Milton Yates wrote:
> That's actually nice as CaitSith functionality looks great for overall
> system hardening, while I have some targeted policies for
> Tomoyo/CCS/AKARI that look hard to port to CaitSith and the resulting
> policy would be much harder to read/maintain imo.
>
> Is there any way to have both compiled in?
AKARI and CaitSith (LSM) are both LKM-based LSMs but cannot be built into
the kernel. TOMOYO 1.8 is a superset of AKARI and can be built into the
kernel. TOMOYO 2.x is a subset of AKARI and can be built into the kernel.
CaitSith (non-LSM) is a superset of CaitSith (LSM) and can be built into
the kernel.

If you want to build them into the kernel, you need to choose either
"TOMOYO 2.x (LSM) + CaitSith (non-LSM)" or "TOMOYO 1.8 (non-LSM) +
CaitSith (non-LSM)". The former is a lot easier to do.

If you can accept "TOMOYO 2.x (LSM) + CaitSith (non-LSM)", then it is
nothing but following "Configure the kernel"
http://caitsith.sourceforge.jp/#2.3 with

  [*] TOMOYO Linux Support
  (2048) Default maximal count for learning mode
  (1024) Default maximal count for audit log
  [ ]   Activate without calling userspace policy loader.
  (/sbin/tomoyo-init) Location of userspace policy loader
  (/sbin/init) Trigger for calling userspace policy loader

.

If you need to use "TOMOYO 1.8 (non-LSM) + CaitSith (non-LSM)", then you
need to combine include/linux/ccsecurity.h and include/linux/caitsith.h
(e.g. from

  static inline int ccs_xxx_permission(xxx)
  {
          int (*func) (xxx) = ccsecurity_ops.xxx_permission;
          return func ? func(xxx) : 0;
  }

  static inline int ccs_xxx_permission(xxx)
  {
          int (*func) (xxx) = caitsith_ops.xxx_permission;
          return func ? func(xxx) : 0;
  }

to

  static inline int ccs_xxx_permission(xxx)
  {
          int ret;
          int (*func1) (xxx) = ccsecurity_ops.xxx_permission;
          int (*func2) (xxx) = caitsith_ops.xxx_permission;
          ret = func1 ? func1(xxx) : 0;
          if (ret)
                  return ret;
          return func2 ? func2(xxx) : 0;
  }

) and add a few lines to some other files (e.g. security/Kconfig) in order
to include both TOMOYO 1.8 and CaitSith, resolve conflicts on the symbol
name prefix, and then do menuconfig with both TOMOYO 1.8 and CaitSith
enabled.

Regards.

_______________________________________________
tomoyo-users-en mailing list
[email protected]
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en
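The merged-wrapper idea from the reply above, worked through in user-space C as an added example (this is illustration code written for this page, not code from TOMOYO, CaitSith or the mail's author). Two hook tables each carry one optional callback; a combined inline wrapper consults TOMOYO's table first, stops at the first denial, and otherwise lets CaitSith's table decide, exactly the deny-first ordering of the merged ccs_xxx_permission(). The struct name perm_ops, the single open_permission hook, the two sample path policies and the helper names are assumptions for illustration; the real kernel tables carry many more callbacks with their own signatures.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the two hook tables (assumed layout, not the project's own).
 * A NULL callback means that module has not registered its hooks, which is
 * the case the "func ? func(...) : 0" pattern in the mail guards against. */
struct perm_ops {
	int (*open_permission)(const char *path, int want_write);
};

static struct perm_ops ccsecurity_ops;	/* filled in by "TOMOYO 1.8" */
static struct perm_ops caitsith_ops;	/* filled in by "CaitSith" */

/* Merged wrapper with the same shape as the combined function in the mail:
 * TOMOYO is asked first, a non-zero (denying) result ends the check, and
 * only an allow from TOMOYO lets CaitSith's policy decide. Declarations sit
 * at the top of the block so this also compiles under C89-style rules. */
static inline int ccs_open_permission(const char *path, int want_write)
{
	int ret;
	int (*func1)(const char *, int) = ccsecurity_ops.open_permission;
	int (*func2)(const char *, int) = caitsith_ops.open_permission;

	ret = func1 ? func1(path, want_write) : 0;
	if (ret)
		return ret;
	return func2 ? func2(path, want_write) : 0;
}

static int starts_with(const char *s, const char *prefix)
{
	return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Constructed sample policy standing in for TOMOYO: no writes under /etc/. */
static int tomoyo_open_permission(const char *path, int want_write)
{
	return (want_write && starts_with(path, "/etc/")) ? -EACCES : 0;
}

/* Constructed sample policy standing in for CaitSith: nothing under /root/. */
static int caitsith_open_permission(const char *path, int want_write)
{
	(void)want_write;
	return starts_with(path, "/root/") ? -EACCES : 0;
}

/* Register or clear each table, as loading/unloading the module would. */
void set_tomoyo_loaded(int loaded)
{
	ccsecurity_ops.open_permission = loaded ? tomoyo_open_permission : NULL;
}

void set_caitsith_loaded(int loaded)
{
	caitsith_ops.open_permission = loaded ? caitsith_open_permission : NULL;
}

/* Convenience entry point: configure which modules are present, then run
 * the merged hook. Returns 0 (allow) or -EACCES (deny). */
int check_open_with(int tomoyo_loaded, int caitsith_loaded,
		    const char *path, int want_write)
{
	set_tomoyo_loaded(tomoyo_loaded);
	set_caitsith_loaded(caitsith_loaded);
	return ccs_open_permission(path, want_write);
}

int main(void)
{
	const char *paths[] = { "/etc/passwd", "/root/.bashrc", "/tmp/scratch" };
	int i;

	for (i = 0; i < 3; i++)
		printf("%-14s both=%4d tomoyo-only=%4d caitsith-only=%4d\n",
		       paths[i],
		       check_open_with(1, 1, paths[i], 1),
		       check_open_with(1, 0, paths[i], 1),
		       check_open_with(0, 1, paths[i], 1));
	return 0;
}
```

The point to notice is that the combined wrapper is deny-wins: a path has to pass both policies, and unloading either module simply drops that module's checks without touching the other's, which is the behaviour the single NULL-guarded wrappers already had on their own.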
