Tetsuo Handa
from-****@I-lov*****
Sat Dec 4 00:38:18 JST 2010
Jamie Nguyen wrote:
> I've compiled and installed ccs-patch and ccs-tools revision 4171. I
> had to apply this patch to build ccs-tools [1].

Oh, thanks. I forgot to update Makefile and ccs-tools.spec .

Tetsuo Handa wrote (before this thread moved to this ML):
> Jamie Nguyen wrote:
> > Congratulations on the 1.8 release :)
>
> Thank you.
>
> > I just wanted to mention that the link found on
> > http://tomoyo.sourceforge.jp/ to the 1.x series documentation still
> > links to the 1.7 branch. If this is because 1.8 documentation is not
> > yet complete, then ignore me! But I just wanted to mention this in
> > case it was an oversight.
>
> Yes. http://tomoyo.sourceforge.jp/1.8/tuning.html needs updates on
> how to tune patterns. In 1.8, file_pattern was removed.
> One is for simplifying kernel code. The other is for handling relative
> pathnames from mount point (i.e. AKARI without CONFIG_SECURITY_PATH=y).
>
> In 1.8, converting pathnames using wildcards is up to users.
> ccs-patternize needs some modification for handling relative
> pathnames from mount point. For example,
>
>   dev(8,1)=/boot/
>   dev(8,2)=/
>   dev(8,3)=/home/
>   dev(8,4)=/tmp/
>   dev(8,5)=/var/
>   dev(0,11)=/dev/
>
> for handling
>
>   file create dev(8,5):/tmp/fileA8cF93 0600
>   file write /var/tmp/fileA8cF93
>   file unlink dev(8,5):/tmp/fileA8cF93
>
> .
>
> Also, I want to support patternizing only directory part. For example,
>
>   dir_pattern proc:/\$/
>
> rather than
>
>   file_pattern proc:/\$/stat
>   file_pattern proc:/\$/status
>   file_pattern proc:/\$/cmdline
>   file_pattern proc:/\$/exe
>
> etc. I'm considering string manipulation logic now.

I started to implement ccs-patternize logic.
I added /etc/ccs/tools/patternize.conf and registered some patterns.

Steps to patternize (as of revision 4182) would look like

(1) Save current policy by doing
    "ccs-savepolicy -d > /etc/ccs/domain_policy.tmp".
(2) Browse /etc/ccs/domain_policy.tmp and determine how to patternize.
(3) Edit /etc/ccs/tools/patternize.conf as needed.
(4) Convert by doing
    "ccs-patternize < /etc/ccs/domain_policy.tmp > /etc/ccs/domain_policy.new".
(5) Generate diff by doing
    "ccs-diffpolicy /etc/ccs/domain_policy.tmp /etc/ccs/domain_policy.new > /etc/ccs/domain_policy.diff".
(6) Browse /etc/ccs/domain_policy.diff and commit changes by doing
    "ccs-loadpolicy -d < /etc/ccs/domain_policy.diff".

Currently, I implemented six types.

Type 1 : Exact pathname match

  file_pattern proc:/self/fd/\$

will replace (e.g.) proc:/self/fd/0 with proc:/self/fd/\$ .
This is what it was until TOMOYO 1.7 .

Type 2 : Heading pathname match

  head_pattern proc:/\$/

will replace (e.g.) proc:/123/status with proc:/\$/status .
This is intended for reducing the number of file_pattern entries by
grouping pathnames where only the directory part needs to be patternized.

Type 3 : Trailing pathname match

  tail_pattern /etc/mtab~\$

will replace (e.g.) dev(8,1):/etc/mtab~456 with dev(8,1):/etc/mtab~\$ .
This is intended for CONFIG_SECURITY_PATH=n kernels where we can't obtain
absolute pathnames regarding directory entry modification operations
(e.g. "file create" and "file rename").

Type 4 : Exact pathname match with grouping

  path_group GROUP1 /tmp/php\?\?\?\?\?\?

will replace (e.g.) /tmp/phpZjk1k3 with @GROUP1 .
This syntax is identical to the path_group directive in exception policy.

Type 5 : Exact number match with grouping

  number_group GROUP2 0-100
  number_group GROUP2 100-200

will replace integers between 0-100 or 100-200 with @GROUP2 .
This syntax is identical to the number_group directive in exception policy.

Type 6 : Exact IP address match with grouping

  address_group LOCALHOST 127.0.0.1
  address_group LOCALHOST 0:0:0:0:0:0:0:1

will replace IP addresses 127.0.0.1 or 0:0:0:0:0:0:0:1 with @LOCALHOST .
This syntax is identical to the address_group directive in exception policy.

Maybe we want to unify these syntaxes like (e.g.)

  file_pattern proc:/self/fd/\$ proc:/self/fd/\$
  head_pattern proc:/\$/ proc:/\$/
  tail_pattern /etc/mtab~\$ /etc/mtab~\$
  file_pattern @GROUP1 /tmp/php\?\?\?\?\?\?
  number_pattern @GROUP2 0-100
  number_pattern @GROUP2 100-200
  address_pattern @LOCALHOST 127.0.0.1
  address_pattern @LOCALHOST 0:0:0:0:0:0:0:1

.

Also, maybe we want domainname matching like ccs-auditd's sorting rule.

Preferences?/Comments?/Suggestions?

Regards.
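The six pattern types and the save/patternize/diff procedure described in the mail, as an added Python illustration that is not ccs-tools' own code. It reimplements the matching logic with the wildcard subset `\$`, `\+`, `\?`, `\*`, `\x`, `\a` (an assumption; TOMOYO defines more), applies rules cumulatively in the order they appear in patternize.conf, classifies tokens heuristically (a token starting with `/` or containing `:/` is a pathname, a decimal/octal/hex token is a number, anything `ipaddress` parses is an address), and leaves domain-name and `use_profile` lines untouched so that `use_profile 1` is not rewritten by a number_group. The patternize.conf and the domain policy are constructed samples.

```python
import difflib
import ipaddress
import re
import sys

# Constructed patternize.conf carrying one rule of each of the six types.
PATTERNIZE_CONF = r"""
file_pattern proc:/self/fd/\$
head_pattern proc:/\$/
tail_pattern /etc/mtab~\$
path_group GROUP1 /tmp/php\?\?\?\?\?\?
number_group GROUP2 0-100
number_group GROUP2 100-200
address_group LOCALHOST 127.0.0.1
address_group LOCALHOST 0:0:0:0:0:0:0:1
"""

# Constructed output of "ccs-savepolicy -d" for one domain.
SAMPLE_POLICY = """\
<kernel> /usr/sbin/httpd
use_profile 1
file read proc:/self/fd/0
file read proc:/123/status
file create dev(8,5):/tmp/fileA8cF93 0600
file create dev(8,1):/etc/mtab~456 0644
file write /tmp/phpZjk1k3
file ioctl /dev/null 42
network inet stream connect 0:0:0:0:0:0:0:1 80
"""

# Subset of TOMOYO wildcards (assumption: the real set is larger).
WILDCARDS = {
    '$': r'[0-9]+',        # one or more decimal digits
    '+': r'[0-9]',         # exactly one decimal digit
    '?': r'[^/]',          # one character other than '/'
    '*': r'[^/]*',         # zero or more characters other than '/'
    'x': r'[0-9a-fA-F]+',  # hexadecimal digits
    'a': r'[a-zA-Z]+',     # alphabet characters
}
NUMBER_RE = re.compile(r'0[xX][0-9a-fA-F]+|[0-9]+')
# Lines that name a domain or a profile carry no operands to patternize.
SKIP_PREFIXES = ('<kernel>', 'use_profile', 'use_group',
                 'quota_exceeded', 'transition_failed')


def wildcard_to_regex(pattern):
    """Translate a TOMOYO-style pattern into a Python regular expression."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == '\\' and i + 1 < len(pattern):
            out.append(WILDCARDS.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return ''.join(out)


def parse_number(text):
    """Policy integers: 0x prefix is hex, a leading 0 is octal, else decimal."""
    if text.lower().startswith('0x'):
        return int(text, 16)
    return int(text, 8) if len(text) > 1 and text[0] == '0' else int(text, 10)


def load_conf(text):
    """Parse patternize.conf into path, number and address rule lists."""
    rules = {'path': [], 'number': [], 'address': []}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith('#'):
            continue
        kind = parts[0]
        if kind in ('file_pattern', 'head_pattern', 'tail_pattern') and len(parts) == 2:
            regex = wildcard_to_regex(parts[1]) + ('$' if kind == 'tail_pattern' else '')
            rules['path'].append((kind, parts[1], re.compile(regex)))
        elif kind == 'path_group' and len(parts) == 3:
            rules['path'].append((kind, '@' + parts[1], re.compile(wildcard_to_regex(parts[2]))))
        elif kind == 'number_group' and len(parts) == 3:
            lo, _, hi = parts[2].partition('-')
            rules['number'].append(('@' + parts[1], parse_number(lo), parse_number(hi or lo)))
        elif kind == 'address_group' and len(parts) == 3:
            rules['address'].append(('@' + parts[1], ipaddress.ip_address(parts[2])))
        else:
            raise ValueError('unrecognised patternize.conf line: ' + line)
    return rules


def patternize_path(path, path_rules):
    """Apply file/head/tail/path_group rules cumulatively, in conf order."""
    for kind, repl, rx in path_rules:
        if kind in ('file_pattern', 'path_group') and rx.fullmatch(path):
            path = repl                        # whole pathname becomes the pattern or @GROUP
        elif kind == 'head_pattern' and (m := rx.match(path)):
            path = repl + path[m.end():]       # only the leading directory part is patternized
        elif kind == 'tail_pattern' and (m := rx.search(path)):
            path = path[:m.start()] + repl     # keeps e.g. the dev(8,1): prefix intact
    return path


def patternize_token(tok, rules):
    """Classify one operand and rewrite it according to the matching rule list."""
    if tok.startswith('/') or ':/' in tok:
        return patternize_path(tok, rules['path'])
    if NUMBER_RE.fullmatch(tok):
        try:
            value = parse_number(tok)
        except ValueError:                     # e.g. "08" is not valid octal
            return tok
        return next((g for g, lo, hi in rules['number'] if lo <= value <= hi), tok)
    try:
        addr = ipaddress.ip_address(tok)
    except ValueError:                         # directive words such as "file", "read"
        return tok
    return next((g for g, member in rules['address'] if addr == member), tok)


def patternize_line(line, rules):
    if not line.strip() or line.startswith(SKIP_PREFIXES):
        return line
    return ' '.join(patternize_token(tok, rules) for tok in line.split())


def patternize(policy_text, rules):
    """Step (4): rewrite every line of a saved domain policy."""
    return [patternize_line(line, rules) for line in policy_text.splitlines()]


RULES = load_conf(PATTERNIZE_CONF)

if __name__ == '__main__':
    before = [l + '\n' for l in SAMPLE_POLICY.splitlines()]
    after = [l + '\n' for l in patternize(SAMPLE_POLICY, RULES)]
    # Step (5): review the change as a diff before committing it with ccs-loadpolicy.
    sys.stdout.writelines(difflib.unified_diff(before, after,
                                               'domain_policy.tmp', 'domain_policy.new'))
```

Running the script prints a unified diff of the sample policy: `proc:/self/fd/0` becomes `proc:/self/fd/\$`, `proc:/123/status` becomes `proc:/\$/status`, `dev(8,1):/etc/mtab~456` keeps its device prefix and becomes `dev(8,1):/etc/mtab~\$`, `/tmp/phpZjk1k3` collapses to `@GROUP1`, the port `80` and ioctl number `42` become `@GROUP2` while the octal mode `0600` (384) stays, and the IPv6 loopback becomes `@LOCALHOST`. Reviewing that diff before loading is the point of step (5): a pattern that is one wildcard too broad widens the domain's permissions for every file it matches, and the diff is where that shows up.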