[tomoyo-users-en 423] Re: TOMOYO Policy simplification

Tetsuo Handa from-****@I-lov*****
Thu Nov 24 07:20:18 JST 2011


Milton Yates wrote:
> If you don't have time, I could start diving in the code to provide a
> patch for this (in a few weeks). Although I am missing kernel coding
> experience, I'm up for challenges - and would love to see this
> functionality come alive.
> I personally believe this would speed up policy writing for TOMOYO, once
> the base groups have been defined.

OK. I'll try. I already wrote an incomplete patch to do this. It was less than
100 lines of addition. But to make the patch complete, I must consider changing
the way the kernel prints the current policy configuration. The length of a
permission line

  operation target condition

may be longer than the buffer size passed to read(), and therefore TOMOYO has a
lot of cookie variables and branches so that TOMOYO can pause at any location
of printing the line. By changing from

  acl_group N operation target condition

(array of 256 elements) to

  acl_group name operation target condition

(list of variable length), TOMOYO needs more cookie variables and branches but
I don't want to add more. Thus, I'm now considering use of a kernel thread only
for reading the current policy so that I can reduce cookie variables and branches.
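
Added example, not part of the original message and not TOMOYO's code: a user-space C model of the cookie problem described above, where a permission line longer than the reader's buffer must be emitted across several read() calls without dropping or repeating bytes. The struct names, function names and the sample entry are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of one permission line; not TOMOYO's real structures. */
struct acl_line { const char *group, *operation, *target, *condition; };
/* Cookies kept between read() calls: current field and offset inside it. */
struct read_cookie { int field; size_t off; };
/* Constructed sample entry that uses a named group. */
static const struct acl_line sample =
    { "web_base", "file read", "/etc/hosts", "task.uid=0" };

/* Copy as much of the line as fits in buf; returns bytes written, 0 at end. */
size_t policy_read(const struct acl_line *l, struct read_cookie *c,
                   char *buf, size_t len)
{
    const char *parts[] = { "acl_group ", l->group, " ", l->operation, " ",
                            l->target, " ", l->condition, "\n" };
    const int nparts = sizeof(parts) / sizeof(parts[0]);
    size_t done = 0;
    while (done < len && c->field < nparts) {
        const char *s = parts[c->field] + c->off;
        size_t left = strlen(s);
        size_t n = left < len - done ? left : len - done;
        memcpy(buf + done, s, n);
        done += n;
        if (n == left) { c->field++; c->off = 0; } /* field finished */
        else c->off += n;            /* buffer full mid-field: pause here */
    }
    return done;
}

/* Drain the line through a reader offering only `chunk` bytes per call. */
size_t read_all(const struct acl_line *l, size_t chunk, char *out, size_t cap)
{
    struct read_cookie c = { 0, 0 };
    char buf[64];
    size_t total = 0, n;
    if (chunk == 0 || chunk > sizeof(buf))
        return 0;
    while ((n = policy_read(l, &c, buf, chunk)) > 0 && total + n < cap) {
        memcpy(out + total, buf, n);
        total += n;
    }
    out[total] = '\0';
    return total;
}

int main(void) { char o[128]; read_all(&sample, 7, o, sizeof(o)); return fputs(o, stdout) < 0; }
```

Every variable-length element added to the line format needs its own pause point in a printer like this, which is the growth in cookies and branches the message wants to avoid.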



