I committed changes to SVN (revision 5053). You can start trying namespaces.
Steps for using namespaces (from inside policy editor and from outside policy
editor) are described below.
Directives added for namespaces (i.e. "move_namespace", "no_move_namespace",
"auto_namespace_transition=") will be revised to be more intuitive.



To create a new namespace from policy editor:

(1) Change to "Namespace Selector" screen by pressing "w" -> "n" keys.

(2) Press "a" key and enter the name of namespace in <$namespace> format and
    press "Enter" key.

(3) <$namespace> will be printed in addition to <kernel>.

To edit domain policy or exception policy or profile from policy editor:

(1) Change to "Namespace Selector" screen by pressing "w" -> "n" keys.

(2) Choose the name of namespace from the list and press "Enter" key.

(3) Go to the screen you want to edit by pressing "w" -> "d"/"e"/"p" keys.

To edit namespace transition upon successful execve() from policy editor:

(1) Go to "Exception Policy Editor" screen of the namespace you want to
    edit.

(2) Enter "move_namespace" line as with "initialize_domain" line.

    move_namespace $program from any

      or

    move_namespace $program from $domainname

      or

    move_namespace $program from $last_component_of_domainname

    Priority (from highest to lowest order) is shown below.

    (1) Don't check "move_namespace" entries if matched with one of
        "no_move_namespace" entries.

    (2) Transit to "<$program>" domain if matched with one of
        "move_namespace" entries.

    (3) Don't check "initialize_domain" entries if matched with one of
        "no_initialize_domain" entries.

    (4) Transit to "<$current_namespace> $program" domain if matched with
        one of "initialize_domain" entries.

    (5) Transit to "$current_domainname $program" domain if matched with
        one of "no_keep_domain" entries.

    (6) Remain at "$current_domainname" domain if matched with one of
        "keep_domain" entries.

    (7) Transit to "$current_domainname $program" domain.

To edit namespace transition upon ACL match from policy editor:

(1) Go to "Domain Policy Editor" screen (or "acl_group" lines in
    "Exception Policy Editor" screen) of the namespace you want to edit.

(2) Enter an ACL entry with auto_namespace_transition="<$namespace>" part.
    For example,

    file pivot_root /usr/lxc/lxc1/ /usr/lxc/lxc1/oldroot/ auto_namespace_transition="<lxc1>"

    will transit to "<lxc1>" domain if
    pivot_root("/usr/lxc/lxc1/", "/usr/lxc/lxc1/oldroot/") is requested.

To edit namespace transition upon condition match or /proc/ccs/self_domain :

(1) Go to "Domain Policy Editor" screen (or "acl_group" lines in
    "Exception Policy Editor" screen) of the namespace you want to edit.

(2) Enter "task auto_domain_transition" line or "task manual_domain_transition"
    line as usual. This allows transition to arbitrary domains in different
    namespaces whereas "move_namespace" and "auto_namespace_transition=" allow
    transition to the root domain of different namespaces.



To select namespace from outside policy editor:

(1) Regarding exception policy and profile, add a <$namespace> prefix to each line.

    Exception policy example:

    <kernel> acl_group 0 file read /etc/ld.so.cache
    <lxr1> acl_group 0 file read /etc/ld.so.cache

    Profile example:

    <kernel> 1-CONFIG={ mode=learning grant_log=no reject_log=yes }
    <lxr1> 3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }

(2) Regarding domain policy, nothing to do since the domainname implies the namespace.

    <kernel>
    use_profile 0
    use_group 0

    <kernel> /sbin/init
    use_profile 0
    use_group 0

    <lxr1> /sbin/init
    use_profile 0
    use_group 0

(3) Regarding other files, nothing to do since namespace is not supported.



We are close to finalizing the specification of policy namespace support.
Oliver, does this specification satisfy your needs for using TOMOYO in LXC environments?

_______________________________________________
tomoyo-dev-en mailing list
tomoyo-dev-en@lists.sourceforge.jp
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-dev-en
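The seven-step execve() priority list and the "<$namespace> prefix on every exception policy line" rule above are easy to misread, so here is a small model of both, written for this thread as an added example. It is not TOMOYO's own code or its policy parser: it assumes every directive is written in the "$program from $source" form the post shows for move_namespace, that only entries in the current namespace are consulted, and that step (2) lands in a root domain literally named "<$program>" as the post states. The class and function names (ExceptionPolicy, resolve_execve_transition, is_valid_exception_line) and all sample paths and the <lxc1> namespace are constructed for illustration.

```python
"""Model of the execve() domain-transition rules from the mailing-list post.

Added example, not TOMOYO's own code: it encodes the seven-step priority list
(no_move_namespace > move_namespace > no_initialize_domain > initialize_domain >
no_keep_domain > keep_domain > default append) plus the namespace-prefix check
for exception policy lines. Directive syntax is restricted to the
"$program from $source" form; all paths below are constructed for illustration.
"""

# Directives from the post, paired as (deny-list, allow-list).
DIRECTIVES = (
    "no_move_namespace", "move_namespace",
    "no_initialize_domain", "initialize_domain",
    "no_keep_domain", "keep_domain",
)


def namespace_of(domainname):
    """'<lxc1> /sbin/init' -> '<lxc1>': the first token of a domainname is its namespace."""
    return domainname.split()[0]


def last_component_of(domainname):
    """'<kernel> /usr/sbin/sshd /bin/sh' -> '/bin/sh'."""
    return domainname.split()[-1]


class ExceptionPolicy:
    """Namespace-prefixed exception policy holding only the transition directives above."""

    def __init__(self):
        self.entries = {d: [] for d in DIRECTIVES}

    def add(self, line):
        """Accept '<ns> directive $program from $source'; reject anything else."""
        parts = line.split(None, 2)
        if len(parts) != 3 or not (parts[0].startswith("<") and parts[0].endswith(">")):
            raise ValueError(f"missing <namespace> prefix: {line!r}")
        ns, directive, rest = parts
        if directive not in self.entries:
            raise ValueError(f"unsupported directive: {directive!r}")
        program, sep, source = rest.partition(" from ")
        if not sep or not program or not source:
            raise ValueError(f"expected '$program from $source': {line!r}")
        self.entries[directive].append((ns, program, source))

    def matches(self, directive, current_domain, program):
        """True if an entry of `directive` in the current namespace covers this execve()."""
        ns = namespace_of(current_domain)
        for entry_ns, entry_prog, source in self.entries[directive]:
            if entry_ns != ns or entry_prog != program:
                continue
            if source == "any":
                return True
            if source.startswith("<"):                            # full domainname form
                if source == current_domain:
                    return True
            elif source == last_component_of(current_domain):     # last-component form
                return True
        return False


def is_valid_exception_line(line):
    """Namespace-prefix check a policy loader could run before writing a line to the kernel."""
    try:
        ExceptionPolicy().add(line)
        return True
    except ValueError:
        return False


def resolve_execve_transition(policy, current_domain, program):
    """Return the domain a process lands in after a successful execve() of `program`."""
    def hit(directive):
        return policy.matches(directive, current_domain, program)

    # (1)/(2): no_move_namespace disables move_namespace; otherwise jump to the
    # root domain of a new namespace named after the program.
    if not hit("no_move_namespace") and hit("move_namespace"):
        return f"<{program}>"
    # (3)/(4): initialize_domain restarts directly under the current namespace.
    if not hit("no_initialize_domain") and hit("initialize_domain"):
        return f"{namespace_of(current_domain)} {program}"
    # (5): no_keep_domain forces the default append even when keep_domain matches.
    if hit("no_keep_domain"):
        return f"{current_domain} {program}"
    # (6): keep_domain pins the process to its current domain.
    if hit("keep_domain"):
        return current_domain
    # (7): default: extend the domainname with the executed program.
    return f"{current_domain} {program}"


# Constructed policy: the paths and the <lxc1> namespace are illustrative only.
SAMPLE_EXCEPTION_POLICY = [
    "<kernel> move_namespace /usr/lxc/lxc1/sbin/init from any",
    "<kernel> no_move_namespace /usr/lxc/lxc1/sbin/init from <kernel> /bin/bash",
    "<kernel> initialize_domain /usr/sbin/sshd from any",
    "<kernel> keep_domain /bin/ls from any",
    "<kernel> no_keep_domain /bin/ls from <kernel> /usr/sbin/sshd",
    "<lxc1> initialize_domain /usr/sbin/sshd from any",
]


def build_policy(lines=SAMPLE_EXCEPTION_POLICY):
    policy = ExceptionPolicy()
    for line in lines:
        policy.add(line)
    return policy


if __name__ == "__main__":
    p = build_policy()
    for cur, prog in [("<kernel> /sbin/init", "/usr/lxc/lxc1/sbin/init"),
                      ("<kernel> /bin/bash", "/usr/lxc/lxc1/sbin/init"),
                      ("<kernel> /usr/sbin/sshd", "/bin/ls"),
                      ("<lxc1> /sbin/init", "/usr/lxc/lxc1/sbin/init")]:
        print(f"{cur!r} execve({prog}) -> {resolve_execve_transition(p, cur, prog)!r}")
```

Running the script shows the two points that matter in practice: a deny entry (no_move_namespace, no_keep_domain) is consulted before its allow counterpart and silently wins, and entries are scoped by their <$namespace> prefix, so the <kernel> move_namespace line does nothing for a process already inside <lxc1>.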
