Torsten Wortwein wrote:
> I guess it is easier to find possible parent processes with
> tomoyo and then create domain transitions for the identified parent in
> caitsith.

Yes, recording possible patterns using TOMOYO and then creating rules for CaitSith will be easier. Since you can run TOMOYO and CaitSith in parallel, you can use TOMOYO (or AKARI) for recording possible patterns.

Also, there was a TaskTracker LSM module dedicated to recording parent/child relations with timestamps at https://www.redhat.com/archives/linux-audit/2014-June/msg00091.html . Since the security_task_alloc() hook was revived, it might be time to propose the TaskTracker LSM module again.

By the way, there was a proposal of a shebang LSM module which attempts to restrict invocation of the python interpreter. You might find some hints from the thread at http://kernsec.org/pipermail/linux-security-module-archive/2017-June/001758.html .
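As an added illustration (not code from this thread, nor from the TOMOYO or CaitSith projects), the following Python script shows the first step discussed above: reading a TOMOYO domain_policy dump, as produced after a learning-mode run, and listing which parent executables were observed executing a given program. The domain_policy excerpt is constructed sample data in TOMOYO's domain_policy format, the function names are mine, and only `file execute` lines are considered; turning the result into CaitSith rules is not shown, since that syntax is not part of the message.

```python
"""Extract parent -> child execute relations from a TOMOYO domain_policy dump.

In TOMOYO, a domain name is "<kernel>" followed by the chain of executables
that led to the current process, so the last component of the domain name is
the executable that performed the "file execute" recorded in that domain.
"""
from collections import defaultdict

# Constructed sample (not output from a real system) in domain_policy format.
SAMPLE_DOMAIN_POLICY = """\
<kernel>
use_profile 1
file execute /sbin/init

<kernel> /sbin/init
use_profile 1
file execute /usr/sbin/sshd
file execute /usr/sbin/cron

<kernel> /sbin/init /usr/sbin/sshd
use_profile 1
file execute /bin/bash

<kernel> /sbin/init /usr/sbin/sshd /bin/bash
use_profile 1
file execute /usr/bin/python3
file read /etc/passwd

<kernel> /sbin/init /usr/sbin/cron
use_profile 1
file execute /bin/sh

<kernel> /sbin/init /usr/sbin/cron /bin/sh
use_profile 1
file execute /usr/bin/python3
"""


def parse_domain_policy(text):
    """Return {domain_name: [executed paths]} for every domain in the dump.

    Lines other than domain headers and "file execute" entries (use_profile,
    file read, network ...) are ignored because they carry no transition.
    """
    domains = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("<kernel>"):
            current = line
            domains.setdefault(current, [])
        elif current is not None and line.startswith("file execute "):
            # A condition part may follow the path; keep only the path itself.
            domains[current].append(line.split()[2])
    return domains


def execute_edges(text):
    """Return the set of (parent_exe, child_exe) pairs seen in the dump."""
    edges = set()
    for domain, execs in parse_domain_policy(text).items():
        parent = domain.split()[-1]  # "<kernel>" for the kernel domain itself
        for child in execs:
            edges.add((parent, child))
    return edges


def parents_of(text, child):
    """Sorted list of executables that were recorded launching `child`."""
    return sorted(p for p, c in execute_edges(text) if c == child)


def domains_executing(text, child):
    """Sorted list of full domain names in which `child` was executed."""
    return sorted(d for d, ex in parse_domain_policy(text).items() if child in ex)


if __name__ == "__main__":
    target = "/usr/bin/python3"
    print("parents of", target, "->", parents_of(SAMPLE_DOMAIN_POLICY, target))
    for d in domains_executing(SAMPLE_DOMAIN_POLICY, target):
        print("executed from domain:", d)
```

On a live system the dump would come from /sys/kernel/security/tomoyo/domain_policy after running the workload under a learning profile; the script reads it from a string so that it runs offline against the constructed sample.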