Horvath Andras
han****@log69*****
Thu Jun 9 23:04:58 JST 2011
On Thu, 9 Jun 2011 22:59:57 +0900 Tetsuo Handa <from-****@I-lov*****> wrote:

> It would be possible to add such command, but I doubt the usefulness
> of such command. Say, there are
>
> <kernel> /bin/foo /bin/bar /bin/yourdaemon
> <kernel> /bin/foo /bin/bar /bin/yourdaemon /bin/sh
> <kernel> /bin/foo /bin/bar /bin/yourdaemon /bin/sh /bin/cat
>
> domains and the process is running at
>
> <kernel> /bin/foo /bin/bar /bin/yourdaemon
>
> . In this case, users likely want to delete not only
>
> <kernel> /bin/foo /bin/bar /bin/yourdaemon
>
> domain but also
>
> <kernel> /bin/foo /bin/bar /bin/yourdaemon /bin/sh
> <kernel> /bin/foo /bin/bar /bin/yourdaemon /bin/sh /bin/cat
>
> domains.
>
> When deleting a domain, I think users should be aware of
> "What domains are there?".

I think I just understood what I need to do; please tell me if I think it correctly.

Recently we talked about this: that I want to apply rules to processes on the fly too, while in the meantime preparing the domain they enter after their restart by adding "initialize_domain" to the exception policy.

So if I apply rules to the current process by selecting pid=$PID, then I just thought I don't have to delete anything, right? Because the domain and its rules will be referred to by Tomoyo by name, and not by pid. So let's say, if a new process starts with the same PID that belonged to my former process, then this new process - if it's a different binary - won't have the same domain as the former one, right?

So if I get it right, then selecting the pid only just refers to the domain by name anyway, not by pid. So I won't have any problem leaving the domains of these PIDs untouched.
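The subtree point Handa makes above (deleting a domain usually means deleting its descendants too) can be modelled with a few lines that treat TOMOYO domain names as a tree. This is an added illustration, not code from TOMOYO or from either poster; the domain list is constructed, and the only assumption is TOMOYO's own naming scheme, where a child domain's name is the parent's name followed by a space and the next executed program.

```python
# Added example: model TOMOYO domain names as a tree and compute the subtree
# that a "delete this domain" operation would have to cover.

# Constructed sample, in TOMOYO's "<kernel> /path/to/exe ..." naming scheme.
SAMPLE_DOMAINS = [
    "<kernel>",
    "<kernel> /bin/foo",
    "<kernel> /bin/foo /bin/bar",
    "<kernel> /bin/foo /bin/bar /bin/yourdaemon",
    "<kernel> /bin/foo /bin/bar /bin/yourdaemon /bin/sh",
    "<kernel> /bin/foo /bin/bar /bin/yourdaemon /bin/sh /bin/cat",
    "<kernel> /bin/foo /bin/bar /bin/yourdaemon2",  # shares a string prefix, but is a sibling
    "<kernel> /usr/sbin/sshd /bin/bash",
]


def is_descendant(domain: str, ancestor: str) -> bool:
    """True if `domain` lies below `ancestor` in the domain tree.

    A bare string-prefix test would be wrong: ".../yourdaemon2" starts with
    ".../yourdaemon" yet is a sibling, so the separator space is required.
    """
    return domain.startswith(ancestor + " ")


def subtree(domains, root: str):
    """The domain itself plus every descendant, preserving list order."""
    return [d for d in domains if d == root or is_descendant(d, root)]


def parent_of(domain: str):
    """The parent domain name, or None for the root "<kernel>" domain."""
    if " " not in domain:
        return None
    return domain.rsplit(" ", 1)[0]


if __name__ == "__main__":
    # Everything that would go away with the yourdaemon domain.
    for d in subtree(SAMPLE_DOMAINS, "<kernel> /bin/foo /bin/bar /bin/yourdaemon"):
        print(d)
```

Note that a domain name carries no PID at all, which is why the name, not the process id, is what identifies a domain and its rules.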