Tetsuo Handa
from-****@I-lov*****
Sat Nov 27 20:44:31 JST 2010
Jamie Nguyen wrote:
> Tetsuo Handa wrote:
> > Setting
> >
> > max_learning_entry=0
> >
> > in the /proc/ccs/profile and running
> >
> > grep -A 2 -F ' mode=learning (global-pid=' < /proc/ccs/reject_log > /proc/ccs/domain_policy
> >
> > in the background will do what the learning mode can do.
>
> I am having trouble repeating this. For me, the grep command needs "-a" as
> well, otherwise it only outputs "Binary file (standard input)
> matches". It also appears that /proc/ccs/domain_policy cannot be
> written to. No matter what I try, the only way I can change the
> contents is through ccs-editpolicy.

Sorry, I didn't mean this line for copy-and-paste purposes. I wrote this line to show "input"/"processing"/"output".

When we implement this line, we will use a standalone program (maybe named /usr/sbin/ccs-learningd ). Raw /proc/ccs/reject_log uses '\0' as delimiter. Since it is dangerous to allow all processes running as the "root" user to write to the /proc/ccs/ interface, only programs (or domains) listed in /proc/ccs/manager are allowed to write to the /proc/ccs/ interface. We will add /usr/sbin/ccs-learningd to /proc/ccs/manager but we won't add /bin/grep to /proc/ccs/manager .

> > If we do
> >
> > grep -A 2 -F ' mode=learning (global-pid=' < /proc/ccs/reject_log | /usr/lib/ccs/convert-audit-log > /proc/ccs/domain_policy
> >
> > and let /usr/lib/ccs/convert-audit-log manage which conditions are to be checked
> > (when adding an entry to the domain policy), we can avoid hardcoding in the
> > kernel and can provide more conditional/flexible policy generation than now.
>
> This sounds good. I assume you are planning to add options to
> convert-audit-log that allow you to manage which conditions are
> checked?

Yes. I removed the file_pattern directive from TOMOYO 1.8 because userland programs can do more conditional/flexible processing than the kernel.
We can avoid patternizing pathnames using /usr/sbin/ccs-editpolicy or /usr/sbin/ccs-patternize because /usr/sbin/ccs-learningd can do it before appending to /proc/ccs/domain_policy .

We can define up to 256 profiles. Therefore, we can define

0-CONFIG={ mode=disabled }
1-CONFIG={ mode=permissive }
2-CONFIG={ mode=permissive }
3-CONFIG={ mode=enforcing }

and let ccs-learningd process only audit logs from /proc/ccs/reject_log with "profile=1 mode=permissive".

Once we add ccs-learningd , the learning mode is no longer useful. I think that the learning mode will be removed eventually.

Regards.
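As an added example (not code from TOMOYO, ccs-learningd or this thread), here is the filtering step such a daemon would perform on the raw reject_log stream: split the NUL-delimited stream into records, keep only those whose header carries the requested profile and mode, and render them as domain_policy text ready to be appended by a program listed in /proc/ccs/manager. The three-line record layout (header line, domain line, access-request line) is an assumption inferred from the `grep -A 2` above, and the sample records are constructed; the real TOMOYO 1.8 format may differ.

```python
# Constructed sample of a NUL-delimited audit log stream (assumed layout:
# header line, domain line, access line, terminated by '\0' per record).
SAMPLE_REJECT_LOG = b"".join([
    b"#2010/11/27 20:44:31# profile=1 mode=permissive granted=no (global-pid=1234)\n"
    b"<kernel> /usr/sbin/sshd\n"
    b"file read /etc/ssh/sshd_config\n\0",
    b"#2010/11/27 20:44:32# profile=3 mode=enforcing granted=no (global-pid=1235)\n"
    b"<kernel> /usr/sbin/httpd\n"
    b"file write /var/www/html/index.html\n\0",
    b"#2010/11/27 20:44:33# profile=1 mode=permissive granted=no (global-pid=1236)\n"
    b"<kernel> /usr/sbin/sshd\n"
    b"file execute /bin/bash\n\0",
])


def parse_records(raw):
    """Split the '\\0'-delimited stream into (header, domain, access) tuples.
    A trailing fragment without its '\\0' yet (or a malformed record) is skipped."""
    records = []
    for chunk in raw.split(b"\0"):
        lines = chunk.decode("utf-8", "replace").splitlines()
        if len(lines) < 3:
            continue
        records.append((lines[0], lines[1], lines[2]))
    return records


def header_fields(header):
    """Extract key=value tokens (profile=1, mode=permissive, ...) from a header line;
    the parenthesised (global-pid=N) token is deliberately left out."""
    return dict(tok.split("=", 1) for tok in header.split()
                if "=" in tok and not tok.startswith("("))


def select_policy(raw, profile, mode):
    """Return deduplicated (domain, access) pairs whose header matches profile and mode,
    in first-seen order, so enforcing-profile domains never leak into the output."""
    seen, out = set(), []
    for header, domain, access in parse_records(raw):
        fields = header_fields(header)
        if fields.get("profile") != profile or fields.get("mode") != mode:
            continue
        if (domain, access) not in seen:
            seen.add((domain, access))
            out.append((domain, access))
    return out


def to_domain_policy(pairs):
    """Render pairs as domain_policy text: each domain line followed by its access lines."""
    grouped = {}
    for domain, access in pairs:
        grouped.setdefault(domain, []).append(access)
    return "".join(d + "\n" + "".join(a + "\n" for a in accs) for d, accs in grouped.items())
```

The rendered text is what a manager-listed daemon would write to /proc/ccs/domain_policy, after any patternizing it chooses to apply.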