Tetsuo Handa
from-****@I-lov*****
27 Jul 2006 (Thu) 21:52:36 JST
Hello, Akimoto-san. I looked at http://www.n-linux.org/ and see that the TOMOYO Linux entries have grown considerably. Thank you. For the "file_pattern /vfs/proc/\$/\*" part, I think it is fine to simply run sed 's:file_pattern /proc/:file_pattern /vfs/proc/:' as-is.

In the next version, we plan to strengthen the network access control functionality. We will introduce the syntax "allow_network PROTOCOL OPERATION ADDRESS-RANGE PORT-RANGE" (example: allow_network TCP accept 10.1.0.1-10.1.0.254 1024-65535), which makes it possible to restrict address ranges per domain. The implementation is complete and is currently being tested. The location of the policy file is now specified with a #define.

The current ChangeLog looks like this:

Fix 2006/07/14 @ Change behavior of pathname pattern matching.
Until now, it was impossible to use patterns like "\*.txt" because "\*" matched more than 0 characters up to the next '/'. Now, "\*" matches more than 0 characters. Until now, it was impossible to use patterns like "\$00" because "\$" matched more than 1 digits up to the next non-digit character. Now, "\$" matches more than 1 digits. Also, new patterns "\x" "\X" "\a" "\A" "\@" are added.

Fix 2006/07/21 @ Add CONFIG_TOMOYO_NETWORK option.
Until now, only port numbers for TCP and UDP were controllable. Now, the combination of IPv4/IPv6 address and port numbers for TCP and UDP is controllable. CONFIG_TOMOYO_NETWORKPORT became obsolete.

Fix 2006/07/25 @ Change matching rule for CheckFileACL().
Until now, only the first entry that matched the requested pathname was used for permission checking. For example, if two entries "2 /tmp/file-\$.txt" "4 /tmp/fil\?-0.txt" are given in this order and the requested pathname is "/tmp/file-0.txt", "2 /tmp/file-\$.txt" is used. But if the two entries "4 /tmp/fil\?-0.txt" "2 /tmp/file-\$.txt" are given in this order, "4 /tmp/fil\?-0.txt" is used. This may potentially cause trouble because the result of permission checks depends on the order of entries. Now, all entries that match the requested pathname are used for permission checking, so that the result of permission checks doesn't depend on the order of entries.

Fix 2006/07/27 @ Support RAW IPv4/IPv6 control.
Some programs such as 'ping' and 'traceroute' use raw IP sockets. Now, the combination of IPv4/IPv6 address and protocol numbers for IP is controllable.
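As an added illustration (not TOMOYO's own code), here is a small Python model of the 2006/07/14 and 2006/07/25 changes above: a pathname pattern matcher with the old greedy and the new backtracking "\*"/"\$" behaviour, and CheckFileACL() under the first-match and all-matches rules, run on the two entries from the ChangeLog. Assumed: "\*" and "\?" never cross '/', the leading digits are TOMOYO 1.x permission bits (4=read, 2=write), and matching entries' permissions are OR'd together.

```python
ACL_WRITE, ACL_READ = 2, 4  # assumption: TOMOYO 1.x permission bits (1=execute, 2=write, 4=read)


def match_pattern(pattern: str, path: str, legacy: bool = False) -> bool:
    """Match a TOMOYO-style pathname pattern against a path.

    Wildcards (assumed semantics): "\\*" = run of non-'/' characters, "\\$" = run of
    digits, "\\?" = one non-'/' character.  With legacy=True, "\\*" and "\\$" greedily
    swallow the whole run (the pre-2006/07/14 behaviour); otherwise they backtrack.
    """
    if not pattern:
        return not path
    head, rest = pattern[:2], pattern[2:]
    if head == "\\*":
        n = len(path.split("/", 1)[0])                  # length of the leading non-'/' run
        lengths = [n] if legacy else range(n + 1)
        return any(match_pattern(rest, path[i:], legacy) for i in lengths)
    if head == "\\$":
        n = len(path) - len(path.lstrip("0123456789"))  # length of the leading digit run
        if n == 0:
            return False                                # "\\$" needs at least one digit
        lengths = [n] if legacy else range(1, n + 1)
        return any(match_pattern(rest, path[i:], legacy) for i in lengths)
    if head == "\\?":
        return bool(path) and path[0] != "/" and match_pattern(rest, path[1:], legacy)
    return bool(path) and path[0] == pattern[0] and match_pattern(pattern[1:], path[1:], legacy)


def check_file_acl_first_match(entries, path):
    """Pre-2006/07/25 rule: only the first entry matching the path decides."""
    for perm, pattern in entries:
        if match_pattern(pattern, path):
            return perm
    return 0


def check_file_acl_all_matches(entries, path):
    """Post-2006/07/25 rule: every matching entry contributes (assumed: permissions are OR'd)."""
    allowed = 0
    for perm, pattern in entries:
        if match_pattern(pattern, path):
            allowed |= perm
    return allowed


# The two entries from the ChangeLog, in both orders (constructed policy fragments).
ENTRIES_A = [(ACL_WRITE, "/tmp/file-\\$.txt"), (ACL_READ, "/tmp/fil\\?-0.txt")]
ENTRIES_B = list(reversed(ENTRIES_A))
```

Under the first-match rule ENTRIES_A yields write only and ENTRIES_B read only for "/tmp/file-0.txt"; under the all-matches rule both orders yield read and write.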