In progress of refining the Tomoyo policies for process jailing; will define a set...
[iot2.git] / localconfig / tomoyo / LabRoom.tomoyo.pol
index 2267a14..050f52a 100644 (file)
@@ -1,4 +1,4 @@
-<kernel> /usr/sbin/sshd /bin/bash /home/iotuser/iot2/iotjava/iotruntime/LabRoom<object-id>.sh /usr/bin/java
+<kernel> /usr/sbin/sshd /bin/bash /home/iotuser/iot2/iotjava/iotruntime/<object-name>.sh /usr/bin/java
 use_profile 3
 use_group 0
 
@@ -18,121 +18,35 @@ misc env SHELL
 misc env PWD
 misc env SSH_CONNECTION
 file read /etc/ld.so.preload
-file read /usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/jre/lib/arm/jli/libjli.so
-file read /usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/jre/lib/arm/jvm.cfg
-file read /usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/jre/lib/arm/client/libjvm.so
-file read /usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/jre/lib/arm/libverify.so
-file read /usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/jre/lib/arm/libjava.so
+file read /usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/jre/lib/arm/\*.so
+file read /usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/jre/lib/arm/\*.cfg
+file read /usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/jre/lib/arm/client/\*.so
+file read /usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/jre/lib/\*
+file read /usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/jre/lib/\*.jar
+file read /usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/jre/lib/ext/\*
+file read /usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/jre/lib/security/\*
+file read /usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/jre/lib/arm/jli/\*.so
+file read /usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/jre/lib/\*.jar
 network unix stream connect /var/run/nscd/socket
 file read /etc/nsswitch.conf
 file read /etc/passwd
 file create /tmp/hsperfdata_iotuser/\* 0600
 file read/write/unlink/truncate /tmp/hsperfdata_iotuser/\*
-file read /usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/jre/lib/arm/libzip.so
-file read /usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/jre/lib/meta-index
-file read /usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/jre/lib/rt.jar
 file read /sys/devices/system/cpu/online
 file read /usr/lib/locale/locale-archive
-file read /usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/jre/lib/ext/meta-index
-file write/truncate /home/iotuser/.oracle_jre_usage/81970c018e7540cf.timestamp
-file read /usr/share/java/servlet-api-2.5.jar
-file read /usr/share/java/asm-all-5.0.3.jar
-file read /usr/share/java/BoofCV-WebcamCapture-0.21.jar
-file read /usr/share/java/core-0.28.jar
-file read /usr/share/java/jurt-4.3.3.jar
-file read /usr/share/java/ridl-4.3.3.jar
-file read /usr/share/java/unoloader.jar
-file read /usr/share/java/BoofCV-xuggler-0.21-sources.jar
-file read /usr/share/java/xpp3_min-1.1.4c.jar
-file read /usr/share/java/simple-0.29.jar
-file read /usr/share/java/BoofCV-recognition-0.21-sources.jar
-file read /usr/share/java/BoofCV-feature-0.21.jar
-file read /usr/share/java/jsp-api-2.1.jar
-file read /usr/share/java/mysql-connector-java-5.1.39.jar
-file read /usr/share/java/BoofCV-jcodec-0.21-sources.jar
-file read /usr/share/java/BoofCV-visualize-0.21-sources.jar
-file read /usr/share/java/BoofCV-WebcamCapture-0.21-sources.jar
-file read /usr/share/java/GeoRegression-georegression-0.9-sources.jar
-file read /usr/share/java/el-api-2.1.jar
-file read /usr/share/java/unoil-4.3.3.jar
-file read /usr/share/java/GeoRegression-experimental-0.9-sources.jar
-file read /usr/share/java/xmlpull-1.1.3.1.jar
-file read /usr/share/java/georegression-0.10.jar
-file read /usr/share/java/BoofCV-android-0.21.jar
-file read /usr/share/java/BoofCV-ip-0.21.jar
-file read /usr/share/java/BoofCV-android-0.21-sources.jar
-file read /usr/share/java/hsqldb1.8.0-1.8.0.10+dfsg.jar
-file read /usr/share/java/BoofCV-sfm-0.21.jar
-file read /usr/share/java/BoofCV-visualize-0.21.jar
-file read /usr/share/java/BoofCV-geo-0.21-sources.jar
-file read /usr/share/java/core-0.29.jar
-file read /usr/share/java/libintl.jar
-file read /usr/share/java/BoofCV-io-0.21-sources.jar
-file read /usr/share/java/BoofCV-io-0.21.jar
-file read /usr/share/java/hsqldbutil1.8.0-1.8.0.10+dfsg.jar
-file read /usr/share/java/dense64-0.28.jar
-file read /usr/share/java/BoofCV-xuggler-0.21.jar
-file read /usr/share/java/BoofCV-learning-0.21.jar
-file read /usr/share/java/BoofCV-sfm-0.21-sources.jar
-file read /usr/share/java/zip4j_1.3.2.jar
-file read /usr/share/java/ddogleg-0.8-SNAPSHOT.jar
-file read /usr/share/java/BoofCV-openkinect-0.21.jar
-file read /usr/share/java/dense64-0.29.jar
-file read /usr/share/java/juh-4.3.3.jar
-file read /usr/share/java/jl1.0.1.jar
-file read /usr/share/java/BoofCV-jcodec-0.21.jar
-file read /usr/share/java/BoofCV-ip-0.21-sources.jar
-file read /usr/share/java/GeoRegression-experimental-0.9.jar
-file read /usr/share/java/GeoRegression-georegression-0.9.jar
-file read /usr/share/java/java-json.jar
-file read /usr/share/java/ddogleg-0.9.jar
-file read /usr/share/java/xstream-1.4.7.jar
-file read /usr/share/java/BoofCV-geo-0.21.jar
-file read /usr/share/java/java_uno.jar
-file read /usr/share/java/BoofCV-calibration-0.21.jar
-file read /usr/share/java/javac.jar
-file read /usr/share/java/BoofCV-recognition-0.21.jar
-file read /usr/share/java/checker.jar
-file read /usr/share/java/BoofCV-feature-0.21-sources.jar
-file read /usr/share/java/BoofCV-openkinect-0.21-sources.jar
-file read /usr/share/java/equation-0.29.jar
-file read /usr/share/java/simple-0.28.jar
-file read /usr/share/java/BoofCV-learning-0.21-sources.jar
-file read /usr/share/java/equation-0.28.jar
-file read /usr/share/java/BoofCV-calibration-0.21-sources.jar
-file read /home/iotuser/iot2/iotjava/iotruntime/slave/IoTSlave.class
-file read /home/iotuser/iot2/iotjava/iotruntime/IoTSlave.config
-file read /usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/jre/lib/arm/libnet.so
-file read /usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/jre/lib/net.properties
+file write/truncate /home/iotuser/.oracle_jre_usage/\*cf.timestamp
+file read /usr/share/java/\*.jar
+file read /home/iotuser/iot2/iotjava/iotruntime/\*.class
+file read /home/iotuser/iot2/iotjava/iotruntime/slave/\*.class
+file read /home/iotuser/iot2/iotjava/iotruntime/\*.config
 network inet stream connect ::ffff:<master-ip-address> <master-com-port>
-file read /home/iotuser/iot2/iotjava/iotruntime/master/RuntimeOutput.class
-file read /home/iotuser/iot2/iotjava/iotruntime/messages/MessageSendFile.class
-file read /home/iotuser/iot2/iotjava/iotruntime/messages/Message.class
-file read /home/iotuser/iot2/iotjava/iotruntime/messages/IoTCommCode.class
-file read /usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/jre/lib/security/java.security
-file read /usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/jre/lib/jsse.jar
+file read /home/iotuser/iot2/iotjava/iotruntime/master/\*.class
+file read /home/iotuser/iot2/iotjava/iotruntime/messages/\*.class
 file read /dev/random
 file read /dev/urandom
-file read /home/iotuser/iot2/iotjava/iotruntime/slave/IoTSlave$3.class
-file read /home/iotuser/iot2/iotjava/iotruntime/messages/MessageSimple.class
 file create /home/iotuser/iot2/iotjava/iotruntime/LabRoom.jar 0666
 file read/write /home/iotuser/iot2/iotjava/iotruntime/LabRoom.jar
-file read /home/iotuser/iot2/iotjava/iotruntime/messages/MessageCreateObject.class
-file read /home/iotuser/iot2/iotjava/iotcode/LabRoom/LabRoom.class
-file read /home/iotuser/iot2/iotjava/iotcode/LabRoom/Room_Skeleton.class
-file read /home/iotuser/iot2/iotjava/iotrmi/Java/IoTRMIComm.class
-file read /home/iotuser/iot2/iotjava/iotrmi/Java/IoTRMICommServer.class
-file read /home/iotuser/iot2/iotjava/iotcode/LabRoom/Room_Skeleton$1.class
-file read /home/iotuser/iot2/iotjava/iotruntime/slave/IoTSlave$1.class
-file read /home/iotuser/iot2/iotjava/iotrmi/Java/IoTRMIComm$1.class
-file read /home/iotuser/iot2/iotjava/iotrmi/Java/IoTRMIComm$2.class
-file read /home/iotuser/iot2/iotjava/iotrmi/Java/IoTRMICommServer$1.class
-file read /home/iotuser/iot2/iotjava/iotrmi/Java/IoTRMICommServer$2.class
-file read /home/iotuser/iot2/iotjava/iotrmi/Java/IoTRMICommServer$3.class
-file read /home/iotuser/iot2/iotjava/iotrmi/Java/IoTRMIUtil.class
-file read /home/iotuser/iot2/iotjava/iotrmi/Java/IoTRMITypes.class
-file read /home/iotuser/iot2/iotjava/iotrmi/Java/IoTSocketServer.class
-file read /home/iotuser/iot2/iotjava/iotrmi/Java/IoTSocket.class
+file read /home/iotuser/iot2/iotjava/iotrmi/Java/\*.class
 network inet stream bind/listen :: <rmi-stub-port>
 network inet stream bind/listen :: <rmi-reg-port>
 file ioctl socket:[family=10:type=1:protocol=6] 0x541B
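Review bot: `file read /usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/jre/lib/\*.jar` is added twice in the jre/lib group, and both copies are already subsumed by the `.../jre/lib/\*` entry added just above them — TOMOYO's `\*` matches any name that contains no `/`, so that single line already grants read on every file directly inside jre/lib (including `rt.jar`, `jsse.jar` and `meta-index`), and the two `\*.jar` lines should be dropped to keep the policy readable. The broader effect of swapping the enumerated allowlist for per-directory wildcards is that the jailed JVM can now read any jar or class that is later dropped into `/usr/share/java`, `iotruntime/`, `iotruntime/slave/`, `master/`, `messages/` and `iotrmi/Java/`; that is presumably acceptable for the JDK and system-jar directories, but the `iotruntime` tree is also where this same profile creates and writes `LabRoom.jar` with mode `0666`, so a short comment stating that the wildcard reads there are an intentional trade-off (and why 0666 is needed) would help the next person tightening this policy. The `\*cf.timestamp` pattern for `.oracle_jre_usage` looks like a leftover fragment of the hash it replaced rather than a deliberate anchor; if that file name is always a hex digest, TOMOYO's `\X` (one or more hexadecimal digits) expresses it without matching arbitrary names: `file write/truncate /home/iotuser/.oracle_jre_usage/\X.timestamp`.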