Jamie Nguyen wrote:
> Tetsuo Handa wrote:
> > OK. Then, you can watch http://tomoyo.sourceforge.jp/incoming/namespace.avi .
>
> Looks great! :-)
OK. I reconsidered the specification a bit.

Since the domainname starts with "<$namespace>", /proc/ccs/domain_policy and
/etc/ccs/domain_policy.conf do not require a "namespace <$namespace>" separator.
So, I decided to add the "namespace <$namespace>" separator to only
/proc/ccs/exception_policy /proc/ccs/profile /proc/ccs/manager and
/etc/ccs/exception_policy.conf /etc/ccs/profile.conf /etc/ccs/manager.conf .

As of revision 4971, the sequence to add a new namespace and policy is like

  # echo '<apache>' | ccs-loadpolicy -n
  # (echo 'namespace <apache>' ; echo '/bin/bash' ) | ccs-loadpolicy -m
  # (echo 'namespace <apache>' ; echo '0-COMMENT=hello' ) | ccs-loadpolicy -p
  # (echo 'namespace <apache>' ; echo 'acl_group 0 file read /foo' ) | ccs-loadpolicy -e

and the output after adding these entries looks like

  # cat /proc/ccs/manager
  namespace <kernel>
  /usr/sbin/ccs-loadpolicy
  /usr/sbin/ccs-editpolicy
  /usr/sbin/ccs-setlevel
  /usr/sbin/ccs-setprofile
  /usr/sbin/ccs-queryd
  namespace <apache>
  /bin/bash

  # cat /proc/ccs/profile
  namespace <kernel>
  PROFILE_VERSION=20100903
  0-COMMENT=-----Disabled Mode-----
  0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
  0-CONFIG={ mode=disabled grant_log=no reject_log=yes }
  1-COMMENT=-----Learning Mode-----
  1-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
  1-CONFIG={ mode=learning grant_log=no reject_log=yes }
  2-COMMENT=-----Permissive Mode-----
  2-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
  2-CONFIG={ mode=permissive grant_log=no reject_log=yes }
  3-COMMENT=-----Enforcing Mode-----
  3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
  3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }
  namespace <apache>
  PROFILE_VERSION=20100903
  0-COMMENT=hello
  0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
  0-CONFIG={ mode=disabled grant_log=yes reject_log=yes }

  # cat /proc/ccs/exception_policy
  namespace <kernel>
  aggregator /etc/rc.d/rc\?.d/\?\+\+messagebus /etc/rc.d/init.d/messagebus
  aggregator /etc/rc.d/rc\?.d/\?\+\+haldaemon /etc/rc.d/init.d/haldaemon
  aggregator /etc/rc.d/rc\?.d/\?\+\+dovecot /etc/rc.d/init.d/dovecot
  (...snipped...)
  acl_group 0 file ioctl @ANY_PATHNAME @COMMON_IOCTL_CMDS
  acl_group 0 file read @ANY_DIRECTORY
  acl_group 0 file getattr @ANY_PATHNAME
  namespace <apache>
  acl_group 0 file read /foo

The "namespace <$namespace>" line serves as a namespace separator.

As I said before, if we add a "namespace <$namespace>" line to
/proc/ccs/exception_policy /proc/ccs/profile /proc/ccs/manager , these files
become no longer sortable by /bin/sort (i.e. stateful). But since $namespace is
a single word whereas a domainname is multiple words, we can safely identify the
"namespace <$namespace>" sequence within a line. If we add a
"namespace <$namespace>" prefix to each line of these files like

  # echo '<apache>' | ccs-loadpolicy -n
  # echo 'namespace <apache> /bin/bash' | ccs-loadpolicy -m
  # echo 'namespace <apache> 0-COMMENT=hello' | ccs-loadpolicy -p
  # echo 'namespace <apache> acl_group 0 file read /foo' | ccs-loadpolicy -e

and make the output like

  # cat /proc/ccs/manager
  namespace <kernel> /usr/sbin/ccs-loadpolicy
  namespace <kernel> /usr/sbin/ccs-editpolicy
  namespace <kernel> /usr/sbin/ccs-setlevel
  namespace <kernel> /usr/sbin/ccs-setprofile
  namespace <kernel> /usr/sbin/ccs-queryd
  namespace <apache> /bin/bash

  # cat /proc/ccs/profile
  namespace <kernel> PROFILE_VERSION=20100903
  namespace <kernel> 0-COMMENT=-----Disabled Mode-----
  namespace <kernel> 0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
  namespace <kernel> 0-CONFIG={ mode=disabled grant_log=no reject_log=yes }
  namespace <kernel> 1-COMMENT=-----Learning Mode-----
  namespace <kernel> 1-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
  namespace <kernel> 1-CONFIG={ mode=learning grant_log=no reject_log=yes }
  namespace <kernel> 2-COMMENT=-----Permissive Mode-----
  namespace <kernel> 2-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
  namespace <kernel> 2-CONFIG={ mode=permissive grant_log=no reject_log=yes }
  namespace <kernel> 3-COMMENT=-----Enforcing Mode-----
  namespace <kernel> 3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
  namespace <kernel> 3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }
  namespace <apache> PROFILE_VERSION=20100903
  namespace <apache> 0-COMMENT=hello
  namespace <apache> 0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 enforcing_penalty=0 }
  namespace <apache> 0-CONFIG={ mode=disabled grant_log=yes reject_log=yes }

  # cat /proc/ccs/exception_policy
  namespace <kernel> aggregator /etc/rc.d/rc\?.d/\?\+\+messagebus /etc/rc.d/init.d/messagebus
  namespace <kernel> aggregator /etc/rc.d/rc\?.d/\?\+\+haldaemon /etc/rc.d/init.d/haldaemon
  namespace <kernel> aggregator /etc/rc.d/rc\?.d/\?\+\+dovecot /etc/rc.d/init.d/dovecot
  (...snipped...)
  namespace <kernel> acl_group 0 file ioctl @ANY_PATHNAME @COMMON_IOCTL_CMDS
  namespace <kernel> acl_group 0 file read @ANY_DIRECTORY
  namespace <kernel> acl_group 0 file getattr @ANY_PATHNAME
  namespace <apache> acl_group 0 file read /foo

, these files remain sortable by /bin/sort (i.e. stateless). The sum of lines in
/proc/ccs/exception_policy + /proc/ccs/profile + /proc/ccs/manager is generally
much fewer than the lines in /proc/ccs/domain_policy . Maybe the
"namespace <$namespace>" prefix is fine.

Both the "namespace <$namespace>" line and the "namespace <$namespace>" prefix
are hidden from users when browsing/editing via ccs-editpolicy . Also, we can
make the "namespace <$namespace>" prefix omissible when we use only the <kernel>
namespace.

The "namespace <$namespace>" line and the "namespace <$namespace>" prefix, which
do you like to use?

Well, the "namespace <$namespace>" line/prefix for /proc/ccs/manager might be
confusing. But do we want to specify different manager programs/domains for
different namespaces at all?
Is namespace for /proc/ccs/manager useful?

_______________________________________________
tomoyo-dev-en mailing list
tomoyo-dev-en@lists.sourceforge.jp
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-dev-en
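The two layouts compared in the mail above, as an added example that is not part of tomoyo-tools or of the mail: a small Python converter between the "namespace <$namespace>" separator-line form and the per-line prefix form, run over a constructed sample modelled on the exception_policy listing. It shows concretely why the separator form is stateful (sorting it silently moves the <apache> entry under <kernel>) while the prefix form survives /bin/sort, and treats a missing prefix as <kernel>, as the mail proposes.

```python
# Added example (not tomoyo-tools code): convert ccs policy text between the
# separator layout (a "namespace <name>" line opens a block) and the prefix
# layout (every line carries "namespace <name> "), and show why only the
# prefix layout survives /bin/sort.  A namespace is one word in <>, so the
# prefix is recognisable per line without any parser state.
import re

_SEP_RE = re.compile(r"^namespace (<[^\s<>]+>)$")
_PREFIX_RE = re.compile(r"^namespace (<[^\s<>]+>) (.+)$")


def separator_to_prefix(text, default="<kernel>"):
    """Separator layout -> prefix layout; lines before any separator are
    attributed to `default` (the mail suggests <kernel> may be implicit)."""
    current, out = default, []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _SEP_RE.match(line)
        if m:
            current = m.group(1)
        else:
            out.append("namespace %s %s" % (current, line))
    return "\n".join(out)


def prefix_to_separator(text, default="<kernel>"):
    """Prefix layout -> separator layout, grouping by namespace in first-seen
    order (sorted and unsorted input give the same groups); a line with no
    prefix is taken as belonging to `default`."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _PREFIX_RE.match(line)
        ns, body = (m.group(1), m.group(2)) if m else (default, line)
        groups.setdefault(ns, []).append(body)
    out = []
    for ns, lines in groups.items():
        out.append("namespace " + ns)
        out.extend(lines)
    return "\n".join(out)


# Constructed sample in separator layout, modelled on the exception_policy
# listing in the mail (not a real /proc/ccs dump).
SAMPLE_SEPARATOR = """\
namespace <kernel>
acl_group 0 file read @ANY_DIRECTORY
acl_group 0 file getattr @ANY_PATHNAME
namespace <apache>
acl_group 0 file read /foo
"""
```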