1 Notes for TOMOYO Linux project 1 Notes for TOMOYO Linux project 2 2 3 This is a handy Mandatory Access Control patch 3 This is a handy Mandatory Access Control patch for Linux kernels. 4 This patch is released under the GPLv2. 4 This patch is released under the GPLv2. 5 5 6 Project URL: https://tomoyo.sourceforge.net/ !! 6 Project URL: https://tomoyo.osdn.jp/ 7 7 8 The authors of this patch (hereafter, we) don' 8 The authors of this patch (hereafter, we) don't have much experience 9 in kernel programming. We are worried that thi 9 in kernel programming. We are worried that this patch would contain 10 some mistakes such as missing hooks, improper 10 some mistakes such as missing hooks, improper location of hooks, 11 potential deadlocks. There would be better way 11 potential deadlocks. There would be better way of implementation. 12 All kinds of comments, pointing the errors and 12 All kinds of comments, pointing the errors and suggestions are welcome. 13 13 14 We do hope this patch reduces the labor of ser 14 We do hope this patch reduces the labor of server security management 15 and you enjoy the life with Linux. 15 and you enjoy the life with Linux. 16 16 17 This project was very inspired by the comic "C 17 This project was very inspired by the comic "Card Captor SAKURA", 18 one of the CLAMP's masterworks. 18 one of the CLAMP's masterworks. 19 19 20 ChangeLog: 20 ChangeLog: 21 21 22 Version 1.0 2005/11/11 First release. 22 Version 1.0 2005/11/11 First release. 23 23 24 Fix 2005/11/18 24 Fix 2005/11/18 25 25 26 @ Add setattr() missing hook in SYAORAN fs 26 @ Add setattr() missing hook in SYAORAN fs. 27 27 28 setattr() checking for special inode was 28 setattr() checking for special inode was missing. 29 29 30 Fix 2005/11/25 30 Fix 2005/11/25 31 31 32 @ Allow initrd.img include /sbin/init . 32 @ Allow initrd.img include /sbin/init . 
33 33 34 Since version 1.0 loads policy when /sbi 34 Since version 1.0 loads policy when /sbin/init is called 35 for the first time, initrd.img without t 35 for the first time, initrd.img without the policy directory 36 mustn't start /sbin/init . This forced u 36 mustn't start /sbin/init . This forced users not to use 37 initrd.img that includes /sbin/init . 37 initrd.img that includes /sbin/init . 38 I modified to delay loading policy if th 38 I modified to delay loading policy if the policy directory 39 doesn't exist and wait for /sbin/init be 39 doesn't exist and wait for /sbin/init being called again. 40 40 41 Fix 2005/12/02 41 Fix 2005/12/02 42 42 43 @ Use lookup_one_len() instead of lookup_h 43 @ Use lookup_one_len() instead of lookup_hash(). 44 44 45 Kernel 2.6.15 changed parameters for loo 45 Kernel 2.6.15 changed parameters for lookup_hash(). 46 I modified to use lookup_one_len() to ke 46 I modified to use lookup_one_len() to keep compatibility. 47 47 48 Fix 2005/12/06 48 Fix 2005/12/06 49 49 50 @ Add S_ISDIR() check in SYAORAN fs. 50 @ Add S_ISDIR() check in SYAORAN fs. 51 51 52 Malicious configuration file that attemp 52 Malicious configuration file that attempts to create an inode 53 under non-directory inode caused segment 53 under non-directory inode caused segmentation fault. 54 54 55 Version 1.0.1 2005/12/08 Minor update releas 55 Version 1.0.1 2005/12/08 Minor update release. 56 56 57 Fix 2006/01/04 57 Fix 2006/01/04 58 58 59 @ Add CheckWritePermission() check in unix 59 @ Add CheckWritePermission() check in unix_bind(). 60 60 61 I modified to check write permission in 61 I modified to check write permission in unix_bind(), for 62 sys_mknod(S_IFSOCK) checks write permiss 62 sys_mknod(S_IFSOCK) checks write permission. 63 63 64 @ Show hook version in proc_misc_init(). 64 @ Show hook version in proc_misc_init(). 
65 65 66 The hook part of this patch depends on t 66 The hook part of this patch depends on the kernel's version, 67 while the rest part of this patch doesn' 67 while the rest part of this patch doesn't. 68 I added the hook version so that the adm 68 I added the hook version so that the administrator can 69 know the last modified date of the hooks 69 know the last modified date of the hooks. 70 70 71 @ Move permission checks from filp_open() 71 @ Move permission checks from filp_open() to open_namei(). 72 72 73 I moved the location of checking MAC's p 73 I moved the location of checking MAC's permission 74 from filp_open() to open_namei(). 74 from filp_open() to open_namei(). 75 75 76 @ Fix an error in filp_open(). (only 2.6. 76 @ Fix an error in filp_open(). (only 2.6.15-rc5) 77 77 78 This error was only in the patch 2.6.15- 78 This error was only in the patch 2.6.15-rc5 and 79 was fixed in the patch for 2.6.15. 79 was fixed in the patch for 2.6.15. 80 80 81 Fix 2006/01/12 81 Fix 2006/01/12 82 82 83 @ Add /proc/ccs/info/self_domain. 83 @ Add /proc/ccs/info/self_domain. 84 84 85 I added /proc/ccs/info/self_domain so th 85 I added /proc/ccs/info/self_domain so that the userland programs 86 can know the name of domain they belong 86 can know the name of domain they belong to if necessary. 87 87 88 Fix 2006/01/13 88 Fix 2006/01/13 89 89 90 @ Merge constants for CheckTaskCapability( 90 @ Merge constants for CheckTaskCapability(). 91 91 92 I merged *_INHERITABLE_* and *_LOCAL_* t 92 I merged *_INHERITABLE_* and *_LOCAL_* to avoid always 93 calling CheckTaskCapability() with both 93 calling CheckTaskCapability() with both constants. 94 94 95 @ DropTaskCapability() returns -EAGAIN on 95 @ DropTaskCapability() returns -EAGAIN on success. 96 96 97 DropTaskCapability() must not return 0 o 97 DropTaskCapability() must not return 0 on success, for 98 DropTaskCapability() is called from do_e 98 DropTaskCapability() is called from do_execve(). 
99 99 100 @ Fix an error for chroot() permission che 100 @ Fix an error for chroot() permission check. 101 101 102 The chroot() restriction was not working 102 The chroot() restriction was not working due to the following mistake. 103 CheckChRootPermission() || CheckTaskCapa 103 CheckChRootPermission() || CheckTaskCapability() returns 0 or 1, while 104 CheckChRootPermission() | CheckTaskCapab 104 CheckChRootPermission() | CheckTaskCapability() returns 0 or -EPERM. 105 105 106 Fix 2006/01/17 106 Fix 2006/01/17 107 107 108 @ Suppress some of debug messages in TOMOY 108 @ Suppress some of debug messages in TOMOYO. 109 109 110 I added KERN_DEBUG to suppress some of d 110 I added KERN_DEBUG to suppress some of debug messages. 111 111 112 Fix 2006/01/19 112 Fix 2006/01/19 113 113 114 @ Remove isRoot() checks in AddChrootACL() 114 @ Remove isRoot() checks in AddChrootACL() and AddMountACL(). 115 115 116 I found a program that needs to chroot b 116 I found a program that needs to chroot by non-root. 117 So, I stopped checking uid=euid=0 for th 117 So, I stopped checking uid=euid=0 for these functions so that 118 "accept mode" can append ACLs. 118 "accept mode" can append ACLs. 119 The isRoot() is checked at AddChrootPoli 119 The isRoot() is checked at AddChrootPolicy() and AddMountPolicy(). 120 120 121 @ Map NULL device name to "<NULL>" in AddM 121 @ Map NULL device name to "<NULL>" in AddMountACL(). 122 122 123 VMware mounts vmware-hgfs with NULL devi 123 VMware mounts vmware-hgfs with NULL device name. 124 So I mapped NULL device name to "<NULL>" 124 So I mapped NULL device name to "<NULL>". 125 125 126 Fix 2006/01/20 126 Fix 2006/01/20 127 127 128 @ Suppress some of debug messages in SAKUR 128 @ Suppress some of debug messages in SAKURA. 129 129 130 I added KERN_DEBUG to suppress some of d 130 I added KERN_DEBUG to suppress some of debug messages. 131 131 132 @ Call panic() if failed to load given pro 132 @ Call panic() if failed to load given profile. 
133 133 134 Call panic() if profile index was given 134 Call panic() if profile index was given via CCS= parameter 135 but the profile doesn't exist. 135 but the profile doesn't exist. 136 If CCS= parameter is not given, the kern 136 If CCS= parameter is not given, the kernel attempts to load 137 profile 0, but it doesn't call panic() i 137 profile 0, but it doesn't call panic() if profile 0 doesn't exist. 138 138 139 Fix 2006/01/24 139 Fix 2006/01/24 140 140 141 @ Use full_name_hash() for IsGloballyReada 141 @ Use full_name_hash() for IsGloballyReadableFile(). 142 142 143 I modified to use full_name_hash() for f 143 I modified to use full_name_hash() for faster scan. 144 144 145 @ Add signal checking condition in CheckSi 145 @ Add signal checking condition in CheckSignalACL(). 146 146 147 The documentation says "if the target do 147 The documentation says "if the target domain's domainname 148 starts with the source domain's domainna 148 starts with the source domain's domainname, it is always granted" 149 but actually it isn't. I'll change the d 149 but actually it isn't. I'll change the documentation instead of 150 changing the source code. 150 changing the source code. 151 151 152 Also, checking for pid = -1 was missing. 152 Also, checking for pid = -1 was missing. This error was fixed. 153 153 154 Fix 2006/02/09 154 Fix 2006/02/09 155 155 156 @ Use mutex_lock()/mutex_unlock instead of 156 @ Use mutex_lock()/mutex_unlock instead of down()/up(). 157 157 158 Kernel 2.6.16 changed members of "struct 158 Kernel 2.6.16 changed members of "struct inode". 159 I modified to use mutex_lock()/mutex_unl 159 I modified to use mutex_lock()/mutex_unlock() for after 2.6.16 160 and down()/up() for before 2.6.16. 160 and down()/up() for before 2.6.16. 161 161 162 Version 1.0.2 2006/02/14 Many bug-fixes rele 162 Version 1.0.2 2006/02/14 Many bug-fixes release. 
163 163 164 Fix 2006/02/21 164 Fix 2006/02/21 165 165 166 @ Divide generic-write permission into ind 166 @ Divide generic-write permission into individual write permissions. 167 167 168 Write permission was divided into the fo 168 Write permission was divided into the following permissions. 169 169 170 'mkdir' for creating directory. 170 'mkdir' for creating directory. 171 'rmdir' for deleting directory. 171 'rmdir' for deleting directory. 172 'create' for creating regular file. 172 'create' for creating regular file. 173 'unlink' for deleting non-directory. 173 'unlink' for deleting non-directory. 174 'mksock' for creating UNIX domain soc 174 'mksock' for creating UNIX domain socket. 175 'mkfifo' for creating FIFO. 175 'mkfifo' for creating FIFO. 176 'mkchar' for creating character devic 176 'mkchar' for creating character device. 177 'mkblock' for creating block device. 177 'mkblock' for creating block device. 178 'link' for creating hard link. 178 'link' for creating hard link. 179 'symlink' for creating symbolic link. 179 'symlink' for creating symbolic link. 180 'rename' for renaming directory or no 180 'rename' for renaming directory or non-directory. 181 'truncate' for truncating regular file. 181 'truncate' for truncating regular file. 182 182 183 The permission check for opening files i 183 The permission check for opening files is done using 184 conventional read/write/execute permissi 184 conventional read/write/execute permission. 185 185 186 @ Add /proc/ccs/info/mapping. 186 @ Add /proc/ccs/info/mapping. 187 187 188 I added /proc/ccs/info/mapping so that t 188 I added /proc/ccs/info/mapping so that the userland programs 189 can know the mapping of individual write 189 can know the mapping of individual write permissions. 190 190 191 Fix 2006/02/27 191 Fix 2006/02/27 192 192 193 @ Fix handling of trailing '\*' in PathMat 193 @ Fix handling of trailing '\*' in PathMatchesToPattern(). 
194 194 195 PathMatchesToPattern("/tmp/", "/tmp/\*") 195 PathMatchesToPattern("/tmp/", "/tmp/\*") returned true 196 because "\*" matches "zero or more repet 196 because "\*" matches "zero or more repetitions of characters 197 until '/' or end". But since this is a c 197 until '/' or end". But since this is a comparison between 198 directory and non-directory, this should 198 directory and non-directory, this should not match. 199 199 200 This behavior causes the following secur 200 This behavior causes the following security risks. 201 In enforce mode, allowing "2 /tmp/\*" gr 201 In enforce mode, allowing "2 /tmp/\*" grants 202 "mkdir /tmp/" and "rmdir /tmp/" which sh 202 "mkdir /tmp/" and "rmdir /tmp/" which should be 203 granted only when "2 /tmp/" is allowed. 203 granted only when "2 /tmp/" is allowed. 204 In accept mode, "mkdir /tmp/" or "rmdir 204 In accept mode, "mkdir /tmp/" or "rmdir /tmp/" appends 205 "2 /tmp/\*" into the domain policy if "f 205 "2 /tmp/\*" into the domain policy if "file_pattern /tmp/\*" 206 is in the exception policy. 206 is in the exception policy. 207 207 208 I changed not to ignore trailing '\*' in 208 I changed not to ignore trailing '\*' in the pattern 209 if pathname ends with '/'. 209 if pathname ends with '/'. 210 210 211 Fix 2006/03/01 211 Fix 2006/03/01 212 212 213 @ Add missing spinlock in GetAbsolutePath( 213 @ Add missing spinlock in GetAbsolutePath(). 214 214 215 vfsmount_lock was missing. 215 vfsmount_lock was missing. 216 216 217 Fix 2006/03/08 217 Fix 2006/03/08 218 218 219 @ Add support for "shared subtree" mount o 219 @ Add support for "shared subtree" mount operations. 220 220 221 Kernel 2.6.15 introduced "shared subtree 221 Kernel 2.6.15 introduced "shared subtree" functionality. 222 But CheckMountPermission() couldn't reco 222 But CheckMountPermission() couldn't recognize flags for 223 do_change_type(). 223 do_change_type(). 224 224 225 @ Add support for more mount flags. 225 @ Add support for more mount flags. 
226 226 227 atime/noatime, diratime/nodiratime, recu 227 atime/noatime, diratime/nodiratime, recurse/norecurse flags 228 are supported. 228 are supported. 229 229 230 Fix 2006/03/20 230 Fix 2006/03/20 231 231 232 @ Check port numbers for only AF_INET/AF_I 232 @ Check port numbers for only AF_INET/AF_INET6. 233 233 234 CheckBindEntry() and CheckConnectEntry() 234 CheckBindEntry() and CheckConnectEntry() should check port numbers 235 only when the given address family is ei 235 only when the given address family is either AF_INET or AF_INET6, 236 for address family such as AF_UNSPEC cou 236 for address family such as AF_UNSPEC could be passed to bind() 237 and connect() for PF_INET/PF_INET6 socke 237 and connect() for PF_INET/PF_INET6 sockets. 238 238 239 Fix 2006/03/27 239 Fix 2006/03/27 240 240 241 @ Use /proc/self/ rather than /proc/\$/ fo 241 @ Use /proc/self/ rather than /proc/\$/ for current process. 242 242 243 GetAbsolutePath() now uses "self" instea 243 GetAbsolutePath() now uses "self" instead of pid 244 if current process refers to information 244 if current process refers to information related to itself. 245 This exception violates the rule "TOMOYO 245 This exception violates the rule "TOMOYO Linux's pathnames don't 246 contain symbolic links before the last ' 246 contain symbolic links before the last '/'", but I think it worth 247 to do so. The following are the merits g 247 to do so. The following are the merits gained by this exception. 248 248 249 Prevent administrators from granting red 249 Prevent administrators from granting redundant permissions 250 when a process needs to refer to only cu 250 when a process needs to refer to only current process's information. 251 251 252 Allow administrators make current proces 252 Allow administrators make current process's information always 253 readable using 'allow_read' directive. 253 readable using 'allow_read' directive. 
254 254 255 Version 1.1 2006/04/01 Functionality enhan 255 Version 1.1 2006/04/01 Functionality enhancement release. 256 256 257 Fix 2006/04/03 257 Fix 2006/04/03 258 258 259 @ Use queue instead of fixed sized array f 259 @ Use queue instead of fixed sized array for audit log. 260 260 261 WriteAuditLog() now uses queue to save s 261 WriteAuditLog() now uses queue to save statically allocated memory. 262 Administrators can give any size for aud 262 Administrators can give any size for audit logs at runtime. 263 263 264 @ Use kzalloc() instead of kmalloc() + mem 264 @ Use kzalloc() instead of kmalloc() + memset(). 265 265 266 kmalloc() + memset() were replaced with 266 kmalloc() + memset() were replaced with kzalloc(). 267 267 268 Fix 2006/04/04 268 Fix 2006/04/04 269 269 270 @ Support "delayed enforcing" mode. 270 @ Support "delayed enforcing" mode. 271 271 272 Until now, access request was immediatel 272 Until now, access request was immediately rejected 273 if policy doesn't allow that access and 273 if policy doesn't allow that access and the system is 274 running in enforce mode. 274 running in enforce mode. 275 Sometimes, especially after updating sof 275 Sometimes, especially after updating softwares, 276 some unexpected access requests arise fr 276 some unexpected access requests arise from proper procedure. 277 Such access requests should be granted b 277 Such access requests should be granted because 278 they are not caused by malicious attacks 278 they are not caused by malicious attacks. 279 So I introduced a mechanism to allow adm 279 So I introduced a mechanism to allow administrator some grace 280 to decide to grant or reject such access 280 to decide to grant or reject such access requests. 281 This mechanism is implemented in the fol 281 This mechanism is implemented in the following manner. 282 "Don't return immediately if permissio 282 "Don't return immediately if permission denied." 
283 "Sleep for a while waiting administrat 283 "Sleep for a while waiting administrator's decision." 284 "Return successfully if administrator 284 "Return successfully if administrator tells to do so." 285 285 286 Fix 2006/04/12 286 Fix 2006/04/12 287 287 288 @ Fix handling of prefix in GetAbsolutePat 288 @ Fix handling of prefix in GetAbsolutePath(). 289 289 290 Some objects doesn't have prefix "/". 290 Some objects doesn't have prefix "/". 291 Pipe has prefix "pipe:" and socket has p 291 Pipe has prefix "pipe:" and socket has prefix "socket:". 292 GetAbsolutePath() couldn't handle prefix 292 GetAbsolutePath() couldn't handle prefixes other than '/' properly. 293 293 294 @ Remove IsCorrectPath() checks for File A 294 @ Remove IsCorrectPath() checks for File Access Control functions. 295 295 296 File Access Control functions accepted o 296 File Access Control functions accepted only pathnames that start 297 with '/' because these functions assumed 297 with '/' because these functions assumed pathnames returned by 298 GetAbsolutePath() always start with '/'. 298 GetAbsolutePath() always start with '/'. 299 However, I found a program that opens an 299 However, I found a program that opens an unnamed pipe via 300 (probably) /proc/PID/fd/ directory. (You 300 (probably) /proc/PID/fd/ directory. (You can see entries like 301 "pipe:[number]" if you run "ls -l /proc/ 301 "pipe:[number]" if you run "ls -l /proc/*/fd/".) 302 Now, File Access Control functions have 302 Now, File Access Control functions have to accept pathnames 303 that don't start with '/'. So, I stopped 303 that don't start with '/'. So, I stopped checking IsCorrectPath(). 304 304 305 Fix 2006/04/19 305 Fix 2006/04/19 306 306 307 @ Fix handling of NULL nameidata in vfs_op 307 @ Fix handling of NULL nameidata in vfs_open(). 308 308 309 In 2.6 kernels, NFS daemon and sys_mq_op 309 In 2.6 kernels, NFS daemon and sys_mq_open() call 310 vfs_create() with NULL nameidata. 
In suc 310 vfs_create() with NULL nameidata. In such cases, 311 CheckSingleWritePermission() must not be 311 CheckSingleWritePermission() must not be called. 312 312 313 Version 1.1.1 2006/05/15 Functionality enhan 313 Version 1.1.1 2006/05/15 Functionality enhancement release. 314 314 315 Fix 2006/05/16 315 Fix 2006/05/16 316 316 317 @ Support program files aggregation. 317 @ Support program files aggregation. 318 318 319 Until now, programs that have no fixed n 319 Until now, programs that have no fixed names and their 320 parent programs had to be run in a trust 320 parent programs had to be run in a trusted domain 321 since it is impossible to use patterns f 321 since it is impossible to use patterns for granting 322 execute permission and defining domains. 322 execute permission and defining domains. 323 I introduced a mechanism to aggregate si 323 I introduced a mechanism to aggregate similar programs 324 using 'aggregator' directive. 324 using 'aggregator' directive. 325 Some examples: 325 Some examples: 326 326 327 'aggregator /tmp/logrotate.\?\?\?\?\?\ 327 'aggregator /tmp/logrotate.\?\?\?\?\?\? /tmp/logrotate.tmp' 328 to run all temporary programs for logr 328 to run all temporary programs for logrotate as /tmp/logrotate.tmp 329 329 330 'aggregator /usr/bin/tac /bin/cat' 330 'aggregator /usr/bin/tac /bin/cat' 331 to run /usr/bin/tac and /bin/cat as /b 331 to run /usr/bin/tac and /bin/cat as /bin/cat 332 332 333 Fix 2006/05/18 333 Fix 2006/05/18 334 334 335 @ Unlimit max count for audit log. 335 @ Unlimit max count for audit log. 336 336 337 I forgot to replace MAX_GRANT_LOG and MA 337 I forgot to replace MAX_GRANT_LOG and MAX_REJECT_LOG with INT_MAX 338 so that administrators can give any size 338 so that administrators can give any size for audit logs at runtime. 339 339 340 Fix 2006/05/22 340 Fix 2006/05/22 341 341 342 @ Support individual domain ACL removal. 342 @ Support individual domain ACL removal. 
343 343 344 Until now, to remove ACLs from a domain, 344 Until now, to remove ACLs from a domain, administrator had to 345 once delete and recreate that domain, wh 345 once delete and recreate that domain, which wastes a lot of memory. 346 I introduced a mechanism to remove domai 346 I introduced a mechanism to remove domain ACL without deleting and 347 recreating domains. 347 recreating domains. 348 Administrator can delete domains or remo 348 Administrator can delete domains or remove ACLs from domains 349 via /proc/ccs/policy/domain_policy . 349 via /proc/ccs/policy/domain_policy . 350 /proc/ccs/policy/delete_domain and /proc 350 /proc/ccs/policy/delete_domain and /proc/ccs/policy/update_domain 351 were removed. 351 were removed. 352 352 353 Fix 2006/05/30 353 Fix 2006/05/30 354 354 355 @ Add missing spinlock in SAKURA_MayMount( 355 @ Add missing spinlock in SAKURA_MayMount(). 356 356 357 vfsmount_lock was missing. 357 vfsmount_lock was missing. 358 358 359 Version 1.1.2 2006/06/02 Functionality enhan 359 Version 1.1.2 2006/06/02 Functionality enhancement release. 360 360 361 Fix 2006/06/13 361 Fix 2006/06/13 362 362 363 @ Merge tomoyo_connect.c and tomoyo_bind.c 363 @ Merge tomoyo_connect.c and tomoyo_bind.c into tomoyo_port.c 364 364 365 I merged these files that have only diff 365 I merged these files that have only difference CONNECT and BIND, 366 that are likely to be enabled both or ne 366 that are likely to be enabled both or neither. 367 367 368 @ Add CONFIG_TOMOYO_AUDIT option. 368 @ Add CONFIG_TOMOYO_AUDIT option. 369 369 370 I made auditing functions as optional be 370 I made auditing functions as optional because some Linux boxes 371 may have not enough disk space to store 371 may have not enough disk space to store audit logs. 372 372 373 Fix 2006/06/15 373 Fix 2006/06/15 374 374 375 @ Support use of symbolic links for progra 375 @ Support use of symbolic links for program execution. 
376 376 377 Until now, domains for programs executed 377 Until now, domains for programs executed by dereferencing 378 symbolic links were defined using derefe 378 symbolic links were defined using dereferenced pathnames. 379 This was inconvenient for some Linux box 379 This was inconvenient for some Linux boxes who use busybox but 380 can't keep hard links of busybox. 380 can't keep hard links of busybox. 381 I introduced a mechanism to allow using 381 I introduced a mechanism to allow using pathnames of 382 symbolic links using 'alias' directive. 382 symbolic links using 'alias' directive. 383 Some examples: 383 Some examples: 384 384 385 'alias /sbin/busybox /bin/ls' to run / 385 'alias /sbin/busybox /bin/ls' to run /bin/ls 386 (which is a symbolic link to /sbin/bus 386 (which is a symbolic link to /sbin/busybox) as /bin/ls 387 if /bin/ls is executed. 387 if /bin/ls is executed. 388 388 389 'alias /bin/bash /bin/sh' to run /bin/ 389 'alias /bin/bash /bin/sh' to run /bin/sh 390 (which is a symbolic link to /bin/bash 390 (which is a symbolic link to /bin/bash) as /bin/sh 391 if /bin/sh is executed. 391 if /bin/sh is executed. 392 392 393 Fix 2006/06/21 393 Fix 2006/06/21 394 394 395 @ Use ccs_alloc() instead of kzalloc(). 395 @ Use ccs_alloc() instead of kzalloc(). 396 396 397 To detect memory leaks, 397 To detect memory leaks, 398 I added a wrapper for tracing kmalloc() 398 I added a wrapper for tracing kmalloc() and kfree(). 399 There is no way to detect memory leaks c 399 There is no way to detect memory leaks caused by ccs-*.txt . 400 400 401 Version 1.1.3 2006/07/13 Functionality enhan 401 Version 1.1.3 2006/07/13 Functionality enhancement release. 402 402 403 Fix 2006/07/14 403 Fix 2006/07/14 404 404 405 @ Change behavior of pathname pattern matc 405 @ Change behavior of pathname pattern matching. 
406 406 407 Until now, it was impossible to use patt 407 Until now, it was impossible to use patterns like "\*.txt" because 408 "\*" matched zero or more repetitions of 408 "\*" matched zero or more repetitions of characters until next '/'. 409 Now, "\*" matches zero or more repetitio 409 Now, "\*" matches zero or more repetitions of characters. 410 410 411 Until now, it was impossible to use patt 411 Until now, it was impossible to use patterns like "\$00" 412 because "\$" matched one or more repetit 412 because "\$" matched one or more repetitions of digits until next 413 non digit character. 413 non digit character. 414 Now, "\$" matches one or more repetition 414 Now, "\$" matches one or more repetitions of digits. 415 415 416 Also, new patterns "\x" "\X" "\a" "\A" " 416 Also, new patterns "\x" "\X" "\a" "\A" "\@" are added. 417 417 418 Fix 2006/07/21 418 Fix 2006/07/21 419 419 420 @ Add CONFIG_TOMOYO_NETWORK option. 420 @ Add CONFIG_TOMOYO_NETWORK option. 421 421 422 Until now, only port numbers for TCP and 422 Until now, only port numbers for TCP and UDP were controllable. 423 Now, the combination of IPv4/IPv6 addres 423 Now, the combination of IPv4/IPv6 address and port numbers 424 for TCP and UDP is controllable. 424 for TCP and UDP is controllable. 425 CONFIG_TOMOYO_NETWORKPORT became obsolet 425 CONFIG_TOMOYO_NETWORKPORT became obsolete. 426 426 427 Fix 2006/07/25 427 Fix 2006/07/25 428 428 429 @ Change matching rule for CheckFileACL(). 429 @ Change matching rule for CheckFileACL(). 430 430 431 Until now, only first entry that matched 431 Until now, only first entry that matched the requested pathname 432 was used for permission checking. For ex 432 was used for permission checking. 
For example, two entries 433 433 434 "2 /tmp/file-\$.txt" 434 "2 /tmp/file-\$.txt" 435 "4 /tmp/fil\?-0.txt" 435 "4 /tmp/fil\?-0.txt" 436 436 437 are given in this order and requested pa 437 are given in this order and requested pathname is "/tmp/file-0.txt", 438 the "2 /tmp/file-\$.txt" is used. But if 438 the "2 /tmp/file-\$.txt" is used. But if two entries 439 439 440 "4 /tmp/fil\?-0.txt" 440 "4 /tmp/fil\?-0.txt" 441 "2 /tmp/file-\$.txt" 441 "2 /tmp/file-\$.txt" 442 442 443 are given in this order, the "4 /tmp/fil 443 are given in this order, the "4 /tmp/fil\?-0.txt" is used. 444 This may potentially cause trouble becau 444 This may potentially cause trouble because the result of 445 permission checks depends on the order o 445 permission checks depends on the order of entries. 446 446 447 Now, all entries that matched the reques 447 Now, all entries that matched the requested pathname 448 are used for permission checking so that 448 are used for permission checking so that the result of 449 permission checks doesn't depend on the 449 permission checks doesn't depend on the order of entries. 450 450 451 Fix 2006/07/27 451 Fix 2006/07/27 452 452 453 @ Support RAW IPv4/IPv6 control. 453 @ Support RAW IPv4/IPv6 control. 454 454 455 Some programs such as 'ping' and 'tracer 455 Some programs such as 'ping' and 'traceroute' use raw IP socket. 456 Now, the combination of IPv4/IPv6 addres 456 Now, the combination of IPv4/IPv6 address and protocol numbers 457 for IP is controllable. 457 for IP is controllable. 458 458 459 Fix 2006/08/04 459 Fix 2006/08/04 460 460 461 @ Add filename and argv[0] comparison chec 461 @ Add filename and argv[0] comparison check. 462 462 463 The domain transition was done based on 463 The domain transition was done based on filename passed to do_execve(), 464 while the behavior was defined based on 464 while the behavior was defined based on argv[0]. 
465 There is no problem if the filename is a 465 There is no problem if the filename is argv[0]-unaware application. 466 But if argv[0]-aware, access control byp 466 But if argv[0]-aware, access control bypassing happens if the process 467 transits to trusted domain but behaves a 467 transits to trusted domain but behaves as different program. 468 For example, when the administrator spec 468 For example, when the administrator specifies domain for /bin/ls as 469 trusted but both /bin/ls and /bin/cat ar 469 trusted but both /bin/ls and /bin/cat are links to /sbin/busybox , 470 a cracker can run /bin/cat in a trusted 470 a cracker can run /bin/cat in a trusted domain if the cracker 471 succeeds to invoke do_execve() with file 471 succeeds to invoke do_execve() with filename = "/bin/ls" and 472 argv[0] = "/bin/cat". 472 argv[0] = "/bin/cat". 473 473 474 I introduced a directive that permits th 474 I introduced a directive that permits the mismatch of 475 basename of filename and argv[0]. 475 basename of filename and argv[0]. 476 476 477 Fix 2006/08/10 477 Fix 2006/08/10 478 478 479 @ Support ID based condition checks. 479 @ Support ID based condition checks. 480 480 481 It was impossible to use process id (uid 481 It was impossible to use process id (uid and gid and so on) for 482 checking individual domain ACL. 482 checking individual domain ACL. 483 483 484 Now it became possible to use process id 484 Now it became possible to use process id for checking individual 485 domain ACL. For example, 485 domain ACL. 
For example, 486 486 487 "1 /bin/sh if task.euid!=0" 487 "1 /bin/sh if task.euid!=0" 488 488 489 allows the domain to execute /bin/sh onl 489 allows the domain to execute /bin/sh only when the process's euid 490 is not 0, and 490 is not 0, and 491 491 492 "6 /home/\*/\* if task.uid=path1.uid" 492 "6 /home/\*/\* if task.uid=path1.uid" 493 493 494 allows the domain to read-write user's h 494 allows the domain to read-write user's home directory 495 only when the file's owner matches the p 495 only when the file's owner matches the process's uid. 496 496 497 Fix 2006/08/22 497 Fix 2006/08/22 498 498 499 @ Fix ROUNDUP() in fs/realpath.c . 499 @ Fix ROUNDUP() in fs/realpath.c . 500 500 501 Alignment using sizeof(int) may be inapp 501 Alignment using sizeof(int) may be inappropriate for 64bit environment. 502 I changed to use the larger size of 'voi 502 I changed to use the larger size of 'void *' and 'long' 503 instead of 'int'. 503 instead of 'int'. 504 For environment where sizeof(int) = size 504 For environment where sizeof(int) = sizeof(long) = sizeof(void *), 505 this change has no effect. 505 this change has no effect. 506 506 507 Version 1.2 2006/09/03 Functionality enhan 507 Version 1.2 2006/09/03 Functionality enhancement release. 508 508 509 Fix 2006/09/30 509 Fix 2006/09/30 510 510 511 @ Fix CheckFilePerm() in fs/tomoyo_file.c 511 @ Fix CheckFilePerm() in fs/tomoyo_file.c . 512 512 513 The location to call path_release() was 513 The location to call path_release() was too early. 514 514 515 Fix 2006/10/02 515 Fix 2006/10/02 516 516 517 @ Support per-domain profile. 517 @ Support per-domain profile. 518 518 519 It became possible to assign different p 519 It became possible to assign different profiles for different domains. 520 This will help administrators using buil 520 This will help administrators using building up approach. 521 521 522 Fix 2006/10/05 522 Fix 2006/10/05 523 523 524 @ Change parameters for CheckFilePerm(). 
Fix 2006/10/05

@ Change parameters for CheckFilePerm().

I was re-resolving pathnames inside CheckFilePerm() even though
the caller function had already resolved them.
So I changed it to pass dentry and vfsmount instead of the pathname,
and removed the changes made on 2006/09/30.

Fix 2006/10/06

@ Support deny_rewrite and allow_rewrite permission.

It became possible to make regular files append-only
using the "deny_rewrite" directive in the exception policy and
to override it using the "allow_rewrite" directive in the domain policy.

Regular files specified using the "deny_rewrite" directive
can't be open()ed with O_TRUNC or without O_APPEND,
can't be truncate()ed or ftruncate()ed,
can't have the O_APPEND flag turned off using fcntl(F_SETFL)
unless specified using the "allow_rewrite" directive.

Fix 2006/10/12

@ Enable configuration options by default for kernel config.

CONFIG_SAKURA and CONFIG_TOMOYO are now 'y' by default
and CONFIG_SYAORAN is now 'm' by default.
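The append-only rules of the 2006/10/06 entry, as an added userland model that is not the patch's own code: check_rewrite() decides whether an open(), truncate()/ftruncate() or fcntl(F_SETFL) request would rewrite a file listed under deny_rewrite, and honours a per-domain allow_rewrite override. The in-memory policy table and the treatment of read-only opens as non-rewrites are assumptions of the example; the real patch reads exception and domain policy through /proc/ccs/.

```c
/* Added example, not the TOMOYO patch's own code: a userland model of the
 * deny_rewrite / allow_rewrite rules. The policy table is constructed in
 * memory; the real patch reads exception and domain policy via /proc/ccs/. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>

struct rewrite_policy {
    const char *deny_rewrite[4];   /* exception policy: append-only files, NULL-terminated */
    const char *allow_rewrite[4];  /* domain policy: files this domain may still rewrite */
};

enum rw_op { RW_OPEN, RW_TRUNCATE, RW_SETFL };

static int in_list(const char *const *list, const char *path)
{
    for (int i = 0; list[i]; i++)
        if (strcmp(list[i], path) == 0) return 1;
    return 0;
}

/* 1 if the request can destroy existing file contents. For RW_OPEN and
 * RW_SETFL, flags are the open()/F_SETFL flags; RW_TRUNCATE ignores them.
 * Treating a read-only open as harmless is an assumption of this model. */
static int is_rewrite(enum rw_op op, int flags)
{
    switch (op) {
    case RW_OPEN: {
        int writing = (flags & O_ACCMODE) != O_RDONLY;
        return (flags & O_TRUNC) != 0 || (writing && !(flags & O_APPEND));
    }
    case RW_TRUNCATE:
        return 1;                          /* truncate()/ftruncate() always rewrite */
    case RW_SETFL:
        return !(flags & O_APPEND);        /* clearing O_APPEND is a rewrite */
    }
    return 0;
}

/* 0 = permitted, -1 = denied: the file is under deny_rewrite, the request
 * would rewrite it, and the domain has no allow_rewrite for it. */
int check_rewrite(const struct rewrite_policy *pol, const char *path,
                  enum rw_op op, int flags)
{
    if (!is_rewrite(op, flags)) return 0;
    if (!in_list(pol->deny_rewrite, path)) return 0;
    if (in_list(pol->allow_rewrite, path)) return 0;
    return -1;
}

int main(void)
{
    /* Constructed policy: /var/log/messages is append-only, no domain override. */
    struct rewrite_policy pol = { { "/var/log/messages", NULL }, { NULL } };
    printf("open(O_WRONLY|O_APPEND): %d\n",
           check_rewrite(&pol, "/var/log/messages", RW_OPEN, O_WRONLY | O_APPEND));
    printf("open(O_WRONLY|O_TRUNC):  %d\n",
           check_rewrite(&pol, "/var/log/messages", RW_OPEN, O_WRONLY | O_TRUNC));
    printf("fcntl(F_SETFL, 0):       %d\n",
           check_rewrite(&pol, "/var/log/messages", RW_SETFL, 0));
    return 0;
}
```

The F_SETFL case is the one that is easy to forget when implementing append-only semantics: a descriptor opened with O_APPEND can have the flag cleared afterwards, so the hook on open() alone is not enough.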
Fix 2006/10/13

@ Use external policy loader.

Until now, policies were loaded when /sbin/init starts and
initial control levels were switched using the CCS= parameter.
But since some boxes have to fixate kernel command line options
at compilation time, I think it will become more flexible
to run an external policy loader using the init= parameter so that
initial control levels can be specified before /sbin/init starts.

Call panic() if initial control levels are not specified.

Fix 2006/10/16

@ Add missing parameter in FindNextDomain().

'struct file' was needed for allowing 'if path1.*' checks.

Fix 2006/10/23

@ Print error messages in CheckFlags().

Some users seem to have trouble picking up all necessary
entries for the configuration file of the SYAORAN filesystem
since makesyaoranconf can't pick up entries that are
nonexistent at the time.
I added error messages so that users can find missing entries
using dmesg.

Fix 2006/10/24

@ Change /proc/ccs/info/self_domain .

I changed /proc/ccs/info/self_domain to return
the domain at open time rather than at first read time.
This modification makes shell redirection usage
more convenient since redirection opens the file
but doesn't read it at that time.

'cat < /proc/ccs/info/self_domain' will return
the domain of the shell, and
'cat /proc/ccs/info/self_domain' will return
the domain of cat .

Fix 2006/11/06

@ Replace MAX_ENFORCE_GRACE with ALLOW_ENFORCE_GRACE.

Since it was inconvenient that requests that are waiting for
the supervisor's decision were rejected automatically when
MAX_ENFORCE_GRACE seconds had elapsed, I modified WriteAnswer() to
reset the timeout counter whenever a supervisor's decision is written
and I modified ccs-queryd to write a dummy decision every second
so that the requests won't be rejected automatically as long as
ccs-queryd is running.
This change made MAX_ENFORCE_GRACE's meaning boolean.
So I fixated MAX_ENFORCE_GRACE to 10 seconds and removed the
MAX_ENFORCE_GRACE parameter.
To allow administrators to selectively enable "delayed enforcing"
mode, I added the ALLOW_ENFORCE_GRACE parameter.
The behavior of "delayed enforcing" mode is defined
in the following order.

(1) The requests are rejected immediately if ALLOW_ENFORCE_GRACE=0.
(2) The requests are rejected immediately
if nobody is opening the /proc/ccs/policy/query interface.
(3) The requests won't be rejected automatically
if ALLOW_ENFORCE_GRACE=1 and ccs-queryd is running.
(4) The requests will be rejected in 10 seconds
if somebody other than ccs-queryd (such as less(1)) is
opening the /proc/ccs/policy/query interface, because
such a process doesn't write dummy decisions.

Version 1.3 2006/11/11 First anniversary release.

Fix 2006/11/13

@ Replace trust_domain with keep_domain.

Since it was troublesome that there were two elements that can disable MAC
(assigning a profile that doesn't enable MAC or registering domains
with the trust_domain directive), I removed the trust_domain directive.
Instead, I introduced the keep_domain directive to not transit domains
unless a program registered with the initializer directive is executed.
This change has the following advantages.

(1) Allows the administrator to use "enforce mode" for operations after login.
Since it was difficult to know what commands and files are invoked
and accessed in what sequences beforehand, we had to use the trust_domain
directive for such domains, allowing users to invoke any commands and
access any files in any sequence.
But now, we can use the keep_domain directive and assign a profile for
"enforce mode" to such a domain, forcing users to invoke only allowed
commands and access only allowed files in any sequence
while these operations are kept under the control of "enforce mode".

(2) Allows the administrator to determine easily whether the domain is
under MAC or not because only the profile currently assigned to
the domain determines it.

(3) Saves the total number of domains and memory.

Fix 2006/11/22

@ Don't allow use of undefined profiles.

To avoid assigning undefined profiles to domains by error,
I added checks before assigning profiles to domains.
Now, profiles have to be defined prior to assigning them to domains.

Version 1.3.1 2006/12/08 Minor update release.

Fix 2006/12/10

@ Allow pathname grouping.

To reduce the labor of repeating '/\*' to allow access recursively,
I introduced a macro 'path_group' to group such pathnames.
For example, you had to give

4 /var/www/html/\*
4 /var/www/html/\*/\*
4 /var/www/html/\*/\*/\*
4 /var/www/html/\*/\*/\*/\*

but now, you can give just

4 @WEB-CONTENTS

if you give

path_group WEB-CONTENTS /var/www/html/\*
path_group WEB-CONTENTS /var/www/html/\*/\*
path_group WEB-CONTENTS /var/www/html/\*/\*/\*
path_group WEB-CONTENTS /var/www/html/\*/\*/\*/\*

in the exception policy.
This macro will also be useful when grouping different directories.

Fix 2006/12/15

@ Use structured pathnames instead of simple 'char *'.

To reduce the cost of strcmp(), I changed the return value of
SaveName() from 'const char *' to 'const struct path_info *'.
This change will speed up the PathMatchesToPattern() comparison.

Fix 2006/12/19

@ Allow registering policy managers using domainnames.

It was difficult to restrict programs that can update policies
via /proc/ccs/ interfaces using the pathnames of these programs, for
these programs could be unintendedly invoked.
Now, it became possible to restrict domains that can update policies
via /proc/ccs/ interfaces as well as programs.
By restricting using domainnames, it becomes easier to avoid
unintended invocation.

Fix 2006/12/22

@ Add initialize_domain, no_initialize_domain, no_keep_domain.

To control domain transitions more strictly,
the initialize_domain, no_initialize_domain and no_keep_domain directives
were introduced.

"initialize_domain /some/program" means
jump to the "<kernel> /some/program" domain if /some/program is
called from any domain.
This is equivalent to the conventional "initializer /some/program".

"initialize_domain /some/program from some_domain" means
jump to the "<kernel> /some/program" domain only if /some/program is
called from the "some_domain" domain.

"no_initialize_domain /some/program" means
don't jump to the "<kernel> /some/program" domain even if
"initialize_domain /some/program" or
"initialize_domain /some/program from some_domain" are given,
if /some/program is called from any domain.

"no_initialize_domain /some/program from some_domain" means
don't jump to the "<kernel> /some/program" domain even if
"initialize_domain /some/program" or
"initialize_domain /some/program from some_domain" are given,
if /some/program is called from the "some_domain" domain.

"keep_domain some_domain" means don't jump to a child domain
if any program is called from the "some_domain" domain.

"keep_domain /some/program from some_domain" means
don't jump to a child domain only if /some/program is
called from the "some_domain" domain.

"no_keep_domain some_domain" means
jump to a child domain even if
"keep_domain some_domain" or
"keep_domain /some/program from some_domain" are given,
if any program is called from the "some_domain" domain.

"no_keep_domain /some/program from some_domain" means
jump to a child domain even if
"keep_domain some_domain" or
"keep_domain /some/program from some_domain" are given,
if /some/program is called from the "some_domain" domain.

"some_domain" can be just the last component of a domainname.
For example, giving "/bin/mail" as "some_domain" matches
all domains whose domainname ends with "/bin/mail".
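The transition rules above, as an added example that is not the patch's own code: next_domain() applies the initialize_domain / no_initialize_domain / keep_domain / no_keep_domain directives to a (domain, program) pair. The evaluation order (an initialize_domain match, unless cancelled by no_initialize_domain, wins over keep_domain; no_keep_domain cancels keep_domain; otherwise the child domain is formed by appending the program) and the rule that a bare "some_domain" matches a whole domainname or its last space-separated component are my reading of the entry, and the exception policy used is constructed for the example.

```c
/* Added example, not the TOMOYO patch's own code: resolve the domain a
 * process enters on execve() from the exception-policy directives of the
 * 2006/12/22 entry. Evaluation order and suffix matching are assumptions
 * described in the lead-in. */
#include <stdio.h>
#include <string.h>

struct directive {
    const char *kind;     /* initialize_domain, no_initialize_domain,
                             keep_domain, no_keep_domain */
    const char *program;  /* NULL for the "keep_domain some_domain" forms */
    const char *from;     /* the "from some_domain" part, NULL if absent */
};

/* "some_domain" is either a whole domainname or its last component. */
int domain_matches(const char *domain, const char *pattern)
{
    size_t dl = strlen(domain), pl = strlen(pattern);
    if (dl == pl) return strcmp(domain, pattern) == 0;
    return dl > pl && domain[dl - pl - 1] == ' ' &&
           strcmp(domain + dl - pl, pattern) == 0;
}

static int applies(const struct directive *d, const char *kind,
                   const char *domain, const char *program)
{
    if (strcmp(d->kind, kind) != 0) return 0;
    if (d->program && strcmp(d->program, program) != 0) return 0;
    if (d->from && !domain_matches(domain, d->from)) return 0;
    return 1;
}

static int any(const struct directive *dirs, size_t n, const char *kind,
               const char *domain, const char *program)
{
    for (size_t i = 0; i < n; i++)
        if (applies(&dirs[i], kind, domain, program)) return 1;
    return 0;
}

/* Write the next domain for `domain` executing `program` into out. */
void next_domain(const struct directive *dirs, size_t n, const char *domain,
                 const char *program, char *out, size_t outlen)
{
    /* initialize_domain wins over keep_domain unless no_initialize_domain cancels it */
    if (any(dirs, n, "initialize_domain", domain, program) &&
        !any(dirs, n, "no_initialize_domain", domain, program)) {
        snprintf(out, outlen, "<kernel> %s", program);
        return;
    }
    /* keep_domain holds the process in its domain unless no_keep_domain cancels it */
    if (any(dirs, n, "keep_domain", domain, program) &&
        !any(dirs, n, "no_keep_domain", domain, program)) {
        snprintf(out, outlen, "%s", domain);
        return;
    }
    snprintf(out, outlen, "%s %s", domain, program);   /* ordinary child domain */
}

/* Constructed exception policy for the example. */
static const struct directive policy[] = {
    { "initialize_domain", "/usr/sbin/sshd",  NULL },
    { "initialize_domain", "/usr/bin/passwd", "/bin/bash" },
    { "keep_domain",       NULL,              "/bin/bash" },
    { "no_keep_domain",    "/usr/bin/sudo",   "/bin/bash" },
};
#define NPOLICY (sizeof policy / sizeof policy[0])

int main(void)
{
    static const char *const steps[][2] = {
        { "<kernel> /sbin/init",               "/usr/sbin/sshd" },
        { "<kernel> /usr/sbin/sshd",           "/bin/bash" },
        { "<kernel> /usr/sbin/sshd /bin/bash", "/bin/ls" },
        { "<kernel> /usr/sbin/sshd /bin/bash", "/usr/bin/sudo" },
        { "<kernel> /usr/sbin/sshd /bin/bash", "/usr/bin/passwd" },
    };
    char next[256];
    for (size_t i = 0; i < sizeof steps / sizeof steps[0]; i++) {
        next_domain(policy, NPOLICY, steps[i][0], steps[i][1], next, sizeof next);
        printf("%s exec %s -> %s\n", steps[i][0], steps[i][1], next);
    }
    return 0;
}
```

With this policy a login shell under sshd stays in its own domain for ordinary commands (so one enforce-mode profile covers them all), but sudo and passwd still get domains of their own, which is the point of pairing keep_domain with no_keep_domain and initialize_domain.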
Fix 2007/01/19

@ Allow reuse of memory allocated for domain policy.

Unlike other policies, domain policy didn't have an
"is_deleted" flag, and new memory was allocated
if the deleted entries were given again.
To allow administrators to switch domain policy periodically,
I introduced the "is_deleted" flag.

Writing "some_domain" to /proc/ccs/policy/domain_policy
creates "some_domain" using new memory if it didn't exist.

Writing "select some_domain" doesn't create "some_domain"
if it didn't exist.

Writing "delete some_domain" deletes "some_domain"
but does not delete entries in "some_domain".

Writing "undelete some_domain" undeletes "some_domain"
if it was deleted by "delete some_domain".

Fix 2007/01/22

@ Allow getting already deleted pathnames.

To allow getting pathnames that are already deleted,
I removed the (IS_ROOT(dentry) || !d_unhashed(dentry)) check.

Fix 2007/01/26

@ Limit string length to 4000.

I was using PAGE_SIZE (4096 in many environments)
as the max length of any string data.
But for environments that have a larger PAGE_SIZE,
doing memset(ptr, 0, PAGE_SIZE) every time is too wasteful.

Fix 2007/01/29

@ Add garbage collector for domain policy.

Writing "some_domain" to /proc/ccs/policy/domain_policy
creates "some_domain" using new memory only if
some process is staying in that deleted domain.
If no process is staying in that deleted domain,
"some_domain" is undeleted with all its ACLs deleted.

Version 1.3.2 2007/02/14 Usability enhancement release.

Fix 2007/02/20

@ Allow address grouping.

To reduce the labor of repeating similar IPv4/IPv6 addresses,
I introduced a macro 'address_group' to group such addresses.
For example, you had to give

allow_network TCP accept 10.0.0.0-10.255.255.255 1024-65535
allow_network TCP accept 172.16.0.0-172.31.255.255 1024-65535
allow_network TCP accept 192.168.0.0-192.168.255.255 1024-65535

but now, you can give just

allow_network TCP accept @localnet 1024-65535

if you give

address_group localnet 10.0.0.0-10.255.255.255
address_group localnet 172.16.0.0-172.31.255.255
address_group localnet 192.168.0.0-192.168.255.255

in the exception policy.

Fix 2007/03/03

@ Remove obsolete functions.

@ Add some hooks.

The read permission check is done if open_exec()
is called from search_binary_handler().
The read permission check is not done if open_exec()
is called from do_execve(); instead,
the execute permission check is done at
search_binary_handler_with_transition().

I moved the location of calling CheckCapabilityACL()
and CheckMountPermission() from sys_mount() to do_mount().

Fix 2007/03/07

@ Use 'unsigned int' for sscanf().

I compiled SYAORAN fs on an x86_64 environment and found
the compiler showing warning messages about the size of data types.
Since the size of data types may mismatch for sscanf(),
I replaced some types with 'unsigned int'.

Version 1.4 2007/04/01 x86_64 support release.

Fix 2007/04/18

@ Change argv[0] checking rule.

I was comparing the basename of the symbolic link's pathname and argv[0].
Since the execute permission check and domain transition are done
based on the realpath while the argv[0] check was done based on the symlink's
pathname and argv[0], this specification would allow attackers to behave
as /bin/cat in the domain of /bin/ls if "/bin/ls and /bin/cat are
links to /sbin/busybox" and "the attacker is permitted to create
a symlink named ~/cat that points to /bin/ls" and "the attacker is
permitted to run /bin/ls".
So, I changed it to compare the basename of the realpath and argv[0].
Also, I moved the location of the comparison to before processing
the "aggregator" directive so that
"aggregator /tmp/logrotate.\?\?\?\?\?\? /tmp/logrotate.tmp"
won't cause a mismatch of the basename of the realpath and argv[0].

If /bin/ls is a symlink to /sbin/busybox, then
creating a symlink named ~/cat that points to /bin/ls and
executing ~/cat won't work as expected because the permission check and
domain transition are done using /sbin/busybox (the realpath of /bin/ls)
and will be rejected since the administrator won't grant
"1 /sbin/busybox".
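The two argv[0] rules compared, as an added example that is not the patch's own code: a constructed symlink table stands in for the filesystem, with /bin/ls assumed to be a hard link to busybox (so its realpath is /bin/ls itself) and /home/eve/cat the symlink the attacker is permitted to create. argv0_ok_old() compares the basename of the pathname given to execve(); argv0_ok_new() compares the basename of the realpath, the same name the execute-permission check and domain transition are keyed on.

```c
/* Added example, not the TOMOYO patch's own code: the argv[0] check before
 * and after the 2007/04/18 change, against a constructed symlink table. */
#include <stdio.h>
#include <string.h>

/* Constructed symlink table standing in for the filesystem. /bin/ls is
 * assumed to be a hard link to busybox, so it resolves to itself. */
struct symlink { const char *link; const char *target; };
static const struct symlink links[] = {
    { "/home/eve/cat", "/bin/ls" },       /* created by the attacker */
    { "/usr/bin/vi",   "/usr/bin/vim" },
};

/* Follow symlinks the way realpath() would; NULL on a loop. */
const char *resolve_realpath(const char *path)
{
    for (int hops = 0; hops < 8; hops++) {
        int found = 0;
        for (size_t i = 0; i < sizeof links / sizeof links[0]; i++) {
            if (strcmp(links[i].link, path) == 0) {
                path = links[i].target;
                found = 1;
                break;
            }
        }
        if (!found) return path;           /* not a symlink: this is the realpath */
    }
    return NULL;
}

static const char *basename_of(const char *p)
{
    const char *s = strrchr(p, '/');
    return s ? s + 1 : p;
}

/* Rule before 2007/04/18: basename of the pathname passed to execve(). The
 * symlink name is attacker-controlled, so it tells nothing about the program. */
int argv0_ok_old(const char *filename, const char *argv0)
{
    return strcmp(basename_of(filename), basename_of(argv0)) == 0;
}

/* Rule after 2007/04/18: basename of the realpath, i.e. of the file the
 * execute-permission check and domain transition are actually keyed on. */
int argv0_ok_new(const char *filename, const char *argv0)
{
    const char *real = resolve_realpath(filename);
    return real != NULL && strcmp(basename_of(real), basename_of(argv0)) == 0;
}

int main(void)
{
    printf("old rule, ~/cat as \"cat\":        %d\n", argv0_ok_old("/home/eve/cat", "cat"));
    printf("new rule, ~/cat as \"cat\":        %d\n", argv0_ok_new("/home/eve/cat", "cat"));
    printf("new rule, ~/cat as \"ls\":         %d\n", argv0_ok_new("/home/eve/cat", "ls"));
    printf("new rule, /bin/ls as \"/bin/cat\": %d\n", argv0_ok_new("/bin/ls", "/bin/cat"));
    return 0;
}
```

Under the old rule the attacker's ~/cat passes the check (basename "cat" equals argv[0] "cat") while the permission check and domain transition see /bin/ls, so busybox runs as cat inside the domain granted for ls. The new rule compares against "ls" and rejects it; the only remaining way to run a binary under a different argv[0] is an explicit allow_argv0 entry.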
Fix 2007/05/07

@ Support pathname subtraction.

There was no way to exclude specific pathnames when granting
permissions using wildcards.
There would be a need to exclude specific files and directories.
I introduced "\-" as a subtraction operator.

"A\-B" means "A" other than "B".
"A\-B\-C" means "A" other than "B" and "C".
"A\-B\-C\-D" means "A" other than "B" and "C" and "D".

"A", "B", "C", "D" may contain wildcards.

An example usage is "/home/\*/\*\-.ssh/\*", which means
"/home/\*/\*/\*" other than "/home/\*/.ssh/\*".

"A" should contain wildcards because subtraction from constants
(e.g. "/usr\-usr/" or "/usr\-home/") is meaningless.

Don't try "A\-B\+C" because "\+" is not an addition operator.

Fix 2007/05/24

@ Fix autobind hook.

The location to call SAKURA_MayAutobind() in net/ipv4/udp.c
and net/ipv6/udp.c was wrong.

Fix 2007/06/03

@ Add a space in MakeMountOptions().

I forgot to add a space after "atime" and "noatime".

Version 1.4.1 2007/06/05 Minor update release.
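A matcher for the wildcard and subtraction syntax described in the entries above, added here as an example rather than taken from the patch. Patterns are matched component by component against the pathname: \* matches any run of characters inside one component, \? matches exactly one character, and a component pattern "A\-B\-C" matches A but neither B nor C. That \* does not cross a '/' (which is why the path_group entry earlier needs one line per directory depth) and the component-wise reading of \- are my interpretation of the text; the patch's own PathMatchesToPattern() is not reproduced.

```c
/* Added example, not the patch's own PathMatchesToPattern(): match a
 * pathname against a TOMOYO 1.x style pattern with \* , \? and the \-
 * subtraction operator, one '/'-separated component at a time. */
#include <stdio.h>
#include <string.h>

/* Match s against pattern text [pat, pat_end): \* = any run of characters,
 * \? = exactly one character, anything else is literal. */
static int wild_match(const char *pat, const char *pat_end, const char *s)
{
    while (pat < pat_end) {
        if (pat + 1 < pat_end && pat[0] == '\\' && pat[1] == '*') {
            pat += 2;
            for (const char *t = s; ; t++) {       /* try every suffix of s */
                if (wild_match(pat, pat_end, t)) return 1;
                if (*t == '\0') return 0;
            }
        }
        if (pat + 1 < pat_end && pat[0] == '\\' && pat[1] == '?') {
            if (*s == '\0') return 0;
            pat += 2; s++;
            continue;
        }
        if (*s == '\0' || *s != *pat) return 0;
        pat++; s++;
    }
    return *s == '\0';
}

/* Position of the next "\-" in [p, end), or end if there is none. */
static const char *find_minus(const char *p, const char *end)
{
    for (; p + 1 < end; p++)
        if (p[0] == '\\' && p[1] == '-') return p;
    return end;
}

/* Component pattern "A\-B\-C": must match A and must match none of B, C. */
static int component_match(const char *pat, const char *pat_end, const char *s)
{
    const char *m = find_minus(pat, pat_end);
    if (!wild_match(pat, m, s)) return 0;
    while (m < pat_end) {
        const char *start = m + 2, *next = find_minus(start, pat_end);
        if (wild_match(start, next, s)) return 0;
        m = next;
    }
    return 1;
}

/* 1 if path matches pattern. Both are split at '/', so \* never crosses a
 * directory boundary and the number of components must agree. */
int path_matches(const char *pattern, const char *path)
{
    for (;;) {
        const char *pe = strchr(pattern, '/'), *se = strchr(path, '/');
        if (!pe) pe = pattern + strlen(pattern);
        if (!se) se = path + strlen(path);
        char comp[256];
        size_t n = (size_t)(se - path);
        if (n >= sizeof comp) return 0;
        memcpy(comp, path, n);
        comp[n] = '\0';
        if (!component_match(pattern, pe, comp)) return 0;
        if (*pe == '\0' || *se == '\0') return *pe == *se;
        pattern = pe + 1;
        path = se + 1;
    }
}

int main(void)
{
    const char *pat = "/home/\\*/\\*\\-.ssh/\\*";   /* home files except under .ssh */
    printf("%s vs /home/alice/docs/notes.txt: %d\n", pat,
           path_matches(pat, "/home/alice/docs/notes.txt"));
    printf("%s vs /home/alice/.ssh/id_rsa: %d\n", pat,
           path_matches(pat, "/home/alice/.ssh/id_rsa"));
    printf("/home/\\*/\\* vs /home/alice/.ssh/id_rsa: %d\n",
           path_matches("/home/\\*/\\*", "/home/alice/.ssh/id_rsa"));
    return 0;
}
```

The "/usr\-usr/" case from the entry falls out of the same code: the constant component matches itself and is then subtracted, so the pattern matches nothing, which is why subtraction only makes sense when "A" carries a wildcard.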
927 927 928 Fix 2007/07/04 928 Fix 2007/07/04 929 929 930 @ Fix ReadAddressGroupPolicy() bug. 930 @ Fix ReadAddressGroupPolicy() bug. 931 931 932 ReadAddressGroupPolicy() fails if both " 932 ReadAddressGroupPolicy() fails if both "path_group" and "address_group" 933 are used because I forgot to set "head-> 933 are used because I forgot to set "head->read_var1 = NULL". 934 934 935 Fix 2007/07/10 935 Fix 2007/07/10 936 936 937 @ Add compat_sys_stime() hook. 937 @ Add compat_sys_stime() hook. 938 938 939 Some of 64bit kernels support compat_sys 939 Some of 64bit kernels support compat_sys_stime() 940 but permission check was missing. 940 but permission check was missing. 941 941 942 Version 1.4.2 2007/07/13 Bug fix release. 942 Version 1.4.2 2007/07/13 Bug fix release. 943 943 944 Fix 2007/08/06 944 Fix 2007/08/06 945 945 946 @ Remove mount-flags manipulation. 946 @ Remove mount-flags manipulation. 947 947 948 Until now, administrator is permitted to 948 Until now, administrator is permitted to turn on/off specific mount 949 options regardless of mount options pass 949 options regardless of mount options passed to kernel. 950 I removed this feature because "exact op 950 I removed this feature because "exact option matching" sounds better than 951 "automatic option enabler/disabler". 951 "automatic option enabler/disabler". 952 952 953 @ Remove /proc/ccs/info/mapping . 953 @ Remove /proc/ccs/info/mapping . 954 954 955 I removed /proc/ccs/info/mapping because 955 I removed /proc/ccs/info/mapping because nobody seems to use this 956 feature. 956 feature. 957 957 958 @ Call external policy loader automaticall 958 @ Call external policy loader automatically. 959 959 960 Until now, users had to add init=/.init 960 Until now, users had to add init=/.init parameter to load policy 961 before /sbin/init starts. 961 before /sbin/init starts. 
962 I inserted call_usermodehelper() to call 962 I inserted call_usermodehelper() to call external policy loader when 963 execve("/sbin/init") is requested and ex 963 execve("/sbin/init") is requested and external policy loader exists. 964 964 965 This change will remove init=/.init para 965 This change will remove init=/.init parameter from most environment, 966 although call_usermodehelper() can't han 966 although call_usermodehelper() can't handle interactive operations. 967 967 968 @ Move external policy loader from /.init 968 @ Move external policy loader from /.init to /sbin/ccs-init . 969 969 970 Installing programs in / directory is no 970 Installing programs in / directory is not good for packaging. 971 971 972 Fix 2007/08/13 972 Fix 2007/08/13 973 973 974 @ Update external policy loader. 974 @ Update external policy loader. 975 975 976 It turned out that /sbin/ccs-init invoke 976 It turned out that /sbin/ccs-init invoked via call_usermodehelper() 977 can handle interactive operations by ope 977 can handle interactive operations by opening /dev/console . 978 Now, there is no difference between init 978 Now, there is no difference between init=/sbin/ccs-init and 979 call_usermodehelper("/sbin/ccs-init"), a 979 call_usermodehelper("/sbin/ccs-init"), and users no longer need to 980 add init=/sbin/ccs-init parameter to loa 980 add init=/sbin/ccs-init parameter to load policy before /sbin/init 981 starts. 981 starts. 982 982 983 Fix 2007/08/14 983 Fix 2007/08/14 984 984 985 @ Update recvmsg() hooks. 985 @ Update recvmsg() hooks. 986 986 987 Until now, it was impossible to apply ne 987 Until now, it was impossible to apply network access control for 988 incoming UDP and RAW packets if they are 988 incoming UDP and RAW packets if they are brought to userland using 989 read() or recvmsg() with NULL address be 989 read() or recvmsg() with NULL address because address buffer is NULL. 
990 I moved hooks from sock_recvmsg() to skb 990 I moved hooks from sock_recvmsg() to skb_recv_datagram() so that 991 network access control for incoming UDP 991 network access control for incoming UDP and RAW packets always work. 992 992 993 Fix 2007/08/16 993 Fix 2007/08/16 994 994 995 @ Return appropriate error code for CheckM 995 @ Return appropriate error code for CheckMountPermission(). 996 996 997 I was returning -EPERM if something is w 997 I was returning -EPERM if something is wrong with CheckMountPermission(). 998 But SELinux determines whether selinuxfs 998 But SELinux determines whether selinuxfs is supported by kernel 999 based on whether error code is -ENODEV o 999 based on whether error code is -ENODEV or not. 1000 So I stopped returning -EPERM unconditi 1000 So I stopped returning -EPERM unconditionally. 1001 1001 1002 Fix 2007/08/17 1002 Fix 2007/08/17 1003 1003 1004 @ Remove initializer directive. 1004 @ Remove initializer directive. 1005 1005 1006 Use "initialize_domain" instead of "ini 1006 Use "initialize_domain" instead of "initializer". 1007 1007 1008 Fix 2007/08/21 1008 Fix 2007/08/21 1009 1009 1010 @ Fix "allow_argv0 ... if if ..." bug. 1010 @ Fix "allow_argv0 ... if if ..." bug. 1011 1011 1012 It was impossible to use a word "if" to 1012 It was impossible to use a word "if" to the second argument of 1013 allow_argv0 if condition part is used. 1013 allow_argv0 if condition part is used. 1014 1014 1015 Fix 2007/08/24 1015 Fix 2007/08/24 1016 1016 1017 @ Move /proc/ccs/\*/\* to /proc/ccs/\* . 1017 @ Move /proc/ccs/\*/\* to /proc/ccs/\* . 1018 1018 1019 Some pathnames for /proc/ccs/ interface 1019 Some pathnames for /proc/ccs/ interface were changed. 1020 1020 1021 Fix 2007/09/05 1021 Fix 2007/09/05 1022 1022 1023 @ Drop MSG_PEEK'ed message before skb_fre 1023 @ Drop MSG_PEEK'ed message before skb_free_datagram(). 
      I need to remove the head message from an unwanted source
      from the socket's receive queue so that the caller can pick up
      the next message from a wanted source with the MSG_PEEK flag.

Version 1.5.0 2007/09/20 Usability enhancement release.

Fix 2007/09/27

    @ Avoid eating memory after quota exceeded.

      Although ACL entries in a domain won't be added if the domain's quota
      has been exceeded, SaveName() in AddFileACL() is called anyway.
      This caused unneeded memory consumption.

      Now, quota checking is done before getting the domain_acl_lock lock.
      This may exceed the quota by one or two entries, but that won't matter.

Fix 2007/10/16

    @ Add environment variable check.

      There are environment variables that may cause dangerous behavior,
      like LD_* .
      So I introduced the 'allow_env' directive, which allows the specified
      environment variable to be inherited by the next domain.
      Unlike other permissions, this check is done at execve() time
      using the next domain's ACL information.
      To manage commonly inherited environment variables like PATH ,
      you can use the 'allow_env' directive in exception policy
      to globally grant the specified environment variable.

Fix 2007/11/05

    @ Replace semaphore with mutex.

      I replaced semaphore with mutex.

    @ Add missing down() in AddReservedEntry().

      Mutex debugging capability told me that I had forgotten to call down()
      since TOMOYO version 1.3.2 .
      This function is not called by learning mode,
      so the semaphore's counter will not overflow for normal usage.

Fix 2005/11/27

    @ Fix ReadTable() truncation bug.

      "snprintf(str, size, format, ...) >= size" means truncated.
      But I was checking for "snprintf(str, size, format, ...) > size".
      As a result, some entries might be dumped without '\n'.

    @ Purge direct "->prev"/"->next" manipulation.

      All list manipulations use "struct list_head" or "struct list1_head".
      "struct list1_head" doesn't have a "->prev" member, to save memory usage.

Fix 2007/11/29

    @ Add missing semaphore in GetEXE().
      mm->mmap_sem was missing.

Fix 2007/12/17

    @ Remove unused EXPORT_SYMBOL().

      Mark some functions static.

Fix 2007/12/18

    @ Fix AddMountACL() rejection bug.

      To my surprise, "mount --bind source dest" accepts
      not only "both source and dest are directories"
      but also "both source and dest are non-directories".
      I was rejecting if dest is not a directory in AddMountACL().

    @ Change log format.

      Profile number and mode are added in audit logs.

Fix 2008/01/03

    @ Change directive for file's read/write/execute permission.

      Directives for file's read/write/execute permissions were
      4/2/1 respectively. But for easier understanding, they are now
      replaced by read/write/execute (e.g. "allow_read" instead of "4").
      But for easier inputting, 4/2/1 are still accepted instead of
      allow_read/allow_write/allow_execute respectively.

    @ Change internal data structure.
      Since I don't have more than 16 types of file permissions,
      I combined them using bit-fields.

      Each entry had a field for conditional permission support.
      But since this field is unlikely to be used, I separated the field from
      the common part.

      These changes will reduce memory used by policy.

Fix 2008/01/15

    @ Add ptrace() hook.

      To prevent attackers from controlling important processes using
      ptrace(), I added a hook for ptrace().
      Most programs (except strace(1) and gdb(1)) won't use ptrace(2).

    @ Fix sleep condition check in CheckSocketRecvDatagramPermission().

      It seems that the correct method to use is in_atomic()
      rather than in_interrupt(), because in_atomic() returns nonzero
      whenever scheduling is not allowed.

Fix 2008/02/05

    @ Use find_task_by_vpid() instead of find_task_by_pid().

      Kernel 2.6.24 introduced PID namespaces.
      To search a PID given from userland, the kernel needs to use
      find_task_by_vpid() instead of find_task_by_pid().
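The ReadTable() truncation bug from Fix 2005/11/27 above, demonstrated in userspace as an added example (this is not code from the TOMOYO patch): dump_table() appends '\n'-terminated entries to a fixed buffer the way the ChangeLog describes, and the use_buggy_check flag switches between the pre-fix "> size" test and the correct ">= size" test. The entry strings, the buffer size and the function names are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Append entries[0..n) to buf, each terminated by '\n', stopping at the
 * first entry that does not fit completely; returns the number of entries
 * written in full. snprintf() returns the length the whole output would
 * have had, so when ret == remaining the terminating NUL has displaced the
 * final character, which here is the '\n'. The correct truncation test is
 * therefore "ret >= remaining"; use_buggy_check selects the pre-fix
 * "ret > remaining" test so the failure mode can be observed.
 */
size_t dump_table(char *buf, size_t size, const char *const *entries,
                  size_t n, bool use_buggy_check)
{
    size_t used = 0, written = 0;

    if (size == 0)
        return 0;
    buf[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        size_t remaining = size - used;
        int ret = snprintf(buf + used, remaining, "%s\n", entries[i]);
        bool truncated;

        if (ret < 0)
            break;
        truncated = use_buggy_check ? (size_t)ret > remaining
                                    : (size_t)ret >= remaining;
        if (truncated) {
            buf[used] = '\0';   /* drop the partial entry; a caller would retry with a bigger buffer */
            break;
        }
        used += (size_t)ret;
        written++;
    }
    return written;
}

/* True if buf is empty or its last entry ends with '\n' (nothing was cut short). */
bool all_entries_terminated(const char *buf)
{
    size_t len = strlen(buf);
    return len == 0 || buf[len - 1] == '\n';
}

int main(void)
{
    /* Constructed entries: the second entry plus its '\n' is exactly the
     * 10 bytes left after the first, so the NUL displaces the '\n'. */
    const char *entries[] = { "allow_read /a", "deny /abc" };
    char buf[24];
    size_t n;

    n = dump_table(buf, sizeof buf, entries, 2, false);
    printf("correct check: %zu entries, terminated=%d\n", n, all_entries_terminated(buf));
    n = dump_table(buf, sizeof buf, entries, 2, true);
    printf("buggy check:   %zu entries, terminated=%d\n", n, all_entries_terminated(buf));
    return 0;
}
```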
Fix 2008/02/14

    @ Add execve() parameter checking.

      Until now, it was impossible to check the argv[] and envp[] parameters
      passed to execve().
      I expanded the conditional permission syntax so that the
      { argc, envc, argv[] , envp[] } parameters can be checked if needed.
      This allows the administrator to permit execution of /bin/sh only when
      /bin/sh is invoked in the form of "/bin/sh -c" and the environment
      variable HOME is set, by specifying

        allow_execute /bin/sh if exec.argv[1]="-c" exec.envp["HOME"]!=NULL

      in the policy.
      This extension will make it difficult for exploit codes to start /bin/sh
      because they are unlikely to set up environment variables and unlikely
      to specify the "-c" option when invoking /bin/sh , whereas proper
      functions are likely to set up environment variables and likely to
      specify the "-c" option.

Fix 2008/02/18

    @ Add process state checking.

      Until now, it was impossible to change ACL without executing a program.
      I added three variables for performing stateful checking within a domain.
      You can set the current process's state like:

        allow_network TCP accept @TRUSTED_HOSTS 1024-65535 ; set task.state[0]=1
        allow_network TCP accept @UNTRUSTED_HOSTS 1024-65535 ; set task.state[0]=0

      and you can use the state like

        allow_read /path/to/important/file if task.state[0]=1

      in the policy.
      The state changes when the request was granted by the MAC's policy,
      so please be careful with situations where the state has changed
      successfully but the request was not processed because of other reasons
      (e.g. out of memory).

Fix 2008/02/26

    @ Support /proc/ccs/ access by non-root user.

      Until now, only the root user could access the /proc/ccs/ interface.
      But to permit /proc/ccs/ access by a non-root user, so that it won't
      require ssh login by the root user when administrating from a remote host,
      I made the "(current->uid == 0 && current->euid == 0)" requirement optional.
      If this requirement is disabled, only "conventional DAC permission
      checks" and "/proc/ccs/manager checks" are used.

Fix 2008/02/29

    @ Add sleep_on_violation feature.
      Some exploit codes (e.g. trans2open for Samba) continue running
      until they achieve the purpose of the exploit code (e.g. invoke /bin/sh).

      If such code is injected due to a buffer overflow but the kernel
      rejects the request, it triggers an infinite "Permission denied" loop.
      As a result, the CPU usage becomes 100% and gives bad effects to
      the rest of the processes.
      This is a side effect of rejecting the request from the exploit code
      which wouldn't happen if the request from the exploit code was granted.

      To avoid such CPU consumption, I added a penalty that forcibly
      sleeps for a specified period when a request is rejected.

      This penalty doesn't work if the exploit code does nothing but
      continue running, but I think most exploit code's purpose is
      to start some program rather than to slow down the target system.

    @ Add alt_exec feature.

      Since TOMOYO Linux's approach is "know all essential requests in advance
      and create policy that permits only them", you can regard anomalous
      requests as attacks (if you want to do so).
      Common MAC implementations merely reject requests that violate policy.
      But I added a special handler for execve() to TOMOYO Linux.

      This handler is triggered when a process requested to execute a program
      but the request was rejected by the policy.
      This handler executes a program specified by the administrator
      instead of the program requested by the process.

      Most attackers attempt to execute /bin/sh to start something malicious.
      Attackers execute an exploit code using a buffer overflow vulnerability
      to steal control of a process. But this handler can get back control
      if an exploit code requests execve() that is not permitted by policy.

      By default, this handler does nothing (i.e. merely rejects the execve()
      request). You can specify any program to start what you want to do.

      You can redirect attackers to somewhere else (e.g. a honey pot).
      This makes it possible for your Linux box to act as an on-demand honey pot
      while keeping regular services for your usage.

      You can collect information on the attacker (e.g. IP address) and
      update the firewall configuration.
      You can silently terminate a process that requested execve()
      that is not permitted by policy.

Fix 2008/03/03

    @ Add "force_alt_exec" directive.

      To be able to fully utilize the "alt_exec" feature,
      I added the "force_alt_exec" directive so that
      all execute requests are replaced by the execute request of a program
      specified by the alt_exec feature.

      If this directive is specified for a domain, the domain no longer
      executes any programs regardless of the mode of file access control
      (i.e. the domain won't execute even if MAC_FOR_FILE=0 ).
      Instead, the domain executes the program specified by the alt_exec feature,
      and the program specified by the alt_exec feature validates the execute
      request and executes it if it is appropriate to execute.

      If you can tolerate that there is no chance to return an error code
      to the caller to tell that the execute request was rejected,
      this is a more flexible approach than in-kernel execve() parameter
      checking because we can do argv[] and envp[] checking easily.

Fix 2008/03/04

    @ Use string for access control mode.
      An integer expression for access control mode sometimes confuses
      administrators because the profile number is also an integer expression.
      To avoid confusion between profile number and access control mode,
      I introduced a string expression for access control mode.

      Modes which take an integer between 0 and 3:

        0 -> disabled
        1 -> learning
        2 -> permissive
        3 -> enforcing

      Modes which take 0 or 1:

        0 -> disabled
        1 -> enabled

Fix 2008/03/10

    @ Rename "force_alt_exec" directive to "execute_handler".

      To be able to use different programs for validating execve() parameters,
      I moved the location to specify the program's pathname from profile
      to domain policy.

      The "execute_handler" directive takes one pathname which is
      invoked whenever an execve() request is issued. Thus, any "allow_execute"
      directives in a domain with "execute_handler" are ignored.
      This directive is designed for validating expected/desirable execve()
      requests in userspace, although there is no way to tell the caller
      that the execve() request was rejected.

    @ Rename "alt_exec" directive to "denied_execute_handler".

      The "denied_execute_handler" directive takes one pathname which is
      invoked only when an execve() request was rejected. In other words,
      this program is invoked only when the following conditions are met.

        (1) None of the "allow_execute" directives in the domain matched.
        (2) The execve() request was rejected in enforcing mode.
        (3) The "execute_handler" directive is not used by the domain.

      This directive is designed for handling unexpected/undesirable execve()
      requests, to redirect the process issuing such requests to somewhere.

Fix 2008/03/18

    @ Fix wrong/redundant locks in pre-vfs functions.

      lock_kernel()/unlock_kernel() in pre_vfs_rename() were redundant for
      2.6 kernels.

      Locking order in pre_vfs_link() and pre_vfs_unlink() for 2.4 kernels
      after 2.4.33 was different from before 2.4.32 .
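The argv[]/envp[] check that Fix 2008/02/14 above adds to the conditional permission syntax, and that an "execute_handler" program would repeat in userspace, modelled as an added example (not TOMOYO's own code): it evaluates the quoted rule allow_execute /bin/sh if exec.argv[1]="-c" exec.envp["HOME"]!=NULL against an execve() request. The struct representation of conditions, the treatment of an argv[] index beyond argc as NULL, the function names and the sample requests are assumptions made for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One execve() request as the hook sees it: pathname plus argv[]/envp[]. */
struct exec_request {
    const char *path;
    int argc;
    const char *const *argv;
    int envc;
    const char *const *envp;
};

/* exec.argv[i]="v", exec.argv[i]!="v", exec.envp["N"]="v", exec.envp["N"]!="v" */
enum cond_kind { COND_ARGV_EQ, COND_ARGV_NE, COND_ENVP_EQ, COND_ENVP_NE };
struct condition {
    enum cond_kind kind;
    int index;         /* argv[] index, used by COND_ARGV_* */
    const char *name;  /* variable name, used by COND_ENVP_* */
    const char *value; /* NULL models the policy's NULL ("not present") */
};

/* allow_execute <path> if <cond> <cond> ...: every condition must hold. */
struct allow_execute {
    const char *path;
    const struct condition *conds;
    size_t ncond;
};

/* Value of envp["name"], or NULL when no "name=..." entry exists. */
static const char *envp_lookup(const struct exec_request *req, const char *name)
{
    size_t len = strlen(name);

    for (int i = 0; i < req->envc; i++) {
        const char *e = req->envp[i];
        if (strncmp(e, name, len) == 0 && e[len] == '=')
            return e + len + 1;
    }
    return NULL;
}

/* NULL equals only NULL, so envp["HOME"]!=NULL means "HOME is set". */
static bool str_eq(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return a == b;
    return strcmp(a, b) == 0;
}

static bool condition_holds(const struct condition *c, const struct exec_request *req)
{
    const char *actual; bool eq;

    if (c->kind == COND_ARGV_EQ || c->kind == COND_ARGV_NE)
        /* Assumption: an index beyond argc behaves like an absent value. */
        actual = (c->index >= 0 && c->index < req->argc) ? req->argv[c->index] : NULL;
    else
        actual = envp_lookup(req, c->name);
    eq = str_eq(actual, c->value);
    return (c->kind == COND_ARGV_EQ || c->kind == COND_ENVP_EQ) ? eq : !eq;
}

bool allow_execute_matches(const struct allow_execute *rule, const struct exec_request *req)
{
    if (strcmp(rule->path, req->path) != 0)
        return false;
    for (size_t i = 0; i < rule->ncond; i++)
        if (!condition_holds(&rule->conds[i], req))
            return false;
    return true;
}

/* The rule quoted in the entry above:
 *   allow_execute /bin/sh if exec.argv[1]="-c" exec.envp["HOME"]!=NULL */
static const struct condition sh_conds[] = {
    { COND_ARGV_EQ, 1, NULL, "-c" },
    { COND_ENVP_NE, 0, "HOME", NULL },
};
const struct allow_execute sh_rule = { "/bin/sh", sh_conds, 2 };

/* Would sh_rule permit this execve("/bin/sh", argv, envp) request? */
bool sh_request_allowed(int argc, const char *const *argv, int envc, const char *const *envp)
{
    struct exec_request req = { "/bin/sh", argc, argv, envc, envp };
    return allow_execute_matches(&sh_rule, &req);
}

int main(void)
{
    /* Constructed requests: a system(3)-style call, one without "-c", one without HOME. */
    const char *argv_c[] = { "/bin/sh", "-c", "ls" }, *argv_bare[] = { "/bin/sh" };
    const char *env_home[] = { "HOME=/root", "PATH=/bin" }, *env_nohome[] = { "PATH=/bin" };

    printf("%d %d %d\n", sh_request_allowed(3, argv_c, 2, env_home),
           sh_request_allowed(1, argv_bare, 2, env_home),
           sh_request_allowed(3, argv_c, 1, env_nohome));   /* prints 1 0 0 */
    return 0;
}
```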
Fix 2008/03/28

    @ Disable execute handler loop.

      To be able to use "execute_handler" in a "keep_domain" domain,
      ignore the "execute_handler" and "denied_execute_handler" directives
      if the current process is executing programs specified by the
      "execute_handler" or "denied_execute_handler" directive.

      This exception is needed to avoid an infinite execute handler loop.
      If a domain has both "keep_domain" and "execute_handler",
      any execute request by that domain is handled by an execute handler,
      and the execute handler attempts to process the original execute request.
      But the original execute request is handled by the same execute handler
      unless the execute handler ignores "execute_handler".

    @ Update coding style.

      I rewrote the code to pass scripts/checkpatch.pl as much as possible.
      Function names were changed to use only lower-case letters.

Version 1.6.0 2008/04/01 Feature enhancement release.

Fix 2008/04/14

    @ Fix "Compilation failures" and "Initialization ordering bugs"
      with kernels before 2.4.30/2.6.11 .
      2.6 kernels before 2.6.9 didn't have include/linux/hardirq.h ,
      resulting in a compilation error at #include <linux/hardirq.h> .
      I added an #elif condition.

      CentOS 4.6's 2.6.9 kernel calls do_execve() before initialization of
      ccs_alloc(), resulting in a NULL pointer dereference.
      I changed __initcall to core_initcall.

      CentOS 4.6's 2.6.9 kernel backported kzalloc() from 2.6.14 ,
      resulting in a compilation error at kzalloc().
      I modified the prototype of kzalloc().

Fix 2008/04/20

    @ Fix "Compilation failures" with kernels before 2.4.30/2.6.11 .

      Turbolinux 10 Server's 2.6.8 kernel backported kzalloc() as an inlined
      function, resulting in a compilation error at kzalloc().
      I converted kzalloc() from an inlined function into a macro.

Fix 2008/04/21

    @ Add workaround for gcc 3.2.2's inline bug.
      RedHat Linux 9's gcc 3.2.2 generated bad code

        if ((var_of_u8 & 0x000000BF) & 0x80000000) { }

      where the expected code is

        if ((var_of_u8 & 0xBF) & 0x80) { }

      when embedding ccs_acl_type2() into print_entry(),
      resulting in a runtime BUG().
      I added the expected code explicitly as a workaround.

Fix 2008/05/06

    @ Add memory quota.

      1.5.x returns -ENOMEM when FindNextDomain() failed to create a new
      domain, but I forgot to return -ENOMEM when find_next_domain() failed to
      create a new domain.

      A domain is automatically created by find_next_domain() only if
      the domain for the requested program doesn't exist.
      This behavior is for the administrator's convenience.
      The administrator needn't know beforehand how many domains are needed
      for running all the programs in the system when developing the policy.
      But the administrator does not want the kernel to reject execution of the
      requested program when developing the policy.
      So, I think it is better to grant execution of programs even if
      find_next_domain() failed to create a new domain than to reject execution.
      Thus, I decided not to return -ENOMEM when find_next_domain() failed to
      create a new domain. This exception breaks the domain transition rules,
      so I print a "transition_failed" warning in /proc/ccs/domain_policy
      when this exception happens.

      Also, to prevent the system from being halted by unexpectedly allocating
      all kernel memory for the policy, I added a memory quota.
      This quota is configurable via /proc/ccs/meminfo like

        echo Shared: 1048576 > /proc/ccs/meminfo
        echo Private: 1048576 > /proc/ccs/meminfo

Version 1.6.1 2008/05/10 Bug fix release.

Fix 2008/06/04

    @ Check open mode of /proc/ccs/ interface.

      It turned out that I can avoid allocating memory for reading if
      FMODE_READ is not set and memory for writing if FMODE_WRITE is not set.

    @ Wait for completion of /sbin/ccs-init .
      Since the 2.4 kernel's call_usermodehelper() can't wait for termination of
      the executed program, I was using the close() request of
      /proc/ccs/meminfo to indicate that loading policy has finished.
      But since /proc/ccs/meminfo could be accessed for setting the memory quota
      by /etc/ccs/ccs-post-init , I stopped using the close() request.
      The policy loader no longer needs to access /proc/ccs/meminfo to notify
      the kernel that loading policy has finished.

Fix 2008/06/05

    @ Fix realpath for pipes and sockets.

      Kernel 2.6.22 and later use a different method for calculating d_path().
      Since fs/realpath.c didn't notice the change, the realpath of pipes
      appeared as "pipe:" rather than "pipe:[$]" when they are opened via
      the /proc/PID/fd/ directory.

    @ Add process's information into /proc/ccs/query .

      While /proc/ccs/grant_log and /proc/ccs/reject_log contain the process's
      information, /proc/ccs/query doesn't contain it.
      To be able to utilize ccs-queryd and ccs-notifyd more, I added it into
      /proc/ccs/query .
Fix 2008/06/10

    @ Allow using patterns for globally readable files.

      To allow users to specify locale-specific files as globally readable files,
      I relaxed the checking in update_globally_readable_entry().

Fix 2008/06/11

    @ Remove ALLOW_ENFORCE_GRACE parameter.

      Since unexpected requests caused by doing software updates can happen
      in all profiles, users likely have to write ALLOW_ENFORCE_GRACE=enabled
      to all profiles. And it makes it meaningless to allow users to selectively
      enable a specific profile's ALLOW_ENFORCE_GRACE parameter.
      So, I removed the ALLOW_ENFORCE_GRACE parameter.
      Now, the system behaves as if ALLOW_ENFORCE_GRACE=enabled is specified.
      The behavior of "delayed enforcing" mode is defined in the following
      order.

        (1) The requests are rejected immediately if nobody is opening
            the /proc/ccs/query interface.
        (2) The requests will be rejected in 10 seconds if somebody other than
            ccs-queryd (such as less(1)) is opening the /proc/ccs/query interface,
            for such a process doesn't write dummy decisions.
1486 1486 1487 Fix 2008/06/22 1487 Fix 2008/06/22 1488 1488 1489 @ Pass escaped pathname to audit_execute_ 1489 @ Pass escaped pathname to audit_execute_handler_log(). 1490 1490 1491 I was passing unescaped pathname to aud 1491 I was passing unescaped pathname to audit_execute_handler_log() 1492 which causes /proc/ccs/grant_log contai 1492 which causes /proc/ccs/grant_log contain whitespace characters 1493 if execute handler's pathname contains 1493 if execute handler's pathname contains whitespace characters. 1494 1494 1495 Fix 2008/06/25 1495 Fix 2008/06/25 1496 1496 1497 @ Return 0 when ccs_may_umount() succeeds 1497 @ Return 0 when ccs_may_umount() succeeds. 1498 1498 1499 I forgot to clear error value in ccs_ma 1499 I forgot to clear error value in ccs_may_umount() when the requested 1500 directory didn't match "deny_unmount" d 1500 directory didn't match "deny_unmount" directive. As a result, any umount() 1501 request with RESTRICT_UNMOUNT=enforcing 1501 request with RESTRICT_UNMOUNT=enforcing returned -EPERM error. 1502 1502 1503 Version 1.6.2 2008/06/25 Usability enhancem 1503 Version 1.6.2 2008/06/25 Usability enhancement release. 1504 1504 1505 Fix 2008/07/01 1505 Fix 2008/07/01 1506 1506 1507 @ Fix "Compilation failure" with 2.4.20 k 1507 @ Fix "Compilation failure" with 2.4.20 kernel. 1508 1508 1509 RedHat Linux 9's 2.4.20 kernel backport 1509 RedHat Linux 9's 2.4.20 kernel backported O(1) scheduler patch, 1510 resulting compilation error at ccs_load 1510 resulting compilation error at ccs_load_policy(). 1511 I added defined(TASK_DEAD) check. 1511 I added defined(TASK_DEAD) check. 1512 1512 1513 Fix 2008/07/08 1513 Fix 2008/07/08 1514 1514 1515 @ Don't check permissions if vfsmount is 1515 @ Don't check permissions if vfsmount is NULL. 1516 1516 1517 Some filesystems (e.g. unionfs) pass NU 1517 Some filesystems (e.g. unionfs) pass NULL vfsmount. 
1518 I changed fs/tomoyo_file.c not to try t 1518 I changed fs/tomoyo_file.c not to try to calculate pathnames 1519 if vfsmount is NULL. 1519 if vfsmount is NULL. 1520 1520 1521 Version 1.6.3 2008/07/15 Bug fix release. 1521 Version 1.6.3 2008/07/15 Bug fix release. 1522 1522 1523 Fix 2008/08/21 1523 Fix 2008/08/21 1524 1524 1525 @ Add workaround for gcc 4.3's bug. 1525 @ Add workaround for gcc 4.3's bug. 1526 1526 1527 In some environments, fs/tomoyo_network 1527 In some environments, fs/tomoyo_network.c could not be compiled 1528 because of gcc 4.3's bug. 1528 because of gcc 4.3's bug. 1529 I modified save_ipv6_address() to use " 1529 I modified save_ipv6_address() to use "integer literal" value 1530 instead for "static const u8" variable. 1530 instead for "static const u8" variable. 1531 1531 1532 @ Change prototypes of some functions. 1532 @ Change prototypes of some functions. 1533 1533 1534 To support 2.6.27 kernels, I replaced " 1534 To support 2.6.27 kernels, I replaced "struct nameidata" with 1535 "struct path" for some functions. 1535 "struct path" for some functions. 1536 1536 1537 @ Detect distributor specific patches aut 1537 @ Detect distributor specific patches automatically. 1538 1538 1539 Since kernels with AppArmor patch appli 1539 Since kernels with AppArmor patch applied is increasing, 1540 I introduced a mechanism which determin 1540 I introduced a mechanism which determines whether specific patches 1541 are applied or not, based on "#define" 1541 are applied or not, based on "#define" directives in the patches. 1542 1542 1543 Fix 2008/08/29 1543 Fix 2008/08/29 1544 1544 1545 @ Remove "-ccs" suffix from Makefile's EX 1545 @ Remove "-ccs" suffix from Makefile's EXTRAVERSION. 1546 1546 1547 To reduce conflicts on Makefile's EXTRA 1547 To reduce conflicts on Makefile's EXTRAVERSION, 1548 I removed "-ccs" suffix from ccs-patch- 1548 I removed "-ccs" suffix from ccs-patch-2.\*.diff . 
1549 Those who build kernels without using s 1549 Those who build kernels without using specs/build-\*.sh , 1550 please edit EXTRAVERSION tag manually s 1550 please edit EXTRAVERSION tag manually so that original kernels 1551 will not be overwritten by TOMOYO Linux 1551 will not be overwritten by TOMOYO Linux kernels. 1552 1552 1553 Version 1.6.4 2008/09/03 Minor update relea 1553 Version 1.6.4 2008/09/03 Minor update release. 1554 1554 1555 Fix 2008/09/09 1555 Fix 2008/09/09 1556 1556 1557 @ Add "try again" response to "delayed en 1557 @ Add "try again" response to "delayed enforcing" mode. 1558 1558 1559 To be able to handle pathname changes c 1559 To be able to handle pathname changes caused by software updates, 1560 "delayed enforcing" mode was introduced 1560 "delayed enforcing" mode was introduced. It allows administrator to 1561 grant access requests which are about t 1561 grant access requests which are about to be rejected by the kernel. 1562 1562 1563 To be able to handle pathname changes c 1563 To be able to handle pathname changes caused by software updates better, 1564 I introduced "try again" response. As " 1564 I introduced "try again" response. As "delayed enforcing" mode sleeps 1565 a process which violated policy, admini 1565 a process which violated policy, administrator can update policy while 1566 the process is sleeping. This "try agai 1566 the process is sleeping. This "try again" response allows administrator 1567 to restart policy checks from the begin 1567 to restart policy checks from the beginning after updating policy. 1568 1568 1569 Fix 2008/09/11 1569 Fix 2008/09/11 1570 1570 1571 @ Remember whether the process is allowed 1571 @ Remember whether the process is allowed to write to /proc/ccs/ interface. 1572 1572 1573 Since programs for manipulating policy 1573 Since programs for manipulating policy (e.g. 
ccs-queryd ) are installed 1574 in the form of RPM/DEB packages, these 1574 in the form of RPM/DEB packages, these programs lose the original 1575 pathnames when they are updated by the 1575 pathnames when they are updated by the package manager. The package 1576 manager renames these programs before d 1576 manager renames these programs before deleting these programs so that 1577 the package manager can rollback the op 1577 the package manager can rollback the operation. 1578 This causes a problem when the programs 1578 This causes a problem when the programs are listed into /proc/ccs/manager 1579 using pathnames, as the programs will n 1579 using pathnames, as the programs will no longer be allowed to write to 1580 /proc/ccs/ interface while the process 1580 /proc/ccs/ interface while the process of old version of the program is 1581 alive. 1581 alive. 1582 1582 1583 To solve this problem, I modified to re 1583 To solve this problem, I modified to remember the fact that the process 1584 is once allowed to write to /proc/ccs/ 1584 is once allowed to write to /proc/ccs/ interface until the process 1585 attempts to execute a different program 1585 attempts to execute a different program. 1586 This change makes it impossible to revo 1586 This change makes it impossible to revoke permission to write to 1587 /proc/ccs/ interface without killing th 1587 /proc/ccs/ interface without killing the process, but it will be better 1588 than nonfunctioning ccs-queryd program. 1588 than nonfunctioning ccs-queryd program. 1589 1589 1590 Fix 2008/09/19 1590 Fix 2008/09/19 1591 1591 1592 @ Allow selecting a domain by PID. 1592 @ Allow selecting a domain by PID. 
1593 1593 1594 Sometimes we want to know what ACLs are 1594 Sometimes we want to know what ACLs are given to specific PID, but 1595 finding a domainname for that PID from 1595 finding a domainname for that PID from /proc/ccs/.process_status and 1596 reading ACLs from /proc/ccs/domain_poli 1596 reading ACLs from /proc/ccs/domain_policy by the domainname is very slow. 1597 Thus, I modified /proc/ccs/domain_polic 1597 Thus, I modified /proc/ccs/domain_policy to allow selecting a domain by 1598 PID. For example, to read domain ACL of 1598 PID. For example, to read domain ACL of current process from bash, 1599 run as follows. 1599 run as follows. 1600 1600 1601 # exec 100<>/proc/ccs/domain_policy 1601 # exec 100<>/proc/ccs/domain_policy 1602 # echo select pid=$$ >&100 1602 # echo select pid=$$ >&100 1603 # while read -u 100; do echo $REPLY; do 1603 # while read -u 100; do echo $REPLY; done 1604 1604 1605 If a domain is once selected by PID, re 1605 If a domain is once selected by PID, reading /proc/ccs/domain_policy will 1606 print only that domain if that PID exis 1606 print only that domain if that PID exists or print nothing otherwise. 1607 1607 1608 @ Disallow concurrent /proc/ccs/ access u 1608 @ Disallow concurrent /proc/ccs/ access using the same file descriptor. 1609 1609 1610 Until now, one process can read() from 1610 Until now, one process can read() from /proc/ccs/ while other process 1611 that shares the file descriptor can wri 1611 that shares the file descriptor can write() to /proc/ccs/ . 1612 But to implement "Allow selecting a dom 1612 But to implement "Allow selecting a domain by PID" feature, I disabled 1613 concurrent read()/write() because the f 1613 concurrent read()/write() because the feature need to modify read buffer 1614 while writing. 1614 while writing. 1615 1615 1616 Fix 2008/10/01 1616 Fix 2008/10/01 1617 1617 1618 @ Add retry counter into /proc/ccs/query 1618 @ Add retry counter into /proc/ccs/query . 
1619 1619 1620 To be able to handle some of queries fr 1620 To be able to handle some of queries from /proc/ccs/query without user's 1621 interaction, I added retry counter for 1621 interaction, I added retry counter for avoiding infinite loop caused by 1622 "try again" response. 1622 "try again" response. 1623 1623 1624 Fix 2008/10/07 1624 Fix 2008/10/07 1625 1625 1626 @ Don't transit to new domain until do_ex 1626 @ Don't transit to new domain until do_execve() succeeds. 1627 1627 1628 Until now, a process's domain was updat 1628 Until now, a process's domain was updated to new domain which the process 1629 will belong to before do_execve() succe 1629 will belong to before do_execve() succeeds so that the kernel can do 1630 permission checks for interpreters and 1630 permission checks for interpreters and environment variables based on 1631 new domain. But this caused a subtle pr 1631 new domain. But this caused a subtle problem when other process sends 1632 signals to the process, for the process 1632 signals to the process, for the process returns to old domain if 1633 do_execve() failed. 1633 do_execve() failed. 1634 1634 1635 So, I modified to pass new domain to fu 1635 So, I modified to pass new domain to functions so that I can avoid 1636 modifying a process's domain before do_ 1636 modifying a process's domain before do_execve() succeeds. 1637 1637 1638 @ Use old task state for audit logs. 1638 @ Use old task state for audit logs. 1639 1639 1640 Until now, audit logs were generated us 1640 Until now, audit logs were generated using the task state after 1641 processing "; set task.state" part. But 1641 processing "; set task.state" part. But to generate accurate logs, 1642 I modified to save the task state befor 1642 I modified to save the task state before processing "; set task.state" 1643 part and use the saved state for audit 1643 part and use the saved state for audit logs. 1644 1644 1645 @ Use a structure for passing parameters. 
1645 @ Use a structure for passing parameters. 1646 1646 1647 As the number of parameters is increasi 1647 As the number of parameters is increasing, I modified to use a structure 1648 for passing parameters. 1648 for passing parameters. 1649 1649 1650 Fix 2008/10/11 1650 Fix 2008/10/11 1651 1651 1652 @ Remove domain_acl_lock mutex. 1652 @ Remove domain_acl_lock mutex. 1653 1653 1654 I noticed that I don't need to keep all 1654 I noticed that I don't need to keep all functions that modify an ACL of 1655 a domain mutually exclusive. Since each 1655 a domain mutually exclusive. Since each functions handles different type 1656 of ACL, locking is needed only when the 1656 of ACL, locking is needed only when they append an ACL to a domain. 1657 So, I modified to use local locks. 1657 So, I modified to use local locks. 1658 1658 1659 Fix 2008/10/14 1659 Fix 2008/10/14 1660 1660 1661 @ Fix ccs_check_condition() bug. 1661 @ Fix ccs_check_condition() bug. 1662 1662 1663 Due to a bug in ccs_check_condition(), 1663 Due to a bug in ccs_check_condition(), it was impossible to use 1664 task.state[0] task.state[1] task.state[ 1664 task.state[0] task.state[1] task.state[2] inside condition part 1665 if the ACL does not treat a pathname. F 1665 if the ACL does not treat a pathname. For example, an ACL like 1666 1666 1667 allow_network TCP connect @HTTP_SERVE 1667 allow_network TCP connect @HTTP_SERVERS 80 if task.state[0]=100 1668 1668 1669 didn't work. 1669 didn't work. 1670 1670 1671 Fix 2008/10/15 1671 Fix 2008/10/15 1672 1672 1673 @ Show process information in /proc/ccs/. 1673 @ Show process information in /proc/ccs/.process_status . 
1674 1674 1675 To be able to determine a process's typ 1675 To be able to determine a process's type, I added a command "info PID" 1676 which returns process information of th 1676 which returns process information of the specified PID in 1677 "PID manager=\* execute_handler=\* stat 1677 "PID manager=\* execute_handler=\* state[0]=\$ state[1]=\$ state[2]=\$" 1678 format. 1678 format. 1679 1679 1680 Fix 2008/10/20 1680 Fix 2008/10/20 1681 1681 1682 @ Use rcu_dereference() when walking the 1682 @ Use rcu_dereference() when walking the list. 1683 1683 1684 I was using "dependency ordering" for a 1684 I was using "dependency ordering" for appending an element to a list 1685 without asking the reader to take a loc 1685 without asking the reader to take a lock. But "dependency ordering" 1686 is not respected by DEC Alpha or by som 1686 is not respected by DEC Alpha or by some aggressive value-speculation 1687 compiler optimizations. 1687 compiler optimizations. 1688 1688 1689 On such environment, use of "dependency 1689 On such environment, use of "dependency ordering" can lead to system 1690 crash because the reader might read uni 1690 crash because the reader might read uninitialized value of newly 1691 appended element. 1691 appended element. 1692 1692 1693 To prevent the reader from reading unin 1693 To prevent the reader from reading uninitialized value of newly appended 1694 element, I inserted rcu_dereference() w 1694 element, I inserted rcu_dereference() when walking the list. 1695 1695 1696 Fix 2008/11/04 1696 Fix 2008/11/04 1697 1697 1698 @ Use sys_getpid() instead for current->p 1698 @ Use sys_getpid() instead for current->pid. 1699 1699 1700 Kernel 2.6.24 introduced PID namespace. 1700 Kernel 2.6.24 introduced PID namespace. 1701 1701 1702 To compare PID given from userland, I c 1702 To compare PID given from userland, I can't use current->pid. 1703 So, I modified to use sys_getpid() inst 1703 So, I modified to use sys_getpid() instead for current->pid. 
1704 1704 1705 I modified to use task_tgid_nr_ns() for 1705 I modified to use task_tgid_nr_ns() for 2.6.25 and later instead for 1706 current->tgid when checking /proc/self/ 1706 current->tgid when checking /proc/self/ in get_absolute_path(). 1707 1707 1708 Fix 2008/11/07 1708 Fix 2008/11/07 1709 1709 1710 @ Fix is_alphabet_char(). 1710 @ Fix is_alphabet_char(). 1711 1711 1712 is_alphabet_char() should match 'A' - ' 1712 is_alphabet_char() should match 'A' - 'Z' and 'a' - 'z', 1713 but was matching from 'A' - 'F' and 'a' 1713 but was matching from 'A' - 'F' and 'a' - 'f'. 1714 1714 1715 @ Add /proc/ccs/.execute_handler . 1715 @ Add /proc/ccs/.execute_handler . 1716 1716 1717 Process information became visible to u 1717 Process information became visible to userspace by 1718 "Show process information in /proc/ccs/ 1718 "Show process information in /proc/ccs/.process_status" feature. 1719 However, programs specified by execute_ 1719 However, programs specified by execute_handler directive may run as 1720 non root user, making it impossible to 1720 non root user, making it impossible to see process information. 1721 1721 1722 So, I added a new interface that allows 1722 So, I added a new interface that allows execute handler processes 1723 to see process information. The content 1723 to see process information. The content of /proc/ccs/.execute_handler is 1724 identical to /proc/ccs/.process_status 1724 identical to /proc/ccs/.process_status . 1725 1725 1726 Version 1.6.5 2008/11/11 Third anniversary 1726 Version 1.6.5 2008/11/11 Third anniversary release. 1727 1727 1728 Fix 2008/12/01 1728 Fix 2008/12/01 1729 1729 1730 @ Introduce "task.type=execute_handler" c 1730 @ Introduce "task.type=execute_handler" condition. 1731 1731 1732 The execute_handler directive is very v 1732 The execute_handler directive is very very powerful. You can use this 1733 directive to do anything you want to do 1733 directive to do anything you want to do (e.g. 
logging and validating and 1734 modifying command line parameters and e 1734 modifying command line parameters and environment variables, opening and 1735 closing and redirecting files, creating 1735 closing and redirecting files, creating pipes to implement antivirus and 1736 spam filtering, deploying a DMZ between 1736 spam filtering, deploying a DMZ between the ssh daemon and the login 1737 shells). 1737 shells). 1738 1738 1739 To be able to use this directive in a d 1739 To be able to use this directive in a domain with keep_domain directive 1740 while limiting access to resources need 1740 while limiting access to resources needed for such purposes to only 1741 programs invoked as an execute handler 1741 programs invoked as an execute handler process, I added a new condition. 1742 1742 1743 In learning mode, "if task.type=execute 1743 In learning mode, "if task.type=execute_handler" condition part will be 1744 automatically added for requests issued 1744 automatically added for requests issued by an execute_handler process. 1745 1745 1746 @ Introduce file's type and permissions a 1746 @ Introduce file's type and permissions as conditions. 1747 1747 1748 To be able to limit file types a proces 1748 To be able to limit file types a process can access, I added 1749 new conditions for checking file's type 1749 new conditions for checking file's type and permissions. 
1750 For example, 1750 For example, 1751 1751 1752 allow_read /etc/fstab if path1.type=f 1752 allow_read /etc/fstab if path1.type=file path1.perm=0644 1753 1753 1754 will allow opening /etc/fstab for readi 1754 will allow opening /etc/fstab for reading only if /etc/fstab is a regular 1755 file and it's permission is 0644, and 1755 file and it's permission is 0644, and 1756 1756 1757 allow_write /dev/null if path1.type=c 1757 allow_write /dev/null if path1.type=char path1.dev_major=1 path1.dev_minor=3 1758 1758 1759 will allow opening /dev/null for writin 1759 will allow opening /dev/null for writing only if /dev/null is a character 1760 device file with major=1 and minor=3 at 1760 device file with major=1 and minor=3 attributes. 1761 1761 1762 @ Add memory quota for temporary memory u 1762 @ Add memory quota for temporary memory used for auditing. 1763 1763 1764 Although there are MAX_GRANT_LOG and MA 1764 Although there are MAX_GRANT_LOG and MAX_REJECT_LOG parameters 1765 which limit the number of entries for a 1765 which limit the number of entries for audit logs so that we can avoid 1766 memory consumption by audit logs, it wo 1766 memory consumption by audit logs, it would be more convenient if we can 1767 also limit the size in bytes. 1767 also limit the size in bytes. 1768 Thus, I added a new quota line. 1768 Thus, I added a new quota line. 1769 1769 1770 echo Dynamic: 1048576 > /proc/ccs/mem 1770 echo Dynamic: 1048576 > /proc/ccs/meminfo 1771 1771 1772 This quota is not applied to temporary 1772 This quota is not applied to temporary memory used for permission checks. 1773 1773 1774 Fix 2008/12/09 1774 Fix 2008/12/09 1775 1775 1776 @ Fix ccs_can_save_audit_log() checks. 1776 @ Fix ccs_can_save_audit_log() checks. 
1777 1777 1778 Due to incorrect statement "if (ccs_can 1778 Due to incorrect statement "if (ccs_can_save_audit_log() < 0)" 1779 while ccs_can_save_audit_log() is boole 1779 while ccs_can_save_audit_log() is boolean, MAX_GRANT_LOG and 1780 MAX_REJECT_LOG were not working. 1780 MAX_REJECT_LOG were not working. 1781 1781 1782 This bug will trigger OOM killer if /us 1782 This bug will trigger OOM killer if /usr/sbin/ccs-auditd is not working. 1783 1783 1784 Fix 2008/12/24 1784 Fix 2008/12/24 1785 1785 1786 @ Add "ccs_" prefix. 1786 @ Add "ccs_" prefix. 1787 1787 1788 To be able to tell whether a symbol is 1788 To be able to tell whether a symbol is TOMOYO Linux related or not, 1789 I added "ccs_" prefix as much as possib 1789 I added "ccs_" prefix as much as possible. 1790 1790 1791 @ Fix ccs_check_flags() error message. 1791 @ Fix ccs_check_flags() error message. 1792 1792 1793 I meant to print SYAORAN-ERROR: message 1793 I meant to print SYAORAN-ERROR: message when error == -EPERM, 1794 but I was printing it when error == 0 s 1794 but I was printing it when error == 0 since 1.6.0 . 1795 1795 1796 Fix 2009/01/05 1796 Fix 2009/01/05 1797 1797 1798 @ Use kmap_atomic()/kunmap_atomic() for r 1798 @ Use kmap_atomic()/kunmap_atomic() for reading "struct linux_binprm". 1799 1799 1800 As remove_arg_zero() uses kmap_atomic(K 1800 As remove_arg_zero() uses kmap_atomic(KM_USER0), I modified to use 1801 kmap_atomic(KM_USER0) rather than kmap( 1801 kmap_atomic(KM_USER0) rather than kmap(). 1802 1802 1803 Fix 2009/01/28 1803 Fix 2009/01/28 1804 1804 1805 @ Fix "allow_read" + "allow_write" != "al 1805 @ Fix "allow_read" + "allow_write" != "allow_read/write" problem. 1806 1806 1807 Since 1.6.0 , due to a bug in ccs_updat 1807 Since 1.6.0 , due to a bug in ccs_update_single_path_acl(), 1808 appending "allow_read/write" entry didn 1808 appending "allow_read/write" entry didn't update internal "allow_read" 1809 and "allow_write" entries. As a result, 1809 and "allow_write" entries. 
As a result, attempt to open(O_RDWR) succeeds 1810 but open(O_RDONLY) and open(O_WRONLY) f 1810 but open(O_RDONLY) and open(O_WRONLY) fail. 1811 1811 1812 Workaround is to write an entry twice w 1812 Workaround is to write an entry twice when newly appending that entry. 1813 If written twice, internal "allow_read" 1813 If written twice, internal "allow_read" and "allow_write" entries 1814 are updated. 1814 are updated. 1815 1815 1816 Fix 2009/02/26 1816 Fix 2009/02/26 1817 1817 1818 @ Fix profile read error. 1818 @ Fix profile read error. 1819 1819 1820 Incorrect profiles were shown in /proc/ 1820 Incorrect profiles were shown in /proc/ccs/profile 1821 if either CONFIG_SAKURA or CONFIG_TOMOY 1821 if either CONFIG_SAKURA or CONFIG_TOMOYO is disabled. 1822 1822 1823 Fix 2009/03/02 1823 Fix 2009/03/02 1824 1824 1825 @ Undelete CONFIG_TOMOYO_AUDIT option. 1825 @ Undelete CONFIG_TOMOYO_AUDIT option. 1826 1826 1827 While HDD-less systems can use profiles 1827 While HDD-less systems can use profiles with MAX_GRANT_LOG=0 and 1828 MAX_REJECT_LOG=0 , I undeleted CONFIG_T 1828 MAX_REJECT_LOG=0 , I undeleted CONFIG_TOMOYO_AUDIT option for saving 1829 memory used for /proc/ccs/grant_log and 1829 memory used for /proc/ccs/grant_log and /proc/ccs/reject_log interfaces. 1830 1830 1831 Fix 2009/03/13 1831 Fix 2009/03/13 1832 1832 1833 @ Show only profile entry names ever spec 1833 @ Show only profile entry names ever specified. 1834 1834 1835 Even if an administrator specifies only 1835 Even if an administrator specifies only COMMENT= and MAC_FOR_FILE= 1836 entries for /proc/ccs/profile , all ava 1836 entries for /proc/ccs/profile , all available profile entries are shown. 1837 This was designed to help administrator 1837 This was designed to help administrators to know what entries are 1838 available, but sometimes makes administ 1838 available, but sometimes makes administrators feel noisy because of 1839 entries showing default values. 1839 entries showing default values. 
1840 1840 1841 Thus, I modified to show only profile e 1841 Thus, I modified to show only profile entry names ever specified. 1842 1842 1843 Fix 2009/03/18 1843 Fix 2009/03/18 1844 1844 1845 @ Add MAC_FOR_IOCTL functionality. 1845 @ Add MAC_FOR_IOCTL functionality. 1846 1846 1847 To be able to restrict ioctl() requests 1847 To be able to restrict ioctl() requests, I added MAC_FOR_IOCTL 1848 functionality. 1848 functionality. 1849 1849 1850 This functionality requires modificatio 1850 This functionality requires modification of ccs-patch-\*.diff . 1851 1851 1852 @ Use better name for socket's pathname. 1852 @ Use better name for socket's pathname. 1853 1853 1854 Until now, socket's pathname was repres 1854 Until now, socket's pathname was represented as "socket:[\$]" format 1855 where \$ is inode's number. But inode's 1855 where \$ is inode's number. But inode's number is useless for name based 1856 access control. Therefore, I modified t 1856 access control. Therefore, I modified to represent socket's pathname as 1857 "socket:[family=\$:type=\$:protocol=\$] 1857 "socket:[family=\$:type=\$:protocol=\$]" format. 1858 1858 1859 This will help administrator to control 1859 This will help administrator to control ioctl() against sockets more 1860 precisely. 1860 precisely. 1861 1861 1862 @ Fix misplaced ccs_capable() call. (onl 1862 @ Fix misplaced ccs_capable() call. (only 2.6.8-\* and 2.6.9-\*) 1863 1863 1864 Location to insert ccs_capable(TOMOYO_S 1864 Location to insert ccs_capable(TOMOYO_SYS_IOCTL) in sys_ioctl() was 1865 wrong since version 1.1 . 1865 wrong since version 1.1 . 1866 1866 1867 @ Insert ccs_check_ioctl_permission() cal 1867 @ Insert ccs_check_ioctl_permission() call. 1868 1868 1869 To make MAC_FOR_IOCTL functionality wor 1869 To make MAC_FOR_IOCTL functionality working, I inserted 1870 ccs_check_ioctl_permission() call into 1870 ccs_check_ioctl_permission() call into ccs-patch-\*.diff . 
1871 1871 1872 Fix 2009/03/23 1872 Fix 2009/03/23 1873 1873 1874 @ Move sysctl()'s check from ccs-patch-\* 1874 @ Move sysctl()'s check from ccs-patch-\*.diff to fs/tomoyo_file.c . 1875 1875 1876 Since try_parse_table() in kernel/sysct 1876 Since try_parse_table() in kernel/sysctl.c is almost identical between 1877 all versions, I moved that function to 1877 all versions, I moved that function to fs/tomoyo_file.c . 1878 1878 1879 @ Relocate definitions and functions. 1879 @ Relocate definitions and functions. 1880 1880 1881 To reduce exposed symbols, I relocated 1881 To reduce exposed symbols, I relocated some definitions and functions. 1882 1882 1883 Fix 2009/03/24 1883 Fix 2009/03/24 1884 1884 1885 @ Add CONFIG_TOMOYO_BUILTIN_INITIALIZERS 1885 @ Add CONFIG_TOMOYO_BUILTIN_INITIALIZERS option. 1886 1886 1887 Some systems don't have /sbin/modprobe 1887 Some systems don't have /sbin/modprobe and /sbin/hotplug . 1888 Thus, I made these pathnames configurab 1888 Thus, I made these pathnames configurable. 1889 1889 1890 Version 1.6.7 2009/04/01 Feature enhancemen 1890 Version 1.6.7 2009/04/01 Feature enhancement release. 1891 1891 1892 Fix 2009/04/06 1892 Fix 2009/04/06 1893 1893 1894 @ Drop "undelete domain" command. 1894 @ Drop "undelete domain" command. 1895 1895 1896 I added "undelete domain" command on 20 1896 I added "undelete domain" command on 2007/01/19, but never used by policy 1897 management tools. The garbage collector 1897 management tools. The garbage collector I added on 2007/01/29 will 1898 automatically reuse memory and allow ad 1898 automatically reuse memory and allow administrators switch domain policy 1899 periodically, provided that the adminis 1899 periodically, provided that the administrator kills processes in old 1900 domains before recreating new domains w 1900 domains before recreating new domains with the same domainnames. 1901 1901 1902 Thus, I dropped "undelete domain" comma 1902 Thus, I dropped "undelete domain" command. 
1903 1903 1904 @ Escape invalid characters in ccs_check_ 1904 @ Escape invalid characters in ccs_check_mount_permission2(). 1905 1905 1906 ccs_check_mount_permission2() was passi 1906 ccs_check_mount_permission2() was passing unencoded strings to printk() 1907 and ccs_update_mount_acl() and ccs_chec 1907 and ccs_update_mount_acl() and ccs_check_supervisor(). This may cause 1908 /proc/ccs/system_policy and /proc/ccs/q 1908 /proc/ccs/system_policy and /proc/ccs/query to contain invalid 1909 characters within a string. 1909 characters within a string. 1910 1910 1911 Fix 2009/04/07 1911 Fix 2009/04/07 1912 1912 1913 @ Fix IPv4's "address_group" handling err 1913 @ Fix IPv4's "address_group" handling error. 1914 1914 1915 Since 1.6.5 , due to lack of ntohl() (b 1915 Since 1.6.5 , due to lack of ntohl() (byte order conversion) in 1916 ccs_update_address_group_entry(), "addr 1916 ccs_update_address_group_entry(), "address_group" with IPv4 address was 1917 not working. 1917 not working. 1918 1918 1919 This problem happens on little endian p 1919 This problem happens on little endian platforms (e.g. x86). 1920 1920 1921 Fix 2009/05/08 1921 Fix 2009/05/08 1922 1922 1923 @ Add condition for symlink's target path 1923 @ Add condition for symlink's target pathname. 1924 1924 1925 Until now, "allow_symlink" keyword allo 1925 Until now, "allow_symlink" keyword allows creation of a symlink but does 1926 not check the symlink's target. Usually 1926 not check the symlink's target. Usually it is no problem because 1927 permission checks are done using derefe 1927 permission checks are done using dereferenced pathname. But in some 1928 cases, we should restrict the symlink's 1928 cases, we should restrict the symlink's target. 
For example, 1929 "ln -s .htpasswd /var/www/html/readme.h 1929 "ln -s .htpasswd /var/www/html/readme.html" by CGI program should be 1930 blocked because we will allow Apache to 1930 blocked because we will allow Apache to read both 1931 /var/www/html/readme.html and /var/www/ 1931 /var/www/html/readme.html and /var/www/html/.htpasswd . 1932 1932 1933 Thus, I added new condition, "symlink.t 1933 Thus, I added new condition, "symlink.target". 1934 1934 1935 allow_symlink /var/www/html/\*.html i 1935 allow_symlink /var/www/html/\*.html if symlink.target="\*.html" 1936 1936 1937 allow_symlink /var/www/html/\*\-.\* i 1937 allow_symlink /var/www/html/\*\-.\* if symlink.target="\*\-.\*" 1938 1938 1939 @ Don't return -EAGAIN at ccs_socket_recv 1939 @ Don't return -EAGAIN at ccs_socket_recvmsg_permission(). 1940 1940 1941 It turned out that it is not permitted 1941 It turned out that it is not permitted for accept() and recvmsg() to 1942 return -EAGAIN if poll() said connectio 1942 return -EAGAIN if poll() said connections/datagrams are ready. However, 1943 recvmsg() may return -EAGAIN and potent 1943 recvmsg() may return -EAGAIN and potentially confuse some applications 1944 because ccs_socket_recvmsg_permission() 1944 because ccs_socket_recvmsg_permission() is returning -EAGAIN. 1945 1945 1946 Thus, I modified ccs_socket_recvmsg_per 1946 Thus, I modified ccs_socket_recvmsg_permission() to return -ENOMEM 1947 rather than -EAGAIN. 1947 rather than -EAGAIN. 1948 1948 1949 Fix 2009/05/19 1949 Fix 2009/05/19 1950 1950 1951 @ Don't call get_fs_type() with a mutex h 1951 @ Don't call get_fs_type() with a mutex held. 1952 1952 1953 Until now, when ccs_update_mount_acl() 1953 Until now, when ccs_update_mount_acl() is called with unsupported 1954 filesystem, /sbin/modprobe is executed 1954 filesystem, /sbin/modprobe is executed from get_fs_type() to load 1955 filesystem module. And get_fs_type() do 1955 filesystem module. 
And get_fs_type() does not return until /sbin/modprobe 1956 finishes. 1956 finishes. 1957 1957 1958 This means that it will cause deadlock 1958 This means that it will cause deadlock if /sbin/modprobe (which is 1959 executed via get_fs_type() in ccs_updat 1959 executed via get_fs_type() in ccs_update_mount_acl()) calls 1960 ccs_update_mount_acl(); although it won 1960 ccs_update_mount_acl(); although it won't happen unless an administrator 1961 inserts execute_handler to call mount() 1961 inserts execute_handler to call mount() requests in learning mode or to 1962 add "allow_mount" entries to /proc/ccs/ 1962 add "allow_mount" entries to /proc/ccs/system_policy . 1963 1963 1964 I modified to unlock the mutex before c 1964 I modified to unlock the mutex before calling get_fs_type(). 1965 1965 1966 Fix 2009/05/20 1966 Fix 2009/05/20 1967 1967 1968 @ Update recvmsg() hooks. 1968 @ Update recvmsg() hooks. 1969 1969 1970 Since 1.5.0, I was doing network access 1970 Since 1.5.0, I was doing network access control for incoming UDP and RAW 1971 packets inside skb_recv_datagram(). But 1971 packets inside skb_recv_datagram(). But to synchronize with LSM version, 1972 I moved ccs_recv_datagram_permission() 1972 I moved ccs_recv_datagram_permission() hook from skb_recv_datagram() to 1973 udp_recvmsg()/udpv6_recvmsg()/raw_recvm 1973 udp_recvmsg()/udpv6_recvmsg()/raw_recvmsg()/rawv6_recvmsg() with name 1974 change to ccs_recvmsg_permission(). 1974 change to ccs_recvmsg_permission(). 1975 1975 1976 Version 1.6.8 2009/05/28 Feature enhancemen 1976 Version 1.6.8 2009/05/28 Feature enhancement release. 1977 1977 1978 Fix 2009/07/03 1978 Fix 2009/07/03 1979 1979 1980 @ Fix buffer overrun when used with CONFI 1980 @ Fix buffer overrun when used with CONFIG_SLOB=y . 

      Since 1.6.7 , ccs_allocate_execve_entry() was requesting for only 4000
      bytes while the comment says it is 4096 bytes. This may lead to buffer
      overrun when slob allocator is used, for slob allocator allocates exactly
      4000 bytes whereas slab and slub allocators allocate 4096 bytes.

Fix 2009/09/01

    @ Add garbage collector support.

      Until now, it was impossible to release memory used by deleted policy.
      I added SRCU based garbage collector so that memory used by deleted
      policy will be automatically released.

    @ Remove word length limitation and line length limitation.

      Until now, the max length of a word is 4000 and the max length of a line
      is 8192. To be able to handle longer pathnames, I removed these
      limitations. Now, the max length (except the domainname and
      argv[]/envp[]) is 128K (which is the max amount of memory kmalloc()
      can allocate in most environments).

    @ Support more fine grained profile configuration.

      Profile was reconstructed.

    @ Support more fine grained parameters restrictions.

      "allow_create", "allow_mkdir", "allow_mkfifo", "allow_mksock" check
      create mode. "allow_mkblock" and "allow_mkchar" check create mode and
      major/minor device numbers. "allow_chmod" check new mode. "allow_chown"
      checks new owner. "allow_chgrp" checks new group.

    @ Allow number grouping.

      To help specifying numeric values, a new directive "number_group" is
      introduced.

    @ Remove "alias" directive and "allow_argv0" directive.

      Until now, "allow_execute" used dereferenced pathname if it is a symlink
      unless explicitly specified by "alias" directive.

      Now, "allow_execute" uses symlink's pathname if it is a symlink.
      "exec.realpath" in "if" clause checks the dereferenced pathname.
      "exec.argv[0]" in "if" clause checks the invocation name.

    @ Remove /proc/ccs/system_policy and /etc/ccs/system_policy.conf .

      "deny_autobind" was moved to /proc/ccs/exception_policy and
      /etc/ccs/exception_policy.conf . Other directives were moved to
      /proc/ccs/domain_policy and /etc/ccs/domain_policy.conf .

    @ Remove syaoran filesystem.

      Since "allow_create"/"allow_mkdir"/"allow_mkfifo"/"allow_mksock"/
      "allow_mkblock"/"allow_mkchar"/"allow_chmod"/"allow_chown"/"allow_chgrp"
      can restrict mode changes and owner/group changes, there is no need to
      restrict these changes at filesystem level.

      Thus, I removed syaoran filesystem.

    @ Reduce spinlocks.

      Until now, TOMOYO was using own list for detecting memory leak. But as
      kernel 2.6.31 introduced memory leak detection mechanism
      ( CONFIG_DEBUG_KMEMLEAK ), TOMOYO no longer needs to use own list.

      I removed the list to reduce use of spinlocks.

    @ Rewrite ccs-patch-2.\*.diff .

      ccs-patch-2.\*.diff was rewritten like LSM hooks.

    @ Don't check "allow_read/write" for open-for-ioctl-only.

      open(pathname, 3) means open for ioctl() only.
      Until now, TOMOYO was checking "allow_read/write" for open(pathname, 3).
      But since TOMOYO checks "allow_ioctl" for ioctl(), I modified not to
      require "allow_read/write" for open(pathname, 3).

    @ Add missing sigqueue() and tgsigqueue() hooks.

      Until now, kill(), tkill(), tgkill() had hooks but sigqueue() and
      tgsigqueue() didn't.

    @ Move files from fs/ to security/ccsecurity.

      Config menu section changed from "File systems" to "Security options".

      Kernel config symbols changed from CONFIG_SAKURA CONFIG_TOMOYO
      CONFIG_SYAORAN to CONFIG_CCSECURITY .

    @ Add global PID to audit logs.

      ccs-queryd was using domainname for reaching the domain which the process
      belongs to, but the domain could be deleted while ccs-queryd is handling
      policy violation. If the domain is deleted, ccs-queryd no longer can
      reach the domain by domainname. Thus, ccs-queryd now uses PID for
      reaching the domain which the process belongs to.

      Kernel 2.6.24 introduced PID namespace. The PID in access logs generated
      by a process inside a container is useless for ccs-queryd for reaching
      the domain which the process belongs to.

      Thus, I added global PID in audit logs.

    @ Transit to new domain before do_execve() succeeds.

      Permission checks for interpreters and environment variables are
      done using new domain. In order to allow ccs-queryd to reach the new
      domain via global PID, I reverted "Don't transit to new domain until
      do_execve() succeeds." made on 2008/10/07.

Version 1.7.0 2009/09/03 Feature enhancement release.

Fix 2009/09/04

    @ Fix wrong ccs_profile() calls.

      I can't call ccs_profile() for profile existence test because
      ccs_profile() never returns NULL.

Fix 2009/09/06

    @ Fix wrong error code in ccs_try_alt_exec().

      ccs_try_alt_exec() was returning ENOMEM when kmalloc() failed.
      It needs to return -ENOMEM to fail.

Fix 2009/09/10

    @ Do not check umount() permission for mount(MS_MOVE) requests.

      Until 1.6.x , umount() restriction was black listing. In 1.7.0 , it is
      white listing. This change caused "mount --move old new" requests to
      require "allow_unmount old" permission in addition to
      "allow_mount old new --move 0" permission.
      But we don't want to allow umount(old) requests when we want to allow
      only mount(old, new, MS_MOVE) requests. Thus, I modified not to check
      "allow_unmount old" permission for mount(old, new, MS_MOVE) requests.

Fix 2009/09/11

    @ Support recursive match operators.

      Until now, ccs_path_matches_pattern() did not support recursive
      comparison. Thus, users had to repeat "/\*" when they want to specify
      recursively.

      I introduced "\{" and "\}" as repetition operator.
      To ensure consistency with TOMOYO's '/'-tokenized pattern matching rules
      and "\-" operator, only "/\{dir\}/" sequences (where dir does not contain
      '/') is permitted.

Fix 2009/09/24

    @ Don't check chmod/chown capability for requests from kernel.

      Until now, ccs_setattr_permission() was inserted in notify_change().
      But notify_change() is also called by requests from kernel (e.g. UnionFS)
      and it made difficult to use TOMOYO on UnionFS.

      Thus, I moved ccs_capable() checks from ccs_setattr_permission() to
      ccs_chmod_permission() and ccs_chown_permission(), and removed
      ccs_setattr_permission().
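      The two pattern-matching entries above (the "symlink.target" condition at
      the top of this section and the "/\{dir\}/" repetition operator of
      2009/09/11) both depend on TOMOYO's '/'-tokenized matching. The following
      is an added example modelling that matching in Python; it is not
      ccs_path_matches_pattern() and not code from the TOMOYO project.
      Assumed semantics, taken from the entries and TOMOYO's documented
      wildcards: "\*" matches any run of characters other than '/', "\?" one
      such character, "\\" a literal backslash, and a whole "/\{dir\}/" segment
      stands for one or more path components each matching dir (the
      one-or-more reading is an assumption). The "\-" subtraction operator and
      the numeric wildcards are deliberately rejected rather than guessed. The
      allow_symlink line parser and the sample rule are constructed for the
      example.

```python
# Added example (not TOMOYO's ccs_path_matches_pattern()): a model of the
# '/'-tokenised pattern matching behind "allow_symlink ... if symlink.target"
# and the "/\{dir\}/" repetition operator introduced on 2009/09/11.
# Assumed semantics: \* = any run of non-'/' characters, \? = one non-'/'
# character, \\ = a literal backslash, and a whole "/\{dir\}/" segment = one
# or more path components each matching dir.  Other wildcards (\-, \$, ...)
# are intentionally rejected rather than guessed.
import re


def _segment_regex(seg):
    """Compile one '/'-free pattern segment into an anchored regex."""
    out = []
    i = 0
    while i < len(seg):
        c = seg[i]
        if c != "\\":
            out.append(re.escape(c))
            i += 1
            continue
        if i + 1 >= len(seg):
            raise ValueError("dangling backslash in pattern segment")
        nxt = seg[i + 1]
        i += 2
        if nxt == "*":
            out.append("[^/]*")
        elif nxt == "?":
            out.append("[^/]")
        elif nxt == "\\":
            out.append(re.escape("\\"))
        else:
            raise ValueError("unsupported wildcard \\" + nxt)
    return re.compile("^" + "".join(out) + "$")


def parse_pattern(pattern):
    """Split a pattern on '/' into a list of (regex, is_recursive).

    Enforces the ChangeLog rule that \\{ and \\} may only form a complete
    "/\\{dir\\}/" segment: never first, never last, never mixed with other
    text, and dir cannot contain '/' because we split on it."""
    segs = pattern.split("/")
    parts = []
    for idx, seg in enumerate(segs):
        if seg.startswith("\\{") and seg.endswith("\\}") and len(seg) > 4:
            if idx == 0 or idx == len(segs) - 1:
                raise ValueError("\\{dir\\} must be enclosed by '/' on both sides")
            parts.append((_segment_regex(seg[2:-2]), True))
        elif "\\{" in seg or "\\}" in seg:
            raise ValueError("\\{ and \\} are only valid as a whole /\\{dir\\}/ segment")
        else:
            parts.append((_segment_regex(seg), False))
    return parts


def path_matches_pattern(path, pattern):
    """True if the whole of `path` matches `pattern`, segment by segment."""
    parts = parse_pattern(pattern)
    segs = path.split("/")

    def match(pi, si):
        if pi == len(parts):
            return si == len(segs)
        rx, recursive = parts[pi]
        if not recursive:
            return (si < len(segs) and rx.match(segs[si]) is not None
                    and match(pi + 1, si + 1))
        # Recursive segment: swallow one or more components matching rx and
        # try the rest of the pattern after each, backtracking on failure.
        j = si
        while j < len(segs) and rx.match(segs[j]):
            j += 1
            if match(pi + 1, j):
                return True
        return False

    return match(0, 0)


_SYMLINK_RULE = re.compile(r'^allow_symlink (\S+)(?: if symlink\.target="([^"]*)")?$')


def parse_symlink_rule(line):
    """Parse 'allow_symlink <path> [if symlink.target="<pattern>"]' into
    (path_pattern, target_pattern_or_None)."""
    m = _SYMLINK_RULE.match(line.strip())
    if not m:
        raise ValueError("not an allow_symlink line: %r" % line)
    return m.group(1), m.group(2)


def symlink_allowed(rules, link_path, link_target):
    """Allow the symlink() request if some rule matches the link's own
    pathname and, when the rule carries a symlink.target condition, the
    string stored in the link (relative or absolute, taken verbatim)."""
    for link_pat, target_pat in rules:
        if not path_matches_pattern(link_path, link_pat):
            continue
        if target_pat is None or path_matches_pattern(link_target, target_pat):
            return True
    return False


if __name__ == "__main__":
    # Constructed policy: the first rule from the ChangeLog entry.
    rules = [parse_symlink_rule(
        'allow_symlink /var/www/html/\\*.html if symlink.target="\\*.html"')]
    print(symlink_allowed(rules, "/var/www/html/readme.html", ".htpasswd"))   # False
    print(symlink_allowed(rules, "/var/www/html/readme.html", "other.html"))  # True
    print(path_matches_pattern("/var/www/html/a/b/c.html",
                               "/var/www/html/\\{\\*\\}/\\*.html"))           # True
```

      The first call reproduces the .htpasswd case: the link's own pathname
      matches /var/www/html/\*.html, but the symlink.target condition
      "\*.html" does not match ".htpasswd", so the request is refused; a rule
      without the condition would have allowed it. The third call shows what
      the repetition operator buys: one "/\{\*\}/" segment covers any depth of
      subdirectory, where previously "/\*" had to be repeated per level.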

Fix 2009/09/25

    @ Embed more information into audit logs.

      Until now, /proc/ccs/grant_log /proc/ccs/reject_log /proc/ccs/query were
      not printing file's information (e.g. file's uid/gid/mode).

      Recently, users who started using "if" clause expect that the learning
      mode automatically adds various conditions like "if task.uid=path1.uid".

      But the profile will become too complicated if I support all possible
      conditions. Thus, I added all information which is enough to generate
      "if" clause with all possible conditions from audit logs.

      Now, the learning mode got different usage. Users can specify
      "CONFIG::learning={ max_entry=0 }" in the profile. All requests which
      are not permitted by policy will be sent to /proc/ccs/reject_log with
      "mode=learning" header lines. Users can selectively append conditions
      and append to the policy using "/usr/sbin/ccs-loadpolicy -d".
      The learning mode with "CONFIG::learning={ max_entry=0 }" is almost
      the same with the permissive mode, only difference is "mode=learning"
      and "mode=permissive".

Fix 2009/10/05

    @ Fix size truncation bug at ccs_memcmp().

      ccs_memcmp() was using "u8" for size parameter by error. Therefore, when
      size >= 256 was passed to ccs_memcmp(), it was doing partial comparison
      (incorrect result) or read overrun (CPU stall).

      ccs_memcmp() should use "size_t" for size parameter because size of
      "struct ccs_condition" may exceed 256 bytes if complicated condition was
      given.

Fix 2009/10/08

    @ Add CONFIG_CCSECURITY_DEFAULT_LOADER option.

      I made the default policy loader's pathname ( /sbin/ccs-init )
      configurable.

    @ Add CONFIG_CCSECURITY_ALTERNATIVE_TRIGGER option.

      Some environments do not have /sbin/init . In such environments, we need
      to use different program's pathname (e.g. /init or /linuxrc ) as
      activation trigger.

      Thus, I made the alternative trigger ( /sbin/ccs-start ) configurable.

Fix 2009/11/02

    @ Fix buffer contention.

      A permission like

        allow_env PATH if exec.envp["PATH"]="/"

      was not working since I was using the same buffer for both environment
      variable's name and value.

Fix 2009/11/03

    @ Fix memory leak in ccs_write_address_group_policy().

      I forgot to call kfree() if same entry was added.

    @ Reduce mutexes.

      I was using mutex_lock()/mutex_unlock() so that I can use
      atomic_dec_and_test() for removing an element from a list.
      I moved that operation to garbage collector in order to reduce frequency
      of mutex_lock()/mutex_unlock() calls.

    @ Escape from nested loops correctly.

      In ccs_read_address_group_policy(), I was escaping from nested loops
      correctly. But in ccs_read_path_group_policy() and
      ccs_read_number_group_policy(), I wasn't.

      As a result, reading path_group and number_group caused kernel oops
      when they were not read atomically.

Fix 2009/11/06

    @ Fix incorrect allow_mount audit log.

      Audit log for allow_mount was using decimal format.
      It needs to use hexadecimal format.

Fix 2009/11/09

    @ Add profile version check.

      To avoid upgrading from TOMOYO 1.6.x to TOMOYO 1.7.x without upgrading
      /proc/ccs/profile (which results in not protecting the system at all),
      I added a check for PROFILE_VERSION= .

Version 1.7.1 2009/11/11 Fourth anniversary release.

Fix 2009/11/13

    @ Don't use core_initcall() for initializing lock for GC.

      Some kernels call TOMOYO's hooks before processing core_initcall().
      Thus, I can't use core_initcall() for initializing lock for GC.

Fix 2009/11/18

    @ Don't check "allow_write" permission for open(O_RDONLY | O_TRUNC).

      Since TOMOYO checks "allow_truncate" permission rather than "allow_write"
      permission for O_TRUNC, I need to distinguish open(O_RDONLY | O_TRUNC)
      and open(O_RDWR | O_TRUNC). But I made a mistake between TOMOYO 1.7.0 and
      1.7.1 which made it impossible for TOMOYO for kernels 2.6.14 and earlier
      to distinguish them.

Fix 2009/11/27

    @ Use newly created domain's name for domain creation audit log.

      Since 1.7.0 , /proc/ccs/reject_log was by error using existing domain's
      name when auditing newly created domain's "use_profile" line.

Fix 2009/12/12

    @ Use rcu_read_lock() for find_task_by_pid().

      Since kernel 2.6.18 , caller of find_task_by_pid() needs to call
      rcu_read_lock() rather than read_lock(&tasklist_lock) because find_pid()
      uses RCU primitives but spinlock does not prevent RCU callback if
      preemptive RCU ( CONFIG_PREEMPT_RCU or CONFIG_TREE_PREEMPT_RCU ) is
      enabled.

Fix 2009/12/15

    @ Allow deleting "quota_exceeded" and "transition_failed" entries.

      To notify users of "this domain has too many entries to hold" and "some
      process in this domain was not able to perform domain transition",
      "quota_exceeded" and "transition_failed" messages are used respectively.
      These messages were not deletable. But it is more convenient for users
      to be notified again if such events occurred again after tuning policy.
      Thus, I made these messages deletable.

Fix 2009/12/17

    @ Don't check read permission in ccs_try_alt_exec().

      While I was trying to remove ccs_execve_list list for GC optimization
      between TOMOYO 1.7.0 and 1.7.1 , I made a mistake which made TOMOYO to
      check allow_read permission of the programs specified by execute_handler
      and denied_execute_handler keywords.

    @ Don't check DAC permission if disabled mode.

      I was checking DAC permissions regarding directory entry modification
      operations (e.g. mkdir()) even if mode=disabled . It is a waste of CPU
      resource to check DAC permissions when MAC permissions are not checked.
      Thus, I modified to skip DAC permission checks if mode=disabled .

Fix 2009/12/19

    @ Fix memory leak in ccs_environ().

      When I fixed a bug that a permission like

        allow_env PATH if exec.envp["PATH"]="/"

      was not working (2009/11/02), I allocated two buffers but only one buffer
      was released.

      This bug will trigger OOM killer if environment variable checking is
      enabled.

Fix 2010/01/17

    @ Use current domain's name for execute_handler audit log.

      Since 1.6.7 , /proc/ccs/grant_log was by error using next domain's name
      when auditing current domain's "execute_handler" line.

Fix 2010/03/02

    @ Allow domain transition without execve().

      To be able to split permissions for Apache's CGI programs which are
      executed without execve(), I added special domain transition which is
      performed by atomically writing '\0'-terminated binary string to
      /proc/ccs/.transition interface. For example, a process which belongs to
      "<kernel> /usr/sbin/httpd" domain will transit to
      "<kernel> /usr/sbin/httpd //app=cgi1\040id=10000" domain by atomically
      writing "app=cgi1 id=10000" + '\0' to /proc/ccs/.transition using
      Apache's ap_hook_handler() functionality.

      Note that '\0'-terminated binary string is converted to TOMOYO's string
      inside kernel and prefix "//" is automatically added to the string so
      that domainname does not conflict with domainnames created by execve().
      Without this prefix, if "<kernel> /usr/sbin/sshd /bin/bash" domain is
      allowed to open /proc/ccs/.transition for writing and
      "<kernel> /usr/sbin/sshd /bin/bash /usr/bin/passwd" domain is allowed to
      access /etc/shadow , /bin/bash will be able to access /etc/shadow by
      atomically writing "/usr/bin/passwd" + '\0' to /proc/ccs/.transition .
      Allowing /bin/bash to access /etc/shadow is not what people want.

      Permission for this operation is checked by "allow_transit" keyword.
      Unlike "allow_execute" keyword, the string parameter for "allow_transit"
      keyword does not refer a real file on filesystem's namespace. Therefore,
      you can store any combination of parameters like LDAP's DN entry in the
      string parameter for "allow_transit" keyword.

Fix 2010/03/08

    @ Allow building as loadable kernel module.

      To be able to minimize filesize increment of vmlinux, I made it
      possible to compile TOMOYO Linux as loadable kernel module.
      Although patching the kernel source and recompiling the kernel are
      inevitable, this change will make it easier to enable TOMOYO Linux
      when there is a filesize limitation on vmlinux (e.g. embedded systems).

Fix 2010/03/25

    @ Fix ccs_get_ipv6_address() bug.

      Since 1.7.0 , ccs_get_ipv6_address() was by error returning address of
      "struct list_head ccs_address_list" if memory allocation failed.
      As a result, ccs_put_ipv6_address() will modify memory near
      "struct list_head ccs_address_list" if memory allocation failed.

Fix 2010/03/26

    @ Fix ccs_lport_reserved() bug.

      Since 1.7.0 , ccs_lport_reserved() was by error checking wrong port
      number. As a result, "deny_autobind" keyword was not working as expected.

Version 1.7.2 2010/04/01 Feature enhancement release.

Fix 2010/04/10

    @ Fix invalid "struct nameidata" to "struct path" conversion macro.

      Regarding kernels 2.6.24 and earlier, I was converting "struct nameidata"
      to "struct path" in caller side so that I can unify the callee function's
      parameter type.
      But it turned out that the macro I used did not follow C
      standards and did not work with gcc 4.x . As a result, "allow_pivot_root"
      keyword was not working as expected.

Fix 2010/05/05

    @ Fix incorrect audit on/off control.

      The grant_log= and reject_log= parameters of CONFIG::misc::env were not
      used because I forgot to update request type. As a result, those of
      CONFIG::file::execute were used for CONFIG::misc::env .

      Those of CONFIG::file::rewrite were not used because I forgot to update
      request type. As a result, those of CONFIG::file::truncate were used for
      CONFIG::file::rewrite .

Fix 2010/05/10

    @ Fix incorrect out of memory warning.

      Out of memory warnings were not printed in some cases by error.

Fix 2010/05/27

    @ Add missing rcu_dereference() for ccs_find_execute_handler().

      Since 1.7.0 , ccs_find_execute_handler() was by error using
      list_for_each_entry() rather than list_for_each_entry_rcu().
      This bug affects only Alpha architecture.

Fix 2010/06/03

    @ Fix missing sanity check for "file_pattern".

      Since 1.7.0 , ccs_write_pattern_policy() was by error accepting
      invalid pathname.

Fix 2010/06/09

    @ Add missing ccs_put_name() in ccs_parse_envp().

      Since 1.7.0 , ccs_parse_envp() was not calling ccs_put_name() if
      environment variable's value ('if exec.envp["name"]="value"' condition)
      was invalid.

    @ Add missing NULL check in ccs_condition().

      Since 1.7.0 , if 'if symlink.target=' part was given against non-file
      permissions (e.g. allow_env PATH if symlink.target="/"), it triggered
      NULL pointer dereference.

Fix 2010/10/28

    @ Fix umount() pathname calculation.

      "mount --bind /path/to/file1 /path/to/file2" is legal.
      Therefore, "umount /path/to/file2" is also legal.
      Do not automatically append trailing '/' if pathname to be unmounted
      does not end with '/'.

    @ Add preserve KABI compatibility option. (2.6 kernels only)

      TOMOYO needs "struct ccs_domain_info *" and "u32" for each
But embedding the 2456 "struct task_struct". But embedding these variables into 2457 "struct task_struct" breaks KABI for pr 2457 "struct task_struct" breaks KABI for prebuilt kernel modules (which 2458 means that you will need to rebuild pre 2458 means that you will need to rebuild prebuilt kernel modules). 2459 2459 2460 Since KABI is commonly used (compared t 2460 Since KABI is commonly used (compared to 5 years ago), asking users to 2461 rebuild kernel modules which are not in 2461 rebuild kernel modules which are not included in kernel package is no 2462 longer preferable. Therefore, I added a 2462 longer preferable. Therefore, I added a new option that keeps 2463 "struct task_struct" unmodified in orde 2463 "struct task_struct" unmodified in order to keep KABI. 2464 2464 2465 Note that you have to use ccs-patch-2.6 2465 Note that you have to use ccs-patch-2.6.\*.diff which patches 2466 kernel/fork.c in order to use this opti 2466 kernel/fork.c in order to use this option. Otherwise, TOMOYO will leak 2467 memory whenever "struct task_struct" is 2467 memory whenever "struct task_struct" is released. 2468 2468 2469 @ Change directives. 2469 @ Change directives. 2470 2470 2471 I removed "allow_" prefix from directiv 2471 I removed "allow_" prefix from directives. New directives for files are 2472 prefixed with "file ". For example, "al 2472 prefixed with "file ". For example, "allow_read" changed to "file read", 2473 "allow_ioctl" changed to "file ioctl". 2473 "allow_ioctl" changed to "file ioctl". New directive for "allow_network 2474 TCP" is "network inet stream", "allow_n 2474 TCP" is "network inet stream", "allow_network UDP" is "network inet 2475 dgram", "allow_network RAW" is "network 2475 dgram", "allow_network RAW" is "network inet raw". New directive for 2476 "allow_env" is "misc env". New directiv 2476 "allow_env" is "misc env". New directive for "allow_signal" is "ipc 2477 signal". New directive for "allow_capab 2477 signal". 
New directive for "allow_capability" is "capability". These new 2478 directives correspond with keywords use 2478 directives correspond with keywords used by profile's CONFIG lines. 2479 2479 2480 I removed "deny_rewrite" and "allow_rew 2480 I removed "deny_rewrite" and "allow_rewrite" directives and introduced 2481 "file append" directive. Thus, permissi 2481 "file append" directive. Thus, permission for open(O_WRONLY | O_APPEND) 2482 changed from "allow_write" + "allow_rew 2482 changed from "allow_write" + "allow_rewrite" to "file append". 2483 2483 2484 I removed "SYS_MOUNT", "SYS_UMOUNT", "S 2484 I removed "SYS_MOUNT", "SYS_UMOUNT", "SYS_CHROOT", "SYS_KILL", 2485 "SYS_LINK", "SYS_SYMLINK", "SYS_RENAME" 2485 "SYS_LINK", "SYS_SYMLINK", "SYS_RENAME", "SYS_UNLINK", "SYS_CHMOD", 2486 "SYS_CHOWN", "SYS_IOCTL", "SYS_PIVOT_RO 2486 "SYS_CHOWN", "SYS_IOCTL", "SYS_PIVOT_ROOT" keywords from capabilities 2487 because these permissions can be checke 2487 because these permissions can be checked by other directives (e.g. 2488 "file mount", "ipc signal"). 2488 "file mount", "ipc signal"). 2489 2489 2490 I also removed "conceal_mount" keyword 2490 I also removed "conceal_mount" keyword from capabilities because this 2491 check requires hooks in filesystem part 2491 check requires hooks in filesystem part while almost all hooks for 2492 filesystem part have moved to LSM by Li 2492 filesystem part have moved to LSM by Linux 2.6.34. 2493 2493 2494 New directive for "execute_handler" is 2494 New directive for "execute_handler" is "task auto_execute_handler", 2495 "denied_execute_handler" is "task denie 2495 "denied_execute_handler" is "task denied_execute_handler". 2496 2496 2497 @ Distinguish send() and recv() operation 2497 @ Distinguish send() and recv() operations. 
2498 2498 2499 Until now, it was impossible for UDP an 2499 Until now, it was impossible for UDP and IP sockets to allow either 2500 only sending or only receiving because 2500 only sending or only receiving because permissions were aggregated with 2501 "connect" keyword. I broke "connect" ke 2501 "connect" keyword. I broke "connect" keyword into "send" and "recv" 2502 keywords so that you can keep access co 2502 keywords so that you can keep access control for send() operation enabled 2503 when you have to disable access control 2503 when you have to disable access control for recv() operation due to 2504 application breakage by discarding inco 2504 application breakage by discarding incoming datagram. 2505 2505 2506 @ Add Unix domain socket restriction supp 2506 @ Add Unix domain socket restriction support. 2507 2507 2508 Until now, it was possible to restrict 2508 Until now, it was possible to restrict only inet domain sockets (i.e. 2509 TCP/UDP/RAW). I added restriction for U 2509 TCP/UDP/RAW). I added restriction for Unix domain sockets (i.e. stream/ 2510 dgram/seqpacket). New directive "networ 2510 dgram/seqpacket). New directive "network unix" is added as well as 2511 "network inet" directive. 2511 "network inet" directive. 2512 2512 2513 @ Allow specifying multiple permissions i 2513 @ Allow specifying multiple permissions in a line. 2514 2514 2515 Until now, only "allow_read/write" can 2515 Until now, only "allow_read/write" can be specified for combination of 2516 "allow_read" + "allow_write". Now, you 2516 "allow_read" + "allow_write". Now, you can combine other permissions as 2517 long as type of parameters for these pe 2517 long as type of parameters for these permissions is same. 
For example, 2518 "file read/write/append/execute/unlink/ 2518 "file read/write/append/execute/unlink/truncate /tmp/file" is correct 2519 but "file read/write/create /tmp/file" 2519 but "file read/write/create /tmp/file" is wrong because "file create" 2520 requires create mode whereas "file read 2520 requires create mode whereas "file read" and "file write" do not. 2521 2521 2522 @ Allow wildcard for execute permission a 2522 @ Allow wildcard for execute permission and domainname. 2523 2523 2524 Until now, to execute programs with tem 2524 Until now, to execute programs with temporary names, "aggregator" is 2525 needed. To simplify code, I modified to 2525 needed. To simplify code, I modified to accept wildcards for execute 2526 permission and domainname. Now, you can 2526 permission and domainname. Now, you can directly specify 2527 "file execute /tmp/logrotate.\?\?\?\?\? 2527 "file execute /tmp/logrotate.\?\?\?\?\?\?" and use 2528 "/tmp/logrotate.\?\?\?\?\?\?" within do 2528 "/tmp/logrotate.\?\?\?\?\?\?" within domainnames. 2529 2529 2530 @ Change pathname for non-rename()able fi 2530 @ Change pathname for non-rename()able filesystems. 2531 2531 2532 LSM version of TOMOYO wants to use /pro 2532 LSM version of TOMOYO wants to use /proc/self/ rather than /proc/$PID/ if 2533 $PID matches current thread's process I 2533 $PID matches current thread's process ID in order to prevent current 2534 thread from accessing other process's i 2534 thread from accessing other process's information unless needed. 2535 But since procfs can be mounted on vari 2535 But since procfs can be mounted on various locations (e.g. /proc/ /proc2/ 2536 /p/ /tmp/foo/100/p/ ), LSM version of T 2536 /p/ /tmp/foo/100/p/ ), LSM version of TOMOYO cannot tell that whether the 2537 numeric part in the string returned by 2537 numeric part in the string returned by __d_path() represents process ID 2538 or not. 2538 or not. 
2539 2539 2540 Therefore, to be able to convert from $ 2540 Therefore, to be able to convert from $PID to self no matter where procfs 2541 is mounted, I changed pathname represen 2541 is mounted, I changed pathname representations for filesystems which do 2542 not support rename() operation (e.g. pr 2542 not support rename() operation (e.g. proc, sysfs, securityfs). 2543 2543 2544 Now, "/proc/self/mounts" changed to "pr 2544 Now, "/proc/self/mounts" changed to "proc:/self/mounts" and 2545 "/sys/kernel/security/" changed to "sys 2545 "/sys/kernel/security/" changed to "sys:/kernel/security/" and 2546 "/dev/pts/0" changed to "devpts:/0". 2546 "/dev/pts/0" changed to "devpts:/0". 2547 2547 2548 @ Add a new keyword "any" for domain tran 2548 @ Add a new keyword "any" for domain transition control. 2549 2549 2550 To be able to make it easier to apply a 2550 To be able to make it easier to apply auto_execute_handler on each 2551 domain, I added "any" keyword to domain 2551 domain, I added "any" keyword to domain transition control keywords. Now, 2552 "initialize_domain /usr/sbin/sshd" chan 2552 "initialize_domain /usr/sbin/sshd" changed to 2553 "initialize_domain /usr/sbin/sshd from 2553 "initialize_domain /usr/sbin/sshd from any" and 2554 "keep_domain <kernel> /usr/sbin/sshd /b 2554 "keep_domain <kernel> /usr/sbin/sshd /bin/bash" changed to 2555 "keep_domain any from <kernel> /usr/sbi 2555 "keep_domain any from <kernel> /usr/sbin/sshd /bin/bash". 2556 2556 2557 "keep_domain /path/to/auto_execute_hand 2557 "keep_domain /path/to/auto_execute_handler from any" will allow you to 2558 apply auto_execute_handler for any doma 2558 apply auto_execute_handler for any domains without creating domains for 2559 auto_execute_handler. 2559 auto_execute_handler. 2560 2560 2561 @ Change buffering mode for reading polic 2561 @ Change buffering mode for reading policy. 
2562 2562 2563 To be able to read() very very long lin 2563 To be able to read() very very long lines correctly, I changed the way 2564 TOMOYO buffers policy for reading. 2564 TOMOYO buffers policy for reading. 2565 2565 2566 @ Introduce "acl_group" keyword. 2566 @ Introduce "acl_group" keyword. 2567 2567 2568 Until now, it was possible to specify o 2568 Until now, it was possible to specify only "allow_read" and "allow_env" 2569 keywords in the exception policy. 2569 keywords in the exception policy. 2570 2570 2571 Since some operations like "file read/w 2571 Since some operations like "file read/write/append /dev/null" and 2572 "network UDP send/recv @DNS_SERVER 53" 2572 "network UDP send/recv @DNS_SERVER 53" are very common and should be 2573 permitted to all domains, I introduced 2573 permitted to all domains, I introduced "acl_group" keyword for giving 2574 such permissions. 2574 such permissions. 2575 2575 2576 For example, specify "acl_group 0 file 2576 For example, specify "acl_group 0 file read/write/append /dev/null" in 2577 the exception policy and specify "use_g 2577 the exception policy and specify "use_group 0" from the domains in the 2578 domain policy. 2578 domain policy. 2579 2579 2580 "ignore_global_allow_read" and "ignore_ 2580 "ignore_global_allow_read" and "ignore_global_allow_env" directives were 2581 removed from domain policy and "use_gro 2581 removed from domain policy and "use_group" keyword was added. 2582 2582 2583 @ Remove "if" and "; set" keyword. 2583 @ Remove "if" and "; set" keyword. 2584 2584 2585 I removed need for specifying these key 2585 I removed need for specifying these keyword. 2586 You can simply specify like below. 2586 You can simply specify like below. 2587 2587 2588 file read /etc/shadow task.uid=0 2588 file read /etc/shadow task.uid=0 2589 2589 2590 @ Remove "file_pattern" keyword. 2590 @ Remove "file_pattern" keyword. 
2591 2591 2592 I removed "file_pattern" keyword becaus 2592 I removed "file_pattern" keyword because it is impossible to predefine 2593 all possible pathname patterns. Also, l 2593 all possible pathname patterns. Also, learning pathnames using incomplete 2594 patterns makes it difficult to later re 2594 patterns makes it difficult to later replace using "path_group" keyword. 2595 2595 2596 @ Replace verbose= parameter with statist 2596 @ Replace verbose= parameter with statistic interface. 2597 2597 2598 Since it is noisy if a lot of policy vi 2598 Since it is noisy if a lot of policy violation messages are printed, 2599 I removed printk(). To be able to check 2599 I removed printk(). To be able to check whether policy violation occurred 2600 or not, I introduced /proc/ccs/stat int 2600 or not, I introduced /proc/ccs/stat interface which counts number of 2601 policy violations occurred. You can fir 2601 policy violations occurred. You can firstly check /proc/ccs/stat and then 2602 check /proc/ccs/reject_log . 2602 check /proc/ccs/reject_log . 2603 2603 2604 @ Remove global preference. 2604 @ Remove global preference. 2605 2605 2606 I removed global preference in order to 2606 I removed global preference in order to make code simpler. 2607 2607 2608 @ Allow controlling generation of access 2608 @ Allow controlling generation of access granted logs for per an entry 2609 basis. 2609 basis. 2610 2610 2611 I added per-entry flag which controls g 2611 I added per-entry flag which controls generation of grant logs because 2612 Xen and KVM issues ioctl requests so fr 2612 Xen and KVM issues ioctl requests so frequently. For example, 2613 2613 2614 file ioctl /dev/null 0x5401 grant_log 2614 file ioctl /dev/null 0x5401 grant_log=no 2615 2615 2616 will suppress /proc/ccs/grant_log even 2616 will suppress /proc/ccs/grant_log even if preference says grant_log=yes . 
2617 2617 2618 file ioctl /dev/null 0x5401 grant_log 2618 file ioctl /dev/null 0x5401 grant_log=yes 2619 2619 2620 will generate /proc/ccs/grant_log even 2620 will generate /proc/ccs/grant_log even if preference says grant_log=no . 2621 2621 2622 file ioctl /dev/null 0x5401 2622 file ioctl /dev/null 0x5401 2623 2623 2624 will generate /proc/ccs/grant_log only 2624 will generate /proc/ccs/grant_log only if preference says grant_log=yes . 2625 2625 2626 This flag is intended for frequently ac 2626 This flag is intended for frequently accessed resources like 2627 2627 2628 file read /var/www/html/\{\*\}/\*.htm 2628 file read /var/www/html/\{\*\}/\*.html grant_log=no 2629 2629 2630 . 2630 . 2631 2631 2632 @ Automatically create domain by execve() 2632 @ Automatically create domain by execve() even if enforcing mode. 2633 2633 2634 Until now, new domains are not created 2634 Until now, new domains are not created if the domain was not defined and 2635 current domain is enforcing mode ("CONF 2635 current domain is enforcing mode ("CONFIG::file::execute=enforcing"). 2636 2636 2637 To be able to restrict shell session wi 2637 To be able to restrict shell session without using "keep_domain", 2638 I changed to create new domains automat 2638 I changed to create new domains automatically even if current domain is 2639 enforcing mode. 2639 enforcing mode. 2640 2640 2641 @ Replace "task.state" with "auto_domain_ 2641 @ Replace "task.state" with "auto_domain_transition". 2642 2642 2643 task.state is difficult to use. Thus, I 2643 task.state is difficult to use. Thus, I replaced task.state with 2644 auto_domain_transition which performs d 2644 auto_domain_transition which performs domain transition instead of 2645 changing current process's state variab 2645 changing current process's state variables. 2646 2646 2647 If domain transition failed, current pr 2647 If domain transition failed, current process will be killed by SIGKILL 2648 signal. 
This should not happen in norma 2648 signal. This should not happen in normal circumstances, for you know the 2649 domain to transit to and thereby you wi 2649 domain to transit to and thereby you will define the domain beforehand 2650 when you use "auto_domain_transition" k 2650 when you use "auto_domain_transition" keyword. 2651 2651 2652 @ Replace "allow_transit" with "task manu 2652 @ Replace "allow_transit" with "task manual_domain_transition". 2653 2653 2654 I changed this directive to specify abs 2654 I changed this directive to specify absolute domainname (e.g. 2655 "<kernel> /usr/sbin/httpd //app=cgi1\04 2655 "<kernel> /usr/sbin/httpd //app=cgi1\040id=10000") rather than virtual 2656 pathname (e.g. "//app=cgi1\040id=10000" 2656 pathname (e.g. "//app=cgi1\040id=10000") because you know the domain to 2657 transit to and thereby you will define 2657 transit to and thereby you will define the domain beforehand when you use 2658 "task manual_domain_transition" directi 2658 "task manual_domain_transition" directive. 2659 2659 2660 This change allows you to jump to arbit 2660 This change allows you to jump to arbitrary domain. 2661 2661 2662 Note that this change also reverts "Cha 2662 Note that this change also reverts "Change /proc/ccs/info/self_domain ." 2663 made on 2006/10/24. Now, 'cat < /proc/c 2663 made on 2006/10/24. Now, 'cat < /proc/ccs/info/self_domain' will act like 2664 'cat /proc/ccs/info/self_domain'. Progr 2664 'cat /proc/ccs/info/self_domain'. Programs depending on old assumption 2665 need to be updated. 2665 need to be updated. 2666 2666 2667 @ Add "task auto_domain_transition". 2667 @ Add "task auto_domain_transition". 2668 2668 2669 This is similar to "task manual_domain_ 2669 This is similar to "task manual_domain_transition", but is automatically 2670 applied whenever conditions are met. Fo 2670 applied whenever conditions are met. 
For example, 2671 2671 2672 task auto_domain_transition <kernel> 2672 task auto_domain_transition <kernel> //./non-root task.uid!=0 2673 2673 2674 will automatically jump to "<kernel> // 2674 will automatically jump to "<kernel> //./non-root" domain if current 2675 process's UID is not 0 whereas 2675 process's UID is not 0 whereas 2676 2676 2677 task manual_domain_transition <kernel 2677 task manual_domain_transition <kernel> //./non-root task.uid!=0 2678 2678 2679 will jump to "<kernel> //./non-root" do 2679 will jump to "<kernel> //./non-root" domain if current process's UID is 2680 not 0 and current process wrote "<kerne 2680 not 0 and current process wrote "<kernel> //./non-root" to 2681 /proc/ccs/self_domain interface. 2681 /proc/ccs/self_domain interface. 2682 2682 2683 If domain transition failed, current pr 2683 If domain transition failed, current process will be killed by SIGKILL 2684 signal. 2684 signal. 2685 2685 2686 @ Optimize for object's size. 2686 @ Optimize for object's size. 2687 2687 2688 I merged similar code in order to reduc 2688 I merged similar code in order to reduce object's filesize. 2689 2689 2690 Version 1.8.0 2010/11/11 Fifth anniversary 2690 Version 1.8.0 2010/11/11 Fifth anniversary release. 2691 2691 2692 Fix 2010/12/01 2692 Fix 2010/12/01 2693 2693 2694 @ Use same interface for audit logs. 2694 @ Use same interface for audit logs. 2695 2695 2696 To be able to perform fine grained filt 2696 To be able to perform fine grained filtering by /usr/sbin/ccs-auditd , 2697 I merged /proc/ccs/grant_log and /proc/ 2697 I merged /proc/ccs/grant_log and /proc/ccs/reject_log as 2698 /proc/ccs/audit and added granted=yes o 2698 /proc/ccs/audit and added granted=yes or granted=no to audit logs. 2699 2699 2700 Fix 2010/12/17 2700 Fix 2010/12/17 2701 2701 2702 @ Split ccs_null_security into ccs_defaul 2702 @ Split ccs_null_security into ccs_default_security and ccs_oom_security. 
2703 2703 2704 ccs_null_security is used by preserve K 2704 ccs_null_security is used by preserve KABI compatibility option and is 2705 used for providing default values again 2705 used for providing default values against threads which have not yet 2706 allocated memory for their security con 2706 allocated memory for their security contexts. 2707 2707 2708 If current thread failed to allocate me 2708 If current thread failed to allocate memory for current thread's security 2709 context, current thread uses ccs_null_s 2709 context, current thread uses ccs_null_security. Since current thread is 2710 allowed to modify current thread's secu 2710 allowed to modify current thread's security context, current thread might 2711 modify ccs_null_security which should n 2711 modify ccs_null_security which should not be modified for any reason. 2712 2712 2713 Therefore, I split ccs_null_security in 2713 Therefore, I split ccs_null_security into ccs_default_security and 2714 ccs_oom_security and use ccs_oom_securi 2714 ccs_oom_security and use ccs_oom_security when current thread failed to 2715 allocate memory for current thread's se 2715 allocate memory for current thread's security context. 2716 2716 2717 Threads which do not share ccs_oom_secu 2717 Threads which do not share ccs_oom_security are not affected by threads 2718 which share ccs_oom_security. Threads w 2718 which share ccs_oom_security. Threads which share ccs_oom_security will 2719 experience temporary inconsistency, but 2719 experience temporary inconsistency, but such threads are about to be 2720 killed by SIGKILL signal. 2720 killed by SIGKILL signal. 2721 2721 2722 Fix 2011/01/11 2722 Fix 2011/01/11 2723 2723 2724 @ Use filesystem name for unnamed devices 2724 @ Use filesystem name for unnamed devices when vfsmount is missing. 2725 2725 2726 "Change pathname for non-rename()able f 2726 "Change pathname for non-rename()able filesystems." 
changed to use 2727 "$fsname:" if the filesystem does not s 2727 "$fsname:" if the filesystem does not support rename() operation and 2728 "dev($major,$minor):" otherwise when vf 2728 "dev($major,$minor):" otherwise when vfsmount is missing. But it turned 2729 out that it is useless to use "dev($maj 2729 out that it is useless to use "dev($major,$minor):" for unnamed devices 2730 (filesystems with $major == 0). Thus, I 2730 (filesystems with $major == 0). Thus, I changed to use "$fsname:" rather 2731 than "dev($major,$minor):" for filesyst 2731 than "dev($major,$minor):" for filesystems with $major == 0 when vfsmount 2732 is missing. 2732 is missing. 2733 2733 2734 Fix 2011/02/07 2734 Fix 2011/02/07 2735 2735 2736 @ Fix infinite loop bug when reading /pro 2736 @ Fix infinite loop bug when reading /proc/ccs/audit or /proc/ccs/query . 2737 2737 2738 In ccs_flush(), head->r.w[0] holds poin 2738 In ccs_flush(), head->r.w[0] holds pointer to string data to be printed. 2739 But head->r.w[0] was updated only when 2739 But head->r.w[0] was updated only when the string data was partially 2740 printed (because head->r.w[0] will be u 2740 printed (because head->r.w[0] will be updated by head->r.w[1] later if 2741 completely printed). However, regarding 2741 completely printed). However, regarding /proc/ccs/audit and 2742 /proc/ccs/query , an additional '\0' is 2742 /proc/ccs/query , an additional '\0' is printed after the string data was 2743 completely printed. But if free space f 2743 completely printed. But if free space for read buffer became 0 before 2744 printing the additional '\0', ccs_flush 2744 printing the additional '\0', ccs_flush() was returning without updating 2745 head->r.w[0]. As a result, ccs_flush() 2745 head->r.w[0]. As a result, ccs_flush() forever reprints already printed 2746 string data. 2746 string data. 
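
    The reprint loop described in the 2011/02/07 entry, reduced to a small
    constructed model in C. This is an added example and not TOMOYO's
    ccs_flush() or "struct ccs_io_buffer": the names io_buffer, flush(),
    pop_front() and drain(), the fixed/buggy switch and the sample records
    are assumptions made for the illustration. drain() reads the queue
    through a fixed-size reader buffer; with the buggy bookkeeping and an
    11-byte buffer (exactly the length of the first record) the read never
    finishes, while the same data drains once progress is recorded before
    the trailing '\0' is attempted.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PENDING 4

/* Constructed model (not TOMOYO's code) of the read-side state that
 * ccs_flush() drains: w[0] is the string currently being copied to the
 * reader and w[1..] are queued behind it. need_nul models /proc/ccs/audit
 * and /proc/ccs/query, where every record is followed by a '\0'. */
struct io_buffer {
    const char *w[MAX_PENDING];
    int w_cnt;
    int need_nul;
};

/* Drop w[0] and pull the queue forward: w[1] replaces w[0] once a string
 * has been completely printed. */
static void pop_front(struct io_buffer *head)
{
    memmove(&head->w[0], &head->w[1],
            (size_t)(head->w_cnt - 1) * sizeof(head->w[0]));
    head->w_cnt--;
}

/* Copy pending data into buf, which has avail bytes free. Returns the
 * number of bytes written. With fixed == 0 this reproduces the bug fixed on
 * 2011/02/07: w[0] is advanced only on a partial print, so when the buffer
 * fills right after a string and before its trailing '\0', the function
 * returns with w[0] still pointing at the start of that string and the next
 * read() prints it again. With fixed == 1, progress is recorded as soon as
 * the string itself is completely printed. */
static size_t flush(struct io_buffer *head, char *buf, size_t avail, int fixed)
{
    size_t written = 0;

    while (head->w_cnt > 0) {
        const char *s = head->w[0];
        size_t len = strlen(s);

        if (len > avail) {
            /* Partial print: both versions remember how far we got. */
            memcpy(buf, s, avail);
            head->w[0] = s + avail;
            return written + avail;
        }
        memcpy(buf, s, len);
        buf += len;
        avail -= len;
        written += len;
        if (fixed)
            head->w[0] = s + len;   /* completely printed: only '\0' left */
        if (head->need_nul) {
            if (avail == 0)
                return written;     /* buggy version loses its place here */
            *buf++ = '\0';
            avail--;
            written++;
        }
        pop_front(head);
    }
    return written;
}

/* Read everything through a reader buffer of bufsize bytes, in at most
 * max_calls read() calls. Returns the total number of bytes delivered, or
 * -1 if the queue was not drained in time (the infinite-loop symptom). */
static long drain(int fixed, size_t bufsize, int max_calls)
{
    /* Constructed sample records, each to be followed by a '\0'. */
    struct io_buffer head = { { "granted=yes", "granted=no" }, 2, 1 };
    char buf[64];
    long total = 0;
    int calls;

    if (bufsize == 0 || bufsize > sizeof(buf))
        return -1;
    for (calls = 0; calls < max_calls && head.w_cnt > 0; calls++)
        total += (long)flush(&head, buf, bufsize, fixed);
    return head.w_cnt == 0 ? total : -1;
}

int main(void)
{
    printf("fixed, 11-byte reads: %ld bytes\n", drain(1, 11, 10));
    printf("buggy, 11-byte reads: %ld bytes\n", drain(0, 11, 10));
    printf("buggy, 64-byte reads: %ld bytes\n", drain(0, 64, 10));
    return 0;
}
```

    The lesson for any /proc read handler: the position marker has to be
    advanced on every path that can return, not only the partial-copy path,
    or a reader whose buffer boundary coincides with a record boundary will
    spin forever; with a large buffer the buggy variant looks perfectly
    healthy, which is why the bug survived.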

Fix 2011/03/01

  @ Run garbage collector without waiting for /proc/ccs/ users.

    Currently TOMOYO holds SRCU lock upon open() and releases it upon close()
    because list elements stored in the "struct ccs_io_buffer" instances are
    accessed until close() is called. However, such SRCU usage causes lockdep
    to complain about leaving the kernel with SRCU lock held. Therefore,
    I changed to hold/release SRCU upon each read()/write() by selectively
    deferring kfree() by keeping track of the "struct ccs_io_buffer"
    instances.

Fix 2011/03/05

  @ Support built-in policy configuration.

    To be able to start using enforcing mode from the early stage of boot
    sequence, I added support for built-in policy configuration and
    activating access control without calling external policy loader program.

    This will be useful for systems where operations which can lead to the
    hijacking of the boot sequence are needed before loading the policy.
    For example, you can activate immediately after loading the fixed part of
    policy which will allow only operations needed for mounting a partition
    which contains the variant part of policy and verifying (e.g. running GPG
    check) and loading the variant part of policy. Since you can start using
    enforcing mode from the beginning, you can reduce the possibility of
    hijacking the boot sequence.

Fix 2011/03/10

  @ Remove /proc/ccs/meminfo interface.

    Please use /proc/ccs/stat interface instead.

Fix 2011/03/15

  @ Pack policy when printing via /proc/ccs/ interface.

    The kernel side is ready for accepting packed input like

      file read/write/execute /path/to/file

    but was using unpacked output like

      file read /path/to/file
      file write /path/to/file
      file execute /path/to/file

    because most of userland tools were not ready for accepting packed input.

    The advantages of using packed policy are that it makes policy files
    smaller and it speeds up loading/saving policy files.

    Since most of userland tools are ready for accepting packed input by now,
    I changed to use packed policy for both input and output.

Fix 2011/03/31

  @ Fix conditional policy parsing.

    Since exec.realpath= and symlink.target= accept path_group,
    symlink.target="@foo" was by error parsed as symlink.target=@foo .

  @ Serialize updating profile's comment line.

    We need to serialize when updating COMMENT= line in /proc/ccs/profile .

Version 1.8.1 2011/04/01 Usability enhancement with "Zettai, Daijoubudayo" release!

Fix 2011/04/03

  @ Fix fcntl(F_SETFL, O_APPEND) handling.

    Since 1.8.0, TOMOYO was by error checking "file write" permission rather
    than "file append" permission when changing file's writing mode from
    "overwriting" to "append".

    This error should impact little (except CentOS 6.0 kernels) because once
    a file was opened for "overwriting" mode, changing that file to "append"
    mode cannot undo overwriting the file. Regarding CentOS 6.0 kernels,
    due to different ACC_MODE definition, TOMOYO was by error needlessly
    checking "file read" permission when fcntl() was requested.

Fix 2011/04/20

  @ Remove unused "struct inode *" parameter from hooks.

    Since pre-vfs functions were removed on 2010/09/18, "struct inode *"
    parameter which was used for checking parent directory's DAC permission
    is no longer used.

    Note that "struct ccsecurity_operations ccsecurity_ops" has changed.
    Loadable kernel modules that depend on it need to be rebuilt.

Fix 2011/05/05

  @ Fix wrong profile number in audit logs for "misc env" permission.

    Profile number used for "file execute" permission was by error reused
    when generating audit logs for "misc env" permission.

Fix 2011/05/11

  @ Fix wrong domainname validation.

    "<kernel>" + "/foo/\" + "/bar" was by error checked when
    "<kernel> /foo/\* /bar" was given. As a result, legal domainnames like
    "<kernel> /foo/\* /bar" are rejected.

Fix 2011/06/06

  @ Add policy namespace support.

    To be able to use TOMOYO in LXC environments, I introduced policy
    namespace. Each policy namespace has its own set of domain policy,
    exception policy and profiles, which are all independent of other
    namespaces.

  @ Remove CONFIG_CCSECURITY_BUILTIN_INITIALIZERS option.

    From now on, exception policy and manager need to be able to handle
    policy namespace (which is a <$namespace> prefix added to each line).
    Thus, space-separated list for CONFIG_CCSECURITY_BUILTIN_INITIALIZERS is
    no longer suitable for handling policy namespace.

Fix 2011/06/10

  @ Allow specifying trigger for activation.

    To be able to use TOMOYO under systemd environments where init= parameter
    is used, I changed to allow overriding the trigger for calling external
    policy loader and activating MAC via kernel command line options.

Fix 2011/06/14

  @ Remove unused "struct inode *" parameter from ccs-patch-\*.diff .

    To follow changes I made on 2011/04/20, I removed "struct inode *" from
    ccs_mknod_permission(), ccs_mkdir_permission(), ccs_rmdir_permission(),
    ccs_unlink_permission(), ccs_symlink_permission(), ccs_link_permission(),
    ccs_rename_permission() that are called from fs/namei.c
    net/unix/af_unix.c include/linux/security.c security/security.c .
    If you have your own ccs-patch-*.diff , please update accordingly.

Version 1.8.2 2011/06/20 Usability enhancement release.

Fix 2011/07/07

  @ Remove /proc/ccs/.domain_status interface.

    Writing to /proc/ccs/.domain_status can be emulated by

      ( echo "select " $domainname; echo "use_profile " $profile ) |
      /usr/sbin/ccs-loadpolicy -d

    and reading from /proc/ccs/.domain_status can be emulated by

      grep -A 1 '^<' /proc/ccs/domain_policy |
      awk ' { if ( domainname == "" ) { if ( substr($1, 1, 1) == "<" )
      domainname = $0; } else if ( $1 == "use_profile" ) {
      print $2 " " domainname; domainname = ""; } } ; '

    . Since this interface is used by only /usr/sbin/ccs-setprofile ,
    remove this interface by updating /usr/sbin/ccs-setprofile .

Fix 2011/07/09

  @ Fix /proc/ccs/stat parser.

    For optimization, I changed to use simple_strtoul() rather than sscanf()
    in ccs_write_stat(). But it caused parsing failure if space is inserted
    before value (e.g. "Memory used by policy: $value").

Fix 2011/07/13

  @ Accept "::" notation for IPv6 address.

    In order to add network access restriction to TOMOYO 2.4, I backported
    routines for parsing/printing IPv4/IPv6 address from kernel 3.0 into
    TOMOYO 1.8.2.
    Now, IPv6 address accepts "::1" instead of "0:0:0:0:0:0:0:1".

Fix 2011/09/03

  @ Avoid race when retrying "file execute" permission check.

    There was a race window in which the pathname subjected to "file execute"
    permission check could differ when retrying via supervisor's decision,
    because the pathname was recalculated upon retry. Though, there is an
    inevitable race window even without supervisor, for we have to calculate
    the symbolic link's pathname from "struct linux_binprm"->filename rather
    than from "struct linux_binprm"->file because we cannot back calculate
    the symbolic link's pathname from the dereferenced pathname.

  @ Remove unneeded daemonize().

    Garbage collector thread is created using kthread_create() since 2.6.7.
    Kernel threads created by kthread_create() do not need to call
    daemonize().

Fix 2011/09/16

  @ Allow specifying domain transition preference.

    I got an opinion that it is difficult to use exception policy's domain
    transition control directives because they need to match the pathname
    specified to "file execute" directives. For example, if "file execute
    /bin/\*\-ls\-cat" is given, corresponding domain transition control
    directive needs to be like "no_keep_domain /bin/\*\-ls\-cat from any".

    To solve this difficulty, I introduced optional argument that supersedes
    exception policy's domain transition control directives.
2961 2961 2962 file execute /bin/ls keep exec.realpa 2962 file execute /bin/ls keep exec.realpath="/bin/ls" exec.argv[0]="ls" 2963 file execute /bin/cat keep exec.realp 2963 file execute /bin/cat keep exec.realpath="/bin/cat" exec.argv[0]="cat" 2964 file execute /bin/\*\-ls\-cat child 2964 file execute /bin/\*\-ls\-cat child 2965 file execute /usr/sbin/httpd <apache> 2965 file execute /usr/sbin/httpd <apache> exec.realpath="/usr/sbin/httpd" exec.argv[0]="/usr/sbin/httpd" 2966 2966 2967 This argument allows transition to diff 2967 This argument allows transition to different domains based on conditions. 2968 2968 2969 <kernel> /usr/sbin/sshd 2969 <kernel> /usr/sbin/sshd 2970 file execute /bin/bash <kernel> /usr/ 2970 file execute /bin/bash <kernel> /usr/sbin/sshd //batch-session exec.argc=2 exec.argv[1]="-c" 2971 file execute /bin/bash <kernel> /usr/ 2971 file execute /bin/bash <kernel> /usr/sbin/sshd //root-session task.uid=0 2972 file execute /bin/bash <kernel> /usr/ 2972 file execute /bin/bash <kernel> /usr/sbin/sshd //nonroot-session task.uid!=0 2973 2973 2974 Fix 2011/09/25 2974 Fix 2011/09/25 2975 2975 2976 @ Simplify garbage collector. 2976 @ Simplify garbage collector. 2977 2977 2978 It turned out that use of batched proce 2978 It turned out that use of batched processing tends to choke garbage 2979 collector when certain pattern of entri 2979 collector when certain pattern of entries are queued. Thus, I replaced it 2980 with sequential processing. 2980 with sequential processing. 2981 2981 2982 Version 1.8.3 2011/09/29 Usability enhanc 2982 Version 1.8.3 2011/09/29 Usability enhancement release. 2983 2983 2984 Fix 2011/10/24 2984 Fix 2011/10/24 2985 2985 2986 @ Fix incomplete read after seek. 2986 @ Fix incomplete read after seek. 2987 2987 2988 ccs_flush() tries to flush data to be r 2988 ccs_flush() tries to flush data to be read as soon as possible. 
2989 ccs_select_domain() (which is called by 2989 ccs_select_domain() (which is called by write()) enqueues data which 2990 meant to be read by next read(), but pr 2990 meant to be read by next read(), but previous read()'s read buffer's 2991 size was not cleared. As a result, sinc 2991 size was not cleared. As a result, since 1.8.0, sequence like 2992 2992 2993 char *cp = "select global-pid=1\n"; 2993 char *cp = "select global-pid=1\n"; 2994 read(fd, buf1, sizeof(buf1)); 2994 read(fd, buf1, sizeof(buf1)); 2995 write(fd, cp, strlen(cp)); 2995 write(fd, cp, strlen(cp)); 2996 read(fd, buf2, sizeof(buf2)); 2996 read(fd, buf2, sizeof(buf2)); 2997 2997 2998 causes enqueued data to be flushed to b 2998 causes enqueued data to be flushed to buf1 rather than buf2. 2999 2999 3000 @ Use query id for reaching target proces 3000 @ Use query id for reaching target process's domain policy. 3001 3001 3002 Use query id for reaching target proces 3002 Use query id for reaching target process's domain policy rather than 3003 target process's global PID. This is fo 3003 target process's global PID. This is for synchronizing with TOMOYO 2.x, 3004 but this change makes /usr/sbin/ccs-que 3004 but this change makes /usr/sbin/ccs-queryd more reliable because the 3005 kernel will return empty domain policy 3005 kernel will return empty domain policy when the query has expired before 3006 ccs-queryd reaches target process's dom 3006 ccs-queryd reaches target process's domain policy. 3007 3007 3008 @ Fix quota counting. 3008 @ Fix quota counting. 3009 3009 3010 "task manual_domain_transition" should 3010 "task manual_domain_transition" should not be counted for quota as with 3011 "task auto_domain_transition"/"task aut 3011 "task auto_domain_transition"/"task auto_execute_handler"/ 3012 "task denied_execute_handler" because t 3012 "task denied_execute_handler" because these are not appended by learning 3013 mode. 3013 mode. 
3014 3014 3015 Fix 2011/11/11 3015 Fix 2011/11/11 3016 3016 3017 @ Optimize for object's size. 3017 @ Optimize for object's size. 3018 3018 3019 I rearranged functions/variables into t 3019 I rearranged functions/variables into three groups in order to reduce 3020 object's filesize. Also, I added kernel 3020 object's filesize. Also, I added kernel config options for reducing more 3021 by excluding unnecessary functionality. 3021 by excluding unnecessary functionality. 3022 3022 3023 Fix 2011/11/18 3023 Fix 2011/11/18 3024 3024 3025 @ Fix kernel config mapping error. 3025 @ Fix kernel config mapping error. 3026 3026 3027 Due to a typo in ccs_p2mac definition, 3027 Due to a typo in ccs_p2mac definition, mode for CONFIG::file::execute was 3028 by error used when checking "file getat 3028 by error used when checking "file getattr" permission. Most users will 3029 not be affected by this error because C 3029 not be affected by this error because CONFIG::file::execute and 3030 CONFIG::file::getattr are by default co 3030 CONFIG::file::getattr are by default configured to use CONFIG::file or 3031 CONFIG settings. 3031 CONFIG settings. 3032 3032 3033 Fix 2011/12/13 3033 Fix 2011/12/13 3034 3034 3035 @ Follow __d_path() behavior change. (Onl 3035 @ Follow __d_path() behavior change. (Only 2.6.36 and later) 3036 3036 3037 The behavior of __d_path() has changed 3037 The behavior of __d_path() has changed in 3.2-rc5. __d_path() now returns 3038 NULL when the pathname cannot be calcul 3038 NULL when the pathname cannot be calculated. You must update to this 3039 version when using with 3.2-rc5 and lat 3039 version when using with 3.2-rc5 and later kernels, or the kernel will 3040 panic because ccs_get_absolute_path() t 3040 panic because ccs_get_absolute_path() triggers NULL pointer dereference. 3041 3041 3042 The patch that changed the behavior of 3042 The patch that changed the behavior of __d_path() might be backported to 3043 2.6.36 to 3.1 kernels. 
You must update 3043 2.6.36 to 3.1 kernels. You must update to this version if the patch was 3044 backported, or you will experience the 3044 backported, or you will experience the kernel panic as with 3.2-rc5. 3045 3045 3046 The patch that changed the behavior of 3046 The patch that changed the behavior of __d_path() also changed the way of 3047 handling pathnames under lazy-unmounted 3047 handling pathnames under lazy-unmounted directory. Until now, TOMOYO was 3048 using incomplete pathnames returned by 3048 using incomplete pathnames returned by __d_path() when the pathname is 3049 under lazy-unmounted directory. But fro 3049 under lazy-unmounted directory. But from now on, TOMOYO uses different 3050 pathnames returned by ccs_get_local_pat 3050 pathnames returned by ccs_get_local_path() when the pathname is under 3051 lazy-unmounted directory (because __d_p 3051 lazy-unmounted directory (because __d_path() no longer returns it). 3052 3052 3053 Since applications unlikely do lazy unm 3053 Since applications unlikely do lazy unmounts, requesting pathnames under 3054 lazy-unmounted directory should not hap 3054 lazy-unmounted directory should not happen unless the administrator 3055 explicitly does lazy unmounts. But path 3055 explicitly does lazy unmounts. But pathnames which is defined for such 3056 conditions in the policy file (if any) 3056 conditions in the policy file (if any) will need to be rewritten. 3057 3057 3058 Fix 2012/01/20 3058 Fix 2012/01/20 3059 3059 3060 @ Follow changes in 3.3-rc1. 3060 @ Follow changes in 3.3-rc1. 3061 3061 3062 Use umode_t rather than mode_t. 3062 Use umode_t rather than mode_t. 3063 Remove ipv6_addr_copy() usage. 3063 Remove ipv6_addr_copy() usage. 3064 3064 3065 Fix 2012/02/25 3065 Fix 2012/02/25 3066 3066 3067 @ Follow changes in linux-next. 3067 @ Follow changes in linux-next. 3068 3068 3069 UMH_WAIT_PROC constant (currently 1) is 3069 UMH_WAIT_PROC constant (currently 1) is scheduled for renumbering in 3.4. 
3070 3070 3071 Use UMH_WAIT_PROC constant instead of h 3071 Use UMH_WAIT_PROC constant instead of hardcoded constant in preparation 3072 for backporting call_usermodehelper() r 3072 for backporting call_usermodehelper() related changes. If renumbering was 3073 backported, you will start experiencing 3073 backported, you will start experiencing the kernel panic upon execution 3074 of external policy loader (i.e. /sbin/c 3074 of external policy loader (i.e. /sbin/ccs-init), for the kernel will no 3075 longer wait for completion of external 3075 longer wait for completion of external policy loader process. 3076 3076 3077 Although I changed to use UMH_WAIT_PROC 3077 Although I changed to use UMH_WAIT_PROC constant, this change could fail 3078 to detect renumbering in 2.6.22 and ear 3078 to detect renumbering in 2.6.22 and earlier kernels, for UMH_WAIT_PROC 3079 constant is currently available to only 3079 constant is currently available to only 2.6.23 and later kernels. If you 3080 started to experience the kernel panic, 3080 started to experience the kernel panic, please check whether renumbering 3081 was backported or not. 3081 was backported or not. 3082 3082 3083 Fix 2012/02/29 3083 Fix 2012/02/29 3084 3084 3085 @ Fix mount flags checking order. 3085 @ Fix mount flags checking order. 3086 3086 3087 Userspace can pass in arbitrary combina 3087 Userspace can pass in arbitrary combinations of MS_* flags to mount(). 3088 3088 3089 If both MS_BIND and one of MS_SHARED/MS 3089 If both MS_BIND and one of MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE 3090 are passed, device name which should be 3090 are passed, device name which should be checked for MS_BIND was not 3091 checked because MS_SHARED/MS_PRIVATE/MS 3091 checked because MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE had higher 3092 priority than MS_BIND. 3092 priority than MS_BIND. 
3093 3093 3094 If both one of MS_BIND/MS_MOVE and MS_R 3094 If both one of MS_BIND/MS_MOVE and MS_REMOUNT are passed, device name 3095 which should not be checked for MS_REMO 3095 which should not be checked for MS_REMOUNT was checked because MS_BIND/ 3096 MS_MOVE had higher priority than MS_REM 3096 MS_MOVE had higher priority than MS_REMOUNT. 3097 3097 3098 Fix these bugs by changing priority to 3098 Fix these bugs by changing priority to MS_REMOUNT -> MS_BIND -> 3099 MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBIND 3099 MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE -> MS_MOVE as with do_mount() 3100 does. Also, I changed to unconditionall 3100 does. Also, I changed to unconditionally return -EINVAL if more than one 3101 of MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNB 3101 of MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE is passed so that TOMOYO 3102 will not generate inaccurate audit logs 3102 will not generate inaccurate audit logs, for commit 7a2e8a8f "VFS: Sanity 3103 check mount flags passed to change_mnt_ 3103 check mount flags passed to change_mnt_propagation()" clarified that 3104 these flags must be exclusively passed. 3104 these flags must be exclusively passed. 3105 3105 3106 Fix 2012/03/08 3106 Fix 2012/03/08 3107 3107 3108 @ Allow returning other errors when ptrac 3108 @ Allow returning other errors when ptrace permission cannot be checked. 3109 3109 3110 Currently -EPERM is returned when ccs_p 3110 Currently -EPERM is returned when ccs_ptrace_permission() returned an 3111 error code. I changed to return return 3111 error code. I changed to return return value from ccs_ptrace_permission() 3112 so that we can return -ESRCH when targe 3112 so that we can return -ESRCH when target process was not found. 3113 3113 3114 Fix 2012/03/16 3114 Fix 2012/03/16 3115 3115 3116 @ Return appropriate value to poll(). 3116 @ Return appropriate value to poll(). 
3117 3117 3118 Return POLLIN | POLLRDNORM | POLLOUT | 3118 Return POLLIN | POLLRDNORM | POLLOUT | POLLWRNORM if ready to read/write, 3119 POLLOUT | POLLWRNORM otherwise. 3119 POLLOUT | POLLWRNORM otherwise. 3120 3120 3121 Fix 2012/04/22 3121 Fix 2012/04/22 3122 3122 3123 @ Readd RHEL_MINOR/AX_MINOR checks. 3123 @ Readd RHEL_MINOR/AX_MINOR checks. 3124 3124 3125 This check was added in revision 2346 a 3125 This check was added in revision 2346 and was removed in revision 4084. 3126 3126 3127 Add it back in order to support RHEL 5. 3127 Add it back in order to support RHEL 5.0, 5.1, 5.2 kernels. 3128 3128 3129 @ Fix skb_kill_datagram() for kernels 2.6 3129 @ Fix skb_kill_datagram() for kernels 2.6.0 - 2.6.11. 3130 3130 3131 Commit 208d8984 "[IPV4]: Fix BUG() in 2 3131 Commit 208d8984 "[IPV4]: Fix BUG() in 2.6.x, udp_poll(), fragments + 3132 CONFIG_HIGHMEM" clarified that skb_kill 3132 CONFIG_HIGHMEM" clarified that skb_kill_datagram() should use 3133 spin_lock_bh()/spin_unlock_bh() rather 3133 spin_lock_bh()/spin_unlock_bh() rather than 3134 spin_lock_irq()/spin_unlock_irq(). 3134 spin_lock_irq()/spin_unlock_irq(). 3135 3135 3136 RHEL 4.9 (2.6.9) kernel has that patch 3136 RHEL 4.9 (2.6.9) kernel has that patch backported. So do I. 3137 3137 3138 @ Fix missing locks for RHEL 5.2-5.8 kern 3138 @ Fix missing locks for RHEL 5.2-5.8 kernels. 3139 3139 3140 Since RHEL 5.2 and later kernels have b 3140 Since RHEL 5.2 and later kernels have backported commit 95766fff 3141 "[UDP]: Add memory accounting." patch, 3141 "[UDP]: Add memory accounting." patch, TOMOYO needs to call 3142 lock_sock()/release_sock() around skb_k 3142 lock_sock()/release_sock() around skb_kill_datagram() call when UDP 3143 packet was dropped by TOMOYO. 3143 packet was dropped by TOMOYO. 3144 3144 3145 Fix 2012/04/28 3145 Fix 2012/04/28 3146 3146 3147 @ Accept manager programs which do not st 3147 @ Accept manager programs which do not start with / . 
3148 3148 3149 The pathname of /usr/sbin/ccs-editpolic 3149 The pathname of /usr/sbin/ccs-editpolicy seen from Ubuntu 12.04 Live 3150 CD is squashfs:/usr/sbin/ccs-editpolicy 3150 CD is squashfs:/usr/sbin/ccs-editpolicy rather than 3151 /usr/sbin/ccs-editpolicy . Therefore, w 3151 /usr/sbin/ccs-editpolicy . Therefore, we need to accept manager 3152 programs which do not start with / . 3152 programs which do not start with / . 3153 3153 3154 Fix 2012/10/08 3154 Fix 2012/10/08 3155 3155 3156 @ Fix KABI breakage on Ubuntu 12.10. 3156 @ Fix KABI breakage on Ubuntu 12.10. 3157 3157 3158 I was using include/linux/security.h as 3158 I was using include/linux/security.h as the common path for pulling in 3159 include/linux/ccsecurity.h so that I ca 3159 include/linux/ccsecurity.h so that I can avoid scattering #include line. 3160 3160 3161 When scripts/genksyms/genksyms calculat 3161 When scripts/genksyms/genksyms calculates hash values for Module.symvers 3162 file, it uses the extracted form of inv 3162 file, it uses the extracted form of involved structures if the structure 3163 layout is known but it instead uses UNK 3163 layout is known but it instead uses UNKNOWN if the structure layout is 3164 not known. Therefore, pulling in includ 3164 not known. Therefore, pulling in include files that define structure's 3165 layout from include/linux/ccsecurity.h 3165 layout from include/linux/ccsecurity.h causes changes in the hash values 3166 and causes KABI breakage, even if no ch 3166 and causes KABI breakage, even if no changes were made to the involved 3167 structures. 3167 structures. 3168 3168 3169 Fix this breakage by avoiding pulling i 3169 Fix this breakage by avoiding pulling in include/linux/sched.h and 3170 include/linux/dcache.h from include/lin 3170 include/linux/dcache.h from include/linux/ccsecurity.h where possible. 3171 3171 3172 Fix 2015/01/01 3172 Fix 2015/01/01 3173 3173 3174 @ Fix missing chmod(-1) check in Linux 3. 
3174 @ Fix missing chmod(-1) check in Linux 3.1 and later kernels. 3175 3175 3176 Commit e57712ebebbb9db7 "merge fchmod() 3176 Commit e57712ebebbb9db7 "merge fchmod() and fchmodat() guts, kill 3177 ancient broken kludge" changed chmod(-1 3177 ancient broken kludge" changed chmod(-1) from no-op to setting to 3178 07777. Therefore, TOMOYO must not ignor 3178 07777. Therefore, TOMOYO must not ignore chmod(-1) case. 3179 3179 3180 @ Fix potentially using bogus attributes 3180 @ Fix potentially using bogus attributes when stat() fails. 3181 3181 3182 We should reset attributes information 3182 We should reset attributes information when executing execute_handler 3183 program, or attributes of original prog 3183 program, or attributes of original program could be used when stat() 3184 on execute_handler program failed. 3184 on execute_handler program failed. 3185 3185 3186 Fix 2015/04/08 3186 Fix 2015/04/08 3187 3187 3188 @ Fix incorrect readdir() permission chec 3188 @ Fix incorrect readdir() permission check. 3189 3189 3190 CONFIG_CCSECURITY_FILE_READDIR was mean 3190 CONFIG_CCSECURITY_FILE_READDIR was meant for allowing users to control 3191 readdir() permission check. However, CO 3191 readdir() permission check. However, CONFIG_CCSECURITY_FILE_GETATTR was 3192 by error used for controlling readdir() 3192 by error used for controlling readdir() permission check. This fix 3193 should not affect kernels built with de 3193 should not affect kernels built with default configuration, for both 3194 CONFIG_CCSECURITY_FILE_READDIR and CONF 3194 CONFIG_CCSECURITY_FILE_READDIR and CONFIG_CCSECURITY_FILE_GETATTR are 3195 defined by default. 3195 defined by default. 3196 3196 3197 Fix 2015/04/15 3197 Fix 2015/04/15 3198 3198 3199 @ Fix incorrect retry request check. 3199 @ Fix incorrect retry request check. 3200 3200 3201 When a request was asked to retry, acl_ 3201 When a request was asked to retry, acl_group referenced by domain's 3202 use_group keyword was by error ignored. 
3202 use_group keyword was by error ignored. As a result, retrying was not 3203 able to use permissions defined by acl_ 3203 able to use permissions defined by acl_group. 3204 3204 3205 Fix 2015/05/01 3205 Fix 2015/05/01 3206 3206 3207 @ Support multiple use_group entries. 3207 @ Support multiple use_group entries. 3208 3208 3209 Until now, each domain can include only 3209 Until now, each domain can include only one use_group entry. 3210 I changed to allow each domain to inclu 3210 I changed to allow each domain to include up to 256 use_group entries. 3211 As a result, you will be able to reduce 3211 As a result, you will be able to reduce duplication of policy by 3212 defining multiple acl_group entries bas 3212 defining multiple acl_group entries based on use cases and including 3213 them from each domain as needed. 3213 them from each domain as needed. 3214 3214 3215 Version 1.8.4 2015/05/05 Usability enhanc 3215 Version 1.8.4 2015/05/05 Usability enhancement release. 3216 3216 3217 Fix 2015/11/08 3217 Fix 2015/11/08 3218 3218 3219 @ Use memory allocation flags used by TOM 3219 @ Use memory allocation flags used by TOMOYO 2.x. 3220 3220 3221 Until now, TOMOYO 1.x was using memory 3221 Until now, TOMOYO 1.x was using memory allocation flags which are weaker 3222 than TOMOYO 2.x in order to make sure t 3222 than TOMOYO 2.x in order to make sure that memory allocation request by 3223 TOMOYO 1.x shall not cause silent livel 3223 TOMOYO 1.x shall not cause silent livelock problem. 3224 3224 3225 But as I learn about this livelock prob 3225 But as I learn about this livelock problem, I understood that this is 3226 not a problem which TOMOYO can manage. 3226 not a problem which TOMOYO can manage. 
While hitting a silent livelock 3227 at memory allocation is a problem, refu 3227 at memory allocation is a problem, refusing critical access requests 3228 by critical processes due to memory all 3228 by critical processes due to memory allocation failure caused by use of 3229 weaker memory allocation flags is also 3229 weaker memory allocation flags is also a problem. 3230 3230 3231 Since situations regarding memory alloc 3231 Since situations regarding memory allocation flags in upstream kernels 3232 are changing, it will be safer to use m 3232 are changing, it will be safer to use memory allocation flags used by 3233 TOMOYO 2.x. 3233 TOMOYO 2.x. 3234 3234 3235 Fix 2015/11/10 3235 Fix 2015/11/10 3236 3236 3237 @ Limit wildcard recursion depth. 3237 @ Limit wildcard recursion depth. 3238 3238 3239 Since wildcards that need recursion con 3239 Since wildcards that need recursion consume kernel stack memory, 3240 we cannot allow infinite recursion. 3240 we cannot allow infinite recursion. 3241 3241 3242 Version 1.8.5 2015/11/11 Tenth anniversar 3242 Version 1.8.5 2015/11/11 Tenth anniversary release. 3243 3243 3244 Fix 2017/02/02 3244 Fix 2017/02/02 3245 3245 3246 @ Use for_each_thread() for GC operation. 3246 @ Use for_each_thread() for GC operation. 3247 3247 3248 while_each_thread() without tasklist_lo 3248 while_each_thread() without tasklist_lock is not safe. 3249 Use for_each_process_thread() if it is 3249 Use for_each_process_thread() if it is available, hold 3250 tasklist_lock otherwise. 3250 tasklist_lock otherwise. 3251 3251 3252 Fix 2018/04/01 3252 Fix 2018/04/01 3253 3253 3254 @ Use smb_rmb() when waiting for initiali 3254 @ Use smb_rmb() when waiting for initialization. 3255 3255 3256 "while (!cond);" is implicitly optimize 3256 "while (!cond);" is implicitly optimized like "if (!cond) while (1);". 3257 Use "while (!cond) smp_rmb();" in order 3257 Use "while (!cond) smp_rmb();" in order to prevent such optimization. 
3258 3258 3259 Fix 2019/07/27 3259 Fix 2019/07/27 3260 3260 3261 @ Change pathname calculation for read-on 3261 @ Change pathname calculation for read-only filesystems. 3262 3262 3263 Commit 5625f2e3266319fd ("TOMOYO: Chang 3263 Commit 5625f2e3266319fd ("TOMOYO: Change pathname for non-rename()able 3264 filesystems.") intended to be applied t 3264 filesystems.") intended to be applied to filesystems where the content is 3265 not controllable from the userspace (e. 3265 not controllable from the userspace (e.g. proc, sysfs, securityfs), based 3266 on an assumption that such filesystems 3266 on an assumption that such filesystems do not support rename() operation. 3267 3267 3268 But it turned out that read-only filesy 3268 But it turned out that read-only filesystems also do not support rename() 3269 operation despite the content is contro 3269 operation despite the content is controllable from the userspace, and that 3270 commit is annoying TOMOYO users who wan 3270 commit is annoying TOMOYO users who want to use e.g. squashfs as the root 3271 filesystem due to use of local name whi 3271 filesystem due to use of local name which does not start with '/'. 3272 3272 3273 Therefore, based on an assumption that 3273 Therefore, based on an assumption that filesystems which require the 3274 device argument upon mount() request is 3274 device argument upon mount() request is an indication that the content 3275 is controllable from the userspace, do 3275 is controllable from the userspace, do not use local name if a filesystem 3276 does not support rename() operation but 3276 does not support rename() operation but requires the device argument upon 3277 mount() request. 3277 mount() request. 3278 3278 3279 @ Reject move_mount() system call for now 3279 @ Reject move_mount() system call for now. 
3280 3280 3281 Commit 2db154b3ea8e14b0 ("vfs: syscall: 3281 Commit 2db154b3ea8e14b0 ("vfs: syscall: Add move_mount(2) to move mounts 3282 around") introduced security_move_mount 3282 around") introduced security_move_mount() LSM hook, but we missed that 3283 TOMOYO and AppArmor did not implement h 3283 TOMOYO and AppArmor did not implement hooks for checking move_mount(2). 3284 Since unchecked mount manipulation is n 3284 Since unchecked mount manipulation is not acceptable, for now pretend 3285 as if move_mount(2) is unavailable. 3285 as if move_mount(2) is unavailable. 3286 3286 3287 @ Don't check open/getattr permission on 3287 @ Don't check open/getattr permission on sockets. 3288 3288 3289 syzbot found that use of SOCKET_I()->sk 3289 syzbot found that use of SOCKET_I()->sk from open() can result in 3290 use after free problem, for socket's in 3290 use after free problem, for socket's inode is still reachable via 3291 /proc/pid/fd/n despite destruction of S 3291 /proc/pid/fd/n despite destruction of SOCKET_I()->sk already completed. 3292 3292 3293 But there is no point with calling secu 3293 But there is no point with calling security_file_open() on sockets 3294 because open("/proc/pid/fd/n", !O_PATH) 3294 because open("/proc/pid/fd/n", !O_PATH) on sockets fails with -ENXIO. 3295 3295 3296 There is some point with calling securi 3296 There is some point with calling security_inode_getattr() on sockets 3297 because stat("/proc/pid/fd/n") and fsta 3297 because stat("/proc/pid/fd/n") and fstat(open("/proc/pid/fd/n", O_PATH)) 3298 are valid. But since information which 3298 are valid. But since information which can be protected by checking 3299 security_inode_getattr() on sockets is 3299 security_inode_getattr() on sockets is trivial, let's not check it. 3300 3300 3301 Version 1.8.6 2019/08/20 Bug fix release. 3301 Version 1.8.6 2019/08/20 Bug fix release. 3302 3302 3303 Fix 2019/12/07 3303 Fix 2019/12/07 3304 3304 3305 @ Don't use nifty names on sockets. 
    @ Don't use nifty names on sockets.

      Revert "Don't check open/getattr permission on sockets.", and then
      get rid of special handling of sockets. As a side effect of this patch,
      "socket:[family=\$:type=\$:protocol=\$]" in the policy files has to be
      rewritten to "socket:[\$]".

Fix 2020/04/09

    @ Fix wrong put_page() usage in ccs_dump_page().

      ccs_dump_page() for 5.6+ was by error using the wrong function to put
      the page.

Fix 2020/05/01

    @ Loosen domainname validation and pathname validation.

      Currently a domainname must start with "<$namespace>" followed by
      zero or more repetitions of a pathname which starts with '/'.

      But it is getting more and more difficult to enforce use of a pathname
      which starts with '/', because an execve() request of a pathname on
      some filesystems causes ccs_realpath() to return a pathname in
      "$fsname:/$pathname" format.

      Fortunately, since $fsname must not contain '.' since Linux 2.6.22,
      we can recognize a token in which '/' appears before '.' (e.g.
      proc:/self/exe ) as a pathname, and a token in which '.' appears
      before '/' (e.g. exec.realpath="/bin/bash" ) as a condition parameter,
      with the exception that a pathname cannot start with
      auto_domain_transition=" because it is reserved as a delimiter string
      for on-match domain transition. Also, we can recognize "<$namespace>"
      followed by such tokens (e.g. <kernel> /foo proc:/self/exe /bar ) as
      a domainname.

Version 1.8.7 2020/05/05 Usability enhancement release.

Fix 2020/07/22

    @ Fix domain transition preference.

      The domain transition preference which was introduced in 1.8.3 has
      by error been ignored since 1.8.3p4, because ccs_update_task_domain()
      called from ccs_write_log2() from ccs_supervisor() from ccs_audit_log()
      always resets r->matched_acl to NULL. Change ccs_update_task_domain()
      not to reset r->matched_acl to NULL.

Fix 2020/08/17

    @ Fix ccs_realpath() fallback.

      ccs_realpath() for 3.17+ was by error not calling ccs_get_local_path()
      when ccs_get_absolute_path() returned -EINVAL.

Fix 2020/08/19

    @ Fix wrong ccs_search_binary_handler() mapping.

      When support for the 5.8 kernel was added, ccs_search_binary_handler()
      for 3.7- was by error mapped to the wrong function.

Fix 2020/10/24

    @ Fix /proc pathname calculation for Linux 5.8+ kernels.

      ccs_realpath() for 5.8+ was by error not using proc_pid_ns() when
      calculating the /proc pathname.

Version 1.8.8 2020/11/11 Fifteenth anniversary release.

Fix 2021/03/13

    @ Skip permission checks for fileless execution requests.

      Kernels from 4.18 to 5.8 use call_usermodehelper_setup_file() for
      starting a program without a valid pathname on a filesystem.
      /sbin/modprobe from the dockerd process could not load the bpfilter.ko
      module because ccs_symlink_path() cannot calculate the pathname of a
      program without a valid pathname. Thus, allow
      call_usermodehelper_setup_file() to bypass permission checks and
      suppress domain transitions.

    @ Fix ccs_kernel_service().

      Kernels from 5.5 to 5.11 use the PF_KTHREAD flag for the io_uring
      worker threads.

Version 1.8.9 2021/04/01 Bug fix release.

Fix 2021/12/28

    @ Check exceeded quota early.

      Backport commit 04e57a2d952bbd34 ("tomoyo: Check exceeded quota early in
      tomoyo_domain_quota_is_ok().") and commit f702e1107601230e ("tomoyo: use
      hwight16() in tomoyo_domain_quota_is_ok()"), because they help reduce
      the overhead of the learning mode. Note that the former patch requires
      you to explicitly delete the "quota_exceeded" entry from the domain
      policy in order to resume the learning mode.

Fix 2024/03/31

    @ Fix a UAF bug introduced by an oversigh

      Backport commit 2f03fc340cac ("tomoyo:
      tomoyo_write_control()").

Version 1.8.10 2024/04/01 Security bug fi

Fix 2024/06/28

    @ Unblock move_mount() system call.

      Since util-linux 2.39 started using lib
      implementing appropriate permission che
      necessary for successfully booting a Li

Version 1.8.11 2024/07/15 Bug fix release
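The token rule in the 2020/05/01 entry ("Loosen domainname validation and pathname validation") is easy to get subtly wrong, so here is a userspace model of it as an added example. This is not TOMOYO project code and does not reproduce the kernel-side parser; the function names (classify_token, is_valid_domainname, is_valid_domainname_legacy) and the TOKEN_* kinds are this example's own. It classifies a single token by whichever of '/' or '.' appears first, treats a token beginning with auto_domain_transition=" as never being a pathname, and validates a domainname line under both the old rule (every pathname starts with '/') and the loosened rule, so the difference on a line such as <kernel> /foo proc:/self/exe /bar is visible.

```c
/*
 * Added example, not TOMOYO project code: a userspace model of the
 * domainname/pathname token rule from the 2020/05/01 changelog entry.
 * The rule is sound because a filesystem name ($fsname) cannot contain
 * '.' since Linux 2.6.22, so "proc:/self/exe" always shows '/' before '.'.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum token_kind {
    TOKEN_PATHNAME,   /* '/' seen before any '.', e.g. /foo or proc:/self/exe */
    TOKEN_CONDITION,  /* '.' seen before any '/', e.g. exec.realpath="/bin/bash" */
    TOKEN_OTHER       /* neither character present; never treated as a pathname */
};

/* Reserved delimiter for on-match domain transition; never a pathname. */
static const char AUTO_DT_PREFIX[] = "auto_domain_transition=\"";
#define AUTO_DT_LEN (sizeof(AUTO_DT_PREFIX) - 1)

enum token_kind classify_token_n(const char *tok, size_t len)
{
    if (len >= AUTO_DT_LEN && memcmp(tok, AUTO_DT_PREFIX, AUTO_DT_LEN) == 0)
        return TOKEN_CONDITION;
    for (size_t i = 0; i < len; i++) {
        if (tok[i] == '/')
            return TOKEN_PATHNAME;
        if (tok[i] == '.')
            return TOKEN_CONDITION;
    }
    return TOKEN_OTHER;
}

enum token_kind classify_token(const char *tok)
{
    return classify_token_n(tok, strlen(tok));
}

/*
 * A domainname is "<namespace>" followed by zero or more pathname tokens,
 * each preceded by exactly one space. With legacy == true the pre-1.8.7
 * rule is applied instead: a pathname token must start with '/'.
 */
static bool check_domainname(const char *line, bool legacy)
{
    if (line[0] != '<')
        return false;
    const char *ns_end = strchr(line, '>');
    if (!ns_end || ns_end == line + 1)
        return false;                       /* missing or empty namespace */
    for (const char *p = line + 1; p < ns_end; p++)
        if (*p == ' ' || *p == '<')
            return false;
    const char *p = ns_end + 1;
    while (*p) {
        if (*p != ' ')
            return false;
        p++;
        const char *end = strchr(p, ' ');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0)
            return false;                   /* double or trailing space */
        bool ok = legacy ? (p[0] == '/')
                         : (classify_token_n(p, len) == TOKEN_PATHNAME);
        if (!ok)
            return false;
        p += len;
    }
    return true;
}

bool is_valid_domainname(const char *line)
{
    return check_domainname(line, false);
}

bool is_valid_domainname_legacy(const char *line)
{
    return check_domainname(line, true);
}

int main(void)
{
    /* Constructed sample lines; the second is what the 2020/05/01 fix accepts. */
    static const char *const lines[] = {
        "<kernel> /foo /bar",
        "<kernel> /foo proc:/self/exe /bar",
        "<kernel> /foo exec.realpath=\"/bin/bash\"",
        "<kernel> /foo auto_domain_transition=\"/bar\"",
        "kernel /foo",
    };
    for (size_t i = 0; i < sizeof(lines) / sizeof(lines[0]); i++)
        printf("legacy=%d new=%d  %s\n",
               is_valid_domainname_legacy(lines[i]),
               is_valid_domainname(lines[i]), lines[i]);
    return 0;
}
```

The auto_domain_transition=" check has to come before the character scan: that token contains no '.' or '/' before the quoted path, so without the exception it would be classified as a pathname, which is exactly the ambiguity the entry calls out.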
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.