Jamie Nguyen wrote:
> Tetsuo Handa wrote:
> > The "namespace <$namespace>" line and the "namespace <$namespace>" prefix,
> > which do you like to use?
>
> Prefix looks like a good approach to me.
>
OK. I reconsidered the specification a bit.

As of revision 5040, I have diff.txt and diff2.txt . The former introduced
/proc/ccs/namespace for adding new namespaces and reading namespace list.
But as I modify userland tools, I came to feel that maintaining
/etc/ccs/policy/current/namespace.conf that contains only the list of
namespace (e.g. "<kernel>", "<apache>") and implementing "ccs-loadpolicy -n"
and "ccs-savepolicy -n" are wasteful. Thus, I removed /proc/ccs/namespace from
the latter. Instead, I changed to create a new namespace when new <$namespace>
prefix is used for the first time.

> > Well, the "namespace <$namespace>" line/prefix for /proc/ccs/manager might
> > be confusing. But do we want to specify different manager programs/domains
> > for different namespace at all? Is namespace for /proc/ccs/manager useful?

Also, I decided not to introduce namespace support for /proc/ccs/manager .

Now, there is no need to use "namespace <$namespace>" prefix, for regarding
/proc/ccs/exception_policy and /proc/ccs/profile , no line starts with '<'.
"<$namespace>" prefix alone (rather than "namespace <$namespace>") is enough.

To summarize, specification for diff2.txt is:

 (1) Allow using "<$namespace>" prefix in addition to conventional "<kernel>"
     prefix when creating domains in /proc/ccs/domain_policy.

 (2) Domain's namespace is defined as the first word of the domainname.

 (3) Allow using "<$namespace>" prefix in /proc/ccs/exception_policy and
     /proc/ccs/profile .

 (4) Namespace for $namespace is created when "<$namespace>" prefix is used
     for the first time. "<kernel>" is the built-in namespace.

 (5) If there are namespaces other than "<kernel>" namespace,
     /proc/ccs/exception_policy and /proc/ccs/profile add "<$namespace>"
     prefix to each line. Otherwise, /proc/ccs/exception_policy and
     /proc/ccs/profile do not add "<kernel>" prefix to each line.

 (6) Policy editor automatically adds "<$namespace>" prefix to each line when
     writing to /proc/ccs/exception_policy and /proc/ccs/profile .

 (7) Policy editor automatically filters by "<$namespace>" prefix on each line
     when reading from /proc/ccs/exception_policy and /proc/ccs/profile and
     /proc/ccs/domain_policy .

 (8) Policy editor provides namespace selector screen by collecting all
     "<$namespace>" prefix found in /proc/ccs/domain_policy and
     /proc/ccs/exception_policy and /proc/ccs/profile .

 (9) ccs-loadpolicy and ccs-savepolicy do not implement "-n" option because
     /proc/ccs/namespace is not provided.

(10) "move_namespace" and "no_move_namespace" (which take same syntax for
     "initialize_namespace" etc.) are introduced for namespace transition upon
     execve().
     (Do we prefer "change_namespace" or "transit_namespace" ?)

(11) auto_namespace_transition="<$namespace>" (like
     auto_domain_transition="/virtual/pathname" ) is introduced for namespace
     transition upon permission granted.
     (Do we prefer auto_namespace_change="<$namespace>" or
     auto_domain_transition="<$namespace>" ?)
     (Does it sound strange to allow changing both namespace and domain by
     "task auto_domain_transition"/"task manual_domain_transition" ?)

I'll remove diff.txt unless you prefer /proc/ccs/namespace interface.

_______________________________________________
tomoyo-dev-en mailing list
tomoyo-dev-en@lists.sourceforge.jp
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-dev-en
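
Added example, not part of the original message and not ccs-tools code: a sketch of the prefix handling that items (5) to (8) ask of a policy editor, which also shows why only the first word of a line may be read as the namespace. The function names and sample policy lines are constructed for illustration, and treating an unprefixed line as belonging to "<kernel>" is an assumption drawn from item (5).

```python
# Added illustration, not ccs-tools code. All sample policy lines are constructed.
KERNEL_NS = "<kernel>"  # built-in namespace, item (4)


def split_namespace(line):
    """Return (namespace, rest_of_line).

    Assumption: a line without a leading '<' belongs to <kernel>, since item (5)
    says no prefix is printed when <kernel> is the only namespace.
    """
    line = line.strip()
    if not line.startswith("<"):
        return KERNEL_NS, line
    head, _, rest = line.partition(" ")  # only the first word is the prefix
    if len(head) < 3 or not head.endswith(">"):
        raise ValueError("malformed namespace prefix: %r" % line)
    return head, rest.strip()


def list_namespaces(lines):
    """Item (8): namespaces for a selector screen, <kernel> listed first."""
    found = {split_namespace(l)[0] for l in lines if l.strip()}
    return [KERNEL_NS] + sorted(found - {KERNEL_NS})


def read_filter(lines, namespace):
    """Item (7): keep one namespace's lines and drop the prefix."""
    pairs = (split_namespace(l) for l in lines if l.strip())
    return [rest for ns, rest in pairs if ns == namespace]


def write_prefix(lines, namespace):
    """Item (6): add the prefix to every line before writing it back."""
    return ["%s %s" % (namespace, l.strip()) for l in lines if l.strip()]


# Constructed sample, shaped like exception policy text once a second namespace exists.
SAMPLE = [
    "<kernel> initialize_domain /usr/sbin/sshd from any",
    "<apache> initialize_domain /usr/sbin/httpd from any",
    "<apache> keep_domain any from <apache> /usr/sbin/httpd",
]

if __name__ == "__main__":
    print(list_namespaces(SAMPLE))
    for entry in read_filter(SAMPLE, "<apache>"):
        print(entry)
```

The third sample line carries "<apache>" a second time inside the entry itself, which is why the split is made on the first word only.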