Thank you! I will look into that.

On Thu, 25 May 2017 05:43:46 +0900 Tetsuo Handa <penguin-ker...@i-love.sakura.ne.jp> wrote:

> Torsten Wortwein wrote:
> > Is it possible to bind '\$' for a query occurring during run-time
> > and then use it in the rules? With the following, I want to allow
> > only root and the current process to read its /proc/\$/mem. Is
> > something like this possible with caitsith?
>
> Such binding is not possible, but "/proc/self" is represented as
> "proc:/self" rather than "proc:/\$". Thus,
>
> > 10 acl read /proc/\$/mem
> >     1 allow task.euid=0
> >     10 allow task.pid=\$
> >     100 deny
>
> I think you want something like below.
>
> 10 acl read path.fsmagic=0x9FA0 path="proc:/\*/mem"
>     audit 0
>     10 allow path="proc:/self/mem"
>     20 allow task.uid=0 task.gid=0 task.euid=0 task.egid=0
>     30 deny
>
> This example checks filesystem magic before checking pathnames
> so that the kernel does not need to evaluate "proc:/\*/mem" for
> pathnames not in proc filesystem.

_______________________________________________
tomoyo-users-en mailing list
tomoyo-users-en@lists.osdn.me
http://lists.osdn.me/mailman/listinfo/tomoyo-users-en
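As an added illustration that is not part of the thread, here is a small Python model of how the suggested rule set behaves on the paths discussed; the evaluation order (lowest priority number that matches wins, no matching acl reported as "no acl"), the wildcard meanings, and the function and argument names are assumptions of this model, not CaitSith's own code.

```python
import re

# Constructed, simplified model of how the rule set in the reply above is
# evaluated. Assumptions (not taken from the page): within an "acl" block the
# matching allow/deny line with the lowest priority number wins; "\*" matches
# a run of characters other than "/" and "\$" matches one or more decimal
# digits. The fsmagic value 0x9FA0 is the one quoted in the reply.
PROC_SUPER_MAGIC = 0x9FA0

def pattern_to_regex(pattern):
    """Translate the two wildcards used on this page into an anchored regex."""
    out = ""
    i = 0
    while i < len(pattern):
        if pattern.startswith(r"\*", i):
            out += "[^/]*"
            i += 2
        elif pattern.startswith(r"\$", i):
            out += "[0-9]+"
            i += 2
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")

def matches(pattern, path):
    """True if the CaitSith-style pattern matches the whole path string."""
    return pattern_to_regex(pattern).match(path) is not None

def decide_read(path, fsmagic, uid, gid, euid, egid):
    """Return 'allow', 'deny' or 'no acl' for a read request under the
    reply's suggested rules (argument names are this model's own)."""
    # 10 acl read path.fsmagic=0x9FA0 path="proc:/\*/mem"
    # fsmagic is tested first, so the pattern is only evaluated for proc paths.
    if fsmagic != PROC_SUPER_MAGIC or not matches(r"proc:/\*/mem", path):
        return "no acl"
    # 10 allow path="proc:/self/mem"
    if path == "proc:/self/mem":
        return "allow"
    # 20 allow task.uid=0 task.gid=0 task.euid=0 task.egid=0
    if (uid, gid, euid, egid) == (0, 0, 0, 0):
        return "allow"
    # 30 deny
    return "deny"

if __name__ == "__main__":
    # The original proposal used "proc:/\$/mem"; "self" is not digits, so it
    # never matches the current process's own entry.
    print(matches(r"proc:/\$/mem", "proc:/self/mem"))  # False
    print(decide_read("proc:/self/mem", 0x9FA0, 1000, 1000, 1000, 1000))  # allow
    print(decide_read("proc:/4242/mem", 0x9FA0, 1000, 1000, 1000, 1000))  # deny
```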