[tomoyo-users-en 332] About supporting policy namespace.

Tetsuo Handa from-****@I-lov*****
Sun May 8 23:11:02 JST 2011


On the tomoyo-dev-en ML, a discussion about supporting policy namespaces is in
progress.

http://sourceforge.jp/projects/tomoyo/lists/archive/dev-en/2011-May/thread.html

Currently, TOMOYO's policy does not support namespaces. This is not convenient
when using TOMOYO in environments that use pivot_root() (e.g. LXC containers)
because the pathnames of daemon programs executed inside the containers are
identical to those outside the containers, and thereby domain transition
control directives are applied in a way the administrator did not wish.
An environment which was created using pivot_root() is almost an independent
standalone system, and should be treated separately. Therefore, I'm thinking
about the possibility of supporting namespaces for TOMOYO's policy.

As of [tomoyo-dev-en 221], the direction is

(1) Extend domainname to accept a <$namespace> prefix (e.g. <apache>) in addition
    to the conventional <kernel> prefix, and use the prefix as the name of the
    namespace.

(2) Let each namespace use its own
    /proc/ccs/{domain_policy,exception_policy,profile}
    in order to avoid interference across namespaces.

(3) Add "namespace <$namespace>" prefix to each line in
    /proc/ccs/{exception_policy,profile} for specifying namespaces.

I would like to hear opinions on this.
Feel free to post comments to tomoyo-dev-en ML.
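
Added example, not part of the original post and not TOMOYO code: a simplified Python model of why a namespace prefix keeps an identically named daemon inside a container out of the host's domain. The sample policy lines, the lxc-start path, and the assumption that the container's init already runs in <apache> are constructed; the "namespace <$namespace>" line form follows items (1) to (3) above.

```python
import re
from collections import defaultdict

# Constructed sample in the line form of item (3): "namespace <$namespace> ..."
# followed by an existing exception_policy directive (initialize_domain).
SAMPLE_EXCEPTION_POLICY = """\
namespace <kernel> initialize_domain /usr/sbin/httpd from any
namespace <apache> initialize_domain /usr/sbin/httpd from any
"""

LINE_RE = re.compile(r"^namespace (<[^<>\s]+>) (\S.*)$")


def split_by_namespace(text):
    """Group policy lines by namespace so each one gets its own table (item 2)."""
    tables = defaultdict(list)
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"line {number}: missing 'namespace <name>' prefix")
        tables[match.group(1)].append(match.group(2))
    return dict(tables)


def initializers(directives):
    """Programs named by 'initialize_domain <path> from any' lines."""
    found = set()
    for directive in directives:
        parts = directive.split()
        if parts[:1] == ["initialize_domain"] and parts[2:] == ["from", "any"]:
            found.add(parts[1])
    return found


def domain_after_exec(current_domain, program, tables):
    """Simplified execve() transition; the namespace is the domain's first token."""
    namespace = current_domain.split()[0]
    if program in initializers(tables.get(namespace, [])):
        return f"{namespace} {program}"      # jump to the namespace's own root
    return f"{current_domain} {program}"     # default: append to the history


if __name__ == "__main__":
    tables = split_by_namespace(SAMPLE_EXCEPTION_POLICY)
    for start in ("<kernel> /sbin/init",                     # host
                  "<kernel> /usr/bin/lxc-start /sbin/init",  # container, no namespaces
                  "<apache> /sbin/init"):                    # container, own namespace
        print(start, "->", domain_after_exec(start, "/usr/sbin/httpd", tables))
```

The first two starting domains both end in "<kernel> /usr/sbin/httpd", which is the collision described above; only the third, starting in its own namespace, lands in a separate "<apache> /usr/sbin/httpd" domain.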



