Hello.
(1) I added a per-entry flag which controls generation of grant logs because
Xen and KVM issue ioctl requests so frequently. For example,

    allow_ioctl /dev/null 0x5401 ; set audit=no

will suppress /proc/ccs/grant_log even if the profile says grant_log=yes .

    allow_ioctl /dev/null 0x5401 ; set audit=yes

will generate /proc/ccs/grant_log even if the profile says grant_log=no .

    allow_ioctl /dev/null 0x5401

will generate /proc/ccs/grant_log only if the profile says grant_log=yes .
This flag is intended for frequently accessed resources like

    allow_read /var/www/html/\{\*\}/\*.html ; set audit=no
(2) To be able to control generation of grant logs for "allow_read" and
"allow_env" entries in /proc/ccs/exception_policy as well as for those in
/proc/ccs/domain_policy , I made it possible to specify the "; set audit=yes"
or "; set audit=no" part for these entries in /proc/ccs/exception_policy .
As of 1.7.2, only "allow_read" and "allow_env" entries can be specified in
/proc/ccs/exception_policy . But I came to feel that some entries like
"allow_write /dev/null" , "allow_ioctl foo 0x5401" and "allow_network UDP connect
@DNS_SERVERS 53" are very common and should be permitted in
/proc/ccs/exception_policy . Thus, I made it possible to specify all
entries which may appear in /proc/ccs/domain_policy in
/proc/ccs/exception_policy as well.
(3) I introduced the new syntax "keep_domain /path/to/program from any" so that
users need not create a domain for execute_handler when they want to apply
execute_handler to all domains.
(4) To be able to read() very very long lines correctly, I changed the way
TOMOYO buffers policy for reading.
(5) I'm also trying to reduce code size.
Currently the size is reduced by 17% compared to TOMOYO 1.7.2 :

    ccsecurity.ko (revision 3780)  105,817 bytes
    ccsecurity.ko (TOMOYO 1.7.2)   128,584 bytes
(6) And now, I'm standing at a crossroads.
After I made the changes in (2), I came to feel that entries specified in
/proc/ccs/exception_policy should support grouping. For example, specify

    acl_group 0 allow_write /tmp/foo
    acl_group 0 allow_read /etc/bar
    acl_group 1 allow_execute /bin/pwd

in /proc/ccs/exception_policy and specify

    <kernel> /usr/sbin/sshd
    use_profile 3
    use_group 0
    allow_read /etc/shadow
    allow_network TCP accept @LAN 1024-65535

    <kernel> /usr/sbin/httpd
    use_profile 3
    use_group 1
    allow_read /etc/
    allow_network TCP accept @LAN 1024-65535

in /proc/ccs/domain_policy .
Something like the #include directive in AppArmor .
I think this grouping is useful for splitting domains into several
categories. For example, "domains for Android's dalvik VM
( /usr/bin/app_process and its children) which will need ioctl on
/dev/binder" and "domains for the rest of Android system which will not
need ioctl on /dev/binder". For example, "domains for KVM which will need
ioctl on /dev/kvm" and "domains for the rest of system which will not need
ioctl on /dev/kvm".
This grouping removes the need for the
ignore_global_allow_read/ignore_global_allow_env (and ignore_global_write
etc.) keywords because users can create groups as they like.
What do you think?
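As an added illustration (not TOMOYO code, and not from the post above), the following Python models the two behaviours described in (1) and (6): the per-entry "; set audit=yes|no" flag overriding the profile's grant_log setting, and a domain's effective ACL set being its own entries plus every entry of each acl_group it names with use_group. The policy text embedded below is constructed for the example.

```python
# Constructed exception_policy / domain_policy fragments in the syntax
# proposed in the post (acl_group N ... / use_group N, "; set audit=").
EXCEPTION_POLICY = """\
acl_group 0 allow_write /tmp/foo
acl_group 0 allow_read /etc/bar ; set audit=no
acl_group 1 allow_execute /bin/pwd
"""

DOMAIN_POLICY = """\
<kernel> /usr/sbin/sshd
use_profile 3
use_group 0
allow_read /etc/shadow
allow_ioctl /dev/null 0x5401 ; set audit=no
<kernel> /usr/sbin/httpd
use_profile 3
use_group 1
allow_read /etc/
"""


def parse_entry(line):
    """Split 'allow_... args ; set audit=yes|no' into (acl, audit).
    audit is True/False when the flag is present, None when absent."""
    acl, sep, opt = line.partition(" ; set audit=")
    if not sep:
        return line.strip(), None
    return acl.strip(), opt.strip() == "yes"


def parse_groups(text):
    """Collect 'acl_group N <entry>' lines into {N: [(acl, audit), ...]}."""
    groups = {}
    for line in text.splitlines():
        if line.startswith("acl_group "):
            _, num, rest = line.split(" ", 2)
            groups.setdefault(int(num), []).append(parse_entry(rest))
    return groups


def parse_domains(text):
    """Build {domain_name: {profile, groups, acls}} from domain_policy."""
    domains, cur = {}, None
    for line in text.splitlines():
        if line.startswith("<kernel>"):
            cur = domains[line] = {"profile": None, "groups": [], "acls": []}
        elif line.startswith("use_profile "):
            cur["profile"] = int(line.split()[1])
        elif line.startswith("use_group "):
            cur["groups"].append(int(line.split()[1]))
        elif line.startswith("allow_"):
            cur["acls"].append(parse_entry(line))
    return domains


def effective_acls(domain, domains, groups):
    """A domain's own entries plus the entries of every group it uses."""
    d = domains[domain]
    acls = list(d["acls"])
    for g in d["groups"]:
        acls.extend(groups.get(g, []))
    return acls


def should_grant_log(audit_flag, profile_grant_log):
    """Per-entry flag wins; otherwise the profile's grant_log decides."""
    return profile_grant_log if audit_flag is None else audit_flag
```

Running effective_acls for the sshd domain shows that the group 0 entries (including the audit=no one) are inherited while the group 1 allow_execute is not, and should_grant_log reproduces the three cases listed in (1).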
_______________________________________________
tomoyo-users-en mailing list
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en