[tomoyo-dev-en 361] Re: how to port the TOMOYO to a embedded device?

Tue, 26 Jun 2012 06:21:03 -0700 

casinee app wrote:
> #insmod akari.ko
> The output is:
> one_wire_status: 4
> security_ops=c0799ca4
> find_task_by_vpid=c019be10
> find_task_by_pid_ns=c019bdfc
> __d_path=c01f6664
> AKARI: 1.0.27   2012/05/05
> Access Keeping And Regulating Instrument registered.
> 
> Is this correct???

Yes, this is correct.
(I assume you loaded akari.ko into your embedded device's kernel.)

> After the kernel module, i compiled the usrspace tools
> ccs-tools-1.8.3-20120414.tar.gz.
> When i executed the command:
> # /usr/lib/ccs/init_policy --module_name=akari
> it work correctly, the output is:
> Creating policy directory... OK
> Creating configuration directory... OK
> Creating exception policy... OK
> Creating domain policy... OK
> Creating manager policy... OK
> Creating default profile... OK
> Creating stat policy... OK
> Creating module loader... OK
> Creating configuration file for ccs-editpolicy ... OK
> Creating configuration file for ccs-auditd ... OK
> Creating configuration file for ccs-patternize ... OK
> Creating configuration file for ccs-notifyd ... OK
> 
> But when i use the ccs-editpolicy, there always is only the <kernel>
> domain. Does the AKARI is not work correctly?

AKARI is working correctly, but AKARI is not yet activated.

Regarding TOMOYO 1.x, since policy loader code (load_policy.c) is embedded into
the vmlinux, the kernel can automatically call /sbin/ccs-init and activate
TOMOYO 1.x when /sbin/init starts.

But regarding AKARI, policy loader code is not embedded into the vmlinux.
Since it is impossible to tell the kernel that "the kernel should call
/sbin/ccs-init and activate AKARI when /sbin/init starts" until loading
akari.ko module, AKARI needs init=/sbin/ccs-init boot parameter.

The reason you see only the <kernel> domain is that AKARI is not yet activated
because /sbin/ccs-init (or /sbin/akari-init) is not yet called when /sbin/init
starts. Until AKARI is activated, domain transition is suppressed by default.

Try loading akari.ko when /sbin/init on your embedded device starts,
by passing init=/sbin/akari-init . /sbin/akari-init would look something like

  #! /bin/sh
  /sbin/modprobe akari && exec /sbin/init "$@"

.

_______________________________________________
tomoyo-dev-en mailing list
tomoyo-dev-en@lists.sourceforge.jp
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-dev-en

Reply via email to