The /proc/ccs/ interface

/proc/ccs/audit

This read-only interface contains the audit log. The reader process returns immediately if no audit log exists. To wait until an audit log is generated, use select(2) for readability.

This interface is dependent on how the profiles have been configured in /proc/ccs/profile. The following profile options affect it:

• grant_log
• reject_log
• max_audit_log

Also, /proc/ccs/stat affects how much memory can be assigned for audit logs.

This interface is used primarily by the userspace tool ccs-auditd.

/proc/ccs/domain_policy

This read/write interface contains the policy that is defined for each domain. Any lines starting with "<kernel>" indicate the start of a new block of access permissions.

The associated configuration file is "/etc/ccs/domain_policy.conf".

This interface is used primarily by the userspace tools ccs-editpolicy, ccs-loadpolicy and ccs-savepolicy.

/proc/ccs/exception_policy

This read/write interface contains the exception policy. Each line is an individual entry.

The associated configuration file is "/etc/ccs/exception_policy.conf".

This interface is used primarily by the userspace tools ccs-editpolicy, ccs-loadpolicy and ccs-savepolicy.

/proc/ccs/manager

This read/write interface contains a list of either domains or full pathnames that have been given permission to write to the "/proc/ccs/" interface.

As an exception, all domains can write to below interfaces for restricted purposes.

• /proc/ccs/.process_status for reading information of processes
• /proc/ccs/domain_policy for reading specific domain's (or specific process's) access permissions
• /proc/ccs/self_domain for changing the domain of the caller process

The associated configuration file is "/etc/ccs/manager.conf".

This interface is used primarily by the userspace tools ccs-editpolicy, ccs-loadpolicy and ccs-savepolicy.

# cat /proc/ccs/manager

/usr/sbin/ccs-loadpolicy
/usr/sbin/ccs-editpolicy
/usr/sbin/ccs-setlevel
/usr/sbin/ccs-setprofile
/usr/sbin/ccs-queryd

/proc/ccs/profile

This read/write interface contains the profile configuration.

The associated configuration file is "/etc/ccs/profile.conf".

This interface is used primarily by the userspace tools ccs-editpolicy, ccs-loadpolicy, ccs-savepolicy and ccs-setlevel.

/proc/ccs/query

This read/write interface is used to grant or reject individual access requests that occur within domains in "Enforcing Mode".

This interface is used primarily by the userspace tool ccs-queryd.

/proc/ccs/self_domain

This read/write interface shows the domain of the caller process.

This interface allows the caller to change the domain of the caller process if explicitly permitted by task manual_domain_transition directive.

/proc/ccs/stat

This read/write interface contains information about policy violations and memory usage in bytes.

# cat /proc/ccs/stat

Policy update:                               172 (Last: 2011/02/03 18:03:01)
Policy violation in learning mode:             0
Policy violation in permissive mode:           0
Policy violation in enforcing mode:            0
Memory used by policy:                     41792
Memory used by audit log:                 159328
Memory used by query message:                  0
Total memory used:                        201120

• Policy update shows the total number of policy updates and the last time that policy was updated.
• Policy violation in learning mode shows the total number of policy violations that have occurred in domains set to "Learning Mode" and the last time the violation occurred.
• Policy violation in permissive mode shows the total number of policy violations that have occurred in domains set to "Permissive Mode"and the last time the violation occurred.
• Policy violation in enforcing mode shows the total number of policy violations that have occurred in domains set to "Enforcing Mode"and the last time the violation occurred.
• Memory used by policy shows the memory used for holding access permissions.
• Memory used by audit log shows the memory used for holding audit logs.
• Memory used by query message shows the memory used for waiting for administrator's decision.
• Total memory used shows the total memory used.

This interface allows the administrator to configure memory quota.

The associated configuration file is "/etc/ccs/stat.conf".

This interface is used primarily by the userspace tools ccs-editpolicy, ccs-loadpolicy and ccs-savepolicy.

/proc/ccs/version

This read-only interface contains the currently running version of TOMOYO Linux.

/proc/ccs/.execute_handler

This read/write interface is openable by only processes running as an execute_handler process. The content is identical to "/proc/ccs/.process_status".

This interface is intended to allow programs specified by task auto_execute_handler or task denied_execute_handler directives verify that they are executed as an execute_handler and arguments are passed by the kernel.

/proc/ccs/.process_status

This read/write interface contains a list of domain names and profile numbers that the currently running process belongs to.

This interface is used primarily by the userspace tool ccs-pstree.