akarititle.png

Domain policy syntax

file execute

This directive allows execution of the specified pathname.

This example allows the domain to execute /bin/ls:

file execute /bin/ls

See also:

file read

This directive allows the domain to open the specified pathname for reading.

This example allows the domain to read "/proc/meminfo":

file read proc:/meminfo

See also:

file write

This directive allows the domain to open the specified pathname for writing.

This example allows the domain to write to "/dev/null":

file write /dev/null

See also:

file append

This directive allows the domain to append to the specified pathname.

This example allows the domain to append to the file "/var/log/auth.log":

file append /var/log/auth.log

See also:

file getattr

This directive allows the domain to get attribute information of the specified pathname.

This example allows the domain to get attribute information of the file "/dev/null":

file getattr /dev/null

See also:

file create

This directive allows the domain to create the specified file with the specified permissions.

This example allows the domain to create the file "/var/lock/subsys/crond":

file create /var/lock/subsys/crond 0644

See also:

file unlink

This directive allows the domain to delete the specified pathname.

This example allows the domain to delete the file "/var/lock/subsys/crond":

file unlink /var/lock/subsys/crond

See also:

file chown

This directive allows the domain to change the user ownership of the specified pathname to the specified UID.

This example allows the domain to change the owner of "/dev/sda" to UID=0:

file chown /dev/sda 0

See also:

file chgrp

This directive allows the domain to change group ownership of the specified pathname to the specified GID.

This example allows the domain to change the GID of "/dev/audio" to 92:

file chgrp /dev/audio 92

See also:

file chmod

This directive allows the domain to change permissions of the specified pathname to the specified octal permissions.

This example allows the domain to change the octal permissions of "/dev/mem" to 0644:

file chmod /dev/mem 0644

See also:

file mkdir

This directive allows the domain to create the specified directory with the specified permissions.

This example allows the domain to create directories that match "/tmp/logwatch.\*/":

file mkdir /tmp/logwatch.\*/ 0755

See also:

file rmdir

This directive allows the domain to delete the specified directory.

This example allows the domain to delete directories that match "/tmp/logwatch.\*/":

file rmdir /tmp/logwatch.\*/

See also:

file mkfifo

This directive allows the domain to create the specified FIFO with the specified permissions.

This example allows the domain to create the FIFO "/dev/initctl":

file mkfifo /dev/initctl 0644

See also:

file mksock

This directive allows the domain to create the specified socket with the specified permissions.

This example allows the domain to create the socket "/dev/log":

file mksock /dev/log 0755

See also:

file mkblock

This directive allows the domain to create the specified block device with the specified permissions, major number and minor number.

This example allows the domain to create the block device "/dev/loop0":

file mkblock /dev/loop0 0600 7 0

See also:

file mkchar

This directive allows the domain to create the specified character device with the specified permissions, major number and minor number.

This example allows the domain to create the character device "/dev/console":

file mkchar /dev/console 0755 5 1

See also:

file truncate

This directive allows the domain to truncate or extend the specified pathname.

This example allows the domain to truncate the contents of "/etc/mtab":

file truncate /etc/mtab

See also:

file symlink

This directive allows the domain to symlink the specified pathname.

This example allows the domain to symlink "/dev/cdrom":

file symlink /dev/cdrom

See also:

file link

This directive allows the domain to create hard link between the first and second specified pathnames.

This example allows a hard link to be created between pathnames that match "/etc/mtab~\$" and "/etc/mtab~":

file link /etc/mtab~\$ /etc/mtab~

See also:

file rename

This directive allows the domain to rename the first specified pathname to the second specified pathname.

This example allows "/etc/mtab.tmp" to be renamed "/etc/mtab":

file rename /etc/mtab.tmp /etc/mtab

See also:

file ioctl

This directive allows the domain to make an ioctl request with the specified command number. For information on the ioctl command numbers, refer to manuals provided by each module with ioctl functionality.

This example allows the domain to issue an ioctl request with command number 0x8915 (i.e. SIOCGIFADDR request) on sockets with family = 2, type = 2, protocol = 17 (i.e. UDP/IPv4 sockets):

file ioctl socket:[family=2:type=2:protocol=17] 0x8915

This example allows the domain to issue an ioctl request with command numbers between 10000 and 20000 on "/dev/null":

file ioctl /dev/null 10000-20000

See also:

file mount

This directive allows the domain to mount a filesystem with the specified devices, pathnames and options.

The syntax is: "file mount $DEVICE $MOUNTPOINT $FILESYSTEM $OPTIONS". If $FILESYSTEM requires a device file, a block device file's pathname is specified for $DEVICE. The $OPTIONS is a hexadecimal (or octal or decimal) integer expression. The following options can also be specified for $FILESYSTEM:

This example allows the domain to remount the / directory:

file mount any / --remount 0x0

This example allows the domain to mount "/dev/hdc" which was formatted as an ext3 filesystem at "/var/www/" directory:

file mount /dev/hdc /var/www/ ext3 0xF

This example allows the domain to mount a tmpfs filesystem at "/dev/shm/" directory:

file mount none /dev/shm/ tmpfs 0xE

See also:

file unmount

This directive allows the domain to unmount a filesystem from the specified pathname.

This example allows the domain to unmount the filesystem mounted at "/mnt/cdrom/" directory:

file unmount /mnt/cdrom/

See also:

file chroot

This directive allows the domain to use the specified pathname as a new / directory.

This example allows the domain to use "/var/empty/sshd/" as a new / directory:

file chroot /var/empty/sshd/

See also:

file pivot_root

This directive allows the domain to use the first specified pathname as a new / directory and bring the old / directory to the second specified pathname.

This functionality is generally used for only once for switching the / directory from initrd/initramfs to the hard drive, which generally occurs before AKARI has been activated. It is therefore unlikely that you will need this directive.

This example allows the domain to use "/proc/" as a new / directory and bring the old / directory to "/proc/ccs/" directory:

file pivot_root proc:/ proc:/ccs/

See also:

misc env

This directive allows the domain to read the specified environment variable. Many programs behave differently depending on the environment variables.

This example allows the domain to read the environment variable "LD_PRELOAD":

misc env LD_PRELOAD

network inet

This directive allows the domain to perform network socket operations.

IPv4 and IPv6 addresses are both supported.

The syntax is summarised in the following table:

Directive

Function

network inet stream bind $ADDRESS $PORT

Bind TCP sockets to specified local IP address and port

network inet stream listen $ADDRESS $PORT

Listen TCP sockets at specified local IP address and port

network inet stream accept $ADDRESS $PORT

Accept TCP sockets from specified remote IP address and port

network inet stream connect $ADDRESS $PORT

Connect TCP sockets to specified remote IP address and port

network inet dgram bind $ADDRESS $PORT

Bind UDP sockets to specified local IP address and port

network inet dgram send $ADDRESS $PORT

Send UDP packets to specified remote IP address and port

network inet raw bind $ADDRESS $PROTOCOL

Bind IP sockets for specified protocol to specified local IP address

network inet raw send $ADDRESS $PROTOCOL

Send IP packets for specified protocol to specified remote IP address

This example allows the domain to connect to port 80 on IP address 202.221.179.11:

network inet stream connect 202.221.179.11 80

See also:

network unix

This directive allows the domain to perform unix domain socket operations.

The syntax is summarised in the following table:

Directive

Function

network unix stream bind $ADDRESS

Bind byte stream sockets to specified address

network unix stream listen $ADDRESS

Listen byte stream sockets at specified address

network unix stream accept $ADDRESS

Accept byte stream sockets from specified address

network unix stream connect $ADDRESS

Connect byte stream sockets to specified address

network unix dgram bind $ADDRESS

Bind datagram sockets to specified address

network unix dgram send $ADDRESS

Send datagrams to specified address

network unix seqpacket bind $ADDRESS

Bind seqpacket sockets to specified address

network unix seqpacket listen $ADDRESS

Listen seqpacket sockets at specified address

network unix seqpacket accept $ADDRESS

Accept seqpacket sockets from specified address

network unix seqpacket connect $ADDRESS

Connect seqpacket sockets to specified address

This example allows the domain to bind to "/tmp/.X11-unix/X0" and "\000/tmp/.X11-unix/X0":

network unix stream bind /tmp/.X11-unix/X0
network unix stream bind \000/tmp/.X11-unix/X0

See also:

use_group

This directive allows the domain to inherit permissions defined for the specified group. These permissions are defined in exception policy.

This example allows the domain to read "/dev/null":

In exception policy:

acl_group 2 file read /dev/null

In domain policy:

use_group 2

use_profile

This directive is changes the profile number of the domain.

This example changes the profile number of the domain to 3:

use_profile 3

task auto_execute_handler

This directive causes executions from the domain to be handled by an external program, as specified by the directive. When an execute request is made within this domain, the specified external program is executed instead. This then decides whether it is appropriate to continue.

This example causes the program /usr/sbin/check-and-exec to be launched whenever the domain makes an execute request:

task auto_execute_handler /usr/sbin/check-and-exec

task denied_execute_handler

This directive causes an external program, as specified by the directive, to be launched when executions within the domain have been rejected by policy. Note that this directive takes effect only when an execute request was rejected by policy in enforcing mode. Even if an execute request was rejected by policy, the request will be accepted unless in enforcing mode. Use task auto_execute_handler (optionally with keep_domain) if you want to execute an external program regardless of access control mode.

This example causes the program /bin/true to be launched whenever an execution request from the domain is rejected by policy:

task denied_execute_handler /bin/true

task manual_domain_transition

This directive causes a domain transition to occur when the application writes a domain name to the "/proc/ccs/self_domain" interface. This can be used to split permissions without requiring an execution, but the application must be modified to write to the interface at the appropriate time.

This example causes a domain transition to the "<kernel> //apache /www.tomoyo00.com" domain to occur when "<kernel> //apache /www.tomoyo00.com" is written to "/proc/ccs/self_domain" by the domain:

task manual_domain_transition <kernel> //apache /www.tomoyo00.com

task auto_domain_transition

This directive causes a domain transition to occur when the specified conditions have been met. This can be used to split permissions without requiring an execution.

This example causes a domain transition to the "<kernel> //non-root-session" domain to occur when the task UID becomes non-root:

task auto_domain_transition <kernel> //non-root-session task.uid!=0

quota_exceeded

This directive indicates that the domain has failed to append an entry while in "Learning Mode" due to the "max_learning_entry" value being reached.

transition_failed

This directive indicates that a process within this domain was not able to undergo a domain transition following an execute request.

This problem occurs, in order to avoid access denials by AKARI unless enforcing mode is used, due to AKARI accepting program execution requests unless enforcing mode even if domain transition has failed. The cause of this problem is either the name of the domain being too long, or the kernel being unable to allocate memory. To fix this problem, either suppress domain transitions or increase the memory quota which AKARI can use.