[tomoyo-dev-en 33] Re: Access Logs


Jamie Nguyen dysco****@gmail*****
Tue Dec 7 22:06:23 JST 2010


Tetsuo Handa wrote:
> Typical replacement commands (e.g. sed) take both old pattern and new pattern.
> But currently {file,head,tail}_pattern does not take old pattern because we
> regard new pattern == old pattern.
>
> I removed file_pattern keyword support from TOMOYO 1.8's kernel in order to
> implement more flexible replacement commands. I think that taking both old
> pattern and new pattern allows use of extended replacement (like sed command's
> reference functionality) if ccs-patternize (in the future) supports extended
> expressions.

Can you give example usage?



> We don't need to change {path,number,address}_group in kernel's policy syntax.
> These {file,head,tail,number,address}_pattern are proposed for ccs-patternize
> in order to unify like "some_keyword new_pattern old_pattern" (or "some_keyword
> old_pattern to new_pattern"). We can propose whatever syntax/keyword.

Yes, perhaps the syntax that sed and other replacement commands use
would be appropriate, using "some_keyword old_pattern new_pattern".

"command  old  new" is the format used by many Linux commands (e.g.
cp, mv, ln, diff and so on). The current situation in exception policy
is "keyword  new  old" and this works well with what is displayed on
screen. For example, "path_group GROUP0 /tmp/\?\?\?" will be displayed
as written. This is contrary to the syntax of other Linux commands, but
changing the syntax to "keyword  old  new" could be confusing, as entering:
  path_group /tmp/\?\?\? GROUP0
would then be displayed in exception policy editor as:
  path_group GROUP0 /tmp/\?\?\?
It might be confusing, but this would provide continuity between
ccs-patternize/exception policy/other Linux command syntax.

The other option is to just keep things as they are for exception
policy syntax and match ccs-patternize syntax to exception policy
syntax "keyword  new  old". The problem is that for exception policy,
"new" before "old" makes more sense (due to the display in exception
policy editor), but for ccs-patternize, "old" before "new" makes more
sense (due to syntax of other similar replacement commands).

My opinion is that syntax should be "keyword  old  new" for both
exception policy and ccs-patternize, but to keep exception policy
editor display as it is, without reordering the fields.



>>> Also, maybe we want domainname matching like ccs-auditd's sorting rule.
>>
>> Do you mean so that patternizing only occurs for specified domain?
>> Current situation is that all matching entries get patternized
>> regardless of domain. If implemented, it could be useful for example
>> in the case that there are several domains wanting to access some
>> resource that you want to block access to, but want to allow a single
>> domain to access this resource. However, policy is reasonably easy to
>> manage by hand using diff and editor so I am not urgently requiring
>> this feature.
>
> I see. Users can use ccs-selectpolicy for picking up only specific domains.

Can you provide example usage for domainname matching that you suggested?


Kind regards
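The "keyword old new" replacement rule discussed above, as an added example that is not ccs-patternize's own code: a small model of a `file_pattern old new` rule applied to access-log lines, with the one-argument form treated as new == old as the thread describes. The `file <op> <path>` log layout and the subset of TOMOYO wildcards modelled (`\?`, `\*`, `\$`) are assumptions.

```python
"""Added example: model of a "file_pattern old new" replacement rule.
Not the project's own code; log format and wildcard subset are assumed."""
import re

# TOMOYO-style wildcard tokens mapped to regex fragments (subset only).
_TOKENS = {
    r"\?": r"[^/]",    # exactly one character other than '/'
    r"\*": r"[^/]*",   # zero or more characters other than '/'
    r"\$": r"[0-9]+",  # one or more decimal digits
    r"\\": r"\\",      # a literal backslash
}


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile a TOMOYO-style path pattern into an anchored regex."""
    out, i = [], 0
    while i < len(pattern):
        tok = pattern[i:i + 2]
        if tok in _TOKENS:
            out.append(_TOKENS[tok])
            i += 2
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_rule(line: str):
    """Parse "file_pattern old new" (proposed order); a single argument
    means new == old, i.e. the current one-argument form."""
    keyword, *args = line.split()
    if keyword != "file_pattern" or not 1 <= len(args) <= 2:
        raise ValueError(f"unsupported rule: {line!r}")
    old = args[0]
    new = args[1] if len(args) == 2 else old
    return pattern_to_regex(old), new


def patternize(rules, log_lines):
    """Rewrite the path field of 'file <op> <path>' lines (assumed
    layout) using the first rule whose old pattern matches the path."""
    compiled = [parse_rule(r) for r in rules]
    result = []
    for line in log_lines:
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "file":
            for regex, new in compiled:
                if regex.match(fields[2]):
                    fields[2] = new
                    break
        result.append(" ".join(fields))
    return result
```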



