[tomoyo-dev-en 115] Re: Updated website

Tetsuo Handa from-****@I-lov*****
Fri Feb 4 11:13:56 JST 2011


Jamie Nguyen wrote:
> I am working on the (mammoth sized) policy specification at the
> moment.

Thank you.

>         I just wanted to clarify a couple of things. What do you mean
> exactly by canonicalized pathname?

Oops, I didn't notice that I deleted the definition when rewriting
tags/htdocs/en/1.6.x/policy-reference.html .
The definition is in tags/htdocs/en/1.6.x/old-policy-reference.html .

"canonicalized pathname" means an absolute pathname seen from the root of the
process's namespace (rather than an absolute pathname seen from the root of the
process's root directory). For example,

  touch /var/chroot/file
  chroot /var/chroot/ cat /file

"file create /var/chroot/file 0644" is checked by touch and
"file chroot /var/chroot/" is checked by chroot and
"file read /var/chroot/file" is checked by cat.

Also, "canonicalized pathname" does not contain /../ nor // nor /./ nor
symbolic links. ("file symlink /path/to/symlink" is the exception.)

However, since TOMOYO 1.8 introduced $fsname:/path/to/file notation (e.g.
proc:/meminfo rather than /proc/meminfo), "canonicalized pathname" may not
start with '/'.

"canonicalized directory" is a "canonicalized pathname" that ends with '/'.

>                                    And can you give example usage of
> "file pivot_root"?

Users are unlikely to see "file pivot_root" lines because pivot_root() is called only
once, for switching the root directory from initrd/initramfs to hdd (that is, before
TOMOYO is activated by executing /sbin/init ).
An example is in trunk/1.8.x/ccs-tools/ccstools/kernel_test/ccs_filesystem_test.c .

  file pivot_root proc:/ proc:/ccs/

will grant

  pivot_root("/proc/", "/proc/ccs/");

.

Regards.
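
The following is an added example, not part of the original message and not TOMOYO code: a small Python model of the canonicalization described above, showing why a process chrooted to /var/chroot/ that opens /file is checked against /var/chroot/file. The names canonicalize, policy_line and SAMPLE_SYMLINKS, the follow_last switch and the symlink table are assumptions made for illustration; the $fsname: notation is not modeled.

```python
from collections import deque

# Constructed sample: one symlink, keyed by its namespace-absolute path.
# An absolute target is interpreted from the calling process's root directory.
SAMPLE_SYMLINKS = {"/var/chroot/link": "/file"}

def canonicalize(path, root="/", symlinks=None, is_dir=False, follow_last=True):
    """Model: map an absolute `path`, as used by a process whose root directory
    is `root`, to the pathname seen from the root of the namespace."""
    symlinks = symlinks or {}
    root_parts = [p for p in root.split("/") if p]
    cur = list(root_parts)             # absolute paths start at the process root
    pending = deque(path.split("/"))
    hops = 0
    while pending:
        part = pending.popleft()
        if part in ("", "."):          # drops "//" and "/./"
            continue
        if part == "..":               # drops "/../"; cannot climb above the process root
            if len(cur) > len(root_parts):
                cur.pop()
            continue
        cur.append(part)
        target = symlinks.get("/" + "/".join(cur))
        more = any(p not in ("", ".") for p in pending)
        # follow_last=False models "file symlink", where the link itself is named
        if target is not None and (follow_last or more):
            hops += 1
            if hops > 40:
                raise OSError("too many levels of symbolic links")
            cur.pop()                  # replace the link by its target
            if target.startswith("/"):
                cur = list(root_parts)
            pending.extendleft(reversed(target.split("/")))
    result = "/" + "/".join(cur)
    if is_dir and not result.endswith("/"):
        result += "/"                  # "canonicalized directory" ends with '/'
    return result

def policy_line(operation, path, **kw):
    """Build the policy line that would be checked for `path` (model only)."""
    return f"{operation} {canonicalize(path, **kw)}"
```
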



