Radoslaw Szkodzinski wrote:
> This is exactly what I want then. :D

That's good. I implemented these features for Android (which executes applications by changing UID instead of calling execve()).

> The question is, does this transition after current domain rules are
> checked or before?
> (I'd prefer the former.)

"task auto_domain_transition" is applied BEFORE checking current domain rules. ;-)

TOMOYO 1.8 also provides automatic domain transition which is applied AFTER checking current domain rules.

  <kernel> /usr/sbin/sshd
  network inet stream accept @trusted_hosts @ports auto_domain_transition="//trusted"
  network inet stream accept @untrusted_hosts @ports auto_domain_transition="//untrusted"

will transit to the "<kernel> /usr/sbin/sshd //trusted" domain if it accepted a TCP connection from @trusted_hosts @ports, and transit to the "<kernel> /usr/sbin/sshd //untrusted" domain if it accepted a TCP connection from @untrusted_hosts @ports.

TOMOYO 1.8 also provides "task manual_domain_transition".

  <kernel> /foo
  allow_transit /bar

in TOMOYO 1.7.2 allows transition to only the "<kernel> /foo //bar" domain, but

  <kernel> /foo
  task manual_domain_transition <kernel> /bar /buz

in TOMOYO 1.8 allows transition to the "<kernel> /bar /buz" domain.

Regards.

tomoyo-users-en mailing list
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en
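As an added illustration (not from the post and not TOMOYO's own code), the following Python model parses the sshd policy quoted above and reports which domain the sshd task lands in after accepting a connection, and contrasts the 1.7.2 and 1.8 manual-transition naming. The address-group memberships and the first-matching-rule ordering are assumptions of this model, not facts from the post.

```python
"""Toy model of the TOMOYO 1.8 domain transitions described in the post."""
import ipaddress

# Constructed group definitions (in TOMOYO these come from exception policy).
GROUPS = {
    "@trusted_hosts": [ipaddress.ip_network("10.0.0.0/8")],
    "@untrusted_hosts": [ipaddress.ip_network("192.168.0.0/16")],
    "@ports": range(1, 65536),
}

# The sshd domain policy quoted in the post.
POLICY = """\
<kernel> /usr/sbin/sshd
network inet stream accept @trusted_hosts @ports auto_domain_transition="//trusted"
network inet stream accept @untrusted_hosts @ports auto_domain_transition="//untrusted"
"""

def parse_domain_policy(text):
    """Return (domain, rules); each rule is (host_group, port_group, target)."""
    lines = [l for l in text.splitlines() if l.strip()]
    domain, rules = lines[0].strip(), []
    for line in lines[1:]:
        parts = line.split()
        if parts[:4] != ["network", "inet", "stream", "accept"]:
            continue  # only accept rules carry transitions in this model
        target = None
        for opt in parts[6:]:
            if opt.startswith("auto_domain_transition="):
                target = opt.split("=", 1)[1].strip('"')
        rules.append((parts[4], parts[5], target))
    return domain, rules

def _in_group(group, value):
    members = GROUPS[group]
    if isinstance(members, range):
        return value in members
    return any(ipaddress.ip_address(value) in net for net in members)

def domain_after_accept(domain, rules, peer_ip, port):
    """Domain after accept(): first matching rule wins (model assumption).
    A '//name' target is appended to the current domain, as in the post;
    None means no rule matched, i.e. the accept would be denied."""
    for hosts, ports, target in rules:
        if _in_group(hosts, peer_ip) and _in_group(ports, port):
            if target is None:
                return domain
            return f"{domain} {target}" if target.startswith("//") else target
    return None

def manual_transition_name(current, target):
    """1.7.2 'allow_transit /bar' only reaches '<current> //bar';
    1.8 'task manual_domain_transition <kernel> /bar /buz' reaches that
    absolute domain name directly."""
    if target.startswith("<kernel>"):
        return target
    return f"{current} //{target.lstrip('/')}"
```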
