1 Notes for TOMOYO Linux project 2 3 This is a handy Mandatory Access Control patch 4 This patch is released under the GPLv2. 5 6 Project URL: https://tomoyo.sourceforge.net/ 7 8 The authors of this patch (hereafter, we) don' 9 in kernel programming. We are worried that thi 10 some mistakes such as missing hooks, improper 11 potential deadlocks. There would be better way 12 All kinds of comments, pointing the errors and 13 14 We do hope this patch reduces the labor of ser 15 and you enjoy the life with Linux. 16 17 This project was very inspired by the comic "C 18 one of the CLAMP's masterworks. 19 20 ChangeLog: 21 22 Version 1.0 2005/11/11 First release. 23 24 Fix 2005/11/18 25 26 @ Add setattr() missing hook in SYAORAN fs 27 28 setattr() checking for special inode was 29 30 Fix 2005/11/25 31 32 @ Allow initrd.img include /sbin/init . 33 34 Since version 1.0 loads policy when /sbi 35 for the first time, initrd.img without t 36 mustn't start /sbin/init . This forced u 37 initrd.img that includes /sbin/init . 38 I modified to delay loading policy if th 39 doesn't exist and wait for /sbin/init be 40 41 Fix 2005/12/02 42 43 @ Use lookup_one_len() instead of lookup_h 44 45 Kernel 2.6.15 changed parameters for loo 46 I modified to use lookup_one_len() to ke 47 48 Fix 2005/12/06 49 50 @ Add S_ISDIR() check in SYAORAN fs. 51 52 Malicious configuration file that attemp 53 under non-directory inode caused segment 54 55 Version 1.0.1 2005/12/08 Minor update releas 56 57 Fix 2006/01/04 58 59 @ Add CheckWritePermission() check in unix 60 61 I modified to check write permission in 62 sys_mknod(S_IFSOCK) checks write permiss 63 64 @ Show hook version in proc_misc_init(). 65 66 The hook part of this patch depends on t 67 while the rest part of this patch doesn' 68 I added the hook version so that the adm 69 know the last modified date of the hooks 70 71 @ Move permission checks from filp_open() 72 73 I moved the location of checking MAC's p 74 from filp_open() to open_namei(). 75 76 @ Fix an error in filp_open(). (only 2.6. 77 78 This error was only in the patch 2.6.15- 79 was fixed in the patch for 2.6.15. 80 81 Fix 2006/01/12 82 83 @ Add /proc/ccs/info/self_domain. 84 85 I added /proc/ccs/info/self_domain so th 86 can know the name of domain they belong 87 88 Fix 2006/01/13 89 90 @ Merge constants for CheckTaskCapability( 91 92 I merged *_INHERITABLE_* and *_LOCAL_* t 93 calling CheckTaskCapability() with both 94 95 @ DropTaskCapability() returns -EAGAIN on 96 97 DropTaskCapability() must not return 0 o 98 DropTaskCapability() is called from do_e 99 100 @ Fix an error for chroot() permission che 101 102 The chroot() restriction was not working 103 CheckChRootPermission() || CheckTaskCapa 104 CheckChRootPermission() | CheckTaskCapab 105 106 Fix 2006/01/17 107 108 @ Suppress some of debug messages in TOMOY 109 110 I added KERN_DEBUG to suppress some of d 111 112 Fix 2006/01/19 113 114 @ Remove isRoot() checks in AddChrootACL() 115 116 I found a program that needs to chroot b 117 So, I stopped checking uid=euid=0 for th 118 "accept mode" can append ACLs. 119 The isRoot() is checked at AddChrootPoli 120 121 @ Map NULL device name to "<NULL>" in AddM 122 123 VMware mounts vmware-hgfs with NULL devi 124 So I mapped NULL device name to "<NULL>" 125 126 Fix 2006/01/20 127 128 @ Suppress some of debug messages in SAKUR 129 130 I added KERN_DEBUG to suppress some of d 131 132 @ Call panic() if failed to load given pro 133 134 Call panic() if profile index was given 135 but the profile doesn't exist. 136 If CCS= parameter is not given, the kern 137 profile 0, but it doesn't call panic() i 138 139 Fix 2006/01/24 140 141 @ Use full_name_hash() for IsGloballyReada 142 143 I modified to use full_name_hash() for f 144 145 @ Add signal checking condition in CheckSi 146 147 The documentation says "if the target do 148 starts with the source domain's domainna 149 but actually it isn't. I'll change the d 150 changing the source code. 151 152 Also, checking for pid = -1 was missing. 153 154 Fix 2006/02/09 155 156 @ Use mutex_lock()/mutex_unlock instead of 157 158 Kernel 2.6.16 changed members of "struct 159 I modified to use mutex_lock()/mutex_unl 160 and down()/up() for before 2.6.16. 161 162 Version 1.0.2 2006/02/14 Many bug-fixes rele 163 164 Fix 2006/02/21 165 166 @ Divide generic-write permission into ind 167 168 Write permission was divided into the fo 169 170 'mkdir' for creating directory. 171 'rmdir' for deleting directory. 172 'create' for creating regular file. 173 'unlink' for deleting non-directory. 174 'mksock' for creating UNIX domain soc 175 'mkfifo' for creating FIFO. 176 'mkchar' for creating character devic 177 'mkblock' for creating block device. 178 'link' for creating hard link. 179 'symlink' for creating symbolic link. 180 'rename' for renaming directory or no 181 'truncate' for truncating regular file. 182 183 The permission check for opening files i 184 conventional read/write/execute permissi 185 186 @ Add /proc/ccs/info/mapping. 187 188 I added /proc/ccs/info/mapping so that t 189 can know the mapping of individual write 190 191 Fix 2006/02/27 192 193 @ Fix handling of trailing '\*' in PathMat 194 195 PathMatchesToPattern("/tmp/", "/tmp/\*") 196 because "\*" matches "zero or more repet 197 until '/' or end". But since this is a c 198 directory and non-directory, this should 199 200 This behavior causes the following secur 201 In enforce mode, allowing "2 /tmp/\*" gr 202 "mkdir /tmp/" and "rmdir /tmp/" which sh 203 granted only when "2 /tmp/" is allowed. 204 In accept mode, "mkdir /tmp/" or "rmdir 205 "2 /tmp/\*" into the domain policy if "f 206 is in the exception policy. 207 208 I changed not to ignore trailing '\*' in 209 if pathname ends with '/'. 210 211 Fix 2006/03/01 212 213 @ Add missing spinlock in GetAbsolutePath( 214 215 vfsmount_lock was missing. 216 217 Fix 2006/03/08 218 219 @ Add support for "shared subtree" mount o 220 221 Kernel 2.6.15 introduced "shared subtree 222 But CheckMountPermission() couldn't reco 223 do_change_type(). 224 225 @ Add support for more mount flags. 226 227 atime/noatime, diratime/nodiratime, recu 228 are supported. 229 230 Fix 2006/03/20 231 232 @ Check port numbers for only AF_INET/AF_I 233 234 CheckBindEntry() and CheckConnectEntry() 235 only when the given address family is ei 236 for address family such as AF_UNSPEC cou 237 and connect() for PF_INET/PF_INET6 socke 238 239 Fix 2006/03/27 240 241 @ Use /proc/self/ rather than /proc/\$/ fo 242 243 GetAbsolutePath() now uses "self" instea 244 if current process refers to information 245 This exception violates the rule "TOMOYO 246 contain symbolic links before the last ' 247 to do so. The following are the merits g 248 249 Prevent administrators from granting red 250 when a process needs to refer to only cu 251 252 Allow administrators make current proces 253 readable using 'allow_read' directive. 254 255 Version 1.1 2006/04/01 Functionality enhan 256 257 Fix 2006/04/03 258 259 @ Use queue instead of fixed sized array f 260 261 WriteAuditLog() now uses queue to save s 262 Administrators can give any size for aud 263 264 @ Use kzalloc() instead of kmalloc() + mem 265 266 kmalloc() + memset() were replaced with 267 268 Fix 2006/04/04 269 270 @ Support "delayed enforcing" mode. 271 272 Until now, access request was immediatel 273 if policy doesn't allow that access and 274 running in enforce mode. 275 Sometimes, especially after updating sof 276 some unexpected access requests arise fr 277 Such access requests should be granted b 278 they are not caused by malicious attacks 279 So I introduced a mechanism to allow adm 280 to decide to grant or reject such access 281 This mechanism is implemented in the fol 282 "Don't return immediately if permissio 283 "Sleep for a while waiting administrat 284 "Return successfully if administrator 285 286 Fix 2006/04/12 287 288 @ Fix handling of prefix in GetAbsolutePat 289 290 Some objects doesn't have prefix "/". 291 Pipe has prefix "pipe:" and socket has p 292 GetAbsolutePath() couldn't handle prefix 293 294 @ Remove IsCorrectPath() checks for File A 295 296 File Access Control functions accepted o 297 with '/' because these functions assumed 298 GetAbsolutePath() always start with '/'. 299 However, I found a program that opens an 300 (probably) /proc/PID/fd/ directory. (You 301 "pipe:[number]" if you run "ls -l /proc/ 302 Now, File Access Control functions have 303 that don't start with '/'. So, I stopped 304 305 Fix 2006/04/19 306 307 @ Fix handling of NULL nameidata in vfs_op 308 309 In 2.6 kernels, NFS daemon and sys_mq_op 310 vfs_create() with NULL nameidata. In suc 311 CheckSingleWritePermission() must not be 312 313 Version 1.1.1 2006/05/15 Functionality enhan 314 315 Fix 2006/05/16 316 317 @ Support program files aggregation. 318 319 Until now, programs that have no fixed n 320 parent programs had to be run in a trust 321 since it is impossible to use patterns f 322 execute permission and defining domains. 323 I introduced a mechanism to aggregate si 324 using 'aggregator' directive. 325 Some examples: 326 327 'aggregator /tmp/logrotate.\?\?\?\?\?\ 328 to run all temporary programs for logr 329 330 'aggregator /usr/bin/tac /bin/cat' 331 to run /usr/bin/tac and /bin/cat as /b 332 333 Fix 2006/05/18 334 335 @ Unlimit max count for audit log. 336 337 I forgot to replace MAX_GRANT_LOG and MA 338 so that administrators can give any size 339 340 Fix 2006/05/22 341 342 @ Support individual domain ACL removal. 343 344 Until now, to remove ACLs from a domain, 345 once delete and recreate that domain, wh 346 I introduced a mechanism to remove domai 347 recreating domains. 348 Administrator can delete domains or remo 349 via /proc/ccs/policy/domain_policy . 350 /proc/ccs/policy/delete_domain and /proc 351 were removed. 352 353 Fix 2006/05/30 354 355 @ Add missing spinlock in SAKURA_MayMount( 356 357 vfsmount_lock was missing. 358 359 Version 1.1.2 2006/06/02 Functionality enhan 360 361 Fix 2006/06/13 362 363 @ Merge tomoyo_connect.c and tomoyo_bind.c 364 365 I merged these files that have only diff 366 that are likely to be enabled both or ne 367 368 @ Add CONFIG_TOMOYO_AUDIT option. 369 370 I made auditing functions as optional be 371 may have not enough disk space to store 372 373 Fix 2006/06/15 374 375 @ Support use of symbolic links for progra 376 377 Until now, domains for programs executed 378 symbolic links were defined using derefe 379 This was inconvenient for some Linux box 380 can't keep hard links of busybox. 381 I introduced a mechanism to allow using 382 symbolic links using 'alias' directive. 383 Some examples: 384 385 'alias /sbin/busybox /bin/ls' to run / 386 (which is a symbolic link to /sbin/bus 387 if /bin/ls is executed. 388 389 'alias /bin/bash /bin/sh' to run /bin/ 390 (which is a symbolic link to /bin/bash 391 if /bin/sh is executed. 392 393 Fix 2006/06/21 394 395 @ Use ccs_alloc() instead of kzalloc(). 396 397 To detect memory leaks, 398 I added a wrapper for tracing kmalloc() 399 There is no way to detect memory leaks c 400 401 Version 1.1.3 2006/07/13 Functionality enhan 402 403 Fix 2006/07/14 404 405 @ Change behavior of pathname pattern matc 406 407 Until now, it was impossible to use patt 408 "\*" matched zero or more repetitions of 409 Now, "\*" matches zero or more repetitio 410 411 Until now, it was impossible to use patt 412 because "\$" matched one or more repetit 413 non digit character. 414 Now, "\$" matches one or more repetition 415 416 Also, new patterns "\x" "\X" "\a" "\A" " 417 418 Fix 2006/07/21 419 420 @ Add CONFIG_TOMOYO_NETWORK option. 421 422 Until now, only port numbers for TCP and 423 Now, the combination of IPv4/IPv6 addres 424 for TCP and UDP is controllable. 425 CONFIG_TOMOYO_NETWORKPORT became obsolet 426 427 Fix 2006/07/25 428 429 @ Change matching rule for CheckFileACL(). 430 431 Until now, only first entry that matched 432 was used for permission checking. For ex 433 434 "2 /tmp/file-\$.txt" 435 "4 /tmp/fil\?-0.txt" 436 437 are given in this order and requested pa 438 the "2 /tmp/file-\$.txt" is used. But if 439 440 "4 /tmp/fil\?-0.txt" 441 "2 /tmp/file-\$.txt" 442 443 are given in this order, the "4 /tmp/fil 444 This may potentially cause trouble becau 445 permission checks depends on the order o 446 447 Now, all entries that matched the reques 448 are used for permission checking so that 449 permission checks doesn't depend on the 450 451 Fix 2006/07/27 452 453 @ Support RAW IPv4/IPv6 control. 454 455 Some programs such as 'ping' and 'tracer 456 Now, the combination of IPv4/IPv6 addres 457 for IP is controllable. 458 459 Fix 2006/08/04 460 461 @ Add filename and argv[0] comparison chec 462 463 The domain transition was done based on 464 while the behavior was defined based on 465 There is no problem if the filename is a 466 But if argv[0]-aware, access control byp 467 transits to trusted domain but behaves a 468 For example, when the administrator spec 469 trusted but both /bin/ls and /bin/cat ar 470 a cracker can run /bin/cat in a trusted 471 succeeds to invoke do_execve() with file 472 argv[0] = "/bin/cat". 473 474 I introduced a directive that permits th 475 basename of filename and argv[0]. 476 477 Fix 2006/08/10 478 479 @ Support ID based condition checks. 480 481 It was impossible to use process id (uid 482 checking individual domain ACL. 483 484 Now it became possible to use process id 485 domain ACL. For example, 486 487 "1 /bin/sh if task.euid!=0" 488 489 allows the domain to execute /bin/sh onl 490 is not 0, and 491 492 "6 /home/\*/\* if task.uid=path1.uid" 493 494 allows the domain to read-write user's h 495 only when the file's owner matches the p 496 497 Fix 2006/08/22 498 499 @ Fix ROUNDUP() in fs/realpath.c . 500 501 Alignment using sizeof(int) may be inapp 502 I changed to use the larger size of 'voi 503 instead of 'int'. 504 For environment where sizeof(int) = size 505 this change has no effect. 506 507 Version 1.2 2006/09/03 Functionality enhan 508 509 Fix 2006/09/30 510 511 @ Fix CheckFilePerm() in fs/tomoyo_file.c 512 513 The location to call path_release() was 514 515 Fix 2006/10/02 516 517 @ Support per-domain profile. 518 519 It became possible to assign different p 520 This will help administrators using buil 521 522 Fix 2006/10/05 523 524 @ Change parameters for CheckFilePerm(). 525 526 I was re-resolving pathnames inside Chec 527 the caller function already resolved the 528 So I changed to pass dentry and vfsmount 529 and removed changes made on 2006/09/30. 530 531 Fix 2006/10/06 532 533 @ Support deny_rewrite and allow_rewrite p 534 535 It became possible to make regular files 536 using "deny_rewrite" directive in except 537 override it using "allow_rewrite" direct 538 539 Regular files specified using "deny_rewr 540 can't be open()ed with O_TRUNC or with 541 can't be truncate()ed or ftruncate()ed 542 can't be turned O_APPEND flag off usin 543 unless specified using "allow_rewrite" d 544 545 Fix 2006/10/12 546 547 @ Enable configuration options by default 548 549 CONFIG_SAKURA and CONFIG_TOMOYO are now 550 and CONFIG_SYAORAN is now 'm' by default 551 552 Fix 2006/10/13 553 554 @ Use external policy loader. 555 556 Until now, policies are loaded when /sbi 557 initial control levels are switched usin 558 But since some boxes have to fixate kern 559 at compilation time, I think it will bec 560 by running external policy loader using 561 initial control levels can be specified 562 563 Call panic() if initial control levels a 564 565 Fix 2006/10/16 566 567 @ Add missing parameter in FindNextDomain( 568 569 'struct file' was needed for allowing 'i 570 571 Fix 2006/10/23 572 573 @ Print error messages in CheckFlags(). 574 575 Some users seem to have troubles picking 576 entries for the configuration file of SY 577 since makesyaoranconf can't pick up entr 578 nonexistent at the time. 579 I added error message so that users can 580 using dmesg. 581 582 Fix 2006/10/24 583 584 @ Change /proc/ccs/info/self_domain . 585 586 I changed /proc/ccs/info/self_domain to 587 the domain of open time rather than firs 588 This modification makes shell's redirect 589 more convenient since redirection opens 590 but doesn't read at the time. 591 592 'cat < /proc/ccs/info/self_domain' will 593 the domain of shell, and 594 'cat /proc/ccs/info/self_domain' will re 595 the domain of cat . 596 597 Fix 2006/11/06 598 599 @ Replace MAX_ENFORCE_GRACE with ALLOW_ENF 600 601 Since it was inconvenient that requests 602 supervisor's decision are rejected autom 603 MAX_ENFORCE_GRACE seconds has elapsed, I 604 reset timeout counter whenever a supervi 605 and I modified ccs-queryd write a dummy 606 so that the requests won't be rejected a 607 ccs-queryd is running. 608 This change made MAX_ENFORCE_GRACE's mea 609 So I fixated MAX_ENFORCE_GRACE to 10 sec 610 MAX_ENFORCE_GRACE parameter. 611 To allow administrators selectively enab 612 mode, I added ALLOW_ENFORCE_GRACE parame 613 The behavior of "delayed enforcing" mode 614 in the following order. 615 616 (1) The requests are rejected immediatel 617 (2) The requests are rejected immediatel 618 if nobody is opening /proc/ccs/polic 619 (3) The requests won't be rejected autom 620 if ALLOW_ENFORCE_GRACE=1 and ccs-que 621 (4) The requests will be rejected in 10 622 if somebody other than ccs-queryd (s 623 opening /proc/ccs/policy/query inter 624 such process doesn't write dummy dec 625 626 Version 1.3 2006/11/11 First anniversary r 627 628 Fix 2006/11/13 629 630 @ Replace trust_domain with keep_domain. 631 632 Since it was troublesome that there are 633 (assigning a profile that doesn't enable 634 with trust_domain directive), I removed 635 Instead, I introduced keep_domain direct 636 unless a program registered with initial 637 This change has the following advantages 638 639 (1) Allows administrator use "enforce mo 640 Since it was difficult to know what 641 and accessed in what sequences befor 642 directive for such domain, allowing 643 access any files in any sequence. 644 But now, we can use keep_domain dire 645 "enforce mode" for such domain, forc 646 commands and access only allowed fil 647 while these operations are kept unde 648 649 (2) Allows administrator determine easil 650 under MAC or not because only the pr 651 the domain determines it. 652 653 (3) Saves total number of domains and me 654 655 Fix 2006/11/22 656 657 @ Don't allow use of undefined profile. 658 659 To avoid assigning undefined profile to 660 I added checks before assigning profiles 661 Now, profiles have to be defined prior t 662 663 Version 1.3.1 2006/12/08 Minor update releas 664 665 Fix 2006/12/10 666 667 @ Allow pathname grouping. 668 669 To reduce the labor of repeating '/\*' t 670 I introduced a macro 'path_group' to mak 671 For example, you had to give like 672 673 4 /var/www/html/\* 674 4 /var/www/html/\*/\* 675 4 /var/www/html/\*/\*/\* 676 4 /var/www/html/\*/\*/\*/\* 677 678 but now, you can give just 679 680 4 @WEB-CONTENTS 681 682 if you give 683 684 path_group WEB-CONTENTS /var/www/html/ 685 path_group WEB-CONTENTS /var/www/html/ 686 path_group WEB-CONTENTS /var/www/html/ 687 path_group WEB-CONTENTS /var/www/html/ 688 689 in the exception policy. 690 This macro will be useful when grouping 691 692 Fix 2006/12/15 693 694 @ Use structured pathnames instead for sim 695 696 To reduce the cost of strcmp(), I change 697 SaveName() from 'const char *' to 'const 698 This change will speed up PathMatchesToP 699 700 Fix 2006/12/19 701 702 @ Allow registering policy managers using 703 704 It was difficult to restrict programs th 705 via /proc/ccs/ interfaces using pathname 706 these programs could be unintendedly inv 707 Now, it became possible to restrict doma 708 via /proc/ccs/ interfaces as well as pro 709 By restricting using domainnames, it bec 710 unintended invocation. 711 712 Fix 2006/12/22 713 714 @ Add initialize_domain,no_initizlize_doma 715 716 To control domain transitions more stric 717 initialize_domain,no_initizlize_domain,n 718 were introduced. 719 720 "initialize_domain /some/program" means 721 jump to "<kernel> /some/program" domain 722 called from any domain. 723 This is equivalent to conventional "init 724 725 "initialize_domain /some/program from so 726 jump to "<kernel> /some/program" domain 727 called from "some_domain" domain. 728 729 "no_initialize_domain /some/program" mea 730 don't jump to "<kernel> /some/program" d 731 "initialize_domain /some/program" or 732 "initialize_domain /some/program from so 733 if /some/program is called from any doma 734 735 "no_initialize_domain /some/program from 736 don't jump to "<kernel> /some/program" d 737 "initialize_domain /some/program" or 738 "initialize_domain /some/program from so 739 if /some/program is called from "some_do 740 741 "keep_domain some_domain" means don't ju 742 if any programs are called from "some_do 743 744 "keep_domain /some/program from some_dom 745 don't jump to child domain only if /some 746 called from "some_domain" domain. 747 748 "no_keep_domain some_domain" means 749 jump to child domain even if 750 "keep_domain /some/program" or 751 "keep_domain /some/program from some_dom 752 if any programs are called from "some_do 753 754 "no_keep_domain /some/program from some_ 755 jump to child domain even if 756 "keep_domain /some/program" or 757 "keep_domain /some/program from some_dom 758 if /some/program is called from "some_do 759 760 "some_domain" can be just the last compo 761 For example, giving "/bin/mail" as "some 762 all domains whose domainname ends with " 763 764 Fix 2007/01/19 765 766 @ Allow reuse of memory allocated for doma 767 768 Regarding domain policy, unlike other po 769 "is_deleted" flag and new memory were al 770 if the deleted entries are given again. 771 But to allow administrators switch domai 772 I introduced "is_deleted" flag. 773 774 Writing "some_domain" to /proc/ccs/polic 775 creates "some_domain" using new memory i 776 777 Writing "select some_domain" doesn't cre 778 if it didn't exist. 779 780 Writing "delete some_domain" deletes "so 781 but does not delete entries in "some_dom 782 783 Writing "undelete some_domain" undeletes 784 if it was deleted by "delete some_domain 785 786 Fix 2007/01/22 787 788 @ Allow getting already deleted pathnames. 789 790 To allow getting pathnames that are alre 791 I removed (IS_ROOT(dentry) || !d_unhashe 792 793 Fix 2007/01/26 794 795 @ Limit string length to 4000. 796 797 I was using PAGE_SIZE (4096 in many envi 798 as the max length of any string data. 799 But for environments that have larger PA 800 doing memset(ptr, 0, PAGE_SIZE) every ti 801 802 Fix 2007/01/29 803 804 @ Add garbage collector for domain policy. 805 806 Writing "some_domain" to /proc/ccs/polic 807 creates "some_domain" using new memory o 808 some process is staying at that deleted 809 If no process is staying at that deleted 810 "some_domain" is undeleted with all ACLs 811 812 Version 1.3.2 2007/02/14 Usability enhanceme 813 814 Fix 2007/02/20 815 816 @ Allow address grouping. 817 818 To reduce the labor of repeating similar 819 I introduced a macro 'address_group' to 820 For example, you had to give like 821 822 allow_network TCP accept 10.0.0.0-10.2 823 allow_network TCP accept 172.16.0.0-17 824 allow_network TCP accept 192.168.0.0-1 825 826 but now, you can give just 827 828 allow_network TCP accept @localnet 102 829 830 if you give 831 832 address_group localnet 10.0.0.0-10.255 833 address_group localnet 172.16.0.0-172. 834 address_group localnet 192.168.0.0-192 835 836 in the exception policy. 837 838 Fix 2007/03/03 839 840 @ Remove obsolete functions. 841 842 @ Add some hooks. 843 844 Read permission check is done if open_ex 845 is called from search_binary_handler(). 846 Read permission check is not done if ope 847 is called from do_execve(), instead, 848 execute permission check is done at 849 search_binary_handler_with_transition(). 850 851 I moved the location of calling CheckCap 852 and CheckMountPermission() from sys_moun 853 854 Fix 2007/03/07 855 856 @ Use 'unsigned int' for sscanf(). 857 858 I compiled SYAORAN fs on x86_64 environm 859 the compiler showing warning messages ab 860 Since size of data types may mismatch fo 861 I replaced some types with 'unsigned int 862 863 Version 1.4 2007/04/01 x86_64 support rele 864 865 Fix 2007/04/18 866 867 @ Change argv[0] checking rule. 868 869 I was comparing the basename of symbolic 870 Since execute permission check and domai 871 based on realpath while argv[0] check is 872 pathname and argv[0], this specification 873 as /bin/cat in the domain of /bin/ls if 874 links to /sbin/busybox" and "the attacke 875 a symlink named ~/cat that points to /bi 876 permitted to run /bin/ls". 877 So, I changed to compare the basename of 878 Also, I moved the location to compare be 879 "aggregator" directive so that 880 "aggregator /tmp/logrotate.\?\?\?\?\?\? 881 won't cause the mismatch of the basename 882 883 If /bin/ls is a symlink to /sbin/busybox 884 creating a symlink named ~/cat that poin 885 executing ~/cat won't work as expected b 886 domain transition are done using /sbin/b 887 and will be rejected since the administr 888 "1 /sbin/busybox". 889 890 Fix 2007/05/07 891 892 @ Support pathname subtraction. 893 894 There was no way to exclude specific pat 895 permissions using wildcards. 896 There would be a need to exclude specifi 897 I introduced "\-" as subtraction operato 898 899 "A\-B" means "A" other than "B". 900 "A\-B\-C" means "A" other than "B" and 901 "A\-B\-C\-D" means "A" other than "B" 902 903 "A", "B", "C", "D" may contain wildcards 904 905 An example usage is "/home/\*/\*\-.ssh/\ 906 "/home/\*/\*/\*" other than "/home/\*/.s 907 908 "A" should contain wildcards because sub 909 (e.g. "/usr\-usr/" or "/usr\-home/") is 910 911 Don't try "A\-B\+C" because "\+" is not 912 913 Fix 2007/05/24 914 915 @ Fix autobind hook. 916 917 The location to call SAKURA_MayAutobind( 918 and net/ipv6/udp.c were wrong. 919 920 Fix 2007/06/03 921 922 @ Add a space in MakeMountOptions(). 923 924 I forgot to add a space after "atime" an 925 926 Version 1.4.1 2007/06/05 Minor update releas 927 928 Fix 2007/07/04 929 930 @ Fix ReadAddressGroupPolicy() bug. 931 932 ReadAddressGroupPolicy() fails if both " 933 are used because I forgot to set "head-> 934 935 Fix 2007/07/10 936 937 @ Add compat_sys_stime() hook. 938 939 Some of 64bit kernels support compat_sys 940 but permission check was missing. 941 942 Version 1.4.2 2007/07/13 Bug fix release. 943 944 Fix 2007/08/06 945 946 @ Remove mount-flags manipulation. 947 948 Until now, administrator is permitted to 949 options regardless of mount options pass 950 I removed this feature because "exact op 951 "automatic option enabler/disabler". 952 953 @ Remove /proc/ccs/info/mapping . 954 955 I removed /proc/ccs/info/mapping because 956 feature. 957 958 @ Call external policy loader automaticall 959 960 Until now, users had to add init=/.init 961 before /sbin/init starts. 962 I inserted call_usermodehelper() to call 963 execve("/sbin/init") is requested and ex 964 965 This change will remove init=/.init para 966 although call_usermodehelper() can't han 967 968 @ Move external policy loader from /.init 969 970 Installing programs in / directory is no 971 972 Fix 2007/08/13 973 974 @ Update external policy loader. 975 976 It turned out that /sbin/ccs-init invoke 977 can handle interactive operations by ope 978 Now, there is no difference between init 979 call_usermodehelper("/sbin/ccs-init"), a 980 add init=/sbin/ccs-init parameter to loa 981 starts. 982 983 Fix 2007/08/14 984 985 @ Update recvmsg() hooks. 986 987 Until now, it was impossible to apply ne 988 incoming UDP and RAW packets if they are 989 read() or recvmsg() with NULL address be 990 I moved hooks from sock_recvmsg() to skb 991 network access control for incoming UDP 992 993 Fix 2007/08/16 994 995 @ Return appropriate error code for CheckM 996 997 I was returning -EPERM if something is w 998 But SELinux determines whether selinuxfs 999 based on whether error code is -ENODEV o 1000 So I stopped returning -EPERM unconditi 1001 1002 Fix 2007/08/17 1003 1004 @ Remove initializer directive. 1005 1006 Use "initialize_domain" instead of "ini 1007 1008 Fix 2007/08/21 1009 1010 @ Fix "allow_argv0 ... if if ..." bug. 1011 1012 It was impossible to use a word "if" to 1013 allow_argv0 if condition part is used. 1014 1015 Fix 2007/08/24 1016 1017 @ Move /proc/ccs/\*/\* to /proc/ccs/\* . 1018 1019 Some pathnames for /proc/ccs/ interface 1020 1021 Fix 2007/09/05 1022 1023 @ Drop MSG_PEEK'ed message before skb_fre 1024 1025 I need to remove head message from unwa 1026 from socket's receive queue so that the 1027 next message from wanted source with MS 1028 1029 Version 1.5.0 2007/09/20 Usability enhancem 1030 1031 Fix 2007/09/27 1032 1033 @ Avoid eating memory after quota exceede 1034 1035 Although ACL entries in a domain won't 1036 has exceeded, SaveName() in AddFileACL( 1037 This caused unneeded memory consumption 1038 1039 Now, quota checking is done before gett 1040 This may exceed quota by one or two ent 1041 1042 Fix 2007/10/16 1043 1044 @ Add environment variable check. 1045 1046 There are environment variables that ma 1047 like LD_\* . 1048 So I introduced 'allow_env' directive t 1049 environment variable inherited to next 1050 Unlike other permissions, this check is 1051 using next domain's ACL information. 1052 1053 To manage commonly inherited environmen 1054 you can use 'allow_env' directive in ex 1055 to globally grant specified environment 1056 1057 Fix 2007/11/05 1058 1059 @ Replace semaphore with mutex. 1060 1061 I replaced semaphore with mutex. 1062 1063 @ Add missing down() in AddReservedEntry( 1064 1065 Mutex debugging capability told me that 1066 since TOMOYO version 1.3.2 . 1067 This function is not called by learning 1068 so the semaphore's counter will not ove 1069 1070 Fix 2005/11/27 1071 1072 @ Fix ReadTable() truncation bug. 1073 1074 "snprintf(str, size, format, ...) >= si 1075 But I was checking for "snprintf(str, s 1076 As a result, some entries might be dump 1077 1078 @ Purge direct "->prev"/"->next" manipula 1079 1080 All list manipulations use "struct list 1081 "struct list1_head" doesn't have "->pre 1082 1083 Fix 2007/11/29 1084 1085 @ Add missing semaphore in GetEXE(). 1086 1087 mm->mmap_sem was missing. 1088 1089 Fix 2007/12/17 1090 1091 @ Remove unused EXPORT_SYMBOL(). 1092 1093 Mark some functions static. 1094 1095 Fix 2007/12/18 1096 1097 @ Fix AddMountACL() rejection bug. 1098 1099 To my surprise, "mount --bind source de 1100 not only "both source and dest are dire 1101 but also "both source and dest are non- 1102 I was rejecting if dest is not a direct 1103 1104 @ Change log format. 1105 1106 Profile number and mode is added in aud 1107 1108 Fix 2008/01/03 1109 1110 @ Change directive for file's read/write/ 1111 1112 Directives for file's read/write/execut 1113 4/2/1 respectively. But for easier unde 1114 replaced by read/write/execute (e.g. "a 1115 But for easier inputting, 4/2/1 are sti 1116 allow_read/allow_write/allow_execute re 1117 1118 @ Change internal data structure. 1119 1120 Since I don't have more than 16 types o 1121 I combined them using bit-fields. 1122 1123 Each entry had a field for conditional 1124 But since this field is unlikely used, 1125 common part. 1126 1127 These changes will reduce memory used b 1128 1129 Fix 2008/01/15 1130 1131 @ Add ptrace() hook. 1132 1133 To prevent attackers from controlling i 1134 ptrace(), I added a hook for ptrace(). 1135 Most programs (except strace(1) and gdb 1136 1137 @ Fix sleep condition check in CheckSocke 1138 1139 It seems that correct method to use is 1140 rather than in_interrupt() because in_a 1141 whenever scheduling is not allowed. 1142 1143 Fix 2008/02/05 1144 1145 @ Use find_task_by_vpid() instead of find 1146 1147 Kernel 2.6.24 introduced PID namespace. 1148 To search PID given from userland, the 1149 find_task_by_vpid() instead of find_tas 1150 1151 Fix 2008/02/14 1152 1153 @ Add execve() parameter checking. 1154 1155 Until now, it was impossible to check a 1156 passed to execve(). 1157 I expanded conditional permission synta 1158 { argc, envc, argv[] , envp[] } paramet 1159 This will allow administrator permit ex 1160 /bin/sh is invoked in the form of "/bin 1161 HOME is set by specifying 1162 1163 allow_execute /bin/sh if exec.argv[1] 1164 1165 in the policy. 1166 This extension will make exploit codes 1167 they unlikely set up environment variab 1168 option when invoking /bin/sh , whereas 1169 environment variables and likely specif 1170 1171 Fix 2008/02/18 1172 1173 @ Add process state checking. 1174 1175 Until now, it was impossible to change 1176 I added three variables for performing 1177 You can set current process's state lik 1178 1179 allow_network TCP accept @TRUSTED_HOS 1180 allow_network TCP accept @UNTRUSTED_H 1181 1182 and you can use the state like 1183 1184 allow_read /path/to/important/file if 1185 1186 in the policy. 1187 The state changes when the request was 1188 so please be careful with situations wh 1189 successfully but the request was not pr 1190 (e.g. out of memory). 1191 1192 Fix 2008/02/26 1193 1194 @ Support /proc/ccs/ access by non-root u 1195 1196 Until now, only root user can access /p 1197 But to permit /proc/ccs/ access by non- 1198 ssh login by root user when administrat 1199 I made "(current->uid == 0 && current-> 1200 If this requirement is disabled, only " 1201 checks" and "/proc/ccs/manager checks" 1202 1203 Fix 2008/02/29 1204 1205 @ Add sleep_on_violation feature. 1206 1207 Some exploit codes (e.g. trans2open for 1208 until it achieves the purpose of the ex 1209 1210 If such code is injected due to buffer 1211 rejects the request, it triggers infini 1212 As a result, the CPU usage becomes 100% 1213 the rest of processes. 1214 This is a side effect of rejecting the 1215 which wouldn't happen if the request fr 1216 1217 To avoid such CPU consumption, I added 1218 sleeps for specified period when a requ 1219 1220 This penalty doesn't work if the exploi 1221 continue running, but I think most expl 1222 to start some program rather than to sl 1223 1224 @ Add alt_exec feature. 1225 1226 Since TOMOYO Linux's approach is "know 1227 and create policy that permits only the 1228 requests as attacks (if you want to do 1229 1230 Common MAC implementations merely rejec 1231 But I added a special handler for execv 1232 1233 This handler is triggered when a proces 1234 but the request was rejected by the pol 1235 This handler executes a program specifi 1236 instead of a program requested by the p 1237 1238 Most attackers attempt to execute /bin/ 1239 Attackers execute an exploit code using 1240 to steal control of a process. But this 1241 if an exploit code requests execve() th 1242 1243 By default, this handler does nothing ( 1244 request). You can specify any program t 1245 1246 You can redirect attackers to somewhere 1247 This makes it possible to act your Linu 1248 while keeping regular services for your 1249 1250 You can collect information of the atta 1251 update firewall configuration. 1252 1253 You can silently terminate a process wh 1254 that is not permitted by policy. 1255 1256 Fix 2008/03/03 1257 1258 @ Add "force_alt_exec" directive. 1259 1260 To be able to fully utilize "alt_exec" 1261 I added "force_alt_exec" directive so t 1262 all execute requests are replaced by th 1263 specified by alt_exec feature. 1264 1265 If this directive is specified for a do 1266 executes any programs regardless of the 1267 (i.e. the domain won't execute even if 1268 Instead, the domain executes the progra 1269 and the program specified by alt_exec f 1270 request and executes it if it is approp 1271 1272 If you can tolerate that there is no ch 1273 to the caller to tell the execute reque 1274 this is more flexible approach than in- 1275 checking because we can do argv[] and e 1276 1277 Fix 2008/03/04 1278 1279 @ Use string for access control mode. 1280 1281 An integer expression for access contro 1282 administrators because profile number i 1283 To avoid confusion between profile numb 1284 I introduced a string expression for ac 1285 1286 Modes which take an integer between 0 1287 1288 0 -> disabled 1289 1 -> learning 1290 2 -> permissive 1291 3 -> enforcing 1292 1293 Modes which take 0 or 1. 1294 1295 0 -> disabled 1296 1 -> enabled 1297 1298 Fix 2008/03/10 1299 1300 @ Rename "force_alt_exec" directive to "e 1301 1302 To be able to use different programs fo 1303 I moved the location to specify the pro 1304 to domain policy. 1305 1306 The "execute_handler" directive takes o 1307 invoked whenever execve() request is is 1308 directives in a domain with "execute_ha 1309 This directive is designed for validati 1310 requests in userspace, although there i 1311 that the execve() request was rejected. 1312 1313 @ Rename "alt_exec" directive to "denied_ 1314 1315 The "denied_execute_handler" directive 1316 invoked only when execve() request was 1317 this program is invoked only when the f 1318 1319 (1) None of "allow_execute" directive 1320 (2) The execve() request was rejected 1321 (3) "execute_handler" directive is no 1322 1323 This directive is designed for handling 1324 requests, to redirect the process issui 1325 1326 Fix 2008/03/18 1327 1328 @ Fix wrong/redundant locks in pre-vfs fu 1329 1330 lock_kernel()/unlock_kernel() in pre_vf 1331 2.6 kernels. 1332 1333 Locking order in pre_vfs_link() and pre 1334 after 2.4.33 were different from before 1335 1336 Fix 2008/03/28 1337 1338 @ Disable execute handler loop. 1339 1340 To be able to use "execute_handler" in 1341 ignore "execute_handler" and "denied_ex 1342 if the current process is executing pro 1343 "execute_handler" or "denied_execute_ha 1344 1345 This exception is needed to avoid infin 1346 If a domain has both "keep_domain" and 1347 any execute request by that domain is h 1348 and the execute handler attempts to pro 1349 But the original execute request is han 1350 unless the execute handler ignores "exe 1351 1352 @ Update coding style. 1353 1354 I rewrote the code to pass scripts/chec 1355 Function names were changed to use only 1356 1357 Version 1.6.0 2008/04/01 Feature enhancemen 1358 1359 Fix 2008/04/14 1360 1361 @ Fix "Compilation failures" and "Initial 1362 with kernels before 2.4.30/2.6.11 . 1363 1364 2.6 kernels before 2.6.9 didn't have in 1365 resulting compilation error at #include 1366 I added #elif condition. 1367 1368 CentOS 4.6's 2.6.9 kernel calls do_exec 1369 ccs_alloc(), resulting NULL pointer der 1370 I changed __initcall to core_initcall. 1371 1372 CentOS 4.6's 2.6.9 kernel backported kz 1373 resulting compilation error at kzalloc( 1374 I modified prototype of kzalloc(). 1375 1376 Fix 2008/04/20 1377 1378 @ Fix "Compilation failures" with kernels 1379 1380 Turbolinux 10 Server's 2.6.8 kernel bac 1381 function, resulting compilation error a 1382 I converted kzalloc() from an inlined f 1383 1384 Fix 2008/04/21 1385 1386 @ Add workaround for gcc 3.2.2's inline b 1387 1388 RedHat Linux 9's gcc 3.2.2 generated a 1389 if ((var_of_u8 & 0x000000BF) & 0x800 1390 where the expected code is 1391 if ((var_of_u8 & 0xBF) & 0x80) { } 1392 when embedding ccs_acl_type2() into pri 1393 resulting runtime BUG(). 1394 I added the expected code explicitly as 1395 1396 Fix 2008/05/06 1397 1398 @ Add memory quota. 1399 1400 1.5.x returns -ENOMEM when FindNextDoma 1401 domain, but I forgot to return -ENOMEM 1402 create a new domain. 1403 1404 A domain is automatically created by fi 1405 the domain for the requested program do 1406 This behavior is for the administrator' 1407 The administrator needn't to know how m 1408 the whole programs in the system before 1409 But the administrator does not want the 1410 requested program when developing the p 1411 1412 So, I think it is better to grant execu 1413 find_next_domain() failed to create a n 1414 Thus, I decided not to return -ENOMEM w 1415 create a new domain. This exception bre 1416 so I print "transition_failed" warning 1417 when this exception happened. 1418 1419 Also, to prevent the system from being 1420 all kernel memory for the policy, I add 1421 This quota is configurable via /proc/cc 1422 1423 echo Shared: 1048576 > /proc/ccs/mem 1424 echo Private: 1048576 > /proc/ccs/mem 1425 1426 Version 1.6.1 2008/05/10 Bug fix release. 1427 1428 Fix 2008/06/04 1429 1430 @ Check open mode of /proc/ccs/ interface 1431 1432 It turned out that I can avoid allocati 1433 FMODE_READ is not set and memory for wr 1434 1435 @ Wait for completion of /sbin/ccs-init . 1436 1437 Since 2.4 kernel's call_usermodehelper( 1438 the executed program, I was using the c 1439 /proc/ccs/meminfo to indicate that load 1440 But since /proc/ccs/meminfo could be ac 1441 by /etc/ccs/ccs-post-init , I stopped u 1442 The policy loader no longer need to acc 1443 the kernel that loading policy has fini 1444 1445 Fix 2008/06/05 1446 1447 @ Fix realpath for pipes and sockets. 1448 1449 Kernel 2.6.22 and later use different m 1450 Since fs/realpath.c didn't notice the c 1451 appeared as "pipe:" rather than "pipe:[ 1452 /proc/PID/fd/ directory. 1453 1454 @ Add process's information into /proc/cc 1455 1456 While /proc/ccs/grant_log and /proc/ccs 1457 information, /proc/ccs/query doesn't co 1458 To be able to utilize ccs-queryd and cc 1459 /proc/ccs/query . 1460 1461 Fix 2008/06/10 1462 1463 @ Allow using patterns for globally reada 1464 1465 To allow users specify locale specific 1466 I relaxed checking in update_globally_r 1467 1468 Fix 2008/06/11 1469 1470 @ Remove ALLOW_ENFORCE_GRACE parameter. 1471 1472 Since unexpected requests caused by doi 1473 in all profiles, users likely have to w 1474 to all profiles. And it makes meaningle 1475 enable specific profile's ALLOW_ENFORCE 1476 So, I removed ALLOW_ENFORCE_GRACE param 1477 Now, the system behaves as if ALLOW_ENF 1478 The behavior of "delayed enforcing" mod 1479 order. 1480 1481 (1) The requests are rejected immediate 1482 /proc/ccs/query interface. 1483 (2) The requests will be rejected in 10 1484 ccs-queryd (such as less(1)) is ope 1485 for such process doesn't write dumm 1486 1487 Fix 2008/06/22 1488 1489 @ Pass escaped pathname to audit_execute_ 1490 1491 I was passing unescaped pathname to aud 1492 which causes /proc/ccs/grant_log contai 1493 if execute handler's pathname contains 1494 1495 Fix 2008/06/25 1496 1497 @ Return 0 when ccs_may_umount() succeeds 1498 1499 I forgot to clear error value in ccs_ma 1500 directory didn't match "deny_unmount" d 1501 request with RESTRICT_UNMOUNT=enforcing 1502 1503 Version 1.6.2 2008/06/25 Usability enhancem 1504 1505 Fix 2008/07/01 1506 1507 @ Fix "Compilation failure" with 2.4.20 k 1508 1509 RedHat Linux 9's 2.4.20 kernel backport 1510 resulting compilation error at ccs_load 1511 I added defined(TASK_DEAD) check. 1512 1513 Fix 2008/07/08 1514 1515 @ Don't check permissions if vfsmount is 1516 1517 Some filesystems (e.g. unionfs) pass NU 1518 I changed fs/tomoyo_file.c not to try t 1519 if vfsmount is NULL. 1520 1521 Version 1.6.3 2008/07/15 Bug fix release. 1522 1523 Fix 2008/08/21 1524 1525 @ Add workaround for gcc 4.3's bug. 1526 1527 In some environments, fs/tomoyo_network 1528 because of gcc 4.3's bug. 1529 I modified save_ipv6_address() to use " 1530 instead for "static const u8" variable. 1531 1532 @ Change prototypes of some functions. 1533 1534 To support 2.6.27 kernels, I replaced " 1535 "struct path" for some functions. 1536 1537 @ Detect distributor specific patches aut 1538 1539 Since kernels with AppArmor patch appli 1540 I introduced a mechanism which determin 1541 are applied or not, based on "#define" 1542 1543 Fix 2008/08/29 1544 1545 @ Remove "-ccs" suffix from Makefile's EX 1546 1547 To reduce conflicts on Makefile's EXTRA 1548 I removed "-ccs" suffix from ccs-patch- 1549 Those who build kernels without using s 1550 please edit EXTRAVERSION tag manually s 1551 will not be overwritten by TOMOYO Linux 1552 1553 Version 1.6.4 2008/09/03 Minor update relea 1554 1555 Fix 2008/09/09 1556 1557 @ Add "try again" response to "delayed en 1558 1559 To be able to handle pathname changes c 1560 "delayed enforcing" mode was introduced 1561 grant access requests which are about t 1562 1563 To be able to handle pathname changes c 1564 I introduced "try again" response. As " 1565 a process which violated policy, admini 1566 the process is sleeping. This "try agai 1567 to restart policy checks from the begin 1568 1569 Fix 2008/09/11 1570 1571 @ Remember whether the process is allowed 1572 1573 Since programs for manipulating policy 1574 in the form of RPM/DEB packages, these 1575 pathnames when they are updated by the 1576 manager renames these programs before d 1577 the package manager can rollback the op 1578 This causes a problem when the programs 1579 using pathnames, as the programs will n 1580 /proc/ccs/ interface while the process 1581 alive. 1582 1583 To solve this problem, I modified to re 1584 is once allowed to write to /proc/ccs/ 1585 attempts to execute a different program 1586 This change makes it impossible to revo 1587 /proc/ccs/ interface without killing th 1588 than nonfunctioning ccs-queryd program. 1589 1590 Fix 2008/09/19 1591 1592 @ Allow selecting a domain by PID. 1593 1594 Sometimes we want to know what ACLs are 1595 finding a domainname for that PID from 1596 reading ACLs from /proc/ccs/domain_poli 1597 Thus, I modified /proc/ccs/domain_polic 1598 PID. For example, to read domain ACL of 1599 run as follows. 1600 1601 # exec 100<>/proc/ccs/domain_policy 1602 # echo select pid=$$ >&100 1603 # while read -u 100; do echo $REPLY; do 1604 1605 If a domain is once selected by PID, re 1606 print only that domain if that PID exis 1607 1608 @ Disallow concurrent /proc/ccs/ access u 1609 1610 Until now, one process can read() from 1611 that shares the file descriptor can wri 1612 But to implement "Allow selecting a dom 1613 concurrent read()/write() because the f 1614 while writing. 1615 1616 Fix 2008/10/01 1617 1618 @ Add retry counter into /proc/ccs/query 1619 1620 To be able to handle some of queries fr 1621 interaction, I added retry counter for 1622 "try again" response. 1623 1624 Fix 2008/10/07 1625 1626 @ Don't transit to new domain until do_ex 1627 1628 Until now, a process's domain was updat 1629 will belong to before do_execve() succe 1630 permission checks for interpreters and 1631 new domain. But this caused a subtle pr 1632 signals to the process, for the process 1633 do_execve() failed. 1634 1635 So, I modified to pass new domain to fu 1636 modifying a process's domain before do_ 1637 1638 @ Use old task state for audit logs. 1639 1640 Until now, audit logs were generated us 1641 processing "; set task.state" part. But 1642 I modified to save the task state befor 1643 part and use the saved state for audit 1644 1645 @ Use a structure for passing parameters. 1646 1647 As the number of parameters is increasi 1648 for passing parameters. 1649 1650 Fix 2008/10/11 1651 1652 @ Remove domain_acl_lock mutex. 1653 1654 I noticed that I don't need to keep all 1655 a domain mutually exclusive. Since each 1656 of ACL, locking is needed only when the 1657 So, I modified to use local locks. 1658 1659 Fix 2008/10/14 1660 1661 @ Fix ccs_check_condition() bug. 1662 1663 Due to a bug in ccs_check_condition(), 1664 task.state[0] task.state[1] task.state[ 1665 if the ACL does not treat a pathname. F 1666 1667 allow_network TCP connect @HTTP_SERVE 1668 1669 didn't work. 1670 1671 Fix 2008/10/15 1672 1673 @ Show process information in /proc/ccs/. 1674 1675 To be able to determine a process's typ 1676 which returns process information of th 1677 "PID manager=\* execute_handler=\* stat 1678 format. 1679 1680 Fix 2008/10/20 1681 1682 @ Use rcu_dereference() when walking the 1683 1684 I was using "dependency ordering" for a 1685 without asking the reader to take a loc 1686 is not respected by DEC Alpha or by som 1687 compiler optimizations. 1688 1689 On such environment, use of "dependency 1690 crash because the reader might read uni 1691 appended element. 1692 1693 To prevent the reader from reading unin 1694 element, I inserted rcu_dereference() w 1695 1696 Fix 2008/11/04 1697 1698 @ Use sys_getpid() instead for current->p 1699 1700 Kernel 2.6.24 introduced PID namespace. 1701 1702 To compare PID given from userland, I c 1703 So, I modified to use sys_getpid() inst 1704 1705 I modified to use task_tgid_nr_ns() for 1706 current->tgid when checking /proc/self/ 1707 1708 Fix 2008/11/07 1709 1710 @ Fix is_alphabet_char(). 1711 1712 is_alphabet_char() should match 'A' - ' 1713 but was matching from 'A' - 'F' and 'a' 1714 1715 @ Add /proc/ccs/.execute_handler . 1716 1717 Process information became visible to u 1718 "Show process information in /proc/ccs/ 1719 However, programs specified by execute_ 1720 non root user, making it impossible to 1721 1722 So, I added a new interface that allows 1723 to see process information. The content 1724 identical to /proc/ccs/.process_status 1725 1726 Version 1.6.5 2008/11/11 Third anniversary 1727 1728 Fix 2008/12/01 1729 1730 @ Introduce "task.type=execute_handler" c 1731 1732 The execute_handler directive is very v 1733 directive to do anything you want to do 1734 modifying command line parameters and e 1735 closing and redirecting files, creating 1736 spam filtering, deploying a DMZ between 1737 shells). 1738 1739 To be able to use this directive in a d 1740 while limiting access to resources need 1741 programs invoked as an execute handler 1742 1743 In learning mode, "if task.type=execute 1744 automatically added for requests issued 1745 1746 @ Introduce file's type and permissions a 1747 1748 To be able to limit file types a proces 1749 new conditions for checking file's type 1750 For example, 1751 1752 allow_read /etc/fstab if path1.type=f 1753 1754 will allow opening /etc/fstab for readi 1755 file and it's permission is 0644, and 1756 1757 allow_write /dev/null if path1.type=c 1758 1759 will allow opening /dev/null for writin 1760 device file with major=1 and minor=3 at 1761 1762 @ Add memory quota for temporary memory u 1763 1764 Although there are MAX_GRANT_LOG and MA 1765 which limit the number of entries for a 1766 memory consumption by audit logs, it wo 1767 also limit the size in bytes. 1768 Thus, I added a new quota line. 1769 1770 echo Dynamic: 1048576 > /proc/ccs/mem 1771 1772 This quota is not applied to temporary 1773 1774 Fix 2008/12/09 1775 1776 @ Fix ccs_can_save_audit_log() checks. 1777 1778 Due to incorrect statement "if (ccs_can 1779 while ccs_can_save_audit_log() is boole 1780 MAX_REJECT_LOG were not working. 1781 1782 This bug will trigger OOM killer if /us 1783 1784 Fix 2008/12/24 1785 1786 @ Add "ccs_" prefix. 1787 1788 To be able to tell whether a symbol is 1789 I added "ccs_" prefix as much as possib 1790 1791 @ Fix ccs_check_flags() error message. 1792 1793 I meant to print SYAORAN-ERROR: message 1794 but I was printing it when error == 0 s 1795 1796 Fix 2009/01/05 1797 1798 @ Use kmap_atomic()/kunmap_atomic() for r 1799 1800 As remove_arg_zero() uses kmap_atomic(K 1801 kmap_atomic(KM_USER0) rather than kmap( 1802 1803 Fix 2009/01/28 1804 1805 @ Fix "allow_read" + "allow_write" != "al 1806 1807 Since 1.6.0 , due to a bug in ccs_updat 1808 appending "allow_read/write" entry didn 1809 and "allow_write" entries. As a result, 1810 but open(O_RDONLY) and open(O_WRONLY) f 1811 1812 Workaround is to write an entry twice w 1813 If written twice, internal "allow_read" 1814 are updated. 1815 1816 Fix 2009/02/26 1817 1818 @ Fix profile read error. 1819 1820 Incorrect profiles were shown in /proc/ 1821 if either CONFIG_SAKURA or CONFIG_TOMOY 1822 1823 Fix 2009/03/02 1824 1825 @ Undelete CONFIG_TOMOYO_AUDIT option. 1826 1827 While HDD-less systems can use profiles 1828 MAX_REJECT_LOG=0 , I undeleted CONFIG_T 1829 memory used for /proc/ccs/grant_log and 1830 1831 Fix 2009/03/13 1832 1833 @ Show only profile entry names ever spec 1834 1835 Even if an administrator specifies only 1836 entries for /proc/ccs/profile , all ava 1837 This was designed to help administrator 1838 available, but sometimes makes administ 1839 entries showing default values. 1840 1841 Thus, I modified to show only profile e 1842 1843 Fix 2009/03/18 1844 1845 @ Add MAC_FOR_IOCTL functionality. 1846 1847 To be able to restrict ioctl() requests 1848 functionality. 1849 1850 This functionality requires modificatio 1851 1852 @ Use better name for socket's pathname. 1853 1854 Until now, socket's pathname was repres 1855 where \$ is inode's number. But inode's 1856 access control. Therefore, I modified t 1857 "socket:[family=\$:type=\$:protocol=\$] 1858 1859 This will help administrator to control 1860 precisely. 1861 1862 @ Fix misplaced ccs_capable() call. (onl 1863 1864 Location to insert ccs_capable(TOMOYO_S 1865 wrong since version 1.1 . 1866 1867 @ Insert ccs_check_ioctl_permission() cal 1868 1869 To make MAC_FOR_IOCTL functionality wor 1870 ccs_check_ioctl_permission() call into 1871 1872 Fix 2009/03/23 1873 1874 @ Move sysctl()'s check from ccs-patch-\* 1875 1876 Since try_parse_table() in kernel/sysct 1877 all versions, I moved that function to 1878 1879 @ Relocate definitions and functions. 1880 1881 To reduce exposed symbols, I relocated 1882 1883 Fix 2009/03/24 1884 1885 @ Add CONFIG_TOMOYO_BUILTIN_INITIALIZERS 1886 1887 Some systems don't have /sbin/modprobe 1888 Thus, I made these pathnames configurab 1889 1890 Version 1.6.7 2009/04/01 Feature enhancemen 1891 1892 Fix 2009/04/06 1893 1894 @ Drop "undelete domain" command. 1895 1896 I added "undelete domain" command on 20 1897 management tools. The garbage collector 1898 automatically reuse memory and allow ad 1899 periodically, provided that the adminis 1900 domains before recreating new domains w 1901 1902 Thus, I dropped "undelete domain" comma 1903 1904 @ Escape invalid characters in ccs_check_ 1905 1906 ccs_check_mount_permission2() was passi 1907 and ccs_update_mount_acl() and ccs_chec 1908 /proc/ccs/system_policy and /proc/ccs/q 1909 characters within a string. 1910 1911 Fix 2009/04/07 1912 1913 @ Fix IPv4's "address_group" handling err 1914 1915 Since 1.6.5 , due to lack of ntohl() (b 1916 ccs_update_address_group_entry(), "addr 1917 not working. 1918 1919 This problem happens on little endian p 1920 1921 Fix 2009/05/08 1922 1923 @ Add condition for symlink's target path 1924 1925 Until now, "allow_symlink" keyword allo 1926 not check the symlink's target. Usually 1927 permission checks are done using derefe 1928 cases, we should restrict the symlink's 1929 "ln -s .htpasswd /var/www/html/readme.h 1930 blocked because we will allow Apache to 1931 /var/www/html/readme.html and /var/www/ 1932 1933 Thus, I added new condition, "symlink.t 1934 1935 allow_symlink /var/www/html/\*.html i 1936 1937 allow_symlink /var/www/html/\*\-.\* i 1938 1939 @ Don't return -EAGAIN at ccs_socket_recv 1940 1941 It turned out that it is not permitted 1942 return -EAGAIN if poll() said connectio 1943 recvmsg() may return -EAGAIN and potent 1944 because ccs_socket_recvmsg_permission() 1945 1946 Thus, I modified ccs_socket_recvmsg_per 1947 rather than -EAGAIN. 1948 1949 Fix 2009/05/19 1950 1951 @ Don't call get_fs_type() with a mutex h 1952 1953 Until now, when ccs_update_mount_acl() 1954 filesystem, /sbin/modprobe is executed 1955 filesystem module. And get_fs_type() do 1956 finishes. 1957 1958 This means that it will cause deadlock 1959 executed via get_fs_type() in ccs_updat 1960 ccs_update_mount_acl(); although it won 1961 inserts execute_handler to call mount() 1962 add "allow_mount" entries to /proc/ccs/ 1963 1964 I modified to unlock the mutex before c 1965 1966 Fix 2009/05/20 1967 1968 @ Update recvmsg() hooks. 1969 1970 Since 1.5.0, I was doing network access 1971 packets inside skb_recv_datagram(). But 1972 I moved ccs_recv_datagram_permission() 1973 udp_recvmsg()/udpv6_recvmsg()/raw_recvm 1974 change to ccs_recvmsg_permission(). 1975 1976 Version 1.6.8 2009/05/28 Feature enhancemen 1977 1978 Fix 2009/07/03 1979 1980 @ Fix buffer overrun when used with CONFI 1981 1982 Since 1.6.7 , ccs_allocate_execve_entry 1983 bytes while the comment says it is 4096 1984 overrun when slob allocator is used, fo 1985 4000 bytes whereas slab and slub alloca 1986 1987 Fix 2009/09/01 1988 1989 @ Add garbage collector support. 1990 1991 Until now, it was impossible to release 1992 I added SRCU based garbage collector so 1993 policy will be automatically released. 1994 1995 @ Remove word length limitation and line 1996 1997 Until now, the max length of a word is 1998 is 8192. To be able to handle longer pa 1999 limitations. Now, the max length (excep 2000 argv[]/envp[]) is 128K (which is the ma 2001 can allocate in most environments). 2002 2003 @ Support more fine grained profile confi 2004 2005 Profile was reconstructed. 2006 2007 @ Support more fine grained parameters re 2008 2009 "allow_create", "allow_mkdir", "allow_m 2010 create mode. "allow_mkblock" and "allow 2011 major/minor device numbers. "allow_chmo 2012 checks new owner. "allow_chgrp" checks 2013 2014 @ Allow number grouping. 2015 2016 To help specifying numeric values, a ne 2017 introduced. 2018 2019 @ Remove "alias" directive and "allow_arg 2020 2021 Until now, "allow_execute" used derefer 2022 unless explicitly specified by "alias" 2023 2024 Now, "allow_execute" uses symlink's pat 2025 "exec.realpath" in "if" clause checks t 2026 "exec.argv[0]" in "if" clause checks th 2027 2028 @ Remove /proc/ccs/system_policy and /etc 2029 2030 "deny_autobind" was moved to /proc/ccs/ 2031 /etc/ccs/exception_policy.conf . Other 2032 /proc/ccs/domain_policy and /etc/ccs/do 2033 2034 @ Remove syaoran filesystem. 2035 2036 Since "allow_create"/"allow_mkdir"/"all 2037 "allow_mkblock"/"allow_mkchar"/"allow_c 2038 can restrict mode changes and owner/gro 2039 restrict these changes at filesystem le 2040 2041 Thus, I removed syaoran filesystem. 2042 2043 @ Reduce spinlocks. 2044 2045 Until now, TOMOYO was using own list fo 2046 kernel 2.6.31 introduced memory leak de 2047 ( CONFIG_DEBUG_KMEMLEAK ), TOMOYO no lo 2048 2049 I removed the list to reduce use of spi 2050 2051 @ Rewrite ccs-patch-2.\*.diff . 2052 2053 ccs-patch-2.\*.diff was rewritten like 2054 2055 @ Don't check "allow_read/write" for open 2056 2057 open(pathname, 3) means open for ioctl( 2058 Until now, TOMOYO was checking "allow_r 2059 But since TOMOYO checks "allow_ioctl" f 2060 require "allow_read/write" for open(pat 2061 2062 @ Add missing sigqueue() and tgsigqueue() 2063 2064 Until now, kill(), tkill(), tgkill() ha 2065 tgsigqueue() didn't. 2066 2067 @ Move files from fs/ to security/ccsecur 2068 2069 Config menu section changed from "File 2070 2071 Kernel config symbols changed from CONF 2072 CONFIG_SYAORAN to CONFIG_CCSECURITY . 2073 2074 @ Add global PID to audit logs. 2075 2076 ccs-queryd was using domainname for rea 2077 belongs to, but the domain could be del 2078 policy violation. If the domain is dele 2079 reach the domain by domainname. Thus, c 2080 reaching the domain which the process b 2081 2082 Kernel 2.6.24 introduced PID namespace. 2083 by a process inside a container is usel 2084 the domain which the process belongs to 2085 2086 Thus, I added global PID in audit logs. 2087 2088 @ Transit to new domain before do_execve( 2089 2090 Permission checks for interpreters and 2091 done using new domain. In order to allo 2092 domain via global PID, I reverted "Don' 2093 do_execve() succeeds." made on 2008/10/ 2094 2095 Version 1.7.0 2009/09/03 Feature enhancemen 2096 2097 Fix 2009/09/04 2098 2099 @ Fix wrong ccs_profile() calls. 2100 2101 I can't call ccs_profile() for profile 2102 ccs_profile() never returns NULL. 2103 2104 Fix 2009/09/06 2105 2106 @ Fix wrong error code in ccs_try_alt_exe 2107 2108 ccs_try_alt_exec() was returning ENOMEM 2109 It needs to return -ENOMEM to fail. 2110 2111 Fix 2009/09/10 2112 2113 @ Do not check umount() permission for mo 2114 2115 Until 1.6.x , umount() restriction was 2116 white listing. This change caused "moun 2117 require "allow_unmount old" permission 2118 "allow_mount old new --move 0" permissi 2119 But we don't want to allow umount(old) 2120 only mount(old, new, MS_MOVE) requests. 2121 "allow_unmount old" permission for moun 2122 2123 Fix 2009/09/11 2124 2125 @ Support recursive match operators. 2126 2127 Until now, ccs_path_matches_pattern() d 2128 comparison. Thus, users had to repeat " 2129 recursively. 2130 2131 I introduced "\{" and "\}" as repetitio 2132 To ensure consistency with TOMOYO's '/' 2133 and "\-" operator, only "/\{dir\}/" seq 2134 '/') is permitted. 2135 2136 Fix 2009/09/24 2137 2138 @ Don't check chmod/chown capability for 2139 2140 Until now, ccs_setattr_permission() was 2141 But notify_change() is also called by r 2142 and it made difficult to use TOMOYO on 2143 2144 Thus, I moved ccs_capable() checks from 2145 ccs_chmod_permission() and ccs_chown_pe 2146 ccs_setattr_permission(). 2147 2148 Fix 2009/09/25 2149 2150 @ Embed more information into audit logs. 2151 2152 Until now, /proc/ccs/grant_log /proc/cc 2153 not printing file's information (e.g. f 2154 2155 Recently, users who started using "if" 2156 mode automatically adds various conditi 2157 2158 But the profile will become too complic 2159 conditions. Thus, I added all informati 2160 "if" clause with all possible condition 2161 2162 Now, the learning mode got different us 2163 "CONFIG::learning={ max_entry=0 }" in t 2164 are not permitted by policy will be sen 2165 "mode=learning" header lines. Users can 2166 and append to the policy using "/usr/sb 2167 The learning mode with "CONFIG::learnin 2168 the same with the permissive mode, only 2169 and "mode=permissive". 2170 2171 Fix 2009/10/05 2172 2173 @ Fix size truncation bug at ccs_memcmp() 2174 2175 ccs_memcmp() was using "u8" for size pa 2176 size >= 256 was passed to ccs_memcmp(), 2177 (incorrect result) or read overrun (CPU 2178 2179 ccs_memcmp() should use "size_t" for si 2180 "struct ccs_condition" may exceed 256 b 2181 given. 2182 2183 Fix 2009/10/08 2184 2185 @ Add CONFIG_CCSECURITY_DEFAULT_LOADER op 2186 2187 I made the default policy loader's path 2188 configurable. 2189 2190 @ Add CONFIG_CCSECURITY_ALTERNATIVE_TRIGG 2191 2192 Some environments do not have /sbin/ini 2193 to use different program's pathname (e. 2194 activation trigger. 2195 2196 Thus, I made the alternative trigger ( 2197 2198 Fix 2009/11/02 2199 2200 @ Fix buffer contention. 2201 2202 A permission like 2203 2204 allow_env PATH if exec.envp["PATH"]=" 2205 2206 was not working since I was using the s 2207 variable's name and value. 2208 2209 Fix 2009/11/03 2210 2211 @ Fix memory leak in ccs_write_address_gr 2212 2213 I forgot to call kfree() if same entry 2214 2215 @ Reduce mutexes. 2216 2217 I was using mutex_lock()/mutex_unlock() 2218 atomic_dec_and_test() for removing an e 2219 I moved that operation to garbage colle 2220 of mutex_lock()/mutex_unlock() calls. 2221 2222 @ Escape from nested loops correctly. 2223 2224 In ccs_read_address_group_policy(), I w 2225 correctly. But in ccs_read_path_group_p 2226 ccs_read_number_group_policy(), I wasn' 2227 2228 As a result, reading path_group and num 2229 when they were not read atomically. 2230 2231 Fix 2009/11/06 2232 2233 @ Fix incorrect allow_mount audit log. 2234 2235 Audit log for allow_mount was using dec 2236 It needs to use hexadecimal format. 2237 2238 Fix 2009/11/09 2239 2240 @ Add profile version check. 2241 2242 To avoid upgrading from TOMOYO 1.6.x to 2243 /proc/ccs/profile (which results in not 2244 I added a check for PROFILE_VERSION= . 2245 2246 Version 1.7.1 2009/11/11 Fourth anniversary 2247 2248 Fix 2009/11/13 2249 2250 @ Don't use core_initcall() for initializ 2251 2252 Some kernels call TOMOYO's hooks before 2253 Thus, I can't use core_initcall() for in 2254 2255 Fix 2009/11/18 2256 2257 @ Don't check "allow_write" permission fo 2258 2259 Since TOMOYO checks "allow_truncate" pe 2260 permission for O_TRUNC, I need to disti 2261 and open(O_RDWR | O_TRUNC). But I made 2262 1.7.1 which made it impossible for TOMO 2263 to distinguish them. 2264 2265 Fix 2009/11/27 2266 2267 @ Use newly created domain's name for dom 2268 2269 Since 1.7.0 , /proc/ccs/reject_log was 2270 name when auditing newly created domain 2271 2272 Fix 2009/12/12 2273 2274 @ Use rcu_read_lock() for find_task_by_pi 2275 2276 Since kernel 2.6.18 , caller of find_ta 2277 rcu_read_lock() rather than read_lock(& 2278 uses RCU primitives but spinlock does n 2279 preemptive RCU ( CONFIG_PREEMPT_RCU or 2280 enabled. 2281 2282 Fix 2009/12/15 2283 2284 @ Allow deleting "quota_exceeded" and "tr 2285 2286 To notify users of "this domain has too 2287 process in this domain was not able to 2288 "quota_exceeded" and "transition_failed 2289 These messages were not deletable. But 2290 to be notified again if such events occ 2291 Thus, I made these messages deletable. 2292 2293 Fix 2009/12/17 2294 2295 @ Don't check read permission in ccs_try_ 2296 2297 While I was trying to remove ccs_execve 2298 between TOMOYO 1.7.0 and 1.7.1 , I made 2299 check allow_read permission of the prog 2300 and denied_execute_handler keywords. 2301 2302 @ Don't check DAC permission if disabled 2303 2304 I was checking DAC permissions regardin 2305 operations (e.g. mkdir()) even if mode= 2306 resource to check DAC permissions when 2307 Thus, I modified to skip DAC permission 2308 2309 Fix 2009/12/19 2310 2311 @ Fix memory leak in ccs_environ(). 2312 2313 When I fixed a bug that a permission li 2314 2315 allow_env PATH if exec.envp["PATH"]=" 2316 2317 was not working (2009/11/02), I allocat 2318 was released. 2319 2320 This bug will trigger OOM killer if env 2321 enabled. 2322 2323 Fix 2010/01/17 2324 2325 @ Use current domain's name for execute_h 2326 2327 Since 1.6.7 , /proc/ccs/grant_log was b 2328 when auditing current domain's "execute 2329 2330 Fix 2010/03/02 2331 2332 @ Allow domain transition without execve( 2333 2334 To be able to split permissions for Apa 2335 executed without execve(), I added spec 2336 performed by atomically writing '\0'-te 2337 /proc/ccs/.transition interface. For ex 2338 "<kernel> /usr/sbin/httpd" domain will 2339 "<kernel> /usr/sbin/httpd //app=cgi1\04 2340 writing "app=cgi1 id=10000" + '\0' to / 2341 Apache's ap_hook_handler() functionalit 2342 2343 Note that '\0'-terminated binary string 2344 inside kernel and prefix "//" is automa 2345 that domainname does not conflict with 2346 Without this prefix, if "<kernel> /usr/ 2347 allowed to open /proc/ccs/.transition f 2348 "<kernel> /usr/sbin/sshd /bin/bash /usr 2349 access /etc/shadow , /bin/bash will be 2350 atomically writing "/usr/bin/passwd" + 2351 Allowing /bin/bash to access /etc/shado 2352 2353 Permission for this operation is checke 2354 Unlike "allow_execute" keyword, the str 2355 keyword does not refer a real file on f 2356 you can store any combination of parame 2357 string parameter for "allow_transit" ke 2358 2359 Fix 2010/03/08 2360 2361 @ Allow building as loadable kernel modul 2362 2363 To be able to minimize filesize increme 2364 possible to compile TOMOYO Linux as loa 2365 Although patching the kernel source and 2366 inevitable, this change will make it ea 2367 when there is a filesize limitation on 2368 2369 Fix 2010/03/25 2370 2371 @ Fix ccs_get_ipv6_address() bug. 2372 2373 Since 1.7.0 , ccs_get_ipv6_address() wa 2374 "struct list_head ccs_address_list" if 2375 As a result, ccs_put_ipv6_address() wil 2376 "struct list_head ccs_address_list" if 2377 2378 Fix 2010/03/26 2379 2380 @ Fix ccs_lport_reserved() bug. 2381 2382 Since 1.7.0 , ccs_lport_reserved() was 2383 number. As a result, "deny_autobind" ke 2384 2385 Version 1.7.2 2010/04/01 Feature enhancemen 2386 2387 Fix 2010/04/10 2388 2389 @ Fix invalid "struct nameidata" to "stru 2390 2391 Regarding kernels 2.6.24 and earlier, I 2392 to "struct path" in caller side so that 2393 parameter type. But it turned out that 2394 standards and did not work with gcc 4.x 2395 keyword was not working as expected. 2396 2397 Fix 2010/05/05 2398 2399 @ Fix incorrect audit on/off control. 2400 2401 The grant_log= and reject_log= paramete 2402 used because I forgot to update request 2403 CONFIG::file::execute were used for CON 2404 2405 Those of CONFIG::file::rewrite were not 2406 request type. As a result, those of CON 2407 CONFIG::file::rewrite . 2408 2409 Fix 2010/05/10 2410 2411 @ Fix incorrect out of memory warning. 2412 2413 Out of memory warnings were not printed 2414 2415 Fix 2010/05/27 2416 2417 @ Add missing rcu_dereference() for ccs_f 2418 2419 Since 1.7.0 , ccs_find_execute_handler( 2420 list_for_each_entry() rather than list_ 2421 This bug affects only Alpha architectur 2422 2423 Fix 2010/06/03 2424 2425 @ Fix missing sanity check for "file_patt 2426 2427 Since 1.7.0 , ccs_write_pattern_policy( 2428 invalid pathname. 2429 2430 Fix 2010/06/09 2431 2432 @ Add missing ccs_put_name() in ccs_parse 2433 2434 Since 1.7.0 , ccs_parse_envp() was not 2435 environment variable's value ('if exec. 2436 was invalid. 2437 2438 @ Add missing NULL check in ccs_condition 2439 2440 Since 1.7.0 , if 'if symlink.target=' p 2441 permissions (e.g. allow_env PATH if sym 2442 NULL pointer dereference. 2443 2444 Fix 2010/10/28 2445 2446 @ Fix umount() pathname calculation. 2447 2448 "mount --bind /path/to/file1 /path/to/f 2449 Therefore, "umount /path/to/file2" is a 2450 Do not automatically append trailing '/ 2451 does not end with '/'. 2452 2453 @ Add preserve KABI compatibility option. 2454 2455 TOMOYO needs "struct ccs_domain_info *" 2456 "struct task_struct". But embedding the 2457 "struct task_struct" breaks KABI for pr 2458 means that you will need to rebuild pre 2459 2460 Since KABI is commonly used (compared t 2461 rebuild kernel modules which are not in 2462 longer preferable. Therefore, I added a 2463 "struct task_struct" unmodified in orde 2464 2465 Note that you have to use ccs-patch-2.6 2466 kernel/fork.c in order to use this opti 2467 memory whenever "struct task_struct" is 2468 2469 @ Change directives. 2470 2471 I removed "allow_" prefix from directiv 2472 prefixed with "file ". For example, "al 2473 "allow_ioctl" changed to "file ioctl". 2474 TCP" is "network inet stream", "allow_n 2475 dgram", "allow_network RAW" is "network 2476 "allow_env" is "misc env". New directiv 2477 signal". New directive for "allow_capab 2478 directives correspond with keywords use 2479 2480 I removed "deny_rewrite" and "allow_rew 2481 "file append" directive. Thus, permissi 2482 changed from "allow_write" + "allow_rew 2483 2484 I removed "SYS_MOUNT", "SYS_UMOUNT", "S 2485 "SYS_LINK", "SYS_SYMLINK", "SYS_RENAME" 2486 "SYS_CHOWN", "SYS_IOCTL", "SYS_PIVOT_RO 2487 because these permissions can be checke 2488 "file mount", "ipc signal"). 2489 2490 I also removed "conceal_mount" keyword 2491 check requires hooks in filesystem part 2492 filesystem part have moved to LSM by Li 2493 2494 New directive for "execute_handler" is 2495 "denied_execute_handler" is "task denie 2496 2497 @ Distinguish send() and recv() operation 2498 2499 Until now, it was impossible for UDP an 2500 only sending or only receiving because 2501 "connect" keyword. I broke "connect" ke 2502 keywords so that you can keep access co 2503 when you have to disable access control 2504 application breakage by discarding inco 2505 2506 @ Add Unix domain socket restriction supp 2507 2508 Until now, it was possible to restrict 2509 TCP/UDP/RAW). I added restriction for U 2510 dgram/seqpacket). New directive "networ 2511 "network inet" directive. 2512 2513 @ Allow specifying multiple permissions i 2514 2515 Until now, only "allow_read/write" can 2516 "allow_read" + "allow_write". Now, you 2517 long as type of parameters for these pe 2518 "file read/write/append/execute/unlink/ 2519 but "file read/write/create /tmp/file" 2520 requires create mode whereas "file read 2521 2522 @ Allow wildcard for execute permission a 2523 2524 Until now, to execute programs with tem 2525 needed. To simplify code, I modified to 2526 permission and domainname. Now, you can 2527 "file execute /tmp/logrotate.\?\?\?\?\? 2528 "/tmp/logrotate.\?\?\?\?\?\?" within do 2529 2530 @ Change pathname for non-rename()able fi 2531 2532 LSM version of TOMOYO wants to use /pro 2533 $PID matches current thread's process I 2534 thread from accessing other process's i 2535 But since procfs can be mounted on vari 2536 /p/ /tmp/foo/100/p/ ), LSM version of T 2537 numeric part in the string returned by 2538 or not. 2539 2540 Therefore, to be able to convert from $ 2541 is mounted, I changed pathname represen 2542 not support rename() operation (e.g. pr 2543 2544 Now, "/proc/self/mounts" changed to "pr 2545 "/sys/kernel/security/" changed to "sys 2546 "/dev/pts/0" changed to "devpts:/0". 2547 2548 @ Add a new keyword "any" for domain tran 2549 2550 To be able to make it easier to apply a 2551 domain, I added "any" keyword to domain 2552 "initialize_domain /usr/sbin/sshd" chan 2553 "initialize_domain /usr/sbin/sshd from 2554 "keep_domain <kernel> /usr/sbin/sshd /b 2555 "keep_domain any from <kernel> /usr/sbi 2556 2557 "keep_domain /path/to/auto_execute_hand 2558 apply auto_execute_handler for any doma 2559 auto_execute_handler. 2560 2561 @ Change buffering mode for reading polic 2562 2563 To be able to read() very very long lin 2564 TOMOYO buffers policy for reading. 2565 2566 @ Introduce "acl_group" keyword. 2567 2568 Until now, it was possible to specify o 2569 keywords in the exception policy. 2570 2571 Since some operations like "file read/w 2572 "network UDP send/recv @DNS_SERVER 53" 2573 permitted to all domains, I introduced 2574 such permissions. 2575 2576 For example, specify "acl_group 0 file 2577 the exception policy and specify "use_g 2578 domain policy. 2579 2580 "ignore_global_allow_read" and "ignore_ 2581 removed from domain policy and "use_gro 2582 2583 @ Remove "if" and "; set" keyword. 2584 2585 I removed need for specifying these key 2586 You can simply specify like below. 2587 2588 file read /etc/shadow task.uid=0 2589 2590 @ Remove "file_pattern" keyword. 2591 2592 I removed "file_pattern" keyword becaus 2593 all possible pathname patterns. Also, l 2594 patterns makes it difficult to later re 2595 2596 @ Replace verbose= parameter with statist 2597 2598 Since it is noisy if a lot of policy vi 2599 I removed printk(). To be able to check 2600 or not, I introduced /proc/ccs/stat int 2601 policy violations occurred. You can fir 2602 check /proc/ccs/reject_log . 2603 2604 @ Remove global preference. 2605 2606 I removed global preference in order to 2607 2608 @ Allow controlling generation of access 2609 basis. 2610 2611 I added per-entry flag which controls g 2612 Xen and KVM issues ioctl requests so fr 2613 2614 file ioctl /dev/null 0x5401 grant_log 2615 2616 will suppress /proc/ccs/grant_log even 2617 2618 file ioctl /dev/null 0x5401 grant_log 2619 2620 will generate /proc/ccs/grant_log even 2621 2622 file ioctl /dev/null 0x5401 2623 2624 will generate /proc/ccs/grant_log only 2625 2626 This flag is intended for frequently ac 2627 2628 file read /var/www/html/\{\*\}/\*.htm 2629 2630 . 2631 2632 @ Automatically create domain by execve() 2633 2634 Until now, new domains are not created 2635 current domain is enforcing mode ("CONF 2636 2637 To be able to restrict shell session wi 2638 I changed to create new domains automat 2639 enforcing mode. 2640 2641 @ Replace "task.state" with "auto_domain_ 2642 2643 task.state is difficult to use. Thus, I 2644 auto_domain_transition which performs d 2645 changing current process's state variab 2646 2647 If domain transition failed, current pr 2648 signal. This should not happen in norma 2649 domain to transit to and thereby you wi 2650 when you use "auto_domain_transition" k 2651 2652 @ Replace "allow_transit" with "task manu 2653 2654 I changed this directive to specify abs 2655 "<kernel> /usr/sbin/httpd //app=cgi1\04 2656 pathname (e.g. "//app=cgi1\040id=10000" 2657 transit to and thereby you will define 2658 "task manual_domain_transition" directi 2659 2660 This change allows you to jump to arbit 2661 2662 Note that this change also reverts "Cha 2663 made on 2006/10/24. Now, 'cat < /proc/c 2664 'cat /proc/ccs/info/self_domain'. Progr 2665 need to be updated. 2666 2667 @ Add "task auto_domain_transition". 2668 2669 This is similar to "task manual_domain_ 2670 applied whenever conditions are met. Fo 2671 2672 task auto_domain_transition <kernel> 2673 2674 will automatically jump to "<kernel> // 2675 process's UID is not 0 whereas 2676 2677 task manual_domain_transition <kernel 2678 2679 will jump to "<kernel> //./non-root" do 2680 not 0 and current process wrote "<kerne 2681 /proc/ccs/self_domain interface. 2682 2683 If domain transition failed, current pr 2684 signal. 2685 2686 @ Optimize for object's size. 2687 2688 I merged similar code in order to reduc 2689 2690 Version 1.8.0 2010/11/11 Fifth anniversary 2691 2692 Fix 2010/12/01 2693 2694 @ Use same interface for audit logs. 2695 2696 To be able to perform fine grained filt 2697 I merged /proc/ccs/grant_log and /proc/ 2698 /proc/ccs/audit and added granted=yes o 2699 2700 Fix 2010/12/17 2701 2702 @ Split ccs_null_security into ccs_defaul 2703 2704 ccs_null_security is used by preserve K 2705 used for providing default values again 2706 allocated memory for their security con 2707 2708 If current thread failed to allocate me 2709 context, current thread uses ccs_null_s 2710 allowed to modify current thread's secu 2711 modify ccs_null_security which should n 2712 2713 Therefore, I split ccs_null_security in 2714 ccs_oom_security and use ccs_oom_securi 2715 allocate memory for current thread's se 2716 2717 Threads which do not share ccs_oom_secu 2718 which share ccs_oom_security. Threads w 2719 experience temporary inconsistency, but 2720 killed by SIGKILL signal. 2721 2722 Fix 2011/01/11 2723 2724 @ Use filesystem name for unnamed devices 2725 2726 "Change pathname for non-rename()able f 2727 "$fsname:" if the filesystem does not s 2728 "dev($major,$minor):" otherwise when vf 2729 out that it is useless to use "dev($maj 2730 (filesystems with $major == 0). Thus, I 2731 than "dev($major,$minor):" for filesyst 2732 is missing. 2733 2734 Fix 2011/02/07 2735 2736 @ Fix infinite loop bug when reading /pro 2737 2738 In ccs_flush(), head->r.w[0] holds poin 2739 But head->r.w[0] was updated only when 2740 printed (because head->r.w[0] will be u 2741 completely printed). However, regarding 2742 /proc/ccs/query , an additional '\0' is 2743 completely printed. But if free space f 2744 printing the additional '\0', ccs_flush 2745 head->r.w[0]. As a result, ccs_flush() 2746 string data. 2747 2748 Fix 2011/03/01 2749 2750 @ Run garbage collector without waiting f 2751 2752 Currently TOMOYO holds SRCU lock upon o 2753 because list elements stored in the "st 2754 accessed until close() is called. Howev 2755 to complain about leaving the kernel wi 2756 I changed to hold/release SRCU upon eac 2757 deferring kfree() by keeping track of t 2758 instances. 2759 2760 Fix 2011/03/05 2761 2762 @ Support built-in policy configuration. 2763 2764 To be able to start using enforcing mod 2765 sequence, I added support for built-in 2766 activating access control without calli 2767 2768 This will be useful for systems where o 2769 hijacking of the boot sequence are need 2770 For example, you can activate immediate 2771 policy which will allow only operations 2772 which contains the variant part of poli 2773 check) and loading the variant part of 2774 enforcing mode from the beginning, you 2775 hijacking the boot sequence. 2776 2777 Fix 2011/03/10 2778 2779 @ Remove /proc/ccs/meminfo interface. 2780 2781 Please use /proc/ccs/stat interface ins 2782 2783 Fix 2011/03/15 2784 2785 @ Pack policy when printing via /proc/ccs 2786 2787 The kernel side is ready for accepting 2788 2789 file read/write/execute /path/to/file 2790 2791 but was using unpacked output like 2792 2793 file read /path/to/file 2794 file write /path/to/file 2795 file execute /path/to/file 2796 2797 because most of userland tools were not 2798 2799 The advantages of using packed policy a 2800 smaller and it speeds up loading/saving 2801 2802 Since most of userland tools are ready 2803 I changed to use packed policy for both 2804 2805 Fix 2011/03/31 2806 2807 @ Fix conditional policy parsing. 2808 2809 Since exec.realpath= and symlink.target 2810 symlink.target="@foo" was by error pars 2811 2812 @ Serialize updating profile's comment li 2813 2814 We need to serialize when updating COMM 2815 2816 Version 1.8.1 2011/04/01 Usability enhanc 2817 2818 Fix 2011/04/03 2819 2820 @ Fix fcntl(F_SETFL, O_APPEND) handling. 2821 2822 Since 1.8.0, TOMOYO was by error checki 2823 than "file append" permission when chan 2824 "overwriting" to "append". 2825 2826 This error should impact little (except 2827 a file was opened for "overwriting" mod 2828 mode cannot undo overwriting the file. 2829 due to different ACC_MODE definition, T 2830 checking "file read" permission when fc 2831 2832 Fix 2011/04/20 2833 2834 @ Remove unused "struct inode *" paramete 2835 2836 Since pre-vfs functions were removed on 2837 parameter which was used for checking p 2838 is no longer used. 2839 2840 Note that "struct ccsecurity_operations 2841 Loadable kernel modules that depends on 2842 2843 Fix 2011/05/05 2844 2845 @ Fix wrong profile number in audit logs 2846 2847 Profile number used for "file execute" 2848 when generating audit logs for "misc en 2849 2850 Fix 2011/05/11 2851 2852 @ Fix wrong domainname validation. 2853 2854 "<kernel>" + "/foo/\" + "/bar" was by e 2855 "<kernel> /foo/\* /bar" was given. As a 2856 "<kernel> /foo/\* /bar" are rejected. 2857 2858 Fix 2011/06/06 2859 2860 @ Add policy namespace support. 2861 2862 To be able to use TOMOYO in LXC environ 2863 namespace. Each policy namespace has it 2864 exception policy and profiles, which ar 2865 namespaces. 2866 2867 @ Remove CONFIG_CCSECURITY_BUILTIN_INITIA 2868 2869 From now on, exception policy and manag 2870 policy namespace (which is a <$namespac 2871 Thus, space-separated list for CONFIG_C 2872 no longer suitable for handling policy 2873 2874 Fix 2011/06/10 2875 2876 @ Allow specifying trigger for activation 2877 2878 To be able to use TOMOYO under systemd 2879 is used, I changed to allow overriding 2880 policy loader and activating MAC via ke 2881 2882 Fix 2011/06/14 2883 2884 @ Remove unused "struct inode *" paramete 2885 2886 To follow changes I made on 2011/04/20, 2887 ccs_mknod_permission(), ccs_mkdir_permi 2888 ccs_unlink_permission(), ccs_symlink_pe 2889 ccs_rename_permission() that are called 2890 net/unix/af_unix.c include/linux/securi 2891 If you have your own ccs-patch-*.diff , 2892 2893 Version 1.8.2 2011/06/20 Usability enhanc 2894 2895 Fix 2011/07/07 2896 2897 @ Remove /proc/ccs/.domain_status interfa 2898 2899 Writing to /proc/ccs/.domain_status can 2900 2901 ( echo "select " $domainname; echo "u 2902 /usr/sbin/ccs-loadpolicy -d 2903 2904 and reading from /proc/ccs/.domain_stat 2905 2906 grep -A 1 '^<' /proc/ccs/domain_polic 2907 awk ' { if ( domainname == "" ) { if 2908 domainname = $0; } else if ( $1 == "u 2909 print $2 " " domainname; domainname = 2910 2911 . Since this interface is used by only 2912 remove this interface by updating /usr/ 2913 2914 Fix 2011/07/09 2915 2916 @ Fix /proc/ccs/stat parser. 2917 2918 For optimization, I changed to use simp 2919 in ccs_write_stat(). But it caused pars 2920 before value (e.g. "Memory used by poli 2921 2922 Fix 2011/07/13 2923 2924 @ Accept "::" notation for IPv6 address. 2925 2926 In order to add network access restrict 2927 routines for parsing/printing IPv4/IPv6 2928 TOMOYO 1.8.2. 2929 Now, IPv6 address accepts "::1" instead 2930 2931 Fix 2011/09/03 2932 2933 @ Avoid race when retrying "file execute" 2934 2935 There was a race window that the pathna 2936 "file execute" permission check when re 2937 because the pathname was recalculated u 2938 inevitable race window even without sup 2939 the symbolic link's pathname from "stru 2940 than from "struct linux_binprm"->file b 2941 the symbolic link's pathname from the d 2942 2943 @ Remove unneeded daemonize(). 2944 2945 Garbage collector thread is created usi 2946 Kernel threads created by kthread_creat 2947 daemonize(). 2948 2949 Fix 2011/09/16 2950 2951 @ Allow specifying domain transition pref 2952 2953 I got an opinion that it is difficult t 2954 transition control directives because t 2955 specified to "file execute" directives. 2956 /bin/\*\-ls\-cat" is given, correspondi 2957 directive needs to be like "no_keep_dom 2958 2959 To solve this difficulty, I introduced 2960 exception policy's domain transition co 2961 2962 file execute /bin/ls keep exec.realpa 2963 file execute /bin/cat keep exec.realp 2964 file execute /bin/\*\-ls\-cat child 2965 file execute /usr/sbin/httpd <apache> 2966 2967 This argument allows transition to diff 2968 2969 <kernel> /usr/sbin/sshd 2970 file execute /bin/bash <kernel> /usr/ 2971 file execute /bin/bash <kernel> /usr/ 2972 file execute /bin/bash <kernel> /usr/ 2973 2974 Fix 2011/09/25 2975 2976 @ Simplify garbage collector. 2977 2978 It turned out that use of batched proce 2979 collector when certain pattern of entri 2980 with sequential processing. 2981 2982 Version 1.8.3 2011/09/29 Usability enhanc 2983 2984 Fix 2011/10/24 2985 2986 @ Fix incomplete read after seek. 2987 2988 ccs_flush() tries to flush data to be r 2989 ccs_select_domain() (which is called by 2990 meant to be read by next read(), but pr 2991 size was not cleared. As a result, sinc 2992 2993 char *cp = "select global-pid=1\n"; 2994 read(fd, buf1, sizeof(buf1)); 2995 write(fd, cp, strlen(cp)); 2996 read(fd, buf2, sizeof(buf2)); 2997 2998 causes enqueued data to be flushed to b 2999 3000 @ Use query id for reaching target proces 3001 3002 Use query id for reaching target proces 3003 target process's global PID. This is fo 3004 but this change makes /usr/sbin/ccs-que 3005 kernel will return empty domain policy 3006 ccs-queryd reaches target process's dom 3007 3008 @ Fix quota counting. 3009 3010 "task manual_domain_transition" should 3011 "task auto_domain_transition"/"task aut 3012 "task denied_execute_handler" because t 3013 mode. 3014 3015 Fix 2011/11/11 3016 3017 @ Optimize for object's size. 3018 3019 I rearranged functions/variables into t 3020 object's filesize. Also, I added kernel 3021 by excluding unnecessary functionality. 3022 3023 Fix 2011/11/18 3024 3025 @ Fix kernel config mapping error. 3026 3027 Due to a typo in ccs_p2mac definition, 3028 by error used when checking "file getat 3029 not be affected by this error because C 3030 CONFIG::file::getattr are by default co 3031 CONFIG settings. 3032 3033 Fix 2011/12/13 3034 3035 @ Follow __d_path() behavior change. (Onl 3036 3037 The behavior of __d_path() has changed 3038 NULL when the pathname cannot be calcul 3039 version when using with 3.2-rc5 and lat 3040 panic because ccs_get_absolute_path() t 3041 3042 The patch that changed the behavior of 3043 2.6.36 to 3.1 kernels. You must update 3044 backported, or you will experience the 3045 3046 The patch that changed the behavior of 3047 handling pathnames under lazy-unmounted 3048 using incomplete pathnames returned by 3049 under lazy-unmounted directory. But fro 3050 pathnames returned by ccs_get_local_pat 3051 lazy-unmounted directory (because __d_p 3052 3053 Since applications unlikely do lazy unm 3054 lazy-unmounted directory should not hap 3055 explicitly does lazy unmounts. But path 3056 conditions in the policy file (if any) 3057 3058 Fix 2012/01/20 3059 3060 @ Follow changes in 3.3-rc1. 3061 3062 Use umode_t rather than mode_t. 3063 Remove ipv6_addr_copy() usage. 3064 3065 Fix 2012/02/25 3066 3067 @ Follow changes in linux-next. 3068 3069 UMH_WAIT_PROC constant (currently 1) is 3070 3071 Use UMH_WAIT_PROC constant instead of h 3072 for backporting call_usermodehelper() r 3073 backported, you will start experiencing 3074 of external policy loader (i.e. /sbin/c 3075 longer wait for completion of external 3076 3077 Although I changed to use UMH_WAIT_PROC 3078 to detect renumbering in 2.6.22 and ear 3079 constant is currently available to only 3080 started to experience the kernel panic, 3081 was backported or not. 3082 3083 Fix 2012/02/29 3084 3085 @ Fix mount flags checking order. 3086 3087 Userspace can pass in arbitrary combina 3088 3089 If both MS_BIND and one of MS_SHARED/MS 3090 are passed, device name which should be 3091 checked because MS_SHARED/MS_PRIVATE/MS 3092 priority than MS_BIND. 3093 3094 If both one of MS_BIND/MS_MOVE and MS_R 3095 which should not be checked for MS_REMO 3096 MS_MOVE had higher priority than MS_REM 3097 3098 Fix these bugs by changing priority to 3099 MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBIND 3100 does. Also, I changed to unconditionall 3101 of MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNB 3102 will not generate inaccurate audit logs 3103 check mount flags passed to change_mnt_ 3104 these flags must be exclusively passed. 3105 3106 Fix 2012/03/08 3107 3108 @ Allow returning other errors when ptrac 3109 3110 Currently -EPERM is returned when ccs_p 3111 error code. I changed to return return 3112 so that we can return -ESRCH when targe 3113 3114 Fix 2012/03/16 3115 3116 @ Return appropriate value to poll(). 3117 3118 Return POLLIN | POLLRDNORM | POLLOUT | 3119 POLLOUT | POLLWRNORM otherwise. 3120 3121 Fix 2012/04/22 3122 3123 @ Readd RHEL_MINOR/AX_MINOR checks. 3124 3125 This check was added in revision 2346 a 3126 3127 Add it back in order to support RHEL 5. 3128 3129 @ Fix skb_kill_datagram() for kernels 2.6 3130 3131 Commit 208d8984 "[IPV4]: Fix BUG() in 2 3132 CONFIG_HIGHMEM" clarified that skb_kill 3133 spin_lock_bh()/spin_unlock_bh() rather 3134 spin_lock_irq()/spin_unlock_irq(). 3135 3136 RHEL 4.9 (2.6.9) kernel has that patch 3137 3138 @ Fix missing locks for RHEL 5.2-5.8 kern 3139 3140 Since RHEL 5.2 and later kernels have b 3141 "[UDP]: Add memory accounting." patch, 3142 lock_sock()/release_sock() around skb_k 3143 packet was dropped by TOMOYO. 3144 3145 Fix 2012/04/28 3146 3147 @ Accept manager programs which do not st 3148 3149 The pathname of /usr/sbin/ccs-editpolic 3150 CD is squashfs:/usr/sbin/ccs-editpolicy 3151 /usr/sbin/ccs-editpolicy . Therefore, w 3152 programs which do not start with / . 3153 3154 Fix 2012/10/08 3155 3156 @ Fix KABI breakage on Ubuntu 12.10. 3157 3158 I was using include/linux/security.h as 3159 include/linux/ccsecurity.h so that I ca 3160 3161 When scripts/genksyms/genksyms calculat 3162 file, it uses the extracted form of inv 3163 layout is known but it instead uses UNK 3164 not known. Therefore, pulling in includ 3165 layout from include/linux/ccsecurity.h 3166 and causes KABI breakage, even if no ch 3167 structures. 3168 3169 Fix this breakage by avoiding pulling i 3170 include/linux/dcache.h from include/lin 3171 3172 Fix 2015/01/01 3173 3174 @ Fix missing chmod(-1) check in Linux 3. 3175 3176 Commit e57712ebebbb9db7 "merge fchmod() 3177 ancient broken kludge" changed chmod(-1 3178 07777. Therefore, TOMOYO must not ignor 3179 3180 @ Fix potentially using bogus attributes 3181 3182 We should reset attributes information 3183 program, or attributes of original prog 3184 on execute_handler program failed. 3185 3186 Fix 2015/04/08 3187 3188 @ Fix incorrect readdir() permission chec 3189 3190 CONFIG_CCSECURITY_FILE_READDIR was mean 3191 readdir() permission check. However, CO 3192 by error used for controlling readdir() 3193 should not affect kernels built with de 3194 CONFIG_CCSECURITY_FILE_READDIR and CONF 3195 defined by default. 3196 3197 Fix 2015/04/15 3198 3199 @ Fix incorrect retry request check. 3200 3201 When a request was asked to retry, acl_ 3202 use_group keyword was by error ignored. 3203 able to use permissions defined by acl_ 3204 3205 Fix 2015/05/01 3206 3207 @ Support multiple use_group entries. 3208 3209 Until now, each domain can include only 3210 I changed to allow each domain to inclu 3211 As a result, you will be able to reduce 3212 defining multiple acl_group entries bas 3213 them from each domain as needed. 3214 3215 Version 1.8.4 2015/05/05 Usability enhanc 3216 3217 Fix 2015/11/08 3218 3219 @ Use memory allocation flags used by TOM 3220 3221 Until now, TOMOYO 1.x was using memory 3222 than TOMOYO 2.x in order to make sure t 3223 TOMOYO 1.x shall not cause silent livel 3224 3225 But as I learn about this livelock prob 3226 not a problem which TOMOYO can manage. 3227 at memory allocation is a problem, refu 3228 by critical processes due to memory all 3229 weaker memory allocation flags is also 3230 3231 Since situations regarding memory alloc 3232 are changing, it will be safer to use m 3233 TOMOYO 2.x. 3234 3235 Fix 2015/11/10 3236 3237 @ Limit wildcard recursion depth. 3238 3239 Since wildcards that need recursion con 3240 we cannot allow infinite recursion. 3241 3242 Version 1.8.5 2015/11/11 Tenth anniversar 3243 3244 Fix 2017/02/02 3245 3246 @ Use for_each_thread() for GC operation. 3247 3248 while_each_thread() without tasklist_lo 3249 Use for_each_process_thread() if it is 3250 tasklist_lock otherwise. 3251 3252 Fix 2018/04/01 3253 3254 @ Use smb_rmb() when waiting for initiali 3255 3256 "while (!cond);" is implicitly optimize 3257 Use "while (!cond) smp_rmb();" in order 3258 3259 Fix 2019/07/27 3260 3261 @ Change pathname calculation for read-on 3262 3263 Commit 5625f2e3266319fd ("TOMOYO: Chang 3264 filesystems.") intended to be applied t 3265 not controllable from the userspace (e. 3266 on an assumption that such filesystems 3267 3268 But it turned out that read-only filesy 3269 operation despite the content is contro 3270 commit is annoying TOMOYO users who wan 3271 filesystem due to use of local name whi 3272 3273 Therefore, based on an assumption that 3274 device argument upon mount() request is 3275 is controllable from the userspace, do 3276 does not support rename() operation but 3277 mount() request. 3278 3279 @ Reject move_mount() system call for now 3280 3281 Commit 2db154b3ea8e14b0 ("vfs: syscall: 3282 around") introduced security_move_mount 3283 TOMOYO and AppArmor did not implement h 3284 Since unchecked mount manipulation is n 3285 as if move_mount(2) is unavailable. 3286 3287 @ Don't check open/getattr permission on 3288 3289 syzbot found that use of SOCKET_I()->sk 3290 use after free problem, for socket's in 3291 /proc/pid/fd/n despite destruction of S 3292 3293 But there is no point with calling secu 3294 because open("/proc/pid/fd/n", !O_PATH) 3295 3296 There is some point with calling securi 3297 because stat("/proc/pid/fd/n") and fsta 3298 are valid. But since information which 3299 security_inode_getattr() on sockets is 3300 3301 Version 1.8.6 2019/08/20 Bug fix release. 3302 3303 Fix 2019/12/07 3304 3305 @ Don't use nifty names on sockets. 3306 3307 Revert "Don't check open/getattr permis 3308 get rid of special handling of sockets. 3309 "socket:[family=\$:type=\$:protocol=\$] 3310 rewritten to "socket:[\$]". 3311 3312 Fix 2020/04/09 3313 3314 @ Fix wrong put_page() usage in ccs_dump_ 3315 3316 ccs_dump_page() for 5.6+ was by error u 3317 3318 Fix 2020/05/01 3319 3320 @ Loosen domainname validation and pathna 3321 3322 Currently a domainname must start with 3323 zero or more repetitions of a pathname 3324 3325 But situation is getting more and more 3326 a pathname which starts with '/', for e 3327 on e.g. some filesystems cause ccs_real 3328 in "$fsname:/$pathname" format. 3329 3330 Fortunately, since $fsname must not con 3331 we can recognize a token which appears 3332 proc:/self/exe ) as a pathname and a to 3333 '/' appears (e.g. exec.realpath="/bin/b 3334 with an exception that a pathname canno 3335 auto_domain_transition=" because it is 3336 for on-match domain transition. Also, w 3337 followed by such tokens (e.g. <kernel> 3338 a domainname. 3339 3340 Version 1.8.7 2020/05/05 Usability enhanc 3341 3342 Fix 2020/07/22 3343 3344 @ Fix domain transition preference. 3345 3346 The domain transition preference which 3347 by error ignored since 1.8.3p4, for ccs 3348 ccs_write_log2() from ccs_supervisor() 3349 resets r->matched_acl to NULL. Change c 3350 to reset r->matched_acl to NULL. 3351 3352 Fix 2020/08/17 3353 3354 @ Fix ccs_realpath() fallback. 3355 3356 ccs_realpath() for 3.17+ was by error n 3357 when ccs_get_absolute_path() returned - 3358 3359 Fix 2020/08/19 3360 3361 @ Fix wrong ccs_search_binary_handler() m 3362 3363 When support for 5.8 kernel was added, 3364 3.7- was by error mapped to wrong funct 3365 3366 Fix 2020/10/24 3367 3368 @ Fix /proc pathname calculation for Linu 3369 3370 ccs_realpath() for 5.8+ was by error no 3371 calculating /proc pathname. 3372 3373 Version 1.8.8 2020/11/11 Fifteenth annive 3374 3375 Fix 2021/03/13 3376 3377 @ Skip permission checks for fileless exe 3378 3379 Kernels from 4.18 to 5.8 are using call 3380 starting program without a valid pathna 3381 /sbin/modprobe from dockerd process cou 3382 because ccs_symlink_path() cannot calcu 3383 a valid pathname. Thus, allow call_user 3384 permission checks and suppress domain t 3385 3386 @ Fix ccs_kernel_service(). 3387 3388 Kernels from 5.5 to 5.11 are using PF_K 3389 worker threads. 3390 3391 Version 1.8.9 2021/04/01 Bug fix release. 3392 3393 Fix 2021/12/28 3394 3395 @ Check exceeded quota early. 3396 3397 Backport commit 04e57a2d952bbd34 ("tomo 3398 tomoyo_domain_quota_is_ok().") and comm 3399 hwight16() in tomoyo_domain_quota_is_ok 3400 overhead of the learning mode. Note tha 3401 explicitly delete "quota_exceeded" entr 3402 to resume the learning mode. 3403 3404 Fix 2024/03/31 3405 3406 @ Fix a UAF bug introduced by an oversigh 3407 3408 Backport commit 2f03fc340cac ("tomoyo: 3409 tomoyo_write_control()"). 3410 3411 Version 1.8.10 2024/04/01 Security bug fi 3412 3413 Fix 2024/06/28 3414 3415 @ Unblock move_mount() system call. 3416 3417 Since util-linux 2.39 started using lib 3418 implementing appropriate permission che 3419 necessary for successfully booting a Li 3420 3421 Version 1.8.11 2024/07/15 Bug fix release 3422 3423 Fix 2024/11/09 3424 3425 @ Conditionally use realpath on execve() 3426 3427 Backport commit ada1986d0797 ("tomoyo: 3428 pathname does not exist"), and change t 3429 pathname exists and refers to proc file 3430 pathname used for checking "file execut 3431 used after a successful execve() reques 3432 3433 Before (profile version = 20200505): 3434 3435 file execute proc:/self/exe exec.real 3436 file execute proc:/self/fd/100 exec.r 3437 3438 After (profile version = 20241111): 3439 3440 file execute /usr/bin/bash exec.realp 3441 file execute /usr/bin/bash exec.realp 3442 3443 This new behavior is applied only if pr 3444 20200505 to 20241111, for modifying exi 3445 3446 Version 1.8.12 2024/11/11 Nineteenth anni
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.