Develop and Download Open Source Software

Browse Subversion Repository

Annotation of /tags/htdocs/index.html

Parent Directory Parent Directory | Revision Log Revision Log


Revision 15 - (hide annotations) (download) (as text)
Sat Apr 7 12:45:41 2012 UTC (12 years ago) by kumaneko
File MIME type: text/html
File size: 105391 byte(s)


1 kumaneko 10 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
2     <html lang="en-US">
3     <head>
4     <meta http-equiv="content-type" content="text/html; charset=UTF-8">
5 kumaneko 15 <meta http-equiv="content-style-type" content="text/css">
6     <link rel="stylesheet" href="media/caitsith.css" media="all" type="text/css">
7 kumaneko 10 <title>CaitSith Documentation</title>
8     </head>
9     <body>
10    
11     <h1>CaitSith -- A simplified access restriction module for system protection.</h1>
12    
13     <p>CaitSith is an access restriction module for Linux systems. This module gives you ability to restrict access (e.g. opening files, executing programs) at the kernel level. This module is designed for ease of use.</p>
14    
15     <p>Below is documentation and policy syntax but is under construction. Sorry.</p>
16    
17     <hr>
18    
19     <h1><a href="#how_to_use">How to use</a></h1>
20    
21 kumaneko 15 <p><a href="#difference_with_tomoyo">1. Difference with TOMOYO (for existing TOMOYO users)</a></p>
22    
23 kumaneko 10 <ul>
24 kumaneko 15 <li><a href="#1.1">1.1. About pathnames and management programs</a></li>
25     <li><a href="#1.2">1.2. About policy syntax</a></li>
26 kumaneko 10 </ul>
27    
28 kumaneko 15 <p><a href="#how_to_install">2. How to install</a></p>
29    
30     <ul>
31     <li><a href="#2.1">2.1. Install dependencies</a></li>
32     <li><a href="#2.2">2.2. Download and patch the kernel</a></li>
33     <li><a href="#2.3">2.3. Configure the kernel</a></li>
34     <li><a href="#2.4">2.4. Compile and install the kernel</a></li>
35     <li><a href="#2.5">2.5. Install the userspace tools</a></li>
36     <li><a href="#2.6">2.6. Initializing configuration</a></li>
37     <li><a href="#2.7">2.7. Configuring your bootloader</a></li>
38     <li><a href="#2.8">2.8. Rebooting your system</a></li>
39     <li><a href="#2.9">2.9. How can I disable/uninstall CaitSith?</a></li>
40     </ul>
41    
42     <p><a href="#how_to_develop_policy">3. How to develop policy</a></p>
43    
44 kumaneko 10 <h1><a href="#policy_specification">Policy Specification</a></h1>
45    
46     <ul>
47     <li><a href="#available_parameters">1. About parameters which can be handled via policy</a></li>
48     <li><a href="#string_expression">1.1. String parameters representation rule</a></li>
49     <li><a href="#numeric_expression">1.2. Numeric parameters representation rule</a></li>
50     <li><a href="#ipaddress_expression">1.3. IP address parameters representation rule</a></li>
51     <li><a href="#conditions">2. About conditional expressions</a></li>
52     <li><a href="#string_comparison">2.1. Conditional expressions which handle string parameters</a></li>
53     <li><a href="#integer_comparison">2.2. Conditional expressions which handle numeric parameters</a></li>
54     <li><a href="#ipaddr_comparison">2.3. Conditional expressions which handle IP address parameters</a></li>
55     <li><a href="#task_attributes_comparison">2.4. Conditional expressions which handle current thread's attributes</a></li>
56     <li><a href="#argv_comparison">2.5. Conditional expressions which handle command line arguments</a></li>
57     <li><a href="#envp_comparison">2.6. Conditional expressions which handle environment variable arguments</a></li>
58     <li><a href="#dac_permission_comparison">2.7. Conditional expressions which handle file's DAC permissions</a></li>
59     <li><a href="#file_type_comparison">2.8. Conditional expressions which handle file's type</a></li>
60     <li><a href="#file_attributes_comparison">2.9. Conditional expressions which handle file's attributes</a></li>
61     <li><a href="#syntax_list">3. List of syntaxes sorted by operations</a></li>
62     <li><a href="#policy_syntaxes">4. Policy syntaxes</a></li>
63     <li><a href="#policy_structure_definition">4.1. Definition</a></li>
64     <li><a href="#policy_examples">4.2. Examples</a></li>
65     </ul>
66    
67     <hr>
68    
69     <h1><a name="how_to_use">How to use</a></h1>
70    
71     <h2><a name="difference_with_tomoyo">1. Difference with TOMOYO (for existing TOMOYO users)</a></h2>
72    
73 kumaneko 15 <p>CaitSith was derived from TOMOYO Linux, but usage of CaitSith would be too different to imagine that CaitSith was derived from TOMOYO Linux. If you are already using TOMOYO Linux, please read the difference described below.</p>
74 kumaneko 10
75 kumaneko 15 <h3><a name="1.1">1.1. About pathnames and management programs</a></h3>
76 kumaneko 10
77     <p>/proc/ccs/domain_policy /proc/ccs/exception_policy /proc/ccs/profile /proc/ccs/manager /proc/ccs/stat has been aggregated into /proc/caitsith/policy</p>
78    
79     <p>/etc/ccs/policy/current/domain_policy.conf /etc/ccs/policy/current/exception_policy.conf /etc/ccs/policy/current/profile.conf /etc/ccs/policy/current/manager.conf /etc/ccs/policy/current/stat.conf has been aggregated into /etc/caitsith/policy/current</p>
80    
81     <p>Built-in policy files which are located in security/ccsecurity/policy/domain_policy.conf security/ccsecurity/policy/exception_policy.conf security/ccsecurity/policy/profile.conf security/ccsecurity/policy/manager.conf security/ccsecurity/policy/stat.conf under kernel source directory have been aggregated into security/caitsith/policy/policy.conf</p>
82    
83     <p>Only /sbin/caitsith-init /usr/sbin/caitsith-auditd /usr/sbin/caitsith-loadpolicy /usr/sbin/caitsith-notifyd /usr/sbin/caitsith-pstree /usr/sbin/caitsith-queryd /usr/sbin/caitsith-savepolicy /usr/lib/caitsith/audit-exec-param /usr/lib/caitsith/caitsith-agent /usr/lib/caitsith/init_policy are provided for managing policy. (In other words, programs such as /usr/sbin/ccs-editpolicy and /usr/sbin/ccs-setprofile have been removed.)</p>
84    
85     <p>Command line arguments for specifying type of policy to load/save has been removed from /usr/sbin/caitsith-loadpolicy and /usr/sbin/caitsith-savepolicy</p>
86    
87     <p>Command line arguments for specifying profile type has been removed from /usr/lib/caitsith/init_policy</p>
88    
89 kumaneko 15 <h3><a name="1.2">1.2. About policy syntax</a></h3>
90 kumaneko 10
91     <p>Policy syntax has been drastically changed. TOMOYO Linux used process's domainname as a key for grouping permissions to do some operations. In other words, TOMOYO Linux's policy is collection of "which domain can do ..." rules. On the other hand, this version uses operation as a key for checking permission. In other words, this version's policy is collection of "which operation can be done by ..." rules. This change is intended for allowing users to protect resources using blacklisting approach. In this version, process's domainname is nothing but one of optional parameters that can be used for controlling whether to grant or deny specific operations. Users can write rules without managing domainnames unless needed.</p>
92    
93     <p>Process's domainname representation has changed from space delimited multiple words (e.g. "&lt;kernel&gt; /sbin/init /etc/rc.d/rc.sysinit") to a single word (e.g. "/sbin/init").</p>
94    
95     <p>Domain transitions no longer happen unless explicitly specified by policy.</p>
96    
97     <p>Distinction of disabled/learning/permissive/enforcing mode has been removed.</p>
98    
99     <p>"path_group" keyword has been renamed to "string_group", and "address_group" keyword has been renamed to "ip_group".</p>
100    
101     <p>Representation of \ character has been changed from \\ to \134.</p>
102    
103     <p>Distinction between directory's pathname and non-directory's pathname has been removed by removing / character from directory's pathname.</p>
104    
105     <p>A new wildcard /\(dir\)/ has been introduced for helping converting from (e.g.) "/tmp/\{\*\}/" to "/tmp/\(\*\)/\*", for directory's pathname (except the root directory itself) no longer ends with / character which previously matched /\{\*\}/ wildcard.</p>
106    
107     <p>Category keywords (i.e. "file", "network", "ipc", "misc", "capability", "task") have been removed because access control levels which was specified using profile has been removed. Some of operation keywords have been renamed (e.g. "network inet stream connect" became "inet_stream_connect", "misc env" became "environ").</p>
108    
109     <p>"task auto_execute_handler" keyword has been renamed to "handler=" argument of "execute" keyword. This is intended for using execute handler for preprocessing purpose when executing specific programs rather than when executing from specific domains. "task denied_execute_handler" keyword has been removed.</p>
110    
111     <p>Domain argument has been removed from permission to send signals (i.e. "signal" directive), for kill() system call accepts negative number for specifying multiple processes. It is impossible to selectively deny sending signals because it is not permitted to sleep while sending signals.</p>
112    
113     <p>Restriction granularity for ptrace operation has changed from boolean (i.e. "capability SYS_PTRACE") to command number + domainname.</p>
114    
115     <p>Restriction granularity for environment variables has changed from name only to both name and values.</p>
116    
117     <p>Several variables for referencing file's attributes have been added.</p>
118    
119     <p>Local port reserve functionality (i.e. "deny_autobind" keyword) has been removed.</p>
120    
121     <h2><a name="how_to_install">2. How to install</a></h2>
122    
123 kumaneko 15 <p>Since CaitSith is a kernel component, you will have to compile your own kernel.</p>
124 kumaneko 10
125 kumaneko 15 <h3><a name="2.1">2.1. Install dependencies</a></h3>
126 kumaneko 10
127 kumaneko 15 <p>These packages are required for compiling the kernel and the userspace tools:</p>
128 kumaneko 10
129 kumaneko 15 <ul>
130     <li><strong>wget</strong>: to download sources</li>
131     <li><strong>patch</strong>: to patch the kernel</li>
132     <li><strong>gcc</strong>: to build the kernel and tools</li>
133     <li><strong>make</strong>: to build the kernel and tools</li>
134     <li><strong>ncurses-devel</strong> or <strong>libncurses-dev</strong>: to build the tools</li>
135     </ul>
136    
137     <p>These can be installed with the following commands:</p>
138    
139     <p><strong>RedHat distributions</strong></p>
140     <pre class="command">
141     # yum -y install wget patch gcc make ncurses-devel
142     </pre>
143     <p><strong>Debian distributions</strong></p>
144     <pre class="command">
145     # apt-get -y install wget patch gcc make libncurses-dev
146     </pre>
147     <p><strong>SUSE distributions</strong></p>
148     <pre class="command">
149     # yast -i wget patch gcc make ncurses-devel
150     </pre>
151    
152     <h3><a name="2.2">2.2. Download and patch the kernel</a></h3>
153    
154     <p>Download the kernel source from <a href="http://www.kernel.org/pub/linux/kernel/v2.6/">linux-2.6</a> or <a href="http://www.kernel.org/pub/linux/kernel/v3.0/">linux-3</a>.<br>
155     Linux kernel 2.6.27 and later are supported from the linux-2.6 tree.<br>
156     Linux kernel 3.0 and later are supported from the linux-3 tree.</p>
157    
158     <p>Extract the kernel source and go to the extracted directory.<br>
159     In the operations below, "$VERSION.$PATCHLEVEL.diff" should for example be replaced with "3.3.diff" if using Linux kernel 3.3.1 :</p>
160    
161     <pre class="command">
162     $ wget -O caitsith-patch-0.1-20120401.tar.gz 'http://sourceforge.jp/frs/redir.php?m=jaist&amp;f=/caitsith/55464/caitsith-patch-0.1-20120401.tar.gz'
163     $ wget -O caitsith-patch-0.1-20120401.tar.gz.asc 'http://sourceforge.jp/frs/redir.php?m=jaist&amp;f=/caitsith/55464/caitsith-patch-0.1-20120401.tar.gz.asc'
164     $ wget http://I-love.SAKURA.ne.jp/kumaneko-key
165     $ gpg --import kumaneko-key
166     $ gpg caitsith-patch-0.1-20120401.tar.gz.asc
167     $ tar -zxf caitsith-patch-0.1-20120401.tar.gz
168 kumaneko 10 $ cat patches/ccs-patch-$VERSION.$PATCHLEVEL.diff | sed -e 's/CCSECURITY/CAITSITH/g' -e 's/ccsecurity/caitsith/g' | patch -sp1
169 kumaneko 15 </pre>
170 kumaneko 10
171 kumaneko 15 <h3><a name="2.3">2.3. Configure the kernel</a></h3>
172 kumaneko 10
173 kumaneko 15 <pre class="command">
174     $ make -s menuconfig
175     </pre>
176 kumaneko 10
177 kumaneko 15 <p>Choose the following options in "Security options" section:</p>
178 kumaneko 10
179 kumaneko 15 <ul>
180     <li>[*] CaitSith support</li>
181     <li>[ ] &nbsp;&nbsp;Compile as loadable kernel module</li>
182     <li>[ ] &nbsp;&nbsp;Disable by default</li>
183     <li>[ ] &nbsp;&nbsp;Do not modify 'struct task_struct' in order to keep KABI</li>
184     <li>[ ] &nbsp;&nbsp;Activate without calling userspace policy loader.</li>
185     <li>(/sbin/caitsith-init) Location of userspace policy loader</li>
186     <li>(/sbin/init) Trigger for calling userspace policy loader</li>
187     <li>[*] &nbsp;&nbsp;Enable readdir operation restriction.</li>
188     <li>[*] &nbsp;&nbsp;Enable getattr operation restriction.</li>
189     <li>[*] &nbsp;&nbsp;Enable socket operation restriction.</li>
190     <li>[*] &nbsp;&nbsp;Enable non-POSIX capability operation restriction.</li>
191     <li>[*] &nbsp;&nbsp;Enable ptrace operation restriction.</li>
192     <li>[*] &nbsp;&nbsp;Enable kill operation restriction.</li>
193     <li>[*] &nbsp;&nbsp;Enable environment variable names/values restriction.</li>
194     <li>[*] &nbsp;&nbsp;Enable execute handler functionality.</li>
195     <li>[*] &nbsp;&nbsp;Enable domain transition without program execution request.</li>
196     <li>[*] &nbsp;&nbsp;Enable automatic domain transition.</li>
197     </ul>
198    
199     <p><em>"Compile as loadable kernel module"</em> is useful when there is a file size limitation for vmlinux (e.g. embedded systems).</p>
200    
201     <p><em>"Disable by default"</em> will enable CaitSith only when "caitsith=on" is passed to the kernel's command line options. If this option is not selected, "caitsith=off" will disable CaitSith.</p>
202    
203     <p><em>"Do not modify 'struct task_struct' in order to keep KABI"</em> will manage "struct task_struct" variables outside "struct task_struct" in order to avoid Kernel Application Binary Interface (KABI) breakage. Choose this option if wanting to patch against distributor's kernels without breaking KABI. However, since "struct caitsith_operations" must be exported to loadable kernel modules (LKMs) in order to allow them to call CaitSith's functions, build scripts may still print warning messages.</p>
204    
205     <p>There are two types of CaitSith's policy configuration. The former is embedded into the kernel and the latter is saved as files on the filesystems (e.g. /etc/caitsith/ directory). You will need to rebuild the kernel whenever updating the former, but allows you to load policy without using userspace policy loader (e.g. /sbin/caitsith-init ). The latter is loaded by executing userspace policy loader when the access control by CaitSith is about to be activated (e.g. when /sbin/init starts). <em>Activate without calling userspace policy loader.</em> allows you to activate access control by CaitSith as soon as the former is loaded. This option is useful when it is difficult to call policy loader (e.g. embedded systems).</p>
206    
207     <p><em>Location of userspace policy loader</em> is available only when <em>Activate without calling userspace policy loader.</em> is not selected. This option specifies the default pathname of the userspace policy loader. You can override this setting via the "CCS_loader=" kernel command-line option.</p>
208    
209     <p><em>Trigger for calling userspace policy loader</em> is available only when <em>Activate without calling userspace policy loader.</em> is not selected. This option specifies the default pathname of the activation trigger. You can override this setting via the "CCS_trigger=" kernel command-line option. For example, if you pass "init=/bin/systemd" option, you may also want to pass "CCS_trigger=/bin/systemd" option.</p>
210    
211     <h3><a name="2.4">2.4. Compile and install the kernel</a></h3>
212    
213     <p>The policy configuration which will be embedded into the kernel needs to exist as security/caitsith/policy/policy.conf . But you can proceed without creating that file because you don't have the policy configuration to embed as of this step. (You may come back here after you developed policy configuration to embed.)</p>
214    
215     <p>Once the kernel has been configured, compile and install the kernel with the following commands:</p>
216    
217     <pre class="command">
218     $ make -s
219     $ su
220     # make -s modules_install install
221     </pre>
222    
223     <p>Create initrd/initramfs if required.</p>
224    
225     <h3><a name="2.5">2.5. Install the userspace tools</a></h3>
226    
227     <p>Make sure the dependencies described above have been installed. Compile and install the tools with the following commands:</p>
228    
229     <pre class="command">
230     $ wget -O caitsith-tools-0.1-20120401.tar.gz 'http://sourceforge.jp/frs/redir.php?m=jaist&amp;f=/caitsith/55465/caitsith-tools-0.1-20120401.tar.gz'
231     $ wget -O caitsith-tools-0.1-20120401.tar.gz.asc 'http://sourceforge.jp/frs/redir.php?m=jaist&amp;f=/caitsith/55465/caitsith-tools-0.1-20120401.tar.gz.asc'
232     $ gpg caitsith-tools-0.1-20120401.tar.gz.asc
233     $ tar -zxf caitsith-tools-0.1-20120401.tar.gz
234 kumaneko 10 $ cd caitsith-tools/
235 kumaneko 15 $ make -s USRLIBDIR=/usr/lib
236     $ su
237     # make -s USRLIBDIR=/usr/lib install
238     </pre>
239 kumaneko 10
240 kumaneko 15 <p>Please change USRLIBDIR=/usr/lib to USRLIBDIR=/usr/lib64 (for 64bits userspace) or USRLIBDIR=/usr/lib32 (for 32bits userspace) if needed.</p>
241 kumaneko 10
242 kumaneko 15 <p>Programs listed below are main userspace tools used for administrating CaitSith.</p>
243 kumaneko 10
244 kumaneko 15 <ul>
245     <li>/sbin/caitsith-init</li>
246     <li>/usr/sbin/caitsith-auditd</li>
247     <li>/usr/sbin/caitsith-loadpolicy</li>
248     <li>/usr/sbin/caitsith-notifyd</li>
249     <li>/usr/sbin/caitsith-pstree</li>
250     <li>/usr/sbin/caitsith-queryd</li>
251     <li>/usr/sbin/caitsith-savepolicy</li>
252     </ul>
253    
254     <p>You will probably want to add /usr/sbin to your PATH so that the commands can be run easily. If you are using <code>/bin/bash</code>, append the following line to ~/.bashrc:</p>
255    
256     <pre>
257     export PATH=$PATH:/usr/sbin
258     </pre>
259    
260     <h3><a name="2.6">2.6. Initializing configuration</a></h3>
261    
262     <p>Before you can make use of CaitSith, an initialization procedure must take place. This prepares the files in which policy information will be stored. All policy files are <strong>stored in the "/etc/caitsith/" directory</strong>.</p>
263    
264     <p>Run the following command as root user to initialize:</p>
265    
266     <pre class="command">
267     # /usr/lib/caitsith/init_policy
268     </pre>
269     <pre class="output">
270     Creating policy directory... OK
271     Creating configuration directory... OK
272     Creating default policy... OK.
273     Creating module loader... OK.
274     Creating configuration file for caitsith-auditd ... OK.
275     Creating configuration file for caitsith-notifyd ... OK.
276     </pre>
277    
278     <p>CaitSith can generate audit logs and allows you to read them via /proc/caitsith/audit interface. To save /proc/caitsith/audit automatically, start /usr/sbin/caitsith-auditd from somewhere. Default setting (specified in /etc/caitsith/tools/auditd.conf) sends access matched logs to /dev/null, access unmatched logs to /var/log/caitsith/unmatched.log, access denied logs to /var/log/caitsith/denied.log. (The meaning of matched/unmatched/denied are explained later.)</p>
279    
280     <p>CaitSith can ask for your decision about access requests which will be denied unless you grant them via /proc/caitsith/query interface. To notify immediately the occurrence of access requests which CaitSith is about to deny, start /usr/sbin/caitsith-notifyd from somewhere. Default setting (specified in /etc/caitsith/tools/notifyd.conf) sends mails to root@localhost with subject "Notification from caitsith-notifyd" up to once per a minute.</p>
281    
282     <p>Below example launches /usr/sbin/caitsith-auditd and /usr/sbin/caitsith-notifyd from /etc/rc.local script:</p>
283    
284     <pre>
285     #!/bin/sh
286     #
287     # This script will be executed *after* all the other init scripts.
288     # You can put your own initialization stuff in here if you don't
289     # want to do the full Sys V style init stuff.
290    
291     touch /var/lock/subsys/local
292     /usr/sbin/caitsith-auditd
293     /usr/sbin/caitsith-notifyd
294     </pre>
295    
296     <h3><a name="2.7">2.7. Configuring your bootloader</a></h3>
297    
298     <p>Now edit your bootloader (e.g. GRUB) to include the kernel you have just compiled. If the <em>"Disable by default"</em> option was selected during kernel configuration, remember to include "caitsith=on" in the kernel boot options. Consult the documentation for your distribution and bootloader to find out how to boot your CaitSith kernel.</p>
299    
300     <p>CaitSith supports the kernel boot option "CCS_trigger". This is useful for systems that run a program other than <code>/sbin/init</code> on startup, for example when booting using systemd which uses <code>/bin/systemd</code>. In this case, you should include "CCS_trigger=/bin/systemd" in the kernel boot options.</p>
301    
302     <h3><a name="2.8">2.8. Rebooting your system</a></h3>
303    
304     <p>Now you have finished all preparation. Now it's time to make use of your newly installed kernel. Reboot your system and choose the entry with CaitSith kernel at the GRUB screen, or at whatever other bootloader you have installed:</p>
305    
306     <img src="media/grub-screen.png" alt="grub-screen.png" title="Select CaitSith enabled kernel" width="500" height="375">
307    
308     <p>If everything was installed properly and the bootloader was correctly configured, the kernel should boot as normal and CaitSith should be activated:</p>
309    
310     <img src="media/caitsith-activated.png" alt="caitsith-activated.png" title="CaitSith activated" width="675" height="375">
311    
312     <h3><a name="2.9">2.9. How can I disable/uninstall CaitSith?</a></h3>
313    
314     <p>If your system becomes unable to boot during the course of this guide or any time in the future, it may be due to policy configuration or something related to CaitSith. If this is the case, it is possible that the kernel can still be booted by disabling CaitSith. This can be done by appending "caitsith=off" at the kernel command-line parameters.</p>
315    
316     <p>CaitSith fortunately does not require the modification of any existing Linux binaries, libraries or applications. Thus, uninstalling CaitSith is very easy. It is simply a matter of uninstalling the kernel and userspace tools that you installed above. You can reboot with the kernel provided by your distribution and then remove the entry from your bootloader.</p>
317    
318 kumaneko 10 <h2><a name="how_to_develop_policy">3. How to develop policy</a></h2>
319    
320     <p>Please read <a href="#policy_specification">Policy Specification</a> before continue.</p>
321    
322     <p>Firstly, create a "quota audit[$audit_index]" line with non 0 $max_logs_for_unmatched_request value.</p>
323    
324     <table border="1">
325     <tr><td>
326     quota audit[1] allowed=0 unmatched=1024 denied=1024
327     </td></tr>
328     </table>
329    
330     <p>You can use /usr/sbin/caitsith-loadpolicy to update policy.</p>
331    
332     <table border="1">
333     <tr><td>
334     # echo 'quota audit[1] allowed=0 unmatched=1024 denied=1024' | /usr/sbin/caitsith-loadpolicy
335     </td></tr>
336     </table>
337    
338     <p>Then, decide conditions to restrict access. Below example restricts opening /etc/shadow for reading.</p>
339    
340     <table border="1">
341     <tr><td>
342     100 acl read path="/etc/shadow"<br>
343     &nbsp;&nbsp;&nbsp;&nbsp;audit 1
344     </td></tr>
345     </table>
346    
347     <p>By operating the system, access unmatched logs are generated and spooled in /proc/caitsith/audit interface when access request of opening /etc/shadow for reading happens. If /usr/sbin/caitsith-auditd is running , access unmatched logs will be moved to /var/log/caitsith/unmatched.log .</p>
348    
349     <table border="1">
350     <tr><td>
351     #2012/03/02 08:11:51# global-pid=2826 result=unmatched priority=100 / read path="/etc/shadow" task.pid=2826 task.ppid=2814 task.uid=0 task.gid=0 task.euid=0 task.egid=0 task.suid=0 task.sgid=0 task.fsuid=0 task.fsgid=0 task.type!=execute_handler task.exe="/usr/bin/passwd" task.domain="/usr/sbin/sshd" path.uid=0 path.gid=42 path.ino=33708 path.major=8 path.minor=1 path.perm=0640 path.type=file path.fsmagic=0xEF53 path.parent.uid=0 path.parent.gid=0 path.parent.ino=32769 path.parent.major=8 path.parent.minor=1 path.parent.perm=0755 path.parent.type=directory path.parent.fsmagic=0xEF53
352     </td></tr>
353     </table>
354    
355     <p>Examine the log and decide whether to grant this access request or not. To grant this request, add an allow line. Below example grants this request to /usr/bin/passwd program.</p>
356    
357     <table border="1">
358     <tr><td>
359     100 acl read path="/etc/shadow"<br>
360     &nbsp;&nbsp;&nbsp;&nbsp;audit 1<br>
361     &nbsp;&nbsp;&nbsp;&nbsp;100 allow task.exe="/usr/bin/passwd"
362     </td></tr>
363     </table>
364    
365     <p>Operate the system again. For example, /usr/sbin/sshd program and /bin/cat program have requested opening /etc/shadow for reading.</p>
366    
367     <table border="1">
368     <tr><td>
369     #2012/03/02 08:13:06# global-pid=2831 result=unmatched priority=100 / read path="/etc/shadow" task.pid=2831 task.ppid=2691 task.uid=0 task.gid=0 task.euid=0 task.egid=0 task.suid=0 task.sgid=0 task.fsuid=0 task.fsgid=0 task.type!=execute_handler task.exe="/usr/sbin/sshd" task.domain="/usr/sbin/sshd" path.uid=0 path.gid=42 path.ino=33716 path.major=8 path.minor=1 path.perm=0640 path.type=file path.fsmagic=0xEF53 path.parent.uid=0 path.parent.gid=0 path.parent.ino=32769 path.parent.major=8 path.parent.minor=1 path.parent.perm=0755 path.parent.type=directory path.parent.fsmagic=0xEF53<br>
370     #2012/03/02 08:13:12# global-pid=2837 result=unmatched priority=100 / read path="/etc/shadow" task.pid=2837 task.ppid=2833 task.uid=0 task.gid=0 task.euid=0 task.egid=0 task.suid=0 task.sgid=0 task.fsuid=0 task.fsgid=0 task.type!=execute_handler task.exe="/bin/cat" task.domain="/usr/sbin/sshd" path.uid=0 path.gid=42 path.ino=33716 path.major=8 path.minor=1 path.perm=0640 path.type=file path.fsmagic=0xEF53 path.parent.uid=0 path.parent.gid=0 path.parent.ino=32769 path.parent.major=8 path.parent.minor=1 path.parent.perm=0755 path.parent.type=directory path.parent.fsmagic=0xEF53
371     </td></tr>
372     </table>
373    
374     <p>Add an allow line with /usr/sbin/sshd program in order to allow access by /usr/sbin/sshd program. Also, add a deny line with /bin/cat program in order to deny access by /bin/cat program. Give higher priority (i.e. smaller $cond_priority value) to deny line than allow line so that deny lines are checked before allow lines are checked.</p>
375    
376     <table border="1">
377     <tr><td>
378     100 acl read path="/etc/shadow"<br>
379     &nbsp;&nbsp;&nbsp;&nbsp;audit 1<br>
380     &nbsp;&nbsp;&nbsp;&nbsp;10 deny task.exe="/bin/cat"<br>
381     &nbsp;&nbsp;&nbsp;&nbsp;100 allow task.exe="/usr/bin/passwd"<br>
382     &nbsp;&nbsp;&nbsp;&nbsp;100 allow task.exe="/usr/sbin/sshd"
383     </td></tr>
384     </table>
385    
386     <p>From now on, attempt to read /etc/shadow using /bin/cat should be denied and access denied logs should be generated. If /usr/sbin/caitsith-auditd is running , access denied logs will be moved to /var/log/caitsith/denied.log .</p>
387    
388     <table border="1">
389     <tr><td>
390     #2012/03/02 08:14:38# global-pid=2842 result=denied priority=100 / read path="/etc/shadow" task.pid=2842 task.ppid=2833 task.uid=0 task.gid=0 task.euid=0 task.egid=0 task.suid=0 task.sgid=0 task.fsuid=0 task.fsgid=0 task.type!=execute_handler task.exe="/bin/cat" task.domain="/usr/sbin/sshd" path.uid=0 path.gid=42 path.ino=33716 path.major=8 path.minor=1 path.perm=0640 path.type=file path.fsmagic=0xEF53 path.parent.uid=0 path.parent.gid=0 path.parent.ino=32769 path.parent.major=8 path.parent.minor=1 path.parent.perm=0755 path.parent.type=directory path.parent.fsmagic=0xEF53
391     </td></tr>
392     </table>
393    
394     <p>After you have finished enumerating all allow lines and deny lines, add a deny line with lowest priority (i.e. largest $cond_priority value within this block).</p>
395    
396     <table border="1">
397     <tr><td>
398     100 acl read path="/etc/shadow"<br>
399     &nbsp;&nbsp;&nbsp;&nbsp;audit 1<br>
400     &nbsp;&nbsp;&nbsp;&nbsp;10 deny task.exe="/bin/cat"<br>
401     &nbsp;&nbsp;&nbsp;&nbsp;100 allow task.exe="/usr/bin/passwd"<br>
402     &nbsp;&nbsp;&nbsp;&nbsp;100 allow task.exe="/usr/sbin/sshd"<br>
403     &nbsp;&nbsp;&nbsp;&nbsp;10000 deny
404     </td></tr>
405     </table>
406    
407     <p>A rule for restricting /etc/shadow for opening is now completed.</p>
408    
409     <p>Note that the rule explained above alone cannot prevent diverted accesses such as creating a hard link of /etc/shadow . If the resource to protect has characteristic attribute, it is recommended to utilize such attributes. On several distributions, /etc/shadow is owned by shadow group. In that case, this rule can be modified to below. (Below example assumes that shadow group's group ID is 42.)</p>
410    
411     <table border="1">
412     <tr><td>
413     100 acl read path.gid=42<br>
414     &nbsp;&nbsp;&nbsp;&nbsp;audit 1<br>
415     &nbsp;&nbsp;&nbsp;&nbsp;10 deny task.exe="/bin/cat"<br>
416     &nbsp;&nbsp;&nbsp;&nbsp;100 allow task.exe="/usr/bin/passwd"<br>
417     &nbsp;&nbsp;&nbsp;&nbsp;100 allow task.exe="/usr/sbin/sshd"<br>
418     &nbsp;&nbsp;&nbsp;&nbsp;10000 deny
419     </td></tr>
420     </table>
421    
422     <p>On several distributions, /etc/shadow is owned by root user and root group and has DAC permissions 0400. In that case, you might want to use a rule like below. (You should check whether there are other files with such attributes.)</p>
423    
424     <table border="1">
425     <tr><td>
426     100 acl read path.uid=0 path.gid=0 path.perm=0400<br>
427     &nbsp;&nbsp;&nbsp;&nbsp;audit 1<br>
428     &nbsp;&nbsp;&nbsp;&nbsp;10 deny task.exe="/bin/cat"<br>
429     &nbsp;&nbsp;&nbsp;&nbsp;100 allow task.exe="/usr/bin/passwd"<br>
430     &nbsp;&nbsp;&nbsp;&nbsp;100 allow task.exe="/usr/sbin/sshd"<br>
431     &nbsp;&nbsp;&nbsp;&nbsp;10000 deny
432     </td></tr>
433     </table>
434    
435     <p>It is recommended to restrict other operations such as mount, link and rename. For example, a rule to deny creation of hard links which is not owned by the user would look like below. (Note that the variable which refers source pathname of link operation is "old_path" rather than "path" because the operation is "link".)</p>
436    
437     <table border="1">
438     <tr><td>
439     100 acl link old_path.uid!=task.uid<br>
440     &nbsp;&nbsp;&nbsp;&nbsp;audit 1<br>
441     &nbsp;&nbsp;&nbsp;&nbsp;100 deny
442     </td></tr>
443     </table>
444    
445     <p>If you can split files into different filesystems or different partitions, you might be able to utilize more variables. For example, rules for denying creation of hard links on tmpfs filesystem (tmpfs filesystem's magic number is 0x01021994) would look like below.</p>
446    
447     <table border="1">
448     <tr><td>
449     100 acl link old_path.fsmagic=0x01021994<br>
450     &nbsp;&nbsp;&nbsp;&nbsp;audit 1<br>
451     &nbsp;&nbsp;&nbsp;&nbsp;10 deny
452     </td></tr>
453     </table>
454    
455     <p>Splitting into different partitions and defining rules based on partition's attributes will help preventing diverted access via creating hard links, for hard links cannot be created across partitions. Separating /home partition from / partition will be useful when protecting resources in /home partition.</p>
456    
457     <hr>
458    
459     <h1><a name="policy_specification">Policy Specification</a></h1>
460    
461     <h2><a name="available_parameters">1. About parameters which can be handled via policy</a></h2>
462    
463     <p>Each entry in the policy has a keyword that specifies "operation", and can optionally have "conditional expressions".</p>
464    
465     <p>It is possible to check parameters which can be represented as string data or numeric data using "conditional expressions".</p>
466    
467     <h3><a name="string_expression">1.1. String parameters representation rule</a></h3>
468    
469     <p>Parameters such as file's pathnames and command line arguments and environment variables are handled as string data.</p>
470    
471     <p>All ASCII printable characters other than \ character (i.e. from 33 to 91 and from 93 to 126) are represented as is.</p>
472    
473     <p>All other characters (i.e. from 0 to 32, 92 and from 127 to 255) are represented using \ooo style octal form.</p>
474    
475     <table border="1">
476     <tr>
477     <td>
478     <table><tr><td></td><td>Lower 4 bits</td></tr><tr><td>Upper 4 bits</td><td></td></tr></table>
479     </td>
480     <th><p>0x0</p></th>
481     <th><p>0x1</p></th>
482     <th><p>0x2</p></th>
483     <th><p>0x3</p></th>
484     <th><p>0x4</p></th>
485     <th><p>0x5</p></th>
486     <th><p>0x6</p></th>
487     <th><p>0x7</p></th>
488     <th><p>0x8</p></th>
489     <th><p>0x9</p></th>
490     <th><p>0xA</p></th>
491     <th><p>0xB</p></th>
492     <th><p>0xC</p></th>
493     <th><p>0xD</p></th>
494     <th><p>0xE</p></th>
495     <th><p>0xF</p></th>
496     </tr>
497     <tr>
498     <th><p>0x0</p></th>
499     <td><p>\000</p></td>
500     <td><p>\001</p></td>
501     <td><p>\002</p></td>
502     <td><p>\003</p></td>
503     <td><p>\004</p></td>
504     <td><p>\005</p></td>
505     <td><p>\006</p></td>
506     <td><p>\007</p></td>
507     <td><p>\010</p></td>
508     <td><p>\011</p></td>
509     <td><p>\012</p></td>
510     <td><p>\013</p></td>
511     <td><p>\014</p></td>
512     <td><p>\015</p></td>
513     <td><p>\016</p></td>
514     <td><p>\017</p></td>
515     </tr>
516     <tr>
517     <th><p>0x1</p></th>
518     <td><p>\020</p></td>
519     <td><p>\021</p></td>
520     <td><p>\022</p></td>
521     <td><p>\023</p></td>
522     <td><p>\024</p></td>
523     <td><p>\025</p></td>
524     <td><p>\026</p></td>
525     <td><p>\027</p></td>
526     <td><p>\030</p></td>
527     <td><p>\031</p></td>
528     <td><p>\032</p></td>
529     <td><p>\033</p></td>
530     <td><p>\034</p></td>
531     <td><p>\035</p></td>
532     <td><p>\036</p></td>
533     <td><p>\037</p></td>
534     </tr>
535     <tr>
536     <th><p>0x2</p></th>
537     <td><p>\040</p></td>
538     <td><p>!</p></td>
539     <td><p>"</p></td>
540     <td><p>#</p></td>
541     <td><p>$</p></td>
542     <td><p>%</p></td>
543     <td><p>&amp;</p></td>
544     <td><p>'</p></td>
545     <td><p>(</p></td>
546     <td><p>)</p></td>
547     <td><p>*</p></td>
548     <td><p>+</p></td>
549     <td><p>,</p></td>
550     <td><p>-</p></td>
551     <td><p>.</p></td>
552     <td><p>/</p></td>
553     </tr>
554     <tr>
555     <th><p>0x3</p></th>
556     <td><p>0</p></td>
557     <td><p>1</p></td>
558     <td><p>2</p></td>
559     <td><p>3</p></td>
560     <td><p>4</p></td>
561     <td><p>5</p></td>
562     <td><p>6</p></td>
563     <td><p>7</p></td>
564     <td><p>8</p></td>
565     <td><p>9</p></td>
566     <td><p>:</p></td>
567     <td><p>;</p></td>
568     <td><p>&lt;</p></td>
569     <td><p>=</p></td>
570     <td><p>&gt;</p></td>
571     <td><p>?</p></td>
572     </tr>
573     <tr>
574     <th><p>0x4</p></th>
575     <td><p>@</p></td>
576     <td><p>A</p></td>
577     <td><p>B</p></td>
578     <td><p>C</p></td>
579     <td><p>D</p></td>
580     <td><p>E</p></td>
581     <td><p>F</p></td>
582     <td><p>G</p></td>
583     <td><p>H</p></td>
584     <td><p>I</p></td>
585     <td><p>J</p></td>
586     <td><p>K</p></td>
587     <td><p>L</p></td>
588     <td><p>M</p></td>
589     <td><p>N</p></td>
590     <td><p>O</p></td>
591     </tr>
592     <tr>
593     <th><p>0x5</p></th>
594     <td><p>P</p></td>
595     <td><p>Q</p></td>
596     <td><p>R</p></td>
597     <td><p>S</p></td>
598     <td><p>T</p></td>
599     <td><p>U</p></td>
600     <td><p>V</p></td>
601     <td><p>W</p></td>
602     <td><p>X</p></td>
603     <td><p>Y</p></td>
604     <td><p>Z</p></td>
605     <td><p>[</p></td>
606     <td><p>\134</p></td>
607     <td><p>]</p></td>
608     <td><p>^</p></td>
609     <td><p>_</p></td>
610     </tr>
611     <tr>
612     <th><p>0x6</p></th>
613     <td><p>`</p></td>
614     <td><p>a</p></td>
615     <td><p>b</p></td>
616     <td><p>c</p></td>
617     <td><p>d</p></td>
618     <td><p>e</p></td>
619     <td><p>f</p></td>
620     <td><p>g</p></td>
621     <td><p>h</p></td>
622     <td><p>i</p></td>
623     <td><p>j</p></td>
624     <td><p>k</p></td>
625     <td><p>l</p></td>
626     <td><p>m</p></td>
627     <td><p>n</p></td>
628     <td><p>o</p></td>
629     </tr>
630     <tr>
631     <th><p>0x7</p></th>
632     <td><p>p</p></td>
633     <td><p>q</p></td>
634     <td><p>r</p></td>
635     <td><p>s</p></td>
636     <td><p>t</p></td>
637     <td><p>u</p></td>
638     <td><p>v</p></td>
639     <td><p>w</p></td>
640     <td><p>x</p></td>
641     <td><p>y</p></td>
642     <td><p>z</p></td>
643     <td><p>{</p></td>
644     <td><p>|</p></td>
645     <td><p>}</p></td>
646     <td><p>~</p></td>
647     <td><p>\177</p></td>
648     </tr>
649     <tr>
650     <th><p>0x8</p></th>
651     <td><p>\200</p></td>
652     <td><p>\201</p></td>
653     <td><p>\202</p></td>
654     <td><p>\203</p></td>
655     <td><p>\204</p></td>
656     <td><p>\205</p></td>
657     <td><p>\206</p></td>
658     <td><p>\207</p></td>
659     <td><p>\210</p></td>
660     <td><p>\211</p></td>
661     <td><p>\212</p></td>
662     <td><p>\213</p></td>
663     <td><p>\214</p></td>
664     <td><p>\215</p></td>
665     <td><p>\216</p></td>
666     <td><p>\217</p></td>
667     </tr>
668     <tr>
669     <th><p>0x9</p></th>
670     <td><p>\220</p></td>
671     <td><p>\221</p></td>
672     <td><p>\222</p></td>
673     <td><p>\223</p></td>
674     <td><p>\224</p></td>
675     <td><p>\225</p></td>
676     <td><p>\226</p></td>
677     <td><p>\227</p></td>
678     <td><p>\230</p></td>
679     <td><p>\231</p></td>
680     <td><p>\232</p></td>
681     <td><p>\233</p></td>
682     <td><p>\234</p></td>
683     <td><p>\235</p></td>
684     <td><p>\236</p></td>
685     <td><p>\237</p></td>
686     </tr>
687     <tr>
688     <th><p>0xA</p></th>
689     <td><p>\240</p></td>
690     <td><p>\241</p></td>
691     <td><p>\242</p></td>
692     <td><p>\243</p></td>
693     <td><p>\244</p></td>
694     <td><p>\245</p></td>
695     <td><p>\246</p></td>
696     <td><p>\247</p></td>
697     <td><p>\250</p></td>
698     <td><p>\251</p></td>
699     <td><p>\252</p></td>
700     <td><p>\253</p></td>
701     <td><p>\254</p></td>
702     <td><p>\255</p></td>
703     <td><p>\256</p></td>
704     <td><p>\257</p></td>
705     </tr>
706     <tr>
707     <th><p>0xB</p></th>
708     <td><p>\260</p></td>
709     <td><p>\261</p></td>
710     <td><p>\262</p></td>
711     <td><p>\263</p></td>
712     <td><p>\264</p></td>
713     <td><p>\265</p></td>
714     <td><p>\266</p></td>
715     <td><p>\267</p></td>
716     <td><p>\270</p></td>
717     <td><p>\271</p></td>
718     <td><p>\272</p></td>
719     <td><p>\273</p></td>
720     <td><p>\274</p></td>
721     <td><p>\275</p></td>
722     <td><p>\276</p></td>
723     <td><p>\277</p></td>
724     </tr>
725     <tr>
726     <th><p>0xC</p></th>
727     <td><p>\300</p></td>
728     <td><p>\301</p></td>
729     <td><p>\302</p></td>
730     <td><p>\303</p></td>
731     <td><p>\304</p></td>
732     <td><p>\305</p></td>
733     <td><p>\306</p></td>
734     <td><p>\307</p></td>
735     <td><p>\310</p></td>
736     <td><p>\311</p></td>
737     <td><p>\312</p></td>
738     <td><p>\313</p></td>
739     <td><p>\314</p></td>
740     <td><p>\315</p></td>
741     <td><p>\316</p></td>
742     <td><p>\317</p></td>
743     </tr>
744     <tr>
745     <th><p>0xD</p></th>
746     <td><p>\320</p></td>
747     <td><p>\321</p></td>
748     <td><p>\322</p></td>
749     <td><p>\323</p></td>
750     <td><p>\324</p></td>
751     <td><p>\325</p></td>
752     <td><p>\326</p></td>
753     <td><p>\327</p></td>
754     <td><p>\330</p></td>
755     <td><p>\331</p></td>
756     <td><p>\332</p></td>
757     <td><p>\333</p></td>
758     <td><p>\334</p></td>
759     <td><p>\335</p></td>
760     <td><p>\336</p></td>
761     <td><p>\337</p></td>
762     </tr>
763     <tr>
764     <th><p>0xE</p></th>
765     <td><p>\340</p></td>
766     <td><p>\341</p></td>
767     <td><p>\342</p></td>
768     <td><p>\343</p></td>
769     <td><p>\344</p></td>
770     <td><p>\345</p></td>
771     <td><p>\346</p></td>
772     <td><p>\347</p></td>
773     <td><p>\350</p></td>
774     <td><p>\351</p></td>
775     <td><p>\352</p></td>
776     <td><p>\353</p></td>
777     <td><p>\354</p></td>
778     <td><p>\355</p></td>
779     <td><p>\356</p></td>
780     <td><p>\357</p></td>
781     </tr>
782     <tr>
783     <th><p>0xF</p></th>
784     <td><p>\360</p></td>
785     <td><p>\361</p></td>
786     <td><p>\362</p></td>
787     <td><p>\363</p></td>
788     <td><p>\364</p></td>
789     <td><p>\365</p></td>
790     <td><p>\366</p></td>
791     <td><p>\367</p></td>
792     <td><p>\370</p></td>
793     <td><p>\371</p></td>
794     <td><p>\372</p></td>
795     <td><p>\373</p></td>
796     <td><p>\374</p></td>
797     <td><p>\375</p></td>
798     <td><p>\376</p></td>
799     <td><p>\377</p></td>
800     </tr>
801     </table>
802    
803     <p>It is possible to use wildcards listed below in order to match string patterns.</p>
804    
805     <table border="1">
806     <tr>
807     <th><p>Wildcard</p></th>
808     <th><p>Pattern match</p></th>
809     <th><p>Examples</p></th>
810     </tr>
811     <tr>
812     <td><p>\*</p></td>
813     <td><p>0 or more repetitions of characters other than "/"</p></td>
814     <td><p>/var/log/samba/\*</p></td>
815     </tr>
816     <tr>
817     <td><p>\@</p></td>
818     <td><p>0 or more repetitions of characters other than "/" or "."</p></td>
819     <td><p>/var/www/html/\@.html</p></td>
820     </tr>
821     <tr>
822     <td><p>\?</p></td>
823     <td><p>1 byte character other than "/"</p></td>
824     <td><p>/tmp/mail.\?\?\?\?\?\?</p></td>
825     </tr>
826     <tr>
827     <td><p>\$</p></td>
828     <td><p>1 or more repetitions of decimal digits</p></td>
829     <td><p>/proc/\$/cmdline</p></td>
830     </tr>
831     <tr>
832     <td><p>\+</p></td>
833     <td><p>1 decimal digit</p></td>
834     <td><p>/var/tmp/my_work.\+</p></td>
835     </tr>
836     <tr>
837     <td><p>\X</p></td>
838     <td><p>1 or more repetitions of hexadecimal digits</p></td>
839     <td><p>/var/tmp/my-work.\X</p></td>
840     </tr>
841     <tr>
842     <td><p>\x</p></td>
843     <td><p>1 hexadecimal digit</p></td>
844     <td><p>/tmp/my-work.\x</p></td>
845     </tr>
846     <tr>
847     <td><p>\A</p></td>
848     <td><p>1 or more repetitions of alphabet characters</p></td>
849     <td><p>/var/log/my-work/\$-\A-\$.log</p></td>
850     </tr>
851     <tr>
852     <td><p>\a</p></td>
853     <td><p>1 alphabet character</p></td>
854     <td><p>/home/users/\a/\*/public_html/\*.html</p></td>
855     </tr>
856     <tr>
857     <td><p>\-</p></td>
858     <td><p>Pathname subtraction operator (negative match)</p></td>
859     <td>
860     <p>/\*\-proc\-sys</p>
861     <p>This will match /\* except "/proc" and "/sys".</p>
862     </td>
863     </tr>
864     <tr>
865     <td><p>/\{dir\}/</p></td>
866     <td><p>Recursive directory matching operator.</p>
867     <p>Matches "/" and 1 or more repetitions of "dir/".</p></td>
868     <td>
869     <p>/var/www/html/\{\*\}/\*.html</p>
870     <p>This will match all *.html files in subdirectories under /var/www/html/ directory. Note that /var/www/html/\*.html will not match.</p>
871     </td>
872     </tr>
873     <tr>
874     <td><p>/({dir\)/</p></td>
875     <td><p>Recursive directory matching operator.</p>
876     <p>Matches "/" and 0 or more repetitions of "dir/".</p></td>
877     <td>
878     <p>/var/www/html/\(\*\)/\*.html</p>
879     <p>This will match all *.html files under /var/www/html/ directory. Note that /var/www/html/\*.html will match.</p>
880     </td>
881     </tr>
882     </table>
883    
884     <p>It is possible to group string data using "<a href="#string_comparison">string_group</a>" syntax.</p>
885    
886     <h3><a name="numeric_expression">1.2. Numeric parameters representation rule</a></h3>
887    
888     <p>Parameters such as user ID and process ID are handled as numeric data.</p>
889    
890     <p>Decimal form, octal form and hexadecimal form are supported. Octal form is prefixed with 0 and Hexadecimal form is prefixed with 0x. For example, 010 in octal form is equivalent with 8 in decimal form, 0x10 in hexadecimal form is equivalent with 16 in decimal form.</p>
891    
892     <p>Since numeric data is handled using C language's "unsigned long" type, minimal value is 0 and maximal value is 0xFFFFFFFF (for 32 bit environments) or 0xFFFFFFFFFFFFFFFF (for 64 bit environments).</p>
893    
894     <p>It is possible to specify numeric data ranges in $min_value-$max_value form. If specifying in range, $min_value has to be smaller or equals to $max_value. For example, 0-100 is valid but 100-0 is invalid.</p>
895    
896     <p>It is possible to group numeric data or numeric data range using "<a href="#integer_comparison">number_group</a>" syntax.</p>
897    
898     <h3><a name="ipaddress_expression">1.3. IP address parameters representation rule</a></h3>
899    
900     <p>It is possible to handle IPv4 address and IPv6 address. IPv4 address (32 bit) is represented using dot separated decimal form. and IPv6 address (128 bit) is represented using forms defined in RFC 2373.</p>
901    
902     <p>It is possible to specify IP address ranges in $min_address-$max_address form. If specifying in range, $min_address has to be smaller or equals to $max_address. For example, 1.2.3.4-5.6.7.8 is valid but 5.6.7.8-1.2.3.4 is invalid.</p>
903    
904     <p>It is possible to group IP address and IP address range using "<a href="#ipaddr_comparison">ip_group</a>" syntax.</p>
905    
906     <h2><a name="conditions">2. About conditional expressions</a></h2>
907    
908     <p>Valid conditions are determined by "operation". See <a href="#syntax_list">List of syntaxes sorted by operations</a> for "operation".</p>
909    
910     <p>Some examples are shown below. Details of conditions are explained later.</p>
911    
912     <table border="1">
913     <tr><td>Example of policy</td><td>Meaning</td></tr>
914     <tr><td>acl execute</td><td>Execution of any program</td></tr>
915     <tr><td>acl execute task.uid=0</td><td>Execution of any program by current thread's user ID is 0</td></tr>
916     <tr><td>acl execute task.uid=0 task.gid=0</td><td>Execution of any program by current thread's user ID and group ID are both 0</td></tr>
917     <tr><td>acl execute path="/bin/true"</td><td>Execution of any program where normalized pathname is /bin/true .</td></tr>
918     <tr><td>acl execute path="/bin/true" argv[1]="--help"</td><td>Execution of any program where normalized pathname is /bin/true and the first command line argument is --help</td></tr>
919     <tr><td>acl execute task.uid=0 path="/sbin/init"</td><td>Execution of any program where normalized pathname is /sbin/init by current thread's user ID is 0</td></tr>
920     </table>
921    
922     <p>Basically conditions are omissible. But a few "operation" have mandatory conditions and parameters which controls behavior after policy matches. Such conditions/parameters are explained in individual topics.</p>
923    
924     <h3><a name="string_comparison">2.1. Conditional expressions which handle string parameters</a></h3>
925    
926     <p>Number of parameters which is represented as string data depends on "operation". For example, "read" operation has one and "rename" operation has two. Thus, the name of variables which references string data varies on "operation". See <a href="#syntax_list">List of syntaxes sorted by operations</a> for name of variables that handle string data. Below description assumes that the name of variable is "path".</p>
927    
928     <p>Comparison with string data is defined as below.</p>
929    
930     <table border="1">
931     <tr><td>Conditions example</td><td>Value of variable "path"</td><td>Comparison result</td></tr>
932     <tr><td rowspan="5">path="/tmp/\*"</td>
933     <td>/</td><td>Does not match</td></tr>
934     <tr><td>/tmp</td><td>Does not match</td></tr>
935     <tr><td>/tmp/</td><td>Matches</td></tr>
936     <tr><td>/tmp/rt6bh84t</td><td>Matches</td></tr>
937     <tr><td>/tmp/349gy08t/y8024fgf</td><td>Does not match</td></tr>
938     <tr><td rowspan="5">path!="/tmp/\*"</td>
939     <td>/</td><td>Matches</td></tr>
940     <tr><td>/tmp</td><td>Matches</td></tr>
941     <tr><td>/tmp/</td><td>Does not match</td></tr>
942     <tr><td>/tmp/rt6bh84t</td><td>Does not match</td></tr>
943     <tr><td>/tmp/349gy08t/y8024fgf</td><td>Matches</td></tr>
944     </table>
945    
946     <p>If a string_group group named TMPDIR is defined as</p>
947    
948     <table border="1">
949     <tr><td>
950     string_group TMPDIR /tmp<br>
951     string_group TMPDIR /tmp/\(\*\)/\*
952     </td></tr>
953     </table>
954    
955     <p>it is possible to define conditions like below.</p>
956    
957     <table border="1">
958     <tr><td>Conditions example</td><td>Value of variable "path"</td><td>Value of TMPDIR group</td><td>Comparison result</td></tr>
959     <tr><td rowspan="4">path=@TMPDIR</td>
960     <td>/</td><td rowspan="4">/tmp<br>/tmp/\(\*\)/\*</td><td>Does not match</td></tr>
961     <tr><td>/tmp</td><td>Matches</td></tr>
962     <tr><td>/tmp/rt6bh84t</td><td>Matches</td></tr>
963     <tr><td>/tmp/349gy08t/y8024fgf</td><td>Matches</td></tr>
964     <tr><td rowspan="4">path!=@TMPDIR</td>
965     <td>/</td><td rowspan="4">/tmp<br>/tmp/\(\*\)/\*</td><td>Matches</td></tr>
966     <tr><td>/tmp</td><td>Does not match</td></tr>
967     <tr><td>/tmp/rt6bh84t</td><td>Does not match</td></tr>
968     <tr><td>/tmp/349gy08t/y8024fgf</td><td>Does not match</td></tr>
969     </table>
970    
971     <h3><a name="integer_comparison">2.2. Conditional expressions which handle numeric parameters</a></h3>
972    
973     <p>Number of parameters which is represented as numeric data depends on "operation". For example, "create" operation has one and "mkblock" operation has three. Thus, the name of variables which references numeric parameters varies on "operation". See <a href="#syntax_list">List of syntaxes sorted by operations</a> for name of variables that handle numeric data. Below description uses "task.uid" (which references current thread's user ID) and "task.gid" (which references current thread's group ID) as an example.</p>
974    
975     <p>Comparison with numeric value is defined as below.</p>
976    
977     <table border="1">
978     <tr><td>Conditions example</td><td>Value of variable "task.uid"</td><td>Comparison result</td></tr>
979     <tr><td rowspan="3">task.uid=0</td>
980     <td>0</td><td>Matches</td></tr>
981     <tr><td>100</td><td>Does not match</td></tr>
982     <tr><td>500</td><td>Does not match</td></tr>
983     <tr><td rowspan="3">task.uid!=0</td>
984     <td>0</td><td>Does not match</td></tr>
985     <tr><td>100</td><td>Matches</td></tr>
986     <tr><td>500</td><td>Matches</td></tr>
987     </table>
988    
989     <p>Comparison with numeric value range is defined as below.</p>
990    
991     <table border="1">
992     <tr><td>Conditions example</td><td>Value of variable "task.gid"</td><td>Comparison result</td></tr>
993     <tr><td rowspan="3">task.gid=0-100</td>
994     <td>0</td><td>Matches</td></tr>
995     <tr><td>100</td><td>Matches</td></tr>
996     <tr><td>500</td><td>Does not match</td></tr>
997     <tr><td rowspan="3">task.gid!=0-100</td><td>0</td><td>Does not match</td></tr>
998     <tr><td>100</td><td>Does not match</td></tr>
999     <tr><td>500</td><td>Matches</td></tr>
1000     </table>
1001    
1002     <p>It is possible to compare one variable which references numeric value with another variable which references numeric value.</p>
1003    
1004     <table border="1">
1005     <tr><td>Conditions example</td><td>Value of variable "task.uid"</td><td>Value of variable "task.gid"</td><td>Comparison result</td></tr>
1006     <tr><td rowspan="4">task.uid=task.gid</td>
1007     <td>0</td><td>0</td><td>Matches</td></tr>
1008     <tr><td>0</td><td>100</td><td>Does not match</td></tr>
1009     <tr><td>100</td><td>0</td><td>Does not match</td></tr>
1010     <tr><td>100</td><td>100</td><td>Matches</td></tr>
1011     <tr><td rowspan="4">task.uid!=task.gid</td>
1012     <td>0</td><td>0</td><td>Does not match</td></tr>
1013     <tr><td>0</td><td>100</td><td>Matches</td></tr>
1014     <tr><td>100</td><td>0</td><td>Matches</td></tr>
1015     <tr><td>100</td><td>100</td><td>Does not match</td></tr>
1016     </table>
1017    
1018     <p>If a number_group group named ID_GROUP is defined as</p>
1019    
1020     <table border="1">
1021     <tr><td>
1022     number_group ID_GROUP 100<br>
1023     number_group ID_GROUP 200-500
1024     </td></tr>
1025     </table>
1026    
1027     <p>it is possible to define conditions like below.</p>
1028    
1029     <table border="1">
1030     <tr><td>Conditions example</td><td>Value of variable "task.uid"</td><td>Values in ID_GROUP group</td><td>Comparison result</td></tr>
1031     <tr><td rowspan="4">task.uid=@ID_GROUP</td>
1032     <td>0</td><td rowspan="4">100<br>200-500</td><td>Does not match</td></tr>
1033     <tr><td>100</td><td>Matches</td></tr>
1034     <tr><td>500</td><td>Matches</td></tr>
1035     <tr><td>1000</td><td>Does not match</td></tr>
1036     <tr><td rowspan="4">task.uid!=@ID_GROUP</td>
1037     <td>0</td><td rowspan="4">100<br>200-500</td><td>Matches</td></tr>
1038     <tr><td>100</td><td>Does not match</td></tr>
1039     <tr><td>500</td><td>Does not match</td></tr>
1040     <tr><td>1000</td><td>Matches</td></tr>
1041     </table>
1042    
1043     <h3><a name="ipaddr_comparison">2.3. Conditional expressions which handle IP address parameters</a></h3>
1044    
1045     <p>Any "operation" which handles IPv4/IPv6 network address can check IP address using variable "ip". See <a href="#syntax_list">List of syntaxes sorted by operations</a> for operations that can handle IP address.</p>
1046    
1047     <p>Comparison with IP address value is defined as below. Note that comparison between an IPv4 address and an IPv6 address does not match.</p>
1048    
1049     <table border="1">
1050     <tr><td>Conditions example</td><td>Value of variable "ip"</td><td>Comparison result</td></tr>
1051     <tr><td rowspan="4">ip=127.0.0.1</td><td>127.0.0.1</td><td>Matches</td></tr>
1052     <tr><td>0.0.0.0</td><td>Does not match</td></tr>
1053     <tr><td>::1</td><td>Does not match</td></tr>
1054     <tr><td>::ffff:127.0.0.1</td><td>Does not match</td></tr>
1055     <tr><td rowspan="4">ip!=127.0.0.1</td><td>127.0.0.1</td><td>Does not match</td></tr>
1056     <tr><td>0.0.0.0</td><td>Matches</td></tr>
1057     <tr><td>::1</td><td>Does not match</td></tr>
1058     <tr><td>::ffff:127.0.0.1</td><td>Does not match</td></tr>
1059     <tr><td rowspan="4">ip=::1</td><td>127.0.0.1</td><td>Does not match</td></tr>
1060     <tr><td>0.0.0.0</td><td>Does not match</td></tr>
1061     <tr><td>::1</td><td>Matches</td></tr>
1062     <tr><td>::ffff:127.0.0.1</td><td>Does not match</td></tr>
1063     <tr><td rowspan="4">ip!=::1</td><td>127.0.0.1</td><td>Does not match</td></tr>
1064     <tr><td>0.0.0.0</td><td>Does not match</td></tr>
1065     <tr><td>::1</td><td>Does not match</td></tr>
1066     <tr><td>::ffff:127.0.0.1</td><td>Matches</td></tr>
1067     </table>
1068    
1069     <p>Comparison with IP address range is defined as below.</p>
1070    
1071     <table border="1">
1072     <tr><td>Conditions example</td><td>Value of variable "ip"</td><td>Comparison result</td></tr>
1073     <tr><td rowspan="3">ip=127.0.0.0-127.255.255.255</td>
1074     <td>127.0.0.1</td><td>Matches</td></tr>
1075     <tr><td>10.0.0.1</td><td>Does not match</td></tr>
1076     <tr><td>::ffff:127.0.0.1</td><td>Does not match</td></tr>
1077     <tr><td rowspan="3">ip!=127.0.0.0-127.255.255.255</td>
1078     <td>127.0.0.1</td><td>Does not match</td></tr>
1079     <tr><td>10.0.0.1</td><td>Matches</td></tr>
1080     <tr><td>::ffff:127.0.0.1</td><td>Does not match</td></tr>
1081     <tr><td rowspan="3">ip=::-::1</td><td>::ffff:127.0.0.1</td><td>Does not match</td></tr>
1082     <tr><td>127.0.0.1</td><td>Does not match</td></tr>
1083     <tr><td>::1</td><td>Matches</td></tr>
1084     <tr><td rowspan="3">ip!=::-::1</td><td>::ffff:127.0.0.1</td><td>Matches</td></tr>
1085     <tr><td>127.0.0.1</td><td>Does not match</td></tr>
1086     <tr><td>::1</td><td>Does not match</td></tr>
1087     </table>
1088    
1089     <p>If an ip_group group named PRIVATE_ADDRESS is defined as</p>
1090    
1091     <table border="1">
1092     <tr><td>
1093     ip_group PRIVATE_ADDRESS 10.0.0.0-10.255.255.255<br>
1094     ip_group PRIVATE_ADDRESS 172.16.0.0-172.31.255.255<br>
1095     ip_group PRIVATE_ADDRESS 192.168.0.0-192.168.255.255<br>
1096     ip_group PRIVATE_ADDRESS fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
1097     </td></tr>
1098     </table>
1099    
1100     <p>it is possible to define conditions like below.</p>
1101    
1102     <table border="1">
1103     <tr><td>Conditions example</td><td>Value of variable "ip"</td><td>Values in PRIVATE_ADDRESS group</td><td>Comparison result</td></tr>
1104     <tr><td rowspan="5">ip=@PRIVATE_ADDRESS</td>
1105     <td>127.0.0.1</td><td rowspan="5">10.0.0.0-10.255.255.255<br>172.16.0.0-172.31.255.255<br>192.168.0.0-192.168.255.255<br>fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff</td><td>Does not match</td></tr>
1106     <tr><td>10.0.0.1</td><td>Matches</td></tr>
1107     <tr><td>192.168.0.1</td><td>Matches</td></tr>
1108     <tr><td>::ffff:172.16.0.1</td><td>Does not match</td></tr>
1109     <tr><td>fd01::</td><td>Matches</td></tr>
1110     <tr><td rowspan="5">ip!=@PRIVATE_ADDRESS</td><td>127.0.0.1</td><td rowspan="5">10.0.0.0-10.255.255.255<br>172.16.0.0-172.31.255.255<br>192.168.0.0-192.168.255.255<br>fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff</td><td>Matches</td></tr>
1111     <tr><td>10.0.0.1</td><td>Does not match</td></tr>
1112     <tr><td>::ffff:192.168.0.1</td><td>Matches</td></tr>
1113     <tr><td>::ffff:127.0.0.1</td><td>Matches</td></tr>
1114     <tr><td>fd01::</td><td>Does not match</td></tr>
1115     </table>
1116    
1117     <h3><a name="task_attributes_comparison">2.4. Conditional expressions which handle current thread's attributes</a></h3>
1118    
1119     <p>It is possible to use current thread's attributes as part of conditions. Below variables are always available.</p>
1120    
1121     <table border="1">
1122     <tr><td>Variable's name</td><td>Comparison method</td><td>Meaning</td><td></td></tr>
1123     <tr><td>task.uid</td><td><a href="#integer_comparison">Numeric</a></td><td>Current thread's user ID</td></tr>
1124     <tr><td>task.gid</td><td><a href="#integer_comparison">Numeric</a></td><td>Current thread's group ID</td></tr>
1125     <tr><td>task.euid</td><td><a href="#integer_comparison">Numeric</a></td><td>Current thread's effective user ID</td></tr>
1126     <tr><td>task.egid</td><td><a href="#integer_comparison">Numeric</a></td><td>Current thread's effective group ID</td></tr>
1127     <tr><td>task.suid</td><td><a href="#integer_comparison">Numeric</a></td><td>Current thread's saved user ID</td></tr>
1128     <tr><td>task.sgid</td><td><a href="#integer_comparison">Numeric</a></td><td>Current thread's saved group ID</td></tr>
1129     <tr><td>task.fsuid</td><td><a href="#integer_comparison">Numeric</a></td><td>Current thread's filesystem user ID</td></tr>
1130     <tr><td>task.fsgid</td><td><a href="#integer_comparison">Numeric</a></td><td>Current thread's filesystem group ID</td></tr>
1131     <tr><td>task.pid</td><td><a href="#integer_comparison">Numeric</a></td><td>Current thread's process ID </td></tr>
1132     <tr><td>task.ppid</td><td><a href="#integer_comparison">Numeric</a></td><td>Process ID of current thread's parent process</td></tr>
1133     <tr><td>task.exe</td><td><a href="#string_comparison">String</a></td><td>Current thread's program name (the content of /proc/self/exe)</td></tr>
1134     <tr><td>task.domain</td><td><a href="#string_comparison">String</a></td><td>Current thread's domainname (the content of /proc/caitsith/self_domain)</td></tr>
1135     <tr><td>task.type</td><td>Literal</td><td>Matches execute_handler if running as an execute handler, does not match execute_handler otherwise</td></tr>
1136     </table>
1137    
1138     <h3><a name="argv_comparison">2.5. Conditional expressions which handle command line arguments</a></h3>
1139    
1140     <p>It is possible to check command line arguments (a.k.a. argv[]) when checking permissions for program execution.</p>
1141    
1142     <table border="1">
1143     <tr><td>Conditions example</td><td>Comparison method</td><td>Meaning</td><td></td></tr>
1144     <tr><td>argv[0]="true"</td><td><a href="#string_comparison">String</a></td><td>argv[0] matches "true"</td></tr>
1145     <tr><td>argv[0]!="false"</td><td><a href="#string_comparison">String</a></td><td>argv[0] does not match "false"</td></tr>
1146     <tr><td>argv[1]=@ARGV1_GROUPS</td><td><a href="#string_comparison">String</a></td><td>argv[0] matches one of strings in string_group ARGV1_GROUPS group</td></tr>
1147     <tr><td>argv[1]!=@ARGV1_GROUPS</td><td><a href="#string_comparison">String</a></td><td>argv[0] matches none of strings in string_group ARGV1_GROUPS group</td></tr>
1148     </table>
1149    
1150     <p>Applications can pass a string data up to 32 * PAGE_SIZE bytes to each argv[]. But due to difficulty of allocating contiguous memory in the kernel, only up to 4085 bytes can be checked using variable "argv[$index]". If you want to check strictly, please consider using handler= argument of "allow " lines in "acl execute" block.</p>
1151    
1152     <h3><a name="envp_comparison">2.6. Conditional expressions which handle environment variable arguments</a></h3>
1153    
1154     <p>It is possible to check environment variables (a.k.a. envp[]) when checking permissions for program execution.</p>
1155    
1156     <table border="1">
1157     <tr><td>Conditions example</td><td>Comparison method</td><td>Meaning</td><td></td></tr>
1158     <tr><td>envp["PATH"]="/"</td><td><a href="#string_comparison">String</a></td><td>Environment variable PATH is defined and its value is "/"</td></tr>
1159     <tr><td>envp["PATH"]!="/"</td><td><a href="#string_comparison">String</a></td><td>Either<br>&nbsp;&nbsp;&nbsp;&nbsp;Environment variable PATH is not defined<br>or<br>&nbsp;&nbsp;&nbsp;&nbsp;Environment variable PATH is defined but its value is not "/"</td></tr>
1160     <tr><td>envp["PATH"]=@ENV_PATH_VALUES</td><td><a href="#string_comparison">String</a></td><td>Environment variable PATH is defined and its value matches one of strings in string_group ENVP_PATH_VALUES group</td></tr>
1161     <tr><td>envp["PATH"]!=@ENV_PATH_VALUES</td><td><a href="#string_comparison">String</a></td><td>Either<br>&nbsp;&nbsp;&nbsp;&nbsp;Environment variable PATH is not defined<br>or<br>&nbsp;&nbsp;&nbsp;&nbsp;Environment variable PATH is defined but its value matches none of strings in string_group ENVP_PATH_VALUES group</td></tr>
1162     <tr><td>envp["PATH"]=NULL</td><td>None</td><td>Environment variable PATH is not defined</td></tr>
1163     <tr><td>envp["PATH"]!=NULL</td><td>None</td><td>Environment variable PATH is not defined</td></tr>
1164     </table>
1165    
1166     <p>Applications can pass a string data up to 32 * PAGE_SIZE bytes to each envp[]. But due to difficulty of allocating contiguous memory in the kernel, only up to 4085 bytes can be checked using variable "envp["$name"]". If you want to check strictly, please consider using handler= argument of "allow " lines in "acl execute" block.</p>
1167    
1168     <h3><a name="dac_permission_comparison">2.7. Conditional expressions which handle file's DAC permissions</a></h3>
1169    
1170     <p>When checking permissions for file related operations, it is possible to check its DAC permissions if the file already exists as of permission check.
1171     Below table assumes that the variable name for referencing the requested pathname is "path".</p>
1172    
1173     <p>Value of DAC permissions can be referenced using variable "path.perm", and its value is between 0 and 07777. Although it is possible to do normal <a href="#integer_comparison">numeric comparison</a>, below constants are provided in order to make it easier to compare whether specific bit is set or not.</p>
1174    
1175     <table border="1">
1176     <tr><td>Constant</td><td>Value ranges that match </td></tr>
1177     <tr><td>setuid</td><td>Values where bitwise AND between path.perm and 04000 are 04000. (i.e. 04000-07777)</td></tr>
1178     <tr><td>setgid</td><td>Values where bitwise AND between path.perm and 02000 are 02000. (i.e. 02000-03777 06000-07777)</td></tr>
1179     <tr><td>sticky</td><td>Values where bitwise AND between path.perm and 01000 are 01000. (i.e. 01000-01777 03000-03777 05000-05777 07000-07777)</td></tr>
1180     <tr><td>owner_read</td><td>Values where bitwise AND between path.perm and 00400 are 00400. (e.g. 00400-00777 01400-01777 02400-02777)</td></tr>
1181     <tr><td>owner_write</td><td>Values where bitwise AND between path.perm and 00200 are 00200. (e.g. 00200-00377 00600-00777 01200-01377)</td></tr>
1182     <tr><td>owner_execute</td><td>Values where bitwise AND between path.perm and 00100 are 00100. (e.g. 00100-00177 00300-00377 00500-00577)</td></tr>
1183     <tr><td>group_read</td><td>Values where bitwise AND between path.perm and 00040 are 00040. (e.g. 00040-00077 00140-00177 00240-00277)</td></tr>
1184     <tr><td>group_write</td><td>Values where bitwise AND between path.perm and 00020 are 00020. (e.g. 00020-00037 00060-00077 00120-00137)</td></tr>
1185     <tr><td>group_execute</td><td>Values where bitwise AND between path.perm and 00010 are 00010. (e.g. 00010-00017 00030-00037 00050-00057)</td></tr>
1186     <tr><td>others_read</td><td>Values where bitwise AND between path.perm and 00004 are 00004. (e.g. 00004-00007 00014-00017 00024-00027)</td></tr>
1187     <tr><td>others_write</td><td>Values where bitwise AND between path.perm and 00002 are 00002. (e.g. 00002-00003 00006-00007 00012-00013)</td></tr>
1188     <tr><td>others_execute</td><td>Values where bitwise AND between path.perm and 00001 are 00001. (e.g. 00001 00003 00005 00007 00011 00013)</td></tr>
1189     </table>
1190    
1191     <p>Below are some examples that use constants.</p>
1192    
1193     <table border="1">
1194     <tr><td>Conditions example</td><td>Permissions of file referenced by variable "path"</td><td>Comparison result</td></tr>
1195     <tr><td>path.perm=setuid</td><td>04755</td><td>Matches</td></tr>
1196     <tr><td>path.perm!=setuid</td><td>04755</td><td>Does not match</td></tr>
1197     <tr><td>path.perm=setuid path.perm=setgid path.perm=sticky</td><td>0755</td><td>Does not match</td></tr>
1198     <tr><td>path.perm!=setuid path.perm!=setgid path.perm!=sticky</td><td>0755</td><td>Matches</td></tr>
1199     </table>
1200    
1201     <h3><a name="file_type_comparison">2.8. Conditional expressions which handle file's type</a></h3>
1202    
1203     <p>When checking permissions for file related operations, it is possible to check its type if the file already exists as of permission check.
1204     Below table assumes that the variable name for referencing the requested pathname is "path".</p>
1205    
1206     <p>Type of a file can be referenced using variable "path.type", and its value takes one of "file", "directory", "socket", "fifo", "block", "char", "symlink".</p>
1207    
1208     <table border="1">
1209     <tr><td>Possible conditions</td><td>Type of file referenced by variable "path"</td><td>Comparison result</td></tr>
1210     <tr><td>path.type=file</td><td>Regular file</td><td>Matches</td></tr>
1211     <tr><td>path.type!=file</td><td>Other than regular file</td><td>Matches</td></tr>
1212     <tr><td>path.type=directory</td><td>Directory</td><td>Matches</td></tr>
1213     <tr><td>path.type!=directory</td><td>Other than directory</td><td>Matches</td></tr>
1214     <tr><td>path.type=socket</td><td>Unix domain socket</td><td>Matches</td></tr>
1215     <tr><td>path.type!=socket</td><td>Other than Unix domain socket</td><td>Matches</td></tr>
1216     <tr><td>path.type=fifo</td><td>FIFO</td><td>Matches</td></tr>
1217     <tr><td>path.type!=fifo</td><td>Other than FIFO</td><td>Matches</td></tr>
1218     <tr><td>path.type=block</td><td>Block device file</td><td>Matches</td></tr>
1219     <tr><td>path.type!=block</td><td>Other than block device file</td><td>Matches</td></tr>
1220     <tr><td>path.type=char</td><td>Character device file</td><td>Matches</td></tr>
1221     <tr><td>path.type!=char</td><td>Other than character device file</td><td>Matches</td></tr>
1222     <tr><td>path.type=symlink</td><td>Symbolic link</td><td>Matches</td></tr>
1223     <tr><td>path.type!=symlink</td><td>Other than symbolic link</td><td>Matches</td></tr>
1224     </table>
1225    
1226     <h3><a name="file_attributes_comparison">2.9. Conditional expressions which handle file's attributes</a></h3>
1227    
1228     <p>When checking permissions for file related operations, it is possible to check its attributes if the file already exists as of permission check.
1229     Below table assumes that the variable name for referencing the requested pathname is "path".</p>
1230    
1231     <table border="1">
1232     <tr><td>Variable's name</td><td>Comparison method</td><td>Meaning</td></tr>
1233     <tr><td>path.uid</td><td><a href="#integer_comparison">Numeric</a></td><td>Owner ID</td></tr>
1234     <tr><td>path.gid</td><td><a href="#integer_comparison">Numeric</a></td><td>Group ID</td></tr>
1235     <tr><td>path.ino</td><td><a href="#integer_comparison">Numeric</a></td><td>i-node number on the filesystem</td></tr>
1236     <tr><td>path.major</td><td><a href="#integer_comparison">Numeric</a></td><td>Device major number on the filesystem</td></tr>
1237     <tr><td>path.minor</td><td><a href="#integer_comparison">Numeric</a></td><td>Device minor number on the filesystem</td></tr>
1238     <tr><td>path.perm</td><td><a href="#dac_permission_comparison">Permission</a></td><td>DAC permissions</td></tr>
1239     <tr><td>path.type</td><td><a href="#file_type_comparison">File's type</a></td><td>Type of the file</td></tr>
1240     <tr><td>path.dev_major</td><td><a href="#integer_comparison">Numeric</a></td><td>Device major number of the file if path.type=block or path.type=char</td></tr>
1241     <tr><td>path.dev_minor</td><td><a href="#integer_comparison">Numeric</a></td><td>Device minor number of the file if path.type=block or path.type=char</td></tr>
1242     <tr><td>path.fsmagic</td><td><a href="#integer_comparison">Numeric</a></td><td>Magic number of filesystem</td></tr>
1243     </table>
1244    
1245     <p>When checking permissions for file related operations, it is possible to also check its parent directory's attributes.
1246     Below table assumes that the variable name for referencing the requested pathname is "path".</p>
1247    
1248     <table border="1">
1249     <tr><td>Variable's name</td><td>Comparison method</td><td>Meaning</td></tr>
1250     <tr><td>path.parent.uid</td><td><a href="#integer_comparison">Numeric</a></td><td>Owner ID</td></tr>
1251     <tr><td>path.parent.gid</td><td><a href="#integer_comparison">Numeric</a></td><td>Group ID</td></tr>
1252     <tr><td>path.parent.ino</td><td><a href="#integer_comparison">Numeric</a></td><td>i-node number on the filesystem</td></tr>
1253     <tr><td>path.parent.major</td><td><a href="#integer_comparison">Numeric</a></td><td>Device major number on the filesystem</td></tr>
1254     <tr><td>path.parent.minor</td><td><a href="#integer_comparison">Numeric</a></td><td>Device minor number on the filesystem</td></tr>
1255     <tr><td>path.parent.perm</td><td><a href="#dac_permission_comparison">Permission</a></td><td>DAC permissions</td></tr>
1256     <tr><td>path.parent.fsmagic</td><td><a href="#integer_comparison">Numeric</a></td><td>Magic number of filesystem</td></tr>
1257     </table>
1258    
1259     <p>It does not make sense to use path.parent.type path.parent.dev_major path.parent.dev_minor because path.parent is always a directory.</p>
1260    
1261     <p>If path refers a mount point (root of directory entry tree within that partition), path.parent refers the same path rather than referring mount point's parent.</p>
1262    
1263     <h2><a name="syntax_list">3. List of syntaxes sorted by operations</a></h2>
1264    
1265     <table border="1">
1266     <tr><td>Operation</td><td>Meaning</td><td>Available variables</td><td>Content of variable</td><td>Related man pages</td></tr>
1267    
1268     <tr><td rowspan="11">execute</td><td rowspan="11">Execute a program</td><td><a href="#string_comparison">path</a></td><td>Requested program's pathname</td><td rowspan="11">execve(2)</td></tr>
1269     <tr><td><a href="#file_attributes_comparison">path.$attribute</a></td><td>Attributes of an object referenced by variable "path"</td></tr>
1270     <tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</tr>
1271     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1272     <tr><td><a href="#string_comparison">exec</a></td><td>Requested program's pathname, but maybe a symbolic link</td></tr>
1273     <tr><td><a href="#integer_comparison">argc</a></td><td>Number of command line arguments passed to this request</td></tr>
1274     <tr><td><a href="#integer_comparison">envc</a></td><td>Number of environment variables arguments</td></tr>
1275     <tr><td><a href="#argv_comparison">argv[$index]</a></td><td>$index'th (0 &lt;= $index &lt; argc) value of command line arguments</td></tr>
1276     <tr><td><a href="#envp_comparison">envp["$name"]</a></td><td>Value of environment variable named $name</td></tr>
1277     <tr><td>handler</td><td>Pathname of a wrapper program for preprocessing (available to only "allow" lines)</td></tr>
1278     <tr><td>transition</td><td>New domainname to transit to if operation was successful (available to only "allow" lines)</td></tr>
1279    
1280     <tr><td rowspan="4">read</td><td rowspan="4">Open a pathname for reading</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="4">open(2)</td></tr>
1281     <tr><td><a href="#file_attributes_comparison">path.$attribute</a></td><td>Attributes of an object referenced by variable "path"</td></tr>
1282     <tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr>
1283     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1284    
1285     <tr><td rowspan="4">write</td><td rowspan="4">Open a pathname for writing</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="4">open(2)</td></tr>
1286     <tr><td><a href="#file_attributes_comparison">path.$attribute</a></td><td>Attributes of an object referenced by variable "path"</td></tr>
1287     <tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr>
1288     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1289    
1290     <tr><td rowspan="4">append</td><td rowspan="4">Open a pathname for appending</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="4">open(2)</td></tr>
1291     <tr><td><a href="#file_attributes_comparison">path.$attribute</a></td><td>Attributes of an object referenced by variable "path"</td></tr>
1292     <tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr>
1293     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1294    
1295     <tr><td rowspan="4">create</td><td rowspan="4">Create a regular file</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="4">open(2), mknod(2)</td></tr>
1296     <tr><td><a href="#integer_comparison">perm</a></td><td>DAC permissions of a new object referenced by variable "path"</td></tr>
1297     <tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr>
1298     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1299    
1300     <tr><td rowspan="4">unlink</td><td rowspan="4">Delete a non directory pathname</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="4">unlink(2)</td></tr>
1301     <tr><td><a href="#file_attributes_comparison">path.$attribute</a></td><td>Attributes of an object referenced by variable "path"</td></tr>
1302     <tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr>
1303     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1304    
1305     <tr><td rowspan="4">getattr</td><td rowspan="4">Get attributes of a pathname</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="4">stat(2)</td></tr>
1306     <tr><td><a href="#file_attributes_comparison">path.$attribute</a></td><td>Attributes of an object referenced by variable "path"</td></tr>
1307     <tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr>
1308     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1309    
1310     <tr><td rowspan="4">mkdir</td><td rowspan="4">Create a directory</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="4">mkdir(2)</td></tr>
1311     <tr><td><a href="#integer_comparison">perm</a></td><td>DAC permissions of a new object referenced by variable "path"</td></tr>
1312     <tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr>
1313     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1314    
1315     <tr><td rowspan="4">rmdir</td><td rowspan="4">Delete a directory pathname</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="4">rmdir(2)</td></tr>
1316     <tr><td><a href="#file_attributes_comparison">path.$attribute</a></td><td>Attributes of an object referenced by variable "path"</td></tr>
1317     <tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr>
1318     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1319    
1320     <tr><td rowspan="4">mkfifo</td><td rowspan="4">Create a FIFO</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="4">mknod(2)</td></tr>
1321     <tr><td><a href="#integer_comparison">perm</a></td><td>DAC permissions of a new object referenced by variable "path"</td></tr>
1322     <tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr>
1323     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1324    
1325     <tr><td rowspan="4">mksock</td><td rowspan="4">Create a Unix domain socket</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="4">mknod(2)</td></tr>
1326     <tr><td><a href="#integer_comparison">perm</a></td><td>DAC permissions of a new object referenced by variable "path"</td></tr>
1327     <tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr>
1328     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1329    
1330     <tr><td rowspan="4">truncate</td><td rowspan="4">Truncate a regular file</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="4">open(2), truncate(2)</td></tr>
1331     <tr><td><a href="#file_attributes_comparison">path.$attribute</a></td><td>Attributes of an object referenced by variable "path"</td></tr>
1332     <tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr>
1333     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1334    
1335     <tr><td rowspan="4">symlink</td><td rowspan="4">Create a symbolic link</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="4">symlink(2)</td></tr>
1336     <tr><td><a href="#string_comparison">target</a></td><td>Symbolic link's content</td></tr>
1337     <tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr>
1338     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1339    
1340     <tr><td rowspan="6">mkblock</td><td rowspan="6">Create a block device file</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="6">mknod(2)</td></tr>
1341     <tr><td><a href="#integer_comparison">perm</a></td><td>DAC permissions of a new object referenced by variable "path"</td></tr>
1342     <tr><td><a href="#integer_comparison">dev_major</a></td><td>Major device number of a new object referenced by variable "path"</td></tr>
1343     <tr><td><a href="#integer_comparison">dev_minor</a></td><td>Minor device number of a new object referenced by variable "path"</td></tr>
1344     <tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr>
1345     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1346    
1347     <tr><td rowspan="6">mkchar</td><td rowspan="6">Create a character device file</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="6">mknod(2)</td></tr>
1348     <tr><td><a href="#integer_comparison">perm</a></td><td>DAC permissions of a new object referenced by variable "path"</td></tr>
1349     <tr><td><a href="#integer_comparison">dev_major</a></td><td>Major device number of a new object referenced by variable "path"</td></tr>
1350     <tr><td><a href="#integer_comparison">dev_minor</a></td><td>Minor device number of a new object referenced by variable "path"</td></tr>
1351     <tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr>
1352     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1353    
1354     <tr><td rowspan="6">link</td><td rowspan="6">Create a link</td><td><a href="#string_comparison">old_path</a></td><td>Link source's pathname</td><td rowspan="6">link(2)</td></tr>
1355     <tr><td><a href="#string_comparison">new_path</a></td><td>Link target's pathname</td></tr>
1356     <tr><td><a href="#file_attributes_comparison">old_path.$attribute</a></td><td>Attributes of an object referenced by variable "old_path"</td></tr>
1357     <tr><td><a href="#file_attributes_comparison">old_path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr>
1358     <tr><td><a href="#file_attributes_comparison">new_path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr>
1359     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1360    
1361     <tr><td rowspan="6">rename</td><td rowspan="6">Rename a pathname</td><td><a href="#string_comparison">old_path</a></td><td>Old pathname</td><td rowspan="6">rename(2)</td></tr>
1362     <tr><td><a href="#string_comparison">new_path</a></td><td>New pathname</td></tr>
1363     <tr><td><a href="#file_attributes_comparison">old_path.$attribute</a></td><td>Attributes of an object referenced by variable "old_path"</td></tr>
1364     <tr><td><a href="#file_attributes_comparison">old_path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr>
1365     <tr><td><a href="#file_attributes_comparison">new_path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr>
1366     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1367    
1368     <tr><td rowspan="5">chmod</td><td rowspan="5">Change DAC's permission</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="5">chmod(2)</td></tr>
1369     <tr><td><a href="#integer_comparison">perm</a></td><td>New DAC permissions of an object referenced by variable "path"</td></tr>
1370     <tr><td><a href="#file_attributes_comparison">path.$attribute</a></td><td>Attributes of an object referenced by variable "path"</td></tr>
1371     <tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr>
1372     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1373    
1374     <tr><td rowspan="5">chown</td><td rowspan="5">Change DAC's owner ID</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="5">chown(2)</td></tr>
1375     <tr><td><a href="#integer_comparison">uid</a></td><td>New DAC owner ID of an object referenced by variable "path"</td></tr>
1376     <tr><td><a href="#file_attributes_comparison">path.$attribute</a></td><td>Attributes of an object referenced by variable "path"</td></tr>
1377     <tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr>
1378     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1379    
1380     <tr><td rowspan="5">chgrp</td><td rowspan="5">Change DAC's group ID</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="5">chown(2)</td></tr>
1381     <tr><td><a href="#integer_comparison">gid</a></td><td>New DAC group ID of an object referenced by variable "path"</td></tr>
1382     <tr><td><a href="#file_attributes_comparison">path.$attribute</a></td><td>Attributes of an object referenced by variable "path"</td></tr>
1383     <tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr>
1384     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1385    
1386     <tr><td rowspan="5">ioctl</td><td rowspan="5">Use ioctl request</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="5">ioctl(2)</td></tr>
1387     <tr><td><a href="#integer_comparison">cmd</a></td><td>Command number for ioctl request</td></tr>
1388     <tr><td><a href="#file_attributes_comparison">path.$attribute</a></td><td>Attributes of an object referenced by variable "path"</td></tr>
1389     <tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr>
1390     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1391    
1392     <tr><td rowspan="4">chroot</td><td rowspan="4">Change root directory</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="4">chroot(2)</td></tr>
1393     <tr><td><a href="#file_attributes_comparison">path.$attribute</a></td><td>Attributes of an object referenced by variable "path"</td></tr>
1394     <tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr>
1395     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1396    
1397     <tr><td rowspan="9">mount</td><td rowspan="9">Mount a filesystem</td><td><a href="#string_comparison">source</a></td><td>Source name if filesystem name is one of "--bind", "--move" or a filesystem that requires device file. Unavailable otherwise.</td><td rowspan="9">mount(2)</td></tr>
1398     <tr><td><a href="#string_comparison">target</a></td><td>Mount point or target name</td></tr>
1399 kumaneko 15 <tr><td><a href="#string_comparison">fstype</a></td><td>Filesystem name, determined by below order.<br>
1400 kumaneko 10 <ol>
1401     <li>"--remount" if mount flags contains MS_REMOUNT flag</li>
1402     <li>"--bind" if mount flags contains MS_BIND flag</li>
1403     <li>"--make-shared" if mount flags contains MS_SHARED flag</li>
1404     <li>"--make-private" if mount flags contains MS_PRIVATE flag</li>
1405     <li>"--make-slave" if mount flags contains MS_SLAVE flag</li>
1406     <li>"--make-unbindable" if mount flags contains MS_UNBINDABLE flag</li>
1407     <li>"--move" if mount flags contains MS_MOVE flag</li>
1408     <li>name of filesystem</li>
1409     </ol>
1410     </td></tr>
1411     <tr><td><a href="#integer_comparison">flags</a></td><td>Mount flags</td></tr>
1412     <tr><td><a href="#string_comparison">data</a></td><td>Mount options not in mount flags argument (e.g. "errors=remount-ro"). This variable is not available to filesystems that require binary mount options (e.g."nfs", "coda", "ncpfs"). Also, this variable is available only if filesystem type is either "--remount" or name of filesystem.</td></tr>
1413     <tr><td><a href="#file_attributes_comparison">source.$attribute</a></td><td>Attributes of an object referenced by variable "source" when variable "source" references a valid pathname</td></tr>
1414     <tr><td><a href="#file_attributes_comparison">source.parent.$attribute</a></td><td>Attributes of parent directory of an object referenced by variable "source" when variable "source" references a valid pathname</td></tr>
1415     <tr><td><a href="#file_attributes_comparison">target.$attribute</a></td><td>Attributes of an object referenced by variable "target"</td></tr>
1416     <tr><td><a href="#file_attributes_comparison">target.parent.$attribute</a></td><td>Attributes of parent directory of an object referenced by variable "target"</td></tr>
1417     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1418    
1419     <tr><td rowspan="5">unmount</td><td rowspan="5">Unmount a filesystem</td><td><a href="#string_comparison">path</a></td><td>Requested pathname</td><td rowspan="5">umount(2)</td></tr>
1420     <tr><td><a href="#integer_comparison">flags</a></td><td>Unmount flags</td></tr>
1421     <tr><td><a href="#file_attributes_comparison">path.$attribute</a></td><td>Attributes of an object referenced by variable "path"</td></tr>
1422     <tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</td></tr>
1423     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1424    
1425     <tr><td rowspan="7">pivot_root</td><td rowspan="7">Exchange root directory</td><td><a href="#string_comparison">new_root</a></td><td>New root directory</td><td rowspan="7">pivot_root(2)</td></tr>
1426     <tr><td><a href="#string_comparison">put_old</a></td><td>Location to place old root directory</td></tr>
1427     <tr><td><a href="#file_attributes_comparison">new_root.$attribute</a></td><td>Attributes of an object referenced by variable "new_root"</td></tr>
1428     <tr><td><a href="#file_attributes_comparison">new_root.parent.$attribute</a></td><td>Attributes of parent directory of an object referenced by variable "new_root"</td></tr>
1429     <tr><td><a href="#file_attributes_comparison">put_old.$attribute</a></td><td>Attributes of an object referenced by variable "put_old"</td></tr>
1430     <tr><td><a href="#file_attributes_comparison">put_old.parent.$attribute</a></td><td>Attributes of parent directory of an object referenced by variable "put_old"</td></tr>
1431     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1432    
1433     <tr><td rowspan="3">inet_stream_bind</td><td rowspan="3">Binding PF_INET/PF_INET6+SOCK_STREAM socket</td><td><a href="#ipaddr_comparison">ip</a></td><td>IPv4 or IPv6 address</td><td rowspan="3">bind(2), ip(7), ipv6(7)</td></tr>
1434     <tr><td><a href="#integer_comparison">port</a></td><td>Port number</td></tr>
1435     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1436    
1437     <tr><td rowspan="3">inet_stream_listen</td><td rowspan="3">Listening PF_INET/PF_INET6+SOCK_STREAM socket</td><td><a href="#ipaddr_comparison">ip</a></td><td>IPv4 or IPv6 address</td><td rowspan="3">listen(2), ip(7), ipv6(7)</td></tr>
1438     <tr><td><a href="#integer_comparison">port</a></td><td>Port number</td></tr>
1439     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1440    
1441     <tr><td rowspan="3">inet_stream_connect</td><td rowspan="3">Connecting PF_INET/PF_INET6+SOCK_STREAM socket</td><td><a href="#ipaddr_comparison">ip</a></td><td>IPv4 or IPv6 address</td><td rowspan="3">connect(2), ip(7), ipv6(7)</td></tr>
1442     <tr><td><a href="#integer_comparison">port</a></td><td>Port number</td></tr>
1443     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1444    
1445     <tr><td rowspan="3">inet_stream_accept</td><td rowspan="3">Accepting PF_INET/PF_INET6+SOCK_STREAM socket</td><td><a href="#ipaddr_comparison">ip</a></td><td>IPv4 or IPv6 address</td><td rowspan="3">accept(2), ip(7), ipv6(7)</td></tr>
1446     <tr><td><a href="#integer_comparison">port</a></td><td>Port number</td></tr>
1447     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1448    
1449     <tr><td rowspan="3">inet_dgram_bind</td><td rowspan="3">Binding PF_INET/PF_INET6+SOCK_DGRAM socket</td><td><a href="#ipaddr_comparison">ip</a></td><td>IPv4 or IPv6 address</td><td rowspan="3">bind(2), ip(7), ipv6(7)</td></tr>
1450     <tr><td><a href="#integer_comparison">port</a></td><td>Port number</td></tr>
1451     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1452    
1453     <tr><td rowspan="3">inet_dgram_send</td><td rowspan="3">Sending AF_INET/AF_INET6 datagrams</td><td><a href="#ipaddr_comparison">ip</a></td><td>IPv4 or IPv6 address</td><td rowspan="3">sendmsg(2), ip(7), ipv6(7)</td></tr>
1454     <tr><td><a href="#integer_comparison">port</a></td><td>Port number</td></tr>
1455     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1456    
1457     <tr><td rowspan="3">inet_dgram_recv</td><td rowspan="3">Receiving AF_INET/AF_INET6 datagrams</td><td><a href="#ipaddr_comparison">ip</a></td><td>IPv4 or IPv6 address</td><td rowspan="3">recvmsg(2), ip(7), ipv6(7)</td></tr>
1458     <tr><td><a href="#integer_comparison">port</a></td><td>Port number</td></tr>
1459     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1460    
1461     <tr><td rowspan="3">inet_raw_bind</td><td rowspan="3">Binding PF_INET/PF_INET6+SOCK_RAW socket</td><td><a href="#ipaddr_comparison">ip</a></td><td>IPv4 or IPv6 address</td><td rowspan="3">bind(2), raw(7)</td></tr>
1462     <tr><td><a href="#integer_comparison">proto</a></td><td>Protocol number</td></tr>
1463     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1464    
1465     <tr><td rowspan="3">inet_raw_send</td><td rowspan="3">Sending AF_INET/AF_INET6 packets</td><td><a href="#ipaddr_comparison">ip</a></td><td>IPv4 or IPv6 address</td><td rowspan="3">sendmsg(2), raw(7)</td></tr>
1466     <tr><td><a href="#integer_comparison">proto</a></td><td>Protocol number</td></tr>
1467     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1468    
1469     <tr><td rowspan="3">inet_raw_recv</td><td rowspan="3">Receiving AF_INET/AF_INET6 packets</td><td><a href="#ipaddr_comparison">ip</a></td><td>IPv4 or IPv6 address</td><td rowspan="3">recvmsg(2), raw(7)</td></tr>
1470     <tr><td><a href="#integer_comparison">proto</a></td><td>Protocol number</td></tr>
1471     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1472    
1473     <tr><td rowspan="2">unix_stream_bind</td><td rowspan="2">Binding PF_UNIX+SOCK_STREAM socket</td><td><a href="#string_comparison">addr</a></td><td>Unix domain socket address</td><td rowspan="2">bind(2), unix(7)</td></tr>
1474     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1475    
1476     <tr><td rowspan="2">unix_stream_listen</td><td rowspan="2">Listening PF_UNIX+SOCK_STREAM socket</td><td><a href="#string_comparison">addr</a></td><td>Unix domain socket address</td><td rowspan="2">listen(2), unix(7)</td></tr>
1477     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1478    
1479     <tr><td rowspan="2">unix_stream_connect</td><td rowspan="2">Connecting PF_UNIX+SOCK_STREAM socket</td><td><a href="#string_comparison">addr</a></td><td>Unix domain socket address</td><td rowspan="2">connect(2), unix(7)</td></tr>
1480     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1481    
1482     <tr><td rowspan="2">unix_stream_accept</td><td rowspan="2">Accepting PF_UNIX+SOCK_STREAM socket</td><td><a href="#string_comparison">addr</a></td><td>Unix domain socket address</td><td rowspan="2">accept(2), unix(7)</td></tr>
1483     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1484    
1485     <tr><td rowspan="2">unix_dgram_bind</td><td rowspan="2">Binding PF_UNIX+SOCK_DGRAM socket</td><td><a href="#string_comparison">addr</a></td><td>Unix domain socket address</td><td rowspan="2">bind(2), unix(7)</td></tr>
1486     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1487    
1488     <tr><td rowspan="2">unix_dgram_send</td><td rowspan="2">Sending AF_UNIX datagrams</td><td><a href="#string_comparison">addr</a></td><td>Unix domain socket address</td><td rowspan="2">sendmsg(2), unix(7)</td></tr>
1489     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1490    
1491     <tr><td rowspan="2">unix_dgram_recv</td><td rowspan="2">Receiving AF_UNIX datagrams</td><td><a href="#string_comparison">addr</a></td><td>Unix domain socket address</td><td rowspan="2">recvmsg(2), unix(7)</td></tr>
1492     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1493    
1494     <tr><td rowspan="2">unix_seqpacket_bind</td><td rowspan="2">Binding PF_UNIX+SOCK_SEQPACKET socket</td><td><a href="#string_comparison">addr</a></td><td>Unix domain socket address</td><td rowspan="2">bind(2), unix(7)</td></tr>
1495     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1496    
1497     <tr><td rowspan="2">unix_seqpacket_listen</td><td rowspan="2">Listening PF_UNIX+SOCK_SEQPACKET socket</td><td><a href="#string_comparison">addr</a></td><td>Unix domain socket address</td><td rowspan="2">listen(2), unix(7)</td></tr>
1498     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1499    
1500     <tr><td rowspan="2">unix_seqpacket_connect</td><td rowspan="2">Connecting PF_UNIX+SOCK_SEQPACKET socket</td><td><a href="#string_comparison">addr</a></td><td>Unix domain socket address</td><td rowspan="2">connect(2), unix(7)</td></tr>
1501     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1502    
1503     <tr><td rowspan="2">unix_seqpacket_accept</td><td rowspan="2">Accepting PF_UNIX+SOCK_SEQPACKET socket</td><td><a href="#string_comparison">addr</a></td><td>Unix domain socket address</td><td rowspan="2">accept(2), unix(7)</td></tr>
1504     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1505    
1506     <tr><td rowspan="3">ptrace</td><td rowspan="3">Call ptrace() system call</td><td><a href="#integer_comparison">cmd</a></td><td>Command number</td><td rowspan="3">ptrace(2)</td></tr>
1507     <tr><td><a href="#string_comparison">domain</a></td><td>Target process's domainname</td></tr>
1508     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1509    
1510     <tr><td rowspan="2">signal</td><td rowspan="2">Send signals</td><td><a href="#integer_comparison">sig</a></td><td>Signal number</td><td rowspan="2">kill(2), tkill(2), tgkill(2), rt_sigqueueinfo(2)</td></tr>
1511     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1512    
1513     <tr><td rowspan="11">environ</td><td rowspan="11">Receive environment variables upon program execution</td><td><a href="#string_comparison">name</a></td><td>Environment variable's name</td><td rowspan="11">execve(2)</td></tr>
1514     <tr><td><a href="#string_comparison">value</a></td><td>Environment variable's value</td></tr>
1515     <tr><td><a href="#string_comparison">path</a></td><td>Requested program's pathname</td></tr>
1516     <tr><td><a href="#file_attributes_comparison">path.$attribute</a></td><td>Attributes of an object referenced by variable "path"</td></tr>
1517     <tr><td><a href="#file_attributes_comparison">path.parent.$attribute</a></td><td>Parent directory's attributes</tr>
1518     <tr><td><a href="#string_comparison">exec</a></td><td>Requested program's pathname, but maybe a symbolic link</td></tr>
1519     <tr><td><a href="#integer_comparison">argc</a></td><td>Number of command line arguments passed to this request</td></tr>
1520     <tr><td><a href="#integer_comparison">envc</a></td><td>Number of environment variables arguments</td></tr>
1521     <tr><td><a href="#argv_comparison">argv[$index]</a></td><td>$index'th (0 &lt;= $index &lt; argc) value of command line arguments</td></tr>
1522     <tr><td><a href="#envp_comparison">envp["$name"]</a></td><td>Value of environment variable named $name</td></tr>
1523     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1524    
1525     <tr><td rowspan="1">modify_policy</td><td rowspan="1">Modify policy configuration</td><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td><td rowspan="1"></td></tr>
1526    
1527     <tr><td rowspan="1">use_netlink_socket</td><td rowspan="1">Create PF_NETLINK socket</td><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td><td rowspan="1">socket(2), netlink(7)</td></tr>
1528    
1529     <tr><td rowspan="1">use_packet_socket</td><td rowspan="1">Create PF_PACKET socket</td><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td><td rowspan="1">socket(2), packet(7)</td></tr>
1530    
1531     <tr><td rowspan="1">use_reboot</td><td rowspan="1">Call reboot() system call</td><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td><td rowspan="1">reboot(2)</td></tr>
1532    
1533     <tr><td rowspan="1">use_vhangup</td><td rowspan="1">Call vhangup() system call</td><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td><td rowspan="1">vhangup(2)</td></tr>
1534    
1535     <tr><td rowspan="1">set_time</td><td rowspan="1">Set system's time</td><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td><td rowspan="1">stime(2), settimeofday(2), adjtimex(2)</td></tr>
1536    
1537     <tr><td rowspan="1">set_priority</td><td rowspan="1">Change process's priority</td><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td><td rowspan="1">nice(2), setpriority(2)</td></tr>
1538    
1539     <tr><td rowspan="1">set_hostname</td><td rowspan="1">Set host's name</td><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td><td rowspan="1">sethostname(2), setdomainname(2)</td></tr>
1540    
1541     <tr><td rowspan="1">use_kernel_module</td><td rowspan="1">Load or unload kernel modules</td><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td><td rowspan="1">init_module(2), delete_module(2)</td></tr>
1542    
1543     <tr><td rowspan="1">use_new_kernel</td><td rowspan="1">Load a new kernel</td><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td><td rowspan="1">kexec_load(2)</td></tr>
1544    
1545     <tr><td rowspan="2">manual_domain_transition</td><td rowspan="2">Change domains by writing to /proc/caitsith/self_domain</td><td><a href="#string_comparison">domain</a></td><td>Domainname to allow transition to </td><td rowspan="2"></td></tr>
1546     <tr><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td></tr>
1547    
1548     <tr><td rowspan="2">auto_domain_transition</td><td rowspan="2">Change domains automatically upon conditions are met</td><td><a href="#task_attributes_comparison">task.$attribute</a></td><td>Current thread's attributes</td><td rowspan="2"></td></tr>
1549     <tr><td>transition</td><td>New domainname to transit to if conditions are met (available to only "allow" lines)</td></tr>
1550    
1551     </table>
1552    
1553     <h2><a name="policy_syntaxes">4. Policy syntaxes</a></h2>
1554    
1555     <h3><a name="policy_structure_definition">4.1. Definition</a></h3>
1556    
1557     <p>Policy consists with two parts.</p>
1558    
1559     <p>Header part defines below lines.</p>
1560    
1561     <table border="1">
1562     <tr><td>
1563     POLICY_VERSION=20120401<br>
1564     quota memory policy $max_byte_for_policy<br>
1565     quota memory audit $max_byte_for_audit_logs<br>
1566     quota memory query $max_byte_for_query<br>
1567     quota audit[$audit_index] allowed=$max_logs_for_allowed_request unmatched=$max_logs_for_unmatched_request denied=$max_logs_for_denied_request<br>
1568     string_group $string_group_name $string_group_member<br>
1569     number_group $number_group_name $number_group_member<br>
1570     ip_group $ip_group_name $ip_group_member<br>
1571     </td></tr>
1572     </table>
1573    
1574     <ul>
1575     <li>POLICY_VERSION line defines policy version.</li>
1576     <li>$max_byte_for_policy is max amount of memory in byte which can be allocated for policy. Default is unlimited.</li>
1577     <li>$max_byte_for_audit_logs is max amount of memory in byte which can be allocated for audit logs. Default is unlimited. $max_byte_for_audit_logs=16777216 should be sufficient.</li>
1578     <li>$max_byte_for_query is max amount of memory in byte which can be allocated for interactive enforcement. Default is unlimited. $max_byte_for_audit_logs=1048576 should be sufficient.</li>
1579     <li>quota audit[$audit_index] lines (0 &lt;= $audit_index &lt;= 255) are max number of audit logs which can be held in the kernel space. $max_logs_for_allowed_request is for allowed requests. $max_logs_for_unmatched_request is for unmatched requests. $max_logs_for_denied_request is for denied requests. Default is 0. Unless you have special reasons, you should set 0 to $max_logs_for_allowed_request. Regarding $max_logs_for_unmatched_request and $max_logs_for_denied_request, 1024 should be sufficient.</li>
1580     <li>string_group $string_group_name lines define group of strings. $string_group_member is a member for $string_group_name group.</li>
1581     <li>number_group $number_group_name lines define group of numbers. $number_group_member is a member for $number_group_name group.</li>
1582     <li>ip_group $ip_group_name lines define group of IP addresses. $ip_group_member is a member for $ip_group_name group.</li>
1583     </ul>
1584    
1585     <p>ACL part is consists with 0 or more repetitions of below block.</p>
1586    
1587     <table border="1">
1588     <tr><td>
1589     $acl_priority acl $operation $conditions_to_filter<br>
1590     &nbsp;&nbsp;&nbsp;&nbsp;audit $audit_index<br>
1591     &nbsp;&nbsp;&nbsp;&nbsp;$cond_priority $decision $conditions_to_allow_or_deny
1592     </td></tr>
1593     </table>
1594    
1595     <ul>
1596     <li>A block which starts with $acl_priority determines whether to evaluate rules in this block or not.</li>
1597     <li>Blocks which start with $acl_priority can be defined as many as you need.</li>
1598     <li>$acl_priority is a priority (an integer between 0 and 65535) which controls which block should be evaluated first (among all blocks defined in the policy).</li>
1599     <li>Blocks are evaluated from smaller $acl_priority values to larger $acl_priority values.</li>
1600     <li>If two blocks have same $acl_priority value, the block which is defined first is evaluated first.</li>
1601     <li>$operation is "operation".</li>
1602     <li>$conditions_to_filter is "conditional expressions" which can be applied to "operation". Omit $conditions_to_filter to evaluate this block unconditionally.</li>
1603     <li>Access requests will be denied if one of deny lines (among all blocks defined in the policy) matches.</li>
1604     </ul>
1605    
1606     <p>$decision lines in a block is evaluated only when the block's $acl_priority line matched.</p>
1607