Re: [TOMOYO 14/15] Conditional permission support.

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

To: <pavel@...>

Cc: <linux-kernel@...>, <linux-security-module@...>, <chrisw@...>

Subject: Re: [TOMOYO 14/15] Conditional permission support.

Date: Saturday, August 25, 2007 - 10:13 pm

Hello.

Pavel Machek wrote:
quoted text> What is that? Language parser in kernel?

Yes. This is a policy parser in kernel.

TOMOYO Linux' policy is passed from/to the kernel as a plain text
(i.e. ASCII printable) file via /proc/tomoyo interface.

For example, to add a permission to allow /usr/sbin/sshd
to execute /bin/bash if the authenticated user's uid = 500,
the administrator runs

# /bin/cat > /proc/tomoyo/domain_policy << EOF
select <kernel> /usr/sbin/sshd
1 /bin/bash if task.uid=500
EOF

and to remove this permission, the administrator runs

# /bin/cat > /proc/tomoyo/domain_policy << EOF
select <kernel> /usr/sbin/sshd
delete 1 /bin/bash if task.uid=500
EOF

The patch [TOMOYO 14/15] handles "if task.uid=500" part.

No compilation at userspace and
only difference between old and new policy is written.
This is similar to LDAP manipulation using LDIF format.

(To be exact, only programs that are registered in
/proc/tomoyo/manager can modify policy via /proc/tomoyo interface.
You need to use /usr/lib/ccs/loadpolicy or something
instead of /bin/cat .)
-
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

[TOMOYO 00/15] TOMOYO Linux - MAC based on process invocatio..., Kentaro Takeda, (Fri Aug 24, 8:41 am)

[TOMOYO 15/15] LSM expansion for TOMOYO Linux., Kentaro Takeda, (Fri Aug 24, 8:58 am)

Re: [TOMOYO 15/15] LSM expansion for TOMOYO Linux., Paul Moore, (Mon Aug 27, 10:49 am)

Re: [TOMOYO 15/15] LSM expansion for TOMOYO Linux., Tetsuo Handa, (Tue Aug 28, 6:39 am)

Re: [TOMOYO 15/15] LSM expansion for TOMOYO Linux., Paul Moore, (Tue Aug 28, 9:21 am)

Re: [TOMOYO 15/15] LSM expansion for TOMOYO Linux., Tetsuo Handa, (Mon Sep 3, 9:15 am)

Re: [TOMOYO 15/15] LSM expansion for TOMOYO Linux., Paul Moore, (Tue Sep 4, 7:53 am)

Re: [TOMOYO 15/15] LSM expansion for TOMOYO Linux., Tetsuo Handa, (Tue Sep 4, 10:02 am)

Re: [TOMOYO 15/15] LSM expansion for TOMOYO Linux., Paul Moore, (Wed Sep 5, 10:06 am)

Re: [TOMOYO 15/15] LSM expansion for TOMOYO Linux., Tetsuo Handa, (Thu Sep 6, 9:04 am)

Re: [TOMOYO 15/15] LSM expansion for TOMOYO Linux., Paul Moore, (Thu Sep 6, 11:25 am)

Re: [TOMOYO 15/15] LSM expansion for TOMOYO Linux., Kyle Moffett, (Tue Sep 4, 10:13 am)

[TOMOYO 14/15] Conditional permission support., Kentaro Takeda, (Fri Aug 24, 8:57 am)

Re: [TOMOYO 14/15] Conditional permission support., Pavel Machek, (Sat Aug 25, 7:08 am)

Re: [TOMOYO 14/15] Conditional permission support., Tetsuo Handa, (Sat Aug 25, 10:13 pm)

Re: [TOMOYO 14/15] Conditional permission support., Kyle Moffett, (Mon Aug 27, 8:11 am)

Re: [TOMOYO 14/15] Conditional permission support., Tetsuo Handa, (Tue Aug 28, 9:00 am)

Re: [TOMOYO 14/15] Conditional permission support., Toshiharu Harada, (Sat Aug 25, 6:46 pm)

[TOMOYO 13/15] LSM adapter for TOMOYO., Kentaro Takeda, (Fri Aug 24, 8:56 am)

[TOMOYO 12/15] Signal transmission control functions., Kentaro Takeda, (Fri Aug 24, 8:56 am)

[TOMOYO 11/15] Namespace manipulation control functions., Kentaro Takeda, (Fri Aug 24, 8:55 am)

[TOMOYO 10/15] Networking access control functions., Kentaro Takeda, (Fri Aug 24, 8:54 am)

[TOMOYO 09/15] Argv[0] access control functions., Kentaro Takeda, (Fri Aug 24, 8:53 am)

[TOMOYO 08/15] File access control functions., Kentaro Takeda, (Fri Aug 24, 8:53 am)

[TOMOYO 07/15] Auditing interface., Kentaro Takeda, (Fri Aug 24, 8:52 am)

[TOMOYO 06/15] Domain transition handler functions., Kentaro Takeda, (Fri Aug 24, 8:50 am)

[TOMOYO 05/15] Utility functions and /proc interface for pol..., Kentaro Takeda, (Fri Aug 24, 8:49 am)

[TOMOYO 04/15] Memory and pathname management functions., Kentaro Takeda, (Fri Aug 24, 8:48 am)

[TOMOYO 03/15] Data structures and prototypes definition., Kentaro Takeda, (Fri Aug 24, 8:46 am)

[TOMOYO 02/15] Kconfig and Makefile for TOMOYO Linux., Kentaro Takeda, (Fri Aug 24, 8:45 am)

Re: [TOMOYO 02/15] Kconfig and Makefile for TOMOYO Linux., Jiri Kosina, (Fri Aug 24, 8:50 am)

[TOMOYO 01/15] Allow use of namespace_sem from LSM module., Kentaro Takeda, (Fri Aug 24, 8:44 am)


linux-kernel:
Srivatsa Vaddagiri	Re: [PATCH, RFC] reimplement flush_workqueue()
Greg KH	[GIT PATCH] driver core patches against 2.6.24
debian developer	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
Rafael J. Wysocki	2.6.26-rc7-git2: Reported regressions from 2.6.25
linux-netdev:
Alexey Dobriyan	Re: [GIT]: Networking
Gerrit Renker	[PATCH 27/37] dccp: Integration of dynamic feature activation - part 2 (server side)
David Miller	Re: [PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
Ilpo Järvinen	Re: [bug] stuck localhost TCP connections, v2.6.26-rc3+
git:

openbsd-misc:

Re: [TOMOYO 14/15] Conditional permission support.

Online users