Jamie Nguyen
jamie****@tomoy*****
Wed Aug 31 17:48:30 JST 2011
Tetsuo Handa wrote:
> It is one of TOMOYO's characteristic features that "any process transits to
> child of current domain upon execve() unless explicitly specified using domain
> transition control directives in exception policy (and TOMOYO creates domains
> automatically if the domain to transit to does not exist in order not to reject
> execve() requests unless enforcing mode is specified)". This feature is useful
> when analyzing a system's behavior because it does not ask the user to
> have knowledge beforehand of what applications are installed in the target
> system and how they behave.
>
> But after the user has obtained knowledge of what applications are installed in the
> target system and how they behave, the user designs how domains (and optionally
> namespaces) should be divided and modifies domain transition control entries
> in exception policy. At this moment, the user will be able to specify "how
> domain transition should be applied upon executing this program" in each "file
> execute" entry (if my proposal is implemented) instead of modifying domain
> transition control entries in exception policy.
>
> If the user wants to apply enforcing mode to the entire system (e.g. Android),
> the user will be able to specify "how domain transition should be applied upon
> execve()" in each "file execute" entry and remove all domain transition control
> entries in exception policy (because all "file execute" entries and domain
> transition patterns need to be identified and explicitly specified in order to
> apply enforcing mode to the entire system). Also, the user will be able to
> remove all "aggregator" entries in exception policy (because the user can
> specify something like
>
> path_group EDITORS /bin/vi
> path_group EDITORS /usr/bin/emacs
>
> file execute @EDITORS <editors>
>
> ).
>
> We can remove "aggregator"/"reset_domain"/"no_reset_domain"/"initialize_domain"
> /"no_initialize_domain"/"keep_domain"/"no_keep_domain" if the user is skillful
> enough to specify all "file execute" entries and enforce them (in other words,
> figure out all domains and programs for each domain).
>
> After all, "aggregator"/"reset_domain"/"no_reset_domain"/"initialize_domain"/
> "no_initialize_domain"/"keep_domain"/"no_keep_domain" are essential for users
> who don't want to specify all "file execute" entries, but are optional for
> users who can specify all "file execute" entries.
>
> I'm not proposing removal of the "aggregator"/"reset_domain"/"no_reset_domain"/
> "initialize_domain"/"no_initialize_domain"/"keep_domain"/"no_keep_domain"
> directives. My proposal is for experts who can live without these directives.

Your proposal is growing on me. I think I can see this being put to good use.

Might I ask what you personally feel are the disadvantages of your proposal? If you see no major problems, then I have no firm objections. In your first post you seemed maybe a little unsure, but now you seem very sure. I trust your opinion here, and you've fought your side of the debate well :-)
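The transition rules quoted in this message (default transition to the child domain, automatic domain creation except in enforcing mode, and the proposed per-"file execute" target such as "file execute @EDITORS <editors>") can be seen more concretely in a small simulator. The following is an added example, not TOMOYO's own code and not a real policy: the sample policy text, the `<editors>` domain name and the `Policy` class are constructed for illustration, and matching is exact-path or path_group membership only (no TOMOYO wildcards). It also reuses the "path_group EDITORS" lines from the quoted proposal.

```python
"""Toy simulator of the TOMOYO domain-transition rules discussed in the thread.

Added example, not TOMOYO's own code. It models only what the thread states:
  * by default execve() moves a process to the child domain "<current> <program>";
  * if that domain does not exist it is created automatically, except in
    enforcing mode, where the execve() is rejected;
  * under the proposal, a "file execute" entry may name the domain to transit
    to directly ("file execute @EDITORS <editors>");
  * "@NAME" in a "file execute" entry expands to the members of a path_group.
Policy text, domain names and the Policy class are constructed for illustration;
matching is exact-path or path_group membership only (no TOMOYO wildcards).
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample policy (not taken from a real system).
EXCEPTION_POLICY = """
path_group EDITORS /bin/vi
path_group EDITORS /usr/bin/emacs
"""

DOMAIN_POLICY = """
<kernel> /usr/sbin/sshd /bin/bash
file execute @EDITORS <editors>
file execute /bin/ls

<kernel> /usr/sbin/sshd /bin/bash /bin/ls

<editors>
file execute /bin/sh
"""


class Policy:
    """Holds path_groups and, per domain, its "file execute" entries."""

    def __init__(self, exception_text: str, domain_text: str) -> None:
        self.path_groups: Dict[str, List[str]] = {}
        for line in exception_text.splitlines():
            parts = line.split()
            if len(parts) == 3 and parts[0] == "path_group":
                self.path_groups.setdefault(parts[1], []).append(parts[2])

        # domain name -> list of (path pattern, explicit target domain or None)
        self.domains: Dict[str, List[Tuple[str, Optional[str]]]] = {}
        current: Optional[str] = None
        for line in domain_text.splitlines():
            line = line.strip()
            if not line:
                continue
            if line.startswith("<"):          # a domain header line
                current = line
                self.domains.setdefault(current, [])
            elif line.startswith("file execute ") and current is not None:
                parts = line.split()
                target = parts[3] if len(parts) > 3 else None
                self.domains[current].append((parts[2], target))

    def _matches(self, pattern: str, path: str) -> bool:
        if pattern.startswith("@"):
            return path in self.path_groups.get(pattern[1:], [])
        return pattern == path

    def execve(self, domain: str, path: str, enforcing: bool) -> Optional[str]:
        """Return the domain the process ends up in, or None if execve() is rejected."""
        rules = self.domains.setdefault(domain, [])
        for pattern, target in rules:
            if self._matches(pattern, path):
                # An explicit target (the proposal) wins; otherwise the default child domain.
                new_domain = target if target is not None else f"{domain} {path}"
                break
        else:
            if enforcing:
                return None                # no "file execute" entry: rejected
            rules.append((path, None))     # non-enforcing (learning): record the entry
            new_domain = f"{domain} {path}"

        if new_domain not in self.domains:
            if enforcing:
                return None                # domain to transit to is undefined: rejected
            self.domains[new_domain] = []  # created automatically
        return new_domain


if __name__ == "__main__":
    shell = "<kernel> /usr/sbin/sshd /bin/bash"
    policy = Policy(EXCEPTION_POLICY, DOMAIN_POLICY)
    for prog in ("/usr/bin/emacs", "/bin/ls", "/usr/bin/python"):
        print(f"enforcing: {shell} exec {prog} -> {policy.execve(shell, prog, True)}")
    print(f"learning:  {shell} exec /usr/bin/python -> "
          f"{policy.execve(shell, '/usr/bin/python', False)}")
```

Running it shows the two halves of the argument: with every "file execute" entry and every target domain written down, enforcing mode works without any exception-policy transition directives, while a program or domain left out of the policy is rejected in enforcing mode and silently learned (entry and child domain created) otherwise.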