for allowing users to protect resources using blacklisting approach. In this version, process's domainname is nothing but one of optional parameters that can be used for controlling whether to grant or deny specific operations. Users can write rules without managing domainnames unless needed.</p> |
| 73 |
|
|
|
| 74 |
|
|
<p>Process's domainname representation has changed from space delimited multiple words (e.g. "<kernel> /sbin/init /etc/rc.d/rc.sysinit") to a single word (e.g. "/sbin/init").</p> |
| 75 |
|
|
|
| 76 |
|
|
<p>Domain transitions no longer happen unless explicitly specified by policy.</p> |
| 77 |
|
|
|
| 78 |
|
|
<p>Distinction of disabled/learning/permissive/enforcing mode has been removed.</p> |
| 79 |
|
|
|
| 80 |
|
|
<p>"path_group" keyword has been renamed to "string_group", and "address_group" keyword has been renamed to "ip_group".</p> |
| 81 |
|
|
|
| 82 |
|
|
<p>Representation of \ character has been changed from \\ to \134.</p> |
| 83 |
|
|
|
| 84 |
|
|
<p>Distinction between directory's pathname and non-directory's pathname has been removed by removing / character from directory's pathname.</p> |
| 85 |
|
|
|
| 86 |
|
|
<p>A new wildcard /\(dir\)/ has been introduced for helping converting from (e.g.) "/tmp/\{\*\}/" to "/tmp/\(\*\)/\*", for directory's pathname (except the root directory itself) no longer ends with / character which previously matched /\{\*\}/ wildcard.</p> |
| 87 |
|
|
|
| 88 |
|
|
<p>Category keywords (i.e. "file", "network", "ipc", "misc", "capability", "task") have been removed because access control levels which was specified using profile has been removed. Some of operation keywords have been renamed (e.g. "network inet stream connect" became "inet_stream_connect", "misc env" became "environ").</p> |
| 89 |
|
|
|
| 90 |
|
|
<p>"task auto_execute_handler" keyword has been renamed to "handler=" argument of "execute" keyword. This is intended for using execute handler for preprocessing purpose when executing specific programs rather than when executing from specific domains. "task denied_execute_handler" keyword has been removed.</p> |
| 91 |
|
|
|
| 92 |
|
|
<p>Domain argument has been removed from permission to send signals (i.e. "signal" directive), for kill() system call accepts negative number for specifying multiple processes. It is impossible to selectively deny sending signals because it is not permitted to sleep while sending signals.</p> |
| 93 |
|
|
|
| 94 |
|
|
<p>Restriction granularity for ptrace operation has changed from boolean (i.e. "capability SYS_PTRACE") to command number + domainname.</p> |
| 95 |
|
|
|
| 96 |
|
|
<p>Restriction granularity for environment variables has changed from name only to both name and values.</p> |
| 97 |
|
|
|
| 98 |
|
|
<p>Several variables for referencing file's attributes have been added.</p> |
| 99 |
|
|
|
| 100 |
|
|
<p>Local port reserve functionality (i.e. "deny_autobind" keyword) has been removed.</p> |
| 101 |
|
|
|
| 102 |
|
|
<h2><a name="how_to_install">2. How to install</a></h2> |
| 103 |
|
|
|
| 104 |
|
|
<p>Same with <a href="http://tomoyo.sourceforge.jp/1.8/chapter-3.html#3.3">http://tomoyo.sourceforge.jp/1.8/chapter-3.html#3.3</a> except that you need to replace</p> |
| 105 |
|
|
|
| 106 |
|
|
<table border="1"> |
| 107 |
|
|
<tr><td> |
| 108 |
|
|
$ wget -O ccs-patch-1.8.3-20120401.tar.gz 'http://sourceforge.jp/frs/redir.php?m=jaist&f=/tomoyo/49684/ccs-patch-1.8.3-20120401.tar.gz'<br> |
| 109 |
|
|
$ wget -O ccs-patch-1.8.3-20120401.tar.gz.asc 'http://sourceforge.jp/frs/redir.php?m=jaist&f=/tomoyo/49684/ccs-patch-1.8.3-20120401.tar.gz.asc'<br> |
| 110 |
|
|
$ gpg ccs-patch-1.8.3-20120401.tar.gz.asc<br> |
| 111 |
|
|
$ tar -zxf ccs-patch-1.8.3-20120401.tar.gz<br> |
| 112 |
|
|
$ patch -sp1 < patches/ccs-patch-$VERSION.$PATCHLEVEL.diff |
| 113 |
|
|
</td></tr> |
| 114 |
|
|
</table> |
| 115 |
|
|
|
| 116 |
|
|
<p>with</p> |
| 117 |
|
|
|
| 118 |
|
|
<table border="1"> |
| 119 |
|
|
<tr><td> |
| 120 |
|
|
$ wget -O caitsith-patch-0.1-20120401.tar.gz 'http://sourceforge.jp/frs/redir.php?m=jaist&f=/caitsith/55464/caitsith-patch-0.1-20120401.tar.gz'<br> |
| 121 |
|
|
$ wget -O caitsith-patch-0.1-20120401.tar.gz.asc 'http://sourceforge.jp/frs/redir.php?m=jaist&f=/caitsith/55464/caitsith-patch-0.1-20120401.tar.gz.asc'<br> |
| 122 |
|
|
$ gpg caitsith-patch-0.1-20120401.tar.gz.asc<br> |
| 123 |
|
|
$ tar -zxf caitsith-patch-0.1-20120401.tar.gz<br> |
| 124 |
|
|
$ cat patches/ccs-patch-$VERSION.$PATCHLEVEL.diff | sed -e 's/CCSECURITY/CAITSITH/g' -e 's/ccsecurity/caitsith/g' | patch -sp1 |
| 125 |
|
|
</td></tr> |
| 126 |
|
|
</table> |
| 127 |
|
|
|
| 128 |
|
|
<p>and replace</p> |
| 129 |
|
|
|
| 130 |
|
|
<table border="1"> |
| 131 |
|
|
<tr><td> |
| 132 |
|
|
$ wget -O ccs-tools-1.8.3-20120301.tar.gz 'http://sourceforge.jp/frs/redir.php?m=jaist&f=/tomoyo/49693/ccs-tools-1.8.3-20120301.tar.gz'<br> |
| 133 |
|
|
$ wget -O ccs-tools-1.8.3-20120301.tar.gz.asc 'http://sourceforge.jp/frs/redir.php?m=jaist&f=/tomoyo/49693/ccs-tools-1.8.3-20120301.tar.gz.asc'<br> |
| 134 |
|
|
$ gpg ccs-tools-1.8.3-20120301.tar.gz.asc<br> |
| 135 |
|
|
$ tar -zxf ccs-tools-1.8.3-20120301.tar.gz<br> |
| 136 |
|
|
$ cd ccstools/ |
| 137 |
|
|
</td></tr> |
| 138 |
|
|
</table> |
| 139 |
|
|
|
| 140 |
|
|
<p>with</p> |
| 141 |
|
|
|
| 142 |
|
|
<table border="1"> |
| 143 |
|
|
<tr><td> |
| 144 |
|
|
$ wget -O caitsith-tools-0.1-20120401.tar.gz 'http://sourceforge.jp/frs/redir.php?m=jaist&f=/caitsith/55465/caitsith-tools-0.1-20120401.tar.gz'<br> |
| 145 |
|
|
$ wget -O caitsith-tools-0.1-20120401.tar.gz.asc 'http://sourceforge.jp/frs/redir.php?m=jaist&f=/caitsith/55465/caitsith-tools-0.1-20120401.tar.gz.asc'<br> |
| 146 |
|
|
$ gpg caitsith-tools-0.1-20120401.tar.gz.asc<br> |
| 147 |
|
|
$ tar -zxf caitsith-tools-0.1-20120401.tar.gz<br> |
| 148 |
|
|
$ cd caitsith-tools/ |
| 149 |
|
|
</td></tr> |
| 150 |
|
|
</table> |
| 151 |
|
|
|
| 152 |
|
|
<p>. To initialize, run /usr/lib/caitsith/init_policy instead of /usr/lib/ccs/init_policy .</p> |
| 153 |
|
|
|
| 154 |
|
|
<p>To save /proc/caitsith/audit automatically, run /usr/sbin/caitsith-auditd from somewhere. Default setting (specified in /etc/caitsith/tools/auditd.conf) sends access matched logs to /dev/null, access unmatched logs to /var/log/caitsith/unmatched.log, access denied logs to /var/log/caitsith/denied.log.</p> |
| 155 |
|
|
|
| 156 |
|
|
<h2><a name="how_to_develop_policy">3. How to develop policy</a></h2> |
| 157 |
|
|
|
| 158 |
|
|
<p>Please read <a href="#policy_specification">Policy Specification</a> before continue.</p> |
| 159 |
|
|
|
| 160 |
|
|
<p>Firstly, create a "quota audit[$audit_index]" line with non 0 $max_logs_for_unmatched_request value.</p> |
| 161 |
|
|
|
| 162 |
|
|
<table border="1"> |
| 163 |
|
|
<tr><td> |
| 164 |
|
|
quota audit[1] allowed=0 unmatched=1024 denied=1024 |
| 165 |
|
|
</td></tr> |
| 166 |
|
|
</table> |
| 167 |
|
|
|
| 168 |
|
|
<p>You can use /usr/sbin/caitsith-loadpolicy to update policy.</p> |
| 169 |
|
|
|
| 170 |
|
|
<table border="1"> |
| 171 |
|
|
<tr><td> |
| 172 |
|
|
# echo 'quota audit[1] allowed=0 unmatched=1024 denied=1024' | /usr/sbin/caitsith-loadpolicy |
| 173 |
|
|
</td></tr> |
| 174 |
|
|
</table> |
| 175 |
|
|
|
| 176 |
|
|
<p>Then, decide conditions to restrict access. Below example restricts opening /etc/shadow for reading.</p> |
| 177 |
|
|
|
| 178 |
|
|
<table border="1"> |
| 179 |
|
|
<tr><td> |
| 180 |
|
|
100 acl read path="/etc/shadow"<br> |
| 181 |
|
|
audit 1 |
| 182 |
|
|
</td></tr> |
| 183 |
|
|
</table> |
| 184 |
|
|
|
| 185 |
|
|
<p>By operating the system, access unmatched logs are generated and spooled in /proc/caitsith/audit interface when access request of opening /etc/shadow for reading happens. If /usr/sbin/caitsith-auditd is running , access unmatched logs will be moved to /var/log/caitsith/unmatched.log .</p> |
| 186 |
|
|
|
| 187 |
|
|
<table border="1"> |
| 188 |
|
|
<tr><td> |
| 189 |
|
|
#2012/03/02 08:11:51# global-pid=2826 result=unmatched priority=100 / read path="/etc/shadow" task.pid=2826 task.ppid=2814 task.uid=0 task.gid=0 task.euid=0 task.egid=0 task.suid=0 task.sgid=0 task.fsuid=0 task.fsgid=0 task.type!=execute_handler task.exe="/usr/bin/passwd" task.domain="/usr/sbin/sshd" path.uid=0 path.gid=42 path.ino=33708 path.major=8 path.minor=1 path.perm=0640 path.type=file path.fsmagic=0xEF53 path.parent.uid=0 path.parent.gid=0 path.parent.ino=32769 path.parent.major=8 path.parent.minor=1 path.parent.perm=0755 path.parent.type=directory path.parent.fsmagic=0xEF53 |
| 190 |
|
|
</td></tr> |
| 191 |
|
|
</table> |
| 192 |
|
|
|
| 193 |
|
|
<p>Examine the log and decide whether to grant this access request or not. To grant this request, add an allow line. Below example grants this request to /usr/bin/passwd program.</p> |
| 194 |
|
|
|
| 195 |
|
|
<table border="1"> |
| 196 |
|
|
<tr><td> |
| 197 |
|
|
100 acl read path="/etc/shadow"<br> |
| 198 |
|
|
audit 1<br> |
| 199 |
|
|
100 allow task.exe="/usr/bin/passwd" |
| 200 |
|
|
</td></tr> |
| 201 |
|
|
</table> |
| 202 |
|
|
|
| 203 |
|
|
<p>Operate the system again. For example, /usr/sbin/sshd program and /bin/cat program have requested opening /etc/shadow for reading.</p> |
| 204 |
|
|
|
| 205 |
|
|
<table border="1"> |
| 206 |
|
|
<tr><td> |
| 207 |
|
|
#2012/03/02 08:13:06# global-pid=2831 result=unmatched priority=100 / read path="/etc/shadow" task.pid=2831 task.ppid=2691 task.uid=0 task.gid=0 task.euid=0 task.egid=0 task.suid=0 task.sgid=0 task.fsuid=0 task.fsgid=0 task.type!=execute_handler task.exe="/usr/sbin/sshd" task.domain="/usr/sbin/sshd" path.uid=0 path.gid=42 path.ino=33716 path.major=8 path.minor=1 path.perm=0640 path.type=file path.fsmagic=0xEF53 path.parent.uid=0 path.parent.gid=0 path.parent.ino=32769 path.parent.major=8 path.parent.minor=1 path.parent.perm=0755 path.parent.type=directory path.parent.fsmagic=0xEF53<br> |
| 208 |
|
|
#2012/03/02 08:13:12# global-pid=2837 result=unmatched priority=100 / read path="/etc/shadow" task.pid=2837 task.ppid=2833 task.uid=0 task.gid=0 task.euid=0 task.egid=0 task.suid=0 task.sgid=0 task.fsuid=0 task.fsgid=0 task.type!=execute_handler task.exe="/bin/cat" task.domain="/usr/sbin/sshd" path.uid=0 path.gid=42 path.ino=33716 path.major=8 path.minor=1 path.perm=0640 path.type=file path.fsmagic=0xEF53 path.parent.uid=0 path.parent.gid=0 path.parent.ino=32769 path.parent.major=8 path.parent.minor=1 path.parent.perm=0755 path.parent.type=directory path.parent.fsmagic=0xEF53 |
| 209 |
|
|
</td></tr> |
| 210 |
|
|
</table> |
| 211 |
|
|
|
| 212 |
|
|
<p>Add an allow line with /usr/sbin/sshd program in order to allow access by /usr/sbin/sshd program. Also, add a deny line with /bin/cat program in order to deny access by /bin/cat program. Give higher priority (i.e. smaller $cond_priority value) to deny line than allow line so that deny lines are checked before allow lines are checked.</p> |
| 213 |
|
|
|
| 214 |
|
|
<table border="1"> |
| 215 |
|
|
<tr><td> |
| 216 |
|
|
100 acl read path="/etc/shadow"<br> |
| 217 |
|
|
audit 1<br> |
| 218 |
|
|
10 deny task.exe="/bin/cat"<br> |
| 219 |
|
|
100 allow task.exe="/usr/bin/passwd"<br> |
| 220 |
|
|
100 allow task.exe="/usr/sbin/sshd" |
| 221 |
|
|
</td></tr> |
| 222 |
|
|
</table> |
| 223 |
|
|
|
| 224 |
|
|
<p>From now on, attempt to read /etc/shadow using /bin/cat should be denied and access denied logs should be generated. If /usr/sbin/caitsith-auditd is running , access denied logs will be moved to /var/log/caitsith/denied.log .</p> |
| 225 |
|
|
|
| 226 |
|
|
<table border="1"> |
| 227 |
|
|
<tr><td> |
| 228 |
|
|
#2012/03/02 08:14:38# global-pid=2842 result=denied priority=100 / read path="/etc/shadow" task.pid=2842 task.ppid=2833 task.uid=0 task.gid=0 task.euid=0 task.egid=0 task.suid=0 task.sgid=0 task.fsuid=0 task.fsgid=0 task.type!=execute_handler task.exe="/bin/cat" task.domain="/usr/sbin/sshd" path.uid=0 path.gid=42 path.ino=33716 path.major=8 path.minor=1 path.perm=0640 path.type=file path.fsmagic=0xEF53 path.parent.uid=0 path.parent.gid=0 path.parent.ino=32769 path.parent.major=8 path.parent.minor=1 path.parent.perm=0755 path.parent.type=directory path.parent.fsmagic=0xEF53 |
| 229 |
|
|
</td></tr> |
| 230 |
|
|
</table> |
| 231 |
|
|
|
| 232 |
|
|
<p>After you have finished enumerating all allow lines and deny lines, add a deny line with lowest priority (i.e. largest $cond_priority value within this block).</p> |
| 233 |
|
|
|
| 234 |
|
|
<table border="1"> |
| 235 |
|
|
<tr><td> |
| 236 |
|
|
100 acl read path="/etc/shadow"<br> |
| 237 |
|
|
audit 1<br> |
| 238 |
|
|
10 deny task.exe="/bin/cat"<br> |
| 239 |
|
|
100 allow task.exe="/usr/bin/passwd"<br> |
| 240 |
|
|
100 allow task.exe="/usr/sbin/sshd"<br> |
| 241 |
|
|
10000 deny |
| 242 |
|
|
</td></tr> |
| 243 |
|
|
</table> |
| 244 |
|
|
|
| 245 |
|
|
<p>A rule for restricting /etc/shadow for opening is now completed.</p> |
| 246 |
|
|
|
| 247 |
|
|
<p>Note that the rule explained above alone cannot prevent diverted accesses such as creating a hard link of /etc/shadow . If the resource to protect has characteristic attribute, it is recommended to utilize such attributes. On several distributions, /etc/shadow is owned by shadow group. In that case, this rule can be modified to below. (Below example assumes that shadow group's group ID is 42.)</p> |
| 248 |
|
|
|
| 249 |
|
|
<table border="1"> |
| 250 |
|
|
<tr><td> |
| 251 |
|
|
100 acl read path.gid=42<br> |
| 252 |
|
|
audit 1<br> |
| 253 |
|
|
10 deny task.exe="/bin/cat"<br> |
| 254 |
|
|
100 allow task.exe="/usr/bin/passwd"<br> |
| 255 |
|
|
100 allow task.exe="/usr/sbin/sshd"<br> |
| 256 |
|
|
10000 deny |
| 257 |
|
|
</td></tr> |
| 258 |
|
|
</table> |
| 259 |
|
|
|
| 260 |
|
|
<p>On several distributions, /etc/shadow is owned by root user and root group and has DAC permissions 0400. In that case, you might want to use a rule like below. (You should check whether there are other files with such attributes.)</p> |
| 261 |
|
|
|
| 262 |
|
|
<table border="1"> |
| 263 |
|
|
<tr><td> |
| 264 |
|
|
100 acl read path.uid=0 path.gid=0 path.perm=0400<br> |
| 265 |
|
|
audit 1<br> |
| 266 |
|
|
10 deny task.exe="/bin/cat"<br> |
| 267 |
|
|
100 allow task.exe="/usr/bin/passwd"<br> |
| 268 |
|
|
100 allow task.exe="/usr/sbin/sshd"<br> |
| 269 |
|
|
10000 deny |
| 270 |
|
|
</td></tr> |
| 271 |
|
|
</table> |
| 272 |
|
|
|
| 273 |
|
|
<p>It is recommended to restrict other operations such as mount, link and rename. For example, a rule to deny creation of hard links which is not owned by the user would look like below. (Note that the variable which refers source pathname of link operation is "old_path" rather than "path" because the operation is "link".)</p> |
| 274 |
|
|
|
| 275 |
|
|
<table border="1"> |
| 276 |
|
|
<tr><td> |
| 277 |
|
|
100 acl link old_path.uid!=task.uid<br> |
| 278 |
|
|
audit 1<br> |
| 279 |
|
|
100 deny |
| 280 |
|
|
</td></tr> |
| 281 |
|
|
</table> |
| 282 |
|
|
|
| 283 |
|
|
<p>If you can split files into different filesystems or different partitions, you might be able to utilize more variables. For example, rules for denying creation of hard links on tmpfs filesystem (tmpfs filesystem's magic number is 0x01021994) would look like below.</p> |
| 284 |
|
|
|
| 285 |
|
|
<table border="1"> |
| 286 |
|
|
<tr><td> |
| 287 |
|
|
100 acl link old_path.fsmagic=0x01021994<br> |
| 288 |
|
|
audit 1<br> |
| 289 |
|
|
10 deny |
| 290 |
|
|
</td></tr> |
| 291 |
|
|
</table> |
| 292 |
|
|
|
| 293 |
|
|
<p>Splitting into different partitions and defining rules based on partition's attributes will help preventing diverted access via creating hard links, for hard links cannot be created across partitions. Separating /home partition from / partition will be useful when protecting resources in /home partition.</p> |
| 294 |
|
|
|
| 295 |
|
|
<hr> |
| 296 |
|
|
|
| 297 |
|
|
<h1><a name="policy_specification">Policy Specification</a></h1> |
| 298 |
|
|
|
| 299 |
|
|
<h2><a name="available_parameters">1. About parameters which can be handled via policy</a></h2> |
| 300 |
|
|
|
| 301 |
|
|
<p>Each entry in the policy has a keyword that specifies "operation", and can optionally have "conditional expressions".</p> |
| 302 |
|
|
|
| 303 |
|
|
<p>It is possible to check parameters which can be represented as string data or numeric data using "conditional expressions".</p> |
| 304 |
|
|
|
| 305 |
|
|
<h3><a name="string_expression">1.1. String parameters representation rule</a></h3> |
| 306 |
|
|
|
| 307 |
|
|
<p>Parameters such as file's pathnames and command line arguments and environment variables are handled as string data.</p> |
| 308 |
|
|
|
| 309 |
|
|
<p>All ASCII printable characters other than \ character (i.e. from 33 to 91 and from 93 to 126) are represented as is.</p> |
| 310 |
|
|
|
| 311 |
|
|
<p>All other characters (i.e. from 0 to 32, 92 and from 127 to 255) are represented using \ooo style octal form.</p> |
| 312 |
|
|
|
| 313 |
|
|
<table border="1"> |
| 314 |
|
|
<tr> |
| 315 |
|
|
<td> |
| 316 |
|
|
<table><tr><td></td><td>Lower 4 bits</td></tr><tr><td>Upper 4 bits</td><td></td></tr></table> |
| 317 |
|
|
</td> |
| 318 |
|
|
<th><p>0x0</p></th> |
| 319 |
|
|
<th><p>0x1</p></th> |
| 320 |
|
|
<th><p>0x2</p></th> |
| 321 |
|
|
<th><p>0x3</p></th> |
| 322 |
|
|
<th><p>0x4</p></th> |
| 323 |
|
|
<th><p>0x5</p></th> |
| 324 |
|
|
<th><p>0x6</p></th> |
| 325 |
|
|
<th><p>0x7</p></th> |
| 326 |
|
|
<th><p>0x8</p></th> |
| 327 |
|
|
<th><p>0x9</p></th> |
| 328 |
|
|
<th><p>0xA</p></th> |
| 329 |
|
|
<th><p>0xB</p></th> |
| 330 |
|
|
<th><p>0xC</p></th> |
| 331 |
|
|
<th><p>0xD</p></th> |
| 332 |
|
|
<th><p>0xE</p></th> |
| 333 |
|
|
<th><p>0xF</p></th> |
| 334 |
|
|
</tr> |
| 335 |
|
|
<tr> |
| 336 |
|
|
<th><p>0x0</p></th> |
| 337 |
|
|
<td><p>\000</p></td> |
| 338 |
|
|
<td><p>\001</p></td> |
| 339 |
|
|
<td><p>\002</p></td> |
| 340 |
|
|
<td><p>\003</p></td> |
| 341 |
|
|
<td><p>\004</p></td> |
| 342 |
|
|
<td><p>\005</p></td> |
| 343 |
|
|
<td><p>\006</p></td> |
| 344 |
|
|
<td><p>\007</p></td> |
| 345 |
|
|
<td><p>\010</p></td> |
| 346 |
|
|
<td><p>\011</p></td> |
| 347 |
|
|
<td><p>\012</p></td> |
| 348 |
|
|
<td><p>\013</p></td> |
| 349 |
|
|
<td><p>\014</p></td> |
| 350 |
|
|
<td><p>\015</p></td> |
| 351 |
|
|
<td><p>\016</p></td> |
| 352 |
|
|
<td><p>\017</p></td> |
| 353 |
|
|
</tr> |
| 354 |
|
|
<tr> |
| 355 |
|
|
<th><p>0x1</p></th> |
| 356 |
|
|
<td><p>\020</p></td> |
| 357 |
|
|
<td><p>\021</p></td> |
| 358 |
|
|
<td><p>\022</p></td> |
| 359 |
|
|
<td><p>\023</p></td> |
| 360 |
|
|
<td><p>\024</p></td> |
| 361 |
|
|
<td><p>\025</p></td> |
| 362 |
|
|
<td><p>\026</p></td> |
| 363 |
|
|
<td><p>\027</p></td> |
| 364 |
|
|
<td><p>\030</p></td> |
| 365 |
|
|
<td><p>\031</p></td> |
| 366 |
|
|
<td><p>\032</p></td> |
| 367 |
|
|
<td><p>\033</p></td> |
| 368 |
|
|
<td><p>\034</p></td> |
| 369 |
|
|
<td><p>\035</p></td> |
| 370 |
|
|
<td><p>\036</p></td> |
| 371 |
|
|
<td><p>\037</p></td> |
| 372 |
|
|
</tr> |
| 373 |
|
|
<tr> |
| 374 |
|
|
<th><p>0x2</p></th> |
| 375 |
|
|
<td><p>\040</p></td> |
| 376 |
|
|
<td><p>!</p></td> |
| 377 |
|
|
<td><p>"</p></td> |
| 378 |
|
|
<td><p>#</p></td> |
| 379 |
|
|
<td><p>$</p></td> |
| 380 |
|
|
<td><p>%</p></td> |
| 381 |
|
|
<td><p>&</p></td> |
| 382 |
|
|
<td><p>'</p></td> |
| 383 |
|
|
<td><p>(</p></td> |
| 384 |
|
|
<td><p>)</p></td> |
| 385 |
|
|
<td><p>*</p></td> |
| 386 |
|
|
<td><p>+</p></td> |
| 387 |
|
|
<td><p>,</p></td> |
| 388 |
|
|
<td><p>-</p></td> |
| 389 |
|
|
<td><p>.</p></td> |
| 390 |
|
|
<td><p>/</p></td> |
| 391 |
|
|
</tr> |
| 392 |
|
|
<tr> |
| 393 |
|
|
<th><p>0x3</p></th> |
| 394 |
|
|
<td><p>0</p></td> |
| 395 |
|
|
<td><p>1</p></td> |
| 396 |
|
|
<td><p>2</p></td> |
| 397 |
|
|
<td><p>3</p></td> |
| 398 |
|
|
<td><p>4</p></td> |
| 399 |
|
|
<td><p>5</p></td> |
| 400 |
|
|
<td><p>6</p></td> |
| 401 |
|
|
<td><p>7</p></td> |
| 402 |
|
|
<td><p>8</p></td> |
| 403 |
|
|
<td><p>9</p></td> |
| 404 |
|
|
<td><p>:</p></td> |
| 405 |
|
|
<td><p>;</p></td> |
| 406 |
|
|
<td><p><</p></td> |
| 407 |
|
|
<td><p>=</p></td> |
| 408 |
|
|
<td><p>></p></td> |
| 409 |
|
|
<td><p>?</p></td> |
| 410 |
|
|
</tr> |
| 411 |
|
|
<tr> |
| 412 |
|
|
<th><p>0x4</p></th> |
| 413 |
|
|
<td><p>@</p></td> |
| 414 |
|
|
<td><p>A</p></td> |
| 415 |
|
|
<td><p>B</p></td> |
| 416 |
|
|
<td><p>C</p></td> |
| 417 |
|
|
<td><p>D</p></td> |
| 418 |
|
|
<td><p>E</p></td> |
| 419 |
|
|
<td><p>F</p></td> |
| 420 |
|
|
<td><p>G</p></td> |
| 421 |
|
|
<td><p>H</p></td> |
| 422 |
|
|
<td><p>I</p></td> |
| 423 |
|
|
<td><p>J</p></td> |
| 424 |
|
|
<td><p>K</p></td> |
| 425 |
|
|
<td><p>L</p></td> |
| 426 |
|
|
<td><p>M</p></td> |
| 427 |
|
|
<td><p>N</p></td> |
| 428 |
|
|
<td><p>O</p></td> |
| 429 |
|
|
</tr> |
| 430 |
|
|
<tr> |
| 431 |
|
|
<th><p>0x5</p></th> |
| 432 |
|
|
<td><p>P</p></td> |
| 433 |
|
|
<td><p>Q</p></td> |
| 434 |
|
|
<td><p>R</p></td> |
| 435 |
|
|
<td><p>S</p></td> |
| 436 |
|
|
<td><p>T</p></td> |
| 437 |
|
|
<td><p>U</p></td> |
| 438 |
|
|
<td><p>V</p></td> |
| 439 |
|
|
<td><p>W</p></td> |
| 440 |
|
|
<td><p>X</p></td> |
| 441 |
|
|
<td><p>Y</p></td> |
| 442 |
|
|
<td><p>Z</p></td> |
| 443 |
|
|
<td><p>[</p></td> |
| 444 |
|
|
<td><p>\134</p></td> |
| 445 |
|
|
<td><p>]</p></td> |
| 446 |
|
|
<td><p>^</p></td> |
| 447 |
|
|
<td><p>_</p></td> |
| 448 |
|
|
</tr> |
| 449 |
|
|
<tr> |
| 450 |
|
|
<th><p>0x6</p></th> |
| 451 |
|
|
<td><p>`</p></td> |
| 452 |
|
|
<td><p>a</p></td> |
| 453 |
|
|
<td><p>b</p></td> |
| 454 |
|
|
<td><p>c</p></td> |
| 455 |
|
|
<td><p>d</p></td> |
| 456 |
|
|
<td><p>e</p></td> |
| 457 |
|
|
<td><p>f</p></td> |
| 458 |
|
|
<td><p>g</p></td> |
| 459 |
|
|
<td><p>h</p></td> |
| 460 |
|
|
<td><p>i</p></td> |
| 461 |
|
|
<td><p>j</p></td> |
| 462 |
|
|
<td><p>k</p></td> |
| 463 |
|
|
<td><p>l</p></td> |
| 464 |
|
|
<td><p>m</p></td> |
| 465 |
|
|
<td><p>n</p></td> |
| 466 |
|
|
<td><p>o</p></td> |
| 467 |
|
|
</tr> |
| 468 |
|
|
<tr> |
| 469 |
|
|
<th><p>0x7</p></th> |
| 470 |
|
|
<td><p>p</p></td> |
| 471 |
|
|
<td><p>q</p></td> |
| 472 |
|
|
<td><p>r</p></td> |
| 473 |
|
|
<td><p>s</p></td> |
| 474 |
|
|
<td><p>t</p></td> |
| 475 |
|
|
<td><p>u</p></td> |
| 476 |
|
|
<td><p>v</p></td> |
| 477 |
|
|
<td><p>w</p></td> |
| 478 |
|
|
<td><p>x</p></td> |
| 479 |
|
|
<td><p>y</p></td> |
| 480 |
|
|
<td><p>z</p></td> |
| 481 |
|
|
<td><p>{</p></td> |
| 482 |
|
|
<td><p>|</p></td> |
| 483 |
|
|
<td><p>}</p></td> |
| 484 |
|
|
<td><p>~</p></td> |
| 485 |
|
|
<td><p>\177</p></td> |
| 486 |
|
|
</tr> |
| 487 |
|
|
<tr> |
| 488 |
|
|
<th><p>0x8</p></th> |
| 489 |
|
|
<td><p>\200</p></td> |
| 490 |
|
|
<td><p>\201</p></td> |
| 491 |
|
|
<td><p>\202</p></td> |
| 492 |
|
|
<td><p>\203</p></td> |
| 493 |
|
|
<td><p>\204</p></td> |
| 494 |
|
|
<td><p>\205</p></td> |
| 495 |
|
|
<td><p>\206</p></td> |
| 496 |
|
|
<td><p>\207</p></td> |
| 497 |
|
|
<td><p>\210</p></td> |
| 498 |
|
|
<td><p>\211</p></td> |
| 499 |
|
|
<td><p>\212</p></td> |
| 500 |
|
|
<td><p>\213</p></td> |
| 501 |
|
|
<td><p>\214</p></td> |
| 502 |
|
|
<td><p>\215</p></td> |
| 503 |
|
|
<td><p>\216</p></td> |
| 504 |
|
|
<td><p>\217</p></td> |
| 505 |
|
|
</tr> |
| 506 |
|
|
<tr> |
| 507 |
|
|
<th><p>0x9</p></th> |
| 508 |
|
|
<td><p>\220</p></td> |
| 509 |
|
|
<td><p>\221</p></td> |
| 510 |
|
|
<td><p>\222</p></td> |
| 511 |
|
|
<td><p>\223</p></td> |
| 512 |
|
|
<td><p>\224</p></td> |
| 513 |
|
|
<td><p>\225</p></td> |
| 514 |
|
|
<td><p>\226</p></td> |
| 515 |
|
|
<td><p>\227</p></td> |
| 516 |
|
|
<td><p>\230</p></td> |
| 517 |
|
|
<td><p>\231</p></td> |
| 518 |
|
|
<td><p>\232</p></td> |
| 519 |
|
|
<td><p>\233</p></td> |
| 520 |
|
|
<td><p>\234</p></td> |
| 521 |
|
|
<td><p>\235</p></td> |
| 522 |
|
|
<td><p>\236</p></td> |
| 523 |
|
|
<td><p>\237</p></td> |
| 524 |
|
|
</tr> |
| 525 |
|
|
<tr> |
| 526 |
|
|
<th><p>0xA</p></th> |
| 527 |
|
|
<td><p>\240</p></td> |
| 528 |
|
|
<td><p>\241</p></td> |
| 529 |
|
|
<td><p>\242</p></td> |
| 530 |
|
|
<td><p>\243</p></td> |
| 531 |
|
|
<td><p>\244</p></td> |
| 532 |
|
|
<td><p>\245</p></td> |
| 533 |
|
|
<td><p>\246</p></td> |
| 534 |
|
|
<td><p>\247</p></td> |
| 535 |
|
|
<td><p>\250</p></td> |
| 536 |
|
|
<td><p>\251</p></td> |
| 537 |
|
|
<td><p>\252</p></td> |
| 538 |
|
|
<td><p>\253</p></td> |
| 539 |
|
|
<td><p>\254</p></td> |
| 540 |
|
|
<td><p>\255</p></td> |
| 541 |
|
|
<td><p>\256</p></td> |
| 542 |
|
|
<td><p>\257</p></td> |
| 543 |
|
|
</tr> |
| 544 |
|
|
<tr> |
| 545 |
|
|
<th><p>0xB</p></th> |
| 546 |
|
|
<td><p>\260</p></td> |
| 547 |
|
|
<td><p>\261</p></td> |
| 548 |
|
|
<td><p>\262</p></td> |
| 549 |
|
|
<td><p>\263</p></td> |
| 550 |
|
|
<td><p>\264</p></td> |
| 551 |
|
|
<td><p>\265</p></td> |
| 552 |
|
|
<td><p>\266</p></td> |
| 553 |
|
|
<td><p>\267</p></td> |
| 554 |
|
|
<td><p>\270</p></td> |
| 555 |
|
|
<td><p>\271</p></td> |
| 556 |
|
|
<td><p>\272</p></td> |
| 557 |
|
|
<td><p>\273</p></td> |
| 558 |
|
|
<td><p>\274</p></td> |
| 559 |
|
|
<td><p>\275</p></td> |
| 560 |
|
|
<td><p>\276</p></td> |
| 561 |
|
|
<td><p>\277</p></td> |
| 562 |
|
|
</tr> |
| 563 |
|
|
<tr> |
| 564 |
|
|
<th><p>0xC</p></th> |
| 565 |
|
|
<td><p>\300</p></td> |
| 566 |
|
|
<td><p>\301</p></td> |
| 567 |
|
|
<td><p>\302</p></td> |
| 568 |
|
|
<td><p>\303</p></td> |
| 569 |
|
|
<td><p>\304</p></td> |
| 570 |
|
|
<td><p>\305</p></td> |
| 571 |
|
|
<td><p>\306</p></td> |
| 572 |
|
|
<td><p>\307</p></td> |
| 573 |
|
|
<td><p>\310</p></td> |
| 574 |
|
|
<td><p>\311</p></td> |
| 575 |
|
|
<td><p>\312</p></td> |
| 576 |
|
|
<td><p>\313</p></td> |
| 577 |
|
|
<td><p>\314</p></td> |
| 578 |
|
|
<td><p>\315</p></td> |
| 579 |
|
|
<td><p>\316</p></td> |
| 580 |
|
|
<td><p>\317</p></td> |
| 581 |
|
|
</tr> |
| 582 |
|
|
<tr> |
| 583 |
|
|
<th><p>0xD</p></th> |
| 584 |
|
|
<td><p>\320</p></td> |
| 585 |
|
|
<td><p>\321</p></td> |
| 586 |
|
|
<td><p>\322</p></td> |
| 587 |
|
|
<td><p>\323</p></td> |
| 588 |
|
|
<td><p>\324</p></td> |
| 589 |
|
|
<td><p>\325</p></td> |
| 590 |
|
|
<td><p>\326</p></td> |
| 591 |
|
|
<td><p>\327</p></td> |
| 592 |
|
|
<td><p>\330</p></td> |
| 593 |
|
|
<td><p>\331</p></td> |
| 594 |
|
|
<td><p>\332</p></td> |
| 595 |
|
|
<td><p>\333</p></td> |
| 596 |
|
|
<td><p>\334</p></td> |
| 597 |
|
|
<td><p>\335</p></td> |
| 598 |
|
|
<td><p>\336</p></td> |
| 599 |
|
|
<td><p>\337</p></td> |
| 600 |
|
|
</tr> |
| 601 |
|
|
<tr> |
| 602 |
|
|
<th><p>0xE</p></th> |
| 603 |
|
|
<td><p>\340</p></td> |
| 604 |
|
|
<td><p>\341</p></td> |
| 605 |
|
|
<td><p>\342</p></td> |
| 606 |
|
|
<td><p>\343</p></td> |
| 607 |
|
|
<td><p>\344</p></td> |
| 608 |
|
|
<td><p>\345</p></td> |
| 609 |
|
|
<td><p>\346</p></td> |
| 610 |
|
|
<td><p>\347</p></td> |
| 611 |
|
|
<td><p>\350</p></td> |
| 612 |
|
|
<td><p>\351</p></td> |
| 613 |
|
|
<td><p>\352</p></td> |
| 614 |
|
|
<td><p>\353</p></td> |
| 615 |
|
|
<td><p>\354</p></td> |
| 616 |
|
|
<td><p>\355</p></td> |
| 617 |
|
|
<td><p>\356</p></td> |
| 618 |
|
|
<td><p>\357</p></td> |
| 619 |
|
|
</tr> |
| 620 |
|
|
<tr> |
| 621 |
|
|
<th><p>0xF</p></th> |
| 622 |
|
|
<td><p>\360</p></td> |
| 623 |
|
|
<td><p>\361</p></td> |
| 624 |
|
|
<td><p>\362</p></td> |
| 625 |
|
|
<td><p>\363</p></td> |
| 626 |
|
|
<td><p>\364</p></td> |
| 627 |
|
|
<td><p>\365</p></td> |
| 628 |
|
|
<td><p>\366</p></td> |
| 629 |
|
|
<td><p>\367</p></td> |
| 630 |
|
|
<td><p>\370</p></td> |
| 631 |
|
|
<td><p>\371</p></td> |
| 632 |
|
|
<td><p>\372</p></td> |
| 633 |
|
|
<td><p>\373</p></td> |
| 634 |
|
|
<td><p>\374</p></td> |
| 635 |
|
|
<td><p>\375</p></td> |
| 636 |
|
|
<td><p>\376</p></td> |
| 637 |
|
|
<td><p>\377</p></td> |
| 638 |
|
|
</tr> |
| 639 |
|
|
</table> |
| 640 |
|
|
|
| 641 |
|
|
<p>It is possible to use wildcards listed below in order to match string patterns.</p> |
| 642 |
|
|
|
| 643 |
|
|
<table border="1"> |
| 644 |
|
|
<tr> |
| 645 |
|
|
<th><p>Wildcard</p></th> |
| 646 |
|
|
<th><p>Pattern match</p></th> |
| 647 |
|
|
<th><p>Examples</p></th> |
| 648 |
|
|
</tr> |
| 649 |
|
|
<tr> |
| 650 |
|
|
<td><p>\*</p></td> |
| 651 |
|
|
<td><p>0 or more repetitions of characters other than "/"</p></td> |
| 652 |
|
|
<td><p>/var/log/samba/\*</p></td> |
| 653 |
|
|
</tr> |
| 654 |
|
|
<tr> |
| 655 |
|
|
<td><p>\@</p></td> |
| 656 |
|
|
<td><p>0 or more repetitions of characters other than "/" or "."</p></td> |
| 657 |
|
|
<td><p>/var/www/html/\@.html</p></td> |
| 658 |
|
|
</tr> |
| 659 |
|
|
<tr> |
| 660 |
|
|
<td><p>\?</p></td> |
| 661 |
|
|
<td><p>1 byte character other than "/"</p></td> |
| 662 |
|
|
<td><p>/tmp/mail.\?\?\?\?\?\?</p></td> |
| 663 |
|
|
</tr> |
| 664 |
|
|
<tr> |
| 665 |
|
|
<td><p>\$</p></td> |
| 666 |
|
|
<td><p>1 or more repetitions of decimal digits</p></td> |
| 667 |
|
|
<td><p>/proc/\$/cmdline</p></td> |
| 668 |
|
|
</tr> |
| 669 |
|
|
<tr> |
| 670 |
|
|
<td><p>\+</p></td> |
| 671 |
|
|
<td><p>1 decimal digit</p></td> |
| 672 |
|
|
<td><p>/var/tmp/my_work.\+</p></td> |
| 673 |
|
|
</tr> |
| 674 |
|
|
<tr> |
| 675 |
|
|
<td><p>\X</p></td> |
| 676 |
|
|
<td><p>1 or more repetitions of hexadecimal digits</p></td> |
| 677 |
|
|
<td><p>/var/tmp/my-work.\X</p></td> |
| 678 |
|
|
</tr> |
| 679 |
|
|
<tr> |
| 680 |
|
|
<td><p>\x</p></td> |
| 681 |
|
|
<td><p>1 hexadecimal digit</p></td> |
| 682 |
|
|
<td><p>/tmp/my-work.\x</p></td> |
| 683 |
|
|
</tr> |
| 684 |
|
|
<tr> |
| 685 |
|
|
<td><p>\A</p></td> |
| 686 |
|
|
<td><p>1 or more repetitions of alphabet characters</p></td> |
| 687 |
|
|
<td><p>/var/log/my-work/\$-\A-\$.log</p></td> |
| 688 |
|
|
</tr> |
| 689 |
|
|
<tr> |
| 690 |
|
|
<td><p>\a</p></td> |
| 691 |
|
|
<td><p>1 alphabet character</p></td> |
| 692 |
|
|
<td><p>/home/users/\a/\*/public_html/\*.html</p></td> |
| 693 |
|
|
</tr> |
| 694 |
|
|
<tr> |
| 695 |
|
|
<td><p>\-</p></td> |
| 696 |
|
|
<td><p>Pathname subtraction operator (negative match)</p></td> |
| 697 |
|
|
<td> |
| 698 |
|
|
<p>/\*\-proc\-sys</p> |
| 699 |
|
|
<p>This will match /\* except "/proc" and "/sys".</p> |
| 700 |
|
|
</td> |
| 701 |
|
|
</tr> |
| 702 |
|
|
<tr> |
| 703 |
|
|
<td><p>/\{dir\}/</p></td> |
| 704 |
|
|
<td><p>Recursive directory matching operator.</p> |
| 705 |
|
|
<p>Matches "/" and 1 or more repetitions of "dir/".</p></td> |
| 706 |
|
|
<td> |
| 707 |
|
|
<p>/var/www/html/\{\*\}/\*.html</p> |
| 708 |
|
|
<p>This will match all *.html files in subdirectories under /var/www/html/ directory. Note that /var/www/html/\*.html will not match.</p> |
| 709 |
|
|
</td> |
| 710 |
|
|
</tr> |
| 711 |
|
|
<tr> |
| 712 |
|
|
<td><p>/({dir\)/</p></td> |
| 713 |
|
|
<td><p>Recursive directory matching operator.</p> |
| 714 |
|
|
<p>Matches "/" and 0 or more repetitions of "dir/".</p></td> |
| 715 |
|
|
<td> |
| 716 |
|
|
<p>/var/www/html/\(\*\)/\*.html</p> |
| 717 |
|
|
<p>This will match all *.html files under /var/www/html/ directory. Note that /var/www/html/\*.html will match.</p> |
| 718 |
|
|
</td> |
| 719 |
|
|
</tr> |
| 720 |
|
|
</table> |
| 721 |
|
|
|
| 722 |
|
|
<p>It is possible to group string data using "<a href="#string_comparison">string_group</a>" syntax.</p> |
| 723 |
|
|
|
| 724 |
|
|
<h3><a name="numeric_expression">1.2. Numeric parameters representation rule</a></h3> |
| 725 |
|
|
|
| 726 |
|
|
<p>Parameters such as user ID and process ID are handled as numeric data.</p> |
| 727 |
|
|
|
| 728 |
|
|
<p>Decimal form, octal form and hexadecimal form are supported. Octal form is prefixed with 0 and Hexadecimal form is prefixed with 0x. For example, 010 in octal form is equivalent with 8 in decimal form, 0x10 in hexadecimal form is equivalent with 16 in decimal form.</p> |
| 729 |
|
|
|
| 730 |
|
|
<p>Since numeric data is handled using C language's "unsigned long" type, minimal value is 0 and maximal value is 0xFFFFFFFF (for 32 bit environments) or 0xFFFFFFFFFFFFFFFF (for 64 bit environments).</p> |
| 731 |
|
|
|
| 732 |
|
|
<p>It is possible to specify numeric data ranges in $min_value-$max_value form. If specifying in range, $min_value has to be smaller or equals to $max_value. For example, 0-100 is valid but 100-0 is invalid.</p> |
| 733 |
|
|
|
| 734 |
|
|
<p>It is possible to group numeric data or numeric data range using "<a href="#integer_comparison">number_group</a>" syntax.</p> |
| 735 |
|
|
|
| 736 |
|
|
<h3><a name="ipaddress_expression">1.3. IP address parameters representation rule</a></h3> |
| 737 |
|
|
|
| 738 |
|
|
<p>It is possible to handle IPv4 address and IPv6 address. IPv4 address (32 bit) is represented using dot separated decimal form. and IPv6 address (128 bit) is represented using forms defined in RFC 2373.</p> |
| 739 |
|
|
|
| 740 |
|
|
<p>It is possible to specify IP address ranges in $min_address-$max_address form. If specifying in range, $min_address has to be smaller or equals to $max_address. For example, 1.2.3.4-5.6.7.8 is valid but 5.6.7.8-1.2.3.4 is invalid.</p> |
| 741 |
|
|
|
| 742 |
|
|
<p>It is possible to group IP address and IP address range using "<a href="#ipaddr_comparison">ip_group</a>" syntax.</p> |
| 743 |
|
|
|
| 744 |
|
|
<h2><a name="conditions">2. About conditional expressions</a></h2> |
| 745 |
|
|
|
| 746 |
|
|
<p>Valid conditions are determined by "operation". See <a href="#syntax_list">List of syntaxes sorted by operations</a> for "operation".</p> |
| 747 |
|
|
|
| 748 |
|
|
<p>Some examples are shown below. Details of conditions are explained later.</p> |
| 749 |
|
|
|
| 750 |
|
|
<table border="1"> |
| 751 |
|
|
<tr><td>Example of policy</td><td>Meaning</td></tr> |
| 752 |
|
|
<tr><td>acl execute</td><td>Execution of any program</td></tr> |
| 753 |
|
|
<tr><td>acl execute task.uid=0</td><td>Execution of any program by current thread's user ID is 0</td></tr> |
| 754 |
|
|
<tr><td>acl execute task.uid=0 task.gid=0</td><td>Execution of any program by current thread's user ID and group ID are both 0</td></tr> |
| 755 |
|
|
<tr><td>acl execute path="/bin/true"</td><td>Execution of any program where normalized pathname is /bin/true .</td></tr> |
| 756 |
|
|
<tr><td>acl execute path="/bin/true" argv[1]="--help"</td><td>Execution of any program where normalized pathname is /bin/true and the first command line argument is --help</td></tr> |
| 757 |
|
|
<tr><td>acl execute task.uid=0 path="/sbin/init"</td><td>Execution of any program where normalized pathname is /sbin/init by current thread's user ID is 0</td></tr> |
| 758 |
|
|
</table> |
| 759 |
|
|
|
| 760 |
|
|
<p>Basically conditions are omissible. But a few "operation" have mandatory conditions and parameters which controls behavior after policy matches. Such conditions/parameters are explained in individual topics.</p> |
| 761 |
|
|
|
| 762 |
|
|
<h3><a name="string_comparison">2.1. Conditional expressions which handle string parameters</a></h3> |
| 763 |
|
|
|
| 764 |
|
|
<p>Number of parameters which is represented as string data depends on "operation". For example, "read" operation has one and "rename" operation has two. Thus, the name of variables which references string data varies on "operation". See <a href="#syntax_list">List of syntaxes sorted by operations</a> for name of variables that handle string data. Below description assumes that the name of variable is "path".</p> |
| 765 |
|
|
|
| 766 |
|
|
<p>Comparison with string data is defined as below.</p> |
| 767 |
|
|
|
| 768 |
|
|
<table border="1"> |
| 769 |
|
|
<tr><td>Conditions example</td><td>Value of variable "path"</td><td>Comparison result</td></tr> |
| 770 |
|
|
<tr><td rowspan="5">path="/tmp/\*"</td> |
| 771 |
|
|
<td>/</td><td>Does not match</td></tr> |
| 772 |
|
|
<tr><td>/tmp</td><td>Does not match</td></tr> |
| 773 |
|
|
<tr><td>/tmp/</td><td>Matches</td></tr> |
| 774 |
|
|
<tr><td>/tmp/rt6bh84t</td><td>Matches</td></tr> |
| 775 |
|
|
<tr><td>/tmp/349gy08t/y8024fgf</td><td>Does not match</td></tr> |
| 776 |
|
|
<tr><td rowspan="5">path!="/tmp/\*"</td> |
| 777 |
|
|
<td>/</td><td>Matches</td></tr> |
| 778 |
|
|
<tr><td>/tmp</td><td>Matches</td></tr> |
| 779 |
|
|
<tr><td>/tmp/</td><td>Does not match</td></tr> |
| 780 |
|
|
<tr><td>/tmp/rt6bh84t</td><td>Does not match</td></tr> |
| 781 |
|
|
<tr><td>/tmp/349gy08t/y8024fgf</td><td>Matches</td></tr> |
| 782 |
|
|
</table> |
| 783 |
|
|
|
| 784 |
|
|
<p>If a string_group group named TMPDIR is defined as</p> |
| 785 |
|
|
|
| 786 |
|
|
<table border="1"> |
| 787 |
|
|
<tr><td> |
| 788 |
|
|
string_group TMPDIR /tmp<br> |
| 789 |
|
|
string_group TMPDIR /tmp/\(\*\)/\* |
| 790 |
|
|
</td></tr> |
| 791 |
|
|
</table> |
| 792 |
|
|
|
| 793 |
|
|
<p>it is possible to define conditions like below.</p> |
| 794 |
|
|
|
| 795 |
|
|
<table border="1"> |
| 796 |
|
|
<tr><td>Conditions example</td><td>Value of variable "path"</td><td>Value of TMPDIR group</td><td>Comparison result</td></tr> |
| 797 |
|
|
<tr><td rowspan="4">path=@TMPDIR</td> |
| 798 |
|
|
<td>/</td><td rowspan="4">/tmp<br>/tmp/\(\*\)/\*</td><td>Does not match</td></tr> |
| 799 |
|
|
<tr><td>/tmp</td><td>Matches</td></tr> |
| 800 |
|
|
<tr><td>/tmp/rt6bh84t</td><td>Matches</td></tr> |
| 801 |
|
|
<tr><td>/tmp/349gy08t/y8024fgf</td><td>Matches</td></tr> |
| 802 |
|
|
<tr><td rowspan="4">path!=@TMPDIR</td> |
| 803 |
|
|
<td>/</td><td rowspan="4">/tmp<br>/tmp/\(\*\)/\*</td><td>Matches</td></tr> |
| 804 |
|
|
<tr><td>/tmp</td><td>Does not match</td></tr> |
| 805 |
|
|
<tr><td>/tmp/rt6bh84t</td><td>Does not match</td></tr> |
| 806 |
|
|
<tr><td>/tmp/349gy08t/y8024fgf</td><td>Does not match</td></tr> |
| 807 |
|
|
</table> |
| 808 |
|
|
|
| 809 |
|
|
<h3><a name="integer_comparison">2.2. Conditional expressions which handle numeric parameters</a></h3> |
| 810 |
|
|
|
| 811 |
|
|
<p>Number of parameters which is represented as numeric data depends on "operation". For example, "create" operation has one and "mkblock" operation has three. Thus, the name of variables which references numeric parameters varies on "operation". See <a href="#syntax_list">List of syntaxes sorted by operations</a> for name of variables that handle numeric data. Below description uses "task.uid" (which references current thread's user ID) and "task.gid" (which references current thread's group ID) as an example.</p> |
| 812 |
|
|
|
| 813 |
|
|
<p>Comparison with numeric value is defined as below.</p> |
| 814 |
|
|
|
| 815 |
|
|
<table border="1"> |
| 816 |
|
|
<tr><td>Conditions example</td><td>Value of variable "task.uid"</td><td>Comparison result</td></tr> |
| 817 |
|
|
<tr><td rowspan="3">task.uid=0</td> |
| 818 |
|
|
<td>0</td><td>Matches</td></tr> |
| 819 |
|
|
<tr><td>100</td><td>Does not match</td></tr> |
| 820 |
|
|
<tr><td>500</td><td>Does not match</td></tr> |
| 821 |
|
|
<tr><td rowspan="3">task.uid!=0</td> |
| 822 |
|
|
<td>0</td><td>Does not match</td></tr> |
| 823 |
|
|
<tr><td>100</td><td>Matches</td></tr> |
| 824 |
|
|
<tr><td>500</td><td>Matches</td></tr> |
| 825 |
|
|
</table> |
| 826 |
|
|
|
| 827 |
|
|
<p>Comparison with numeric value range is defined as below.</p> |
| 828 |
|
|
|
| 829 |
|
|
<table border="1"> |
| 830 |
|
|
<tr><td>Conditions example</td><td>Value of variable "task.gid"</td><td>Comparison result</td></tr> |
| 831 |
|
|
<tr><td rowspan="3">task.gid=0-100</td> |
| 832 |
|
|
<td>0</td><td>Matches</td></tr> |
| 833 |
|
|
<tr><td>100</td><td>Matches</td></tr> |
| 834 |
|
|
<tr><td>500</td><td>Does not match</td></tr> |
| 835 |
|
|
<tr><td rowspan="3">task.gid!=0-100</td><td>0</td><td>Does not match</td></tr> |
| 836 |
|
|
<tr><td>100</td><td>Does not match</td></tr> |
| 837 |
|
|
<tr><td>500</td><td>Matches</td></tr> |
| 838 |
|
|
</table> |
| 839 |
|
|
|
| 840 |
|
|
<p>It is possible to compare one variable which references numeric value with another variable which references numeric value.</p> |
| 841 |
|
|
|
| 842 |
|
|
<table border="1"> |
| 843 |
|
|
<tr><td>Conditions example</td><td>Value of variable "task.uid"</td><td>Value of variable "task.gid"</td><td>Comparison result</td></tr> |
| 844 |
|
|
<tr><td rowspan="4">task.uid=task.gid</td> |
| 845 |
|
|
<td>0</td><td>0</td><td>Matches</td></tr> |
| 846 |
|
|
<tr><td>0</td><td>100</td><td>Does not match</td></tr> |
| 847 |
|
|
<tr><td>100</td><td>0</td><td>Does not match</td></tr> |
| 848 |
|
|
<tr><td>100</td><td>100</td><td>Matches</td></tr> |
| 849 |
|
|
<tr><td rowspan="4">task.uid!=task.gid</td> |
| 850 |
|
|
<td>0</td><td>0</td><td>Does not match</td></tr> |
| 851 |
|
|
<tr><td>0</td><td>100</td><td>Matches</td></tr> |
| 852 |
|
|
<tr><td>100</td><td>0</td><td>Matches</td></tr> |
| 853 |
|
|
<tr><td>100</td><td>100</td><td>Does not match</td></tr> |
| 854 |
|
|
</table> |
| 855 |
|
|
|
| 856 |
|
|
<p>If a number_group group named ID_GROUP is defined as</p> |
| 857 |
|
|
|
| 858 |
|
|
<table border="1"> |
| 859 |
|
|
<tr><td> |
| 860 |
|
|
number_group ID_GROUP 100<br> |
| 861 |
|
|
number_group ID_GROUP 200-500 |
| 862 |
|
|
</td></tr> |
| 863 |
|
|
</table> |
| 864 |
|
|
|
| 865 |
|
|
<p>it is possible to define conditions like below.</p> |
| 866 |
|
|
|
| 867 |
|
|
<table border="1"> |
| 868 |
|
|
<tr><td>Conditions example</td><td>Value of variable "task.uid"</td><td>Values in ID_GROUP group</td><td>Comparison result</td></tr> |
| 869 |
|
|
<tr><td rowspan="4">task.uid=@ID_GROUP</td> |
| 870 |
|
|
<td>0</td><td rowspan="4">100<br>200-500</td><td>Does not match</td></tr> |
| 871 |
|
|
<tr><td>100</td><td>Matches</td></tr> |
| 872 |
|
|
<tr><td>500</td><td>Matches</td></tr> |
| 873 |
|
|
<tr><td>1000</td><td>Does not match</td></tr> |
| 874 |
|
|
<tr><td rowspan="4">task.uid!=@ID_GROUP</td> |
| 875 |
|
|
<td>0</td><td rowspan="4">100<br>200-500</td><td>Matches</td></tr> |
| 876 |
|
|
<tr><td>100</td><td>Does not match</td></tr> |
| 877 |
|
|
<tr><td>500</td><td>Does not match</td></tr> |
| 878 |
|
|
<tr><td>1000</td><td>Matches</td></tr> |
| 879 |
|
|
</table> |
| 880 |
|
|
|
| 881 |
|
|
<h3><a name="ipaddr_comparison">2.3. Conditional expressions which handle IP address parameters</a></h3> |
| 882 |
|
|
|
| 883 |
|
|
<p>Any "operation" which handles IPv4/IPv6 network address can check IP address using variable "ip". See <a href="#syntax_list">List of syntaxes sorted by operations</a> for operations that can handle IP address.</p> |
| 884 |
|
|
|
| 885 |
|
|
<p>Comparison with IP address value is defined as below. Note that comparison between an IPv4 address and an IPv6 address does not match.</p> |
| 886 |
|
|
|
| 887 |
|
|
<table border="1"> |
| 888 |
|
|
<tr><td>Conditions example</td><td>Value of variable "ip"</td><td>Comparison result</td></tr> |
| 889 |
|
|
<tr><td rowspan="4">ip=127.0.0.1</td><td>127.0.0.1</td><td>Matches</td></tr> |
| 890 |
|
|
<tr><td>0.0.0.0</td><td>Does not match</td></tr> |
| 891 |
|
|
<tr><td>::1</td><td>Does not match</td></tr> |
| 892 |
|
|
<tr><td>::ffff:127.0.0.1</td><td>Does not match</td></tr> |
| 893 |
|
|
<tr><td rowspan="4">ip!=127.0.0.1</td><td>127.0.0.1</td><td>Does not match</td></tr> |
| 894 |
|
|
<tr><td>0.0.0.0</td><td>Matches</td></tr> |
| 895 |
|
|
<tr><td>::1</td><td>Does not match</td></tr> |
| 896 |
|
|
<tr><td>::ffff:127.0.0.1</td><td>Does not match</td></tr> |
| 897 |
|
|
<tr><td rowspan="4">ip=::1</td><td>127.0.0.1</td><td>Does not match</td></tr> |
| 898 |
|
|
<tr><td>0.0.0.0</td><td>Does not match</td></tr> |
| 899 |
|
|
<tr><td>::1</td><td>Matches</td></tr> |
| 900 |
|
|
<tr><td>::ffff:127.0.0.1</td><td>Does not match</td></tr> |
| 901 |
|
|
<tr><td rowspan="4">ip!=::1</td><td>127.0.0.1</td><td>Does not match</td></tr> |
| 902 |
|
|
<tr><td>0.0.0.0</td><td>Does not match</td></tr> |
| 903 |
|
|
<tr><td>::1</td><td>Does not match</td></tr> |
| 904 |
|
|
<tr><td>::ffff:127.0.0.1</td><td>Matches</td></tr> |
| 905 |
|
|
</table> |
| 906 |
|
|
|
| 907 |
|
|
<p>Comparison with IP address range is defined as below.</p> |
| 908 |
|
|
|
| 909 |
|
|
<table border="1"> |
| 910 |
|
|
<tr><td>Conditions example</td><td>Value of variable "ip"</td><td>Comparison result</td></tr> |
| 911 |
|
|
<tr><td rowspan="3">ip=127.0.0.0-127.255.255.255</td> |
| 912 |
|
|
<td>127.0.0.1</td><td>Matches</td></tr> |
| 913 |
|
|
<tr><td>10.0.0.1</td><td>Does not match</td></tr> |
| 914 |
|
|
<tr><td>::ffff:127.0.0.1</td><td>Does not match</td></tr> |
| 915 |
|
|
<tr><td rowspan="3">ip!=127.0.0.0-127.255.255.255</td> |
| 916 |
|
|
<td>127.0.0.1</td><td>Does not match</td></tr> |
| 917 |
|
|
<tr><td>10.0.0.1</td><td>Matches</td></tr> |
| 918 |
|
|
<tr><td>::ffff:127.0.0.1</td><td>Does not match</td></tr> |
| 919 |
|
|
<tr><td rowspan="3">ip=::-::1</td><td>::ffff:127.0.0.1</td><td>Does not match</td></tr> |
| 920 |
|
|
<tr><td>127.0.0.1</td><td>Does not match</td></tr> |
| 921 |
|
|
<tr><td>::1</td><td>Matches</td></tr> |
| 922 |
|
|
<tr><td rowspan="3">ip!=::-::1</td><td>::ffff:127.0.0.1</td><td>Matches</td></tr> |
| 923 |
|
|
<tr><td>127.0.0.1</td><td>Does not match</td></tr> |
| 924 |
|
|
<tr><td>::1</td><td>Does not match</td></tr> |
| 925 |
|
|
</table> |
| 926 |
|
|
|
| 927 |
|
|
<p>If an ip_group group named PRIVATE_ADDRESS is defined as</p> |
| 928 |
|
|
|
| 929 |
|
|
<table border="1"> |
| 930 |
|
|
<tr><td> |
| 931 |
|
|
ip_group PRIVATE_ADDRESS 10.0.0.0-10.255.255.255<br> |
| 932 |
|
|
ip_group PRIVATE_ADDRESS 172.16.0.0-172.31.255.255<br> |
| 933 |
|
|
ip_group PRIVATE_ADDRESS 192.168.0.0-192.168.255.255<br> |
| 934 |
|
|
ip_group PRIVATE_ADDRESS fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff |
| 935 |
|
|
</td></tr> |
| 936 |
|
|
</table> |
| 937 |
|
|
|
| 938 |
|
|
<p>it is possible to define conditions like below.</p> |
| 939 |
|
|
|
| 940 |
|
|
<table border="1"> |
| 941 |
|
|
<tr><td>Conditions example</td><td>Value of variable "ip"</td><td>Values in PRIVATE_ADDRESS group</td><td>Comparison result</td></tr> |
| 942 |
|
|
<tr><td rowspan="5">ip=@PRIVATE_ADDRESS</td> |
| 943 |
|
|
<td>127.0.0.1</td><td rowspan="5">10.0.0.0-10.255.255.255<br>172.16.0.0-172.31.255.255<br>192.168.0.0-192.168.255.255<br>fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff</td><td>Does not match</td></tr> |
| 944 |
|
|
<tr><td>10.0.0.1</td><td>Matches</td></tr> |
| 945 |
|
|
<tr><td>192.168.0.1</td><td>Matches</td></tr> |
| 946 |
|
|
<tr><td>::ffff:172.16.0.1</td><td>Does not match</td></tr> |
| 947 |
|
|
<tr><td>fd01::</td><td>Matches</td></tr> |
| 948 |
|
|
<tr><td rowspan="5">ip!=@PRIVATE_ADDRESS</td><td>127.0.0.1</td><td rowspan="5">10.0.0.0-10.255.255.255<br>172.16.0.0-172.31.255.255<br>192.168.0.0-192.168.255.255<br>fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff</td><td>Matches</td></tr> |
| 949 |
|
|
<tr><td>10.0.0.1</td><td>Does not match</td></tr> |
| 950 |
|
|
<tr><td>::ffff:192.168.0.1</td><td>Matches</td></tr> |
| 951 |
|
|
<tr><td>::ffff:127.0.0.1</td><td>Matches</td></tr> |
| 952 |
|
|
<tr><td>fd01::</td><td>Does not match</td></tr> |
| 953 |
|
|
</table> |
| 954 |
|
|
|
| 955 |
|
|
<h3><a name="task_attributes_comparison">2.4. Conditional expressions which handle current thread's attributes</a></h3> |
| 956 |
|
|
|
| 957 |
|
|
<p>It is possible to use current thread's attributes as part of conditions. Below variables are always available.</p> |
| 958 |
|
|
|
| 959 |
|
|
<table border="1"> |
| 960 |
|
|
<tr><td>Variable's name</td><td>Comparison method</td><td>Meaning</td><td></td></tr> |
| 961 |
|
|
<tr><td>task.uid</td><td><a href="#integer_comparison">Numeric</a></td><td>Current thread's user ID</td></tr> |
| 962 |
|
|
<tr><td>task.gid</td><td><a href="#integer_comparison">Numeric</a></td><td>Current thread's group ID</td></tr> |
| 963 |
|
|
<tr><td>task.euid</td><td><a href="#integer_comparison">Numeric</a></td><td>Current thread's effective user ID</td></tr> |
| 964 |
|
|
<tr><td>task.egid</td><td><a href="#integer_comparison">Numeric</a></td><td>Current thread's effective group ID</td></tr> |
| 965 |
|
|
<tr><td>task.suid</td><td><a href="#integer_comparison">Numeric</a></td><td>Current thread's saved user ID</td></tr> |
| 966 |
|
|
<tr><td>task.sgid</td><td><a href="#integer_comparison">Numeric</a></td><td>Current thread's saved group ID</td></tr> |
| 967 |
|
|
<tr><td>task.fsuid</td><td><a href="#integer_comparison">Numeric</a></td><td>Current thread's filesystem user ID</td></tr> |
| 968 |
|
|
<tr><td>task.fsgid</td><td><a href="#integer_comparison">Numeric</a></td><td>Current thread's filesystem group ID</td></tr> |
| 969 |
|
|
<tr><td>task.pid</td><td><a href="#integer_comparison">Numeric</a></td><td>Current thread's process ID </td></tr> |
| 970 |
|
|
<tr><td>task.ppid</td><td><a href="#integer_comparison">Numeric</a></td><td>Process ID of current thread's parent process</td></tr> |
| 971 |
|
|
<tr><td>task.exe</td><td><a href="#string_comparison">String</a></td><td>Current thread's program name (the content of /proc/self/exe)</td></tr> |
| 972 |
|
|
<tr><td>task.domain</td><td><a href="#string_comparison">String</a></td><td>Current thread's domainname (the content of /proc/caitsith/self_domain)</td></tr> |
| 973 |
|
|
<tr><td>task.type</td><td>Literal</td><td>Matches execute_handler if running as an execute handler, does not match execute_handler otherwise</td></tr> |
| 974 |
|
|
</table> |
| 975 |
|
|
|
| 976 |
|
|
<h3><a name="argv_comparison">2.5. Conditional expressions which handle command line arguments</a></h3> |
| 977 |
|
|
|
| 978 |
|
|
<p>It is possible to check command line arguments (a.k.a. argv[]) when checking permissions for program execution.</p> |
| 979 |
|
|
|
| 980 |
|
|
<table border="1"> |
| 981 |
|
|
<tr><td>Conditions example</td><td>Comparison method</td><td>Meaning</td><td></td></tr> |
| 982 |
|
|
<tr><td>argv[0]="true"</td><td><a href="#string_comparison">String</a></td><td>argv[0] matches "true"</td></tr> |
| 983 |
|
|
<tr><td>argv[0]!="false"</td><td><a href="#string_comparison">String</a></td><td>argv[0] does not match "false"</td></tr> |
| 984 |
|
|
<tr><td>argv[1]=@ARGV1_GROUPS</td><td><a href="#string_comparison">String</a></td><td>argv[0] matches one of strings in string_group ARGV1_GROUPS group</td></tr> |
| 985 |
|
|
<tr><td>argv[1]!=@ARGV1_GROUPS</td><td><a href="#string_comparison">String</a></td><td>argv[0] matches none of strings in string_group ARGV1_GROUPS group</td></tr> |
| 986 |
|
|
</table> |
| 987 |
|
|
|
| 988 |
|
|
<p>Applications can pass a string data up to 32 * PAGE_SIZE bytes to each argv[]. But due to difficulty of allocating contiguous memory in the kernel, only up to 4085 bytes can be checked using variable "argv[$index]". If you want to check strictly, please consider using handler= argument of "allow " lines in "acl execute" block.</p> |
| 989 |
|
|
|
| 990 |
|
|
<h3><a name="envp_comparison">2.6. Conditional expressions which handle environment variable arguments</a></h3> |
| 991 |
|
|
|
| 992 |
|
|
<p>It is possible to check environment variables (a.k.a. envp[]) when checking permissions for program execution.</p> |
| 993 |
|
|
|
| 994 |
|
|
<table border="1"> |
| 995 |
|
|
<tr><td>Conditions example</td><td>Comparison method</td><td>Meaning</td><td></td></tr> |
| 996 |
|
|
<tr><td>envp["PATH"]="/"</td><td><a href="#string_comparison">String</a></td><td>Environment variable PATH is defined and its value is "/"</td></tr> |
| 997 |
|
|
<tr><td>envp["PATH"]!="/"</td><td><a href="#string_comparison">String</a></td><td>Either<br> Environment variable PATH is not defined<br>or<br> Environment variable PATH is defined but its value is not "/"</td></tr> |
| 998 |
|
|
<tr><td>envp["PATH"]=@ENV_PATH_VALUES</td><td><a href="#string_comparison">String</a></td><td>Environment variable PATH is defined and its value matches one of strings in string_group ENVP_PATH_VALUES group</td></tr> |
| 999 |
|
|
<tr><td>envp["PATH"]!=@ENV_PATH_VALUES</td><td><a href="#string_comparison">String</a></td><td>Either<br> Environment variable PATH is not defined<br>or<br> Environment variable PATH is defined but its value matches none of strings in string_group ENVP_PATH_VALUES group</td></tr> |
| 1000 |
|
|
<tr><td>envp["PATH"]=NULL</td><td>None</td><td>Environment variable PATH is not defined</td></tr> |
| 1001 |
|
|
<tr><td>envp["PATH"]!=NULL</td><td>None</td><td>Environment variable PATH is not defined</td></tr> |
| 1002 |
|
|
</table> |
| 1003 |
|
|
|
| 1004 |
|
|
<p>Applications can pass a string data up to 32 * PAGE_SIZE bytes to each envp[]. But due to difficulty of allocating contiguous memory in the kernel, only up to 4085 bytes can be checked using variable "envp["$name"]". If you want to check strictly, please consider using handler= argument of "allow " lines in "acl execute" block.</p> |
| 1005 |
|
|
|
| 1006 |
|
|
<h3><a name="dac_permission_comparison">2.7. Conditional expressions which handle file's DAC permissions</a></h3> |
| 1007 |
|
|
|
| 1008 |
|
|
<p>When checking permissions for file related operations, it is possible to check its DAC permissions if the file already exists as of permission check. |
| 1009 |
|
|
Below table assumes that the variable name for referencing the requested pathname is "path".</p> |
| 1010 |
|
|
|
| 1011 |
|
|
<p>Value of DAC permissions can be referenced using variable "path.perm", and its value is between 0 and 07777. Although it is possible to do normal <a href="#integer_comparison">numeric comparison</a>, below constants are provided in order to make it easier to compare whether specific bit is set or not.</p> |
| 1012 |
|
|
|
| 1013 |
|
|
<table border="1"> |
| 1014 |
|
|
<tr><td>Constant</td><td>Value ranges that match </td></tr> |
| 1015 |
|
|
<tr><td>setuid</td><td>Values where bitwise AND between path.perm and 04000 are 04000. (i.e. 04000-07777)</td></tr> |
| 1016 |
|
|
<tr><td>setgid</td><td>Values where bitwise AND between path.perm and 02000 are 02000. (i.e. 02000-03777 06000-07777)</td></tr> |
| 1017 |
|
|
<tr><td>sticky</td><td>Values where bitwise AND between path.perm and 01000 are 01000. (i.e. 01000-01777 03000-03777 05000-05777 07000-07777)</td></tr> |
| 1018 |
|
|
<tr><td>owner_read</td><td>Values where bitwise AND between path.perm and 00400 are 00400. (e.g. 00400-00777 01400-01777 02400-02777)</td></tr> |
| 1019 |
|
|
<tr><td>owner_write</td><td>Values where bitwise AND between path.perm and 00200 are 00200. (e.g. 00200-00377 00600-00777 01200-01377)</td></tr> |
| 1020 |
|
|
<tr><td>owner_execute</td><td>Values where bitwise AND between path.perm and 00100 are 00100. (e.g. 00100-00177 00300-00377 00500-00577)</td></tr> |
| 1021 |
|
|
<tr><td>group_read</td><td>Values where bitwise AND between path.perm and 00040 are 00040. (e.g. 00040-00077 00140-00177 00240-00277)</td></tr> |
| 1022 |
|
|
<tr><td>group_write</td><td>Values where bitwise AND between path.perm and 00020 are 00020. (e.g. 00020-00037 00060-00077 00120-00137)</td></tr> |
| 1023 |
|
|
<tr><td>group_execute</td><td>Values where bitwise AND between path.perm and 00010 are 00010. (e.g. 00010-00017 00030-00037 00050-00057)</td></tr> |
| 1024 |
|
|
<tr><td>others_read</td><td>Values where bitwise AND between path.perm and 00004 are 00004. (e.g. 00004-00007 00014-00017 00024-00027)</td></tr> |
| 1025 |
|
|
<tr><td>others_write</td><td>Values where bitwise AND between path.perm and 00002 are 00002. (e.g. 00002-00003 00006-00007 00012-00013)</td></tr> |
| 1026 |
|
|
<tr><td>others_execute</td><td>Values where bitwise AND between path.perm and 00001 are 00001. (e.g. 00001 00003 00005 00007 00011 00013)</td></tr> |
| 1027 |
|
|
</table> |
| 1028 |
|
|
|
| 1029 |
|
|
<p>Below are some examples that use constants.</p> |
| 1030 |
|
|
|
| 1031 |
|
|
<table border="1"> |
| 1032 |
|
|
<tr><td>Conditions example</td><td>Permissions of file referenced by variable "path"</td><td>Comparison result</td></tr> |
| 1033 |
|
|
<tr><td>path.perm=setuid</td><td>04755</td><td>Matches</td></tr> |
| 1034 |
|
|
<tr><td>path.perm!=setuid</td><td>04755</td><td>Does not match</td></tr> |
| 1035 |
|
|
<tr><td>path.perm=setuid path.perm=setgid path.perm=sticky</td><td>0755</td><td>Does not match</td></tr> |
| 1036 |
|
|
<tr><td>path.perm!=setuid path.perm!=setgid path.perm!=sticky</td><td>0755</td><td>Matches</td></tr> |
| 1037 |
|
|
</table> |
| 1038 |
|
|
|
| 1039 |
|
|
<h3><a name="file_type_comparison">2.8. Conditional expressions which handle file's type</a></h3> |
| 1040 |
|
|
|
| 1041 |
|
|
<p>When checking permissions for file related operations, it is possible to check its type if the file already exists as of permission check. |
| 1042 |
|
|
Below table assumes that the variable name for referencing the requested pathname is "path".</p> |
| 1043 |
|
|
|
| 1044 |
|
|
<p>Type of a file can be referenced using variable "path.type", and its value takes one of "file", "directory", "socket", "fifo", "block", "char", "symlink".</p> |
| 1045 |
|
|
|
| 1046 |
|
|
<table border="1"> |
| 1047 |
|
|
<tr><td>Possible conditions</td><td>Type of file referenced by variable "path"</td><td>Comparison result</td></tr> |
| 1048 |
|
|
<tr><td>path.type=file</td><td>Regular file</td><td>Matches</td></tr> |
| 1049 |
|
|
<tr><td>path.type!=file</td><td>Other than regular file</td><td>Matches</td></tr> |
| 1050 |
|
|
<tr><td>path.type=directory</td><td>Directory</td><td>Matches</td></tr> |
| 1051 |
|
|
<tr><td>path.type!=directory</td><td>Other than directory</td><td>Matches</td></tr> |
| 1052 |
|
|
<tr><td>path.type=socket</td><td>Unix domain socket</td><td>Matches</td></tr> |
| 1053 |
|
|
<tr><td>path.type!=socket</td><td>Other than Unix domain socket</td><td>Matches</td></tr> |
| 1054 |
|
|
<tr><td>path.type=fifo</td><td>FIFO</td><td>Matches</td></tr> |
| 1055 |
|
|
<tr><td>path.type!=fifo</td><td>Other than FIFO</td><td>Matches</td></tr> |
| 1056 |
|
|
<tr><td>path.type=block</td><td>Block device file</td><td>Matches</td></tr> |
| 1057 |
|
|
<tr><td>path.type!=block</td><td>Other than block device file</td><td>Matches</td></tr> |
| 1058 |
|
|
<tr><td>path.type=char</td><td>Character device file</td><td>Matches</td></tr> |
| 1059 |
|
|
<tr><td>path.type!=char</td><td>Other than character device file</td><td>Matches</td></tr> |
| 1060 |
|
|
<tr><td>path.type=symlink</td><td>Symbolic link</td><td>Matches</td></tr> |
| 1061 |
|
|
<tr><td>path.type!=symlink</td><td>Other than symbolic link</td><td>Matches</td></tr> |
| 1062 |
|
|
</table> |
| 1063 |
|
|
|
| 1064 |
|
|
<h3><a name="file_attributes_comparison">2.9. Conditional expressions which handle file's attributes</a></h3> |
| 1065 |
|
|
|
| 1066 |
|
|
<p>When checking permissions for file related operations, it is possible to check its attributes if the file already exists as of permission check. |
| 1067 |
|
|
Below table assumes that the variable name for referencing the requested pathname is "path".</p> |
| 1068 |
|
|
|
| 1069 |
|
|
<table border="1"> |
| 1070 |
|
|
<tr><td>Variable's name</td><td>Comparison method</td><td>Meaning</td></tr> |
| 1071 |
|
|
<tr><td>path.uid</td><td><a href="#integer_comparison">Numeric</a></td><td>Owner ID</td></tr> |
| 1072 |
|
|
<tr><td>path.gid</td><td><a href="#integer_comparison">Numeric</a></td><td>Group ID</td></tr> |
| 1073 |
|
|
<tr><td>path.ino</td><td><a href="#integer_comparison">Numeric</a></td><td>i-node number on the filesystem</td></tr> |
| 1074 |
|
|
<tr><td>path.major</td><td><a href="#integer_comparison">Numeric</a></td><td>Device major number on the filesystem</td></tr> |
| 1075 |
|
|
<tr><td>path.minor</td><td><a href="#integer_comparison">Numeric</a></td><td>Device minor number on the filesystem</td></tr> |
| 1076 |
|
|
<tr><td>path.perm</td><td><a href="#dac_permission_comparison">Permission</a></td><td>DAC permissions</td></tr> |
| 1077 |
|
|
<tr><td>path.type</td><td><a href="#file_type_comparison">File's type</a></td><td>Type of the file</td></tr> |
| 1078 |
|
|
<tr><td>path.dev_major</td><td><a href="#integer_comparison">Numeric</a></td><td>Device major number of the file if path.type=block or path.type=char</td></tr> |
| 1079 |
|
|
<tr><td>path.dev_minor</td><td><a href="#integer_comparison">Numeric</a></td><td>Device minor number of the file if path.type=block or path.type=char</td></tr> |
| 1080 |
|
|
<tr><td>path.fsmagic</td><td><a href="#integer_comparison">Numeric</a></td><td>Magic number of filesystem</td></tr> |
| 1081 |
|
|
</table> |
| 1082 |
|
|
|
| 1083 |
|
|
<p>When checking permissions for file related operations, it is possible to also check its parent directory's attributes. |
| 1084 |
|
|
Below table assumes that the variable name for referencing the requested pathname is "path".</p> |
| 1085 |
|
|
|
| 1086 |
|
|
<table border="1"> |
| 1087 |
|
|
<tr><td>Variable's name</td><td>Comparison method</td><td>Meaning</td></tr> |
| 1088 |
|
|
<tr><td>path.parent.uid</td><td><a href="#integer_comparison">Numeric</a></td><td>Owner ID</td></tr> |
| 1089 |
|
|
<tr><td>path.parent.gid</td><td><a href="#integer_comparison">Numeric</a></td><td>Group ID</td></tr> |
| 1090 |
|
|
<tr><td>path.parent.ino</td><td><a href="#integer_comparison">Numeric</a></td><td>i-node number on the filesystem</td></tr> |
| 1091 |
|
|
<tr><td>path.parent.major</td><td><a href="#integer_comparison">Numeric</a></td><td>Device major number on the filesystem</td></tr> |
| 1092 |
|
|
<tr><td>path.parent.minor</td><td><a href="#integer_comparison">Numeric</a></td><td>Device minor number on the filesystem</td></tr> |
| 1093 |
|
|
<tr><td>path.parent.perm</td><td><a href="#dac_permission_comparison">Permission</a></td><td>DAC permissions</td></tr> |
| 1094 |
|
|
<tr><td>path.parent.fsmagic</td><td><a href="#integer_comparison">Numeric</a></td><td>Magic number of filesystem</td></tr> |
| 1095 |
|
|
</table> |
| 1096 |
|
|
|
| 1097 |
|
|
<p>It does not make sense to use path.parent.type path.parent.dev_major path.parent.dev_minor because path.parent is always a directory.</p> |
| 1098 |
|
|
|
| 1099 |
|
|
<p>If path refers a mount point (root of directory entry tree within that partition), path.parent refers the same path rather than referring mount point's parent.</p> |
| 1100 |
|
|
|
| 1101 |
|
|
<h2><a name="syntax_list">3. List of syntaxes sorted by operations</a></h2> |
| 1102 |
|
|
|
| 1103 |
|
|
<table border="1"> |
| 1104 |
|
|
<tr><td>Operation</td><td>Meaning</td><td>Available variables</td><td>Content of variable</td><td>Related man pages</td></tr> |
| 1105 |
|
|
|
| 1106 |
|
|
<tr><td rowspan="11">execute</td><td rowspan="11">Execute a program</td><td><a href="#string_comparison">path</a></td><td>Requested program's pathname</td><td rowspan="11">execve(2)</td></tr> |
| 1107 |
|
|
<tr><td><a href="#file_attributes_comparison">path.$attribute</a></td><td>Attributes of an object referenced by variable "path"</td></tr> |
| 1108 |
|
|
<tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</tr> |
| 1109 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1110 |
|
|
<tr><td><a href="#string_comparison">exec</a></td><td>Requested program's pathname, but maybe a symbolic link</td></tr> |
| 1111 |
|
|
<tr><td><a href="#integer_comparison">argc</a></td><td>Number of command line arguments passed to this request</td></tr> |
| 1112 |
|
|
<tr><td><a href="#integer_comparison">envc</a></td><td>Number of environment variables arguments</td></tr> |
| 1113 |
|
|
<tr><td><a href="#argv_comparison">argv[$index]</a></td><td>$index'th (0 <= $index < argc) value of command line arguments</td></tr> |
| 1114 |
|
|
<tr><td><a href="#envp_comparison">envp["$name"]</a></td><td>Value of environment variable named $name</td></tr> |
| 1115 |
|
|
<tr><td>handler</td><td>Pathname of a wrapper program for preprocessing (available to only "allow" lines)</td></tr> |
| 1116 |
|
|
<tr><td>transition</td><td>New domainname to transit to if operation was successful (available to only "allow" lines)</td></tr> |
| 1117 |
|
|
|
| 1118 |
|
|
<tr><td rowspan="4">read</td><td rowspan="4">Open a pathname for reading</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="4">open(2)</td></tr> |
| 1119 |
|
|
<tr><td><a href="#file_attributes_comparison">path.$attribute</a></td><td>Attributes of an object referenced by variable "path"</td></tr> |
| 1120 |
|
|
<tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr> |
| 1121 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1122 |
|
|
|
| 1123 |
|
|
<tr><td rowspan="4">write</td><td rowspan="4">Open a pathname for writing</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="4">open(2)</td></tr> |
| 1124 |
|
|
<tr><td><a href="#file_attributes_comparison">path.$attribute</a></td><td>Attributes of an object referenced by variable "path"</td></tr> |
| 1125 |
|
|
<tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr> |
| 1126 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1127 |
|
|
|
| 1128 |
|
|
<tr><td rowspan="4">append</td><td rowspan="4">Open a pathname for appending</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="4">open(2)</td></tr> |
| 1129 |
|
|
<tr><td><a href="#file_attributes_comparison">path.$attribute</a></td><td>Attributes of an object referenced by variable "path"</td></tr> |
| 1130 |
|
|
<tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr> |
| 1131 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1132 |
|
|
|
| 1133 |
|
|
<tr><td rowspan="4">create</td><td rowspan="4">Create a regular file</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="4">open(2), mknod(2)</td></tr> |
| 1134 |
|
|
<tr><td><a href="#integer_comparison">perm</a></td><td>DAC permissions of a new object referenced by variable "path"</td></tr> |
| 1135 |
|
|
<tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr> |
| 1136 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1137 |
|
|
|
| 1138 |
|
|
<tr><td rowspan="4">unlink</td><td rowspan="4">Delete a non directory pathname</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="4">unlink(2)</td></tr> |
| 1139 |
|
|
<tr><td><a href="#file_attributes_comparison">path.$attribute</a></td><td>Attributes of an object referenced by variable "path"</td></tr> |
| 1140 |
|
|
<tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr> |
| 1141 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1142 |
|
|
|
| 1143 |
|
|
<tr><td rowspan="4">getattr</td><td rowspan="4">Get attributes of a pathname</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="4">stat(2)</td></tr> |
| 1144 |
|
|
<tr><td><a href="#file_attributes_comparison">path.$attribute</a></td><td>Attributes of an object referenced by variable "path"</td></tr> |
| 1145 |
|
|
<tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr> |
| 1146 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1147 |
|
|
|
| 1148 |
|
|
<tr><td rowspan="4">mkdir</td><td rowspan="4">Create a directory</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="4">mkdir(2)</td></tr> |
| 1149 |
|
|
<tr><td><a href="#integer_comparison">perm</a></td><td>DAC permissions of a new object referenced by variable "path"</td></tr> |
| 1150 |
|
|
<tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr> |
| 1151 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1152 |
|
|
|
| 1153 |
|
|
<tr><td rowspan="4">rmdir</td><td rowspan="4">Delete a directory pathname</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="4">rmdir(2)</td></tr> |
| 1154 |
|
|
<tr><td><a href="#file_attributes_comparison">path.$attribute</a></td><td>Attributes of an object referenced by variable "path"</td></tr> |
| 1155 |
|
|
<tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr> |
| 1156 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1157 |
|
|
|
| 1158 |
|
|
<tr><td rowspan="4">mkfifo</td><td rowspan="4">Create a FIFO</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="4">mknod(2)</td></tr> |
| 1159 |
|
|
<tr><td><a href="#integer_comparison">perm</a></td><td>DAC permissions of a new object referenced by variable "path"</td></tr> |
| 1160 |
|
|
<tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr> |
| 1161 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1162 |
|
|
|
| 1163 |
|
|
<tr><td rowspan="4">mksock</td><td rowspan="4">Create a Unix domain socket</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="4">mknod(2)</td></tr> |
| 1164 |
|
|
<tr><td><a href="#integer_comparison">perm</a></td><td>DAC permissions of a new object referenced by variable "path"</td></tr> |
| 1165 |
|
|
<tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr> |
| 1166 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1167 |
|
|
|
| 1168 |
|
|
<tr><td rowspan="4">truncate</td><td rowspan="4">Truncate a regular file</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="4">open(2), truncate(2)</td></tr> |
| 1169 |
|
|
<tr><td><a href="#file_attributes_comparison">path.$attribute</a></td><td>Attributes of an object referenced by variable "path"</td></tr> |
| 1170 |
|
|
<tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr> |
| 1171 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1172 |
|
|
|
| 1173 |
|
|
<tr><td rowspan="4">symlink</td><td rowspan="4">Create a symbolic link</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="4">symlink(2)</td></tr> |
| 1174 |
|
|
<tr><td><a href="#string_comparison">target</a></td><td>Symbolic link's content</td></tr> |
| 1175 |
|
|
<tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr> |
| 1176 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1177 |
|
|
|
| 1178 |
|
|
<tr><td rowspan="6">mkblock</td><td rowspan="6">Create a block device file</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="6">mknod(2)</td></tr> |
| 1179 |
|
|
<tr><td><a href="#integer_comparison">perm</a></td><td>DAC permissions of a new object referenced by variable "path"</td></tr> |
| 1180 |
|
|
<tr><td><a href="#integer_comparison">dev_major</a></td><td>Major device number of a new object referenced by variable "path"</td></tr> |
| 1181 |
|
|
<tr><td><a href="#integer_comparison">dev_minor</a></td><td>Minor device number of a new object referenced by variable "path"</td></tr> |
| 1182 |
|
|
<tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr> |
| 1183 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1184 |
|
|
|
| 1185 |
|
|
<tr><td rowspan="6">mkchar</td><td rowspan="6">Create a character device file</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="6">mknod(2)</td></tr> |
| 1186 |
|
|
<tr><td><a href="#integer_comparison">perm</a></td><td>DAC permissions of a new object referenced by variable "path"</td></tr> |
| 1187 |
|
|
<tr><td><a href="#integer_comparison">dev_major</a></td><td>Major device number of a new object referenced by variable "path"</td></tr> |
| 1188 |
|
|
<tr><td><a href="#integer_comparison">dev_minor</a></td><td>Minor device number of a new object referenced by variable "path"</td></tr> |
| 1189 |
|
|
<tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr> |
| 1190 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1191 |
|
|
|
| 1192 |
|
|
<tr><td rowspan="6">link</td><td rowspan="6">Create a link</td><td><a href="#string_comparison">old_path</a></td><td>Link source's pathname</td><td rowspan="6">link(2)</td></tr> |
| 1193 |
|
|
<tr><td><a href="#string_comparison">new_path</a></td><td>Link target's pathname</td></tr> |
| 1194 |
|
|
<tr><td><a href="#file_attributes_comparison">old_path.$attribute</a></td><td>Attributes of an object referenced by variable "old_path"</td></tr> |
| 1195 |
|
|
<tr><td><a href="#file_attributes_comparison">old_path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr> |
| 1196 |
|
|
<tr><td><a href="#file_attributes_comparison">new_path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr> |
| 1197 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1198 |
|
|
|
| 1199 |
|
|
<tr><td rowspan="6">rename</td><td rowspan="6">Rename a pathname</td><td><a href="#string_comparison">old_path</a></td><td>Old pathname</td><td rowspan="6">rename(2)</td></tr> |
| 1200 |
|
|
<tr><td><a href="#string_comparison">new_path</a></td><td>New pathname</td></tr> |
| 1201 |
|
|
<tr><td><a href="#file_attributes_comparison">old_path.$attribute</a></td><td>Attributes of an object referenced by variable "old_path"</td></tr> |
| 1202 |
|
|
<tr><td><a href="#file_attributes_comparison">old_path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr> |
| 1203 |
|
|
<tr><td><a href="#file_attributes_comparison">new_path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr> |
| 1204 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1205 |
|
|
|
| 1206 |
|
|
<tr><td rowspan="5">chmod</td><td rowspan="5">Change DAC's permission</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="5">chmod(2)</td></tr> |
| 1207 |
|
|
<tr><td><a href="#integer_comparison">perm</a></td><td>New DAC permissions of an object referenced by variable "path"</td></tr> |
| 1208 |
|
|
<tr><td><a href="#file_attributes_comparison">path.$attribute</a></td><td>Attributes of an object referenced by variable "path"</td></tr> |
| 1209 |
|
|
<tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr> |
| 1210 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1211 |
|
|
|
| 1212 |
|
|
<tr><td rowspan="5">chown</td><td rowspan="5">Change DAC's owner ID</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="5">chown(2)</td></tr> |
| 1213 |
|
|
<tr><td><a href="#integer_comparison">uid</a></td><td>New DAC owner ID of an object referenced by variable "path"</td></tr> |
| 1214 |
|
|
<tr><td><a href="#file_attributes_comparison">path.$attribute</a></td><td>Attributes of an object referenced by variable "path"</td></tr> |
| 1215 |
|
|
<tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr> |
| 1216 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1217 |
|
|
|
| 1218 |
|
|
<tr><td rowspan="5">chgrp</td><td rowspan="5">Change DAC's group ID</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="5">chown(2)</td></tr> |
| 1219 |
|
|
<tr><td><a href="#integer_comparison">gid</a></td><td>New DAC group ID of an object referenced by variable "path"</td></tr> |
| 1220 |
|
|
<tr><td><a href="#file_attributes_comparison">path.$attribute</a></td><td>Attributes of an object referenced by variable "path"</td></tr> |
| 1221 |
|
|
<tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr> |
| 1222 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1223 |
|
|
|
| 1224 |
|
|
<tr><td rowspan="5">ioctl</td><td rowspan="5">Use ioctl request</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="5">ioctl(2)</td></tr> |
| 1225 |
|
|
<tr><td><a href="#integer_comparison">cmd</a></td><td>Command number for ioctl request</td></tr> |
| 1226 |
|
|
<tr><td><a href="#file_attributes_comparison">path.$attribute</a></td><td>Attributes of an object referenced by variable "path"</td></tr> |
| 1227 |
|
|
<tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr> |
| 1228 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1229 |
|
|
|
| 1230 |
|
|
<tr><td rowspan="4">chroot</td><td rowspan="4">Change root directory</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="4">chroot(2)</td></tr> |
| 1231 |
|
|
<tr><td><a href="#file_attributes_comparison">path.$attribute</a></td><td>Attributes of an object referenced by variable "path"</td></tr> |
| 1232 |
|
|
<tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr> |
| 1233 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1234 |
|
|
|
| 1235 |
|
|
<tr><td rowspan="9">mount</td><td rowspan="9">Mount a filesystem</td><td><a href="#string_comparison">source</a></td><td>Source name if filesystem name is one of "--bind", "--move" or a filesystem that requires device file. Unavailable otherwise.</td><td rowspan="9">mount(2)</td></tr> |
| 1236 |
|
|
<tr><td><a href="#string_comparison">target</a></td><td>Mount point or target name</td></tr> |
| 1237 |
|
|
<tr><td><a href="#string_comparison">fstype</a></td><td>Filesystem name, determined by below oeder.<br> |
| 1238 |
|
|
<ol> |
| 1239 |
|
|
<li>"--remount" if mount flags contains MS_REMOUNT flag</li> |
| 1240 |
|
|
<li>"--bind" if mount flags contains MS_BIND flag</li> |
| 1241 |
|
|
<li>"--make-shared" if mount flags contains MS_SHARED flag</li> |
| 1242 |
|
|
<li>"--make-private" if mount flags contains MS_PRIVATE flag</li> |
| 1243 |
|
|
<li>"--make-slave" if mount flags contains MS_SLAVE flag</li> |
| 1244 |
|
|
<li>"--make-unbindable" if mount flags contains MS_UNBINDABLE flag</li> |
| 1245 |
|
|
<li>"--move" if mount flags contains MS_MOVE flag</li> |
| 1246 |
|
|
<li>name of filesystem</li> |
| 1247 |
|
|
</ol> |
| 1248 |
|
|
</td></tr> |
| 1249 |
|
|
<tr><td><a href="#integer_comparison">flags</a></td><td>Mount flags</td></tr> |
| 1250 |
|
|
<tr><td><a href="#string_comparison">data</a></td><td>Mount options not in mount flags argument (e.g. "errors=remount-ro"). This variable is not available to filesystems that require binary mount options (e.g."nfs", "coda", "ncpfs"). Also, this variable is available only if filesystem type is either "--remount" or name of filesystem.</td></tr> |
| 1251 |
|
|
<tr><td><a href="#file_attributes_comparison">source.$attribute</a></td><td>Attributes of an object referenced by variable "source" when variable "source" references a valid pathname</td></tr> |
| 1252 |
|
|
<tr><td><a href="#file_attributes_comparison">source.parent.$attribute</a></td><td>Attributes of parent directory of an object referenced by variable "source" when variable "source" references a valid pathname</td></tr> |
| 1253 |
|
|
<tr><td><a href="#file_attributes_comparison">target.$attribute</a></td><td>Attributes of an object referenced by variable "target"</td></tr> |
| 1254 |
|
|
<tr><td><a href="#file_attributes_comparison">target.parent.$attribute</a></td><td>Attributes of parent directory of an object referenced by variable "target"</td></tr> |
| 1255 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1256 |
|
|
|
| 1257 |
|
|
<tr><td rowspan="5">unmount</td><td rowspan="5">Unmount a filesystem</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="5">umount(2)</td></tr> |
| 1258 |
|
|
<tr><td><a href="#integer_comparison">flags</a></td><td>Unmount flags</td></tr> |
| 1259 |
|
|
<tr><td><a href="#file_attributes_comparison">path.$attribute</a></td><td>Attributes of an object referenced by variable "path"</td></tr> |
| 1260 |
|
|
<tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr> |
| 1261 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1262 |
|
|
|
| 1263 |
|
|
<tr><td rowspan="7">pivot_root</td><td rowspan="7">Exchange root directory</td><td><a href="#string_comparison">new_root</a></td><td>New root directory</td><td rowspan="7">pivot_root(2)</td></tr> |
| 1264 |
|
|
<tr><td><a href="#string_comparison">put_old</a></td><td>Location to place old root directory</td></tr> |
| 1265 |
|
|
<tr><td><a href="#file_attributes_comparison">new_root.$attribute</a></td><td>Attributes of an object referenced by variable "new_root"</td></tr> |
| 1266 |
|
|
<tr><td><a href="#file_attributes_comparison">new_root.parent.$attribute</a></td><td>Attributes of parent directory of an object referenced by variable "new_root"</td></tr> |
| 1267 |
|
|
<tr><td><a href="#file_attributes_comparison">put_old.$attribute</a></td><td>Attributes of an object referenced by variable "put_old"</td></tr> |
| 1268 |
|
|
<tr><td><a href="#file_attributes_comparison">put_old.parent.$attribute</a></td><td>Attributes of parent directory of an object referenced by variable "put_old"</td></tr> |
| 1269 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1270 |
|
|
|
| 1271 |
|
|
<tr><td rowspan="3">inet_stream_bind</td><td rowspan="3">Binding PF_INET/PF_INET6+SOCK_STREAM socket</td><td><a href="#ipaddr_comparison">ip</a></td><td>IPv4 or IPv6 address</td><td rowspan="3">bind(2), ip(7), ipv6(7)</td></tr> |
| 1272 |
|
|
<tr><td><a href="#integer_comparison">port</a></td><td>Port number</td></tr> |
| 1273 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1274 |
|
|
|
| 1275 |
|
|
<tr><td rowspan="3">inet_stream_listen</td><td rowspan="3">Listening PF_INET/PF_INET6+SOCK_STREAM socket</td><td><a href="#ipaddr_comparison">ip</a></td><td>IPv4 or IPv6 address</td><td rowspan="3">listen(2), ip(7), ipv6(7)</td></tr> |
| 1276 |
|
|
<tr><td><a href="#integer_comparison">port</a></td><td>Port number</td></tr> |
| 1277 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1278 |
|
|
|
| 1279 |
|
|
<tr><td rowspan="3">inet_stream_connect</td><td rowspan="3">Connecting PF_INET/PF_INET6+SOCK_STREAM socket</td><td><a href="#ipaddr_comparison">ip</a></td><td>IPv4 or IPv6 address</td><td rowspan="3">connect(2), ip(7), ipv6(7)</td></tr> |
| 1280 |
|
|
<tr><td><a href="#integer_comparison">port</a></td><td>Port number</td></tr> |
| 1281 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1282 |
|
|
|
| 1283 |
|
|
<tr><td rowspan="3">inet_stream_accept</td><td rowspan="3">Accepting PF_INET/PF_INET6+SOCK_STREAM socket</td><td><a href="#ipaddr_comparison">ip</a></td><td>IPv4 or IPv6 address</td><td rowspan="3">accept(2), ip(7), ipv6(7)</td></tr> |
| 1284 |
|
|
<tr><td><a href="#integer_comparison">port</a></td><td>Port number</td></tr> |
| 1285 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1286 |
|
|
|
| 1287 |
|
|
<tr><td rowspan="3">inet_dgram_bind</td><td rowspan="3">Binding PF_INET/PF_INET6+SOCK_DGRAM socket</td><td><a href="#ipaddr_comparison">ip</a></td><td>IPv4 or IPv6 address</td><td rowspan="3">bind(2), ip(7), ipv6(7)</td></tr> |
| 1288 |
|
|
<tr><td><a href="#integer_comparison">port</a></td><td>Port number</td></tr> |
| 1289 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1290 |
|
|
|
| 1291 |
|
|
<tr><td rowspan="3">inet_dgram_send</td><td rowspan="3">Sending AF_INET/AF_INET6 datagrams</td><td><a href="#ipaddr_comparison">ip</a></td><td>IPv4 or IPv6 address</td><td rowspan="3">sendmsg(2), ip(7), ipv6(7)</td></tr> |
| 1292 |
|
|
<tr><td><a href="#integer_comparison">port</a></td><td>Port number</td></tr> |
| 1293 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1294 |
|
|
|
| 1295 |
|
|
<tr><td rowspan="3">inet_dgram_recv</td><td rowspan="3">Receiving AF_INET/AF_INET6 datagrams</td><td><a href="#ipaddr_comparison">ip</a></td><td>IPv4 or IPv6 address</td><td rowspan="3">recvmsg(2), ip(7), ipv6(7)</td></tr> |
| 1296 |
|
|
<tr><td><a href="#integer_comparison">port</a></td><td>Port number</td></tr> |
| 1297 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1298 |
|
|
|
| 1299 |
|
|
<tr><td rowspan="3">inet_raw_bind</td><td rowspan="3">Binding PF_INET/PF_INET6+SOCK_RAW socket</td><td><a href="#ipaddr_comparison">ip</a></td><td>IPv4 or IPv6 address</td><td rowspan="3">bind(2), raw(7)</td></tr> |
| 1300 |
|
|
<tr><td><a href="#integer_comparison">proto</a></td><td>Protocol number</td></tr> |
| 1301 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1302 |
|
|
|
| 1303 |
|
|
<tr><td rowspan="3">inet_raw_send</td><td rowspan="3">Sending AF_INET/AF_INET6 packets</td><td><a href="#ipaddr_comparison">ip</a></td><td>IPv4 or IPv6 address</td><td rowspan="3">sendmsg(2), raw(7)</td></tr> |
| 1304 |
|
|
<tr><td><a href="#integer_comparison">proto</a></td><td>Protocol number</td></tr> |
| 1305 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1306 |
|
|
|
| 1307 |
|
|
<tr><td rowspan="3">inet_raw_recv</td><td rowspan="3">Receiving AF_INET/AF_INET6 packets</td><td><a href="#ipaddr_comparison">ip</a></td><td>IPv4 or IPv6 address</td><td rowspan="3">recvmsg(2), raw(7)</td></tr> |
| 1308 |
|
|
<tr><td><a href="#integer_comparison">proto</a></td><td>Protocol number</td></tr> |
| 1309 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1310 |
|
|
|
| 1311 |
|
|
<tr><td rowspan="2">unix_stream_bind</td><td rowspan="2">Binding PF_UNIX+SOCK_STREAM socket</td><td><a href="#string_comparison">addr</a></td><td>Unix domain socket address</td><td rowspan="2">bind(2), unix(7)</td></tr> |
| 1312 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1313 |
|
|
|
| 1314 |
|
|
<tr><td rowspan="2">unix_stream_listen</td><td rowspan="2">Listening PF_UNIX+SOCK_STREAM socket</td><td><a href="#string_comparison">addr</a></td><td>Unix domain socket address</td><td rowspan="2">listen(2), unix(7)</td></tr> |
| 1315 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1316 |
|
|
|
| 1317 |
|
|
<tr><td rowspan="2">unix_stream_connect</td><td rowspan="2">Connecting PF_UNIX+SOCK_STREAM socket</td><td><a href="#string_comparison">addr</a></td><td>Unix domain socket address</td><td rowspan="2">connect(2), unix(7)</td></tr> |
| 1318 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1319 |
|
|
|
| 1320 |
|
|
<tr><td rowspan="2">unix_stream_accept</td><td rowspan="2">Accepting PF_UNIX+SOCK_STREAM socket</td><td><a href="#string_comparison">addr</a></td><td>Unix domain socket address</td><td rowspan="2">accept(2), unix(7)</td></tr> |
| 1321 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1322 |
|
|
|
| 1323 |
|
|
<tr><td rowspan="2">unix_dgram_bind</td><td rowspan="2">Binding PF_UNIX+SOCK_DGRAM socket</td><td><a href="#string_comparison">addr</a></td><td>Unix domain socket address</td><td rowspan="2">bind(2), unix(7)</td></tr> |
| 1324 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1325 |
|
|
|
| 1326 |
|
|
<tr><td rowspan="2">unix_dgram_send</td><td rowspan="2">Sending AF_UNIX datagrams</td><td><a href="#string_comparison">addr</a></td><td>Unix domain socket address</td><td rowspan="2">sendmsg(2), unix(7)</td></tr> |
| 1327 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1328 |
|
|
|
| 1329 |
|
|
<tr><td rowspan="2">unix_dgram_recv</td><td rowspan="2">Receiving AF_UNIX datagrams</td><td><a href="#string_comparison">addr</a></td><td>Unix domain socket address</td><td rowspan="2">recvmsg(2), unix(7)</td></tr> |
| 1330 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1331 |
|
|
|
| 1332 |
|
|
<tr><td rowspan="2">unix_seqpacket_bind</td><td rowspan="2">Binding PF_UNIX+SOCK_SEQPACKET socket</td><td><a href="#string_comparison">addr</a></td><td>Unix domain socket address</td><td rowspan="2">bind(2), unix(7)</td></tr> |
| 1333 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1334 |
|
|
|
| 1335 |
|
|
<tr><td rowspan="2">unix_seqpacket_listen</td><td rowspan="2">Listening PF_UNIX+SOCK_SEQPACKET socket</td><td><a href="#string_comparison">addr</a></td><td>Unix domain socket address</td><td rowspan="2">listen(2), unix(7)</td></tr> |
| 1336 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1337 |
|
|
|
| 1338 |
|
|
<tr><td rowspan="2">unix_seqpacket_connect</td><td rowspan="2">Connecting PF_UNIX+SOCK_SEQPACKET socket</td><td><a href="#string_comparison">addr</a></td><td>Unix domain socket address</td><td rowspan="2">connect(2), unix(7)</td></tr> |
| 1339 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1340 |
|
|
|
| 1341 |
|
|
<tr><td rowspan="2">unix_seqpacket_accept</td><td rowspan="2">Accepting PF_UNIX+SOCK_SEQPACKET socket</td><td><a href="#string_comparison">addr</a></td><td>Unix domain socket address</td><td rowspan="2">accept(2), unix(7)</td></tr> |
| 1342 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1343 |
|
|
|
| 1344 |
|
|
<tr><td rowspan="3">ptrace</td><td rowspan="3">Call ptrace() system call</td><td><a href="#integer_comparison">cmd</a></td><td>Command number</td><td rowspan="3">ptrace(2)</td></tr> |
| 1345 |
|
|
<tr><td><a href="#string_comparison">domain</a></td><td>Target process's domainname</td></tr> |
| 1346 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1347 |
|
|
|
| 1348 |
|
|
<tr><td rowspan="2">signal</td><td rowspan="2">Send signals</td><td><a href="#integer_comparison">sig</a></td><td>Signal number</td><td rowspan="2">kill(2), tkill(2), tgkill(2), rt_sigqueueinfo(2)</td></tr> |
| 1349 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1350 |
|
|
|
| 1351 |
|
|
<tr><td rowspan="11">environ</td><td rowspan="11">Receive environment variables upon program execution</td><td><a href="#string_comparison">name</a></td><td>Environment variable's name</td><td rowspan="11">execve(2)</td></tr> |
| 1352 |
|
|
<tr><td><a href="#string_comparison">value</a></td><td>Environment variable's value</td></tr> |
| 1353 |
|
|
<tr><td><a href="#string_comparison">path</a></td><td>Requested program's pathname</td></tr> |
| 1354 |
|
|
<tr><td><a href="#file_attributes_comparison">path.$attribute</a></td><td>Attributes of an object referenced by variable "path"</td></tr> |
| 1355 |
|
|
<tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</tr> |
| 1356 |
|
|
<tr><td><a href="#string_comparison">exec</a></td><td>Requested program's pathname, but maybe a symbolic link</td></tr> |
| 1357 |
|
|
<tr><td><a href="#integer_comparison">argc</a></td><td>Number of command line arguments passed to this request</td></tr> |
| 1358 |
|
|
<tr><td><a href="#integer_comparison">envc</a></td><td>Number of environment variables arguments</td></tr> |
| 1359 |
|
|
<tr><td><a href="#argv_comparison">argv[$index]</a></td><td>$index'th (0 <= $index < argc) value of command line arguments</td></tr> |
| 1360 |
|
|
<tr><td><a href="#envp_comparison">envp["$name"]</a></td><td>Value of environment variable named $name</td></tr> |
| 1361 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1362 |
|
|
|
| 1363 |
|
|
<tr><td rowspan="1">modify_policy</td><td rowspan="1">Modify policy configuration</td><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td><td rowspan="1"></td></tr> |
| 1364 |
|
|
|
| 1365 |
|
|
<tr><td rowspan="1">use_netlink_socket</td><td rowspan="1">Create PF_NETLINK socket</td><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td><td rowspan="1">socket(2), netlink(7)</td></tr> |
| 1366 |
|
|
|
| 1367 |
|
|
<tr><td rowspan="1">use_packet_socket</td><td rowspan="1">Create PF_PACKET socket</td><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td><td rowspan="1">socket(2), packet(7)</td></tr> |
| 1368 |
|
|
|
| 1369 |
|
|
<tr><td rowspan="1">use_reboot</td><td rowspan="1">Call reboot() system call</td><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td><td rowspan="1">reboot(2)</td></tr> |
| 1370 |
|
|
|
| 1371 |
|
|
<tr><td rowspan="1">use_vhangup</td><td rowspan="1">Call vhangup() system call</td><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td><td rowspan="1">vhangup(2)</td></tr> |
| 1372 |
|
|
|
| 1373 |
|
|
<tr><td rowspan="1">set_time</td><td rowspan="1">Set system's time</td><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td><td rowspan="1">stime(2), settimeofday(2), adjtimex(2)</td></tr> |
| 1374 |
|
|
|
| 1375 |
|
|
<tr><td rowspan="1">set_priority</td><td rowspan="1">Change process's priority</td><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td><td rowspan="1">nice(2), setpriority(2)</td></tr> |
| 1376 |
|
|
|
| 1377 |
|
|
<tr><td rowspan="1">set_hostname</td><td rowspan="1">Set host's name</td><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td><td rowspan="1">sethostname(2), setdomainname(2)</td></tr> |
| 1378 |
|
|
|
| 1379 |
|
|
<tr><td rowspan="1">use_kernel_module</td><td rowspan="1">Load or unload kernel modules</td><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td><td rowspan="1">init_module(2), delete_module(2)</td></tr> |
| 1380 |
|
|
|
| 1381 |
|
|
<tr><td rowspan="1">use_new_kernel</td><td rowspan="1">Load a new kernel</td><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td><td rowspan="1">kexec_load(2)</td></tr> |
| 1382 |
|
|
|
| 1383 |
|
|
<tr><td rowspan="2">manual_domain_transition</td><td rowspan="2">Change domains by writing to /proc/caitsith/self_domain</td><td><a href="#string_comparison">domain</a></td><td>Domainname to allow transition to </td><td rowspan="2"></td></tr> |
| 1384 |
|
|
<tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr> |
| 1385 |
|
|
|
| 1386 |
|
|
<tr><td rowspan="2">auto_domain_transition</td><td rowspan="2">Change domains automatically upon conditions are met</td><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td><td rowspan="2"></td></tr> |
| 1387 |
|
|
<tr><td>transition</td><td>New domainname to transit to if conditions are met (available to only "allow" lines)</td></tr> |
| 1388 |
|
|
|
| 1389 |
|
|
</table> |
| 1390 |
|
|
|
| 1391 |
|
|
<h2><a name="policy_syntaxes">4. Policy syntaxes</a></h2> |
| 1392 |
|
|
|
| 1393 |
|
|
<h3><a name="policy_structure_definition">4.1. Definition</a></h3> |
| 1394 |
|
|
|
| 1395 |
|
|
<p>Policy consists with two parts.</p> |
| 1396 |
|
|
|
| 1397 |
|
|
<p>Header part defines below lines.</p> |
| 1398 |
|
|
|
| 1399 |
|
|
<table border="1"> |
| 1400 |
|
|
<tr><td> |
| 1401 |
|
|
POLICY_VERSION=20120401<br> |
| 1402 |
|
|
quota memory policy $max_byte_for_policy<br> |
| 1403 |
|
|
quota memory audit $max_byte_for_audit_logs<br> |
| 1404 |
|
|
quota memory query $max_byte_for_query<br> |
| 1405 |
|
|
quota audit[$audit_index] allowed=$max_logs_for_allowed_request unmatched=$max_logs_for_unmatched_request denied=$max_logs_for_denied_request<br> |
| 1406 |
|
|
string_group $string_group_name $string_group_member<br> |
| 1407 |
|
|
number_group $number_group_name $number_group_member<br> |
| 1408 |
|
|
ip_group $ip_group_name $ip_group_member<br> |
| 1409 |
|
|
</td></tr> |
| 1410 |
|
|
</table> |
| 1411 |
|
|
|
| 1412 |
|
|
<ul> |
| 1413 |
|
|
<li>POLICY_VERSION line defines policy version.</li> |
| 1414 |
|
|
<li>$max_byte_for_policy is max amount of memory in byte which can be allocated for policy. Default is unlimited.</li> |
| 1415 |
|
|
<li>$max_byte_for_audit_logs is max amount of memory in byte which can be allocated for audit logs. Default is unlimited. $max_byte_for_audit_logs=16777216 should be sufficient.</li> |
| 1416 |
|
|
<li>$max_byte_for_query is max amount of memory in byte which can be allocated for interactive enforcement. Default is unlimited. $max_byte_for_audit_logs=1048576 should be sufficient.</li> |
| 1417 |
|
|
<li>quota audit[$audit_index] lines (0 <= $audit_index <= 255) are max number of audit logs which can be held in the kernel space. $max_logs_for_allowed_request is for allowed requests. $max_logs_for_unmatched_request is for unmatched requests. $max_logs_for_denied_request is for denied requests. Default is 0. Unless you have special reasons, you should set 0 to $max_logs_for_allowed_request. Regarding $max_logs_for_unmatched_request and $max_logs_for_denied_request, 1024 should be sufficient.</li> |
| 1418 |
|
|
<li>string_group $string_group_name lines define group of strings. $string_group_member is a member for $string_group_name group.</li> |
| 1419 |
|
|
<li>number_group $number_group_name lines define group of numbers. $number_group_member is a member for $number_group_name group.</li> |
| 1420 |
|
|
<li>ip_group $ip_group_name lines define group of IP addresses. $ip_group_member is a member for $ip_group_name group.</li> |
| 1421 |
|
|
</ul> |
| 1422 |
|
|
|
| 1423 |
|
|
<p>ACL part is consists with 0 or more repetitions of below block.</p> |
| 1424 |
|
|
|
| 1425 |
|
|
<table border="1"> |
| 1426 |
|
|
<tr><td> |
| 1427 |
|
|
$acl_priority acl $operation $conditions_to_filter<br> |
| 1428 |
|
|
audit $audit_index<br> |
| 1429 |
|
|
$cond_priority $decision $conditions_to_allow_or_deny |
| 1430 |
|
|
</td></tr> |
| 1431 |
|
|
</table> |
| 1432 |
|
|
|
| 1433 |
|
|
<ul> |
| 1434 |
|
|
<li>A block which starts with $acl_priority determines whether to evaluate rules in this block or not.</li> |
| 1435 |
|
|
<li>Blocks which start with $acl_priority can be defined as many as you need.</li> |
| 1436 |
|
|
<li>$acl_priority is a priority (an integer between 0 and 65535) which controls which block should be evaluated first (among all blocks defined in the policy).</li> |
| 1437 |
|
|
<li>Blocks are evaluated from smaller $acl_priority values to larger $acl_priority values.</li> |
| 1438 |
|
|
<li>If two blocks have same $acl_priority value, the block which is defined first is evaluated first.</li> |
| 1439 |
|
|
<li>$operation is "operation".</li> |
| 1440 |
|
|
<li>$conditions_to_filter is "conditional expressions" which can be applied to "operation". Omit $conditions_to_filter to evaluate this block unconditionally.</li> |
| 1441 |
|
|
<li>Access requests will be denied if one of deny lines (among all blocks defined in the policy) matches.</li> |
| 1442 |
|
|
</ul> |
| 1443 |
|
|
|
| 1444 |
|
|
<p>$decision lines in a block is evaluated only when the block's $acl_priority line matched.</p> |
| 1445 |
|
|
|
| 1446 |
|
|
<ul> |
| 1447 |
|
|
<li>A line which starts with $cond_priority determines whether to grant the access request or not.</li> |
| 1448 |
|
|
<li>Lines which start with $cond_priority can be defined as many as you need.</li> |
| 1449 |
|
|
<li>$cond_priority is a priority (an integer between 0 and 65535) which controls which line should be checked first (among all lines defined in the block).</li> |
| 1450 |
|
|
<li>Lines are checked from smaller $cond_priority values to larger priority values.</li> |
| 1451 |
|
|
<li>If two lines have same $cond_priority value, the line which is defined first is checked first.</li> |
| 1452 |
|
|
<li>$decision is either allow or deny.</li> |
| 1453 |
|
|
<li>$conditions_to_allow_or_deny is "conditional expressions" which can be applied to "operation". Omit $conditions_to_allow_or_deny to match this line unconditionally.</li> |
| 1454 |
|
|
</ul> |
| 1455 |
|
|
|
| 1456 |
|
|
<p>Checking of $decision lines in a block lasts until it matches a $decision line or it reaches to the end of block.</p> |
| 1457 |
|
|
|
| 1458 |
|
|
<ul> |
| 1459 |
|
|
<li>If $conditions_to_allow_or_deny of a deny line matches, the access request is denied. At the same time, access denied log is generated if memory used for audit logs is smaller than $max_byte_for_audit_logs bytes and number of denied logs which is in the kernel is smaller than $max_logs_for_denied_request of quota audit[$audit_index] line where $audit_index is specified by audit line of this block.</li> |
| 1460 |
|
|
<li>If $conditions_to_allow_or_deny of an allow line matches, the evaluation of this block ends and proceeds to next block. At the same time, access allowed log is generated if memory used for audit logs is smaller than $max_byte_for_audit_logs bytes and number of allowed logs which is in the kernel is smaller than $max_logs_for_allowed_request of quota audit[$audit_index] line where $audit_index is specified by audit line of this block.</li> |
| 1461 |
|
|
<li>If none of $conditions_to_allow_or_deny matches, the evaluation of this block ends and proceeds to next block. At the same time, access unmatched log is generated if memory used for audit logs is smaller than $max_byte_for_audit_logs bytes and number of unmatched logs which is in the kernel is smaller than $max_logs_for_unmatched_request of quota audit[$audit_index] line where $audit_index is specified by audit line of this block.</li> |
| 1462 |
|
|
</ul> |
| 1463 |
|
|
|
| 1464 |
|
|
<p>Access requests will be denied only when "deny" line of "acl" block matched. There are three exceptions. Regarding permission to modify policy (i.e. "acl modify_policy" blocks), permission to change domains manually (i.e. "acl manual_domain_transition" blocks) and permission to change domains automatically (i.e. "acl auto_domain_transition" blocks), access requests will be granted only when "allow" line of all blocks match, in order to avoid unintended modification of policy or domain transition.</p> |
| 1465 |
|
|
|
| 1466 |
|
|
<p>$acl_priority and $cond_priority values are used for two purposes. One is for selectively deny operations using "deny" lines. For example,</p> |
| 1467 |
|
|
|
| 1468 |
|
|
<table border="1"> |
| 1469 |
|
|
<tr><td> |
| 1470 |
|
|
10 acl write path.fsmagic=0x9FA0<br> |
| 1471 |
|
|
audit 0<br> |
| 1472 |
|
|
10 deny path="proc:/cmdline"<br> |
| 1473 |
|
|
20 allow |
| 1474 |
|
|
</td></tr> |
| 1475 |
|
|
</table> |
| 1476 |
|
|
|
| 1477 |
|
|
<p>denies opening /proc/cmdline on the proc filesystem (proc filesystem's magic number is 0x9FA0) for reading while allowing opening all other files.</p> |
| 1478 |
|
|
|
| 1479 |
|
|
<p>The other is for controlling which "transition=" and "handler=" arguments should be used when these arguments matched more than once. For example, 2 "acl execute" blocks with 5 transition= arguments are defined (conditions$X is <a href="#conditions">"conditional expressions"</a> such as path.uid=task.uid and path.uid!=task.uid).</p> |
| 1480 |
|
|
|
| 1481 |
|
|
<table border="1"> |
| 1482 |
|
|
<tr><td> |
| 1483 |
|
|
10 acl execute conditions1<br> |
| 1484 |
|
|
audit 0<br> |
| 1485 |
|
|
10 allow conditions2 transition="domainname1" <br> |
| 1486 |
|
|
20 allow conditions3<br> |
| 1487 |
|
|
20 allow conditions4 transition="domainname2" <br> |
| 1488 |
|
|
<br> |
| 1489 |
|
|
20 acl execute conditions5<br> |
| 1490 |
|
|
audit 0<br> |
| 1491 |
|
|
10 allow conditions6 transition="domainname3" <br> |
| 1492 |
|
|
20 allow conditions7 transition=NULL<br> |
| 1493 |
|
|
20 allow conditions8 transition="domainname4" |
| 1494 |
|
|
</td></tr> |
| 1495 |
|
|
</table> |
| 1496 |
|
|
|
| 1497 |
|
|
<p>Domain transition is determined from the first matching transition= argument of allow lines, and keeps current domain if none of matching transition= argument was found. In other words,</p> |
| 1498 |
|
|
|
| 1499 |
|
|
<ul> |
| 1500 |
|
|
<li>If conditions1 and conditions2 are met, then transit to domainname1 domain when execute request succeeded.</li> |
| 1501 |
|
|
<li>Otherwise, if conditions1 and conditions3 are met, then proceed to next block.</li> |
| 1502 |
|
|
<li>Otherwise, if conditions1 and conditions4 are met, then transit to domainname3 domain when execute request succeeded.</li> |
| 1503 |
|
|
<li>Otherwise, if conditions5 and conditions6 are met, then transit to domainname5 domain when execute request succeeded.</li> |
| 1504 |
|
|
<li>Otherwise, if conditions5 and conditions7 are met, then keep current domain even if execute request succeeded.</li> |
| 1505 |
|
|
<li>Otherwise, if conditions5 and conditions8 are met, then transit to domainname7 domain when execute request succeeded.</li> |
| 1506 |
|
|
<li>Otherwise, keep current domain even if execute request succeeded.</li> |
| 1507 |
|
|
</ul> |
| 1508 |
|
|
|
| 1509 |
|
|
<p>Same rule applies to handler= argument. That is, execute handler is determined from the first matching handler= argument of allow lines, and does not use execute handler if none of matching handler= argument was found.</p> |
| 1510 |
|
|
|
| 1511 |
|
|
<h3><a name="policy_examples">4.2. Examples</a></h3> |
| 1512 |
|
|
|
| 1513 |
|
|
<p>Below example restricts mount operation to allow by only /bin/mount program with one of</p> |
| 1514 |
|
|
|
| 1515 |
|
|
<ul> |
| 1516 |
|
|
<li>mounting proc filesystem to /proc/ with default mount options</li> |
| 1517 |
|
|
<li>mounting sysfs filesystem to /sys/ with default mount options</li> |
| 1518 |
|
|
<li>mounting devpts filesystem to /dev/pts/ with default mount options</li> |
| 1519 |
|
|
<li>mounting tmpfs filesystem to /dev/shm/ with default mount options</li> |
| 1520 |
|
|
<li>remounting a filesystem which is mounted on / with read-only option</li> |
| 1521 |
|
|
<li>remounting a filesystem which is mounted on / with noatime option</li> |
| 1522 |
|
|
<li>mounting securityfs filesystem to /sys/kernel/security/ with default mount options</li> |
| 1523 |
|
|
</ul> |
| 1524 |
|
|
|
| 1525 |
|
|
<p>combinations. Mount requests by other than /bin/mount program are denied. Mount requests other than combinations not listed is also denied.</p> |
| 1526 |
|
|
|
| 1527 |
|
|
<table border="1"> |
| 1528 |
|
|
<tr><td> |
| 1529 |
|
|
100 acl mount<br> |
| 1530 |
|
|
audit allowed=0 unmatched=0 denied=1024<br> |
| 1531 |
|
|
1 deny task.exe!="/bin/mount"<br> |
| 1532 |
|
|
10 allow target="/proc/" fstype="proc" flags=0x0<br> |
| 1533 |
|
|
10 allow target="/sys/" fstype="sysfs" flags=0x0<br> |
| 1534 |
|
|
10 allow target="/dev/pts/" fstype="devpts" flags=0x0<br> |
| 1535 |
|
|
10 allow target="/dev/shm/" fstype="tmpfs" flags=0x0<br> |
| 1536 |
|
|
10 allow target="/" fstype="--remount" flags=0x1<br> |
| 1537 |
|
|
10 allow target="/" fstype="--remount" flags=0x400<br> |
| 1538 |
|
|
10 allow target="sysfs:/kernel/security/" fstype="securityfs" flags=0x0<br> |
| 1539 |
|
|
10 deny |
| 1540 |
|
|
</td></tr> |
| 1541 |
|
|
</table> |
| 1542 |
|
|
|
| 1543 |
|
|
</body> |
| 1544 |
|
|
</html> |
Parent Directory
Revision Log