> Hello.

Hello and thank you for responding.

> Lee Worden wrote:
>> Is there any way to create a sandbox such that a user can create programs in
>> a particular directory, and run them (with the appropriate profile, of
>> course), but not run programs in the rest of the filesystem?
>
> Yes. You can use "aggregator" syntax.

Yes, this seems to solve the problem. Thank you.

> For example, if the user creates programs under /home/user/sandbox/ directory
> (e.g. /home/user/sandbox/my_app1 /home/user/sandbox/my_app2 ), you can add
>
>  aggregator /home/user/sandbox/\* /home/user/sandbox_app
>
> to /proc/ccs/exception_policy and give
>
>  allow_execute /home/user/sandbox_app
>
> to /proc/ccs/domain_policy . (You would find some "aggregator" usage by doing
> "grep ^aggregator /proc/ccs/exception_policy".) You might want to also give
>
>  keep_domain /home/user/sandbox_app
>
> to /proc/ccs/exception_policy so that the user-created applications remain in
> the same domain when user-created applications execute some other programs.

Yes, these rules apply within a domain with transitions suppressed.

> If you want to apply to all non-privileged users, you can use
>
>  aggregator /home/\*/sandbox/\* /home/user/sandbox_app
>
> rather than
>
>  aggregator /home/user/sandbox/\* /home/user/sandbox_app
>
> and tell users to create user-created applications under ~/sandbox_app/
> directory.
>
>
> If you want to allow locating user-created applications under a subdirectory of
> the ~/sandbox_app/ directory, you can use the recursive matching operator.
>
>  aggregator /home/\*/sandbox/\* /home/user/sandbox_app
>  aggregator /home/\*/sandbox/\{\*\}/\* /home/user/sandbox_app
>
>
>
> Notes for TOMOYO 2.x users:
>
>  As of TOMOYO 2.2.0, the "aggregator" directive is not supported.
>  Since I had to minimize the amount of source code, I removed the "aggregator"
>  directive syntax from TOMOYO 2.2.0.
>
>  Kernel 2.6.33 will have recursive matching operator support.
>
>
>
> Regards.
>
> _______________________________________________
> tomoyo-users-en mailing list
> [email protected]
> http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en
>

_______________________________________________
tomoyo-users-en mailing list
[email protected]
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en
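
The two aggregator lines quoted in the message above, modelled in Python as an added example (not part of the original message and not TOMOYO's own code), to show which paths collapse to the single name that `allow_execute` grants and why the non-recursive line is still needed. The matcher is a simplified assumption covering only `\*` and `/\{dir\}/`; the function names and sample paths are hypothetical.

```python
import re

# Constructed copy of the rules quoted in the message above.
AGGREGATORS = [
    (r"/home/\*/sandbox/\*", "/home/user/sandbox_app"),
    (r"/home/\*/sandbox/\{\*\}/\*", "/home/user/sandbox_app"),
]
ALLOW_EXECUTE = {"/home/user/sandbox_app"}


def component_regex(comp):
    # Only the \* wildcard is modelled: a run of non-'/' characters.
    parts = re.split(r"(\\\*)", comp)
    return "".join("[^/]*" if p == r"\*" else re.escape(p) for p in parts)


def pattern_regex(pattern):
    # Assumed semantics: /\{dir\}/ is one or more repetitions of "dir/".
    out = []
    for comp in pattern.split("/")[1:]:
        m = re.fullmatch(r"\\\{(.*)\\\}", comp)
        if m:
            out.append("(?:/" + component_regex(m.group(1)) + ")+")
        else:
            out.append("/" + component_regex(comp))
    return re.compile("".join(out))


def exec_name(path):
    # Name the execute check sees once aggregation has been applied.
    for pattern, aggregated in AGGREGATORS:
        if pattern_regex(pattern).fullmatch(path):
            return aggregated
    return path


def may_execute(path):
    return exec_name(path) in ALLOW_EXECUTE


if __name__ == "__main__":
    for p in ("/home/alice/sandbox/my_app1",         # constructed paths
              "/home/alice/sandbox/tools/bin/run",
              "/home/alice/bin/my_app1",
              "/usr/bin/perl"):
        print(f"{p:36} -> {exec_name(p):24} allowed={may_execute(p)}")
```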
