Tetsuo Handa
from-****@I-lov*****
Fri Apr 29 21:54:12 JST 2011
(Adding Olivier to To: in case he has not yet noticed this thread.)

Specification as of revision 4955 is shown below.

(1) Loosen the "<kernel>" prefix in domainnames to accept the "<$namespace>" format, where $namespace is an arbitrary word (e.g. apache or /usr/sbin/httpd ). $namespace == kernel is reserved for the built-in namespace.

Namespaces do not have a parent-child relationship, whereas domains in each namespace have a parent-child relationship. Each domain belongs to one namespace, and the namespace for the domain is equal to the first word of the domainname (e.g. the "<kernel> /sbin/init" domain belongs to the "<kernel>" namespace, the "<apache> /bin/mail" domain belongs to the "<apache>" namespace). Any process can jump to a different namespace's root domain if permitted by the policy for the namespace to which the domain the process belongs to belongs.

(2) Add the /proc/ccs/namespace interface that defines the list of namespaces.

  # echo '<apache>' | ccs-loadpolicy -n
  # cat /proc/ccs/namespace
  <kernel>
  <apache>

As with /proc/ccs/profile , entries once added to /proc/ccs/namespace cannot be removed. This is for simplification by omitting a refcounter.

(3) Allow switching namespace by writing a "namespace <$namespace>" line to the /proc/ccs/domain_policy , /proc/ccs/exception_policy , /proc/ccs/.domain_status , /proc/ccs/profile and /proc/ccs/manager interfaces.

By having a set of policy files (i.e. domain policy, exception policy, profile and manager) for each namespace, it will become easier to use TOMOYO like SELinux/AppArmor, because they can be developed/added/removed without worrying about conflicts with other namespaces (except that directives for jumping to that namespace need to be added to other namespaces' policy files, as with adding a LoadModule directive to Apache's configuration file in order to load an Apache module).

By default, the process can access only the namespace the process belonged to as of when these interfaces were opened. By writing a "namespace <$namespace>" line to these interfaces after opening them, the process can thereafter access only the <$namespace> namespace.

/proc/ccs/query , /proc/ccs/audit , /proc/ccs/.process_status , /proc/ccs/stat , /proc/ccs/version , /proc/ccs/.execute_handler and /proc/ccs/self_domain ignore the "namespace <$namespace>" line.

(4) Namespace transition takes place like domain transition (i.e. one of: upon successful execve(), upon writing to the /proc/ccs/self_domain interface, or when conditions are met). But namespace transition, when it takes place, can transit to the root of that namespace. For example, jumping to the "<apache> /bin/mail" domain from the "<kernel> /usr/sbin/sshd" domain is not permitted. This is for not inheriting the "use_profile" and "use_group" parameters of the previous namespace. By requiring the root domain of a namespace and a profile for the root domain of the namespace upon creating the namespace, "use_profile" and "use_group" won't be inherited by error from the previous namespace.

To distinguish jumping to a child of the current namespace's root domain from jumping to a different namespace's root domain, "move_namespace" and "no_move_namespace" directives are added to /proc/ccs/exception_policy . "move_namespace" might replace "initialize_domain".

What do you think?

Please note that userland tools are temporarily broken because they are not ready for splitting policy files into each namespace.
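The domainname and namespace-transition rules described in the specification above, modelled as a small added example (not TOMOYO's own code): an append-only namespace table standing in for /proc/ccs/namespace, a domainname parser that takes the first word as the namespace, and a check that a cross-namespace jump only ever lands on the target namespace's root domain. The allowed character set for the namespace word is an assumption.

```python
import re

# Assumed character set for the namespace word; the spec only says "an arbitrary
# word" (e.g. apache or /usr/sbin/httpd), so '/' must be permitted.
NS_WORD = r'[A-Za-z0-9_./-]+'
NS_LINE_RE = re.compile(r'^<(%s)>$' % NS_WORD)
DOMAIN_RE = re.compile(r'^<(%s)>((?: /\S+)*)$' % NS_WORD)


class NamespaceTable:
    """Model of /proc/ccs/namespace: <kernel> is built in, entries are never removed."""

    def __init__(self):
        self.names = ["kernel"]

    def add(self, line):
        """Accept one '<$namespace>' line as written through ccs-loadpolicy -n."""
        m = NS_LINE_RE.match(line.strip())
        if not m:
            raise ValueError("malformed namespace line: %r" % line)
        ns = m.group(1)
        if ns not in self.names:          # adding twice is harmless, removal impossible
            self.names.append(ns)
        return ns

    def __contains__(self, ns):
        return ns in self.names


def parse_domain(name):
    """Split a domainname into (namespace, program path list); raise on bad syntax."""
    m = DOMAIN_RE.match(name)
    if not m:
        raise ValueError("malformed domainname: %r" % name)
    return m.group(1), m.group(2).split()


def transition_allowed(src, dst, table):
    """Namespace-transition rule: a jump that changes namespace must target the
    root domain of a registered namespace; same-namespace jumps are left to the
    ordinary domain-transition rules (reported as allowed here)."""
    src_ns, _ = parse_domain(src)
    dst_ns, dst_parts = parse_domain(dst)
    if dst_ns not in table:
        return False                      # namespace never registered
    if src_ns == dst_ns:
        return True
    return dst_parts == []                # cross-namespace: root domain only
```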