[tomoyo-dev-en 297] Re: allow_execute /proc/PID/exe


Horvath Andras han****@log69*****
Wed Jul 13 23:58:09 JST 2011


Thank You.


On Wed, 13 Jul 2011 23:47:22 +0900
Tetsuo Handa <from-****@I-lov*****> wrote:

> Horvath Andras wrote:
> > > Horvath Andras wrote:
> > > > Is that allowed with "allow_execute" rule?
> > > Please repost with kernel version.
> > 
> > Sorry about the deficient information.
> > 
> > Kernel version is 2.6.38-8 (Ubuntu 11.04) amd64
> > Tomoyo version is 2.3.0-20100820
> > 
> > So my problem with Chromium browser is, that it creates an
> > 
> > allow_execute /proc/$PID/exe
> > 
> > rule, and then a domain is created for this:
> > 
> > <kernel> /usr/lib/chromium-browser/chromium-browser /proc/$PID/exe
> > 
> > where $PID changes with every start.
> > 
> > Could you recommend a solution for this, that is, which rule and domain
> > name can I use here? Or how could I wildcard it?
> 
> Please map programs with random names using the aggregator directive.
> 
>   aggregator /proc/\$/exe /proc/PID/exe
> 
> . Please note that TOMOYO 1.8 and TOMOYO 2.4 treat /proc/self/ as
> proc:/self/ . This means that you will change the aggregator entry like
> 
>   aggregator proc:/self/exe /proc/self/exe
> 
> .
> 
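To make the effect of the aggregator advice above concrete, here is an added Python simulation (not TOMOYO's own code) of how an `aggregator ORIG NEW` line collapses learned domain names. It assumes the TOMOYO wildcard meanings `\$` = one or more digits, `\*` = any run of non-`/` characters and `\?` = one non-`/` character, and uses constructed sample domains.

```python
import re

# Assumed TOMOYO pathname wildcards (subset): \$ = one or more digits,
# \* = zero or more non-'/' chars, \? = exactly one non-'/' char.
_WILDCARDS = {r"\$": r"[0-9]+", r"\*": r"[^/]*", r"\?": r"[^/]"}

def pattern_to_regex(pattern: str):
    """Translate a TOMOYO pathname pattern into an anchored regex."""
    out, i = [], 0
    while i < len(pattern):
        two = pattern[i:i + 2]
        if two in _WILDCARDS:
            out.append(_WILDCARDS[two])
            i += 2
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def parse_aggregators(exception_policy: str) -> list:
    """Collect (regex, replacement) pairs from 'aggregator ORIG NEW' lines."""
    rules = []
    for line in exception_policy.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "aggregator":
            rules.append((pattern_to_regex(parts[1]), parts[2]))
    return rules

def aggregate(path: str, rules: list) -> str:
    """Return the aggregated name for path, or path itself if no rule matches."""
    for regex, replacement in rules:
        if regex.match(path):
            return replacement
    return path

def aggregate_domain(domain: str, rules: list) -> str:
    """Apply aggregation to each program in a '<kernel> /a /b ...' domain name."""
    parts = domain.split(" ")
    return " ".join([parts[0]] + [aggregate(p, rules) for p in parts[1:]])

# Constructed sample: the aggregator from the thread plus domains TOMOYO would
# learn across several Chromium starts (random PIDs, and one via /proc/self).
EXCEPTION_POLICY = "aggregator /proc/\\$/exe /proc/PID/exe\n"
LEARNED_DOMAINS = [
    "<kernel> /usr/lib/chromium-browser/chromium-browser /proc/1234/exe",
    "<kernel> /usr/lib/chromium-browser/chromium-browser /proc/98765/exe",
    "<kernel> /usr/lib/chromium-browser/chromium-browser /proc/self/exe",
]

if __name__ == "__main__":
    rules = parse_aggregators(EXCEPTION_POLICY)
    for d in sorted({aggregate_domain(d, rules) for d in LEARNED_DOMAINS}):
        print(d)
```

The numeric-PID domains collapse into one `/proc/PID/exe` domain, while `/proc/self/exe` survives untouched, which is why a second aggregator entry is needed on the kernels that expose it as `proc:/self/exe`.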