~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/README.ccs

Version: ~ [ linux-6.11.5 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.58 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.114 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.169 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.228 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.284 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.322 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.9 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /README.ccs (Version linux-6.11.5) and /README.ccs (Version linux-5.10.228)


  1 Notes for TOMOYO Linux project                      1 Notes for TOMOYO Linux project
  2                                                     2 
  3 This is a handy Mandatory Access Control patch      3 This is a handy Mandatory Access Control patch for Linux kernels.
  4 This patch is released under the GPLv2.             4 This patch is released under the GPLv2.
  5                                                     5 
  6 Project URL: https://tomoyo.sourceforge.net/        6 Project URL: https://tomoyo.sourceforge.net/
  7                                                     7 
  8 The authors of this patch (hereafter, we) don'      8 The authors of this patch (hereafter, we) don't have much experience
  9 in kernel programming. We are worried that thi      9 in kernel programming. We are worried that this patch would contain
 10 some mistakes such as missing hooks, improper      10 some mistakes such as missing hooks, improper location of hooks,
 11 potential deadlocks. There would be better way     11 potential deadlocks. There would be better way of implementation.
 12 All kinds of comments, pointing the errors and     12 All kinds of comments, pointing the errors and suggestions are welcome.
 13                                                    13 
 14 We do hope this patch reduces the labor of ser     14 We do hope this patch reduces the labor of server security management
 15 and you enjoy the life with Linux.                 15 and you enjoy the life with Linux.
 16                                                    16 
 17 This project was very inspired by the comic "C     17 This project was very inspired by the comic "Card Captor SAKURA",
 18 one of the CLAMP's masterworks.                    18 one of the CLAMP's masterworks.
 19                                                    19 
 20 ChangeLog:                                         20 ChangeLog:
 21                                                    21 
 22 Version 1.0   2005/11/11   First release.          22 Version 1.0   2005/11/11   First release.
 23                                                    23 
 24 Fix 2005/11/18                                     24 Fix 2005/11/18
 25                                                    25 
 26     @ Add setattr() missing hook in SYAORAN fs     26     @ Add setattr() missing hook in SYAORAN fs.
 27                                                    27 
 28       setattr() checking for special inode was     28       setattr() checking for special inode was missing.
 29                                                    29 
 30 Fix 2005/11/25                                     30 Fix 2005/11/25
 31                                                    31 
 32     @ Allow initrd.img include /sbin/init .        32     @ Allow initrd.img include /sbin/init .
 33                                                    33 
 34       Since version 1.0 loads policy when /sbi     34       Since version 1.0 loads policy when /sbin/init is called
 35       for the first time, initrd.img without t     35       for the first time, initrd.img without the policy directory
 36       mustn't start /sbin/init . This forced u     36       mustn't start /sbin/init . This forced users not to use
 37       initrd.img that includes /sbin/init .        37       initrd.img that includes /sbin/init .
 38       I modified to delay loading policy if th     38       I modified to delay loading policy if the policy directory
 39       doesn't exist and wait for /sbin/init be     39       doesn't exist and wait for /sbin/init being called again.
 40                                                    40 
 41 Fix 2005/12/02                                     41 Fix 2005/12/02
 42                                                    42 
 43     @ Use lookup_one_len() instead of lookup_h     43     @ Use lookup_one_len() instead of lookup_hash().
 44                                                    44 
 45       Kernel 2.6.15 changed parameters for loo     45       Kernel 2.6.15 changed parameters for lookup_hash().
 46       I modified to use lookup_one_len() to ke     46       I modified to use lookup_one_len() to keep compatibility.
 47                                                    47 
 48 Fix 2005/12/06                                     48 Fix 2005/12/06
 49                                                    49 
 50     @ Add S_ISDIR() check in SYAORAN fs.           50     @ Add S_ISDIR() check in SYAORAN fs.
 51                                                    51 
 52       Malicious configuration file that attemp     52       Malicious configuration file that attempts to create an inode
 53       under non-directory inode caused segment     53       under non-directory inode caused segmentation fault.
 54                                                    54 
 55 Version 1.0.1 2005/12/08   Minor update releas     55 Version 1.0.1 2005/12/08   Minor update release.
 56                                                    56 
 57 Fix 2006/01/04                                     57 Fix 2006/01/04
 58                                                    58 
 59     @ Add CheckWritePermission() check in unix     59     @ Add CheckWritePermission() check in unix_bind().
 60                                                    60 
 61       I modified to check write permission in      61       I modified to check write permission in unix_bind(), for
 62       sys_mknod(S_IFSOCK) checks write permiss     62       sys_mknod(S_IFSOCK) checks write permission.
 63                                                    63 
 64     @ Show hook version in proc_misc_init().       64     @ Show hook version in proc_misc_init().
 65                                                    65 
 66       The hook part of this patch depends on t     66       The hook part of this patch depends on the kernel's version,
 67       while the rest part of this patch doesn'     67       while the rest part of this patch doesn't.
 68       I added the hook version so that the adm     68       I added the hook version so that the administrator can
 69       know the last modified date of the hooks     69       know the last modified date of the hooks.
 70                                                    70 
 71     @ Move permission checks from filp_open()      71     @ Move permission checks from filp_open() to open_namei().
 72                                                    72 
 73       I moved the location of checking MAC's p     73       I moved the location of checking MAC's permission
 74       from filp_open() to open_namei().            74       from filp_open() to open_namei().
 75                                                    75 
 76     @ Fix an error in filp_open().  (only 2.6.     76     @ Fix an error in filp_open().  (only 2.6.15-rc5)
 77                                                    77 
 78       This error was only in the patch 2.6.15-     78       This error was only in the patch 2.6.15-rc5 and
 79       was fixed in the patch for 2.6.15.           79       was fixed in the patch for 2.6.15.
 80                                                    80 
 81 Fix 2006/01/12                                     81 Fix 2006/01/12
 82                                                    82 
 83     @ Add /proc/ccs/info/self_domain.              83     @ Add /proc/ccs/info/self_domain.
 84                                                    84 
 85       I added /proc/ccs/info/self_domain so th     85       I added /proc/ccs/info/self_domain so that the userland programs
 86       can know the name of domain they belong      86       can know the name of domain they belong to if necessary.
 87                                                    87 
 88 Fix 2006/01/13                                     88 Fix 2006/01/13
 89                                                    89 
 90     @ Merge constants for CheckTaskCapability(     90     @ Merge constants for CheckTaskCapability().
 91                                                    91 
 92       I merged *_INHERITABLE_* and *_LOCAL_* t     92       I merged *_INHERITABLE_* and *_LOCAL_* to avoid always
 93       calling CheckTaskCapability() with both      93       calling CheckTaskCapability() with both constants.
 94                                                    94 
 95     @ DropTaskCapability() returns -EAGAIN on      95     @ DropTaskCapability() returns -EAGAIN on success.
 96                                                    96 
 97       DropTaskCapability() must not return 0 o     97       DropTaskCapability() must not return 0 on success, for
 98       DropTaskCapability() is called from do_e     98       DropTaskCapability() is called from do_execve().
 99                                                    99 
100     @ Fix an error for chroot() permission che    100     @ Fix an error for chroot() permission check.
101                                                   101 
102       The chroot() restriction was not working    102       The chroot() restriction was not working due to the following mistake.
103       CheckChRootPermission() || CheckTaskCapa    103       CheckChRootPermission() || CheckTaskCapability() returns 0 or 1, while
104       CheckChRootPermission() | CheckTaskCapab    104       CheckChRootPermission() | CheckTaskCapability() returns 0 or -EPERM.
105                                                   105 
106 Fix 2006/01/17                                    106 Fix 2006/01/17
107                                                   107 
108     @ Suppress some of debug messages in TOMOY    108     @ Suppress some of debug messages in TOMOYO.
109                                                   109 
110       I added KERN_DEBUG to suppress some of d    110       I added KERN_DEBUG to suppress some of debug messages.
111                                                   111 
112 Fix 2006/01/19                                    112 Fix 2006/01/19
113                                                   113 
114     @ Remove isRoot() checks in AddChrootACL()    114     @ Remove isRoot() checks in AddChrootACL() and AddMountACL().
115                                                   115 
116       I found a program that needs to chroot b    116       I found a program that needs to chroot by non-root.
117       So, I stopped checking uid=euid=0 for th    117       So, I stopped checking uid=euid=0 for these functions so that
118       "accept mode" can append ACLs.              118       "accept mode" can append ACLs.
119       The isRoot() is checked at AddChrootPoli    119       The isRoot() is checked at AddChrootPolicy() and AddMountPolicy().
120                                                   120 
121     @ Map NULL device name to "<NULL>" in AddM    121     @ Map NULL device name to "<NULL>" in AddMountACL().
122                                                   122 
123       VMware mounts vmware-hgfs with NULL devi    123       VMware mounts vmware-hgfs with NULL device name.
124       So I mapped NULL device name to "<NULL>"    124       So I mapped NULL device name to "<NULL>".
125                                                   125 
126 Fix 2006/01/20                                    126 Fix 2006/01/20
127                                                   127 
128     @ Suppress some of debug messages in SAKUR    128     @ Suppress some of debug messages in SAKURA.
129                                                   129 
130       I added KERN_DEBUG to suppress some of d    130       I added KERN_DEBUG to suppress some of debug messages.
131                                                   131 
132     @ Call panic() if failed to load given pro    132     @ Call panic() if failed to load given profile.
133                                                   133 
134       Call panic() if profile index was given     134       Call panic() if profile index was given via CCS= parameter
135       but the profile doesn't exist.              135       but the profile doesn't exist.
136       If CCS= parameter is not given, the kern    136       If CCS= parameter is not given, the kernel attempts to load
137       profile 0, but it doesn't call panic() i    137       profile 0, but it doesn't call panic() if profile 0 doesn't exist.
138                                                   138 
139 Fix 2006/01/24                                    139 Fix 2006/01/24
140                                                   140 
141     @ Use full_name_hash() for IsGloballyReada    141     @ Use full_name_hash() for IsGloballyReadableFile().
142                                                   142 
143       I modified to use full_name_hash() for f    143       I modified to use full_name_hash() for faster scan.
144                                                   144 
145     @ Add signal checking condition in CheckSi    145     @ Add signal checking condition in CheckSignalACL().
146                                                   146 
147       The documentation says "if the target do    147       The documentation says "if the target domain's domainname
148       starts with the source domain's domainna    148       starts with the source domain's domainname, it is always granted"
149       but actually it isn't. I'll change the d    149       but actually it isn't. I'll change the documentation instead of
150       changing the source code.                   150       changing the source code.
151                                                   151 
152       Also, checking for pid = -1 was missing.    152       Also, checking for pid = -1 was missing. This error was fixed.
153                                                   153 
154 Fix 2006/02/09                                    154 Fix 2006/02/09
155                                                   155 
156     @ Use mutex_lock()/mutex_unlock instead of    156     @ Use mutex_lock()/mutex_unlock instead of down()/up().
157                                                   157 
158       Kernel 2.6.16 changed members of "struct    158       Kernel 2.6.16 changed members of "struct inode".
159       I modified to use mutex_lock()/mutex_unl    159       I modified to use mutex_lock()/mutex_unlock() for after 2.6.16
160       and down()/up() for before 2.6.16.          160       and down()/up() for before 2.6.16.
161                                                   161 
162 Version 1.0.2 2006/02/14   Many bug-fixes rele    162 Version 1.0.2 2006/02/14   Many bug-fixes release.
163                                                   163 
164 Fix 2006/02/21                                    164 Fix 2006/02/21
165                                                   165 
166     @ Divide generic-write permission into ind    166     @ Divide generic-write permission into individual write permissions.
167                                                   167 
168       Write permission was divided into the fo    168       Write permission was divided into the following permissions.
169                                                   169 
170       'mkdir'     for creating directory.         170       'mkdir'     for creating directory.
171       'rmdir'     for deleting directory.         171       'rmdir'     for deleting directory.
172       'create'    for creating regular file.      172       'create'    for creating regular file.
173       'unlink'    for deleting non-directory.     173       'unlink'    for deleting non-directory.
174       'mksock'    for creating UNIX domain soc    174       'mksock'    for creating UNIX domain socket.
175       'mkfifo'    for creating FIFO.              175       'mkfifo'    for creating FIFO.
176       'mkchar'    for creating character devic    176       'mkchar'    for creating character device.
177       'mkblock'   for creating block device.      177       'mkblock'   for creating block device.
178       'link'      for creating hard link.         178       'link'      for creating hard link.
179       'symlink'   for creating symbolic link.     179       'symlink'   for creating symbolic link.
180       'rename'    for renaming directory or no    180       'rename'    for renaming directory or non-directory.
181       'truncate'  for truncating regular file.    181       'truncate'  for truncating regular file.
182                                                   182 
183       The permission check for opening files i    183       The permission check for opening files is done using
184       conventional read/write/execute permissi    184       conventional read/write/execute permission.
185                                                   185 
186     @ Add /proc/ccs/info/mapping.                 186     @ Add /proc/ccs/info/mapping.
187                                                   187 
188       I added /proc/ccs/info/mapping so that t    188       I added /proc/ccs/info/mapping so that the userland programs
189       can know the mapping of individual write    189       can know the mapping of individual write permissions.
190                                                   190 
191 Fix 2006/02/27                                    191 Fix 2006/02/27
192                                                   192 
193     @ Fix handling of trailing '\*' in PathMat    193     @ Fix handling of trailing '\*' in PathMatchesToPattern().
194                                                   194 
195       PathMatchesToPattern("/tmp/", "/tmp/\*")    195       PathMatchesToPattern("/tmp/", "/tmp/\*") returned true
196       because "\*" matches "zero or more repet    196       because "\*" matches "zero or more repetitions of characters
197       until '/' or end". But since this is a c    197       until '/' or end". But since this is a comparison between
198       directory and non-directory, this should    198       directory and non-directory, this should not match.
199                                                   199 
200       This behavior causes the following secur    200       This behavior causes the following security risks.
201       In enforce mode, allowing "2 /tmp/\*" gr    201       In enforce mode, allowing "2 /tmp/\*" grants
202       "mkdir /tmp/" and "rmdir /tmp/" which sh    202       "mkdir /tmp/" and "rmdir /tmp/" which should be
203       granted only when "2 /tmp/" is allowed.     203       granted only when "2 /tmp/" is allowed.
204       In accept mode, "mkdir /tmp/" or "rmdir     204       In accept mode, "mkdir /tmp/" or "rmdir /tmp/" appends
205       "2 /tmp/\*" into the domain policy if "f    205       "2 /tmp/\*" into the domain policy if "file_pattern /tmp/\*"
206       is in the exception policy.                 206       is in the exception policy.
207                                                   207 
208       I changed not to ignore trailing '\*' in    208       I changed not to ignore trailing '\*' in the pattern
209       if pathname ends with '/'.                  209       if pathname ends with '/'.
210                                                   210 
211 Fix 2006/03/01                                    211 Fix 2006/03/01
212                                                   212 
213     @ Add missing spinlock in GetAbsolutePath(    213     @ Add missing spinlock in GetAbsolutePath().
214                                                   214 
215       vfsmount_lock was missing.                  215       vfsmount_lock was missing.
216                                                   216 
217 Fix 2006/03/08                                    217 Fix 2006/03/08
218                                                   218 
219     @ Add support for "shared subtree" mount o    219     @ Add support for "shared subtree" mount operations.
220                                                   220 
221       Kernel 2.6.15 introduced "shared subtree    221       Kernel 2.6.15 introduced "shared subtree" functionality.
222       But CheckMountPermission() couldn't reco    222       But CheckMountPermission() couldn't recognize flags for
223       do_change_type().                           223       do_change_type().
224                                                   224 
225     @ Add support for more mount flags.           225     @ Add support for more mount flags.
226                                                   226 
227       atime/noatime, diratime/nodiratime, recu    227       atime/noatime, diratime/nodiratime, recurse/norecurse flags
228       are supported.                              228       are supported.
229                                                   229 
230 Fix 2006/03/20                                    230 Fix 2006/03/20
231                                                   231 
232     @ Check port numbers for only AF_INET/AF_I    232     @ Check port numbers for only AF_INET/AF_INET6.
233                                                   233 
234       CheckBindEntry() and CheckConnectEntry()    234       CheckBindEntry() and CheckConnectEntry() should check port numbers
235       only when the given address family is ei    235       only when the given address family is either AF_INET or AF_INET6,
236       for address family such as AF_UNSPEC cou    236       for address family such as AF_UNSPEC could be passed to bind()
237       and connect() for PF_INET/PF_INET6 socke    237       and connect() for PF_INET/PF_INET6 sockets.
238                                                   238 
239 Fix 2006/03/27                                    239 Fix 2006/03/27
240                                                   240 
241     @ Use /proc/self/ rather than /proc/\$/ fo    241     @ Use /proc/self/ rather than /proc/\$/ for current process.
242                                                   242 
243       GetAbsolutePath() now uses "self" instea    243       GetAbsolutePath() now uses "self" instead of pid
244       if current process refers to information    244       if current process refers to information related to itself.
245       This exception violates the rule "TOMOYO    245       This exception violates the rule "TOMOYO Linux's pathnames don't
246       contain symbolic links before the last '    246       contain symbolic links before the last '/'", but I think it worth
247       to do so. The following are the merits g    247       to do so. The following are the merits gained by this exception.
248                                                   248 
249       Prevent administrators from granting red    249       Prevent administrators from granting redundant permissions
250       when a process needs to refer to only cu    250       when a process needs to refer to only current process's information.
251                                                   251 
252       Allow administrators make current proces    252       Allow administrators make current process's information always
253       readable using 'allow_read' directive.      253       readable using 'allow_read' directive.
254                                                   254 
255 Version 1.1   2006/04/01   Functionality enhan    255 Version 1.1   2006/04/01   Functionality enhancement release.
256                                                   256 
257 Fix 2006/04/03                                    257 Fix 2006/04/03
258                                                   258 
259     @ Use queue instead of fixed sized array f    259     @ Use queue instead of fixed sized array for audit log.
260                                                   260 
261       WriteAuditLog() now uses queue to save s    261       WriteAuditLog() now uses queue to save statically allocated memory.
262       Administrators can give any size for aud    262       Administrators can give any size for audit logs at runtime.
263                                                   263 
264     @ Use kzalloc() instead of kmalloc() + mem    264     @ Use kzalloc() instead of kmalloc() + memset().
265                                                   265 
266       kmalloc() + memset() were replaced with     266       kmalloc() + memset() were replaced with kzalloc().
267                                                   267 
268 Fix 2006/04/04                                    268 Fix 2006/04/04
269                                                   269 
270     @ Support "delayed enforcing" mode.           270     @ Support "delayed enforcing" mode.
271                                                   271 
272       Until now, access request was immediatel    272       Until now, access request was immediately rejected
273       if policy doesn't allow that access and     273       if policy doesn't allow that access and the system is
274       running in enforce mode.                    274       running in enforce mode.
275       Sometimes, especially after updating sof    275       Sometimes, especially after updating softwares,
276       some unexpected access requests arise fr    276       some unexpected access requests arise from proper procedure.
277       Such access requests should be granted b    277       Such access requests should be granted because
278       they are not caused by malicious attacks    278       they are not caused by malicious attacks.
279       So I introduced a mechanism to allow adm    279       So I introduced a mechanism to allow administrator some grace
280       to decide to grant or reject such access    280       to decide to grant or reject such access requests.
281       This mechanism is implemented in the fol    281       This mechanism is implemented in the following manner.
282         "Don't return immediately if permissio    282         "Don't return immediately if permission denied."
283         "Sleep for a while waiting administrat    283         "Sleep for a while waiting administrator's decision."
284         "Return successfully if administrator     284         "Return successfully if administrator tells to do so."
285                                                   285 
286 Fix 2006/04/12                                    286 Fix 2006/04/12
287                                                   287 
288     @ Fix handling of prefix in GetAbsolutePat    288     @ Fix handling of prefix in GetAbsolutePath().
289                                                   289 
290       Some objects doesn't have prefix "/".       290       Some objects doesn't have prefix "/".
291       Pipe has prefix "pipe:" and socket has p    291       Pipe has prefix "pipe:" and socket has prefix "socket:".
292       GetAbsolutePath() couldn't handle prefix    292       GetAbsolutePath() couldn't handle prefixes other than '/' properly.
293                                                   293 
294     @ Remove IsCorrectPath() checks for File A    294     @ Remove IsCorrectPath() checks for File Access Control functions.
295                                                   295 
296       File Access Control functions accepted o    296       File Access Control functions accepted only pathnames that start
297       with '/' because these functions assumed    297       with '/' because these functions assumed pathnames returned by
298       GetAbsolutePath() always start with '/'.    298       GetAbsolutePath() always start with '/'.
299       However, I found a program that opens an    299       However, I found a program that opens an unnamed pipe via
300       (probably) /proc/PID/fd/ directory. (You    300       (probably) /proc/PID/fd/ directory. (You can see entries like
301       "pipe:[number]" if you run "ls -l /proc/    301       "pipe:[number]" if you run "ls -l /proc/*/fd/".)
302       Now, File Access Control functions have     302       Now, File Access Control functions have to accept pathnames
303       that don't start with '/'. So, I stopped    303       that don't start with '/'. So, I stopped checking IsCorrectPath().
304                                                   304 
305 Fix 2006/04/19                                    305 Fix 2006/04/19
306                                                   306 
307     @ Fix handling of NULL nameidata in vfs_op    307     @ Fix handling of NULL nameidata in vfs_open().
308                                                   308 
309       In 2.6 kernels, NFS daemon and sys_mq_op    309       In 2.6 kernels, NFS daemon and sys_mq_open() call
310       vfs_create() with NULL nameidata. In suc    310       vfs_create() with NULL nameidata. In such cases,
311       CheckSingleWritePermission() must not be    311       CheckSingleWritePermission() must not be called.
312                                                   312 
313 Version 1.1.1 2006/05/15   Functionality enhan    313 Version 1.1.1 2006/05/15   Functionality enhancement release.
314                                                   314 
315 Fix 2006/05/16                                    315 Fix 2006/05/16
316                                                   316 
317     @ Support program files aggregation.          317     @ Support program files aggregation.
318                                                   318 
319       Until now, programs that have no fixed n    319       Until now, programs that have no fixed names and their
320       parent programs had to be run in a trust    320       parent programs had to be run in a trusted domain
321       since it is impossible to use patterns f    321       since it is impossible to use patterns for granting
322       execute permission and defining domains.    322       execute permission and defining domains.
323       I introduced a mechanism to aggregate si    323       I introduced a mechanism to aggregate similar programs
324       using 'aggregator' directive.               324       using 'aggregator' directive.
325       Some examples:                              325       Some examples:
326                                                   326 
327         'aggregator /tmp/logrotate.\?\?\?\?\?\    327         'aggregator /tmp/logrotate.\?\?\?\?\?\? /tmp/logrotate.tmp'
328         to run all temporary programs for logr    328         to run all temporary programs for logrotate as /tmp/logrotate.tmp
329                                                   329 
330         'aggregator /usr/bin/tac /bin/cat'        330         'aggregator /usr/bin/tac /bin/cat'
331         to run /usr/bin/tac and /bin/cat as /b    331         to run /usr/bin/tac and /bin/cat as /bin/cat
332                                                   332 
333 Fix 2006/05/18                                    333 Fix 2006/05/18
334                                                   334 
335     @ Unlimit max count for audit log.            335     @ Unlimit max count for audit log.
336                                                   336 
337       I forgot to replace MAX_GRANT_LOG and MA    337       I forgot to replace MAX_GRANT_LOG and MAX_REJECT_LOG with INT_MAX
338       so that administrators can give any size    338       so that administrators can give any size for audit logs at runtime.
339                                                   339 
340 Fix 2006/05/22                                    340 Fix 2006/05/22
341                                                   341 
342     @ Support individual domain ACL removal.      342     @ Support individual domain ACL removal.
343                                                   343 
344       Until now, to remove ACLs from a domain,    344       Until now, to remove ACLs from a domain, administrator had to
345       once delete and recreate that domain, wh    345       once delete and recreate that domain, which wastes a lot of memory.
346       I introduced a mechanism to remove domai    346       I introduced a mechanism to remove domain ACL without deleting and
347       recreating domains.                         347       recreating domains.
348       Administrator can delete domains or remo    348       Administrator can delete domains or remove ACLs from domains
349       via /proc/ccs/policy/domain_policy .        349       via /proc/ccs/policy/domain_policy .
350       /proc/ccs/policy/delete_domain and /proc    350       /proc/ccs/policy/delete_domain and /proc/ccs/policy/update_domain
351       were removed.                               351       were removed.
352                                                   352 
353 Fix 2006/05/30                                    353 Fix 2006/05/30
354                                                   354 
355     @ Add missing spinlock in SAKURA_MayMount(    355     @ Add missing spinlock in SAKURA_MayMount().
356                                                   356 
357       vfsmount_lock was missing.                  357       vfsmount_lock was missing.
358                                                   358 
359 Version 1.1.2 2006/06/02   Functionality enhan    359 Version 1.1.2 2006/06/02   Functionality enhancement release.
360                                                   360 
361 Fix 2006/06/13                                    361 Fix 2006/06/13
362                                                   362 
363     @ Merge tomoyo_connect.c and tomoyo_bind.c    363     @ Merge tomoyo_connect.c and tomoyo_bind.c into tomoyo_port.c
364                                                   364 
365       I merged these files that have only diff    365       I merged these files that have only difference CONNECT and BIND,
366       that are likely to be enabled both or ne    366       that are likely to be enabled both or neither.
367                                                   367 
368     @ Add CONFIG_TOMOYO_AUDIT option.             368     @ Add CONFIG_TOMOYO_AUDIT option.
369                                                   369 
370       I made auditing functions as optional be    370       I made auditing functions as optional because some Linux boxes
371       may have not enough disk space to store     371       may have not enough disk space to store audit logs.
372                                                   372 
373 Fix 2006/06/15                                    373 Fix 2006/06/15
374                                                   374 
375     @ Support use of symbolic links for progra    375     @ Support use of symbolic links for program execution.
376                                                   376 
377       Until now, domains for programs executed    377       Until now, domains for programs executed by dereferencing
378       symbolic links were defined using derefe    378       symbolic links were defined using dereferenced pathnames.
379       This was inconvenient for some Linux box    379       This was inconvenient for some Linux boxes who use busybox but
380       can't keep hard links of busybox.           380       can't keep hard links of busybox.
381       I introduced a mechanism to allow using     381       I introduced a mechanism to allow using pathnames of
382       symbolic links using 'alias' directive.     382       symbolic links using 'alias' directive.
383       Some examples:                              383       Some examples:
384                                                   384 
385         'alias /sbin/busybox /bin/ls' to run /    385         'alias /sbin/busybox /bin/ls' to run /bin/ls
386         (which is a symbolic link to /sbin/bus    386         (which is a symbolic link to /sbin/busybox) as /bin/ls
387         if /bin/ls is executed.                   387         if /bin/ls is executed.
388                                                   388 
389         'alias /bin/bash /bin/sh' to run /bin/    389         'alias /bin/bash /bin/sh' to run /bin/sh
390         (which is a symbolic link to /bin/bash    390         (which is a symbolic link to /bin/bash) as /bin/sh
391         if /bin/sh is executed.                   391         if /bin/sh is executed.
392                                                   392 
393 Fix 2006/06/21                                    393 Fix 2006/06/21
394                                                   394 
395     @ Use ccs_alloc() instead of kzalloc().       395     @ Use ccs_alloc() instead of kzalloc().
396                                                   396 
397       To detect memory leaks,                     397       To detect memory leaks,
398       I added a wrapper for tracing kmalloc()     398       I added a wrapper for tracing kmalloc() and kfree().
399       There is no way to detect memory leaks c    399       There is no way to detect memory leaks caused by ccs-*.txt .
400                                                   400 
401 Version 1.1.3 2006/07/13   Functionality enhan    401 Version 1.1.3 2006/07/13   Functionality enhancement release.
402                                                   402 
403 Fix 2006/07/14                                    403 Fix 2006/07/14
404                                                   404 
405     @ Change behavior of pathname pattern matc    405     @ Change behavior of pathname pattern matching.
406                                                   406 
407       Until now, it was impossible to use patt    407       Until now, it was impossible to use patterns like "\*.txt" because
408       "\*" matched zero or more repetitions of    408       "\*" matched zero or more repetitions of characters until next '/'.
409       Now, "\*" matches zero or more repetitio    409       Now, "\*" matches zero or more repetitions of characters.
410                                                   410 
411       Until now, it was impossible to use patt    411       Until now, it was impossible to use patterns like "\$00"
412       because "\$" matched one or more repetit    412       because "\$" matched one or more repetitions of digits until next
413       non digit character.                        413       non digit character.
414       Now, "\$" matches one or more repetition    414       Now, "\$" matches one or more repetitions of digits.
415                                                   415 
416       Also, new patterns "\x" "\X" "\a" "\A" "    416       Also, new patterns "\x" "\X" "\a" "\A" "\@" are added.
417                                                   417 
418 Fix 2006/07/21                                    418 Fix 2006/07/21
419                                                   419 
420     @ Add CONFIG_TOMOYO_NETWORK option.           420     @ Add CONFIG_TOMOYO_NETWORK option.
421                                                   421 
422       Until now, only port numbers for TCP and    422       Until now, only port numbers for TCP and UDP were controllable.
423       Now, the combination of IPv4/IPv6 addres    423       Now, the combination of IPv4/IPv6 address and port numbers
424       for TCP and UDP is controllable.            424       for TCP and UDP is controllable.
425       CONFIG_TOMOYO_NETWORKPORT became obsolet    425       CONFIG_TOMOYO_NETWORKPORT became obsolete.
426                                                   426 
427 Fix 2006/07/25                                    427 Fix 2006/07/25
428                                                   428 
429     @ Change matching rule for CheckFileACL().    429     @ Change matching rule for CheckFileACL().
430                                                   430 
431       Until now, only first entry that matched    431       Until now, only first entry that matched the requested pathname
432       was used for permission checking. For ex    432       was used for permission checking. For example, two entries
433                                                   433 
434       "2 /tmp/file-\$.txt"                        434       "2 /tmp/file-\$.txt"
435       "4 /tmp/fil\?-0.txt"                        435       "4 /tmp/fil\?-0.txt"
436                                                   436 
437       are given in this order and requested pa    437       are given in this order and requested pathname is "/tmp/file-0.txt",
438       the "2 /tmp/file-\$.txt" is used. But if    438       the "2 /tmp/file-\$.txt" is used. But if two entries
439                                                   439 
440       "4 /tmp/fil\?-0.txt"                        440       "4 /tmp/fil\?-0.txt"
441       "2 /tmp/file-\$.txt"                        441       "2 /tmp/file-\$.txt"
442                                                   442 
443       are given in this order, the "4 /tmp/fil    443       are given in this order, the "4 /tmp/fil\?-0.txt" is used.
444       This may potentially cause trouble becau    444       This may potentially cause trouble because the result of
445       permission checks depends on the order o    445       permission checks depends on the order of entries.
446                                                   446 
447       Now, all entries that matched the reques    447       Now, all entries that matched the requested pathname
448       are used for permission checking so that    448       are used for permission checking so that the result of
449       permission checks doesn't depend on the     449       permission checks doesn't depend on the order of entries.
450                                                   450 
451 Fix 2006/07/27                                    451 Fix 2006/07/27
452                                                   452 
453     @ Support RAW IPv4/IPv6 control.              453     @ Support RAW IPv4/IPv6 control.
454                                                   454 
455       Some programs such as 'ping' and 'tracer    455       Some programs such as 'ping' and 'traceroute' use raw IP socket.
456       Now, the combination of IPv4/IPv6 addres    456       Now, the combination of IPv4/IPv6 address and protocol numbers
457       for IP is controllable.                     457       for IP is controllable.
458                                                   458 
459 Fix 2006/08/04                                    459 Fix 2006/08/04
460                                                   460 
461     @ Add filename and argv[0] comparison chec    461     @ Add filename and argv[0] comparison check.
462                                                   462 
463       The domain transition was done based on     463       The domain transition was done based on filename passed to do_execve(),
464       while the behavior was defined based on     464       while the behavior was defined based on argv[0].
465       There is no problem if the filename is a    465       There is no problem if the filename is argv[0]-unaware application.
466       But if argv[0]-aware, access control byp    466       But if argv[0]-aware, access control bypassing happens if the process
467       transits to trusted domain but behaves a    467       transits to trusted domain but behaves as different program.
468       For example, when the administrator spec    468       For example, when the administrator specifies domain for /bin/ls as
469       trusted but both /bin/ls and /bin/cat ar    469       trusted but both /bin/ls and /bin/cat are links to /sbin/busybox ,
470       a cracker can run /bin/cat in a trusted     470       a cracker can run /bin/cat in a trusted domain if the cracker
471       succeeds to invoke do_execve() with file    471       succeeds to invoke do_execve() with filename = "/bin/ls" and
472       argv[0] = "/bin/cat".                       472       argv[0] = "/bin/cat".
473                                                   473 
474       I introduced a directive that permits th    474       I introduced a directive that permits the mismatch of
475       basename of filename and argv[0].           475       basename of filename and argv[0].
476                                                   476 
477 Fix 2006/08/10                                    477 Fix 2006/08/10
478                                                   478 
479     @ Support ID based condition checks.          479     @ Support ID based condition checks.
480                                                   480 
481       It was impossible to use process id (uid    481       It was impossible to use process id (uid and gid and so on) for
482       checking individual domain ACL.             482       checking individual domain ACL.
483                                                   483 
484       Now it became possible to use process id    484       Now it became possible to use process id for checking individual
485       domain ACL. For example,                    485       domain ACL. For example,
486                                                   486 
487         "1 /bin/sh if task.euid!=0"               487         "1 /bin/sh if task.euid!=0"
488                                                   488 
489       allows the domain to execute /bin/sh onl    489       allows the domain to execute /bin/sh only when the process's euid
490       is not 0, and                               490       is not 0, and
491                                                   491 
492         "6 /home/\*/\* if task.uid=path1.uid"     492         "6 /home/\*/\* if task.uid=path1.uid"
493                                                   493 
494       allows the domain to read-write user's h    494       allows the domain to read-write user's home directory
495       only when the file's owner matches the p    495       only when the file's owner matches the process's uid.
496                                                   496 
497 Fix 2006/08/22                                    497 Fix 2006/08/22
498                                                   498 
499     @ Fix ROUNDUP() in fs/realpath.c .            499     @ Fix ROUNDUP() in fs/realpath.c .
500                                                   500 
501       Alignment using sizeof(int) may be inapp    501       Alignment using sizeof(int) may be inappropriate for 64bit environment.
502       I changed to use the larger size of 'voi    502       I changed to use the larger size of 'void *' and 'long'
503       instead of 'int'.                           503       instead of 'int'.
504       For environment where sizeof(int) = size    504       For environment where sizeof(int) = sizeof(long) = sizeof(void *),
505       this change has no effect.                  505       this change has no effect.
506                                                   506 
507 Version 1.2   2006/09/03   Functionality enhan    507 Version 1.2   2006/09/03   Functionality enhancement release.
508                                                   508 
509 Fix 2006/09/30                                    509 Fix 2006/09/30
510                                                   510 
511     @ Fix CheckFilePerm() in fs/tomoyo_file.c     511     @ Fix CheckFilePerm() in fs/tomoyo_file.c .
512                                                   512 
513       The location to call path_release() was     513       The location to call path_release() was too early.
514                                                   514 
515 Fix 2006/10/02                                    515 Fix 2006/10/02
516                                                   516 
517     @ Support per-domain profile.                 517     @ Support per-domain profile.
518                                                   518 
519       It became possible to assign different p    519       It became possible to assign different profiles for different domains.
520       This will help administrators using buil    520       This will help administrators using building up approach.
521                                                   521 
522 Fix 2006/10/05                                    522 Fix 2006/10/05
523                                                   523 
524     @ Change parameters for CheckFilePerm().      524     @ Change parameters for CheckFilePerm().
525                                                   525 
526       I was re-resolving pathnames inside Chec    526       I was re-resolving pathnames inside CheckFilePerm() even though
527       the caller function already resolved the    527       the caller function already resolved them.
528       So I changed to pass dentry and vfsmount    528       So I changed to pass dentry and vfsmount instead of pathname,
529       and removed changes made on 2006/09/30.     529       and removed changes made on 2006/09/30.
530                                                   530 
531 Fix 2006/10/06                                    531 Fix 2006/10/06
532                                                   532 
533     @ Support deny_rewrite and allow_rewrite p    533     @ Support deny_rewrite and allow_rewrite permission.
534                                                   534 
535       It became possible to make regular files    535       It became possible to make regular files append-only
536       using "deny_rewrite" directive in except    536       using "deny_rewrite" directive in exception policy and
537       override it using "allow_rewrite" direct    537       override it using "allow_rewrite" directive in domain policy.
538                                                   538 
539       Regular files specified using "deny_rewr    539       Regular files specified using "deny_rewrite" directive
540         can't be open()ed with O_TRUNC or with    540         can't be open()ed with O_TRUNC or without O_APPEND,
541         can't be truncate()ed or ftruncate()ed    541         can't be truncate()ed or ftruncate()ed,
542         can't be turned O_APPEND flag off usin    542         can't be turned O_APPEND flag off using fcntl(F_SETFL)
543       unless specified using "allow_rewrite" d    543       unless specified using "allow_rewrite" directive.
544                                                   544 
545 Fix 2006/10/12                                    545 Fix 2006/10/12
546                                                   546 
547     @ Enable configuration options by default     547     @ Enable configuration options by default for kernel config.
548                                                   548 
549       CONFIG_SAKURA and CONFIG_TOMOYO are now     549       CONFIG_SAKURA and CONFIG_TOMOYO are now 'y' by default
550       and CONFIG_SYAORAN is now 'm' by default    550       and CONFIG_SYAORAN is now 'm' by default.
551                                                   551 
552 Fix 2006/10/13                                    552 Fix 2006/10/13
553                                                   553 
554     @ Use external policy loader.                 554     @ Use external policy loader.
555                                                   555 
556       Until now, policies are loaded when /sbi    556       Until now, policies are loaded when /sbin/init starts and
557       initial control levels are switched usin    557       initial control levels are switched using CCS= parameter.
558       But since some boxes have to fixate kern    558       But since some boxes have to fixate kernel command line options
559       at compilation time, I think it will bec    559       at compilation time, I think it will become more flexible
560       by running external policy loader using     560       by running external policy loader using init= parameter so that
561       initial control levels can be specified     561       initial control levels can be specified before /sbin/init starts.
562                                                   562 
563       Call panic() if initial control levels a    563       Call panic() if initial control levels are not specified.
564                                                   564 
565 Fix 2006/10/16                                    565 Fix 2006/10/16
566                                                   566 
567     @ Add missing parameter in FindNextDomain(    567     @ Add missing parameter in FindNextDomain().
568                                                   568 
569       'struct file' was needed for allowing 'i    569       'struct file' was needed for allowing 'if path1.*' checks.
570                                                   570 
571 Fix 2006/10/23                                    571 Fix 2006/10/23
572                                                   572 
573     @ Print error messages in CheckFlags().       573     @ Print error messages in CheckFlags().
574                                                   574 
575       Some users seem to have troubles picking    575       Some users seem to have troubles picking up all necessary
576       entries for the configuration file of SY    576       entries for the configuration file of SYAORAN filesystem
577       since makesyaoranconf can't pick up entr    577       since makesyaoranconf can't pick up entries that are
578       nonexistent at the time.                    578       nonexistent at the time.
579       I added error message so that users can     579       I added error message so that users can find missing entries
580       using dmesg.                                580       using dmesg.
581                                                   581 
582 Fix 2006/10/24                                    582 Fix 2006/10/24
583                                                   583 
584     @ Change /proc/ccs/info/self_domain .         584     @ Change /proc/ccs/info/self_domain .
585                                                   585 
586       I changed /proc/ccs/info/self_domain to     586       I changed /proc/ccs/info/self_domain to return
587       the domain of open time rather than firs    587       the domain of open time rather than first read time.
588       This modification makes shell's redirect    588       This modification makes shell's redirection usage
589       more convenient since redirection opens     589       more convenient since redirection opens file
590       but doesn't read at the time.               590       but doesn't read at the time.
591                                                   591 
592       'cat < /proc/ccs/info/self_domain' will     592       'cat < /proc/ccs/info/self_domain' will return
593       the domain of shell, and                    593       the domain of shell, and
594       'cat /proc/ccs/info/self_domain' will re    594       'cat /proc/ccs/info/self_domain' will return
595       the domain of cat .                         595       the domain of cat .
596                                                   596 
597 Fix 2006/11/06                                    597 Fix 2006/11/06
598                                                   598 
599     @ Replace MAX_ENFORCE_GRACE with ALLOW_ENF    599     @ Replace MAX_ENFORCE_GRACE with ALLOW_ENFORCE_GRACE.
600                                                   600 
601       Since it was inconvenient that requests     601       Since it was inconvenient that requests that are waiting for
602       supervisor's decision are rejected autom    602       supervisor's decision are rejected automatically when
603       MAX_ENFORCE_GRACE seconds has elapsed, I    603       MAX_ENFORCE_GRACE seconds has elapsed, I modified WriteAnswer()
604       reset timeout counter whenever a supervi    604       reset timeout counter whenever a supervisor's decision is written
605       and I modified ccs-queryd write a dummy     605       and I modified ccs-queryd write a dummy decision every seconds
606       so that the requests won't be rejected a    606       so that the requests won't be rejected automatically as long as
607       ccs-queryd is running.                      607       ccs-queryd is running.
608       This change made MAX_ENFORCE_GRACE's mea    608       This change made MAX_ENFORCE_GRACE's meaning boolean.
609       So I fixated MAX_ENFORCE_GRACE to 10 sec    609       So I fixated MAX_ENFORCE_GRACE to 10 seconds and removed
610       MAX_ENFORCE_GRACE parameter.                610       MAX_ENFORCE_GRACE parameter.
611       To allow administrators selectively enab    611       To allow administrators selectively enable "delayed enforcing"
612       mode, I added ALLOW_ENFORCE_GRACE parame    612       mode, I added ALLOW_ENFORCE_GRACE parameter.
613       The behavior of "delayed enforcing" mode    613       The behavior of "delayed enforcing" mode is defined
614       in the following order.                     614       in the following order.
615                                                   615 
616       (1) The requests are rejected immediatel    616       (1) The requests are rejected immediately if ALLOW_ENFORCE_GRACE=0.
617       (2) The requests are rejected immediatel    617       (2) The requests are rejected immediately
618           if nobody is opening /proc/ccs/polic    618           if nobody is opening /proc/ccs/policy/query interface.
619       (3) The requests won't be rejected autom    619       (3) The requests won't be rejected automatically
620           if ALLOW_ENFORCE_GRACE=1 and ccs-que    620           if ALLOW_ENFORCE_GRACE=1 and ccs-queryd is running.
621       (4) The requests will be rejected in 10     621       (4) The requests will be rejected in 10 seconds
622           if somebody other than ccs-queryd (s    622           if somebody other than ccs-queryd (such as less(1)) is
623           opening /proc/ccs/policy/query inter    623           opening /proc/ccs/policy/query interface, for
624           such process doesn't write dummy dec    624           such process doesn't write dummy decisions.
625                                                   625 
626 Version 1.3   2006/11/11   First anniversary r    626 Version 1.3   2006/11/11   First anniversary release.
627                                                   627 
628 Fix 2006/11/13                                    628 Fix 2006/11/13
629                                                   629 
630     @ Replace trust_domain with keep_domain.      630     @ Replace trust_domain with keep_domain.
631                                                   631 
632       Since it was troublesome that there are     632       Since it was troublesome that there are two elements that can disable MAC
633       (assigning a profile that doesn't enable    633       (assigning a profile that doesn't enable MAC or registering domains
634       with trust_domain directive), I removed     634       with trust_domain directive), I removed trust_domain directive.
635       Instead, I introduced keep_domain direct    635       Instead, I introduced keep_domain directive to not to transit domains
636       unless a program registered with initial    636       unless a program registered with initializer directive is executed.
637       This change has the following advantages    637       This change has the following advantages.
638                                                   638 
639       (1) Allows administrator use "enforce mo    639       (1) Allows administrator use "enforce mode" for operations after login.
640           Since it was difficult to know what     640           Since it was difficult to know what commands and files are invoked
641           and accessed in what sequences befor    641           and accessed in what sequences beforehand, we had to use trust_domain
642           directive for such domain, allowing     642           directive for such domain, allowing users invoke any commands and
643           access any files in any sequence.       643           access any files in any sequence.
644           But now, we can use keep_domain dire    644           But now, we can use keep_domain directive and assign a profile for
645           "enforce mode" for such domain, forc    645           "enforce mode" for such domain, forcing users invoke only allowed
646           commands and access only allowed fil    646           commands and access only allowed files in any sequence
647           while these operations are kept unde    647           while these operations are kept under the control of "enforce mode".
648                                                   648 
649       (2) Allows administrator determine easil    649       (2) Allows administrator determine easily whether the domain is
650           under MAC or not because only the pr    650           under MAC or not because only the profile currently assigned to
651           the domain determines it.               651           the domain determines it.
652                                                   652 
653       (3) Saves total number of domains and me    653       (3) Saves total number of domains and memory.
654                                                   654 
655 Fix 2006/11/22                                    655 Fix 2006/11/22
656                                                   656 
657     @ Don't allow use of undefined profile.       657     @ Don't allow use of undefined profile.
658                                                   658 
659       To avoid assigning undefined profile to     659       To avoid assigning undefined profile to domains by error,
660       I added checks before assigning profiles    660       I added checks before assigning profiles to domains.
661       Now, profiles have to be defined prior t    661       Now, profiles have to be defined prior to assigning them to domains.
662                                                   662 
663 Version 1.3.1 2006/12/08   Minor update releas    663 Version 1.3.1 2006/12/08   Minor update release.
664                                                   664 
665 Fix 2006/12/10                                    665 Fix 2006/12/10
666                                                   666 
667     @ Allow pathname grouping.                    667     @ Allow pathname grouping.
668                                                   668 
669       To reduce the labor of repeating '/\*' t    669       To reduce the labor of repeating '/\*' to allow access recursively,
670       I introduced a macro 'path_group' to mak    670       I introduced a macro 'path_group' to make group such pathnames.
671       For example, you had to give like           671       For example, you had to give like
672                                                   672 
673         4 /var/www/html/\*                        673         4 /var/www/html/\*
674         4 /var/www/html/\*/\*                     674         4 /var/www/html/\*/\*
675         4 /var/www/html/\*/\*/\*                  675         4 /var/www/html/\*/\*/\*
676         4 /var/www/html/\*/\*/\*/\*               676         4 /var/www/html/\*/\*/\*/\*
677                                                   677 
678       but now, you can give just                  678       but now, you can give just
679                                                   679 
680         4 @WEB-CONTENTS                           680         4 @WEB-CONTENTS
681                                                   681 
682       if you give                                 682       if you give
683                                                   683 
684         path_group WEB-CONTENTS /var/www/html/    684         path_group WEB-CONTENTS /var/www/html/\*
685         path_group WEB-CONTENTS /var/www/html/    685         path_group WEB-CONTENTS /var/www/html/\*/\*
686         path_group WEB-CONTENTS /var/www/html/    686         path_group WEB-CONTENTS /var/www/html/\*/\*/\*
687         path_group WEB-CONTENTS /var/www/html/    687         path_group WEB-CONTENTS /var/www/html/\*/\*/\*/\*
688                                                   688 
689       in the exception policy.                    689       in the exception policy.
690       This macro will be useful when grouping     690       This macro will be useful when grouping different directories.
691                                                   691 
692 Fix 2006/12/15                                    692 Fix 2006/12/15
693                                                   693 
694     @ Use structured pathnames instead for sim    694     @ Use structured pathnames instead for simple 'char *'.
695                                                   695 
696       To reduce the cost of strcmp(), I change    696       To reduce the cost of strcmp(), I changed the return value of
697       SaveName() from 'const char *' to 'const    697       SaveName() from 'const char *' to 'const struct path_info *'.
698       This change will speed up PathMatchesToP    698       This change will speed up PathMatchesToPattern() comparison.
699                                                   699 
700 Fix 2006/12/19                                    700 Fix 2006/12/19
701                                                   701 
702     @ Allow registering policy managers using     702     @ Allow registering policy managers using domainnames.
703                                                   703 
704       It was difficult to restrict programs th    704       It was difficult to restrict programs that can update policies
705       via /proc/ccs/ interfaces using pathname    705       via /proc/ccs/ interfaces using pathnames of these programs, for
706       these programs could be unintendedly inv    706       these programs could be unintendedly invoked.
707       Now, it became possible to restrict doma    707       Now, it became possible to restrict domains that can update policies
708       via /proc/ccs/ interfaces as well as pro    708       via /proc/ccs/ interfaces as well as programs.
709       By restricting using domainnames, it bec    709       By restricting using domainnames, it becomes easier to avoid
710       unintended invocation.                      710       unintended invocation.
711                                                   711 
712 Fix 2006/12/22                                    712 Fix 2006/12/22
713                                                   713 
714     @ Add initialize_domain,no_initizlize_doma    714     @ Add initialize_domain,no_initizlize_domain,no_keep_domain
715                                                   715 
716       To control domain transitions more stric    716       To control domain transitions more strictly,
717       initialize_domain,no_initizlize_domain,n    717       initialize_domain,no_initizlize_domain,no_keep_domain directives
718       were introduced.                            718       were introduced.
719                                                   719 
720       "initialize_domain /some/program" means     720       "initialize_domain /some/program" means
721       jump to "<kernel> /some/program" domain     721       jump to "<kernel> /some/program" domain if /some/program is
722       called from any domain.                     722       called from any domain.
723       This is equivalent to conventional "init    723       This is equivalent to conventional "initializer /some/program".
724                                                   724 
725       "initialize_domain /some/program from so    725       "initialize_domain /some/program from some_domain" means
726       jump to "<kernel> /some/program" domain     726       jump to "<kernel> /some/program" domain only if /some/program is
727       called from "some_domain" domain.           727       called from "some_domain" domain.
728                                                   728 
729       "no_initialize_domain /some/program" mea    729       "no_initialize_domain /some/program" means
730       don't jump to "<kernel> /some/program" d    730       don't jump to "<kernel> /some/program" domain even if
731       "initialize_domain /some/program" or        731       "initialize_domain /some/program" or
732       "initialize_domain /some/program from so    732       "initialize_domain /some/program from some_domain" are given
733       if /some/program is called from any doma    733       if /some/program is called from any domain.
734                                                   734 
735       "no_initialize_domain /some/program from    735       "no_initialize_domain /some/program from some_domain" means
736       don't jump to "<kernel> /some/program" d    736       don't jump to "<kernel> /some/program" domain even if
737       "initialize_domain /some/program" or        737       "initialize_domain /some/program" or
738       "initialize_domain /some/program from so    738       "initialize_domain /some/program from some_domain" are given
739       if /some/program is called from "some_do    739       if /some/program is called from "some_domain" domain.
740                                                   740 
741       "keep_domain some_domain" means don't ju    741       "keep_domain some_domain" means don't jump to child domain
742       if any programs are called from "some_do    742       if any programs are called from "some_domain" domain.
743                                                   743 
744       "keep_domain /some/program from some_dom    744       "keep_domain /some/program from some_domain" means
745       don't jump to child domain only if /some    745       don't jump to child domain only if /some/program is
746       called from "some_domain" domain.           746       called from "some_domain" domain.
747                                                   747 
748       "no_keep_domain some_domain" means          748       "no_keep_domain some_domain" means
749       jump to child domain even if                749       jump to child domain even if
750       "keep_domain /some/program" or              750       "keep_domain /some/program" or
751       "keep_domain /some/program from some_dom    751       "keep_domain /some/program from some_domain" are given
752       if any programs are called from "some_do    752       if any programs are called from "some_domain" domain.
753                                                   753 
754       "no_keep_domain /some/program from some_    754       "no_keep_domain /some/program from some_domain" means
755       jump to child domain even if                755       jump to child domain even if
756       "keep_domain /some/program" or              756       "keep_domain /some/program" or
757       "keep_domain /some/program from some_dom    757       "keep_domain /some/program from some_domain" are given
758       if /some/program is called from "some_do    758       if /some/program is called from "some_domain" domain.
759                                                   759 
760       "some_domain" can be just the last compo    760       "some_domain" can be just the last component of domainname.
761       For example, giving "/bin/mail" as "some    761       For example, giving "/bin/mail" as "some_domain" matches
762       all domains whose domainname ends with "    762       all domains whose domainname ends with "/bin/mail".
763                                                   763 
764 Fix 2007/01/19                                    764 Fix 2007/01/19
765                                                   765 
766     @ Allow reuse of memory allocated for doma    766     @ Allow reuse of memory allocated for domain policy.
767                                                   767 
768       Regarding domain policy, unlike other po    768       Regarding domain policy, unlike other policies, didn't have
769       "is_deleted" flag and new memory were al    769       "is_deleted" flag and new memory were allocated
770       if the deleted entries are given again.     770       if the deleted entries are given again.
771       But to allow administrators switch domai    771       But to allow administrators switch domain policy periodically,
772       I introduced "is_deleted" flag.             772       I introduced "is_deleted" flag.
773                                                   773 
774       Writing "some_domain" to /proc/ccs/polic    774       Writing "some_domain" to /proc/ccs/policy/domain_policy
775       creates "some_domain" using new memory i    775       creates "some_domain" using new memory if it didn't exist.
776                                                   776 
777       Writing "select some_domain" doesn't cre    777       Writing "select some_domain" doesn't create "some_domain"
778       if it didn't exist.                         778       if it didn't exist.
779                                                   779 
780       Writing "delete some_domain" deletes "so    780       Writing "delete some_domain" deletes "some_domain"
781       but does not delete entries in "some_dom    781       but does not delete entries in "some_domain".
782                                                   782 
783       Writing "undelete some_domain" undeletes    783       Writing "undelete some_domain" undeletes "some_domain"
784       if it was deleted by "delete some_domain    784       if it was deleted by "delete some_domain".
785                                                   785 
786 Fix 2007/01/22                                    786 Fix 2007/01/22
787                                                   787 
788     @ Allow getting already deleted pathnames.    788     @ Allow getting already deleted pathnames.
789                                                   789 
790       To allow getting pathnames that are alre    790       To allow getting pathnames that are already deleted,
791       I removed (IS_ROOT(dentry) || !d_unhashe    791       I removed (IS_ROOT(dentry) || !d_unhashed(dentry)) check.
792                                                   792 
793 Fix 2007/01/26                                    793 Fix 2007/01/26
794                                                   794 
795     @ Limit string length to 4000.                795     @ Limit string length to 4000.
796                                                   796 
797       I was using PAGE_SIZE (4096 in many envi    797       I was using PAGE_SIZE (4096 in many environments)
798       as the max length of any string data.       798       as the max length of any string data.
799       But for environments that have larger PA    799       But for environments that have larger PAGE_SIZE,
800       doing memset(ptr, 0, PAGE_SIZE) every ti    800       doing memset(ptr, 0, PAGE_SIZE) every time is too wasteful.
801                                                   801 
802 Fix 2007/01/29                                    802 Fix 2007/01/29
803                                                   803 
804     @ Add garbage collector for domain policy.    804     @ Add garbage collector for domain policy.
805                                                   805 
806       Writing "some_domain" to /proc/ccs/polic    806       Writing "some_domain" to /proc/ccs/policy/domain_policy
807       creates "some_domain" using new memory o    807       creates "some_domain" using new memory only if
808       some process is staying at that deleted     808       some process is staying at that deleted domain.
809       If no process is staying at that deleted    809       If no process is staying at that deleted domain,
810       "some_domain" is undeleted with all ACLs    810       "some_domain" is undeleted with all ACLs deleted.
811                                                   811 
812 Version 1.3.2 2007/02/14   Usability enhanceme    812 Version 1.3.2 2007/02/14   Usability enhancement release.
813                                                   813 
814 Fix 2007/02/20                                    814 Fix 2007/02/20
815                                                   815 
816     @ Allow address grouping.                     816     @ Allow address grouping.
817                                                   817 
818       To reduce the labor of repeating similar    818       To reduce the labor of repeating similar IPv4/IPv6 addresses,
819       I introduced a macro 'address_group' to     819       I introduced a macro 'address_group' to make group such addresses.
820       For example, you had to give like           820       For example, you had to give like
821                                                   821 
822         allow_network TCP accept 10.0.0.0-10.2    822         allow_network TCP accept 10.0.0.0-10.255.255.255 1024-65535
823         allow_network TCP accept 172.16.0.0-17    823         allow_network TCP accept 172.16.0.0-172.31.255.255 1024-65535
824         allow_network TCP accept 192.168.0.0-1    824         allow_network TCP accept 192.168.0.0-192.168.255.255 1024-65535
825                                                   825 
826       but now, you can give just                  826       but now, you can give just
827                                                   827 
828         allow_network TCP accept @localnet 102    828         allow_network TCP accept @localnet 1024-65535
829                                                   829 
830       if you give                                 830       if you give
831                                                   831 
832         address_group localnet 10.0.0.0-10.255    832         address_group localnet 10.0.0.0-10.255.255.255
833         address_group localnet 172.16.0.0-172.    833         address_group localnet 172.16.0.0-172.31.255.255
834         address_group localnet 192.168.0.0-192    834         address_group localnet 192.168.0.0-192.168.255.255
835                                                   835 
836       in the exception policy.                    836       in the exception policy.
837                                                   837 
838 Fix 2007/03/03                                    838 Fix 2007/03/03
839                                                   839 
840     @ Remove obsolete functions.                  840     @ Remove obsolete functions.
841                                                   841 
842     @ Add some hooks.                             842     @ Add some hooks.
843                                                   843 
844       Read permission check is done if open_ex    844       Read permission check is done if open_exec()
845       is called from search_binary_handler().     845       is called from search_binary_handler().
846       Read permission check is not done if ope    846       Read permission check is not done if open_exec()
847       is called from do_execve(), instead,        847       is called from do_execve(), instead,
848       execute permission check is done at         848       execute permission check is done at
849       search_binary_handler_with_transition().    849       search_binary_handler_with_transition().
850                                                   850 
851       I moved the location of calling CheckCap    851       I moved the location of calling CheckCapabilityACL()
852       and CheckMountPermission() from sys_moun    852       and CheckMountPermission() from sys_mount() to do_mount().
853                                                   853 
854 Fix 2007/03/07                                    854 Fix 2007/03/07
855                                                   855 
856     @ Use 'unsigned int' for sscanf().            856     @ Use 'unsigned int' for sscanf().
857                                                   857 
858       I compiled SYAORAN fs on x86_64 environm    858       I compiled SYAORAN fs on x86_64 environment and found
859       the compiler showing warning messages ab    859       the compiler showing warning messages about size of data types.
860       Since size of data types may mismatch fo    860       Since size of data types may mismatch for sscanf(),
861       I replaced some types with 'unsigned int    861       I replaced some types with 'unsigned int'.
862                                                   862 
863 Version 1.4   2007/04/01   x86_64 support rele    863 Version 1.4   2007/04/01   x86_64 support release.
864                                                   864 
865 Fix 2007/04/18                                    865 Fix 2007/04/18
866                                                   866 
867     @ Change argv[0] checking rule.               867     @ Change argv[0] checking rule.
868                                                   868 
869       I was comparing the basename of symbolic    869       I was comparing the basename of symbolic link's pathname and argv[0].
870       Since execute permission check and domai    870       Since execute permission check and domain transition are done
871       based on realpath while argv[0] check is    871       based on realpath while argv[0] check is done based on the symlink's
872       pathname and argv[0], this specification    872       pathname and argv[0], this specification will allow attackers behave
873       as /bin/cat in the domain of /bin/ls if     873       as /bin/cat in the domain of /bin/ls if "/bin/ls and /bin/cat are
874       links to /sbin/busybox" and "the attacke    874       links to /sbin/busybox" and "the attacker is permitted to create
875       a symlink named ~/cat that points to /bi    875       a symlink named ~/cat that points to /bin/ls" and "the attacker is
876       permitted to run /bin/ls".                  876       permitted to run /bin/ls".
877       So, I changed to compare the basename of    877       So, I changed to compare the basename of realpath and argv[0].
878       Also, I moved the location to compare be    878       Also, I moved the location to compare before processing
879       "aggregator" directive so that              879       "aggregator" directive so that
880       "aggregator /tmp/logrotate.\?\?\?\?\?\?     880       "aggregator /tmp/logrotate.\?\?\?\?\?\? /tmp/logrotate.tmp"
881       won't cause the mismatch of the basename    881       won't cause the mismatch of the basename of realpath and argv[0].
882                                                   882 
883       If /bin/ls is a symlink to /sbin/busybox    883       If /bin/ls is a symlink to /sbin/busybox, then
884       creating a symlink named ~/cat that poin    884       creating a symlink named ~/cat that points to /bin/ls and
885       executing ~/cat won't work as expected b    885       executing ~/cat won't work as expected because permission check and
886       domain transition are done using /sbin/b    886       domain transition are done using /sbin/busybox (realpath of /bin/ls)
887       and will be rejected since the administr    887       and will be rejected since the administrator won't grant
888       "1 /sbin/busybox".                          888       "1 /sbin/busybox".
889                                                   889 
890 Fix 2007/05/07                                    890 Fix 2007/05/07
891                                                   891 
892     @ Support pathname subtraction.               892     @ Support pathname subtraction.
893                                                   893 
894       There was no way to exclude specific pat    894       There was no way to exclude specific pathnames when granting
895       permissions using wildcards.                895       permissions using wildcards.
896       There would be a need to exclude specifi    896       There would be a need to exclude specific files and directories.
897       I introduced "\-" as subtraction operato    897       I introduced "\-" as subtraction operator.
898                                                   898 
899         "A\-B" means "A" other than "B".          899         "A\-B" means "A" other than "B".
900         "A\-B\-C" means "A" other than "B" and    900         "A\-B\-C" means "A" other than "B" and "C".
901         "A\-B\-C\-D" means "A" other than "B"     901         "A\-B\-C\-D" means "A" other than "B" and "C" and "D".
902                                                   902 
903       "A", "B", "C", "D" may contain wildcards    903       "A", "B", "C", "D" may contain wildcards.
904                                                   904 
905       An example usage is "/home/\*/\*\-.ssh/\    905       An example usage is "/home/\*/\*\-.ssh/\*", which means
906       "/home/\*/\*/\*" other than "/home/\*/.s    906       "/home/\*/\*/\*" other than "/home/\*/.ssh/\*".
907                                                   907 
908       "A" should contain wildcards because sub    908       "A" should contain wildcards because subtraction from constants
909       (e.g. "/usr\-usr/" or "/usr\-home/") is     909       (e.g. "/usr\-usr/" or "/usr\-home/") is meaningless.
910                                                   910 
911       Don't try "A\-B\+C" because "\+" is not     911       Don't try "A\-B\+C" because "\+" is not addition operator.
912                                                   912 
913 Fix 2007/05/24                                    913 Fix 2007/05/24
914                                                   914 
915     @ Fix autobind hook.                          915     @ Fix autobind hook.
916                                                   916 
917       The location to call SAKURA_MayAutobind(    917       The location to call SAKURA_MayAutobind() in net/ipv4/udp.c
918       and net/ipv6/udp.c were wrong.              918       and net/ipv6/udp.c were wrong.
919                                                   919 
920 Fix 2007/06/03                                    920 Fix 2007/06/03
921                                                   921 
922     @ Add a space in MakeMountOptions().          922     @ Add a space in MakeMountOptions().
923                                                   923 
924       I forgot to add a space after "atime" an    924       I forgot to add a space after "atime" and "noatime".
925                                                   925 
926 Version 1.4.1 2007/06/05   Minor update releas    926 Version 1.4.1 2007/06/05   Minor update release.
927                                                   927 
928 Fix 2007/07/04                                    928 Fix 2007/07/04
929                                                   929 
930     @ Fix ReadAddressGroupPolicy() bug.           930     @ Fix ReadAddressGroupPolicy() bug.
931                                                   931 
932       ReadAddressGroupPolicy() fails if both "    932       ReadAddressGroupPolicy() fails if both "path_group" and "address_group"
933       are used because I forgot to set "head->    933       are used because I forgot to set "head->read_var1 = NULL".
934                                                   934 
935 Fix 2007/07/10                                    935 Fix 2007/07/10
936                                                   936 
937     @ Add compat_sys_stime() hook.                937     @ Add compat_sys_stime() hook.
938                                                   938 
939       Some of 64bit kernels support compat_sys    939       Some of 64bit kernels support compat_sys_stime()
940       but permission check was missing.           940       but permission check was missing.
941                                                   941 
942 Version 1.4.2 2007/07/13   Bug fix release.       942 Version 1.4.2 2007/07/13   Bug fix release.
943                                                   943 
944 Fix 2007/08/06                                    944 Fix 2007/08/06
945                                                   945 
946     @ Remove mount-flags manipulation.            946     @ Remove mount-flags manipulation.
947                                                   947 
948       Until now, administrator is permitted to    948       Until now, administrator is permitted to turn on/off specific mount
949       options regardless of mount options pass    949       options regardless of mount options passed to kernel.
950       I removed this feature because "exact op    950       I removed this feature because "exact option matching" sounds better than
951       "automatic option enabler/disabler".        951       "automatic option enabler/disabler".
952                                                   952 
953     @ Remove /proc/ccs/info/mapping .             953     @ Remove /proc/ccs/info/mapping .
954                                                   954 
955       I removed /proc/ccs/info/mapping because    955       I removed /proc/ccs/info/mapping because nobody seems to use this
956       feature.                                    956       feature.
957                                                   957 
958     @ Call external policy loader automaticall    958     @ Call external policy loader automatically.
959                                                   959 
960       Until now, users had to add init=/.init     960       Until now, users had to add init=/.init parameter to load policy
961       before /sbin/init starts.                   961       before /sbin/init starts.
962       I inserted call_usermodehelper() to call    962       I inserted call_usermodehelper() to call external policy loader when
963       execve("/sbin/init") is requested and ex    963       execve("/sbin/init") is requested and external policy loader exists.
964                                                   964 
965       This change will remove init=/.init para    965       This change will remove init=/.init parameter from most environment,
966       although call_usermodehelper() can't han    966       although call_usermodehelper() can't handle interactive operations.
967                                                   967 
968     @ Move external policy loader from /.init     968     @ Move external policy loader from /.init to /sbin/ccs-init .
969                                                   969 
970       Installing programs in / directory is no    970       Installing programs in / directory is not good for packaging.
971                                                   971 
972 Fix 2007/08/13                                    972 Fix 2007/08/13
973                                                   973 
974     @ Update external policy loader.              974     @ Update external policy loader.
975                                                   975 
976       It turned out that /sbin/ccs-init invoke    976       It turned out that /sbin/ccs-init invoked via call_usermodehelper()
977       can handle interactive operations by ope    977       can handle interactive operations by opening /dev/console .
978       Now, there is no difference between init    978       Now, there is no difference between init=/sbin/ccs-init and
979       call_usermodehelper("/sbin/ccs-init"), a    979       call_usermodehelper("/sbin/ccs-init"), and users no longer need to
980       add init=/sbin/ccs-init parameter to loa    980       add init=/sbin/ccs-init parameter to load policy before /sbin/init
981       starts.                                     981       starts.
982                                                   982 
983 Fix 2007/08/14                                    983 Fix 2007/08/14
984                                                   984 
985     @ Update recvmsg() hooks.                     985     @ Update recvmsg() hooks.
986                                                   986 
987       Until now, it was impossible to apply ne    987       Until now, it was impossible to apply network access control for
988       incoming UDP and RAW packets if they are    988       incoming UDP and RAW packets if they are brought to userland using
989       read() or recvmsg() with NULL address be    989       read() or recvmsg() with NULL address because address buffer is NULL.
990       I moved hooks from sock_recvmsg() to skb    990       I moved hooks from sock_recvmsg() to skb_recv_datagram() so that
991       network access control for incoming UDP     991       network access control for incoming UDP and RAW packets always work.
992                                                   992 
993 Fix 2007/08/16                                    993 Fix 2007/08/16
994                                                   994 
995     @ Return appropriate error code for CheckM    995     @ Return appropriate error code for CheckMountPermission().
996                                                   996 
997       I was returning -EPERM if something is w    997       I was returning -EPERM if something is wrong with CheckMountPermission().
998       But SELinux determines whether selinuxfs    998       But SELinux determines whether selinuxfs is supported by kernel
999       based on whether error code is -ENODEV o    999       based on whether error code is -ENODEV or not.
1000       So I stopped returning -EPERM unconditi    1000       So I stopped returning -EPERM unconditionally.
1001                                                  1001 
1002 Fix 2007/08/17                                   1002 Fix 2007/08/17
1003                                                  1003 
1004     @ Remove initializer directive.              1004     @ Remove initializer directive.
1005                                                  1005 
1006       Use "initialize_domain" instead of "ini    1006       Use "initialize_domain" instead of "initializer".
1007                                                  1007 
1008 Fix 2007/08/21                                   1008 Fix 2007/08/21
1009                                                  1009 
1010     @ Fix "allow_argv0 ... if if ..." bug.       1010     @ Fix "allow_argv0 ... if if ..." bug.
1011                                                  1011 
1012       It was impossible to use a word "if" to    1012       It was impossible to use a word "if" to the second argument of
1013       allow_argv0 if condition part is used.     1013       allow_argv0 if condition part is used.
1014                                                  1014 
1015 Fix 2007/08/24                                   1015 Fix 2007/08/24
1016                                                  1016 
1017     @ Move /proc/ccs/\*/\* to /proc/ccs/\* .     1017     @ Move /proc/ccs/\*/\* to /proc/ccs/\* .
1018                                                  1018 
1019       Some pathnames for /proc/ccs/ interface    1019       Some pathnames for /proc/ccs/ interface were changed.
1020                                                  1020 
1021 Fix 2007/09/05                                   1021 Fix 2007/09/05
1022                                                  1022 
1023     @ Drop MSG_PEEK'ed message before skb_fre    1023     @ Drop MSG_PEEK'ed message before skb_free_datagram().
1024                                                  1024 
1025       I need to remove head message from unwa    1025       I need to remove head message from unwanted source
1026       from socket's receive queue so that the    1026       from socket's receive queue so that the caller can pick up
1027       next message from wanted source with MS    1027       next message from wanted source with MSG_PEEK flags.
1028                                                  1028 
1029 Version 1.5.0 2007/09/20   Usability enhancem    1029 Version 1.5.0 2007/09/20   Usability enhancement release.
1030                                                  1030 
1031 Fix 2007/09/27                                   1031 Fix 2007/09/27
1032                                                  1032 
1033     @ Avoid eating memory after quota exceede    1033     @ Avoid eating memory after quota exceeded.
1034                                                  1034 
1035       Although ACL entries in a domain won't     1035       Although ACL entries in a domain won't be added if the domain's quota
1036       has exceeded, SaveName() in AddFileACL(    1036       has exceeded, SaveName() in AddFileACL() is called anyway.
1037       This caused unneeded memory consumption    1037       This caused unneeded memory consumption.
1038                                                  1038 
1039       Now, quota checking is done before gett    1039       Now, quota checking is done before getting domain_acl_lock lock.
1040       This may exceed quota by one or two ent    1040       This may exceed quota by one or two entries, but that won't matter.
1041                                                  1041 
1042 Fix 2007/10/16                                   1042 Fix 2007/10/16
1043                                                  1043 
1044     @ Add environment variable check.            1044     @ Add environment variable check.
1045                                                  1045 
1046       There are environment variables that ma    1046       There are environment variables that may cause dangerous behavior
1047       like LD_\* .                               1047       like LD_\* .
1048       So I introduced 'allow_env' directive t    1048       So I introduced 'allow_env' directive that allows specified
1049       environment variable inherited to next     1049       environment variable inherited to next domain.
1050       Unlike other permissions, this check is    1050       Unlike other permissions, this check is done at execve() time
1051       using next domain's ACL information.       1051       using next domain's ACL information.
1052                                                  1052 
1053       To manage commonly inherited environmen    1053       To manage commonly inherited environments like PATH ,
1054       you can use 'allow_env' directive in ex    1054       you can use 'allow_env' directive in exception policy
1055       to globally grant specified environment    1055       to globally grant specified environment variable.
1056                                                  1056 
1057 Fix 2007/11/05                                   1057 Fix 2007/11/05
1058                                                  1058 
1059     @ Replace semaphore with mutex.              1059     @ Replace semaphore with mutex.
1060                                                  1060 
1061       I replaced semaphore with mutex.           1061       I replaced semaphore with mutex.
1062                                                  1062 
1063     @ Add missing down() in AddReservedEntry(    1063     @ Add missing down() in AddReservedEntry().
1064                                                  1064 
1065       Mutex debugging capability told me that    1065       Mutex debugging capability told me that I had forgotten to call down()
1066       since TOMOYO version 1.3.2 .               1066       since TOMOYO version 1.3.2 .
1067       This function is not called by learning    1067       This function is not called by learning mode,
1068       so the semaphore's counter will not ove    1068       so the semaphore's counter will not overflow for normal usage.
1069                                                  1069 
1070 Fix 2005/11/27                                   1070 Fix 2005/11/27
1071                                                  1071 
1072     @ Fix ReadTable() truncation bug.            1072     @ Fix ReadTable() truncation bug.
1073                                                  1073 
1074       "snprintf(str, size, format, ...) >= si    1074       "snprintf(str, size, format, ...) >= size" means truncated.
1075       But I was checking for "snprintf(str, s    1075       But I was checking for "snprintf(str, size, format, ...) > size".
1076       As a result, some entries might be dump    1076       As a result, some entries might be dumped without '\n'.
1077                                                  1077 
1078     @ Purge direct "->prev"/"->next" manipula    1078     @ Purge direct "->prev"/"->next" manipulation.
1079                                                  1079 
1080       All list manipulations use "struct list    1080       All list manipulations use "struct list_head" or "struct list1_head".
1081       "struct list1_head" doesn't have "->pre    1081       "struct list1_head" doesn't have "->prev" member to save memory usage.
1082                                                  1082 
1083 Fix 2007/11/29                                   1083 Fix 2007/11/29
1084                                                  1084 
1085     @ Add missing semaphore in GetEXE().         1085     @ Add missing semaphore in GetEXE().
1086                                                  1086 
1087       mm->mmap_sem was missing.                  1087       mm->mmap_sem was missing.
1088                                                  1088 
1089 Fix 2007/12/17                                   1089 Fix 2007/12/17
1090                                                  1090 
1091     @ Remove unused EXPORT_SYMBOL().             1091     @ Remove unused EXPORT_SYMBOL().
1092                                                  1092 
1093       Mark some functions static.                1093       Mark some functions static.
1094                                                  1094 
1095 Fix 2007/12/18                                   1095 Fix 2007/12/18
1096                                                  1096 
1097     @ Fix AddMountACL() rejection bug.           1097     @ Fix AddMountACL() rejection bug.
1098                                                  1098 
1099       To my surprise, "mount --bind source de    1099       To my surprise, "mount --bind source dest" accepts
1100       not only "both source and dest are dire    1100       not only "both source and dest are directory"
1101       but also "both source and dest are non-    1101       but also "both source and dest are non-directory".
1102       I was rejecting if dest is not a direct    1102       I was rejecting if dest is not a directory in AddMountACL().
1103                                                  1103 
1104     @ Change log format.                         1104     @ Change log format.
1105                                                  1105 
1106       Profile number and mode is added in aud    1106       Profile number and mode is added in audit logs.
1107                                                  1107 
1108 Fix 2008/01/03                                   1108 Fix 2008/01/03
1109                                                  1109 
1110     @ Change directive for file's read/write/    1110     @ Change directive for file's read/write/execute permission.
1111                                                  1111 
1112       Directives for file's read/write/execut    1112       Directives for file's read/write/execute permissions were
1113       4/2/1 respectively. But for easier unde    1113       4/2/1 respectively. But for easier understanding, they are now
1114       replaced by read/write/execute (e.g. "a    1114       replaced by read/write/execute (e.g. "allow_read" instead of "4").
1115       But for easier inputting, 4/2/1 are sti    1115       But for easier inputting, 4/2/1 are still accepted instead of
1116       allow_read/allow_write/allow_execute re    1116       allow_read/allow_write/allow_execute respectively.
1117                                                  1117 
1118     @ Change internal data structure.            1118     @ Change internal data structure.
1119                                                  1119 
1120       Since I don't have more than 16 types o    1120       Since I don't have more than 16 types of file permissions,
1121       I combined them using bit-fields.          1121       I combined them using bit-fields.
1122                                                  1122 
1123       Each entry had a field for conditional     1123       Each entry had a field for conditional permission support.
1124       But since this field is unlikely used,     1124       But since this field is unlikely used, I separated the field from
1125       common part.                               1125       common part.
1126                                                  1126 
1127       These changes will reduce memory used b    1127       These changes will reduce memory used by policy.
1128                                                  1128 
1129 Fix 2008/01/15                                   1129 Fix 2008/01/15
1130                                                  1130 
1131     @ Add ptrace() hook.                         1131     @ Add ptrace() hook.
1132                                                  1132 
1133       To prevent attackers from controlling i    1133       To prevent attackers from controlling important processes using
1134       ptrace(), I added a hook for ptrace().     1134       ptrace(), I added a hook for ptrace().
1135       Most programs (except strace(1) and gdb    1135       Most programs (except strace(1) and gdb(1)) won't use ptrace(2).
1136                                                  1136 
1137     @ Fix sleep condition check in CheckSocke    1137     @ Fix sleep condition check in CheckSocketRecvDatagramPermission().
1138                                                  1138 
1139       It seems that correct method to use is     1139       It seems that correct method to use is in_atomic()
1140       rather than in_interrupt() because in_a    1140       rather than in_interrupt() because in_atomic() returns nonzero
1141       whenever scheduling is not allowed.        1141       whenever scheduling is not allowed.
1142                                                  1142 
1143 Fix 2008/02/05                                   1143 Fix 2008/02/05
1144                                                  1144 
1145     @ Use find_task_by_vpid() instead of find    1145     @ Use find_task_by_vpid() instead of find_task_by_pid().
1146                                                  1146 
1147       Kernel 2.6.24 introduced PID namespace.    1147       Kernel 2.6.24 introduced PID namespace.
1148       To search PID given from userland, the     1148       To search PID given from userland, the kernel needs to use
1149       find_task_by_vpid() instead of find_tas    1149       find_task_by_vpid() instead of find_task_by_pid().
1150                                                  1150 
1151 Fix 2008/02/14                                   1151 Fix 2008/02/14
1152                                                  1152 
1153     @ Add execve() parameter checking.           1153     @ Add execve() parameter checking.
1154                                                  1154 
1155       Until now, it was impossible to check a    1155       Until now, it was impossible to check argv[] and envp[] parameters
1156       passed to execve().                        1156       passed to execve().
1157       I expanded conditional permission synta    1157       I expanded conditional permission syntax so that
1158       { argc, envc, argv[] , envp[] } paramet    1158       { argc, envc, argv[] , envp[] } parameters can be checked if needed.
1159       This will allow administrator permit ex    1159       This will allow administrator permit execution of /bin/sh only when
1160       /bin/sh is invoked in the form of "/bin    1160       /bin/sh is invoked in the form of "/bin/sh -c" and environment variable
1161       HOME is set by specifying                  1161       HOME is set by specifying
1162                                                  1162 
1163         allow_execute /bin/sh if exec.argv[1]    1163         allow_execute /bin/sh if exec.argv[1]="-c" exec.envp["HOME"]!=NULL
1164                                                  1164 
1165       in the policy.                             1165       in the policy.
1166       This extension will make exploit codes     1166       This extension will make exploit codes difficult to start /bin/sh because
1167       they unlikely set up environment variab    1167       they unlikely set up environment variables and unlikely specify "-c"
1168       option when invoking /bin/sh , whereas     1168       option when invoking /bin/sh , whereas proper functions likely set up
1169       environment variables and likely specif    1169       environment variables and likely specify "-c" option.
1170                                                  1170 
1171 Fix 2008/02/18                                   1171 Fix 2008/02/18
1172                                                  1172 
1173     @ Add process state checking.                1173     @ Add process state checking.
1174                                                  1174 
1175       Until now, it was impossible to change     1175       Until now, it was impossible to change ACL without executing program.
1176       I added three variables for performing     1176       I added three variables for performing stateful checking within a domain.
1177       You can set current process's state lik    1177       You can set current process's state like:
1178                                                  1178 
1179         allow_network TCP accept @TRUSTED_HOS    1179         allow_network TCP accept @TRUSTED_HOSTS 1024-65535 ; set task.state[0]=1
1180         allow_network TCP accept @UNTRUSTED_H    1180         allow_network TCP accept @UNTRUSTED_HOSTS 1024-65535 ; set task.state[0]=0
1181                                                  1181 
1182       and you can use the state like             1182       and you can use the state like
1183                                                  1183 
1184         allow_read /path/to/important/file if    1184         allow_read /path/to/important/file if task.state[0]=1
1185                                                  1185 
1186       in the policy.                             1186       in the policy.
1187       The state changes when the request was     1187       The state changes when the request was granted by the MAC's policy,
1188       so please be careful with situations wh    1188       so please be careful with situations where the state has changed
1189       successfully but the request was not pr    1189       successfully but the request was not processed because of other reasons
1190       (e.g. out of memory).                      1190       (e.g. out of memory).
1191                                                  1191 
1192 Fix 2008/02/26                                   1192 Fix 2008/02/26
1193                                                  1193 
1194     @ Support /proc/ccs/ access by non-root u    1194     @ Support /proc/ccs/ access by non-root user.
1195                                                  1195 
1196       Until now, only root user can access /p    1196       Until now, only root user can access /proc/ccs/ interface.
1197       But to permit /proc/ccs/ access by non-    1197       But to permit /proc/ccs/ access by non-root user so that it won't require
1198       ssh login by root user when administrat    1198       ssh login by root user when administrating from remote host,
1199       I made "(current->uid == 0 && current->    1199       I made "(current->uid == 0 && current->euid == 0)" requirement optional.
1200       If this requirement is disabled, only "    1200       If this requirement is disabled, only "conventional DAC permission
1201       checks" and "/proc/ccs/manager checks"     1201       checks" and "/proc/ccs/manager checks" are used.
1202                                                  1202 
1203 Fix 2008/02/29                                   1203 Fix 2008/02/29
1204                                                  1204 
1205     @ Add sleep_on_violation feature.            1205     @ Add sleep_on_violation feature.
1206                                                  1206 
1207       Some exploit codes (e.g. trans2open for    1207       Some exploit codes (e.g. trans2open for Samba) continue running
1208       until it achieves the purpose of the ex    1208       until it achieves the purpose of the exploit code (e.g. invoke /bin/sh).
1209                                                  1209 
1210       If such code is injected due to buffer     1210       If such code is injected due to buffer overflow but the kernel
1211       rejects the request, it triggers infini    1211       rejects the request, it triggers infinite "Permission denied" loop.
1212       As a result, the CPU usage becomes 100%    1212       As a result, the CPU usage becomes 100% and gives bad effects to
1213       the rest of processes.                     1213       the rest of processes.
1214       This is a side effect of rejecting the     1214       This is a side effect of rejecting the request from the exploit code
1215       which wouldn't happen if the request fr    1215       which wouldn't happen if the request from the exploit code was granted.
1216                                                  1216 
1217       To avoid such CPU consumption, I added     1217       To avoid such CPU consumption, I added a penalty that forcibly
1218       sleeps for specified period when a requ    1218       sleeps for specified period when a request is rejected.
1219                                                  1219 
1220       This penalty doesn't work if the exploi    1220       This penalty doesn't work if the exploit code does nothing but
1221       continue running, but I think most expl    1221       continue running, but I think most exploit code's purpose is
1222       to start some program rather than to sl    1222       to start some program rather than to slow down the target system.
1223                                                  1223 
1224     @ Add alt_exec feature.                      1224     @ Add alt_exec feature.
1225                                                  1225 
1226       Since TOMOYO Linux's approach is "know     1226       Since TOMOYO Linux's approach is "know all essential requests in advance
1227       and create policy that permits only the    1227       and create policy that permits only them", you can regard anomalous
1228       requests as attacks (if you want to do     1228       requests as attacks (if you want to do so).
1229                                                  1229 
1230       Common MAC implementations merely rejec    1230       Common MAC implementations merely reject requests that violate policy.
1231       But I added a special handler for execv    1231       But I added a special handler for execve() to TOMOYO Linux.
1232                                                  1232 
1233       This handler is triggered when a proces    1233       This handler is triggered when a process requested to execute a program
1234       but the request was rejected by the pol    1234       but the request was rejected by the policy.
1235       This handler executes a program specifi    1235       This handler executes a program specified by the administrator
1236       instead of a program requested by the p    1236       instead of a program requested by the process.
1237                                                  1237 
1238       Most attackers attempt to execute /bin/    1238       Most attackers attempt to execute /bin/sh to start something malicious.
1239       Attackers execute an exploit code using    1239       Attackers execute an exploit code using buffer overflow vulnerability
1240       to steal control of a process. But this    1240       to steal control of a process. But this handler can get back control
1241       if an exploit code requests execve() th    1241       if an exploit code requests execve() that is not permitted by policy.
1242                                                  1242 
1243       By default, this handler does nothing (    1243       By default, this handler does nothing (i.e. merely reject execve()
1244       request). You can specify any program t    1244       request). You can specify any program to start what you want to do.
1245                                                  1245 
1246       You can redirect attackers to somewhere    1246       You can redirect attackers to somewhere else (e.g. honey pot).
1247       This makes it possible to act your Linu    1247       This makes it possible to act your Linux box as an on-demand honey pot
1248       while keeping regular services for your    1248       while keeping regular services for your usage.
1249                                                  1249 
1250       You can collect information of the atta    1250       You can collect information of the attacker (e.g. IP address) and
1251       update firewall configuration.             1251       update firewall configuration.
1252                                                  1252 
1253       You can silently terminate a process wh    1253       You can silently terminate a process who requested execve()
1254       that is not permitted by policy.           1254       that is not permitted by policy.
1255                                                  1255 
1256 Fix 2008/03/03                                   1256 Fix 2008/03/03
1257                                                  1257 
1258     @ Add "force_alt_exec" directive.            1258     @ Add "force_alt_exec" directive.
1259                                                  1259 
1260       To be able to fully utilize "alt_exec"     1260       To be able to fully utilize "alt_exec" feature,
1261       I added "force_alt_exec" directive so t    1261       I added "force_alt_exec" directive so that
1262       all execute requests are replaced by th    1262       all execute requests are replaced by the execute request of a program
1263       specified by alt_exec feature.             1263       specified by alt_exec feature.
1264                                                  1264 
1265       If this directive is specified for a do    1265       If this directive is specified for a domain, the domain no longer
1266       executes any programs regardless of the    1266       executes any programs regardless of the mode of file access control
1267       (i.e. the domain won't execute even if     1267       (i.e. the domain won't execute even if MAC_FOR_FILE=0 ).
1268       Instead, the domain executes the progra    1268       Instead, the domain executes the program specified by alt_exec feature
1269       and the program specified by alt_exec f    1269       and the program specified by alt_exec feature validates the execute
1270       request and executes it if it is approp    1270       request and executes it if it is appropriate to execute.
1271                                                  1271 
1272       If you can tolerate that there is no ch    1272       If you can tolerate that there is no chance to return an error code
1273       to the caller to tell the execute reque    1273       to the caller to tell the execute request was rejected,
1274       this is more flexible approach than in-    1274       this is more flexible approach than in-kernel execve() parameter
1275       checking because we can do argv[] and e    1275       checking because we can do argv[] and envp[] checking easily.
1276                                                  1276 
1277 Fix 2008/03/04                                   1277 Fix 2008/03/04
1278                                                  1278 
1279     @ Use string for access control mode.        1279     @ Use string for access control mode.
1280                                                  1280 
1281       An integer expression for access contro    1281       An integer expression for access control mode sometimes confuses
1282       administrators because profile number i    1282       administrators because profile number is also an integer expression.
1283       To avoid confusion between profile numb    1283       To avoid confusion between profile number and access control mode,
1284       I introduced a string expression for ac    1284       I introduced a string expression for access control mode.
1285                                                  1285 
1286         Modes which take an integer between 0    1286         Modes which take an integer between 0 and 3.
1287                                                  1287 
1288           0 -> disabled                          1288           0 -> disabled
1289           1 -> learning                          1289           1 -> learning
1290           2 -> permissive                        1290           2 -> permissive
1291           3 -> enforcing                         1291           3 -> enforcing
1292                                                  1292 
1293         Modes which take 0 or 1.                 1293         Modes which take 0 or 1.
1294                                                  1294 
1295           0 -> disabled                          1295           0 -> disabled
1296           1 -> enabled                           1296           1 -> enabled
1297                                                  1297 
1298 Fix 2008/03/10                                   1298 Fix 2008/03/10
1299                                                  1299 
1300     @ Rename "force_alt_exec" directive to "e    1300     @ Rename "force_alt_exec" directive to "execute_handler".
1301                                                  1301 
1302       To be able to use different programs fo    1302       To be able to use different programs for validating execve() parameters,
1303       I moved the location to specify the pro    1303       I moved the location to specify the program's pathname from profile
1304       to domain policy.                          1304       to domain policy.
1305                                                  1305 
1306       The "execute_handler" directive takes o    1306       The "execute_handler" directive takes one pathname which is
1307       invoked whenever execve() request is is    1307       invoked whenever execve() request is issued. Thus, any "allow_execute"
1308       directives in a domain with "execute_ha    1308       directives in a domain with "execute_handler" are ignored.
1309       This directive is designed for validati    1309       This directive is designed for validating expected/desirable execve()
1310       requests in userspace, although there i    1310       requests in userspace, although there is no way to tell the caller
1311       that the execve() request was rejected.    1311       that the execve() request was rejected.
1312                                                  1312 
1313     @ Rename "alt_exec" directive to "denied_    1313     @ Rename "alt_exec" directive to "denied_execute_handler".
1314                                                  1314 
1315       The "denied_execute_handler" directive     1315       The "denied_execute_handler" directive takes one pathname which is
1316       invoked only when execve() request was     1316       invoked only when execve() request was rejected. In other words,
1317       this program is invoked only when the f    1317       this program is invoked only when the following conditions are met.
1318                                                  1318 
1319         (1) None of "allow_execute" directive    1319         (1) None of "allow_execute" directives in the domain matched.
1320         (2) The execve() request was rejected    1320         (2) The execve() request was rejected in enforcing mode.
1321         (3) "execute_handler" directive is no    1321         (3) "execute_handler" directive is not used by the domain.
1322                                                  1322 
1323       This directive is designed for handling    1323       This directive is designed for handling unexpected/undesirable execve()
1324       requests, to redirect the process issui    1324       requests, to redirect the process issuing such requests to somewhere.
1325                                                  1325 
1326 Fix 2008/03/18                                   1326 Fix 2008/03/18
1327                                                  1327 
1328     @ Fix wrong/redundant locks in pre-vfs fu    1328     @ Fix wrong/redundant locks in pre-vfs functions.
1329                                                  1329 
1330       lock_kernel()/unlock_kernel() in pre_vf    1330       lock_kernel()/unlock_kernel() in pre_vfs_rename() were redundant for
1331       2.6 kernels.                               1331       2.6 kernels.
1332                                                  1332 
1333       Locking order in pre_vfs_link() and pre    1333       Locking order in pre_vfs_link() and pre_vfs_unlink() for 2.4 kernels
1334       after 2.4.33 were different from before    1334       after 2.4.33 were different from before 2.4.32 .
1335                                                  1335 
1336 Fix 2008/03/28                                   1336 Fix 2008/03/28
1337                                                  1337 
1338     @ Disable execute handler loop.              1338     @ Disable execute handler loop.
1339                                                  1339 
1340       To be able to use "execute_handler" in     1340       To be able to use "execute_handler" in a "keep_domain" domain,
1341       ignore "execute_handler" and "denied_ex    1341       ignore "execute_handler" and "denied_execute_handler" directives
1342       if the current process is executing pro    1342       if the current process is executing programs specified by
1343       "execute_handler" or "denied_execute_ha    1343       "execute_handler" or "denied_execute_handler" directive.
1344                                                  1344 
1345       This exception is needed to avoid infin    1345       This exception is needed to avoid infinite execute handler loop.
1346       If a domain has both "keep_domain" and     1346       If a domain has both "keep_domain" and "execute_handler",
1347       any execute request by that domain is h    1347       any execute request by that domain is handled by an execute handler,
1348       and the execute handler attempts to pro    1348       and the execute handler attempts to process original execute request.
1349       But the original execute request is han    1349       But the original execute request is handled by the same execute handler
1350       unless the execute handler ignores "exe    1350       unless the execute handler ignores "execute_handler".
1351                                                  1351 
1352     @ Update coding style.                       1352     @ Update coding style.
1353                                                  1353 
1354       I rewrote the code to pass scripts/chec    1354       I rewrote the code to pass scripts/checkpatch.pl as much as possible.
1355       Function names were changed to use only    1355       Function names were changed to use only lower letters.
1356                                                  1356 
1357 Version 1.6.0 2008/04/01   Feature enhancemen    1357 Version 1.6.0 2008/04/01   Feature enhancement release.
1358                                                  1358 
1359 Fix 2008/04/14                                   1359 Fix 2008/04/14
1360                                                  1360 
1361     @ Fix "Compilation failures" and "Initial    1361     @ Fix "Compilation failures" and "Initialization ordering bugs"
1362       with kernels before 2.4.30/2.6.11 .        1362       with kernels before 2.4.30/2.6.11 .
1363                                                  1363 
1364       2.6 kernels before 2.6.9 didn't have in    1364       2.6 kernels before 2.6.9 didn't have include/linux/hardirq.h ,
1365       resulting compilation error at #include    1365       resulting compilation error at #include <linux/hardirq.h> .
1366       I added #elif condition.                   1366       I added #elif condition.
1367                                                  1367 
1368       CentOS 4.6's 2.6.9 kernel calls do_exec    1368       CentOS 4.6's 2.6.9 kernel calls do_execve() before initialization of
1369       ccs_alloc(), resulting NULL pointer der    1369       ccs_alloc(), resulting NULL pointer dereference.
1370       I changed __initcall to core_initcall.     1370       I changed __initcall to core_initcall.
1371                                                  1371 
1372       CentOS 4.6's 2.6.9 kernel backported kz    1372       CentOS 4.6's 2.6.9 kernel backported kzalloc() from 2.6.14 ,
1373       resulting compilation error at kzalloc(    1373       resulting compilation error at kzalloc().
1374       I modified prototype of kzalloc().         1374       I modified prototype of kzalloc().
1375                                                  1375 
1376 Fix 2008/04/20                                   1376 Fix 2008/04/20
1377                                                  1377 
1378     @ Fix "Compilation failures" with kernels    1378     @ Fix "Compilation failures" with kernels before 2.4.30/2.6.11 .
1379                                                  1379 
1380       Turbolinux 10 Server's 2.6.8 kernel bac    1380       Turbolinux 10 Server's 2.6.8 kernel backported kzalloc() as an inlined
1381       function, resulting compilation error a    1381       function, resulting compilation error at kzalloc().
1382       I converted kzalloc() from an inlined f    1382       I converted kzalloc() from an inlined function into a macro.
1383                                                  1383 
1384 Fix 2008/04/21                                   1384 Fix 2008/04/21
1385                                                  1385 
1386     @ Add workaround for gcc 3.2.2's inline b    1386     @ Add workaround for gcc 3.2.2's inline bug.
1387                                                  1387 
1388       RedHat Linux 9's gcc 3.2.2 generated a     1388       RedHat Linux 9's gcc 3.2.2 generated a bad code
1389          if ((var_of_u8 & 0x000000BF) & 0x800    1389          if ((var_of_u8 & 0x000000BF) & 0x80000000) { }
1390       where the expected code is                 1390       where the expected code is
1391          if ((var_of_u8 & 0xBF) & 0x80) { }      1391          if ((var_of_u8 & 0xBF) & 0x80) { }
1392       when embedding ccs_acl_type2() into pri    1392       when embedding ccs_acl_type2() into print_entry(),
1393       resulting runtime BUG().                   1393       resulting runtime BUG().
1394       I added the expected code explicitly as    1394       I added the expected code explicitly as a workaround.
1395                                                  1395 
1396 Fix 2008/05/06                                   1396 Fix 2008/05/06
1397                                                  1397 
1398     @ Add memory quota.                          1398     @ Add memory quota.
1399                                                  1399 
1400       1.5.x returns -ENOMEM when FindNextDoma    1400       1.5.x returns -ENOMEM when FindNextDomain() failed to create a new
1401       domain, but I forgot to return -ENOMEM     1401       domain, but I forgot to return -ENOMEM when find_next_domain() failed to
1402       create a new domain.                       1402       create a new domain.
1403                                                  1403 
1404       A domain is automatically created by fi    1404       A domain is automatically created by find_next_domain() only if
1405       the domain for the requested program do    1405       the domain for the requested program doesn't exist.
1406       This behavior is for the administrator'    1406       This behavior is for the administrator's convenience.
1407       The administrator needn't to know how m    1407       The administrator needn't to know how many domains are needed for running
1408       the whole programs in the system before    1408       the whole programs in the system beforehand when developing the policy.
1409       But the administrator does not want the    1409       But the administrator does not want the kernel to reject execution of the
1410       requested program when developing the p    1410       requested program when developing the policy.
1411                                                  1411 
1412       So, I think it is better to grant execu    1412       So, I think it is better to grant execution of programs even if
1413       find_next_domain() failed to create a n    1413       find_next_domain() failed to create a new domain than reject execution.
1414       Thus, I decided not to return -ENOMEM w    1414       Thus, I decided not to return -ENOMEM when find_next_domain() failed to
1415       create a new domain. This exception bre    1415       create a new domain. This exception breaks the domain transition rules,
1416       so I print "transition_failed" warning     1416       so I print "transition_failed" warning in /proc/ccs/domain_policy
1417       when this exception happened.              1417       when this exception happened.
1418                                                  1418 
1419       Also, to prevent the system from being     1419       Also, to prevent the system from being halted by unexpectedly allocating
1420       all kernel memory for the policy, I add    1420       all kernel memory for the policy, I added memory quota.
1421       This quota is configurable via /proc/cc    1421       This quota is configurable via /proc/ccs/meminfo like
1422                                                  1422 
1423         echo Shared:  1048576 > /proc/ccs/mem    1423         echo Shared:  1048576 > /proc/ccs/meminfo
1424         echo Private: 1048576 > /proc/ccs/mem    1424         echo Private: 1048576 > /proc/ccs/meminfo
1425                                                  1425 
1426 Version 1.6.1 2008/05/10   Bug fix release.      1426 Version 1.6.1 2008/05/10   Bug fix release.
1427                                                  1427 
1428 Fix 2008/06/04                                   1428 Fix 2008/06/04
1429                                                  1429 
1430     @ Check open mode of /proc/ccs/ interface    1430     @ Check open mode of /proc/ccs/ interface.
1431                                                  1431 
1432       It turned out that I can avoid allocati    1432       It turned out that I can avoid allocating memory for reading if
1433       FMODE_READ is not set and memory for wr    1433       FMODE_READ is not set and memory for writing if FMODE_WRITE is not set.
1434                                                  1434 
1435     @ Wait for completion of /sbin/ccs-init .    1435     @ Wait for completion of /sbin/ccs-init .
1436                                                  1436 
1437       Since 2.4 kernel's call_usermodehelper(    1437       Since 2.4 kernel's call_usermodehelper() can't wait for termination of
1438       the executed program, I was using the c    1438       the executed program, I was using the close() request of
1439       /proc/ccs/meminfo to indicate that load    1439       /proc/ccs/meminfo to indicate that loading policy has finished.
1440       But since /proc/ccs/meminfo could be ac    1440       But since /proc/ccs/meminfo could be accessed for setting memory quota
1441       by /etc/ccs/ccs-post-init , I stopped u    1441       by /etc/ccs/ccs-post-init , I stopped using the close() request.
1442       The policy loader no longer need to acc    1442       The policy loader no longer need to access /proc/ccs/meminfo to notify
1443       the kernel that loading policy has fini    1443       the kernel that loading policy has finished.
1444                                                  1444 
1445 Fix 2008/06/05                                   1445 Fix 2008/06/05
1446                                                  1446 
1447     @ Fix realpath for pipes and sockets.        1447     @ Fix realpath for pipes and sockets.
1448                                                  1448 
1449       Kernel 2.6.22 and later use different m    1449       Kernel 2.6.22 and later use different method for calculating d_path().
1450       Since fs/realpath.c didn't notice the c    1450       Since fs/realpath.c didn't notice the change, the realpath of pipes
1451       appeared as "pipe:" rather than "pipe:[    1451       appeared as "pipe:" rather than "pipe:[\$]" when they are opened via
1452       /proc/PID/fd/ directory.                   1452       /proc/PID/fd/ directory.
1453                                                  1453 
1454     @ Add process's information into /proc/cc    1454     @ Add process's information into /proc/ccs/query .
1455                                                  1455 
1456       While /proc/ccs/grant_log and /proc/ccs    1456       While /proc/ccs/grant_log and /proc/ccs/reject_log contain process's
1457       information, /proc/ccs/query doesn't co    1457       information, /proc/ccs/query doesn't contain it.
1458       To be able to utilize ccs-queryd and cc    1458       To be able to utilize ccs-queryd and ccs-notifyd more, I added it into
1459       /proc/ccs/query .                          1459       /proc/ccs/query .
1460                                                  1460 
1461 Fix 2008/06/10                                   1461 Fix 2008/06/10
1462                                                  1462 
1463     @ Allow using patterns for globally reada    1463     @ Allow using patterns for globally readable files.
1464                                                  1464 
1465       To allow users specify locale specific     1465       To allow users specify locale specific files to globally readable files,
1466       I relaxed checking in update_globally_r    1466       I relaxed checking in update_globally_readable_entry().
1467                                                  1467 
1468 Fix 2008/06/11                                   1468 Fix 2008/06/11
1469                                                  1469 
1470     @ Remove ALLOW_ENFORCE_GRACE parameter.      1470     @ Remove ALLOW_ENFORCE_GRACE parameter.
1471                                                  1471 
1472       Since unexpected requests caused by doi    1472       Since unexpected requests caused by doing software updates can happen
1473       in all profiles, users likely have to w    1473       in all profiles, users likely have to write ALLOW_ENFORCE_GRACE=enabled
1474       to all profiles. And it makes meaningle    1474       to all profiles. And it makes meaningless to allow users to selectively
1475       enable specific profile's ALLOW_ENFORCE    1475       enable specific profile's ALLOW_ENFORCE_GRACE parameter.
1476       So, I removed ALLOW_ENFORCE_GRACE param    1476       So, I removed ALLOW_ENFORCE_GRACE parameter.
1477       Now, the system behaves as if ALLOW_ENF    1477       Now, the system behaves as if ALLOW_ENFORCE_GRACE=enabled is specified.
1478       The behavior of "delayed enforcing" mod    1478       The behavior of "delayed enforcing" mode is defined in the following
1479       order.                                     1479       order.
1480                                                  1480 
1481       (1) The requests are rejected immediate    1481       (1) The requests are rejected immediately if nobody is opening
1482           /proc/ccs/query interface.             1482           /proc/ccs/query interface.
1483       (2) The requests will be rejected in 10    1483       (2) The requests will be rejected in 10 seconds if somebody other than
1484           ccs-queryd (such as less(1)) is ope    1484           ccs-queryd (such as less(1)) is opening /proc/ccs/query interface,
1485           for such process doesn't write dumm    1485           for such process doesn't write dummy decisions.
1486                                                  1486 
1487 Fix 2008/06/22                                   1487 Fix 2008/06/22
1488                                                  1488 
1489     @ Pass escaped pathname to audit_execute_    1489     @ Pass escaped pathname to audit_execute_handler_log().
1490                                                  1490 
1491       I was passing unescaped pathname to aud    1491       I was passing unescaped pathname to audit_execute_handler_log()
1492       which causes /proc/ccs/grant_log contai    1492       which causes /proc/ccs/grant_log contain whitespace characters
1493       if execute handler's pathname contains     1493       if execute handler's pathname contains whitespace characters.
1494                                                  1494 
1495 Fix 2008/06/25                                   1495 Fix 2008/06/25
1496                                                  1496 
1497     @ Return 0 when ccs_may_umount() succeeds    1497     @ Return 0 when ccs_may_umount() succeeds.
1498                                                  1498 
1499       I forgot to clear error value in ccs_ma    1499       I forgot to clear error value in ccs_may_umount() when the requested
1500       directory didn't match "deny_unmount" d    1500       directory didn't match "deny_unmount" directive. As a result, any umount()
1501       request with RESTRICT_UNMOUNT=enforcing    1501       request with RESTRICT_UNMOUNT=enforcing returned -EPERM error.
1502                                                  1502 
1503 Version 1.6.2 2008/06/25   Usability enhancem    1503 Version 1.6.2 2008/06/25   Usability enhancement release.
1504                                                  1504 
1505 Fix 2008/07/01                                   1505 Fix 2008/07/01
1506                                                  1506 
1507     @ Fix "Compilation failure" with 2.4.20 k    1507     @ Fix "Compilation failure" with 2.4.20 kernel.
1508                                                  1508 
1509       RedHat Linux 9's 2.4.20 kernel backport    1509       RedHat Linux 9's 2.4.20 kernel backported O(1) scheduler patch,
1510       resulting compilation error at ccs_load    1510       resulting compilation error at ccs_load_policy().
1511       I added defined(TASK_DEAD) check.          1511       I added defined(TASK_DEAD) check.
1512                                                  1512 
1513 Fix 2008/07/08                                   1513 Fix 2008/07/08
1514                                                  1514 
1515     @ Don't check permissions if vfsmount is     1515     @ Don't check permissions if vfsmount is NULL.
1516                                                  1516 
1517       Some filesystems (e.g. unionfs) pass NU    1517       Some filesystems (e.g. unionfs) pass NULL vfsmount.
1518       I changed fs/tomoyo_file.c not to try t    1518       I changed fs/tomoyo_file.c not to try to calculate pathnames
1519       if vfsmount is NULL.                       1519       if vfsmount is NULL.
1520                                                  1520 
1521 Version 1.6.3 2008/07/15   Bug fix release.      1521 Version 1.6.3 2008/07/15   Bug fix release.
1522                                                  1522 
1523 Fix 2008/08/21                                   1523 Fix 2008/08/21
1524                                                  1524 
1525     @ Add workaround for gcc 4.3's bug.          1525     @ Add workaround for gcc 4.3's bug.
1526                                                  1526 
1527       In some environments, fs/tomoyo_network    1527       In some environments, fs/tomoyo_network.c could not be compiled
1528       because of gcc 4.3's bug.                  1528       because of gcc 4.3's bug.
1529       I modified save_ipv6_address() to use "    1529       I modified save_ipv6_address() to use "integer literal" value
1530       instead for "static const u8" variable.    1530       instead for "static const u8" variable.
1531                                                  1531 
1532     @ Change prototypes of some functions.       1532     @ Change prototypes of some functions.
1533                                                  1533 
1534       To support 2.6.27 kernels, I replaced "    1534       To support 2.6.27 kernels, I replaced "struct nameidata" with
1535       "struct path" for some functions.          1535       "struct path" for some functions.
1536                                                  1536 
1537     @ Detect distributor specific patches aut    1537     @ Detect distributor specific patches automatically.
1538                                                  1538 
1539       Since kernels with AppArmor patch appli    1539       Since kernels with AppArmor patch applied is increasing,
1540       I introduced a mechanism which determin    1540       I introduced a mechanism which determines whether specific patches
1541       are applied or not, based on "#define"     1541       are applied or not, based on "#define" directives in the patches.
1542                                                  1542 
1543 Fix 2008/08/29                                   1543 Fix 2008/08/29
1544                                                  1544 
1545     @ Remove "-ccs" suffix from Makefile's EX    1545     @ Remove "-ccs" suffix from Makefile's EXTRAVERSION.
1546                                                  1546 
1547       To reduce conflicts on Makefile's EXTRA    1547       To reduce conflicts on Makefile's EXTRAVERSION,
1548       I removed "-ccs" suffix from ccs-patch-    1548       I removed "-ccs" suffix from ccs-patch-2.\*.diff .
1549       Those who build kernels without using s    1549       Those who build kernels without using specs/build-\*.sh ,
1550       please edit EXTRAVERSION tag manually s    1550       please edit EXTRAVERSION tag manually so that original kernels
1551       will not be overwritten by TOMOYO Linux    1551       will not be overwritten by TOMOYO Linux kernels.
1552                                                  1552 
1553 Version 1.6.4 2008/09/03   Minor update relea    1553 Version 1.6.4 2008/09/03   Minor update release.
1554                                                  1554 
1555 Fix 2008/09/09                                   1555 Fix 2008/09/09
1556                                                  1556 
1557     @ Add "try again" response to "delayed en    1557     @ Add "try again" response to "delayed enforcing" mode.
1558                                                  1558 
1559       To be able to handle pathname changes c    1559       To be able to handle pathname changes caused by software updates,
1560       "delayed enforcing" mode was introduced    1560       "delayed enforcing" mode was introduced. It allows administrator to
1561       grant access requests which are about t    1561       grant access requests which are about to be rejected by the kernel.
1562                                                  1562 
1563       To be able to handle pathname changes c    1563       To be able to handle pathname changes caused by software updates better,
1564       I introduced "try again" response. As "    1564       I introduced "try again" response. As "delayed enforcing" mode sleeps
1565       a process which violated policy, admini    1565       a process which violated policy, administrator can update policy while
1566       the process is sleeping. This "try agai    1566       the process is sleeping. This "try again" response allows administrator
1567       to restart policy checks from the begin    1567       to restart policy checks from the beginning after updating policy.
1568                                                  1568 
1569 Fix 2008/09/11                                   1569 Fix 2008/09/11
1570                                                  1570 
1571     @ Remember whether the process is allowed    1571     @ Remember whether the process is allowed to write to /proc/ccs/ interface.
1572                                                  1572 
1573       Since programs for manipulating policy     1573       Since programs for manipulating policy (e.g. ccs-queryd ) are installed
1574       in the form of RPM/DEB packages, these     1574       in the form of RPM/DEB packages, these programs lose the original
1575       pathnames when they are updated by the     1575       pathnames when they are updated by the package manager. The package
1576       manager renames these programs before d    1576       manager renames these programs before deleting these programs so that
1577       the package manager can rollback the op    1577       the package manager can rollback the operation.
1578       This causes a problem when the programs    1578       This causes a problem when the programs are listed into /proc/ccs/manager
1579       using pathnames, as the programs will n    1579       using pathnames, as the programs will no longer be allowed to write to
1580       /proc/ccs/ interface while the process     1580       /proc/ccs/ interface while the process of old version of the program is
1581       alive.                                     1581       alive.
1582                                                  1582 
1583       To solve this problem, I modified to re    1583       To solve this problem, I modified to remember the fact that the process
1584       is once allowed to write to /proc/ccs/     1584       is once allowed to write to /proc/ccs/ interface until the process
1585       attempts to execute a different program    1585       attempts to execute a different program.
1586       This change makes it impossible to revo    1586       This change makes it impossible to revoke permission to write to
1587       /proc/ccs/ interface without killing th    1587       /proc/ccs/ interface without killing the process, but it will be better
1588       than nonfunctioning ccs-queryd program.    1588       than nonfunctioning ccs-queryd program.
1589                                                  1589 
1590 Fix 2008/09/19                                   1590 Fix 2008/09/19
1591                                                  1591 
1592     @ Allow selecting a domain by PID.           1592     @ Allow selecting a domain by PID.
1593                                                  1593 
1594       Sometimes we want to know what ACLs are    1594       Sometimes we want to know what ACLs are given to specific PID, but
1595       finding a domainname for that PID from     1595       finding a domainname for that PID from /proc/ccs/.process_status and
1596       reading ACLs from /proc/ccs/domain_poli    1596       reading ACLs from /proc/ccs/domain_policy by the domainname is very slow.
1597       Thus, I modified /proc/ccs/domain_polic    1597       Thus, I modified /proc/ccs/domain_policy to allow selecting a domain by
1598       PID. For example, to read domain ACL of    1598       PID. For example, to read domain ACL of current process from bash,
1599       run as follows.                            1599       run as follows.
1600                                                  1600 
1601       # exec 100<>/proc/ccs/domain_policy        1601       # exec 100<>/proc/ccs/domain_policy
1602       # echo select pid=$$ >&100                 1602       # echo select pid=$$ >&100
1603       # while read -u 100; do echo $REPLY; do    1603       # while read -u 100; do echo $REPLY; done
1604                                                  1604 
1605       If a domain is once selected by PID, re    1605       If a domain is once selected by PID, reading /proc/ccs/domain_policy will
1606       print only that domain if that PID exis    1606       print only that domain if that PID exists or print nothing otherwise.
1607                                                  1607 
1608     @ Disallow concurrent /proc/ccs/ access u    1608     @ Disallow concurrent /proc/ccs/ access using the same file descriptor.
1609                                                  1609 
1610       Until now, one process can read() from     1610       Until now, one process can read() from /proc/ccs/ while other process
1611       that shares the file descriptor can wri    1611       that shares the file descriptor can write() to /proc/ccs/ .
1612       But to implement "Allow selecting a dom    1612       But to implement "Allow selecting a domain by PID" feature, I disabled
1613       concurrent read()/write() because the f    1613       concurrent read()/write() because the feature need to modify read buffer
1614       while writing.                             1614       while writing.
1615                                                  1615 
1616 Fix 2008/10/01                                   1616 Fix 2008/10/01
1617                                                  1617 
1618     @ Add retry counter into /proc/ccs/query     1618     @ Add retry counter into /proc/ccs/query .
1619                                                  1619 
1620       To be able to handle some of queries fr    1620       To be able to handle some of queries from /proc/ccs/query without user's
1621       interaction, I added retry counter for     1621       interaction, I added retry counter for avoiding infinite loop caused by
1622       "try again" response.                      1622       "try again" response.
1623                                                  1623 
1624 Fix 2008/10/07                                   1624 Fix 2008/10/07
1625                                                  1625 
1626     @ Don't transit to new domain until do_ex    1626     @ Don't transit to new domain until do_execve() succeeds.
1627                                                  1627 
1628       Until now, a process's domain was updat    1628       Until now, a process's domain was updated to new domain which the process
1629       will belong to before do_execve() succe    1629       will belong to before do_execve() succeeds so that the kernel can do
1630       permission checks for interpreters and     1630       permission checks for interpreters and environment variables based on
1631       new domain. But this caused a subtle pr    1631       new domain. But this caused a subtle problem when other process sends
1632       signals to the process, for the process    1632       signals to the process, for the process returns to old domain if
1633       do_execve() failed.                        1633       do_execve() failed.
1634                                                  1634 
1635       So, I modified to pass new domain to fu    1635       So, I modified to pass new domain to functions so that I can avoid
1636       modifying a process's domain before do_    1636       modifying a process's domain before do_execve() succeeds.
1637                                                  1637 
1638     @ Use old task state for audit logs.         1638     @ Use old task state for audit logs.
1639                                                  1639 
1640       Until now, audit logs were generated us    1640       Until now, audit logs were generated using the task state after
1641       processing "; set task.state" part. But    1641       processing "; set task.state" part. But to generate accurate logs,
1642       I modified to save the task state befor    1642       I modified to save the task state before processing "; set task.state"
1643       part and use the saved state for audit     1643       part and use the saved state for audit logs.
1644                                                  1644 
1645     @ Use a structure for passing parameters.    1645     @ Use a structure for passing parameters.
1646                                                  1646 
1647       As the number of parameters is increasi    1647       As the number of parameters is increasing, I modified to use a structure
1648       for passing parameters.                    1648       for passing parameters.
1649                                                  1649 
1650 Fix 2008/10/11                                   1650 Fix 2008/10/11
1651                                                  1651 
1652     @ Remove domain_acl_lock mutex.              1652     @ Remove domain_acl_lock mutex.
1653                                                  1653 
1654       I noticed that I don't need to keep all    1654       I noticed that I don't need to keep all functions that modify an ACL of
1655       a domain mutually exclusive. Since each    1655       a domain mutually exclusive. Since each functions handles different type
1656       of ACL, locking is needed only when the    1656       of ACL, locking is needed only when they append an ACL to a domain.
1657       So, I modified to use local locks.         1657       So, I modified to use local locks.
1658                                                  1658 
1659 Fix 2008/10/14                                   1659 Fix 2008/10/14
1660                                                  1660 
1661     @ Fix ccs_check_condition() bug.             1661     @ Fix ccs_check_condition() bug.
1662                                                  1662 
1663       Due to a bug in ccs_check_condition(),     1663       Due to a bug in ccs_check_condition(), it was impossible to use
1664       task.state[0] task.state[1] task.state[    1664       task.state[0] task.state[1] task.state[2] inside condition part
1665       if the ACL does not treat a pathname. F    1665       if the ACL does not treat a pathname. For example, an ACL like
1666                                                  1666 
1667         allow_network TCP connect @HTTP_SERVE    1667         allow_network TCP connect @HTTP_SERVERS 80 if task.state[0]=100
1668                                                  1668 
1669       didn't work.                               1669       didn't work.
1670                                                  1670 
1671 Fix 2008/10/15                                   1671 Fix 2008/10/15
1672                                                  1672 
1673     @ Show process information in /proc/ccs/.    1673     @ Show process information in /proc/ccs/.process_status .
1674                                                  1674 
1675       To be able to determine a process's typ    1675       To be able to determine a process's type, I added a command "info PID"
1676       which returns process information of th    1676       which returns process information of the specified PID in
1677       "PID manager=\* execute_handler=\* stat    1677       "PID manager=\* execute_handler=\* state[0]=\$ state[1]=\$ state[2]=\$"
1678       format.                                    1678       format.
1679                                                  1679 
1680 Fix 2008/10/20                                   1680 Fix 2008/10/20
1681                                                  1681 
1682     @ Use rcu_dereference() when walking the     1682     @ Use rcu_dereference() when walking the list.
1683                                                  1683 
1684       I was using "dependency ordering" for a    1684       I was using "dependency ordering" for appending an element to a list
1685       without asking the reader to take a loc    1685       without asking the reader to take a lock. But "dependency ordering"
1686       is not respected by DEC Alpha or by som    1686       is not respected by DEC Alpha or by some aggressive value-speculation
1687       compiler optimizations.                    1687       compiler optimizations.
1688                                                  1688 
1689       On such environment, use of "dependency    1689       On such environment, use of "dependency ordering" can lead to system
1690       crash because the reader might read uni    1690       crash because the reader might read uninitialized value of newly
1691       appended element.                          1691       appended element.
1692                                                  1692 
1693       To prevent the reader from reading unin    1693       To prevent the reader from reading uninitialized value of newly appended
1694       element, I inserted rcu_dereference() w    1694       element, I inserted rcu_dereference() when walking the list.
1695                                                  1695 
1696 Fix 2008/11/04                                   1696 Fix 2008/11/04
1697                                                  1697 
1698     @ Use sys_getpid() instead for current->p    1698     @ Use sys_getpid() instead for current->pid.
1699                                                  1699 
1700       Kernel 2.6.24 introduced PID namespace.    1700       Kernel 2.6.24 introduced PID namespace.
1701                                                  1701 
1702       To compare PID given from userland, I c    1702       To compare PID given from userland, I can't use current->pid.
1703       So, I modified to use sys_getpid() inst    1703       So, I modified to use sys_getpid() instead for current->pid.
1704                                                  1704 
1705       I modified to use task_tgid_nr_ns() for    1705       I modified to use task_tgid_nr_ns() for 2.6.25 and later instead for
1706       current->tgid when checking /proc/self/    1706       current->tgid when checking /proc/self/ in get_absolute_path().
1707                                                  1707 
1708 Fix 2008/11/07                                   1708 Fix 2008/11/07
1709                                                  1709 
1710     @ Fix is_alphabet_char().                    1710     @ Fix is_alphabet_char().
1711                                                  1711 
1712       is_alphabet_char() should match 'A' - '    1712       is_alphabet_char() should match 'A' - 'Z' and 'a' - 'z',
1713       but was matching from 'A' - 'F' and 'a'    1713       but was matching from 'A' - 'F' and 'a' - 'f'.
1714                                                  1714 
1715     @ Add /proc/ccs/.execute_handler .           1715     @ Add /proc/ccs/.execute_handler .
1716                                                  1716 
1717       Process information became visible to u    1717       Process information became visible to userspace by
1718       "Show process information in /proc/ccs/    1718       "Show process information in /proc/ccs/.process_status" feature.
1719       However, programs specified by execute_    1719       However, programs specified by execute_handler directive may run as
1720       non root user, making it impossible to     1720       non root user, making it impossible to see process information.
1721                                                  1721 
1722       So, I added a new interface that allows    1722       So, I added a new interface that allows execute handler processes
1723       to see process information. The content    1723       to see process information. The content of /proc/ccs/.execute_handler is
1724       identical to /proc/ccs/.process_status     1724       identical to /proc/ccs/.process_status .
1725                                                  1725 
1726 Version 1.6.5 2008/11/11   Third anniversary     1726 Version 1.6.5 2008/11/11   Third anniversary release.
1727                                                  1727 
1728 Fix 2008/12/01                                   1728 Fix 2008/12/01
1729                                                  1729 
1730     @ Introduce "task.type=execute_handler" c    1730     @ Introduce "task.type=execute_handler" condition.
1731                                                  1731 
1732       The execute_handler directive is very v    1732       The execute_handler directive is very very powerful. You can use this
1733       directive to do anything you want to do    1733       directive to do anything you want to do (e.g. logging and validating and
1734       modifying command line parameters and e    1734       modifying command line parameters and environment variables, opening and
1735       closing and redirecting files, creating    1735       closing and redirecting files, creating pipes to implement antivirus and
1736       spam filtering, deploying a DMZ between    1736       spam filtering, deploying a DMZ between the ssh daemon and the login
1737       shells).                                   1737       shells).
1738                                                  1738 
1739       To be able to use this directive in a d    1739       To be able to use this directive in a domain with keep_domain directive
1740       while limiting access to resources need    1740       while limiting access to resources needed for such purposes to only
1741       programs invoked as an execute handler     1741       programs invoked as an execute handler process, I added a new condition.
1742                                                  1742 
1743       In learning mode, "if task.type=execute    1743       In learning mode, "if task.type=execute_handler" condition part will be
1744       automatically added for requests issued    1744       automatically added for requests issued by an execute_handler process.
1745                                                  1745 
1746     @ Introduce file's type and permissions a    1746     @ Introduce file's type and permissions as conditions.
1747                                                  1747 
1748       To be able to limit file types a proces    1748       To be able to limit file types a process can access, I added
1749       new conditions for checking file's type    1749       new conditions for checking file's type and permissions.
1750       For example,                               1750       For example,
1751                                                  1751 
1752         allow_read /etc/fstab if path1.type=f    1752         allow_read /etc/fstab if path1.type=file path1.perm=0644
1753                                                  1753 
1754       will allow opening /etc/fstab for readi    1754       will allow opening /etc/fstab for reading only if /etc/fstab is a regular
1755       file and it's permission is 0644, and      1755       file and it's permission is 0644, and
1756                                                  1756 
1757         allow_write /dev/null if path1.type=c    1757         allow_write /dev/null if path1.type=char path1.dev_major=1 path1.dev_minor=3
1758                                                  1758 
1759       will allow opening /dev/null for writin    1759       will allow opening /dev/null for writing only if /dev/null is a character
1760       device file with major=1 and minor=3 at    1760       device file with major=1 and minor=3 attributes.
1761                                                  1761 
1762     @ Add memory quota for temporary memory u    1762     @ Add memory quota for temporary memory used for auditing.
1763                                                  1763 
1764       Although there are MAX_GRANT_LOG and MA    1764       Although there are MAX_GRANT_LOG and MAX_REJECT_LOG parameters
1765       which limit the number of entries for a    1765       which limit the number of entries for audit logs so that we can avoid
1766       memory consumption by audit logs, it wo    1766       memory consumption by audit logs, it would be more convenient if we can
1767       also limit the size in bytes.              1767       also limit the size in bytes.
1768       Thus, I added a new quota line.            1768       Thus, I added a new quota line.
1769                                                  1769 
1770         echo Dynamic: 1048576 > /proc/ccs/mem    1770         echo Dynamic: 1048576 > /proc/ccs/meminfo
1771                                                  1771 
1772       This quota is not applied to temporary     1772       This quota is not applied to temporary memory used for permission checks.
1773                                                  1773 
1774 Fix 2008/12/09                                   1774 Fix 2008/12/09
1775                                                  1775 
1776     @ Fix ccs_can_save_audit_log() checks.       1776     @ Fix ccs_can_save_audit_log() checks.
1777                                                  1777 
1778       Due to incorrect statement "if (ccs_can    1778       Due to incorrect statement "if (ccs_can_save_audit_log() < 0)"
1779       while ccs_can_save_audit_log() is boole    1779       while ccs_can_save_audit_log() is boolean, MAX_GRANT_LOG and
1780       MAX_REJECT_LOG were not working.           1780       MAX_REJECT_LOG were not working.
1781                                                  1781 
1782       This bug will trigger OOM killer if /us    1782       This bug will trigger OOM killer if /usr/sbin/ccs-auditd is not working.
1783                                                  1783 
1784 Fix 2008/12/24                                   1784 Fix 2008/12/24
1785                                                  1785 
1786     @ Add "ccs_" prefix.                         1786     @ Add "ccs_" prefix.
1787                                                  1787 
1788       To be able to tell whether a symbol is     1788       To be able to tell whether a symbol is TOMOYO Linux related or not,
1789       I added "ccs_" prefix as much as possib    1789       I added "ccs_" prefix as much as possible.
1790                                                  1790 
1791     @ Fix ccs_check_flags() error message.       1791     @ Fix ccs_check_flags() error message.
1792                                                  1792 
1793       I meant to print SYAORAN-ERROR: message    1793       I meant to print SYAORAN-ERROR: message when error == -EPERM,
1794       but I was printing it when error == 0 s    1794       but I was printing it when error == 0 since 1.6.0 .
1795                                                  1795 
1796 Fix 2009/01/05                                   1796 Fix 2009/01/05
1797                                                  1797 
1798     @ Use kmap_atomic()/kunmap_atomic() for r    1798     @ Use kmap_atomic()/kunmap_atomic() for reading "struct linux_binprm".
1799                                                  1799 
1800       As remove_arg_zero() uses kmap_atomic(K    1800       As remove_arg_zero() uses kmap_atomic(KM_USER0), I modified to use
1801       kmap_atomic(KM_USER0) rather than kmap(    1801       kmap_atomic(KM_USER0) rather than kmap().
1802                                                  1802 
1803 Fix 2009/01/28                                   1803 Fix 2009/01/28
1804                                                  1804 
1805     @ Fix "allow_read" + "allow_write" != "al    1805     @ Fix "allow_read" + "allow_write" != "allow_read/write" problem.
1806                                                  1806 
1807       Since 1.6.0 , due to a bug in ccs_updat    1807       Since 1.6.0 , due to a bug in ccs_update_single_path_acl(),
1808       appending "allow_read/write" entry didn    1808       appending "allow_read/write" entry didn't update internal "allow_read"
1809       and "allow_write" entries. As a result,    1809       and "allow_write" entries. As a result, attempt to open(O_RDWR) succeeds
1810       but open(O_RDONLY) and open(O_WRONLY) f    1810       but open(O_RDONLY) and open(O_WRONLY) fail.
1811                                                  1811 
1812       Workaround is to write an entry twice w    1812       Workaround is to write an entry twice when newly appending that entry.
1813       If written twice, internal "allow_read"    1813       If written twice, internal "allow_read" and "allow_write" entries
1814       are updated.                               1814       are updated.
1815                                                  1815 
1816 Fix 2009/02/26                                   1816 Fix 2009/02/26
1817                                                  1817 
1818     @ Fix profile read error.                    1818     @ Fix profile read error.
1819                                                  1819 
1820       Incorrect profiles were shown in /proc/    1820       Incorrect profiles were shown in /proc/ccs/profile
1821       if either CONFIG_SAKURA or CONFIG_TOMOY    1821       if either CONFIG_SAKURA or CONFIG_TOMOYO is disabled.
1822                                                  1822 
1823 Fix 2009/03/02                                   1823 Fix 2009/03/02
1824                                                  1824 
1825     @ Undelete CONFIG_TOMOYO_AUDIT option.       1825     @ Undelete CONFIG_TOMOYO_AUDIT option.
1826                                                  1826 
1827       While HDD-less systems can use profiles    1827       While HDD-less systems can use profiles with MAX_GRANT_LOG=0 and
1828       MAX_REJECT_LOG=0 , I undeleted CONFIG_T    1828       MAX_REJECT_LOG=0 , I undeleted CONFIG_TOMOYO_AUDIT option for saving
1829       memory used for /proc/ccs/grant_log and    1829       memory used for /proc/ccs/grant_log and /proc/ccs/reject_log interfaces.
1830                                                  1830 
1831 Fix 2009/03/13                                   1831 Fix 2009/03/13
1832                                                  1832 
1833     @ Show only profile entry names ever spec    1833     @ Show only profile entry names ever specified.
1834                                                  1834 
1835       Even if an administrator specifies only    1835       Even if an administrator specifies only COMMENT= and MAC_FOR_FILE=
1836       entries for /proc/ccs/profile , all ava    1836       entries for /proc/ccs/profile , all available profile entries are shown.
1837       This was designed to help administrator    1837       This was designed to help administrators to know what entries are
1838       available, but sometimes makes administ    1838       available, but sometimes makes administrators feel noisy because of
1839       entries showing default values.            1839       entries showing default values.
1840                                                  1840 
1841       Thus, I modified to show only profile e    1841       Thus, I modified to show only profile entry names ever specified.
1842                                                  1842 
1843 Fix 2009/03/18                                   1843 Fix 2009/03/18
1844                                                  1844 
1845     @ Add MAC_FOR_IOCTL functionality.           1845     @ Add MAC_FOR_IOCTL functionality.
1846                                                  1846 
1847       To be able to restrict ioctl() requests    1847       To be able to restrict ioctl() requests, I added MAC_FOR_IOCTL
1848       functionality.                             1848       functionality.
1849                                                  1849 
1850       This functionality requires modificatio    1850       This functionality requires modification of ccs-patch-\*.diff .
1851                                                  1851 
1852     @ Use better name for socket's pathname.     1852     @ Use better name for socket's pathname.
1853                                                  1853 
1854       Until now, socket's pathname was repres    1854       Until now, socket's pathname was represented as "socket:[\$]" format
1855       where \$ is inode's number. But inode's    1855       where \$ is inode's number. But inode's number is useless for name based
1856       access control. Therefore, I modified t    1856       access control. Therefore, I modified to represent socket's pathname as
1857       "socket:[family=\$:type=\$:protocol=\$]    1857       "socket:[family=\$:type=\$:protocol=\$]" format.
1858                                                  1858 
1859       This will help administrator to control    1859       This will help administrator to control ioctl() against sockets more
1860       precisely.                                 1860       precisely.
1861                                                  1861 
1862     @ Fix misplaced ccs_capable() call.  (onl    1862     @ Fix misplaced ccs_capable() call.  (only 2.6.8-\* and 2.6.9-\*)
1863                                                  1863 
1864       Location to insert ccs_capable(TOMOYO_S    1864       Location to insert ccs_capable(TOMOYO_SYS_IOCTL) in sys_ioctl() was
1865       wrong since version 1.1 .                  1865       wrong since version 1.1 .
1866                                                  1866 
1867     @ Insert ccs_check_ioctl_permission() cal    1867     @ Insert ccs_check_ioctl_permission() call.
1868                                                  1868 
1869       To make MAC_FOR_IOCTL functionality wor    1869       To make MAC_FOR_IOCTL functionality working, I inserted
1870       ccs_check_ioctl_permission() call into     1870       ccs_check_ioctl_permission() call into ccs-patch-\*.diff .
1871                                                  1871 
1872 Fix 2009/03/23                                   1872 Fix 2009/03/23
1873                                                  1873 
1874     @ Move sysctl()'s check from ccs-patch-\*    1874     @ Move sysctl()'s check from ccs-patch-\*.diff to fs/tomoyo_file.c .
1875                                                  1875 
1876       Since try_parse_table() in kernel/sysct    1876       Since try_parse_table() in kernel/sysctl.c is almost identical between
1877       all versions, I moved that function to     1877       all versions, I moved that function to fs/tomoyo_file.c .
1878                                                  1878 
1879     @ Relocate definitions and functions.        1879     @ Relocate definitions and functions.
1880                                                  1880 
1881       To reduce exposed symbols, I relocated     1881       To reduce exposed symbols, I relocated some definitions and functions.
1882                                                  1882 
1883 Fix 2009/03/24                                   1883 Fix 2009/03/24
1884                                                  1884 
1885     @ Add CONFIG_TOMOYO_BUILTIN_INITIALIZERS     1885     @ Add CONFIG_TOMOYO_BUILTIN_INITIALIZERS option.
1886                                                  1886 
1887       Some systems don't have /sbin/modprobe     1887       Some systems don't have /sbin/modprobe and /sbin/hotplug .
1888       Thus, I made these pathnames configurab    1888       Thus, I made these pathnames configurable.
1889                                                  1889 
1890 Version 1.6.7 2009/04/01   Feature enhancemen    1890 Version 1.6.7 2009/04/01   Feature enhancement release.
1891                                                  1891 
1892 Fix 2009/04/06                                   1892 Fix 2009/04/06
1893                                                  1893 
1894     @ Drop "undelete domain" command.            1894     @ Drop "undelete domain" command.
1895                                                  1895 
1896       I added "undelete domain" command on 20    1896       I added "undelete domain" command on 2007/01/19, but never used by policy
1897       management tools. The garbage collector    1897       management tools. The garbage collector I added on 2007/01/29 will
1898       automatically reuse memory and allow ad    1898       automatically reuse memory and allow administrators switch domain policy
1899       periodically, provided that the adminis    1899       periodically, provided that the administrator kills processes in old
1900       domains before recreating new domains w    1900       domains before recreating new domains with the same domainnames.
1901                                                  1901 
1902       Thus, I dropped "undelete domain" comma    1902       Thus, I dropped "undelete domain" command.
1903                                                  1903 
1904     @ Escape invalid characters in ccs_check_    1904     @ Escape invalid characters in ccs_check_mount_permission2().
1905                                                  1905 
1906       ccs_check_mount_permission2() was passi    1906       ccs_check_mount_permission2() was passing unencoded strings to printk()
1907       and ccs_update_mount_acl() and ccs_chec    1907       and ccs_update_mount_acl() and ccs_check_supervisor(). This may cause
1908       /proc/ccs/system_policy and /proc/ccs/q    1908       /proc/ccs/system_policy and /proc/ccs/query to contain invalid
1909       characters within a string.                1909       characters within a string.
1910                                                  1910 
1911 Fix 2009/04/07                                   1911 Fix 2009/04/07
1912                                                  1912 
1913     @ Fix IPv4's "address_group" handling err    1913     @ Fix IPv4's "address_group" handling error.
1914                                                  1914 
1915       Since 1.6.5 , due to lack of ntohl() (b    1915       Since 1.6.5 , due to lack of ntohl() (byte order conversion) in
1916       ccs_update_address_group_entry(), "addr    1916       ccs_update_address_group_entry(), "address_group" with IPv4 address was
1917       not working.                               1917       not working.
1918                                                  1918 
1919       This problem happens on little endian p    1919       This problem happens on little endian platforms (e.g. x86).
1920                                                  1920 
1921 Fix 2009/05/08                                   1921 Fix 2009/05/08
1922                                                  1922 
1923     @ Add condition for symlink's target path    1923     @ Add condition for symlink's target pathname.
1924                                                  1924 
1925       Until now, "allow_symlink" keyword allo    1925       Until now, "allow_symlink" keyword allows creation of a symlink but does
1926       not check the symlink's target. Usually    1926       not check the symlink's target. Usually it is no problem because
1927       permission checks are done using derefe    1927       permission checks are done using dereferenced pathname. But in some
1928       cases, we should restrict the symlink's    1928       cases, we should restrict the symlink's target. For example,
1929       "ln -s .htpasswd /var/www/html/readme.h    1929       "ln -s .htpasswd /var/www/html/readme.html" by CGI program should be
1930       blocked because we will allow Apache to    1930       blocked because we will allow Apache to read both
1931       /var/www/html/readme.html and /var/www/    1931       /var/www/html/readme.html and /var/www/html/.htpasswd .
1932                                                  1932 
1933       Thus, I added new condition, "symlink.t    1933       Thus, I added new condition, "symlink.target".
1934                                                  1934 
1935         allow_symlink /var/www/html/\*.html i    1935         allow_symlink /var/www/html/\*.html if symlink.target="\*.html"
1936                                                  1936 
1937         allow_symlink /var/www/html/\*\-.\* i    1937         allow_symlink /var/www/html/\*\-.\* if symlink.target="\*\-.\*"
1938                                                  1938 
1939     @ Don't return -EAGAIN at ccs_socket_recv    1939     @ Don't return -EAGAIN at ccs_socket_recvmsg_permission().
1940                                                  1940 
1941       It turned out that it is not permitted     1941       It turned out that it is not permitted for accept() and recvmsg() to
1942       return -EAGAIN if poll() said connectio    1942       return -EAGAIN if poll() said connections/datagrams are ready. However,
1943       recvmsg() may return -EAGAIN and potent    1943       recvmsg() may return -EAGAIN and potentially confuse some applications
1944       because ccs_socket_recvmsg_permission()    1944       because ccs_socket_recvmsg_permission() is returning -EAGAIN.
1945                                                  1945 
1946       Thus, I modified ccs_socket_recvmsg_per    1946       Thus, I modified ccs_socket_recvmsg_permission() to return -ENOMEM
1947       rather than -EAGAIN.                       1947       rather than -EAGAIN.
1948                                                  1948 
1949 Fix 2009/05/19                                   1949 Fix 2009/05/19
1950                                                  1950 
1951     @ Don't call get_fs_type() with a mutex h    1951     @ Don't call get_fs_type() with a mutex held.
1952                                                  1952 
1953       Until now, when ccs_update_mount_acl()     1953       Until now, when ccs_update_mount_acl() is called with unsupported
1954       filesystem, /sbin/modprobe is executed     1954       filesystem, /sbin/modprobe is executed from get_fs_type() to load
1955       filesystem module. And get_fs_type() do    1955       filesystem module. And get_fs_type() does not return until /sbin/modprobe
1956       finishes.                                  1956       finishes.
1957                                                  1957 
1958       This means that it will cause deadlock     1958       This means that it will cause deadlock if /sbin/modprobe (which is
1959       executed via get_fs_type() in ccs_updat    1959       executed via get_fs_type() in ccs_update_mount_acl()) calls
1960       ccs_update_mount_acl(); although it won    1960       ccs_update_mount_acl(); although it won't happen unless an administrator
1961       inserts execute_handler to call mount()    1961       inserts execute_handler to call mount() requests in learning mode or to
1962       add "allow_mount" entries to /proc/ccs/    1962       add "allow_mount" entries to /proc/ccs/system_policy .
1963                                                  1963 
1964       I modified to unlock the mutex before c    1964       I modified to unlock the mutex before calling get_fs_type().
1965                                                  1965 
1966 Fix 2009/05/20                                   1966 Fix 2009/05/20
1967                                                  1967 
1968     @ Update recvmsg() hooks.                    1968     @ Update recvmsg() hooks.
1969                                                  1969 
1970       Since 1.5.0, I was doing network access    1970       Since 1.5.0, I was doing network access control for incoming UDP and RAW
1971       packets inside skb_recv_datagram(). But    1971       packets inside skb_recv_datagram(). But to synchronize with LSM version,
1972       I moved ccs_recv_datagram_permission()     1972       I moved ccs_recv_datagram_permission() hook from skb_recv_datagram() to
1973       udp_recvmsg()/udpv6_recvmsg()/raw_recvm    1973       udp_recvmsg()/udpv6_recvmsg()/raw_recvmsg()/rawv6_recvmsg() with name
1974       change to ccs_recvmsg_permission().        1974       change to ccs_recvmsg_permission().
1975                                                  1975 
1976 Version 1.6.8 2009/05/28   Feature enhancemen    1976 Version 1.6.8 2009/05/28   Feature enhancement release.
1977                                                  1977 
1978 Fix 2009/07/03                                   1978 Fix 2009/07/03
1979                                                  1979 
1980     @ Fix buffer overrun when used with CONFI    1980     @ Fix buffer overrun when used with CONFIG_SLOB=y .
1981                                                  1981 
1982       Since 1.6.7 , ccs_allocate_execve_entry    1982       Since 1.6.7 , ccs_allocate_execve_entry() was requesting for only 4000
1983       bytes while the comment says it is 4096    1983       bytes while the comment says it is 4096 bytes. This may lead to buffer
1984       overrun when slob allocator is used, fo    1984       overrun when slob allocator is used, for slob allocator allocates exactly
1985       4000 bytes whereas slab and slub alloca    1985       4000 bytes whereas slab and slub allocators allocate 4096 bytes.
1986                                                  1986 
1987 Fix 2009/09/01                                   1987 Fix 2009/09/01
1988                                                  1988 
1989     @ Add garbage collector support.             1989     @ Add garbage collector support.
1990                                                  1990 
1991       Until now, it was impossible to release    1991       Until now, it was impossible to release memory used by deleted policy.
1992       I added SRCU based garbage collector so    1992       I added SRCU based garbage collector so that memory used by deleted
1993       policy will be automatically released.     1993       policy will be automatically released.
1994                                                  1994 
1995     @ Remove word length limitation and line     1995     @ Remove word length limitation and line length limitation.
1996                                                  1996 
1997       Until now, the max length of a word is     1997       Until now, the max length of a word is 4000 and the max length of a line
1998       is 8192. To be able to handle longer pa    1998       is 8192. To be able to handle longer pathnames, I removed these
1999       limitations. Now, the max length (excep    1999       limitations. Now, the max length (except the domainname and
2000       argv[]/envp[]) is 128K (which is the ma    2000       argv[]/envp[]) is 128K (which is the max amount of memory kmalloc()
2001       can allocate in most environments).        2001       can allocate in most environments).
2002                                                  2002 
2003     @ Support more fine grained profile confi    2003     @ Support more fine grained profile configuration.
2004                                                  2004 
2005       Profile was reconstructed.                 2005       Profile was reconstructed.
2006                                                  2006 
2007     @ Support more fine grained parameters re    2007     @ Support more fine grained parameters restrictions.
2008                                                  2008 
2009       "allow_create", "allow_mkdir", "allow_m    2009       "allow_create", "allow_mkdir", "allow_mkfifo", "allow_mksock" check
2010       create mode. "allow_mkblock" and "allow    2010       create mode. "allow_mkblock" and "allow_mkchar" check create mode and
2011       major/minor device numbers. "allow_chmo    2011       major/minor device numbers. "allow_chmod" check new mode. "allow_chown"
2012       checks new owner. "allow_chgrp" checks     2012       checks new owner. "allow_chgrp" checks new group.
2013                                                  2013 
2014     @ Allow number grouping.                     2014     @ Allow number grouping.
2015                                                  2015 
2016       To help specifying numeric values, a ne    2016       To help specifying numeric values, a new directive "number_group" is
2017       introduced.                                2017       introduced.
2018                                                  2018 
2019     @ Remove "alias" directive and "allow_arg    2019     @ Remove "alias" directive and "allow_argv0" directive.
2020                                                  2020 
2021       Until now, "allow_execute" used derefer    2021       Until now, "allow_execute" used dereferenced pathname if it is a symlink
2022       unless explicitly specified by "alias"     2022       unless explicitly specified by "alias" directive.
2023                                                  2023 
2024       Now, "allow_execute" uses symlink's pat    2024       Now, "allow_execute" uses symlink's pathname if it is a symlink.
2025       "exec.realpath" in "if" clause checks t    2025       "exec.realpath" in "if" clause checks the dereferenced pathname.
2026       "exec.argv[0]" in "if" clause checks th    2026       "exec.argv[0]" in "if" clause checks the invocation name.
2027                                                  2027 
2028     @ Remove /proc/ccs/system_policy and /etc    2028     @ Remove /proc/ccs/system_policy and /etc/ccs/system_policy.conf .
2029                                                  2029 
2030       "deny_autobind" was moved to /proc/ccs/    2030       "deny_autobind" was moved to /proc/ccs/exception_policy and
2031       /etc/ccs/exception_policy.conf . Other     2031       /etc/ccs/exception_policy.conf . Other directives were moved to
2032       /proc/ccs/domain_policy and /etc/ccs/do    2032       /proc/ccs/domain_policy and /etc/ccs/domain_policy.conf .
2033                                                  2033 
2034     @ Remove syaoran filesystem.                 2034     @ Remove syaoran filesystem.
2035                                                  2035 
2036       Since "allow_create"/"allow_mkdir"/"all    2036       Since "allow_create"/"allow_mkdir"/"allow_mkfifo"/"allow_mksock"/
2037       "allow_mkblock"/"allow_mkchar"/"allow_c    2037       "allow_mkblock"/"allow_mkchar"/"allow_chmod"/"allow_chown"/"allow_chgrp"
2038       can restrict mode changes and owner/gro    2038       can restrict mode changes and owner/group changes, there is no need to
2039       restrict these changes at filesystem le    2039       restrict these changes at filesystem level.
2040                                                  2040 
2041       Thus, I removed syaoran filesystem.        2041       Thus, I removed syaoran filesystem.
2042                                                  2042 
2043     @ Reduce spinlocks.                          2043     @ Reduce spinlocks.
2044                                                  2044 
2045       Until now, TOMOYO was using own list fo    2045       Until now, TOMOYO was using own list for detecting memory leak. But as
2046       kernel 2.6.31 introduced memory leak de    2046       kernel 2.6.31 introduced memory leak detection mechanism
2047       ( CONFIG_DEBUG_KMEMLEAK ), TOMOYO no lo    2047       ( CONFIG_DEBUG_KMEMLEAK ), TOMOYO no longer needs to use own list.
2048                                                  2048 
2049       I removed the list to reduce use of spi    2049       I removed the list to reduce use of spinlocks.
2050                                                  2050 
2051     @ Rewrite ccs-patch-2.\*.diff .              2051     @ Rewrite ccs-patch-2.\*.diff .
2052                                                  2052 
2053       ccs-patch-2.\*.diff was rewritten like     2053       ccs-patch-2.\*.diff was rewritten like LSM hooks.
2054                                                  2054 
2055     @ Don't check "allow_read/write" for open    2055     @ Don't check "allow_read/write" for open-for-ioctl-only.
2056                                                  2056 
2057       open(pathname, 3) means open for ioctl(    2057       open(pathname, 3) means open for ioctl() only.
2058       Until now, TOMOYO was checking "allow_r    2058       Until now, TOMOYO was checking "allow_read/write" for open(pathname, 3).
2059       But since TOMOYO checks "allow_ioctl" f    2059       But since TOMOYO checks "allow_ioctl" for ioctl(), I modified not to
2060       require "allow_read/write" for open(pat    2060       require "allow_read/write" for open(pathname, 3).
2061                                                  2061 
2062     @ Add missing sigqueue() and tgsigqueue()    2062     @ Add missing sigqueue() and tgsigqueue() hooks.
2063                                                  2063 
2064       Until now, kill(), tkill(), tgkill() ha    2064       Until now, kill(), tkill(), tgkill() had hooks but sigqueue() and
2065       tgsigqueue() didn't.                       2065       tgsigqueue() didn't.
2066                                                  2066 
2067     @ Move files from fs/ to security/ccsecur    2067     @ Move files from fs/ to security/ccsecurity.
2068                                                  2068 
2069       Config menu section changed from "File     2069       Config menu section changed from "File systems" to "Security options".
2070                                                  2070 
2071       Kernel config symbols changed from CONF    2071       Kernel config symbols changed from CONFIG_SAKURA CONFIG_TOMOYO
2072       CONFIG_SYAORAN to CONFIG_CCSECURITY .      2072       CONFIG_SYAORAN to CONFIG_CCSECURITY .
2073                                                  2073 
2074     @ Add global PID to audit logs.              2074     @ Add global PID to audit logs.
2075                                                  2075 
2076       ccs-queryd was using domainname for rea    2076       ccs-queryd was using domainname for reaching the domain which the process
2077       belongs to, but the domain could be del    2077       belongs to, but the domain could be deleted while ccs-queryd is handling
2078       policy violation. If the domain is dele    2078       policy violation. If the domain is deleted, ccs-queryd no longer can
2079       reach the domain by domainname. Thus, c    2079       reach the domain by domainname. Thus, ccs-queryd now uses PID for
2080       reaching the domain which the process b    2080       reaching the domain which the process belongs to.
2081                                                  2081 
2082       Kernel 2.6.24 introduced PID namespace.    2082       Kernel 2.6.24 introduced PID namespace. The PID in access logs generated
2083       by a process inside a container is usel    2083       by a process inside a container is useless for ccs-queryd for reaching
2084       the domain which the process belongs to    2084       the domain which the process belongs to.
2085                                                  2085 
2086       Thus, I added global PID in audit logs.    2086       Thus, I added global PID in audit logs.
2087                                                  2087 
2088     @ Transit to new domain before do_execve(    2088     @ Transit to new domain before do_execve() succeeds.
2089                                                  2089 
2090       Permission checks for interpreters and     2090       Permission checks for interpreters and environment variables are
2091       done using new domain. In order to allo    2091       done using new domain. In order to allow ccs-queryd to reach the new
2092       domain via global PID, I reverted "Don'    2092       domain via global PID, I reverted "Don't transit to new domain until
2093       do_execve() succeeds." made on 2008/10/    2093       do_execve() succeeds." made on 2008/10/07.
2094                                                  2094 
2095 Version 1.7.0 2009/09/03   Feature enhancemen    2095 Version 1.7.0 2009/09/03   Feature enhancement release.
2096                                                  2096 
2097 Fix 2009/09/04                                   2097 Fix 2009/09/04
2098                                                  2098 
2099     @ Fix wrong ccs_profile() calls.             2099     @ Fix wrong ccs_profile() calls.
2100                                                  2100 
2101       I can't call ccs_profile() for profile     2101       I can't call ccs_profile() for profile existence test because
2102       ccs_profile() never returns NULL.          2102       ccs_profile() never returns NULL.
2103                                                  2103 
2104 Fix 2009/09/06                                   2104 Fix 2009/09/06
2105                                                  2105 
2106     @ Fix wrong error code in ccs_try_alt_exe    2106     @ Fix wrong error code in ccs_try_alt_exec().
2107                                                  2107 
2108       ccs_try_alt_exec() was returning ENOMEM    2108       ccs_try_alt_exec() was returning ENOMEM when kmalloc() failed.
2109       It needs to return -ENOMEM to fail.        2109       It needs to return -ENOMEM to fail.
2110                                                  2110 
2111 Fix 2009/09/10                                   2111 Fix 2009/09/10
2112                                                  2112 
2113     @ Do not check umount() permission for mo    2113     @ Do not check umount() permission for mount(MS_MOVE) requests.
2114                                                  2114 
2115       Until 1.6.x , umount() restriction was     2115       Until 1.6.x , umount() restriction was black listing. In 1.7.0 , it is
2116       white listing. This change caused "moun    2116       white listing. This change caused "mount --move old new" requests to
2117       require "allow_unmount old" permission     2117       require "allow_unmount old" permission in addition to
2118       "allow_mount old new --move 0" permissi    2118       "allow_mount old new --move 0" permission.
2119       But we don't want to allow umount(old)     2119       But we don't want to allow umount(old) requests when we want to allow
2120       only mount(old, new, MS_MOVE) requests.    2120       only mount(old, new, MS_MOVE) requests. Thus, I modified not to check
2121       "allow_unmount old" permission for moun    2121       "allow_unmount old" permission for mount(old, new, MS_MOVE) requests.
2122                                                  2122 
2123 Fix 2009/09/11                                   2123 Fix 2009/09/11
2124                                                  2124 
2125     @ Support recursive match operators.         2125     @ Support recursive match operators.
2126                                                  2126 
2127       Until now, ccs_path_matches_pattern() d    2127       Until now, ccs_path_matches_pattern() did not support recursive
2128       comparison. Thus, users had to repeat "    2128       comparison. Thus, users had to repeat "/\*" when they want to specify
2129       recursively.                               2129       recursively.
2130                                                  2130 
2131       I introduced "\{" and "\}" as repetitio    2131       I introduced "\{" and "\}" as repetition operator.
2132       To ensure consistency with TOMOYO's '/'    2132       To ensure consistency with TOMOYO's '/'-tokenized pattern matching rules
2133       and "\-" operator, only "/\{dir\}/" seq    2133       and "\-" operator, only "/\{dir\}/" sequences (where dir does not contain
2134       '/') is permitted.                         2134       '/') is permitted.
2135                                                  2135 
2136 Fix 2009/09/24                                   2136 Fix 2009/09/24
2137                                                  2137 
2138     @ Don't check chmod/chown capability for     2138     @ Don't check chmod/chown capability for requests from kernel.
2139                                                  2139 
2140       Until now, ccs_setattr_permission() was    2140       Until now, ccs_setattr_permission() was inserted in notify_change().
2141       But notify_change() is also called by r    2141       But notify_change() is also called by requests from kernel (e.g. UnionFS)
2142       and it made difficult to use TOMOYO on     2142       and it made difficult to use TOMOYO on UnionFS.
2143                                                  2143 
2144       Thus, I moved ccs_capable() checks from    2144       Thus, I moved ccs_capable() checks from ccs_setattr_permission() to
2145       ccs_chmod_permission() and ccs_chown_pe    2145       ccs_chmod_permission() and ccs_chown_permission(), and removed
2146       ccs_setattr_permission().                  2146       ccs_setattr_permission().
2147                                                  2147 
2148 Fix 2009/09/25                                   2148 Fix 2009/09/25
2149                                                  2149 
2150     @ Embed more information into audit logs.    2150     @ Embed more information into audit logs.
2151                                                  2151 
2152       Until now, /proc/ccs/grant_log /proc/cc    2152       Until now, /proc/ccs/grant_log /proc/ccs/reject_log /proc/ccs/query were
2153       not printing file's information (e.g. f    2153       not printing file's information (e.g. file's uid/gid/mode).
2154                                                  2154 
2155       Recently, users who started using "if"     2155       Recently, users who started using "if" clause expect that the learning
2156       mode automatically adds various conditi    2156       mode automatically adds various conditions like "if task.uid=path1.uid".
2157                                                  2157 
2158       But the profile will become too complic    2158       But the profile will become too complicated if I support all possible
2159       conditions. Thus, I added all informati    2159       conditions. Thus, I added all information which is enough to generate
2160       "if" clause with all possible condition    2160       "if" clause with all possible conditions from audit logs.
2161                                                  2161 
2162       Now, the learning mode got different us    2162       Now, the learning mode got different usage. Users can specify
2163       "CONFIG::learning={ max_entry=0 }" in t    2163       "CONFIG::learning={ max_entry=0 }" in the profile. All requests which
2164       are not permitted by policy will be sen    2164       are not permitted by policy will be sent to /proc/ccs/reject_log with
2165       "mode=learning" header lines. Users can    2165       "mode=learning" header lines. Users can selectively append conditions
2166       and append to the policy using "/usr/sb    2166       and append to the policy using "/usr/sbin/ccs-loadpolicy -d".
2167       The learning mode with "CONFIG::learnin    2167       The learning mode with "CONFIG::learning={ max_entry=0 }" is almost
2168       the same with the permissive mode, only    2168       the same with the permissive mode, only difference is "mode=learning"
2169       and "mode=permissive".                     2169       and "mode=permissive".
2170                                                  2170 
2171 Fix 2009/10/05                                   2171 Fix 2009/10/05
2172                                                  2172 
2173     @ Fix size truncation bug at ccs_memcmp()    2173     @ Fix size truncation bug at ccs_memcmp().
2174                                                  2174 
2175       ccs_memcmp() was using "u8" for size pa    2175       ccs_memcmp() was using "u8" for size parameter by error. Therefore, when
2176       size >= 256 was passed to ccs_memcmp(),    2176       size >= 256 was passed to ccs_memcmp(), it was doing partial comparison
2177       (incorrect result) or read overrun (CPU    2177       (incorrect result) or read overrun (CPU stall).
2178                                                  2178 
2179       ccs_memcmp() should use "size_t" for si    2179       ccs_memcmp() should use "size_t" for size parameter because size of
2180       "struct ccs_condition" may exceed 256 b    2180       "struct ccs_condition" may exceed 256 bytes if complicated condition was
2181       given.                                     2181       given.
2182                                                  2182 
2183 Fix 2009/10/08                                   2183 Fix 2009/10/08
2184                                                  2184 
2185     @ Add CONFIG_CCSECURITY_DEFAULT_LOADER op    2185     @ Add CONFIG_CCSECURITY_DEFAULT_LOADER option.
2186                                                  2186 
2187       I made the default policy loader's path    2187       I made the default policy loader's pathname ( /sbin/ccs-init )
2188       configurable.                              2188       configurable.
2189                                                  2189 
2190     @ Add CONFIG_CCSECURITY_ALTERNATIVE_TRIGG    2190     @ Add CONFIG_CCSECURITY_ALTERNATIVE_TRIGGER option.
2191                                                  2191 
2192       Some environments do not have /sbin/ini    2192       Some environments do not have /sbin/init . In such environments, we need
2193       to use different program's pathname (e.    2193       to use different program's pathname (e.g. /init or /linuxrc ) as
2194       activation trigger.                        2194       activation trigger.
2195                                                  2195 
2196       Thus, I made the alternative trigger (     2196       Thus, I made the alternative trigger ( /sbin/ccs-start ) configurable.
2197                                                  2197 
2198 Fix 2009/11/02                                   2198 Fix 2009/11/02
2199                                                  2199 
2200     @ Fix buffer contention.                     2200     @ Fix buffer contention.
2201                                                  2201 
2202       A permission like                          2202       A permission like
2203                                                  2203 
2204         allow_env PATH if exec.envp["PATH"]="    2204         allow_env PATH if exec.envp["PATH"]="/"
2205                                                  2205 
2206       was not working since I was using the s    2206       was not working since I was using the same buffer for both environment
2207       variable's name and value.                 2207       variable's name and value.
2208                                                  2208 
2209 Fix 2009/11/03                                   2209 Fix 2009/11/03
2210                                                  2210 
2211     @ Fix memory leak in ccs_write_address_gr    2211     @ Fix memory leak in ccs_write_address_group_policy().
2212                                                  2212 
2213       I forgot to call kfree() if same entry     2213       I forgot to call kfree() if same entry was added.
2214                                                  2214 
2215     @ Reduce mutexes.                            2215     @ Reduce mutexes.
2216                                                  2216 
2217       I was using mutex_lock()/mutex_unlock()    2217       I was using mutex_lock()/mutex_unlock() so that I can use
2218       atomic_dec_and_test() for removing an e    2218       atomic_dec_and_test() for removing an element from a list.
2219       I moved that operation to garbage colle    2219       I moved that operation to garbage collector in order to reduce frequency
2220       of mutex_lock()/mutex_unlock() calls.      2220       of mutex_lock()/mutex_unlock() calls.
2221                                                  2221 
2222     @ Escape from nested loops correctly.        2222     @ Escape from nested loops correctly.
2223                                                  2223 
2224       In ccs_read_address_group_policy(), I w    2224       In ccs_read_address_group_policy(), I was escaping from nested loops
2225       correctly. But in ccs_read_path_group_p    2225       correctly. But in ccs_read_path_group_policy() and
2226       ccs_read_number_group_policy(), I wasn'    2226       ccs_read_number_group_policy(), I wasn't.
2227                                                  2227 
2228       As a result, reading path_group and num    2228       As a result, reading path_group and number_group caused kernel oops
2229       when they were not read atomically.        2229       when they were not read atomically.
2230                                                  2230 
2231 Fix 2009/11/06                                   2231 Fix 2009/11/06
2232                                                  2232 
2233     @ Fix incorrect allow_mount audit log.       2233     @ Fix incorrect allow_mount audit log.
2234                                                  2234 
2235       Audit log for allow_mount was using dec    2235       Audit log for allow_mount was using decimal format.
2236       It needs to use hexadecimal format.        2236       It needs to use hexadecimal format.
2237                                                  2237 
2238 Fix 2009/11/09                                   2238 Fix 2009/11/09
2239                                                  2239 
2240     @ Add profile version check.                 2240     @ Add profile version check.
2241                                                  2241 
2242       To avoid upgrading from TOMOYO 1.6.x to    2242       To avoid upgrading from TOMOYO 1.6.x to TOMOYO 1.7.x without upgrading
2243       /proc/ccs/profile (which results in not    2243       /proc/ccs/profile (which results in not protecting the system at all),
2244       I added a check for PROFILE_VERSION= .     2244       I added a check for PROFILE_VERSION= .
2245                                                  2245 
2246 Version 1.7.1 2009/11/11   Fourth anniversary    2246 Version 1.7.1 2009/11/11   Fourth anniversary release.
2247                                                  2247 
2248 Fix 2009/11/13                                   2248 Fix 2009/11/13
2249                                                  2249 
2250     @ Don't use core_initcall() for initializ    2250     @ Don't use core_initcall() for initializing lock for GC.
2251                                                  2251 
2252      Some kernels call TOMOYO's hooks before     2252      Some kernels call TOMOYO's hooks before processing core_initcall().
2253      Thus, I can't use core_initcall() for in    2253      Thus, I can't use core_initcall() for initializing lock for GC.
2254                                                  2254 
2255 Fix 2009/11/18                                   2255 Fix 2009/11/18
2256                                                  2256 
2257     @ Don't check "allow_write" permission fo    2257     @ Don't check "allow_write" permission for open(O_RDONLY | O_TRUNC).
2258                                                  2258 
2259       Since TOMOYO checks "allow_truncate" pe    2259       Since TOMOYO checks "allow_truncate" permission rather than "allow_write"
2260       permission for O_TRUNC, I need to disti    2260       permission for O_TRUNC, I need to distinguish open(O_RDONLY | O_TRUNC)
2261       and open(O_RDWR | O_TRUNC). But I made     2261       and open(O_RDWR | O_TRUNC). But I made a mistake between TOMOYO 1.7.0 and
2262       1.7.1 which made it impossible for TOMO    2262       1.7.1 which made it impossible for TOMOYO for kernels 2.6.14 and earlier
2263       to distinguish them.                       2263       to distinguish them.
2264                                                  2264 
2265 Fix 2009/11/27                                   2265 Fix 2009/11/27
2266                                                  2266 
2267     @ Use newly created domain's name for dom    2267     @ Use newly created domain's name for domain creation audit log.
2268                                                  2268 
2269       Since 1.7.0 , /proc/ccs/reject_log was     2269       Since 1.7.0 , /proc/ccs/reject_log was by error using existing domain's
2270       name when auditing newly created domain    2270       name when auditing newly created domain's "use_profile" line.
2271                                                  2271 
2272 Fix 2009/12/12                                   2272 Fix 2009/12/12
2273                                                  2273 
2274     @ Use rcu_read_lock() for find_task_by_pi    2274     @ Use rcu_read_lock() for find_task_by_pid().
2275                                                  2275 
2276       Since kernel 2.6.18 , caller of find_ta    2276       Since kernel 2.6.18 , caller of find_task_by_pid() needs to call
2277       rcu_read_lock() rather than read_lock(&    2277       rcu_read_lock() rather than read_lock(&tasklist_lock) because find_pid()
2278       uses RCU primitives but spinlock does n    2278       uses RCU primitives but spinlock does not prevent RCU callback if
2279       preemptive RCU ( CONFIG_PREEMPT_RCU or     2279       preemptive RCU ( CONFIG_PREEMPT_RCU or CONFIG_TREE_PREEMPT_RCU ) is
2280       enabled.                                   2280       enabled.
2281                                                  2281 
2282 Fix 2009/12/15                                   2282 Fix 2009/12/15
2283                                                  2283 
2284     @ Allow deleting "quota_exceeded" and "tr    2284     @ Allow deleting "quota_exceeded" and "transition_failed" entries.
2285                                                  2285 
2286       To notify users of "this domain has too    2286       To notify users of "this domain has too many entries to hold" and "some
2287       process in this domain was not able to     2287       process in this domain was not able to perform domain transition",
2288       "quota_exceeded" and "transition_failed    2288       "quota_exceeded" and "transition_failed" messages are used respectively.
2289       These messages were not deletable. But     2289       These messages were not deletable. But it is more convenient for users
2290       to be notified again if such events occ    2290       to be notified again if such events occurred again after tuning policy.
2291       Thus, I made these messages deletable.     2291       Thus, I made these messages deletable.
2292                                                  2292 
2293 Fix 2009/12/17                                   2293 Fix 2009/12/17
2294                                                  2294 
2295     @ Don't check read permission in ccs_try_    2295     @ Don't check read permission in ccs_try_alt_exec().
2296                                                  2296 
2297       While I was trying to remove ccs_execve    2297       While I was trying to remove ccs_execve_list list for GC optimization
2298       between TOMOYO 1.7.0 and 1.7.1 , I made    2298       between TOMOYO 1.7.0 and 1.7.1 , I made a mistake which made TOMOYO to
2299       check allow_read permission of the prog    2299       check allow_read permission of the programs specified by execute_handler
2300       and denied_execute_handler keywords.       2300       and denied_execute_handler keywords.
2301                                                  2301 
2302     @ Don't check DAC permission if disabled     2302     @ Don't check DAC permission if disabled mode.
2303                                                  2303 
2304       I was checking DAC permissions regardin    2304       I was checking DAC permissions regarding directory entry modification
2305       operations (e.g. mkdir()) even if mode=    2305       operations (e.g. mkdir()) even if mode=disabled . It is a waste of CPU
2306       resource to check DAC permissions when     2306       resource to check DAC permissions when MAC permissions are not checked.
2307       Thus, I modified to skip DAC permission    2307       Thus, I modified to skip DAC permission checks if mode=disabled .
2308                                                  2308 
2309 Fix 2009/12/19                                   2309 Fix 2009/12/19
2310                                                  2310 
2311     @ Fix memory leak in ccs_environ().          2311     @ Fix memory leak in ccs_environ().
2312                                                  2312 
2313       When I fixed a bug that a permission li    2313       When I fixed a bug that a permission like
2314                                                  2314 
2315         allow_env PATH if exec.envp["PATH"]="    2315         allow_env PATH if exec.envp["PATH"]="/"
2316                                                  2316 
2317       was not working (2009/11/02), I allocat    2317       was not working (2009/11/02), I allocated two buffers but only one buffer
2318       was released.                              2318       was released.
2319                                                  2319 
2320       This bug will trigger OOM killer if env    2320       This bug will trigger OOM killer if environment variable checking is
2321       enabled.                                   2321       enabled.
2322                                                  2322 
2323 Fix 2010/01/17                                   2323 Fix 2010/01/17
2324                                                  2324 
2325     @ Use current domain's name for execute_h    2325     @ Use current domain's name for execute_handler audit log.
2326                                                  2326 
2327       Since 1.6.7 , /proc/ccs/grant_log was b    2327       Since 1.6.7 , /proc/ccs/grant_log was by error using next domain's name
2328       when auditing current domain's "execute    2328       when auditing current domain's "execute_handler" line.
2329                                                  2329 
2330 Fix 2010/03/02                                   2330 Fix 2010/03/02
2331                                                  2331 
2332     @ Allow domain transition without execve(    2332     @ Allow domain transition without execve().
2333                                                  2333 
2334       To be able to split permissions for Apa    2334       To be able to split permissions for Apache's CGI programs which are
2335       executed without execve(), I added spec    2335       executed without execve(), I added special domain transition which is
2336       performed by atomically writing '\0'-te    2336       performed by atomically writing '\0'-terminated binary string to
2337       /proc/ccs/.transition interface. For ex    2337       /proc/ccs/.transition interface. For example, a process which belongs to
2338       "<kernel> /usr/sbin/httpd" domain will     2338       "<kernel> /usr/sbin/httpd" domain will transit to
2339       "<kernel> /usr/sbin/httpd //app=cgi1\04    2339       "<kernel> /usr/sbin/httpd //app=cgi1\040id=10000" domain by atomically
2340       writing "app=cgi1 id=10000" + '\0' to /    2340       writing "app=cgi1 id=10000" + '\0' to /proc/ccs/.transition using
2341       Apache's ap_hook_handler() functionalit    2341       Apache's ap_hook_handler() functionality.
2342                                                  2342 
2343       Note that '\0'-terminated binary string    2343       Note that '\0'-terminated binary string is converted to TOMOYO's string
2344       inside kernel and prefix "//" is automa    2344       inside kernel and prefix "//" is automatically added to the string so
2345       that domainname does not conflict with     2345       that domainname does not conflict with domainnames created by execve().
2346       Without this prefix, if "<kernel> /usr/    2346       Without this prefix, if "<kernel> /usr/sbin/sshd /bin/bash" domain is
2347       allowed to open /proc/ccs/.transition f    2347       allowed to open /proc/ccs/.transition for writing and
2348       "<kernel> /usr/sbin/sshd /bin/bash /usr    2348       "<kernel> /usr/sbin/sshd /bin/bash /usr/bin/passwd" domain is allowed to
2349       access /etc/shadow , /bin/bash will be     2349       access /etc/shadow , /bin/bash will be able to access /etc/shadow by
2350       atomically writing "/usr/bin/passwd" +     2350       atomically writing "/usr/bin/passwd" + '\0' to /proc/ccs/.transition .
2351       Allowing /bin/bash to access /etc/shado    2351       Allowing /bin/bash to access /etc/shadow is not what people want.
2352                                                  2352 
2353       Permission for this operation is checke    2353       Permission for this operation is checked by "allow_transit" keyword.
2354       Unlike "allow_execute" keyword, the str    2354       Unlike "allow_execute" keyword, the string parameter for "allow_transit"
2355       keyword does not refer a real file on f    2355       keyword does not refer a real file on filesystem's namespace. Therefore,
2356       you can store any combination of parame    2356       you can store any combination of parameters like LDAP's DN entry in the
2357       string parameter for "allow_transit" ke    2357       string parameter for "allow_transit" keyword.
2358                                                  2358 
2359 Fix 2010/03/08                                   2359 Fix 2010/03/08
2360                                                  2360 
2361     @ Allow building as loadable kernel modul    2361     @ Allow building as loadable kernel module.
2362                                                  2362 
2363       To be able to minimize filesize increme    2363       To be able to minimize filesize increment of vmlinux, I made it
2364       possible to compile TOMOYO Linux as loa    2364       possible to compile TOMOYO Linux as loadable kernel module.
2365       Although patching the kernel source and    2365       Although patching the kernel source and recompiling the kernel are
2366       inevitable, this change will make it ea    2366       inevitable, this change will make it easier to enable TOMOYO Linux
2367       when there is a filesize limitation on     2367       when there is a filesize limitation on vmlinux (e.g. embedded systems).
2368                                                  2368 
2369 Fix 2010/03/25                                   2369 Fix 2010/03/25
2370                                                  2370 
2371     @ Fix ccs_get_ipv6_address() bug.            2371     @ Fix ccs_get_ipv6_address() bug.
2372                                                  2372 
2373       Since 1.7.0 , ccs_get_ipv6_address() wa    2373       Since 1.7.0 , ccs_get_ipv6_address() was by error returning address of
2374       "struct list_head ccs_address_list" if     2374       "struct list_head ccs_address_list" if memory allocation failed.
2375       As a result, ccs_put_ipv6_address() wil    2375       As a result, ccs_put_ipv6_address() will modify memory near
2376       "struct list_head ccs_address_list" if     2376       "struct list_head ccs_address_list" if memory allocation failed.
2377                                                  2377 
2378 Fix 2010/03/26                                   2378 Fix 2010/03/26
2379                                                  2379 
2380     @ Fix ccs_lport_reserved() bug.              2380     @ Fix ccs_lport_reserved() bug.
2381                                                  2381 
2382       Since 1.7.0 , ccs_lport_reserved() was     2382       Since 1.7.0 , ccs_lport_reserved() was by error checking wrong port
2383       number. As a result, "deny_autobind" ke    2383       number. As a result, "deny_autobind" keyword was not working as expected.
2384                                                  2384 
2385 Version 1.7.2 2010/04/01   Feature enhancemen    2385 Version 1.7.2 2010/04/01   Feature enhancement release.
2386                                                  2386 
2387 Fix 2010/04/10                                   2387 Fix 2010/04/10
2388                                                  2388 
2389     @ Fix invalid "struct nameidata" to "stru    2389     @ Fix invalid "struct nameidata" to "struct path" conversion macro.
2390                                                  2390 
2391       Regarding kernels 2.6.24 and earlier, I    2391       Regarding kernels 2.6.24 and earlier, I was converting "struct nameidata"
2392       to "struct path" in caller side so that    2392       to "struct path" in caller side so that I can unify the callee function's
2393       parameter type. But it turned out that     2393       parameter type. But it turned out that the macro I used did not follow C
2394       standards and did not work with gcc 4.x    2394       standards and did not work with gcc 4.x . As a result, "allow_pivot_root"
2395       keyword was not working as expected.       2395       keyword was not working as expected.
2396                                                  2396 
2397 Fix 2010/05/05                                   2397 Fix 2010/05/05
2398                                                  2398 
2399     @ Fix incorrect audit on/off control.        2399     @ Fix incorrect audit on/off control.
2400                                                  2400 
2401       The grant_log= and reject_log= paramete    2401       The grant_log= and reject_log= parameters of CONFIG::misc::env were not
2402       used because I forgot to update request    2402       used because I forgot to update request type. As a result, those of
2403       CONFIG::file::execute were used for CON    2403       CONFIG::file::execute were used for CONFIG::misc::env .
2404                                                  2404 
2405       Those of CONFIG::file::rewrite were not    2405       Those of CONFIG::file::rewrite were not used because I forgot to update
2406       request type. As a result, those of CON    2406       request type. As a result, those of CONFIG::file::truncate were used for
2407       CONFIG::file::rewrite .                    2407       CONFIG::file::rewrite .
2408                                                  2408 
2409 Fix 2010/05/10                                   2409 Fix 2010/05/10
2410                                                  2410 
2411     @ Fix incorrect out of memory warning.       2411     @ Fix incorrect out of memory warning.
2412                                                  2412 
2413       Out of memory warnings were not printed    2413       Out of memory warnings were not printed in some cases by error.
2414                                                  2414 
2415 Fix 2010/05/27                                   2415 Fix 2010/05/27
2416                                                  2416 
2417     @ Add missing rcu_dereference() for ccs_f    2417     @ Add missing rcu_dereference() for ccs_find_execute_handler().
2418                                                  2418 
2419       Since 1.7.0 , ccs_find_execute_handler(    2419       Since 1.7.0 , ccs_find_execute_handler() was by error using
2420       list_for_each_entry() rather than list_    2420       list_for_each_entry() rather than list_for_each_entry_rcu().
2421       This bug affects only Alpha architectur    2421       This bug affects only Alpha architecture.
2422                                                  2422 
2423 Fix 2010/06/03                                   2423 Fix 2010/06/03
2424                                                  2424 
2425     @ Fix missing sanity check for "file_patt    2425     @ Fix missing sanity check for "file_pattern".
2426                                                  2426 
2427       Since 1.7.0 , ccs_write_pattern_policy(    2427       Since 1.7.0 , ccs_write_pattern_policy() was by error accepting
2428       invalid pathname.                          2428       invalid pathname.
2429                                                  2429 
2430 Fix 2010/06/09                                   2430 Fix 2010/06/09
2431                                                  2431 
2432     @ Add missing ccs_put_name() in ccs_parse    2432     @ Add missing ccs_put_name() in ccs_parse_envp().
2433                                                  2433 
2434       Since 1.7.0 , ccs_parse_envp() was not     2434       Since 1.7.0 , ccs_parse_envp() was not calling ccs_put_name() if
2435       environment variable's value ('if exec.    2435       environment variable's value ('if exec.envp["name"]="value"' condition)
2436       was invalid.                               2436       was invalid.
2437                                                  2437 
2438     @ Add missing NULL check in ccs_condition    2438     @ Add missing NULL check in ccs_condition().
2439                                                  2439 
2440       Since 1.7.0 , if 'if symlink.target=' p    2440       Since 1.7.0 , if 'if symlink.target=' part was given against non-file
2441       permissions (e.g. allow_env PATH if sym    2441       permissions (e.g. allow_env PATH if symlink.target="/"), it triggered
2442       NULL pointer dereference.                  2442       NULL pointer dereference.
2443                                                  2443 
2444 Fix 2010/10/28                                   2444 Fix 2010/10/28
2445                                                  2445 
2446     @ Fix umount() pathname calculation.         2446     @ Fix umount() pathname calculation.
2447                                                  2447 
2448       "mount --bind /path/to/file1 /path/to/f    2448       "mount --bind /path/to/file1 /path/to/file2" is legal.
2449       Therefore, "umount /path/to/file2" is a    2449       Therefore, "umount /path/to/file2" is also legal.
2450       Do not automatically append trailing '/    2450       Do not automatically append trailing '/' if pathname to be unmounted
2451       does not end with '/'.                     2451       does not end with '/'.
2452                                                  2452 
2453     @ Add preserve KABI compatibility option.    2453     @ Add preserve KABI compatibility option. (2.6 kernels only)
2454                                                  2454 
2455       TOMOYO needs "struct ccs_domain_info *"    2455       TOMOYO needs "struct ccs_domain_info *" and "u32" for each
2456       "struct task_struct". But embedding the    2456       "struct task_struct". But embedding these variables into
2457       "struct task_struct" breaks KABI for pr    2457       "struct task_struct" breaks KABI for prebuilt kernel modules (which
2458       means that you will need to rebuild pre    2458       means that you will need to rebuild prebuilt kernel modules).
2459                                                  2459 
2460       Since KABI is commonly used (compared t    2460       Since KABI is commonly used (compared to 5 years ago), asking users to
2461       rebuild kernel modules which are not in    2461       rebuild kernel modules which are not included in kernel package is no
2462       longer preferable. Therefore, I added a    2462       longer preferable. Therefore, I added a new option that keeps
2463       "struct task_struct" unmodified in orde    2463       "struct task_struct" unmodified in order to keep KABI.
2464                                                  2464 
2465       Note that you have to use ccs-patch-2.6    2465       Note that you have to use ccs-patch-2.6.\*.diff which patches
2466       kernel/fork.c in order to use this opti    2466       kernel/fork.c in order to use this option. Otherwise, TOMOYO will leak
2467       memory whenever "struct task_struct" is    2467       memory whenever "struct task_struct" is released.
2468                                                  2468 
2469     @ Change directives.                         2469     @ Change directives.
2470                                                  2470 
2471       I removed "allow_" prefix from directiv    2471       I removed "allow_" prefix from directives. New directives for files are
2472       prefixed with "file ". For example, "al    2472       prefixed with "file ". For example, "allow_read" changed to "file read",
2473       "allow_ioctl" changed to "file ioctl".     2473       "allow_ioctl" changed to "file ioctl". New directive for "allow_network
2474       TCP" is "network inet stream", "allow_n    2474       TCP" is "network inet stream", "allow_network UDP" is "network inet
2475       dgram", "allow_network RAW" is "network    2475       dgram", "allow_network RAW" is "network inet raw". New directive for
2476       "allow_env" is "misc env". New directiv    2476       "allow_env" is "misc env". New directive for "allow_signal" is "ipc
2477       signal". New directive for "allow_capab    2477       signal". New directive for "allow_capability" is "capability". These new
2478       directives correspond with keywords use    2478       directives correspond with keywords used by profile's CONFIG lines.
2479                                                  2479 
2480       I removed "deny_rewrite" and "allow_rew    2480       I removed "deny_rewrite" and "allow_rewrite" directives and introduced
2481       "file append" directive. Thus, permissi    2481       "file append" directive. Thus, permission for open(O_WRONLY | O_APPEND)
2482       changed from "allow_write" + "allow_rew    2482       changed from "allow_write" + "allow_rewrite" to "file append".
2483                                                  2483 
2484       I removed "SYS_MOUNT", "SYS_UMOUNT", "S    2484       I removed "SYS_MOUNT", "SYS_UMOUNT", "SYS_CHROOT", "SYS_KILL",
2485       "SYS_LINK", "SYS_SYMLINK", "SYS_RENAME"    2485       "SYS_LINK", "SYS_SYMLINK", "SYS_RENAME", "SYS_UNLINK", "SYS_CHMOD",
2486       "SYS_CHOWN", "SYS_IOCTL", "SYS_PIVOT_RO    2486       "SYS_CHOWN", "SYS_IOCTL", "SYS_PIVOT_ROOT" keywords from capabilities
2487       because these permissions can be checke    2487       because these permissions can be checked by other directives (e.g.
2488       "file mount", "ipc signal").               2488       "file mount", "ipc signal").
2489                                                  2489 
2490       I also removed "conceal_mount" keyword     2490       I also removed "conceal_mount" keyword from capabilities because this
2491       check requires hooks in filesystem part    2491       check requires hooks in filesystem part while almost all hooks for
2492       filesystem part have moved to LSM by Li    2492       filesystem part have moved to LSM by Linux 2.6.34.
2493                                                  2493 
2494       New directive for "execute_handler" is     2494       New directive for "execute_handler" is "task auto_execute_handler",
2495       "denied_execute_handler" is "task denie    2495       "denied_execute_handler" is "task denied_execute_handler".
2496                                                  2496 
2497     @ Distinguish send() and recv() operation    2497     @ Distinguish send() and recv() operations.
2498                                                  2498 
2499       Until now, it was impossible for UDP an    2499       Until now, it was impossible for UDP and IP sockets to allow either
2500       only sending or only receiving because     2500       only sending or only receiving because permissions were aggregated with
2501       "connect" keyword. I broke "connect" ke    2501       "connect" keyword. I broke "connect" keyword into "send" and "recv"
2502       keywords so that you can keep access co    2502       keywords so that you can keep access control for send() operation enabled
2503       when you have to disable access control    2503       when you have to disable access control for recv() operation due to
2504       application breakage by discarding inco    2504       application breakage by discarding incoming datagram.
2505                                                  2505 
2506     @ Add Unix domain socket restriction supp    2506     @ Add Unix domain socket restriction support.
2507                                                  2507 
2508       Until now, it was possible to restrict     2508       Until now, it was possible to restrict only inet domain sockets (i.e.
2509       TCP/UDP/RAW). I added restriction for U    2509       TCP/UDP/RAW). I added restriction for Unix domain sockets (i.e. stream/
2510       dgram/seqpacket). New directive "networ    2510       dgram/seqpacket). New directive "network unix" is added as well as
2511       "network inet" directive.                  2511       "network inet" directive.
2512                                                  2512 
2513     @ Allow specifying multiple permissions i    2513     @ Allow specifying multiple permissions in a line.
2514                                                  2514 
2515       Until now, only "allow_read/write" can     2515       Until now, only "allow_read/write" can be specified for combination of
2516       "allow_read" + "allow_write". Now, you     2516       "allow_read" + "allow_write". Now, you can combine other permissions as
2517       long as type of parameters for these pe    2517       long as type of parameters for these permissions is same. For example,
2518       "file read/write/append/execute/unlink/    2518       "file read/write/append/execute/unlink/truncate /tmp/file" is correct
2519       but "file read/write/create /tmp/file"     2519       but "file read/write/create /tmp/file" is wrong because "file create"
2520       requires create mode whereas "file read    2520       requires create mode whereas "file read" and "file write" do not.
2521                                                  2521 
2522     @ Allow wildcard for execute permission a    2522     @ Allow wildcard for execute permission and domainname.
2523                                                  2523 
2524       Until now, to execute programs with tem    2524       Until now, to execute programs with temporary names, "aggregator" is
2525       needed. To simplify code, I modified to    2525       needed. To simplify code, I modified to accept wildcards for execute
2526       permission and domainname. Now, you can    2526       permission and domainname. Now, you can directly specify
2527       "file execute /tmp/logrotate.\?\?\?\?\?    2527       "file execute /tmp/logrotate.\?\?\?\?\?\?" and use
2528       "/tmp/logrotate.\?\?\?\?\?\?" within do    2528       "/tmp/logrotate.\?\?\?\?\?\?" within domainnames.
2529                                                  2529 
2530     @ Change pathname for non-rename()able fi    2530     @ Change pathname for non-rename()able filesystems.
2531                                                  2531 
2532       LSM version of TOMOYO wants to use /pro    2532       LSM version of TOMOYO wants to use /proc/self/ rather than /proc/$PID/ if
2533       $PID matches current thread's process I    2533       $PID matches current thread's process ID in order to prevent current
2534       thread from accessing other process's i    2534       thread from accessing other process's information unless needed.
2535       But since procfs can be mounted on vari    2535       But since procfs can be mounted on various locations (e.g. /proc/ /proc2/
2536       /p/ /tmp/foo/100/p/ ), LSM version of T    2536       /p/ /tmp/foo/100/p/ ), LSM version of TOMOYO cannot tell that whether the
2537       numeric part in the string returned by     2537       numeric part in the string returned by __d_path() represents process ID
2538       or not.                                    2538       or not.
2539                                                  2539 
2540       Therefore, to be able to convert from $    2540       Therefore, to be able to convert from $PID to self no matter where procfs
2541       is mounted, I changed pathname represen    2541       is mounted, I changed pathname representations for filesystems which do
2542       not support rename() operation (e.g. pr    2542       not support rename() operation (e.g. proc, sysfs, securityfs).
2543                                                  2543 
2544       Now, "/proc/self/mounts" changed to "pr    2544       Now, "/proc/self/mounts" changed to "proc:/self/mounts" and
2545       "/sys/kernel/security/" changed to "sys    2545       "/sys/kernel/security/" changed to "sys:/kernel/security/" and
2546       "/dev/pts/0" changed to "devpts:/0".       2546       "/dev/pts/0" changed to "devpts:/0".
2547                                                  2547 
2548     @ Add a new keyword "any" for domain tran    2548     @ Add a new keyword "any" for domain transition control.
2549                                                  2549 
2550       To be able to make it easier to apply a    2550       To be able to make it easier to apply auto_execute_handler on each
2551       domain, I added "any" keyword to domain    2551       domain, I added "any" keyword to domain transition control keywords. Now,
2552       "initialize_domain /usr/sbin/sshd" chan    2552       "initialize_domain /usr/sbin/sshd" changed to
2553       "initialize_domain /usr/sbin/sshd from     2553       "initialize_domain /usr/sbin/sshd from any" and
2554       "keep_domain <kernel> /usr/sbin/sshd /b    2554       "keep_domain <kernel> /usr/sbin/sshd /bin/bash" changed to
2555       "keep_domain any from <kernel> /usr/sbi    2555       "keep_domain any from <kernel> /usr/sbin/sshd /bin/bash".
2556                                                  2556 
2557       "keep_domain /path/to/auto_execute_hand    2557       "keep_domain /path/to/auto_execute_handler from any" will allow you to
2558       apply auto_execute_handler for any doma    2558       apply auto_execute_handler for any domains without creating domains for
2559       auto_execute_handler.                      2559       auto_execute_handler.
2560                                                  2560 
2561     @ Change buffering mode for reading polic    2561     @ Change buffering mode for reading policy.
2562                                                  2562 
2563       To be able to read() very very long lin    2563       To be able to read() very very long lines correctly, I changed the way
2564       TOMOYO buffers policy for reading.         2564       TOMOYO buffers policy for reading.
2565                                                  2565 
2566     @ Introduce "acl_group" keyword.             2566     @ Introduce "acl_group" keyword.
2567                                                  2567 
2568       Until now, it was possible to specify o    2568       Until now, it was possible to specify only "allow_read" and "allow_env"
2569       keywords in the exception policy.          2569       keywords in the exception policy.
2570                                                  2570 
2571       Since some operations like "file read/w    2571       Since some operations like "file read/write/append /dev/null" and
2572       "network UDP send/recv @DNS_SERVER 53"     2572       "network UDP send/recv @DNS_SERVER 53" are very common and should be
2573       permitted to all domains, I introduced     2573       permitted to all domains, I introduced "acl_group" keyword for giving
2574       such permissions.                          2574       such permissions.
2575                                                  2575 
2576       For example, specify "acl_group 0 file     2576       For example, specify "acl_group 0 file read/write/append /dev/null" in
2577       the exception policy and specify "use_g    2577       the exception policy and specify "use_group 0" from the domains in the
2578       domain policy.                             2578       domain policy.
2579                                                  2579 
2580       "ignore_global_allow_read" and "ignore_    2580       "ignore_global_allow_read" and "ignore_global_allow_env" directives were
2581       removed from domain policy and "use_gro    2581       removed from domain policy and "use_group" keyword was added.
2582                                                  2582 
2583     @ Remove "if" and "; set" keyword.           2583     @ Remove "if" and "; set" keyword.
2584                                                  2584 
2585       I removed need for specifying these key    2585       I removed need for specifying these keyword.
2586       You can simply specify like below.         2586       You can simply specify like below.
2587                                                  2587 
2588         file read /etc/shadow task.uid=0         2588         file read /etc/shadow task.uid=0
2589                                                  2589 
2590     @ Remove "file_pattern" keyword.             2590     @ Remove "file_pattern" keyword.
2591                                                  2591 
2592       I removed "file_pattern" keyword becaus    2592       I removed "file_pattern" keyword because it is impossible to predefine
2593       all possible pathname patterns. Also, l    2593       all possible pathname patterns. Also, learning pathnames using incomplete
2594       patterns makes it difficult to later re    2594       patterns makes it difficult to later replace using "path_group" keyword.
2595                                                  2595 
2596     @ Replace verbose= parameter with statist    2596     @ Replace verbose= parameter with statistic interface.
2597                                                  2597 
2598       Since it is noisy if a lot of policy vi    2598       Since it is noisy if a lot of policy violation messages are printed,
2599       I removed printk(). To be able to check    2599       I removed printk(). To be able to check whether policy violation occurred
2600       or not, I introduced /proc/ccs/stat int    2600       or not, I introduced /proc/ccs/stat interface which counts number of
2601       policy violations occurred. You can fir    2601       policy violations occurred. You can firstly check /proc/ccs/stat and then
2602       check /proc/ccs/reject_log .               2602       check /proc/ccs/reject_log .
2603                                                  2603 
2604     @ Remove global preference.                  2604     @ Remove global preference.
2605                                                  2605 
2606       I removed global preference in order to    2606       I removed global preference in order to make code simpler.
2607                                                  2607 
2608     @ Allow controlling generation of access     2608     @ Allow controlling generation of access granted logs for per an entry
2609       basis.                                     2609       basis.
2610                                                  2610 
2611       I added per-entry flag which controls g    2611       I added per-entry flag which controls generation of grant logs because
2612       Xen and KVM issues ioctl requests so fr    2612       Xen and KVM issues ioctl requests so frequently. For example,
2613                                                  2613 
2614         file ioctl /dev/null 0x5401 grant_log    2614         file ioctl /dev/null 0x5401 grant_log=no
2615                                                  2615 
2616       will suppress /proc/ccs/grant_log even     2616       will suppress /proc/ccs/grant_log even if preference says grant_log=yes .
2617                                                  2617 
2618         file ioctl /dev/null 0x5401 grant_log    2618         file ioctl /dev/null 0x5401 grant_log=yes
2619                                                  2619 
2620       will generate /proc/ccs/grant_log even     2620       will generate /proc/ccs/grant_log even if preference says grant_log=no .
2621                                                  2621 
2622         file ioctl /dev/null 0x5401              2622         file ioctl /dev/null 0x5401
2623                                                  2623 
2624       will generate /proc/ccs/grant_log only     2624       will generate /proc/ccs/grant_log only if preference says grant_log=yes .
2625                                                  2625 
2626       This flag is intended for frequently ac    2626       This flag is intended for frequently accessed resources like
2627                                                  2627 
2628         file read /var/www/html/\{\*\}/\*.htm    2628         file read /var/www/html/\{\*\}/\*.html grant_log=no
2629                                                  2629 
2630       .                                          2630       .
2631                                                  2631 
2632     @ Automatically create domain by execve()    2632     @ Automatically create domain by execve() even if enforcing mode.
2633                                                  2633 
2634       Until now, new domains are not created     2634       Until now, new domains are not created if the domain was not defined and
2635       current domain is enforcing mode ("CONF    2635       current domain is enforcing mode ("CONFIG::file::execute=enforcing").
2636                                                  2636 
2637       To be able to restrict shell session wi    2637       To be able to restrict shell session without using "keep_domain",
2638       I changed to create new domains automat    2638       I changed to create new domains automatically even if current domain is
2639       enforcing mode.                            2639       enforcing mode.
2640                                                  2640 
2641     @ Replace "task.state" with "auto_domain_    2641     @ Replace "task.state" with "auto_domain_transition".
2642                                                  2642 
2643       task.state is difficult to use. Thus, I    2643       task.state is difficult to use. Thus, I replaced task.state with
2644       auto_domain_transition which performs d    2644       auto_domain_transition which performs domain transition instead of
2645       changing current process's state variab    2645       changing current process's state variables.
2646                                                  2646 
2647       If domain transition failed, current pr    2647       If domain transition failed, current process will be killed by SIGKILL
2648       signal. This should not happen in norma    2648       signal. This should not happen in normal circumstances, for you know the
2649       domain to transit to and thereby you wi    2649       domain to transit to and thereby you will define the domain beforehand
2650       when you use "auto_domain_transition" k    2650       when you use "auto_domain_transition" keyword.
2651                                                  2651 
2652     @ Replace "allow_transit" with "task manu    2652     @ Replace "allow_transit" with "task manual_domain_transition".
2653                                                  2653 
2654       I changed this directive to specify abs    2654       I changed this directive to specify absolute domainname (e.g.
2655       "<kernel> /usr/sbin/httpd //app=cgi1\04    2655       "<kernel> /usr/sbin/httpd //app=cgi1\040id=10000") rather than virtual
2656       pathname (e.g. "//app=cgi1\040id=10000"    2656       pathname (e.g. "//app=cgi1\040id=10000") because you know the domain to
2657       transit to and thereby you will define     2657       transit to and thereby you will define the domain beforehand when you use
2658       "task manual_domain_transition" directi    2658       "task manual_domain_transition" directive.
2659                                                  2659 
2660       This change allows you to jump to arbit    2660       This change allows you to jump to arbitrary domain.
2661                                                  2661 
2662       Note that this change also reverts "Cha    2662       Note that this change also reverts "Change /proc/ccs/info/self_domain ."
2663       made on 2006/10/24. Now, 'cat < /proc/c    2663       made on 2006/10/24. Now, 'cat < /proc/ccs/info/self_domain' will act like
2664       'cat /proc/ccs/info/self_domain'. Progr    2664       'cat /proc/ccs/info/self_domain'. Programs depending on old assumption
2665       need to be updated.                        2665       need to be updated.
2666                                                  2666 
2667     @ Add "task auto_domain_transition".         2667     @ Add "task auto_domain_transition".
2668                                                  2668 
2669       This is similar to "task manual_domain_    2669       This is similar to "task manual_domain_transition", but is automatically
2670       applied whenever conditions are met. Fo    2670       applied whenever conditions are met. For example,
2671                                                  2671 
2672         task auto_domain_transition <kernel>     2672         task auto_domain_transition <kernel> //./non-root task.uid!=0
2673                                                  2673 
2674       will automatically jump to "<kernel> //    2674       will automatically jump to "<kernel> //./non-root" domain if current
2675       process's UID is not 0 whereas             2675       process's UID is not 0 whereas
2676                                                  2676 
2677         task manual_domain_transition <kernel    2677         task manual_domain_transition <kernel> //./non-root task.uid!=0
2678                                                  2678 
2679       will jump to "<kernel> //./non-root" do    2679       will jump to "<kernel> //./non-root" domain if current process's UID is
2680       not 0 and current process wrote "<kerne    2680       not 0 and current process wrote "<kernel> //./non-root" to
2681       /proc/ccs/self_domain interface.           2681       /proc/ccs/self_domain interface.
2682                                                  2682 
2683       If domain transition failed, current pr    2683       If domain transition failed, current process will be killed by SIGKILL
2684       signal.                                    2684       signal.
2685                                                  2685 
2686     @ Optimize for object's size.                2686     @ Optimize for object's size.
2687                                                  2687 
2688       I merged similar code in order to reduc    2688       I merged similar code in order to reduce object's filesize.
2689                                                  2689 
2690 Version 1.8.0 2010/11/11   Fifth anniversary     2690 Version 1.8.0 2010/11/11   Fifth anniversary release.
2691                                                  2691 
2692 Fix 2010/12/01                                   2692 Fix 2010/12/01
2693                                                  2693 
2694     @ Use same interface for audit logs.         2694     @ Use same interface for audit logs.
2695                                                  2695 
2696       To be able to perform fine grained filt    2696       To be able to perform fine grained filtering by /usr/sbin/ccs-auditd ,
2697       I merged /proc/ccs/grant_log and /proc/    2697       I merged /proc/ccs/grant_log and /proc/ccs/reject_log as
2698       /proc/ccs/audit and added granted=yes o    2698       /proc/ccs/audit and added granted=yes or granted=no to audit logs.
2699                                                  2699 
2700 Fix 2010/12/17                                   2700 Fix 2010/12/17
2701                                                  2701 
2702     @ Split ccs_null_security into ccs_defaul    2702     @ Split ccs_null_security into ccs_default_security and ccs_oom_security.
2703                                                  2703 
2704       ccs_null_security is used by preserve K    2704       ccs_null_security is used by preserve KABI compatibility option and is
2705       used for providing default values again    2705       used for providing default values against threads which have not yet
2706       allocated memory for their security con    2706       allocated memory for their security contexts.
2707                                                  2707 
2708       If current thread failed to allocate me    2708       If current thread failed to allocate memory for current thread's security
2709       context, current thread uses ccs_null_s    2709       context, current thread uses ccs_null_security. Since current thread is
2710       allowed to modify current thread's secu    2710       allowed to modify current thread's security context, current thread might
2711       modify ccs_null_security which should n    2711       modify ccs_null_security which should not be modified for any reason.
2712                                                  2712 
2713       Therefore, I split ccs_null_security in    2713       Therefore, I split ccs_null_security into ccs_default_security and
2714       ccs_oom_security and use ccs_oom_securi    2714       ccs_oom_security and use ccs_oom_security when current thread failed to
2715       allocate memory for current thread's se    2715       allocate memory for current thread's security context.
2716                                                  2716 
2717       Threads which do not share ccs_oom_secu    2717       Threads which do not share ccs_oom_security are not affected by threads
2718       which share ccs_oom_security. Threads w    2718       which share ccs_oom_security. Threads which share ccs_oom_security will
2719       experience temporary inconsistency, but    2719       experience temporary inconsistency, but such threads are about to be
2720       killed by SIGKILL signal.                  2720       killed by SIGKILL signal.
2721                                                  2721 
2722 Fix 2011/01/11                                   2722 Fix 2011/01/11
2723                                                  2723 
2724     @ Use filesystem name for unnamed devices    2724     @ Use filesystem name for unnamed devices when vfsmount is missing.
2725                                                  2725 
2726       "Change pathname for non-rename()able f    2726       "Change pathname for non-rename()able filesystems." changed to use
2727       "$fsname:" if the filesystem does not s    2727       "$fsname:" if the filesystem does not support rename() operation and
2728       "dev($major,$minor):" otherwise when vf    2728       "dev($major,$minor):" otherwise when vfsmount is missing. But it turned
2729       out that it is useless to use "dev($maj    2729       out that it is useless to use "dev($major,$minor):" for unnamed devices
2730       (filesystems with $major == 0). Thus, I    2730       (filesystems with $major == 0). Thus, I changed to use "$fsname:" rather
2731       than "dev($major,$minor):" for filesyst    2731       than "dev($major,$minor):" for filesystems with $major == 0 when vfsmount
2732       is missing.                                2732       is missing.
2733                                                  2733 
2734 Fix 2011/02/07                                   2734 Fix 2011/02/07
2735                                                  2735 
2736     @ Fix infinite loop bug when reading /pro    2736     @ Fix infinite loop bug when reading /proc/ccs/audit or /proc/ccs/query .
2737                                                  2737 
2738       In ccs_flush(), head->r.w[0] holds poin    2738       In ccs_flush(), head->r.w[0] holds pointer to string data to be printed.
2739       But head->r.w[0] was updated only when     2739       But head->r.w[0] was updated only when the string data was partially
2740       printed (because head->r.w[0] will be u    2740       printed (because head->r.w[0] will be updated by head->r.w[1] later if
2741       completely printed). However, regarding    2741       completely printed). However, regarding /proc/ccs/audit and
2742       /proc/ccs/query , an additional '\0' is    2742       /proc/ccs/query , an additional '\0' is printed after the string data was
2743       completely printed. But if free space f    2743       completely printed. But if free space for read buffer became 0 before
2744       printing the additional '\0', ccs_flush    2744       printing the additional '\0', ccs_flush() was returning without updating
2745       head->r.w[0]. As a result, ccs_flush()     2745       head->r.w[0]. As a result, ccs_flush() forever reprints already printed
2746       string data.                               2746       string data.
2747                                                  2747 
2748 Fix 2011/03/01                                   2748 Fix 2011/03/01
2749                                                  2749 
2750     @ Run garbage collector without waiting f    2750     @ Run garbage collector without waiting for /proc/ccs/ users.
2751                                                  2751 
2752       Currently TOMOYO holds SRCU lock upon o    2752       Currently TOMOYO holds SRCU lock upon open() and releases it upon close()
2753       because list elements stored in the "st    2753       because list elements stored in the "struct ccs_io_buffer" instances are
2754       accessed until close() is called. Howev    2754       accessed until close() is called. However, such SRCU usage causes lockdep
2755       to complain about leaving the kernel wi    2755       to complain about leaving the kernel with SRCU lock held. Therefore,
2756       I changed to hold/release SRCU upon eac    2756       I changed to hold/release SRCU upon each read()/write() by selectively
2757       deferring kfree() by keeping track of t    2757       deferring kfree() by keeping track of the "struct ccs_io_buffer"
2758       instances.                                 2758       instances.
2759                                                  2759 
2760 Fix 2011/03/05                                   2760 Fix 2011/03/05
2761                                                  2761 
2762     @ Support built-in policy configuration.     2762     @ Support built-in policy configuration.
2763                                                  2763 
2764       To be able to start using enforcing mod    2764       To be able to start using enforcing mode from the early stage of boot
2765       sequence, I added support for built-in     2765       sequence, I added support for built-in policy configuration and
2766       activating access control without calli    2766       activating access control without calling external policy loader program.
2767                                                  2767 
2768       This will be useful for systems where o    2768       This will be useful for systems where operations which can lead to the
2769       hijacking of the boot sequence are need    2769       hijacking of the boot sequence are needed before loading the policy.
2770       For example, you can activate immediate    2770       For example, you can activate immediately after loading the fixed part of
2771       policy which will allow only operations    2771       policy which will allow only operations needed for mounting a partition
2772       which contains the variant part of poli    2772       which contains the variant part of policy and verifying (e.g. running GPG
2773       check) and loading the variant part of     2773       check) and loading the variant part of policy. Since you can start using
2774       enforcing mode from the beginning, you     2774       enforcing mode from the beginning, you can reduce the possibility of
2775       hijacking the boot sequence.               2775       hijacking the boot sequence.
2776                                                  2776 
2777 Fix 2011/03/10                                   2777 Fix 2011/03/10
2778                                                  2778 
2779     @ Remove /proc/ccs/meminfo interface.        2779     @ Remove /proc/ccs/meminfo interface.
2780                                                  2780 
2781       Please use /proc/ccs/stat interface ins    2781       Please use /proc/ccs/stat interface instead.
2782                                                  2782 
2783 Fix 2011/03/15                                   2783 Fix 2011/03/15
2784                                                  2784 
2785     @ Pack policy when printing via /proc/ccs    2785     @ Pack policy when printing via /proc/ccs/ interface.
2786                                                  2786 
2787       The kernel side is ready for accepting     2787       The kernel side is ready for accepting packed input like
2788                                                  2788 
2789         file read/write/execute /path/to/file    2789         file read/write/execute /path/to/file
2790                                                  2790 
2791       but was using unpacked output like         2791       but was using unpacked output like
2792                                                  2792 
2793         file read /path/to/file                  2793         file read /path/to/file
2794         file write /path/to/file                 2794         file write /path/to/file
2795         file execute /path/to/file               2795         file execute /path/to/file
2796                                                  2796 
2797       because most of userland tools were not    2797       because most of userland tools were not ready for accepting packed input.
2798                                                  2798 
2799       The advantages of using packed policy a    2799       The advantages of using packed policy are that it makes policy files
2800       smaller and it speeds up loading/saving    2800       smaller and it speeds up loading/saving policy files.
2801                                                  2801 
2802       Since most of userland tools are ready     2802       Since most of userland tools are ready for accepting packed input by now,
2803       I changed to use packed policy for both    2803       I changed to use packed policy for both input and output.
2804                                                  2804 
2805 Fix 2011/03/31                                   2805 Fix 2011/03/31
2806                                                  2806 
2807     @ Fix conditional policy parsing.            2807     @ Fix conditional policy parsing.
2808                                                  2808 
2809       Since exec.realpath= and symlink.target    2809       Since exec.realpath= and symlink.target= accept path_group,
2810       symlink.target="@foo" was by error pars    2810       symlink.target="@foo" was by error parsed as symlink.target=@foo .
2811                                                  2811 
2812     @ Serialize updating profile's comment li    2812     @ Serialize updating profile's comment line.
2813                                                  2813 
2814       We need to serialize when updating COMM    2814       We need to serialize when updating COMMENT= line in /proc/ccs/profile .
2815                                                  2815 
2816 Version 1.8.1   2011/04/01   Usability enhanc    2816 Version 1.8.1   2011/04/01   Usability enhancement with "Zettai, Daijoubudayo" release!
2817                                                  2817 
2818 Fix 2011/04/03                                   2818 Fix 2011/04/03
2819                                                  2819 
2820     @ Fix fcntl(F_SETFL, O_APPEND) handling.     2820     @ Fix fcntl(F_SETFL, O_APPEND) handling.
2821                                                  2821 
2822       Since 1.8.0, TOMOYO was by error checki    2822       Since 1.8.0, TOMOYO was by error checking "file write" permission rather
2823       than "file append" permission when chan    2823       than "file append" permission when changing file's writing mode from
2824       "overwriting" to "append".                 2824       "overwriting" to "append".
2825                                                  2825 
2826       This error should impact little (except    2826       This error should impact little (except CentOS 6.0 kernels) because once
2827       a file was opened for "overwriting" mod    2827       a file was opened for "overwriting" mode, changing that file to "append"
2828       mode cannot undo overwriting the file.     2828       mode cannot undo overwriting the file. Regarding CentOS 6.0 kernels,
2829       due to different ACC_MODE definition, T    2829       due to different ACC_MODE definition, TOMOYO was by error needlessly
2830       checking "file read" permission when fc    2830       checking "file read" permission when fcntl() was requested.
2831                                                  2831 
2832 Fix 2011/04/20                                   2832 Fix 2011/04/20
2833                                                  2833 
2834     @ Remove unused "struct inode *" paramete    2834     @ Remove unused "struct inode *" parameter from hooks.
2835                                                  2835 
2836       Since pre-vfs functions were removed on    2836       Since pre-vfs functions were removed on 2010/09/18, "struct inode *"
2837       parameter which was used for checking p    2837       parameter which was used for checking parent directory's DAC permission
2838       is no longer used.                         2838       is no longer used.
2839                                                  2839 
2840       Note that "struct ccsecurity_operations    2840       Note that "struct ccsecurity_operations ccsecurity_ops" has changed.
2841       Loadable kernel modules that depends on    2841       Loadable kernel modules that depends on it need to be rebuilt.
2842                                                  2842 
2843 Fix 2011/05/05                                   2843 Fix 2011/05/05
2844                                                  2844 
2845     @ Fix wrong profile number in audit logs     2845     @ Fix wrong profile number in audit logs for "misc env" permission.
2846                                                  2846 
2847       Profile number used for "file execute"     2847       Profile number used for "file execute" permission was by error reused
2848       when generating audit logs for "misc en    2848       when generating audit logs for "misc env" permission.
2849                                                  2849 
2850 Fix 2011/05/11                                   2850 Fix 2011/05/11
2851                                                  2851 
2852     @ Fix wrong domainname validation.           2852     @ Fix wrong domainname validation.
2853                                                  2853 
2854       "<kernel>" + "/foo/\" + "/bar" was by e    2854       "<kernel>" + "/foo/\" + "/bar" was by error checked when
2855       "<kernel> /foo/\* /bar" was given. As a    2855       "<kernel> /foo/\* /bar" was given. As a result, legal domainnames like
2856       "<kernel> /foo/\* /bar" are rejected.      2856       "<kernel> /foo/\* /bar" are rejected.
2857                                                  2857 
2858 Fix 2011/06/06                                   2858 Fix 2011/06/06
2859                                                  2859 
2860     @ Add policy namespace support.              2860     @ Add policy namespace support.
2861                                                  2861 
2862       To be able to use TOMOYO in LXC environ    2862       To be able to use TOMOYO in LXC environments, I introduced policy
2863       namespace. Each policy namespace has it    2863       namespace. Each policy namespace has its own set of domain policy,
2864       exception policy and profiles, which ar    2864       exception policy and profiles, which are all independent of other
2865       namespaces.                                2865       namespaces.
2866                                                  2866 
2867     @ Remove CONFIG_CCSECURITY_BUILTIN_INITIA    2867     @ Remove CONFIG_CCSECURITY_BUILTIN_INITIALIZERS option.
2868                                                  2868 
2869       From now on, exception policy and manag    2869       From now on, exception policy and manager need to be able to handle
2870       policy namespace (which is a <$namespac    2870       policy namespace (which is a <$namespace> prefix added to each line).
2871       Thus, space-separated list for CONFIG_C    2871       Thus, space-separated list for CONFIG_CCSECURITY_BUILTIN_INITIALIZERS is
2872       no longer suitable for handling policy     2872       no longer suitable for handling policy namespace.
2873                                                  2873 
2874 Fix 2011/06/10                                   2874 Fix 2011/06/10
2875                                                  2875 
2876     @ Allow specifying trigger for activation    2876     @ Allow specifying trigger for activation.
2877                                                  2877 
2878       To be able to use TOMOYO under systemd     2878       To be able to use TOMOYO under systemd environments where init= parameter
2879       is used, I changed to allow overriding     2879       is used, I changed to allow overriding the trigger for calling external
2880       policy loader and activating MAC via ke    2880       policy loader and activating MAC via kernel command line options.
2881                                                  2881 
2882 Fix 2011/06/14                                   2882 Fix 2011/06/14
2883                                                  2883 
2884     @ Remove unused "struct inode *" paramete    2884     @ Remove unused "struct inode *" parameter from ccs-patch-\*.diff .
2885                                                  2885 
2886       To follow changes I made on 2011/04/20,    2886       To follow changes I made on 2011/04/20, I removed "struct inode *" from
2887       ccs_mknod_permission(), ccs_mkdir_permi    2887       ccs_mknod_permission(), ccs_mkdir_permission(), ccs_rmdir_permission(),
2888       ccs_unlink_permission(), ccs_symlink_pe    2888       ccs_unlink_permission(), ccs_symlink_permission(), ccs_link_permission(),
2889       ccs_rename_permission() that are called    2889       ccs_rename_permission() that are called from fs/namei.c
2890       net/unix/af_unix.c include/linux/securi    2890       net/unix/af_unix.c include/linux/security.c security/security.c .
2891       If you have your own ccs-patch-*.diff ,    2891       If you have your own ccs-patch-*.diff , please update accordingly.
2892                                                  2892 
2893 Version 1.8.2   2011/06/20   Usability enhanc    2893 Version 1.8.2   2011/06/20   Usability enhancement release.
2894                                                  2894 
2895 Fix 2011/07/07                                   2895 Fix 2011/07/07
2896                                                  2896 
2897     @ Remove /proc/ccs/.domain_status interfa    2897     @ Remove /proc/ccs/.domain_status interface.
2898                                                  2898 
2899       Writing to /proc/ccs/.domain_status can    2899       Writing to /proc/ccs/.domain_status can be emulated by
2900                                                  2900 
2901         ( echo "select " $domainname; echo "u    2901         ( echo "select " $domainname; echo "use_profile " $profile ) |
2902         /usr/sbin/ccs-loadpolicy -d              2902         /usr/sbin/ccs-loadpolicy -d
2903                                                  2903 
2904       and reading from /proc/ccs/.domain_stat    2904       and reading from /proc/ccs/.domain_status can be emulated by
2905                                                  2905 
2906         grep -A 1 '^<' /proc/ccs/domain_polic    2906         grep -A 1 '^<' /proc/ccs/domain_policy |
2907         awk ' { if ( domainname == "" ) { if     2907         awk ' { if ( domainname == "" ) { if ( substr($1, 1, 1) == "<" )
2908         domainname = $0; } else if ( $1 == "u    2908         domainname = $0; } else if ( $1 == "use_profile" ) {
2909         print $2 " " domainname; domainname =    2909         print $2 " " domainname; domainname = ""; } } ; '
2910                                                  2910 
2911       . Since this interface is used by only     2911       . Since this interface is used by only /usr/sbin/ccs-setprofile ,
2912       remove this interface by updating /usr/    2912       remove this interface by updating /usr/sbin/ccs-setprofile .
2913                                                  2913 
2914 Fix 2011/07/09                                   2914 Fix 2011/07/09
2915                                                  2915 
2916     @ Fix /proc/ccs/stat parser.                 2916     @ Fix /proc/ccs/stat parser.
2917                                                  2917 
2918       For optimization, I changed to use simp    2918       For optimization, I changed to use simple_strtoul() rather than sscanf()
2919       in ccs_write_stat(). But it caused pars    2919       in ccs_write_stat(). But it caused parsing failure if space is inserted
2920       before value (e.g. "Memory used by poli    2920       before value (e.g. "Memory used by policy: $value").
2921                                                  2921 
2922 Fix 2011/07/13                                   2922 Fix 2011/07/13
2923                                                  2923 
2924     @ Accept "::" notation for IPv6 address.     2924     @ Accept "::" notation for IPv6 address.
2925                                                  2925 
2926       In order to add network access restrict    2926       In order to add network access restriction to TOMOYO 2.4, I backported
2927       routines for parsing/printing IPv4/IPv6    2927       routines for parsing/printing IPv4/IPv6 address from kernel 3.0 into
2928       TOMOYO 1.8.2.                              2928       TOMOYO 1.8.2.
2929       Now, IPv6 address accepts "::1" instead    2929       Now, IPv6 address accepts "::1" instead of "0:0:0:0:0:0:0:1".
2930                                                  2930 
2931 Fix 2011/09/03                                   2931 Fix 2011/09/03
2932                                                  2932 
2933     @ Avoid race when retrying "file execute"    2933     @ Avoid race when retrying "file execute" permission check.
2934                                                  2934 
2935       There was a race window that the pathna    2935       There was a race window that the pathname which is subjected to
2936       "file execute" permission check when re    2936       "file execute" permission check when retrying via supervisor's decision
2937       because the pathname was recalculated u    2937       because the pathname was recalculated upon retry. Though, there is an
2938       inevitable race window even without sup    2938       inevitable race window even without supervisor, for we have to calculate
2939       the symbolic link's pathname from "stru    2939       the symbolic link's pathname from "struct linux_binprm"->filename rather
2940       than from "struct linux_binprm"->file b    2940       than from "struct linux_binprm"->file because we cannot back calculate
2941       the symbolic link's pathname from the d    2941       the symbolic link's pathname from the dereferenced pathname.
2942                                                  2942 
2943     @ Remove unneeded daemonize().               2943     @ Remove unneeded daemonize().
2944                                                  2944 
2945       Garbage collector thread is created usi    2945       Garbage collector thread is created using kthread_create() since 2.6.7.
2946       Kernel threads created by kthread_creat    2946       Kernel threads created by kthread_create() does not need to call
2947       daemonize().                               2947       daemonize().
2948                                                  2948 
2949 Fix 2011/09/16                                   2949 Fix 2011/09/16
2950                                                  2950 
2951     @ Allow specifying domain transition pref    2951     @ Allow specifying domain transition preference.
2952                                                  2952 
2953       I got an opinion that it is difficult t    2953       I got an opinion that it is difficult to use exception policy's domain
2954       transition control directives because t    2954       transition control directives because they need to match the pathname
2955       specified to "file execute" directives.    2955       specified to "file execute" directives. For example, if "file execute
2956       /bin/\*\-ls\-cat" is given, correspondi    2956       /bin/\*\-ls\-cat" is given, corresponding domain transition control
2957       directive needs to be like "no_keep_dom    2957       directive needs to be like "no_keep_domain /bin/\*\-ls\-cat from any".
2958                                                  2958 
2959       To solve this difficulty, I introduced     2959       To solve this difficulty, I introduced optional argument that supersedes
2960       exception policy's domain transition co    2960       exception policy's domain transition control directives.
2961                                                  2961 
2962         file execute /bin/ls keep exec.realpa    2962         file execute /bin/ls keep exec.realpath="/bin/ls" exec.argv[0]="ls"
2963         file execute /bin/cat keep exec.realp    2963         file execute /bin/cat keep exec.realpath="/bin/cat" exec.argv[0]="cat"
2964         file execute /bin/\*\-ls\-cat child      2964         file execute /bin/\*\-ls\-cat child
2965         file execute /usr/sbin/httpd <apache>    2965         file execute /usr/sbin/httpd <apache> exec.realpath="/usr/sbin/httpd" exec.argv[0]="/usr/sbin/httpd"
2966                                                  2966 
2967       This argument allows transition to diff    2967       This argument allows transition to different domains based on conditions.
2968                                                  2968 
2969         <kernel> /usr/sbin/sshd                  2969         <kernel> /usr/sbin/sshd
2970         file execute /bin/bash <kernel> /usr/    2970         file execute /bin/bash <kernel> /usr/sbin/sshd //batch-session exec.argc=2 exec.argv[1]="-c"
2971         file execute /bin/bash <kernel> /usr/    2971         file execute /bin/bash <kernel> /usr/sbin/sshd //root-session task.uid=0
2972         file execute /bin/bash <kernel> /usr/    2972         file execute /bin/bash <kernel> /usr/sbin/sshd //nonroot-session task.uid!=0
2973                                                  2973 
2974 Fix 2011/09/25                                   2974 Fix 2011/09/25
2975                                                  2975 
2976     @ Simplify garbage collector.                2976     @ Simplify garbage collector.
2977                                                  2977 
2978       It turned out that use of batched proce    2978       It turned out that use of batched processing tends to choke garbage
2979       collector when certain pattern of entri    2979       collector when certain pattern of entries are queued. Thus, I replaced it
2980       with sequential processing.                2980       with sequential processing.
2981                                                  2981 
2982 Version 1.8.3   2011/09/29   Usability enhanc    2982 Version 1.8.3   2011/09/29   Usability enhancement release.
2983                                                  2983 
2984 Fix 2011/10/24                                   2984 Fix 2011/10/24
2985                                                  2985 
2986     @ Fix incomplete read after seek.            2986     @ Fix incomplete read after seek.
2987                                                  2987 
2988       ccs_flush() tries to flush data to be r    2988       ccs_flush() tries to flush data to be read as soon as possible.
2989       ccs_select_domain() (which is called by    2989       ccs_select_domain() (which is called by write()) enqueues data which
2990       meant to be read by next read(), but pr    2990       meant to be read by next read(), but previous read()'s read buffer's
2991       size was not cleared. As a result, sinc    2991       size was not cleared. As a result, since 1.8.0, sequence like
2992                                                  2992 
2993         char *cp = "select global-pid=1\n";      2993         char *cp = "select global-pid=1\n";
2994         read(fd, buf1, sizeof(buf1));            2994         read(fd, buf1, sizeof(buf1));
2995         write(fd, cp, strlen(cp));               2995         write(fd, cp, strlen(cp));
2996         read(fd, buf2, sizeof(buf2));            2996         read(fd, buf2, sizeof(buf2));
2997                                                  2997 
2998       causes enqueued data to be flushed to b    2998       causes enqueued data to be flushed to buf1 rather than buf2.
2999                                                  2999 
3000     @ Use query id for reaching target proces    3000     @ Use query id for reaching target process's domain policy.
3001                                                  3001 
3002       Use query id for reaching target proces    3002       Use query id for reaching target process's domain policy rather than
3003       target process's global PID. This is fo    3003       target process's global PID. This is for synchronizing with TOMOYO 2.x,
3004       but this change makes /usr/sbin/ccs-que    3004       but this change makes /usr/sbin/ccs-queryd more reliable because the
3005       kernel will return empty domain policy     3005       kernel will return empty domain policy when the query has expired before
3006       ccs-queryd reaches target process's dom    3006       ccs-queryd reaches target process's domain policy.
3007                                                  3007 
3008     @ Fix quota counting.                        3008     @ Fix quota counting.
3009                                                  3009 
3010       "task manual_domain_transition" should     3010       "task manual_domain_transition" should not be counted for quota as with
3011       "task auto_domain_transition"/"task aut    3011       "task auto_domain_transition"/"task auto_execute_handler"/
3012       "task denied_execute_handler" because t    3012       "task denied_execute_handler" because these are not appended by learning
3013       mode.                                      3013       mode.
3014                                                  3014 
3015 Fix 2011/11/11                                   3015 Fix 2011/11/11
3016                                                  3016 
3017     @ Optimize for object's size.                3017     @ Optimize for object's size.
3018                                                  3018 
3019       I rearranged functions/variables into t    3019       I rearranged functions/variables into three groups in order to reduce
3020       object's filesize. Also, I added kernel    3020       object's filesize. Also, I added kernel config options for reducing more
3021       by excluding unnecessary functionality.    3021       by excluding unnecessary functionality.
3022                                                  3022 
3023 Fix 2011/11/18                                   3023 Fix 2011/11/18
3024                                                  3024 
3025     @ Fix kernel config mapping error.           3025     @ Fix kernel config mapping error.
3026                                                  3026 
3027       Due to a typo in ccs_p2mac definition,     3027       Due to a typo in ccs_p2mac definition, mode for CONFIG::file::execute was
3028       by error used when checking "file getat    3028       by error used when checking "file getattr" permission. Most users will
3029       not be affected by this error because C    3029       not be affected by this error because CONFIG::file::execute and
3030       CONFIG::file::getattr are by default co    3030       CONFIG::file::getattr are by default configured to use CONFIG::file or
3031       CONFIG settings.                           3031       CONFIG settings.
3032                                                  3032 
3033 Fix 2011/12/13                                   3033 Fix 2011/12/13
3034                                                  3034 
3035     @ Follow __d_path() behavior change. (Onl    3035     @ Follow __d_path() behavior change. (Only 2.6.36 and later)
3036                                                  3036 
3037       The behavior of __d_path() has changed     3037       The behavior of __d_path() has changed in 3.2-rc5. __d_path() now returns
3038       NULL when the pathname cannot be calcul    3038       NULL when the pathname cannot be calculated. You must update to this
3039       version when using with 3.2-rc5 and lat    3039       version when using with 3.2-rc5 and later kernels, or the kernel will
3040       panic because ccs_get_absolute_path() t    3040       panic because ccs_get_absolute_path() triggers NULL pointer dereference.
3041                                                  3041 
3042       The patch that changed the behavior of     3042       The patch that changed the behavior of __d_path() might be backported to
3043       2.6.36 to 3.1 kernels. You must update     3043       2.6.36 to 3.1 kernels. You must update to this version if the patch was
3044       backported, or you will experience the     3044       backported, or you will experience the kernel panic as with 3.2-rc5.
3045                                                  3045 
3046       The patch that changed the behavior of     3046       The patch that changed the behavior of __d_path() also changed the way of
3047       handling pathnames under lazy-unmounted    3047       handling pathnames under lazy-unmounted directory. Until now, TOMOYO was
3048       using incomplete pathnames returned by     3048       using incomplete pathnames returned by __d_path() when the pathname is
3049       under lazy-unmounted directory. But fro    3049       under lazy-unmounted directory. But from now on, TOMOYO uses different
3050       pathnames returned by ccs_get_local_pat    3050       pathnames returned by ccs_get_local_path() when the pathname is under
3051       lazy-unmounted directory (because __d_p    3051       lazy-unmounted directory (because __d_path() no longer returns it).
3052                                                  3052 
3053       Since applications unlikely do lazy unm    3053       Since applications unlikely do lazy unmounts, requesting pathnames under
3054       lazy-unmounted directory should not hap    3054       lazy-unmounted directory should not happen unless the administrator
3055       explicitly does lazy unmounts. But path    3055       explicitly does lazy unmounts. But pathnames which is defined for such
3056       conditions in the policy file (if any)     3056       conditions in the policy file (if any) will need to be rewritten.
3057                                                  3057 
3058 Fix 2012/01/20                                   3058 Fix 2012/01/20
3059                                                  3059 
3060     @ Follow changes in 3.3-rc1.                 3060     @ Follow changes in 3.3-rc1.
3061                                                  3061 
3062       Use umode_t rather than mode_t.            3062       Use umode_t rather than mode_t.
3063       Remove ipv6_addr_copy() usage.             3063       Remove ipv6_addr_copy() usage.
3064                                                  3064 
3065 Fix 2012/02/25                                   3065 Fix 2012/02/25
3066                                                  3066 
3067     @ Follow changes in linux-next.              3067     @ Follow changes in linux-next.
3068                                                  3068 
3069       UMH_WAIT_PROC constant (currently 1) is    3069       UMH_WAIT_PROC constant (currently 1) is scheduled for renumbering in 3.4.
3070                                                  3070 
3071       Use UMH_WAIT_PROC constant instead of h    3071       Use UMH_WAIT_PROC constant instead of hardcoded constant in preparation
3072       for backporting call_usermodehelper() r    3072       for backporting call_usermodehelper() related changes. If renumbering was
3073       backported, you will start experiencing    3073       backported, you will start experiencing the kernel panic upon execution
3074       of external policy loader (i.e. /sbin/c    3074       of external policy loader (i.e. /sbin/ccs-init), for the kernel will no
3075       longer wait for completion of external     3075       longer wait for completion of external policy loader process.
3076                                                  3076 
3077       Although I changed to use UMH_WAIT_PROC    3077       Although I changed to use UMH_WAIT_PROC constant, this change could fail
3078       to detect renumbering in 2.6.22 and ear    3078       to detect renumbering in 2.6.22 and earlier kernels, for UMH_WAIT_PROC
3079       constant is currently available to only    3079       constant is currently available to only 2.6.23 and later kernels. If you
3080       started to experience the kernel panic,    3080       started to experience the kernel panic, please check whether renumbering
3081       was backported or not.                     3081       was backported or not.
3082                                                  3082 
3083 Fix 2012/02/29                                   3083 Fix 2012/02/29
3084                                                  3084 
3085     @ Fix mount flags checking order.            3085     @ Fix mount flags checking order.
3086                                                  3086 
3087       Userspace can pass in arbitrary combina    3087       Userspace can pass in arbitrary combinations of MS_* flags to mount().
3088                                                  3088 
3089       If both MS_BIND and one of MS_SHARED/MS    3089       If both MS_BIND and one of MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE
3090       are passed, device name which should be    3090       are passed, device name which should be checked for MS_BIND was not
3091       checked because MS_SHARED/MS_PRIVATE/MS    3091       checked because MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE had higher
3092       priority than MS_BIND.                     3092       priority than MS_BIND.
3093                                                  3093 
3094       If both one of MS_BIND/MS_MOVE and MS_R    3094       If both one of MS_BIND/MS_MOVE and MS_REMOUNT are passed, device name
3095       which should not be checked for MS_REMO    3095       which should not be checked for MS_REMOUNT was checked because MS_BIND/
3096       MS_MOVE had higher priority than MS_REM    3096       MS_MOVE had higher priority than MS_REMOUNT.
3097                                                  3097 
3098       Fix these bugs by changing priority to     3098       Fix these bugs by changing priority to MS_REMOUNT -> MS_BIND ->
3099       MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBIND    3099       MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE -> MS_MOVE as with do_mount()
3100       does. Also, I changed to unconditionall    3100       does. Also, I changed to unconditionally return -EINVAL if more than one
3101       of MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNB    3101       of MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE is passed so that TOMOYO
3102       will not generate inaccurate audit logs    3102       will not generate inaccurate audit logs, for commit 7a2e8a8f "VFS: Sanity
3103       check mount flags passed to change_mnt_    3103       check mount flags passed to change_mnt_propagation()" clarified that
3104       these flags must be exclusively passed.    3104       these flags must be exclusively passed.
3105                                                  3105 
3106 Fix 2012/03/08                                   3106 Fix 2012/03/08
3107                                                  3107 
3108     @ Allow returning other errors when ptrac    3108     @ Allow returning other errors when ptrace permission cannot be checked.
3109                                                  3109 
3110       Currently -EPERM is returned when ccs_p    3110       Currently -EPERM is returned when ccs_ptrace_permission() returned an
3111       error code. I changed to return return     3111       error code. I changed to return return value from ccs_ptrace_permission()
3112       so that we can return -ESRCH when targe    3112       so that we can return -ESRCH when target process was not found.
3113                                                  3113 
3114 Fix 2012/03/16                                   3114 Fix 2012/03/16
3115                                                  3115 
3116     @ Return appropriate value to poll().        3116     @ Return appropriate value to poll().
3117                                                  3117 
3118       Return POLLIN | POLLRDNORM | POLLOUT |     3118       Return POLLIN | POLLRDNORM | POLLOUT | POLLWRNORM if ready to read/write,
3119       POLLOUT | POLLWRNORM otherwise.            3119       POLLOUT | POLLWRNORM otherwise.
3120                                                  3120 
3121 Fix 2012/04/22                                   3121 Fix 2012/04/22
3122                                                  3122 
3123     @ Readd RHEL_MINOR/AX_MINOR checks.          3123     @ Readd RHEL_MINOR/AX_MINOR checks.
3124                                                  3124 
3125       This check was added in revision 2346 a    3125       This check was added in revision 2346 and was removed in revision 4084.
3126                                                  3126 
3127       Add it back in order to support RHEL 5.    3127       Add it back in order to support RHEL 5.0, 5.1, 5.2 kernels.
3128                                                  3128 
3129     @ Fix skb_kill_datagram() for kernels 2.6    3129     @ Fix skb_kill_datagram() for kernels 2.6.0 - 2.6.11.
3130                                                  3130 
3131       Commit 208d8984 "[IPV4]: Fix BUG() in 2    3131       Commit 208d8984 "[IPV4]: Fix BUG() in 2.6.x, udp_poll(), fragments +
3132       CONFIG_HIGHMEM" clarified that skb_kill    3132       CONFIG_HIGHMEM" clarified that skb_kill_datagram() should use
3133       spin_lock_bh()/spin_unlock_bh() rather     3133       spin_lock_bh()/spin_unlock_bh() rather than
3134       spin_lock_irq()/spin_unlock_irq().         3134       spin_lock_irq()/spin_unlock_irq().
3135                                                  3135 
3136       RHEL 4.9 (2.6.9) kernel has that patch     3136       RHEL 4.9 (2.6.9) kernel has that patch backported. So do I.
3137                                                  3137 
3138     @ Fix missing locks for RHEL 5.2-5.8 kern    3138     @ Fix missing locks for RHEL 5.2-5.8 kernels.
3139                                                  3139 
3140       Since RHEL 5.2 and later kernels have b    3140       Since RHEL 5.2 and later kernels have backported commit 95766fff
3141       "[UDP]: Add memory accounting." patch,     3141       "[UDP]: Add memory accounting." patch, TOMOYO needs to call
3142       lock_sock()/release_sock() around skb_k    3142       lock_sock()/release_sock() around skb_kill_datagram() call when UDP
3143       packet was dropped by TOMOYO.              3143       packet was dropped by TOMOYO.
3144                                                  3144 
3145 Fix 2012/04/28                                   3145 Fix 2012/04/28
3146                                                  3146 
3147     @ Accept manager programs which do not st    3147     @ Accept manager programs which do not start with / .
3148                                                  3148 
3149       The pathname of /usr/sbin/ccs-editpolic    3149       The pathname of /usr/sbin/ccs-editpolicy seen from Ubuntu 12.04 Live
3150       CD is squashfs:/usr/sbin/ccs-editpolicy    3150       CD is squashfs:/usr/sbin/ccs-editpolicy rather than
3151       /usr/sbin/ccs-editpolicy . Therefore, w    3151       /usr/sbin/ccs-editpolicy . Therefore, we need to accept manager
3152       programs which do not start with / .       3152       programs which do not start with / .
3153                                                  3153 
3154 Fix 2012/10/08                                   3154 Fix 2012/10/08
3155                                                  3155 
3156     @ Fix KABI breakage on Ubuntu 12.10.         3156     @ Fix KABI breakage on Ubuntu 12.10.
3157                                                  3157 
3158       I was using include/linux/security.h as    3158       I was using include/linux/security.h as the common path for pulling in
3159       include/linux/ccsecurity.h so that I ca    3159       include/linux/ccsecurity.h so that I can avoid scattering #include line.
3160                                                  3160 
3161       When scripts/genksyms/genksyms calculat    3161       When scripts/genksyms/genksyms calculates hash values for Module.symvers
3162       file, it uses the extracted form of inv    3162       file, it uses the extracted form of involved structures if the structure
3163       layout is known but it instead uses UNK    3163       layout is known but it instead uses UNKNOWN if the structure layout is
3164       not known. Therefore, pulling in includ    3164       not known. Therefore, pulling in include files that define structure's
3165       layout from include/linux/ccsecurity.h     3165       layout from include/linux/ccsecurity.h causes changes in the hash values
3166       and causes KABI breakage, even if no ch    3166       and causes KABI breakage, even if no changes were made to the involved
3167       structures.                                3167       structures.
3168                                                  3168 
3169       Fix this breakage by avoiding pulling i    3169       Fix this breakage by avoiding pulling in include/linux/sched.h and
3170       include/linux/dcache.h from include/lin    3170       include/linux/dcache.h from include/linux/ccsecurity.h where possible.
3171                                                  3171 
3172 Fix 2015/01/01                                   3172 Fix 2015/01/01
3173                                                  3173 
3174     @ Fix missing chmod(-1) check in Linux 3.    3174     @ Fix missing chmod(-1) check in Linux 3.1 and later kernels.
3175                                                  3175 
3176       Commit e57712ebebbb9db7 "merge fchmod()    3176       Commit e57712ebebbb9db7 "merge fchmod() and fchmodat() guts, kill
3177       ancient broken kludge" changed chmod(-1    3177       ancient broken kludge" changed chmod(-1) from no-op to setting to
3178       07777. Therefore, TOMOYO must not ignor    3178       07777. Therefore, TOMOYO must not ignore chmod(-1) case.
3179                                                  3179 
3180     @ Fix potentially using bogus attributes     3180     @ Fix potentially using bogus attributes when stat() fails.
3181                                                  3181 
3182       We should reset attributes information     3182       We should reset attributes information when executing execute_handler
3183       program, or attributes of original prog    3183       program, or attributes of original program could be used when stat()
3184       on execute_handler program failed.         3184       on execute_handler program failed.
3185                                                  3185 
3186 Fix 2015/04/08                                   3186 Fix 2015/04/08
3187                                                  3187 
3188     @ Fix incorrect readdir() permission chec    3188     @ Fix incorrect readdir() permission check.
3189                                                  3189 
3190       CONFIG_CCSECURITY_FILE_READDIR was mean    3190       CONFIG_CCSECURITY_FILE_READDIR was meant for allowing users to control
3191       readdir() permission check. However, CO    3191       readdir() permission check. However, CONFIG_CCSECURITY_FILE_GETATTR was
3192       by error used for controlling readdir()    3192       by error used for controlling readdir() permission check. This fix
3193       should not affect kernels built with de    3193       should not affect kernels built with default configuration, for both
3194       CONFIG_CCSECURITY_FILE_READDIR and CONF    3194       CONFIG_CCSECURITY_FILE_READDIR and CONFIG_CCSECURITY_FILE_GETATTR are
3195       defined by default.                        3195       defined by default.
3196                                                  3196 
3197 Fix 2015/04/15                                   3197 Fix 2015/04/15
3198                                                  3198 
3199     @ Fix incorrect retry request check.         3199     @ Fix incorrect retry request check.
3200                                                  3200 
3201       When a request was asked to retry, acl_    3201       When a request was asked to retry, acl_group referenced by domain's
3202       use_group keyword was by error ignored.    3202       use_group keyword was by error ignored. As a result, retrying was not
3203       able to use permissions defined by acl_    3203       able to use permissions defined by acl_group.
3204                                                  3204 
3205 Fix 2015/05/01                                   3205 Fix 2015/05/01
3206                                                  3206 
3207     @ Support multiple use_group entries.        3207     @ Support multiple use_group entries.
3208                                                  3208 
3209       Until now, each domain can include only    3209       Until now, each domain can include only one use_group entry.
3210       I changed to allow each domain to inclu    3210       I changed to allow each domain to include up to 256 use_group entries.
3211       As a result, you will be able to reduce    3211       As a result, you will be able to reduce duplication of policy by
3212       defining multiple acl_group entries bas    3212       defining multiple acl_group entries based on use cases and including
3213       them from each domain as needed.           3213       them from each domain as needed.
3214                                                  3214 
3215 Version 1.8.4   2015/05/05   Usability enhanc    3215 Version 1.8.4   2015/05/05   Usability enhancement release.
3216                                                  3216 
3217 Fix 2015/11/08                                   3217 Fix 2015/11/08
3218                                                  3218 
3219     @ Use memory allocation flags used by TOM    3219     @ Use memory allocation flags used by TOMOYO 2.x.
3220                                                  3220 
3221       Until now, TOMOYO 1.x was using memory     3221       Until now, TOMOYO 1.x was using memory allocation flags which are weaker
3222       than TOMOYO 2.x in order to make sure t    3222       than TOMOYO 2.x in order to make sure that memory allocation request by
3223       TOMOYO 1.x shall not cause silent livel    3223       TOMOYO 1.x shall not cause silent livelock problem.
3224                                                  3224 
3225       But as I learn about this livelock prob    3225       But as I learn about this livelock problem, I understood that this is
3226       not a problem which TOMOYO can manage.     3226       not a problem which TOMOYO can manage. While hitting a silent livelock
3227       at memory allocation is a problem, refu    3227       at memory allocation is a problem, refusing critical access requests
3228       by critical processes due to memory all    3228       by critical processes due to memory allocation failure caused by use of
3229       weaker memory allocation flags is also     3229       weaker memory allocation flags is also a problem.
3230                                                  3230 
3231       Since situations regarding memory alloc    3231       Since situations regarding memory allocation flags in upstream kernels
3232       are changing, it will be safer to use m    3232       are changing, it will be safer to use memory allocation flags used by
3233       TOMOYO 2.x.                                3233       TOMOYO 2.x.
3234                                                  3234 
3235 Fix 2015/11/10                                   3235 Fix 2015/11/10
3236                                                  3236 
3237     @ Limit wildcard recursion depth.            3237     @ Limit wildcard recursion depth.
3238                                                  3238 
3239       Since wildcards that need recursion con    3239       Since wildcards that need recursion consume kernel stack memory,
3240       we cannot allow infinite recursion.        3240       we cannot allow infinite recursion.
3241                                                  3241 
3242 Version 1.8.5   2015/11/11   Tenth anniversar    3242 Version 1.8.5   2015/11/11   Tenth anniversary release.
3243                                                  3243 
3244 Fix 2017/02/02                                   3244 Fix 2017/02/02
3245                                                  3245 
3246     @ Use for_each_thread() for GC operation.    3246     @ Use for_each_thread() for GC operation.
3247                                                  3247 
3248       while_each_thread() without tasklist_lo    3248       while_each_thread() without tasklist_lock is not safe.
3249       Use for_each_process_thread() if it is     3249       Use for_each_process_thread() if it is available, hold
3250       tasklist_lock otherwise.                   3250       tasklist_lock otherwise.
3251                                                  3251 
3252 Fix 2018/04/01                                   3252 Fix 2018/04/01
3253                                                  3253 
3254     @ Use smb_rmb() when waiting for initiali    3254     @ Use smb_rmb() when waiting for initialization.
3255                                                  3255 
3256       "while (!cond);" is implicitly optimize    3256       "while (!cond);" is implicitly optimized like "if (!cond) while (1);".
3257       Use "while (!cond) smp_rmb();" in order    3257       Use "while (!cond) smp_rmb();" in order to prevent such optimization.
3258                                                  3258 
3259 Fix 2019/07/27                                   3259 Fix 2019/07/27
3260                                                  3260 
3261     @ Change pathname calculation for read-on    3261     @ Change pathname calculation for read-only filesystems.
3262                                                  3262 
3263       Commit 5625f2e3266319fd ("TOMOYO: Chang    3263       Commit 5625f2e3266319fd ("TOMOYO: Change pathname for non-rename()able
3264       filesystems.") intended to be applied t    3264       filesystems.") intended to be applied to filesystems where the content is
3265       not controllable from the userspace (e.    3265       not controllable from the userspace (e.g. proc, sysfs, securityfs), based
3266       on an assumption that such filesystems     3266       on an assumption that such filesystems do not support rename() operation.
3267                                                  3267 
3268       But it turned out that read-only filesy    3268       But it turned out that read-only filesystems also do not support rename()
3269       operation despite the content is contro    3269       operation despite the content is controllable from the userspace, and that
3270       commit is annoying TOMOYO users who wan    3270       commit is annoying TOMOYO users who want to use e.g. squashfs as the root
3271       filesystem due to use of local name whi    3271       filesystem due to use of local name which does not start with '/'.
3272                                                  3272 
3273       Therefore, based on an assumption that     3273       Therefore, based on an assumption that filesystems which require the
3274       device argument upon mount() request is    3274       device argument upon mount() request is an indication that the content
3275       is controllable from the userspace, do     3275       is controllable from the userspace, do not use local name if a filesystem
3276       does not support rename() operation but    3276       does not support rename() operation but requires the device argument upon
3277       mount() request.                           3277       mount() request.
3278                                                  3278 
3279     @ Reject move_mount() system call for now    3279     @ Reject move_mount() system call for now.
3280                                                  3280 
3281       Commit 2db154b3ea8e14b0 ("vfs: syscall:    3281       Commit 2db154b3ea8e14b0 ("vfs: syscall: Add move_mount(2) to move mounts
3282       around") introduced security_move_mount    3282       around") introduced security_move_mount() LSM hook, but we missed that
3283       TOMOYO and AppArmor did not implement h    3283       TOMOYO and AppArmor did not implement hooks for checking move_mount(2).
3284       Since unchecked mount manipulation is n    3284       Since unchecked mount manipulation is not acceptable, for now pretend
3285       as if move_mount(2) is unavailable.        3285       as if move_mount(2) is unavailable.
3286                                                  3286 
3287     @ Don't check open/getattr permission on     3287     @ Don't check open/getattr permission on sockets.
3288                                                  3288 
3289       syzbot found that use of SOCKET_I()->sk    3289       syzbot found that use of SOCKET_I()->sk from open() can result in
3290       use after free problem, for socket's in    3290       use after free problem, for socket's inode is still reachable via
3291       /proc/pid/fd/n despite destruction of S    3291       /proc/pid/fd/n despite destruction of SOCKET_I()->sk already completed.
3292                                                  3292 
3293       But there is no point with calling secu    3293       But there is no point with calling security_file_open() on sockets
3294       because open("/proc/pid/fd/n", !O_PATH)    3294       because open("/proc/pid/fd/n", !O_PATH) on sockets fails with -ENXIO.
3295                                                  3295 
3296       There is some point with calling securi    3296       There is some point with calling security_inode_getattr() on sockets
3297       because stat("/proc/pid/fd/n") and fsta    3297       because stat("/proc/pid/fd/n") and fstat(open("/proc/pid/fd/n", O_PATH))
3298       are valid. But since information which     3298       are valid. But since information which can be protected by checking
3299       security_inode_getattr() on sockets is     3299       security_inode_getattr() on sockets is trivial, let's not check it.
3300                                                  3300 
3301 Version 1.8.6   2019/08/20   Bug fix release.    3301 Version 1.8.6   2019/08/20   Bug fix release.
3302                                                  3302 
3303 Fix 2019/12/07                                   3303 Fix 2019/12/07
3304                                                  3304 
3305     @ Don't use nifty names on sockets.          3305     @ Don't use nifty names on sockets.
3306                                                  3306 
3307       Revert "Don't check open/getattr permis    3307       Revert "Don't check open/getattr permission on sockets.", and then
3308       get rid of special handling of sockets.    3308       get rid of special handling of sockets. As a side effect of this patch,
3309       "socket:[family=\$:type=\$:protocol=\$]    3309       "socket:[family=\$:type=\$:protocol=\$]" in the policy files has to be
3310       rewritten to "socket:[\$]".                3310       rewritten to "socket:[\$]".
3311                                                  3311 
3312 Fix 2020/04/09                                   3312 Fix 2020/04/09
3313                                                  3313 
3314     @ Fix wrong put_page() usage in ccs_dump_    3314     @ Fix wrong put_page() usage in ccs_dump_page().
3315                                                  3315 
3316       ccs_dump_page() for 5.6+ was by error u    3316       ccs_dump_page() for 5.6+ was by error using wrong function to put page.
3317                                                  3317 
3318 Fix 2020/05/01                                   3318 Fix 2020/05/01
3319                                                  3319 
3320     @ Loosen domainname validation and pathna    3320     @ Loosen domainname validation and pathname validation.
3321                                                  3321 
3322       Currently a domainname must start with     3322       Currently a domainname must start with "<$namespace>" followed by
3323       zero or more repetitions of a pathname     3323       zero or more repetitions of a pathname which starts with '/'.
3324                                                  3324 
3325       But situation is getting more and more     3325       But situation is getting more and more difficult to enforce use of
3326       a pathname which starts with '/', for e    3326       a pathname which starts with '/', for execve() request of a pathname
3327       on e.g. some filesystems cause ccs_real    3327       on e.g. some filesystems cause ccs_realpath() to return a pathname
3328       in "$fsname:/$pathname" format.            3328       in "$fsname:/$pathname" format.
3329                                                  3329 
3330       Fortunately, since $fsname must not con    3330       Fortunately, since $fsname must not contain '.' since Linux 2.6.22,
3331       we can recognize a token which appears     3331       we can recognize a token which appears '/' before '.' appears (e.g.
3332       proc:/self/exe ) as a pathname and a to    3332       proc:/self/exe ) as a pathname and a token which appears '.' before
3333       '/' appears (e.g. exec.realpath="/bin/b    3333       '/' appears (e.g. exec.realpath="/bin/bash" ) as a condition parameter,
3334       with an exception that a pathname canno    3334       with an exception that a pathname cannot start with
3335       auto_domain_transition=" because it is     3335       auto_domain_transition=" because it is reserved as a delimiter string
3336       for on-match domain transition. Also, w    3336       for on-match domain transition. Also, we can recognize "<$namespace>"
3337       followed by such tokens (e.g. <kernel>     3337       followed by such tokens (e.g. <kernel> /foo proc:/self/exe /bar ) as
3338       a domainname.                              3338       a domainname.
3339                                                  3339 
3340 Version 1.8.7   2020/05/05   Usability enhanc    3340 Version 1.8.7   2020/05/05   Usability enhancement release.
3341                                                  3341 
3342 Fix 2020/07/22                                   3342 Fix 2020/07/22
3343                                                  3343 
3344     @ Fix domain transition preference.          3344     @ Fix domain transition preference.
3345                                                  3345 
3346       The domain transition preference which     3346       The domain transition preference which was introduced in 1.8.3 is
3347       by error ignored since 1.8.3p4, for ccs    3347       by error ignored since 1.8.3p4, for ccs_update_task_domain() from
3348       ccs_write_log2() from ccs_supervisor()     3348       ccs_write_log2() from ccs_supervisor() from ccs_audit_log() always
3349       resets r->matched_acl to NULL. Change c    3349       resets r->matched_acl to NULL. Change ccs_update_task_domain() not
3350       to reset r->matched_acl to NULL.           3350       to reset r->matched_acl to NULL.
3351                                                  3351 
3352 Fix 2020/08/17                                   3352 Fix 2020/08/17
3353                                                  3353 
3354     @ Fix ccs_realpath() fallback.               3354     @ Fix ccs_realpath() fallback.
3355                                                  3355 
3356       ccs_realpath() for 3.17+ was by error n    3356       ccs_realpath() for 3.17+ was by error not calling ccs_get_local_path()
3357       when ccs_get_absolute_path() returned -    3357       when ccs_get_absolute_path() returned -EINVAL.
3358                                                  3358 
3359 Fix 2020/08/19                                   3359 Fix 2020/08/19
3360                                                  3360 
3361     @ Fix wrong ccs_search_binary_handler() m    3361     @ Fix wrong ccs_search_binary_handler() mapping.
3362                                                  3362 
3363       When support for 5.8 kernel was added,     3363       When support for 5.8 kernel was added, ccs_search_binary_handler() for
3364       3.7- was by error mapped to wrong funct    3364       3.7- was by error mapped to wrong function.
3365                                                  3365 
3366 Fix 2020/10/24                                   3366 Fix 2020/10/24
3367                                                  3367 
3368     @ Fix /proc pathname calculation for Linu    3368     @ Fix /proc pathname calculation for Linux 5.8+ kernels.
3369                                                  3369 
3370       ccs_realpath() for 5.8+ was by error no    3370       ccs_realpath() for 5.8+ was by error not using proc_pid_ns() when
3371       calculating /proc pathname.                3371       calculating /proc pathname.
3372                                                  3372 
3373 Version 1.8.8   2020/11/11   Fifteenth annive    3373 Version 1.8.8   2020/11/11   Fifteenth anniversary release.
3374                                                  3374 
3375 Fix 2021/03/13                                   3375 Fix 2021/03/13
3376                                                  3376 
3377     @ Skip permission checks for fileless exe    3377     @ Skip permission checks for fileless execution requests.
3378                                                  3378 
3379       Kernels from 4.18 to 5.8 are using call    3379       Kernels from 4.18 to 5.8 are using call_usermodehelper_setup_file() for
3380       starting program without a valid pathna    3380       starting program without a valid pathname on a filesystem.
3381       /sbin/modprobe from dockerd process cou    3381       /sbin/modprobe from dockerd process could not load bpfilter.ko module
3382       because ccs_symlink_path() cannot calcu    3382       because ccs_symlink_path() cannot calculate pathname of program without
3383       a valid pathname. Thus, allow call_user    3383       a valid pathname. Thus, allow call_usermodehelper_setup_file() to bypass
3384       permission checks and suppress domain t    3384       permission checks and suppress domain transitions.
3385                                                  3385 
3386     @ Fix ccs_kernel_service().                  3386     @ Fix ccs_kernel_service().
3387                                                  3387 
3388       Kernels from 5.5 to 5.11 are using PF_K    3388       Kernels from 5.5 to 5.11 are using PF_KTHREAD flag for the io_uring
3389       worker threads.                            3389       worker threads.
3390                                                  3390 
3391 Version 1.8.9   2021/04/01   Bug fix release.    3391 Version 1.8.9   2021/04/01   Bug fix release.
3392                                                  3392 
3393 Fix 2021/12/28                                   3393 Fix 2021/12/28
3394                                                  3394 
3395     @ Check exceeded quota early.                3395     @ Check exceeded quota early.
3396                                                  3396 
3397       Backport commit 04e57a2d952bbd34 ("tomo    3397       Backport commit 04e57a2d952bbd34 ("tomoyo: Check exceeded quota early in
3398       tomoyo_domain_quota_is_ok().") and comm    3398       tomoyo_domain_quota_is_ok().") and commit f702e1107601230e ("tomoyo: use
3399       hwight16() in tomoyo_domain_quota_is_ok    3399       hwight16() in tomoyo_domain_quota_is_ok()"), for these help reducing
3400       overhead of the learning mode. Note tha    3400       overhead of the learning mode. Note that the former patch requires you to
3401       explicitly delete "quota_exceeded" entr    3401       explicitly delete "quota_exceeded" entry from the domain policy in order
3402       to resume the learning mode.               3402       to resume the learning mode.
3403                                                  3403 
3404 Fix 2024/03/31                                   3404 Fix 2024/03/31
3405                                                  3405 
3406     @ Fix a UAF bug introduced by an oversigh    3406     @ Fix a UAF bug introduced by an oversight in TOMOYO revision 2930.
3407                                                  3407 
3408       Backport commit 2f03fc340cac ("tomoyo:     3408       Backport commit 2f03fc340cac ("tomoyo: fix UAF write bug in
3409       tomoyo_write_control()").                  3409       tomoyo_write_control()").
3410                                                  3410 
3411 Version 1.8.10   2024/04/01   Security bug fi    3411 Version 1.8.10   2024/04/01   Security bug fix release.
3412                                                  3412 
3413 Fix 2024/06/28                                   3413 Fix 2024/06/28
3414                                                  3414 
3415     @ Unblock move_mount() system call.          3415     @ Unblock move_mount() system call.
3416                                                  3416 
3417       Since util-linux 2.39 started using lib    3417       Since util-linux 2.39 started using libmount-mountfd-support,
3418       implementing appropriate permission che    3418       implementing appropriate permission check for move_mount() became
3419       necessary for successfully booting a Li    3419       necessary for successfully booting a Linux system.
3420                                                  3420 
3421 Version 1.8.11   2024/07/15   Bug fix release    3421 Version 1.8.11   2024/07/15   Bug fix release.
                                                      

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php