[tomoyo-users-en 621] Resuming development of TOMOYO/AKARI/CaitSith.

Tetsuo Handa from-****@I-lov*****
Tue Apr 21 23:12:29 JST 2015


Hello.

Toshiharu and I worked at NTT Open Source Software Center troubleshooting
RHEL systems for three years (from April 2012 to March 2015). I was mainly in
charge of troubles caused by Linux kernels, especially kernel panics,
unexpected reboots and hangs. Since I have experience with kernel development
via TOMOYO/AKARI/CaitSith, I wrote many trivial programs for reproducing
problematic kernel behaviors and collecting information. My experience is
summarized at
http://events.linuxfoundation.jp/sites/events/files/slides/LCJ2014-en_0.pdf .

We are now working at NTT DATA INTELLILINK Corporation, doing something
related to OSS security. As we were freed from the stress caused by everlasting
deadlines, I was able to resume development of TOMOYO/AKARI/CaitSith.

Today, I uploaded ccs-patch 1.8.3p10 and ccs-tools 1.8.3p9, which enhance
usability of ccs-editpolicy and fix several bugs.

  (1) Until now, the 'o' key (optimize command) did not work on a "use_group"
      entry in the Domain Policy Editor screen. Now, the 'o' key works as if
      repeating the 'o' key on each entry that the "acl_group" of that number
      contains.

  (2) Until now, the (not yet documented) TAB key toggled between the
      Exception Policy Editor screen and the Domain Transition Editor screen.
      Now, the TAB key switches to the previous screen, e.g. from the
      Exception Policy Editor screen to the Domain Policy Editor screen.

  (3) Until now, the 'o' key did not work on entries with conditions (e.g.
      task.uid=0). Now, pressing the 'o' key on an entry without conditions
      will select the same entry with conditions.

These changes should save keystrokes when using the optimization command.

Also, a prototype for multiple acl_group support is available as a patch for
current trunk/1.8.x/ at
http://sourceforge.jp/projects/tomoyo/scm/svn/blobs/6407/branches/diff-1.8.4.txt .
Currently, each domain can include only one use_group entry. The patch allows
each domain to include up to 256 use_group entries. As a result, you will be
able to reduce duplication of policy by defining multiple acl_group entries
based on use cases and including them from domains. An example domain policy
with the patch applied would look like the one below.

  <kernel> /path/to/app1
  use_profile 3
  use_group 0
  use_group 1
  file read /path/to/file1
  file write /path/to/file1

  <kernel> /path/to/app2
  use_profile 3
  use_group 0
  use_group 2
  use_group 3
  file read /path/to/file2

  <kernel> /path/to/app3
  use_profile 3
  use_group 0
  use_group 4
  file execute /path/to/file3

I was planning to allow specifying acl_group by name rather than by number, but
as with profile numbers, I chose numbers, which will save a lot of code.

For compatibility within TOMOYO 1.8.x series, only white listing syntax is
available. If black listing syntax is needed, CaitSith would fit better.

If this specification matches your needs, I'd like to release it as
TOMOYO 1.8.4.

Regards.
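
An added example, not part of the original post or of ccs-tools: a short Python audit helper that expands each domain's use_group entries into the effective list of allowed ACLs, so a reviewer can see what a domain is actually granted once several groups are included. The helper names and the acl_group sample lines are constructed; it assumes groups are defined in the exception policy as `acl_group N <acl>` and numbered 0-255.

```python
MAX_GROUP = 255  # assumption: group numbers are 0-255 (the 256 entries the post mentions)
# Constructed sample input; the acl_group lines (exception policy) are not from the post.
EXCEPTION_POLICY = """\
acl_group 0 file read /etc/ld.so.cache
acl_group 1 file read /path/to/shared.conf
acl_group 2 file write /path/to/log2
"""
DOMAIN_POLICY = """\
<kernel> /path/to/app1
use_profile 3
use_group 0
use_group 1
file read /path/to/file1

<kernel> /path/to/app2
use_profile 3
use_group 0
use_group 2
use_group 3
file read /path/to/file2
"""

def parse_acl_groups(exception_policy):
    groups = {}  # group number -> list of ACL lines
    for line in exception_policy.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "acl_group":
            groups.setdefault(int(parts[1]), []).append(parts[2])
    return groups

def expand_domains(domain_policy, groups):  # -> ({domain: ACLs}, [warnings])
    effective, used, warnings, domain = {}, {}, [], None
    for raw in domain_policy.splitlines():
        line = raw.strip()
        if line.startswith("<"):  # domain header, e.g. "<kernel> /path/to/app1"
            domain = line
            effective[domain], used[domain] = [], set()
        elif domain and line.startswith("use_group "):
            n = int(line.split()[1])
            if not 0 <= n <= MAX_GROUP or n in used[domain]:
                warnings.append(f"{domain}: invalid or duplicate use_group {n}")
            elif n not in groups:
                warnings.append(f"{domain}: use_group {n} has no acl_group entries")
            else:  # merge the group's ACLs, skipping ones already granted
                effective[domain] += [a for a in groups[n] if a not in effective[domain]]
            used[domain].add(n)
        elif domain and line and not line.startswith("use_profile ") and line not in effective[domain]:
            effective[domain].append(line)  # ACL written directly in the domain
    return effective, warnings
```

Calling `expand_domains(DOMAIN_POLICY, parse_acl_groups(EXCEPTION_POLICY))` returns the per-domain allow lists plus a warning for app2, whose `use_group 3` refers to a group with no entries in the sample.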



