[tomoyo-dev-en 198] About supporting policy namespace.


Tetsuo Handa from-****@I-lov*****
Thu Apr 21 16:57:24 JST 2011


Currently, TOMOYO's policy does not support namespaces. This is not convenient
when using TOMOYO in environments that use pivot_root() (e.g. LXC containers,
http://sourceforge.jp/projects/tomoyo/lists/archive/users-en/2011-March/000274.html ),
because the pathnames of daemon programs executed inside the containers are
identical to those outside the containers, and thereby domain transition
control directives are applied in a way the administrator did not wish.
An environment created using pivot_root() is almost an independent standalone
system and should be treated separately. Therefore, I'm thinking about the
possibility of supporting namespaces for TOMOYO's policy.



Policy namespace is for containers, but would also be useful without containers.
For example, we have the "no_initialize_domain" directive, which is designed for
calling (e.g.) /usr/sbin/sendmail from (e.g.) CGI programs executed from Apache,
so that we can distinguish "for what purpose /usr/sbin/sendmail is executed
(i.e. for sending a mail and exiting, or for serving as a daemon)".
If Apache transits to a different policy namespace designed for Apache, we no
longer need the "no_initialize_domain" directive, because we know the purpose
of executing /usr/sbin/sendmail from that policy namespace is to send a mail
and exit. If Sendmail transits to a different policy namespace designed for
Sendmail, we no longer need the "no_initialize_domain" directive, because we
know the purpose of executing /usr/sbin/sendmail from that policy namespace is
to serve as a daemon. So I think making daemon programs transit to a dedicated
policy namespace will be useful even if we don't use containers.



We need to discuss specifications. Currently I'm thinking as below.

(1) Policy namespace transition behaves like chroot(), whereas domain transition
    behaves like chdir().

    A process in the root policy namespace can transit to a child of the root
    policy namespace, but no process can escape from that child once it has
    reached it.

(2) Policy namespace affects only the domain tree and domain transitions.

    It does not block IPC across policy namespaces.

Should we allow policy namespace transition twice (once for pivot_root() and
once more for daemons executed inside the container environment)? In that case,
we will have two levels of policy namespace. I call a namespace reached by
transiting from the root namespace to a child of the root namespace an
"Lv1 namespace", and a namespace reached by transiting from the child of the
root namespace to a child of that namespace an "Lv2 namespace".

Since policy namespace transition is like domain transition, I think we can do
similar things. For example, since the auto_domain_transition= parameter in the
ACL's conditional part transits the domain, an auto_namespace_transition=
parameter would transit the policy namespace. Also, "task auto_namespace_transition"
and "task manual_namespace_transition" would be possible, just like
"task auto_domain_transition" and "task manual_domain_transition".

When a policy namespace transition occurs, the process transits to the "<kernel>"
domain in that policy namespace. This behavior would be better for cases
running /sbin/init in that policy namespace. I think we can use
"task auto_domain_transition" if we want to automatically transit to (e.g.) the
"<kernel> /usr/sbin/httpd" domain when Apache reaches the policy namespace for
Apache.

Or, should the process inherit the domainname of the domain in the parent
namespace (i.e. transit to the "<kernel> /usr/sbin/sshd /bin/bash" domain in the
child namespace if the process was in the "<kernel> /usr/sbin/sshd /bin/bash"
domain in the parent namespace when the policy namespace transition occurred)?
This behavior would be better for cases not running /sbin/init in that
policy namespace. I think we can use "initialize_domain /sbin/init from any"
if we want to automatically transit to the "<kernel> /sbin/init" domain when
/sbin/init is executed.

Do we want transit_namespace/no_transit_namespace directives, like the
initialize_domain/no_initialize_domain directives, so that namespace
transition automatically occurs upon successful execve()? This might lead
administrators to specify "transit_namespace /usr/sbin/httpd from any"
in the exception policy for the root namespace (rather than
"initialize_domain /usr/sbin/httpd from any").

What do you think?
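The following is an added toy model of the semantics proposed in this post (it is not part of the post and not TOMOYO code): a chroot-like, one-way namespace transition triggered by a transit_namespace rule, and a chdir-like domain transition, applied to the Apache/sendmail case from the post. The namespace names "<root>", "<apache>" and "<sendmail>" and the dictionary layout of the exception policy are assumptions made for the illustration.

```python
# Toy model of the proposal: namespace transition is chroot-like (one way, into
# a child), domain transition is chdir-like (the executed path is appended to the
# domainname). Directive names follow the post; the namespace names "<root>",
# "<apache>" and "<sendmail>" are assumptions made for this illustration.

KERNEL = "<kernel>"
ROOT_NS = "<root>"

class Process:
    def __init__(self, ns=ROOT_NS, domain=KERNEL):
        self.ns, self.domain = ns, domain

    def state(self):
        return (self.ns, self.domain)

def execve(policy, proc, program):
    """Apply the current namespace's exception policy to one execve()."""
    rules = policy.get(proc.ns, {})
    child = rules.get("transit_namespace", {}).get(program)
    if child is not None:
        # Variant discussed in the post: land in "<kernel>" of the child
        # namespace. Only the current namespace's rules are consulted, so the
        # parent namespace can never be re-entered.
        return Process(child, KERNEL)
    if program in rules.get("initialize_domain", ()):
        return Process(proc.ns, f"{KERNEL} {program}")
    return Process(proc.ns, f"{proc.domain} {program}")

# Today: initialize_domain for both daemons, everything in one namespace.
FLAT = {ROOT_NS: {"initialize_domain": {"/usr/sbin/httpd", "/usr/sbin/sendmail"}}}

# Proposed: each daemon transits to its own policy namespace instead.
NAMESPACED = {ROOT_NS: {"transit_namespace": {"/usr/sbin/httpd": "<apache>",
                                              "/usr/sbin/sendmail": "<sendmail>"}}}

def sendmail_uses(policy):
    """States reached when (a) Apache's CGI sends mail, (b) sendmail is the daemon."""
    init = execve(policy, Process(), "/sbin/init")
    httpd = execve(policy, init, "/usr/sbin/httpd")
    via_apache = execve(policy, httpd, "/usr/sbin/sendmail")
    daemon = execve(policy, init, "/usr/sbin/sendmail")
    return via_apache.state(), daemon.state()

def escapes_namespace(policy):
    """True if a process inside "<apache>" can reach any other namespace."""
    inside = execve(policy, Process(), "/usr/sbin/httpd")
    programs = policy[ROOT_NS]["transit_namespace"]
    return any(execve(policy, inside, p).ns != "<apache>" for p in programs)
```

With FLAT both sendmail executions collapse into the same "<kernel> /usr/sbin/sendmail" domain, which is why no_initialize_domain is needed today; with NAMESPACED the two uses are told apart by namespace alone, and no execve() inside "<apache>" leads back out.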



