[tomoyo-users-en 273] security of policy

Chris Harris chris****@gmail*****
Wed Mar 23 05:53:40 JST 2011


hi all at tomoyo. thank you for this amazing software. i am using a
custom patched kernel with 1.8 but i was thinking about a few
questions. is it insecure to allow a domain to 'file read' all files
in /usr/lib and /usr/share and subdirectories? or even all files in
/usr and subdirectories? what i thought is that even if a domain can
read a file in /usr/, it is no use if it cannot be
executed/written/deleted by that domain so there is no risk.

also, for some programs there are a large number of 'file ioctl',
especially for sound and video related things. is there a way to allow
all ioctl numbers for a specific file? i tried 'file ioctl /dev/snd/\*
\*' but it doesn't work. it is kind of a lot of work to manage many
ioctl numbers. even if this is possible, is it a risk to do so?

and a final question. is it a problem to disable protection for 'misc
env'? i am the only user to use my desktop and i am behind a router,
so i'm not afraid of remote attackers changing LD_PRELOAD and others.
still risky?

sorry if the answers are obvious. thanks in advance.

chris
