On 2019/08/26 17:49, Luigi Tarantino wrote:
> Hello,
> Can tomoyo play nicely with container technologies like docker?
I don't know, for I'm not using a container environment. (I'm using a VMware environment.) TOMOYO provides domain namespaces for applying different rules, but I guess that some modification of userspace programs will be required (in order to switch domain namespace) for playing nicely with container technologies.

> In other words is it possible to deploy a tomoyo policy that only applies
> to a specific container?
> This would mean that a process in the container may for example issue an
> open("/etc/x.conf", ...), in its own mount namespace, and I want to allow
> that open only in that container, but not for instance in the host (where
> "/etc/x.conf" is a different file, if it exists), or in other containers
> running on the same host.

I guess that the LSM mailing list ( linux-security-mod...@vger.kernel.org ) is the better place for querying how well LSM modules can play nicely with container technologies.

_______________________________________________
tomoyo-users-en mailing list
tomoyo-users-en@lists.osdn.me
https://lists.osdn.me/mailman/listinfo/tomoyo-users-en