Author Topic: [How-To] Application oriented firewall simple and easy using Tomoyo MAC  (Read 585 times)


QtAndNice (topic starter)

To edit all the files described below and to execute any of the described commands you need local root access rights.

NOTE:
The firewall setting works as a white list: when you're done with this tutorial, any Internet access to or from any application on your computer will be blocked by default.
You will need to enable it explicitly for selected applications by using tomoyo-editpolicy and changing their profile from 0 to 1, as simple as that.

If you have already configured Tomoyo, go to step 6.

Step 1:
Edit /boot/grub/grub.cfg

You have to add security=tomoyo TOMOYO_trigger=/sbin/init to your boot entry as shown below:
Quote
### BEGIN /etc/grub.d/10_linux ###
menuentry 'Manjaro Linux (Kernel: 3.9.11-1-MANJARO x64)' --class manjaro --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-3.9.11-1-MANJARO x64-true-blablablablablablablablabla' {
        savedefault
        load_video
        set gfxpayload=keep
        insmod gzio
        insmod part_gpt
        insmod ext2
        set root='hd3,gpt2'
        if [ x$feature_platform_search_hint = xy ]; then
          search --no-floppy --fs-uuid --set=root --hint-bios=hd3,gpt2 --hint-efi=hd3,gpt2 --hint-baremetal=ahci3,gpt2  blablablablablablablablabla
        else
          search --no-floppy --fs-uuid --set=root blablablablablablablablabla
        fi
        echo    'Loading Linux 3.9.11-1-MANJARO x64 ...'
        linux   /vmlinuz-39-x86_64 root=UUID=00000000-0000-0BLA00-0000-000000000 rw   resume=UUID=blablablablablablablablatimebla9848944984 security=tomoyo TOMOYO_trigger=/sbin/init
        echo    'Loading initial ramdisk ...'
        initrd  /initramfs-39-x86_64.img
}

Step 2:
Edit /etc/default/grub

Add security=tomoyo TOMOYO_trigger=/sbin/init to your boot entry as shown below:
Quote
GRUB_DEFAULT=saved
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Manjaro"
GRUB_CMDLINE_LINUX_DEFAULT=" resume=UUID=00000000-0000-0BLA00-0000-000000000 security=tomoyo TOMOYO_trigger=/sbin/init"
GRUB_CMDLINE_LINUX=""

# If you want to enable the save default function, uncomment the following
# line, and set GRUB_DEFAULT to saved.
GRUB_SAVEDEFAULT=true

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"
...

Step 3:
Install tomoyo-tools
Type in the terminal:
Code:
pacman -S tomoyo-tools
Step 4:
Reboot your OS.

Step 5:
Initialize tomoyo default configs and profiles
Type in the terminal:
Code:
/usr/lib/tomoyo/init_policy
Step 6:
Edit /etc/tomoyo/policy/current/profile.conf and import or override your entries with the following:
Code:
PROFILE_VERSION=20110903
0-COMMENT=-----block network inet-----
0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
0-CONFIG={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network::unix_stream_bind={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network::unix_stream_listen={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network::unix_stream_connect={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network::unix_dgram_bind={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network::unix_dgram_send={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network::unix_seqpacket_bind={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network::unix_seqpacket_listen={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network::unix_seqpacket_connect={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network={ mode=enforcing grant_log=no reject_log=yes }
1-COMMENT=-----allow all-----
1-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
1-CONFIG={ mode=disabled grant_log=no reject_log=no }
2-COMMENT=-----Permissive Mode-----
2-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
2-CONFIG={ mode=permissive grant_log=no reject_log=yes }
3-COMMENT=-----Enforcing Mode-----
3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }

Step 7:
Reboot your OS.

USAGE:
You can edit any rule by executing:
Code:
tomoyo-editpolicy
Then, by pressing s you can change an application's profile: 0 = block all Internet access, 1 = allow all Internet access.
You can exit the policy editor by pressing q.

NOTE:
After any change you make to the policy you need to save it to disk; to do so, just type in the terminal:
Code:
tomoyo-savepolicy
NOTE:
Before you can allow an application, you have to run it at least once; that way Tomoyo notes the application's existence.

NOTE:
To find an application a bit quicker in Tomoyo's policy editor, just press f while in the policy editor, type the first few letters of the application and press Enter;
press n to look for the next occurrence of the application in the domain policy list.

IF YOU STILL DON'T HAVE A CLUE HOW TO USE TOMOYO's POLICY EDITOR:
READ THE DOCUMENTATION:
http://tomoyo.sourceforge.jp/2.5/index.html.en

« Last Edit: 27. September 2013, 09:48:48 by QtAndNice »
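An added example, not part of QtAndNice's post: a small POSIX shell script that parses a profile.conf laid out like the one in step 6, reports the mode Tomoyo effectively applies per profile and operation (showing that profile 0 blocks inet sockets while leaving Unix sockets untouched), and checks the kernel command line for security=tomoyo. It assumes Tomoyo's specific-before-general precedence (N-CONFIG::category::operation over N-CONFIG::category over N-CONFIG) and runs on a constructed sample; load_profile and the other function names are mine, not Tomoyo's.

```shell
#!/bin/sh
# Added example, not from the original post: check a TOMOYO profile.conf laid
# out like the one in step 6 (profile 0 = block inet, profile 1 = allow all)
# and confirm the kernel was booted with security=tomoyo.

# Constructed sample in the post's layout.  On a real box call
# load_profile /etc/tomoyo/policy/current/profile.conf instead.
PROFILE_CONF='PROFILE_VERSION=20110903
0-COMMENT=-----block network inet-----
0-CONFIG={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network::unix_stream_connect={ mode=disabled grant_log=no reject_log=no }
0-CONFIG::network={ mode=enforcing grant_log=no reject_log=yes }
1-COMMENT=-----allow all-----
1-CONFIG={ mode=disabled grant_log=no reject_log=no }'

# Replace the built-in sample with the contents of a real profile.conf.
load_profile() { PROFILE_CONF=$(cat "$1"); }

# Print the mode= value of one exact key, or nothing if the key is absent.
lookup_mode() {
    printf '%s\n' "$PROFILE_CONF" |
        sed -n "s/^$1={ *mode=\([a-z]*\).*/\1/p" | head -n 1
}

# Effective mode for an operation in a profile.  Assumption: TOMOYO uses the
# most specific line, N-CONFIG::cat::op, then N-CONFIG::cat, then N-CONFIG.
effective_mode() {  # usage: effective_mode 0 network::inet_stream_connect
    prof=$1 op=$2 category=${2%%::*}
    for key in "$prof-CONFIG::$op" "$prof-CONFIG::$category" "$prof-CONFIG"; do
        m=$(lookup_mode "$key")
        [ -n "$m" ] && { printf '%s\n' "$m"; return 0; }
    done
    printf 'unknown\n'
    return 1
}

# True when the kernel command line ($1, default /proc/cmdline) enables TOMOYO.
tomoyo_booted() {
    grep -qE '(^| )security=tomoyo( |$)' "${1:-/proc/cmdline}"
}

# Report what profile 0 really does: inet blocked, unix sockets still allowed,
# everything outside the network category left alone.
for op in network::inet_stream_connect network::unix_stream_connect file::execute; do
    printf 'profile 0  %-30s %s\n' "$op" "$(effective_mode 0 "$op")"
done
tomoyo_booted && echo "kernel booted with security=tomoyo" \
              || echo "WARNING: security=tomoyo missing from kernel command line"
```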