1 Notes for TOMOYO Linux project 1 Notes for TOMOYO Linux project
2 2
3 This is a handy Mandatory Access Control patch 3 This is a handy Mandatory Access Control patch for Linux kernels.
4 This patch is released under the GPLv2. 4 This patch is released under the GPLv2.
5 5
6 Project URL: https://tomoyo.sourceforge.net/ 6 Project URL: https://tomoyo.sourceforge.net/
7 7
8 The authors of this patch (hereafter, we) don' 8 The authors of this patch (hereafter, we) don't have much experience
9 in kernel programming. We are worried that thi 9 in kernel programming. We are worried that this patch would contain
10 some mistakes such as missing hooks, improper 10 some mistakes such as missing hooks, improper location of hooks,
11 potential deadlocks. There would be better way 11 potential deadlocks. There would be better way of implementation.
12 All kinds of comments, pointing the errors and 12 All kinds of comments, pointing the errors and suggestions are welcome.
13 13
14 We do hope this patch reduces the labor of ser 14 We do hope this patch reduces the labor of server security management
15 and you enjoy the life with Linux. 15 and you enjoy the life with Linux.
16 16
17 This project was very inspired by the comic "C 17 This project was very inspired by the comic "Card Captor SAKURA",
18 one of the CLAMP's masterworks. 18 one of the CLAMP's masterworks.
19 19
20 ChangeLog: 20 ChangeLog:
21 21
22 Version 1.0 2005/11/11 First release. 22 Version 1.0 2005/11/11 First release.
23 23
24 Fix 2005/11/18 24 Fix 2005/11/18
25 25
26 @ Add setattr() missing hook in SYAORAN fs 26 @ Add setattr() missing hook in SYAORAN fs.
27 27
28 setattr() checking for special inode was 28 setattr() checking for special inode was missing.
29 29
30 Fix 2005/11/25 30 Fix 2005/11/25
31 31
32 @ Allow initrd.img include /sbin/init . 32 @ Allow initrd.img include /sbin/init .
33 33
34 Since version 1.0 loads policy when /sbi 34 Since version 1.0 loads policy when /sbin/init is called
35 for the first time, initrd.img without t 35 for the first time, initrd.img without the policy directory
36 mustn't start /sbin/init . This forced u 36 mustn't start /sbin/init . This forced users not to use
37 initrd.img that includes /sbin/init . 37 initrd.img that includes /sbin/init .
38 I modified to delay loading policy if th 38 I modified to delay loading policy if the policy directory
39 doesn't exist and wait for /sbin/init be 39 doesn't exist and wait for /sbin/init being called again.
40 40
41 Fix 2005/12/02 41 Fix 2005/12/02
42 42
43 @ Use lookup_one_len() instead of lookup_h 43 @ Use lookup_one_len() instead of lookup_hash().
44 44
45 Kernel 2.6.15 changed parameters for loo 45 Kernel 2.6.15 changed parameters for lookup_hash().
46 I modified to use lookup_one_len() to ke 46 I modified to use lookup_one_len() to keep compatibility.
47 47
48 Fix 2005/12/06 48 Fix 2005/12/06
49 49
50 @ Add S_ISDIR() check in SYAORAN fs. 50 @ Add S_ISDIR() check in SYAORAN fs.
51 51
52 Malicious configuration file that attemp 52 Malicious configuration file that attempts to create an inode
53 under non-directory inode caused segment 53 under non-directory inode caused segmentation fault.
54 54
55 Version 1.0.1 2005/12/08 Minor update releas 55 Version 1.0.1 2005/12/08 Minor update release.
56 56
57 Fix 2006/01/04 57 Fix 2006/01/04
58 58
59 @ Add CheckWritePermission() check in unix 59 @ Add CheckWritePermission() check in unix_bind().
60 60
61 I modified to check write permission in 61 I modified to check write permission in unix_bind(), for
62 sys_mknod(S_IFSOCK) checks write permiss 62 sys_mknod(S_IFSOCK) checks write permission.
63 63
64 @ Show hook version in proc_misc_init(). 64 @ Show hook version in proc_misc_init().
65 65
66 The hook part of this patch depends on t 66 The hook part of this patch depends on the kernel's version,
67 while the rest part of this patch doesn' 67 while the rest part of this patch doesn't.
68 I added the hook version so that the adm 68 I added the hook version so that the administrator can
69 know the last modified date of the hooks 69 know the last modified date of the hooks.
70 70
71 @ Move permission checks from filp_open() 71 @ Move permission checks from filp_open() to open_namei().
72 72
73 I moved the location of checking MAC's p 73 I moved the location of checking MAC's permission
74 from filp_open() to open_namei(). 74 from filp_open() to open_namei().
75 75
76 @ Fix an error in filp_open(). (only 2.6. 76 @ Fix an error in filp_open(). (only 2.6.15-rc5)
77 77
78 This error was only in the patch 2.6.15- 78 This error was only in the patch 2.6.15-rc5 and
79 was fixed in the patch for 2.6.15. 79 was fixed in the patch for 2.6.15.
80 80
81 Fix 2006/01/12 81 Fix 2006/01/12
82 82
83 @ Add /proc/ccs/info/self_domain. 83 @ Add /proc/ccs/info/self_domain.
84 84
85 I added /proc/ccs/info/self_domain so th 85 I added /proc/ccs/info/self_domain so that the userland programs
86 can know the name of domain they belong 86 can know the name of domain they belong to if necessary.
87 87
88 Fix 2006/01/13 88 Fix 2006/01/13
89 89
90 @ Merge constants for CheckTaskCapability( 90 @ Merge constants for CheckTaskCapability().
91 91
92 I merged *_INHERITABLE_* and *_LOCAL_* t 92 I merged *_INHERITABLE_* and *_LOCAL_* to avoid always
93 calling CheckTaskCapability() with both 93 calling CheckTaskCapability() with both constants.
94 94
95 @ DropTaskCapability() returns -EAGAIN on 95 @ DropTaskCapability() returns -EAGAIN on success.
96 96
97 DropTaskCapability() must not return 0 o 97 DropTaskCapability() must not return 0 on success, for
98 DropTaskCapability() is called from do_e 98 DropTaskCapability() is called from do_execve().
99 99
100 @ Fix an error for chroot() permission che 100 @ Fix an error for chroot() permission check.
101 101
102 The chroot() restriction was not working 102 The chroot() restriction was not working due to the following mistake.
103 CheckChRootPermission() || CheckTaskCapa 103 CheckChRootPermission() || CheckTaskCapability() returns 0 or 1, while
104 CheckChRootPermission() | CheckTaskCapab 104 CheckChRootPermission() | CheckTaskCapability() returns 0 or -EPERM.
105 105
106 Fix 2006/01/17 106 Fix 2006/01/17
107 107
108 @ Suppress some of debug messages in TOMOY 108 @ Suppress some of debug messages in TOMOYO.
109 109
110 I added KERN_DEBUG to suppress some of d 110 I added KERN_DEBUG to suppress some of debug messages.
111 111
112 Fix 2006/01/19 112 Fix 2006/01/19
113 113
114 @ Remove isRoot() checks in AddChrootACL() 114 @ Remove isRoot() checks in AddChrootACL() and AddMountACL().
115 115
116 I found a program that needs to chroot b 116 I found a program that needs to chroot by non-root.
117 So, I stopped checking uid=euid=0 for th 117 So, I stopped checking uid=euid=0 for these functions so that
118 "accept mode" can append ACLs. 118 "accept mode" can append ACLs.
119 The isRoot() is checked at AddChrootPoli 119 The isRoot() is checked at AddChrootPolicy() and AddMountPolicy().
120 120
121 @ Map NULL device name to "<NULL>" in AddM 121 @ Map NULL device name to "<NULL>" in AddMountACL().
122 122
123 VMware mounts vmware-hgfs with NULL devi 123 VMware mounts vmware-hgfs with NULL device name.
124 So I mapped NULL device name to "<NULL>" 124 So I mapped NULL device name to "<NULL>".
125 125
126 Fix 2006/01/20 126 Fix 2006/01/20
127 127
128 @ Suppress some of debug messages in SAKUR 128 @ Suppress some of debug messages in SAKURA.
129 129
130 I added KERN_DEBUG to suppress some of d 130 I added KERN_DEBUG to suppress some of debug messages.
131 131
132 @ Call panic() if failed to load given pro 132 @ Call panic() if failed to load given profile.
133 133
134 Call panic() if profile index was given 134 Call panic() if profile index was given via CCS= parameter
135 but the profile doesn't exist. 135 but the profile doesn't exist.
136 If CCS= parameter is not given, the kern 136 If CCS= parameter is not given, the kernel attempts to load
137 profile 0, but it doesn't call panic() i 137 profile 0, but it doesn't call panic() if profile 0 doesn't exist.
138 138
139 Fix 2006/01/24 139 Fix 2006/01/24
140 140
141 @ Use full_name_hash() for IsGloballyReada 141 @ Use full_name_hash() for IsGloballyReadableFile().
142 142
143 I modified to use full_name_hash() for f 143 I modified to use full_name_hash() for faster scan.
144 144
145 @ Add signal checking condition in CheckSi 145 @ Add signal checking condition in CheckSignalACL().
146 146
147 The documentation says "if the target do 147 The documentation says "if the target domain's domainname
148 starts with the source domain's domainna 148 starts with the source domain's domainname, it is always granted"
149 but actually it isn't. I'll change the d 149 but actually it isn't. I'll change the documentation instead of
150 changing the source code. 150 changing the source code.
151 151
152 Also, checking for pid = -1 was missing. 152 Also, checking for pid = -1 was missing. This error was fixed.
153 153
154 Fix 2006/02/09 154 Fix 2006/02/09
155 155
156 @ Use mutex_lock()/mutex_unlock instead of 156 @ Use mutex_lock()/mutex_unlock instead of down()/up().
157 157
158 Kernel 2.6.16 changed members of "struct 158 Kernel 2.6.16 changed members of "struct inode".
159 I modified to use mutex_lock()/mutex_unl 159 I modified to use mutex_lock()/mutex_unlock() for after 2.6.16
160 and down()/up() for before 2.6.16. 160 and down()/up() for before 2.6.16.
161 161
162 Version 1.0.2 2006/02/14 Many bug-fixes rele 162 Version 1.0.2 2006/02/14 Many bug-fixes release.
163 163
164 Fix 2006/02/21 164 Fix 2006/02/21
165 165
166 @ Divide generic-write permission into ind 166 @ Divide generic-write permission into individual write permissions.
167 167
168 Write permission was divided into the fo 168 Write permission was divided into the following permissions.
169 169
170 'mkdir' for creating directory. 170 'mkdir' for creating directory.
171 'rmdir' for deleting directory. 171 'rmdir' for deleting directory.
172 'create' for creating regular file. 172 'create' for creating regular file.
173 'unlink' for deleting non-directory. 173 'unlink' for deleting non-directory.
174 'mksock' for creating UNIX domain soc 174 'mksock' for creating UNIX domain socket.
175 'mkfifo' for creating FIFO. 175 'mkfifo' for creating FIFO.
176 'mkchar' for creating character devic 176 'mkchar' for creating character device.
177 'mkblock' for creating block device. 177 'mkblock' for creating block device.
178 'link' for creating hard link. 178 'link' for creating hard link.
179 'symlink' for creating symbolic link. 179 'symlink' for creating symbolic link.
180 'rename' for renaming directory or no 180 'rename' for renaming directory or non-directory.
181 'truncate' for truncating regular file. 181 'truncate' for truncating regular file.
182 182
183 The permission check for opening files i 183 The permission check for opening files is done using
184 conventional read/write/execute permissi 184 conventional read/write/execute permission.
185 185
186 @ Add /proc/ccs/info/mapping. 186 @ Add /proc/ccs/info/mapping.
187 187
188 I added /proc/ccs/info/mapping so that t 188 I added /proc/ccs/info/mapping so that the userland programs
189 can know the mapping of individual write 189 can know the mapping of individual write permissions.
190 190
191 Fix 2006/02/27 191 Fix 2006/02/27
192 192
193 @ Fix handling of trailing '\*' in PathMat 193 @ Fix handling of trailing '\*' in PathMatchesToPattern().
194 194
195 PathMatchesToPattern("/tmp/", "/tmp/\*") 195 PathMatchesToPattern("/tmp/", "/tmp/\*") returned true
196 because "\*" matches "zero or more repet 196 because "\*" matches "zero or more repetitions of characters
197 until '/' or end". But since this is a c 197 until '/' or end". But since this is a comparison between
198 directory and non-directory, this should 198 directory and non-directory, this should not match.
199 199
200 This behavior causes the following secur 200 This behavior causes the following security risks.
201 In enforce mode, allowing "2 /tmp/\*" gr 201 In enforce mode, allowing "2 /tmp/\*" grants
202 "mkdir /tmp/" and "rmdir /tmp/" which sh 202 "mkdir /tmp/" and "rmdir /tmp/" which should be
203 granted only when "2 /tmp/" is allowed. 203 granted only when "2 /tmp/" is allowed.
204 In accept mode, "mkdir /tmp/" or "rmdir 204 In accept mode, "mkdir /tmp/" or "rmdir /tmp/" appends
205 "2 /tmp/\*" into the domain policy if "f 205 "2 /tmp/\*" into the domain policy if "file_pattern /tmp/\*"
206 is in the exception policy. 206 is in the exception policy.
207 207
208 I changed not to ignore trailing '\*' in 208 I changed not to ignore trailing '\*' in the pattern
209 if pathname ends with '/'. 209 if pathname ends with '/'.
210 210
211 Fix 2006/03/01 211 Fix 2006/03/01
212 212
213 @ Add missing spinlock in GetAbsolutePath( 213 @ Add missing spinlock in GetAbsolutePath().
214 214
215 vfsmount_lock was missing. 215 vfsmount_lock was missing.
216 216
217 Fix 2006/03/08 217 Fix 2006/03/08
218 218
219 @ Add support for "shared subtree" mount o 219 @ Add support for "shared subtree" mount operations.
220 220
221 Kernel 2.6.15 introduced "shared subtree 221 Kernel 2.6.15 introduced "shared subtree" functionality.
222 But CheckMountPermission() couldn't reco 222 But CheckMountPermission() couldn't recognize flags for
223 do_change_type(). 223 do_change_type().
224 224
225 @ Add support for more mount flags. 225 @ Add support for more mount flags.
226 226
227 atime/noatime, diratime/nodiratime, recu 227 atime/noatime, diratime/nodiratime, recurse/norecurse flags
228 are supported. 228 are supported.
229 229
230 Fix 2006/03/20 230 Fix 2006/03/20
231 231
232 @ Check port numbers for only AF_INET/AF_I 232 @ Check port numbers for only AF_INET/AF_INET6.
233 233
234 CheckBindEntry() and CheckConnectEntry() 234 CheckBindEntry() and CheckConnectEntry() should check port numbers
235 only when the given address family is ei 235 only when the given address family is either AF_INET or AF_INET6,
236 for address family such as AF_UNSPEC cou 236 for address family such as AF_UNSPEC could be passed to bind()
237 and connect() for PF_INET/PF_INET6 socke 237 and connect() for PF_INET/PF_INET6 sockets.
238 238
239 Fix 2006/03/27 239 Fix 2006/03/27
240 240
241 @ Use /proc/self/ rather than /proc/\$/ fo 241 @ Use /proc/self/ rather than /proc/\$/ for current process.
242 242
243 GetAbsolutePath() now uses "self" instea 243 GetAbsolutePath() now uses "self" instead of pid
244 if current process refers to information 244 if current process refers to information related to itself.
245 This exception violates the rule "TOMOYO 245 This exception violates the rule "TOMOYO Linux's pathnames don't
246 contain symbolic links before the last ' 246 contain symbolic links before the last '/'", but I think it worth
247 to do so. The following are the merits g 247 to do so. The following are the merits gained by this exception.
248 248
249 Prevent administrators from granting red 249 Prevent administrators from granting redundant permissions
250 when a process needs to refer to only cu 250 when a process needs to refer to only current process's information.
251 251
252 Allow administrators make current proces 252 Allow administrators make current process's information always
253 readable using 'allow_read' directive. 253 readable using 'allow_read' directive.
254 254
255 Version 1.1 2006/04/01 Functionality enhan 255 Version 1.1 2006/04/01 Functionality enhancement release.
256 256
257 Fix 2006/04/03 257 Fix 2006/04/03
258 258
259 @ Use queue instead of fixed sized array f 259 @ Use queue instead of fixed sized array for audit log.
260 260
261 WriteAuditLog() now uses queue to save s 261 WriteAuditLog() now uses queue to save statically allocated memory.
262 Administrators can give any size for aud 262 Administrators can give any size for audit logs at runtime.
263 263
264 @ Use kzalloc() instead of kmalloc() + mem 264 @ Use kzalloc() instead of kmalloc() + memset().
265 265
266 kmalloc() + memset() were replaced with 266 kmalloc() + memset() were replaced with kzalloc().
267 267
268 Fix 2006/04/04 268 Fix 2006/04/04
269 269
270 @ Support "delayed enforcing" mode. 270 @ Support "delayed enforcing" mode.
271 271
272 Until now, access request was immediatel 272 Until now, access request was immediately rejected
273 if policy doesn't allow that access and 273 if policy doesn't allow that access and the system is
274 running in enforce mode. 274 running in enforce mode.
275 Sometimes, especially after updating sof 275 Sometimes, especially after updating softwares,
276 some unexpected access requests arise fr 276 some unexpected access requests arise from proper procedure.
277 Such access requests should be granted b 277 Such access requests should be granted because
278 they are not caused by malicious attacks 278 they are not caused by malicious attacks.
279 So I introduced a mechanism to allow adm 279 So I introduced a mechanism to allow administrator some grace
280 to decide to grant or reject such access 280 to decide to grant or reject such access requests.
281 This mechanism is implemented in the fol 281 This mechanism is implemented in the following manner.
282 "Don't return immediately if permissio 282 "Don't return immediately if permission denied."
283 "Sleep for a while waiting administrat 283 "Sleep for a while waiting administrator's decision."
284 "Return successfully if administrator 284 "Return successfully if administrator tells to do so."
285 285
286 Fix 2006/04/12 286 Fix 2006/04/12
287 287
288 @ Fix handling of prefix in GetAbsolutePat 288 @ Fix handling of prefix in GetAbsolutePath().
289 289
290 Some objects doesn't have prefix "/". 290 Some objects doesn't have prefix "/".
291 Pipe has prefix "pipe:" and socket has p 291 Pipe has prefix "pipe:" and socket has prefix "socket:".
292 GetAbsolutePath() couldn't handle prefix 292 GetAbsolutePath() couldn't handle prefixes other than '/' properly.
293 293
294 @ Remove IsCorrectPath() checks for File A 294 @ Remove IsCorrectPath() checks for File Access Control functions.
295 295
296 File Access Control functions accepted o 296 File Access Control functions accepted only pathnames that start
297 with '/' because these functions assumed 297 with '/' because these functions assumed pathnames returned by
298 GetAbsolutePath() always start with '/'. 298 GetAbsolutePath() always start with '/'.
299 However, I found a program that opens an 299 However, I found a program that opens an unnamed pipe via
300 (probably) /proc/PID/fd/ directory. (You 300 (probably) /proc/PID/fd/ directory. (You can see entries like
301 "pipe:[number]" if you run "ls -l /proc/ 301 "pipe:[number]" if you run "ls -l /proc/*/fd/".)
302 Now, File Access Control functions have 302 Now, File Access Control functions have to accept pathnames
303 that don't start with '/'. So, I stopped 303 that don't start with '/'. So, I stopped checking IsCorrectPath().
304 304
305 Fix 2006/04/19 305 Fix 2006/04/19
306 306
307 @ Fix handling of NULL nameidata in vfs_op 307 @ Fix handling of NULL nameidata in vfs_open().
308 308
309 In 2.6 kernels, NFS daemon and sys_mq_op 309 In 2.6 kernels, NFS daemon and sys_mq_open() call
310 vfs_create() with NULL nameidata. In suc 310 vfs_create() with NULL nameidata. In such cases,
311 CheckSingleWritePermission() must not be 311 CheckSingleWritePermission() must not be called.
312 312
313 Version 1.1.1 2006/05/15 Functionality enhan 313 Version 1.1.1 2006/05/15 Functionality enhancement release.
314 314
315 Fix 2006/05/16 315 Fix 2006/05/16
316 316
317 @ Support program files aggregation. 317 @ Support program files aggregation.
318 318
319 Until now, programs that have no fixed n 319 Until now, programs that have no fixed names and their
320 parent programs had to be run in a trust 320 parent programs had to be run in a trusted domain
321 since it is impossible to use patterns f 321 since it is impossible to use patterns for granting
322 execute permission and defining domains. 322 execute permission and defining domains.
323 I introduced a mechanism to aggregate si 323 I introduced a mechanism to aggregate similar programs
324 using 'aggregator' directive. 324 using 'aggregator' directive.
325 Some examples: 325 Some examples:
326 326
327 'aggregator /tmp/logrotate.\?\?\?\?\?\ 327 'aggregator /tmp/logrotate.\?\?\?\?\?\? /tmp/logrotate.tmp'
328 to run all temporary programs for logr 328 to run all temporary programs for logrotate as /tmp/logrotate.tmp
329 329
330 'aggregator /usr/bin/tac /bin/cat' 330 'aggregator /usr/bin/tac /bin/cat'
331 to run /usr/bin/tac and /bin/cat as /b 331 to run /usr/bin/tac and /bin/cat as /bin/cat
332 332
333 Fix 2006/05/18 333 Fix 2006/05/18
334 334
335 @ Unlimit max count for audit log. 335 @ Unlimit max count for audit log.
336 336
337 I forgot to replace MAX_GRANT_LOG and MA 337 I forgot to replace MAX_GRANT_LOG and MAX_REJECT_LOG with INT_MAX
338 so that administrators can give any size 338 so that administrators can give any size for audit logs at runtime.
339 339
340 Fix 2006/05/22 340 Fix 2006/05/22
341 341
342 @ Support individual domain ACL removal. 342 @ Support individual domain ACL removal.
343 343
344 Until now, to remove ACLs from a domain, 344 Until now, to remove ACLs from a domain, administrator had to
345 once delete and recreate that domain, wh 345 once delete and recreate that domain, which wastes a lot of memory.
346 I introduced a mechanism to remove domai 346 I introduced a mechanism to remove domain ACL without deleting and
347 recreating domains. 347 recreating domains.
348 Administrator can delete domains or remo 348 Administrator can delete domains or remove ACLs from domains
349 via /proc/ccs/policy/domain_policy . 349 via /proc/ccs/policy/domain_policy .
350 /proc/ccs/policy/delete_domain and /proc 350 /proc/ccs/policy/delete_domain and /proc/ccs/policy/update_domain
351 were removed. 351 were removed.
352 352
353 Fix 2006/05/30 353 Fix 2006/05/30
354 354
355 @ Add missing spinlock in SAKURA_MayMount( 355 @ Add missing spinlock in SAKURA_MayMount().
356 356
357 vfsmount_lock was missing. 357 vfsmount_lock was missing.
358 358
359 Version 1.1.2 2006/06/02 Functionality enhan 359 Version 1.1.2 2006/06/02 Functionality enhancement release.
360 360
361 Fix 2006/06/13 361 Fix 2006/06/13
362 362
363 @ Merge tomoyo_connect.c and tomoyo_bind.c 363 @ Merge tomoyo_connect.c and tomoyo_bind.c into tomoyo_port.c
364 364
365 I merged these files that have only diff 365 I merged these files that have only difference CONNECT and BIND,
366 that are likely to be enabled both or ne 366 that are likely to be enabled both or neither.
367 367
368 @ Add CONFIG_TOMOYO_AUDIT option. 368 @ Add CONFIG_TOMOYO_AUDIT option.
369 369
370 I made auditing functions as optional be 370 I made auditing functions as optional because some Linux boxes
371 may have not enough disk space to store 371 may have not enough disk space to store audit logs.
372 372
373 Fix 2006/06/15 373 Fix 2006/06/15
374 374
375 @ Support use of symbolic links for progra 375 @ Support use of symbolic links for program execution.
376 376
377 Until now, domains for programs executed 377 Until now, domains for programs executed by dereferencing
378 symbolic links were defined using derefe 378 symbolic links were defined using dereferenced pathnames.
379 This was inconvenient for some Linux box 379 This was inconvenient for some Linux boxes who use busybox but
380 can't keep hard links of busybox. 380 can't keep hard links of busybox.
381 I introduced a mechanism to allow using 381 I introduced a mechanism to allow using pathnames of
382 symbolic links using 'alias' directive. 382 symbolic links using 'alias' directive.
383 Some examples: 383 Some examples:
384 384
385 'alias /sbin/busybox /bin/ls' to run / 385 'alias /sbin/busybox /bin/ls' to run /bin/ls
386 (which is a symbolic link to /sbin/bus 386 (which is a symbolic link to /sbin/busybox) as /bin/ls
387 if /bin/ls is executed. 387 if /bin/ls is executed.
388 388
389 'alias /bin/bash /bin/sh' to run /bin/ 389 'alias /bin/bash /bin/sh' to run /bin/sh
390 (which is a symbolic link to /bin/bash 390 (which is a symbolic link to /bin/bash) as /bin/sh
391 if /bin/sh is executed. 391 if /bin/sh is executed.
392 392
393 Fix 2006/06/21 393 Fix 2006/06/21
394 394
395 @ Use ccs_alloc() instead of kzalloc(). 395 @ Use ccs_alloc() instead of kzalloc().
396 396
397 To detect memory leaks, 397 To detect memory leaks,
398 I added a wrapper for tracing kmalloc() 398 I added a wrapper for tracing kmalloc() and kfree().
399 There is no way to detect memory leaks c 399 There is no way to detect memory leaks caused by ccs-*.txt .
400 400
401 Version 1.1.3 2006/07/13 Functionality enhan 401 Version 1.1.3 2006/07/13 Functionality enhancement release.
402 402
403 Fix 2006/07/14 403 Fix 2006/07/14
404 404
405 @ Change behavior of pathname pattern matc 405 @ Change behavior of pathname pattern matching.
406 406
407 Until now, it was impossible to use patt 407 Until now, it was impossible to use patterns like "\*.txt" because
408 "\*" matched zero or more repetitions of 408 "\*" matched zero or more repetitions of characters until next '/'.
409 Now, "\*" matches zero or more repetitio 409 Now, "\*" matches zero or more repetitions of characters.
410 410
411 Until now, it was impossible to use patt 411 Until now, it was impossible to use patterns like "\$00"
412 because "\$" matched one or more repetit 412 because "\$" matched one or more repetitions of digits until next
413 non digit character. 413 non digit character.
414 Now, "\$" matches one or more repetition 414 Now, "\$" matches one or more repetitions of digits.
415 415
416 Also, new patterns "\x" "\X" "\a" "\A" " 416 Also, new patterns "\x" "\X" "\a" "\A" "\@" are added.
417 417
418 Fix 2006/07/21 418 Fix 2006/07/21
419 419
420 @ Add CONFIG_TOMOYO_NETWORK option. 420 @ Add CONFIG_TOMOYO_NETWORK option.
421 421
422 Until now, only port numbers for TCP and 422 Until now, only port numbers for TCP and UDP were controllable.
423 Now, the combination of IPv4/IPv6 addres 423 Now, the combination of IPv4/IPv6 address and port numbers
424 for TCP and UDP is controllable. 424 for TCP and UDP is controllable.
425 CONFIG_TOMOYO_NETWORKPORT became obsolet 425 CONFIG_TOMOYO_NETWORKPORT became obsolete.
426 426
427 Fix 2006/07/25 427 Fix 2006/07/25
428 428
429 @ Change matching rule for CheckFileACL(). 429 @ Change matching rule for CheckFileACL().
430 430
431 Until now, only first entry that matched 431 Until now, only first entry that matched the requested pathname
432 was used for permission checking. For ex 432 was used for permission checking. For example, two entries
433 433
434 "2 /tmp/file-\$.txt" 434 "2 /tmp/file-\$.txt"
435 "4 /tmp/fil\?-0.txt" 435 "4 /tmp/fil\?-0.txt"
436 436
437 are given in this order and requested pa 437 are given in this order and requested pathname is "/tmp/file-0.txt",
438 the "2 /tmp/file-\$.txt" is used. But if 438 the "2 /tmp/file-\$.txt" is used. But if two entries
439 439
440 "4 /tmp/fil\?-0.txt" 440 "4 /tmp/fil\?-0.txt"
441 "2 /tmp/file-\$.txt" 441 "2 /tmp/file-\$.txt"
442 442
443 are given in this order, the "4 /tmp/fil 443 are given in this order, the "4 /tmp/fil\?-0.txt" is used.
444 This may potentially cause trouble becau 444 This may potentially cause trouble because the result of
445 permission checks depends on the order o 445 permission checks depends on the order of entries.
446 446
447 Now, all entries that matched the reques 447 Now, all entries that matched the requested pathname
448 are used for permission checking so that 448 are used for permission checking so that the result of
449 permission checks doesn't depend on the 449 permission checks doesn't depend on the order of entries.
450 450
451 Fix 2006/07/27 451 Fix 2006/07/27
452 452
453 @ Support RAW IPv4/IPv6 control. 453 @ Support RAW IPv4/IPv6 control.
454 454
455 Some programs such as 'ping' and 'tracer 455 Some programs such as 'ping' and 'traceroute' use raw IP socket.
456 Now, the combination of IPv4/IPv6 addres 456 Now, the combination of IPv4/IPv6 address and protocol numbers
457 for IP is controllable. 457 for IP is controllable.
458 458
459 Fix 2006/08/04 459 Fix 2006/08/04
460 460
461 @ Add filename and argv[0] comparison chec 461 @ Add filename and argv[0] comparison check.
462 462
463 The domain transition was done based on 463 The domain transition was done based on filename passed to do_execve(),
464 while the behavior was defined based on 464 while the behavior was defined based on argv[0].
465 There is no problem if the filename is a 465 There is no problem if the filename is argv[0]-unaware application.
466 But if argv[0]-aware, access control byp 466 But if argv[0]-aware, access control bypassing happens if the process
467 transits to trusted domain but behaves a 467 transits to trusted domain but behaves as different program.
468 For example, when the administrator spec 468 For example, when the administrator specifies domain for /bin/ls as
469 trusted but both /bin/ls and /bin/cat ar 469 trusted but both /bin/ls and /bin/cat are links to /sbin/busybox ,
470 a cracker can run /bin/cat in a trusted 470 a cracker can run /bin/cat in a trusted domain if the cracker
471 succeeds to invoke do_execve() with file 471 succeeds to invoke do_execve() with filename = "/bin/ls" and
472 argv[0] = "/bin/cat". 472 argv[0] = "/bin/cat".
473 473
474 I introduced a directive that permits th 474 I introduced a directive that permits the mismatch of
475 basename of filename and argv[0]. 475 basename of filename and argv[0].
476 476
477 Fix 2006/08/10 477 Fix 2006/08/10
478 478
479 @ Support ID based condition checks. 479 @ Support ID based condition checks.
480 480
481 It was impossible to use process id (uid 481 It was impossible to use process id (uid and gid and so on) for
482 checking individual domain ACL. 482 checking individual domain ACL.
483 483
484 Now it became possible to use process id 484 Now it became possible to use process id for checking individual
485 domain ACL. For example, 485 domain ACL. For example,
486 486
487 "1 /bin/sh if task.euid!=0" 487 "1 /bin/sh if task.euid!=0"
488 488
489 allows the domain to execute /bin/sh onl 489 allows the domain to execute /bin/sh only when the process's euid
490 is not 0, and 490 is not 0, and
491 491
492 "6 /home/\*/\* if task.uid=path1.uid" 492 "6 /home/\*/\* if task.uid=path1.uid"
493 493
494 allows the domain to read-write user's h 494 allows the domain to read-write user's home directory
495 only when the file's owner matches the p 495 only when the file's owner matches the process's uid.
496 496
497 Fix 2006/08/22 497 Fix 2006/08/22
498 498
499 @ Fix ROUNDUP() in fs/realpath.c . 499 @ Fix ROUNDUP() in fs/realpath.c .
500 500
501 Alignment using sizeof(int) may be inapp 501 Alignment using sizeof(int) may be inappropriate for 64bit environment.
502 I changed to use the larger size of 'voi 502 I changed to use the larger size of 'void *' and 'long'
503 instead of 'int'. 503 instead of 'int'.
504 For environment where sizeof(int) = size 504 For environment where sizeof(int) = sizeof(long) = sizeof(void *),
505 this change has no effect. 505 this change has no effect.
506 506
507 Version 1.2 2006/09/03 Functionality enhan 507 Version 1.2 2006/09/03 Functionality enhancement release.
508 508
509 Fix 2006/09/30 509 Fix 2006/09/30
510 510
511 @ Fix CheckFilePerm() in fs/tomoyo_file.c 511 @ Fix CheckFilePerm() in fs/tomoyo_file.c .
512 512
513 The location to call path_release() was 513 The location to call path_release() was too early.
514 514
515 Fix 2006/10/02 515 Fix 2006/10/02
516 516
517 @ Support per-domain profile. 517 @ Support per-domain profile.
518 518
519 It became possible to assign different p 519 It became possible to assign different profiles for different domains.
520 This will help administrators using buil 520 This will help administrators using building up approach.
521 521
522 Fix 2006/10/05 522 Fix 2006/10/05
523 523
524 @ Change parameters for CheckFilePerm(). 524 @ Change parameters for CheckFilePerm().
525 525
526 I was re-resolving pathnames inside Chec 526 I was re-resolving pathnames inside CheckFilePerm() even though
527 the caller function already resolved the 527 the caller function already resolved them.
528 So I changed to pass dentry and vfsmount 528 So I changed to pass dentry and vfsmount instead of pathname,
529 and removed changes made on 2006/09/30. 529 and removed changes made on 2006/09/30.
530 530
531 Fix 2006/10/06 531 Fix 2006/10/06
532 532
533 @ Support deny_rewrite and allow_rewrite p 533 @ Support deny_rewrite and allow_rewrite permission.
534 534
535 It became possible to make regular files 535 It became possible to make regular files append-only
536 using "deny_rewrite" directive in except 536 using "deny_rewrite" directive in exception policy and
537 override it using "allow_rewrite" direct 537 override it using "allow_rewrite" directive in domain policy.
538 538
539 Regular files specified using "deny_rewr 539 Regular files specified using "deny_rewrite" directive
540 can't be open()ed with O_TRUNC or with 540 can't be open()ed with O_TRUNC or without O_APPEND,
541 can't be truncate()ed or ftruncate()ed 541 can't be truncate()ed or ftruncate()ed,
542 can't be turned O_APPEND flag off usin 542 can't be turned O_APPEND flag off using fcntl(F_SETFL)
543 unless specified using "allow_rewrite" d 543 unless specified using "allow_rewrite" directive.
544 544
545 Fix 2006/10/12 545 Fix 2006/10/12
546 546
547 @ Enable configuration options by default 547 @ Enable configuration options by default for kernel config.
548 548
549 CONFIG_SAKURA and CONFIG_TOMOYO are now 549 CONFIG_SAKURA and CONFIG_TOMOYO are now 'y' by default
550 and CONFIG_SYAORAN is now 'm' by default 550 and CONFIG_SYAORAN is now 'm' by default.
551 551
552 Fix 2006/10/13 552 Fix 2006/10/13
553 553
554 @ Use external policy loader. 554 @ Use external policy loader.
555 555
556 Until now, policies are loaded when /sbi 556 Until now, policies are loaded when /sbin/init starts and
557 initial control levels are switched usin 557 initial control levels are switched using CCS= parameter.
558 But since some boxes have to fixate kern 558 But since some boxes have to fixate kernel command line options
559 at compilation time, I think it will bec 559 at compilation time, I think it will become more flexible
560 by running external policy loader using 560 by running external policy loader using init= parameter so that
561 initial control levels can be specified 561 initial control levels can be specified before /sbin/init starts.
562 562
563 Call panic() if initial control levels a 563 Call panic() if initial control levels are not specified.
564 564
565 Fix 2006/10/16 565 Fix 2006/10/16
566 566
567 @ Add missing parameter in FindNextDomain( 567 @ Add missing parameter in FindNextDomain().
568 568
569 'struct file' was needed for allowing 'i 569 'struct file' was needed for allowing 'if path1.*' checks.
570 570
571 Fix 2006/10/23 571 Fix 2006/10/23
572 572
573 @ Print error messages in CheckFlags(). 573 @ Print error messages in CheckFlags().
574 574
575 Some users seem to have troubles picking 575 Some users seem to have troubles picking up all necessary
576 entries for the configuration file of SY 576 entries for the configuration file of SYAORAN filesystem
577 since makesyaoranconf can't pick up entr 577 since makesyaoranconf can't pick up entries that are
578 nonexistent at the time. 578 nonexistent at the time.
579 I added error message so that users can 579 I added error message so that users can find missing entries
580 using dmesg. 580 using dmesg.
581 581
582 Fix 2006/10/24 582 Fix 2006/10/24
583 583
584 @ Change /proc/ccs/info/self_domain . 584 @ Change /proc/ccs/info/self_domain .
585 585
586 I changed /proc/ccs/info/self_domain to 586 I changed /proc/ccs/info/self_domain to return
587 the domain of open time rather than firs 587 the domain of open time rather than first read time.
588 This modification makes shell's redirect 588 This modification makes shell's redirection usage
589 more convenient since redirection opens 589 more convenient since redirection opens file
590 but doesn't read at the time. 590 but doesn't read at the time.
591 591
592 'cat < /proc/ccs/info/self_domain' will 592 'cat < /proc/ccs/info/self_domain' will return
593 the domain of shell, and 593 the domain of shell, and
594 'cat /proc/ccs/info/self_domain' will re 594 'cat /proc/ccs/info/self_domain' will return
595 the domain of cat . 595 the domain of cat .
596 596
597 Fix 2006/11/06 597 Fix 2006/11/06
598 598
599 @ Replace MAX_ENFORCE_GRACE with ALLOW_ENF 599 @ Replace MAX_ENFORCE_GRACE with ALLOW_ENFORCE_GRACE.
600 600
601 Since it was inconvenient that requests 601 Since it was inconvenient that requests that are waiting for
602 supervisor's decision are rejected autom 602 supervisor's decision are rejected automatically when
603 MAX_ENFORCE_GRACE seconds has elapsed, I 603 MAX_ENFORCE_GRACE seconds has elapsed, I modified WriteAnswer()
604 reset timeout counter whenever a supervi 604 reset timeout counter whenever a supervisor's decision is written
605 and I modified ccs-queryd write a dummy 605 and I modified ccs-queryd write a dummy decision every seconds
606 so that the requests won't be rejected a 606 so that the requests won't be rejected automatically as long as
607 ccs-queryd is running. 607 ccs-queryd is running.
608 This change made MAX_ENFORCE_GRACE's mea 608 This change made MAX_ENFORCE_GRACE's meaning boolean.
609 So I fixated MAX_ENFORCE_GRACE to 10 sec 609 So I fixated MAX_ENFORCE_GRACE to 10 seconds and removed
610 MAX_ENFORCE_GRACE parameter. 610 MAX_ENFORCE_GRACE parameter.
611 To allow administrators selectively enab 611 To allow administrators selectively enable "delayed enforcing"
612 mode, I added ALLOW_ENFORCE_GRACE parame 612 mode, I added ALLOW_ENFORCE_GRACE parameter.
613 The behavior of "delayed enforcing" mode 613 The behavior of "delayed enforcing" mode is defined
614 in the following order. 614 in the following order.
615 615
616 (1) The requests are rejected immediatel 616 (1) The requests are rejected immediately if ALLOW_ENFORCE_GRACE=0.
617 (2) The requests are rejected immediatel 617 (2) The requests are rejected immediately
618 if nobody is opening /proc/ccs/polic 618 if nobody is opening /proc/ccs/policy/query interface.
619 (3) The requests won't be rejected autom 619 (3) The requests won't be rejected automatically
620 if ALLOW_ENFORCE_GRACE=1 and ccs-que 620 if ALLOW_ENFORCE_GRACE=1 and ccs-queryd is running.
621 (4) The requests will be rejected in 10 621 (4) The requests will be rejected in 10 seconds
622 if somebody other than ccs-queryd (s 622 if somebody other than ccs-queryd (such as less(1)) is
623 opening /proc/ccs/policy/query inter 623 opening /proc/ccs/policy/query interface, for
624 such process doesn't write dummy dec 624 such process doesn't write dummy decisions.
625 625
626 Version 1.3 2006/11/11 First anniversary r 626 Version 1.3 2006/11/11 First anniversary release.
627 627
628 Fix 2006/11/13 628 Fix 2006/11/13
629 629
630 @ Replace trust_domain with keep_domain. 630 @ Replace trust_domain with keep_domain.
631 631
632 Since it was troublesome that there are 632 Since it was troublesome that there are two elements that can disable MAC
633 (assigning a profile that doesn't enable 633 (assigning a profile that doesn't enable MAC or registering domains
634 with trust_domain directive), I removed 634 with trust_domain directive), I removed trust_domain directive.
635 Instead, I introduced keep_domain direct 635 Instead, I introduced keep_domain directive to not to transit domains
636 unless a program registered with initial 636 unless a program registered with initializer directive is executed.
637 This change has the following advantages 637 This change has the following advantages.
638 638
639 (1) Allows administrator use "enforce mo 639 (1) Allows administrator use "enforce mode" for operations after login.
640 Since it was difficult to know what 640 Since it was difficult to know what commands and files are invoked
641 and accessed in what sequences befor 641 and accessed in what sequences beforehand, we had to use trust_domain
642 directive for such domain, allowing 642 directive for such domain, allowing users invoke any commands and
643 access any files in any sequence. 643 access any files in any sequence.
644 But now, we can use keep_domain dire 644 But now, we can use keep_domain directive and assign a profile for
645 "enforce mode" for such domain, forc 645 "enforce mode" for such domain, forcing users invoke only allowed
646 commands and access only allowed fil 646 commands and access only allowed files in any sequence
647 while these operations are kept unde 647 while these operations are kept under the control of "enforce mode".
648 648
649 (2) Allows administrator determine easil 649 (2) Allows administrator determine easily whether the domain is
650 under MAC or not because only the pr 650 under MAC or not because only the profile currently assigned to
651 the domain determines it. 651 the domain determines it.
652 652
653 (3) Saves total number of domains and me 653 (3) Saves total number of domains and memory.
654 654
655 Fix 2006/11/22 655 Fix 2006/11/22
656 656
657 @ Don't allow use of undefined profile. 657 @ Don't allow use of undefined profile.
658 658
659 To avoid assigning undefined profile to 659 To avoid assigning undefined profile to domains by error,
660 I added checks before assigning profiles 660 I added checks before assigning profiles to domains.
661 Now, profiles have to be defined prior t 661 Now, profiles have to be defined prior to assigning them to domains.
662 662
663 Version 1.3.1 2006/12/08 Minor update releas 663 Version 1.3.1 2006/12/08 Minor update release.
664 664
665 Fix 2006/12/10 665 Fix 2006/12/10
666 666
667 @ Allow pathname grouping. 667 @ Allow pathname grouping.
668 668
669 To reduce the labor of repeating '/\*' t 669 To reduce the labor of repeating '/\*' to allow access recursively,
670 I introduced a macro 'path_group' to mak 670 I introduced a macro 'path_group' to make group such pathnames.
671 For example, you had to give like 671 For example, you had to give like
672 672
673 4 /var/www/html/\* 673 4 /var/www/html/\*
674 4 /var/www/html/\*/\* 674 4 /var/www/html/\*/\*
675 4 /var/www/html/\*/\*/\* 675 4 /var/www/html/\*/\*/\*
676 4 /var/www/html/\*/\*/\*/\* 676 4 /var/www/html/\*/\*/\*/\*
677 677
678 but now, you can give just 678 but now, you can give just
679 679
680 4 @WEB-CONTENTS 680 4 @WEB-CONTENTS
681 681
682 if you give 682 if you give
683 683
684 path_group WEB-CONTENTS /var/www/html/ 684 path_group WEB-CONTENTS /var/www/html/\*
685 path_group WEB-CONTENTS /var/www/html/ 685 path_group WEB-CONTENTS /var/www/html/\*/\*
686 path_group WEB-CONTENTS /var/www/html/ 686 path_group WEB-CONTENTS /var/www/html/\*/\*/\*
687 path_group WEB-CONTENTS /var/www/html/ 687 path_group WEB-CONTENTS /var/www/html/\*/\*/\*/\*
688 688
689 in the exception policy. 689 in the exception policy.
690 This macro will be useful when grouping 690 This macro will be useful when grouping different directories.
691 691
692 Fix 2006/12/15 692 Fix 2006/12/15
693 693
694 @ Use structured pathnames instead for sim 694 @ Use structured pathnames instead for simple 'char *'.
695 695
696 To reduce the cost of strcmp(), I change 696 To reduce the cost of strcmp(), I changed the return value of
697 SaveName() from 'const char *' to 'const 697 SaveName() from 'const char *' to 'const struct path_info *'.
698 This change will speed up PathMatchesToP 698 This change will speed up PathMatchesToPattern() comparison.
699 699
700 Fix 2006/12/19 700 Fix 2006/12/19
701 701
702 @ Allow registering policy managers using 702 @ Allow registering policy managers using domainnames.
703 703
704 It was difficult to restrict programs th 704 It was difficult to restrict programs that can update policies
705 via /proc/ccs/ interfaces using pathname 705 via /proc/ccs/ interfaces using pathnames of these programs, for
706 these programs could be unintendedly inv 706 these programs could be unintendedly invoked.
707 Now, it became possible to restrict doma 707 Now, it became possible to restrict domains that can update policies
708 via /proc/ccs/ interfaces as well as pro 708 via /proc/ccs/ interfaces as well as programs.
709 By restricting using domainnames, it bec 709 By restricting using domainnames, it becomes easier to avoid
710 unintended invocation. 710 unintended invocation.
711 711
712 Fix 2006/12/22 712 Fix 2006/12/22
713 713
714 @ Add initialize_domain,no_initizlize_doma 714 @ Add initialize_domain,no_initizlize_domain,no_keep_domain
715 715
716 To control domain transitions more stric 716 To control domain transitions more strictly,
717 initialize_domain,no_initizlize_domain,n 717 initialize_domain,no_initizlize_domain,no_keep_domain directives
718 were introduced. 718 were introduced.
719 719
720 "initialize_domain /some/program" means 720 "initialize_domain /some/program" means
721 jump to "<kernel> /some/program" domain 721 jump to "<kernel> /some/program" domain if /some/program is
722 called from any domain. 722 called from any domain.
723 This is equivalent to conventional "init 723 This is equivalent to conventional "initializer /some/program".
724 724
725 "initialize_domain /some/program from so 725 "initialize_domain /some/program from some_domain" means
726 jump to "<kernel> /some/program" domain 726 jump to "<kernel> /some/program" domain only if /some/program is
727 called from "some_domain" domain. 727 called from "some_domain" domain.
728 728
729 "no_initialize_domain /some/program" mea 729 "no_initialize_domain /some/program" means
730 don't jump to "<kernel> /some/program" d 730 don't jump to "<kernel> /some/program" domain even if
731 "initialize_domain /some/program" or 731 "initialize_domain /some/program" or
732 "initialize_domain /some/program from so 732 "initialize_domain /some/program from some_domain" are given
733 if /some/program is called from any doma 733 if /some/program is called from any domain.
734 734
735 "no_initialize_domain /some/program from 735 "no_initialize_domain /some/program from some_domain" means
736 don't jump to "<kernel> /some/program" d 736 don't jump to "<kernel> /some/program" domain even if
737 "initialize_domain /some/program" or 737 "initialize_domain /some/program" or
738 "initialize_domain /some/program from so 738 "initialize_domain /some/program from some_domain" are given
739 if /some/program is called from "some_do 739 if /some/program is called from "some_domain" domain.
740 740
741 "keep_domain some_domain" means don't ju 741 "keep_domain some_domain" means don't jump to child domain
742 if any programs are called from "some_do 742 if any programs are called from "some_domain" domain.
743 743
744 "keep_domain /some/program from some_dom 744 "keep_domain /some/program from some_domain" means
745 don't jump to child domain only if /some 745 don't jump to child domain only if /some/program is
746 called from "some_domain" domain. 746 called from "some_domain" domain.
747 747
748 "no_keep_domain some_domain" means 748 "no_keep_domain some_domain" means
749 jump to child domain even if 749 jump to child domain even if
750 "keep_domain /some/program" or 750 "keep_domain /some/program" or
751 "keep_domain /some/program from some_dom 751 "keep_domain /some/program from some_domain" are given
752 if any programs are called from "some_do 752 if any programs are called from "some_domain" domain.
753 753
754 "no_keep_domain /some/program from some_ 754 "no_keep_domain /some/program from some_domain" means
755 jump to child domain even if 755 jump to child domain even if
756 "keep_domain /some/program" or 756 "keep_domain /some/program" or
757 "keep_domain /some/program from some_dom 757 "keep_domain /some/program from some_domain" are given
758 if /some/program is called from "some_do 758 if /some/program is called from "some_domain" domain.
759 759
760 "some_domain" can be just the last compo 760 "some_domain" can be just the last component of domainname.
761 For example, giving "/bin/mail" as "some 761 For example, giving "/bin/mail" as "some_domain" matches
762 all domains whose domainname ends with " 762 all domains whose domainname ends with "/bin/mail".
763 763
764 Fix 2007/01/19 764 Fix 2007/01/19
765 765
766 @ Allow reuse of memory allocated for doma 766 @ Allow reuse of memory allocated for domain policy.
767 767
768 Regarding domain policy, unlike other po 768 Regarding domain policy, unlike other policies, didn't have
769 "is_deleted" flag and new memory were al 769 "is_deleted" flag and new memory were allocated
770 if the deleted entries are given again. 770 if the deleted entries are given again.
771 But to allow administrators switch domai 771 But to allow administrators switch domain policy periodically,
772 I introduced "is_deleted" flag. 772 I introduced "is_deleted" flag.
773 773
774 Writing "some_domain" to /proc/ccs/polic 774 Writing "some_domain" to /proc/ccs/policy/domain_policy
775 creates "some_domain" using new memory i 775 creates "some_domain" using new memory if it didn't exist.
776 776
777 Writing "select some_domain" doesn't cre 777 Writing "select some_domain" doesn't create "some_domain"
778 if it didn't exist. 778 if it didn't exist.
779 779
780 Writing "delete some_domain" deletes "so 780 Writing "delete some_domain" deletes "some_domain"
781 but does not delete entries in "some_dom 781 but does not delete entries in "some_domain".
782 782
783 Writing "undelete some_domain" undeletes 783 Writing "undelete some_domain" undeletes "some_domain"
784 if it was deleted by "delete some_domain 784 if it was deleted by "delete some_domain".
785 785
786 Fix 2007/01/22 786 Fix 2007/01/22
787 787
788 @ Allow getting already deleted pathnames. 788 @ Allow getting already deleted pathnames.
789 789
790 To allow getting pathnames that are alre 790 To allow getting pathnames that are already deleted,
791 I removed (IS_ROOT(dentry) || !d_unhashe 791 I removed (IS_ROOT(dentry) || !d_unhashed(dentry)) check.
792 792
793 Fix 2007/01/26 793 Fix 2007/01/26
794 794
795 @ Limit string length to 4000. 795 @ Limit string length to 4000.
796 796
797 I was using PAGE_SIZE (4096 in many envi 797 I was using PAGE_SIZE (4096 in many environments)
798 as the max length of any string data. 798 as the max length of any string data.
799 But for environments that have larger PA 799 But for environments that have larger PAGE_SIZE,
800 doing memset(ptr, 0, PAGE_SIZE) every ti 800 doing memset(ptr, 0, PAGE_SIZE) every time is too wasteful.
801 801
802 Fix 2007/01/29 802 Fix 2007/01/29
803 803
804 @ Add garbage collector for domain policy. 804 @ Add garbage collector for domain policy.
805 805
806 Writing "some_domain" to /proc/ccs/polic 806 Writing "some_domain" to /proc/ccs/policy/domain_policy
807 creates "some_domain" using new memory o 807 creates "some_domain" using new memory only if
808 some process is staying at that deleted 808 some process is staying at that deleted domain.
809 If no process is staying at that deleted 809 If no process is staying at that deleted domain,
810 "some_domain" is undeleted with all ACLs 810 "some_domain" is undeleted with all ACLs deleted.
811 811
812 Version 1.3.2 2007/02/14 Usability enhanceme 812 Version 1.3.2 2007/02/14 Usability enhancement release.
813 813
814 Fix 2007/02/20 814 Fix 2007/02/20
815 815
816 @ Allow address grouping. 816 @ Allow address grouping.
817 817
818 To reduce the labor of repeating similar 818 To reduce the labor of repeating similar IPv4/IPv6 addresses,
819 I introduced a macro 'address_group' to 819 I introduced a macro 'address_group' to make group such addresses.
820 For example, you had to give like 820 For example, you had to give like
821 821
822 allow_network TCP accept 10.0.0.0-10.2 822 allow_network TCP accept 10.0.0.0-10.255.255.255 1024-65535
823 allow_network TCP accept 172.16.0.0-17 823 allow_network TCP accept 172.16.0.0-172.31.255.255 1024-65535
824 allow_network TCP accept 192.168.0.0-1 824 allow_network TCP accept 192.168.0.0-192.168.255.255 1024-65535
825 825
826 but now, you can give just 826 but now, you can give just
827 827
828 allow_network TCP accept @localnet 102 828 allow_network TCP accept @localnet 1024-65535
829 829
830 if you give 830 if you give
831 831
832 address_group localnet 10.0.0.0-10.255 832 address_group localnet 10.0.0.0-10.255.255.255
833 address_group localnet 172.16.0.0-172. 833 address_group localnet 172.16.0.0-172.31.255.255
834 address_group localnet 192.168.0.0-192 834 address_group localnet 192.168.0.0-192.168.255.255
835 835
836 in the exception policy. 836 in the exception policy.
837 837
838 Fix 2007/03/03 838 Fix 2007/03/03
839 839
840 @ Remove obsolete functions. 840 @ Remove obsolete functions.
841 841
842 @ Add some hooks. 842 @ Add some hooks.
843 843
844 Read permission check is done if open_ex 844 Read permission check is done if open_exec()
845 is called from search_binary_handler(). 845 is called from search_binary_handler().
846 Read permission check is not done if ope 846 Read permission check is not done if open_exec()
847 is called from do_execve(), instead, 847 is called from do_execve(), instead,
848 execute permission check is done at 848 execute permission check is done at
849 search_binary_handler_with_transition(). 849 search_binary_handler_with_transition().
850 850
851 I moved the location of calling CheckCap 851 I moved the location of calling CheckCapabilityACL()
852 and CheckMountPermission() from sys_moun 852 and CheckMountPermission() from sys_mount() to do_mount().
853 853
854 Fix 2007/03/07 854 Fix 2007/03/07
855 855
856 @ Use 'unsigned int' for sscanf(). 856 @ Use 'unsigned int' for sscanf().
857 857
858 I compiled SYAORAN fs on x86_64 environm 858 I compiled SYAORAN fs on x86_64 environment and found
859 the compiler showing warning messages ab 859 the compiler showing warning messages about size of data types.
860 Since size of data types may mismatch fo 860 Since size of data types may mismatch for sscanf(),
861 I replaced some types with 'unsigned int 861 I replaced some types with 'unsigned int'.
862 862
863 Version 1.4 2007/04/01 x86_64 support rele 863 Version 1.4 2007/04/01 x86_64 support release.
864 864
865 Fix 2007/04/18 865 Fix 2007/04/18
866 866
867 @ Change argv[0] checking rule. 867 @ Change argv[0] checking rule.
868 868
869 I was comparing the basename of symbolic 869 I was comparing the basename of symbolic link's pathname and argv[0].
870 Since execute permission check and domai 870 Since execute permission check and domain transition are done
871 based on realpath while argv[0] check is 871 based on realpath while argv[0] check is done based on the symlink's
872 pathname and argv[0], this specification 872 pathname and argv[0], this specification will allow attackers behave
873 as /bin/cat in the domain of /bin/ls if 873 as /bin/cat in the domain of /bin/ls if "/bin/ls and /bin/cat are
874 links to /sbin/busybox" and "the attacke 874 links to /sbin/busybox" and "the attacker is permitted to create
875 a symlink named ~/cat that points to /bi 875 a symlink named ~/cat that points to /bin/ls" and "the attacker is
876 permitted to run /bin/ls". 876 permitted to run /bin/ls".
877 So, I changed to compare the basename of 877 So, I changed to compare the basename of realpath and argv[0].
878 Also, I moved the location to compare be 878 Also, I moved the location to compare before processing
879 "aggregator" directive so that 879 "aggregator" directive so that
880 "aggregator /tmp/logrotate.\?\?\?\?\?\? 880 "aggregator /tmp/logrotate.\?\?\?\?\?\? /tmp/logrotate.tmp"
881 won't cause the mismatch of the basename 881 won't cause the mismatch of the basename of realpath and argv[0].
882 882
883 If /bin/ls is a symlink to /sbin/busybox 883 If /bin/ls is a symlink to /sbin/busybox, then
884 creating a symlink named ~/cat that poin 884 creating a symlink named ~/cat that points to /bin/ls and
885 executing ~/cat won't work as expected b 885 executing ~/cat won't work as expected because permission check and
886 domain transition are done using /sbin/b 886 domain transition are done using /sbin/busybox (realpath of /bin/ls)
887 and will be rejected since the administr 887 and will be rejected since the administrator won't grant
888 "1 /sbin/busybox". 888 "1 /sbin/busybox".
889 889
890 Fix 2007/05/07 890 Fix 2007/05/07
891 891
892 @ Support pathname subtraction. 892 @ Support pathname subtraction.
893 893
894 There was no way to exclude specific pat 894 There was no way to exclude specific pathnames when granting
895 permissions using wildcards. 895 permissions using wildcards.
896 There would be a need to exclude specifi 896 There would be a need to exclude specific files and directories.
897 I introduced "\-" as subtraction operato 897 I introduced "\-" as subtraction operator.
898 898
899 "A\-B" means "A" other than "B". 899 "A\-B" means "A" other than "B".
900 "A\-B\-C" means "A" other than "B" and 900 "A\-B\-C" means "A" other than "B" and "C".
901 "A\-B\-C\-D" means "A" other than "B" 901 "A\-B\-C\-D" means "A" other than "B" and "C" and "D".
902 902
903 "A", "B", "C", "D" may contain wildcards 903 "A", "B", "C", "D" may contain wildcards.
904 904
905 An example usage is "/home/\*/\*\-.ssh/\ 905 An example usage is "/home/\*/\*\-.ssh/\*", which means
906 "/home/\*/\*/\*" other than "/home/\*/.s 906 "/home/\*/\*/\*" other than "/home/\*/.ssh/\*".
907 907
908 "A" should contain wildcards because sub 908 "A" should contain wildcards because subtraction from constants
909 (e.g. "/usr\-usr/" or "/usr\-home/") is 909 (e.g. "/usr\-usr/" or "/usr\-home/") is meaningless.
910 910
911 Don't try "A\-B\+C" because "\+" is not 911 Don't try "A\-B\+C" because "\+" is not addition operator.
912 912
913 Fix 2007/05/24 913 Fix 2007/05/24
914 914
915 @ Fix autobind hook. 915 @ Fix autobind hook.
916 916
917 The location to call SAKURA_MayAutobind( 917 The location to call SAKURA_MayAutobind() in net/ipv4/udp.c
918 and net/ipv6/udp.c were wrong. 918 and net/ipv6/udp.c were wrong.
919 919
920 Fix 2007/06/03 920 Fix 2007/06/03
921 921
922 @ Add a space in MakeMountOptions(). 922 @ Add a space in MakeMountOptions().
923 923
924 I forgot to add a space after "atime" an 924 I forgot to add a space after "atime" and "noatime".
925 925
926 Version 1.4.1 2007/06/05 Minor update releas 926 Version 1.4.1 2007/06/05 Minor update release.
927 927
928 Fix 2007/07/04 928 Fix 2007/07/04
929 929
930 @ Fix ReadAddressGroupPolicy() bug. 930 @ Fix ReadAddressGroupPolicy() bug.
931 931
932 ReadAddressGroupPolicy() fails if both " 932 ReadAddressGroupPolicy() fails if both "path_group" and "address_group"
933 are used because I forgot to set "head-> 933 are used because I forgot to set "head->read_var1 = NULL".
934 934
935 Fix 2007/07/10 935 Fix 2007/07/10
936 936
937 @ Add compat_sys_stime() hook. 937 @ Add compat_sys_stime() hook.
938 938
939 Some of 64bit kernels support compat_sys 939 Some of 64bit kernels support compat_sys_stime()
940 but permission check was missing. 940 but permission check was missing.
941 941
942 Version 1.4.2 2007/07/13 Bug fix release. 942 Version 1.4.2 2007/07/13 Bug fix release.
943 943
944 Fix 2007/08/06 944 Fix 2007/08/06
945 945
946 @ Remove mount-flags manipulation. 946 @ Remove mount-flags manipulation.
947 947
948 Until now, administrator is permitted to 948 Until now, administrator is permitted to turn on/off specific mount
949 options regardless of mount options pass 949 options regardless of mount options passed to kernel.
950 I removed this feature because "exact op 950 I removed this feature because "exact option matching" sounds better than
951 "automatic option enabler/disabler". 951 "automatic option enabler/disabler".
952 952
953 @ Remove /proc/ccs/info/mapping . 953 @ Remove /proc/ccs/info/mapping .
954 954
955 I removed /proc/ccs/info/mapping because 955 I removed /proc/ccs/info/mapping because nobody seems to use this
956 feature. 956 feature.
957 957
958 @ Call external policy loader automaticall 958 @ Call external policy loader automatically.
959 959
960 Until now, users had to add init=/.init 960 Until now, users had to add init=/.init parameter to load policy
961 before /sbin/init starts. 961 before /sbin/init starts.
962 I inserted call_usermodehelper() to call 962 I inserted call_usermodehelper() to call external policy loader when
963 execve("/sbin/init") is requested and ex 963 execve("/sbin/init") is requested and external policy loader exists.
964 964
965 This change will remove init=/.init para 965 This change will remove init=/.init parameter from most environment,
966 although call_usermodehelper() can't han 966 although call_usermodehelper() can't handle interactive operations.
967 967
968 @ Move external policy loader from /.init 968 @ Move external policy loader from /.init to /sbin/ccs-init .
969 969
970 Installing programs in / directory is no 970 Installing programs in / directory is not good for packaging.
971 971
972 Fix 2007/08/13 972 Fix 2007/08/13
973 973
974 @ Update external policy loader. 974 @ Update external policy loader.
975 975
976 It turned out that /sbin/ccs-init invoke 976 It turned out that /sbin/ccs-init invoked via call_usermodehelper()
977 can handle interactive operations by ope 977 can handle interactive operations by opening /dev/console .
978 Now, there is no difference between init 978 Now, there is no difference between init=/sbin/ccs-init and
979 call_usermodehelper("/sbin/ccs-init"), a 979 call_usermodehelper("/sbin/ccs-init"), and users no longer need to
980 add init=/sbin/ccs-init parameter to loa 980 add init=/sbin/ccs-init parameter to load policy before /sbin/init
981 starts. 981 starts.
982 982
983 Fix 2007/08/14 983 Fix 2007/08/14
984 984
985 @ Update recvmsg() hooks. 985 @ Update recvmsg() hooks.
986 986
987 Until now, it was impossible to apply ne 987 Until now, it was impossible to apply network access control for
988 incoming UDP and RAW packets if they are 988 incoming UDP and RAW packets if they are brought to userland using
989 read() or recvmsg() with NULL address be 989 read() or recvmsg() with NULL address because address buffer is NULL.
990 I moved hooks from sock_recvmsg() to skb 990 I moved hooks from sock_recvmsg() to skb_recv_datagram() so that
991 network access control for incoming UDP 991 network access control for incoming UDP and RAW packets always work.
992 992
993 Fix 2007/08/16 993 Fix 2007/08/16
994 994
995 @ Return appropriate error code for CheckM 995 @ Return appropriate error code for CheckMountPermission().
996 996
997 I was returning -EPERM if something is w 997 I was returning -EPERM if something is wrong with CheckMountPermission().
998 But SELinux determines whether selinuxfs 998 But SELinux determines whether selinuxfs is supported by kernel
999 based on whether error code is -ENODEV o 999 based on whether error code is -ENODEV or not.
1000 So I stopped returning -EPERM unconditi 1000 So I stopped returning -EPERM unconditionally.
1001 1001
1002 Fix 2007/08/17 1002 Fix 2007/08/17
1003 1003
1004 @ Remove initializer directive. 1004 @ Remove initializer directive.
1005 1005
1006 Use "initialize_domain" instead of "ini 1006 Use "initialize_domain" instead of "initializer".
1007 1007
1008 Fix 2007/08/21 1008 Fix 2007/08/21
1009 1009
1010 @ Fix "allow_argv0 ... if if ..." bug. 1010 @ Fix "allow_argv0 ... if if ..." bug.
1011 1011
1012 It was impossible to use a word "if" to 1012 It was impossible to use a word "if" to the second argument of
1013 allow_argv0 if condition part is used. 1013 allow_argv0 if condition part is used.
1014 1014
1015 Fix 2007/08/24 1015 Fix 2007/08/24
1016 1016
1017 @ Move /proc/ccs/\*/\* to /proc/ccs/\* . 1017 @ Move /proc/ccs/\*/\* to /proc/ccs/\* .
1018 1018
1019 Some pathnames for /proc/ccs/ interface 1019 Some pathnames for /proc/ccs/ interface were changed.
1020 1020
1021 Fix 2007/09/05 1021 Fix 2007/09/05
1022 1022
1023 @ Drop MSG_PEEK'ed message before skb_fre 1023 @ Drop MSG_PEEK'ed message before skb_free_datagram().
1024 1024
1025 I need to remove head message from unwa 1025 I need to remove head message from unwanted source
1026 from socket's receive queue so that the 1026 from socket's receive queue so that the caller can pick up
1027 next message from wanted source with MS 1027 next message from wanted source with MSG_PEEK flags.
1028 1028
1029 Version 1.5.0 2007/09/20 Usability enhancem 1029 Version 1.5.0 2007/09/20 Usability enhancement release.
1030 1030
1031 Fix 2007/09/27 1031 Fix 2007/09/27
1032 1032
1033 @ Avoid eating memory after quota exceede 1033 @ Avoid eating memory after quota exceeded.
1034 1034
1035 Although ACL entries in a domain won't 1035 Although ACL entries in a domain won't be added if the domain's quota
1036 has exceeded, SaveName() in AddFileACL( 1036 has exceeded, SaveName() in AddFileACL() is called anyway.
1037 This caused unneeded memory consumption 1037 This caused unneeded memory consumption.
1038 1038
1039 Now, quota checking is done before gett 1039 Now, quota checking is done before getting domain_acl_lock lock.
1040 This may exceed quota by one or two ent 1040 This may exceed quota by one or two entries, but that won't matter.
1041 1041
1042 Fix 2007/10/16 1042 Fix 2007/10/16
1043 1043
1044 @ Add environment variable check. 1044 @ Add environment variable check.
1045 1045
1046 There are environment variables that ma 1046 There are environment variables that may cause dangerous behavior
1047 like LD_\* . 1047 like LD_\* .
1048 So I introduced 'allow_env' directive t 1048 So I introduced 'allow_env' directive that allows specified
1049 environment variable inherited to next 1049 environment variable inherited to next domain.
1050 Unlike other permissions, this check is 1050 Unlike other permissions, this check is done at execve() time
1051 using next domain's ACL information. 1051 using next domain's ACL information.
1052 1052
1053 To manage commonly inherited environmen 1053 To manage commonly inherited environments like PATH ,
1054 you can use 'allow_env' directive in ex 1054 you can use 'allow_env' directive in exception policy
1055 to globally grant specified environment 1055 to globally grant specified environment variable.
1056 1056
1057 Fix 2007/11/05 1057 Fix 2007/11/05
1058 1058
1059 @ Replace semaphore with mutex. 1059 @ Replace semaphore with mutex.
1060 1060
1061 I replaced semaphore with mutex. 1061 I replaced semaphore with mutex.
1062 1062
1063 @ Add missing down() in AddReservedEntry( 1063 @ Add missing down() in AddReservedEntry().
1064 1064
1065 Mutex debugging capability told me that 1065 Mutex debugging capability told me that I had forgotten to call down()
1066 since TOMOYO version 1.3.2 . 1066 since TOMOYO version 1.3.2 .
1067 This function is not called by learning 1067 This function is not called by learning mode,
1068 so the semaphore's counter will not ove 1068 so the semaphore's counter will not overflow for normal usage.
1069 1069
1070 Fix 2005/11/27 1070 Fix 2005/11/27
1071 1071
1072 @ Fix ReadTable() truncation bug. 1072 @ Fix ReadTable() truncation bug.
1073 1073
1074 "snprintf(str, size, format, ...) >= si 1074 "snprintf(str, size, format, ...) >= size" means truncated.
1075 But I was checking for "snprintf(str, s 1075 But I was checking for "snprintf(str, size, format, ...) > size".
1076 As a result, some entries might be dump 1076 As a result, some entries might be dumped without '\n'.
1077 1077
1078 @ Purge direct "->prev"/"->next" manipula 1078 @ Purge direct "->prev"/"->next" manipulation.
1079 1079
1080 All list manipulations use "struct list 1080 All list manipulations use "struct list_head" or "struct list1_head".
1081 "struct list1_head" doesn't have "->pre 1081 "struct list1_head" doesn't have "->prev" member to save memory usage.
1082 1082
1083 Fix 2007/11/29 1083 Fix 2007/11/29
1084 1084
1085 @ Add missing semaphore in GetEXE(). 1085 @ Add missing semaphore in GetEXE().
1086 1086
1087 mm->mmap_sem was missing. 1087 mm->mmap_sem was missing.
1088 1088
1089 Fix 2007/12/17 1089 Fix 2007/12/17
1090 1090
1091 @ Remove unused EXPORT_SYMBOL(). 1091 @ Remove unused EXPORT_SYMBOL().
1092 1092
1093 Mark some functions static. 1093 Mark some functions static.
1094 1094
1095 Fix 2007/12/18 1095 Fix 2007/12/18
1096 1096
1097 @ Fix AddMountACL() rejection bug. 1097 @ Fix AddMountACL() rejection bug.
1098 1098
1099 To my surprise, "mount --bind source de 1099 To my surprise, "mount --bind source dest" accepts
1100 not only "both source and dest are dire 1100 not only "both source and dest are directory"
1101 but also "both source and dest are non- 1101 but also "both source and dest are non-directory".
1102 I was rejecting if dest is not a direct 1102 I was rejecting if dest is not a directory in AddMountACL().
1103 1103
1104 @ Change log format. 1104 @ Change log format.
1105 1105
1106 Profile number and mode is added in aud 1106 Profile number and mode is added in audit logs.
1107 1107
1108 Fix 2008/01/03 1108 Fix 2008/01/03
1109 1109
1110 @ Change directive for file's read/write/ 1110 @ Change directive for file's read/write/execute permission.
1111 1111
1112 Directives for file's read/write/execut 1112 Directives for file's read/write/execute permissions were
1113 4/2/1 respectively. But for easier unde 1113 4/2/1 respectively. But for easier understanding, they are now
1114 replaced by read/write/execute (e.g. "a 1114 replaced by read/write/execute (e.g. "allow_read" instead of "4").
1115 But for easier inputting, 4/2/1 are sti 1115 But for easier inputting, 4/2/1 are still accepted instead of
1116 allow_read/allow_write/allow_execute re 1116 allow_read/allow_write/allow_execute respectively.
1117 1117
1118 @ Change internal data structure. 1118 @ Change internal data structure.
1119 1119
1120 Since I don't have more than 16 types o 1120 Since I don't have more than 16 types of file permissions,
1121 I combined them using bit-fields. 1121 I combined them using bit-fields.
1122 1122
1123 Each entry had a field for conditional 1123 Each entry had a field for conditional permission support.
1124 But since this field is unlikely used, 1124 But since this field is unlikely used, I separated the field from
1125 common part. 1125 common part.
1126 1126
1127 These changes will reduce memory used b 1127 These changes will reduce memory used by policy.
1128 1128
1129 Fix 2008/01/15 1129 Fix 2008/01/15
1130 1130
1131 @ Add ptrace() hook. 1131 @ Add ptrace() hook.
1132 1132
1133 To prevent attackers from controlling i 1133 To prevent attackers from controlling important processes using
1134 ptrace(), I added a hook for ptrace(). 1134 ptrace(), I added a hook for ptrace().
1135 Most programs (except strace(1) and gdb 1135 Most programs (except strace(1) and gdb(1)) won't use ptrace(2).
1136 1136
1137 @ Fix sleep condition check in CheckSocke 1137 @ Fix sleep condition check in CheckSocketRecvDatagramPermission().
1138 1138
1139 It seems that correct method to use is 1139 It seems that correct method to use is in_atomic()
1140 rather than in_interrupt() because in_a 1140 rather than in_interrupt() because in_atomic() returns nonzero
1141 whenever scheduling is not allowed. 1141 whenever scheduling is not allowed.
1142 1142
1143 Fix 2008/02/05 1143 Fix 2008/02/05
1144 1144
1145 @ Use find_task_by_vpid() instead of find 1145 @ Use find_task_by_vpid() instead of find_task_by_pid().
1146 1146
1147 Kernel 2.6.24 introduced PID namespace. 1147 Kernel 2.6.24 introduced PID namespace.
1148 To search PID given from userland, the 1148 To search PID given from userland, the kernel needs to use
1149 find_task_by_vpid() instead of find_tas 1149 find_task_by_vpid() instead of find_task_by_pid().
1150 1150
1151 Fix 2008/02/14 1151 Fix 2008/02/14
1152 1152
1153 @ Add execve() parameter checking. 1153 @ Add execve() parameter checking.
1154 1154
1155 Until now, it was impossible to check a 1155 Until now, it was impossible to check argv[] and envp[] parameters
1156 passed to execve(). 1156 passed to execve().
1157 I expanded conditional permission synta 1157 I expanded conditional permission syntax so that
1158 { argc, envc, argv[] , envp[] } paramet 1158 { argc, envc, argv[] , envp[] } parameters can be checked if needed.
1159 This will allow administrator permit ex 1159 This will allow administrator permit execution of /bin/sh only when
1160 /bin/sh is invoked in the form of "/bin 1160 /bin/sh is invoked in the form of "/bin/sh -c" and environment variable
1161 HOME is set by specifying 1161 HOME is set by specifying
1162 1162
1163 allow_execute /bin/sh if exec.argv[1] 1163 allow_execute /bin/sh if exec.argv[1]="-c" exec.envp["HOME"]!=NULL
1164 1164
1165 in the policy. 1165 in the policy.
1166 This extension will make exploit codes 1166 This extension will make exploit codes difficult to start /bin/sh because
1167 they unlikely set up environment variab 1167 they unlikely set up environment variables and unlikely specify "-c"
1168 option when invoking /bin/sh , whereas 1168 option when invoking /bin/sh , whereas proper functions likely set up
1169 environment variables and likely specif 1169 environment variables and likely specify "-c" option.
1170 1170
1171 Fix 2008/02/18 1171 Fix 2008/02/18
1172 1172
1173 @ Add process state checking. 1173 @ Add process state checking.
1174 1174
1175 Until now, it was impossible to change 1175 Until now, it was impossible to change ACL without executing program.
1176 I added three variables for performing 1176 I added three variables for performing stateful checking within a domain.
1177 You can set current process's state lik 1177 You can set current process's state like:
1178 1178
1179 allow_network TCP accept @TRUSTED_HOS 1179 allow_network TCP accept @TRUSTED_HOSTS 1024-65535 ; set task.state[0]=1
1180 allow_network TCP accept @UNTRUSTED_H 1180 allow_network TCP accept @UNTRUSTED_HOSTS 1024-65535 ; set task.state[0]=0
1181 1181
1182 and you can use the state like 1182 and you can use the state like
1183 1183
1184 allow_read /path/to/important/file if 1184 allow_read /path/to/important/file if task.state[0]=1
1185 1185
1186 in the policy. 1186 in the policy.
1187 The state changes when the request was 1187 The state changes when the request was granted by the MAC's policy,
1188 so please be careful with situations wh 1188 so please be careful with situations where the state has changed
1189 successfully but the request was not pr 1189 successfully but the request was not processed because of other reasons
1190 (e.g. out of memory). 1190 (e.g. out of memory).
1191 1191
1192 Fix 2008/02/26 1192 Fix 2008/02/26
1193 1193
1194 @ Support /proc/ccs/ access by non-root u 1194 @ Support /proc/ccs/ access by non-root user.
1195 1195
1196 Until now, only root user can access /p 1196 Until now, only root user can access /proc/ccs/ interface.
1197 But to permit /proc/ccs/ access by non- 1197 But to permit /proc/ccs/ access by non-root user so that it won't require
1198 ssh login by root user when administrat 1198 ssh login by root user when administrating from remote host,
1199 I made "(current->uid == 0 && current-> 1199 I made "(current->uid == 0 && current->euid == 0)" requirement optional.
1200 If this requirement is disabled, only " 1200 If this requirement is disabled, only "conventional DAC permission
1201 checks" and "/proc/ccs/manager checks" 1201 checks" and "/proc/ccs/manager checks" are used.
1202 1202
1203 Fix 2008/02/29 1203 Fix 2008/02/29
1204 1204
1205 @ Add sleep_on_violation feature. 1205 @ Add sleep_on_violation feature.
1206 1206
1207 Some exploit codes (e.g. trans2open for 1207 Some exploit codes (e.g. trans2open for Samba) continue running
1208 until it achieves the purpose of the ex 1208 until it achieves the purpose of the exploit code (e.g. invoke /bin/sh).
1209 1209
1210 If such code is injected due to buffer 1210 If such code is injected due to buffer overflow but the kernel
1211 rejects the request, it triggers infini 1211 rejects the request, it triggers infinite "Permission denied" loop.
1212 As a result, the CPU usage becomes 100% 1212 As a result, the CPU usage becomes 100% and gives bad effects to
1213 the rest of processes. 1213 the rest of processes.
1214 This is a side effect of rejecting the 1214 This is a side effect of rejecting the request from the exploit code
1215 which wouldn't happen if the request fr 1215 which wouldn't happen if the request from the exploit code was granted.
1216 1216
1217 To avoid such CPU consumption, I added 1217 To avoid such CPU consumption, I added a penalty that forcibly
1218 sleeps for specified period when a requ 1218 sleeps for specified period when a request is rejected.
1219 1219
1220 This penalty doesn't work if the exploi 1220 This penalty doesn't work if the exploit code does nothing but
1221 continue running, but I think most expl 1221 continue running, but I think most exploit code's purpose is
1222 to start some program rather than to sl 1222 to start some program rather than to slow down the target system.
1223 1223
1224 @ Add alt_exec feature. 1224 @ Add alt_exec feature.
1225 1225
1226 Since TOMOYO Linux's approach is "know 1226 Since TOMOYO Linux's approach is "know all essential requests in advance
1227 and create policy that permits only the 1227 and create policy that permits only them", you can regard anomalous
1228 requests as attacks (if you want to do 1228 requests as attacks (if you want to do so).
1229 1229
1230 Common MAC implementations merely rejec 1230 Common MAC implementations merely reject requests that violate policy.
1231 But I added a special handler for execv 1231 But I added a special handler for execve() to TOMOYO Linux.
1232 1232
1233 This handler is triggered when a proces 1233 This handler is triggered when a process requested to execute a program
1234 but the request was rejected by the pol 1234 but the request was rejected by the policy.
1235 This handler executes a program specifi 1235 This handler executes a program specified by the administrator
1236 instead of a program requested by the p 1236 instead of a program requested by the process.
1237 1237
1238 Most attackers attempt to execute /bin/ 1238 Most attackers attempt to execute /bin/sh to start something malicious.
1239 Attackers execute an exploit code using 1239 Attackers execute an exploit code using buffer overflow vulnerability
1240 to steal control of a process. But this 1240 to steal control of a process. But this handler can get back control
1241 if an exploit code requests execve() th 1241 if an exploit code requests execve() that is not permitted by policy.
1242 1242
1243 By default, this handler does nothing ( 1243 By default, this handler does nothing (i.e. merely reject execve()
1244 request). You can specify any program t 1244 request). You can specify any program to start what you want to do.
1245 1245
1246 You can redirect attackers to somewhere 1246 You can redirect attackers to somewhere else (e.g. honey pot).
1247 This makes it possible to act your Linu 1247 This makes it possible to act your Linux box as an on-demand honey pot
1248 while keeping regular services for your 1248 while keeping regular services for your usage.
1249 1249
1250 You can collect information of the atta 1250 You can collect information of the attacker (e.g. IP address) and
1251 update firewall configuration. 1251 update firewall configuration.
1252 1252
1253 You can silently terminate a process wh 1253 You can silently terminate a process who requested execve()
1254 that is not permitted by policy. 1254 that is not permitted by policy.
1255 1255
1256 Fix 2008/03/03 1256 Fix 2008/03/03
1257 1257
1258 @ Add "force_alt_exec" directive. 1258 @ Add "force_alt_exec" directive.
1259 1259
1260 To be able to fully utilize "alt_exec" 1260 To be able to fully utilize "alt_exec" feature,
1261 I added "force_alt_exec" directive so t 1261 I added "force_alt_exec" directive so that
1262 all execute requests are replaced by th 1262 all execute requests are replaced by the execute request of a program
1263 specified by alt_exec feature. 1263 specified by alt_exec feature.
1264 1264
1265 If this directive is specified for a do 1265 If this directive is specified for a domain, the domain no longer
1266 executes any programs regardless of the 1266 executes any programs regardless of the mode of file access control
1267 (i.e. the domain won't execute even if 1267 (i.e. the domain won't execute even if MAC_FOR_FILE=0 ).
1268 Instead, the domain executes the progra 1268 Instead, the domain executes the program specified by alt_exec feature
1269 and the program specified by alt_exec f 1269 and the program specified by alt_exec feature validates the execute
1270 request and executes it if it is approp 1270 request and executes it if it is appropriate to execute.
1271 1271
1272 If you can tolerate that there is no ch 1272 If you can tolerate that there is no chance to return an error code
1273 to the caller to tell the execute reque 1273 to the caller to tell the execute request was rejected,
1274 this is more flexible approach than in- 1274 this is more flexible approach than in-kernel execve() parameter
1275 checking because we can do argv[] and e 1275 checking because we can do argv[] and envp[] checking easily.
1276 1276
1277 Fix 2008/03/04 1277 Fix 2008/03/04
1278 1278
1279 @ Use string for access control mode. 1279 @ Use string for access control mode.
1280 1280
1281 An integer expression for access contro 1281 An integer expression for access control mode sometimes confuses
1282 administrators because profile number i 1282 administrators because profile number is also an integer expression.
1283 To avoid confusion between profile numb 1283 To avoid confusion between profile number and access control mode,
1284 I introduced a string expression for ac 1284 I introduced a string expression for access control mode.
1285 1285
1286 Modes which take an integer between 0 1286 Modes which take an integer between 0 and 3.
1287 1287
1288 0 -> disabled 1288 0 -> disabled
1289 1 -> learning 1289 1 -> learning
1290 2 -> permissive 1290 2 -> permissive
1291 3 -> enforcing 1291 3 -> enforcing
1292 1292
1293 Modes which take 0 or 1. 1293 Modes which take 0 or 1.
1294 1294
1295 0 -> disabled 1295 0 -> disabled
1296 1 -> enabled 1296 1 -> enabled
1297 1297
1298 Fix 2008/03/10 1298 Fix 2008/03/10
1299 1299
1300 @ Rename "force_alt_exec" directive to "e 1300 @ Rename "force_alt_exec" directive to "execute_handler".
1301 1301
1302 To be able to use different programs fo 1302 To be able to use different programs for validating execve() parameters,
1303 I moved the location to specify the pro 1303 I moved the location to specify the program's pathname from profile
1304 to domain policy. 1304 to domain policy.
1305 1305
1306 The "execute_handler" directive takes o 1306 The "execute_handler" directive takes one pathname which is
1307 invoked whenever execve() request is is 1307 invoked whenever execve() request is issued. Thus, any "allow_execute"
1308 directives in a domain with "execute_ha 1308 directives in a domain with "execute_handler" are ignored.
1309 This directive is designed for validati 1309 This directive is designed for validating expected/desirable execve()
1310 requests in userspace, although there i 1310 requests in userspace, although there is no way to tell the caller
1311 that the execve() request was rejected. 1311 that the execve() request was rejected.
1312 1312
1313 @ Rename "alt_exec" directive to "denied_ 1313 @ Rename "alt_exec" directive to "denied_execute_handler".
1314 1314
1315 The "denied_execute_handler" directive 1315 The "denied_execute_handler" directive takes one pathname which is
1316 invoked only when execve() request was 1316 invoked only when execve() request was rejected. In other words,
1317 this program is invoked only when the f 1317 this program is invoked only when the following conditions are met.
1318 1318
1319 (1) None of "allow_execute" directive 1319 (1) None of "allow_execute" directives in the domain matched.
1320 (2) The execve() request was rejected 1320 (2) The execve() request was rejected in enforcing mode.
1321 (3) "execute_handler" directive is no 1321 (3) "execute_handler" directive is not used by the domain.
1322 1322
1323 This directive is designed for handling 1323 This directive is designed for handling unexpected/undesirable execve()
1324 requests, to redirect the process issui 1324 requests, to redirect the process issuing such requests to somewhere.
1325 1325
1326 Fix 2008/03/18 1326 Fix 2008/03/18
1327 1327
1328 @ Fix wrong/redundant locks in pre-vfs fu 1328 @ Fix wrong/redundant locks in pre-vfs functions.
1329 1329
1330 lock_kernel()/unlock_kernel() in pre_vf 1330 lock_kernel()/unlock_kernel() in pre_vfs_rename() were redundant for
1331 2.6 kernels. 1331 2.6 kernels.
1332 1332
1333 Locking order in pre_vfs_link() and pre 1333 Locking order in pre_vfs_link() and pre_vfs_unlink() for 2.4 kernels
1334 after 2.4.33 were different from before 1334 after 2.4.33 were different from before 2.4.32 .
1335 1335
1336 Fix 2008/03/28 1336 Fix 2008/03/28
1337 1337
1338 @ Disable execute handler loop. 1338 @ Disable execute handler loop.
1339 1339
1340 To be able to use "execute_handler" in 1340 To be able to use "execute_handler" in a "keep_domain" domain,
1341 ignore "execute_handler" and "denied_ex 1341 ignore "execute_handler" and "denied_execute_handler" directives
1342 if the current process is executing pro 1342 if the current process is executing programs specified by
1343 "execute_handler" or "denied_execute_ha 1343 "execute_handler" or "denied_execute_handler" directive.
1344 1344
1345 This exception is needed to avoid infin 1345 This exception is needed to avoid infinite execute handler loop.
1346 If a domain has both "keep_domain" and 1346 If a domain has both "keep_domain" and "execute_handler",
1347 any execute request by that domain is h 1347 any execute request by that domain is handled by an execute handler,
1348 and the execute handler attempts to pro 1348 and the execute handler attempts to process original execute request.
1349 But the original execute request is han 1349 But the original execute request is handled by the same execute handler
1350 unless the execute handler ignores "exe 1350 unless the execute handler ignores "execute_handler".
1351 1351
1352 @ Update coding style. 1352 @ Update coding style.
1353 1353
1354 I rewrote the code to pass scripts/chec 1354 I rewrote the code to pass scripts/checkpatch.pl as much as possible.
1355 Function names were changed to use only 1355 Function names were changed to use only lower letters.
1356 1356
1357 Version 1.6.0 2008/04/01 Feature enhancemen 1357 Version 1.6.0 2008/04/01 Feature enhancement release.
1358 1358
1359 Fix 2008/04/14 1359 Fix 2008/04/14
1360 1360
1361 @ Fix "Compilation failures" and "Initial 1361 @ Fix "Compilation failures" and "Initialization ordering bugs"
1362 with kernels before 2.4.30/2.6.11 . 1362 with kernels before 2.4.30/2.6.11 .
1363 1363
1364 2.6 kernels before 2.6.9 didn't have in 1364 2.6 kernels before 2.6.9 didn't have include/linux/hardirq.h ,
1365 resulting compilation error at #include 1365 resulting compilation error at #include <linux/hardirq.h> .
1366 I added #elif condition. 1366 I added #elif condition.
1367 1367
1368 CentOS 4.6's 2.6.9 kernel calls do_exec 1368 CentOS 4.6's 2.6.9 kernel calls do_execve() before initialization of
1369 ccs_alloc(), resulting NULL pointer der 1369 ccs_alloc(), resulting NULL pointer dereference.
1370 I changed __initcall to core_initcall. 1370 I changed __initcall to core_initcall.
1371 1371
1372 CentOS 4.6's 2.6.9 kernel backported kz 1372 CentOS 4.6's 2.6.9 kernel backported kzalloc() from 2.6.14 ,
1373 resulting compilation error at kzalloc( 1373 resulting compilation error at kzalloc().
1374 I modified prototype of kzalloc(). 1374 I modified prototype of kzalloc().
1375 1375
1376 Fix 2008/04/20 1376 Fix 2008/04/20
1377 1377
1378 @ Fix "Compilation failures" with kernels 1378 @ Fix "Compilation failures" with kernels before 2.4.30/2.6.11 .
1379 1379
1380 Turbolinux 10 Server's 2.6.8 kernel bac 1380 Turbolinux 10 Server's 2.6.8 kernel backported kzalloc() as an inlined
1381 function, resulting compilation error a 1381 function, resulting compilation error at kzalloc().
1382 I converted kzalloc() from an inlined f 1382 I converted kzalloc() from an inlined function into a macro.
1383 1383
1384 Fix 2008/04/21 1384 Fix 2008/04/21
1385 1385
1386 @ Add workaround for gcc 3.2.2's inline b 1386 @ Add workaround for gcc 3.2.2's inline bug.
1387 1387
1388 RedHat Linux 9's gcc 3.2.2 generated a 1388 RedHat Linux 9's gcc 3.2.2 generated a bad code
1389 if ((var_of_u8 & 0x000000BF) & 0x800 1389 if ((var_of_u8 & 0x000000BF) & 0x80000000) { }
1390 where the expected code is 1390 where the expected code is
1391 if ((var_of_u8 & 0xBF) & 0x80) { } 1391 if ((var_of_u8 & 0xBF) & 0x80) { }
1392 when embedding ccs_acl_type2() into pri 1392 when embedding ccs_acl_type2() into print_entry(),
1393 resulting runtime BUG(). 1393 resulting runtime BUG().
1394 I added the expected code explicitly as 1394 I added the expected code explicitly as a workaround.
1395 1395
1396 Fix 2008/05/06 1396 Fix 2008/05/06
1397 1397
1398 @ Add memory quota. 1398 @ Add memory quota.
1399 1399
1400 1.5.x returns -ENOMEM when FindNextDoma 1400 1.5.x returns -ENOMEM when FindNextDomain() failed to create a new
1401 domain, but I forgot to return -ENOMEM 1401 domain, but I forgot to return -ENOMEM when find_next_domain() failed to
1402 create a new domain. 1402 create a new domain.
1403 1403
1404 A domain is automatically created by fi 1404 A domain is automatically created by find_next_domain() only if
1405 the domain for the requested program do 1405 the domain for the requested program doesn't exist.
1406 This behavior is for the administrator' 1406 This behavior is for the administrator's convenience.
1407 The administrator needn't to know how m 1407 The administrator needn't to know how many domains are needed for running
1408 the whole programs in the system before 1408 the whole programs in the system beforehand when developing the policy.
1409 But the administrator does not want the 1409 But the administrator does not want the kernel to reject execution of the
1410 requested program when developing the p 1410 requested program when developing the policy.
1411 1411
1412 So, I think it is better to grant execu 1412 So, I think it is better to grant execution of programs even if
1413 find_next_domain() failed to create a n 1413 find_next_domain() failed to create a new domain than reject execution.
1414 Thus, I decided not to return -ENOMEM w 1414 Thus, I decided not to return -ENOMEM when find_next_domain() failed to
1415 create a new domain. This exception bre 1415 create a new domain. This exception breaks the domain transition rules,
1416 so I print "transition_failed" warning 1416 so I print "transition_failed" warning in /proc/ccs/domain_policy
1417 when this exception happened. 1417 when this exception happened.
1418 1418
1419 Also, to prevent the system from being 1419 Also, to prevent the system from being halted by unexpectedly allocating
1420 all kernel memory for the policy, I add 1420 all kernel memory for the policy, I added memory quota.
1421 This quota is configurable via /proc/cc 1421 This quota is configurable via /proc/ccs/meminfo like
1422 1422
1423 echo Shared: 1048576 > /proc/ccs/mem 1423 echo Shared: 1048576 > /proc/ccs/meminfo
1424 echo Private: 1048576 > /proc/ccs/mem 1424 echo Private: 1048576 > /proc/ccs/meminfo
1425 1425
1426 Version 1.6.1 2008/05/10 Bug fix release. 1426 Version 1.6.1 2008/05/10 Bug fix release.
1427 1427
1428 Fix 2008/06/04 1428 Fix 2008/06/04
1429 1429
1430 @ Check open mode of /proc/ccs/ interface 1430 @ Check open mode of /proc/ccs/ interface.
1431 1431
1432 It turned out that I can avoid allocati 1432 It turned out that I can avoid allocating memory for reading if
1433 FMODE_READ is not set and memory for wr 1433 FMODE_READ is not set and memory for writing if FMODE_WRITE is not set.
1434 1434
1435 @ Wait for completion of /sbin/ccs-init . 1435 @ Wait for completion of /sbin/ccs-init .
1436 1436
1437 Since 2.4 kernel's call_usermodehelper( 1437 Since 2.4 kernel's call_usermodehelper() can't wait for termination of
1438 the executed program, I was using the c 1438 the executed program, I was using the close() request of
1439 /proc/ccs/meminfo to indicate that load 1439 /proc/ccs/meminfo to indicate that loading policy has finished.
1440 But since /proc/ccs/meminfo could be ac 1440 But since /proc/ccs/meminfo could be accessed for setting memory quota
1441 by /etc/ccs/ccs-post-init , I stopped u 1441 by /etc/ccs/ccs-post-init , I stopped using the close() request.
1442 The policy loader no longer need to acc 1442 The policy loader no longer need to access /proc/ccs/meminfo to notify
1443 the kernel that loading policy has fini 1443 the kernel that loading policy has finished.
1444 1444
1445 Fix 2008/06/05 1445 Fix 2008/06/05
1446 1446
1447 @ Fix realpath for pipes and sockets. 1447 @ Fix realpath for pipes and sockets.
1448 1448
1449 Kernel 2.6.22 and later use different m 1449 Kernel 2.6.22 and later use different method for calculating d_path().
1450 Since fs/realpath.c didn't notice the c 1450 Since fs/realpath.c didn't notice the change, the realpath of pipes
1451 appeared as "pipe:" rather than "pipe:[ 1451 appeared as "pipe:" rather than "pipe:[\$]" when they are opened via
1452 /proc/PID/fd/ directory. 1452 /proc/PID/fd/ directory.
1453 1453
1454 @ Add process's information into /proc/cc 1454 @ Add process's information into /proc/ccs/query .
1455 1455
1456 While /proc/ccs/grant_log and /proc/ccs 1456 While /proc/ccs/grant_log and /proc/ccs/reject_log contain process's
1457 information, /proc/ccs/query doesn't co 1457 information, /proc/ccs/query doesn't contain it.
1458 To be able to utilize ccs-queryd and cc 1458 To be able to utilize ccs-queryd and ccs-notifyd more, I added it into
1459 /proc/ccs/query . 1459 /proc/ccs/query .
1460 1460
1461 Fix 2008/06/10 1461 Fix 2008/06/10
1462 1462
1463 @ Allow using patterns for globally reada 1463 @ Allow using patterns for globally readable files.
1464 1464
1465 To allow users specify locale specific 1465 To allow users specify locale specific files to globally readable files,
1466 I relaxed checking in update_globally_r 1466 I relaxed checking in update_globally_readable_entry().
1467 1467
1468 Fix 2008/06/11 1468 Fix 2008/06/11
1469 1469
1470 @ Remove ALLOW_ENFORCE_GRACE parameter. 1470 @ Remove ALLOW_ENFORCE_GRACE parameter.
1471 1471
1472 Since unexpected requests caused by doi 1472 Since unexpected requests caused by doing software updates can happen
1473 in all profiles, users likely have to w 1473 in all profiles, users likely have to write ALLOW_ENFORCE_GRACE=enabled
1474 to all profiles. And it makes meaningle 1474 to all profiles. And it makes meaningless to allow users to selectively
1475 enable specific profile's ALLOW_ENFORCE 1475 enable specific profile's ALLOW_ENFORCE_GRACE parameter.
1476 So, I removed ALLOW_ENFORCE_GRACE param 1476 So, I removed ALLOW_ENFORCE_GRACE parameter.
1477 Now, the system behaves as if ALLOW_ENF 1477 Now, the system behaves as if ALLOW_ENFORCE_GRACE=enabled is specified.
1478 The behavior of "delayed enforcing" mod 1478 The behavior of "delayed enforcing" mode is defined in the following
1479 order. 1479 order.
1480 1480
1481 (1) The requests are rejected immediate 1481 (1) The requests are rejected immediately if nobody is opening
1482 /proc/ccs/query interface. 1482 /proc/ccs/query interface.
1483 (2) The requests will be rejected in 10 1483 (2) The requests will be rejected in 10 seconds if somebody other than
1484 ccs-queryd (such as less(1)) is ope 1484 ccs-queryd (such as less(1)) is opening /proc/ccs/query interface,
1485 for such process doesn't write dumm 1485 for such process doesn't write dummy decisions.
1486 1486
1487 Fix 2008/06/22 1487 Fix 2008/06/22
1488 1488
1489 @ Pass escaped pathname to audit_execute_ 1489 @ Pass escaped pathname to audit_execute_handler_log().
1490 1490
1491 I was passing unescaped pathname to aud 1491 I was passing unescaped pathname to audit_execute_handler_log()
1492 which causes /proc/ccs/grant_log contai 1492 which causes /proc/ccs/grant_log contain whitespace characters
1493 if execute handler's pathname contains 1493 if execute handler's pathname contains whitespace characters.
1494 1494
1495 Fix 2008/06/25 1495 Fix 2008/06/25
1496 1496
1497 @ Return 0 when ccs_may_umount() succeeds 1497 @ Return 0 when ccs_may_umount() succeeds.
1498 1498
1499 I forgot to clear error value in ccs_ma 1499 I forgot to clear error value in ccs_may_umount() when the requested
1500 directory didn't match "deny_unmount" d 1500 directory didn't match "deny_unmount" directive. As a result, any umount()
1501 request with RESTRICT_UNMOUNT=enforcing 1501 request with RESTRICT_UNMOUNT=enforcing returned -EPERM error.
1502 1502
1503 Version 1.6.2 2008/06/25 Usability enhancem 1503 Version 1.6.2 2008/06/25 Usability enhancement release.
1504 1504
1505 Fix 2008/07/01 1505 Fix 2008/07/01
1506 1506
1507 @ Fix "Compilation failure" with 2.4.20 k 1507 @ Fix "Compilation failure" with 2.4.20 kernel.
1508 1508
1509 RedHat Linux 9's 2.4.20 kernel backport 1509 RedHat Linux 9's 2.4.20 kernel backported O(1) scheduler patch,
1510 resulting compilation error at ccs_load 1510 resulting compilation error at ccs_load_policy().
1511 I added defined(TASK_DEAD) check. 1511 I added defined(TASK_DEAD) check.
1512 1512
1513 Fix 2008/07/08 1513 Fix 2008/07/08
1514 1514
1515 @ Don't check permissions if vfsmount is 1515 @ Don't check permissions if vfsmount is NULL.
1516 1516
1517 Some filesystems (e.g. unionfs) pass NU 1517 Some filesystems (e.g. unionfs) pass NULL vfsmount.
1518 I changed fs/tomoyo_file.c not to try t 1518 I changed fs/tomoyo_file.c not to try to calculate pathnames
1519 if vfsmount is NULL. 1519 if vfsmount is NULL.
1520 1520
1521 Version 1.6.3 2008/07/15 Bug fix release. 1521 Version 1.6.3 2008/07/15 Bug fix release.
1522 1522
1523 Fix 2008/08/21 1523 Fix 2008/08/21
1524 1524
1525 @ Add workaround for gcc 4.3's bug. 1525 @ Add workaround for gcc 4.3's bug.
1526 1526
1527 In some environments, fs/tomoyo_network 1527 In some environments, fs/tomoyo_network.c could not be compiled
1528 because of gcc 4.3's bug. 1528 because of gcc 4.3's bug.
1529 I modified save_ipv6_address() to use " 1529 I modified save_ipv6_address() to use "integer literal" value
1530 instead for "static const u8" variable. 1530 instead for "static const u8" variable.
1531 1531
1532 @ Change prototypes of some functions. 1532 @ Change prototypes of some functions.
1533 1533
1534 To support 2.6.27 kernels, I replaced " 1534 To support 2.6.27 kernels, I replaced "struct nameidata" with
1535 "struct path" for some functions. 1535 "struct path" for some functions.
1536 1536
1537 @ Detect distributor specific patches aut 1537 @ Detect distributor specific patches automatically.
1538 1538
1539 Since kernels with AppArmor patch appli 1539 Since kernels with AppArmor patch applied is increasing,
1540 I introduced a mechanism which determin 1540 I introduced a mechanism which determines whether specific patches
1541 are applied or not, based on "#define" 1541 are applied or not, based on "#define" directives in the patches.
1542 1542
1543 Fix 2008/08/29 1543 Fix 2008/08/29
1544 1544
1545 @ Remove "-ccs" suffix from Makefile's EX 1545 @ Remove "-ccs" suffix from Makefile's EXTRAVERSION.
1546 1546
1547 To reduce conflicts on Makefile's EXTRA 1547 To reduce conflicts on Makefile's EXTRAVERSION,
1548 I removed "-ccs" suffix from ccs-patch- 1548 I removed "-ccs" suffix from ccs-patch-2.\*.diff .
1549 Those who build kernels without using s 1549 Those who build kernels without using specs/build-\*.sh ,
1550 please edit EXTRAVERSION tag manually s 1550 please edit EXTRAVERSION tag manually so that original kernels
1551 will not be overwritten by TOMOYO Linux 1551 will not be overwritten by TOMOYO Linux kernels.
1552 1552
1553 Version 1.6.4 2008/09/03 Minor update relea 1553 Version 1.6.4 2008/09/03 Minor update release.
1554 1554
1555 Fix 2008/09/09 1555 Fix 2008/09/09
1556 1556
1557 @ Add "try again" response to "delayed en 1557 @ Add "try again" response to "delayed enforcing" mode.
1558 1558
1559 To be able to handle pathname changes c 1559 To be able to handle pathname changes caused by software updates,
1560 "delayed enforcing" mode was introduced 1560 "delayed enforcing" mode was introduced. It allows administrator to
1561 grant access requests which are about t 1561 grant access requests which are about to be rejected by the kernel.
1562 1562
1563 To be able to handle pathname changes c 1563 To be able to handle pathname changes caused by software updates better,
1564 I introduced "try again" response. As " 1564 I introduced "try again" response. As "delayed enforcing" mode sleeps
1565 a process which violated policy, admini 1565 a process which violated policy, administrator can update policy while
1566 the process is sleeping. This "try agai 1566 the process is sleeping. This "try again" response allows administrator
1567 to restart policy checks from the begin 1567 to restart policy checks from the beginning after updating policy.
1568 1568
1569 Fix 2008/09/11 1569 Fix 2008/09/11
1570 1570
1571 @ Remember whether the process is allowed 1571 @ Remember whether the process is allowed to write to /proc/ccs/ interface.
1572 1572
1573 Since programs for manipulating policy 1573 Since programs for manipulating policy (e.g. ccs-queryd ) are installed
1574 in the form of RPM/DEB packages, these 1574 in the form of RPM/DEB packages, these programs lose the original
1575 pathnames when they are updated by the 1575 pathnames when they are updated by the package manager. The package
1576 manager renames these programs before d 1576 manager renames these programs before deleting these programs so that
1577 the package manager can rollback the op 1577 the package manager can rollback the operation.
1578 This causes a problem when the programs 1578 This causes a problem when the programs are listed into /proc/ccs/manager
1579 using pathnames, as the programs will n 1579 using pathnames, as the programs will no longer be allowed to write to
1580 /proc/ccs/ interface while the process 1580 /proc/ccs/ interface while the process of old version of the program is
1581 alive. 1581 alive.
1582 1582
1583 To solve this problem, I modified to re 1583 To solve this problem, I modified to remember the fact that the process
1584 is once allowed to write to /proc/ccs/ 1584 is once allowed to write to /proc/ccs/ interface until the process
1585 attempts to execute a different program 1585 attempts to execute a different program.
1586 This change makes it impossible to revo 1586 This change makes it impossible to revoke permission to write to
1587 /proc/ccs/ interface without killing th 1587 /proc/ccs/ interface without killing the process, but it will be better
1588 than nonfunctioning ccs-queryd program. 1588 than nonfunctioning ccs-queryd program.
1589 1589
1590 Fix 2008/09/19 1590 Fix 2008/09/19
1591 1591
1592 @ Allow selecting a domain by PID. 1592 @ Allow selecting a domain by PID.
1593 1593
1594 Sometimes we want to know what ACLs are 1594 Sometimes we want to know what ACLs are given to specific PID, but
1595 finding a domainname for that PID from 1595 finding a domainname for that PID from /proc/ccs/.process_status and
1596 reading ACLs from /proc/ccs/domain_poli 1596 reading ACLs from /proc/ccs/domain_policy by the domainname is very slow.
1597 Thus, I modified /proc/ccs/domain_polic 1597 Thus, I modified /proc/ccs/domain_policy to allow selecting a domain by
1598 PID. For example, to read domain ACL of 1598 PID. For example, to read domain ACL of current process from bash,
1599 run as follows. 1599 run as follows.
1600 1600
1601 # exec 100<>/proc/ccs/domain_policy 1601 # exec 100<>/proc/ccs/domain_policy
1602 # echo select pid=$$ >&100 1602 # echo select pid=$$ >&100
1603 # while read -u 100; do echo $REPLY; do 1603 # while read -u 100; do echo $REPLY; done
1604 1604
1605 If a domain is once selected by PID, re 1605 If a domain is once selected by PID, reading /proc/ccs/domain_policy will
1606 print only that domain if that PID exis 1606 print only that domain if that PID exists or print nothing otherwise.
1607 1607
1608 @ Disallow concurrent /proc/ccs/ access u 1608 @ Disallow concurrent /proc/ccs/ access using the same file descriptor.
1609 1609
1610 Until now, one process can read() from 1610 Until now, one process can read() from /proc/ccs/ while other process
1611 that shares the file descriptor can wri 1611 that shares the file descriptor can write() to /proc/ccs/ .
1612 But to implement "Allow selecting a dom 1612 But to implement "Allow selecting a domain by PID" feature, I disabled
1613 concurrent read()/write() because the f 1613 concurrent read()/write() because the feature need to modify read buffer
1614 while writing. 1614 while writing.
1615 1615
1616 Fix 2008/10/01 1616 Fix 2008/10/01
1617 1617
1618 @ Add retry counter into /proc/ccs/query 1618 @ Add retry counter into /proc/ccs/query .
1619 1619
1620 To be able to handle some of queries fr 1620 To be able to handle some of queries from /proc/ccs/query without user's
1621 interaction, I added retry counter for 1621 interaction, I added retry counter for avoiding infinite loop caused by
1622 "try again" response. 1622 "try again" response.
1623 1623
1624 Fix 2008/10/07 1624 Fix 2008/10/07
1625 1625
1626 @ Don't transit to new domain until do_ex 1626 @ Don't transit to new domain until do_execve() succeeds.
1627 1627
1628 Until now, a process's domain was updat 1628 Until now, a process's domain was updated to new domain which the process
1629 will belong to before do_execve() succe 1629 will belong to before do_execve() succeeds so that the kernel can do
1630 permission checks for interpreters and 1630 permission checks for interpreters and environment variables based on
1631 new domain. But this caused a subtle pr 1631 new domain. But this caused a subtle problem when other process sends
1632 signals to the process, for the process 1632 signals to the process, for the process returns to old domain if
1633 do_execve() failed. 1633 do_execve() failed.
1634 1634
1635 So, I modified to pass new domain to fu 1635 So, I modified to pass new domain to functions so that I can avoid
1636 modifying a process's domain before do_ 1636 modifying a process's domain before do_execve() succeeds.
1637 1637
1638 @ Use old task state for audit logs. 1638 @ Use old task state for audit logs.
1639 1639
1640 Until now, audit logs were generated us 1640 Until now, audit logs were generated using the task state after
1641 processing "; set task.state" part. But 1641 processing "; set task.state" part. But to generate accurate logs,
1642 I modified to save the task state befor 1642 I modified to save the task state before processing "; set task.state"
1643 part and use the saved state for audit 1643 part and use the saved state for audit logs.
1644 1644
1645 @ Use a structure for passing parameters. 1645 @ Use a structure for passing parameters.
1646 1646
1647 As the number of parameters is increasi 1647 As the number of parameters is increasing, I modified to use a structure
1648 for passing parameters. 1648 for passing parameters.
1649 1649
1650 Fix 2008/10/11 1650 Fix 2008/10/11
1651 1651
1652 @ Remove domain_acl_lock mutex. 1652 @ Remove domain_acl_lock mutex.
1653 1653
1654 I noticed that I don't need to keep all 1654 I noticed that I don't need to keep all functions that modify an ACL of
1655 a domain mutually exclusive. Since each 1655 a domain mutually exclusive. Since each functions handles different type
1656 of ACL, locking is needed only when the 1656 of ACL, locking is needed only when they append an ACL to a domain.
1657 So, I modified to use local locks. 1657 So, I modified to use local locks.
1658 1658
1659 Fix 2008/10/14 1659 Fix 2008/10/14
1660 1660
1661 @ Fix ccs_check_condition() bug. 1661 @ Fix ccs_check_condition() bug.
1662 1662
1663 Due to a bug in ccs_check_condition(), 1663 Due to a bug in ccs_check_condition(), it was impossible to use
1664 task.state[0] task.state[1] task.state[ 1664 task.state[0] task.state[1] task.state[2] inside condition part
1665 if the ACL does not treat a pathname. F 1665 if the ACL does not treat a pathname. For example, an ACL like
1666 1666
1667 allow_network TCP connect @HTTP_SERVE 1667 allow_network TCP connect @HTTP_SERVERS 80 if task.state[0]=100
1668 1668
1669 didn't work. 1669 didn't work.
1670 1670
1671 Fix 2008/10/15 1671 Fix 2008/10/15
1672 1672
1673 @ Show process information in /proc/ccs/. 1673 @ Show process information in /proc/ccs/.process_status .
1674 1674
1675 To be able to determine a process's typ 1675 To be able to determine a process's type, I added a command "info PID"
1676 which returns process information of th 1676 which returns process information of the specified PID in
1677 "PID manager=\* execute_handler=\* stat 1677 "PID manager=\* execute_handler=\* state[0]=\$ state[1]=\$ state[2]=\$"
1678 format. 1678 format.
1679 1679
1680 Fix 2008/10/20 1680 Fix 2008/10/20
1681 1681
1682 @ Use rcu_dereference() when walking the 1682 @ Use rcu_dereference() when walking the list.
1683 1683
1684 I was using "dependency ordering" for a 1684 I was using "dependency ordering" for appending an element to a list
1685 without asking the reader to take a loc 1685 without asking the reader to take a lock. But "dependency ordering"
1686 is not respected by DEC Alpha or by som 1686 is not respected by DEC Alpha or by some aggressive value-speculation
1687 compiler optimizations. 1687 compiler optimizations.
1688 1688
1689 On such environment, use of "dependency 1689 On such environment, use of "dependency ordering" can lead to system
1690 crash because the reader might read uni 1690 crash because the reader might read uninitialized value of newly
1691 appended element. 1691 appended element.
1692 1692
1693 To prevent the reader from reading unin 1693 To prevent the reader from reading uninitialized value of newly appended
1694 element, I inserted rcu_dereference() w 1694 element, I inserted rcu_dereference() when walking the list.
1695 1695
1696 Fix 2008/11/04 1696 Fix 2008/11/04
1697 1697
1698 @ Use sys_getpid() instead for current->p 1698 @ Use sys_getpid() instead for current->pid.
1699 1699
1700 Kernel 2.6.24 introduced PID namespace. 1700 Kernel 2.6.24 introduced PID namespace.
1701 1701
1702 To compare PID given from userland, I c 1702 To compare PID given from userland, I can't use current->pid.
1703 So, I modified to use sys_getpid() inst 1703 So, I modified to use sys_getpid() instead for current->pid.
1704 1704
1705 I modified to use task_tgid_nr_ns() for 1705 I modified to use task_tgid_nr_ns() for 2.6.25 and later instead for
1706 current->tgid when checking /proc/self/ 1706 current->tgid when checking /proc/self/ in get_absolute_path().
1707 1707
1708 Fix 2008/11/07 1708 Fix 2008/11/07
1709 1709
1710 @ Fix is_alphabet_char(). 1710 @ Fix is_alphabet_char().
1711 1711
1712 is_alphabet_char() should match 'A' - ' 1712 is_alphabet_char() should match 'A' - 'Z' and 'a' - 'z',
1713 but was matching from 'A' - 'F' and 'a' 1713 but was matching from 'A' - 'F' and 'a' - 'f'.
1714 1714
1715 @ Add /proc/ccs/.execute_handler . 1715 @ Add /proc/ccs/.execute_handler .
1716 1716
1717 Process information became visible to u 1717 Process information became visible to userspace by
1718 "Show process information in /proc/ccs/ 1718 "Show process information in /proc/ccs/.process_status" feature.
1719 However, programs specified by execute_ 1719 However, programs specified by execute_handler directive may run as
1720 non root user, making it impossible to 1720 non root user, making it impossible to see process information.
1721 1721
1722 So, I added a new interface that allows 1722 So, I added a new interface that allows execute handler processes
1723 to see process information. The content 1723 to see process information. The content of /proc/ccs/.execute_handler is
1724 identical to /proc/ccs/.process_status 1724 identical to /proc/ccs/.process_status .
1725 1725
1726 Version 1.6.5 2008/11/11 Third anniversary 1726 Version 1.6.5 2008/11/11 Third anniversary release.
1727 1727
1728 Fix 2008/12/01 1728 Fix 2008/12/01
1729 1729
1730 @ Introduce "task.type=execute_handler" c 1730 @ Introduce "task.type=execute_handler" condition.
1731 1731
1732 The execute_handler directive is very v 1732 The execute_handler directive is very very powerful. You can use this
1733 directive to do anything you want to do 1733 directive to do anything you want to do (e.g. logging and validating and
1734 modifying command line parameters and e 1734 modifying command line parameters and environment variables, opening and
1735 closing and redirecting files, creating 1735 closing and redirecting files, creating pipes to implement antivirus and
1736 spam filtering, deploying a DMZ between 1736 spam filtering, deploying a DMZ between the ssh daemon and the login
1737 shells). 1737 shells).
1738 1738
1739 To be able to use this directive in a d 1739 To be able to use this directive in a domain with keep_domain directive
1740 while limiting access to resources need 1740 while limiting access to resources needed for such purposes to only
1741 programs invoked as an execute handler 1741 programs invoked as an execute handler process, I added a new condition.
1742 1742
1743 In learning mode, "if task.type=execute 1743 In learning mode, "if task.type=execute_handler" condition part will be
1744 automatically added for requests issued 1744 automatically added for requests issued by an execute_handler process.
1745 1745
1746 @ Introduce file's type and permissions a 1746 @ Introduce file's type and permissions as conditions.
1747 1747
1748 To be able to limit file types a proces 1748 To be able to limit file types a process can access, I added
1749 new conditions for checking file's type 1749 new conditions for checking file's type and permissions.
1750 For example, 1750 For example,
1751 1751
1752 allow_read /etc/fstab if path1.type=f 1752 allow_read /etc/fstab if path1.type=file path1.perm=0644
1753 1753
1754 will allow opening /etc/fstab for readi 1754 will allow opening /etc/fstab for reading only if /etc/fstab is a regular
1755 file and it's permission is 0644, and 1755 file and it's permission is 0644, and
1756 1756
1757 allow_write /dev/null if path1.type=c 1757 allow_write /dev/null if path1.type=char path1.dev_major=1 path1.dev_minor=3
1758 1758
1759 will allow opening /dev/null for writin 1759 will allow opening /dev/null for writing only if /dev/null is a character
1760 device file with major=1 and minor=3 at 1760 device file with major=1 and minor=3 attributes.
1761 1761
1762 @ Add memory quota for temporary memory u 1762 @ Add memory quota for temporary memory used for auditing.
1763 1763
1764 Although there are MAX_GRANT_LOG and MA 1764 Although there are MAX_GRANT_LOG and MAX_REJECT_LOG parameters
1765 which limit the number of entries for a 1765 which limit the number of entries for audit logs so that we can avoid
1766 memory consumption by audit logs, it wo 1766 memory consumption by audit logs, it would be more convenient if we can
1767 also limit the size in bytes. 1767 also limit the size in bytes.
1768 Thus, I added a new quota line. 1768 Thus, I added a new quota line.
1769 1769
1770 echo Dynamic: 1048576 > /proc/ccs/mem 1770 echo Dynamic: 1048576 > /proc/ccs/meminfo
1771 1771
1772 This quota is not applied to temporary 1772 This quota is not applied to temporary memory used for permission checks.
1773 1773
1774 Fix 2008/12/09 1774 Fix 2008/12/09
1775 1775
1776 @ Fix ccs_can_save_audit_log() checks. 1776 @ Fix ccs_can_save_audit_log() checks.
1777 1777
1778 Due to incorrect statement "if (ccs_can 1778 Due to incorrect statement "if (ccs_can_save_audit_log() < 0)"
1779 while ccs_can_save_audit_log() is boole 1779 while ccs_can_save_audit_log() is boolean, MAX_GRANT_LOG and
1780 MAX_REJECT_LOG were not working. 1780 MAX_REJECT_LOG were not working.
1781 1781
1782 This bug will trigger OOM killer if /us 1782 This bug will trigger OOM killer if /usr/sbin/ccs-auditd is not working.
1783 1783
1784 Fix 2008/12/24 1784 Fix 2008/12/24
1785 1785
1786 @ Add "ccs_" prefix. 1786 @ Add "ccs_" prefix.
1787 1787
1788 To be able to tell whether a symbol is 1788 To be able to tell whether a symbol is TOMOYO Linux related or not,
1789 I added "ccs_" prefix as much as possib 1789 I added "ccs_" prefix as much as possible.
1790 1790
1791 @ Fix ccs_check_flags() error message. 1791 @ Fix ccs_check_flags() error message.
1792 1792
1793 I meant to print SYAORAN-ERROR: message 1793 I meant to print SYAORAN-ERROR: message when error == -EPERM,
1794 but I was printing it when error == 0 s 1794 but I was printing it when error == 0 since 1.6.0 .
1795 1795
1796 Fix 2009/01/05 1796 Fix 2009/01/05
1797 1797
1798 @ Use kmap_atomic()/kunmap_atomic() for r 1798 @ Use kmap_atomic()/kunmap_atomic() for reading "struct linux_binprm".
1799 1799
1800 As remove_arg_zero() uses kmap_atomic(K 1800 As remove_arg_zero() uses kmap_atomic(KM_USER0), I modified to use
1801 kmap_atomic(KM_USER0) rather than kmap( 1801 kmap_atomic(KM_USER0) rather than kmap().
1802 1802
1803 Fix 2009/01/28 1803 Fix 2009/01/28
1804 1804
1805 @ Fix "allow_read" + "allow_write" != "al 1805 @ Fix "allow_read" + "allow_write" != "allow_read/write" problem.
1806 1806
1807 Since 1.6.0 , due to a bug in ccs_updat 1807 Since 1.6.0 , due to a bug in ccs_update_single_path_acl(),
1808 appending "allow_read/write" entry didn 1808 appending "allow_read/write" entry didn't update internal "allow_read"
1809 and "allow_write" entries. As a result, 1809 and "allow_write" entries. As a result, attempt to open(O_RDWR) succeeds
1810 but open(O_RDONLY) and open(O_WRONLY) f 1810 but open(O_RDONLY) and open(O_WRONLY) fail.
1811 1811
1812 Workaround is to write an entry twice w 1812 Workaround is to write an entry twice when newly appending that entry.
1813 If written twice, internal "allow_read" 1813 If written twice, internal "allow_read" and "allow_write" entries
1814 are updated. 1814 are updated.
1815 1815
1816 Fix 2009/02/26 1816 Fix 2009/02/26
1817 1817
1818 @ Fix profile read error. 1818 @ Fix profile read error.
1819 1819
1820 Incorrect profiles were shown in /proc/ 1820 Incorrect profiles were shown in /proc/ccs/profile
1821 if either CONFIG_SAKURA or CONFIG_TOMOY 1821 if either CONFIG_SAKURA or CONFIG_TOMOYO is disabled.
1822 1822
1823 Fix 2009/03/02 1823 Fix 2009/03/02
1824 1824
1825 @ Undelete CONFIG_TOMOYO_AUDIT option. 1825 @ Undelete CONFIG_TOMOYO_AUDIT option.
1826 1826
1827 While HDD-less systems can use profiles 1827 While HDD-less systems can use profiles with MAX_GRANT_LOG=0 and
1828 MAX_REJECT_LOG=0 , I undeleted CONFIG_T 1828 MAX_REJECT_LOG=0 , I undeleted CONFIG_TOMOYO_AUDIT option for saving
1829 memory used for /proc/ccs/grant_log and 1829 memory used for /proc/ccs/grant_log and /proc/ccs/reject_log interfaces.
1830 1830
1831 Fix 2009/03/13 1831 Fix 2009/03/13
1832 1832
1833 @ Show only profile entry names ever spec 1833 @ Show only profile entry names ever specified.
1834 1834
1835 Even if an administrator specifies only 1835 Even if an administrator specifies only COMMENT= and MAC_FOR_FILE=
1836 entries for /proc/ccs/profile , all ava 1836 entries for /proc/ccs/profile , all available profile entries are shown.
1837 This was designed to help administrator 1837 This was designed to help administrators to know what entries are
1838 available, but sometimes makes administ 1838 available, but sometimes makes administrators feel noisy because of
1839 entries showing default values. 1839 entries showing default values.
1840 1840
1841 Thus, I modified to show only profile e 1841 Thus, I modified to show only profile entry names ever specified.
1842 1842
1843 Fix 2009/03/18 1843 Fix 2009/03/18
1844 1844
1845 @ Add MAC_FOR_IOCTL functionality. 1845 @ Add MAC_FOR_IOCTL functionality.
1846 1846
1847 To be able to restrict ioctl() requests 1847 To be able to restrict ioctl() requests, I added MAC_FOR_IOCTL
1848 functionality. 1848 functionality.
1849 1849
1850 This functionality requires modificatio 1850 This functionality requires modification of ccs-patch-\*.diff .
1851 1851
1852 @ Use better name for socket's pathname. 1852 @ Use better name for socket's pathname.
1853 1853
1854 Until now, socket's pathname was repres 1854 Until now, socket's pathname was represented as "socket:[\$]" format
1855 where \$ is inode's number. But inode's 1855 where \$ is inode's number. But inode's number is useless for name based
1856 access control. Therefore, I modified t 1856 access control. Therefore, I modified to represent socket's pathname as
1857 "socket:[family=\$:type=\$:protocol=\$] 1857 "socket:[family=\$:type=\$:protocol=\$]" format.
1858 1858
1859 This will help administrator to control 1859 This will help administrator to control ioctl() against sockets more
1860 precisely. 1860 precisely.
1861 1861
1862 @ Fix misplaced ccs_capable() call. (onl 1862 @ Fix misplaced ccs_capable() call. (only 2.6.8-\* and 2.6.9-\*)
1863 1863
1864 Location to insert ccs_capable(TOMOYO_S 1864 Location to insert ccs_capable(TOMOYO_SYS_IOCTL) in sys_ioctl() was
1865 wrong since version 1.1 . 1865 wrong since version 1.1 .
1866 1866
1867 @ Insert ccs_check_ioctl_permission() cal 1867 @ Insert ccs_check_ioctl_permission() call.
1868 1868
1869 To make MAC_FOR_IOCTL functionality wor 1869 To make MAC_FOR_IOCTL functionality working, I inserted
1870 ccs_check_ioctl_permission() call into 1870 ccs_check_ioctl_permission() call into ccs-patch-\*.diff .
1871 1871
1872 Fix 2009/03/23 1872 Fix 2009/03/23
1873 1873
1874 @ Move sysctl()'s check from ccs-patch-\* 1874 @ Move sysctl()'s check from ccs-patch-\*.diff to fs/tomoyo_file.c .
1875 1875
1876 Since try_parse_table() in kernel/sysct 1876 Since try_parse_table() in kernel/sysctl.c is almost identical between
1877 all versions, I moved that function to 1877 all versions, I moved that function to fs/tomoyo_file.c .
1878 1878
1879 @ Relocate definitions and functions. 1879 @ Relocate definitions and functions.
1880 1880
1881 To reduce exposed symbols, I relocated 1881 To reduce exposed symbols, I relocated some definitions and functions.
1882 1882
1883 Fix 2009/03/24 1883 Fix 2009/03/24
1884 1884
1885 @ Add CONFIG_TOMOYO_BUILTIN_INITIALIZERS 1885 @ Add CONFIG_TOMOYO_BUILTIN_INITIALIZERS option.
1886 1886
1887 Some systems don't have /sbin/modprobe 1887 Some systems don't have /sbin/modprobe and /sbin/hotplug .
1888 Thus, I made these pathnames configurab 1888 Thus, I made these pathnames configurable.
1889 1889
1890 Version 1.6.7 2009/04/01 Feature enhancemen 1890 Version 1.6.7 2009/04/01 Feature enhancement release.
1891 1891
1892 Fix 2009/04/06 1892 Fix 2009/04/06
1893 1893
1894 @ Drop "undelete domain" command. 1894 @ Drop "undelete domain" command.
1895 1895
1896 I added "undelete domain" command on 20 1896 I added "undelete domain" command on 2007/01/19, but never used by policy
1897 management tools. The garbage collector 1897 management tools. The garbage collector I added on 2007/01/29 will
1898 automatically reuse memory and allow ad 1898 automatically reuse memory and allow administrators switch domain policy
1899 periodically, provided that the adminis 1899 periodically, provided that the administrator kills processes in old
1900 domains before recreating new domains w 1900 domains before recreating new domains with the same domainnames.
1901 1901
1902 Thus, I dropped "undelete domain" comma 1902 Thus, I dropped "undelete domain" command.
1903 1903
1904 @ Escape invalid characters in ccs_check_ 1904 @ Escape invalid characters in ccs_check_mount_permission2().
1905 1905
1906 ccs_check_mount_permission2() was passi 1906 ccs_check_mount_permission2() was passing unencoded strings to printk()
1907 and ccs_update_mount_acl() and ccs_chec 1907 and ccs_update_mount_acl() and ccs_check_supervisor(). This may cause
1908 /proc/ccs/system_policy and /proc/ccs/q 1908 /proc/ccs/system_policy and /proc/ccs/query to contain invalid
1909 characters within a string. 1909 characters within a string.
1910 1910
1911 Fix 2009/04/07 1911 Fix 2009/04/07
1912 1912
1913 @ Fix IPv4's "address_group" handling err 1913 @ Fix IPv4's "address_group" handling error.
1914 1914
1915 Since 1.6.5 , due to lack of ntohl() (b 1915 Since 1.6.5 , due to lack of ntohl() (byte order conversion) in
1916 ccs_update_address_group_entry(), "addr 1916 ccs_update_address_group_entry(), "address_group" with IPv4 address was
1917 not working. 1917 not working.
1918 1918
1919 This problem happens on little endian p 1919 This problem happens on little endian platforms (e.g. x86).
1920 1920
1921 Fix 2009/05/08 1921 Fix 2009/05/08
1922 1922
1923 @ Add condition for symlink's target path 1923 @ Add condition for symlink's target pathname.
1924 1924
1925 Until now, "allow_symlink" keyword allo 1925 Until now, "allow_symlink" keyword allows creation of a symlink but does
1926 not check the symlink's target. Usually 1926 not check the symlink's target. Usually it is no problem because
1927 permission checks are done using derefe 1927 permission checks are done using dereferenced pathname. But in some
1928 cases, we should restrict the symlink's 1928 cases, we should restrict the symlink's target. For example,
1929 "ln -s .htpasswd /var/www/html/readme.h 1929 "ln -s .htpasswd /var/www/html/readme.html" by CGI program should be
1930 blocked because we will allow Apache to 1930 blocked because we will allow Apache to read both
1931 /var/www/html/readme.html and /var/www/ 1931 /var/www/html/readme.html and /var/www/html/.htpasswd .
1932 1932
1933 Thus, I added new condition, "symlink.t 1933 Thus, I added new condition, "symlink.target".
1934 1934
1935 allow_symlink /var/www/html/\*.html i 1935 allow_symlink /var/www/html/\*.html if symlink.target="\*.html"
1936 1936
1937 allow_symlink /var/www/html/\*\-.\* i 1937 allow_symlink /var/www/html/\*\-.\* if symlink.target="\*\-.\*"
1938 1938
1939 @ Don't return -EAGAIN at ccs_socket_recv 1939 @ Don't return -EAGAIN at ccs_socket_recvmsg_permission().
1940 1940
1941 It turned out that it is not permitted 1941 It turned out that it is not permitted for accept() and recvmsg() to
1942 return -EAGAIN if poll() said connectio 1942 return -EAGAIN if poll() said connections/datagrams are ready. However,
1943 recvmsg() may return -EAGAIN and potent 1943 recvmsg() may return -EAGAIN and potentially confuse some applications
1944 because ccs_socket_recvmsg_permission() 1944 because ccs_socket_recvmsg_permission() is returning -EAGAIN.
1945 1945
1946 Thus, I modified ccs_socket_recvmsg_per 1946 Thus, I modified ccs_socket_recvmsg_permission() to return -ENOMEM
1947 rather than -EAGAIN. 1947 rather than -EAGAIN.
1948 1948
1949 Fix 2009/05/19 1949 Fix 2009/05/19
1950 1950
1951 @ Don't call get_fs_type() with a mutex h 1951 @ Don't call get_fs_type() with a mutex held.
1952 1952
1953 Until now, when ccs_update_mount_acl() 1953 Until now, when ccs_update_mount_acl() is called with unsupported
1954 filesystem, /sbin/modprobe is executed 1954 filesystem, /sbin/modprobe is executed from get_fs_type() to load
1955 filesystem module. And get_fs_type() do 1955 filesystem module. And get_fs_type() does not return until /sbin/modprobe
1956 finishes. 1956 finishes.
1957 1957
1958 This means that it will cause deadlock 1958 This means that it will cause deadlock if /sbin/modprobe (which is
1959 executed via get_fs_type() in ccs_updat 1959 executed via get_fs_type() in ccs_update_mount_acl()) calls
1960 ccs_update_mount_acl(); although it won 1960 ccs_update_mount_acl(); although it won't happen unless an administrator
1961 inserts execute_handler to call mount() 1961 inserts execute_handler to call mount() requests in learning mode or to
1962 add "allow_mount" entries to /proc/ccs/ 1962 add "allow_mount" entries to /proc/ccs/system_policy .
1963 1963
1964 I modified to unlock the mutex before c 1964 I modified to unlock the mutex before calling get_fs_type().
1965 1965
1966 Fix 2009/05/20 1966 Fix 2009/05/20
1967 1967
1968 @ Update recvmsg() hooks. 1968 @ Update recvmsg() hooks.
1969 1969
1970 Since 1.5.0, I was doing network access 1970 Since 1.5.0, I was doing network access control for incoming UDP and RAW
1971 packets inside skb_recv_datagram(). But 1971 packets inside skb_recv_datagram(). But to synchronize with LSM version,
1972 I moved ccs_recv_datagram_permission() 1972 I moved ccs_recv_datagram_permission() hook from skb_recv_datagram() to
1973 udp_recvmsg()/udpv6_recvmsg()/raw_recvm 1973 udp_recvmsg()/udpv6_recvmsg()/raw_recvmsg()/rawv6_recvmsg() with name
1974 change to ccs_recvmsg_permission(). 1974 change to ccs_recvmsg_permission().
1975 1975
1976 Version 1.6.8 2009/05/28 Feature enhancemen 1976 Version 1.6.8 2009/05/28 Feature enhancement release.
1977 1977
1978 Fix 2009/07/03 1978 Fix 2009/07/03
1979 1979
1980 @ Fix buffer overrun when used with CONFI 1980 @ Fix buffer overrun when used with CONFIG_SLOB=y .
1981 1981
1982 Since 1.6.7 , ccs_allocate_execve_entry 1982 Since 1.6.7 , ccs_allocate_execve_entry() was requesting for only 4000
1983 bytes while the comment says it is 4096 1983 bytes while the comment says it is 4096 bytes. This may lead to buffer
1984 overrun when slob allocator is used, fo 1984 overrun when slob allocator is used, for slob allocator allocates exactly
1985 4000 bytes whereas slab and slub alloca 1985 4000 bytes whereas slab and slub allocators allocate 4096 bytes.
1986 1986
1987 Fix 2009/09/01 1987 Fix 2009/09/01
1988 1988
1989 @ Add garbage collector support. 1989 @ Add garbage collector support.
1990 1990
1991 Until now, it was impossible to release 1991 Until now, it was impossible to release memory used by deleted policy.
1992 I added SRCU based garbage collector so 1992 I added SRCU based garbage collector so that memory used by deleted
1993 policy will be automatically released. 1993 policy will be automatically released.
1994 1994
1995 @ Remove word length limitation and line 1995 @ Remove word length limitation and line length limitation.
1996 1996
1997 Until now, the max length of a word is 1997 Until now, the max length of a word is 4000 and the max length of a line
1998 is 8192. To be able to handle longer pa 1998 is 8192. To be able to handle longer pathnames, I removed these
1999 limitations. Now, the max length (excep 1999 limitations. Now, the max length (except the domainname and
2000 argv[]/envp[]) is 128K (which is the ma 2000 argv[]/envp[]) is 128K (which is the max amount of memory kmalloc()
2001 can allocate in most environments). 2001 can allocate in most environments).
2002 2002
2003 @ Support more fine grained profile confi 2003 @ Support more fine grained profile configuration.
2004 2004
2005 Profile was reconstructed. 2005 Profile was reconstructed.
2006 2006
2007 @ Support more fine grained parameters re 2007 @ Support more fine grained parameters restrictions.
2008 2008
2009 "allow_create", "allow_mkdir", "allow_m 2009 "allow_create", "allow_mkdir", "allow_mkfifo", "allow_mksock" check
2010 create mode. "allow_mkblock" and "allow 2010 create mode. "allow_mkblock" and "allow_mkchar" check create mode and
2011 major/minor device numbers. "allow_chmo 2011 major/minor device numbers. "allow_chmod" check new mode. "allow_chown"
2012 checks new owner. "allow_chgrp" checks 2012 checks new owner. "allow_chgrp" checks new group.
2013 2013
2014 @ Allow number grouping. 2014 @ Allow number grouping.
2015 2015
2016 To help specifying numeric values, a ne 2016 To help specifying numeric values, a new directive "number_group" is
2017 introduced. 2017 introduced.
2018 2018
2019 @ Remove "alias" directive and "allow_arg 2019 @ Remove "alias" directive and "allow_argv0" directive.
2020 2020
2021 Until now, "allow_execute" used derefer 2021 Until now, "allow_execute" used dereferenced pathname if it is a symlink
2022 unless explicitly specified by "alias" 2022 unless explicitly specified by "alias" directive.
2023 2023
2024 Now, "allow_execute" uses symlink's pat 2024 Now, "allow_execute" uses symlink's pathname if it is a symlink.
2025 "exec.realpath" in "if" clause checks t 2025 "exec.realpath" in "if" clause checks the dereferenced pathname.
2026 "exec.argv[0]" in "if" clause checks th 2026 "exec.argv[0]" in "if" clause checks the invocation name.
2027 2027
2028 @ Remove /proc/ccs/system_policy and /etc 2028 @ Remove /proc/ccs/system_policy and /etc/ccs/system_policy.conf .
2029 2029
2030 "deny_autobind" was moved to /proc/ccs/ 2030 "deny_autobind" was moved to /proc/ccs/exception_policy and
2031 /etc/ccs/exception_policy.conf . Other 2031 /etc/ccs/exception_policy.conf . Other directives were moved to
2032 /proc/ccs/domain_policy and /etc/ccs/do 2032 /proc/ccs/domain_policy and /etc/ccs/domain_policy.conf .
2033 2033
2034 @ Remove syaoran filesystem. 2034 @ Remove syaoran filesystem.
2035 2035
2036 Since "allow_create"/"allow_mkdir"/"all 2036 Since "allow_create"/"allow_mkdir"/"allow_mkfifo"/"allow_mksock"/
2037 "allow_mkblock"/"allow_mkchar"/"allow_c 2037 "allow_mkblock"/"allow_mkchar"/"allow_chmod"/"allow_chown"/"allow_chgrp"
2038 can restrict mode changes and owner/gro 2038 can restrict mode changes and owner/group changes, there is no need to
2039 restrict these changes at filesystem le 2039 restrict these changes at filesystem level.
2040 2040
2041 Thus, I removed syaoran filesystem. 2041 Thus, I removed syaoran filesystem.
2042 2042
2043 @ Reduce spinlocks. 2043 @ Reduce spinlocks.
2044 2044
2045 Until now, TOMOYO was using own list fo 2045 Until now, TOMOYO was using own list for detecting memory leak. But as
2046 kernel 2.6.31 introduced memory leak de 2046 kernel 2.6.31 introduced memory leak detection mechanism
2047 ( CONFIG_DEBUG_KMEMLEAK ), TOMOYO no lo 2047 ( CONFIG_DEBUG_KMEMLEAK ), TOMOYO no longer needs to use own list.
2048 2048
2049 I removed the list to reduce use of spi 2049 I removed the list to reduce use of spinlocks.
2050 2050
2051 @ Rewrite ccs-patch-2.\*.diff . 2051 @ Rewrite ccs-patch-2.\*.diff .
2052 2052
2053 ccs-patch-2.\*.diff was rewritten like 2053 ccs-patch-2.\*.diff was rewritten like LSM hooks.
2054 2054
2055 @ Don't check "allow_read/write" for open 2055 @ Don't check "allow_read/write" for open-for-ioctl-only.
2056 2056
2057 open(pathname, 3) means open for ioctl( 2057 open(pathname, 3) means open for ioctl() only.
2058 Until now, TOMOYO was checking "allow_r 2058 Until now, TOMOYO was checking "allow_read/write" for open(pathname, 3).
2059 But since TOMOYO checks "allow_ioctl" f 2059 But since TOMOYO checks "allow_ioctl" for ioctl(), I modified not to
2060 require "allow_read/write" for open(pat 2060 require "allow_read/write" for open(pathname, 3).
2061 2061
2062 @ Add missing sigqueue() and tgsigqueue() 2062 @ Add missing sigqueue() and tgsigqueue() hooks.
2063 2063
2064 Until now, kill(), tkill(), tgkill() ha 2064 Until now, kill(), tkill(), tgkill() had hooks but sigqueue() and
2065 tgsigqueue() didn't. 2065 tgsigqueue() didn't.
2066 2066
2067 @ Move files from fs/ to security/ccsecur 2067 @ Move files from fs/ to security/ccsecurity.
2068 2068
2069 Config menu section changed from "File 2069 Config menu section changed from "File systems" to "Security options".
2070 2070
2071 Kernel config symbols changed from CONF 2071 Kernel config symbols changed from CONFIG_SAKURA CONFIG_TOMOYO
2072 CONFIG_SYAORAN to CONFIG_CCSECURITY . 2072 CONFIG_SYAORAN to CONFIG_CCSECURITY .
2073 2073
2074 @ Add global PID to audit logs. 2074 @ Add global PID to audit logs.
2075 2075
2076 ccs-queryd was using domainname for rea 2076 ccs-queryd was using domainname for reaching the domain which the process
2077 belongs to, but the domain could be del 2077 belongs to, but the domain could be deleted while ccs-queryd is handling
2078 policy violation. If the domain is dele 2078 policy violation. If the domain is deleted, ccs-queryd no longer can
2079 reach the domain by domainname. Thus, c 2079 reach the domain by domainname. Thus, ccs-queryd now uses PID for
2080 reaching the domain which the process b 2080 reaching the domain which the process belongs to.
2081 2081
2082 Kernel 2.6.24 introduced PID namespace. 2082 Kernel 2.6.24 introduced PID namespace. The PID in access logs generated
2083 by a process inside a container is usel 2083 by a process inside a container is useless for ccs-queryd for reaching
2084 the domain which the process belongs to 2084 the domain which the process belongs to.
2085 2085
2086 Thus, I added global PID in audit logs. 2086 Thus, I added global PID in audit logs.
2087 2087
2088 @ Transit to new domain before do_execve( 2088 @ Transit to new domain before do_execve() succeeds.
2089 2089
2090 Permission checks for interpreters and 2090 Permission checks for interpreters and environment variables are
2091 done using new domain. In order to allo 2091 done using new domain. In order to allow ccs-queryd to reach the new
2092 domain via global PID, I reverted "Don' 2092 domain via global PID, I reverted "Don't transit to new domain until
2093 do_execve() succeeds." made on 2008/10/ 2093 do_execve() succeeds." made on 2008/10/07.
2094 2094
2095 Version 1.7.0 2009/09/03 Feature enhancemen 2095 Version 1.7.0 2009/09/03 Feature enhancement release.
2096 2096
2097 Fix 2009/09/04 2097 Fix 2009/09/04
2098 2098
2099 @ Fix wrong ccs_profile() calls. 2099 @ Fix wrong ccs_profile() calls.
2100 2100
2101 I can't call ccs_profile() for profile 2101 I can't call ccs_profile() for profile existence test because
2102 ccs_profile() never returns NULL. 2102 ccs_profile() never returns NULL.
2103 2103
2104 Fix 2009/09/06 2104 Fix 2009/09/06
2105 2105
2106 @ Fix wrong error code in ccs_try_alt_exe 2106 @ Fix wrong error code in ccs_try_alt_exec().
2107 2107
2108 ccs_try_alt_exec() was returning ENOMEM 2108 ccs_try_alt_exec() was returning ENOMEM when kmalloc() failed.
2109 It needs to return -ENOMEM to fail. 2109 It needs to return -ENOMEM to fail.
2110 2110
2111 Fix 2009/09/10 2111 Fix 2009/09/10
2112 2112
2113 @ Do not check umount() permission for mo 2113 @ Do not check umount() permission for mount(MS_MOVE) requests.
2114 2114
2115 Until 1.6.x , umount() restriction was 2115 Until 1.6.x , umount() restriction was black listing. In 1.7.0 , it is
2116 white listing. This change caused "moun 2116 white listing. This change caused "mount --move old new" requests to
2117 require "allow_unmount old" permission 2117 require "allow_unmount old" permission in addition to
2118 "allow_mount old new --move 0" permissi 2118 "allow_mount old new --move 0" permission.
2119 But we don't want to allow umount(old) 2119 But we don't want to allow umount(old) requests when we want to allow
2120 only mount(old, new, MS_MOVE) requests. 2120 only mount(old, new, MS_MOVE) requests. Thus, I modified not to check
2121 "allow_unmount old" permission for moun 2121 "allow_unmount old" permission for mount(old, new, MS_MOVE) requests.
2122 2122
2123 Fix 2009/09/11 2123 Fix 2009/09/11
2124 2124
2125 @ Support recursive match operators. 2125 @ Support recursive match operators.
2126 2126
2127 Until now, ccs_path_matches_pattern() d 2127 Until now, ccs_path_matches_pattern() did not support recursive
2128 comparison. Thus, users had to repeat " 2128 comparison. Thus, users had to repeat "/\*" when they want to specify
2129 recursively. 2129 recursively.
2130 2130
2131 I introduced "\{" and "\}" as repetitio 2131 I introduced "\{" and "\}" as repetition operator.
2132 To ensure consistency with TOMOYO's '/' 2132 To ensure consistency with TOMOYO's '/'-tokenized pattern matching rules
2133 and "\-" operator, only "/\{dir\}/" seq 2133 and "\-" operator, only "/\{dir\}/" sequences (where dir does not contain
2134 '/') is permitted. 2134 '/') is permitted.
2135 2135
2136 Fix 2009/09/24 2136 Fix 2009/09/24
2137 2137
2138 @ Don't check chmod/chown capability for 2138 @ Don't check chmod/chown capability for requests from kernel.
2139 2139
2140 Until now, ccs_setattr_permission() was 2140 Until now, ccs_setattr_permission() was inserted in notify_change().
2141 But notify_change() is also called by r 2141 But notify_change() is also called by requests from kernel (e.g. UnionFS)
2142 and it made difficult to use TOMOYO on 2142 and it made difficult to use TOMOYO on UnionFS.
2143 2143
2144 Thus, I moved ccs_capable() checks from 2144 Thus, I moved ccs_capable() checks from ccs_setattr_permission() to
2145 ccs_chmod_permission() and ccs_chown_pe 2145 ccs_chmod_permission() and ccs_chown_permission(), and removed
2146 ccs_setattr_permission(). 2146 ccs_setattr_permission().
2147 2147
2148 Fix 2009/09/25 2148 Fix 2009/09/25
2149 2149
2150 @ Embed more information into audit logs. 2150 @ Embed more information into audit logs.
2151 2151
2152 Until now, /proc/ccs/grant_log /proc/cc 2152 Until now, /proc/ccs/grant_log /proc/ccs/reject_log /proc/ccs/query were
2153 not printing file's information (e.g. f 2153 not printing file's information (e.g. file's uid/gid/mode).
2154 2154
2155 Recently, users who started using "if" 2155 Recently, users who started using "if" clause expect that the learning
2156 mode automatically adds various conditi 2156 mode automatically adds various conditions like "if task.uid=path1.uid".
2157 2157
2158 But the profile will become too complic 2158 But the profile will become too complicated if I support all possible
2159 conditions. Thus, I added all informati 2159 conditions. Thus, I added all information which is enough to generate
2160 "if" clause with all possible condition 2160 "if" clause with all possible conditions from audit logs.
2161 2161
2162 Now, the learning mode got different us 2162 Now, the learning mode got different usage. Users can specify
2163 "CONFIG::learning={ max_entry=0 }" in t 2163 "CONFIG::learning={ max_entry=0 }" in the profile. All requests which
2164 are not permitted by policy will be sen 2164 are not permitted by policy will be sent to /proc/ccs/reject_log with
2165 "mode=learning" header lines. Users can 2165 "mode=learning" header lines. Users can selectively append conditions
2166 and append to the policy using "/usr/sb 2166 and append to the policy using "/usr/sbin/ccs-loadpolicy -d".
2167 The learning mode with "CONFIG::learnin 2167 The learning mode with "CONFIG::learning={ max_entry=0 }" is almost
2168 the same with the permissive mode, only 2168 the same with the permissive mode, only difference is "mode=learning"
2169 and "mode=permissive". 2169 and "mode=permissive".
2170 2170
2171 Fix 2009/10/05 2171 Fix 2009/10/05
2172 2172
2173 @ Fix size truncation bug at ccs_memcmp() 2173 @ Fix size truncation bug at ccs_memcmp().
2174 2174
2175 ccs_memcmp() was using "u8" for size pa 2175 ccs_memcmp() was using "u8" for size parameter by error. Therefore, when
2176 size >= 256 was passed to ccs_memcmp(), 2176 size >= 256 was passed to ccs_memcmp(), it was doing partial comparison
2177 (incorrect result) or read overrun (CPU 2177 (incorrect result) or read overrun (CPU stall).
2178 2178
2179 ccs_memcmp() should use "size_t" for si 2179 ccs_memcmp() should use "size_t" for size parameter because size of
2180 "struct ccs_condition" may exceed 256 b 2180 "struct ccs_condition" may exceed 256 bytes if complicated condition was
2181 given. 2181 given.
2182 2182
2183 Fix 2009/10/08 2183 Fix 2009/10/08
2184 2184
2185 @ Add CONFIG_CCSECURITY_DEFAULT_LOADER op 2185 @ Add CONFIG_CCSECURITY_DEFAULT_LOADER option.
2186 2186
2187 I made the default policy loader's path 2187 I made the default policy loader's pathname ( /sbin/ccs-init )
2188 configurable. 2188 configurable.
2189 2189
2190 @ Add CONFIG_CCSECURITY_ALTERNATIVE_TRIGG 2190 @ Add CONFIG_CCSECURITY_ALTERNATIVE_TRIGGER option.
2191 2191
2192 Some environments do not have /sbin/ini 2192 Some environments do not have /sbin/init . In such environments, we need
2193 to use different program's pathname (e. 2193 to use different program's pathname (e.g. /init or /linuxrc ) as
2194 activation trigger. 2194 activation trigger.
2195 2195
2196 Thus, I made the alternative trigger ( 2196 Thus, I made the alternative trigger ( /sbin/ccs-start ) configurable.
2197 2197
2198 Fix 2009/11/02 2198 Fix 2009/11/02
2199 2199
2200 @ Fix buffer contention. 2200 @ Fix buffer contention.
2201 2201
2202 A permission like 2202 A permission like
2203 2203
2204 allow_env PATH if exec.envp["PATH"]=" 2204 allow_env PATH if exec.envp["PATH"]="/"
2205 2205
2206 was not working since I was using the s 2206 was not working since I was using the same buffer for both environment
2207 variable's name and value. 2207 variable's name and value.
2208 2208
2209 Fix 2009/11/03 2209 Fix 2009/11/03
2210 2210
2211 @ Fix memory leak in ccs_write_address_gr 2211 @ Fix memory leak in ccs_write_address_group_policy().
2212 2212
2213 I forgot to call kfree() if same entry 2213 I forgot to call kfree() if same entry was added.
2214 2214
2215 @ Reduce mutexes. 2215 @ Reduce mutexes.
2216 2216
2217 I was using mutex_lock()/mutex_unlock() 2217 I was using mutex_lock()/mutex_unlock() so that I can use
2218 atomic_dec_and_test() for removing an e 2218 atomic_dec_and_test() for removing an element from a list.
2219 I moved that operation to garbage colle 2219 I moved that operation to garbage collector in order to reduce frequency
2220 of mutex_lock()/mutex_unlock() calls. 2220 of mutex_lock()/mutex_unlock() calls.
2221 2221
2222 @ Escape from nested loops correctly. 2222 @ Escape from nested loops correctly.
2223 2223
2224 In ccs_read_address_group_policy(), I w 2224 In ccs_read_address_group_policy(), I was escaping from nested loops
2225 correctly. But in ccs_read_path_group_p 2225 correctly. But in ccs_read_path_group_policy() and
2226 ccs_read_number_group_policy(), I wasn' 2226 ccs_read_number_group_policy(), I wasn't.
2227 2227
2228 As a result, reading path_group and num 2228 As a result, reading path_group and number_group caused kernel oops
2229 when they were not read atomically. 2229 when they were not read atomically.
2230 2230
2231 Fix 2009/11/06 2231 Fix 2009/11/06
2232 2232
2233 @ Fix incorrect allow_mount audit log. 2233 @ Fix incorrect allow_mount audit log.
2234 2234
2235 Audit log for allow_mount was using dec 2235 Audit log for allow_mount was using decimal format.
2236 It needs to use hexadecimal format. 2236 It needs to use hexadecimal format.
2237 2237
2238 Fix 2009/11/09 2238 Fix 2009/11/09
2239 2239
2240 @ Add profile version check. 2240 @ Add profile version check.
2241 2241
2242 To avoid upgrading from TOMOYO 1.6.x to 2242 To avoid upgrading from TOMOYO 1.6.x to TOMOYO 1.7.x without upgrading
2243 /proc/ccs/profile (which results in not 2243 /proc/ccs/profile (which results in not protecting the system at all),
2244 I added a check for PROFILE_VERSION= . 2244 I added a check for PROFILE_VERSION= .
2245 2245
2246 Version 1.7.1 2009/11/11 Fourth anniversary 2246 Version 1.7.1 2009/11/11 Fourth anniversary release.
2247 2247
2248 Fix 2009/11/13 2248 Fix 2009/11/13
2249 2249
2250 @ Don't use core_initcall() for initializ 2250 @ Don't use core_initcall() for initializing lock for GC.
2251 2251
2252 Some kernels call TOMOYO's hooks before 2252 Some kernels call TOMOYO's hooks before processing core_initcall().
2253 Thus, I can't use core_initcall() for in 2253 Thus, I can't use core_initcall() for initializing lock for GC.
2254 2254
2255 Fix 2009/11/18 2255 Fix 2009/11/18
2256 2256
2257 @ Don't check "allow_write" permission fo 2257 @ Don't check "allow_write" permission for open(O_RDONLY | O_TRUNC).
2258 2258
2259 Since TOMOYO checks "allow_truncate" pe 2259 Since TOMOYO checks "allow_truncate" permission rather than "allow_write"
2260 permission for O_TRUNC, I need to disti 2260 permission for O_TRUNC, I need to distinguish open(O_RDONLY | O_TRUNC)
2261 and open(O_RDWR | O_TRUNC). But I made 2261 and open(O_RDWR | O_TRUNC). But I made a mistake between TOMOYO 1.7.0 and
2262 1.7.1 which made it impossible for TOMO 2262 1.7.1 which made it impossible for TOMOYO for kernels 2.6.14 and earlier
2263 to distinguish them. 2263 to distinguish them.
2264 2264
2265 Fix 2009/11/27 2265 Fix 2009/11/27
2266 2266
2267 @ Use newly created domain's name for dom 2267 @ Use newly created domain's name for domain creation audit log.
2268 2268
2269 Since 1.7.0 , /proc/ccs/reject_log was 2269 Since 1.7.0 , /proc/ccs/reject_log was by error using existing domain's
2270 name when auditing newly created domain 2270 name when auditing newly created domain's "use_profile" line.
2271 2271
2272 Fix 2009/12/12 2272 Fix 2009/12/12
2273 2273
2274 @ Use rcu_read_lock() for find_task_by_pi 2274 @ Use rcu_read_lock() for find_task_by_pid().
2275 2275
2276 Since kernel 2.6.18 , caller of find_ta 2276 Since kernel 2.6.18 , caller of find_task_by_pid() needs to call
2277 rcu_read_lock() rather than read_lock(& 2277 rcu_read_lock() rather than read_lock(&tasklist_lock) because find_pid()
2278 uses RCU primitives but spinlock does n 2278 uses RCU primitives but spinlock does not prevent RCU callback if
2279 preemptive RCU ( CONFIG_PREEMPT_RCU or 2279 preemptive RCU ( CONFIG_PREEMPT_RCU or CONFIG_TREE_PREEMPT_RCU ) is
2280 enabled. 2280 enabled.
2281 2281
2282 Fix 2009/12/15 2282 Fix 2009/12/15
2283 2283
2284 @ Allow deleting "quota_exceeded" and "tr 2284 @ Allow deleting "quota_exceeded" and "transition_failed" entries.
2285 2285
2286 To notify users of "this domain has too 2286 To notify users of "this domain has too many entries to hold" and "some
2287 process in this domain was not able to 2287 process in this domain was not able to perform domain transition",
2288 "quota_exceeded" and "transition_failed 2288 "quota_exceeded" and "transition_failed" messages are used respectively.
2289 These messages were not deletable. But 2289 These messages were not deletable. But it is more convenient for users
2290 to be notified again if such events occ 2290 to be notified again if such events occurred again after tuning policy.
2291 Thus, I made these messages deletable. 2291 Thus, I made these messages deletable.
2292 2292
2293 Fix 2009/12/17 2293 Fix 2009/12/17
2294 2294
2295 @ Don't check read permission in ccs_try_ 2295 @ Don't check read permission in ccs_try_alt_exec().
2296 2296
2297 While I was trying to remove ccs_execve 2297 While I was trying to remove ccs_execve_list list for GC optimization
2298 between TOMOYO 1.7.0 and 1.7.1 , I made 2298 between TOMOYO 1.7.0 and 1.7.1 , I made a mistake which made TOMOYO to
2299 check allow_read permission of the prog 2299 check allow_read permission of the programs specified by execute_handler
2300 and denied_execute_handler keywords. 2300 and denied_execute_handler keywords.
2301 2301
2302 @ Don't check DAC permission if disabled 2302 @ Don't check DAC permission if disabled mode.
2303 2303
2304 I was checking DAC permissions regardin 2304 I was checking DAC permissions regarding directory entry modification
2305 operations (e.g. mkdir()) even if mode= 2305 operations (e.g. mkdir()) even if mode=disabled . It is a waste of CPU
2306 resource to check DAC permissions when 2306 resource to check DAC permissions when MAC permissions are not checked.
2307 Thus, I modified to skip DAC permission 2307 Thus, I modified to skip DAC permission checks if mode=disabled .
2308 2308
2309 Fix 2009/12/19 2309 Fix 2009/12/19
2310 2310
2311 @ Fix memory leak in ccs_environ(). 2311 @ Fix memory leak in ccs_environ().
2312 2312
2313 When I fixed a bug that a permission li 2313 When I fixed a bug that a permission like
2314 2314
2315 allow_env PATH if exec.envp["PATH"]=" 2315 allow_env PATH if exec.envp["PATH"]="/"
2316 2316
2317 was not working (2009/11/02), I allocat 2317 was not working (2009/11/02), I allocated two buffers but only one buffer
2318 was released. 2318 was released.
2319 2319
2320 This bug will trigger OOM killer if env 2320 This bug will trigger OOM killer if environment variable checking is
2321 enabled. 2321 enabled.
2322 2322
2323 Fix 2010/01/17 2323 Fix 2010/01/17
2324 2324
2325 @ Use current domain's name for execute_h 2325 @ Use current domain's name for execute_handler audit log.
2326 2326
2327 Since 1.6.7 , /proc/ccs/grant_log was b 2327 Since 1.6.7 , /proc/ccs/grant_log was by error using next domain's name
2328 when auditing current domain's "execute 2328 when auditing current domain's "execute_handler" line.
2329 2329
2330 Fix 2010/03/02 2330 Fix 2010/03/02
2331 2331
2332 @ Allow domain transition without execve( 2332 @ Allow domain transition without execve().
2333 2333
2334 To be able to split permissions for Apa 2334 To be able to split permissions for Apache's CGI programs which are
2335 executed without execve(), I added spec 2335 executed without execve(), I added special domain transition which is
2336 performed by atomically writing '\0'-te 2336 performed by atomically writing '\0'-terminated binary string to
2337 /proc/ccs/.transition interface. For ex 2337 /proc/ccs/.transition interface. For example, a process which belongs to
2338 "<kernel> /usr/sbin/httpd" domain will 2338 "<kernel> /usr/sbin/httpd" domain will transit to
2339 "<kernel> /usr/sbin/httpd //app=cgi1\04 2339 "<kernel> /usr/sbin/httpd //app=cgi1\040id=10000" domain by atomically
2340 writing "app=cgi1 id=10000" + '\0' to / 2340 writing "app=cgi1 id=10000" + '\0' to /proc/ccs/.transition using
2341 Apache's ap_hook_handler() functionalit 2341 Apache's ap_hook_handler() functionality.
2342 2342
2343 Note that '\0'-terminated binary string 2343 Note that '\0'-terminated binary string is converted to TOMOYO's string
2344 inside kernel and prefix "//" is automa 2344 inside kernel and prefix "//" is automatically added to the string so
2345 that domainname does not conflict with 2345 that domainname does not conflict with domainnames created by execve().
2346 Without this prefix, if "<kernel> /usr/ 2346 Without this prefix, if "<kernel> /usr/sbin/sshd /bin/bash" domain is
2347 allowed to open /proc/ccs/.transition f 2347 allowed to open /proc/ccs/.transition for writing and
2348 "<kernel> /usr/sbin/sshd /bin/bash /usr 2348 "<kernel> /usr/sbin/sshd /bin/bash /usr/bin/passwd" domain is allowed to
2349 access /etc/shadow , /bin/bash will be 2349 access /etc/shadow , /bin/bash will be able to access /etc/shadow by
2350 atomically writing "/usr/bin/passwd" + 2350 atomically writing "/usr/bin/passwd" + '\0' to /proc/ccs/.transition .
2351 Allowing /bin/bash to access /etc/shado 2351 Allowing /bin/bash to access /etc/shadow is not what people want.
2352 2352
2353 Permission for this operation is checke 2353 Permission for this operation is checked by "allow_transit" keyword.
2354 Unlike "allow_execute" keyword, the str 2354 Unlike "allow_execute" keyword, the string parameter for "allow_transit"
2355 keyword does not refer a real file on f 2355 keyword does not refer a real file on filesystem's namespace. Therefore,
2356 you can store any combination of parame 2356 you can store any combination of parameters like LDAP's DN entry in the
2357 string parameter for "allow_transit" ke 2357 string parameter for "allow_transit" keyword.
2358 2358
2359 Fix 2010/03/08 2359 Fix 2010/03/08
2360 2360
2361 @ Allow building as loadable kernel modul 2361 @ Allow building as loadable kernel module.
2362 2362
2363 To be able to minimize filesize increme 2363 To be able to minimize filesize increment of vmlinux, I made it
2364 possible to compile TOMOYO Linux as loa 2364 possible to compile TOMOYO Linux as loadable kernel module.
2365 Although patching the kernel source and 2365 Although patching the kernel source and recompiling the kernel are
2366 inevitable, this change will make it ea 2366 inevitable, this change will make it easier to enable TOMOYO Linux
2367 when there is a filesize limitation on 2367 when there is a filesize limitation on vmlinux (e.g. embedded systems).
2368 2368
2369 Fix 2010/03/25 2369 Fix 2010/03/25
2370 2370
2371 @ Fix ccs_get_ipv6_address() bug. 2371 @ Fix ccs_get_ipv6_address() bug.
2372 2372
2373 Since 1.7.0 , ccs_get_ipv6_address() wa 2373 Since 1.7.0 , ccs_get_ipv6_address() was by error returning address of
2374 "struct list_head ccs_address_list" if 2374 "struct list_head ccs_address_list" if memory allocation failed.
2375 As a result, ccs_put_ipv6_address() wil 2375 As a result, ccs_put_ipv6_address() will modify memory near
2376 "struct list_head ccs_address_list" if 2376 "struct list_head ccs_address_list" if memory allocation failed.
2377 2377
2378 Fix 2010/03/26 2378 Fix 2010/03/26
2379 2379
2380 @ Fix ccs_lport_reserved() bug. 2380 @ Fix ccs_lport_reserved() bug.
2381 2381
2382 Since 1.7.0 , ccs_lport_reserved() was 2382 Since 1.7.0 , ccs_lport_reserved() was by error checking wrong port
2383 number. As a result, "deny_autobind" ke 2383 number. As a result, "deny_autobind" keyword was not working as expected.
2384 2384
2385 Version 1.7.2 2010/04/01 Feature enhancemen 2385 Version 1.7.2 2010/04/01 Feature enhancement release.
2386 2386
2387 Fix 2010/04/10 2387 Fix 2010/04/10
2388 2388
2389 @ Fix invalid "struct nameidata" to "stru 2389 @ Fix invalid "struct nameidata" to "struct path" conversion macro.
2390 2390
2391 Regarding kernels 2.6.24 and earlier, I 2391 Regarding kernels 2.6.24 and earlier, I was converting "struct nameidata"
2392 to "struct path" in caller side so that 2392 to "struct path" in caller side so that I can unify the callee function's
2393 parameter type. But it turned out that 2393 parameter type. But it turned out that the macro I used did not follow C
2394 standards and did not work with gcc 4.x 2394 standards and did not work with gcc 4.x . As a result, "allow_pivot_root"
2395 keyword was not working as expected. 2395 keyword was not working as expected.
2396 2396
2397 Fix 2010/05/05 2397 Fix 2010/05/05
2398 2398
2399 @ Fix incorrect audit on/off control. 2399 @ Fix incorrect audit on/off control.
2400 2400
2401 The grant_log= and reject_log= paramete 2401 The grant_log= and reject_log= parameters of CONFIG::misc::env were not
2402 used because I forgot to update request 2402 used because I forgot to update request type. As a result, those of
2403 CONFIG::file::execute were used for CON 2403 CONFIG::file::execute were used for CONFIG::misc::env .
2404 2404
2405 Those of CONFIG::file::rewrite were not 2405 Those of CONFIG::file::rewrite were not used because I forgot to update
2406 request type. As a result, those of CON 2406 request type. As a result, those of CONFIG::file::truncate were used for
2407 CONFIG::file::rewrite . 2407 CONFIG::file::rewrite .
2408 2408
2409 Fix 2010/05/10 2409 Fix 2010/05/10
2410 2410
2411 @ Fix incorrect out of memory warning. 2411 @ Fix incorrect out of memory warning.
2412 2412
2413 Out of memory warnings were not printed 2413 Out of memory warnings were not printed in some cases by error.
2414 2414
2415 Fix 2010/05/27 2415 Fix 2010/05/27
2416 2416
2417 @ Add missing rcu_dereference() for ccs_f 2417 @ Add missing rcu_dereference() for ccs_find_execute_handler().
2418 2418
2419 Since 1.7.0 , ccs_find_execute_handler( 2419 Since 1.7.0 , ccs_find_execute_handler() was by error using
2420 list_for_each_entry() rather than list_ 2420 list_for_each_entry() rather than list_for_each_entry_rcu().
2421 This bug affects only Alpha architectur 2421 This bug affects only Alpha architecture.
2422 2422
2423 Fix 2010/06/03 2423 Fix 2010/06/03
2424 2424
2425 @ Fix missing sanity check for "file_patt 2425 @ Fix missing sanity check for "file_pattern".
2426 2426
2427 Since 1.7.0 , ccs_write_pattern_policy( 2427 Since 1.7.0 , ccs_write_pattern_policy() was by error accepting
2428 invalid pathname. 2428 invalid pathname.
2429 2429
2430 Fix 2010/06/09 2430 Fix 2010/06/09
2431 2431
2432 @ Add missing ccs_put_name() in ccs_parse 2432 @ Add missing ccs_put_name() in ccs_parse_envp().
2433 2433
2434 Since 1.7.0 , ccs_parse_envp() was not 2434 Since 1.7.0 , ccs_parse_envp() was not calling ccs_put_name() if
2435 environment variable's value ('if exec. 2435 environment variable's value ('if exec.envp["name"]="value"' condition)
2436 was invalid. 2436 was invalid.
2437 2437
2438 @ Add missing NULL check in ccs_condition 2438 @ Add missing NULL check in ccs_condition().
2439 2439
2440 Since 1.7.0 , if 'if symlink.target=' p 2440 Since 1.7.0 , if 'if symlink.target=' part was given against non-file
2441 permissions (e.g. allow_env PATH if sym 2441 permissions (e.g. allow_env PATH if symlink.target="/"), it triggered
2442 NULL pointer dereference. 2442 NULL pointer dereference.
2443 2443
2444 Fix 2010/10/28 2444 Fix 2010/10/28
2445 2445
2446 @ Fix umount() pathname calculation. 2446 @ Fix umount() pathname calculation.
2447 2447
2448 "mount --bind /path/to/file1 /path/to/f 2448 "mount --bind /path/to/file1 /path/to/file2" is legal.
2449 Therefore, "umount /path/to/file2" is a 2449 Therefore, "umount /path/to/file2" is also legal.
2450 Do not automatically append trailing '/ 2450 Do not automatically append trailing '/' if pathname to be unmounted
2451 does not end with '/'. 2451 does not end with '/'.
2452 2452
2453 @ Add preserve KABI compatibility option. 2453 @ Add preserve KABI compatibility option. (2.6 kernels only)
2454 2454
2455 TOMOYO needs "struct ccs_domain_info *" 2455 TOMOYO needs "struct ccs_domain_info *" and "u32" for each
2456 "struct task_struct". But embedding the 2456 "struct task_struct". But embedding these variables into
2457 "struct task_struct" breaks KABI for pr 2457 "struct task_struct" breaks KABI for prebuilt kernel modules (which
2458 means that you will need to rebuild pre 2458 means that you will need to rebuild prebuilt kernel modules).
2459 2459
2460 Since KABI is commonly used (compared t 2460 Since KABI is commonly used (compared to 5 years ago), asking users to
2461 rebuild kernel modules which are not in 2461 rebuild kernel modules which are not included in kernel package is no
2462 longer preferable. Therefore, I added a 2462 longer preferable. Therefore, I added a new option that keeps
2463 "struct task_struct" unmodified in orde 2463 "struct task_struct" unmodified in order to keep KABI.
2464 2464
2465 Note that you have to use ccs-patch-2.6 2465 Note that you have to use ccs-patch-2.6.\*.diff which patches
2466 kernel/fork.c in order to use this opti 2466 kernel/fork.c in order to use this option. Otherwise, TOMOYO will leak
2467 memory whenever "struct task_struct" is 2467 memory whenever "struct task_struct" is released.
2468 2468
2469 @ Change directives. 2469 @ Change directives.
2470 2470
2471 I removed "allow_" prefix from directiv 2471 I removed "allow_" prefix from directives. New directives for files are
2472 prefixed with "file ". For example, "al 2472 prefixed with "file ". For example, "allow_read" changed to "file read",
2473 "allow_ioctl" changed to "file ioctl". 2473 "allow_ioctl" changed to "file ioctl". New directive for "allow_network
2474 TCP" is "network inet stream", "allow_n 2474 TCP" is "network inet stream", "allow_network UDP" is "network inet
2475 dgram", "allow_network RAW" is "network 2475 dgram", "allow_network RAW" is "network inet raw". New directive for
2476 "allow_env" is "misc env". New directiv 2476 "allow_env" is "misc env". New directive for "allow_signal" is "ipc
2477 signal". New directive for "allow_capab 2477 signal". New directive for "allow_capability" is "capability". These new
2478 directives correspond with keywords use 2478 directives correspond with keywords used by profile's CONFIG lines.
2479 2479
2480 I removed "deny_rewrite" and "allow_rew 2480 I removed "deny_rewrite" and "allow_rewrite" directives and introduced
2481 "file append" directive. Thus, permissi 2481 "file append" directive. Thus, permission for open(O_WRONLY | O_APPEND)
2482 changed from "allow_write" + "allow_rew 2482 changed from "allow_write" + "allow_rewrite" to "file append".
2483 2483
2484 I removed "SYS_MOUNT", "SYS_UMOUNT", "S 2484 I removed "SYS_MOUNT", "SYS_UMOUNT", "SYS_CHROOT", "SYS_KILL",
2485 "SYS_LINK", "SYS_SYMLINK", "SYS_RENAME" 2485 "SYS_LINK", "SYS_SYMLINK", "SYS_RENAME", "SYS_UNLINK", "SYS_CHMOD",
2486 "SYS_CHOWN", "SYS_IOCTL", "SYS_PIVOT_RO 2486 "SYS_CHOWN", "SYS_IOCTL", "SYS_PIVOT_ROOT" keywords from capabilities
2487 because these permissions can be checke 2487 because these permissions can be checked by other directives (e.g.
2488 "file mount", "ipc signal"). 2488 "file mount", "ipc signal").
2489 2489
2490 I also removed "conceal_mount" keyword 2490 I also removed "conceal_mount" keyword from capabilities because this
2491 check requires hooks in filesystem part 2491 check requires hooks in filesystem part while almost all hooks for
2492 filesystem part have moved to LSM by Li 2492 filesystem part have moved to LSM by Linux 2.6.34.
2493 2493
2494 New directive for "execute_handler" is 2494 New directive for "execute_handler" is "task auto_execute_handler",
2495 "denied_execute_handler" is "task denie 2495 "denied_execute_handler" is "task denied_execute_handler".
2496 2496
2497 @ Distinguish send() and recv() operation 2497 @ Distinguish send() and recv() operations.
2498 2498
2499 Until now, it was impossible for UDP an 2499 Until now, it was impossible for UDP and IP sockets to allow either
2500 only sending or only receiving because 2500 only sending or only receiving because permissions were aggregated with
2501 "connect" keyword. I broke "connect" ke 2501 "connect" keyword. I broke "connect" keyword into "send" and "recv"
2502 keywords so that you can keep access co 2502 keywords so that you can keep access control for send() operation enabled
2503 when you have to disable access control 2503 when you have to disable access control for recv() operation due to
2504 application breakage by discarding inco 2504 application breakage by discarding incoming datagram.
2505 2505
2506 @ Add Unix domain socket restriction supp 2506 @ Add Unix domain socket restriction support.
2507 2507
2508 Until now, it was possible to restrict 2508 Until now, it was possible to restrict only inet domain sockets (i.e.
2509 TCP/UDP/RAW). I added restriction for U 2509 TCP/UDP/RAW). I added restriction for Unix domain sockets (i.e. stream/
2510 dgram/seqpacket). New directive "networ 2510 dgram/seqpacket). New directive "network unix" is added as well as
2511 "network inet" directive. 2511 "network inet" directive.
2512 2512
2513 @ Allow specifying multiple permissions i 2513 @ Allow specifying multiple permissions in a line.
2514 2514
2515 Until now, only "allow_read/write" can 2515 Until now, only "allow_read/write" can be specified for combination of
2516 "allow_read" + "allow_write". Now, you 2516 "allow_read" + "allow_write". Now, you can combine other permissions as
2517 long as type of parameters for these pe 2517 long as type of parameters for these permissions is same. For example,
2518 "file read/write/append/execute/unlink/ 2518 "file read/write/append/execute/unlink/truncate /tmp/file" is correct
2519 but "file read/write/create /tmp/file" 2519 but "file read/write/create /tmp/file" is wrong because "file create"
2520 requires create mode whereas "file read 2520 requires create mode whereas "file read" and "file write" do not.
2521 2521
2522 @ Allow wildcard for execute permission a 2522 @ Allow wildcard for execute permission and domainname.
2523 2523
2524 Until now, to execute programs with tem 2524 Until now, to execute programs with temporary names, "aggregator" is
2525 needed. To simplify code, I modified to 2525 needed. To simplify code, I modified to accept wildcards for execute
2526 permission and domainname. Now, you can 2526 permission and domainname. Now, you can directly specify
2527 "file execute /tmp/logrotate.\?\?\?\?\? 2527 "file execute /tmp/logrotate.\?\?\?\?\?\?" and use
2528 "/tmp/logrotate.\?\?\?\?\?\?" within do 2528 "/tmp/logrotate.\?\?\?\?\?\?" within domainnames.
2529 2529
2530 @ Change pathname for non-rename()able fi 2530 @ Change pathname for non-rename()able filesystems.
2531 2531
2532 LSM version of TOMOYO wants to use /pro 2532 LSM version of TOMOYO wants to use /proc/self/ rather than /proc/$PID/ if
2533 $PID matches current thread's process I 2533 $PID matches current thread's process ID in order to prevent current
2534 thread from accessing other process's i 2534 thread from accessing other process's information unless needed.
2535 But since procfs can be mounted on vari 2535 But since procfs can be mounted on various locations (e.g. /proc/ /proc2/
2536 /p/ /tmp/foo/100/p/ ), LSM version of T 2536 /p/ /tmp/foo/100/p/ ), LSM version of TOMOYO cannot tell that whether the
2537 numeric part in the string returned by 2537 numeric part in the string returned by __d_path() represents process ID
2538 or not. 2538 or not.
2539 2539
2540 Therefore, to be able to convert from $ 2540 Therefore, to be able to convert from $PID to self no matter where procfs
2541 is mounted, I changed pathname represen 2541 is mounted, I changed pathname representations for filesystems which do
2542 not support rename() operation (e.g. pr 2542 not support rename() operation (e.g. proc, sysfs, securityfs).
2543 2543
2544 Now, "/proc/self/mounts" changed to "pr 2544 Now, "/proc/self/mounts" changed to "proc:/self/mounts" and
2545 "/sys/kernel/security/" changed to "sys 2545 "/sys/kernel/security/" changed to "sys:/kernel/security/" and
2546 "/dev/pts/0" changed to "devpts:/0". 2546 "/dev/pts/0" changed to "devpts:/0".
2547 2547
2548 @ Add a new keyword "any" for domain tran 2548 @ Add a new keyword "any" for domain transition control.
2549 2549
2550 To be able to make it easier to apply a 2550 To be able to make it easier to apply auto_execute_handler on each
2551 domain, I added "any" keyword to domain 2551 domain, I added "any" keyword to domain transition control keywords. Now,
2552 "initialize_domain /usr/sbin/sshd" chan 2552 "initialize_domain /usr/sbin/sshd" changed to
2553 "initialize_domain /usr/sbin/sshd from 2553 "initialize_domain /usr/sbin/sshd from any" and
2554 "keep_domain <kernel> /usr/sbin/sshd /b 2554 "keep_domain <kernel> /usr/sbin/sshd /bin/bash" changed to
2555 "keep_domain any from <kernel> /usr/sbi 2555 "keep_domain any from <kernel> /usr/sbin/sshd /bin/bash".
2556 2556
2557 "keep_domain /path/to/auto_execute_hand 2557 "keep_domain /path/to/auto_execute_handler from any" will allow you to
2558 apply auto_execute_handler for any doma 2558 apply auto_execute_handler for any domains without creating domains for
2559 auto_execute_handler. 2559 auto_execute_handler.
2560 2560
2561 @ Change buffering mode for reading polic 2561 @ Change buffering mode for reading policy.
2562 2562
2563 To be able to read() very very long lin 2563 To be able to read() very very long lines correctly, I changed the way
2564 TOMOYO buffers policy for reading. 2564 TOMOYO buffers policy for reading.
2565 2565
2566 @ Introduce "acl_group" keyword. 2566 @ Introduce "acl_group" keyword.
2567 2567
2568 Until now, it was possible to specify o 2568 Until now, it was possible to specify only "allow_read" and "allow_env"
2569 keywords in the exception policy. 2569 keywords in the exception policy.
2570 2570
2571 Since some operations like "file read/w 2571 Since some operations like "file read/write/append /dev/null" and
2572 "network UDP send/recv @DNS_SERVER 53" 2572 "network UDP send/recv @DNS_SERVER 53" are very common and should be
2573 permitted to all domains, I introduced 2573 permitted to all domains, I introduced "acl_group" keyword for giving
2574 such permissions. 2574 such permissions.
2575 2575
2576 For example, specify "acl_group 0 file 2576 For example, specify "acl_group 0 file read/write/append /dev/null" in
2577 the exception policy and specify "use_g 2577 the exception policy and specify "use_group 0" from the domains in the
2578 domain policy. 2578 domain policy.
2579 2579
2580 "ignore_global_allow_read" and "ignore_ 2580 "ignore_global_allow_read" and "ignore_global_allow_env" directives were
2581 removed from domain policy and "use_gro 2581 removed from domain policy and "use_group" keyword was added.
2582 2582
2583 @ Remove "if" and "; set" keyword. 2583 @ Remove "if" and "; set" keyword.
2584 2584
2585 I removed need for specifying these key 2585 I removed need for specifying these keyword.
2586 You can simply specify like below. 2586 You can simply specify like below.
2587 2587
2588 file read /etc/shadow task.uid=0 2588 file read /etc/shadow task.uid=0
2589 2589
2590 @ Remove "file_pattern" keyword. 2590 @ Remove "file_pattern" keyword.
2591 2591
2592 I removed "file_pattern" keyword becaus 2592 I removed "file_pattern" keyword because it is impossible to predefine
2593 all possible pathname patterns. Also, l 2593 all possible pathname patterns. Also, learning pathnames using incomplete
2594 patterns makes it difficult to later re 2594 patterns makes it difficult to later replace using "path_group" keyword.
2595 2595
2596 @ Replace verbose= parameter with statist 2596 @ Replace verbose= parameter with statistic interface.
2597 2597
2598 Since it is noisy if a lot of policy vi 2598 Since it is noisy if a lot of policy violation messages are printed,
2599 I removed printk(). To be able to check 2599 I removed printk(). To be able to check whether policy violation occurred
2600 or not, I introduced /proc/ccs/stat int 2600 or not, I introduced /proc/ccs/stat interface which counts number of
2601 policy violations occurred. You can fir 2601 policy violations occurred. You can firstly check /proc/ccs/stat and then
2602 check /proc/ccs/reject_log . 2602 check /proc/ccs/reject_log .
2603 2603
2604 @ Remove global preference. 2604 @ Remove global preference.
2605 2605
2606 I removed global preference in order to 2606 I removed global preference in order to make code simpler.
2607 2607
2608 @ Allow controlling generation of access 2608 @ Allow controlling generation of access granted logs for per an entry
2609 basis. 2609 basis.
2610 2610
2611 I added per-entry flag which controls g 2611 I added per-entry flag which controls generation of grant logs because
2612 Xen and KVM issues ioctl requests so fr 2612 Xen and KVM issues ioctl requests so frequently. For example,
2613 2613
2614 file ioctl /dev/null 0x5401 grant_log 2614 file ioctl /dev/null 0x5401 grant_log=no
2615 2615
2616 will suppress /proc/ccs/grant_log even 2616 will suppress /proc/ccs/grant_log even if preference says grant_log=yes .
2617 2617
2618 file ioctl /dev/null 0x5401 grant_log 2618 file ioctl /dev/null 0x5401 grant_log=yes
2619 2619
2620 will generate /proc/ccs/grant_log even 2620 will generate /proc/ccs/grant_log even if preference says grant_log=no .
2621 2621
2622 file ioctl /dev/null 0x5401 2622 file ioctl /dev/null 0x5401
2623 2623
2624 will generate /proc/ccs/grant_log only 2624 will generate /proc/ccs/grant_log only if preference says grant_log=yes .
2625 2625
2626 This flag is intended for frequently ac 2626 This flag is intended for frequently accessed resources like
2627 2627
2628 file read /var/www/html/\{\*\}/\*.htm 2628 file read /var/www/html/\{\*\}/\*.html grant_log=no
2629 2629
2630 . 2630 .
2631 2631
2632 @ Automatically create domain by execve() 2632 @ Automatically create domain by execve() even if enforcing mode.
2633 2633
2634 Until now, new domains are not created 2634 Until now, new domains are not created if the domain was not defined and
2635 current domain is enforcing mode ("CONF 2635 current domain is enforcing mode ("CONFIG::file::execute=enforcing").
2636 2636
2637 To be able to restrict shell session wi 2637 To be able to restrict shell session without using "keep_domain",
2638 I changed to create new domains automat 2638 I changed to create new domains automatically even if current domain is
2639 enforcing mode. 2639 enforcing mode.
2640 2640
2641 @ Replace "task.state" with "auto_domain_ 2641 @ Replace "task.state" with "auto_domain_transition".
2642 2642
2643 task.state is difficult to use. Thus, I 2643 task.state is difficult to use. Thus, I replaced task.state with
2644 auto_domain_transition which performs d 2644 auto_domain_transition which performs domain transition instead of
2645 changing current process's state variab 2645 changing current process's state variables.
2646 2646
2647 If domain transition failed, current pr 2647 If domain transition failed, current process will be killed by SIGKILL
2648 signal. This should not happen in norma 2648 signal. This should not happen in normal circumstances, for you know the
2649 domain to transit to and thereby you wi 2649 domain to transit to and thereby you will define the domain beforehand
2650 when you use "auto_domain_transition" k 2650 when you use "auto_domain_transition" keyword.
2651 2651
2652 @ Replace "allow_transit" with "task manu 2652 @ Replace "allow_transit" with "task manual_domain_transition".
2653 2653
2654 I changed this directive to specify abs 2654 I changed this directive to specify absolute domainname (e.g.
2655 "<kernel> /usr/sbin/httpd //app=cgi1\04 2655 "<kernel> /usr/sbin/httpd //app=cgi1\040id=10000") rather than virtual
2656 pathname (e.g. "//app=cgi1\040id=10000" 2656 pathname (e.g. "//app=cgi1\040id=10000") because you know the domain to
2657 transit to and thereby you will define 2657 transit to and thereby you will define the domain beforehand when you use
2658 "task manual_domain_transition" directi 2658 "task manual_domain_transition" directive.
2659 2659
2660 This change allows you to jump to arbit 2660 This change allows you to jump to arbitrary domain.
2661 2661
2662 Note that this change also reverts "Cha 2662 Note that this change also reverts "Change /proc/ccs/info/self_domain ."
2663 made on 2006/10/24. Now, 'cat < /proc/c 2663 made on 2006/10/24. Now, 'cat < /proc/ccs/info/self_domain' will act like
2664 'cat /proc/ccs/info/self_domain'. Progr 2664 'cat /proc/ccs/info/self_domain'. Programs depending on old assumption
2665 need to be updated. 2665 need to be updated.
2666 2666
2667 @ Add "task auto_domain_transition". 2667 @ Add "task auto_domain_transition".
2668 2668
2669 This is similar to "task manual_domain_ 2669 This is similar to "task manual_domain_transition", but is automatically
2670 applied whenever conditions are met. Fo 2670 applied whenever conditions are met. For example,
2671 2671
2672 task auto_domain_transition <kernel> 2672 task auto_domain_transition <kernel> //./non-root task.uid!=0
2673 2673
2674 will automatically jump to "<kernel> // 2674 will automatically jump to "<kernel> //./non-root" domain if current
2675 process's UID is not 0 whereas 2675 process's UID is not 0 whereas
2676 2676
2677 task manual_domain_transition <kernel 2677 task manual_domain_transition <kernel> //./non-root task.uid!=0
2678 2678
2679 will jump to "<kernel> //./non-root" do 2679 will jump to "<kernel> //./non-root" domain if current process's UID is
2680 not 0 and current process wrote "<kerne 2680 not 0 and current process wrote "<kernel> //./non-root" to
2681 /proc/ccs/self_domain interface. 2681 /proc/ccs/self_domain interface.
2682 2682
2683 If domain transition failed, current pr 2683 If domain transition failed, current process will be killed by SIGKILL
2684 signal. 2684 signal.
2685 2685
2686 @ Optimize for object's size. 2686 @ Optimize for object's size.
2687 2687
2688 I merged similar code in order to reduc 2688 I merged similar code in order to reduce object's filesize.
2689 2689
2690 Version 1.8.0 2010/11/11 Fifth anniversary 2690 Version 1.8.0 2010/11/11 Fifth anniversary release.
2691 2691
2692 Fix 2010/12/01 2692 Fix 2010/12/01
2693 2693
2694 @ Use same interface for audit logs. 2694 @ Use same interface for audit logs.
2695 2695
2696 To be able to perform fine grained filt 2696 To be able to perform fine grained filtering by /usr/sbin/ccs-auditd ,
2697 I merged /proc/ccs/grant_log and /proc/ 2697 I merged /proc/ccs/grant_log and /proc/ccs/reject_log as
2698 /proc/ccs/audit and added granted=yes o 2698 /proc/ccs/audit and added granted=yes or granted=no to audit logs.
2699 2699
2700 Fix 2010/12/17 2700 Fix 2010/12/17
2701 2701
2702 @ Split ccs_null_security into ccs_defaul 2702 @ Split ccs_null_security into ccs_default_security and ccs_oom_security.
2703 2703
2704 ccs_null_security is used by preserve K 2704 ccs_null_security is used by preserve KABI compatibility option and is
2705 used for providing default values again 2705 used for providing default values against threads which have not yet
2706 allocated memory for their security con 2706 allocated memory for their security contexts.
2707 2707
2708 If current thread failed to allocate me 2708 If current thread failed to allocate memory for current thread's security
2709 context, current thread uses ccs_null_s 2709 context, current thread uses ccs_null_security. Since current thread is
2710 allowed to modify current thread's secu 2710 allowed to modify current thread's security context, current thread might
2711 modify ccs_null_security which should n 2711 modify ccs_null_security which should not be modified for any reason.
2712 2712
2713 Therefore, I split ccs_null_security in 2713 Therefore, I split ccs_null_security into ccs_default_security and
2714 ccs_oom_security and use ccs_oom_securi 2714 ccs_oom_security and use ccs_oom_security when current thread failed to
2715 allocate memory for current thread's se 2715 allocate memory for current thread's security context.
2716 2716
2717 Threads which do not share ccs_oom_secu 2717 Threads which do not share ccs_oom_security are not affected by threads
2718 which share ccs_oom_security. Threads w 2718 which share ccs_oom_security. Threads which share ccs_oom_security will
2719 experience temporary inconsistency, but 2719 experience temporary inconsistency, but such threads are about to be
2720 killed by SIGKILL signal. 2720 killed by SIGKILL signal.
2721 2721
2722 Fix 2011/01/11 2722 Fix 2011/01/11
2723 2723
2724 @ Use filesystem name for unnamed devices 2724 @ Use filesystem name for unnamed devices when vfsmount is missing.
2725 2725
2726 "Change pathname for non-rename()able f 2726 "Change pathname for non-rename()able filesystems." changed to use
2727 "$fsname:" if the filesystem does not s 2727 "$fsname:" if the filesystem does not support rename() operation and
2728 "dev($major,$minor):" otherwise when vf 2728 "dev($major,$minor):" otherwise when vfsmount is missing. But it turned
2729 out that it is useless to use "dev($maj 2729 out that it is useless to use "dev($major,$minor):" for unnamed devices
2730 (filesystems with $major == 0). Thus, I 2730 (filesystems with $major == 0). Thus, I changed to use "$fsname:" rather
2731 than "dev($major,$minor):" for filesyst 2731 than "dev($major,$minor):" for filesystems with $major == 0 when vfsmount
2732 is missing. 2732 is missing.
2733 2733
2734 Fix 2011/02/07 2734 Fix 2011/02/07
2735 2735
2736 @ Fix infinite loop bug when reading /pro 2736 @ Fix infinite loop bug when reading /proc/ccs/audit or /proc/ccs/query .
2737 2737
2738 In ccs_flush(), head->r.w[0] holds poin 2738 In ccs_flush(), head->r.w[0] holds pointer to string data to be printed.
2739 But head->r.w[0] was updated only when 2739 But head->r.w[0] was updated only when the string data was partially
2740 printed (because head->r.w[0] will be u 2740 printed (because head->r.w[0] will be updated by head->r.w[1] later if
2741 completely printed). However, regarding 2741 completely printed). However, regarding /proc/ccs/audit and
2742 /proc/ccs/query , an additional '\0' is 2742 /proc/ccs/query , an additional '\0' is printed after the string data was
2743 completely printed. But if free space f 2743 completely printed. But if free space for read buffer became 0 before
2744 printing the additional '\0', ccs_flush 2744 printing the additional '\0', ccs_flush() was returning without updating
2745 head->r.w[0]. As a result, ccs_flush() 2745 head->r.w[0]. As a result, ccs_flush() forever reprints already printed
2746 string data. 2746 string data.
2747 2747
2748 Fix 2011/03/01 2748 Fix 2011/03/01
2749 2749
2750 @ Run garbage collector without waiting f 2750 @ Run garbage collector without waiting for /proc/ccs/ users.
2751 2751
2752 Currently TOMOYO holds SRCU lock upon o 2752 Currently TOMOYO holds SRCU lock upon open() and releases it upon close()
2753 because list elements stored in the "st 2753 because list elements stored in the "struct ccs_io_buffer" instances are
2754 accessed until close() is called. Howev 2754 accessed until close() is called. However, such SRCU usage causes lockdep
2755 to complain about leaving the kernel wi 2755 to complain about leaving the kernel with SRCU lock held. Therefore,
2756 I changed to hold/release SRCU upon eac 2756 I changed to hold/release SRCU upon each read()/write() by selectively
2757 deferring kfree() by keeping track of t 2757 deferring kfree() by keeping track of the "struct ccs_io_buffer"
2758 instances. 2758 instances.
2759 2759
2760 Fix 2011/03/05 2760 Fix 2011/03/05
2761 2761
2762 @ Support built-in policy configuration. 2762 @ Support built-in policy configuration.
2763 2763
2764 To be able to start using enforcing mod 2764 To be able to start using enforcing mode from the early stage of boot
2765 sequence, I added support for built-in 2765 sequence, I added support for built-in policy configuration and
2766 activating access control without calli 2766 activating access control without calling external policy loader program.
2767 2767
2768 This will be useful for systems where o 2768 This will be useful for systems where operations which can lead to the
2769 hijacking of the boot sequence are need 2769 hijacking of the boot sequence are needed before loading the policy.
2770 For example, you can activate immediate 2770 For example, you can activate immediately after loading the fixed part of
2771 policy which will allow only operations 2771 policy which will allow only operations needed for mounting a partition
2772 which contains the variant part of poli 2772 which contains the variant part of policy and verifying (e.g. running GPG
2773 check) and loading the variant part of 2773 check) and loading the variant part of policy. Since you can start using
2774 enforcing mode from the beginning, you 2774 enforcing mode from the beginning, you can reduce the possibility of
2775 hijacking the boot sequence. 2775 hijacking the boot sequence.
2776 2776
2777 Fix 2011/03/10 2777 Fix 2011/03/10
2778 2778
2779 @ Remove /proc/ccs/meminfo interface. 2779 @ Remove /proc/ccs/meminfo interface.
2780 2780
2781 Please use /proc/ccs/stat interface ins 2781 Please use /proc/ccs/stat interface instead.
2782 2782
2783 Fix 2011/03/15 2783 Fix 2011/03/15
2784 2784
2785 @ Pack policy when printing via /proc/ccs 2785 @ Pack policy when printing via /proc/ccs/ interface.
2786 2786
2787 The kernel side is ready for accepting 2787 The kernel side is ready for accepting packed input like
2788 2788
2789 file read/write/execute /path/to/file 2789 file read/write/execute /path/to/file
2790 2790
2791 but was using unpacked output like 2791 but was using unpacked output like
2792 2792
2793 file read /path/to/file 2793 file read /path/to/file
2794 file write /path/to/file 2794 file write /path/to/file
2795 file execute /path/to/file 2795 file execute /path/to/file
2796 2796
2797 because most of userland tools were not 2797 because most of userland tools were not ready for accepting packed input.
2798 2798
2799 The advantages of using packed policy a 2799 The advantages of using packed policy are that it makes policy files
2800 smaller and it speeds up loading/saving 2800 smaller and it speeds up loading/saving policy files.
2801 2801
2802 Since most of userland tools are ready 2802 Since most of userland tools are ready for accepting packed input by now,
2803 I changed to use packed policy for both 2803 I changed to use packed policy for both input and output.
2804 2804
2805 Fix 2011/03/31 2805 Fix 2011/03/31
2806 2806
2807 @ Fix conditional policy parsing. 2807 @ Fix conditional policy parsing.
2808 2808
2809 Since exec.realpath= and symlink.target 2809 Since exec.realpath= and symlink.target= accept path_group,
2810 symlink.target="@foo" was by error pars 2810 symlink.target="@foo" was by error parsed as symlink.target=@foo .
2811 2811
2812 @ Serialize updating profile's comment li 2812 @ Serialize updating profile's comment line.
2813 2813
2814 We need to serialize when updating COMM 2814 We need to serialize when updating COMMENT= line in /proc/ccs/profile .
2815 2815
2816 Version 1.8.1 2011/04/01 Usability enhanc 2816 Version 1.8.1 2011/04/01 Usability enhancement with "Zettai, Daijoubudayo" release!
2817 2817
2818 Fix 2011/04/03 2818 Fix 2011/04/03
2819 2819
2820 @ Fix fcntl(F_SETFL, O_APPEND) handling. 2820 @ Fix fcntl(F_SETFL, O_APPEND) handling.
2821 2821
2822 Since 1.8.0, TOMOYO was by error checki 2822 Since 1.8.0, TOMOYO was by error checking "file write" permission rather
2823 than "file append" permission when chan 2823 than "file append" permission when changing file's writing mode from
2824 "overwriting" to "append". 2824 "overwriting" to "append".
2825 2825
2826 This error should impact little (except 2826 This error should impact little (except CentOS 6.0 kernels) because once
2827 a file was opened for "overwriting" mod 2827 a file was opened for "overwriting" mode, changing that file to "append"
2828 mode cannot undo overwriting the file. 2828 mode cannot undo overwriting the file. Regarding CentOS 6.0 kernels,
2829 due to different ACC_MODE definition, T 2829 due to different ACC_MODE definition, TOMOYO was by error needlessly
2830 checking "file read" permission when fc 2830 checking "file read" permission when fcntl() was requested.
2831 2831
2832 Fix 2011/04/20 2832 Fix 2011/04/20
2833 2833
2834 @ Remove unused "struct inode *" paramete 2834 @ Remove unused "struct inode *" parameter from hooks.
2835 2835
2836 Since pre-vfs functions were removed on 2836 Since pre-vfs functions were removed on 2010/09/18, "struct inode *"
2837 parameter which was used for checking p 2837 parameter which was used for checking parent directory's DAC permission
2838 is no longer used. 2838 is no longer used.
2839 2839
2840 Note that "struct ccsecurity_operations 2840 Note that "struct ccsecurity_operations ccsecurity_ops" has changed.
2841 Loadable kernel modules that depends on 2841 Loadable kernel modules that depends on it need to be rebuilt.
2842 2842
2843 Fix 2011/05/05 2843 Fix 2011/05/05
2844 2844
2845 @ Fix wrong profile number in audit logs 2845 @ Fix wrong profile number in audit logs for "misc env" permission.
2846 2846
2847 Profile number used for "file execute" 2847 Profile number used for "file execute" permission was by error reused
2848 when generating audit logs for "misc en 2848 when generating audit logs for "misc env" permission.
2849 2849
2850 Fix 2011/05/11 2850 Fix 2011/05/11
2851 2851
2852 @ Fix wrong domainname validation. 2852 @ Fix wrong domainname validation.
2853 2853
2854 "<kernel>" + "/foo/\" + "/bar" was by e 2854 "<kernel>" + "/foo/\" + "/bar" was by error checked when
2855 "<kernel> /foo/\* /bar" was given. As a 2855 "<kernel> /foo/\* /bar" was given. As a result, legal domainnames like
2856 "<kernel> /foo/\* /bar" are rejected. 2856 "<kernel> /foo/\* /bar" are rejected.
2857 2857
2858 Fix 2011/06/06 2858 Fix 2011/06/06
2859 2859
2860 @ Add policy namespace support. 2860 @ Add policy namespace support.
2861 2861
2862 To be able to use TOMOYO in LXC environ 2862 To be able to use TOMOYO in LXC environments, I introduced policy
2863 namespace. Each policy namespace has it 2863 namespace. Each policy namespace has its own set of domain policy,
2864 exception policy and profiles, which ar 2864 exception policy and profiles, which are all independent of other
2865 namespaces. 2865 namespaces.
2866 2866
2867 @ Remove CONFIG_CCSECURITY_BUILTIN_INITIA 2867 @ Remove CONFIG_CCSECURITY_BUILTIN_INITIALIZERS option.
2868 2868
2869 From now on, exception policy and manag 2869 From now on, exception policy and manager need to be able to handle
2870 policy namespace (which is a <$namespac 2870 policy namespace (which is a <$namespace> prefix added to each line).
2871 Thus, space-separated list for CONFIG_C 2871 Thus, space-separated list for CONFIG_CCSECURITY_BUILTIN_INITIALIZERS is
2872 no longer suitable for handling policy 2872 no longer suitable for handling policy namespace.
2873 2873
2874 Fix 2011/06/10 2874 Fix 2011/06/10
2875 2875
2876 @ Allow specifying trigger for activation 2876 @ Allow specifying trigger for activation.
2877 2877
2878 To be able to use TOMOYO under systemd 2878 To be able to use TOMOYO under systemd environments where init= parameter
2879 is used, I changed to allow overriding 2879 is used, I changed to allow overriding the trigger for calling external
2880 policy loader and activating MAC via ke 2880 policy loader and activating MAC via kernel command line options.
2881 2881
2882 Fix 2011/06/14 2882 Fix 2011/06/14
2883 2883
2884 @ Remove unused "struct inode *" paramete 2884 @ Remove unused "struct inode *" parameter from ccs-patch-\*.diff .
2885 2885
2886 To follow changes I made on 2011/04/20, 2886 To follow changes I made on 2011/04/20, I removed "struct inode *" from
2887 ccs_mknod_permission(), ccs_mkdir_permi 2887 ccs_mknod_permission(), ccs_mkdir_permission(), ccs_rmdir_permission(),
2888 ccs_unlink_permission(), ccs_symlink_pe 2888 ccs_unlink_permission(), ccs_symlink_permission(), ccs_link_permission(),
2889 ccs_rename_permission() that are called 2889 ccs_rename_permission() that are called from fs/namei.c
2890 net/unix/af_unix.c include/linux/securi 2890 net/unix/af_unix.c include/linux/security.c security/security.c .
2891 If you have your own ccs-patch-*.diff , 2891 If you have your own ccs-patch-*.diff , please update accordingly.
2892 2892
2893 Version 1.8.2 2011/06/20 Usability enhanc 2893 Version 1.8.2 2011/06/20 Usability enhancement release.
2894 2894
2895 Fix 2011/07/07 2895 Fix 2011/07/07
2896 2896
2897 @ Remove /proc/ccs/.domain_status interfa 2897 @ Remove /proc/ccs/.domain_status interface.
2898 2898
2899 Writing to /proc/ccs/.domain_status can 2899 Writing to /proc/ccs/.domain_status can be emulated by
2900 2900
2901 ( echo "select " $domainname; echo "u 2901 ( echo "select " $domainname; echo "use_profile " $profile ) |
2902 /usr/sbin/ccs-loadpolicy -d 2902 /usr/sbin/ccs-loadpolicy -d
2903 2903
2904 and reading from /proc/ccs/.domain_stat 2904 and reading from /proc/ccs/.domain_status can be emulated by
2905 2905
2906 grep -A 1 '^<' /proc/ccs/domain_polic 2906 grep -A 1 '^<' /proc/ccs/domain_policy |
2907 awk ' { if ( domainname == "" ) { if 2907 awk ' { if ( domainname == "" ) { if ( substr($1, 1, 1) == "<" )
2908 domainname = $0; } else if ( $1 == "u 2908 domainname = $0; } else if ( $1 == "use_profile" ) {
2909 print $2 " " domainname; domainname = 2909 print $2 " " domainname; domainname = ""; } } ; '
2910 2910
2911 . Since this interface is used by only 2911 . Since this interface is used by only /usr/sbin/ccs-setprofile ,
2912 remove this interface by updating /usr/ 2912 remove this interface by updating /usr/sbin/ccs-setprofile .
2913 2913
2914 Fix 2011/07/09 2914 Fix 2011/07/09
2915 2915
2916 @ Fix /proc/ccs/stat parser. 2916 @ Fix /proc/ccs/stat parser.
2917 2917
2918 For optimization, I changed to use simp 2918 For optimization, I changed to use simple_strtoul() rather than sscanf()
2919 in ccs_write_stat(). But it caused pars 2919 in ccs_write_stat(). But it caused parsing failure if space is inserted
2920 before value (e.g. "Memory used by poli 2920 before value (e.g. "Memory used by policy: $value").
2921 2921
2922 Fix 2011/07/13 2922 Fix 2011/07/13
2923 2923
2924 @ Accept "::" notation for IPv6 address. 2924 @ Accept "::" notation for IPv6 address.
2925 2925
2926 In order to add network access restrict 2926 In order to add network access restriction to TOMOYO 2.4, I backported
2927 routines for parsing/printing IPv4/IPv6 2927 routines for parsing/printing IPv4/IPv6 address from kernel 3.0 into
2928 TOMOYO 1.8.2. 2928 TOMOYO 1.8.2.
2929 Now, IPv6 address accepts "::1" instead 2929 Now, IPv6 address accepts "::1" instead of "0:0:0:0:0:0:0:1".
2930 2930
2931 Fix 2011/09/03 2931 Fix 2011/09/03
2932 2932
2933 @ Avoid race when retrying "file execute" 2933 @ Avoid race when retrying "file execute" permission check.
2934 2934
2935 There was a race window that the pathna 2935 There was a race window that the pathname which is subjected to
2936 "file execute" permission check when re 2936 "file execute" permission check when retrying via supervisor's decision
2937 because the pathname was recalculated u 2937 because the pathname was recalculated upon retry. Though, there is an
2938 inevitable race window even without sup 2938 inevitable race window even without supervisor, for we have to calculate
2939 the symbolic link's pathname from "stru 2939 the symbolic link's pathname from "struct linux_binprm"->filename rather
2940 than from "struct linux_binprm"->file b 2940 than from "struct linux_binprm"->file because we cannot back calculate
2941 the symbolic link's pathname from the d 2941 the symbolic link's pathname from the dereferenced pathname.
2942 2942
2943 @ Remove unneeded daemonize(). 2943 @ Remove unneeded daemonize().
2944 2944
2945 Garbage collector thread is created usi 2945 Garbage collector thread is created using kthread_create() since 2.6.7.
2946 Kernel threads created by kthread_creat 2946 Kernel threads created by kthread_create() does not need to call
2947 daemonize(). 2947 daemonize().
2948 2948
2949 Fix 2011/09/16 2949 Fix 2011/09/16
2950 2950
2951 @ Allow specifying domain transition pref 2951 @ Allow specifying domain transition preference.
2952 2952
2953 I got an opinion that it is difficult t 2953 I got an opinion that it is difficult to use exception policy's domain
2954 transition control directives because t 2954 transition control directives because they need to match the pathname
2955 specified to "file execute" directives. 2955 specified to "file execute" directives. For example, if "file execute
2956 /bin/\*\-ls\-cat" is given, correspondi 2956 /bin/\*\-ls\-cat" is given, corresponding domain transition control
2957 directive needs to be like "no_keep_dom 2957 directive needs to be like "no_keep_domain /bin/\*\-ls\-cat from any".
2958 2958
2959 To solve this difficulty, I introduced 2959 To solve this difficulty, I introduced optional argument that supersedes
2960 exception policy's domain transition co 2960 exception policy's domain transition control directives.
2961 2961
2962 file execute /bin/ls keep exec.realpa 2962 file execute /bin/ls keep exec.realpath="/bin/ls" exec.argv[0]="ls"
2963 file execute /bin/cat keep exec.realp 2963 file execute /bin/cat keep exec.realpath="/bin/cat" exec.argv[0]="cat"
2964 file execute /bin/\*\-ls\-cat child 2964 file execute /bin/\*\-ls\-cat child
2965 file execute /usr/sbin/httpd <apache> 2965 file execute /usr/sbin/httpd <apache> exec.realpath="/usr/sbin/httpd" exec.argv[0]="/usr/sbin/httpd"
2966 2966
2967 This argument allows transition to diff 2967 This argument allows transition to different domains based on conditions.
2968 2968
2969 <kernel> /usr/sbin/sshd 2969 <kernel> /usr/sbin/sshd
2970 file execute /bin/bash <kernel> /usr/ 2970 file execute /bin/bash <kernel> /usr/sbin/sshd //batch-session exec.argc=2 exec.argv[1]="-c"
2971 file execute /bin/bash <kernel> /usr/ 2971 file execute /bin/bash <kernel> /usr/sbin/sshd //root-session task.uid=0
2972 file execute /bin/bash <kernel> /usr/ 2972 file execute /bin/bash <kernel> /usr/sbin/sshd //nonroot-session task.uid!=0
2973 2973
2974 Fix 2011/09/25 2974 Fix 2011/09/25
2975 2975
2976 @ Simplify garbage collector. 2976 @ Simplify garbage collector.
2977 2977
2978 It turned out that use of batched proce 2978 It turned out that use of batched processing tends to choke garbage
2979 collector when certain pattern of entri 2979 collector when certain pattern of entries are queued. Thus, I replaced it
2980 with sequential processing. 2980 with sequential processing.
2981 2981
2982 Version 1.8.3 2011/09/29 Usability enhanc 2982 Version 1.8.3 2011/09/29 Usability enhancement release.
2983 2983
2984 Fix 2011/10/24 2984 Fix 2011/10/24
2985 2985
2986 @ Fix incomplete read after seek. 2986 @ Fix incomplete read after seek.
2987 2987
2988 ccs_flush() tries to flush data to be r 2988 ccs_flush() tries to flush data to be read as soon as possible.
2989 ccs_select_domain() (which is called by 2989 ccs_select_domain() (which is called by write()) enqueues data which
2990 meant to be read by next read(), but pr 2990 meant to be read by next read(), but previous read()'s read buffer's
2991 size was not cleared. As a result, sinc 2991 size was not cleared. As a result, since 1.8.0, sequence like
2992 2992
2993 char *cp = "select global-pid=1\n"; 2993 char *cp = "select global-pid=1\n";
2994 read(fd, buf1, sizeof(buf1)); 2994 read(fd, buf1, sizeof(buf1));
2995 write(fd, cp, strlen(cp)); 2995 write(fd, cp, strlen(cp));
2996 read(fd, buf2, sizeof(buf2)); 2996 read(fd, buf2, sizeof(buf2));
2997 2997
2998 causes enqueued data to be flushed to b 2998 causes enqueued data to be flushed to buf1 rather than buf2.
2999 2999
3000 @ Use query id for reaching target proces 3000 @ Use query id for reaching target process's domain policy.
3001 3001
3002 Use query id for reaching target proces 3002 Use query id for reaching target process's domain policy rather than
3003 target process's global PID. This is fo 3003 target process's global PID. This is for synchronizing with TOMOYO 2.x,
3004 but this change makes /usr/sbin/ccs-que 3004 but this change makes /usr/sbin/ccs-queryd more reliable because the
3005 kernel will return empty domain policy 3005 kernel will return empty domain policy when the query has expired before
3006 ccs-queryd reaches target process's dom 3006 ccs-queryd reaches target process's domain policy.
3007 3007
3008 @ Fix quota counting. 3008 @ Fix quota counting.
3009 3009
3010 "task manual_domain_transition" should 3010 "task manual_domain_transition" should not be counted for quota as with
3011 "task auto_domain_transition"/"task aut 3011 "task auto_domain_transition"/"task auto_execute_handler"/
3012 "task denied_execute_handler" because t 3012 "task denied_execute_handler" because these are not appended by learning
3013 mode. 3013 mode.
3014 3014
3015 Fix 2011/11/11 3015 Fix 2011/11/11
3016 3016
3017 @ Optimize for object's size. 3017 @ Optimize for object's size.
3018 3018
3019 I rearranged functions/variables into t 3019 I rearranged functions/variables into three groups in order to reduce
3020 object's filesize. Also, I added kernel 3020 object's filesize. Also, I added kernel config options for reducing more
3021 by excluding unnecessary functionality. 3021 by excluding unnecessary functionality.
3022 3022
3023 Fix 2011/11/18 3023 Fix 2011/11/18
3024 3024
3025 @ Fix kernel config mapping error. 3025 @ Fix kernel config mapping error.
3026 3026
3027 Due to a typo in ccs_p2mac definition, 3027 Due to a typo in ccs_p2mac definition, mode for CONFIG::file::execute was
3028 by error used when checking "file getat 3028 by error used when checking "file getattr" permission. Most users will
3029 not be affected by this error because C 3029 not be affected by this error because CONFIG::file::execute and
3030 CONFIG::file::getattr are by default co 3030 CONFIG::file::getattr are by default configured to use CONFIG::file or
3031 CONFIG settings. 3031 CONFIG settings.
3032 3032
3033 Fix 2011/12/13 3033 Fix 2011/12/13
3034 3034
3035 @ Follow __d_path() behavior change. (Onl 3035 @ Follow __d_path() behavior change. (Only 2.6.36 and later)
3036 3036
3037 The behavior of __d_path() has changed 3037 The behavior of __d_path() has changed in 3.2-rc5. __d_path() now returns
3038 NULL when the pathname cannot be calcul 3038 NULL when the pathname cannot be calculated. You must update to this
3039 version when using with 3.2-rc5 and lat 3039 version when using with 3.2-rc5 and later kernels, or the kernel will
3040 panic because ccs_get_absolute_path() t 3040 panic because ccs_get_absolute_path() triggers NULL pointer dereference.
3041 3041
3042 The patch that changed the behavior of 3042 The patch that changed the behavior of __d_path() might be backported to
3043 2.6.36 to 3.1 kernels. You must update 3043 2.6.36 to 3.1 kernels. You must update to this version if the patch was
3044 backported, or you will experience the 3044 backported, or you will experience the kernel panic as with 3.2-rc5.
3045 3045
3046 The patch that changed the behavior of 3046 The patch that changed the behavior of __d_path() also changed the way of
3047 handling pathnames under lazy-unmounted 3047 handling pathnames under lazy-unmounted directory. Until now, TOMOYO was
3048 using incomplete pathnames returned by 3048 using incomplete pathnames returned by __d_path() when the pathname is
3049 under lazy-unmounted directory. But fro 3049 under lazy-unmounted directory. But from now on, TOMOYO uses different
3050 pathnames returned by ccs_get_local_pat 3050 pathnames returned by ccs_get_local_path() when the pathname is under
3051 lazy-unmounted directory (because __d_p 3051 lazy-unmounted directory (because __d_path() no longer returns it).
3052 3052
3053 Since applications unlikely do lazy unm 3053 Since applications unlikely do lazy unmounts, requesting pathnames under
3054 lazy-unmounted directory should not hap 3054 lazy-unmounted directory should not happen unless the administrator
3055 explicitly does lazy unmounts. But path 3055 explicitly does lazy unmounts. But pathnames which is defined for such
3056 conditions in the policy file (if any) 3056 conditions in the policy file (if any) will need to be rewritten.
3057 3057
3058 Fix 2012/01/20 3058 Fix 2012/01/20
3059 3059
3060 @ Follow changes in 3.3-rc1. 3060 @ Follow changes in 3.3-rc1.
3061 3061
3062 Use umode_t rather than mode_t. 3062 Use umode_t rather than mode_t.
3063 Remove ipv6_addr_copy() usage. 3063 Remove ipv6_addr_copy() usage.
3064 3064
3065 Fix 2012/02/25 3065 Fix 2012/02/25
3066 3066
3067 @ Follow changes in linux-next. 3067 @ Follow changes in linux-next.
3068 3068
3069 UMH_WAIT_PROC constant (currently 1) is 3069 UMH_WAIT_PROC constant (currently 1) is scheduled for renumbering in 3.4.
3070 3070
3071 Use UMH_WAIT_PROC constant instead of h 3071 Use UMH_WAIT_PROC constant instead of hardcoded constant in preparation
3072 for backporting call_usermodehelper() r 3072 for backporting call_usermodehelper() related changes. If renumbering was
3073 backported, you will start experiencing 3073 backported, you will start experiencing the kernel panic upon execution
3074 of external policy loader (i.e. /sbin/c 3074 of external policy loader (i.e. /sbin/ccs-init), for the kernel will no
3075 longer wait for completion of external 3075 longer wait for completion of external policy loader process.
3076 3076
3077 Although I changed to use UMH_WAIT_PROC 3077 Although I changed to use UMH_WAIT_PROC constant, this change could fail
3078 to detect renumbering in 2.6.22 and ear 3078 to detect renumbering in 2.6.22 and earlier kernels, for UMH_WAIT_PROC
3079 constant is currently available to only 3079 constant is currently available to only 2.6.23 and later kernels. If you
3080 started to experience the kernel panic, 3080 started to experience the kernel panic, please check whether renumbering
3081 was backported or not. 3081 was backported or not.
3082 3082
3083 Fix 2012/02/29 3083 Fix 2012/02/29
3084 3084
3085 @ Fix mount flags checking order. 3085 @ Fix mount flags checking order.
3086 3086
3087 Userspace can pass in arbitrary combina 3087 Userspace can pass in arbitrary combinations of MS_* flags to mount().
3088 3088
3089 If both MS_BIND and one of MS_SHARED/MS 3089 If both MS_BIND and one of MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE
3090 are passed, device name which should be 3090 are passed, device name which should be checked for MS_BIND was not
3091 checked because MS_SHARED/MS_PRIVATE/MS 3091 checked because MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE had higher
3092 priority than MS_BIND. 3092 priority than MS_BIND.
3093 3093
3094 If both one of MS_BIND/MS_MOVE and MS_R 3094 If both one of MS_BIND/MS_MOVE and MS_REMOUNT are passed, device name
3095 which should not be checked for MS_REMO 3095 which should not be checked for MS_REMOUNT was checked because MS_BIND/
3096 MS_MOVE had higher priority than MS_REM 3096 MS_MOVE had higher priority than MS_REMOUNT.
3097 3097
3098 Fix these bugs by changing priority to 3098 Fix these bugs by changing priority to MS_REMOUNT -> MS_BIND ->
3099 MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBIND 3099 MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE -> MS_MOVE as with do_mount()
3100 does. Also, I changed to unconditionall 3100 does. Also, I changed to unconditionally return -EINVAL if more than one
3101 of MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNB 3101 of MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE is passed so that TOMOYO
3102 will not generate inaccurate audit logs 3102 will not generate inaccurate audit logs, for commit 7a2e8a8f "VFS: Sanity
3103 check mount flags passed to change_mnt_ 3103 check mount flags passed to change_mnt_propagation()" clarified that
3104 these flags must be exclusively passed. 3104 these flags must be exclusively passed.
3105 3105
3106 Fix 2012/03/08 3106 Fix 2012/03/08
3107 3107
3108 @ Allow returning other errors when ptrac 3108 @ Allow returning other errors when ptrace permission cannot be checked.
3109 3109
3110 Currently -EPERM is returned when ccs_p 3110 Currently -EPERM is returned when ccs_ptrace_permission() returned an
3111 error code. I changed to return return 3111 error code. I changed to return return value from ccs_ptrace_permission()
3112 so that we can return -ESRCH when targe 3112 so that we can return -ESRCH when target process was not found.
3113 3113
3114 Fix 2012/03/16 3114 Fix 2012/03/16
3115 3115
3116 @ Return appropriate value to poll(). 3116 @ Return appropriate value to poll().
3117 3117
3118 Return POLLIN | POLLRDNORM | POLLOUT | 3118 Return POLLIN | POLLRDNORM | POLLOUT | POLLWRNORM if ready to read/write,
3119 POLLOUT | POLLWRNORM otherwise. 3119 POLLOUT | POLLWRNORM otherwise.
3120 3120
3121 Fix 2012/04/22 3121 Fix 2012/04/22
3122 3122
3123 @ Readd RHEL_MINOR/AX_MINOR checks. 3123 @ Readd RHEL_MINOR/AX_MINOR checks.
3124 3124
3125 This check was added in revision 2346 a 3125 This check was added in revision 2346 and was removed in revision 4084.
3126 3126
3127 Add it back in order to support RHEL 5. 3127 Add it back in order to support RHEL 5.0, 5.1, 5.2 kernels.
3128 3128
3129 @ Fix skb_kill_datagram() for kernels 2.6 3129 @ Fix skb_kill_datagram() for kernels 2.6.0 - 2.6.11.
3130 3130
3131 Commit 208d8984 "[IPV4]: Fix BUG() in 2 3131 Commit 208d8984 "[IPV4]: Fix BUG() in 2.6.x, udp_poll(), fragments +
3132 CONFIG_HIGHMEM" clarified that skb_kill 3132 CONFIG_HIGHMEM" clarified that skb_kill_datagram() should use
3133 spin_lock_bh()/spin_unlock_bh() rather 3133 spin_lock_bh()/spin_unlock_bh() rather than
3134 spin_lock_irq()/spin_unlock_irq(). 3134 spin_lock_irq()/spin_unlock_irq().
3135 3135
3136 RHEL 4.9 (2.6.9) kernel has that patch 3136 RHEL 4.9 (2.6.9) kernel has that patch backported. So do I.
3137 3137
3138 @ Fix missing locks for RHEL 5.2-5.8 kern 3138 @ Fix missing locks for RHEL 5.2-5.8 kernels.
3139 3139
3140 Since RHEL 5.2 and later kernels have b 3140 Since RHEL 5.2 and later kernels have backported commit 95766fff
3141 "[UDP]: Add memory accounting." patch, 3141 "[UDP]: Add memory accounting." patch, TOMOYO needs to call
3142 lock_sock()/release_sock() around skb_k 3142 lock_sock()/release_sock() around skb_kill_datagram() call when UDP
3143 packet was dropped by TOMOYO. 3143 packet was dropped by TOMOYO.
3144 3144
3145 Fix 2012/04/28 3145 Fix 2012/04/28
3146 3146
3147 @ Accept manager programs which do not st 3147 @ Accept manager programs which do not start with / .
3148 3148
3149 The pathname of /usr/sbin/ccs-editpolic 3149 The pathname of /usr/sbin/ccs-editpolicy seen from Ubuntu 12.04 Live
3150 CD is squashfs:/usr/sbin/ccs-editpolicy 3150 CD is squashfs:/usr/sbin/ccs-editpolicy rather than
3151 /usr/sbin/ccs-editpolicy . Therefore, w 3151 /usr/sbin/ccs-editpolicy . Therefore, we need to accept manager
3152 programs which do not start with / . 3152 programs which do not start with / .
3153 3153
3154 Fix 2012/10/08 3154 Fix 2012/10/08
3155 3155
3156 @ Fix KABI breakage on Ubuntu 12.10. 3156 @ Fix KABI breakage on Ubuntu 12.10.
3157 3157
3158 I was using include/linux/security.h as 3158 I was using include/linux/security.h as the common path for pulling in
3159 include/linux/ccsecurity.h so that I ca 3159 include/linux/ccsecurity.h so that I can avoid scattering #include line.
3160 3160
3161 When scripts/genksyms/genksyms calculat 3161 When scripts/genksyms/genksyms calculates hash values for Module.symvers
3162 file, it uses the extracted form of inv 3162 file, it uses the extracted form of involved structures if the structure
3163 layout is known but it instead uses UNK 3163 layout is known but it instead uses UNKNOWN if the structure layout is
3164 not known. Therefore, pulling in includ 3164 not known. Therefore, pulling in include files that define structure's
3165 layout from include/linux/ccsecurity.h 3165 layout from include/linux/ccsecurity.h causes changes in the hash values
3166 and causes KABI breakage, even if no ch 3166 and causes KABI breakage, even if no changes were made to the involved
3167 structures. 3167 structures.
3168 3168
3169 Fix this breakage by avoiding pulling i 3169 Fix this breakage by avoiding pulling in include/linux/sched.h and
3170 include/linux/dcache.h from include/lin 3170 include/linux/dcache.h from include/linux/ccsecurity.h where possible.
3171 3171
3172 Fix 2015/01/01 3172 Fix 2015/01/01
3173 3173
3174 @ Fix missing chmod(-1) check in Linux 3. 3174 @ Fix missing chmod(-1) check in Linux 3.1 and later kernels.
3175 3175
3176 Commit e57712ebebbb9db7 "merge fchmod() 3176 Commit e57712ebebbb9db7 "merge fchmod() and fchmodat() guts, kill
3177 ancient broken kludge" changed chmod(-1 3177 ancient broken kludge" changed chmod(-1) from no-op to setting to
3178 07777. Therefore, TOMOYO must not ignor 3178 07777. Therefore, TOMOYO must not ignore chmod(-1) case.
3179 3179
3180 @ Fix potentially using bogus attributes 3180 @ Fix potentially using bogus attributes when stat() fails.
3181 3181
3182 We should reset attributes information 3182 We should reset attributes information when executing execute_handler
3183 program, or attributes of original prog 3183 program, or attributes of original program could be used when stat()
3184 on execute_handler program failed. 3184 on execute_handler program failed.
3185 3185
3186 Fix 2015/04/08 3186 Fix 2015/04/08
3187 3187
3188 @ Fix incorrect readdir() permission chec 3188 @ Fix incorrect readdir() permission check.
3189 3189
3190 CONFIG_CCSECURITY_FILE_READDIR was mean 3190 CONFIG_CCSECURITY_FILE_READDIR was meant for allowing users to control
3191 readdir() permission check. However, CO 3191 readdir() permission check. However, CONFIG_CCSECURITY_FILE_GETATTR was
3192 by error used for controlling readdir() 3192 by error used for controlling readdir() permission check. This fix
3193 should not affect kernels built with de 3193 should not affect kernels built with default configuration, for both
3194 CONFIG_CCSECURITY_FILE_READDIR and CONF 3194 CONFIG_CCSECURITY_FILE_READDIR and CONFIG_CCSECURITY_FILE_GETATTR are
3195 defined by default. 3195 defined by default.
3196 3196
3197 Fix 2015/04/15 3197 Fix 2015/04/15
3198 3198
3199 @ Fix incorrect retry request check. 3199 @ Fix incorrect retry request check.
3200 3200
3201 When a request was asked to retry, acl_ 3201 When a request was asked to retry, acl_group referenced by domain's
3202 use_group keyword was by error ignored. 3202 use_group keyword was by error ignored. As a result, retrying was not
3203 able to use permissions defined by acl_ 3203 able to use permissions defined by acl_group.
3204 3204
3205 Fix 2015/05/01 3205 Fix 2015/05/01
3206 3206
3207 @ Support multiple use_group entries. 3207 @ Support multiple use_group entries.
3208 3208
3209 Until now, each domain can include only 3209 Until now, each domain can include only one use_group entry.
3210 I changed to allow each domain to inclu 3210 I changed to allow each domain to include up to 256 use_group entries.
3211 As a result, you will be able to reduce 3211 As a result, you will be able to reduce duplication of policy by
3212 defining multiple acl_group entries bas 3212 defining multiple acl_group entries based on use cases and including
3213 them from each domain as needed. 3213 them from each domain as needed.
3214 3214
3215 Version 1.8.4 2015/05/05 Usability enhanc 3215 Version 1.8.4 2015/05/05 Usability enhancement release.
3216 3216
3217 Fix 2015/11/08 3217 Fix 2015/11/08
3218 3218
3219 @ Use memory allocation flags used by TOM 3219 @ Use memory allocation flags used by TOMOYO 2.x.
3220 3220
3221 Until now, TOMOYO 1.x was using memory 3221 Until now, TOMOYO 1.x was using memory allocation flags which are weaker
3222 than TOMOYO 2.x in order to make sure t 3222 than TOMOYO 2.x in order to make sure that memory allocation request by
3223 TOMOYO 1.x shall not cause silent livel 3223 TOMOYO 1.x shall not cause silent livelock problem.
3224 3224
3225 But as I learn about this livelock prob 3225 But as I learn about this livelock problem, I understood that this is
3226 not a problem which TOMOYO can manage. 3226 not a problem which TOMOYO can manage. While hitting a silent livelock
3227 at memory allocation is a problem, refu 3227 at memory allocation is a problem, refusing critical access requests
3228 by critical processes due to memory all 3228 by critical processes due to memory allocation failure caused by use of
3229 weaker memory allocation flags is also 3229 weaker memory allocation flags is also a problem.
3230 3230
3231 Since situations regarding memory alloc 3231 Since situations regarding memory allocation flags in upstream kernels
3232 are changing, it will be safer to use m 3232 are changing, it will be safer to use memory allocation flags used by
3233 TOMOYO 2.x. 3233 TOMOYO 2.x.
3234 3234
3235 Fix 2015/11/10 3235 Fix 2015/11/10
3236 3236
3237 @ Limit wildcard recursion depth. 3237 @ Limit wildcard recursion depth.
3238 3238
3239 Since wildcards that need recursion con 3239 Since wildcards that need recursion consume kernel stack memory,
3240 we cannot allow infinite recursion. 3240 we cannot allow infinite recursion.
3241 3241
3242 Version 1.8.5 2015/11/11 Tenth anniversar 3242 Version 1.8.5 2015/11/11 Tenth anniversary release.
3243 3243
3244 Fix 2017/02/02 3244 Fix 2017/02/02
3245 3245
3246 @ Use for_each_thread() for GC operation. 3246 @ Use for_each_thread() for GC operation.
3247 3247
3248 while_each_thread() without tasklist_lo 3248 while_each_thread() without tasklist_lock is not safe.
3249 Use for_each_process_thread() if it is 3249 Use for_each_process_thread() if it is available, hold
3250 tasklist_lock otherwise. 3250 tasklist_lock otherwise.
3251 3251
3252 Fix 2018/04/01 3252 Fix 2018/04/01
3253 3253
3254 @ Use smb_rmb() when waiting for initiali 3254 @ Use smb_rmb() when waiting for initialization.
3255 3255
3256 "while (!cond);" is implicitly optimize 3256 "while (!cond);" is implicitly optimized like "if (!cond) while (1);".
3257 Use "while (!cond) smp_rmb();" in order 3257 Use "while (!cond) smp_rmb();" in order to prevent such optimization.
3258 3258
3259 Fix 2019/07/27 3259 Fix 2019/07/27
3260 3260
3261 @ Change pathname calculation for read-on 3261 @ Change pathname calculation for read-only filesystems.
3262 3262
3263 Commit 5625f2e3266319fd ("TOMOYO: Chang 3263 Commit 5625f2e3266319fd ("TOMOYO: Change pathname for non-rename()able
3264 filesystems.") intended to be applied t 3264 filesystems.") intended to be applied to filesystems where the content is
3265 not controllable from the userspace (e. 3265 not controllable from the userspace (e.g. proc, sysfs, securityfs), based
3266 on an assumption that such filesystems 3266 on an assumption that such filesystems do not support rename() operation.
3267 3267
3268 But it turned out that read-only filesy 3268 But it turned out that read-only filesystems also do not support rename()
3269 operation despite the content is contro 3269 operation despite the content is controllable from the userspace, and that
3270 commit is annoying TOMOYO users who wan 3270 commit is annoying TOMOYO users who want to use e.g. squashfs as the root
3271 filesystem due to use of local name whi 3271 filesystem due to use of local name which does not start with '/'.
3272 3272
3273 Therefore, based on an assumption that 3273 Therefore, based on an assumption that filesystems which require the
3274 device argument upon mount() request is 3274 device argument upon mount() request is an indication that the content
3275 is controllable from the userspace, do 3275 is controllable from the userspace, do not use local name if a filesystem
3276 does not support rename() operation but 3276 does not support rename() operation but requires the device argument upon
3277 mount() request. 3277 mount() request.
3278 3278
3279 @ Reject move_mount() system call for now 3279 @ Reject move_mount() system call for now.
3280 3280
3281 Commit 2db154b3ea8e14b0 ("vfs: syscall: 3281 Commit 2db154b3ea8e14b0 ("vfs: syscall: Add move_mount(2) to move mounts
3282 around") introduced security_move_mount 3282 around") introduced security_move_mount() LSM hook, but we missed that
3283 TOMOYO and AppArmor did not implement h 3283 TOMOYO and AppArmor did not implement hooks for checking move_mount(2).
3284 Since unchecked mount manipulation is n 3284 Since unchecked mount manipulation is not acceptable, for now pretend
3285 as if move_mount(2) is unavailable. 3285 as if move_mount(2) is unavailable.
3286 3286
3287 @ Don't check open/getattr permission on 3287 @ Don't check open/getattr permission on sockets.
3288 3288
3289 syzbot found that use of SOCKET_I()->sk 3289 syzbot found that use of SOCKET_I()->sk from open() can result in
3290 use after free problem, for socket's in 3290 use after free problem, for socket's inode is still reachable via
3291 /proc/pid/fd/n despite destruction of S 3291 /proc/pid/fd/n despite destruction of SOCKET_I()->sk already completed.
3292 3292
3293 But there is no point with calling secu 3293 But there is no point with calling security_file_open() on sockets
3294 because open("/proc/pid/fd/n", !O_PATH) 3294 because open("/proc/pid/fd/n", !O_PATH) on sockets fails with -ENXIO.
3295 3295
3296 There is some point with calling securi 3296 There is some point with calling security_inode_getattr() on sockets
3297 because stat("/proc/pid/fd/n") and fsta 3297 because stat("/proc/pid/fd/n") and fstat(open("/proc/pid/fd/n", O_PATH))
3298 are valid. But since information which 3298 are valid. But since information which can be protected by checking
3299 security_inode_getattr() on sockets is 3299 security_inode_getattr() on sockets is trivial, let's not check it.
3300 3300
3301 Version 1.8.6 2019/08/20 Bug fix release. 3301 Version 1.8.6 2019/08/20 Bug fix release.
3302 3302
3303 Fix 2019/12/07 3303 Fix 2019/12/07
3304 3304
3305 @ Don't use nifty names on sockets. 3305 @ Don't use nifty names on sockets.
3306 3306
3307 Revert "Don't check open/getattr permis 3307 Revert "Don't check open/getattr permission on sockets.", and then
3308 get rid of special handling of sockets. 3308 get rid of special handling of sockets. As a side effect of this patch,
3309 "socket:[family=\$:type=\$:protocol=\$] 3309 "socket:[family=\$:type=\$:protocol=\$]" in the policy files has to be
3310 rewritten to "socket:[\$]". 3310 rewritten to "socket:[\$]".
3311 3311
3312 Fix 2020/04/09 3312 Fix 2020/04/09
3313 3313
3314 @ Fix wrong put_page() usage in ccs_dump_ 3314 @ Fix wrong put_page() usage in ccs_dump_page().
3315 3315
3316 ccs_dump_page() for 5.6+ was by error u 3316 ccs_dump_page() for 5.6+ was by error using wrong function to put page.
3317 3317
3318 Fix 2020/05/01 3318 Fix 2020/05/01
3319 3319
3320 @ Loosen domainname validation and pathna 3320 @ Loosen domainname validation and pathname validation.
3321 3321
3322 Currently a domainname must start with 3322 Currently a domainname must start with "<$namespace>" followed by
3323 zero or more repetitions of a pathname 3323 zero or more repetitions of a pathname which starts with '/'.
3324 3324
3325 But situation is getting more and more 3325 But situation is getting more and more difficult to enforce use of
3326 a pathname which starts with '/', for e 3326 a pathname which starts with '/', for execve() request of a pathname
3327 on e.g. some filesystems cause ccs_real 3327 on e.g. some filesystems cause ccs_realpath() to return a pathname
3328 in "$fsname:/$pathname" format. 3328 in "$fsname:/$pathname" format.
3329 3329
3330 Fortunately, since $fsname must not con 3330 Fortunately, since $fsname must not contain '.' since Linux 2.6.22,
3331 we can recognize a token which appears 3331 we can recognize a token which appears '/' before '.' appears (e.g.
3332 proc:/self/exe ) as a pathname and a to 3332 proc:/self/exe ) as a pathname and a token which appears '.' before
3333 '/' appears (e.g. exec.realpath="/bin/b 3333 '/' appears (e.g. exec.realpath="/bin/bash" ) as a condition parameter,
3334 with an exception that a pathname canno 3334 with an exception that a pathname cannot start with
3335 auto_domain_transition=" because it is 3335 auto_domain_transition=" because it is reserved as a delimiter string
3336 for on-match domain transition. Also, w 3336 for on-match domain transition. Also, we can recognize "<$namespace>"
3337 followed by such tokens (e.g. <kernel> 3337 followed by such tokens (e.g. <kernel> /foo proc:/self/exe /bar ) as
3338 a domainname. 3338 a domainname.
3339 3339
3340 Version 1.8.7 2020/05/05 Usability enhanc 3340 Version 1.8.7 2020/05/05 Usability enhancement release.
3341 3341
3342 Fix 2020/07/22 3342 Fix 2020/07/22
3343 3343
3344 @ Fix domain transition preference. 3344 @ Fix domain transition preference.
3345 3345
3346 The domain transition preference which 3346 The domain transition preference which was introduced in 1.8.3 is
3347 by error ignored since 1.8.3p4, for ccs 3347 by error ignored since 1.8.3p4, for ccs_update_task_domain() from
3348 ccs_write_log2() from ccs_supervisor() 3348 ccs_write_log2() from ccs_supervisor() from ccs_audit_log() always
3349 resets r->matched_acl to NULL. Change c 3349 resets r->matched_acl to NULL. Change ccs_update_task_domain() not
3350 to reset r->matched_acl to NULL. 3350 to reset r->matched_acl to NULL.
3351 3351
3352 Fix 2020/08/17 3352 Fix 2020/08/17
3353 3353
3354 @ Fix ccs_realpath() fallback. 3354 @ Fix ccs_realpath() fallback.
3355 3355
3356 ccs_realpath() for 3.17+ was by error n 3356 ccs_realpath() for 3.17+ was by error not calling ccs_get_local_path()
3357 when ccs_get_absolute_path() returned - 3357 when ccs_get_absolute_path() returned -EINVAL.
3358 3358
3359 Fix 2020/08/19 3359 Fix 2020/08/19
3360 3360
3361 @ Fix wrong ccs_search_binary_handler() m 3361 @ Fix wrong ccs_search_binary_handler() mapping.
3362 3362
3363 When support for 5.8 kernel was added, 3363 When support for 5.8 kernel was added, ccs_search_binary_handler() for
3364 3.7- was by error mapped to wrong funct 3364 3.7- was by error mapped to wrong function.
3365 3365
3366 Fix 2020/10/24 3366 Fix 2020/10/24
3367 3367
3368 @ Fix /proc pathname calculation for Linu 3368 @ Fix /proc pathname calculation for Linux 5.8+ kernels.
3369 3369
3370 ccs_realpath() for 5.8+ was by error no 3370 ccs_realpath() for 5.8+ was by error not using proc_pid_ns() when
3371 calculating /proc pathname. 3371 calculating /proc pathname.
3372 3372
3373 Version 1.8.8 2020/11/11 Fifteenth annive 3373 Version 1.8.8 2020/11/11 Fifteenth anniversary release.
3374 3374
3375 Fix 2021/03/13 3375 Fix 2021/03/13
3376 3376
3377 @ Skip permission checks for fileless exe 3377 @ Skip permission checks for fileless execution requests.
3378 3378
3379 Kernels from 4.18 to 5.8 are using call 3379 Kernels from 4.18 to 5.8 are using call_usermodehelper_setup_file() for
3380 starting program without a valid pathna 3380 starting program without a valid pathname on a filesystem.
3381 /sbin/modprobe from dockerd process cou 3381 /sbin/modprobe from dockerd process could not load bpfilter.ko module
3382 because ccs_symlink_path() cannot calcu 3382 because ccs_symlink_path() cannot calculate pathname of program without
3383 a valid pathname. Thus, allow call_user 3383 a valid pathname. Thus, allow call_usermodehelper_setup_file() to bypass
3384 permission checks and suppress domain t 3384 permission checks and suppress domain transitions.
3385 3385
3386 @ Fix ccs_kernel_service(). 3386 @ Fix ccs_kernel_service().
3387 3387
3388 Kernels from 5.5 to 5.11 are using PF_K 3388 Kernels from 5.5 to 5.11 are using PF_KTHREAD flag for the io_uring
3389 worker threads. 3389 worker threads.
3390 3390
3391 Version 1.8.9 2021/04/01 Bug fix release. 3391 Version 1.8.9 2021/04/01 Bug fix release.
3392 3392
3393 Fix 2021/12/28 3393 Fix 2021/12/28
3394 3394
3395 @ Check exceeded quota early. 3395 @ Check exceeded quota early.
3396 3396
3397 Backport commit 04e57a2d952bbd34 ("tomo 3397 Backport commit 04e57a2d952bbd34 ("tomoyo: Check exceeded quota early in
3398 tomoyo_domain_quota_is_ok().") and comm 3398 tomoyo_domain_quota_is_ok().") and commit f702e1107601230e ("tomoyo: use
3399 hwight16() in tomoyo_domain_quota_is_ok 3399 hwight16() in tomoyo_domain_quota_is_ok()"), for these help reducing
3400 overhead of the learning mode. Note tha 3400 overhead of the learning mode. Note that the former patch requires you to
3401 explicitly delete "quota_exceeded" entr 3401 explicitly delete "quota_exceeded" entry from the domain policy in order
3402 to resume the learning mode. 3402 to resume the learning mode.
3403 3403
3404 Fix 2024/03/31 3404 Fix 2024/03/31
3405 3405
3406 @ Fix a UAF bug introduced by an oversigh 3406 @ Fix a UAF bug introduced by an oversight in TOMOYO revision 2930.
3407 3407
3408 Backport commit 2f03fc340cac ("tomoyo: 3408 Backport commit 2f03fc340cac ("tomoyo: fix UAF write bug in
3409 tomoyo_write_control()"). 3409 tomoyo_write_control()").
3410 3410
3411 Version 1.8.10 2024/04/01 Security bug fi 3411 Version 1.8.10 2024/04/01 Security bug fix release.
3412 3412
3413 Fix 2024/06/28 3413 Fix 2024/06/28
3414 3414
3415 @ Unblock move_mount() system call. 3415 @ Unblock move_mount() system call.
3416 3416
3417 Since util-linux 2.39 started using lib 3417 Since util-linux 2.39 started using libmount-mountfd-support,
3418 implementing appropriate permission che 3418 implementing appropriate permission check for move_mount() became
3419 necessary for successfully booting a Li 3419 necessary for successfully booting a Linux system.
3420 3420
3421 Version 1.8.11 2024/07/15 Bug fix release 3421 Version 1.8.11 2024/07/15 Bug fix release.
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.