討論區: Open Discussion (Thread #40970)

Binding a group (acl_group) to a profile ? (2019-07-17 23:33 by intika #83255)

Hi,

As always thanks a lot for your amazing work and this amazing software :)

Is it possible to bind/assign an acl_group to a profile with something like `0-CONFIG::use_group::0` under profile.conf?

This would make the profile more configurable or fine-grained...

Otherwise would that feature easy to implement ?

Thanks

回覆 #83255×

You can not use Wiki syntax
You are not logged in. To discriminate your posts from the rest, you need to pick a nickname. (The uniqueness of nickname is not reserved. It is possible that someone else could use the exactly same nickname. If you want assurance of your identity, you are recommended to login before posting.) 登入

Re: Binding a group (acl_group) to a profile ? (2019-07-18 00:45 by kumaneko #83256)

Hello.

Changing "use_group" upon changing "use_profile" is unlikely what people want to do.
Since both "use_profile" and "use_group" will be copied to newly created domains,
I wonder why you want such feature... What is the problem?
回覆: #83255

回覆 #83256×

You can not use Wiki syntax
You are not logged in. To discriminate your posts from the rest, you need to pick a nickname. (The uniqueness of nickname is not reserved. It is possible that someone else could use the exactly same nickname. If you want assurance of your identity, you are recommended to login before posting.) 登入

Re: Binding a group (acl_group) to a profile ? (2019-07-18 01:52 by intika #83257)

Reply To Message #83256
> I wonder why you want such feature... What is the problem?

It's not really a problem just wanted to make things easier... i know that "use_profile" and "use_group" are inherited for new child process/domain...

I am using different profiles to control domain access (profile1=allow, profile2=deny) and i just change the domain profile when needed...

Regarding some managed control access like file::ioctl that monitor a lot of different function call (path/pipe/socket/devpts/anon_inode/proc) i need to fine-grain the level of control let say for instance i want to just control file::ioctl::proc and allow the other calls of ioctl. We can not add such rule to the a profile, so i am using acl_group/use_group to accomplish that ... i don't have a problem it's working fine, i was just wondering if would bind the use_group to use_profile and thus be able to create a fine-grained profile. (currently with the used solution when i change a domain profile i have to change its use_group too...)

Or may be add a feature that would add an additional level to the profile like 2-CONFIG::file::ioctl::proc (right now we are limited to 2-CONFIG::file::ioctl)...

Any way every thing is working i was just wondering how to make it better :)

:)
回覆: #83256

回覆 #83257×

You can not use Wiki syntax
You are not logged in. To discriminate your posts from the rest, you need to pick a nickname. (The uniqueness of nickname is not reserved. It is possible that someone else could use the exactly same nickname. If you want assurance of your identity, you are recommended to login before posting.) 登入

Re: Binding a group (acl_group) to a profile ? (2019-07-18 06:52 by kumaneko #83258)

> Or may be add a feature that would add an additional level to the profile like
> 2-CONFIG::file::ioctl::proc (right now we are limited to 2-CONFIG::file::ioctl)...

OK. You want to control only specific actions on specific targets, don't you?
Then, I think that CaitSith ( https://caitsith.osdn.jp/ ) fits better.
Like described at "Things I struggled" in http://I-love.SAKURA.ne.jp/tomoyo/CaitSith-en.pdf ,
I've considered implementing "profiles on a per filename" basis, but I didn't implement it
in TOMOYO. Instead of doing like 2-CONFIG::file::ioctl::proc , I implemented CaitSith.
回覆: #83257

回覆 #83258×

You can not use Wiki syntax
You are not logged in. To discriminate your posts from the rest, you need to pick a nickname. (The uniqueness of nickname is not reserved. It is possible that someone else could use the exactly same nickname. If you want assurance of your identity, you are recommended to login before posting.) 登入

Re: Binding a group (acl_group) to a profile ? (2019-07-18 09:11 by intika #83259)

> Then, I think that CaitSith ( https://caitsith.osdn.jp/ ) fits better.

Wow yaaay an other cool tool... i read the presentation and the documentation it's a great different way of viewing things compared to tomoyo but to be honest i am in love with tomoyo since i met that peace of software 6 years ago or something... plus i kind a get an expertise using it... i might add caitsith on top of tomoyo later on, or use it on a specific environment.

kumaneko. thank you a lot for you devotion, for what you are bringing to the linux community and for you accessibility it's amazing to be able to communicate with you that easily.

i may help for dev. later on when i finish some ongoing project. ;)
回覆: #83258

回覆 #83259×

You can not use Wiki syntax
You are not logged in. To discriminate your posts from the rest, you need to pick a nickname. (The uniqueness of nickname is not reserved. It is possible that someone else could use the exactly same nickname. If you want assurance of your identity, you are recommended to login before posting.) 登入