Radoslaw Szkodzinski wrote:
> >> I'd like then a forced conditional inclusion of a group of rules. Is
> >> that possible?
> >> e.g.
> >> <kernel> /foo
> >> ...
> >> include_domain "/uid:1234 /foo" if task.uid=1234
> >>
> >> or some other way to pick a whole set of rules based on an uid, so as
> >> to not reload the whole ruleset when some user decides to accept
> >> something forever. Looks far better than many
> >> allow_read /foo/bar/* if task.uid=1234
> >> allow_read /bar/baz/* if task.uid=2345
> >> ...
> >>
> > I need to make sure why you tried to use allow_transit keyword.
> > Guessing from what you wrote
> >
> > <snip>
>
> The problem is of course the ugliness of a large number of
> allow_* * if task.uid=<uid>
> especially if they begin to mix.
>
> It'd be better if I could branch those into another domain or have
> some kind of grouping.
> I'd also be then able to split those off into a separate file.
>
OK. You are the first user who wants to try TOMOYO 1.8 for that purpose.
In TOMOYO 1.8, automatic domain transition is provided.

  <kernel> /foo
  use_profile 3
  use_group 0
  task auto_domain_transition <kernel> /foo /uid=1234 task.uid=1234
  task auto_domain_transition <kernel> /foo /uid=5678 task.uid=5678
  task auto_domain_transition <kernel> /foo /uid=9012 task.uid=9012

  <kernel> /foo /uid=1234
  use_profile 4
  use_group 1
  file read /etc/fstab

  <kernel> /foo /uid=5678
  use_profile 4
  use_group 1
  file read /etc/passwd

  <kernel> /foo /uid=9012
  use_profile 4
  use_group 1
  file read /etc/resolv.conf

Unlike "allow_transit" in TOMOYO 1.7.2, "task auto_domain_transition" is
applied automatically when conditions are met. This means that if a user
transits to "<kernel> /foo" domain (typically by executing /foo ), the user
will be automatically redirected to "<kernel> /foo /uid=1234" domain if the
user's uid is 1234 (or redirected to "<kernel> /foo /uid=5678" domain if uid
is 5678, or redirected to "<kernel> /foo /uid=9012" domain if uid is 9012,
or remain in that domain otherwise).

TOMOYO 1.8 also provides acl grouping for grouping commonly used entries.
In the exception policy, you can define

  acl_group 1 file read @cookies
  acl_group 1 file write @cookies
  acl_group 1 network inet stream connect @servers @ports
  acl_group 1 file execute /usr/lib/firefox/plugin-container

and include it like

  use_group 1

in the domain policy. Group number is an integer between 0 and 255.

You can try TOMOYO 1.8 at http://tomoyo.sourceforge.jp/1.8/ (although it is
still under development and specifications will change).

Regards.
_______________________________________________
tomoyo-users-en mailing list
[email protected]
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en
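Added example (not TOMOYO's own code and not part of the message above): a small Python simulator of the two mechanisms described in the reply. It parses the domain policy and exception policy text quoted from the message into a dictionary model, follows "task auto_domain_transition" rules whose "task.uid=N" condition matches the task's uid, and expands "use_group N" through the "acl_group N" entries so you can see which ACL lines a task ends up with. Everything about the parsing is an assumption of this simulator rather than TOMOYO's real policy parser: it understands only the keywords used in the message, treats the last token of a transition line as the condition (domain names contain spaces), ignores "use_profile", and skips transitions to domains that are not defined in the policy text.

```python
"""Toy simulator for TOMOYO 1.8 auto_domain_transition and acl_group.

Added example, not TOMOYO code. The policy strings are constructed from the
mailing-list message; the parser handles only the subset of syntax used there.
"""
import re

DOMAIN_POLICY = """\
<kernel> /foo
use_profile 3
use_group 0
task auto_domain_transition <kernel> /foo /uid=1234 task.uid=1234
task auto_domain_transition <kernel> /foo /uid=5678 task.uid=5678
task auto_domain_transition <kernel> /foo /uid=9012 task.uid=9012

<kernel> /foo /uid=1234
use_profile 4
use_group 1
file read /etc/fstab

<kernel> /foo /uid=5678
use_profile 4
use_group 1
file read /etc/passwd

<kernel> /foo /uid=9012
use_profile 4
use_group 1
file read /etc/resolv.conf
"""

EXCEPTION_POLICY = """\
acl_group 1 file read @cookies
acl_group 1 file write @cookies
acl_group 1 network inet stream connect @servers @ports
acl_group 1 file execute /usr/lib/firefox/plugin-container
"""

# Only the task.uid=N condition form from the message is supported (assumption).
COND_RE = re.compile(r"^task\.uid=(\d+)$")


def parse_domain_policy(text):
    """Return {domain: {"group": int, "transitions": [(uid, target)], "acl": [line]}}."""
    domains = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("<kernel>"):          # domain header line
            current = domains.setdefault(line, {"group": 0, "transitions": [], "acl": []})
            continue
        if current is None:
            raise ValueError("entry before any domain header: %r" % line)
        if line.startswith("use_group "):
            current["group"] = int(line.split()[1])
        elif line.startswith("task auto_domain_transition "):
            # Assumption: "<target domain> <condition>", condition is the last token.
            rest = line[len("task auto_domain_transition "):]
            target, _, cond = rest.rpartition(" ")
            m = COND_RE.match(cond)
            if not m:
                raise ValueError("unsupported condition: %r" % cond)
            current["transitions"].append((int(m.group(1)), target))
        elif line.startswith("use_profile "):
            pass                                  # profiles are not modelled here
        else:
            current["acl"].append(line)           # plain ACL entry (e.g. "file read ...")
    return domains


def parse_exception_policy(text):
    """Return {group_number: [acl line, ...]} from "acl_group N <acl>" entries."""
    groups = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 2)
        if len(parts) == 3 and parts[0] == "acl_group":
            groups.setdefault(int(parts[1]), []).append(parts[2])
    return groups


def resolve_domain(domains, start, uid):
    """Follow matching auto_domain_transition rules; stop when none match or on a cycle."""
    domain = start
    seen = set()
    while domain not in seen:
        seen.add(domain)
        for cond_uid, target in domains[domain]["transitions"]:
            if cond_uid == uid and target in domains:   # undefined targets skipped (simplification)
                domain = target
                break
        else:
            return domain
    return domain


def effective_acl(domains, groups, domain):
    """Domain's own ACL lines followed by the acl_group entries pulled in by use_group."""
    d = domains[domain]
    return list(d["acl"]) + list(groups.get(d["group"], []))


if __name__ == "__main__":
    doms = parse_domain_policy(DOMAIN_POLICY)
    grps = parse_exception_policy(EXCEPTION_POLICY)
    for uid in (1234, 5678, 9012, 1000):
        final = resolve_domain(doms, "<kernel> /foo", uid)
        print("uid %d -> %s" % (uid, final))
        for acl in effective_acl(doms, grps, final):
            print("    " + acl)
```

Running it shows uid 1234, 5678 and 9012 each landing in their own "/uid=" domain with that domain's single "file read" line plus the four group 1 entries, while any other uid stays in "<kernel> /foo" with no ACL from group 0.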
