Tetsuo Handa
from-****@I-lov*****
Wed Jun 1 20:56:54 JST 2011
Tetsuo Handa wrote:
> I added a page for using namespace.
> http://tomoyo.sourceforge.jp/1.8/chapter-15.html
>
> (0) Do you see problems with this specification?

I thought it would be nice if the transition to the "</path/to/program>" namespace automatically took place upon program execution even if the source namespace did not have a "move_namespace /path/to/program from any" entry. For example, when /usr/bin/firefox is executed from the <kernel> namespace, the transition to the </usr/bin/firefox> namespace takes place without adding "move_namespace /usr/bin/firefox from any" to the <kernel> namespace. I wished that this would provide usability like AppArmor, since the policy developer for the </usr/bin/firefox> namespace does not need to ask other namespaces to add "move_namespace /usr/bin/firefox from any".

Today, I implemented it (r5075) by changing how "move_namespace" is interpreted; I changed it to evaluate all "move_namespace" entries in all namespaces, so that adding "move_namespace /usr/bin/firefox from any" to the </usr/bin/firefox> namespace will act as if every namespace has "move_namespace /usr/bin/firefox from any". This is an invitation style way. If we use such a style, and users want to use it like AppArmor, the exception policy for the <kernel> namespace can remain empty (because an invitation from other namespaces acts as if the exception policy for the <kernel> namespace has such an entry).

But then, I realized that such a style will cause confusion, and I reverted it (r5077). For example, the <kernel> namespace wants to use it but the <lxc1> namespace may not want to use it. Users have to be aware of such entries distributed in all namespaces and tell "I'll use it" or "I don't use it", which can be more complicated and difficult, reducing the usability.

Do we want invitation style directives so that the <kernel> namespace's exception policy can remain empty? If yes, how can we safely cancel invitation style directives?

Releasing TOMOYO 1.8.2 without invitation style directives seems to be better, even though it requires users to add "move_namespace /usr/bin/firefox from any" to (e.g.) the <kernel> namespace's exception policy.
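The two interpretations of "move_namespace" compared in the message above, as an added example that is not part of the original post and is not TOMOYO's code. It is a simplified model: the sample policies are constructed, the function names are hypothetical, and only "from any" entries are modelled.

```python
# Added illustration: a simplified model, not TOMOYO's implementation.
# Only "move_namespace <program> from any" lines are modelled; entries with
# any other source are skipped.

# Constructed sample exception policies, keyed by namespace name.
POLICY = {
    "<kernel>": "",
    "<lxc1>": "",
    "</usr/bin/firefox>": "move_namespace /usr/bin/firefox from any\n",
}

def move_entries(text):
    """Return the set of programs named by 'move_namespace P from any' lines."""
    programs = set()
    for line in text.splitlines():
        words = line.split()
        if len(words) == 4 and words[0] == "move_namespace" and words[2:] == ["from", "any"]:
            programs.add(words[1])
    return programs

def next_namespace(policy, current, program, invitation):
    """Namespace a process in `current` ends up in after executing `program`."""
    if invitation:
        # Invitation style (r5075 as described): entries in every namespace count.
        consulted = policy.values()
    else:
        # After the revert (r5077): only the current namespace's entries count.
        consulted = [policy[current]]
    if any(program in move_entries(text) for text in consulted):
        return "<" + program + ">"
    return current

def affected_namespaces(policy, program, invitation):
    """Namespaces whose processes would be moved when they execute `program`."""
    return sorted(ns for ns in policy
                  if next_namespace(policy, ns, program, invitation) != ns)

if __name__ == "__main__":
    for mode in (False, True):
        print("invitation" if mode else "per-namespace",
              affected_namespaces(POLICY, "/usr/bin/firefox", mode))
```

In this model the invitation style moves processes from both <kernel> and <lxc1>, although neither policy contains the entry, which is the opt-out problem the message raises.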