Monitor interactions between processes
secpolmonitor [-acnpqrsv] [-f name] [-i time] [-o file] [-S ability-name]
QNX Neutrino
Use the secpolmonitor utility to trace interactions between processes, and as input to determine requirements for the security policy. It is a target-based utility, monitoring what processes do with regard to attaching to the path space as well as the procmgr abilities they require.
See the Security Developers Guide for more information about:
To run this example, start a system that has no policy installed. After the system boots, compile the following policy with the secpolcompile utility:
type default; allow_attach default /...; allow_link default /...; type fs_t; type fs_user_t; type fs_nonuser_t; allow_attach fs_t { /dev/fsF* / /fsFp0 }; allow fs_t self:ability { RSRCDBMGR IO }; allow fs_t fs_t:channel connect; allow fs_user_t fs_t:channel connect; allow_link fs_nonuser_t /tmp/libc*; allow fs_nonuser_t self:channel connect; allow fs_nonuser_t self:ability io; allow fs_user_t self:ability io;The rules for default in this policy minimize its impact on other components and permit the secpolmonitor utility to be started and stopped. Place the binary policy in /proc/boot/secpol.bin so that the secpol and the secpolmonitor utilities can find it.
Install the policy as follows:
secpol -p
secpolmonitor -apOr, run it to also show successful uses of abilities and path space changes:
secpolmonitor -apsThe first secpolmonitor command helps to debug problems and produces less output, while the second option gives a better idea of all the things that are going on.
Start devf-ram using the wrong type (for example, fsuser_t):
on -T fs_user_t devf-ram -i15
It fails:
unable to attach mounter: Operation not permitted
The following secpolmonitor output indicates that devf-ram is missing the path space ability:
error: sbin/devf-ram (pid:2670618) type fs_user_t lacks ability PATHSPACE as root
However, it is not enough to give the process these abilities. Try the command again with the type fs_nonuser_t (which does have io and pathspace abilities):
on -T fs_nonuser_t devf-ram -i15
The output from on is:
unable to attach mounter: Permission deniedThe secpolmonitor output indicates why:
error: sbin/devf-ram (pid:2773018) of type fs_nonuser_t failed to attach to path /: no rule
To start up devf-ram successfully, use the fs_t type and follow up by running flashctl to initialize and mount its file system:
on -T fs_t devf-ram -i15 on -T fs_t flashctl -p /dev/fsFp0 -e -f -m
Run secpolmonitor with the -s option (to show non-error events). The output shows some of the abilities it has used as well as the path space changes that have occurred:
info: sbin/devf-ram (pid:2809882) type fs_t uses ability IO as root info: sbin/devf-ram (pid:2809882) type fs_t uses ability PUBLIC_CHANNEL as root info: sbin/devf-ram (pid:2809882) type fs_t uses ability PATHSPACE as root info: sbin/devf-ram (pid:2809882) of type fs_t attached channel to path /dev/fsF info: sbin/devf-ram (pid:2809882) of type fs_t attached channel to path /fsFp0 info: sbin/devf-ram (pid:2809882) of type fs_t attached channel to path /dev/fsFp0Now, try to use the file system with fs_nonuser_t:
on -T fs_nonuser_t touch /fsFp0/file
The output from on is:
/fsFp0/file: Operation not permitted
The following secpolmonitor output indicates why:
error: usr/bin/touch (pid:2936859) type fs_nonuser_t lacks ability CHANNEL_CONNECT(1) (fs_t) as root
Try it again, but with the fs_user_t type:
on -T fs_user_t touch /fsFp0/file
It succeeds. The secpolmonitor utility shows the following successful use of the channel_connect ability:
info: usr/bin/touch (pid:2949147) type fs_user_t uses ability CHANNEL_CONNECT(1) (fs_t) as root
If type fs_nonuser_t tries to create procmgr symbolic links, the following on commands succeed (or fail) depending on the path for the symbolic link. For example:
on -T fs_nonuser_t ln -sPf /proc/boot/libc.so.4 /tmp/libc.so.4 on -T fs_nonuser_t ln -sPf /proc/boot/libc.so.4 /tmp/notlibc.so.4
The output from on is:
ln: unable to link. (/proc/boot/libc.so.4 or /tmp/notlibc.so.4): Permission denied
It includes the following output from the secpolmonitor utility:
info: proc/boot/ln (pid:2961435) of type fs_nonuser_t created link to path /tmp/libc.so.4 error: proc/boot/ln (pid:2973723) of type fs_nonuser_t failed to attach to path /tmp/notlibc.so.4: no rule