1 Notes for TOMOYO Linux project
2
3 This is a handy Mandatory Access Control patch
4 This patch is released under the GPLv2.
5
6 Project URL: https://tomoyo.sourceforge.net/
7
8 The authors of this patch (hereafter, we) don'
9 in kernel programming. We are worried that thi
10 some mistakes such as missing hooks, improper
11 potential deadlocks. There would be better way
12 All kinds of comments, pointing the errors and
13
14 We do hope this patch reduces the labor of ser
15 and you enjoy the life with Linux.
16
17 This project was very inspired by the comic "C
18 one of the CLAMP's masterworks.
19
20 ChangeLog:
21
22 Version 1.0 2005/11/11 First release.
23
24 Fix 2005/11/18
25
26 @ Add setattr() missing hook in SYAORAN fs
27
28 setattr() checking for special inode was
29
30 Fix 2005/11/25
31
32 @ Allow initrd.img include /sbin/init .
33
34 Since version 1.0 loads policy when /sbi
35 for the first time, initrd.img without t
36 mustn't start /sbin/init . This forced u
37 initrd.img that includes /sbin/init .
38 I modified to delay loading policy if th
39 doesn't exist and wait for /sbin/init be
40
41 Fix 2005/12/02
42
43 @ Use lookup_one_len() instead of lookup_h
44
45 Kernel 2.6.15 changed parameters for loo
46 I modified to use lookup_one_len() to ke
47
48 Fix 2005/12/06
49
50 @ Add S_ISDIR() check in SYAORAN fs.
51
52 Malicious configuration file that attemp
53 under non-directory inode caused segment
54
55 Version 1.0.1 2005/12/08 Minor update releas
56
57 Fix 2006/01/04
58
59 @ Add CheckWritePermission() check in unix
60
61 I modified to check write permission in
62 sys_mknod(S_IFSOCK) checks write permiss
63
64 @ Show hook version in proc_misc_init().
65
66 The hook part of this patch depends on t
67 while the rest part of this patch doesn'
68 I added the hook version so that the adm
69 know the last modified date of the hooks
70
71 @ Move permission checks from filp_open()
72
73 I moved the location of checking MAC's p
74 from filp_open() to open_namei().
75
76 @ Fix an error in filp_open(). (only 2.6.
77
78 This error was only in the patch 2.6.15-
79 was fixed in the patch for 2.6.15.
80
81 Fix 2006/01/12
82
83 @ Add /proc/ccs/info/self_domain.
84
85 I added /proc/ccs/info/self_domain so th
86 can know the name of domain they belong
87
88 Fix 2006/01/13
89
90 @ Merge constants for CheckTaskCapability(
91
92 I merged *_INHERITABLE_* and *_LOCAL_* t
93 calling CheckTaskCapability() with both
94
95 @ DropTaskCapability() returns -EAGAIN on
96
97 DropTaskCapability() must not return 0 o
98 DropTaskCapability() is called from do_e
99
100 @ Fix an error for chroot() permission che
101
102 The chroot() restriction was not working
103 CheckChRootPermission() || CheckTaskCapa
104 CheckChRootPermission() | CheckTaskCapab
105
106 Fix 2006/01/17
107
108 @ Suppress some of debug messages in TOMOY
109
110 I added KERN_DEBUG to suppress some of d
111
112 Fix 2006/01/19
113
114 @ Remove isRoot() checks in AddChrootACL()
115
116 I found a program that needs to chroot b
117 So, I stopped checking uid=euid=0 for th
118 "accept mode" can append ACLs.
119 The isRoot() is checked at AddChrootPoli
120
121 @ Map NULL device name to "<NULL>" in AddM
122
123 VMware mounts vmware-hgfs with NULL devi
124 So I mapped NULL device name to "<NULL>"
125
126 Fix 2006/01/20
127
128 @ Suppress some of debug messages in SAKUR
129
130 I added KERN_DEBUG to suppress some of d
131
132 @ Call panic() if failed to load given pro
133
134 Call panic() if profile index was given
135 but the profile doesn't exist.
136 If CCS= parameter is not given, the kern
137 profile 0, but it doesn't call panic() i
138
139 Fix 2006/01/24
140
141 @ Use full_name_hash() for IsGloballyReada
142
143 I modified to use full_name_hash() for f
144
145 @ Add signal checking condition in CheckSi
146
147 The documentation says "if the target do
148 starts with the source domain's domainna
149 but actually it isn't. I'll change the d
150 changing the source code.
151
152 Also, checking for pid = -1 was missing.
153
154 Fix 2006/02/09
155
156 @ Use mutex_lock()/mutex_unlock instead of
157
158 Kernel 2.6.16 changed members of "struct
159 I modified to use mutex_lock()/mutex_unl
160 and down()/up() for before 2.6.16.
161
162 Version 1.0.2 2006/02/14 Many bug-fixes rele
163
164 Fix 2006/02/21
165
166 @ Divide generic-write permission into ind
167
168 Write permission was divided into the fo
169
170 'mkdir' for creating directory.
171 'rmdir' for deleting directory.
172 'create' for creating regular file.
173 'unlink' for deleting non-directory.
174 'mksock' for creating UNIX domain soc
175 'mkfifo' for creating FIFO.
176 'mkchar' for creating character devic
177 'mkblock' for creating block device.
178 'link' for creating hard link.
179 'symlink' for creating symbolic link.
180 'rename' for renaming directory or no
181 'truncate' for truncating regular file.
182
183 The permission check for opening files i
184 conventional read/write/execute permissi
185
186 @ Add /proc/ccs/info/mapping.
187
188 I added /proc/ccs/info/mapping so that t
189 can know the mapping of individual write
190
191 Fix 2006/02/27
192
193 @ Fix handling of trailing '\*' in PathMat
194
195 PathMatchesToPattern("/tmp/", "/tmp/\*")
196 because "\*" matches "zero or more repet
197 until '/' or end". But since this is a c
198 directory and non-directory, this should
199
200 This behavior causes the following secur
201 In enforce mode, allowing "2 /tmp/\*" gr
202 "mkdir /tmp/" and "rmdir /tmp/" which sh
203 granted only when "2 /tmp/" is allowed.
204 In accept mode, "mkdir /tmp/" or "rmdir
205 "2 /tmp/\*" into the domain policy if "f
206 is in the exception policy.
207
208 I changed not to ignore trailing '\*' in
209 if pathname ends with '/'.
210
211 Fix 2006/03/01
212
213 @ Add missing spinlock in GetAbsolutePath(
214
215 vfsmount_lock was missing.
216
217 Fix 2006/03/08
218
219 @ Add support for "shared subtree" mount o
220
221 Kernel 2.6.15 introduced "shared subtree
222 But CheckMountPermission() couldn't reco
223 do_change_type().
224
225 @ Add support for more mount flags.
226
227 atime/noatime, diratime/nodiratime, recu
228 are supported.
229
230 Fix 2006/03/20
231
232 @ Check port numbers for only AF_INET/AF_I
233
234 CheckBindEntry() and CheckConnectEntry()
235 only when the given address family is ei
236 for address family such as AF_UNSPEC cou
237 and connect() for PF_INET/PF_INET6 socke
238
239 Fix 2006/03/27
240
241 @ Use /proc/self/ rather than /proc/\$/ fo
242
243 GetAbsolutePath() now uses "self" instea
244 if current process refers to information
245 This exception violates the rule "TOMOYO
246 contain symbolic links before the last '
247 to do so. The following are the merits g
248
249 Prevent administrators from granting red
250 when a process needs to refer to only cu
251
252 Allow administrators make current proces
253 readable using 'allow_read' directive.
254
255 Version 1.1 2006/04/01 Functionality enhan
256
257 Fix 2006/04/03
258
259 @ Use queue instead of fixed sized array f
260
261 WriteAuditLog() now uses queue to save s
262 Administrators can give any size for aud
263
264 @ Use kzalloc() instead of kmalloc() + mem
265
266 kmalloc() + memset() were replaced with
267
268 Fix 2006/04/04
269
270 @ Support "delayed enforcing" mode.
271
272 Until now, access request was immediatel
273 if policy doesn't allow that access and
274 running in enforce mode.
275 Sometimes, especially after updating sof
276 some unexpected access requests arise fr
277 Such access requests should be granted b
278 they are not caused by malicious attacks
279 So I introduced a mechanism to allow adm
280 to decide to grant or reject such access
281 This mechanism is implemented in the fol
282 "Don't return immediately if permissio
283 "Sleep for a while waiting administrat
284 "Return successfully if administrator
285
286 Fix 2006/04/12
287
288 @ Fix handling of prefix in GetAbsolutePat
289
290 Some objects doesn't have prefix "/".
291 Pipe has prefix "pipe:" and socket has p
292 GetAbsolutePath() couldn't handle prefix
293
294 @ Remove IsCorrectPath() checks for File A
295
296 File Access Control functions accepted o
297 with '/' because these functions assumed
298 GetAbsolutePath() always start with '/'.
299 However, I found a program that opens an
300 (probably) /proc/PID/fd/ directory. (You
301 "pipe:[number]" if you run "ls -l /proc/
302 Now, File Access Control functions have
303 that don't start with '/'. So, I stopped
304
305 Fix 2006/04/19
306
307 @ Fix handling of NULL nameidata in vfs_op
308
309 In 2.6 kernels, NFS daemon and sys_mq_op
310 vfs_create() with NULL nameidata. In suc
311 CheckSingleWritePermission() must not be
312
313 Version 1.1.1 2006/05/15 Functionality enhan
314
315 Fix 2006/05/16
316
317 @ Support program files aggregation.
318
319 Until now, programs that have no fixed n
320 parent programs had to be run in a trust
321 since it is impossible to use patterns f
322 execute permission and defining domains.
323 I introduced a mechanism to aggregate si
324 using 'aggregator' directive.
325 Some examples:
326
327 'aggregator /tmp/logrotate.\?\?\?\?\?\
328 to run all temporary programs for logr
329
330 'aggregator /usr/bin/tac /bin/cat'
331 to run /usr/bin/tac and /bin/cat as /b
332
333 Fix 2006/05/18
334
335 @ Unlimit max count for audit log.
336
337 I forgot to replace MAX_GRANT_LOG and MA
338 so that administrators can give any size
339
340 Fix 2006/05/22
341
342 @ Support individual domain ACL removal.
343
344 Until now, to remove ACLs from a domain,
345 once delete and recreate that domain, wh
346 I introduced a mechanism to remove domai
347 recreating domains.
348 Administrator can delete domains or remo
349 via /proc/ccs/policy/domain_policy .
350 /proc/ccs/policy/delete_domain and /proc
351 were removed.
352
353 Fix 2006/05/30
354
355 @ Add missing spinlock in SAKURA_MayMount(
356
357 vfsmount_lock was missing.
358
359 Version 1.1.2 2006/06/02 Functionality enhan
360
361 Fix 2006/06/13
362
363 @ Merge tomoyo_connect.c and tomoyo_bind.c
364
365 I merged these files that have only diff
366 that are likely to be enabled both or ne
367
368 @ Add CONFIG_TOMOYO_AUDIT option.
369
370 I made auditing functions as optional be
371 may have not enough disk space to store
372
373 Fix 2006/06/15
374
375 @ Support use of symbolic links for progra
376
377 Until now, domains for programs executed
378 symbolic links were defined using derefe
379 This was inconvenient for some Linux box
380 can't keep hard links of busybox.
381 I introduced a mechanism to allow using
382 symbolic links using 'alias' directive.
383 Some examples:
384
385 'alias /sbin/busybox /bin/ls' to run /
386 (which is a symbolic link to /sbin/bus
387 if /bin/ls is executed.
388
389 'alias /bin/bash /bin/sh' to run /bin/
390 (which is a symbolic link to /bin/bash
391 if /bin/sh is executed.
392
393 Fix 2006/06/21
394
395 @ Use ccs_alloc() instead of kzalloc().
396
397 To detect memory leaks,
398 I added a wrapper for tracing kmalloc()
399 There is no way to detect memory leaks c
400
401 Version 1.1.3 2006/07/13 Functionality enhan
402
403 Fix 2006/07/14
404
405 @ Change behavior of pathname pattern matc
406
407 Until now, it was impossible to use patt
408 "\*" matched zero or more repetitions of
409 Now, "\*" matches zero or more repetitio
410
411 Until now, it was impossible to use patt
412 because "\$" matched one or more repetit
413 non digit character.
414 Now, "\$" matches one or more repetition
415
416 Also, new patterns "\x" "\X" "\a" "\A" "
417
418 Fix 2006/07/21
419
420 @ Add CONFIG_TOMOYO_NETWORK option.
421
422 Until now, only port numbers for TCP and
423 Now, the combination of IPv4/IPv6 addres
424 for TCP and UDP is controllable.
425 CONFIG_TOMOYO_NETWORKPORT became obsolet
426
427 Fix 2006/07/25
428
429 @ Change matching rule for CheckFileACL().
430
431 Until now, only first entry that matched
432 was used for permission checking. For ex
433
434 "2 /tmp/file-\$.txt"
435 "4 /tmp/fil\?-0.txt"
436
437 are given in this order and requested pa
438 the "2 /tmp/file-\$.txt" is used. But if
439
440 "4 /tmp/fil\?-0.txt"
441 "2 /tmp/file-\$.txt"
442
443 are given in this order, the "4 /tmp/fil
444 This may potentially cause trouble becau
445 permission checks depends on the order o
446
447 Now, all entries that matched the reques
448 are used for permission checking so that
449 permission checks doesn't depend on the
450
451 Fix 2006/07/27
452
453 @ Support RAW IPv4/IPv6 control.
454
455 Some programs such as 'ping' and 'tracer
456 Now, the combination of IPv4/IPv6 addres
457 for IP is controllable.
458
459 Fix 2006/08/04
460
461 @ Add filename and argv[0] comparison chec
462
463 The domain transition was done based on
464 while the behavior was defined based on
465 There is no problem if the filename is a
466 But if argv[0]-aware, access control byp
467 transits to trusted domain but behaves a
468 For example, when the administrator spec
469 trusted but both /bin/ls and /bin/cat ar
470 a cracker can run /bin/cat in a trusted
471 succeeds to invoke do_execve() with file
472 argv[0] = "/bin/cat".
473
474 I introduced a directive that permits th
475 basename of filename and argv[0].
476
477 Fix 2006/08/10
478
479 @ Support ID based condition checks.
480
481 It was impossible to use process id (uid
482 checking individual domain ACL.
483
484 Now it became possible to use process id
485 domain ACL. For example,
486
487 "1 /bin/sh if task.euid!=0"
488
489 allows the domain to execute /bin/sh onl
490 is not 0, and
491
492 "6 /home/\*/\* if task.uid=path1.uid"
493
494 allows the domain to read-write user's h
495 only when the file's owner matches the p
496
497 Fix 2006/08/22
498
499 @ Fix ROUNDUP() in fs/realpath.c .
500
501 Alignment using sizeof(int) may be inapp
502 I changed to use the larger size of 'voi
503 instead of 'int'.
504 For environment where sizeof(int) = size
505 this change has no effect.
506
507 Version 1.2 2006/09/03 Functionality enhan
508
509 Fix 2006/09/30
510
511 @ Fix CheckFilePerm() in fs/tomoyo_file.c
512
513 The location to call path_release() was
514
515 Fix 2006/10/02
516
517 @ Support per-domain profile.
518
519 It became possible to assign different p
520 This will help administrators using buil
521
522 Fix 2006/10/05
523
524 @ Change parameters for CheckFilePerm().
525
526 I was re-resolving pathnames inside Chec
527 the caller function already resolved the
528 So I changed to pass dentry and vfsmount
529 and removed changes made on 2006/09/30.
530
531 Fix 2006/10/06
532
533 @ Support deny_rewrite and allow_rewrite p
534
535 It became possible to make regular files
536 using "deny_rewrite" directive in except
537 override it using "allow_rewrite" direct
538
539 Regular files specified using "deny_rewr
540 can't be open()ed with O_TRUNC or with
541 can't be truncate()ed or ftruncate()ed
542 can't be turned O_APPEND flag off usin
543 unless specified using "allow_rewrite" d
544
545 Fix 2006/10/12
546
547 @ Enable configuration options by default
548
549 CONFIG_SAKURA and CONFIG_TOMOYO are now
550 and CONFIG_SYAORAN is now 'm' by default
551
552 Fix 2006/10/13
553
554 @ Use external policy loader.
555
556 Until now, policies are loaded when /sbi
557 initial control levels are switched usin
558 But since some boxes have to fixate kern
559 at compilation time, I think it will bec
560 by running external policy loader using
561 initial control levels can be specified
562
563 Call panic() if initial control levels a
564
565 Fix 2006/10/16
566
567 @ Add missing parameter in FindNextDomain(
568
569 'struct file' was needed for allowing 'i
570
571 Fix 2006/10/23
572
573 @ Print error messages in CheckFlags().
574
575 Some users seem to have troubles picking
576 entries for the configuration file of SY
577 since makesyaoranconf can't pick up entr
578 nonexistent at the time.
579 I added error message so that users can
580 using dmesg.
581
582 Fix 2006/10/24
583
584 @ Change /proc/ccs/info/self_domain .
585
586 I changed /proc/ccs/info/self_domain to
587 the domain of open time rather than firs
588 This modification makes shell's redirect
589 more convenient since redirection opens
590 but doesn't read at the time.
591
592 'cat < /proc/ccs/info/self_domain' will
593 the domain of shell, and
594 'cat /proc/ccs/info/self_domain' will re
595 the domain of cat .
596
597 Fix 2006/11/06
598
599 @ Replace MAX_ENFORCE_GRACE with ALLOW_ENF
600
601 Since it was inconvenient that requests
602 supervisor's decision are rejected autom
603 MAX_ENFORCE_GRACE seconds has elapsed, I
604 reset timeout counter whenever a supervi
605 and I modified ccs-queryd write a dummy
606 so that the requests won't be rejected a
607 ccs-queryd is running.
608 This change made MAX_ENFORCE_GRACE's mea
609 So I fixated MAX_ENFORCE_GRACE to 10 sec
610 MAX_ENFORCE_GRACE parameter.
611 To allow administrators selectively enab
612 mode, I added ALLOW_ENFORCE_GRACE parame
613 The behavior of "delayed enforcing" mode
614 in the following order.
615
616 (1) The requests are rejected immediatel
617 (2) The requests are rejected immediatel
618 if nobody is opening /proc/ccs/polic
619 (3) The requests won't be rejected autom
620 if ALLOW_ENFORCE_GRACE=1 and ccs-que
621 (4) The requests will be rejected in 10
622 if somebody other than ccs-queryd (s
623 opening /proc/ccs/policy/query inter
624 such process doesn't write dummy dec
625
626 Version 1.3 2006/11/11 First anniversary r
627
628 Fix 2006/11/13
629
630 @ Replace trust_domain with keep_domain.
631
632 Since it was troublesome that there are
633 (assigning a profile that doesn't enable
634 with trust_domain directive), I removed
635 Instead, I introduced keep_domain direct
636 unless a program registered with initial
637 This change has the following advantages
638
639 (1) Allows administrator use "enforce mo
640 Since it was difficult to know what
641 and accessed in what sequences befor
642 directive for such domain, allowing
643 access any files in any sequence.
644 But now, we can use keep_domain dire
645 "enforce mode" for such domain, forc
646 commands and access only allowed fil
647 while these operations are kept unde
648
649 (2) Allows administrator determine easil
650 under MAC or not because only the pr
651 the domain determines it.
652
653 (3) Saves total number of domains and me
654
655 Fix 2006/11/22
656
657 @ Don't allow use of undefined profile.
658
659 To avoid assigning undefined profile to
660 I added checks before assigning profiles
661 Now, profiles have to be defined prior t
662
663 Version 1.3.1 2006/12/08 Minor update releas
664
665 Fix 2006/12/10
666
667 @ Allow pathname grouping.
668
669 To reduce the labor of repeating '/\*' t
670 I introduced a macro 'path_group' to mak
671 For example, you had to give like
672
673 4 /var/www/html/\*
674 4 /var/www/html/\*/\*
675 4 /var/www/html/\*/\*/\*
676 4 /var/www/html/\*/\*/\*/\*
677
678 but now, you can give just
679
680 4 @WEB-CONTENTS
681
682 if you give
683
684 path_group WEB-CONTENTS /var/www/html/
685 path_group WEB-CONTENTS /var/www/html/
686 path_group WEB-CONTENTS /var/www/html/
687 path_group WEB-CONTENTS /var/www/html/
688
689 in the exception policy.
690 This macro will be useful when grouping
691
692 Fix 2006/12/15
693
694 @ Use structured pathnames instead for sim
695
696 To reduce the cost of strcmp(), I change
697 SaveName() from 'const char *' to 'const
698 This change will speed up PathMatchesToP
699
700 Fix 2006/12/19
701
702 @ Allow registering policy managers using
703
704 It was difficult to restrict programs th
705 via /proc/ccs/ interfaces using pathname
706 these programs could be unintendedly inv
707 Now, it became possible to restrict doma
708 via /proc/ccs/ interfaces as well as pro
709 By restricting using domainnames, it bec
710 unintended invocation.
711
712 Fix 2006/12/22
713
714 @ Add initialize_domain,no_initizlize_doma
715
716 To control domain transitions more stric
717 initialize_domain,no_initizlize_domain,n
718 were introduced.
719
720 "initialize_domain /some/program" means
721 jump to "<kernel> /some/program" domain
722 called from any domain.
723 This is equivalent to conventional "init
724
725 "initialize_domain /some/program from so
726 jump to "<kernel> /some/program" domain
727 called from "some_domain" domain.
728
729 "no_initialize_domain /some/program" mea
730 don't jump to "<kernel> /some/program" d
731 "initialize_domain /some/program" or
732 "initialize_domain /some/program from so
733 if /some/program is called from any doma
734
735 "no_initialize_domain /some/program from
736 don't jump to "<kernel> /some/program" d
737 "initialize_domain /some/program" or
738 "initialize_domain /some/program from so
739 if /some/program is called from "some_do
740
741 "keep_domain some_domain" means don't ju
742 if any programs are called from "some_do
743
744 "keep_domain /some/program from some_dom
745 don't jump to child domain only if /some
746 called from "some_domain" domain.
747
748 "no_keep_domain some_domain" means
749 jump to child domain even if
750 "keep_domain /some/program" or
751 "keep_domain /some/program from some_dom
752 if any programs are called from "some_do
753
754 "no_keep_domain /some/program from some_
755 jump to child domain even if
756 "keep_domain /some/program" or
757 "keep_domain /some/program from some_dom
758 if /some/program is called from "some_do
759
760 "some_domain" can be just the last compo
761 For example, giving "/bin/mail" as "some
762 all domains whose domainname ends with "
763
764 Fix 2007/01/19
765
766 @ Allow reuse of memory allocated for doma
767
768 Regarding domain policy, unlike other po
769 "is_deleted" flag and new memory were al
770 if the deleted entries are given again.
771 But to allow administrators switch domai
772 I introduced "is_deleted" flag.
773
774 Writing "some_domain" to /proc/ccs/polic
775 creates "some_domain" using new memory i
776
777 Writing "select some_domain" doesn't cre
778 if it didn't exist.
779
780 Writing "delete some_domain" deletes "so
781 but does not delete entries in "some_dom
782
783 Writing "undelete some_domain" undeletes
784 if it was deleted by "delete some_domain
785
786 Fix 2007/01/22
787
788 @ Allow getting already deleted pathnames.
789
790 To allow getting pathnames that are alre
791 I removed (IS_ROOT(dentry) || !d_unhashe
792
793 Fix 2007/01/26
794
795 @ Limit string length to 4000.
796
797 I was using PAGE_SIZE (4096 in many envi
798 as the max length of any string data.
799 But for environments that have larger PA
800 doing memset(ptr, 0, PAGE_SIZE) every ti
801
802 Fix 2007/01/29
803
804 @ Add garbage collector for domain policy.
805
806 Writing "some_domain" to /proc/ccs/polic
807 creates "some_domain" using new memory o
808 some process is staying at that deleted
809 If no process is staying at that deleted
810 "some_domain" is undeleted with all ACLs
811
812 Version 1.3.2 2007/02/14 Usability enhanceme
813
814 Fix 2007/02/20
815
816 @ Allow address grouping.
817
818 To reduce the labor of repeating similar
819 I introduced a macro 'address_group' to
820 For example, you had to give like
821
822 allow_network TCP accept 10.0.0.0-10.2
823 allow_network TCP accept 172.16.0.0-17
824 allow_network TCP accept 192.168.0.0-1
825
826 but now, you can give just
827
828 allow_network TCP accept @localnet 102
829
830 if you give
831
832 address_group localnet 10.0.0.0-10.255
833 address_group localnet 172.16.0.0-172.
834 address_group localnet 192.168.0.0-192
835
836 in the exception policy.
837
838 Fix 2007/03/03
839
840 @ Remove obsolete functions.
841
842 @ Add some hooks.
843
844 Read permission check is done if open_ex
845 is called from search_binary_handler().
846 Read permission check is not done if ope
847 is called from do_execve(), instead,
848 execute permission check is done at
849 search_binary_handler_with_transition().
850
851 I moved the location of calling CheckCap
852 and CheckMountPermission() from sys_moun
853
854 Fix 2007/03/07
855
856 @ Use 'unsigned int' for sscanf().
857
858 I compiled SYAORAN fs on x86_64 environm
859 the compiler showing warning messages ab
860 Since size of data types may mismatch fo
861 I replaced some types with 'unsigned int
862
863 Version 1.4 2007/04/01 x86_64 support rele
864
865 Fix 2007/04/18
866
867 @ Change argv[0] checking rule.
868
869 I was comparing the basename of symbolic
870 Since execute permission check and domai
871 based on realpath while argv[0] check is
872 pathname and argv[0], this specification
873 as /bin/cat in the domain of /bin/ls if
874 links to /sbin/busybox" and "the attacke
875 a symlink named ~/cat that points to /bi
876 permitted to run /bin/ls".
877 So, I changed to compare the basename of
878 Also, I moved the location to compare be
879 "aggregator" directive so that
880 "aggregator /tmp/logrotate.\?\?\?\?\?\?
881 won't cause the mismatch of the basename
882
883 If /bin/ls is a symlink to /sbin/busybox
884 creating a symlink named ~/cat that poin
885 executing ~/cat won't work as expected b
886 domain transition are done using /sbin/b
887 and will be rejected since the administr
888 "1 /sbin/busybox".
889
890 Fix 2007/05/07
891
892 @ Support pathname subtraction.
893
894 There was no way to exclude specific pat
895 permissions using wildcards.
896 There would be a need to exclude specifi
897 I introduced "\-" as subtraction operato
898
899 "A\-B" means "A" other than "B".
900 "A\-B\-C" means "A" other than "B" and
901 "A\-B\-C\-D" means "A" other than "B"
902
903 "A", "B", "C", "D" may contain wildcards
904
905 An example usage is "/home/\*/\*\-.ssh/\
906 "/home/\*/\*/\*" other than "/home/\*/.s
907
908 "A" should contain wildcards because sub
909 (e.g. "/usr\-usr/" or "/usr\-home/") is
910
911 Don't try "A\-B\+C" because "\+" is not
912
913 Fix 2007/05/24
914
915 @ Fix autobind hook.
916
917 The location to call SAKURA_MayAutobind(
918 and net/ipv6/udp.c were wrong.
919
920 Fix 2007/06/03
921
922 @ Add a space in MakeMountOptions().
923
924 I forgot to add a space after "atime" an
925
926 Version 1.4.1 2007/06/05 Minor update releas
927
928 Fix 2007/07/04
929
930 @ Fix ReadAddressGroupPolicy() bug.
931
932 ReadAddressGroupPolicy() fails if both "
933 are used because I forgot to set "head->
934
935 Fix 2007/07/10
936
937 @ Add compat_sys_stime() hook.
938
939 Some of 64bit kernels support compat_sys
940 but permission check was missing.
941
942 Version 1.4.2 2007/07/13 Bug fix release.
943
944 Fix 2007/08/06
945
946 @ Remove mount-flags manipulation.
947
948 Until now, administrator is permitted to
949 options regardless of mount options pass
950 I removed this feature because "exact op
951 "automatic option enabler/disabler".
952
953 @ Remove /proc/ccs/info/mapping .
954
955 I removed /proc/ccs/info/mapping because
956 feature.
957
958 @ Call external policy loader automaticall
959
960 Until now, users had to add init=/.init
961 before /sbin/init starts.
962 I inserted call_usermodehelper() to call
963 execve("/sbin/init") is requested and ex
964
965 This change will remove init=/.init para
966 although call_usermodehelper() can't han
967
968 @ Move external policy loader from /.init
969
970 Installing programs in / directory is no
971
972 Fix 2007/08/13
973
974 @ Update external policy loader.
975
976 It turned out that /sbin/ccs-init invoke
977 can handle interactive operations by ope
978 Now, there is no difference between init
979 call_usermodehelper("/sbin/ccs-init"), a
980 add init=/sbin/ccs-init parameter to loa
981 starts.
982
983 Fix 2007/08/14
984
985 @ Update recvmsg() hooks.
986
987 Until now, it was impossible to apply ne
988 incoming UDP and RAW packets if they are
989 read() or recvmsg() with NULL address be
990 I moved hooks from sock_recvmsg() to skb
991 network access control for incoming UDP
992
993 Fix 2007/08/16
994
995 @ Return appropriate error code for CheckM
996
997 I was returning -EPERM if something is w
998 But SELinux determines whether selinuxfs
999 based on whether error code is -ENODEV o
1000 So I stopped returning -EPERM unconditi
1001
1002 Fix 2007/08/17
1003
1004 @ Remove initializer directive.
1005
1006 Use "initialize_domain" instead of "ini
1007
1008 Fix 2007/08/21
1009
1010 @ Fix "allow_argv0 ... if if ..." bug.
1011
1012 It was impossible to use a word "if" to
1013 allow_argv0 if condition part is used.
1014
1015 Fix 2007/08/24
1016
1017 @ Move /proc/ccs/\*/\* to /proc/ccs/\* .
1018
1019 Some pathnames for /proc/ccs/ interface
1020
1021 Fix 2007/09/05
1022
1023 @ Drop MSG_PEEK'ed message before skb_fre
1024
1025 I need to remove head message from unwa
1026 from socket's receive queue so that the
1027 next message from wanted source with MS
1028
1029 Version 1.5.0 2007/09/20 Usability enhancem
1030
1031 Fix 2007/09/27
1032
1033 @ Avoid eating memory after quota exceede
1034
1035 Although ACL entries in a domain won't
1036 has exceeded, SaveName() in AddFileACL(
1037 This caused unneeded memory consumption
1038
1039 Now, quota checking is done before gett
1040 This may exceed quota by one or two ent
1041
1042 Fix 2007/10/16
1043
1044 @ Add environment variable check.
1045
1046 There are environment variables that ma
1047 like LD_\* .
1048 So I introduced 'allow_env' directive t
1049 environment variable inherited to next
1050 Unlike other permissions, this check is
1051 using next domain's ACL information.
1052
1053 To manage commonly inherited environmen
1054 you can use 'allow_env' directive in ex
1055 to globally grant specified environment
1056
1057 Fix 2007/11/05
1058
1059 @ Replace semaphore with mutex.
1060
1061 I replaced semaphore with mutex.
1062
1063 @ Add missing down() in AddReservedEntry(
1064
1065 Mutex debugging capability told me that
1066 since TOMOYO version 1.3.2 .
1067 This function is not called by learning
1068 so the semaphore's counter will not ove
1069
1070 Fix 2005/11/27
1071
1072 @ Fix ReadTable() truncation bug.
1073
1074 "snprintf(str, size, format, ...) >= si
1075 But I was checking for "snprintf(str, s
1076 As a result, some entries might be dump
1077
1078 @ Purge direct "->prev"/"->next" manipula
1079
1080 All list manipulations use "struct list
1081 "struct list1_head" doesn't have "->pre
1082
1083 Fix 2007/11/29
1084
1085 @ Add missing semaphore in GetEXE().
1086
1087 mm->mmap_sem was missing.
1088
1089 Fix 2007/12/17
1090
1091 @ Remove unused EXPORT_SYMBOL().
1092
1093 Mark some functions static.
1094
1095 Fix 2007/12/18
1096
1097 @ Fix AddMountACL() rejection bug.
1098
1099 To my surprise, "mount --bind source de
1100 not only "both source and dest are dire
1101 but also "both source and dest are non-
1102 I was rejecting if dest is not a direct
1103
1104 @ Change log format.
1105
1106 Profile number and mode is added in aud
1107
1108 Fix 2008/01/03
1109
1110 @ Change directive for file's read/write/
1111
1112 Directives for file's read/write/execut
1113 4/2/1 respectively. But for easier unde
1114 replaced by read/write/execute (e.g. "a
1115 But for easier inputting, 4/2/1 are sti
1116 allow_read/allow_write/allow_execute re
1117
1118 @ Change internal data structure.
1119
1120 Since I don't have more than 16 types o
1121 I combined them using bit-fields.
1122
1123 Each entry had a field for conditional
1124 But since this field is unlikely used,
1125 common part.
1126
1127 These changes will reduce memory used b
1128
1129 Fix 2008/01/15
1130
1131 @ Add ptrace() hook.
1132
1133 To prevent attackers from controlling i
1134 ptrace(), I added a hook for ptrace().
1135 Most programs (except strace(1) and gdb
1136
1137 @ Fix sleep condition check in CheckSocke
1138
1139 It seems that correct method to use is
1140 rather than in_interrupt() because in_a
1141 whenever scheduling is not allowed.
1142
1143 Fix 2008/02/05
1144
1145 @ Use find_task_by_vpid() instead of find
1146
1147 Kernel 2.6.24 introduced PID namespace.
1148 To search PID given from userland, the
1149 find_task_by_vpid() instead of find_tas
1150
1151 Fix 2008/02/14
1152
1153 @ Add execve() parameter checking.
1154
1155 Until now, it was impossible to check a
1156 passed to execve().
1157 I expanded conditional permission synta
1158 { argc, envc, argv[] , envp[] } paramet
1159 This will allow administrator permit ex
1160 /bin/sh is invoked in the form of "/bin
1161 HOME is set by specifying
1162
1163 allow_execute /bin/sh if exec.argv[1]
1164
1165 in the policy.
1166 This extension will make exploit codes
1167 they unlikely set up environment variab
1168 option when invoking /bin/sh , whereas
1169 environment variables and likely specif
1170
1171 Fix 2008/02/18
1172
1173 @ Add process state checking.
1174
1175 Until now, it was impossible to change
1176 I added three variables for performing
1177 You can set current process's state lik
1178
1179 allow_network TCP accept @TRUSTED_HOS
1180 allow_network TCP accept @UNTRUSTED_H
1181
1182 and you can use the state like
1183
1184 allow_read /path/to/important/file if
1185
1186 in the policy.
1187 The state changes when the request was
1188 so please be careful with situations wh
1189 successfully but the request was not pr
1190 (e.g. out of memory).
1191
1192 Fix 2008/02/26
1193
1194 @ Support /proc/ccs/ access by non-root u
1195
1196 Until now, only root user can access /p
1197 But to permit /proc/ccs/ access by non-
1198 ssh login by root user when administrat
1199 I made "(current->uid == 0 && current->
1200 If this requirement is disabled, only "
1201 checks" and "/proc/ccs/manager checks"
1202
1203 Fix 2008/02/29
1204
1205 @ Add sleep_on_violation feature.
1206
1207 Some exploit codes (e.g. trans2open for
1208 until it achieves the purpose of the ex
1209
1210 If such code is injected due to buffer
1211 rejects the request, it triggers infini
1212 As a result, the CPU usage becomes 100%
1213 the rest of processes.
1214 This is a side effect of rejecting the
1215 which wouldn't happen if the request fr
1216
1217 To avoid such CPU consumption, I added
1218 sleeps for specified period when a requ
1219
1220 This penalty doesn't work if the exploi
1221 continue running, but I think most expl
1222 to start some program rather than to sl
1223
1224 @ Add alt_exec feature.
1225
1226 Since TOMOYO Linux's approach is "know
1227 and create policy that permits only the
1228 requests as attacks (if you want to do
1229
1230 Common MAC implementations merely rejec
1231 But I added a special handler for execv
1232
1233 This handler is triggered when a proces
1234 but the request was rejected by the pol
1235 This handler executes a program specifi
1236 instead of a program requested by the p
1237
1238 Most attackers attempt to execute /bin/
1239 Attackers execute an exploit code using
1240 to steal control of a process. But this
1241 if an exploit code requests execve() th
1242
1243 By default, this handler does nothing (
1244 request). You can specify any program t
1245
1246 You can redirect attackers to somewhere
1247 This makes it possible to act your Linu
1248 while keeping regular services for your
1249
1250 You can collect information of the atta
1251 update firewall configuration.
1252
1253 You can silently terminate a process wh
1254 that is not permitted by policy.
1255
1256 Fix 2008/03/03
1257
1258 @ Add "force_alt_exec" directive.
1259
1260 To be able to fully utilize "alt_exec"
1261 I added "force_alt_exec" directive so t
1262 all execute requests are replaced by th
1263 specified by alt_exec feature.
1264
1265 If this directive is specified for a do
1266 executes any programs regardless of the
1267 (i.e. the domain won't execute even if
1268 Instead, the domain executes the progra
1269 and the program specified by alt_exec f
1270 request and executes it if it is approp
1271
1272 If you can tolerate that there is no ch
1273 to the caller to tell the execute reque
1274 this is more flexible approach than in-
1275 checking because we can do argv[] and e
1276
1277 Fix 2008/03/04
1278
1279 @ Use string for access control mode.
1280
1281 An integer expression for access contro
1282 administrators because profile number i
1283 To avoid confusion between profile numb
1284 I introduced a string expression for ac
1285
1286 Modes which take an integer between 0
1287
1288 0 -> disabled
1289 1 -> learning
1290 2 -> permissive
1291 3 -> enforcing
1292
1293 Modes which take 0 or 1.
1294
1295 0 -> disabled
1296 1 -> enabled
1297
1298 Fix 2008/03/10
1299
1300 @ Rename "force_alt_exec" directive to "e
1301
1302 To be able to use different programs fo
1303 I moved the location to specify the pro
1304 to domain policy.
1305
1306 The "execute_handler" directive takes o
1307 invoked whenever execve() request is is
1308 directives in a domain with "execute_ha
1309 This directive is designed for validati
1310 requests in userspace, although there i
1311 that the execve() request was rejected.
1312
1313 @ Rename "alt_exec" directive to "denied_
1314
1315 The "denied_execute_handler" directive
1316 invoked only when execve() request was
1317 this program is invoked only when the f
1318
1319 (1) None of "allow_execute" directive
1320 (2) The execve() request was rejected
1321 (3) "execute_handler" directive is no
1322
1323 This directive is designed for handling
1324 requests, to redirect the process issui
1325
1326 Fix 2008/03/18
1327
1328 @ Fix wrong/redundant locks in pre-vfs fu
1329
1330 lock_kernel()/unlock_kernel() in pre_vf
1331 2.6 kernels.
1332
1333 Locking order in pre_vfs_link() and pre
1334 after 2.4.33 were different from before
1335
1336 Fix 2008/03/28
1337
1338 @ Disable execute handler loop.
1339
1340 To be able to use "execute_handler" in
1341 ignore "execute_handler" and "denied_ex
1342 if the current process is executing pro
1343 "execute_handler" or "denied_execute_ha
1344
1345 This exception is needed to avoid infin
1346 If a domain has both "keep_domain" and
1347 any execute request by that domain is h
1348 and the execute handler attempts to pro
1349 But the original execute request is han
1350 unless the execute handler ignores "exe
1351
1352 @ Update coding style.
1353
1354 I rewrote the code to pass scripts/chec
1355 Function names were changed to use only
1356
1357 Version 1.6.0 2008/04/01 Feature enhancemen
1358
1359 Fix 2008/04/14
1360
1361 @ Fix "Compilation failures" and "Initial
1362 with kernels before 2.4.30/2.6.11 .
1363
1364 2.6 kernels before 2.6.9 didn't have in
1365 resulting compilation error at #include
1366 I added #elif condition.
1367
1368 CentOS 4.6's 2.6.9 kernel calls do_exec
1369 ccs_alloc(), resulting NULL pointer der
1370 I changed __initcall to core_initcall.
1371
1372 CentOS 4.6's 2.6.9 kernel backported kz
1373 resulting compilation error at kzalloc(
1374 I modified prototype of kzalloc().
1375
1376 Fix 2008/04/20
1377
1378 @ Fix "Compilation failures" with kernels
1379
1380 Turbolinux 10 Server's 2.6.8 kernel bac
1381 function, resulting compilation error a
1382 I converted kzalloc() from an inlined f
1383
1384 Fix 2008/04/21
1385
1386 @ Add workaround for gcc 3.2.2's inline b
1387
1388 RedHat Linux 9's gcc 3.2.2 generated a
1389 if ((var_of_u8 & 0x000000BF) & 0x800
1390 where the expected code is
1391 if ((var_of_u8 & 0xBF) & 0x80) { }
1392 when embedding ccs_acl_type2() into pri
1393 resulting runtime BUG().
1394 I added the expected code explicitly as
1395
1396 Fix 2008/05/06
1397
1398 @ Add memory quota.
1399
1400 1.5.x returns -ENOMEM when FindNextDoma
1401 domain, but I forgot to return -ENOMEM
1402 create a new domain.
1403
1404 A domain is automatically created by fi
1405 the domain for the requested program do
1406 This behavior is for the administrator'
1407 The administrator needn't to know how m
1408 the whole programs in the system before
1409 But the administrator does not want the
1410 requested program when developing the p
1411
1412 So, I think it is better to grant execu
1413 find_next_domain() failed to create a n
1414 Thus, I decided not to return -ENOMEM w
1415 create a new domain. This exception bre
1416 so I print "transition_failed" warning
1417 when this exception happened.
1418
1419 Also, to prevent the system from being
1420 all kernel memory for the policy, I add
1421 This quota is configurable via /proc/cc
1422
1423 echo Shared: 1048576 > /proc/ccs/mem
1424 echo Private: 1048576 > /proc/ccs/mem
1425
1426 Version 1.6.1 2008/05/10 Bug fix release.
1427
1428 Fix 2008/06/04
1429
1430 @ Check open mode of /proc/ccs/ interface
1431
1432 It turned out that I can avoid allocati
1433 FMODE_READ is not set and memory for wr
1434
1435 @ Wait for completion of /sbin/ccs-init .
1436
1437 Since 2.4 kernel's call_usermodehelper(
1438 the executed program, I was using the c
1439 /proc/ccs/meminfo to indicate that load
1440 But since /proc/ccs/meminfo could be ac
1441 by /etc/ccs/ccs-post-init , I stopped u
1442 The policy loader no longer need to acc
1443 the kernel that loading policy has fini
1444
1445 Fix 2008/06/05
1446
1447 @ Fix realpath for pipes and sockets.
1448
1449 Kernel 2.6.22 and later use different m
1450 Since fs/realpath.c didn't notice the c
1451 appeared as "pipe:" rather than "pipe:[
1452 /proc/PID/fd/ directory.
1453
1454 @ Add process's information into /proc/cc
1455
1456 While /proc/ccs/grant_log and /proc/ccs
1457 information, /proc/ccs/query doesn't co
1458 To be able to utilize ccs-queryd and cc
1459 /proc/ccs/query .
1460
1461 Fix 2008/06/10
1462
1463 @ Allow using patterns for globally reada
1464
1465 To allow users specify locale specific
1466 I relaxed checking in update_globally_r
1467
1468 Fix 2008/06/11
1469
1470 @ Remove ALLOW_ENFORCE_GRACE parameter.
1471
1472 Since unexpected requests caused by doi
1473 in all profiles, users likely have to w
1474 to all profiles. And it makes meaningle
1475 enable specific profile's ALLOW_ENFORCE
1476 So, I removed ALLOW_ENFORCE_GRACE param
1477 Now, the system behaves as if ALLOW_ENF
1478 The behavior of "delayed enforcing" mod
1479 order.
1480
1481 (1) The requests are rejected immediate
1482 /proc/ccs/query interface.
1483 (2) The requests will be rejected in 10
1484 ccs-queryd (such as less(1)) is ope
1485 for such process doesn't write dumm
1486
1487 Fix 2008/06/22
1488
1489 @ Pass escaped pathname to audit_execute_
1490
1491 I was passing unescaped pathname to aud
1492 which causes /proc/ccs/grant_log contai
1493 if execute handler's pathname contains
1494
1495 Fix 2008/06/25
1496
1497 @ Return 0 when ccs_may_umount() succeeds
1498
1499 I forgot to clear error value in ccs_ma
1500 directory didn't match "deny_unmount" d
1501 request with RESTRICT_UNMOUNT=enforcing
1502
1503 Version 1.6.2 2008/06/25 Usability enhancem
1504
1505 Fix 2008/07/01
1506
1507 @ Fix "Compilation failure" with 2.4.20 k
1508
1509 RedHat Linux 9's 2.4.20 kernel backport
1510 resulting compilation error at ccs_load
1511 I added defined(TASK_DEAD) check.
1512
1513 Fix 2008/07/08
1514
1515 @ Don't check permissions if vfsmount is
1516
1517 Some filesystems (e.g. unionfs) pass NU
1518 I changed fs/tomoyo_file.c not to try t
1519 if vfsmount is NULL.
1520
1521 Version 1.6.3 2008/07/15 Bug fix release.
1522
1523 Fix 2008/08/21
1524
1525 @ Add workaround for gcc 4.3's bug.
1526
1527 In some environments, fs/tomoyo_network
1528 because of gcc 4.3's bug.
1529 I modified save_ipv6_address() to use "
1530 instead for "static const u8" variable.
1531
1532 @ Change prototypes of some functions.
1533
1534 To support 2.6.27 kernels, I replaced "
1535 "struct path" for some functions.
1536
1537 @ Detect distributor specific patches aut
1538
1539 Since kernels with AppArmor patch appli
1540 I introduced a mechanism which determin
1541 are applied or not, based on "#define"
1542
1543 Fix 2008/08/29
1544
1545 @ Remove "-ccs" suffix from Makefile's EX
1546
1547 To reduce conflicts on Makefile's EXTRA
1548 I removed "-ccs" suffix from ccs-patch-
1549 Those who build kernels without using s
1550 please edit EXTRAVERSION tag manually s
1551 will not be overwritten by TOMOYO Linux
1552
1553 Version 1.6.4 2008/09/03 Minor update relea
1554
1555 Fix 2008/09/09
1556
1557 @ Add "try again" response to "delayed en
1558
1559 To be able to handle pathname changes c
1560 "delayed enforcing" mode was introduced
1561 grant access requests which are about t
1562
1563 To be able to handle pathname changes c
1564 I introduced "try again" response. As "
1565 a process which violated policy, admini
1566 the process is sleeping. This "try agai
1567 to restart policy checks from the begin
1568
1569 Fix 2008/09/11
1570
1571 @ Remember whether the process is allowed
1572
1573 Since programs for manipulating policy
1574 in the form of RPM/DEB packages, these
1575 pathnames when they are updated by the
1576 manager renames these programs before d
1577 the package manager can rollback the op
1578 This causes a problem when the programs
1579 using pathnames, as the programs will n
1580 /proc/ccs/ interface while the process
1581 alive.
1582
1583 To solve this problem, I modified to re
1584 is once allowed to write to /proc/ccs/
1585 attempts to execute a different program
1586 This change makes it impossible to revo
1587 /proc/ccs/ interface without killing th
1588 than nonfunctioning ccs-queryd program.
1589
1590 Fix 2008/09/19
1591
1592 @ Allow selecting a domain by PID.
1593
1594 Sometimes we want to know what ACLs are
1595 finding a domainname for that PID from
1596 reading ACLs from /proc/ccs/domain_poli
1597 Thus, I modified /proc/ccs/domain_polic
1598 PID. For example, to read domain ACL of
1599 run as follows.
1600
1601 # exec 100<>/proc/ccs/domain_policy
1602 # echo select pid=$$ >&100
1603 # while read -u 100; do echo $REPLY; do
1604
1605 If a domain is once selected by PID, re
1606 print only that domain if that PID exis
1607
1608 @ Disallow concurrent /proc/ccs/ access u
1609
1610 Until now, one process can read() from
1611 that shares the file descriptor can wri
1612 But to implement "Allow selecting a dom
1613 concurrent read()/write() because the f
1614 while writing.
1615
1616 Fix 2008/10/01
1617
1618 @ Add retry counter into /proc/ccs/query
1619
1620 To be able to handle some of queries fr
1621 interaction, I added retry counter for
1622 "try again" response.
1623
1624 Fix 2008/10/07
1625
1626 @ Don't transit to new domain until do_ex
1627
1628 Until now, a process's domain was updat
1629 will belong to before do_execve() succe
1630 permission checks for interpreters and
1631 new domain. But this caused a subtle pr
1632 signals to the process, for the process
1633 do_execve() failed.
1634
1635 So, I modified to pass new domain to fu
1636 modifying a process's domain before do_
1637
1638 @ Use old task state for audit logs.
1639
1640 Until now, audit logs were generated us
1641 processing "; set task.state" part. But
1642 I modified to save the task state befor
1643 part and use the saved state for audit
1644
1645 @ Use a structure for passing parameters.
1646
1647 As the number of parameters is increasi
1648 for passing parameters.
1649
1650 Fix 2008/10/11
1651
1652 @ Remove domain_acl_lock mutex.
1653
1654 I noticed that I don't need to keep all
1655 a domain mutually exclusive. Since each
1656 of ACL, locking is needed only when the
1657 So, I modified to use local locks.
1658
1659 Fix 2008/10/14
1660
1661 @ Fix ccs_check_condition() bug.
1662
1663 Due to a bug in ccs_check_condition(),
1664 task.state[0] task.state[1] task.state[
1665 if the ACL does not treat a pathname. F
1666
1667 allow_network TCP connect @HTTP_SERVE
1668
1669 didn't work.
1670
1671 Fix 2008/10/15
1672
1673 @ Show process information in /proc/ccs/.
1674
1675 To be able to determine a process's typ
1676 which returns process information of th
1677 "PID manager=\* execute_handler=\* stat
1678 format.
1679
1680 Fix 2008/10/20
1681
1682 @ Use rcu_dereference() when walking the
1683
1684 I was using "dependency ordering" for a
1685 without asking the reader to take a loc
1686 is not respected by DEC Alpha or by som
1687 compiler optimizations.
1688
1689 On such environment, use of "dependency
1690 crash because the reader might read uni
1691 appended element.
1692
1693 To prevent the reader from reading unin
1694 element, I inserted rcu_dereference() w
1695
1696 Fix 2008/11/04
1697
1698 @ Use sys_getpid() instead for current->p
1699
1700 Kernel 2.6.24 introduced PID namespace.
1701
1702 To compare PID given from userland, I c
1703 So, I modified to use sys_getpid() inst
1704
1705 I modified to use task_tgid_nr_ns() for
1706 current->tgid when checking /proc/self/
1707
1708 Fix 2008/11/07
1709
1710 @ Fix is_alphabet_char().
1711
1712 is_alphabet_char() should match 'A' - '
1713 but was matching from 'A' - 'F' and 'a'
1714
1715 @ Add /proc/ccs/.execute_handler .
1716
1717 Process information became visible to u
1718 "Show process information in /proc/ccs/
1719 However, programs specified by execute_
1720 non root user, making it impossible to
1721
1722 So, I added a new interface that allows
1723 to see process information. The content
1724 identical to /proc/ccs/.process_status
1725
1726 Version 1.6.5 2008/11/11 Third anniversary
1727
1728 Fix 2008/12/01
1729
1730 @ Introduce "task.type=execute_handler" c
1731
1732 The execute_handler directive is very v
1733 directive to do anything you want to do
1734 modifying command line parameters and e
1735 closing and redirecting files, creating
1736 spam filtering, deploying a DMZ between
1737 shells).
1738
1739 To be able to use this directive in a d
1740 while limiting access to resources need
1741 programs invoked as an execute handler
1742
1743 In learning mode, "if task.type=execute
1744 automatically added for requests issued
1745
1746 @ Introduce file's type and permissions a
1747
1748 To be able to limit file types a proces
1749 new conditions for checking file's type
1750 For example,
1751
1752 allow_read /etc/fstab if path1.type=f
1753
1754 will allow opening /etc/fstab for readi
1755 file and it's permission is 0644, and
1756
1757 allow_write /dev/null if path1.type=c
1758
1759 will allow opening /dev/null for writin
1760 device file with major=1 and minor=3 at
1761
1762 @ Add memory quota for temporary memory u
1763
1764 Although there are MAX_GRANT_LOG and MA
1765 which limit the number of entries for a
1766 memory consumption by audit logs, it wo
1767 also limit the size in bytes.
1768 Thus, I added a new quota line.
1769
1770 echo Dynamic: 1048576 > /proc/ccs/mem
1771
1772 This quota is not applied to temporary
1773
1774 Fix 2008/12/09
1775
1776 @ Fix ccs_can_save_audit_log() checks.
1777
1778 Due to incorrect statement "if (ccs_can
1779 while ccs_can_save_audit_log() is boole
1780 MAX_REJECT_LOG were not working.
1781
1782 This bug will trigger OOM killer if /us
1783
1784 Fix 2008/12/24
1785
1786 @ Add "ccs_" prefix.
1787
1788 To be able to tell whether a symbol is
1789 I added "ccs_" prefix as much as possib
1790
1791 @ Fix ccs_check_flags() error message.
1792
1793 I meant to print SYAORAN-ERROR: message
1794 but I was printing it when error == 0 s
1795
1796 Fix 2009/01/05
1797
1798 @ Use kmap_atomic()/kunmap_atomic() for r
1799
1800 As remove_arg_zero() uses kmap_atomic(K
1801 kmap_atomic(KM_USER0) rather than kmap(
1802
1803 Fix 2009/01/28
1804
1805 @ Fix "allow_read" + "allow_write" != "al
1806
1807 Since 1.6.0 , due to a bug in ccs_updat
1808 appending "allow_read/write" entry didn
1809 and "allow_write" entries. As a result,
1810 but open(O_RDONLY) and open(O_WRONLY) f
1811
1812 Workaround is to write an entry twice w
1813 If written twice, internal "allow_read"
1814 are updated.
1815
1816 Fix 2009/02/26
1817
1818 @ Fix profile read error.
1819
1820 Incorrect profiles were shown in /proc/
1821 if either CONFIG_SAKURA or CONFIG_TOMOY
1822
1823 Fix 2009/03/02
1824
1825 @ Undelete CONFIG_TOMOYO_AUDIT option.
1826
1827 While HDD-less systems can use profiles
1828 MAX_REJECT_LOG=0 , I undeleted CONFIG_T
1829 memory used for /proc/ccs/grant_log and
1830
1831 Fix 2009/03/13
1832
1833 @ Show only profile entry names ever spec
1834
1835 Even if an administrator specifies only
1836 entries for /proc/ccs/profile , all ava
1837 This was designed to help administrator
1838 available, but sometimes makes administ
1839 entries showing default values.
1840
1841 Thus, I modified to show only profile e
1842
1843 Fix 2009/03/18
1844
1845 @ Add MAC_FOR_IOCTL functionality.
1846
1847 To be able to restrict ioctl() requests
1848 functionality.
1849
1850 This functionality requires modificatio
1851
1852 @ Use better name for socket's pathname.
1853
1854 Until now, socket's pathname was repres
1855 where \$ is inode's number. But inode's
1856 access control. Therefore, I modified t
1857 "socket:[family=\$:type=\$:protocol=\$]
1858
1859 This will help administrator to control
1860 precisely.
1861
1862 @ Fix misplaced ccs_capable() call. (onl
1863
1864 Location to insert ccs_capable(TOMOYO_S
1865 wrong since version 1.1 .
1866
1867 @ Insert ccs_check_ioctl_permission() cal
1868
1869 To make MAC_FOR_IOCTL functionality wor
1870 ccs_check_ioctl_permission() call into
1871
1872 Fix 2009/03/23
1873
1874 @ Move sysctl()'s check from ccs-patch-\*
1875
1876 Since try_parse_table() in kernel/sysct
1877 all versions, I moved that function to
1878
1879 @ Relocate definitions and functions.
1880
1881 To reduce exposed symbols, I relocated
1882
1883 Fix 2009/03/24
1884
1885 @ Add CONFIG_TOMOYO_BUILTIN_INITIALIZERS
1886
1887 Some systems don't have /sbin/modprobe
1888 Thus, I made these pathnames configurab
1889
1890 Version 1.6.7 2009/04/01 Feature enhancemen
1891
1892 Fix 2009/04/06
1893
1894 @ Drop "undelete domain" command.
1895
1896 I added "undelete domain" command on 20
1897 management tools. The garbage collector
1898 automatically reuse memory and allow ad
1899 periodically, provided that the adminis
1900 domains before recreating new domains w
1901
1902 Thus, I dropped "undelete domain" comma
1903
1904 @ Escape invalid characters in ccs_check_
1905
1906 ccs_check_mount_permission2() was passi
1907 and ccs_update_mount_acl() and ccs_chec
1908 /proc/ccs/system_policy and /proc/ccs/q
1909 characters within a string.
1910
1911 Fix 2009/04/07
1912
1913 @ Fix IPv4's "address_group" handling err
1914
1915 Since 1.6.5 , due to lack of ntohl() (b
1916 ccs_update_address_group_entry(), "addr
1917 not working.
1918
1919 This problem happens on little endian p
1920
1921 Fix 2009/05/08
1922
1923 @ Add condition for symlink's target path
1924
1925 Until now, "allow_symlink" keyword allo
1926 not check the symlink's target. Usually
1927 permission checks are done using derefe
1928 cases, we should restrict the symlink's
1929 "ln -s .htpasswd /var/www/html/readme.h
1930 blocked because we will allow Apache to
1931 /var/www/html/readme.html and /var/www/
1932
1933 Thus, I added new condition, "symlink.t
1934
1935 allow_symlink /var/www/html/\*.html i
1936
1937 allow_symlink /var/www/html/\*\-.\* i
1938
1939 @ Don't return -EAGAIN at ccs_socket_recv
1940
1941 It turned out that it is not permitted
1942 return -EAGAIN if poll() said connectio
1943 recvmsg() may return -EAGAIN and potent
1944 because ccs_socket_recvmsg_permission()
1945
1946 Thus, I modified ccs_socket_recvmsg_per
1947 rather than -EAGAIN.
1948
1949 Fix 2009/05/19
1950
1951 @ Don't call get_fs_type() with a mutex h
1952
1953 Until now, when ccs_update_mount_acl()
1954 filesystem, /sbin/modprobe is executed
1955 filesystem module. And get_fs_type() do
1956 finishes.
1957
1958 This means that it will cause deadlock
1959 executed via get_fs_type() in ccs_updat
1960 ccs_update_mount_acl(); although it won
1961 inserts execute_handler to call mount()
1962 add "allow_mount" entries to /proc/ccs/
1963
1964 I modified to unlock the mutex before c
1965
1966 Fix 2009/05/20
1967
1968 @ Update recvmsg() hooks.
1969
1970 Since 1.5.0, I was doing network access
1971 packets inside skb_recv_datagram(). But
1972 I moved ccs_recv_datagram_permission()
1973 udp_recvmsg()/udpv6_recvmsg()/raw_recvm
1974 change to ccs_recvmsg_permission().
1975
1976 Version 1.6.8 2009/05/28 Feature enhancemen
1977
1978 Fix 2009/07/03
1979
1980 @ Fix buffer overrun when used with CONFI
1981
1982 Since 1.6.7 , ccs_allocate_execve_entry
1983 bytes while the comment says it is 4096
1984 overrun when slob allocator is used, fo
1985 4000 bytes whereas slab and slub alloca
1986
1987 Fix 2009/09/01
1988
1989 @ Add garbage collector support.
1990
1991 Until now, it was impossible to release
1992 I added SRCU based garbage collector so
1993 policy will be automatically released.
1994
1995 @ Remove word length limitation and line
1996
1997 Until now, the max length of a word is
1998 is 8192. To be able to handle longer pa
1999 limitations. Now, the max length (excep
2000 argv[]/envp[]) is 128K (which is the ma
2001 can allocate in most environments).
2002
2003 @ Support more fine grained profile confi
2004
2005 Profile was reconstructed.
2006
2007 @ Support more fine grained parameters re
2008
2009 "allow_create", "allow_mkdir", "allow_m
2010 create mode. "allow_mkblock" and "allow
2011 major/minor device numbers. "allow_chmo
2012 checks new owner. "allow_chgrp" checks
2013
2014 @ Allow number grouping.
2015
2016 To help specifying numeric values, a ne
2017 introduced.
2018
2019 @ Remove "alias" directive and "allow_arg
2020
2021 Until now, "allow_execute" used derefer
2022 unless explicitly specified by "alias"
2023
2024 Now, "allow_execute" uses symlink's pat
2025 "exec.realpath" in "if" clause checks t
2026 "exec.argv[0]" in "if" clause checks th
2027
2028 @ Remove /proc/ccs/system_policy and /etc
2029
2030 "deny_autobind" was moved to /proc/ccs/
2031 /etc/ccs/exception_policy.conf . Other
2032 /proc/ccs/domain_policy and /etc/ccs/do
2033
2034 @ Remove syaoran filesystem.
2035
2036 Since "allow_create"/"allow_mkdir"/"all
2037 "allow_mkblock"/"allow_mkchar"/"allow_c
2038 can restrict mode changes and owner/gro
2039 restrict these changes at filesystem le
2040
2041 Thus, I removed syaoran filesystem.
2042
2043 @ Reduce spinlocks.
2044
2045 Until now, TOMOYO was using own list fo
2046 kernel 2.6.31 introduced memory leak de
2047 ( CONFIG_DEBUG_KMEMLEAK ), TOMOYO no lo
2048
2049 I removed the list to reduce use of spi
2050
2051 @ Rewrite ccs-patch-2.\*.diff .
2052
2053 ccs-patch-2.\*.diff was rewritten like
2054
2055 @ Don't check "allow_read/write" for open
2056
2057 open(pathname, 3) means open for ioctl(
2058 Until now, TOMOYO was checking "allow_r
2059 But since TOMOYO checks "allow_ioctl" f
2060 require "allow_read/write" for open(pat
2061
2062 @ Add missing sigqueue() and tgsigqueue()
2063
2064 Until now, kill(), tkill(), tgkill() ha
2065 tgsigqueue() didn't.
2066
2067 @ Move files from fs/ to security/ccsecur
2068
2069 Config menu section changed from "File
2070
2071 Kernel config symbols changed from CONF
2072 CONFIG_SYAORAN to CONFIG_CCSECURITY .
2073
2074 @ Add global PID to audit logs.
2075
2076 ccs-queryd was using domainname for rea
2077 belongs to, but the domain could be del
2078 policy violation. If the domain is dele
2079 reach the domain by domainname. Thus, c
2080 reaching the domain which the process b
2081
2082 Kernel 2.6.24 introduced PID namespace.
2083 by a process inside a container is usel
2084 the domain which the process belongs to
2085
2086 Thus, I added global PID in audit logs.
2087
2088 @ Transit to new domain before do_execve(
2089
2090 Permission checks for interpreters and
2091 done using new domain. In order to allo
2092 domain via global PID, I reverted "Don'
2093 do_execve() succeeds." made on 2008/10/
2094
2095 Version 1.7.0 2009/09/03 Feature enhancemen
2096
2097 Fix 2009/09/04
2098
2099 @ Fix wrong ccs_profile() calls.
2100
2101 I can't call ccs_profile() for profile
2102 ccs_profile() never returns NULL.
2103
2104 Fix 2009/09/06
2105
2106 @ Fix wrong error code in ccs_try_alt_exe
2107
2108 ccs_try_alt_exec() was returning ENOMEM
2109 It needs to return -ENOMEM to fail.
2110
2111 Fix 2009/09/10
2112
2113 @ Do not check umount() permission for mo
2114
2115 Until 1.6.x , umount() restriction was
2116 white listing. This change caused "moun
2117 require "allow_unmount old" permission
2118 "allow_mount old new --move 0" permissi
2119 But we don't want to allow umount(old)
2120 only mount(old, new, MS_MOVE) requests.
2121 "allow_unmount old" permission for moun
2122
2123 Fix 2009/09/11
2124
2125 @ Support recursive match operators.
2126
2127 Until now, ccs_path_matches_pattern() d
2128 comparison. Thus, users had to repeat "
2129 recursively.
2130
2131 I introduced "\{" and "\}" as repetitio
2132 To ensure consistency with TOMOYO's '/'
2133 and "\-" operator, only "/\{dir\}/" seq
2134 '/') is permitted.
2135
2136 Fix 2009/09/24
2137
2138 @ Don't check chmod/chown capability for
2139
2140 Until now, ccs_setattr_permission() was
2141 But notify_change() is also called by r
2142 and it made difficult to use TOMOYO on
2143
2144 Thus, I moved ccs_capable() checks from
2145 ccs_chmod_permission() and ccs_chown_pe
2146 ccs_setattr_permission().
2147
2148 Fix 2009/09/25
2149
2150 @ Embed more information into audit logs.
2151
2152 Until now, /proc/ccs/grant_log /proc/cc
2153 not printing file's information (e.g. f
2154
2155 Recently, users who started using "if"
2156 mode automatically adds various conditi
2157
2158 But the profile will become too complic
2159 conditions. Thus, I added all informati
2160 "if" clause with all possible condition
2161
2162 Now, the learning mode got different us
2163 "CONFIG::learning={ max_entry=0 }" in t
2164 are not permitted by policy will be sen
2165 "mode=learning" header lines. Users can
2166 and append to the policy using "/usr/sb
2167 The learning mode with "CONFIG::learnin
2168 the same with the permissive mode, only
2169 and "mode=permissive".
2170
2171 Fix 2009/10/05
2172
2173 @ Fix size truncation bug at ccs_memcmp()
2174
2175 ccs_memcmp() was using "u8" for size pa
2176 size >= 256 was passed to ccs_memcmp(),
2177 (incorrect result) or read overrun (CPU
2178
2179 ccs_memcmp() should use "size_t" for si
2180 "struct ccs_condition" may exceed 256 b
2181 given.
2182
2183 Fix 2009/10/08
2184
2185 @ Add CONFIG_CCSECURITY_DEFAULT_LOADER op
2186
2187 I made the default policy loader's path
2188 configurable.
2189
2190 @ Add CONFIG_CCSECURITY_ALTERNATIVE_TRIGG
2191
2192 Some environments do not have /sbin/ini
2193 to use different program's pathname (e.
2194 activation trigger.
2195
2196 Thus, I made the alternative trigger (
2197
2198 Fix 2009/11/02
2199
2200 @ Fix buffer contention.
2201
2202 A permission like
2203
2204 allow_env PATH if exec.envp["PATH"]="
2205
2206 was not working since I was using the s
2207 variable's name and value.
2208
2209 Fix 2009/11/03
2210
2211 @ Fix memory leak in ccs_write_address_gr
2212
2213 I forgot to call kfree() if same entry
2214
2215 @ Reduce mutexes.
2216
2217 I was using mutex_lock()/mutex_unlock()
2218 atomic_dec_and_test() for removing an e
2219 I moved that operation to garbage colle
2220 of mutex_lock()/mutex_unlock() calls.
2221
2222 @ Escape from nested loops correctly.
2223
2224 In ccs_read_address_group_policy(), I w
2225 correctly. But in ccs_read_path_group_p
2226 ccs_read_number_group_policy(), I wasn'
2227
2228 As a result, reading path_group and num
2229 when they were not read atomically.
2230
2231 Fix 2009/11/06
2232
2233 @ Fix incorrect allow_mount audit log.
2234
2235 Audit log for allow_mount was using dec
2236 It needs to use hexadecimal format.
2237
2238 Fix 2009/11/09
2239
2240 @ Add profile version check.
2241
2242 To avoid upgrading from TOMOYO 1.6.x to
2243 /proc/ccs/profile (which results in not
2244 I added a check for PROFILE_VERSION= .
2245
2246 Version 1.7.1 2009/11/11 Fourth anniversary
2247
2248 Fix 2009/11/13
2249
2250 @ Don't use core_initcall() for initializ
2251
2252 Some kernels call TOMOYO's hooks before
2253 Thus, I can't use core_initcall() for in
2254
2255 Fix 2009/11/18
2256
2257 @ Don't check "allow_write" permission fo
2258
2259 Since TOMOYO checks "allow_truncate" pe
2260 permission for O_TRUNC, I need to disti
2261 and open(O_RDWR | O_TRUNC). But I made
2262 1.7.1 which made it impossible for TOMO
2263 to distinguish them.
2264
2265 Fix 2009/11/27
2266
2267 @ Use newly created domain's name for dom
2268
2269 Since 1.7.0 , /proc/ccs/reject_log was
2270 name when auditing newly created domain
2271
2272 Fix 2009/12/12
2273
2274 @ Use rcu_read_lock() for find_task_by_pi
2275
2276 Since kernel 2.6.18 , caller of find_ta
2277 rcu_read_lock() rather than read_lock(&
2278 uses RCU primitives but spinlock does n
2279 preemptive RCU ( CONFIG_PREEMPT_RCU or
2280 enabled.
2281
2282 Fix 2009/12/15
2283
2284 @ Allow deleting "quota_exceeded" and "tr
2285
2286 To notify users of "this domain has too
2287 process in this domain was not able to
2288 "quota_exceeded" and "transition_failed
2289 These messages were not deletable. But
2290 to be notified again if such events occ
2291 Thus, I made these messages deletable.
2292
2293 Fix 2009/12/17
2294
2295 @ Don't check read permission in ccs_try_
2296
2297 While I was trying to remove ccs_execve
2298 between TOMOYO 1.7.0 and 1.7.1 , I made
2299 check allow_read permission of the prog
2300 and denied_execute_handler keywords.
2301
2302 @ Don't check DAC permission if disabled
2303
2304 I was checking DAC permissions regardin
2305 operations (e.g. mkdir()) even if mode=
2306 resource to check DAC permissions when
2307 Thus, I modified to skip DAC permission
2308
2309 Fix 2009/12/19
2310
2311 @ Fix memory leak in ccs_environ().
2312
2313 When I fixed a bug that a permission li
2314
2315 allow_env PATH if exec.envp["PATH"]="
2316
2317 was not working (2009/11/02), I allocat
2318 was released.
2319
2320 This bug will trigger OOM killer if env
2321 enabled.
2322
2323 Fix 2010/01/17
2324
2325 @ Use current domain's name for execute_h
2326
2327 Since 1.6.7 , /proc/ccs/grant_log was b
2328 when auditing current domain's "execute
2329
2330 Fix 2010/03/02
2331
2332 @ Allow domain transition without execve(
2333
2334 To be able to split permissions for Apa
2335 executed without execve(), I added spec
2336 performed by atomically writing '\0'-te
2337 /proc/ccs/.transition interface. For ex
2338 "<kernel> /usr/sbin/httpd" domain will
2339 "<kernel> /usr/sbin/httpd //app=cgi1\04
2340 writing "app=cgi1 id=10000" + '\0' to /
2341 Apache's ap_hook_handler() functionalit
2342
2343 Note that '\0'-terminated binary string
2344 inside kernel and prefix "//" is automa
2345 that domainname does not conflict with
2346 Without this prefix, if "<kernel> /usr/
2347 allowed to open /proc/ccs/.transition f
2348 "<kernel> /usr/sbin/sshd /bin/bash /usr
2349 access /etc/shadow , /bin/bash will be
2350 atomically writing "/usr/bin/passwd" +
2351 Allowing /bin/bash to access /etc/shado
2352
2353 Permission for this operation is checke
2354 Unlike "allow_execute" keyword, the str
2355 keyword does not refer a real file on f
2356 you can store any combination of parame
2357 string parameter for "allow_transit" ke
2358
2359 Fix 2010/03/08
2360
2361 @ Allow building as loadable kernel modul
2362
2363 To be able to minimize filesize increme
2364 possible to compile TOMOYO Linux as loa
2365 Although patching the kernel source and
2366 inevitable, this change will make it ea
2367 when there is a filesize limitation on
2368
2369 Fix 2010/03/25
2370
2371 @ Fix ccs_get_ipv6_address() bug.
2372
2373 Since 1.7.0 , ccs_get_ipv6_address() wa
2374 "struct list_head ccs_address_list" if
2375 As a result, ccs_put_ipv6_address() wil
2376 "struct list_head ccs_address_list" if
2377
2378 Fix 2010/03/26
2379
2380 @ Fix ccs_lport_reserved() bug.
2381
2382 Since 1.7.0 , ccs_lport_reserved() was
2383 number. As a result, "deny_autobind" ke
2384
2385 Version 1.7.2 2010/04/01 Feature enhancemen
2386
2387 Fix 2010/04/10
2388
2389 @ Fix invalid "struct nameidata" to "stru
2390
2391 Regarding kernels 2.6.24 and earlier, I
2392 to "struct path" in caller side so that
2393 parameter type. But it turned out that
2394 standards and did not work with gcc 4.x
2395 keyword was not working as expected.
2396
2397 Fix 2010/05/05
2398
2399 @ Fix incorrect audit on/off control.
2400
2401 The grant_log= and reject_log= paramete
2402 used because I forgot to update request
2403 CONFIG::file::execute were used for CON
2404
2405 Those of CONFIG::file::rewrite were not
2406 request type. As a result, those of CON
2407 CONFIG::file::rewrite .
2408
2409 Fix 2010/05/10
2410
2411 @ Fix incorrect out of memory warning.
2412
2413 Out of memory warnings were not printed
2414
2415 Fix 2010/05/27
2416
2417 @ Add missing rcu_dereference() for ccs_f
2418
2419 Since 1.7.0 , ccs_find_execute_handler(
2420 list_for_each_entry() rather than list_
2421 This bug affects only Alpha architectur
2422
2423 Fix 2010/06/03
2424
2425 @ Fix missing sanity check for "file_patt
2426
2427 Since 1.7.0 , ccs_write_pattern_policy(
2428 invalid pathname.
2429
2430 Fix 2010/06/09
2431
2432 @ Add missing ccs_put_name() in ccs_parse
2433
2434 Since 1.7.0 , ccs_parse_envp() was not
2435 environment variable's value ('if exec.
2436 was invalid.
2437
2438 @ Add missing NULL check in ccs_condition
2439
2440 Since 1.7.0 , if 'if symlink.target=' p
2441 permissions (e.g. allow_env PATH if sym
2442 NULL pointer dereference.
2443
2444 Fix 2010/10/28
2445
2446 @ Fix umount() pathname calculation.
2447
2448 "mount --bind /path/to/file1 /path/to/f
2449 Therefore, "umount /path/to/file2" is a
2450 Do not automatically append trailing '/
2451 does not end with '/'.
2452
2453 @ Add preserve KABI compatibility option.
2454
2455 TOMOYO needs "struct ccs_domain_info *"
2456 "struct task_struct". But embedding the
2457 "struct task_struct" breaks KABI for pr
2458 means that you will need to rebuild pre
2459
2460 Since KABI is commonly used (compared t
2461 rebuild kernel modules which are not in
2462 longer preferable. Therefore, I added a
2463 "struct task_struct" unmodified in orde
2464
2465 Note that you have to use ccs-patch-2.6
2466 kernel/fork.c in order to use this opti
2467 memory whenever "struct task_struct" is
2468
2469 @ Change directives.
2470
2471 I removed "allow_" prefix from directiv
2472 prefixed with "file ". For example, "al
2473 "allow_ioctl" changed to "file ioctl".
2474 TCP" is "network inet stream", "allow_n
2475 dgram", "allow_network RAW" is "network
2476 "allow_env" is "misc env". New directiv
2477 signal". New directive for "allow_capab
2478 directives correspond with keywords use
2479
2480 I removed "deny_rewrite" and "allow_rew
2481 "file append" directive. Thus, permissi
2482 changed from "allow_write" + "allow_rew
2483
2484 I removed "SYS_MOUNT", "SYS_UMOUNT", "S
2485 "SYS_LINK", "SYS_SYMLINK", "SYS_RENAME"
2486 "SYS_CHOWN", "SYS_IOCTL", "SYS_PIVOT_RO
2487 because these permissions can be checke
2488 "file mount", "ipc signal").
2489
2490 I also removed "conceal_mount" keyword
2491 check requires hooks in filesystem part
2492 filesystem part have moved to LSM by Li
2493
2494 New directive for "execute_handler" is
2495 "denied_execute_handler" is "task denie
2496
2497 @ Distinguish send() and recv() operation
2498
2499 Until now, it was impossible for UDP an
2500 only sending or only receiving because
2501 "connect" keyword. I broke "connect" ke
2502 keywords so that you can keep access co
2503 when you have to disable access control
2504 application breakage by discarding inco
2505
2506 @ Add Unix domain socket restriction supp
2507
2508 Until now, it was possible to restrict
2509 TCP/UDP/RAW). I added restriction for U
2510 dgram/seqpacket). New directive "networ
2511 "network inet" directive.
2512
2513 @ Allow specifying multiple permissions i
2514
2515 Until now, only "allow_read/write" can
2516 "allow_read" + "allow_write". Now, you
2517 long as type of parameters for these pe
2518 "file read/write/append/execute/unlink/
2519 but "file read/write/create /tmp/file"
2520 requires create mode whereas "file read
2521
2522 @ Allow wildcard for execute permission a
2523
2524 Until now, to execute programs with tem
2525 needed. To simplify code, I modified to
2526 permission and domainname. Now, you can
2527 "file execute /tmp/logrotate.\?\?\?\?\?
2528 "/tmp/logrotate.\?\?\?\?\?\?" within do
2529
2530 @ Change pathname for non-rename()able fi
2531
2532 LSM version of TOMOYO wants to use /pro
2533 $PID matches current thread's process I
2534 thread from accessing other process's i
2535 But since procfs can be mounted on vari
2536 /p/ /tmp/foo/100/p/ ), LSM version of T
2537 numeric part in the string returned by
2538 or not.
2539
2540 Therefore, to be able to convert from $
2541 is mounted, I changed pathname represen
2542 not support rename() operation (e.g. pr
2543
2544 Now, "/proc/self/mounts" changed to "pr
2545 "/sys/kernel/security/" changed to "sys
2546 "/dev/pts/0" changed to "devpts:/0".
2547
2548 @ Add a new keyword "any" for domain tran
2549
2550 To be able to make it easier to apply a
2551 domain, I added "any" keyword to domain
2552 "initialize_domain /usr/sbin/sshd" chan
2553 "initialize_domain /usr/sbin/sshd from
2554 "keep_domain <kernel> /usr/sbin/sshd /b
2555 "keep_domain any from <kernel> /usr/sbi
2556
2557 "keep_domain /path/to/auto_execute_hand
2558 apply auto_execute_handler for any doma
2559 auto_execute_handler.
2560
2561 @ Change buffering mode for reading polic
2562
2563 To be able to read() very very long lin
2564 TOMOYO buffers policy for reading.
2565
2566 @ Introduce "acl_group" keyword.
2567
2568 Until now, it was possible to specify o
2569 keywords in the exception policy.
2570
2571 Since some operations like "file read/w
2572 "network UDP send/recv @DNS_SERVER 53"
2573 permitted to all domains, I introduced
2574 such permissions.
2575
2576 For example, specify "acl_group 0 file
2577 the exception policy and specify "use_g
2578 domain policy.
2579
2580 "ignore_global_allow_read" and "ignore_
2581 removed from domain policy and "use_gro
2582
2583 @ Remove "if" and "; set" keyword.
2584
2585 I removed need for specifying these key
2586 You can simply specify like below.
2587
2588 file read /etc/shadow task.uid=0
2589
2590 @ Remove "file_pattern" keyword.
2591
2592 I removed "file_pattern" keyword becaus
2593 all possible pathname patterns. Also, l
2594 patterns makes it difficult to later re
2595
2596 @ Replace verbose= parameter with statist
2597
2598 Since it is noisy if a lot of policy vi
2599 I removed printk(). To be able to check
2600 or not, I introduced /proc/ccs/stat int
2601 policy violations occurred. You can fir
2602 check /proc/ccs/reject_log .
2603
2604 @ Remove global preference.
2605
2606 I removed global preference in order to
2607
2608 @ Allow controlling generation of access
2609 basis.
2610
2611 I added per-entry flag which controls g
2612 Xen and KVM issues ioctl requests so fr
2613
2614 file ioctl /dev/null 0x5401 grant_log
2615
2616 will suppress /proc/ccs/grant_log even
2617
2618 file ioctl /dev/null 0x5401 grant_log
2619
2620 will generate /proc/ccs/grant_log even
2621
2622 file ioctl /dev/null 0x5401
2623
2624 will generate /proc/ccs/grant_log only
2625
2626 This flag is intended for frequently ac
2627
2628 file read /var/www/html/\{\*\}/\*.htm
2629
2630 .
2631
2632 @ Automatically create domain by execve()
2633
2634 Until now, new domains are not created
2635 current domain is enforcing mode ("CONF
2636
2637 To be able to restrict shell session wi
2638 I changed to create new domains automat
2639 enforcing mode.
2640
2641 @ Replace "task.state" with "auto_domain_
2642
2643 task.state is difficult to use. Thus, I
2644 auto_domain_transition which performs d
2645 changing current process's state variab
2646
2647 If domain transition failed, current pr
2648 signal. This should not happen in norma
2649 domain to transit to and thereby you wi
2650 when you use "auto_domain_transition" k
2651
2652 @ Replace "allow_transit" with "task manu
2653
2654 I changed this directive to specify abs
2655 "<kernel> /usr/sbin/httpd //app=cgi1\04
2656 pathname (e.g. "//app=cgi1\040id=10000"
2657 transit to and thereby you will define
2658 "task manual_domain_transition" directi
2659
2660 This change allows you to jump to arbit
2661
2662 Note that this change also reverts "Cha
2663 made on 2006/10/24. Now, 'cat < /proc/c
2664 'cat /proc/ccs/info/self_domain'. Progr
2665 need to be updated.
2666
2667 @ Add "task auto_domain_transition".
2668
2669 This is similar to "task manual_domain_
2670 applied whenever conditions are met. Fo
2671
2672 task auto_domain_transition <kernel>
2673
2674 will automatically jump to "<kernel> //
2675 process's UID is not 0 whereas
2676
2677 task manual_domain_transition <kernel
2678
2679 will jump to "<kernel> //./non-root" do
2680 not 0 and current process wrote "<kerne
2681 /proc/ccs/self_domain interface.
2682
2683 If domain transition failed, current pr
2684 signal.
2685
2686 @ Optimize for object's size.
2687
2688 I merged similar code in order to reduc
2689
2690 Version 1.8.0 2010/11/11 Fifth anniversary
2691
2692 Fix 2010/12/01
2693
2694 @ Use same interface for audit logs.
2695
2696 To be able to perform fine grained filt
2697 I merged /proc/ccs/grant_log and /proc/
2698 /proc/ccs/audit and added granted=yes o
2699
2700 Fix 2010/12/17
2701
2702 @ Split ccs_null_security into ccs_defaul
2703
2704 ccs_null_security is used by preserve K
2705 used for providing default values again
2706 allocated memory for their security con
2707
2708 If current thread failed to allocate me
2709 context, current thread uses ccs_null_s
2710 allowed to modify current thread's secu
2711 modify ccs_null_security which should n
2712
2713 Therefore, I split ccs_null_security in
2714 ccs_oom_security and use ccs_oom_securi
2715 allocate memory for current thread's se
2716
2717 Threads which do not share ccs_oom_secu
2718 which share ccs_oom_security. Threads w
2719 experience temporary inconsistency, but
2720 killed by SIGKILL signal.
2721
2722 Fix 2011/01/11
2723
2724 @ Use filesystem name for unnamed devices
2725
2726 "Change pathname for non-rename()able f
2727 "$fsname:" if the filesystem does not s
2728 "dev($major,$minor):" otherwise when vf
2729 out that it is useless to use "dev($maj
2730 (filesystems with $major == 0). Thus, I
2731 than "dev($major,$minor):" for filesyst
2732 is missing.
2733
2734 Fix 2011/02/07
2735
2736 @ Fix infinite loop bug when reading /pro
2737
2738 In ccs_flush(), head->r.w[0] holds poin
2739 But head->r.w[0] was updated only when
2740 printed (because head->r.w[0] will be u
2741 completely printed). However, regarding
2742 /proc/ccs/query , an additional '\0' is
2743 completely printed. But if free space f
2744 printing the additional '\0', ccs_flush
2745 head->r.w[0]. As a result, ccs_flush()
2746 string data.
2747
2748 Fix 2011/03/01
2749
2750 @ Run garbage collector without waiting f
2751
2752 Currently TOMOYO holds SRCU lock upon o
2753 because list elements stored in the "st
2754 accessed until close() is called. Howev
2755 to complain about leaving the kernel wi
2756 I changed to hold/release SRCU upon eac
2757 deferring kfree() by keeping track of t
2758 instances.
2759
2760 Fix 2011/03/05
2761
2762 @ Support built-in policy configuration.
2763
2764 To be able to start using enforcing mod
2765 sequence, I added support for built-in
2766 activating access control without calli
2767
2768 This will be useful for systems where o
2769 hijacking of the boot sequence are need
2770 For example, you can activate immediate
2771 policy which will allow only operations
2772 which contains the variant part of poli
2773 check) and loading the variant part of
2774 enforcing mode from the beginning, you
2775 hijacking the boot sequence.
2776
2777 Fix 2011/03/10
2778
2779 @ Remove /proc/ccs/meminfo interface.
2780
2781 Please use /proc/ccs/stat interface ins
2782
2783 Fix 2011/03/15
2784
2785 @ Pack policy when printing via /proc/ccs
2786
2787 The kernel side is ready for accepting
2788
2789 file read/write/execute /path/to/file
2790
2791 but was using unpacked output like
2792
2793 file read /path/to/file
2794 file write /path/to/file
2795 file execute /path/to/file
2796
2797 because most of userland tools were not
2798
2799 The advantages of using packed policy a
2800 smaller and it speeds up loading/saving
2801
2802 Since most of userland tools are ready
2803 I changed to use packed policy for both
2804
2805 Fix 2011/03/31
2806
2807 @ Fix conditional policy parsing.
2808
2809 Since exec.realpath= and symlink.target
2810 symlink.target="@foo" was by error pars
2811
2812 @ Serialize updating profile's comment li
2813
2814 We need to serialize when updating COMM
2815
2816 Version 1.8.1 2011/04/01 Usability enhanc
2817
2818 Fix 2011/04/03
2819
2820 @ Fix fcntl(F_SETFL, O_APPEND) handling.
2821
2822 Since 1.8.0, TOMOYO was by error checki
2823 than "file append" permission when chan
2824 "overwriting" to "append".
2825
2826 This error should impact little (except
2827 a file was opened for "overwriting" mod
2828 mode cannot undo overwriting the file.
2829 due to different ACC_MODE definition, T
2830 checking "file read" permission when fc
2831
2832 Fix 2011/04/20
2833
2834 @ Remove unused "struct inode *" paramete
2835
2836 Since pre-vfs functions were removed on
2837 parameter which was used for checking p
2838 is no longer used.
2839
2840 Note that "struct ccsecurity_operations
2841 Loadable kernel modules that depends on
2842
2843 Fix 2011/05/05
2844
2845 @ Fix wrong profile number in audit logs
2846
2847 Profile number used for "file execute"
2848 when generating audit logs for "misc en
2849
2850 Fix 2011/05/11
2851
2852 @ Fix wrong domainname validation.
2853
2854 "<kernel>" + "/foo/\" + "/bar" was by e
2855 "<kernel> /foo/\* /bar" was given. As a
2856 "<kernel> /foo/\* /bar" are rejected.
2857
2858 Fix 2011/06/06
2859
2860 @ Add policy namespace support.
2861
2862 To be able to use TOMOYO in LXC environ
2863 namespace. Each policy namespace has it
2864 exception policy and profiles, which ar
2865 namespaces.
2866
2867 @ Remove CONFIG_CCSECURITY_BUILTIN_INITIA
2868
2869 From now on, exception policy and manag
2870 policy namespace (which is a <$namespac
2871 Thus, space-separated list for CONFIG_C
2872 no longer suitable for handling policy
2873
2874 Fix 2011/06/10
2875
2876 @ Allow specifying trigger for activation
2877
2878 To be able to use TOMOYO under systemd
2879 is used, I changed to allow overriding
2880 policy loader and activating MAC via ke
2881
2882 Fix 2011/06/14
2883
2884 @ Remove unused "struct inode *" paramete
2885
2886 To follow changes I made on 2011/04/20,
2887 ccs_mknod_permission(), ccs_mkdir_permi
2888 ccs_unlink_permission(), ccs_symlink_pe
2889 ccs_rename_permission() that are called
2890 net/unix/af_unix.c include/linux/securi
2891 If you have your own ccs-patch-*.diff ,
2892
2893 Version 1.8.2 2011/06/20 Usability enhanc
2894
2895 Fix 2011/07/07
2896
2897 @ Remove /proc/ccs/.domain_status interfa
2898
2899 Writing to /proc/ccs/.domain_status can
2900
2901 ( echo "select " $domainname; echo "u
2902 /usr/sbin/ccs-loadpolicy -d
2903
2904 and reading from /proc/ccs/.domain_stat
2905
2906 grep -A 1 '^<' /proc/ccs/domain_polic
2907 awk ' { if ( domainname == "" ) { if
2908 domainname = $0; } else if ( $1 == "u
2909 print $2 " " domainname; domainname =
2910
2911 . Since this interface is used by only
2912 remove this interface by updating /usr/
2913
2914 Fix 2011/07/09
2915
2916 @ Fix /proc/ccs/stat parser.
2917
2918 For optimization, I changed to use simp
2919 in ccs_write_stat(). But it caused pars
2920 before value (e.g. "Memory used by poli
2921
2922 Fix 2011/07/13
2923
2924 @ Accept "::" notation for IPv6 address.
2925
2926 In order to add network access restrict
2927 routines for parsing/printing IPv4/IPv6
2928 TOMOYO 1.8.2.
2929 Now, IPv6 address accepts "::1" instead
2930
2931 Fix 2011/09/03
2932
2933 @ Avoid race when retrying "file execute"
2934
2935 There was a race window that the pathna
2936 "file execute" permission check when re
2937 because the pathname was recalculated u
2938 inevitable race window even without sup
2939 the symbolic link's pathname from "stru
2940 than from "struct linux_binprm"->file b
2941 the symbolic link's pathname from the d
2942
2943 @ Remove unneeded daemonize().
2944
2945 Garbage collector thread is created usi
2946 Kernel threads created by kthread_creat
2947 daemonize().
2948
2949 Fix 2011/09/16
2950
2951 @ Allow specifying domain transition pref
2952
2953 I got an opinion that it is difficult t
2954 transition control directives because t
2955 specified to "file execute" directives.
2956 /bin/\*\-ls\-cat" is given, correspondi
2957 directive needs to be like "no_keep_dom
2958
2959 To solve this difficulty, I introduced
2960 exception policy's domain transition co
2961
2962 file execute /bin/ls keep exec.realpa
2963 file execute /bin/cat keep exec.realp
2964 file execute /bin/\*\-ls\-cat child
2965 file execute /usr/sbin/httpd <apache>
2966
2967 This argument allows transition to diff
2968
2969 <kernel> /usr/sbin/sshd
2970 file execute /bin/bash <kernel> /usr/
2971 file execute /bin/bash <kernel> /usr/
2972 file execute /bin/bash <kernel> /usr/
2973
2974 Fix 2011/09/25
2975
2976 @ Simplify garbage collector.
2977
2978 It turned out that use of batched proce
2979 collector when certain pattern of entri
2980 with sequential processing.
2981
2982 Version 1.8.3 2011/09/29 Usability enhanc
2983
2984 Fix 2011/10/24
2985
2986 @ Fix incomplete read after seek.
2987
2988 ccs_flush() tries to flush data to be r
2989 ccs_select_domain() (which is called by
2990 meant to be read by next read(), but pr
2991 size was not cleared. As a result, sinc
2992
2993 char *cp = "select global-pid=1\n";
2994 read(fd, buf1, sizeof(buf1));
2995 write(fd, cp, strlen(cp));
2996 read(fd, buf2, sizeof(buf2));
2997
2998 causes enqueued data to be flushed to b
2999
3000 @ Use query id for reaching target proces
3001
3002 Use query id for reaching target proces
3003 target process's global PID. This is fo
3004 but this change makes /usr/sbin/ccs-que
3005 kernel will return empty domain policy
3006 ccs-queryd reaches target process's dom
3007
3008 @ Fix quota counting.
3009
3010 "task manual_domain_transition" should
3011 "task auto_domain_transition"/"task aut
3012 "task denied_execute_handler" because t
3013 mode.
3014
3015 Fix 2011/11/11
3016
3017 @ Optimize for object's size.
3018
3019 I rearranged functions/variables into t
3020 object's filesize. Also, I added kernel
3021 by excluding unnecessary functionality.
3022
3023 Fix 2011/11/18
3024
3025 @ Fix kernel config mapping error.
3026
3027 Due to a typo in ccs_p2mac definition,
3028 by error used when checking "file getat
3029 not be affected by this error because C
3030 CONFIG::file::getattr are by default co
3031 CONFIG settings.
3032
3033 Fix 2011/12/13
3034
3035 @ Follow __d_path() behavior change. (Onl
3036
3037 The behavior of __d_path() has changed
3038 NULL when the pathname cannot be calcul
3039 version when using with 3.2-rc5 and lat
3040 panic because ccs_get_absolute_path() t
3041
3042 The patch that changed the behavior of
3043 2.6.36 to 3.1 kernels. You must update
3044 backported, or you will experience the
3045
3046 The patch that changed the behavior of
3047 handling pathnames under lazy-unmounted
3048 using incomplete pathnames returned by
3049 under lazy-unmounted directory. But fro
3050 pathnames returned by ccs_get_local_pat
3051 lazy-unmounted directory (because __d_p
3052
3053 Since applications unlikely do lazy unm
3054 lazy-unmounted directory should not hap
3055 explicitly does lazy unmounts. But path
3056 conditions in the policy file (if any)
3057
3058 Fix 2012/01/20
3059
3060 @ Follow changes in 3.3-rc1.
3061
3062 Use umode_t rather than mode_t.
3063 Remove ipv6_addr_copy() usage.
3064
3065 Fix 2012/02/25
3066
3067 @ Follow changes in linux-next.
3068
3069 UMH_WAIT_PROC constant (currently 1) is
3070
3071 Use UMH_WAIT_PROC constant instead of h
3072 for backporting call_usermodehelper() r
3073 backported, you will start experiencing
3074 of external policy loader (i.e. /sbin/c
3075 longer wait for completion of external
3076
3077 Although I changed to use UMH_WAIT_PROC
3078 to detect renumbering in 2.6.22 and ear
3079 constant is currently available to only
3080 started to experience the kernel panic,
3081 was backported or not.
3082
3083 Fix 2012/02/29
3084
3085 @ Fix mount flags checking order.
3086
3087 Userspace can pass in arbitrary combina
3088
3089 If both MS_BIND and one of MS_SHARED/MS
3090 are passed, device name which should be
3091 checked because MS_SHARED/MS_PRIVATE/MS
3092 priority than MS_BIND.
3093
3094 If both one of MS_BIND/MS_MOVE and MS_R
3095 which should not be checked for MS_REMO
3096 MS_MOVE had higher priority than MS_REM
3097
3098 Fix these bugs by changing priority to
3099 MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBIND
3100 does. Also, I changed to unconditionall
3101 of MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNB
3102 will not generate inaccurate audit logs
3103 check mount flags passed to change_mnt_
3104 these flags must be exclusively passed.
3105
3106 Fix 2012/03/08
3107
3108 @ Allow returning other errors when ptrac
3109
3110 Currently -EPERM is returned when ccs_p
3111 error code. I changed to return return
3112 so that we can return -ESRCH when targe
3113
3114 Fix 2012/03/16
3115
3116 @ Return appropriate value to poll().
3117
3118 Return POLLIN | POLLRDNORM | POLLOUT |
3119 POLLOUT | POLLWRNORM otherwise.
3120
3121 Fix 2012/04/22
3122
3123 @ Readd RHEL_MINOR/AX_MINOR checks.
3124
3125 This check was added in revision 2346 a
3126
3127 Add it back in order to support RHEL 5.
3128
3129 @ Fix skb_kill_datagram() for kernels 2.6
3130
3131 Commit 208d8984 "[IPV4]: Fix BUG() in 2
3132 CONFIG_HIGHMEM" clarified that skb_kill
3133 spin_lock_bh()/spin_unlock_bh() rather
3134 spin_lock_irq()/spin_unlock_irq().
3135
3136 RHEL 4.9 (2.6.9) kernel has that patch
3137
3138 @ Fix missing locks for RHEL 5.2-5.8 kern
3139
3140 Since RHEL 5.2 and later kernels have b
3141 "[UDP]: Add memory accounting." patch,
3142 lock_sock()/release_sock() around skb_k
3143 packet was dropped by TOMOYO.
3144
3145 Fix 2012/04/28
3146
3147 @ Accept manager programs which do not st
3148
3149 The pathname of /usr/sbin/ccs-editpolic
3150 CD is squashfs:/usr/sbin/ccs-editpolicy
3151 /usr/sbin/ccs-editpolicy . Therefore, w
3152 programs which do not start with / .
3153
3154 Fix 2012/10/08
3155
3156 @ Fix KABI breakage on Ubuntu 12.10.
3157
3158 I was using include/linux/security.h as
3159 include/linux/ccsecurity.h so that I ca
3160
3161 When scripts/genksyms/genksyms calculat
3162 file, it uses the extracted form of inv
3163 layout is known but it instead uses UNK
3164 not known. Therefore, pulling in includ
3165 layout from include/linux/ccsecurity.h
3166 and causes KABI breakage, even if no ch
3167 structures.
3168
3169 Fix this breakage by avoiding pulling i
3170 include/linux/dcache.h from include/lin
3171
3172 Fix 2015/01/01
3173
3174 @ Fix missing chmod(-1) check in Linux 3.
3175
3176 Commit e57712ebebbb9db7 "merge fchmod()
3177 ancient broken kludge" changed chmod(-1
3178 07777. Therefore, TOMOYO must not ignor
3179
3180 @ Fix potentially using bogus attributes
3181
3182 We should reset attributes information
3183 program, or attributes of original prog
3184 on execute_handler program failed.
3185
3186 Fix 2015/04/08
3187
3188 @ Fix incorrect readdir() permission chec
3189
3190 CONFIG_CCSECURITY_FILE_READDIR was mean
3191 readdir() permission check. However, CO
3192 by error used for controlling readdir()
3193 should not affect kernels built with de
3194 CONFIG_CCSECURITY_FILE_READDIR and CONF
3195 defined by default.
3196
3197 Fix 2015/04/15
3198
3199 @ Fix incorrect retry request check.
3200
3201 When a request was asked to retry, acl_
3202 use_group keyword was by error ignored.
3203 able to use permissions defined by acl_
3204
3205 Fix 2015/05/01
3206
3207 @ Support multiple use_group entries.
3208
3209 Until now, each domain can include only
3210 I changed to allow each domain to inclu
3211 As a result, you will be able to reduce
3212 defining multiple acl_group entries bas
3213 them from each domain as needed.
3214
3215 Version 1.8.4 2015/05/05 Usability enhanc
3216
3217 Fix 2015/11/08
3218
3219 @ Use memory allocation flags used by TOM
3220
3221 Until now, TOMOYO 1.x was using memory
3222 than TOMOYO 2.x in order to make sure t
3223 TOMOYO 1.x shall not cause silent livel
3224
3225 But as I learn about this livelock prob
3226 not a problem which TOMOYO can manage.
3227 at memory allocation is a problem, refu
3228 by critical processes due to memory all
3229 weaker memory allocation flags is also
3230
3231 Since situations regarding memory alloc
3232 are changing, it will be safer to use m
3233 TOMOYO 2.x.
3234
3235 Fix 2015/11/10
3236
3237 @ Limit wildcard recursion depth.
3238
3239 Since wildcards that need recursion con
3240 we cannot allow infinite recursion.
3241
3242 Version 1.8.5 2015/11/11 Tenth anniversar
3243
3244 Fix 2017/02/02
3245
3246 @ Use for_each_thread() for GC operation.
3247
3248 while_each_thread() without tasklist_lo
3249 Use for_each_process_thread() if it is
3250 tasklist_lock otherwise.
3251
3252 Fix 2018/04/01
3253
3254 @ Use smb_rmb() when waiting for initiali
3255
3256 "while (!cond);" is implicitly optimize
3257 Use "while (!cond) smp_rmb();" in order
3258
3259 Fix 2019/07/27
3260
3261 @ Change pathname calculation for read-on
3262
3263 Commit 5625f2e3266319fd ("TOMOYO: Chang
3264 filesystems.") intended to be applied t
3265 not controllable from the userspace (e.
3266 on an assumption that such filesystems
3267
3268 But it turned out that read-only filesy
3269 operation despite the content is contro
3270 commit is annoying TOMOYO users who wan
3271 filesystem due to use of local name whi
3272
3273 Therefore, based on an assumption that
3274 device argument upon mount() request is
3275 is controllable from the userspace, do
3276 does not support rename() operation but
3277 mount() request.
3278
3279 @ Reject move_mount() system call for now
3280
3281 Commit 2db154b3ea8e14b0 ("vfs: syscall:
3282 around") introduced security_move_mount
3283 TOMOYO and AppArmor did not implement h
3284 Since unchecked mount manipulation is n
3285 as if move_mount(2) is unavailable.
3286
3287 @ Don't check open/getattr permission on
3288
3289 syzbot found that use of SOCKET_I()->sk
3290 use after free problem, for socket's in
3291 /proc/pid/fd/n despite destruction of S
3292
3293 But there is no point with calling secu
3294 because open("/proc/pid/fd/n", !O_PATH)
3295
3296 There is some point with calling securi
3297 because stat("/proc/pid/fd/n") and fsta
3298 are valid. But since information which
3299 security_inode_getattr() on sockets is
3300
3301 Version 1.8.6 2019/08/20 Bug fix release.
3302
3303 Fix 2019/12/07
3304
3305 @ Don't use nifty names on sockets.
3306
3307 Revert "Don't check open/getattr permis
3308 get rid of special handling of sockets.
3309 "socket:[family=\$:type=\$:protocol=\$]
3310 rewritten to "socket:[\$]".
3311
3312 Fix 2020/04/09
3313
3314 @ Fix wrong put_page() usage in ccs_dump_
3315
3316 ccs_dump_page() for 5.6+ was by error u
3317
3318 Fix 2020/05/01
3319
3320 @ Loosen domainname validation and pathna
3321
3322 Currently a domainname must start with
3323 zero or more repetitions of a pathname
3324
3325 But situation is getting more and more
3326 a pathname which starts with '/', for e
3327 on e.g. some filesystems cause ccs_real
3328 in "$fsname:/$pathname" format.
3329
3330 Fortunately, since $fsname must not con
3331 we can recognize a token which appears
3332 proc:/self/exe ) as a pathname and a to
3333 '/' appears (e.g. exec.realpath="/bin/b
3334 with an exception that a pathname canno
3335 auto_domain_transition=" because it is
3336 for on-match domain transition. Also, w
3337 followed by such tokens (e.g. <kernel>
3338 a domainname.
3339
3340 Version 1.8.7 2020/05/05 Usability enhanc
3341
3342 Fix 2020/07/22
3343
3344 @ Fix domain transition preference.
3345
3346 The domain transition preference which
3347 by error ignored since 1.8.3p4, for ccs
3348 ccs_write_log2() from ccs_supervisor()
3349 resets r->matched_acl to NULL. Change c
3350 to reset r->matched_acl to NULL.
3351
3352 Fix 2020/08/17
3353
3354 @ Fix ccs_realpath() fallback.
3355
3356 ccs_realpath() for 3.17+ was by error n
3357 when ccs_get_absolute_path() returned -
3358
3359 Fix 2020/08/19
3360
3361 @ Fix wrong ccs_search_binary_handler() m
3362
3363 When support for 5.8 kernel was added,
3364 3.7- was by error mapped to wrong funct
3365
3366 Fix 2020/10/24
3367
3368 @ Fix /proc pathname calculation for Linu
3369
3370 ccs_realpath() for 5.8+ was by error no
3371 calculating /proc pathname.
3372
3373 Version 1.8.8 2020/11/11 Fifteenth annive
3374
3375 Fix 2021/03/13
3376
3377 @ Skip permission checks for fileless exe
3378
3379 Kernels from 4.18 to 5.8 are using call
3380 starting program without a valid pathna
3381 /sbin/modprobe from dockerd process cou
3382 because ccs_symlink_path() cannot calcu
3383 a valid pathname. Thus, allow call_user
3384 permission checks and suppress domain t
3385
3386 @ Fix ccs_kernel_service().
3387
3388 Kernels from 5.5 to 5.11 are using PF_K
3389 worker threads.
3390
3391 Version 1.8.9 2021/04/01 Bug fix release.
3392
3393 Fix 2021/12/28
3394
3395 @ Check exceeded quota early.
3396
3397 Backport commit 04e57a2d952bbd34 ("tomo
3398 tomoyo_domain_quota_is_ok().") and comm
3399 hwight16() in tomoyo_domain_quota_is_ok
3400 overhead of the learning mode. Note tha
3401 explicitly delete "quota_exceeded" entr
3402 to resume the learning mode.
3403
3404 Fix 2024/03/31
3405
3406 @ Fix a UAF bug introduced by an oversigh
3407
3408 Backport commit 2f03fc340cac ("tomoyo:
3409 tomoyo_write_control()").
3410
3411 Version 1.8.10 2024/04/01 Security bug fi
3412
3413 Fix 2024/06/28
3414
3415 @ Unblock move_mount() system call.
3416
3417 Since util-linux 2.39 started using lib
3418 implementing appropriate permission che
3419 necessary for successfully booting a Li
3420
3421 Version 1.8.11 2024/07/15 Bug fix release
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.