thiruhari wrote:
> My understanding:
>
> Learning - through this mode I can develop policy for all domains in my
> system.
>
> Enforcing - through this mode I can enforce the policy which I have developed
> earlier with learning mode.

Yes.

> Now my question:
>
> I want to restrict process read/write on the file system for unknown processes.
>
> At the time of developing policy I will not know the forked process
> which is created from my browser task.
>
> With the above scenario in mind, how shall I use TOMOYO Linux in enforcing
> mode?

That depends on the type of embedded device you are using. Is it an Android? Is it a MeeGo? Neither?

If Android, each application runs with its own UID (determined at installation time). Thus, you will restrict access based on the current thread's UID. But it depends on the assumption that you know the UID which the application you want to restrict runs with at the time of developing policy. If you can't make this assumption, you will need to patch and recompile the zygote application (like the mod_tomoyo/mod_ccs module for Apache does) so that TOMOYO can understand that the current thread is about to start an application you want to restrict.

If MeeGo, you will restrict access based on the pathname of each application. Use of policy namespace will be helpful.
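A domain policy fragment showing the UID-based approach for the Android case, added here as an illustration and not taken from the thread or from the TOMOYO project. It assumes TOMOYO 2.x domain_policy.conf syntax with `task.uid=` conditions and profile 3 meaning enforcing mode; the app_process path, the package name, the data paths and the UID 10045 are constructed placeholders.

```conf
# Added example (not from the thread): TOMOYO 2.x domain_policy.conf fragment.
# Zygote (/system/bin/app_process, assumed path) forks applications without
# execve, so every app stays in this one domain; the only thing that tells
# them apart is the UID assigned at installation time. Profile 3 is the
# enforcing profile in the default profile.conf, so any access not listed
# below is rejected and logged.
<kernel> /system/bin/app_process
use_profile 3

# Reads every app needs (constructed paths).
file read /system/lib/\*.so
file read /system/framework/\*

# Per-app access keyed on the installation-time UID (10045 is a constructed
# value). A forked child running under a UID that appears in no rule matches
# nothing here and is therefore denied.
file read  /data/data/com.example.browser/\{\*\}/\* task.uid=10045
file write /data/data/com.example.browser/\{\*\}/\* task.uid=10045
```

The rules only work if the UID is known when the policy is written, which is exactly the assumption the reply above points out; without it, the zygote has to be patched so that TOMOYO sees the start of each application as a domain transition.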