Notes for TOMOYO Linux project

This is a handy Mandatory Access Control patch
This patch is released under the GPLv2.

Project URL: https://tomoyo.sourceforge.net/

The authors of this patch (hereafter, we) don'
in kernel programming. We are worried that thi
some mistakes such as missing hooks, improper
potential deadlocks. There would be better way
All kinds of comments, pointing the errors and

We do hope this patch reduces the labor of ser
and you enjoy the life with Linux.

This project was very inspired by the comic "C
one of the CLAMP's masterworks.

ChangeLog:

Version 1.0 2005/11/11 First release.

Fix 2005/11/18

    @ Add setattr() missing hook in SYAORAN fs

      setattr() checking for special inode was

Fix 2005/11/25

    @ Allow initrd.img include /sbin/init .

      Since version 1.0 loads policy when /sbi
      for the first time, initrd.img without t
      mustn't start /sbin/init . This forced u
      initrd.img that includes /sbin/init .
      I modified to delay loading policy if th
      doesn't exist and wait for /sbin/init be

Fix 2005/12/02

    @ Use lookup_one_len() instead of lookup_h

      Kernel 2.6.15 changed parameters for loo
      I modified to use lookup_one_len() to ke

Fix 2005/12/06

    @ Add S_ISDIR() check in SYAORAN fs.

      Malicious configuration file that attemp
      under non-directory inode caused segment

Version 1.0.1 2005/12/08 Minor update releas

Fix 2006/01/04

    @ Add CheckWritePermission() check in unix

      I modified to check write permission in
      sys_mknod(S_IFSOCK) checks write permiss

    @ Show hook version in proc_misc_init().

      The hook part of this patch depends on t
      while the rest part of this patch doesn'
      I added the hook version so that the adm
      know the last modified date of the hooks

    @ Move permission checks from filp_open()

      I moved the location of checking MAC's p
      from filp_open() to open_namei().

    @ Fix an error in filp_open(). (only 2.6.

      This error was only in the patch 2.6.15-
      was fixed in the patch for 2.6.15.

Fix 2006/01/12

    @ Add /proc/ccs/info/self_domain.

      I added /proc/ccs/info/self_domain so th
      can know the name of domain they belong

Fix 2006/01/13

    @ Merge constants for CheckTaskCapability(

      I merged *_INHERITABLE_* and *_LOCAL_* t
      calling CheckTaskCapability() with both

    @ DropTaskCapability() returns -EAGAIN on

      DropTaskCapability() must not return 0 o
      DropTaskCapability() is called from do_e

    @ Fix an error for chroot() permission che

      The chroot() restriction was not working
      CheckChRootPermission() || CheckTaskCapa
      CheckChRootPermission() | CheckTaskCapab

Fix 2006/01/17

    @ Suppress some of debug messages in TOMOY

      I added KERN_DEBUG to suppress some of d

Fix 2006/01/19

    @ Remove isRoot() checks in AddChrootACL()

      I found a program that needs to chroot b
      So, I stopped checking uid=euid=0 for th
      "accept mode" can append ACLs.
      The isRoot() is checked at AddChrootPoli

    @ Map NULL device name to "<NULL>" in AddM

      VMware mounts vmware-hgfs with NULL devi
      So I mapped NULL device name to "<NULL>"

Fix 2006/01/20

    @ Suppress some of debug messages in SAKUR

      I added KERN_DEBUG to suppress some of d

    @ Call panic() if failed to load given pro

      Call panic() if profile index was given
      but the profile doesn't exist.
      If CCS= parameter is not given, the kern
      profile 0, but it doesn't call panic() i

Fix 2006/01/24

    @ Use full_name_hash() for IsGloballyReada

      I modified to use full_name_hash() for f

    @ Add signal checking condition in CheckSi

      The documentation says "if the target do
      starts with the source domain's domainna
      but actually it isn't. I'll change the d
      changing the source code.

      Also, checking for pid = -1 was missing.

Fix 2006/02/09

    @ Use mutex_lock()/mutex_unlock instead of

      Kernel 2.6.16 changed members of "struct
      I modified to use mutex_lock()/mutex_unl
      and down()/up() for before 2.6.16.

Version 1.0.2 2006/02/14 Many bug-fixes rele

Fix 2006/02/21

    @ Divide generic-write permission into ind

      Write permission was divided into the fo

        'mkdir' for creating directory.
        'rmdir' for deleting directory.
        'create' for creating regular file.
        'unlink' for deleting non-directory.
        'mksock' for creating UNIX domain soc
        'mkfifo' for creating FIFO.
        'mkchar' for creating character devic
        'mkblock' for creating block device.
        'link' for creating hard link.
        'symlink' for creating symbolic link.
        'rename' for renaming directory or no
        'truncate' for truncating regular file.

      The permission check for opening files i
      conventional read/write/execute permissi

    @ Add /proc/ccs/info/mapping.

      I added /proc/ccs/info/mapping so that t
      can know the mapping of individual write

Fix 2006/02/27

    @ Fix handling of trailing '\*' in PathMat

      PathMatchesToPattern("/tmp/", "/tmp/\*")
      because "\*" matches "zero or more repet
      until '/' or end". But since this is a c
      directory and non-directory, this should

      This behavior causes the following secur
      In enforce mode, allowing "2 /tmp/\*" gr
      "mkdir /tmp/" and "rmdir /tmp/" which sh
      granted only when "2 /tmp/" is allowed.
      In accept mode, "mkdir /tmp/" or "rmdir
      "2 /tmp/\*" into the domain policy if "f
      is in the exception policy.

      I changed not to ignore trailing '\*' in
      if pathname ends with '/'.

Fix 2006/03/01

    @ Add missing spinlock in GetAbsolutePath(

      vfsmount_lock was missing.

Fix 2006/03/08

    @ Add support for "shared subtree" mount o

      Kernel 2.6.15 introduced "shared subtree
      But CheckMountPermission() couldn't reco
      do_change_type().

    @ Add support for more mount flags.

      atime/noatime, diratime/nodiratime, recu
      are supported.

Fix 2006/03/20

    @ Check port numbers for only AF_INET/AF_I

      CheckBindEntry() and CheckConnectEntry()
      only when the given address family is ei
      for address family such as AF_UNSPEC cou
      and connect() for PF_INET/PF_INET6 socke

Fix 2006/03/27

    @ Use /proc/self/ rather than /proc/\$/ fo

      GetAbsolutePath() now uses "self" instea
      if current process refers to information
      This exception violates the rule "TOMOYO
      contain symbolic links before the last '
      to do so. The following are the merits g

      Prevent administrators from granting red
      when a process needs to refer to only cu

      Allow administrators to make current proces
      readable using 'allow_read' directive.

Version 1.1 2006/04/01 Functionality enhan

Fix 2006/04/03

    @ Use queue instead of fixed sized array f

      WriteAuditLog() now uses queue to save s
      Administrators can give any size for aud

    @ Use kzalloc() instead of kmalloc() + mem

      kmalloc() + memset() were replaced with

Fix 2006/04/04

    @ Support "delayed enforcing" mode.

      Until now, access request was immediatel
      if policy doesn't allow that access and
      running in enforce mode.
      Sometimes, especially after updating sof
      some unexpected access requests arise fr
      Such access requests should be granted b
      they are not caused by malicious attacks
      So I introduced a mechanism to allow adm
      to decide to grant or reject such access
      This mechanism is implemented in the fol
        "Don't return immediately if permissio
        "Sleep for a while waiting administrat
        "Return successfully if administrator

Fix 2006/04/12

    @ Fix handling of prefix in GetAbsolutePat

      Some objects don't have prefix "/".
      Pipe has prefix "pipe:" and socket has p
      GetAbsolutePath() couldn't handle prefix

    @ Remove IsCorrectPath() checks for File A

      File Access Control functions accepted o
      with '/' because these functions assumed
      GetAbsolutePath() always start with '/'.
      However, I found a program that opens an
      (probably) /proc/PID/fd/ directory. (You
      "pipe:[number]" if you run "ls -l /proc/
      Now, File Access Control functions have
      that don't start with '/'. So, I stopped

Fix 2006/04/19

    @ Fix handling of NULL nameidata in vfs_op

      In 2.6 kernels, NFS daemon and sys_mq_op
      vfs_create() with NULL nameidata. In suc
      CheckSingleWritePermission() must not be

Version 1.1.1 2006/05/15 Functionality enhan

Fix 2006/05/16

    @ Support program files aggregation.

      Until now, programs that have no fixed n
      parent programs had to be run in a trust
      since it is impossible to use patterns f
      execute permission and defining domains.
      I introduced a mechanism to aggregate si
      using 'aggregator' directive.
      Some examples:

        'aggregator /tmp/logrotate.\?\?\?\?\?\
        to run all temporary programs for logr

        'aggregator /usr/bin/tac /bin/cat'
        to run /usr/bin/tac and /bin/cat as /b

Fix 2006/05/18

    @ Unlimit max count for audit log.

      I forgot to replace MAX_GRANT_LOG and MA
      so that administrators can give any size

Fix 2006/05/22

    @ Support individual domain ACL removal.

      Until now, to remove ACLs from a domain,
      once delete and recreate that domain, wh
      I introduced a mechanism to remove domai
      recreating domains.
      Administrator can delete domains or remo
      via /proc/ccs/policy/domain_policy .
      /proc/ccs/policy/delete_domain and /proc
      were removed.

Fix 2006/05/30

    @ Add missing spinlock in SAKURA_MayMount(

      vfsmount_lock was missing.

Version 1.1.2 2006/06/02 Functionality enhan

Fix 2006/06/13

    @ Merge tomoyo_connect.c and tomoyo_bind.c

      I merged these files that have only diff
      that are likely to be enabled both or ne

    @ Add CONFIG_TOMOYO_AUDIT option.

      I made auditing functions as optional be
      may have not enough disk space to store

Fix 2006/06/15

    @ Support use of symbolic links for progra

      Until now, domains for programs executed
      symbolic links were defined using derefe
      This was inconvenient for some Linux box
      can't keep hard links of busybox.
      I introduced a mechanism to allow using
      symbolic links using 'alias' directive.
      Some examples:

        'alias /sbin/busybox /bin/ls' to run /
        (which is a symbolic link to /sbin/bus
        if /bin/ls is executed.

        'alias /bin/bash /bin/sh' to run /bin/
        (which is a symbolic link to /bin/bash
        if /bin/sh is executed.

Fix 2006/06/21

    @ Use ccs_alloc() instead of kzalloc().

      To detect memory leaks,
      I added a wrapper for tracing kmalloc()
      There is no way to detect memory leaks c

Version 1.1.3 2006/07/13 Functionality enhan

Fix 2006/07/14

    @ Change behavior of pathname pattern matc

      Until now, it was impossible to use patt
      "\*" matched zero or more repetitions of
      Now, "\*" matches zero or more repetitio

      Until now, it was impossible to use patt
      because "\$" matched one or more repetit
      non digit character.
      Now, "\$" matches one or more repetition

      Also, new patterns "\x" "\X" "\a" "\A" "

Fix 2006/07/21

    @ Add CONFIG_TOMOYO_NETWORK option.

      Until now, only port numbers for TCP and
      Now, the combination of IPv4/IPv6 addres
      for TCP and UDP is controllable.
      CONFIG_TOMOYO_NETWORKPORT became obsolet

Fix 2006/07/25

    @ Change matching rule for CheckFileACL().

      Until now, only first entry that matched
      was used for permission checking. For ex

        "2 /tmp/file-\$.txt"
        "4 /tmp/fil\?-0.txt"

      are given in this order and requested pa
      the "2 /tmp/file-\$.txt" is used. But if

        "4 /tmp/fil\?-0.txt"
        "2 /tmp/file-\$.txt"

      are given in this order, the "4 /tmp/fil
      This may potentially cause trouble becau
      permission checks depend on the order o

      Now, all entries that matched the reques
      are used for permission checking so that
      permission checks don't depend on the

Fix 2006/07/27

    @ Support RAW IPv4/IPv6 control.

      Some programs such as 'ping' and 'tracer
      Now, the combination of IPv4/IPv6 addres
      for IP is controllable.

Fix 2006/08/04

    @ Add filename and argv[0] comparison chec

      The domain transition was done based on
      while the behavior was defined based on
      There is no problem if the filename is a
      But if argv[0]-aware, access control byp
      transits to trusted domain but behaves a
      For example, when the administrator spec
      trusted but both /bin/ls and /bin/cat ar
      a cracker can run /bin/cat in a trusted
      succeeds in invoking do_execve() with file
      argv[0] = "/bin/cat".

      I introduced a directive that permits th
      basename of filename and argv[0].

Fix 2006/08/10

    @ Support ID based condition checks.

      It was impossible to use process id (uid
      checking individual domain ACL.

      Now it became possible to use process id
      domain ACL. For example,

        "1 /bin/sh if task.euid!=0"

      allows the domain to execute /bin/sh onl
      is not 0, and

        "6 /home/\*/\* if task.uid=path1.uid"

      allows the domain to read-write user's h
      only when the file's owner matches the p

Fix 2006/08/22

    @ Fix ROUNDUP() in fs/realpath.c .

      Alignment using sizeof(int) may be inapp
      I changed to use the larger size of 'voi
      instead of 'int'.
      For environment where sizeof(int) = size
      this change has no effect.

Version 1.2 2006/09/03 Functionality enhan

Fix 2006/09/30

    @ Fix CheckFilePerm() in fs/tomoyo_file.c

      The location to call path_release() was

Fix 2006/10/02

    @ Support per-domain profile.

      It became possible to assign different p
      This will help administrators using buil

Fix 2006/10/05

    @ Change parameters for CheckFilePerm().

      I was re-resolving pathnames inside Chec
      the caller function already resolved the
      So I changed to pass dentry and vfsmount
      and removed changes made on 2006/09/30.

Fix 2006/10/06

    @ Support deny_rewrite and allow_rewrite p

      It became possible to make regular files
      using "deny_rewrite" directive in except
      override it using "allow_rewrite" direct

      Regular files specified using "deny_rewr
        can't be open()ed with O_TRUNC or with
        can't be truncate()ed or ftruncate()ed
        can't be turned O_APPEND flag off usin
      unless specified using "allow_rewrite" d

Fix 2006/10/12

    @ Enable configuration options by default

      CONFIG_SAKURA and CONFIG_TOMOYO are now
      and CONFIG_SYAORAN is now 'm' by default

Fix 2006/10/13

    @ Use external policy loader.

      Until now, policies were loaded when /sbi
      initial control levels are switched usin
      But since some boxes have to fixate kern
      at compilation time, I think it will bec
      by running external policy loader using
      initial control levels can be specified

      Call panic() if initial control levels a

Fix 2006/10/16

    @ Add missing parameter in FindNextDomain(

      'struct file' was needed for allowing 'i

Fix 2006/10/23

    @ Print error messages in CheckFlags().

      Some users seem to have troubles picking
      entries for the configuration file of SY
      since makesyaoranconf can't pick up entr
      nonexistent at the time.
      I added error message so that users can
      using dmesg.

Fix 2006/10/24

    @ Change /proc/ccs/info/self_domain .

      I changed /proc/ccs/info/self_domain to
      the domain of open time rather than firs
      This modification makes shell's redirect
      more convenient since redirection opens
      but doesn't read at the time.

        'cat < /proc/ccs/info/self_domain' will
        the domain of shell, and
        'cat /proc/ccs/info/self_domain' will re
        the domain of cat .

Fix 2006/11/06

    @ Replace MAX_ENFORCE_GRACE with ALLOW_ENF

      Since it was inconvenient that requests
      supervisor's decision are rejected autom
      MAX_ENFORCE_GRACE seconds has elapsed, I
      reset timeout counter whenever a supervi
      and I modified ccs-queryd to write a dummy
      so that the requests won't be rejected a
      ccs-queryd is running.
      This change made MAX_ENFORCE_GRACE's mea
      So I fixed MAX_ENFORCE_GRACE at 10 sec
      MAX_ENFORCE_GRACE parameter.
      To allow administrators selectively enab
      mode, I added ALLOW_ENFORCE_GRACE parame
      The behavior of "delayed enforcing" mode
      in the following order.

        (1) The requests are rejected immediatel
        (2) The requests are rejected immediatel
            if nobody is opening /proc/ccs/polic
        (3) The requests won't be rejected autom
            if ALLOW_ENFORCE_GRACE=1 and ccs-que
        (4) The requests will be rejected in 10
            if somebody other than ccs-queryd (s
            opening /proc/ccs/policy/query inter
            such process doesn't write dummy dec

Version 1.3 2006/11/11 First anniversary r

Fix 2006/11/13

    @ Replace trust_domain with keep_domain.

      Since it was troublesome that there are
      (assigning a profile that doesn't enable
      with trust_domain directive), I removed
      Instead, I introduced keep_domain direct
      unless a program registered with initial
      This change has the following advantages

        (1) Allows administrators to use "enforce mo
            Since it was difficult to know what
            and accessed in what sequences befor
            directive for such domain, allowing
            access any files in any sequence.
            But now, we can use keep_domain dire
            "enforce mode" for such domain, forc
            commands and access only allowed fil
            while these operations are kept unde

        (2) Allows administrators to determine easil
            under MAC or not because only the pr
            the domain determines it.

        (3) Saves total number of domains and me

Fix 2006/11/22

    @ Don't allow use of undefined profile.

      To avoid assigning undefined profile to
      I added checks before assigning profiles
      Now, profiles have to be defined prior t

Version 1.3.1 2006/12/08 Minor update releas

Fix 2006/12/10

    @ Allow pathname grouping.

      To reduce the labor of repeating '/\*' t
      I introduced a macro 'path_group' to mak
      For example, you had to give like

        4 /var/www/html/\*
        4 /var/www/html/\*/\*
        4 /var/www/html/\*/\*/\*
        4 /var/www/html/\*/\*/\*/\*

      but now, you can give just

        4 @WEB-CONTENTS

      if you give

        path_group WEB-CONTENTS /var/www/html/
        path_group WEB-CONTENTS /var/www/html/
        path_group WEB-CONTENTS /var/www/html/
        path_group WEB-CONTENTS /var/www/html/

      in the exception policy.
      This macro will be useful when grouping

Fix 2006/12/15

    @ Use structured pathnames instead for sim

      To reduce the cost of strcmp(), I change
      SaveName() from 'const char *' to 'const
      This change will speed up PathMatchesToP

Fix 2006/12/19

    @ Allow registering policy managers using

      It was difficult to restrict programs th
      via /proc/ccs/ interfaces using pathname
      these programs could be unintendedly inv
      Now, it became possible to restrict doma
      via /proc/ccs/ interfaces as well as pro
      By restricting using domainnames, it bec
      unintended invocation.

Fix 2006/12/22

    @ Add initialize_domain,no_initialize_doma

      To control domain transitions more stric
      initialize_domain,no_initialize_domain,n
      were introduced.

      "initialize_domain /some/program" means
      jump to "<kernel> /some/program" domain
      called from any domain.
      This is equivalent to conventional "init

      "initialize_domain /some/program from so
      jump to "<kernel> /some/program" domain
      called from "some_domain" domain.

      "no_initialize_domain /some/program" mea
      don't jump to "<kernel> /some/program" d
      "initialize_domain /some/program" or
      "initialize_domain /some/program from so
      if /some/program is called from any doma

      "no_initialize_domain /some/program from
      don't jump to "<kernel> /some/program" d
      "initialize_domain /some/program" or
      "initialize_domain /some/program from so
      if /some/program is called from "some_do

      "keep_domain some_domain" means don't ju
      if any programs are called from "some_do

      "keep_domain /some/program from some_dom
      don't jump to child domain only if /some
      called from "some_domain" domain.

      "no_keep_domain some_domain" means
      jump to child domain even if
      "keep_domain /some/program" or
      "keep_domain /some/program from some_dom
      if any programs are called from "some_do

      "no_keep_domain /some/program from some_
      jump to child domain even if
      "keep_domain /some/program" or
      "keep_domain /some/program from some_dom
      if /some/program is called from "some_do

      "some_domain" can be just the last compo
      For example, giving "/bin/mail" as "some
      all domains whose domainname ends with "

Fix 2007/01/19

    @ Allow reuse of memory allocated for doma

      Regarding domain policy, unlike other po
      "is_deleted" flag and new memory were al
      if the deleted entries are given again.
      But to allow administrators switch domai
      I introduced "is_deleted" flag.

      Writing "some_domain" to /proc/ccs/polic
      creates "some_domain" using new memory i

      Writing "select some_domain" doesn't cre
      if it didn't exist.

      Writing "delete some_domain" deletes "so
      but does not delete entries in "some_dom

      Writing "undelete some_domain" undeletes
      if it was deleted by "delete some_domain

Fix 2007/01/22

    @ Allow getting already deleted pathnames.

      To allow getting pathnames that are alre
      I removed (IS_ROOT(dentry) || !d_unhashe

Fix 2007/01/26

    @ Limit string length to 4000.

      I was using PAGE_SIZE (4096 in many envi
      as the max length of any string data.
      But for environments that have larger PA
      doing memset(ptr, 0, PAGE_SIZE) every ti

Fix 2007/01/29

    @ Add garbage collector for domain policy.

      Writing "some_domain" to /proc/ccs/polic
      creates "some_domain" using new memory o
      some process is staying at that deleted
      If no process is staying at that deleted
      "some_domain" is undeleted with all ACLs

Version 1.3.2 2007/02/14 Usability enhanceme

Fix 2007/02/20

    @ Allow address grouping.

      To reduce the labor of repeating similar
      I introduced a macro 'address_group' to
      For example, you had to give like

        allow_network TCP accept 10.0.0.0-10.2
        allow_network TCP accept 172.16.0.0-17
        allow_network TCP accept 192.168.0.0-1

      but now, you can give just

        allow_network TCP accept @localnet 102

      if you give

        address_group localnet 10.0.0.0-10.255
        address_group localnet 172.16.0.0-172.
        address_group localnet 192.168.0.0-192

      in the exception policy.

Fix 2007/03/03

    @ Remove obsolete functions.

    @ Add some hooks.

      Read permission check is done if open_ex
      is called from search_binary_handler().
      Read permission check is not done if ope
      is called from do_execve(), instead,
      execute permission check is done at
      search_binary_handler_with_transition().

      I moved the location of calling CheckCap
      and CheckMountPermission() from sys_moun

Fix 2007/03/07

    @ Use 'unsigned int' for sscanf().

      I compiled SYAORAN fs on x86_64 environm
      the compiler showing warning messages ab
      Since size of data types may mismatch fo
      I replaced some types with 'unsigned int

Version 1.4 2007/04/01 x86_64 support rele

Fix 2007/04/18

    @ Change argv[0] checking rule.

      I was comparing the basename of symbolic
      Since execute permission check and domai
      based on realpath while argv[0] check is
      pathname and argv[0], this specification
      as /bin/cat in the domain of /bin/ls if
      links to /sbin/busybox" and "the attacke
      a symlink named ~/cat that points to /bi
      permitted to run /bin/ls".
      So, I changed to compare the basename of
      Also, I moved the location to compare be
      "aggregator" directive so that
      "aggregator /tmp/logrotate.\?\?\?\?\?\?
      won't cause the mismatch of the basename

      If /bin/ls is a symlink to /sbin/busybox
      creating a symlink named ~/cat that poin
      executing ~/cat won't work as expected b
      domain transition are done using /sbin/b
      and will be rejected since the administr
      "1 /sbin/busybox".

Fix 2007/05/07

    @ Support pathname subtraction.

      There was no way to exclude specific pat
      permissions using wildcards.
      There would be a need to exclude specifi
      I introduced "\-" as subtraction operato

        "A\-B" means "A" other than "B".
        "A\-B\-C" means "A" other than "B" and
        "A\-B\-C\-D" means "A" other than "B"

      "A", "B", "C", "D" may contain wildcards

      An example usage is "/home/\*/\*\-.ssh/\
      "/home/\*/\*/\*" other than "/home/\*/.s

      "A" should contain wildcards because sub
      (e.g. "/usr\-usr/" or "/usr\-home/") is

      Don't try "A\-B\+C" because "\+" is not

Fix 2007/05/24

    @ Fix autobind hook.

      The location to call SAKURA_MayAutobind(
      and net/ipv6/udp.c were wrong.

Fix 2007/06/03

    @ Add a space in MakeMountOptions().

      I forgot to add a space after "atime" an

Version 1.4.1 2007/06/05 Minor update releas

Fix 2007/07/04

    @ Fix ReadAddressGroupPolicy() bug.

      ReadAddressGroupPolicy() fails if both "
      are used because I forgot to set "head->

Fix 2007/07/10

    @ Add compat_sys_stime() hook.

      Some of 64bit kernels support compat_sys
      but permission check was missing.

Version 1.4.2 2007/07/13 Bug fix release.

Fix 2007/08/06

    @ Remove mount-flags manipulation.

      Until now, the administrator was permitted to
      options regardless of mount options pass
      I removed this feature because "exact op
      "automatic option enabler/disabler".

    @ Remove /proc/ccs/info/mapping .

      I removed /proc/ccs/info/mapping because
      feature.

    @ Call external policy loader automaticall

      Until now, users had to add init=/.init
      before /sbin/init starts.


About this package:

This package contains userland programs for TOMOYO Linux version 1.8.6.
This package is released under the GPLv2.

https://tomoyo.osdn.jp/

ChangeLog:

Version 1.0 2005/11/11 First release.

Version 1.0.1 2005/12/08 Minor update release.

makesyaoranconf.exe:
    Use versionsort() for sorting entries.

poled.exe:
    Support "search" command.

poled_old.exe:
    Support "search" command.
    Fix "initializer" checking bug.

syspol.exe:
    Support editing without resetting cursor position.

Version 1.0.2 2006/02/14 Procedure review.

savepolicy:
    Support saving "system policy" and "exception policy"
    in addition to "domain policy".

The following programs were added.

editpolicy:
    "syspol.exe" "poled.exe" "poled_old.exe" were integrated
    and renamed to "editpolicy".
    This program can edit "system policy", "exception policy"
    and "domain policy".
    Command key assignments were changed.

checkpolicy:
    A policy validator taken from "poled_old.exe".
    This program was designed for detecting and fixing errors
    in "domain policy".

loadpolicy:
    A policy reloader.
    This program was designed for loading policy from the disk
    after clearing current policy in the kernel.

sortpolicy:
    A "domain policy" sorter.
    This program was designed to compress access logs
    generated by "ccs-auditd".
    You can use the normal "sort" command for sorting
    "system policy" and "exception policy".

make_exception.sh:
    A script to create "exception policy".

The following programs were renamed.

    "remount.exe" was renamed to "remount_rootfs".
    "makesyaoranconf.exe" was renamed to "makesyaoranconf".

The following programs were removed.

    "poled.exe" "poled_old.exe" "syspol.exe"
    "obsolete_chksymlink" "obsolete_chroot_su"
    "obsolete_lsdir" "obsolete_makelink" "obsolete_movlog"
    "bindtest" "logtest" "pathnametest" "rofstest"
    "linuxrc_old"

The following programs for testing TOMOYO Linux's kernel were added.
They are in the kernel_test directory.

    "sakura_bind_test" "sakura_capability_test"
    "sakura_filesystem_test" "sakura_trace_test"
    "tomoyo_capability_test" "tomoyo_file_test" "tomoyo_info_test"
    "tomoyo_name_test" "tomoyo_port_test" "tomoyo_signal_test"

Version 1.1 2006/04/01 Functionality enhancement release.

loadpolicy:
    Delete domain for loadpolicy anyway.

findtemp:
    Now supports detecting all nonexistent pathnames.

savepolicy:
    Run twice inside savepolicy itself to include necessary ACLs
    for savepolicy itself.

The following program for testing TOMOYO Linux's kernel was added.

    "testall.sh"

Version 1.1.1 2006/05/15 Functionality enhancement release.

The following programs were added.

ld-watch:
    Monitors /etc/ld.so.cache and updates exception policy.
    This program is used only when updating packages.

ccs-queryd:
    Monitors /proc/ccs/policy/query for policy violations and
    asks the administrator whether to grant or reject the request.
    This program is used while and after updating packages.

Version 1.1.2 2006/06/02 Functionality enhancement release.

The following programs were redesigned.

editpolicy:
    Simplified domain policy handling and removed "save" key.
    All modifications take effect immediately.

loadpolicy:
    Simplified domain policy handling.

sortpolicy:
    Simplified domain policy handling.

savepolicy:
    Save all policies by default.

The following program was removed.

    editpolicy_offline

Version 1.1.3 2006/07/13 Functionality enhancement release.

The following bugs were fixed.

editpolicy:
    The "Commands =" line was too wide to show within 80x25 screen.

checkpolicy:
    Renamed domain for "initializer" was wrong.

Version 1.2 2006/09/03 Functionality enhancement release.

findtemp:
    Now displays all nonexistent pathnames.

editpolicy_offline:
    Redesigned to use the same operating manner.
    Saves changes automatically when exiting.

Version 1.3 2006/11/11 First anniversary release.

The following program was redesigned.

checkpolicy:
    A policy validator.
    Reads policy from stdin and prints syntax errors with line numbers.

The following programs were added.

setprofile:
    Assigns profiles to domains.

pathmatch:
    Reads pathname patterns and expands them.

domainmatch:
    fgrep for /proc/ccs/policy/domain_policy.

ccstree:
    pstree with profile numbers and domain names.

patternize:
    Reads domain policy and patternizes pathnames.

proxy:
    A tiny TCP port forwarder, binding to a local port explicitly
    to allow servers to filter based on the client's port number.

mailauth:
    An example program for CERBERUS.

timeauth:
    An example program for CERBERUS, similar to honey.

The following programs were removed.
If you need them, please take them from version 1.2.

    "remount_rootfs" "linuxrc"
    "dumplink" "dumpsymlink" "makelink" "makesymlink"

The following program for testing TOMOYO Linux's kernel was added.

    "tomoyo_rewrite_test"

Version 1.3.1 2006/12/08 Minor update release.

The following bug was fixed.

editpolicy:
    PageUp/PageDown keys and screen drawings were not working well
    on some environments due to forcefully setting "TERM=linux".

The following program for testing TOMOYO Linux's kernel was updated.

    "newns"

Version 1.3.2 2007/02/14 Usability enhancement release.

Many tools were merged into a single source file.
Policy editor was redesigned.

Version 1.4 2007/04/01 x86_64 support release.

The following bug was fixed.

editpolicy:
    Domain flags were wrong if "keep_domain <kernel>" is given.

Version 1.4.1 2007/06/05 Minor update release.

The single source file was divided into many source files.

The following bug was fixed.

checkpolicy:
    "keep_domain" syntax was not checked correctly.

Version 1.4.2 2007/07/13 Bug fix release.

.init:
    Prompt message has changed.
<< 962 I inserted call_usermodehelper() to call << 963 execve("/sbin/init") is requested and ex << 964 << 965 This change will remove init=/.init para << 966 although call_usermodehelper() can't han << 967 << 968 @ Move external policy loader from /.init << 969 << 970 Installing programs in / directory is no << 971 << 972 Fix 2007/08/13 << 973 << 974 @ Update external policy loader. << 975 << 976 It turned out that /sbin/ccs-init invoke << 977 can handle interactive operations by ope << 978 Now, there is no difference between init << 979 call_usermodehelper("/sbin/ccs-init"), a << 980 add init=/sbin/ccs-init parameter to loa << 981 starts. << 982 << 983 Fix 2007/08/14 << 984 << 985 @ Update recvmsg() hooks. << 986 << 987 Until now, it was impossible to apply ne << 988 incoming UDP and RAW packets if they are << 989 read() or recvmsg() with NULL address be << 990 I moved hooks from sock_recvmsg() to skb << 991 network access control for incoming UDP << 992 << 993 Fix 2007/08/16 << 994 << 995 @ Return appropriate error code for CheckM << 996 << 997 I was returning -EPERM if something is w << 998 But SELinux determines whether selinuxfs << 999 based on whether error code is -ENODEV o << 1000 So I stopped returning -EPERM unconditi << 1001 << 1002 Fix 2007/08/17 << 1003 << 1004 @ Remove initializer directive. << 1005 << 1006 Use "initialize_domain" instead of "ini << 1007 << 1008 Fix 2007/08/21 << 1009 << 1010 @ Fix "allow_argv0 ... if if ..." bug. << 1011 << 1012 It was impossible to use a word "if" to << 1013 allow_argv0 if condition part is used. << 1014 << 1015 Fix 2007/08/24 << 1016 << 1017 @ Move /proc/ccs/\*/\* to /proc/ccs/\* . 
<< 1018 << 1019 Some pathnames for /proc/ccs/ interface << 1020 << 1021 Fix 2007/09/05 << 1022 << 1023 @ Drop MSG_PEEK'ed message before skb_fre << 1024 << 1025 I need to remove head message from unwa << 1026 from socket's receive queue so that the << 1027 next message from wanted source with MS << 1028 233 1029 Version 1.5.0 2007/09/20 Usability enhancem 234 Version 1.5.0 2007/09/20 Usability enhancement release. 1030 235 1031 Fix 2007/09/27 !! 236 The following bug was fixed. 1032 << 1033 @ Avoid eating memory after quota exceede << 1034 << 1035 Although ACL entries in a domain won't << 1036 has exceeded, SaveName() in AddFileACL( << 1037 This caused unneeded memory consumption << 1038 << 1039 Now, quota checking is done before gett << 1040 This may exceed quota by one or two ent << 1041 << 1042 Fix 2007/10/16 << 1043 << 1044 @ Add environment variable check. << 1045 << 1046 There are environment variables that ma << 1047 like LD_\* . << 1048 So I introduced 'allow_env' directive t << 1049 environment variable inherited to next << 1050 Unlike other permissions, this check is << 1051 using next domain's ACL information. << 1052 << 1053 To manage commonly inherited environmen << 1054 you can use 'allow_env' directive in ex << 1055 to globally grant specified environment << 1056 << 1057 Fix 2007/11/05 << 1058 << 1059 @ Replace semaphore with mutex. << 1060 << 1061 I replaced semaphore with mutex. << 1062 << 1063 @ Add missing down() in AddReservedEntry( << 1064 << 1065 Mutex debugging capability told me that << 1066 since TOMOYO version 1.3.2 . << 1067 This function is not called by learning << 1068 so the semaphore's counter will not ove << 1069 << 1070 Fix 2005/11/27 << 1071 << 1072 @ Fix ReadTable() truncation bug. << 1073 << 1074 "snprintf(str, size, format, ...) 
>= si << 1075 But I was checking for "snprintf(str, s << 1076 As a result, some entries might be dump << 1077 << 1078 @ Purge direct "->prev"/"->next" manipula << 1079 << 1080 All list manipulations use "struct list << 1081 "struct list1_head" doesn't have "->pre << 1082 << 1083 Fix 2007/11/29 << 1084 << 1085 @ Add missing semaphore in GetEXE(). << 1086 << 1087 mm->mmap_sem was missing. << 1088 << 1089 Fix 2007/12/17 << 1090 << 1091 @ Remove unused EXPORT_SYMBOL(). << 1092 << 1093 Mark some functions static. << 1094 << 1095 Fix 2007/12/18 << 1096 << 1097 @ Fix AddMountACL() rejection bug. << 1098 << 1099 To my surprise, "mount --bind source de << 1100 not only "both source and dest are dire << 1101 but also "both source and dest are non- << 1102 I was rejecting if dest is not a direct << 1103 << 1104 @ Change log format. << 1105 << 1106 Profile number and mode is added in aud << 1107 << 1108 Fix 2008/01/03 << 1109 << 1110 @ Change directive for file's read/write/ << 1111 << 1112 Directives for file's read/write/execut << 1113 4/2/1 respectively. But for easier unde << 1114 replaced by read/write/execute (e.g. "a << 1115 But for easier inputting, 4/2/1 are sti << 1116 allow_read/allow_write/allow_execute re << 1117 << 1118 @ Change internal data structure. << 1119 << 1120 Since I don't have more than 16 types o << 1121 I combined them using bit-fields. << 1122 << 1123 Each entry had a field for conditional << 1124 But since this field is unlikely used, << 1125 common part. << 1126 << 1127 These changes will reduce memory used b << 1128 << 1129 Fix 2008/01/15 << 1130 << 1131 @ Add ptrace() hook. << 1132 << 1133 To prevent attackers from controlling i << 1134 ptrace(), I added a hook for ptrace(). << 1135 Most programs (except strace(1) and gdb << 1136 << 1137 @ Fix sleep condition check in CheckSocke << 1138 << 1139 It seems that correct method to use is << 1140 rather than in_interrupt() because in_a << 1141 whenever scheduling is not allowed. 
<< 1142 << 1143 Fix 2008/02/05 << 1144 << 1145 @ Use find_task_by_vpid() instead of find << 1146 << 1147 Kernel 2.6.24 introduced PID namespace. << 1148 To search PID given from userland, the << 1149 find_task_by_vpid() instead of find_tas << 1150 << 1151 Fix 2008/02/14 << 1152 << 1153 @ Add execve() parameter checking. << 1154 << 1155 Until now, it was impossible to check a << 1156 passed to execve(). << 1157 I expanded conditional permission synta << 1158 { argc, envc, argv[] , envp[] } paramet << 1159 This will allow administrator permit ex << 1160 /bin/sh is invoked in the form of "/bin << 1161 HOME is set by specifying << 1162 << 1163 allow_execute /bin/sh if exec.argv[1] << 1164 << 1165 in the policy. << 1166 This extension will make exploit codes << 1167 they unlikely set up environment variab << 1168 option when invoking /bin/sh , whereas << 1169 environment variables and likely specif << 1170 << 1171 Fix 2008/02/18 << 1172 << 1173 @ Add process state checking. << 1174 << 1175 Until now, it was impossible to change << 1176 I added three variables for performing << 1177 You can set current process's state lik << 1178 << 1179 allow_network TCP accept @TRUSTED_HOS << 1180 allow_network TCP accept @UNTRUSTED_H << 1181 237 1182 and you can use the state like !! 238 editpolicy: >> 239 Memory for "path_group" was not freed correctly. 1183 240 1184 allow_read /path/to/important/file if !! 241 The following program for testing TOMOYO Linux's kernel was updated. 1185 242 1186 in the policy. !! 243 "tomoyo_network_test" 1187 The state changes when the request was << 1188 so please be careful with situations wh << 1189 successfully but the request was not pr << 1190 (e.g. out of memory). << 1191 244 1192 Fix 2008/02/26 !! 245 The following features are added. 1193 246 1194 @ Support /proc/ccs/ access by non-root u !! 247 editpolicy: >> 248 Printing with colors is supported. >> 249 Contributed by Yoshihiro Kusuno <yocto _at_ users.osdn.me>. 
1195 250 1196 Until now, only root user can access /p !! 251 loadpolicy: 1197 But to permit /proc/ccs/ access by non- !! 252 Reading policy from stdin is supported. 1198 ssh login by root user when administrat << 1199 I made "(current->uid == 0 && current-> << 1200 If this requirement is disabled, only " << 1201 checks" and "/proc/ccs/manager checks" << 1202 253 1203 Fix 2008/02/29 !! 254 The /.init is renamed to /sbin/ccs-init . 1204 255 1205 @ Add sleep_on_violation feature. !! 256 Version 1.5.1 2007/10/19 Minor update release. 1206 257 1207 Some exploit codes (e.g. trans2open for !! 258 The following programs were updated. 1208 until it achieves the purpose of the ex << 1209 259 1210 If such code is injected due to buffer !! 260 ccs-init: 1211 rejects the request, it triggers infini !! 261 Removed /bin/bash dependency. 1212 As a result, the CPU usage becomes 100% !! 262 Don't show prompt for selecting a profile 1213 the rest of processes. !! 263 unless something went wrong or explicitly asked. 1214 This is a side effect of rejecting the << 1215 which wouldn't happen if the request fr << 1216 264 1217 To avoid such CPU consumption, I added !! 265 init_policy.sh: 1218 sleeps for specified period when a requ !! 266 Removed /bin/bash dependency. >> 267 Some "file_pattern"s are added. >> 268 Error check is added upon startup. 1219 269 1220 This penalty doesn't work if the exploi !! 270 loadpolicy: 1221 continue running, but I think most expl !! 271 Don't try to open /proc/self/fd/0 when reading from standard input. 1222 to start some program rather than to sl << 1223 272 1224 @ Add alt_exec feature. !! 273 setlevel: >> 274 Don't show profiles that are not asked to modify. 1225 275 1226 Since TOMOYO Linux's approach is "know !! 276 domainmatch: 1227 and create policy that permits only the !! 277 Removed /bin/bash dependency. 1228 requests as attacks (if you want to do !! 278 Insert a blank line before printing domainname. 
1229 279 1230 Common MAC implementations merely rejec !! 280 mailauth: 1231 But I added a special handler for execv !! 281 Removed openssl-devel dependency. >> 282 Use decimal numbers instead of random ASCII character. 1232 283 1233 This handler is triggered when a proces !! 284 Version 1.5.2 2007/12/05 Minor update release. 1234 but the request was rejected by the pol << 1235 This handler executes a program specifi << 1236 instead of a program requested by the p << 1237 285 1238 Most attackers attempt to execute /bin/ !! 286 The following program was updated. 1239 Attackers execute an exploit code using << 1240 to steal control of a process. But this << 1241 if an exploit code requests execve() th << 1242 287 1243 By default, this handler does nothing ( !! 288 editpolicy: 1244 request). You can specify any program t !! 289 Use different color for domainname's line and selected line. 1245 290 1246 You can redirect attackers to somewhere !! 291 editpolicy_offline: 1247 This makes it possible to act your Linu !! 292 Allow invoking as ccs-editpolicy_offline . 1248 while keeping regular services for your << 1249 293 1250 You can collect information of the atta !! 294 Version 1.5.3 2008/01/31 Minor update release. 1251 update firewall configuration. << 1252 295 1253 You can silently terminate a process wh !! 296 The following program was updated. 1254 that is not permitted by policy. << 1255 297 1256 Fix 2008/03/03 !! 298 editpolicy: >> 299 Allow keyword aliasing. 1257 300 1258 @ Add "force_alt_exec" directive. !! 301 loadpolicy: >> 302 Allow deleting domain definition. >> 303 Fix some bugs. 1259 304 1260 To be able to fully utilize "alt_exec" !! 305 savepolicy: 1261 I added "force_alt_exec" directive so t !! 306 Allow printing to stdout. 1262 all execute requests are replaced by th !! 307 Allow saving profile and manager. 1263 specified by alt_exec feature. << 1264 308 1265 If this directive is specified for a do !! 
309 checkpolicy: 1266 executes any programs regardless of the !! 310 Fix some bugs. 1267 (i.e. the domain won't execute even if << 1268 Instead, the domain executes the progra << 1269 and the program specified by alt_exec f << 1270 request and executes it if it is approp << 1271 311 1272 If you can tolerate that there is no ch !! 312 The following program was added. 1273 to the caller to tell the execute reque << 1274 this is more flexible approach than in- << 1275 checking because we can do argv[] and e << 1276 313 1277 Fix 2008/03/04 !! 314 ccs-notifyd: 1278 !! 315 Notify the occurrence of first policy violation in enforcing mode. 1279 @ Use string for access control mode. << 1280 << 1281 An integer expression for access contro << 1282 administrators because profile number i << 1283 To avoid confusion between profile numb << 1284 I introduced a string expression for ac << 1285 << 1286 Modes which take an integer between 0 << 1287 << 1288 0 -> disabled << 1289 1 -> learning << 1290 2 -> permissive << 1291 3 -> enforcing << 1292 << 1293 Modes which take 0 or 1. << 1294 << 1295 0 -> disabled << 1296 1 -> enabled << 1297 << 1298 Fix 2008/03/10 << 1299 << 1300 @ Rename "force_alt_exec" directive to "e << 1301 << 1302 To be able to use different programs fo << 1303 I moved the location to specify the pro << 1304 to domain policy. << 1305 << 1306 The "execute_handler" directive takes o << 1307 invoked whenever execve() request is is << 1308 directives in a domain with "execute_ha << 1309 This directive is designed for validati << 1310 requests in userspace, although there i << 1311 that the execve() request was rejected. 
<< 1312 << 1313 @ Rename "alt_exec" directive to "denied_ << 1314 << 1315 The "denied_execute_handler" directive << 1316 invoked only when execve() request was << 1317 this program is invoked only when the f << 1318 << 1319 (1) None of "allow_execute" directive << 1320 (2) The execve() request was rejected << 1321 (3) "execute_handler" directive is no << 1322 << 1323 This directive is designed for handling << 1324 requests, to redirect the process issui << 1325 << 1326 Fix 2008/03/18 << 1327 << 1328 @ Fix wrong/redundant locks in pre-vfs fu << 1329 << 1330 lock_kernel()/unlock_kernel() in pre_vf << 1331 2.6 kernels. << 1332 << 1333 Locking order in pre_vfs_link() and pre << 1334 after 2.4.33 were different from before << 1335 << 1336 Fix 2008/03/28 << 1337 << 1338 @ Disable execute handler loop. << 1339 << 1340 To be able to use "execute_handler" in << 1341 ignore "execute_handler" and "denied_ex << 1342 if the current process is executing pro << 1343 "execute_handler" or "denied_execute_ha << 1344 << 1345 This exception is needed to avoid infin << 1346 If a domain has both "keep_domain" and << 1347 any execute request by that domain is h << 1348 and the execute handler attempts to pro << 1349 But the original execute request is han << 1350 unless the execute handler ignores "exe << 1351 << 1352 @ Update coding style. << 1353 << 1354 I rewrote the code to pass scripts/chec << 1355 Function names were changed to use only << 1356 316 1357 Version 1.6.0 2008/04/01 Feature enhancemen 317 Version 1.6.0 2008/04/01 Feature enhancement release. 1358 318 1359 Fix 2008/04/14 !! 319 The following program was updated. 1360 << 1361 @ Fix "Compilation failures" and "Initial << 1362 with kernels before 2.4.30/2.6.11 . << 1363 << 1364 2.6 kernels before 2.6.9 didn't have in << 1365 resulting compilation error at #include << 1366 I added #elif condition. 
<< 1367 << 1368 CentOS 4.6's 2.6.9 kernel calls do_exec << 1369 ccs_alloc(), resulting NULL pointer der << 1370 I changed __initcall to core_initcall. << 1371 << 1372 CentOS 4.6's 2.6.9 kernel backported kz << 1373 resulting compilation error at kzalloc( << 1374 I modified prototype of kzalloc(). << 1375 << 1376 Fix 2008/04/20 << 1377 << 1378 @ Fix "Compilation failures" with kernels << 1379 << 1380 Turbolinux 10 Server's 2.6.8 kernel bac << 1381 function, resulting compilation error a << 1382 I converted kzalloc() from an inlined f << 1383 << 1384 Fix 2008/04/21 << 1385 << 1386 @ Add workaround for gcc 3.2.2's inline b << 1387 << 1388 RedHat Linux 9's gcc 3.2.2 generated a << 1389 if ((var_of_u8 & 0x000000BF) & 0x800 << 1390 where the expected code is << 1391 if ((var_of_u8 & 0xBF) & 0x80) { } << 1392 when embedding ccs_acl_type2() into pri << 1393 resulting runtime BUG(). << 1394 I added the expected code explicitly as << 1395 << 1396 Fix 2008/05/06 << 1397 << 1398 @ Add memory quota. << 1399 << 1400 1.5.x returns -ENOMEM when FindNextDoma << 1401 domain, but I forgot to return -ENOMEM << 1402 create a new domain. << 1403 << 1404 A domain is automatically created by fi << 1405 the domain for the requested program do << 1406 This behavior is for the administrator' << 1407 The administrator needn't to know how m << 1408 the whole programs in the system before << 1409 But the administrator does not want the << 1410 requested program when developing the p << 1411 << 1412 So, I think it is better to grant execu << 1413 find_next_domain() failed to create a n << 1414 Thus, I decided not to return -ENOMEM w << 1415 create a new domain. This exception bre << 1416 so I print "transition_failed" warning << 1417 when this exception happened. 
<< 1418 << 1419 Also, to prevent the system from being << 1420 all kernel memory for the policy, I add << 1421 This quota is configurable via /proc/cc << 1422 << 1423 echo Shared: 1048576 > /proc/ccs/mem << 1424 echo Private: 1048576 > /proc/ccs/mem << 1425 << 1426 Version 1.6.1 2008/05/10 Bug fix release. << 1427 << 1428 Fix 2008/06/04 << 1429 << 1430 @ Check open mode of /proc/ccs/ interface << 1431 << 1432 It turned out that I can avoid allocati << 1433 FMODE_READ is not set and memory for wr << 1434 << 1435 @ Wait for completion of /sbin/ccs-init . << 1436 << 1437 Since 2.4 kernel's call_usermodehelper( << 1438 the executed program, I was using the c << 1439 /proc/ccs/meminfo to indicate that load << 1440 But since /proc/ccs/meminfo could be ac << 1441 by /etc/ccs/ccs-post-init , I stopped u << 1442 The policy loader no longer need to acc << 1443 the kernel that loading policy has fini << 1444 << 1445 Fix 2008/06/05 << 1446 << 1447 @ Fix realpath for pipes and sockets. << 1448 << 1449 Kernel 2.6.22 and later use different m << 1450 Since fs/realpath.c didn't notice the c << 1451 appeared as "pipe:" rather than "pipe:[ << 1452 /proc/PID/fd/ directory. << 1453 << 1454 @ Add process's information into /proc/cc << 1455 << 1456 While /proc/ccs/grant_log and /proc/ccs << 1457 information, /proc/ccs/query doesn't co << 1458 To be able to utilize ccs-queryd and cc << 1459 /proc/ccs/query . << 1460 << 1461 Fix 2008/06/10 << 1462 320 1463 @ Allow using patterns for globally reada !! 321 editpolicy: >> 322 Allow keyword aliasing via configuration file. >> 323 Allow line coloring via configuration file. 1464 324 1465 To allow users specify locale specific !! 325 Version 1.6.1 2008/05/10 Minor update release. 1466 I relaxed checking in update_globally_r << 1467 326 1468 Fix 2008/06/11 !! 327 The following program was updated. 1469 328 1470 @ Remove ALLOW_ENFORCE_GRACE parameter. !! 329 init_policy.sh: 1471 !! 330 Check /usr/lib for symbolic link. 
1472 Since unexpected requests caused by doi << 1473 in all profiles, users likely have to w << 1474 to all profiles. And it makes meaningle << 1475 enable specific profile's ALLOW_ENFORCE << 1476 So, I removed ALLOW_ENFORCE_GRACE param << 1477 Now, the system behaves as if ALLOW_ENF << 1478 The behavior of "delayed enforcing" mod << 1479 order. << 1480 << 1481 (1) The requests are rejected immediate << 1482 /proc/ccs/query interface. << 1483 (2) The requests will be rejected in 10 << 1484 ccs-queryd (such as less(1)) is ope << 1485 for such process doesn't write dumm << 1486 << 1487 Fix 2008/06/22 << 1488 << 1489 @ Pass escaped pathname to audit_execute_ << 1490 << 1491 I was passing unescaped pathname to aud << 1492 which causes /proc/ccs/grant_log contai << 1493 if execute handler's pathname contains << 1494 << 1495 Fix 2008/06/25 << 1496 << 1497 @ Return 0 when ccs_may_umount() succeeds << 1498 << 1499 I forgot to clear error value in ccs_ma << 1500 directory didn't match "deny_unmount" d << 1501 request with RESTRICT_UNMOUNT=enforcing << 1502 331 1503 Version 1.6.2 2008/06/25 Usability enhancem 332 Version 1.6.2 2008/06/25 Usability enhancement release. 1504 333 1505 Fix 2008/07/01 !! 334 The following programs were updated. 1506 << 1507 @ Fix "Compilation failure" with 2.4.20 k << 1508 << 1509 RedHat Linux 9's 2.4.20 kernel backport << 1510 resulting compilation error at ccs_load << 1511 I added defined(TASK_DEAD) check. << 1512 << 1513 Fix 2008/07/08 << 1514 << 1515 @ Don't check permissions if vfsmount is << 1516 << 1517 Some filesystems (e.g. unionfs) pass NU << 1518 I changed fs/tomoyo_file.c not to try t << 1519 if vfsmount is NULL. << 1520 << 1521 Version 1.6.3 2008/07/15 Bug fix release. << 1522 << 1523 Fix 2008/08/21 << 1524 << 1525 @ Add workaround for gcc 4.3's bug. << 1526 << 1527 In some environments, fs/tomoyo_network << 1528 because of gcc 4.3's bug. << 1529 I modified save_ipv6_address() to use " << 1530 instead for "static const u8" variable. 
<< 1531 << 1532 @ Change prototypes of some functions. << 1533 << 1534 To support 2.6.27 kernels, I replaced " << 1535 "struct path" for some functions. << 1536 << 1537 @ Detect distributor specific patches aut << 1538 << 1539 Since kernels with AppArmor patch appli << 1540 I introduced a mechanism which determin << 1541 are applied or not, based on "#define" << 1542 << 1543 Fix 2008/08/29 << 1544 << 1545 @ Remove "-ccs" suffix from Makefile's EX << 1546 << 1547 To reduce conflicts on Makefile's EXTRA << 1548 I removed "-ccs" suffix from ccs-patch- << 1549 Those who build kernels without using s << 1550 please edit EXTRAVERSION tag manually s << 1551 will not be overwritten by TOMOYO Linux << 1552 << 1553 Version 1.6.4 2008/09/03 Minor update relea << 1554 << 1555 Fix 2008/09/09 << 1556 << 1557 @ Add "try again" response to "delayed en << 1558 << 1559 To be able to handle pathname changes c << 1560 "delayed enforcing" mode was introduced << 1561 grant access requests which are about t << 1562 << 1563 To be able to handle pathname changes c << 1564 I introduced "try again" response. As " << 1565 a process which violated policy, admini << 1566 the process is sleeping. This "try agai << 1567 to restart policy checks from the begin << 1568 << 1569 Fix 2008/09/11 << 1570 << 1571 @ Remember whether the process is allowed << 1572 << 1573 Since programs for manipulating policy << 1574 in the form of RPM/DEB packages, these << 1575 pathnames when they are updated by the << 1576 manager renames these programs before d << 1577 the package manager can rollback the op << 1578 This causes a problem when the programs << 1579 using pathnames, as the programs will n << 1580 /proc/ccs/ interface while the process << 1581 alive. 
<< 1582 << 1583 To solve this problem, I modified to re << 1584 is once allowed to write to /proc/ccs/ << 1585 attempts to execute a different program << 1586 This change makes it impossible to revo << 1587 /proc/ccs/ interface without killing th << 1588 than nonfunctioning ccs-queryd program. << 1589 << 1590 Fix 2008/09/19 << 1591 << 1592 @ Allow selecting a domain by PID. << 1593 << 1594 Sometimes we want to know what ACLs are << 1595 finding a domainname for that PID from << 1596 reading ACLs from /proc/ccs/domain_poli << 1597 Thus, I modified /proc/ccs/domain_polic << 1598 PID. For example, to read domain ACL of << 1599 run as follows. << 1600 << 1601 # exec 100<>/proc/ccs/domain_policy << 1602 # echo select pid=$$ >&100 << 1603 # while read -u 100; do echo $REPLY; do << 1604 << 1605 If a domain is once selected by PID, re << 1606 print only that domain if that PID exis << 1607 << 1608 @ Disallow concurrent /proc/ccs/ access u << 1609 << 1610 Until now, one process can read() from << 1611 that shares the file descriptor can wri << 1612 But to implement "Allow selecting a dom << 1613 concurrent read()/write() because the f << 1614 while writing. << 1615 << 1616 Fix 2008/10/01 << 1617 << 1618 @ Add retry counter into /proc/ccs/query << 1619 << 1620 To be able to handle some of queries fr << 1621 interaction, I added retry counter for << 1622 "try again" response. << 1623 << 1624 Fix 2008/10/07 << 1625 << 1626 @ Don't transit to new domain until do_ex << 1627 << 1628 Until now, a process's domain was updat << 1629 will belong to before do_execve() succe << 1630 permission checks for interpreters and << 1631 new domain. But this caused a subtle pr << 1632 signals to the process, for the process << 1633 do_execve() failed. << 1634 << 1635 So, I modified to pass new domain to fu << 1636 modifying a process's domain before do_ << 1637 << 1638 @ Use old task state for audit logs. 
<< 1639 << 1640 Until now, audit logs were generated us << 1641 processing "; set task.state" part. But << 1642 I modified to save the task state befor << 1643 part and use the saved state for audit << 1644 << 1645 @ Use a structure for passing parameters. << 1646 << 1647 As the number of parameters is increasi << 1648 for passing parameters. << 1649 << 1650 Fix 2008/10/11 << 1651 335 1652 @ Remove domain_acl_lock mutex. !! 336 ccs-init: >> 337 Don't wait for user's input if /etc/ccs/ doesn't exist. 1653 338 1654 I noticed that I don't need to keep all !! 339 init_policy.sh: 1655 a domain mutually exclusive. Since each !! 340 Add some files under /usr/share/ to globally readable files. 1656 of ACL, locking is needed only when the !! 341 Don't make patterns for /sys/ . 1657 So, I modified to use local locks. !! 342 Fix some bugs. 1658 343 1659 Fix 2008/10/14 !! 344 ccs-queryd: >> 345 Show more information regarding pending requests. >> 346 Merge functionality of ld-watch . 1660 347 1661 @ Fix ccs_check_condition() bug. !! 348 ccs-notifyd: >> 349 Show more information regarding pending requests. 1662 350 1663 Due to a bug in ccs_check_condition(), !! 351 The following program was added. 1664 task.state[0] task.state[1] task.state[ << 1665 if the ACL does not treat a pathname. F << 1666 352 1667 allow_network TCP connect @HTTP_SERVE !! 353 convert-exec-param: >> 354 Generate "allow_execute" entry which considers argv[] values >> 355 from access logs. 1668 356 1669 didn't work. !! 357 Version 1.6.3 2008/07/15 Bug fix release. 1670 << 1671 Fix 2008/10/15 << 1672 << 1673 @ Show process information in /proc/ccs/. << 1674 << 1675 To be able to determine a process's typ << 1676 which returns process information of th << 1677 "PID manager=\* execute_handler=\* stat << 1678 format. 
Fix 2008/10/20

    @ Use rcu_dereference() when walking the

      I was using "dependency ordering" for a
      without asking the reader to take a loc
      is not respected by DEC Alpha or by som
      compiler optimizations.

      On such environment, use of "dependency
      crash because the reader might read uni
      appended element.

      To prevent the reader from reading unin
      element, I inserted rcu_dereference() w

Fix 2008/11/04

    @ Use sys_getpid() instead for current->p

      Kernel 2.6.24 introduced PID namespace.

      To compare PID given from userland, I c
      So, I modified to use sys_getpid() inst

      I modified to use task_tgid_nr_ns() for
      current->tgid when checking /proc/self/

Fix 2008/11/07

    @ Fix is_alphabet_char().

      is_alphabet_char() should match 'A' - '
      but was matching from 'A' - 'F' and 'a'

    @ Add /proc/ccs/.execute_handler .

      Process information became visible to u
      "Show process information in /proc/ccs/
      However, programs specified by execute_
      non root user, making it impossible to

      So, I added a new interface that allows
      to see process information. The content
      identical to /proc/ccs/.process_status

Version 1.6.5 2008/11/11 Third anniversary release.

Fix 2008/12/01

    @ Introduce "task.type=execute_handler" c

      The execute_handler directive is very v
      directive to do anything you want to do
      modifying command line parameters and e
      closing and redirecting files, creating
      spam filtering, deploying a DMZ between
      shells).

      To be able to use this directive in a d
      while limiting access to resources need
      programs invoked as an execute handler

      In learning mode, "if task.type=execute
      automatically added for requests issued

    @ Introduce file's type and permissions a

      To be able to limit file types a proces
      new conditions for checking file's type
      For example,

        allow_read /etc/fstab if path1.type=f

      will allow opening /etc/fstab for readi
      file and its permission is 0644, and

        allow_write /dev/null if path1.type=c

      will allow opening /dev/null for writin
      device file with major=1 and minor=3 at

    @ Add memory quota for temporary memory u

      Although there are MAX_GRANT_LOG and MA
      which limit the number of entries for a
      memory consumption by audit logs, it wo
      also limit the size in bytes.
      Thus, I added a new quota line.

        echo Dynamic: 1048576 > /proc/ccs/mem

      This quota is not applied to temporary

Fix 2008/12/09

    @ Fix ccs_can_save_audit_log() checks.

      Due to incorrect statement "if (ccs_can
      while ccs_can_save_audit_log() is boole
      MAX_REJECT_LOG were not working.

      This bug will trigger OOM killer if /us

Fix 2008/12/24

    @ Add "ccs_" prefix.

      To be able to tell whether a symbol is
      I added "ccs_" prefix as much as possib

    @ Fix ccs_check_flags() error message.

      I meant to print SYAORAN-ERROR: message
      but I was printing it when error == 0 s

Fix 2009/01/05

    @ Use kmap_atomic()/kunmap_atomic() for r

      As remove_arg_zero() uses kmap_atomic(K
      kmap_atomic(KM_USER0) rather than kmap(

Fix 2009/01/28

    @ Fix "allow_read" + "allow_write" != "al

      Since 1.6.0 , due to a bug in ccs_updat
      appending "allow_read/write" entry didn
      and "allow_write" entries. As a result,
      but open(O_RDONLY) and open(O_WRONLY) f

      Workaround is to write an entry twice w
      If written twice, internal "allow_read"
      are updated.

Fix 2009/02/26

    @ Fix profile read error.

      Incorrect profiles were shown in /proc/
      if either CONFIG_SAKURA or CONFIG_TOMOY

Fix 2009/03/02

    @ Undelete CONFIG_TOMOYO_AUDIT option.

      While HDD-less systems can use profiles
      MAX_REJECT_LOG=0 , I undeleted CONFIG_T
      memory used for /proc/ccs/grant_log and

Fix 2009/03/13

    @ Show only profile entry names ever spec

      Even if an administrator specifies only
      entries for /proc/ccs/profile , all ava
      This was designed to help administrator
      available, but sometimes makes administ
      entries showing default values.

      Thus, I modified to show only profile e

Fix 2009/03/18

    @ Add MAC_FOR_IOCTL functionality.

      To be able to restrict ioctl() requests
      functionality.

      This functionality requires modificatio

    @ Use better name for socket's pathname.

      Until now, socket's pathname was repres
      where \$ is inode's number. But inode's
      access control. Therefore, I modified t
      "socket:[family=\$:type=\$:protocol=\$]

      This will help administrator to control
      precisely.

    @ Fix misplaced ccs_capable() call. (onl

      Location to insert ccs_capable(TOMOYO_S
      wrong since version 1.1 .

    @ Insert ccs_check_ioctl_permission() cal

      To make MAC_FOR_IOCTL functionality wor
      ccs_check_ioctl_permission() call into

Fix 2009/03/23

    @ Move sysctl()'s check from ccs-patch-\*

      Since try_parse_table() in kernel/sysct
      all versions, I moved that function to

    @ Relocate definitions and functions.

      To reduce exposed symbols, I relocated

Fix 2009/03/24

    @ Add CONFIG_TOMOYO_BUILTIN_INITIALIZERS

      Some systems don't have /sbin/modprobe
      Thus, I made these pathnames configurab

Version 1.6.7 2009/04/01 Feature enhancement release.

Fix 2009/04/06

    @ Drop "undelete domain" command.

      I added "undelete domain" command on 20
      management tools. The garbage collector
      automatically reuse memory and allow ad
      periodically, provided that the adminis
      domains before recreating new domains w

      Thus, I dropped "undelete domain" comma

    @ Escape invalid characters in ccs_check_

      ccs_check_mount_permission2() was passi
      and ccs_update_mount_acl() and ccs_chec
      /proc/ccs/system_policy and /proc/ccs/q
      characters within a string.

Fix 2009/04/07

    @ Fix IPv4's "address_group" handling err

      Since 1.6.5 , due to lack of ntohl() (b
      ccs_update_address_group_entry(), "addr
      not working.

      This problem happens on little endian p

Fix 2009/05/08

    @ Add condition for symlink's target path

      Until now, "allow_symlink" keyword allo
      not check the symlink's target. Usually
      permission checks are done using derefe
      cases, we should restrict the symlink's
      "ln -s .htpasswd /var/www/html/readme.h
      blocked because we will allow Apache to
      /var/www/html/readme.html and /var/www/

      Thus, I added new condition, "symlink.t

        allow_symlink /var/www/html/\*.html i

        allow_symlink /var/www/html/\*\-.\* i

    @ Don't return -EAGAIN at ccs_socket_recv

      It turned out that it is not permitted
      return -EAGAIN if poll() said connectio
      recvmsg() may return -EAGAIN and potent
      because ccs_socket_recvmsg_permission()

      Thus, I modified ccs_socket_recvmsg_per
      rather than -EAGAIN.

Fix 2009/05/19

    @ Don't call get_fs_type() with a mutex h

      Until now, when ccs_update_mount_acl()
      filesystem, /sbin/modprobe is executed
      filesystem module. And get_fs_type() do
      finishes.

      This means that it will cause deadlock
      executed via get_fs_type() in ccs_updat
      ccs_update_mount_acl(); although it won
      inserts execute_handler to call mount()
      add "allow_mount" entries to /proc/ccs/

      I modified to unlock the mutex before c

Fix 2009/05/20

    @ Update recvmsg() hooks.

      Since 1.5.0, I was doing network access
      packets inside skb_recv_datagram(). But
      I moved ccs_recv_datagram_permission()
      udp_recvmsg()/udpv6_recvmsg()/raw_recvm
      change to ccs_recvmsg_permission().

Version 1.6.8 2009/05/28 Feature enhancement release.

Fix 2009/07/03

    @ Fix buffer overrun when used with CONFI

      Since 1.6.7 , ccs_allocate_execve_entry
      bytes while the comment says it is 4096
      overrun when slob allocator is used, fo
      4000 bytes whereas slab and slub alloca

Fix 2009/09/01

    @ Add garbage collector support.

      Until now, it was impossible to release
      I added SRCU based garbage collector so
      policy will be automatically released.

    @ Remove word length limitation and line

      Until now, the max length of a word is
      is 8192. To be able to handle longer pa
      limitations. Now, the max length (excep
      argv[]/envp[]) is 128K (which is the ma
      can allocate in most environments).

    @ Support more fine grained profile confi

      Profile was reconstructed.

    @ Support more fine grained parameters re

      "allow_create", "allow_mkdir", "allow_m
      create mode. "allow_mkblock" and "allow
      major/minor device numbers. "allow_chmo
      checks new owner. "allow_chgrp" checks

    @ Allow number grouping.

      To help specifying numeric values, a ne
      introduced.

    @ Remove "alias" directive and "allow_arg

      Until now, "allow_execute" used derefer
      unless explicitly specified by "alias"

      Now, "allow_execute" uses symlink's pat
      "exec.realpath" in "if" clause checks t
      "exec.argv[0]" in "if" clause checks th

    @ Remove /proc/ccs/system_policy and /etc

      "deny_autobind" was moved to /proc/ccs/
      /etc/ccs/exception_policy.conf . Other
      /proc/ccs/domain_policy and /etc/ccs/do

    @ Remove syaoran filesystem.

      Since "allow_create"/"allow_mkdir"/"all
      "allow_mkblock"/"allow_mkchar"/"allow_c
      can restrict mode changes and owner/gro
      restrict these changes at filesystem le

      Thus, I removed syaoran filesystem.

    @ Reduce spinlocks.

      Until now, TOMOYO was using own list fo
      kernel 2.6.31 introduced memory leak de
      ( CONFIG_DEBUG_KMEMLEAK ), TOMOYO no lo

      I removed the list to reduce use of spi

    @ Rewrite ccs-patch-2.\*.diff .

      ccs-patch-2.\*.diff was rewritten like

    @ Don't check "allow_read/write" for open

      open(pathname, 3) means open for ioctl(
      Until now, TOMOYO was checking "allow_r
      But since TOMOYO checks "allow_ioctl" f
      require "allow_read/write" for open(pat

    @ Add missing sigqueue() and tgsigqueue()

      Until now, kill(), tkill(), tgkill() ha
      tgsigqueue() didn't.

    @ Move files from fs/ to security/ccsecur

      Config menu section changed from "File

      Kernel config symbols changed from CONF
      CONFIG_SYAORAN to CONFIG_CCSECURITY .

    @ Add global PID to audit logs.

      ccs-queryd was using domainname for rea
      belongs to, but the domain could be del
      policy violation. If the domain is dele
      reach the domain by domainname. Thus, c
      reaching the domain which the process b

      Kernel 2.6.24 introduced PID namespace.
      by a process inside a container is usel
      the domain which the process belongs to

      Thus, I added global PID in audit logs.

    @ Transit to new domain before do_execve(

      Permission checks for interpreters and
      done using new domain. In order to allo
      domain via global PID, I reverted "Don'
      do_execve() succeeds." made on 2008/10/

Version 1.7.0 2009/09/03 Feature enhancement release.

Fix 2009/09/04

    @ Fix wrong ccs_profile() calls.

      I can't call ccs_profile() for profile
      ccs_profile() never returns NULL.

Fix 2009/09/06

    @ Fix wrong error code in ccs_try_alt_exe

      ccs_try_alt_exec() was returning ENOMEM
      It needs to return -ENOMEM to fail.

Fix 2009/09/10

    @ Do not check umount() permission for mo

      Until 1.6.x , umount() restriction was
      white listing. This change caused "moun
      require "allow_unmount old" permission
      "allow_mount old new --move 0" permissi
      But we don't want to allow umount(old)
      only mount(old, new, MS_MOVE) requests.
      "allow_unmount old" permission for moun

Fix 2009/09/11

    @ Support recursive match operators.

      Until now, ccs_path_matches_pattern() d
      comparison. Thus, users had to repeat "
      recursively.

      I introduced "\{" and "\}" as repetitio
      To ensure consistency with TOMOYO's '/'
      and "\-" operator, only "/\{dir\}/" seq
      '/') is permitted.

Fix 2009/09/24

    @ Don't check chmod/chown capability for

      Until now, ccs_setattr_permission() was
      But notify_change() is also called by r
      and it made difficult to use TOMOYO on

      Thus, I moved ccs_capable() checks from
      ccs_chmod_permission() and ccs_chown_pe
      ccs_setattr_permission().

Fix 2009/09/25

    @ Embed more information into audit logs.

      Until now, /proc/ccs/grant_log /proc/cc
      not printing file's information (e.g. f

      Recently, users who started using "if"
      mode automatically adds various conditi

      But the profile will become too complic
      conditions. Thus, I added all informati
      "if" clause with all possible condition

      Now, the learning mode got different us
      "CONFIG::learning={ max_entry=0 }" in t
      are not permitted by policy will be sen
      "mode=learning" header lines. Users can
      and append to the policy using "/usr/sb
      The learning mode with "CONFIG::learnin
      the same with the permissive mode, only
      and "mode=permissive".

Fix 2009/10/05

    @ Fix size truncation bug at ccs_memcmp()

      ccs_memcmp() was using "u8" for size pa
      size >= 256 was passed to ccs_memcmp(),
      (incorrect result) or read overrun (CPU

      ccs_memcmp() should use "size_t" for si
      "struct ccs_condition" may exceed 256 b
      given.

Fix 2009/10/08

    @ Add CONFIG_CCSECURITY_DEFAULT_LOADER op

      I made the default policy loader's path
      configurable.

    @ Add CONFIG_CCSECURITY_ALTERNATIVE_TRIGG

      Some environments do not have /sbin/ini
      to use different program's pathname (e.
      activation trigger.

      Thus, I made the alternative trigger (

Fix 2009/11/02

    @ Fix buffer contention.

      A permission like

        allow_env PATH if exec.envp["PATH"]="

      was not working since I was using the s
      variable's name and value.

Fix 2009/11/03

    @ Fix memory leak in ccs_write_address_gr

      I forgot to call kfree() if same entry

    @ Reduce mutexes.

      I was using mutex_lock()/mutex_unlock()
      atomic_dec_and_test() for removing an e
      I moved that operation to garbage colle
      of mutex_lock()/mutex_unlock() calls.

    @ Escape from nested loops correctly.

      In ccs_read_address_group_policy(), I w
      correctly. But in ccs_read_path_group_p
      ccs_read_number_group_policy(), I wasn'

      As a result, reading path_group and num
      when they were not read atomically.

Fix 2009/11/06

    @ Fix incorrect allow_mount audit log.

      Audit log for allow_mount was using dec
      It needs to use hexadecimal format.

Fix 2009/11/09

    @ Add profile version check.

      To avoid upgrading from TOMOYO 1.6.x to
      /proc/ccs/profile (which results in not
      I added a check for PROFILE_VERSION= .

Version 1.7.1 2009/11/11 Fourth anniversary release.

Fix 2009/11/13

    @ Don't use core_initcall() for initializ

      Some kernels call TOMOYO's hooks before
      Thus, I can't use core_initcall() for in

Fix 2009/11/18

    @ Don't check "allow_write" permission fo

      Since TOMOYO checks "allow_truncate" pe
      permission for O_TRUNC, I need to disti
      and open(O_RDWR | O_TRUNC). But I made
      1.7.1 which made it impossible for TOMO
      to distinguish them.

Fix 2009/11/27

    @ Use newly created domain's name for dom

      Since 1.7.0 , /proc/ccs/reject_log was
      name when auditing newly created domain

Fix 2009/12/12

    @ Use rcu_read_lock() for find_task_by_pi

      Since kernel 2.6.18 , caller of find_ta
      rcu_read_lock() rather than read_lock(&
      uses RCU primitives but spinlock does n
      preemptive RCU ( CONFIG_PREEMPT_RCU or
      enabled.

Fix 2009/12/15

    @ Allow deleting "quota_exceeded" and "tr

      To notify users of "this domain has too
      process in this domain was not able to
      "quota_exceeded" and "transition_failed
      These messages were not deletable. But
      to be notified again if such events occ
      Thus, I made these messages deletable.

Fix 2009/12/17

    @ Don't check read permission in ccs_try_

      While I was trying to remove ccs_execve
      between TOMOYO 1.7.0 and 1.7.1 , I made
      check allow_read permission of the prog
      and denied_execute_handler keywords.

    @ Don't check DAC permission if disabled

      I was checking DAC permissions regardin
      operations (e.g. mkdir()) even if mode=
      resource to check DAC permissions when
      Thus, I modified to skip DAC permission

Fix 2009/12/19

    @ Fix memory leak in ccs_environ().

      When I fixed a bug that a permission li

        allow_env PATH if exec.envp["PATH"]="

      was not working (2009/11/02), I allocat
      was released.

      This bug will trigger OOM killer if env
      enabled.

Fix 2010/01/17

    @ Use current domain's name for execute_h

      Since 1.6.7 , /proc/ccs/grant_log was b
      when auditing current domain's "execute

Fix 2010/03/02

    @ Allow domain transition without execve(

      To be able to split permissions for Apa
      executed without execve(), I added spec
      performed by atomically writing '\0'-te
      /proc/ccs/.transition interface. For ex
      "<kernel> /usr/sbin/httpd" domain will
      "<kernel> /usr/sbin/httpd //app=cgi1\04
      writing "app=cgi1 id=10000" + '\0' to /
      Apache's ap_hook_handler() functionalit

      Note that '\0'-terminated binary string
      inside kernel and prefix "//" is automa
      that domainname does not conflict with
      Without this prefix, if "<kernel> /usr/
      allowed to open /proc/ccs/.transition f
      "<kernel> /usr/sbin/sshd /bin/bash /usr
      access /etc/shadow , /bin/bash will be
      atomically writing "/usr/bin/passwd" +
      Allowing /bin/bash to access /etc/shado

      Permission for this operation is checke
      Unlike "allow_execute" keyword, the str
      keyword does not refer a real file on f
      you can store any combination of parame
      string parameter for "allow_transit" ke

Fix 2010/03/08

    @ Allow building as loadable kernel modul

      To be able to minimize filesize increme
      possible to compile TOMOYO Linux as loa
      Although patching the kernel source and
      inevitable, this change will make it ea
      when there is a filesize limitation on

Fix 2010/03/25

    @ Fix ccs_get_ipv6_address() bug.

      Since 1.7.0 , ccs_get_ipv6_address() wa
      "struct list_head ccs_address_list" if
      As a result, ccs_put_ipv6_address() wil
      "struct list_head ccs_address_list" if

Fix 2010/03/26

    @ Fix ccs_lport_reserved() bug.

      Since 1.7.0 , ccs_lport_reserved() was
      number. As a result, "deny_autobind" ke

Version 1.7.2 2010/04/01 Feature enhancement release.

Fix 2010/04/10

    @ Fix invalid "struct nameidata" to "stru

      Regarding kernels 2.6.24 and earlier, I
      to "struct path" in caller side so that
      parameter type. But it turned out that
      standards and did not work with gcc 4.x
      keyword was not working as expected.

Fix 2010/05/05

    @ Fix incorrect audit on/off control.

      The grant_log= and reject_log= paramete
      used because I forgot to update request
      CONFIG::file::execute were used for CON

      Those of CONFIG::file::rewrite were not
      request type. As a result, those of CON
      CONFIG::file::rewrite .

Fix 2010/05/10

    @ Fix incorrect out of memory warning.

      Out of memory warnings were not printed

Fix 2010/05/27

    @ Add missing rcu_dereference() for ccs_f

      Since 1.7.0 , ccs_find_execute_handler(
      list_for_each_entry() rather than list_
      This bug affects only Alpha architectur

Fix 2010/06/03

    @ Fix missing sanity check for "file_patt

      Since 1.7.0 , ccs_write_pattern_policy(
      invalid pathname.

Fix 2010/06/09

    @ Add missing ccs_put_name() in ccs_parse

      Since 1.7.0 , ccs_parse_envp() was not
      environment variable's value ('if exec.
      was invalid.

    @ Add missing NULL check in ccs_condition

      Since 1.7.0 , if 'if symlink.target=' p
      permissions (e.g. allow_env PATH if sym
      NULL pointer dereference.

Fix 2010/10/28

    @ Fix umount() pathname calculation.

      "mount --bind /path/to/file1 /path/to/f
      Therefore, "umount /path/to/file2" is a
      Do not automatically append trailing '/
      does not end with '/'.

    @ Add preserve KABI compatibility option.

      TOMOYO needs "struct ccs_domain_info *"
      "struct task_struct". But embedding the
      "struct task_struct" breaks KABI for pr
      means that you will need to rebuild pre

      Since KABI is commonly used (compared t
      rebuild kernel modules which are not in
      longer preferable. Therefore, I added a
      "struct task_struct" unmodified in orde

      Note that you have to use ccs-patch-2.6
      kernel/fork.c in order to use this opti
      memory whenever "struct task_struct" is

    @ Change directives.

      I removed "allow_" prefix from directiv
      prefixed with "file ". For example, "al
      "allow_ioctl" changed to "file ioctl".
      TCP" is "network inet stream", "allow_n
      dgram", "allow_network RAW" is "network
      "allow_env" is "misc env". New directiv
      signal". New directive for "allow_capab
      directives correspond with keywords use

      I removed "deny_rewrite" and "allow_rew
      "file append" directive. Thus, permissi
      changed from "allow_write" + "allow_rew

      I removed "SYS_MOUNT", "SYS_UMOUNT", "S
      "SYS_LINK", "SYS_SYMLINK", "SYS_RENAME"
      "SYS_CHOWN", "SYS_IOCTL", "SYS_PIVOT_RO
      because these permissions can be checke
      "file mount", "ipc signal").

      I also removed "conceal_mount" keyword
      check requires hooks in filesystem part
      filesystem part have moved to LSM by Li

      New directive for "execute_handler" is
      "denied_execute_handler" is "task denie

    @ Distinguish send() and recv() operation

      Until now, it was impossible for UDP an
      only sending or only receiving because
      "connect" keyword. I broke "connect" ke
      keywords so that you can keep access co
      when you have to disable access control
      application breakage by discarding inco

    @ Add Unix domain socket restriction supp

      Until now, it was possible to restrict
      TCP/UDP/RAW). I added restriction for U
      dgram/seqpacket). New directive "networ
      "network inet" directive.

    @ Allow specifying multiple permissions i

      Until now, only "allow_read/write" can
      "allow_read" + "allow_write". Now, you
      long as type of parameters for these pe
      "file read/write/append/execute/unlink/
      but "file read/write/create /tmp/file"
      requires create mode whereas "file read

    @ Allow wildcard for execute permission a

      Until now, to execute programs with tem
      needed. To simplify code, I modified to
      permission and domainname. Now, you can
      "file execute /tmp/logrotate.\?\?\?\?\?
      "/tmp/logrotate.\?\?\?\?\?\?" within do

    @ Change pathname for non-rename()able fi

      LSM version of TOMOYO wants to use /pro
      $PID matches current thread's process I
      thread from accessing other process's i
      But since procfs can be mounted on vari
      /p/ /tmp/foo/100/p/ ), LSM version of T
      numeric part in the string returned by
      or not.

      Therefore, to be able to convert from $
      is mounted, I changed pathname represen
      not support rename() operation (e.g. pr

      Now, "/proc/self/mounts" changed to "pr
      "/sys/kernel/security/" changed to "sys
      "/dev/pts/0" changed to "devpts:/0".

    @ Add a new keyword "any" for domain tran

      To be able to make it easier to apply a
      domain, I added "any" keyword to domain
      "initialize_domain /usr/sbin/sshd" chan
      "initialize_domain /usr/sbin/sshd from
      "keep_domain <kernel> /usr/sbin/sshd /b
      "keep_domain any from <kernel> /usr/sbi

      "keep_domain /path/to/auto_execute_hand
      apply auto_execute_handler for any doma
      auto_execute_handler.

    @ Change buffering mode for reading polic

      To be able to read() very very long lin
      TOMOYO buffers policy for reading.

    @ Introduce "acl_group" keyword.

      Until now, it was possible to specify o
      keywords in the exception policy.

      Since some operations like "file read/w
      "network UDP send/recv @DNS_SERVER 53"
      permitted to all domains, I introduced
      such permissions.

      For example, specify "acl_group 0 file
      the exception policy and specify "use_g
      domain policy.

      "ignore_global_allow_read" and "ignore_
      removed from domain policy and "use_gro

    @ Remove "if" and "; set" keyword.

      I removed need for specifying these key
      You can simply specify like below.

        file read /etc/shadow task.uid=0

    @ Remove "file_pattern" keyword.

      I removed "file_pattern" keyword becaus
      all possible pathname patterns. Also, l
      patterns makes it difficult to later re

    @ Replace verbose= parameter with statist

      Since it is noisy if a lot of policy vi
      I removed printk(). To be able to check
      or not, I introduced /proc/ccs/stat int
      policy violations occurred. You can fir
      check /proc/ccs/reject_log .

    @ Remove global preference.

      I removed global preference in order to

    @ Allow controlling generation of access
      basis.

      I added per-entry flag which controls g
      Xen and KVM issues ioctl requests so fr

        file ioctl /dev/null 0x5401 grant_log

      will suppress /proc/ccs/grant_log even

        file ioctl /dev/null 0x5401 grant_log

      will generate /proc/ccs/grant_log even

        file ioctl /dev/null 0x5401

      will generate /proc/ccs/grant_log only

      This flag is intended for frequently ac

        file read /var/www/html/\{\*\}/\*.htm

      .

    @ Automatically create domain by execve()

      Until now, new domains are not created
      current domain is enforcing mode ("CONF

      To be able to restrict shell session wi
      I changed to create new domains automat
      enforcing mode.

    @ Replace "task.state" with "auto_domain_

      task.state is difficult to use. Thus, I
      auto_domain_transition which performs d
      changing current process's state variab

      If domain transition failed, current pr
      signal. This should not happen in norma
      domain to transit to and thereby you wi
      when you use "auto_domain_transition" k

    @ Replace "allow_transit" with "task manu

      I changed this directive to specify abs
      "<kernel> /usr/sbin/httpd //app=cgi1\04
      pathname (e.g. "//app=cgi1\040id=10000"
      transit to and thereby you will define
      "task manual_domain_transition" directi

      This change allows you to jump to arbit

      Note that this change also reverts "Cha
      made on 2006/10/24. Now, 'cat < /proc/c
      'cat /proc/ccs/info/self_domain'. Progr
      need to be updated.

    @ Add "task auto_domain_transition".

      This is similar to "task manual_domain_
      applied whenever conditions are met. Fo

        task auto_domain_transition <kernel>

      will automatically jump to "<kernel> //
      process's UID is not 0 whereas

        task manual_domain_transition <kernel

      will jump to "<kernel> //./non-root" do
      not 0 and current process wrote "<kerne
      /proc/ccs/self_domain interface.

      If domain transition failed, current pr
      signal.

    @ Optimize for object's size.

      I merged similar code in order to reduc

Version 1.8.0 2010/11/11 Fifth anniversary release.

Fix 2010/12/01

    @ Use same interface for audit logs.

      To be able to perform fine grained filt
      I merged /proc/ccs/grant_log and /proc/
      /proc/ccs/audit and added granted=yes o

Fix 2010/12/17

    @ Split ccs_null_security into ccs_defaul

      ccs_null_security is used by preserve K
      used for providing default values again
      allocated memory for their security con

      If current thread failed to allocate me
      context, current thread uses ccs_null_s
      allowed to modify current thread's secu
      modify ccs_null_security which should n

      Therefore, I split ccs_null_security in
      ccs_oom_security and use ccs_oom_securi
      allocate memory for current thread's se

      Threads which do not share ccs_oom_secu
      which share ccs_oom_security. Threads w
      experience temporary inconsistency, but
      killed by SIGKILL signal.

Fix 2011/01/11

    @ Use filesystem name for unnamed devices

      "Change pathname for non-rename()able f
      "$fsname:" if the filesystem does not s
      "dev($major,$minor):" otherwise when vf
      out that it is useless to use "dev($maj
      (filesystems with $major == 0). Thus, I
      than "dev($major,$minor):" for filesyst
      is missing.

Fix 2011/02/07

    @ Fix infinite loop bug when reading /pro

      In ccs_flush(), head->r.w[0] holds poin
      But head->r.w[0] was updated only when
      printed (because head->r.w[0] will be u
      completely printed). However, regarding
      /proc/ccs/query , an additional '\0' is
      completely printed. But if free space f
      printing the additional '\0', ccs_flush
      head->r.w[0]. As a result, ccs_flush()
      string data.

[ChangeLog of the userland tools package, shown as the right-hand column beside the kernel patch ChangeLog above]

The following programs were updated.

editpolicy:
  Treat ASCII code's BS character as ncurses code's BS character.

proxy:
  Dropped suid-root since /usr/lib/ccs/ is globally accessible
  since 1.6.2 .

Version 1.6.4 2008/09/03 Bug fix release.

No changes for tools.

Only programs for testing kernel were updated.

Version 1.6.5 2008/11/11 Third anniversary release.

Updated coding style and fixed some bugs.

Version 1.6.6 2009/02/02 Bug fix release.

The following programs were updated.

ccs-editpolicy:
  Handle '\A' and '\a' correctly.

ccs-pathmatch:
  Handle '\A' and '\a' correctly.

Version 1.6.7 2009/04/01 Feature enhancement release.

ccs-editpolicy:
  Add ability to edit profile and manager and meminfo.
  Add ability to edit policy files in arbitrary location.
  Add ability to edit policy remotely.
  Add readonly mode option for showcase use.
  Add automatic refresh option for showcase use.

ccs-loadpolicy:
  Add ability to load policy remotely.
  Add ability to load meminfo.

ccs-savepolicy:
  Add ability to save policy remotely.
  Add ability to print meminfo.

ccs-editpolicy-agent:
  This program gives ccs-editpolicy and ccs-loadpolicy and ccs-savepolicy
  ability to manage embedded systems remotely via TCP/IP networking.

ccs-editpolicy_offline:
  This program was removed because its functionality was merged into
  ccs-editpolicy.

ccs-setlevel:
  This program became obsolete because its functionality was merged into
  ccs-editpolicy and ccs-loadpolicy.

Version 1.6.8 2009/05/28 Bug fix release.

ccs-ccstree:
  Add ability to fetch status remotely.

ccs-editpolicy-agent:
  Add support for ccs-ccstree.

Version 1.6.8p1 2009/06/23 Bug fix release.

ccs-auditd:
  Print error message if auditing interface is not available.

Version 1.7.0 2009/09/03 Feature enhancement release.

Removed programs for TOMOYO 2.2.0 from this package.
Please use tomoyo-tools-2.2.0 package for TOMOYO 2.2.0 .

Installation directory changed.
Renamed from "ccs-ccstree" to "ccs-pstree".
Removed "realpath", "make_alias", "makesyaoranconf".

/sbin/ccs-init:
  Converted to binary program.

/usr/lib/ccs/init_policy:
  Converted to binary program.

/usr/sbin/ccs-findtemp:
  Add "--with-domainname" option.

/usr/sbin/ccs-queryd:
  Use global PID for reaching the target domain.
  Add 'Show policy' command.
  Change 'Yes and append to policy' to 'Append to policy and retry'.

/usr/sbin/ccs-auditd:
  Reduce fsync() requests.

/usr/sbin/ccs-editpolicy:
  Removed system policy editor.
  Changed profile editor.

Version 1.7.1 2009/11/11 Fourth anniversary release.

/usr/sbin/ccs-queryd
  Add ability to handle query remotely.

/usr/sbin/ccs-auditd
  Add ability to fetch logs remotely.

/usr/lib/ccs/ccs-editpolicy-agent
  Add support for ccs-queryd and ccs-auditd .

/usr/sbin/ccs-savepolicy
  Removed \*.base support.

/usr/sbin/ccs-loadpolicy
  Removed \*.base support.

/usr/sbin/ccs-init
  Removed \*.base support.

/usr/sbin/ccs-diffpolicy
  Program for generating diff of domain policy.

/usr/sbin/ccs-selectpolicy
  Program for picking up specific domain's policy.

/usr/lib/ccs/convert-audit-log
  Program for generating domain policy from audit logs.

/usr/sbin/ccs-checkpolicy
  Updated to handle TOMOYO 1.7's syntax.

/usr/sbin/ccs-patternize
  Updated to handle TOMOYO 1.7's syntax.
  Add support for "path_group" "number_group" "address_group" in addition to "file_pattern".
  Add "--file" option for passing the whole exception policy.

Version 1.7.1p1 2010/01/10 Bug fix release.

Use dynamic buffer allocation for supporting longer lines.

/usr/sbin/ccs-auditd
  Call fflush() immediately after fprintf() rather than calling fflush()
  only when new logs are not available for a second. Omitting write() unless
  needed should improve performance if there are many logs to fetch. But
  it turned out that omitting fflush() causes audit logs more likely to be
  written partially in some environments.

/usr/sbin/ccs-queryd
  ccs-queryd was not monitoring /etc/ld.so.cache updates since 1.7.1
  because of segmentation fault caused by fclose(NULL).

/usr/sbin/ccs-checkpolicy
  Some of TOMOYO 1.7's syntaxes were not handled correctly.

/usr/sbin/ccs-editpolicy
  Ignore /proc/0 which is an invalid proc entry.

/usr/sbin/ccs-pstree
  Ignore /proc/0 which is an invalid proc entry.

/usr/lib/ccs/ccs-editpolicy-agent
  Ignore /proc/0 which is an invalid proc entry.

Version 1.7.2 2010/04/01 Minor update release.

/sbin/ccs-init
  Call /etc/ccs/ccs-load-module if TOMOYO is built as a loadable kernel
  module and the module is not yet loaded into kernel.

/usr/sbin/ccs-sortpolicy
  Do not remove "use_profile" lines so that we can use this program for not
  only compressing audit logs saved by /usr/sbin/ccs-auditd but also sorting
  /etc/ccs/domain_policy.conf and /proc/ccs/domain_policy .
  With this change, since the output of this program may contain
  "use_profile" lines which will unexpectedly change access control mode of
  domains listed in audit logs, passing audit logs to this program and
  piping the output to /usr/sbin/ccs-loadpolicy is no longer recommended.
  Please review before using the output of /usr/sbin/ccs-sortpolicy .

Version 1.8.0 2010/11/11 Fifth anniversary release.

Updated to handle TOMOYO 1.8's syntax.
<< 2747 << 2748 Fix 2011/03/01 << 2749 << 2750 @ Run garbage collector without waiting f << 2751 << 2752 Currently TOMOYO holds SRCU lock upon o << 2753 because list elements stored in the "st << 2754 accessed until close() is called. Howev << 2755 to complain about leaving the kernel wi << 2756 I changed to hold/release SRCU upon eac << 2757 deferring kfree() by keeping track of t << 2758 instances. << 2759 << 2760 Fix 2011/03/05 << 2761 << 2762 @ Support built-in policy configuration. << 2763 << 2764 To be able to start using enforcing mod << 2765 sequence, I added support for built-in << 2766 activating access control without calli << 2767 << 2768 This will be useful for systems where o << 2769 hijacking of the boot sequence are need << 2770 For example, you can activate immediate << 2771 policy which will allow only operations << 2772 which contains the variant part of poli << 2773 check) and loading the variant part of << 2774 enforcing mode from the beginning, you << 2775 hijacking the boot sequence. << 2776 << 2777 Fix 2011/03/10 << 2778 << 2779 @ Remove /proc/ccs/meminfo interface. << 2780 << 2781 Please use /proc/ccs/stat interface ins << 2782 << 2783 Fix 2011/03/15 << 2784 << 2785 @ Pack policy when printing via /proc/ccs << 2786 << 2787 The kernel side is ready for accepting << 2788 << 2789 file read/write/execute /path/to/file << 2790 << 2791 but was using unpacked output like << 2792 << 2793 file read /path/to/file << 2794 file write /path/to/file << 2795 file execute /path/to/file << 2796 << 2797 because most of userland tools were not << 2798 << 2799 The advantages of using packed policy a << 2800 smaller and it speeds up loading/saving << 2801 << 2802 Since most of userland tools are ready << 2803 I changed to use packed policy for both << 2804 << 2805 Fix 2011/03/31 << 2806 << 2807 @ Fix conditional policy parsing. 
<< 2808 << 2809 Since exec.realpath= and symlink.target << 2810 symlink.target="@foo" was by error pars << 2811 << 2812 @ Serialize updating profile's comment li << 2813 << 2814 We need to serialize when updating COMM << 2815 << 2816 Version 1.8.1 2011/04/01 Usability enhanc << 2817 << 2818 Fix 2011/04/03 << 2819 << 2820 @ Fix fcntl(F_SETFL, O_APPEND) handling. << 2821 << 2822 Since 1.8.0, TOMOYO was by error checki << 2823 than "file append" permission when chan << 2824 "overwriting" to "append". << 2825 << 2826 This error should impact little (except << 2827 a file was opened for "overwriting" mod << 2828 mode cannot undo overwriting the file. << 2829 due to different ACC_MODE definition, T << 2830 checking "file read" permission when fc << 2831 << 2832 Fix 2011/04/20 << 2833 << 2834 @ Remove unused "struct inode *" paramete << 2835 << 2836 Since pre-vfs functions were removed on << 2837 parameter which was used for checking p << 2838 is no longer used. << 2839 << 2840 Note that "struct ccsecurity_operations << 2841 Loadable kernel modules that depends on << 2842 << 2843 Fix 2011/05/05 << 2844 << 2845 @ Fix wrong profile number in audit logs << 2846 << 2847 Profile number used for "file execute" << 2848 when generating audit logs for "misc en << 2849 << 2850 Fix 2011/05/11 << 2851 << 2852 @ Fix wrong domainname validation. << 2853 << 2854 "<kernel>" + "/foo/\" + "/bar" was by e << 2855 "<kernel> /foo/\* /bar" was given. As a << 2856 "<kernel> /foo/\* /bar" are rejected. << 2857 << 2858 Fix 2011/06/06 << 2859 << 2860 @ Add policy namespace support. << 2861 << 2862 To be able to use TOMOYO in LXC environ << 2863 namespace. Each policy namespace has it << 2864 exception policy and profiles, which ar << 2865 namespaces. 
<< 2866 << 2867 @ Remove CONFIG_CCSECURITY_BUILTIN_INITIA << 2868 << 2869 From now on, exception policy and manag << 2870 policy namespace (which is a <$namespac << 2871 Thus, space-separated list for CONFIG_C << 2872 no longer suitable for handling policy << 2873 << 2874 Fix 2011/06/10 << 2875 << 2876 @ Allow specifying trigger for activation << 2877 << 2878 To be able to use TOMOYO under systemd << 2879 is used, I changed to allow overriding << 2880 policy loader and activating MAC via ke << 2881 << 2882 Fix 2011/06/14 << 2883 << 2884 @ Remove unused "struct inode *" paramete << 2885 << 2886 To follow changes I made on 2011/04/20, << 2887 ccs_mknod_permission(), ccs_mkdir_permi << 2888 ccs_unlink_permission(), ccs_symlink_pe << 2889 ccs_rename_permission() that are called << 2890 net/unix/af_unix.c include/linux/securi << 2891 If you have your own ccs-patch-*.diff , << 2892 << 2893 Version 1.8.2 2011/06/20 Usability enhanc << 2894 << 2895 Fix 2011/07/07 << 2896 << 2897 @ Remove /proc/ccs/.domain_status interfa << 2898 << 2899 Writing to /proc/ccs/.domain_status can << 2900 << 2901 ( echo "select " $domainname; echo "u << 2902 /usr/sbin/ccs-loadpolicy -d << 2903 << 2904 and reading from /proc/ccs/.domain_stat << 2905 << 2906 grep -A 1 '^<' /proc/ccs/domain_polic << 2907 awk ' { if ( domainname == "" ) { if << 2908 domainname = $0; } else if ( $1 == "u << 2909 print $2 " " domainname; domainname = << 2910 << 2911 . Since this interface is used by only << 2912 remove this interface by updating /usr/ << 2913 << 2914 Fix 2011/07/09 << 2915 << 2916 @ Fix /proc/ccs/stat parser. << 2917 << 2918 For optimization, I changed to use simp << 2919 in ccs_write_stat(). But it caused pars << 2920 before value (e.g. "Memory used by poli << 2921 << 2922 Fix 2011/07/13 << 2923 << 2924 @ Accept "::" notation for IPv6 address. << 2925 << 2926 In order to add network access restrict << 2927 routines for parsing/printing IPv4/IPv6 << 2928 TOMOYO 1.8.2. 
<< 2929 Now, IPv6 address accepts "::1" instead << 2930 << 2931 Fix 2011/09/03 << 2932 << 2933 @ Avoid race when retrying "file execute" << 2934 << 2935 There was a race window that the pathna << 2936 "file execute" permission check when re << 2937 because the pathname was recalculated u << 2938 inevitable race window even without sup << 2939 the symbolic link's pathname from "stru << 2940 than from "struct linux_binprm"->file b << 2941 the symbolic link's pathname from the d << 2942 << 2943 @ Remove unneeded daemonize(). << 2944 << 2945 Garbage collector thread is created usi << 2946 Kernel threads created by kthread_creat << 2947 daemonize(). << 2948 << 2949 Fix 2011/09/16 << 2950 << 2951 @ Allow specifying domain transition pref << 2952 << 2953 I got an opinion that it is difficult t << 2954 transition control directives because t << 2955 specified to "file execute" directives. << 2956 /bin/\*\-ls\-cat" is given, correspondi << 2957 directive needs to be like "no_keep_dom << 2958 << 2959 To solve this difficulty, I introduced << 2960 exception policy's domain transition co << 2961 << 2962 file execute /bin/ls keep exec.realpa << 2963 file execute /bin/cat keep exec.realp << 2964 file execute /bin/\*\-ls\-cat child << 2965 file execute /usr/sbin/httpd <apache> << 2966 << 2967 This argument allows transition to diff << 2968 << 2969 <kernel> /usr/sbin/sshd << 2970 file execute /bin/bash <kernel> /usr/ << 2971 file execute /bin/bash <kernel> /usr/ << 2972 file execute /bin/bash <kernel> /usr/ << 2973 << 2974 Fix 2011/09/25 << 2975 << 2976 @ Simplify garbage collector. << 2977 << 2978 It turned out that use of batched proce << 2979 collector when certain pattern of entri << 2980 with sequential processing. << 2981 << 2982 Version 1.8.3 2011/09/29 Usability enhanc << 2983 << 2984 Fix 2011/10/24 << 2985 << 2986 @ Fix incomplete read after seek. 
<< 2987 << 2988 ccs_flush() tries to flush data to be r << 2989 ccs_select_domain() (which is called by << 2990 meant to be read by next read(), but pr << 2991 size was not cleared. As a result, sinc << 2992 << 2993 char *cp = "select global-pid=1\n"; << 2994 read(fd, buf1, sizeof(buf1)); << 2995 write(fd, cp, strlen(cp)); << 2996 read(fd, buf2, sizeof(buf2)); << 2997 << 2998 causes enqueued data to be flushed to b << 2999 << 3000 @ Use query id for reaching target proces << 3001 << 3002 Use query id for reaching target proces << 3003 target process's global PID. This is fo << 3004 but this change makes /usr/sbin/ccs-que << 3005 kernel will return empty domain policy << 3006 ccs-queryd reaches target process's dom << 3007 << 3008 @ Fix quota counting. << 3009 << 3010 "task manual_domain_transition" should << 3011 "task auto_domain_transition"/"task aut << 3012 "task denied_execute_handler" because t << 3013 mode. << 3014 << 3015 Fix 2011/11/11 << 3016 << 3017 @ Optimize for object's size. << 3018 << 3019 I rearranged functions/variables into t << 3020 object's filesize. Also, I added kernel << 3021 by excluding unnecessary functionality. << 3022 << 3023 Fix 2011/11/18 << 3024 << 3025 @ Fix kernel config mapping error. << 3026 << 3027 Due to a typo in ccs_p2mac definition, << 3028 by error used when checking "file getat << 3029 not be affected by this error because C << 3030 CONFIG::file::getattr are by default co << 3031 CONFIG settings. << 3032 << 3033 Fix 2011/12/13 << 3034 << 3035 @ Follow __d_path() behavior change. (Onl << 3036 << 3037 The behavior of __d_path() has changed << 3038 NULL when the pathname cannot be calcul << 3039 version when using with 3.2-rc5 and lat << 3040 panic because ccs_get_absolute_path() t << 3041 << 3042 The patch that changed the behavior of << 3043 2.6.36 to 3.1 kernels. 
You must update << 3044 backported, or you will experience the << 3045 << 3046 The patch that changed the behavior of << 3047 handling pathnames under lazy-unmounted << 3048 using incomplete pathnames returned by << 3049 under lazy-unmounted directory. But fro << 3050 pathnames returned by ccs_get_local_pat << 3051 lazy-unmounted directory (because __d_p << 3052 << 3053 Since applications unlikely do lazy unm << 3054 lazy-unmounted directory should not hap << 3055 explicitly does lazy unmounts. But path << 3056 conditions in the policy file (if any) << 3057 << 3058 Fix 2012/01/20 << 3059 << 3060 @ Follow changes in 3.3-rc1. << 3061 << 3062 Use umode_t rather than mode_t. << 3063 Remove ipv6_addr_copy() usage. << 3064 << 3065 Fix 2012/02/25 << 3066 << 3067 @ Follow changes in linux-next. << 3068 << 3069 UMH_WAIT_PROC constant (currently 1) is << 3070 << 3071 Use UMH_WAIT_PROC constant instead of h << 3072 for backporting call_usermodehelper() r << 3073 backported, you will start experiencing << 3074 of external policy loader (i.e. /sbin/c << 3075 longer wait for completion of external << 3076 << 3077 Although I changed to use UMH_WAIT_PROC << 3078 to detect renumbering in 2.6.22 and ear << 3079 constant is currently available to only << 3080 started to experience the kernel panic, << 3081 was backported or not. << 3082 << 3083 Fix 2012/02/29 << 3084 << 3085 @ Fix mount flags checking order. << 3086 << 3087 Userspace can pass in arbitrary combina << 3088 << 3089 If both MS_BIND and one of MS_SHARED/MS << 3090 are passed, device name which should be << 3091 checked because MS_SHARED/MS_PRIVATE/MS << 3092 priority than MS_BIND. << 3093 << 3094 If both one of MS_BIND/MS_MOVE and MS_R << 3095 which should not be checked for MS_REMO << 3096 MS_MOVE had higher priority than MS_REM << 3097 << 3098 Fix these bugs by changing priority to << 3099 MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBIND << 3100 does. 
Also, I changed to unconditionall << 3101 of MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNB << 3102 will not generate inaccurate audit logs << 3103 check mount flags passed to change_mnt_ << 3104 these flags must be exclusively passed. << 3105 << 3106 Fix 2012/03/08 << 3107 << 3108 @ Allow returning other errors when ptrac << 3109 << 3110 Currently -EPERM is returned when ccs_p << 3111 error code. I changed to return return << 3112 so that we can return -ESRCH when targe << 3113 << 3114 Fix 2012/03/16 << 3115 << 3116 @ Return appropriate value to poll(). << 3117 << 3118 Return POLLIN | POLLRDNORM | POLLOUT | << 3119 POLLOUT | POLLWRNORM otherwise. << 3120 << 3121 Fix 2012/04/22 << 3122 << 3123 @ Readd RHEL_MINOR/AX_MINOR checks. << 3124 << 3125 This check was added in revision 2346 a << 3126 << 3127 Add it back in order to support RHEL 5. << 3128 << 3129 @ Fix skb_kill_datagram() for kernels 2.6 << 3130 543 3131 Commit 208d8984 "[IPV4]: Fix BUG() in 2 !! 544 Version 1.8.0p1 2010/11/22 Bug fix release. 3132 CONFIG_HIGHMEM" clarified that skb_kill << 3133 spin_lock_bh()/spin_unlock_bh() rather << 3134 spin_lock_irq()/spin_unlock_irq(). << 3135 545 3136 RHEL 4.9 (2.6.9) kernel has that patch !! 546 /usr/sbin/ccs-patternize >> 547 The "network " keyword was not printed by error. 3137 548 3138 @ Fix missing locks for RHEL 5.2-5.8 kern !! 549 Version 1.8.0p2 2010/12/31 Usability enhancement release. 3139 550 3140 Since RHEL 5.2 and later kernels have b !! 551 Policy file's location has moved from /etc/ccs/ directory to 3141 "[UDP]: Add memory accounting." patch, !! 552 /etc/ccs/policy/YY-MM-DD.hh:mm:ss/ directory. A symlink named "current" which 3142 lock_sock()/release_sock() around skb_k !! 553 points to YY-MM-DD.hh:mm:ss/ directory is created under /etc/ccs/policy/ 3143 packet was dropped by TOMOYO. !! 554 directory so that users can switch policy files by manipulating only one >> 555 symlink. 
Also, a symlink named "previous" which points to previous >> 556 YY-MM-DD.hh:mm:ss/ directory is created under /etc/ccs/policy/ directory >> 557 so that users can easily find previous back up. For compatibility and user's >> 558 convenience, symlinks which point to policy/current/ are created in >> 559 /etc/ccs/ directory. 3144 560 3145 Fix 2012/04/28 !! 561 Configuration file for userland programs has moved from >> 562 /usr/lib/ccs/ccstools.conf to /etc/ccs/tools/ directory. 3146 563 3147 @ Accept manager programs which do not st !! 564 /usr/sbin/ccs-patternize >> 565 Changed syntax and keywords. >> 566 Added conditional rewriting support. >> 567 Added leading pathname matching and trailing pathname matching support. >> 568 Use /etc/ccs/tools/patternize.conf rather than command line arguments. >> 569 First command line argument was not used by error. >> 570 The "file getattr" permission was not handled by error. 3148 571 3149 The pathname of /usr/sbin/ccs-editpolic !! 572 /usr/sbin/ccs-auditd 3150 CD is squashfs:/usr/sbin/ccs-editpolicy !! 573 Use /proc/ccs/audit rather than /proc/ccs/grant_log and 3151 /usr/sbin/ccs-editpolicy . Therefore, w !! 574 /proc/ccs/reject_log (this change requires updated ccs-patch ). 3152 programs which do not start with / . !! 575 Added conditional auditing support. >> 576 Use /etc/ccs/tools/auditd.conf rather than command line arguments. 3153 577 3154 Fix 2012/10/08 !! 578 /usr/sbin/ccs-editpolicy >> 579 Use /etc/ccs/tools/editpolicy.conf rather than /usr/lib/ccs/ccstools.conf . >> 580 Use /proc/ccs/stat rather than /proc/ccs/meminfo . 3155 581 3156 @ Fix KABI breakage on Ubuntu 12.10. !! 582 /usr/sbin/ccs-diffpolicy >> 583 The first argument and the second argument were reversed by error. 3157 584 3158 I was using include/linux/security.h as !! 585 /usr/sbin/ccs-loadpolicy 3159 include/linux/ccsecurity.h so that I ca !! 586 Always read from stdin. >> 587 Do not allow loading multiple policies at the same time. 
>> 588 Require one of '-e' '-d' '-p' '-m' '-s'. 3160 589 3161 When scripts/genksyms/genksyms calculat !! 590 /usr/sbin/ccs-savepolicy 3162 file, it uses the extracted form of inv !! 591 Always save domain_policy.conf exception_policy.conf manager.conf and 3163 layout is known but it instead uses UNK !! 592 profile.conf under /etc/ccs/policy/YY-MM-DD.hh:mm:ss/ directory. 3164 not known. Therefore, pulling in includ !! 593 Require one of '-e' '-d' '-p' '-m' '-s' for printing to stdout. 3165 layout from include/linux/ccsecurity.h << 3166 and causes KABI breakage, even if no ch << 3167 structures. << 3168 594 3169 Fix this breakage by avoiding pulling i !! 595 /usr/sbin/ccs-notifyd 3170 include/linux/dcache.h from include/lin !! 596 Do not terminate upon first occurrence (this means we no longer need to >> 597 start periodically from cron daemon). >> 598 Moved from /usr/lib/ccs/ to /usr/sbin/ . >> 599 Use /etc/ccs/tools/notifyd.conf rather than command line arguments. 3171 600 3172 Fix 2015/01/01 !! 601 /usr/lib/ccs/init_policy >> 602 Create initial policy under /etc/ccs/policy/YY-MM-DD.hh:mm:ss/ directory. >> 603 Create initial userland configuration under /etc/ccs/tools/ directory. >> 604 Reserve ANY_PATHNAME ANY_DIRECTORY and COMMON_IOCTL_CMDS groups. 3173 605 3174 @ Fix missing chmod(-1) check in Linux 3. !! 606 /usr/lib/ccs/convert-audit-log >> 607 Fix use_group line handling. 3175 608 3176 Commit e57712ebebbb9db7 "merge fchmod() !! 609 Version 1.8.0p3 2011/02/14 Dependency reduction and code cleanup release. 3177 ancient broken kludge" changed chmod(-1 << 3178 07777. Therefore, TOMOYO must not ignor << 3179 610 3180 @ Fix potentially using bogus attributes !! 611 Use readymade manpages in order to remove help2man and gzip from build >> 612 dependency. 3181 613 3182 We should reset attributes information !! 614 Removed examples from build target in order to remove readline-devel from 3183 program, or attributes of original prog !! 615 build dependency. 
3184 on execute_handler program failed. << 3185 616 3186 Fix 2015/04/08 !! 617 Use Include.make for passing variables. 3187 618 3188 @ Fix incorrect readdir() permission chec !! 619 Use install command rather than cp/chmod/chown commands. 3189 620 3190 CONFIG_CCSECURITY_FILE_READDIR was mean !! 621 Add comments on and reconstruct some of files. 3191 readdir() permission check. However, CO << 3192 by error used for controlling readdir() << 3193 should not affect kernels built with de << 3194 CONFIG_CCSECURITY_FILE_READDIR and CONF << 3195 defined by default. << 3196 622 3197 Fix 2015/04/15 !! 623 Stop if failed to build ccs-editpolicy (probably due to lack of >> 624 ncurses-devel). 3198 625 3199 @ Fix incorrect retry request check. !! 626 Version 1.8.1 2011/04/01 Minor update release. 3200 627 3201 When a request was asked to retry, acl_ !! 628 Updated to handle TOMOYO 1.8.1's syntax. 3202 use_group keyword was by error ignored. << 3203 able to use permissions defined by acl_ << 3204 629 3205 Fix 2015/05/01 !! 630 Support packed policy format. 3206 631 3207 @ Support multiple use_group entries. !! 632 Fix build error on parallel build. 3208 633 3209 Until now, each domain can include only !! 634 /usr/sbin/ccs-editpolicy 3210 I changed to allow each domain to inclu !! 635 Handle all domain transition related directives. 3211 As a result, you will be able to reduce << 3212 defining multiple acl_group entries bas << 3213 them from each domain as needed. << 3214 636 3215 Version 1.8.4 2015/05/05 Usability enhanc !! 637 Version 1.8.1p1 2011/05/11 Minor update release. 3216 638 3217 Fix 2015/11/08 !! 639 /usr/lib/libccstools.so.1 >> 640 Fix wrong domainname validation. 3218 641 3219 @ Use memory allocation flags used by TOM !! 642 /sbin/ccs-init >> 643 Fix wrong ACL lines counting. 3220 644 3221 Until now, TOMOYO 1.x was using memory !! 645 /usr/sbin/ccs-editpolicy 3222 than TOMOYO 2.x in order to make sure t !! 646 Allow configuring background color. 
3223 TOMOYO 1.x shall not cause silent livel << 3224 647 3225 But as I learn about this livelock prob !! 648 Version 1.8.2 2011/06/20 Minor update release. 3226 not a problem which TOMOYO can manage. << 3227 at memory allocation is a problem, refu << 3228 by critical processes due to memory all << 3229 weaker memory allocation flags is also << 3230 649 3231 Since situations regarding memory alloc !! 650 Updated to handle TOMOYO 1.8.2's syntax. 3232 are changing, it will be safer to use m << 3233 TOMOYO 2.x. << 3234 651 3235 Fix 2015/11/10 !! 652 Support policy namespace. 3236 653 3237 @ Limit wildcard recursion depth. !! 654 /usr/sbin/ccs-editpolicy >> 655 Validate policy when editing on-disk policy files. 3238 656 3239 Since wildcards that need recursion con !! 657 /usr/sbin/ccs-auditd 3240 we cannot allow infinite recursion. !! 658 Allow reloading configuration file upon SIGHUP. 3241 659 3242 Version 1.8.5 2015/11/11 Tenth anniversar !! 660 /usr/sbin/ccs-notifyd >> 661 Allow reloading configuration file upon SIGHUP. 3243 662 3244 Fix 2017/02/02 !! 663 /usr/lib/libccstools.so.2 >> 664 Version bump. 3245 665 3246 @ Use for_each_thread() for GC operation. !! 666 Version 1.8.2p1 2011/06/26 Bug fix release. 3247 667 3248 while_each_thread() without tasklist_lo !! 668 /usr/sbin/ccs-editpolicy 3249 Use for_each_process_thread() if it is !! 669 Improve domain transition jump information. 3250 tasklist_lock otherwise. !! 670 Fix several bugs. 3251 671 3252 Fix 2018/04/01 !! 672 Version 1.8.2p2 2011/07/07 Bug fix release. 3253 673 3254 @ Use smb_rmb() when waiting for initiali !! 674 /usr/sbin/ccs-editpolicy >> 675 Fix bugs in ccs-editpolicy's domain transition jump information. 3255 676 3256 "while (!cond);" is implicitly optimize !! 677 /usr/sbin/ccs-setprofile 3257 Use "while (!cond) smp_rmb();" in order !! 678 Use /proc/ccs/domain_policy rather than /proc/ccs/.domain_status . 3258 679 3259 Fix 2019/07/27 !! 680 Version 1.8.2p3 2011/07/13 Bug fix release. 
3260 681 3261 @ Change pathname calculation for read-on !! 682 /sbin/ccs-init >> 683 Handle profiles in all namespaces. 3262 684 3263 Commit 5625f2e3266319fd ("TOMOYO: Chang !! 685 /usr/sbin/ccs-editpolicy 3264 filesystems.") intended to be applied t !! 686 Print domain's name rather than shortcut's name. 3265 not controllable from the userspace (e. !! 687 Parse and print IPv6 address in RFC5952 format. 3266 on an assumption that such filesystems << 3267 688 3268 But it turned out that read-only filesy !! 689 /usr/sbin/ccs-checkpolicy 3269 operation despite the content is contro !! 690 Parse and check IPv6 address in RFC5952 format. 3270 commit is annoying TOMOYO users who wan << 3271 filesystem due to use of local name whi << 3272 691 3273 Therefore, based on an assumption that !! 692 /usr/lib/libccstools.so.2 3274 device argument upon mount() request is !! 693 Parse IPv6 address in RFC5952 format. 3275 is controllable from the userspace, do << 3276 does not support rename() operation but << 3277 mount() request. << 3278 694 3279 @ Reject move_mount() system call for now !! 695 Version 1.8.2p4 2011/08/20 Bug fix release. 3280 696 3281 Commit 2db154b3ea8e14b0 ("vfs: syscall: !! 697 /usr/lib/ccs/init_policy 3282 around") introduced security_move_mount !! 698 Add /proc/self/exe as aggregator entry. 3283 TOMOYO and AppArmor did not implement h << 3284 Since unchecked mount manipulation is n << 3285 as if move_mount(2) is unavailable. << 3286 699 3287 @ Don't check open/getattr permission on !! 700 /usr/lib/libccstools.so.2 >> 701 Fix policy unpacking when multiple namespaces exist. 3288 702 3289 syzbot found that use of SOCKET_I()->sk !! 703 Include linux/sched.h if sched.h does not provide CLONE_NEWNS. 3290 use after free problem, for socket's in << 3291 /proc/pid/fd/n despite destruction of S << 3292 704 3293 But there is no point with calling secu !! 705 Version 1.8.2p5 2011/09/16 Bug fix release. 
3294 because open("/proc/pid/fd/n", !O_PATH) << 3295 706 3296 There is some point with calling securi !! 707 /usr/sbin/ccs-editpolicy 3297 because stat("/proc/pid/fd/n") and fsta !! 708 Fix infinite recursion if "task auto_domain_transition" or 3298 are valid. But since information which !! 709 "task manual_domain_transition" entries are given to exception policy 3299 security_inode_getattr() on sockets is !! 710 using "acl_group" keyword. 3300 711 3301 Version 1.8.6 2019/08/20 Bug fix release. !! 712 Revert "Include linux/sched.h if sched.h does not provide CLONE_NEWNS" and >> 713 bring "#define _GNU_SOURCE" to the top. 3302 714 3303 Fix 2019/12/07 !! 715 Version 1.8.3 2011/09/29 Bug fix release. 3304 716 3305 @ Don't use nifty names on sockets. !! 717 Fix build failure with --as-needed option. 3306 718 3307 Revert "Don't check open/getattr permis !! 719 /usr/sbin/ccs-editpolicy 3308 get rid of special handling of sockets. !! 720 Handle domain transition preference. 3309 "socket:[family=\$:type=\$:protocol=\$] << 3310 rewritten to "socket:[\$]". << 3311 721 3312 Fix 2020/04/09 !! 722 /usr/sbin/ccs-checkpolicy >> 723 Handle domain transition preference. 3313 724 3314 @ Fix wrong put_page() usage in ccs_dump_ !! 725 /usr/lib/libccstools.so.3 >> 726 Version bump. 3315 727 3316 ccs_dump_page() for 5.6+ was by error u !! 728 Version 1.8.3p1 2011/10/25 Bug fix release. 3317 729 3318 Fix 2020/05/01 !! 730 /usr/sbin/ccs-queryd >> 731 Use query id rather than global PID when reading or updating target >> 732 process's domain policy (this change requires updated ccs-patch ). 3319 733 3320 @ Loosen domainname validation and pathna !! 734 /usr/lib/ccs/init_policy >> 735 Add "socket:[family=\\$:type=\\$:protocol=\\$]" to ANY_PATHNAME group. 3321 736 3322 Currently a domainname must start with !! 737 Version 1.8.3p2 2012/03/01 Bug fix release. 3323 zero or more repetitions of a pathname << 3324 738 3325 But situation is getting more and more !! 
739 /usr/sbin/ccs-editpolicy 3326 a pathname which starts with '/', for e !! 740 Print number of selected entries if any. 3327 on e.g. some filesystems cause ccs_real << 3328 in "$fsname:/$pathname" format. << 3329 741 3330 Fortunately, since $fsname must not con !! 742 Version 1.8.3p3 2012/04/14 Bug fix release. 3331 we can recognize a token which appears << 3332 proc:/self/exe ) as a pathname and a to << 3333 '/' appears (e.g. exec.realpath="/bin/b << 3334 with an exception that a pathname canno << 3335 auto_domain_transition=" because it is << 3336 for on-match domain transition. Also, w << 3337 followed by such tokens (e.g. <kernel> << 3338 a domainname. << 3339 743 3340 Version 1.8.7 2020/05/05 Usability enhanc !! 744 Rename root of source tree from ccstools to ccs-tools. 3341 745 3342 Fix 2020/07/22 !! 746 /sbin/ccs-init >> 747 Parse statistics lines correctly. 3343 748 3344 @ Fix domain transition preference. !! 749 /usr/lib/libccstools.so >> 750 Fix IP address parsing. 3345 751 3346 The domain transition preference which !! 752 Version 1.8.3p4 2012/08/05 Bug fix release. 3347 by error ignored since 1.8.3p4, for ccs << 3348 ccs_write_log2() from ccs_supervisor() << 3349 resets r->matched_acl to NULL. Change c << 3350 to reset r->matched_acl to NULL. << 3351 753 3352 Fix 2020/08/17 !! 754 /usr/sbin/ccs-checkpolicy >> 755 Fix namespace prefix parsing in exception policy. 3353 756 3354 @ Fix ccs_realpath() fallback. !! 757 Rename manpage for init_policy to ccs_init_policy >> 758 (to allow parallel installation of tomoyo-tools package). 3355 759 3356 ccs_realpath() for 3.17+ was by error n !! 760 Version 1.8.3p5 2013/02/14 Packaging fix release. 3357 when ccs_get_absolute_path() returned - << 3358 761 3359 Fix 2020/08/19 !! 762 Change Makefile's build flags, as suggested by Simon Ruderich and Hideki >> 763 Yamane. (Debian bug 674723) 3360 764 3361 @ Fix wrong ccs_search_binary_handler() m !! 
765 Change / to /* in rpm's %files section because Fedora 18 complains conflicts. 3362 766 3363 When support for 5.8 kernel was added, !! 767 Version 1.8.3p6 2013/04/06 Packaging fix release. 3364 3.7- was by error mapped to wrong funct << 3365 768 3366 Fix 2020/10/24 !! 769 Fix compile warning from clang. 3367 770 3368 @ Fix /proc pathname calculation for Linu !! 771 Version 1.8.3p7 2014/01/05 Bug fix release. 3369 772 3370 ccs_realpath() for 5.8+ was by error no !! 773 /usr/lib/ccs/init_policy 3371 calculating /proc pathname. !! 774 Add path to systemd , as suggested by Shawn Landden. 3372 775 3373 Version 1.8.8 2020/11/11 Fifteenth annive !! 776 /usr/sbin/ccs-queryd >> 777 Use poll() rather than select(). 3374 778 3375 Fix 2021/03/13 !! 779 Version 1.8.3p8 2014/06/01 Bug fix release. 3376 780 3377 @ Skip permission checks for fileless exe !! 781 /usr/sbin/ccs-editpolicy >> 782 Print "acl_group $N" correctly when using offline mode. 3378 783 3379 Kernels from 4.18 to 5.8 are using call !! 784 Version 1.8.3p9 2015/04/21 Bug fix release. 3380 starting program without a valid pathna << 3381 /sbin/modprobe from dockerd process cou << 3382 because ccs_symlink_path() cannot calcu << 3383 a valid pathname. Thus, allow call_user << 3384 permission checks and suppress domain t << 3385 785 3386 @ Fix ccs_kernel_service(). !! 786 /usr/sbin/ccs-editpolicy >> 787 Handle more optimization coverage. >> 788 Switch to previous screen by TAB key than switch between >> 789 exception policy screen and domain policy screen. >> 790 Redefine source code's symbol names. 3387 791 3388 Kernels from 5.5 to 5.11 are using PF_K !! 792 Programs for testing TOMOYO Linux's kernel have been updated. 3389 worker threads. << 3390 793 3391 Version 1.8.9 2021/04/01 Bug fix release. !! 794 Version 1.8.4 2015/05/05 Usability enhancement release. 3392 795 3393 Fix 2021/12/28 !! 796 Support multiple use_group entries (this change requires updated ccs-patch). 3394 797 3395 @ Check exceeded quota early. 
!! 798 Version 1.8.5 2015/11/11 Tenth anniversary release. 3396 799 3397 Backport commit 04e57a2d952bbd34 ("tomo !! 800 Limit wildcard recursion depth (this change recommends updated ccs-patch). 3398 tomoyo_domain_quota_is_ok().") and comm << 3399 hwight16() in tomoyo_domain_quota_is_ok << 3400 overhead of the learning mode. Note tha << 3401 explicitly delete "quota_exceeded" entr << 3402 to resume the learning mode. << 3403 801 3404 Fix 2024/03/31 !! 802 Version 1.8.5p1 2017/01/02 Bug fix release. 3405 803 3406 @ Fix a UAF bug introduced by an oversigh !! 804 /usr/sbin/ccs-editpolicy >> 805 Create namespaces when creating domains. >> 806 Add profile number when copying profiles. 3407 807 3408 Backport commit 2f03fc340cac ("tomoyo: !! 808 Version 1.8.6 2020/01/01 Bug fix release. 3409 tomoyo_write_control()"). << 3410 809 3411 Version 1.8.10 2024/04/01 Security bug fi !! 810 /usr/lib/ccs/init_policy >> 811 Remove "socket:[family=\\$:type=\\$:protocol=\\$]" from ANY_PATHNAME group. 3412 812 3413 Fix 2024/06/28 !! 813 Version 1.8.7 2020/05/05 Usability enhancement release. 3414 814 3415 @ Unblock move_mount() system call. !! 815 Loosen domainname validation and pathname validation (this change requires >> 816 updated ccs-patch). 3416 817 3417 Since util-linux 2.39 started using lib !! 818 Version 1.8.9 2021/09/10 Bug fix release. 3418 implementing appropriate permission che << 3419 necessary for successfully booting a Li << 3420 819 3421 Version 1.8.11 2024/07/15 Bug fix release !! 820 Add -DNCURSES_WIDECHAR=0 to programs using ncurses library. >> 821 ( https://lists.gnu.org/archive/html/bug-ncurses/2021-07/msg00021.html )
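The "any" keyword for initialize_domain/keep_domain (entry "Add a new keyword "any" for domain transition control" among the 1.8.0 changes above) and the per-"file execute" transition preference (Fix 2011/09/16) both answer the same question: which domain does a newly executed program land in. The C below is an added example, not code from ccs-patch or ccs-tools. It resolves that transition for a constructed exception policy. The precedence it applies (an explicit preference on the "file execute" line wins, then initialize_domain, then keep_domain, then the default child domain), the no_* directives overriding their positive counterparts, a "from" operand without a leading '<' being compared against the last pathname of the current domain, and the initialize target inheriting the current domain's namespace token are my reading of TOMOYO 1.8 behaviour; pathnames are compared literally, without wildcards.

```c
/* Added example: TOMOYO-style domain transition resolution for a constructed
 * exception policy. Not code from ccs-patch; the rule semantics are my reading
 * of TOMOYO 1.8 and programs are matched literally (no \* wildcards here). */
#include <stdio.h>
#include <string.h>

enum ctrl { INITIALIZE_DOMAIN, NO_INITIALIZE_DOMAIN, KEEP_DOMAIN, NO_KEEP_DOMAIN };

struct transition_rule {
    enum ctrl type;
    const char *program;  /* executed pathname, or "any" */
    const char *from;     /* "any", a "<namespace> ..." domainname, or a bare pathname
                           * compared against the current domain's last component */
};

/* Constructed exception policy: the two "any" directives the entry shows, plus a
 * no_keep_domain exception so that a shell spawned by sshd gets its own domain. */
static const struct transition_rule rules[] = {
    { INITIALIZE_DOMAIN, "/usr/sbin/sshd", "any" },
    { KEEP_DOMAIN,       "any",            "<kernel> /usr/sbin/sshd" },
    { NO_KEEP_DOMAIN,    "/bin/bash",      "<kernel> /usr/sbin/sshd" },
};

static const char *last_component(const char *domain)
{
    const char *sp = strrchr(domain, ' ');
    return sp ? sp + 1 : domain;
}

/* 1 if some rule of `type` matches this (domain, exec) pair. */
static int rule_hits(enum ctrl type, const char *domain, const char *exec)
{
    size_t i;
    for (i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const struct transition_rule *r = &rules[i];
        if (r->type != type)
            continue;
        if (strcmp(r->program, "any") && strcmp(r->program, exec))
            continue;
        if (!strcmp(r->from, "any") ||
            (r->from[0] == '<' && !strcmp(r->from, domain)) ||
            (r->from[0] != '<' && !strcmp(r->from, last_component(domain))))
            return 1;
    }
    return 0;
}

/* Resolve the domain `exec` will run in when executed from `domain`.
 * `pref` is the optional third operand of a "file execute" line: NULL (fall back
 * to the exception policy), "keep", "child", or an explicit "<namespace> ..." domainname.
 * Returns 0 and fills `out`; -1 on an unknown preference or truncated output. */
int next_domain(const char *domain, const char *exec, const char *pref,
                char *out, size_t outlen)
{
    int n;
    if (pref && pref[0] == '<') {                 /* jump to a named domain */
        n = snprintf(out, outlen, "%s", pref);
    } else if (pref && !strcmp(pref, "keep")) {
        n = snprintf(out, outlen, "%s", domain);
    } else if (pref && !strcmp(pref, "child")) {
        n = snprintf(out, outlen, "%s %s", domain, exec);
    } else if (pref) {
        return -1;
    } else if (rule_hits(INITIALIZE_DOMAIN, domain, exec) &&
               !rule_hits(NO_INITIALIZE_DOMAIN, domain, exec)) {
        /* initialize_domain restarts the domain directly under the caller's namespace */
        const char *sp = strchr(domain, ' ');
        int nslen = sp ? (int)(sp - domain) : (int)strlen(domain);
        n = snprintf(out, outlen, "%.*s %s", nslen, domain, exec);
    } else if (rule_hits(KEEP_DOMAIN, domain, exec) &&
               !rule_hits(NO_KEEP_DOMAIN, domain, exec)) {
        n = snprintf(out, outlen, "%s", domain);
    } else {                                      /* default: child domain */
        n = snprintf(out, outlen, "%s %s", domain, exec);
    }
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed execve() requests: current domain, program, "file execute" preference. */
    static const struct { const char *domain, *exec, *pref; } cases[] = {
        { "<kernel> /sbin/init",               "/usr/sbin/sshd",  NULL },
        { "<kernel> /usr/sbin/sshd",           "/usr/bin/id",     NULL },
        { "<kernel> /usr/sbin/sshd",           "/bin/bash",       NULL },
        { "<kernel> /usr/sbin/sshd /bin/bash", "/bin/ls",         "keep" },
        { "<kernel> /usr/sbin/sshd /bin/bash", "/usr/sbin/httpd", "<kernel> /usr/sbin/httpd" },
    };
    char buf[256];
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        if (next_domain(cases[i].domain, cases[i].exec, cases[i].pref, buf, sizeof buf) == 0)
            printf("%-36s exec %-16s -> %s\n", cases[i].domain, cases[i].exec, buf);
    return 0;
}
```

The no_keep_domain line is what the 2011/09/16 entry calls cumbersome: to give one program its own domain while everything else stays put, the exception policy needs a matching negative directive, whereas the later "file execute ... child" preference expresses the same thing on the execute line itself.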
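Fix 2012/02/29 ("Fix mount flags checking order") is about which operand a mount(2) permission check must look at when userspace passes several mode flags at once. The C below is an added example, not ccs-patch code. classify_fixed() applies the precedence the kernel's do_mount() dispatches in (MS_REMOUNT, then MS_BIND, then one of the propagation flags, then MS_MOVE, else a new mount); classify_old() applies the ordering the entry describes as buggy, reconstructed from its two sentences; checks_dev_name() shows the consequence of getting it wrong: a bind mount whose source directory is never checked, or a remount whose arbitrary device string is checked and logged. propagation_flags_valid() encodes the kernel's rule that exactly one propagation flag may be set. The flag values are the Linux uapi constants, defined locally so the file builds without <sys/mount.h>.

```c
/* Added example (not ccs-patch code): mount(2) mode-flag precedence and what
 * each order makes a permission check look at. */
#include <stdio.h>

/* Linux uapi values (include/uapi/linux/mount.h), defined here so that the
 * example also builds on systems without <sys/mount.h>. */
#ifndef MS_REMOUNT
#define MS_REMOUNT     32UL
#endif
#ifndef MS_BIND
#define MS_BIND        4096UL
#endif
#ifndef MS_MOVE
#define MS_MOVE        8192UL
#endif
#ifndef MS_UNBINDABLE
#define MS_UNBINDABLE  (1UL << 17)
#endif
#ifndef MS_PRIVATE
#define MS_PRIVATE     (1UL << 18)
#endif
#ifndef MS_SLAVE
#define MS_SLAVE       (1UL << 19)
#endif
#ifndef MS_SHARED
#define MS_SHARED      (1UL << 20)
#endif
#define MS_PROPAGATION (MS_SHARED | MS_PRIVATE | MS_SLAVE | MS_UNBINDABLE)

enum mount_op { MOUNT_NEW, MOUNT_REMOUNT, MOUNT_BIND, MOUNT_CHANGE_TYPE, MOUNT_MOVE };

/* The order do_mount() dispatches in: remount > bind > propagation change > move > new. */
enum mount_op classify_fixed(unsigned long flags)
{
    if (flags & MS_REMOUNT)     return MOUNT_REMOUNT;
    if (flags & MS_BIND)        return MOUNT_BIND;
    if (flags & MS_PROPAGATION) return MOUNT_CHANGE_TYPE;
    if (flags & MS_MOVE)        return MOUNT_MOVE;
    return MOUNT_NEW;
}

/* The order the ChangeLog entry describes as buggy: propagation flags beat
 * MS_BIND, and MS_BIND/MS_MOVE beat MS_REMOUNT (reconstructed from the entry). */
enum mount_op classify_old(unsigned long flags)
{
    if (flags & MS_PROPAGATION) return MOUNT_CHANGE_TYPE;
    if (flags & MS_BIND)        return MOUNT_BIND;
    if (flags & MS_MOVE)        return MOUNT_MOVE;
    if (flags & MS_REMOUNT)     return MOUNT_REMOUNT;
    return MOUNT_NEW;
}

/* Whether the device-name operand carries anything a policy must check: the
 * device of a new mount or the source directory of a bind/move. For a remount
 * or a propagation change the kernel ignores it, so checking it can only
 * produce spurious denials and misleading audit records. */
int checks_dev_name(enum mount_op op)
{
    return op == MOUNT_NEW || op == MOUNT_BIND || op == MOUNT_MOVE;
}

/* do_change_type() accepts exactly one propagation flag and rejects the rest
 * with -EINVAL, so a check should not record "shared+private" as a valid request. */
int propagation_flags_valid(unsigned long flags)
{
    unsigned long t = flags & MS_PROPAGATION;
    return t != 0 && (t & (t - 1)) == 0;
}

static const char *op_name(enum mount_op op)
{
    static const char *const names[] = { "new", "remount", "bind", "change-type", "move" };
    return names[op];
}

int main(void)
{
    /* Constructed flag combinations, including the two the entry describes. */
    const unsigned long cases[] = { MS_BIND | MS_SHARED, MS_REMOUNT | MS_MOVE,
                                    MS_SHARED, MS_SHARED | MS_PRIVATE, 0 };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        enum mount_op fixed = classify_fixed(cases[i]), old = classify_old(cases[i]);
        printf("flags 0x%06lx: fixed=%-11s dev checked=%d | old=%-11s dev checked=%d | "
               "propagation valid=%d\n", cases[i], op_name(fixed), checks_dev_name(fixed),
               op_name(old), checks_dev_name(old), propagation_flags_valid(cases[i]));
    }
    return 0;
}
```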
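Fix 2015/11/10 ("Limit wildcard recursion depth") notes that wildcards which need recursion consume kernel stack, so recursion cannot be allowed to run unbounded. The matcher below is an added example, not code from ccs-patch. It implements three of TOMOYO's pathname wildcards (\* for any run of characters other than '/', \? for one such character, \$ for one or more decimal digits) and counts recursion depth, which here grows by one for each \* or \$ consumed along the current attempt; when the next wildcard would push it past MAX_RECURSION_DEPTH (an arbitrary value chosen for this example, not TOMOYO's limit) it returns -1 so the caller can fail closed instead of overflowing the stack. The remaining TOMOYO wildcards and its octal escapes are out of scope.

```c
/* Added example (not ccs-patch code): a depth-limited matcher for the TOMOYO
 * wildcards \*, \? and \$ that refuses, rather than recurses, past a cap. */
#include <ctype.h>
#include <stdio.h>

#define MAX_RECURSION_DEPTH 8   /* example value; not the limit TOMOYO uses */

static int match(const char *f, const char *p, int depth)
{
    while (*p) {
        if (*p != '\\') {                       /* ordinary character: must match exactly */
            if (*f != *p)
                return 0;
            f++; p++;
            continue;
        }
        switch (p[1]) {
        case '\\':                              /* "\\" is a literal backslash */
            if (*f != '\\')
                return 0;
            f++; p += 2;
            break;
        case '?':                               /* one character, never '/' */
            if (!*f || *f == '/')
                return 0;
            f++; p += 2;
            break;
        case '*': {                             /* zero or more characters, none '/' */
            int r;
            if (depth >= MAX_RECURSION_DEPTH)
                return -1;
            p += 2;
            for (;;) {
                r = match(f, p, depth + 1);     /* shortest expansion first */
                if (r)
                    return r;                   /* 1 = matched, -1 = depth exceeded */
                if (!*f || *f == '/')
                    return 0;
                f++;
            }
        }
        case '$': {                             /* one or more decimal digits */
            int r;
            if (!isdigit((unsigned char)*f))
                return 0;
            if (depth >= MAX_RECURSION_DEPTH)
                return -1;
            p += 2;
            while (isdigit((unsigned char)*f)) {
                f++;
                r = match(f, p, depth + 1);
                if (r)
                    return r;
            }
            return 0;
        }
        default:                                /* escape not supported by this example */
            return 0;
        }
    }
    return *f == '\0';                          /* pattern exhausted: path must be too */
}

/* 1 if `path` matches `pattern`, 0 if not, -1 if matching would recurse too deeply.
 * A permission check treats -1 as "no match": deny, and flag the pattern. */
int path_matches(const char *path, const char *pattern)
{
    return match(path, pattern, 0);
}

int main(void)
{
    /* Constructed paths and patterns; the last pattern has more \* than the cap allows. */
    static const char *const cases[][2] = {
        { "/var/www/html/index.html",     "/var/www/html/\\*.html" },
        { "/var/www/html/sub/index.html", "/var/www/html/\\*.html" },
        { "/proc/123/status",             "/proc/\\$/status" },
        { "/proc/self/status",            "/proc/\\$/status" },
        { "/tmp/logrotate.abcdef",        "/tmp/logrotate.\\?\\?\\?\\?\\?\\?" },
        { "/x",                           "/\\*\\*\\*\\*\\*\\*\\*\\*\\*x" },
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-30s ~ %-32s -> %d\n", cases[i][0], cases[i][1],
               path_matches(cases[i][0], cases[i][1]));
    return 0;
}
```

Depth is tied to the number of wildcards stacked along one attempt rather than to the path length, because each \* or \$ is expanded iteratively in place and only the remainder of the pattern is handled by a deeper call; that is what keeps a long filename cheap while still bounding a pattern built from many consecutive wildcards.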
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.