Hello.

On 2024/08/02 0:47, Esteban Gil wrote:
> Hello,
> I am developing an ACL with Akari for my server that is running several
> Docker containers and I wanna be able to clearly differentiate the domains
> from the host machine from the ones in containers.
> Since I have it configured to always initialize new domains
> (initialize_domain any from any) because I find it easier to work with, I
> thought of using namespaces to achieve this.
I can see you want to do something for processes run in containers. But I can't see why you are using "initialize_domain any from any". Please enumerate what you want to do using bullet points.

Do you want to apply some restrictions for processes outside of docker? If not, I wonder why you want to split domains for processes outside of docker; I guess that keep_domain would fit better for such processes (and in that case it is possible that you don't need to use namespaces at all).

Do you want to apply some restrictions for processes inside of docker? If yes, I wonder why you have trouble with splitting namespaces for processes inside of docker.

> However, by reading the docs I understood that you also need to define new
> exception and profile policies for every new namespace you introduce. In my
> case that would mean duplicating the existing ones for each namespace and
> adding the appropriate namespace prefix. I was wondering if there is a way
> of telling Akari/Tomoyo to ignore namespaces in exception and profile
> policies and just use the built-in one. If not, what would be the code
> changes necessary to achieve this?

I can't interpret "ignore namespaces in exception and profile policies and just use the built-in one". But I'm not going to modify AKARI/TOMOYO to make it possible to use exception policy and profile policy in different namespaces, for a namespace is by definition an independent set of policies that can be migrated using domain transition control directives. Please see https://tomoyo.sourceforge.net/akari/1.0/chapter-15.html.en#15.4.

Duplicating policy for namespaces is basically a matter of s/<source_namespace>/<dest_namespace>/ on the existing/template policy. Why is that difficult? Are you trying to create an unpredictable number of namespaces at run time because you want to assign a dedicated namespace to each container instance at run time?
_______________________________________________
tomoyo-users-en mailing list
tomoyo-users-en@lists.osdn.me
https://lists.osdn.me/mailman/listinfo/tomoyo-users-en
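The mechanical duplication the reply describes (rewrite the namespace token of a template policy to produce the policy for a new namespace), as an added example that is not part of the thread or of the AKARI/TOMOYO project. The template lines are constructed; the `<name>` namespace prefix follows the TOMOYO 1.8 / AKARI 1.0 policy syntax, and the strict namespace-name pattern is an assumption of this script, not a rule taken from the documentation.

```shell
#!/bin/sh
# Added example: clone a TOMOYO/AKARI policy template into another namespace.

# Assumed validity rule for a namespace token: '<' + [A-Za-z0-9_-]+ + '>'.
# Kept deliberately strict so that the token can be used in a sed pattern
# without escaping and cannot match across other tokens.
valid_namespace() {
    printf '%s\n' "$1" | grep -Eq '^<[A-Za-z0-9_-]+>$'
}

# clone_policy SRC DST < template
# Prints the template with every SRC namespace token replaced by DST.
# The angle brackets anchor the match, so "<docker>" never matches inside
# "<docker2>". Returns 1 on a malformed namespace name.
clone_policy() {
    src=$1
    dst=$2
    valid_namespace "$src" && valid_namespace "$dst" || return 1
    sed "s/$src/$dst/g"
}

# Constructed template for the default namespace. Note that the second line
# names a domain inside a directive; the global substitution moves that
# domain name into the new namespace too, which is what the reply intends.
TEMPLATE='<kernel> initialize_domain any from any
<kernel> keep_domain any from <kernel> /usr/bin/dockerd'

# Produce the same two lines for a hypothetical <docker> namespace.
printf '%s\n' "$TEMPLATE" | clone_policy '<kernel>' '<docker>'
```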