Hello. AKARI / CaitSith / TOMOYO 2.x cannot control IPC, for LSM hooks for judging "sending signals" are inserted into locations where it is not permitted to sleep. TOMOYO / AKARI / CaitSith support interactive judgement functionality which depends on being able to sleep inside LSM hooks.
TOMOYO 1.x can control IPC, for TOMOYO 1.x is inserting custom hooks for judging "sending signals" into locations where it is permitted to sleep. But even with that approach, it cannot be perfectly precise. Since it is possible to send a signal to multiple processes, TOMOYO 1.x will have to check multiple recipient domains. But since we can't atomically check all recipient domains, TOMOYO 1.x checks only one recipient domain derived from "pid" argument. Thus, basically, please consider ability to restrict only "signal number" argument. Likewise, non-LSM version of CaitSith can restrict only "signal number" argument. _______________________________________________ tomoyo-users-en mailing list tomoyo-users-en@lists.osdn.me https://lists.osdn.me/mailman/listinfo/tomoyo-users-en
