[tomoyo-users-en 435] Useful scripts for version 2.3

Boruch Baum boruch_baum****@yahoo*****
Mon Nov 14 06:20:05 JST 2011


I'm evaluating tomoyo 2.3 in debian wheezy. Here are two scripts that I've found useful. Because I'm not sure whether or how this list supports attachments, I'm also pasting the scripts in-line. I have no idea whether these will work for version 2.5, but they are basically awk scripts, and should be easy to modify, as you wish. Hope it's helpful.




1 _tomoyo-policy-sort
================

Helps identify what domains are in need of patternizing, and which may be candidates for domain-transition.

Usage hints:
1] No admin privileges are required to run the script. It DOES require read-access to a domain_policy file, and defaults to /etc/tomoyo/domain_policy.conf.
2] Run the script with no parameters to see how many rules there are for each domain in /etc/tomoyo/domain_policy.conf, sorted by increasing number of rules. So, the most likely candidates for patternizing will display at the end of the output.
3] Run the script with the -d parameter to get the same output as above, but sorted by the last element of the domains and nicely columnated for display in a browser/editor WITHOUT wordwrap. Use this to easily see duplicate executables, which would be the first step to considering a domain for domain-transition.

2 _tomoyo_patternize_home
=====================
Since there are many configuration and other files in users' $HOME directory, and patternizing them manually is cumbersome, this script automates the process. It should be followed with a 'tomoyo-checkpolicy' invocation, of course.



==============================
BEGIN SCRIPT #1 -  _tomoyo-policy-sort
==============================
#!/bin/bash
SCRIPT_VERSION="1.0, written for tomoyo v2.3"
#
# Tomoyo Policy Count / Sort
#
# Usage: _tomoyo-policy-sort [ [-d|-n] [-r] [file] ] | -v | -h
# OPTIONS
# -d  sort by domain
# -n  sort by number of policies (default)
# -r  raw (no columnation, headers, separators)
# -v  version
# -h  usage information
# The default input file is /etc/tomoyo/domain_policy.conf

# This script reads a tomoyo domain.conf file,
# counts the number of rules of each policy, and
# sorts the output either numerically, by the
# number of rules per domain, or alphabetically,
# by the final element in the domain path (the
# executable).
#
# When sorting alphabetically by executable, the
# output is displayed in a nicely columnated
# format for viewing in a non-wordwrap browser
# or editor.
#
# Written by: Boruch Baum <boruc****@user*****>
# No warranties ...
# Use at your own risk  ...
# License: OpenGPL2 ...
# Include author info when redistributing ...

function usage_message {
      echo -e "\n_tomoyo-policy-sort: count rules and sort a domain.conf file\nUSAGE: _tomoyo-policy-sort [ [-d|-n] [-r] [file] ] | -v | -h\nOPTIONS:\n -d  sort by domain\n -n  sort by number of policies (default)\n -r  raw (no columnation, headers, separators)\n -v  version\n -h  usage information\n The default input file is /etc/tomoyo/domain_policy.conf\nVERSION: $SCRIPT_VERSION\n"
   }


function error_message {
      echo "error: a parameter is invalid or file unreadable: "$myparm
      usage_message
   }

SORT_OPTION="number"
DECORATION="TRUE"
POLICY_FILENAME="/etc/tomoyo/domain_policy.conf"

for myparm in "$@" ;do case $myparm in
-h|--help   ) usage_message; exit;;
-v|--version) echo "version "$SCRIPT_VERSION; exit;;
-d          ) SORT_OPTION="domain";; 
-n          ) ;;
-r          ) DECORATION="FALSE";;
*           ) if [[ -r "$myparm" ]]; then
                 POLICY_FILENAME=$myparm
              else
                 error_message
                 exit
              fi
              ;;
esac; done



if [[ "$SORT_OPTION" == "domain" ]] ; then
awk ' BEGIN {DOMAIN = ""; DOMAIN_PATH = ""; FIRST=1}
      /^</  {LAST = FNR ; TOTAL = LAST - FIRST
             if ( TOTAL > 3 ) print DOMAIN, TOTAL-3, DOMAIN_PATH
             DOMAIN=$NF; DOMAIN_PATH=$0; FIRST=FNR+1
            }
      END   {LAST = FNR ; TOTAL = LAST - FIRST + 1   # last domain runs to end of file
             if ( TOTAL > 3 ) print DOMAIN, TOTAL-3, DOMAIN_PATH
            }
    ' "$POLICY_FILENAME" | sort | \
awk -v decoration="$DECORATION" \
    ' BEGIN {if ( decoration == "TRUE" ) {
             UNDERLINE="------"
             printf "%6s  %s \\ %s\n", "Size", "Executable", "Domain Path" }}
      decoration == "TRUE" && DOMAIN != $1 {
             printf "%6s  %s \\ %s\n", UNDERLINE, UNDERLINE, UNDERLINE}
      {DOMAIN=$1; printf "%6i  %s \\ %s\n", $2, $1, substr($0,index($0,"<"))} ' | \
column -s"\\" -t


else # Sort numerically by number of rules per domain
awk ' BEGIN {DOMAIN = ""; FIRST=1}
      /^</  {LAST = FNR ; TOTAL = LAST - FIRST
             if ( TOTAL > 3 ) printf("%6i  %s\n",TOTAL-3,DOMAIN)
             DOMAIN=$0; FIRST=FNR+1
            }
      END   {LAST = FNR ; TOTAL = LAST - FIRST + 1   # last domain runs to end of file
             if ( TOTAL > 3 ) printf("%6i  %s\n",TOTAL-3,DOMAIN)
            }
    ' "$POLICY_FILENAME" | sort -n
fi

============================
END SCRIPT #1 -  _tomoyo-policy-sort
============================


================================
BEGIN SCRIPT #2 - _tomoyo-patternize-home
================================
#!/bin/bash
SCRIPT_VERSION="1.0, written for tomoyo v2.3"
#
# Tomoyo Policy Patternize $HOME
#
# USAGE: _tomoyo-patternize-home [ [-i|-a] [-c|-A] [file] | -v | -h ]
# OPTIONS
# -i  interactive (prompts for each action) (default)
# -a  automatic (no prompting)
# -c  configuration files only (default)
# -A  all files
# -v  version
# -h  usage information
# The default input file is /etc/tomoyo/domain_policy.conf
# The default output file is ./domain_policy.conf.new


# The idea is to offer a variant on patternizing to account for the special case of user home directories, in which what is desired is to globally or selectively patternize just the user directory name for many (or all) user directory configuration files. I know that last sentence may sound unclear; what I mean is to have a simple way to patternize "/home/\*/foo/bar", without having to tell the script what "foo/bar" is.

# Written by: Boruch Baum <boruc****@user*****>
# No warranties ...
# Use at your own risk  ...
# License: OpenGPL2 ...
# Include author info when redistributing ...

function usage_message {
      echo -e "\nTomoyo Policy Patternize \$HOME: patternize just the \$HOME directory\nUSAGE: _tomoyo-patternize-home [ [-i|-a] [-c|-A] [file] | -v | -h ]\nOPTIONS:\n -i  interactive (prompts for each action) (default)\n -a  automatic (no prompting)\n -c  configuration files only (default)\n -A  all files\n -v  version\n -h  usage information\n The default input file is /etc/tomoyo/domain_policy.conf\n The default output file is ./domain_policy.conf.new\nVERSION: $SCRIPT_VERSION\n"
   }

function error_message {
      echo "error: a parameter is invalid or file unreadable: "$myparm
      usage_message
   }


POLICY_FILENAME="/etc/tomoyo/domain_policy.conf"
OUTPUT_FILENAME="domain_policy.conf.new"
MODE="interactive"
FILESPEC="config-only"

for myparm in "$@" ;do case $myparm in
-h|--help   ) usage_message; exit;;
-v|--version) echo "version "$SCRIPT_VERSION; exit;;
-i          ) MODE="interactive";; 
-a          ) MODE="automatic";;
-c          ) FILESPEC="config-only";;
-A          ) FILESPEC="all-files";;
*           ) if [[ -r "$myparm" ]]; then
                 POLICY_FILENAME=$myparm
              else
                 error_message
                 exit
              fi
              ;;
esac; done

if [[ $MODE == "interactive" ]] ; then

# Patterns for the two file specs: every /home/<user>/ path, or only the
# dotfiles directly under it. REPL uses \\ so that sed emits the TOMOYO
# wildcard \* in the output.
if [[ "$FILESPEC" == "all-files" ]] ; then
   MATCH=' /home/[^/]*/'   ; REPL=' /home/\\*/'
else
   MATCH=' /home/[^/]*/\.' ; REPL=' /home/\\*/.'
fi

exec 3< "$POLICY_FILENAME"
: > "$OUTPUT_FILENAME"
# read -r keeps the backslashes of already patternized rules (e.g. \*) intact;
# the policy is read on fd 3 so that the y/n prompts can read the terminal.
while IFS= read -r REPLY <&3 || [[ -n $REPLY ]] ; do
   if [[ $REPLY == "<"* ]] ; then
      DOMAIN=$REPLY
      printf '%s\n' "$DOMAIN" >> "$OUTPUT_FILENAME"
      continue
   fi
   RULE=$REPLY
   if grep -q -e "$MATCH" <<<"$RULE" ; then
      REPLY="-"
      until [[ $REPLY == [yn] ]] ; do
         echo -e "\n\nDOMAIN: $DOMAIN\nRULE: $RULE"
         read -rs -n 1 -p "Do you want to patternize? y/n " REPLY
         echo
      done
      if [[ $REPLY == "y" ]] ; then
         RULE=$( sed "s|$MATCH|$REPL|g" <<<"$RULE" )
      fi
   fi
   printf '%s\n' "$RULE" >> "$OUTPUT_FILENAME"
done
exec 3<&-
exit

else # [[ $MODE == "automatic" ]]

# Portable awk (no gawk gensub needed, so it also runs under Debian's mawk):
# rewrite the path argument(s) of every rule, replacing /home/<user>/ with
# the TOMOYO pattern /home/\*/. In config-only mode, only paths to dotfiles
# directly under $HOME are rewritten.
awk -v file_spec="$FILESPEC" '
      BEGIN { home = "^/home/[^/]*/"; dotfile = "^/home/[^/]*/\\." }
      /^</  { print; next }          # domain line: copy through unchanged
      {
         # $2 and $3 are the path argument(s) of a rule (allow_rename has two)
         for (i = 2; i <= 3 && i <= NF; i++) {
            if ($i !~ home) continue
            if (file_spec == "config-only" && $i !~ dotfile) continue
            sub(home, "/home/\\\\*/", $i)
         }
         print
      }
    ' "$POLICY_FILENAME"

fi
===============================
END SCRIPT #2 - _tomoyo-patternize-home
===============================
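The /home/<user>/ to /home/\*/ rewrite that _tomoyo-patternize-home performs, shown for both file specs on constructed tomoyo 2.3 rule lines; this is an added example, not part of the original post or its attachments, and assumes only a POSIX sh and sed.

```shell
#!/bin/sh
# Added example, not the _tomoyo-patternize-home script itself: applies the
# same /home/<user>/ -> /home/\*/ rewrite to constructed sample rules so the
# "all-files" and "config-only" behaviours can be compared side by side.

# patternize_rule RULE FILESPEC   (FILESPEC: all-files | config-only)
# In the BRE, "[^/]*" is the user name; "\\*" in the replacement makes sed
# emit the TOMOYO wildcard "\*". Already patternized paths come back unchanged.
patternize_rule() {
   case $2 in
      all-files)   printf '%s\n' "$1" | sed 's| /home/[^/]*/| /home/\\*/|g' ;;
      config-only) printf '%s\n' "$1" | sed 's| /home/[^/]*/\(\.\)| /home/\\*/\1|g' ;;
      *)           printf '%s\n' "$1" ;;
   esac
}

# Constructed sample rules, one per line; the last two stay untouched in
# both modes (one is already patternized, one is not under /home at all).
SAMPLE_RULES='allow_read /home/alice/.bashrc
allow_read/write /home/alice/Documents/notes.txt
allow_rename /home/bob/.config/app.tmp /home/bob/.config/app.conf
allow_read /home/\*/.profile
allow_execute /usr/bin/vim'

# count_changed FILESPEC -> how many of the sample rules the rewrite alters
count_changed() {
   n=0
   while IFS= read -r r; do
      if [ "$(patternize_rule "$r" "$1")" != "$r" ]; then n=$((n + 1)); fi
   done <<EOF
$SAMPLE_RULES
EOF
   echo "$n"
}

# Side-by-side view of every sample rule under both file specs.
printf '%s\n' "$SAMPLE_RULES" | while IFS= read -r r; do
   printf '%s\n  all-files:   %s\n  config-only: %s\n' "$r" \
      "$(patternize_rule "$r" all-files)" "$(patternize_rule "$r" config-only)"
done
```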

