Tetsuo Handa
from-****@I-lov*****
Mon May 2 00:11:16 JST 2011
TOMOYO
ForkJamie Nguyen wrote:
> Just to make sure we understand each other, do I understand correctly
> that you want to remove "initialize_domain" directive and replace with
> "initialize_namespace"? Or do you intend them to exist together?
I won't remove "initialize_domain" directive.
"initialize_domain" and "initialize_namespace" directives coexist.
> Sorry, I'm not sure I understand completely. You posted this question earlier:
>
> > If we want to use different keywords (like 'auto_namespace_transition="httpd"'
> > and 'task auto_namespace_transition apache' ) for easier understanding,
> > I can do so.
>
> This was the first time I saw that you introduced these directives.
> Are you saying that these directives are optional, and we could
> implement without them?
>
These directives will not be used by users who can satisfy their needs within
only <kernel> namespacce.
> Could you also explain the difference between
> "auto_domain_transition=<httpd>" and "task auto_domain_transition
> <httpd>". I am familiar with "task ....." but not the other.
Sure. "auto_domain_transition=" is used as conditional ACL (case (g) below).
Currently 7 directives are defined.
(a) initialize_domain /usr/sbin/httpd from any
Jump to "<kernel> /usr/sbin/httpd" domain.
(b) no_initialize_domain /bin/mail from any
Don't jump to "<kernel> /usr/sbin/httpd" domain.
(c) keep_domain any from <kernel> /usr/sbin/httpd /bin/bash
Don't transit to child domain from "<kernel> /usr/sbin/httpd /bin/bash" domain.
(d) no_keep_domain /usr/bin/passwd from any
Transit to "current domain's name" + "/usr/bin/passwd" domain.
(e) task manual_domain_transition <kernel> /usr/sbin/httpd //some/host
Jump to "<kernel> /usr/sbin/httpd //some/host" domain by "echo <kernel> /usr/sbin/httpd //some/host > /proc/ccs/self_domain".
(f) task auto_domain_transition <kernel> //lockdown task.uid=1000
Jump to "<kernel> //lockdown" domain when process's uid became 1000.
(g) file read /foo auto_domain_transition="/foo"
Jump to "current domain's name" + "/foo" domain when /foo is opened for reading.
These directives work within the same namespace.
I'm considering introducing 5 more directives in order to support namespaces.
(h) initialize_namespace /usr/sbin/httpd from any
Jump to "</usr/sbin/httpd>" domain.
(i) no_initialize_namespace /usr/sbin/httpd from any
Don't jump to "</usr/sbin/httpd>" domain.
(j) task manual_namespace_transition apache
Jump to "<apache>" domain by "echo apache > /proc/ccs/self_domain".
(k) task auto_namespace_transition apache task.uid=48
Jump to "<apache>" domain when process's uid became 48.
(l) file read /foo auto_namespace_transition="foo"
Jump to "<foo>" domain when /foo is opened for reading.
When namespace is added, (a) - (g) works with the current namespace.
For example,
initialize_domain /bin/sh from any
in <apache> namespace means
Jump to "<apache> /bin/sh" domain when /bin/sh is executed.
and
initialize_domain /bin/sh from any
in <sshd> namespace means
Jump to "<sshd> /bin/sh" domain when /bin/sh is executed.
.