Tetsuo Handa
from-****@I-lov*****
Sat Dec 18 23:39:43 JST 2010
Jamie Nguyen wrote:
> Yes, something like rewrite seems better.

OK. I renamed it. (Revision 4209)

# Files on proc filesystem.
path_pattern proc:/self/task/\$/fdinfo/\$
rewrite
path_pattern proc:/self/task/\$/fd/\$
rewrite
head_pattern proc:/self/task/\$/
rewrite
path_pattern proc:/self/fdinfo/\$
rewrite
path_pattern proc:/self/fd/\$
rewrite
head_pattern proc:/self/
rewrite
path_pattern proc:/\$/task/\$/fdinfo/\$
rewrite
path_pattern proc:/\$/task/\$/fd/\$
rewrite
head_pattern proc:/\$/task/\$/
rewrite
path_pattern proc:/\$/fdinfo/\$
rewrite
path_pattern proc:/\$/fd/\$
rewrite
head_pattern proc:/\$/
rewrite

It became clearer that 'rewrite' is the last line of a chunk (like 'destination' is the last line of a chunk for ccs-auditd) and other lines are interpreted as preconditions. ccs-patternize requires both one of '{path,head,tail,number,address}_pattern' line and 'rewrite' line as mandatory whereas ccs-auditd requires only 'destination' line as mandatory.

I wrote

> The last line of a chunk is something like "commit" instruction of a SQL transaction. Since the evaluation rule is to stop at first chunk which reached the last line of that chunk, I think that the last line of the chunk should be atomic. Specifying both 'old_pattern' and 'new_pattern_if_matched_old_pattern' in the last line can save total number of lines, but the last line being not atomic may not be instinctive.

but I should reconsider it because somebody would wonder why '{path,head,tail,number,address}_pattern' line can't take the place of 'rewrite' line. This is because the current evaluation rule is ambiguous since it does not say whether evaluation continues from the next chunk or not if the rewrite operation was not done in the last line of the current chunk. Surely ccs-patternize should continue evaluation from the next chunk if the rewrite operation was not done in the last line of the current chunk.

Otherwise, only

rewrite head_pattern proc:/\$/ proc:/\$/

will be evaluated when

rewrite head_pattern proc:/\$/ proc:/\$/
rewrite path_pattern /etc/mtab~\$ /etc/mtab~\$

are specified.

If we clearly define the evaluation rule as "evaluation stops at the first chunk where a rewrite operation took place" and specify both 'old_pattern' and 'new_pattern' in the 'rewrite' line, it will be natural to keep the 'rewrite' line as conditional. In that case (of course, we can allow users to omit 'new_pattern' if 'old_pattern' is reused as 'new_pattern') the syntax will look like:

rewrite head_pattern proc:/\$/
rewrite path_pattern proc:/\$/\* @proc_pid_files
rewrite path_pattern proc:/\$/\{\*\}/\* @proc_pid_files

By the way, since we introduced the /etc/ccs/tools/ directory for storing configuration for the ccs-tools package, I think it is a good opportunity to change pathnames for policy files.

Current structure:

/etc/ccs/ is used by TOMOYO Linux 1.x and AKARI. Within the directory...
  domain_policy.YY-MM-DD.hh:mm:ss.conf contains data for /proc/ccs/domain_policy .
  domain_policy.conf is a symlink to domain_policy.YY-MM-DD.hh:mm:ss.conf .
  exception_policy.YY-MM-DD.hh:mm:ss.conf contains data for /proc/ccs/exception_policy .
  exception_policy.conf is a symlink to exception_policy.YY-MM-DD.hh:mm:ss.conf .
  profile.conf contains data for /proc/ccs/profile .
  manager.conf contains data for /proc/ccs/manager .
  meminfo.conf contains data for /proc/ccs/meminfo .
  ccs-load-module is used for loading ccsecurity.ko or akari.ko .
  ccs-post-init is used for doing pre /sbin/init initialization.

Currently, ccs-savepolicy saves domain policy and exception policy with a timestamp embedded into their filenames. This allows users to back up policy files for all generations. But we need to update both /etc/ccs/domain_policy.conf and /etc/ccs/exception_policy.conf in order to use backups. Also, it would be better to back up profile.conf and manager.conf because manager.conf is related to domain_policy.conf and domain_policy.conf refers to profile.conf .

Proposed structure:

/etc/ccs/ is used by TOMOYO Linux 1.x and AKARI. Within the directory...
  domain_policy.conf is a symlink to policy/current/domain_policy.conf .
  exception_policy.conf is a symlink to policy/current/exception_policy.conf .
  profile.conf is a symlink to policy/current/profile.conf .
  manager.conf is a symlink to policy/current/manager.conf .
  meminfo.conf contains data for /proc/ccs/meminfo .
  ccs-load-module is used for loading ccsecurity.ko or akari.ko .
  ccs-post-init is used for doing pre /sbin/init initialization.
  tools/ is for storing ccs-tools configuration.
  policy/ is for storing policy configuration. Within the directory...
    YY-MM-DD.hh:mm:ss/ is for storing domain_policy.conf exception_policy.conf manager.conf profile.conf .
    current is a symlink to YY-MM-DD.hh:mm:ss/ , created by ccs-savepolicy .
    previous is a symlink to YY-MM-DD.hh:mm:ss/ , created by renaming from current when current is created.

With this change, ccs-savepolicy will always save all of domain_policy.conf , exception_policy.conf , manager.conf and profile.conf whereas it currently saves by default only domain_policy.conf and exception_policy.conf .

Regards.
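The chunk evaluation rule argued for in the mail above (stop at the first chunk whose 'rewrite' actually matched, otherwise carry on to the next chunk), simulated in Python as an added example that is not ccs-patternize's own code; the 'domain <pattern>' precondition syntax, the sample config and the sample pathnames are constructed assumptions, and the stop_at_chunk_end switch models the ambiguous reading the mail warns about.

```python
import re
# TOMOYO-style pattern to regex: \$ = one or more digits, \* = run of non-'/' chars;
# path_pattern must match the whole name, head_pattern only its beginning.
def compile_pattern(pattern, whole):
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("\\$", i):
            out.append("[0-9]+"); i += 2
        elif pattern.startswith("\\*", i):
            out.append("[^/]*"); i += 2
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("^" + "".join(out) + ("$" if whole else ""))

# A 'rewrite' line closes a chunk; the lines before it are that chunk's preconditions.
def parse_chunks(text):
    chunks, cur = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cur.append(line)
        if line.startswith("rewrite "):
            chunks.append(cur); cur = []
    return chunks

# stop_at_chunk_end=True: stop once a chunk's last line is reached, matched or not.
def patternize(config, pathname, domain="<kernel>", stop_at_chunk_end=False):
    for chunk in parse_chunks(config):
        *preconditions, last = chunk
        # 'domain <pattern>' is a hypothetical precondition syntax assumed here.
        if any(not compile_pattern(p.split(" ", 1)[1], True).match(domain)
               for p in preconditions if p.startswith("domain ")):
            continue
        _, kind, old, *rest = last.split()
        new = rest[0] if rest else old  # omitted new_pattern reuses old_pattern
        m = compile_pattern(old, kind == "path_pattern").match(pathname)
        if m:
            return new + pathname[m.end():]  # head_pattern keeps the unmatched tail
        if stop_at_chunk_end:
            return pathname
    return pathname

# Constructed sample config in the syntax proposed in the mail.
SAMPLE_CONFIG = r"""
# Files on proc filesystem.
rewrite path_pattern proc:/\$/fd/\$
rewrite head_pattern proc:/\$/
rewrite path_pattern /etc/mtab~\$ /etc/mtab~\$
domain <kernel> /usr/sbin/\*
rewrite path_pattern /var/log/\* /var/log/\*
"""
```

With the default rule "/etc/mtab~1234" reaches the third chunk and becomes "/etc/mtab~\$"; with stop_at_chunk_end=True it is returned unchanged because the first chunk's last line was already reached.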