Tetsuo Handa wrote:
> Oh, thanks. I forgot to update Makefile and ccs-tools.spec .

No problem.

> I started to implement ccs-patternize logic.
> I added /etc/ccs/tools/patternize.conf and registered some patterns.
> Steps to patternize (as of revision 4182) would look like
>
> (1) Save current policy by doing
> "ccs-savepolicy -d > /etc/ccs/domain_policy.tmp".
>
> (2) Browse /etc/ccs/domain_policy.tmp and determine how to patternize.
>
> (3) Edit /etc/ccs/tools/patternize.conf as needed.
>
> (4) Convert by doing
> "ccs-patternize < /etc/ccs/domain_policy.tmp > /etc/ccs/domain_policy.new".
>
> (5) Generate diff by doing
> "ccs-diffpolicy /etc/ccs/domain_policy.tmp /etc/ccs/domain_policy.new > /etc/ccs/domain_policy.diff".
>
> (6) Browse /etc/ccs/domain_policy.diff and commit changes by doing
> "ccs-loadpolicy -d < /etc/ccs/domain_policy.diff".
>
> Currently, I implemented six types.
>
> Type 1 : Exact pathname match
>
> file_pattern proc:/self/fd/\$
>
> will replace (e.g.) proc:/self/fd/0 with proc:/self/fd/\$ .
> This is what it was until TOMOYO 1.7 .
>
> Type 2 : Heading pathname match
>
> head_pattern proc:/\$/
>
> will replace (e.g.) proc:/123/status with proc:/\$/status .
> This is intended for reducing the number of file_pattern entries by grouping
> pathnames where only the directory part needs to be patternized.
>
> Type 3 : Trailing pathname match
>
> tail_pattern /etc/mtab~\$
>
> will replace (e.g.) dev(8,1):/etc/mtab~456 with dev(8,1):/etc/mtab~\$ .
> This is intended for CONFIG_SECURITY_PATH=n kernels where we can't obtain
> absolute pathnames regarding directory entry modification operations (e.g.
> "file create" and "file rename").
>
> Type 4 : Exact pathname match with grouping
>
> path_group GROUP1 /tmp/php\?\?\?\?\?\?
>
> will replace (e.g.) /tmp/phpZjk1k3 with @GROUP1 .
> This syntax is identical with the path_group directive in exception policy.
>
> Type 5 : Exact number match with grouping
>
> number_group GROUP2 0-100
> number_group GROUP2 100-200
>
> will replace integers between 0-100 or 100-200 with @GROUP2 .
> This syntax is identical with the number_group directive in exception policy.
>
> Type 6 : Exact IP address match with grouping
>
> address_group LOCALHOST 127.0.0.1
> address_group LOCALHOST 0:0:0:0:0:0:0:1
>
> will replace IP addresses 127.0.0.1 or 0:0:0:0:0:0:0:1 with @LOCALHOST .
> This syntax is identical with the address_group directive in exception policy.
>
> Maybe we want to unify these syntaxes like (e.g.)
>
> file_pattern proc:/self/fd/\$ proc:/self/fd/\$
> head_pattern proc:/\$/ proc:/\$/
> tail_pattern /etc/mtab~\$ /etc/mtab~\$
> file_pattern @GROUP1 /tmp/php\?\?\?\?\?\?
> number_pattern @GROUP2 0-100
> number_pattern @GROUP2 100-200
> address_pattern @LOCALHOST 127.0.0.1
> address_pattern @LOCALHOST 0:0:0:0:0:0:0:1
>
> . Also, maybe we want domainname matching like ccs-auditd's sorting rule.
>
> Preferences?/Comments?/Suggestions?

Sorry, my time has been limited recently. I will have a look at this tomorrow and give some feedback.

Also, I have built Arch Linux kernels patched with ccs-patch and will soon be providing pre-built packages via Dropbox :-)

Kind regards.

_______________________________________________
tomoyo-dev-en mailing list
tomoyo-dev-en@lists.sourceforge.jp
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-dev-en
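To make the six patternize.conf types quoted above concrete, here is a small added example (not the tomoyo-tools ccs-patternize source, and not code from either poster) that reads a patternize.conf in exactly that six-directive syntax and rewrites domain policy entries the way the message describes: exact, heading and trailing pathname matches, and @GROUP substitution for pathnames, numbers and IP addresses. It goes slightly beyond the message in that it processes whole policy lines and passes domain headers and use_profile lines through untouched. Everything else is this example's assumption: only the \$ (one or more digits), \? (one non-'/' character) and \* (zero or more non-'/' characters) wildcards are handled; pathname rules are tried in patternize.conf order with the first match winning; numbers are read as hex with a 0x prefix, octal with a leading 0, otherwise decimal; and the sample patternize.conf and 1.8-style domain policy are constructed inputs, not real policy.

```python
# Toy ccs-patternize: added example, not tomoyo-tools code (assumptions are in the lead-in).
import ipaddress
import re

WILDCARDS = {"$": "[0-9]+", "?": "[^/]", "*": "[^/]*"}   # handled subset of TOMOYO wildcards

def wildcard_to_regex(pattern):
    # Escapes other than \$ \? \* are kept as the literal character they escape.
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            out.append(WILDCARDS.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "".join(out)

def parse_number(tok):
    """TOMOYO number syntax: 0x.. hex, leading 0 octal, else decimal; None if not a number."""
    base = 16 if tok[:2].lower() == "0x" else 8 if len(tok) > 1 and tok[0] == "0" else 10
    try:
        return int(tok, base)
    except ValueError:
        return None

class Patternizer:
    def __init__(self, conf_text):
        # Pathname rules are tried in conf order and the first match wins (this example's choice).
        self.paths, self.numbers, self.addrs = [], [], []
        for line in conf_text.splitlines():
            f = line.split()
            if not f or f[0].startswith("#"):
                continue
            kw = f[0]
            if kw in ("file_pattern", "head_pattern", "tail_pattern", "path_group"):
                pat, rep = (f[2], "@" + f[1]) if kw == "path_group" else (f[1], f[1])
                anchor = r"\Z" if kw == "tail_pattern" else ""   # a tail must end the token
                self.paths.append((kw, re.compile(wildcard_to_regex(pat) + anchor), rep))
            elif kw == "number_group":
                lo, _, hi = f[2].partition("-")
                self.numbers.append((parse_number(lo), parse_number(hi or lo), "@" + f[1]))
            elif kw == "address_group":
                self.addrs.append((ipaddress.ip_address(f[2]), "@" + f[1]))
            else:
                raise ValueError("unknown patternize.conf directive: " + kw)

    def patternize_token(self, tok):
        """Grouped/patternized form of one ACL argument, or tok itself if no rule applies."""
        n = parse_number(tok)
        if n is not None:
            return next((g for lo, hi, g in self.numbers if lo <= n <= hi), tok)
        try:
            addr = ipaddress.ip_address(tok)
            return next((g for ip, g in self.addrs if ip == addr), tok)
        except ValueError:
            pass                                          # not an address: try the pathname rules
        for kind, rx, rep in self.paths:
            if kind == "head_pattern":
                if m := rx.match(tok):                    # anchored at the start
                    return rep + tok[m.end():]            # keep the unmatched tail
            elif kind == "tail_pattern":
                if m := rx.search(tok):                   # regex ends in \Z, so anchored at the end
                    return tok[:m.start()] + rep          # keep the unmatched head
            elif rx.fullmatch(tok):                       # file_pattern / path_group: exact match
                return rep
        return tok

    def patternize_line(self, line):
        # Domain headers ("<kernel> ...") and use_profile/use_group lines are not ACL entries.
        if not line.strip() or line.startswith(("<", "use_")):
            return line
        return " ".join(self.patternize_token(t) for t in line.split())

def patternize_policy(conf_text, policy_text):
    return [Patternizer(conf_text).patternize_line(l) for l in policy_text.splitlines()]

# Constructed sample inputs, not real policy; the domain policy uses 1.8-style syntax.
PATTERNIZE_CONF = r"""
file_pattern proc:/self/fd/\$
head_pattern proc:/\$/
tail_pattern /etc/mtab~\$
path_group GROUP1 /tmp/php\?\?\?\?\?\?
number_group GROUP2 0-100
number_group GROUP2 100-200
address_group LOCALHOST 127.0.0.1
address_group LOCALHOST 0:0:0:0:0:0:0:1
"""
DOMAIN_POLICY = """\
<kernel> /usr/sbin/httpd
use_profile 3
file read proc:/self/fd/0
file read proc:/123/status
file create dev(8,1):/etc/mtab~456 0644
file read /tmp/phpZjk1k3
network inet stream connect 127.0.0.1 80
"""
if __name__ == "__main__":
    print("\n".join(patternize_policy(PATTERNIZE_CONF, DOMAIN_POLICY)))
```

Running it prints the converted policy, which is the /etc/ccs/domain_policy.new of step (4); the diff and commit steps (5) and (6) are left to ccs-diffpolicy and ccs-loadpolicy and are not reproduced here. Two details worth noticing: the number rule must not touch `use_profile 3` (hence the pass-through in patternize_line), and `0644` is read as octal 420, so it stays outside GROUP2 even though "644" would not.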