[tomoyo-dev-en 267] Re: Reloading rules through /sys

Tetsuo Handa from-****@I-lov*****
Wed Jun 8 05:36:39 JST 2011


Horvath Andras wrote:
> What I'm trying to do is to create rules for an already running
> process, but I'd like to transit it from its original domain to a new
> domain on-the-fly if possible.

Currently there is no way to do so, for the rule is "only current thread can
change the domain where the current thread belongs to". What you want to do
will require breaking the rule.

> Let's say i have a domain like this:
> 
> <kernel> /sbin/init /bin/bash /bin/myprog
> use_profile 0
> 
> I'd like to have a domain like this by formerly specifying
> "initialize_domain /bin/myprog" in exception_policy, then in
> domain_policy:
> 
> <kernel> /bin/myprog
> use_profile 1
> 
> I know that after creating this domain, the process will start in this
> domain if I restart the process. My question is, is there a way to avoid
> to have to restart the process to have my new domain? Is there a
> possibility to transform it from the old domain to the new domain
> on-the-fly?

Currently there is no way to do so.

> Or you think the best solution for this is what you wrote, using the
> PID? Like, I would create rules for that PID while running, and I would
> also create my new domain. So it will have his rules while running, and
> also the new domain after restart.

Yes.

> What I don't see here is, what happens with the PID domain after
> closing the process. Does it get removed?

If the domain for the PID is marked as deleted, the domain will be removed upon
termination of the process (as with a file deleted after open() will become
unreachable when the file is close()d).

> Couldn't I avoid somehow to have to create double rules?

Currently you can't.

> What's the easiest method to apply new rules on a running process
> without restarting it?

select pid=$PID

  or

select global-pid=$PID

. Since the rule is "only current thread can change the domain where the
current thread belongs to", we can't forcibly change other process's domains
(in order to avoid races). But if we can accept the delay (between the moment
a manager process asked a process to transit to and the moment the process
actually transits to), maybe having a command like

  migrate_domain pid=$PID from $old_domainname to $new_domainname
  migrate_domain global-pid=$PID from $old_domainname to $new_domainname

might be possible (but we are bothered by the race problem because $PID process
might be terminated before the process notices the request from the manager
process). Well,

  rename_domain $old_domainname $new_domainname
  rename_domain pid=$PID $new_domainname
  rename_domain global-pid=$PID $new_domainname

would be less difficult to implement because a manager process can do it
without delay/races.
