On 11/05/2012 16:48, Tetsuo Handa wrote:
>> PS: I like tomoyo, I think with better userland tools it could catch on.
>> for example better file / pathname globbing to slim down domain.conf files.
>> (Similar to:
>> http://wiki.apparmor.net/index.php/QuickProfileLanguage#File_Globbing)
> 
> TOMOYO considers the basename component of pathnames very important, since
> multi-call binary applications decide their default behaviour based on the
> basename component (and optionally change their behaviour based on command
> line arguments). It is an advantage of pathname-based access control that it
> can restrict the possible names within a directory. Therefore, TOMOYO's
> /\{ \}/ operator (oops, this operator is not available on Debian Squeeze
> because it is using 2.6.32:
> http://tomoyo.sourceforge.jp/2.2/policy-reference.html#wildcard_expression_rules )
> was designed not to match the basename component of pathnames.
> 
> However, despite my wish that users benefit from the ability to restrict the
> basename component, most users do not care about the basename component; they
> simply specify "foo directory and its descendants". (Only a few power users
> are utilizing the ability to restrict the basename component.)
> 
> In CaitSith, I added the /\( \)/ operator and removed the directory's trailing /
> in order to make it easier to specify "foo directory and its descendants".

If I can add my 2 cents

Yes, the current syntax might be improved slightly to avoid having to
write multiple lines to express "all files and folders of /foo"; my
understanding is that you currently have to write:
/foo/\*
/foo/\{\*\}/
/foo/\{\*\}/\*

but I can live with that. The syntax could be expanded to match all of this
with a single wildcard, but I agree the current ones are good in that
they allow very fine-grained matching for some cases, which is useful
sometimes indeed. I think they should not be dropped.

Personally I like the #include feature of AppArmor more:
http://wiki.apparmor.net/index.php/QuickProfileLanguage#Include_Rules
This gets us back to my previous request on having multiple acl_groups
per domain ;) (yeah yeah, here I go again ^^)

You told me some time ago you had a patch on the way for it, I would be
glad to test it and contribute as necessary (even if incomplete).

Regards,
Milton

_______________________________________________
tomoyo-users-en mailing list
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en