2144 |
Thus, I moved ccs_capable() checks from ccs_setattr_permission() to |
Thus, I moved ccs_capable() checks from ccs_setattr_permission() to |
2145 |
ccs_chmod_permission() and ccs_chown_permission(), and removed |
ccs_chmod_permission() and ccs_chown_permission(), and removed |
2146 |
ccs_setattr_permission(). |
ccs_setattr_permission(). |
2147 |
|
|
2148 |
|
Fix 2009/09/25 |
2149 |
|
|
2150 |
|
@ Embed more information into audit logs. |
2151 |
|
|
2152 |
|
Until now, /proc/ccs/grant_log /proc/ccs/reject_log /proc/ccs/query were |
2153 |
|
not printing file's information (e.g. file's uid/gid/mode). |
2154 |
|
|
2155 |
|
Recently, users who started using "if" clause expect that the learning |
2156 |
|
mode automatically adds various conditions like "if task.uid=path1.uid". |
2157 |
|
|
2158 |
|
But the profile will become too complicated if I support all possible |
2159 |
|
conditions. Thus, I added all information which is enough to generate |
2160 |
|
"if" clause with all possible conditions from audit logs. |
2161 |
|
|
2162 |
|
Now, the learning mode got different usage. Users can specify |
2163 |
|
"CONFIG::learning={ max_entry=0 }" in the profile. All requests which |
2164 |
|
are not permitted by policy will be sent to /proc/ccs/reject_log with |
2165 |
|
"mode=learning" header lines. Users can selectively append conditions |
2166 |
|
and append to the policy using "/usr/sbin/ccs-loadpolicy -d". |
2167 |
|
The learning mode with "CONFIG::learning={ max_entry=0 }" is almost |
2168 |
|
the same with the permissive mode, only difference is "mode=learning" |
2169 |
|
and "mode=permissive". |