[tomoyo-dev-en 45] Re: Access Logs


Tetsuo Handa from-****@I-lov*****
Sat Dec 18 23:39:43 JST 2010


Jamie Nguyen wrote:
> Yes, something like rewrite seems better.

OK. I renamed it. (Revision 4209)

# Files on proc filesystem.
path_pattern proc:/self/task/\$/fdinfo/\$
rewrite
path_pattern proc:/self/task/\$/fd/\$
rewrite
head_pattern proc:/self/task/\$/
rewrite
path_pattern proc:/self/fdinfo/\$
rewrite
path_pattern proc:/self/fd/\$
rewrite
head_pattern proc:/self/
rewrite
path_pattern proc:/\$/task/\$/fdinfo/\$
rewrite
path_pattern proc:/\$/task/\$/fd/\$
rewrite
head_pattern proc:/\$/task/\$/
rewrite
path_pattern proc:/\$/fdinfo/\$
rewrite
path_pattern proc:/\$/fd/\$
rewrite
head_pattern proc:/\$/
rewrite

It became clearer that 'rewrite' is the last line of a chunk (like 'destination'
is the last line of a chunk for ccs-auditd) and other lines are interpreted as
preconditions.

ccs-patternize requires both one of '{path,head,tail,number,address}_pattern'
line and 'rewrite' line as mandatory whereas ccs-auditd requires only
'destination' line as mandatory. I wrote

  The last line of a chunk is something like "commit" instruction of a SQL
  transaction. Since the evaluation rule is to stop at first chunk which reached
  the last line of that chunk, I think that the last line of the chunk should be
  atomic.
  
  Specifying both 'old_pattern' and 'new_pattern_if_matched_old_pattern' in the
  last line can save total number of lines, but the last line being not atomic
  may not be instinctive.

but I should reconsider it because somebody would wonder why
'{path,head,tail,number,address}_pattern' line can't take the place of
'rewrite' line. This is because current evaluation rule is ambiguous since
it does not say

  whether evaluation continues from next chunk or not if rewrite operation was
  not done in the last line of current chunk

. Surely ccs-patternize should continue evaluation from next chunk if rewrite
operation was not done in the last line of current chunk. Otherwise, only

  rewrite head_pattern proc:/\$/ proc:/\$/

will be evaluated when

  rewrite head_pattern proc:/\$/ proc:/\$/
  rewrite path_pattern /etc/mtab~\$ /etc/mtab~\$

are specified. If we clearly define evaluation rule as

  evaluation stops at first chunk where rewrite operation took place

and specify both 'old_pattern' and 'new_pattern' in the 'rewrite' line,
it will be natural to remain 'rewrite' line as conditional.
In that case (of course, we can allow users to omit 'new_pattern'
if 'old_pattern' is reused as 'new_pattern') syntax will look like

  rewrite head_pattern proc:/\$/
  rewrite path_pattern proc:/\$/\* @proc_pid_files
  rewrite path_pattern proc:/\$/\{\*\}/\* @proc_pid_files

.

By the way, since we introduced /etc/ccs/tools/ directory for storing
configuration for ccs-tools package, I think it is good opportunity to change
pathnames for policy files.

Current structure:

  /etc/ccs/ is used by TOMOYO Linux 1.x and AKARI. Within the directory...

    domain_policy.YY-MM-DD.hh:mm:ss.conf contains data for /proc/ccs/domain_policy .
    domain_policy.conf is a symlink to domain_policy.YY-MM-DD.hh:mm:ss.conf .
    exception_policy.YY-MM-DD.hh:mm:ss.conf contains data for /proc/ccs/exception_policy .
    exception_policy.conf is a symlink to exception_policy.YY-MM-DD.hh:mm:ss.conf .
    profile.conf contains data for /proc/ccs/profile .
    manager.conf contains data for /proc/ccs/manager .
    meminfo.conf contains data for /proc/ccs/meminfo .
    ccs-load-module is used for loading ccsecurity.ko or akari.ko .
    ccs-post-init is used for doing pre /sbin/init initialization.

Currently, ccs-savepolicy saves domain policy and exception policy with
timestamp embedded into their filenames. This allows users to back up policy
files for all generations.
But we need to update both /etc/ccs/domain_policy.conf and
/etc/ccs/exception_policy.conf in order to use backups.
Also, it would be better to back up profile.conf and manager.conf because
manager.conf is related to domain_policy.conf and domain_policy.conf refers
to profile.conf .

Proposed structure:

  /etc/ccs/ is used by TOMOYO Linux 1.x and AKARI. Within the directory...

    domain_policy.conf is a symlink to policy/current/domain_policy.conf .
    exception_policy.conf is a symlink to policy/current/exception_policy.conf .
    profile.conf is a symlink to policy/current/profile.conf .
    manager.conf is a symlink to policy/current/manager.conf .
    meminfo.conf contains data for /proc/ccs/meminfo .
    ccs-load-module is used for loading ccsecurity.ko or akari.ko .
    ccs-post-init is used for doing pre /sbin/init initialization.

    tools/ is for storing ccs-tools configuration.

    policy/ is for storing policy configuration. Within the directory...

      YY-MM-DD.hh:mm:ss/ is for storing domain_policy.conf exception_policy.conf manager.conf profile.conf .

      current is a symlink to YY-MM-DD.hh:mm:ss/ , created by ccs-savepolicy .

      previous is a symlink to YY-MM-DD.hh:mm:ss/ , created by renaming from current when current is created.

With this change, ccs-savepolicy will always save all of domain_policy.conf ,
exception_policy.conf , manager.conf and profile.conf whereas it currently saves
by default only domain_policy.conf and exception_policy.conf .



Regards.
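The evaluation rule discussed above (stop at the first chunk where a rewrite took place, otherwise continue with the next chunk) is easy to get wrong, so here is an added, stand-alone Python model of it. This is not ccs-patternize or any code from the project: it parses a hypothetical rule set in the proposed 'rewrite {path,head}_pattern old [new]' syntax, translates the three wildcards \$, \* and \{\*\}/ to regular expressions under the assumed meanings "one or more digits", "zero or more non-slash characters" and "one or more repetitions of \*/", and rewrites constructed sample log tokens. The `stop_when` switch lets you compare the two readings of the rule: with the ambiguous "stop when the last line of a chunk was reached" reading, only the first chunk is ever consulted, which is exactly the problem described for the proc:/\$/ and /etc/mtab~\$ rules.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed rule file in the proposed syntax (not from the project).
# Each line is one chunk whose only line is the 'rewrite' line;
# 'new' may be omitted, in which case 'old' is reused.
RULE_TEXT = r"""
# constructed rule file
rewrite path_pattern /etc/mtab~\$
rewrite path_pattern proc:/\$/fd/\$ @proc_fd_files
rewrite head_pattern proc:/\$/
rewrite path_pattern /tmp/\{\*\}/\* /tmp/\{\*\}/\*
"""


def pattern_to_regex(pattern: str) -> str:
    r"""Translate a TOMOYO-style pattern into a Python regex.

    Assumed wildcard semantics: \$ = one or more decimal digits,
    \* = zero or more characters other than '/', and
    \{\*\}/ = one or more repetitions of '\*/'. Anything else is literal.
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith(r"\{\*\}/", i):
            out.append(r"(?:[^/]*/)+")
            i += len(r"\{\*\}/")
        elif pattern.startswith(r"\$", i):
            out.append(r"[0-9]+")
            i += 2
        elif pattern.startswith(r"\*", i):
            out.append(r"[^/]*")
            i += 2
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "".join(out)


@dataclass
class Rule:
    kind: str          # "path" (whole pathname) or "head" (prefix only)
    old: str           # pattern that must match
    new: str           # replacement text (itself a pattern string)
    regex: re.Pattern  # compiled form of 'old'


def parse_rules(text: str) -> List[Rule]:
    """Parse 'rewrite {path,head}_pattern old [new]' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "rewrite":
            raise ValueError(f"cannot parse rule: {line!r}")
        kind = tokens[1]
        if kind not in ("path_pattern", "head_pattern"):
            raise ValueError(f"unsupported pattern type: {kind}")
        old = tokens[2]
        new = tokens[3] if len(tokens) > 3 else old
        rules.append(Rule(kind[:4], old, new, re.compile(pattern_to_regex(old))))
    return rules


def apply_rule(rule: Rule, path: str) -> Optional[str]:
    """Return the rewritten path, or None if the rule's old pattern did not match."""
    if rule.kind == "path":
        return rule.new if rule.regex.fullmatch(path) else None
    m = rule.regex.match(path)  # anchored at the start: the head only
    return rule.new + path[m.end():] if m else None


def patternize(path: str, rules: List[Rule], stop_when: str = "rewritten") -> str:
    """Evaluate chunks in order.

    stop_when="rewritten": stop at the first chunk where a rewrite took
    place; chunks that do not match are skipped.
    stop_when="last_line_reached": stop at the first chunk whose last line
    was reached, whether or not it rewrote anything. With single-line
    chunks this means only the first chunk is ever consulted.
    """
    for rule in rules:
        result = apply_rule(rule, path)
        if result is not None:
            return result
        if stop_when == "last_line_reached":
            break
    return path


def patternize_line(line: str, rules: List[Rule]) -> str:
    """Rewrite every whitespace-separated token of an access-log line."""
    return " ".join(patternize(tok, rules) for tok in line.split())


RULES = parse_rules(RULE_TEXT)

if __name__ == "__main__":
    # constructed sample log lines
    for line in ["file read /etc/mtab~1234",
                 "file read proc:/5678/fd/3",
                 "file read proc:/5678/status",
                 "file write /tmp/a/b/c.txt",
                 "file execute /usr/bin/ls"]:
        print(line, "->", patternize_line(line, RULES))
```

Running the script rewrites "proc:/5678/status" to "proc:/\$/status" because the two path_pattern chunks before the head_pattern chunk do not match and are skipped; passing `stop_when="last_line_reached"` leaves that same token untouched, since evaluation stops after the first chunk even though nothing was rewritten.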



