)]}' { "log": [ { "commit": "c3fa109a5894077d1eaf8731ea741a15dd117b3c", "tree": "a3d5f58ea878868b48a1493055e6f2cb6dd3c9de", "parents": [ "5bf1692f65c12a8aa359dc883468284ffc3c4587" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@i-love.sakura.ne.jp", "time": "Mon Jun 08 12:37:39 2009 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Jun 09 09:30:24 2009 +1000" }, "message": "TOMOYO: Add description of lists and structures.\n\nThis patch adds some descriptions of lists and structures.\nThis patch contains no code changes.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5bf1692f65c12a8aa359dc883468284ffc3c4587", "tree": "bab96097b51791985d6361b6bdfaf0280b0fc995", "parents": [ "0b4ec6e4e01d98e55ae325a41304cccd87fa4c0f" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@i-love.sakura.ne.jp", "time": "Fri Jun 05 14:44:58 2009 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Jun 09 09:30:21 2009 +1000" }, "message": "TOMOYO: Remove unused field.\n\nTOMOYO 2.2.0 is not using total_len field of \"struct tomoyo_path_info\".\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "7d2948b1248109dbc7f4aaf9867c54b1912d494c", "tree": "24edc8fa319598bc32b7d53c7b61fb3ec9ae9e92", "parents": [ "ab588ccadc80f6ef5495e83e176e88c5c0fc2d0e" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Tue Jun 02 20:42:24 2009 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jun 03 07:51:51 2009 +1000" }, "message": "TOMOYO: Simplify policy reader.\n\nWe can directly assign the result of tomoyo_io_printf() to done flag.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ab588ccadc80f6ef5495e83e176e88c5c0fc2d0e", "tree": "ffb995eba759218fd07795f00a1303518621c119", "parents": [ "850b0cee165576f969363a8c52021b5cf9ecbe67" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@i-love.sakura.ne.jp", "time": "Tue Jun 02 14:23:39 2009 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jun 03 07:50:06 2009 +1000" }, "message": "TOMOYO: Remove redundant markers.\n\nRemove \u0027/***** START/STOP *****/\u0027 markers.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "e24977d45f45d1675e050dc1a0aaf4bfc4ca9866", "tree": "ee39b590596e9ca6cd18b8ece11a1f6d24278c29", "parents": [ "6b3304b531704711286c3359b06922b83fdba015" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Thu Apr 02 21:17:03 2009 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sat May 09 10:49:42 2009 -0400" }, "message": "Reduce path_lookup() abuses\n\n... use kern_path() where possible\n\n[folded a fix from rdd]\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "39826a1e17c1957bd7b5cd7815b83940e5e3a230", "tree": "c1452c0293b7f2f4bce2c36d3b5aea8e4020ff3e", "parents": [ "17a7b7b39056a82c5012539311850f202e6c3cd4" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Wed Apr 08 22:31:28 2009 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Apr 14 09:15:02 2009 +1000" }, "message": "tomoyo: version bump to 2.2.0.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "a0558fc3491c0494feb8472cf6c0119e43fd9484", "tree": "e26a2baaa63c07761686f97cde9aa4aaa527f82f", "parents": [ "d508afb437daee7cf07da085b635c44a4ebf9b38" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Mon Apr 06 20:49:14 2009 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Apr 07 16:08:56 2009 +1000" }, "message": "tomoyo: remove \"undelete domain\" command.\n\nSince TOMOYO\u0027s policy management tools does not use the \"undelete domain\"\ncommand, we decided to remove that command.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "e5a3b95f581da62e2054ef79d3be2d383e9ed664", "tree": "6a55bf40033c92b2c82fa0643c2511dbe7124b32", "parents": [ "33043cbb9fd49a957089f5948fe814764d7abbd6" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Sat Feb 14 11:46:56 2009 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Feb 16 09:01:48 2009 +1100" }, "message": "TOMOYO: Don\u0027t create securityfs entries unless registered.\n\nTOMOYO should not create /sys/kernel/security/tomoyo/ interface unless\nTOMOYO is registered.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "9590837b89aaa4523209ac91c52db5ea0d9142fd", "tree": "0e7e3febb1f6106be0e45c281309078f6c1cd7e6", "parents": [ "c73bd6d473ceb5d643d3afd7e75b7dc2e6918558" ], "author": { "name": "Kentaro Takeda", "email": "takedakn@nttdata.co.jp", "time": "Thu Feb 05 17:18:13 2009 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Feb 12 15:15:04 2009 +1100" }, "message": "Common functions for TOMOYO Linux.\n\nThis file contains common functions (e.g. policy I/O, pattern matching).\n\n-------------------- About pattern matching --------------------\n\nSince TOMOYO Linux is a name based access control, TOMOYO Linux seriously\nconsiders \"safe\" string representation.\n\nTOMOYO Linux\u0027s string manipulation functions make reviewers feel crazy,\nbut there are reasons why TOMOYO Linux needs its own string manipulation\nfunctions.\n\n----- Part 1 : preconditions -----\n\nPeople definitely want to use wild card.\n\n To support pattern matching, we have to support wild card characters.\n\n In a typical Linux system, filenames are likely consists of only alphabets,\n numbers, and some characters (e.g. + - ~ . / ).\n But theoretically, the Linux kernel accepts all characters but NUL character\n (which is used as a terminator of a string).\n\n Some Linux systems can have filenames which contain * ? ** etc.\n\nTherefore, we have to somehow modify string so that we can distinguish\nwild card characters and normal characters.\n\n It might be possible for some application\u0027s configuration files to restrict\n acceptable characters.\n It is impossible for kernel to restrict acceptable characters.\n\n We can\u0027t accept approaches which will cause troubles for applications.\n\n----- Part 2 : commonly used approaches -----\n\nText formatted strings separated by space character (0x20) and new line\ncharacter (0x0A) is more preferable for users over array of NUL-terminated\nstring.\n\n Thus, people use text formatted configuration files separated by space\n character and new line.\n\nWe sometimes need to handle non-printable characters.\n\n Thus, people use \\ character (0x5C) as escape character and represent\n non-printable characters using octal or hexadecimal format.\n\nAt this point, we remind (at least) 3 approaches.\n\n (1) Shell glob style expression\n (2) POSIX regular expression (UNIX style regular expression)\n (3) Maverick wild card expression\n\nOn the surface, (1) and (2) sound good choices. But they have a big pitfall.\nAll meta-characters in (1) and (2) are legal characters for representing\na pathname, and users easily write incorrect expression. What is worse, users\nunlikely notice incorrect expressions because characters used for regular\npathnames unlikely contain meta-characters. This incorrect use of\nmeta-characters in pathname representation reveals vulnerability\n(e.g. unexpected results) only when irregular pathname is specified.\n\nThe authors of TOMOYO Linux think that approaches which adds some character\nfor interpreting meta-characters as normal characters (i.e. (1) and (2)) are\nnot suitable for security use.\n\nTherefore, the authors of TOMOYO Linux propose (3).\n\n----- Part 3: consideration points -----\n\nWe need to solve encoding problem.\n\n A single character can be represented in several ways using encodings.\n\n For Japanese language, there are \"ShiftJIS\", \"ISO-2022-JP\", \"EUC-JP\",\n \"UTF-8\" and more.\n\n Some languages (e.g. Japanese language) supports multi-byte characters\n (where a single character is represented using several bytes).\n\n Some multi-byte characters may match the escape character.\n\n For Japanese language, some characters in \"ShiftJIS\" encoding match\n \\ character, and bothering Web\u0027s CGI developers.\n\n It is important that the kernel string is not bothered by encoding problem.\n\n Linus said, \"I really would expect that kernel strings don\u0027t have\n an encoding. They\u0027re just C strings: a NUL-terminated stream of bytes.\"\n http://lkml.org/lkml/2007/11/6/142\n\n Yes. The kernel strings are just C strings.\n We are talking about how to store and carry \"kernel strings\" safely.\n\n If we store \"kernel string\" into policy file as-is, the \"kernel string\" will\n be interpreted differently depending on application\u0027s encoding settings.\n One application may interpret \"kernel string\" as \"UTF-8\",\n another application may interpret \"kernel string\" as \"ShiftJIS\".\n\n Therefore, we propose to represent strings using ASCII encoding.\n In this way, we are no longer bothered by encoding problems.\n\nWe need to avoid information loss caused by display.\n\n It is difficult to input and display non-printable characters, but we have to\n be able to handle such characters because the kernel string is a C string.\n\n If we use only ASCII printable characters (from 0x21 to 0x7E) and space\n character (0x20) and new line character (0x0A), it is easy to input from\n keyboard and display on all terminals which is running Linux.\n\n Therefore, we propose to represent strings using only characters which value\n is one of \"from 0x21 to 0x7E\", \"0x20\", \"0x0A\".\n\nWe need to consider ease of splitting strings from a line.\n\n If we use an approach which uses \"\\ \" for representing a space character\n within a string, we have to count the string from the beginning to check\n whether this space character is accompanied with \\ character or not.\n As a result, we cannot monotonically split a line using space character.\n\n If we use an approach which uses \"\\040\" for representing a space character\n within a string, we can monotonically split a line using space character.\n\n If we use an approach which uses NUL character as a delimiter, we cannot\n use string manipulation functions for splitting strings from a line.\n\n Therefore, we propose that we represent space character as \"\\040\".\n\nWe need to avoid wrong designations (incorrect use of special characters).\n\n Not all users can understand and utilize POSIX\u0027s regular expressions\n correctly and perfectly.\n\n If a character acts as a wild card by default, the user will get unexpected\n result if that user didn\u0027t know the meaning of that character.\n\n Therefore, we propose that all characters but \\ character act as\n a normal character and let the user add \\ character to make a character\n act as a wild card.\n\n In this way, users needn\u0027t to know all wild card characters beforehand.\n They can learn when they encountered an unseen wild card character\n for their first time.\n\n----- Part 4: supported wild card expressions -----\n\nAt this point, we have wild card expressions listed below.\n\n +-----------+--------------------------------------------------------------+\n | Wild card | Meaning and example |\n +-----------+--------------------------------------------------------------+\n | \\* | More than or equals to 0 character other than \u0027/\u0027. |\n | | /var/log/samba/\\* |\n +-----------+--------------------------------------------------------------+\n | \\@ | More than or equals to 0 character other than \u0027/\u0027 or \u0027.\u0027. |\n | | /var/www/html/\\@.html |\n +-----------+--------------------------------------------------------------+\n | \\? | 1 byte character other than \u0027/\u0027. |\n | | /tmp/mail.\\?\\?\\?\\?\\?\\? |\n +-----------+--------------------------------------------------------------+\n | \\$ | More than or equals to 1 decimal digit. |\n | | /proc/\\$/cmdline |\n +-----------+--------------------------------------------------------------+\n | \\+ | 1 decimal digit. |\n | | /var/tmp/my_work.\\+ |\n +-----------+--------------------------------------------------------------+\n | \\X | More than or equals to 1 hexadecimal digit. |\n | | /var/tmp/my-work.\\X |\n +-----------+--------------------------------------------------------------+\n | \\x | 1 hexadecimal digit. |\n | | /tmp/my-work.\\x |\n +-----------+--------------------------------------------------------------+\n | \\A | More than or equals to 1 alphabet character. |\n | | /var/log/my-work/\\$-\\A-\\$.log |\n +-----------+--------------------------------------------------------------+\n | \\a | 1 alphabet character. |\n | | /home/users/\\a/\\*/public_html/\\*.html |\n +-----------+--------------------------------------------------------------+\n | \\- | Pathname subtraction operator. |\n | | +---------------------+------------------------------------+ |\n | | | Example | Meaning | |\n | | +---------------------+------------------------------------+ |\n | | | /etc/\\* | All files in /etc/ directory. | |\n | | +---------------------+------------------------------------+ |\n | | | /etc/\\*\\-\\*shadow\\* | /etc/\\* other than /etc/\\*shadow\\* | |\n | | +---------------------+------------------------------------+ |\n | | | /\\*\\-proc\\-sys/ | /\\*/ other than /proc/ /sys/ | |\n | | +---------------------+------------------------------------+ |\n +-----------+--------------------------------------------------------------+\n\n +----------------+---------------------------------------------------------+\n | Representation | Meaning and example |\n +----------------+---------------------------------------------------------+\n | \\\\ | backslash character itself. |\n +----------------+---------------------------------------------------------+\n | \\ooo | 1 byte character. |\n | | ooo is 001 \u003c\u003d ooo \u003c\u003d 040 || 177 \u003c\u003d ooo \u003c\u003d 377. |\n | | |\n | | \\040 for space character. |\n | | \\177 for del character. |\n | | |\n +----------------+---------------------------------------------------------+\n\n----- Part 5: Advantages -----\n\nWe can obtain extensibility.\n\n Since our proposed approach adds \\ to a character to interpret as a wild\n card, we can introduce new wild card in future while maintaining backward\n compatibility.\n\nWe can process monotonically.\n\n Since our proposed approach separates strings using a space character,\n we can split strings using existing string manipulation functions.\n\nWe can reliably analyze access logs.\n\n It is guaranteed that a string doesn\u0027t contain space character (0x20) and\n new line character (0x0A).\n\n It is guaranteed that a string won\u0027t be converted by FTP and won\u0027t be damaged\n by a terminal\u0027s settings.\n\n It is guaranteed that a string won\u0027t be affected by encoding converters\n (except encodings which insert NUL character (e.g. UTF-16)).\n\n----- Part 6: conclusion -----\n\nTOMOYO Linux is using its own encoding with reasons described above.\nThere is a disadvantage that we need to introduce a series of new string\nmanipulation functions. But TOMOYO Linux\u0027s encoding is useful for all users\n(including audit and AppArmor) who want to perform pattern matching and\nsafely exchange string information between the kernel and the userspace.\n\n-------------------- About policy interface --------------------\n\nTOMOYO Linux creates the following files on securityfs (normally\nmounted on /sys/kernel/security) as interfaces between kernel and\nuserspace. These files are for TOMOYO Linux management tools *only*,\nnot for general programs.\n\n * profile\n * exception_policy\n * domain_policy\n * manager\n * meminfo\n * self_domain\n * version\n * .domain_status\n * .process_status\n\n** /sys/kernel/security/tomoyo/profile **\n\nThis file is used to read or write profiles.\n\n\"profile\" means a running mode of process. A profile lists up\nfunctions and their modes in \"$number-$variable\u003d$value\" format. The\n$number is profile number between 0 and 255. Each domain is assigned\none profile. To assign profile to domains, use \"ccs-setprofile\" or\n\"ccs-editpolicy\" or \"ccs-loadpolicy\" commands.\n\n(Example)\n[root@tomoyo]# cat /sys/kernel/security/tomoyo/profile\n0-COMMENT\u003d-----Disabled Mode-----\n0-MAC_FOR_FILE\u003ddisabled\n0-MAX_ACCEPT_ENTRY\u003d2048\n0-TOMOYO_VERBOSE\u003ddisabled\n1-COMMENT\u003d-----Learning Mode-----\n1-MAC_FOR_FILE\u003dlearning\n1-MAX_ACCEPT_ENTRY\u003d2048\n1-TOMOYO_VERBOSE\u003ddisabled\n2-COMMENT\u003d-----Permissive Mode-----\n2-MAC_FOR_FILE\u003dpermissive\n2-MAX_ACCEPT_ENTRY\u003d2048\n2-TOMOYO_VERBOSE\u003denabled\n3-COMMENT\u003d-----Enforcing Mode-----\n3-MAC_FOR_FILE\u003denforcing\n3-MAX_ACCEPT_ENTRY\u003d2048\n3-TOMOYO_VERBOSE\u003denabled\n\n- MAC_FOR_FILE:\nSpecifies access control level regarding file access requests.\n- MAX_ACCEPT_ENTRY:\nLimits the max number of ACL entries that are automatically appended\nduring learning mode. Default is 2048.\n- TOMOYO_VERBOSE:\nSpecifies whether to print domain policy violation messages or not.\n\n** /sys/kernel/security/tomoyo/manager **\n\nThis file is used to read or append the list of programs or domains\nthat can write to /sys/kernel/security/tomoyo interface. By default,\nonly processes with both UID \u003d 0 and EUID \u003d 0 can modify policy via\n/sys/kernel/security/tomoyo interface. You can use keyword\n\"manage_by_non_root\" to allow policy modification by non root user.\n\n(Example)\n[root@tomoyo]# cat /sys/kernel/security/tomoyo/manager\n/usr/lib/ccs/loadpolicy\n/usr/lib/ccs/editpolicy\n/usr/lib/ccs/setlevel\n/usr/lib/ccs/setprofile\n/usr/lib/ccs/ld-watch\n/usr/lib/ccs/ccs-queryd\n\n** /sys/kernel/security/tomoyo/exception_policy **\n\nThis file is used to read and write system global settings. Each line\nhas a directive and operand pair. Directives are listed below.\n\n- initialize_domain:\nTo initialize domain transition when specific program is executed,\nuse initialize_domain directive.\n * initialize_domain \"program\" from \"domain\"\n * initialize_domain \"program\" from \"the last program part of domain\"\n * initialize_domain \"program\"\nIf the part \"from\" and after is not given, the entry is applied to\nall domain. If the \"domain\" doesn\u0027t start with \"\u003ckernel\u003e\", the entry\nis applied to all domain whose domainname ends with \"the last program\npart of domain\".\nThis directive is intended to aggregate domain transitions for daemon\nprogram and program that are invoked by the kernel on demand, by\ntransiting to different domain.\n\n- keep_domain\nTo prevent domain transition when program is executed from specific\ndomain, use keep_domain directive.\n * keep_domain \"program\" from \"domain\"\n * keep_domain \"program\" from \"the last program part of domain\"\n * keep_domain \"domain\"\n * keep_domain \"the last program part of domain\"\nIf the part \"from\" and before is not given, this entry is applied to\nall program. If the \"domain\" doesn\u0027t start with \"\u003ckernel\u003e\", the entry\nis applied to all domain whose domainname ends with \"the last program\npart of domain\".\nThis directive is intended to reduce total number of domains and\nmemory usage by suppressing unneeded domain transitions.\nTo declare domain keepers, use keep_domain directive followed by\ndomain definition.\nAny process that belongs to any domain declared with this directive,\nthe process stays at the same domain unless any program registered\nwith initialize_domain directive is executed.\n\nIn order to control domain transition in detail, you can use\nno_keep_domain/no_initialize_domain keywrods.\n\n- alias:\nTo allow executing programs using the name of symbolic links, use\nalias keyword followed by dereferenced pathname and reference\npathname. For example, /sbin/pidof is a symbolic link to\n/sbin/killall5 . In normal case, if /sbin/pidof is executed, the\ndomain is defined as if /sbin/killall5 is executed. By specifying\n\"alias /sbin/killall5 /sbin/pidof\", you can run /sbin/pidof in the\ndomain for /sbin/pidof .\n(Example)\nalias /sbin/killall5 /sbin/pidof\n\n- allow_read:\nTo grant unconditionally readable permissions, use allow_read keyword\nfollowed by canonicalized file. This keyword is intended to reduce\nsize of domain policy by granting read access to library files such\nas GLIBC and locale files. Exception is, if ignore_global_allow_read\nkeyword is given to a domain, entries specified by this keyword are\nignored.\n(Example)\nallow_read /lib/libc-2.5.so\n\n- file_pattern:\nTo declare pathname pattern, use file_pattern keyword followed by\npathname pattern. The pathname pattern must be a canonicalized\nPathname. This keyword is not applicable to neither granting execute\npermissions nor domain definitions.\nFor example, canonicalized pathname that contains a process ID\n(i.e. /proc/PID/ files) needs to be grouped in order to make access\ncontrol work well.\n(Example)\nfile_pattern /proc/\\$/cmdline\n\n- path_group\nTo declare pathname group, use path_group keyword followed by name of\nthe group and pathname pattern. For example, if you want to group all\nfiles under home directory, you can define\n path_group HOME-DIR-FILE /home/\\*/\\*\n path_group HOME-DIR-FILE /home/\\*/\\*/\\*\n path_group HOME-DIR-FILE /home/\\*/\\*/\\*/\\*\nin the exception policy and use like\n allow_read @HOME-DIR-FILE\nto grant file access permission.\n\n- deny_rewrite:\nTo deny overwriting already written contents of file (such as log\nfiles) by default, use deny_rewrite keyword followed by pathname\npattern. Files whose pathname match the patterns are not permitted to\nopen for writing without append mode or truncate unless the pathnames\nare explicitly granted using allow_rewrite keyword in domain policy.\n(Example)\ndeny_rewrite /var/log/\\*\n\n- aggregator\nTo deal multiple programs as a single program, use aggregator keyword\nfollowed by name of original program and aggregated program. This\nkeyword is intended to aggregate similar programs.\nFor example, /usr/bin/tac and /bin/cat are similar. By specifying\n\"aggregator /usr/bin/tac /bin/cat\", you can run /usr/bin/tac in the\ndomain for /bin/cat .\nFor example, /usr/sbin/logrotate for Fedora Core 3 generates programs\nlike /tmp/logrotate.\\?\\?\\?\\?\\?\\? and run them, but TOMOYO Linux\ndoesn\u0027t allow using patterns for granting execute permission and\ndefining domains. By specifying\n\"aggregator /tmp/logrotate.\\?\\?\\?\\?\\?\\? /tmp/logrotate.tmp\", you can\nrun /tmp/logrotate.\\?\\?\\?\\?\\?\\? as if /tmp/logrotate.tmp is running.\n\n** /sys/kernel/security/tomoyo/domain_policy **\n\nThis file contains definition of all domains and permissions that are\ngranted to each domain.\n\nLines from the next line to a domain definition ( any lines starting\nwith \"\u003ckernel\u003e\") to the previous line to the next domain definitions\nare interpreted as access permissions for that domain.\n\n** /sys/kernel/security/tomoyo/meminfo **\n\nThis file is to show the total RAM used to keep policy in the kernel\nby TOMOYO Linux in bytes.\n(Example)\n[root@tomoyo]# cat /sys/kernel/security/tomoyo/meminfo\nShared: 61440\nPrivate: 69632\nDynamic: 768\nTotal: 131840\n\nYou can set memory quota by writing to this file.\n(Example)\n[root@tomoyo]# echo Shared: 2097152 \u003e /sys/kernel/security/tomoyo/meminfo\n[root@tomoyo]# echo Private: 2097152 \u003e /sys/kernel/security/tomoyo/meminfo\n\n** /sys/kernel/security/tomoyo/self_domain **\n\nThis file is to show the name of domain the caller process belongs to.\n(Example)\n[root@etch]# cat /sys/kernel/security/tomoyo/self_domain\n\u003ckernel\u003e /usr/sbin/sshd /bin/zsh /bin/cat\n\n** /sys/kernel/security/tomoyo/version **\n\nThis file is used for getting TOMOYO Linux\u0027s version.\n(Example)\n[root@etch]# cat /sys/kernel/security/tomoyo/version\n2.2.0-pre\n\n** /sys/kernel/security/tomoyo/.domain_status **\n\nThis is a view (of a DBMS) that contains only profile number and\ndomainnames of domain so that \"ccs-setprofile\" command can do\nline-oriented processing easily.\n\n** /sys/kernel/security/tomoyo/.process_status **\n\nThis file is used by \"ccs-ccstree\" command to show \"list of processes\ncurrently running\" and \"domains which each process belongs to\" and\n\"profile number which the domain is currently assigned\" like \"pstree\"\ncommand. This file is writable by programs that aren\u0027t registered as\npolicy manager.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" } ] }