
The /proc/ccs/ interface

/proc/ccs/audit

This read-only interface contains the audit log. A read returns immediately if no audit log exists. To wait until an audit log is generated, use select(2) to wait for the interface to become readable.

The behaviour of this interface depends on how the profiles have been configured in /proc/ccs/profile. The following profile options affect it:

Also, /proc/ccs/stat affects how much memory can be assigned for audit logs.

This interface is used primarily by the userspace tool ccs-auditd.

/proc/ccs/domain_policy

This read/write interface contains the policy that is defined for each domain. Any lines starting with "<kernel>" indicate the start of a new block of access permissions.

The associated configuration file is "/etc/ccs/domain_policy.conf".

This interface is used primarily by the userspace tools ccs-editpolicy, ccs-loadpolicy and ccs-savepolicy.

/proc/ccs/exception_policy

This read/write interface contains the exception policy. Each line is an individual entry.

The associated configuration file is "/etc/ccs/exception_policy.conf".

This interface is used primarily by the userspace tools ccs-editpolicy, ccs-loadpolicy and ccs-savepolicy.

/proc/ccs/manager

This read/write interface contains a list of either domains or full pathnames that have been given permission to write to the "/proc/ccs/" interface.

As an exception, all domains can write to the interfaces below for restricted purposes.

The associated configuration file is "/etc/ccs/manager.conf".

This interface is used primarily by the userspace tools ccs-editpolicy, ccs-loadpolicy and ccs-savepolicy.

# cat /proc/ccs/manager
/usr/sbin/ccs-loadpolicy
/usr/sbin/ccs-editpolicy
/usr/sbin/ccs-setlevel
/usr/sbin/ccs-setprofile
/usr/sbin/ccs-queryd

/proc/ccs/profile

This read/write interface contains the profile configuration.

The associated configuration file is "/etc/ccs/profile.conf".

This interface is used primarily by the userspace tools ccs-editpolicy, ccs-loadpolicy, ccs-savepolicy and ccs-setlevel.

/proc/ccs/query

This read/write interface is used to grant or reject individual access requests that occur within domains in "Enforcing Mode".

This interface is used primarily by the userspace tool ccs-queryd.

/proc/ccs/self_domain

This read/write interface shows the domain of the caller process.

This interface allows the caller to change its own domain if explicitly permitted by a task manual_domain_transition directive.

/proc/ccs/stat

This read/write interface contains information about policy violations and memory usage in bytes.

# cat /proc/ccs/stat
Policy update:                               172 (Last: 2011/02/03 18:03:01)
Policy violation in learning mode:             0
Policy violation in permissive mode:           0
Policy violation in enforcing mode:            0
Memory used by policy:                     41792
Memory used by audit log:                 159328
Memory used by query message:                  0
Total memory used:                        201120

This interface allows the administrator to configure memory quota.

The associated configuration file is "/etc/ccs/stat.conf".

This interface is used primarily by the userspace tools ccs-editpolicy, ccs-loadpolicy and ccs-savepolicy.
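
A monitoring check built on the output format shown above, as an added example that is not part of the TOMOYO tools: it parses /proc/ccs/stat, reports which violation counters grew between two snapshots, and checks that the memory lines add up to the total, as they do in the sample. The function names are hypothetical, and the embedded sample is the output shown on this page.

```python
import re

# Sample copied from the /proc/ccs/stat output shown above.
SAMPLE = """\
Policy update:                               172 (Last: 2011/02/03 18:03:01)
Policy violation in learning mode:             0
Policy violation in permissive mode:           0
Policy violation in enforcing mode:            0
Memory used by policy:                     41792
Memory used by audit log:                 159328
Memory used by query message:                  0
Total memory used:                        201120
"""

# "<label>: <number>" with an optional "(Last: <timestamp>)" suffix.
LINE = re.compile(r"^([^:]+):\s+(\d+)(?:\s+\(Last:\s+([^)]+)\))?\s*$")


def parse_stat(text):
    """Return {label: (value, last_timestamp_or_None)} for each stat line."""
    stats = {}
    for line in filter(str.strip, text.splitlines()):
        m = LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised stat line: {line!r}")
        stats[m[1].strip()] = (int(m[2]), m[3])
    return stats


def new_violations(before, after):
    """Per-mode increase in the violation counters between two snapshots."""
    prefix = "Policy violation in "
    deltas = {}
    for label, (count, _last) in after.items():
        delta = count - before.get(label, (0, None))[0]
        if label.startswith(prefix) and delta > 0:
            deltas[label[len(prefix):]] = delta
    return deltas


def memory_consistent(stats):
    """True if the 'Memory used by ...' lines add up to 'Total memory used'."""
    parts = sum(v for k, (v, _) in stats.items() if k.startswith("Memory used by "))
    return parts == stats["Total memory used"][0]


if __name__ == "__main__":
    stats = parse_stat(SAMPLE)
    print(new_violations({}, stats), memory_consistent(stats))
```

On a TOMOYO kernel, pass the contents of /proc/ccs/stat to parse_stat() on each poll and alert when new_violations() reports an increase for "enforcing mode".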

/proc/ccs/version

This read-only interface contains the currently running version of TOMOYO Linux.

/proc/ccs/.execute_handler

This read/write interface can be opened only by processes running as an execute_handler process. The content is identical to "/proc/ccs/.process_status".

This interface is intended to allow programs specified by task auto_execute_handler or task denied_execute_handler directives to verify that they are executed as an execute_handler and that arguments are passed by the kernel.

/proc/ccs/.process_status

This read/write interface contains a list of domain names and profile numbers that the currently running process belongs to.

This interface is used primarily by the userspace tool ccs-pstree.