Tetsuo Handa
from-****@I-lov*****
Tue Dec 7 20:41:03 JST 2010
TOMOYO
ForkJamie Nguyen wrote:
> Tetsuo Handa wrote:
> >Maybe we want to unify these syntax like (e.g.)
> >
> > file_pattern proc:/self/fd/\$ proc:/self/fd/\$
> > head_pattern proc:/\$/ proc:/\$/
> > tail_pattern /etc/mtab~\$ /etc/mtab~\$
>
> I think for {file,head,tail}_pattern, it would be simplest and makes
> the most sense to keep as it is:
> file_pattern proc:/self/fd/\$
>
Typical replacement commands (e.g. sed) take both old pattern and new pattern.
But currently {file,head,tail}_pattern does not take old pattern because we
regard new pattern == old pattern.
I removed file_pattern keyword support from TOMOYO 1.8's kernel in order to
implement more flexible replacement commands. I think that taking both old
pattern and new pattern allows use of extended replacement (like sed command's
reference functionality) if ccs-patternize (in the future) supports extended
expressions.
>
> > file_pattern @GROUP1 /tmp/php\?\?\?\?\?\?
> > number_pattern @GROUP2 0-100
> > number_pattern @GROUP2 100-200
> > address_pattern @LOCALHOST 127.0.0.1
> > address_pattern @LOCALHOST 0:0:0:0:0:0:0:1
>
> For {path,number,address}_group there should be consistency with the
> naming in exception policy. Having syntax match exception policy keeps
> things simple. Changes could be made to make syntax more "correct",
> but there is a risk of overcomplicating usage. I prefer keeping in
> line with exception policy:
> path_group GROUP1 /tmp/php\?\?\?\?\?\?
>
We don't need to change {path,number,address}_group in kernel's policy syntax.
These {file,head,tail,number,address}_pattern are proposed for ccs-patternize
in order to unify like "some_keyword new_pattern old_pattern" (or "some_keyword
old_pattern to new_pattern"). We can propose whatever syntax/keyword.
> If I understand correctly, running this:
> # ccs-savepolicy -d | ccs-patternize 'path_group GROUP0 /tmp/\?\?\?\?\?'
> then this is dependent on the following being present in exception policy:
> path_group GROUP0 /tmp/\?\?\?\?\?
> And this will be placed in domain policy:
> file read @GROUP0
>
Right.
> The syntax here makes sense to me. I feel no need to change.
>
>
> >. Also, maybe we want domainname matching like ccs-auditd's sorting rule.
>
> Do you mean so that patternizing only occurs for specified domain?
> Current situation is that all matching entries get patternized
> regardless of domain. If implemented, it could be useful for example
> in the case that there are several domains wanting to access some
> resource that you want to block access to, but want to allow a single
> domain to access this resource. However, policy is reasonably easy to
> manage by hand using diff and editor so I am not urgently requiring
> this feature.
I see. Users can use ccs-selectpolicy for picking up only specific domains.
>
>
> Kind regards
Regards.
To all:
This is a development ML. Discussion in this ML will affect
TOMOYO 1.8/TOMOYO 2.4/AKARI's userland specification and usability.
Feel free to comment.
(If you want to comment in Japanese language, you can post to tomoyo-dev ML.)