
TOMOYO Linux Cross Reference
Linux/README.ccs


Diff markup

Differences between /README.ccs (Version linux-6.11.5) and /README.ccs (Version unix-v6-master)


Notes for TOMOYO Linux project

This is a handy Mandatory Access Control patch
This patch is released under the GPLv2.

Project URL: https://tomoyo.sourceforge.net/

The authors of this patch (hereafter, we) don'
in kernel programming. We are worried that thi
some mistakes such as missing hooks, improper
potential deadlocks. There would be better way
All kinds of comments, pointing out the errors and

We do hope this patch reduces the labor of ser
and that you enjoy life with Linux.

This project was very inspired by the comic "C
one of CLAMP's masterworks.

ChangeLog:

Version 1.0   2005/11/11   First release.

Fix 2005/11/18

    @ Add missing setattr() hook in SYAORAN fs

      setattr() checking for special inode was

Fix 2005/11/25

    @ Allow initrd.img to include /sbin/init .

      Since version 1.0 loads policy when /sbi
      for the first time, initrd.img without t
      mustn't start /sbin/init . This forced u
      initrd.img that includes /sbin/init .
      I modified to delay loading policy if th
      doesn't exist and wait for /sbin/init be

Fix 2005/12/02

    @ Use lookup_one_len() instead of lookup_h

      Kernel 2.6.15 changed parameters for loo
      I modified to use lookup_one_len() to ke

Fix 2005/12/06

    @ Add S_ISDIR() check in SYAORAN fs.

      Malicious configuration file that attemp
      under non-directory inode caused segment

Version 1.0.1 2005/12/08   Minor update releas

Fix 2006/01/04

    @ Add CheckWritePermission() check in unix

      I modified to check write permission in
      sys_mknod(S_IFSOCK) checks write permiss

    @ Show hook version in proc_misc_init().

      The hook part of this patch depends on t
      while the rest part of this patch doesn'
      I added the hook version so that the adm
      know the last modified date of the hooks

    @ Move permission checks from filp_open()

      I moved the location of checking MAC's p
      from filp_open() to open_namei().

    @ Fix an error in filp_open().  (only 2.6.

      This error was only in the patch 2.6.15-
      was fixed in the patch for 2.6.15.

Fix 2006/01/12

    @ Add /proc/ccs/info/self_domain.

      I added /proc/ccs/info/self_domain so th
      can know the name of domain they belong

Fix 2006/01/13

    @ Merge constants for CheckTaskCapability(

      I merged *_INHERITABLE_* and *_LOCAL_* t
      calling CheckTaskCapability() with both

    @ DropTaskCapability() returns -EAGAIN on

      DropTaskCapability() must not return 0 o
      DropTaskCapability() is called from do_e

    @ Fix an error for chroot() permission che

      The chroot() restriction was not working
      CheckChRootPermission() || CheckTaskCapa
      CheckChRootPermission() | CheckTaskCapab

Fix 2006/01/17

    @ Suppress some of the debug messages in TOMOY

      I added KERN_DEBUG to suppress some of d

Fix 2006/01/19

    @ Remove isRoot() checks in AddChrootACL()

      I found a program that needs to chroot b
      So, I stopped checking uid=euid=0 for th
      "accept mode" can append ACLs.
      The isRoot() is checked at AddChrootPoli

    @ Map NULL device name to "<NULL>" in AddM

      VMware mounts vmware-hgfs with NULL devi
      So I mapped NULL device name to "<NULL>"

Fix 2006/01/20

    @ Suppress some of the debug messages in SAKUR

      I added KERN_DEBUG to suppress some of d

    @ Call panic() if failed to load given pro

      Call panic() if profile index was given
      but the profile doesn't exist.
      If the CCS= parameter is not given, the kern
      profile 0, but it doesn't call panic() i

Fix 2006/01/24

    @ Use full_name_hash() for IsGloballyReada

      I modified to use full_name_hash() for f

    @ Add signal checking condition in CheckSi

      The documentation says "if the target do
      starts with the source domain's domainna
      but actually it isn't. I'll change the d
      changing the source code.

      Also, checking for pid = -1 was missing.

Fix 2006/02/09

    @ Use mutex_lock()/mutex_unlock() instead of

      Kernel 2.6.16 changed members of "struct
      I modified to use mutex_lock()/mutex_unl
      and down()/up() for before 2.6.16.

Version 1.0.2 2006/02/14   Many bug-fixes rele

Fix 2006/02/21

    @ Divide generic-write permission into ind

      Write permission was divided into the fo

      'mkdir'     for creating directory.
      'rmdir'     for deleting directory.
      'create'    for creating regular file.
      'unlink'    for deleting non-directory.
      'mksock'    for creating UNIX domain soc
      'mkfifo'    for creating FIFO.
      'mkchar'    for creating character devic
      'mkblock'   for creating block device.
      'link'      for creating hard link.
      'symlink'   for creating symbolic link.
      'rename'    for renaming directory or no
      'truncate'  for truncating regular file.

      The permission check for opening files i
      conventional read/write/execute permissi

    @ Add /proc/ccs/info/mapping.

      I added /proc/ccs/info/mapping so that t
      can know the mapping of individual write

Fix 2006/02/27

    @ Fix handling of trailing '\*' in PathMat

      PathMatchesToPattern("/tmp/", "/tmp/\*")
      because "\*" matches "zero or more repet
      until '/' or end". But since this is a c
      directory and non-directory, this should

      This behavior causes the following secur
      In enforce mode, allowing "2 /tmp/\*" gr
      "mkdir /tmp/" and "rmdir /tmp/" which sh
      granted only when "2 /tmp/" is allowed.
      In accept mode, "mkdir /tmp/" or "rmdir
      "2 /tmp/\*" into the domain policy if "f
      is in the exception policy.

      I changed not to ignore trailing '\*' in
      if pathname ends with '/'.

Fix 2006/03/01

    @ Add missing spinlock in GetAbsolutePath(

      vfsmount_lock was missing.

Fix 2006/03/08

    @ Add support for "shared subtree" mount o

      Kernel 2.6.15 introduced "shared subtree
      But CheckMountPermission() couldn't reco
      do_change_type().

    @ Add support for more mount flags.

      atime/noatime, diratime/nodiratime, recu
      are supported.

Fix 2006/03/20

    @ Check port numbers for only AF_INET/AF_I

      CheckBindEntry() and CheckConnectEntry()
      only when the given address family is ei
      for address family such as AF_UNSPEC cou
      and connect() for PF_INET/PF_INET6 socke

Fix 2006/03/27

    @ Use /proc/self/ rather than /proc/\$/ fo

      GetAbsolutePath() now uses "self" instea
      if current process refers to information
      This exception violates the rule "TOMOYO
      contain symbolic links before the last '
      to do so. The following are the merits g

      Prevent administrators from granting red
      when a process needs to refer to only cu

      Allow administrators to make current proces
      readable using 'allow_read' directive.

Version 1.1   2006/04/01   Functionality enhan

Fix 2006/04/03

    @ Use a queue instead of a fixed-size array f

      WriteAuditLog() now uses a queue to save s
      Administrators can give any size for aud

    @ Use kzalloc() instead of kmalloc() + mem

      kmalloc() + memset() were replaced with

Fix 2006/04/04

    @ Support "delayed enforcing" mode.

      Until now, an access request was immediatel
      if policy doesn't allow that access and
      running in enforce mode.
      Sometimes, especially after updating sof
      some unexpected access requests arise fr
      Such access requests should be granted b
      they are not caused by malicious attacks
      So I introduced a mechanism to allow adm
      to decide to grant or reject such access
      This mechanism is implemented in the fol
        "Don't return immediately if permissio
        "Sleep for a while waiting administrat
        "Return successfully if administrator

Fix 2006/04/12

    @ Fix handling of prefix in GetAbsolutePat

      Some objects don't have the prefix "/".
      Pipe has prefix "pipe:" and socket has p
      GetAbsolutePath() couldn't handle prefix

    @ Remove IsCorrectPath() checks for File A

      File Access Control functions accepted o
      with '/' because these functions assumed
      GetAbsolutePath() always start with '/'.
      However, I found a program that opens an
      (probably) /proc/PID/fd/ directory. (You
      "pipe:[number]" if you run "ls -l /proc/
      Now, File Access Control functions have
      that don't start with '/'. So, I stopped

Fix 2006/04/19

    @ Fix handling of NULL nameidata in vfs_op

      In 2.6 kernels, NFS daemon and sys_mq_op
      vfs_create() with NULL nameidata. In suc
      CheckSingleWritePermission() must not be

Version 1.1.1 2006/05/15   Functionality enhan

Fix 2006/05/16

    @ Support program files aggregation.

      Until now, programs that have no fixed n
      parent programs had to be run in a trust
      since it is impossible to use patterns f
      execute permission and defining domains.
      I introduced a mechanism to aggregate si
      using 'aggregator' directive.
      Some examples:

        'aggregator /tmp/logrotate.\?\?\?\?\?\
        to run all temporary programs for logr

        'aggregator /usr/bin/tac /bin/cat'
        to run /usr/bin/tac and /bin/cat as /b

Fix 2006/05/18

    @ Unlimit max count for audit log.

      I forgot to replace MAX_GRANT_LOG and MA
      so that administrators can give any size

Fix 2006/05/22

    @ Support individual domain ACL removal.

      Until now, to remove ACLs from a domain,
      once delete and recreate that domain, wh
      I introduced a mechanism to remove domai
      recreating domains.
      Administrators can delete domains or remo
      via /proc/ccs/policy/domain_policy .
      /proc/ccs/policy/delete_domain and /proc
      were removed.

Fix 2006/05/30

    @ Add missing spinlock in SAKURA_MayMount(

      vfsmount_lock was missing.

Version 1.1.2 2006/06/02   Functionality enhan

Fix 2006/06/13

    @ Merge tomoyo_connect.c and tomoyo_bind.c

      I merged these files that have only diff
      that are likely to be enabled both or ne

    @ Add CONFIG_TOMOYO_AUDIT option.

      I made auditing functions optional be
      may not have enough disk space to store

Fix 2006/06/15

    @ Support use of symbolic links for progra

      Until now, domains for programs executed
      symbolic links were defined using derefe
      This was inconvenient for some Linux box
      can't keep hard links of busybox.
      I introduced a mechanism to allow using
      symbolic links using 'alias' directive.
      Some examples:

        'alias /sbin/busybox /bin/ls' to run /
        (which is a symbolic link to /sbin/bus
        if /bin/ls is executed.

        'alias /bin/bash /bin/sh' to run /bin/
        (which is a symbolic link to /bin/bash
        if /bin/sh is executed.

Fix 2006/06/21

    @ Use ccs_alloc() instead of kzalloc().

      To detect memory leaks,
      I added a wrapper for tracing kmalloc()
      There is no way to detect memory leaks c

Version 1.1.3 2006/07/13   Functionality enhan

Fix 2006/07/14

    @ Change behavior of pathname pattern matc

      Until now, it was impossible to use patt
      "\*" matched zero or more repetitions of
      Now, "\*" matches zero or more repetitio

      Until now, it was impossible to use patt
      because "\$" matched one or more repetit
      non-digit character.
      Now, "\$" matches one or more repetition

      Also, new patterns "\x" "\X" "\a" "\A" "

Fix 2006/07/21

    @ Add CONFIG_TOMOYO_NETWORK option.

      Until now, only port numbers for TCP and
      Now, the combination of IPv4/IPv6 addres
      for TCP and UDP is controllable.
      CONFIG_TOMOYO_NETWORKPORT became obsolet

Fix 2006/07/25

    @ Change matching rule for CheckFileACL().

      Until now, only the first entry that matched
      was used for permission checking. For ex

      "2 /tmp/file-\$.txt"
      "4 /tmp/fil\?-0.txt"

      are given in this order and requested pa
      the "2 /tmp/file-\$.txt" is used. But if

      "4 /tmp/fil\?-0.txt"
      "2 /tmp/file-\$.txt"

      are given in this order, the "4 /tmp/fil
      This may potentially cause trouble becau
      permission checks depend on the order o

      Now, all entries that matched the reques
      are used for permission checking so that
      permission checks don't depend on the
450                                                   
Fix 2006/07/27

    @ Support RAW IPv4/IPv6 control.

      Some programs such as 'ping' and 'tracer
      Now, the combination of IPv4/IPv6 addres
      for IP is controllable.

Fix 2006/08/04

    @ Add filename and argv[0] comparison chec

      The domain transition was done based on
      while the behavior was defined based on
      There is no problem if the filename is a
      But if argv[0]-aware, access control byp
      transits to trusted domain but behaves a
      For example, when the administrator spec
      trusted but both /bin/ls and /bin/cat ar
      a cracker can run /bin/cat in a trusted
      succeeds in invoking do_execve() with file
      argv[0] = "/bin/cat".

      I introduced a directive that permits th
      basename of filename and argv[0].

Fix 2006/08/10

    @ Support ID based condition checks.

      It was impossible to use process id (uid
      checking individual domain ACL.

      Now it became possible to use process id
      domain ACL. For example,

        "1 /bin/sh if task.euid!=0"

      allows the domain to execute /bin/sh onl
      is not 0, and

        "6 /home/\*/\* if task.uid=path1.uid"

      allows the domain to read-write user's h
      only when the file's owner matches the p

Fix 2006/08/22

    @ Fix ROUNDUP() in fs/realpath.c .

      Alignment using sizeof(int) may be inapp
      I changed to use the larger size of 'voi
      instead of 'int'.
      For environments where sizeof(int) = size
      this change has no effect.

Version 1.2   2006/09/03   Functionality enhan

Fix 2006/09/30

    @ Fix CheckFilePerm() in fs/tomoyo_file.c

      The location to call path_release() was

Fix 2006/10/02

    @ Support per-domain profile.

      It became possible to assign different p
      This will help administrators using buil

Fix 2006/10/05

    @ Change parameters for CheckFilePerm().

      I was re-resolving pathnames inside Chec
      the caller function already resolved the
      So I changed to pass dentry and vfsmount
      and removed changes made on 2006/09/30.

Fix 2006/10/06

    @ Support deny_rewrite and allow_rewrite p

      It became possible to make regular files
      using "deny_rewrite" directive in except
      override it using "allow_rewrite" direct

      Regular files specified using "deny_rewr
        can't be open()ed with O_TRUNC or with
        can't be truncate()ed or ftruncate()ed
        can't have the O_APPEND flag turned off usin
      unless specified using "allow_rewrite" d

Fix 2006/10/12

    @ Enable configuration options by default

      CONFIG_SAKURA and CONFIG_TOMOYO are now
      and CONFIG_SYAORAN is now 'm' by default

Fix 2006/10/13

    @ Use external policy loader.

      Until now, policies were loaded when /sbi
      initial control levels were switched usin
      But since some boxes have to fixate kern
      at compilation time, I think it will bec
      by running an external policy loader using
      initial control levels can be specified

      Call panic() if initial control levels a

Fix 2006/10/16

    @ Add missing parameter in FindNextDomain(

      'struct file' was needed for allowing 'i

Fix 2006/10/23

    @ Print error messages in CheckFlags().

      Some users seem to have trouble picking
      entries for the configuration file of SY
      since makesyaoranconf can't pick up entr
      nonexistent at the time.
      I added an error message so that users can
      using dmesg.

Fix 2006/10/24

    @ Change /proc/ccs/info/self_domain .

      I changed /proc/ccs/info/self_domain to
      the domain at open time rather than firs
      This modification makes shell's redirect
      more convenient since redirection opens
      but doesn't read at the time.

      'cat < /proc/ccs/info/self_domain' will
      the domain of shell, and
      'cat /proc/ccs/info/self_domain' will re
595       the domain of cat .                         
596                                                   
597 Fix 2006/11/06                                    
598                                                   
599     @ Replace MAX_ENFORCE_GRACE with ALLOW_ENF    
600                                                   
601       Since it was inconvenient that requests     
602       supervisor's decision are rejected autom    
603       MAX_ENFORCE_GRACE seconds has elapsed, I    
604       reset timeout counter whenever a supervi    
605       and I modified ccs-queryd write a dummy     
606       so that the requests won't be rejected a    
607       ccs-queryd is running.                      
608       This change made MAX_ENFORCE_GRACE's mea    
609       So I fixated MAX_ENFORCE_GRACE to 10 sec    
610       MAX_ENFORCE_GRACE parameter.                
611       To allow administrators selectively enab    
612       mode, I added ALLOW_ENFORCE_GRACE parame    
613       The behavior of "delayed enforcing" mode    
614       in the following order.                     
615                                                   
616       (1) The requests are rejected immediatel    
617       (2) The requests are rejected immediatel    
618           if nobody is opening /proc/ccs/polic    
619       (3) The requests won't be rejected autom    
620           if ALLOW_ENFORCE_GRACE=1 and ccs-que    
621       (4) The requests will be rejected in 10     
622           if somebody other than ccs-queryd (s    
623           opening /proc/ccs/policy/query inter    
624           such process doesn't write dummy dec    
625                                                   
626 Version 1.3   2006/11/11   First anniversary r    
627                                                   
628 Fix 2006/11/13                                    
629                                                   
630     @ Replace trust_domain with keep_domain.      
631                                                   
632       Since it was troublesome that there are     
633       (assigning a profile that doesn't enable    
634       with trust_domain directive), I removed     
635       Instead, I introduced keep_domain direct    
636       unless a program registered with initial    
637       This change has the following advantages    
638                                                   
639       (1) Allows administrator use "enforce mo    
640           Since it was difficult to know what     
641           and accessed in what sequences befor    
642           directive for such domain, allowing     
643           access any files in any sequence.       
644           But now, we can use keep_domain dire    
645           "enforce mode" for such domain, forc    
646           commands and access only allowed fil    
647           while these operations are kept unde    
648                                                   
649       (2) Allows administrator determine easil    
650           under MAC or not because only the pr    
651           the domain determines it.               
652                                                   
653       (3) Saves total number of domains and me    
654                                                   
655 Fix 2006/11/22                                    
656                                                   
657     @ Don't allow use of undefined profile.       
658                                                   
659       To avoid assigning undefined profile to     
660       I added checks before assigning profiles    
661       Now, profiles have to be defined prior t    
662                                                   
663 Version 1.3.1 2006/12/08   Minor update releas    
664                                                   
665 Fix 2006/12/10                                    
666                                                   
667     @ Allow pathname grouping.                    
668                                                   
669       To reduce the labor of repeating '/\*' t    
670       I introduced a macro 'path_group' to mak    
671       For example, you had to give like           
672                                                   
673         4 /var/www/html/\*                        
674         4 /var/www/html/\*/\*                     
675         4 /var/www/html/\*/\*/\*                  
676         4 /var/www/html/\*/\*/\*/\*               
677                                                   
678       but now, you can give just                  
679                                                   
680         4 @WEB-CONTENTS                           
681                                                   
682       if you give                                 
683                                                   
684         path_group WEB-CONTENTS /var/www/html/    
685         path_group WEB-CONTENTS /var/www/html/    
686         path_group WEB-CONTENTS /var/www/html/    
687         path_group WEB-CONTENTS /var/www/html/    
688                                                   
689       in the exception policy.                    
690       This macro will be useful when grouping     
691                                                   
692 Fix 2006/12/15                                    
693                                                   
694     @ Use structured pathnames instead for sim    
695                                                   
696       To reduce the cost of strcmp(), I change    
697       SaveName() from 'const char *' to 'const    
698       This change will speed up PathMatchesToP    
699                                                   
700 Fix 2006/12/19                                    
701                                                   
702     @ Allow registering policy managers using     
703                                                   
704       It was difficult to restrict programs th    
705       via /proc/ccs/ interfaces using pathname    
706       these programs could be unintendedly inv    
707       Now, it became possible to restrict doma    
708       via /proc/ccs/ interfaces as well as pro    
709       By restricting using domainnames, it bec    
710       unintended invocation.                      
711                                                   
712 Fix 2006/12/22                                    
713                                                   
714     @ Add initialize_domain,no_initialize_doma    
715                                                   
716       To control domain transitions more stric    
717       initialize_domain,no_initialize_domain,n    
718       were introduced.                            
719                                                   
720       "initialize_domain /some/program" means     
721       jump to "<kernel> /some/program" domain     
722       called from any domain.                     
723       This is equivalent to conventional "init    
724                                                   
725       "initialize_domain /some/program from so    
726       jump to "<kernel> /some/program" domain     
727       called from "some_domain" domain.           
728                                                   
729       "no_initialize_domain /some/program" mea    
730       don't jump to "<kernel> /some/program" d    
731       "initialize_domain /some/program" or        
732       "initialize_domain /some/program from so    
733       if /some/program is called from any doma    
734                                                   
735       "no_initialize_domain /some/program from    
736       don't jump to "<kernel> /some/program" d    
737       "initialize_domain /some/program" or        
738       "initialize_domain /some/program from so    
739       if /some/program is called from "some_do    
740                                                   
741       "keep_domain some_domain" means don't ju    
742       if any programs are called from "some_do    
743                                                   
744       "keep_domain /some/program from some_dom    
745       don't jump to child domain only if /some    
746       called from "some_domain" domain.           
747                                                   
748       "no_keep_domain some_domain" means          
749       jump to child domain even if                
750       "keep_domain /some/program" or              
751       "keep_domain /some/program from some_dom    
752       if any programs are called from "some_do    
753                                                   
754       "no_keep_domain /some/program from some_    
755       jump to child domain even if                
756       "keep_domain /some/program" or              
757       "keep_domain /some/program from some_dom    
758       if /some/program is called from "some_do    
759                                                   
760       "some_domain" can be just the last compo    
761       For example, giving "/bin/mail" as "some    
762       all domains whose domainname ends with "    
763                                                   
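The transition rules above, together with the keep_domain entry of 2006/11/13, can be modelled in user space. The program below is an added example written for this page, not code from the TOMOYO kernel patch or from the project. It assumes that initialize_domain is evaluated before keep_domain, that each "no_" directive simply cancels its positive form, and that a bare "some_domain" matches by last component as described; the paths in the constructed rule set (/usr/sbin/httpd, /usr/bin/apachectl, /bin/mail, /bin/sh) are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example: user-space model of the domain transition directives.
 * Not the project's kernel code; rule set below is constructed. */

enum rule_kind { R_INITIALIZE, R_NO_INITIALIZE, R_KEEP, R_NO_KEEP };

struct rule {
    enum rule_kind kind;
    const char *program;  /* executed program, or NULL for "any program" */
    const char *caller;   /* "some_domain" part, or NULL for "from any domain" */
};

/* "some_domain" is a full domainname or just its last component:
 * "/bin/mail" matches every domain whose name ends with " /bin/mail". */
static bool caller_matches(const char *pattern, const char *domain)
{
    size_t plen, dlen;

    if (!pattern || strcmp(pattern, domain) == 0)
        return true;
    plen = strlen(pattern);
    dlen = strlen(domain);
    return dlen > plen && domain[dlen - plen - 1] == ' ' &&
           strcmp(domain + dlen - plen, pattern) == 0;
}

static bool rule_matches(const struct rule *r, const char *caller, const char *program)
{
    if (r->program && strcmp(r->program, program) != 0)
        return false;
    return caller_matches(r->caller, caller);
}

/* Domain entered when `caller` executes `program`. Assumption of this
 * example: initialize_domain is checked before keep_domain. */
void next_domain(const struct rule *rules, size_t n, const char *caller,
                 const char *program, char *out, size_t outsz)
{
    bool init = false, no_init = false, keep = false, no_keep = false;
    size_t i;

    for (i = 0; i < n; i++) {
        if (!rule_matches(&rules[i], caller, program))
            continue;
        switch (rules[i].kind) {
        case R_INITIALIZE:    init = true;    break;
        case R_NO_INITIALIZE: no_init = true; break;
        case R_KEEP:          keep = true;    break;
        case R_NO_KEEP:       no_keep = true; break;
        }
    }
    if (init && !no_init)
        snprintf(out, outsz, "<kernel> %s", program);   /* jump to "<kernel> /prog" */
    else if (keep && !no_keep)
        snprintf(out, outsz, "%s", caller);              /* stay in caller's domain */
    else
        snprintf(out, outsz, "%s %s", caller, program);  /* default: child domain */
}

/* Constructed exception policy (hypothetical paths):
 *   initialize_domain /usr/sbin/httpd
 *   no_initialize_domain /usr/sbin/httpd from /usr/bin/apachectl
 *   keep_domain /bin/mail
 *   no_keep_domain /bin/sh from /bin/mail                               */
static const struct rule demo_rules[] = {
    { R_INITIALIZE,    "/usr/sbin/httpd", NULL },
    { R_NO_INITIALIZE, "/usr/sbin/httpd", "/usr/bin/apachectl" },
    { R_KEEP,          NULL,              "/bin/mail" },
    { R_NO_KEEP,       "/bin/sh",         "/bin/mail" },
};

/* Wrapper over the demo policy; returns a static buffer. */
const char *resolve(const char *caller, const char *program)
{
    static char buf[512];
    next_domain(demo_rules, sizeof demo_rules / sizeof demo_rules[0],
                caller, program, buf, sizeof buf);
    return buf;
}

int main(void)
{
    const char *cases[][2] = {
        { "<kernel> /sbin/init",                    "/usr/sbin/httpd" },
        { "<kernel> /sbin/init /usr/bin/apachectl", "/usr/sbin/httpd" },
        { "<kernel> /usr/sbin/httpd /bin/mail",     "/usr/bin/sendmail" },
        { "<kernel> /usr/sbin/httpd /bin/mail",     "/bin/sh" },
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%s + %s\n  -> %s\n", cases[i][0], cases[i][1],
               resolve(cases[i][0], cases[i][1]));
    return 0;
}
```

The mail case shows the security point of keep_domain: every helper mail(1) spawns stays in the "/bin/mail" domain and is covered by that domain's ACL, except /bin/sh, which the no_keep_domain entry forces into its own child domain so that a shell can be policed separately.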
764 Fix 2007/01/19                                    
765                                                   
766     @ Allow reuse of memory allocated for doma    
767                                                   
768       Regarding domain policy, unlike other po    
769       "is_deleted" flag and new memory were al    
770       if the deleted entries are given again.     
771       But to allow administrators switch domai    
772       I introduced "is_deleted" flag.             
773                                                   
774       Writing "some_domain" to /proc/ccs/polic    
775       creates "some_domain" using new memory i    
776                                                   
777       Writing "select some_domain" doesn't cre    
778       if it didn't exist.                         
779                                                   
780       Writing "delete some_domain" deletes "so    
781       but does not delete entries in "some_dom    
782                                                   
783       Writing "undelete some_domain" undeletes    
784       if it was deleted by "delete some_domain    
785                                                   
786 Fix 2007/01/22                                    
787                                                   
788     @ Allow getting already deleted pathnames.    
789                                                   
790       To allow getting pathnames that are alre    
791       I removed (IS_ROOT(dentry) || !d_unhashe    
792                                                   
793 Fix 2007/01/26                                    
794                                                   
795     @ Limit string length to 4000.                
796                                                   
797       I was using PAGE_SIZE (4096 in many envi    
798       as the max length of any string data.       
799       But for environments that have larger PA    
800       doing memset(ptr, 0, PAGE_SIZE) every ti    
801                                                   
802 Fix 2007/01/29                                    
803                                                   
804     @ Add garbage collector for domain policy.    
805                                                   
806       Writing "some_domain" to /proc/ccs/polic    
807       creates "some_domain" using new memory o    
808       some process is staying at that deleted     
809       If no process is staying at that deleted    
810       "some_domain" is undeleted with all ACLs    
811                                                   
812 Version 1.3.2 2007/02/14   Usability enhanceme    
813                                                   
814 Fix 2007/02/20                                    
815                                                   
816     @ Allow address grouping.                     
817                                                   
818       To reduce the labor of repeating similar    
819       I introduced a macro 'address_group' to     
820       For example, you had to give like           
821                                                   
822         allow_network TCP accept 10.0.0.0-10.2    
823         allow_network TCP accept 172.16.0.0-17    
824         allow_network TCP accept 192.168.0.0-1    
825                                                   
826       but now, you can give just                  
827                                                   
828         allow_network TCP accept @localnet 102    
829                                                   
830       if you give                                 
831                                                   
832         address_group localnet 10.0.0.0-10.255    
833         address_group localnet 172.16.0.0-172.    
834         address_group localnet 192.168.0.0-192    
835                                                   
836       in the exception policy.                    
837                                                   
838 Fix 2007/03/03                                    
839                                                   
840     @ Remove obsolete functions.                  
841                                                   
842     @ Add some hooks.                             
843                                                   
844       Read permission check is done if open_ex    
845       is called from search_binary_handler().     
846       Read permission check is not done if ope    
847       is called from do_execve(), instead,        
848       execute permission check is done at         
849       search_binary_handler_with_transition().    
850                                                   
851       I moved the location of calling CheckCap    
852       and CheckMountPermission() from sys_moun    
853                                                   
854 Fix 2007/03/07                                    
855                                                   
856     @ Use 'unsigned int' for sscanf().            
857                                                   
858       I compiled SYAORAN fs on x86_64 environm    
859       the compiler showing warning messages ab    
860       Since size of data types may mismatch fo    
861       I replaced some types with 'unsigned int    
862                                                   
863 Version 1.4   2007/04/01   x86_64 support rele    
864                                                   
865 Fix 2007/04/18                                    
866                                                   
867     @ Change argv[0] checking rule.               
868                                                   
869       I was comparing the basename of symbolic    
870       Since execute permission check and domai    
871       based on realpath while argv[0] check is    
872       pathname and argv[0], this specification    
873       as /bin/cat in the domain of /bin/ls if     
874       links to /sbin/busybox" and "the attacke    
875       a symlink named ~/cat that points to /bi    
876       permitted to run /bin/ls".                  
877       So, I changed to compare the basename of    
878       Also, I moved the location to compare be    
879       "aggregator" directive so that              
880       "aggregator /tmp/logrotate.\?\?\?\?\?\?     
881       won't cause the mismatch of the basename    
882                                                   
883       If /bin/ls is a symlink to /sbin/busybox    
884       creating a symlink named ~/cat that poin    
885       executing ~/cat won't work as expected b    
886       domain transition are done using /sbin/b    
887       and will be rejected since the administr    
888       "1 /sbin/busybox".                          
889                                                   
890 Fix 2007/05/07                                    
891                                                   
892     @ Support pathname subtraction.               
893                                                   
894       There was no way to exclude specific pat    
895       permissions using wildcards.                
896       There would be a need to exclude specifi    
897       I introduced "\-" as subtraction operato    
898                                                   
899         "A\-B" means "A" other than "B".          
900         "A\-B\-C" means "A" other than "B" and    
901         "A\-B\-C\-D" means "A" other than "B"     
902                                                   
903       "A", "B", "C", "D" may contain wildcards    
904                                                   
905       An example usage is "/home/\*/\*\-.ssh/\    
906       "/home/\*/\*/\*" other than "/home/\*/.s    
907                                                   
908       "A" should contain wildcards because sub    
909       (e.g. "/usr\-usr/" or "/usr\-home/") is     
910                                                   
911       Don't try "A\-B\+C" because "\+" is not     
912                                                   
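The subtraction operator above and the path_group macro of 2006/12/10 both depend on how pathname patterns are matched. The matcher below is an added example written for this page, not the kernel patch's PathMatchesToPattern() or any other project code. It supports "\*" (zero or more characters other than '/'), "\?" (exactly one such character), "\\" (a literal backslash) and "\-"; applying subtraction per path component, so that "/home/\*/\*\-.ssh/\*" excludes only the ".ssh" component, is this example's reading of the entry above. The WEB-CONTENTS group and the sample paths are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example: user-space matcher for TOMOYO-style pathname patterns.
 * Not the project's code. Subtraction is applied within one component
 * (an assumption of this example). */

/* Wildcard match of pattern [p, pe) against [s, se); no '/' in either. */
static bool wild_match(const char *p, const char *pe, const char *s, const char *se)
{
    while (p < pe) {
        if (*p == '\\' && p + 1 < pe) {
            char c = p[1];
            if (c == '*') {
                const char *t;
                for (t = s; ; t++) {            /* try every possible length */
                    if (wild_match(p + 2, pe, t, se))
                        return true;
                    if (t == se)
                        return false;
                }
            }
            if (c == '?') {
                if (s == se)
                    return false;
                p += 2; s++;
                continue;
            }
            if (c == '\\') {
                if (s == se || *s != '\\')
                    return false;
                p += 2; s++;
                continue;
            }
            return false;                       /* unsupported escape never matches */
        }
        if (s == se || *s != *p)
            return false;
        p++; s++;
    }
    return s == se;
}

/* Next unescaped "\-" in [p, pe), or NULL. */
static const char *find_minus(const char *p, const char *pe)
{
    for (; p + 1 < pe; p++) {
        if (*p == '\\') {
            if (p[1] == '-')
                return p;
            p++;                                /* skip the escaped character */
        }
    }
    return NULL;
}

/* "A\-B\-C": component matches A but neither B nor C. */
static bool match_component(const char *p, const char *pe, const char *s, const char *se)
{
    const char *m = find_minus(p, pe);

    if (!wild_match(p, m ? m : pe, s, se))
        return false;
    while (m) {
        const char *next = find_minus(m + 2, pe);
        if (wild_match(m + 2, next ? next : pe, s, se))
            return false;                       /* excluded by subtraction */
        m = next;
    }
    return true;
}

/* Component-by-component match; depth must agree on both sides. */
bool path_matches(const char *pattern, const char *path)
{
    const char *p = pattern, *s = path;

    for (;;) {
        const char *pe = strchr(p, '/'), *se = strchr(s, '/');
        if (!pe) pe = p + strlen(p);
        if (!se) se = s + strlen(s);
        if (!match_component(p, pe, s, se))
            return false;
        if (*pe == '\0' || *se == '\0')
            return *pe == *se;
        p = pe + 1;
        s = se + 1;
    }
}

bool group_matches(const char *const *group, size_t n, const char *path)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (path_matches(group[i], path))
            return true;
    return false;
}

/* Constructed path_group WEB-CONTENTS (four entries, as in the 2006/12/10 entry). */
static const char *const web_contents[] = {
    "/var/www/html/\\*",
    "/var/www/html/\\*/\\*",
    "/var/www/html/\\*/\\*/\\*",
    "/var/www/html/\\*/\\*/\\*/\\*",
};

bool web_contents_matches(const char *path)
{
    return group_matches(web_contents, sizeof web_contents / sizeof web_contents[0], path);
}

int main(void)
{
    const char *pat = "/home/\\*/\\*\\-.ssh/\\*";
    printf("%d %d %d\n", path_matches(pat, "/home/alice/docs/notes.txt"),
           path_matches(pat, "/home/alice/.ssh/id_rsa"),
           web_contents_matches("/var/www/html/css/site.css"));
    return 0;
}
```

Because "\*" never crosses a '/', a group still needs one entry per directory depth, which is exactly the repetition path_group removes; a subtracted term may itself contain wildcards, so "\*\-.\*" excludes every dot-directory at that level rather than only ".ssh".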
913 Fix 2007/05/24                                    
914                                                   
915     @ Fix autobind hook.                          
916                                                   
917       The location to call SAKURA_MayAutobind(    
918       and net/ipv6/udp.c were wrong.              
919                                                   
920 Fix 2007/06/03                                    
921                                                   
922     @ Add a space in MakeMountOptions().          
923                                                   
924       I forgot to add a space after "atime" an    
925                                                   
926 Version 1.4.1 2007/06/05   Minor update releas    
927                                                   
928 Fix 2007/07/04                                    
929                                                   
930     @ Fix ReadAddressGroupPolicy() bug.           
931                                                   
932       ReadAddressGroupPolicy() fails if both "    
933       are used because I forgot to set "head->    
934                                                   
935 Fix 2007/07/10                                    
936                                                   
937     @ Add compat_sys_stime() hook.                
938                                                   
939       Some of 64bit kernels support compat_sys    
940       but permission check was missing.           
941                                                   
942 Version 1.4.2 2007/07/13   Bug fix release.       
943                                                   
944 Fix 2007/08/06                                    
945                                                   
946     @ Remove mount-flags manipulation.            
947                                                   
948       Until now, administrator is permitted to    
949       options regardless of mount options pass    
950       I removed this feature because "exact op    
951       "automatic option enabler/disabler".        
952                                                   
953     @ Remove /proc/ccs/info/mapping .             
954                                                   
955       I removed /proc/ccs/info/mapping because    
956       feature.                                    
957                                                   
958     @ Call external policy loader automaticall    
959                                                   
960       Until now, users had to add init=/.init     
961       before /sbin/init starts.                   
962       I inserted call_usermodehelper() to call    
963       execve("/sbin/init") is requested and ex    
964                                                   
965       This change will remove init=/.init para    
966       although call_usermodehelper() can't han    
967                                                   
968     @ Move external policy loader from /.init     
969                                                   
970       Installing programs in / directory is no    
971                                                   
972 Fix 2007/08/13                                    
973                                                   
974     @ Update external policy loader.              
975                                                   
976       It turned out that /sbin/ccs-init invoke    
977       can handle interactive operations by ope    
978       Now, there is no difference between init    
979       call_usermodehelper("/sbin/ccs-init"), a    
980       add init=/sbin/ccs-init parameter to loa    
981       starts.                                     
982                                                   
983 Fix 2007/08/14                                    
984                                                   
985     @ Update recvmsg() hooks.                     
986                                                   
987       Until now, it was impossible to apply ne    
988       incoming UDP and RAW packets if they are    
989       read() or recvmsg() with NULL address be    
990       I moved hooks from sock_recvmsg() to skb    
991       network access control for incoming UDP     
992                                                   
993 Fix 2007/08/16                                    
994                                                   
995     @ Return appropriate error code for CheckM    
996                                                   
997       I was returning -EPERM if something is w    
998       But SELinux determines whether selinuxfs    
999       based on whether error code is -ENODEV o    
1000       So I stopped returning -EPERM unconditi    
1001                                                  
1002 Fix 2007/08/17                                   
1003                                                  
1004     @ Remove initializer directive.              
1005                                                  
1006       Use "initialize_domain" instead of "ini    
1007                                                  
1008 Fix 2007/08/21                                   
1009                                                  
1010     @ Fix "allow_argv0 ... if if ..." bug.       
1011                                                  
1012       It was impossible to use a word "if" to    
1013       allow_argv0 if condition part is used.     
1014                                                  
1015 Fix 2007/08/24                                   
1016                                                  
1017     @ Move /proc/ccs/\*/\* to /proc/ccs/\* .     
1018                                                  
1019       Some pathnames for /proc/ccs/ interface    
1020                                                  
1021 Fix 2007/09/05                                   
1022                                                  
1023     @ Drop MSG_PEEK'ed message before skb_fre    
1024                                                  
1025       I need to remove head message from unwa    
1026       from socket's receive queue so that the    
1027       next message from wanted source with MS    
1028                                                  
1029 Version 1.5.0 2007/09/20   Usability enhancem    
1030                                                  
1031 Fix 2007/09/27                                   
1032                                                  
1033     @ Avoid eating memory after quota exceede    
1034                                                  
1035       Although ACL entries in a domain won't     
1036       has exceeded, SaveName() in AddFileACL(    
1037       This caused unneeded memory consumption    
1038                                                  
1039       Now, quota checking is done before gett    
1040       This may exceed quota by one or two ent    
1041                                                  
1042 Fix 2007/10/16                                   
1043                                                  
1044     @ Add environment variable check.            
1045                                                  
1046       There are environment variables that ma    
1047       like LD_\* .                               
1048       So I introduced 'allow_env' directive t    
1049       environment variable inherited to next     
1050       Unlike other permissions, this check is    
1051       using next domain's ACL information.       
1052                                                  
1053       To manage commonly inherited environmen    
1054       you can use 'allow_env' directive in ex    
1055       to globally grant specified environment    
1056                                                  
1057 Fix 2007/11/05                                   
1058                                                  
1059     @ Replace semaphore with mutex.              
1060                                                  
1061       I replaced semaphore with mutex.           
1062                                                  
1063     @ Add missing down() in AddReservedEntry(    
1064                                                  
1065       Mutex debugging capability told me that    
1066       since TOMOYO version 1.3.2 .               
1067       This function is not called by learning    
1068       so the semaphore's counter will not ove    
1069                                                  
1070 Fix 2007/11/27                                   
1071                                                  
1072     @ Fix ReadTable() truncation bug.            
1073                                                  
1074       "snprintf(str, size, format, ...) >= si    
1075       But I was checking for "snprintf(str, s    
1076       As a result, some entries might be dump    
1077                                                  
1078     @ Purge direct "->prev"/"->next" manipula    
1079                                                  
1080       All list manipulations use "struct list    
1081       "struct list1_head" doesn't have "->pre    
1082                                                  
1083 Fix 2007/11/29                                   
1084                                                  
1085     @ Add missing semaphore in GetEXE().         
1086                                                  
1087       mm->mmap_sem was missing.                  
1088                                                  
1089 Fix 2007/12/17                                   
1090                                                  
1091     @ Remove unused EXPORT_SYMBOL().             
1092                                                  
1093       Mark some functions static.                
1094                                                  
1095 Fix 2007/12/18                                   
1096                                                  
1097     @ Fix AddMountACL() rejection bug.           
1098                                                  
1099       To my surprise, "mount --bind source de    
1100       not only "both source and dest are dire    
1101       but also "both source and dest are non-    
1102       I was rejecting if dest is not a direct    

    @ Change log format.

      Profile number and mode are added in aud

Fix 2008/01/03

    @ Change directive for file's read/write/

      Directives for file's read/write/execut
      4/2/1 respectively. But for easier unde
      replaced by read/write/execute (e.g. "a
      But for easier inputting, 4/2/1 are sti
      allow_read/allow_write/allow_execute re

    @ Change internal data structure.

      Since I don't have more than 16 types o
      I combined them using bit-fields.

      Each entry had a field for conditional
      But since this field is unlikely used,
      common part.

      These changes will reduce memory used b

Fix 2008/01/15

    @ Add ptrace() hook.

      To prevent attackers from controlling i
      ptrace(), I added a hook for ptrace().
      Most programs (except strace(1) and gdb

    @ Fix sleep condition check in CheckSocke

      It seems that the correct method to use is
      rather than in_interrupt() because in_a
      whenever scheduling is not allowed.

Fix 2008/02/05

    @ Use find_task_by_vpid() instead of find

      Kernel 2.6.24 introduced PID namespace.
      To search PID given from userland, the
      find_task_by_vpid() instead of find_tas

Fix 2008/02/14

    @ Add execve() parameter checking.

      Until now, it was impossible to check a
      passed to execve().
      I expanded conditional permission synta
      { argc, envc, argv[] , envp[] } paramet
      This will allow the administrator to permit ex
      /bin/sh is invoked in the form of "/bin
      HOME is set by specifying

        allow_execute /bin/sh if exec.argv[1]

      in the policy.
      This extension will make exploit codes
      they unlikely set up environment variab
      option when invoking /bin/sh , whereas
      environment variables and likely specif

Fix 2008/02/18

    @ Add process state checking.

      Until now, it was impossible to change
      I added three variables for performing
      You can set current process's state lik

        allow_network TCP accept @TRUSTED_HOS
        allow_network TCP accept @UNTRUSTED_H

      and you can use the state like

        allow_read /path/to/important/file if

      in the policy.
      The state changes when the request was
      so please be careful with situations wh
      successfully but the request was not pr
      (e.g. out of memory).

Fix 2008/02/26

    @ Support /proc/ccs/ access by non-root u

      Until now, only the root user could access /p
      But to permit /proc/ccs/ access by non-
      ssh login by root user when administrat
      I made "(current->uid == 0 && current->
      If this requirement is disabled, only "
      checks" and "/proc/ccs/manager checks"

Fix 2008/02/29

    @ Add sleep_on_violation feature.

      Some exploit codes (e.g. trans2open for
      until it achieves the purpose of the ex

      If such code is injected due to buffer
      rejects the request, it triggers infini
      As a result, the CPU usage becomes 100%
      the rest of processes.
      This is a side effect of rejecting the
      which wouldn't happen if the request fr

      To avoid such CPU consumption, I added
      sleeps for specified period when a requ

      This penalty doesn't work if the exploi
      continue running, but I think most expl
      to start some program rather than to sl

    @ Add alt_exec feature.

      Since TOMOYO Linux's approach is "know
      and create policy that permits only the
      requests as attacks (if you want to do

      Common MAC implementations merely rejec
      But I added a special handler for execv

      This handler is triggered when a proces
      but the request was rejected by the pol
      This handler executes a program specifi
      instead of a program requested by the p

      Most attackers attempt to execute /bin/
      Attackers execute an exploit code using
      to steal control of a process. But this
      if an exploit code requests execve() th

      By default, this handler does nothing (
      request). You can specify any program t

      You can redirect attackers to somewhere
      This makes it possible to act your Linu
      while keeping regular services for your

      You can collect information of the atta
      update firewall configuration.

      You can silently terminate a process wh
      that is not permitted by policy.

Fix 2008/03/03

    @ Add "force_alt_exec" directive.

      To be able to fully utilize "alt_exec"
      I added "force_alt_exec" directive so t
      all execute requests are replaced by th
      specified by alt_exec feature.

      If this directive is specified for a do
      executes any programs regardless of the
      (i.e. the domain won't execute even if
      Instead, the domain executes the progra
      and the program specified by alt_exec f
      request and executes it if it is approp

      If you can tolerate that there is no ch
      to the caller to tell the execute reque
      this is a more flexible approach than in-
      checking because we can do argv[] and e

Fix 2008/03/04

    @ Use string for access control mode.

      An integer expression for access contro
      administrators because profile number i
      To avoid confusion between profile numb
      I introduced a string expression for ac

        Modes which take an integer between 0

          0 -> disabled
          1 -> learning
          2 -> permissive
          3 -> enforcing

        Modes which take 0 or 1.

          0 -> disabled
          1 -> enabled

Fix 2008/03/10

    @ Rename "force_alt_exec" directive to "e

      To be able to use different programs fo
      I moved the location to specify the pro
      to domain policy.

      The "execute_handler" directive takes o
      invoked whenever execve() request is is
      directives in a domain with "execute_ha
      This directive is designed for validati
      requests in userspace, although there i
      that the execve() request was rejected.

    @ Rename "alt_exec" directive to "denied_

      The "denied_execute_handler" directive
      invoked only when execve() request was
      this program is invoked only when the f

        (1) None of "allow_execute" directive
        (2) The execve() request was rejected
        (3) "execute_handler" directive is no

      This directive is designed for handling
      requests, to redirect the process issui

Fix 2008/03/18

    @ Fix wrong/redundant locks in pre-vfs fu

      lock_kernel()/unlock_kernel() in pre_vf
      2.6 kernels.

      Locking order in pre_vfs_link() and pre
      after 2.4.33 was different from before

Fix 2008/03/28

    @ Disable execute handler loop.

      To be able to use "execute_handler" in
      ignore "execute_handler" and "denied_ex
      if the current process is executing pro
      "execute_handler" or "denied_execute_ha

      This exception is needed to avoid infin
      If a domain has both "keep_domain" and
      any execute request by that domain is h
      and the execute handler attempts to pro
      But the original execute request is han
      unless the execute handler ignores "exe
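
      The handler selection rules from Fix 2008/03/10 together with this loop exception, as a Python model added here (it is not code from the TOMOYO Linux patch): the domain names, handler paths and function names are constructed for illustration, and keep_domain is modelled as the handler re-issuing the original request from the same domain.

```python
"""Model of execute_handler / denied_execute_handler selection and of the
handler-loop exception. Added example, not code from the TOMOYO Linux
patch; domain names, handler paths and function names are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ENFORCING = "enforcing"   # the only mode in which a request is rejected


@dataclass
class Domain:
    """The parts of a domain's policy this model needs."""
    name: str
    mode: str                      # file access control mode of its profile
    allow_execute: Set[str] = field(default_factory=set)
    execute_handler: Optional[str] = None         # runs for every execve()
    denied_execute_handler: Optional[str] = None  # runs only on rejection
    keep_domain: bool = False      # handler stays in this domain after exec


def resolve_execve(domain: Domain, requested: str, current_program: str,
                   loop_exception: bool = True
                   ) -> Tuple[Optional[str], Optional[str]]:
    """Return (program actually executed, directive that supplied it).
    (None, None) means the request is rejected with -EPERM."""
    handlers = {domain.execute_handler, domain.denied_execute_handler} - {None}
    # Fix 2008/03/28: a process that is itself running a handler program is
    # not redirected again; its execve() gets the ordinary policy check.
    running_handler = loop_exception and current_program in handlers
    if domain.execute_handler and not running_handler:
        return domain.execute_handler, "execute_handler"
    if requested in domain.allow_execute or domain.mode != ENFORCING:
        return requested, None     # matched, or not enforcing: runs as asked
    # Here (1) no allow_execute matched, (2) the request is rejected and
    # (3) no execute_handler applies, so the denied handler is consulted.
    if domain.denied_execute_handler and not running_handler:
        return domain.denied_execute_handler, "denied_execute_handler"
    return None, None


def trace_chain(domain: Domain, requested: str, start_program: str,
                loop_exception: bool = True, max_steps: int = 5) -> List[str]:
    """Follow an execve() issued from a keep_domain domain. Each handler, once
    running, re-issues the original request from the same domain. Returns the
    programs executed in order, ending in the requested program, "-EPERM", or
    "..." when the chain never converges (the loop the exception removes)."""
    assert domain.keep_domain, "without keep_domain the handler leaves the domain"
    chain: List[str] = []
    current = start_program
    for _ in range(max_steps):
        program, via = resolve_execve(domain, requested, current, loop_exception)
        if program is None:
            chain.append("-EPERM")
            return chain
        chain.append(program)
        if via is None:
            return chain       # the requested program itself now runs
        current = program      # the handler is running and retries the request
    chain.append("...")
    return chain


# Constructed sample domain: an httpd domain that validates every execve()
# through a handler at the hypothetical path /usr/lib/ccs/exec-validator.
HTTPD = Domain("<kernel> /usr/sbin/httpd", ENFORCING, {"/bin/true"},
               execute_handler="/usr/lib/ccs/exec-validator", keep_domain=True)

if __name__ == "__main__":
    # Without the exception the handler keeps re-triggering itself.
    print(trace_chain(HTTPD, "/bin/true", "/usr/sbin/httpd", loop_exception=False))
    # With it, the handler's own execve() of /bin/true passes the normal check.
    print(trace_chain(HTTPD, "/bin/true", "/usr/sbin/httpd"))
```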

    @ Update coding style.

      I rewrote the code to pass scripts/chec
      Function names were changed to use only

Version 1.6.0 2008/04/01   Feature enhancemen

Fix 2008/04/14

    @ Fix "Compilation failures" and "Initial
      with kernels before 2.4.30/2.6.11 .

      2.6 kernels before 2.6.9 didn't have in
      resulting in a compilation error at #include
      I added #elif condition.

      CentOS 4.6's 2.6.9 kernel calls do_exec
      ccs_alloc(), resulting in a NULL pointer der
      I changed __initcall to core_initcall.

      CentOS 4.6's 2.6.9 kernel backported kz
      resulting in a compilation error at kzalloc(
      I modified prototype of kzalloc().

Fix 2008/04/20

    @ Fix "Compilation failures" with kernels

      Turbolinux 10 Server's 2.6.8 kernel bac
      function, resulting in a compilation error a
      I converted kzalloc() from an inlined f

Fix 2008/04/21

    @ Add workaround for gcc 3.2.2's inline b

      RedHat Linux 9's gcc 3.2.2 generated a
         if ((var_of_u8 & 0x000000BF) & 0x800
      where the expected code is
         if ((var_of_u8 & 0xBF) & 0x80) { }
      when embedding ccs_acl_type2() into pri
      resulting in a runtime BUG().
      I added the expected code explicitly as

Fix 2008/05/06

    @ Add memory quota.

      1.5.x returns -ENOMEM when FindNextDoma
      domain, but I forgot to return -ENOMEM
      create a new domain.

      A domain is automatically created by fi
      the domain for the requested program do
      This behavior is for the administrator'
      The administrator needn't know how m
      the whole programs in the system before
      But the administrator does not want the
      requested program when developing the p

      So, I think it is better to grant execu
      find_next_domain() failed to create a n
      Thus, I decided not to return -ENOMEM w
      create a new domain. This exception bre
      so I print "transition_failed" warning
      when this exception happened.

      Also, to prevent the system from being
      all kernel memory for the policy, I add
      This quota is configurable via /proc/cc

        echo Shared:  1048576 > /proc/ccs/mem
        echo Private: 1048576 > /proc/ccs/mem

Version 1.6.1 2008/05/10   Bug fix release.

Fix 2008/06/04

    @ Check open mode of /proc/ccs/ interface

      It turned out that I can avoid allocati
      FMODE_READ is not set and memory for wr

    @ Wait for completion of /sbin/ccs-init .

      Since 2.4 kernel's call_usermodehelper(
      the executed program, I was using the c
      /proc/ccs/meminfo to indicate that load
      But since /proc/ccs/meminfo could be ac
      by /etc/ccs/ccs-post-init , I stopped u
      The policy loader no longer needs to acc
      the kernel that loading policy has fini

Fix 2008/06/05

    @ Fix realpath for pipes and sockets.

      Kernel 2.6.22 and later use different m
      Since fs/realpath.c didn't notice the c
      appeared as "pipe:" rather than "pipe:[
      /proc/PID/fd/ directory.

    @ Add process's information into /proc/cc

      While /proc/ccs/grant_log and /proc/ccs
      information, /proc/ccs/query doesn't co
      To be able to utilize ccs-queryd and cc
      /proc/ccs/query .

Fix 2008/06/10

    @ Allow using patterns for globally reada

      To allow users to specify locale specific
      I relaxed checking in update_globally_r

Fix 2008/06/11

    @ Remove ALLOW_ENFORCE_GRACE parameter.

      Since unexpected requests caused by doi
      in all profiles, users likely have to w
      to all profiles. And it makes meaningle
      enable specific profile's ALLOW_ENFORCE
      So, I removed ALLOW_ENFORCE_GRACE param
      Now, the system behaves as if ALLOW_ENF
      The behavior of "delayed enforcing" mod
      order.

      (1) The requests are rejected immediate
          /proc/ccs/query interface.
      (2) The requests will be rejected in 10
          ccs-queryd (such as less(1)) is ope
          for such process doesn't write dumm

Fix 2008/06/22

    @ Pass escaped pathname to audit_execute_

      I was passing unescaped pathname to aud
      which causes /proc/ccs/grant_log contai
      if execute handler's pathname contains

Fix 2008/06/25

    @ Return 0 when ccs_may_umount() succeeds

      I forgot to clear error value in ccs_ma
      directory didn't match "deny_unmount" d
      request with RESTRICT_UNMOUNT=enforcing

Version 1.6.2 2008/06/25   Usability enhancem

Fix 2008/07/01

    @ Fix "Compilation failure" with 2.4.20 k

      RedHat Linux 9's 2.4.20 kernel backport
      resulting in a compilation error at ccs_load
      I added defined(TASK_DEAD) check.

Fix 2008/07/08

    @ Don't check permissions if vfsmount is

      Some filesystems (e.g. unionfs) pass NU
      I changed fs/tomoyo_file.c not to try t
      if vfsmount is NULL.

Version 1.6.3 2008/07/15   Bug fix release.

Fix 2008/08/21

    @ Add workaround for gcc 4.3's bug.

      In some environments, fs/tomoyo_network
      because of gcc 4.3's bug.
      I modified save_ipv6_address() to use "
      instead of "static const u8" variable.

    @ Change prototypes of some functions.

      To support 2.6.27 kernels, I replaced "
      "struct path" for some functions.

    @ Detect distributor specific patches aut

      Since kernels with AppArmor patch appli
      I introduced a mechanism which determin
      are applied or not, based on "#define"

Fix 2008/08/29

    @ Remove "-ccs" suffix from Makefile's EX

      To reduce conflicts on Makefile's EXTRA
      I removed "-ccs" suffix from ccs-patch-
      Those who build kernels without using s
      please edit EXTRAVERSION tag manually s
      will not be overwritten by TOMOYO Linux

Version 1.6.4 2008/09/03   Minor update relea

Fix 2008/09/09

    @ Add "try again" response to "delayed en

      To be able to handle pathname changes c
      "delayed enforcing" mode was introduced
      grant access requests which are about t

      To be able to handle pathname changes c
      I introduced "try again" response. As "
      a process which violated policy, admini
      the process is sleeping. This "try agai
      to restart policy checks from the begin

Fix 2008/09/11

    @ Remember whether the process is allowed

      Since programs for manipulating policy
      in the form of RPM/DEB packages, these
      pathnames when they are updated by the
      manager renames these programs before d
      the package manager can rollback the op
      This causes a problem when the programs
      using pathnames, as the programs will n
      /proc/ccs/ interface while the process
      alive.

      To solve this problem, I modified to re
      is once allowed to write to /proc/ccs/
      attempts to execute a different program
      This change makes it impossible to revo
      /proc/ccs/ interface without killing th
      than nonfunctioning ccs-queryd program.

Fix 2008/09/19

    @ Allow selecting a domain by PID.

      Sometimes we want to know what ACLs are
      finding a domainname for that PID from
      reading ACLs from /proc/ccs/domain_poli
      Thus, I modified /proc/ccs/domain_polic
      PID. For example, to read domain ACL of
      run as follows.

      # exec 100<>/proc/ccs/domain_policy
      # echo select pid=$$ >&100
      # while read -u 100; do echo $REPLY; done
1604                                                  
1605       If a domain is once selected by PID, re    
1606       print only that domain if that PID exis    
1607                                                  
1608     @ Disallow concurrent /proc/ccs/ access u    
1609                                                  
1610       Until now, one process can read() from     
1611       that shares the file descriptor can wri    
1612       But to implement "Allow selecting a dom    
1613       concurrent read()/write() because the f    
1614       while writing.                             
1615                                                  
1616 Fix 2008/10/01                                   
1617                                                  
1618     @ Add retry counter into /proc/ccs/query     
1619                                                  
1620       To be able to handle some of queries fr    
1621       interaction, I added retry counter for     
1622       "try again" response.                      
1623                                                  
1624 Fix 2008/10/07                                   
1625                                                  
1626     @ Don't transit to new domain until do_ex    
1627                                                  
1628       Until now, a process's domain was updat    
1629       will belong to before do_execve() succe    
1630       permission checks for interpreters and     
1631       new domain. But this caused a subtle pr    
1632       signals to the process, for the process    
1633       do_execve() failed.                        
1634                                                  
1635       So, I modified to pass new domain to fu    
1636       modifying a process's domain before do_    
1637                                                  
1638     @ Use old task state for audit logs.         
1639                                                  
1640       Until now, audit logs were generated us    
1641       processing "; set task.state" part. But    
1642       I modified to save the task state befor    
1643       part and use the saved state for audit     
1644                                                  
1645     @ Use a structure for passing parameters.    
1646                                                  
1647       As the number of parameters is increasi    
1648       for passing parameters.                    
1649                                                  
1650 Fix 2008/10/11                                   
1651                                                  
1652     @ Remove domain_acl_lock mutex.              
1653                                                  
1654       I noticed that I don't need to keep all    
1655       a domain mutually exclusive. Since each    
1656       of ACL, locking is needed only when the    
1657       So, I modified to use local locks.         
1658                                                  
1659 Fix 2008/10/14                                   
1660                                                  
1661     @ Fix ccs_check_condition() bug.             
1662                                                  
1663       Due to a bug in ccs_check_condition(),     
1664       task.state[0] task.state[1] task.state[    
1665       if the ACL does not treat a pathname. F    
1666                                                  
1667         allow_network TCP connect @HTTP_SERVE    
1668                                                  
1669       didn't work.                               
1670                                                  
1671 Fix 2008/10/15                                   
1672                                                  
1673     @ Show process information in /proc/ccs/.    
1674                                                  
1675       To be able to determine a process's typ    
1676       which returns process information of th    
1677       "PID manager=\* execute_handler=\* stat    
1678       format.                                    
1679                                                  
1680 Fix 2008/10/20                                   
1681                                                  
1682     @ Use rcu_dereference() when walking the     
1683                                                  
1684       I was using "dependency ordering" for a    
1685       without asking the reader to take a loc    
1686       is not respected by DEC Alpha or by som    
1687       compiler optimizations.                    
1688                                                  
1689       On such environment, use of "dependency    
1690       crash because the reader might read uni    
1691       appended element.                          
1692                                                  
1693       To prevent the reader from reading unin    
1694       element, I inserted rcu_dereference() w    
1695                                                  
1696 Fix 2008/11/04                                   
1697                                                  
1698     @ Use sys_getpid() instead for current->p    
1699                                                  
1700       Kernel 2.6.24 introduced PID namespace.    
1701                                                  
1702       To compare PID given from userland, I c    
1703       So, I modified to use sys_getpid() inst    
1704                                                  
1705       I modified to use task_tgid_nr_ns() for    
1706       current->tgid when checking /proc/self/    
1707                                                  
1708 Fix 2008/11/07                                   
1709                                                  
1710     @ Fix is_alphabet_char().                    
1711                                                  
1712       is_alphabet_char() should match 'A' - '    
1713       but was matching from 'A' - 'F' and 'a'    
1714                                                  
1715     @ Add /proc/ccs/.execute_handler .           
1716                                                  
1717       Process information became visible to u    
1718       "Show process information in /proc/ccs/    
1719       However, programs specified by execute_    
1720       non root user, making it impossible to     
1721                                                  
1722       So, I added a new interface that allows    
1723       to see process information. The content    
1724       identical to /proc/ccs/.process_status     
1725                                                  
1726 Version 1.6.5 2008/11/11   Third anniversary     
1727                                                  
1728 Fix 2008/12/01                                   
1729                                                  
1730     @ Introduce "task.type=execute_handler" c    
1731                                                  
1732       The execute_handler directive is very v    
1733       directive to do anything you want to do    
1734       modifying command line parameters and e    
1735       closing and redirecting files, creating    
1736       spam filtering, deploying a DMZ between    
1737       shells).                                   
1738                                                  
1739       To be able to use this directive in a d    
1740       while limiting access to resources need    
1741       programs invoked as an execute handler     
1742                                                  
1743       In learning mode, "if task.type=execute    
1744       automatically added for requests issued    
1745                                                  
1746     @ Introduce file's type and permissions a    
1747                                                  
1748       To be able to limit file types a proces    
1749       new conditions for checking file's type    
1750       For example,                               
1751                                                  
1752         allow_read /etc/fstab if path1.type=f    
1753                                                  
1754       will allow opening /etc/fstab for readi    
1755       file and its permission is 0644, and
1756                                                  
1757         allow_write /dev/null if path1.type=c    
1758                                                  
1759       will allow opening /dev/null for writin    
1760       device file with major=1 and minor=3 at    
1761                                                  
1762     @ Add memory quota for temporary memory u    
1763                                                  
1764       Although there are MAX_GRANT_LOG and MA    
1765       which limit the number of entries for a    
1766       memory consumption by audit logs, it wo    
1767       also limit the size in bytes.              
1768       Thus, I added a new quota line.            
1769                                                  
1770         echo Dynamic: 1048576 > /proc/ccs/mem    
1771                                                  
1772       This quota is not applied to temporary     
1773                                                  
1774 Fix 2008/12/09                                   
1775                                                  
1776     @ Fix ccs_can_save_audit_log() checks.       
1777                                                  
1778       Due to incorrect statement "if (ccs_can    
1779       while ccs_can_save_audit_log() is boole    
1780       MAX_REJECT_LOG were not working.           
1781                                                  
1782       This bug will trigger OOM killer if /us    
1783                                                  
1784 Fix 2008/12/24                                   
1785                                                  
1786     @ Add "ccs_" prefix.                         
1787                                                  
1788       To be able to tell whether a symbol is     
1789       I added "ccs_" prefix as much as possib    
1790                                                  
1791     @ Fix ccs_check_flags() error message.       
1792                                                  
1793       I meant to print SYAORAN-ERROR: message    
1794       but I was printing it when error == 0 s    
1795                                                  
1796 Fix 2009/01/05                                   
1797                                                  
1798     @ Use kmap_atomic()/kunmap_atomic() for r    
1799                                                  
1800       As remove_arg_zero() uses kmap_atomic(K    
1801       kmap_atomic(KM_USER0) rather than kmap(    
1802                                                  
1803 Fix 2009/01/28                                   
1804                                                  
1805     @ Fix "allow_read" + "allow_write" != "al    
1806                                                  
1807       Since 1.6.0 , due to a bug in ccs_updat    
1808       appending "allow_read/write" entry didn    
1809       and "allow_write" entries. As a result,    
1810       but open(O_RDONLY) and open(O_WRONLY) f    
1811                                                  
1812       Workaround is to write an entry twice w    
1813       If written twice, internal "allow_read"    
1814       are updated.                               
1815                                                  
1816 Fix 2009/02/26                                   
1817                                                  
1818     @ Fix profile read error.                    
1819                                                  
1820       Incorrect profiles were shown in /proc/    
1821       if either CONFIG_SAKURA or CONFIG_TOMOY    
1822                                                  
1823 Fix 2009/03/02                                   
1824                                                  
1825     @ Undelete CONFIG_TOMOYO_AUDIT option.       
1826                                                  
1827       While HDD-less systems can use profiles    
1828       MAX_REJECT_LOG=0 , I undeleted CONFIG_T    
1829       memory used for /proc/ccs/grant_log and    
1830                                                  
1831 Fix 2009/03/13                                   
1832                                                  
1833     @ Show only profile entry names ever spec    
1834                                                  
1835       Even if an administrator specifies only    
1836       entries for /proc/ccs/profile , all ava    
1837       This was designed to help administrator    
1838       available, but sometimes makes administ    
1839       entries showing default values.            
1840                                                  
1841       Thus, I modified to show only profile e    
1842                                                  
1843 Fix 2009/03/18                                   
1844                                                  
1845     @ Add MAC_FOR_IOCTL functionality.           
1846                                                  
1847       To be able to restrict ioctl() requests    
1848       functionality.                             
1849                                                  
1850       This functionality requires modificatio    
1851                                                  
1852     @ Use better name for socket's pathname.     
1853                                                  
1854       Until now, socket's pathname was repres    
1855       where \$ is inode's number. But inode's    
1856       access control. Therefore, I modified t    
1857       "socket:[family=\$:type=\$:protocol=\$]    
1858                                                  
1859       This will help administrator to control    
1860       precisely.                                 
1861                                                  
1862     @ Fix misplaced ccs_capable() call.  (onl    
1863                                                  
1864       Location to insert ccs_capable(TOMOYO_S    
1865       wrong since version 1.1 .                  
1866                                                  
1867     @ Insert ccs_check_ioctl_permission() cal    
1868                                                  
1869       To make MAC_FOR_IOCTL functionality wor    
1870       ccs_check_ioctl_permission() call into     
1871                                                  
1872 Fix 2009/03/23                                   
1873                                                  
1874     @ Move sysctl()'s check from ccs-patch-\*    
1875                                                  
1876       Since try_parse_table() in kernel/sysct    
1877       all versions, I moved that function to     
1878                                                  
1879     @ Relocate definitions and functions.        
1880                                                  
1881       To reduce exposed symbols, I relocated     
1882                                                  
1883 Fix 2009/03/24                                   
1884                                                  
1885     @ Add CONFIG_TOMOYO_BUILTIN_INITIALIZERS     
1886                                                  
1887       Some systems don't have /sbin/modprobe     
1888       Thus, I made these pathnames configurab    
1889                                                  
1890 Version 1.6.7 2009/04/01   Feature enhancemen    
1891                                                  
1892 Fix 2009/04/06                                   
1893                                                  
1894     @ Drop "undelete domain" command.            
1895                                                  
1896       I added "undelete domain" command on 20    
1897       management tools. The garbage collector    
1898       automatically reuse memory and allow ad    
1899       periodically, provided that the adminis    
1900       domains before recreating new domains w    
1901                                                  
1902       Thus, I dropped "undelete domain" comma    
1903                                                  
1904     @ Escape invalid characters in ccs_check_    
1905                                                  
1906       ccs_check_mount_permission2() was passi    
1907       and ccs_update_mount_acl() and ccs_chec    
1908       /proc/ccs/system_policy and /proc/ccs/q    
1909       characters within a string.                
1910                                                  
1911 Fix 2009/04/07                                   
1912                                                  
1913     @ Fix IPv4's "address_group" handling err    
1914                                                  
1915       Since 1.6.5 , due to lack of ntohl() (b    
1916       ccs_update_address_group_entry(), "addr    
1917       not working.                               
1918                                                  
1919       This problem happens on little endian p    
1920                                                  
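      The byte-order mistake described above, as an added example that is not TOMOYO's own code: the kernel carries IPv4 addresses as network-order words (__be32), and a range check is only meaningful once the stored bounds and the checked address are brought into one byte order with ntohl(). The struct addr_range, be32_from_dotted(), in_range_raw(), in_range_host() and check() names are assumptions for this demonstration, and the 10.0.x.x ranges are constructed sample input.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Added example (not TOMOYO's own code). The kernel hands IPv4 addresses
 * around in network byte order (__be32); this shows why a range check must
 * bring both the stored bounds and the checked address into one byte order. */

/* Hypothetical address_group entry: an inclusive IPv4 range, stored as the
 * raw network-order words a parser would produce. */
struct addr_range {
    uint32_t min_be;
    uint32_t max_be;
};

/* Parse a dotted quad into its raw network-order 32-bit value.
 * Returns 0 on a parse failure (sufficient for this demonstration). */
static uint32_t be32_from_dotted(const char *s)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return 0;
    return a.s_addr;            /* already in network byte order */
}

/* Broken check: treats the raw network-order words as host-order integers.
 * On a little-endian host the last octet of the address lands in the most
 * significant position, so ordering comparisons no longer follow the
 * dotted-quad order. */
static int in_range_raw(const struct addr_range *r, uint32_t addr_be)
{
    return addr_be >= r->min_be && addr_be <= r->max_be;
}

/* Fixed check: ntohl() on every operand before comparing. */
static int in_range_host(const struct addr_range *r, uint32_t addr_be)
{
    uint32_t a  = ntohl(addr_be);
    uint32_t lo = ntohl(r->min_be);
    uint32_t hi = ntohl(r->max_be);
    return a >= lo && a <= hi;
}

/* Wrapper: use_fix == 0 runs the broken comparison, use_fix != 0 the fixed one.
 * Returns 1 when addr is inside lo..hi according to the chosen check. */
static int check(const char *lo, const char *hi, const char *addr, int use_fix)
{
    struct addr_range r = { be32_from_dotted(lo), be32_from_dotted(hi) };
    uint32_t a = be32_from_dotted(addr);
    return use_fix ? in_range_host(&r, a) : in_range_raw(&r, a);
}

/* 1 on little-endian hosts (x86, most ARM), where the broken check misbehaves. */
static int host_is_little_endian(void)
{
    uint16_t probe = 1;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

int main(void)
{
    /* Constructed samples: a group covering 10.0.1.0 - 10.0.2.0 and a /16 */
    printf("host is %s-endian\n", host_is_little_endian() ? "little" : "big");
    printf("10.0.1.200 in 10.0.1.0-10.0.2.0:     raw=%d fixed=%d\n",
           check("10.0.1.0", "10.0.2.0", "10.0.1.200", 0),
           check("10.0.1.0", "10.0.2.0", "10.0.1.200", 1));
    printf("11.0.0.0   in 10.0.0.0-10.0.255.255: raw=%d fixed=%d\n",
           check("10.0.0.0", "10.0.255.255", "11.0.0.0", 0),
           check("10.0.0.0", "10.0.255.255", "11.0.0.0", 1));
    return 0;
}
```

      On a little-endian machine the raw comparison both rejects 10.0.1.200 (its last octet makes the word larger than the upper bound) and accepts 11.0.0.0 (its first octet is compared as if it were the least significant one); the same code gives the right answers on a big-endian machine, which is why a bug of this kind is easy to miss when it is tested on only one platform.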
1921 Fix 2009/05/08                                   
1922                                                  
1923     @ Add condition for symlink's target path    
1924                                                  
1925       Until now, "allow_symlink" keyword allo    
1926       not check the symlink's target. Usually    
1927       permission checks are done using derefe    
1928       cases, we should restrict the symlink's    
1929       "ln -s .htpasswd /var/www/html/readme.h    
1930       blocked because we will allow Apache to    
1931       /var/www/html/readme.html and /var/www/    
1932                                                  
1933       Thus, I added new condition, "symlink.t    
1934                                                  
1935         allow_symlink /var/www/html/\*.html i    
1936                                                  
1937         allow_symlink /var/www/html/\*\-.\* i    
1938                                                  
1939     @ Don't return -EAGAIN at ccs_socket_recv    
1940                                                  
1941       It turned out that it is not permitted     
1942       return -EAGAIN if poll() said connectio    
1943       recvmsg() may return -EAGAIN and potent    
1944       because ccs_socket_recvmsg_permission()    
1945                                                  
1946       Thus, I modified ccs_socket_recvmsg_per    
1947       rather than -EAGAIN.                       
1948                                                  
1949 Fix 2009/05/19                                   
1950                                                  
1951     @ Don't call get_fs_type() with a mutex h    
1952                                                  
1953       Until now, when ccs_update_mount_acl()     
1954       filesystem, /sbin/modprobe is executed     
1955       filesystem module. And get_fs_type() do    
1956       finishes.                                  
1957                                                  
1958       This means that it will cause deadlock     
1959       executed via get_fs_type() in ccs_updat    
1960       ccs_update_mount_acl(); although it won    
1961       inserts execute_handler to call mount()    
1962       add "allow_mount" entries to /proc/ccs/    
1963                                                  
1964       I modified to unlock the mutex before c    
1965                                                  
1966 Fix 2009/05/20                                   
1967                                                  
1968     @ Update recvmsg() hooks.                    
1969                                                  
1970       Since 1.5.0, I was doing network access    
1971       packets inside skb_recv_datagram(). But    
1972       I moved ccs_recv_datagram_permission()     
1973       udp_recvmsg()/udpv6_recvmsg()/raw_recvm    
1974       change to ccs_recvmsg_permission().        
1975                                                  
1976 Version 1.6.8 2009/05/28   Feature enhancemen    
1977                                                  
1978 Fix 2009/07/03                                   
1979                                                  
1980     @ Fix buffer overrun when used with CONFI    
1981                                                  
1982       Since 1.6.7 , ccs_allocate_execve_entry    
1983       bytes while the comment says it is 4096    
1984       overrun when slob allocator is used, fo    
1985       4000 bytes whereas slab and slub alloca    
1986                                                  
1987 Fix 2009/09/01                                   
1988                                                  
1989     @ Add garbage collector support.             
1990                                                  
1991       Until now, it was impossible to release    
1992       I added SRCU based garbage collector so    
1993       policy will be automatically released.     
1994                                                  
1995     @ Remove word length limitation and line     
1996                                                  
1997       Until now, the max length of a word is     
1998       is 8192. To be able to handle longer pa    
1999       limitations. Now, the max length (excep    
2000       argv[]/envp[]) is 128K (which is the ma    
2001       can allocate in most environments).        
2002                                                  
2003     @ Support more fine grained profile confi    
2004                                                  
2005       Profile was reconstructed.                 
2006                                                  
2007     @ Support more fine grained parameters re    
2008                                                  
2009       "allow_create", "allow_mkdir", "allow_m    
2010       create mode. "allow_mkblock" and "allow    
2011       major/minor device numbers. "allow_chmo    
2012       checks new owner. "allow_chgrp" checks     
2013                                                  
2014     @ Allow number grouping.                     
2015                                                  
2016       To help specifying numeric values, a ne    
2017       introduced.                                
2018                                                  
2019     @ Remove "alias" directive and "allow_arg    
2020                                                  
2021       Until now, "allow_execute" used derefer    
2022       unless explicitly specified by "alias"     
2023                                                  
2024       Now, "allow_execute" uses symlink's pat    
2025       "exec.realpath" in "if" clause checks t    
2026       "exec.argv[0]" in "if" clause checks th    
2027                                                  
2028     @ Remove /proc/ccs/system_policy and /etc    
2029                                                  
2030       "deny_autobind" was moved to /proc/ccs/    
2031       /etc/ccs/exception_policy.conf . Other     
2032       /proc/ccs/domain_policy and /etc/ccs/do    
2033                                                  
2034     @ Remove syaoran filesystem.                 
2035                                                  
2036       Since "allow_create"/"allow_mkdir"/"all    
2037       "allow_mkblock"/"allow_mkchar"/"allow_c    
2038       can restrict mode changes and owner/gro    
2039       restrict these changes at filesystem le    
2040                                                  
2041       Thus, I removed syaoran filesystem.        
2042                                                  
2043     @ Reduce spinlocks.                          
2044                                                  
2045       Until now, TOMOYO was using own list fo    
2046       kernel 2.6.31 introduced memory leak de    
2047       ( CONFIG_DEBUG_KMEMLEAK ), TOMOYO no lo    
2048                                                  
2049       I removed the list to reduce use of spi    
2050                                                  
2051     @ Rewrite ccs-patch-2.\*.diff .              
2052                                                  
2053       ccs-patch-2.\*.diff was rewritten like     
2054                                                  
2055     @ Don't check "allow_read/write" for open    
2056                                                  
2057       open(pathname, 3) means open for ioctl(    
2058       Until now, TOMOYO was checking "allow_r    
2059       But since TOMOYO checks "allow_ioctl" f    
2060       require "allow_read/write" for open(pat    
2061                                                  
2062     @ Add missing sigqueue() and tgsigqueue()    
2063                                                  
2064       Until now, kill(), tkill(), tgkill() ha    
2065       tgsigqueue() didn't.                       
2066                                                  
2067     @ Move files from fs/ to security/ccsecur    
2068                                                  
2069       Config menu section changed from "File     
2070                                                  
2071       Kernel config symbols changed from CONF    
2072       CONFIG_SYAORAN to CONFIG_CCSECURITY .      
2073                                                  
2074     @ Add global PID to audit logs.              
2075                                                  
2076       ccs-queryd was using domainname for rea    
2077       belongs to, but the domain could be del    
2078       policy violation. If the domain is dele    
2079       reach the domain by domainname. Thus, c    
2080       reaching the domain which the process b    
2081                                                  
2082       Kernel 2.6.24 introduced PID namespace.    
2083       by a process inside a container is usel    
2084       the domain which the process belongs to    
2085                                                  
2086       Thus, I added global PID in audit logs.    
2087                                                  
2088     @ Transit to new domain before do_execve(    
2089                                                  
2090       Permission checks for interpreters and     
2091       done using new domain. In order to allo    
2092       domain via global PID, I reverted "Don'    
2093       do_execve() succeeds." made on 2008/10/    
2094                                                  
2095 Version 1.7.0 2009/09/03   Feature enhancemen    
2096                                                  
2097 Fix 2009/09/04                                   
2098                                                  
2099     @ Fix wrong ccs_profile() calls.             
2100                                                  
2101       I can't call ccs_profile() for profile     
2102       ccs_profile() never returns NULL.          
2103                                                  
2104 Fix 2009/09/06                                   
2105                                                  
2106     @ Fix wrong error code in ccs_try_alt_exe    
2107                                                  
2108       ccs_try_alt_exec() was returning ENOMEM    
2109       It needs to return -ENOMEM to fail.        
2110                                                  
2111 Fix 2009/09/10                                   
2112                                                  
2113     @ Do not check umount() permission for mo    
2114                                                  
2115       Until 1.6.x , umount() restriction was     
2116       white listing. This change caused "moun    
2117       require "allow_unmount old" permission     
2118       "allow_mount old new --move 0" permissi    
2119       But we don't want to allow umount(old)     
2120       only mount(old, new, MS_MOVE) requests.    
2121       "allow_unmount old" permission for moun    
2122                                                  
2123 Fix 2009/09/11                                   
2124                                                  
2125     @ Support recursive match operators.         
2126                                                  
2127       Until now, ccs_path_matches_pattern() d    
2128       comparison. Thus, users had to repeat "    
2129       recursively.                               
2130                                                  
2131       I introduced "\{" and "\}" as repetitio    
2132       To ensure consistency with TOMOYO's '/'    
2133       and "\-" operator, only "/\{dir\}/" seq    
2134       '/') is permitted.                         
2135                                                  
2136 Fix 2009/09/24                                   
2137                                                  
2138     @ Don't check chmod/chown capability for     
2139                                                  
2140       Until now, ccs_setattr_permission() was    
2141       But notify_change() is also called by r    
2142       and it made difficult to use TOMOYO on     
2143                                                  
2144       Thus, I moved ccs_capable() checks from    
2145       ccs_chmod_permission() and ccs_chown_pe    
2146       ccs_setattr_permission().                  
2147                                                  
2148 Fix 2009/09/25                                   
2149                                                  
2150     @ Embed more information into audit logs.    
2151                                                  
2152       Until now, /proc/ccs/grant_log /proc/cc    
2153       not printing file's information (e.g. f    
2154                                                  
2155       Recently, users who started using "if"     
2156       mode automatically adds various conditi    
2157                                                  
2158       But the profile will become too complic    
2159       conditions. Thus, I added all informati    
2160       "if" clause with all possible condition    
2161                                                  
2162       Now, the learning mode got different us    
2163       "CONFIG::learning={ max_entry=0 }" in t    
2164       are not permitted by policy will be sen    
2165       "mode=learning" header lines. Users can    
2166       and append to the policy using "/usr/sb    
2167       The learning mode with "CONFIG::learnin    
2168       the same with the permissive mode, only    
2169       and "mode=permissive".                     
2170                                                  
2171 Fix 2009/10/05                                   
2172                                                  
2173     @ Fix size truncation bug at ccs_memcmp()    
2174                                                  
2175       ccs_memcmp() was using "u8" for size pa    
2176       size >= 256 was passed to ccs_memcmp(),    
2177       (incorrect result) or read overrun (CPU    
2178                                                  
2179       ccs_memcmp() should use "size_t" for si    
2180       "struct ccs_condition" may exceed 256 b    
2181       given.                                     
2182                                                  
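      The narrowing bug described above, as an added example that is not TOMOYO's own code: a length parameter declared as "u8" silently reduces any caller value of 256 or more modulo 256, so a comparison that should cover 300 bytes covers only 44 and can report two different buffers as equal. The names cmp_u8_len(), cmp_size_t_len(), truncated_len() and wrong_match() are stand-ins assumed for this demonstration, the u8 typedef mirrors the kernel's, and the buffers are constructed sample input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not TOMOYO's own code): what a "u8" length parameter does to
 * a comparison once callers pass 256 bytes or more. */

typedef uint8_t u8;   /* same width as the kernel's u8 */

/* Stand-in for the broken signature: the length is narrowed to u8 at the call,
 * so 300 arrives as 44 and 256 arrives as 0. Returns 1 when equal. */
static int cmp_u8_len(const void *a, const void *b, u8 size)
{
    return memcmp(a, b, size) == 0;
}

/* Stand-in for the corrected signature: size_t carries the full length. */
static int cmp_size_t_len(const void *a, const void *b, size_t size)
{
    return memcmp(a, b, size) == 0;
}

/* The value a size_t length becomes after narrowing to u8. */
static unsigned truncated_len(size_t len)
{
    return (u8)len;
}

/* Constructed input: two 'len'-byte buffers that agree everywhere except at
 * offset 'diff_at'. */
static void make_pair(unsigned char *x, unsigned char *y, size_t len, size_t diff_at)
{
    memset(x, 0x41, len);
    memcpy(y, x, len);
    y[diff_at] ^= 0xff;
}

/* Returns 1 if the u8-length comparison wrongly reports the buffers equal
 * while the size_t comparison correctly reports them different, 0 if both
 * checks agree, and -1 on bad arguments. */
static int wrong_match(size_t len, size_t diff_at)
{
    unsigned char x[512], y[512];
    int buggy, fixed;

    if (len > sizeof x || diff_at >= len)
        return -1;
    make_pair(x, y, len, diff_at);
    /* The cast only makes visible what the implicit conversion to the u8
     * parameter would do at a real call site. */
    buggy = cmp_u8_len(x, y, (u8)len);
    fixed = cmp_size_t_len(x, y, len);
    return buggy == 1 && fixed == 0;
}

int main(void)
{
    printf("300 bytes narrowed to u8: %u\n", truncated_len(300));
    printf("300-byte buffers differing at byte 200: wrong match = %d\n",
           wrong_match(300, 200));
    printf("300-byte buffers differing at byte 10:  wrong match = %d\n",
           wrong_match(300, 10));
    printf("100-byte buffers differing at byte 50:  wrong match = %d\n",
           wrong_match(100, 50));
    return 0;
}
```

      The difference only shows once the differing byte lies beyond the truncated length, which is why such a bug survives small test inputs and surfaces only when a structure, here "struct ccs_condition", grows past 256 bytes.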
2183 Fix 2009/10/08                                   
2184                                                  
2185     @ Add CONFIG_CCSECURITY_DEFAULT_LOADER op    
2186                                                  
2187       I made the default policy loader's path    
2188       configurable.                              
2189                                                  
2190     @ Add CONFIG_CCSECURITY_ALTERNATIVE_TRIGG    
2191                                                  
2192       Some environments do not have /sbin/ini    
2193       to use different program's pathname (e.    
2194       activation trigger.                        
2195                                                  
2196       Thus, I made the alternative trigger (     
2197                                                  
2198 Fix 2009/11/02                                   
2199                                                  
2200     @ Fix buffer contention.                     
2201                                                  
2202       A permission like                          
2203                                                  
2204         allow_env PATH if exec.envp["PATH"]="    
2205                                                  
2206       was not working since I was using the s    
2207       variable's name and value.                 
2208                                                  
2209 Fix 2009/11/03                                   
2210                                                  
2211     @ Fix memory leak in ccs_write_address_gr    
2212                                                  
2213       I forgot to call kfree() if same entry     
2214                                                  
2215     @ Reduce mutexes.                            
2216                                                  
2217       I was using mutex_lock()/mutex_unlock()    
2218       atomic_dec_and_test() for removing an e    
2219       I moved that operation to garbage colle    
2220       of mutex_lock()/mutex_unlock() calls.      
2221                                                  
2222     @ Escape from nested loops correctly.        
2223                                                  
2224       In ccs_read_address_group_policy(), I w    
2225       correctly. But in ccs_read_path_group_p    
2226       ccs_read_number_group_policy(), I wasn'    
2227                                                  
2228       As a result, reading path_group and num    
2229       when they were not read atomically.        
2230                                                  
2231 Fix 2009/11/06                                   
2232                                                  
2233     @ Fix incorrect allow_mount audit log.       
2234                                                  
2235       Audit log for allow_mount was using dec    
2236       It needs to use hexadecimal format.        
2237                                                  
2238 Fix 2009/11/09                                   
2239                                                  
2240     @ Add profile version check.                 
2241                                                  
2242       To avoid upgrading from TOMOYO 1.6.x to    
2243       /proc/ccs/profile (which results in not    
2244       I added a check for PROFILE_VERSION= .     
2245                                                  
2246 Version 1.7.1 2009/11/11   Fourth anniversary    
2247                                                  
2248 Fix 2009/11/13                                   
2249                                                  
2250     @ Don't use core_initcall() for initializ    
2251                                                  
2252       Some kernels call TOMOYO's hooks before
2253       Thus, I can't use core_initcall() for in
2254                                                  
2255 Fix 2009/11/18                                   
2256                                                  
2257     @ Don't check "allow_write" permission fo    
2258                                                  
2259       Since TOMOYO checks "allow_truncate" pe    
2260       permission for O_TRUNC, I need to disti    
2261       and open(O_RDWR | O_TRUNC). But I made     
2262       1.7.1 which made it impossible for TOMO    
2263       to distinguish them.                       
2264                                                  
2265 Fix 2009/11/27                                   
2266                                                  
2267     @ Use newly created domain's name for dom    
2268                                                  
2269       Since 1.7.0 , /proc/ccs/reject_log was     
2270       name when auditing newly created domain    
2271                                                  
2272 Fix 2009/12/12                                   
2273                                                  
2274     @ Use rcu_read_lock() for find_task_by_pi    
2275                                                  
2276       Since kernel 2.6.18 , caller of find_ta    
2277       rcu_read_lock() rather than read_lock(&    
2278       uses RCU primitives but spinlock does n    
2279       preemptive RCU ( CONFIG_PREEMPT_RCU or     
2280       enabled.                                   
2281                                                  
2282 Fix 2009/12/15                                   
2283                                                  
2284     @ Allow deleting "quota_exceeded" and "tr    
2285                                                  
2286       To notify users of "this domain has too    
2287       process in this domain was not able to     
2288       "quota_exceeded" and "transition_failed    
2289       These messages were not deletable. But     
2290       to be notified again if such events occ    
2291       Thus, I made these messages deletable.     
2292                                                  
2293 Fix 2009/12/17                                   
2294                                                  
2295     @ Don't check read permission in ccs_try_    
2296                                                  
2297       While I was trying to remove ccs_execve    
2298       between TOMOYO 1.7.0 and 1.7.1 , I made    
2299       check allow_read permission of the prog    
2300       and denied_execute_handler keywords.       
2301                                                  
2302     @ Don't check DAC permission if disabled     
2303                                                  
2304       I was checking DAC permissions regardin    
2305       operations (e.g. mkdir()) even if mode=    
2306       resource to check DAC permissions when     
2307       Thus, I modified to skip DAC permission    
2308                                                  
2309 Fix 2009/12/19                                   
2310                                                  
2311     @ Fix memory leak in ccs_environ().          
2312                                                  
2313       When I fixed a bug that a permission li    
2314                                                  
2315         allow_env PATH if exec.envp["PATH"]="    
2316                                                  
2317       was not working (2009/11/02), I allocat    
2318       was released.                              
2319                                                  
2320       This bug will trigger OOM killer if env    
2321       enabled.                                   
2322                                                  
2323 Fix 2010/01/17                                   
2324                                                  
2325     @ Use current domain's name for execute_h    
2326                                                  
2327       Since 1.6.7 , /proc/ccs/grant_log was b    
2328       when auditing current domain's "execute    
2329                                                  
2330 Fix 2010/03/02                                   
2331                                                  
2332     @ Allow domain transition without execve(    
2333                                                  
2334       To be able to split permissions for Apa    
2335       executed without execve(), I added spec    
2336       performed by atomically writing '\0'-te    
2337       /proc/ccs/.transition interface. For ex    
2338       "<kernel> /usr/sbin/httpd" domain will     
2339       "<kernel> /usr/sbin/httpd //app=cgi1\04    
2340       writing "app=cgi1 id=10000" + '\0' to /    
2341       Apache's ap_hook_handler() functionalit    
2342                                                  
2343       Note that '\0'-terminated binary string    
2344       inside kernel and prefix "//" is automa    
2345       that domainname does not conflict with     
2346       Without this prefix, if "<kernel> /usr/    
2347       allowed to open /proc/ccs/.transition f    
2348       "<kernel> /usr/sbin/sshd /bin/bash /usr    
2349       access /etc/shadow , /bin/bash will be     
2350       atomically writing "/usr/bin/passwd" +     
2351       Allowing /bin/bash to access /etc/shado    
2352                                                  
2353       Permission for this operation is checke    
2354       Unlike "allow_execute" keyword, the str    
2355       keyword does not refer a real file on f    
2356       you can store any combination of parame    
2357       string parameter for "allow_transit" ke    
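
How the "//" prefix keeps manually entered domains apart from execve() domains, as an added example that is not code from the TOMOYO project. It models the 1.7.x scheme described above: a domain name grows by one space-separated component per execve(), or by one "//"-prefixed component per write to /proc/ccs/.transition. The escaping rule (bytes outside printable ASCII and the backslash become three-digit octal escapes, so a space is written as \040 as in the page's own examples) and the pathname canonicalisation are assumptions of this model.

```python
"""Domain-name construction for TOMOYO 1.7.x (added example, not project code)."""


def encode_component(raw):
    """Escape a byte string into a single space-free policy token.

    Assumption: bytes below 0x21, above 0x7e and the backslash are
    written as \\ooo, which is how the page renders a space as \\040.
    """
    out = []
    for b in raw:
        if b == 0x5C or b < 0x21 or b > 0x7E:
            out.append("\\%03o" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def canonical_path(path):
    """Collapse repeated slashes the way a resolved real path never
    contains them (assumption: mirrors what d_path()-style resolution
    yields, so an execve() component can never begin with "//")."""
    return "/" + "/".join(p for p in path.split("/") if p)


def domain_after_execve(current, program):
    """Domain reached by execve() of a real program from `current`."""
    return current + " " + encode_component(canonical_path(program).encode())


def domain_after_transition(current, written, prefix="//"):
    """Domain reached by atomically writing `written` + '\\0' to
    /proc/ccs/.transition from `current`.

    prefix="//" is the design the page adopts; prefix="" models the
    rejected design in which the written string is appended verbatim.
    """
    return current + " " + prefix + encode_component(written.encode())


def is_manual_component(token):
    """True for a domain-name component that can only have come from
    /proc/ccs/.transition, never from execve()."""
    return token.startswith("//")


def collides_with_execve_domain(current, written, prefix="//"):
    """Does a manual transition land in a name execve() could also create?

    The constructed scenario is the one on the page: /bin/bash inside the
    sshd domain tries to enter the domain that /usr/bin/passwd would get.
    """
    manual = domain_after_transition(current, written, prefix)
    via_execve = domain_after_execve(current, written)
    return manual == via_execve


if __name__ == "__main__":
    httpd = "<kernel> /usr/sbin/httpd"
    print(domain_after_transition(httpd, "app=cgi1 id=10000"))
    bash = "<kernel> /usr/sbin/sshd /bin/bash"
    print(collides_with_execve_domain(bash, "/usr/bin/passwd", prefix=""))
    print(collides_with_execve_domain(bash, "/usr/bin/passwd"))
```

With the prefix in place every component written through /proc/ccs/.transition is recognisable by `is_manual_component`, so a policy author can grant "allow_transit" targets without fear that they alias an execve() domain.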
2358                                                  
2359 Fix 2010/03/08                                   
2360                                                  
2361     @ Allow building as loadable kernel modul    
2362                                                  
2363       To be able to minimize filesize increme    
2364       possible to compile TOMOYO Linux as loa    
2365       Although patching the kernel source and    
2366       inevitable, this change will make it ea    
2367       when there is a filesize limitation on     
2368                                                  
2369 Fix 2010/03/25                                   
2370                                                  
2371     @ Fix ccs_get_ipv6_address() bug.            
2372                                                  
2373       Since 1.7.0 , ccs_get_ipv6_address() wa    
2374       "struct list_head ccs_address_list" if     
2375       As a result, ccs_put_ipv6_address() wil    
2376       "struct list_head ccs_address_list" if     
2377                                                  
2378 Fix 2010/03/26                                   
2379                                                  
2380     @ Fix ccs_lport_reserved() bug.              
2381                                                  
2382       Since 1.7.0 , ccs_lport_reserved() was     
2383       number. As a result, "deny_autobind" ke    
2384                                                  
2385 Version 1.7.2 2010/04/01   Feature enhancemen    
2386                                                  
2387 Fix 2010/04/10                                   
2388                                                  
2389     @ Fix invalid "struct nameidata" to "stru    
2390                                                  
2391       Regarding kernels 2.6.24 and earlier, I    
2392       to "struct path" in caller side so that    
2393       parameter type. But it turned out that     
2394       standards and did not work with gcc 4.x    
2395       keyword was not working as expected.       
2396                                                  
2397 Fix 2010/05/05                                   
2398                                                  
2399     @ Fix incorrect audit on/off control.        
2400                                                  
2401       The grant_log= and reject_log= paramete    
2402       used because I forgot to update request    
2403       CONFIG::file::execute were used for CON    
2404                                                  
2405       Those of CONFIG::file::rewrite were not    
2406       request type. As a result, those of CON    
2407       CONFIG::file::rewrite .                    
2408                                                  
2409 Fix 2010/05/10                                   
2410                                                  
2411     @ Fix incorrect out of memory warning.       
2412                                                  
2413       Out of memory warnings were not printed    
2414                                                  
2415 Fix 2010/05/27                                   
2416                                                  
2417     @ Add missing rcu_dereference() for ccs_f    
2418                                                  
2419       Since 1.7.0 , ccs_find_execute_handler(    
2420       list_for_each_entry() rather than list_    
2421       This bug affects only Alpha architectur    
2422                                                  
2423 Fix 2010/06/03                                   
2424                                                  
2425     @ Fix missing sanity check for "file_patt    
2426                                                  
2427       Since 1.7.0 , ccs_write_pattern_policy(    
2428       invalid pathname.                          
2429                                                  
2430 Fix 2010/06/09                                   
2431                                                  
2432     @ Add missing ccs_put_name() in ccs_parse    
2433                                                  
2434       Since 1.7.0 , ccs_parse_envp() was not     
2435       environment variable's value ('if exec.    
2436       was invalid.                               
2437                                                  
2438     @ Add missing NULL check in ccs_condition    
2439                                                  
2440       Since 1.7.0 , if 'if symlink.target=' p    
2441       permissions (e.g. allow_env PATH if sym    
2442       NULL pointer dereference.                  
2443                                                  
2444 Fix 2010/10/28                                   
2445                                                  
2446     @ Fix umount() pathname calculation.         
2447                                                  
2448       "mount --bind /path/to/file1 /path/to/f    
2449       Therefore, "umount /path/to/file2" is a    
2450       Do not automatically append trailing '/    
2451       does not end with '/'.                     
2452                                                  
2453     @ Add preserve KABI compatibility option.    
2454                                                  
2455       TOMOYO needs "struct ccs_domain_info *"    
2456       "struct task_struct". But embedding the    
2457       "struct task_struct" breaks KABI for pr    
2458       means that you will need to rebuild pre    
2459                                                  
2460       Since KABI is commonly used (compared t    
2461       rebuild kernel modules which are not in    
2462       longer preferable. Therefore, I added a    
2463       "struct task_struct" unmodified in orde    
2464                                                  
2465       Note that you have to use ccs-patch-2.6    
2466       kernel/fork.c in order to use this opti    
2467       memory whenever "struct task_struct" is    
2468                                                  
2469     @ Change directives.                         
2470                                                  
2471       I removed "allow_" prefix from directiv    
2472       prefixed with "file ". For example, "al    
2473       "allow_ioctl" changed to "file ioctl".     
2474       TCP" is "network inet stream", "allow_n    
2475       dgram", "allow_network RAW" is "network    
2476       "allow_env" is "misc env". New directiv    
2477       signal". New directive for "allow_capab    
2478       directives correspond with keywords use    
2479                                                  
2480       I removed "deny_rewrite" and "allow_rew    
2481       "file append" directive. Thus, permissi    
2482       changed from "allow_write" + "allow_rew    
2483                                                  
2484       I removed "SYS_MOUNT", "SYS_UMOUNT", "S    
2485       "SYS_LINK", "SYS_SYMLINK", "SYS_RENAME"    
2486       "SYS_CHOWN", "SYS_IOCTL", "SYS_PIVOT_RO    
2487       because these permissions can be checke    
2488       "file mount", "ipc signal").               
2489                                                  
2490       I also removed "conceal_mount" keyword     
2491       check requires hooks in filesystem part    
2492       filesystem part have moved to LSM by Li    
2493                                                  
2494       New directive for "execute_handler" is     
2495       "denied_execute_handler" is "task denie    
2496                                                  
2497     @ Distinguish send() and recv() operation    
2498                                                  
2499       Until now, it was impossible for UDP an    
2500       only sending or only receiving because     
2501       "connect" keyword. I broke "connect" ke    
2502       keywords so that you can keep access co    
2503       when you have to disable access control    
2504       application breakage by discarding inco    
2505                                                  
2506     @ Add Unix domain socket restriction supp    
2507                                                  
2508       Until now, it was possible to restrict     
2509       TCP/UDP/RAW). I added restriction for U    
2510       dgram/seqpacket). New directive "networ    
2511       "network inet" directive.                  
2512                                                  
2513     @ Allow specifying multiple permissions i    
2514                                                  
2515       Until now, only "allow_read/write" can     
2516       "allow_read" + "allow_write". Now, you     
2517       long as type of parameters for these pe    
2518       "file read/write/append/execute/unlink/    
2519       but "file read/write/create /tmp/file"     
2520       requires create mode whereas "file read    
2521                                                  
2522     @ Allow wildcard for execute permission a    
2523                                                  
2524       Until now, to execute programs with tem    
2525       needed. To simplify code, I modified to    
2526       permission and domainname. Now, you can    
2527       "file execute /tmp/logrotate.\?\?\?\?\?    
2528       "/tmp/logrotate.\?\?\?\?\?\?" within do    
2529                                                  
2530     @ Change pathname for non-rename()able fi    
2531                                                  
2532       LSM version of TOMOYO wants to use /pro    
2533       $PID matches current thread's process I    
2534       thread from accessing other process's i    
2535       But since procfs can be mounted on vari    
2536       /p/ /tmp/foo/100/p/ ), LSM version of T    
2537       numeric part in the string returned by     
2538       or not.                                    
2539                                                  
2540       Therefore, to be able to convert from $    
2541       is mounted, I changed pathname represen    
2542       not support rename() operation (e.g. pr    
2543                                                  
2544       Now, "/proc/self/mounts" changed to "pr    
2545       "/sys/kernel/security/" changed to "sys    
2546       "/dev/pts/0" changed to "devpts:/0".       
2547                                                  
2548     @ Add a new keyword "any" for domain tran    
2549                                                  
2550       To be able to make it easier to apply a    
2551       domain, I added "any" keyword to domain    
2552       "initialize_domain /usr/sbin/sshd" chan    
2553       "initialize_domain /usr/sbin/sshd from     
2554       "keep_domain <kernel> /usr/sbin/sshd /b    
2555       "keep_domain any from <kernel> /usr/sbi    
2556                                                  
2557       "keep_domain /path/to/auto_execute_hand    
2558       apply auto_execute_handler for any doma    
2559       auto_execute_handler.                      
2560                                                  
2561     @ Change buffering mode for reading polic    
2562                                                  
2563       To be able to read() very very long lin    
2564       TOMOYO buffers policy for reading.         
2565                                                  
2566     @ Introduce "acl_group" keyword.             
2567                                                  
2568       Until now, it was possible to specify o    
2569       keywords in the exception policy.          
2570                                                  
2571       Since some operations like "file read/w    
2572       "network UDP send/recv @DNS_SERVER 53"     
2573       permitted to all domains, I introduced     
2574       such permissions.                          
2575                                                  
2576       For example, specify "acl_group 0 file     
2577       the exception policy and specify "use_g    
2578       domain policy.                             
2579                                                  
2580       "ignore_global_allow_read" and "ignore_    
2581       removed from domain policy and "use_gro    
2582                                                  
2583     @ Remove "if" and "; set" keyword.           
2584                                                  
2585       I removed need for specifying these key    
2586       You can simply specify like below.         
2587                                                  
2588         file read /etc/shadow task.uid=0         
2589                                                  
2590     @ Remove "file_pattern" keyword.             
2591                                                  
2592       I removed "file_pattern" keyword becaus    
2593       all possible pathname patterns. Also, l    
2594       patterns makes it difficult to later re    
2595                                                  
2596     @ Replace verbose= parameter with statist    
2597                                                  
2598       Since it is noisy if a lot of policy vi    
2599       I removed printk(). To be able to check    
2600       or not, I introduced /proc/ccs/stat int    
2601       policy violations occurred. You can fir    
2602       check /proc/ccs/reject_log .               
2603                                                  
2604     @ Remove global preference.                  
2605                                                  
2606       I removed global preference in order to    
2607                                                  
2608     @ Allow controlling generation of access     
2609       basis.                                     
2610                                                  
2611       I added per-entry flag which controls g    
2612       Xen and KVM issues ioctl requests so fr    
2613                                                  
2614         file ioctl /dev/null 0x5401 grant_log    
2615                                                  
2616       will suppress /proc/ccs/grant_log even     
2617                                                  
2618         file ioctl /dev/null 0x5401 grant_log    
2619                                                  
2620       will generate /proc/ccs/grant_log even     
2621                                                  
2622         file ioctl /dev/null 0x5401              
2623                                                  
2624       will generate /proc/ccs/grant_log only     
2625                                                  
2626       This flag is intended for frequently ac    
2627                                                  
2628         file read /var/www/html/\{\*\}/\*.htm    
2629                                                  
2630       .                                          
2631                                                  
2632     @ Automatically create domain by execve()    
2633                                                  
2634       Until now, new domains are not created     
2635       current domain is enforcing mode ("CONF    
2636                                                  
2637       To be able to restrict shell session wi    
2638       I changed to create new domains automat    
2639       enforcing mode.                            
2640                                                  
2641     @ Replace "task.state" with "auto_domain_    
2642                                                  
2643       task.state is difficult to use. Thus, I    
2644       auto_domain_transition which performs d    
2645       changing current process's state variab    
2646                                                  
2647       If domain transition failed, current pr    
2648       signal. This should not happen in norma    
2649       domain to transit to and thereby you wi    
2650       when you use "auto_domain_transition" k    
2651                                                  
2652     @ Replace "allow_transit" with "task manu    
2653                                                  
2654       I changed this directive to specify abs    
2655       "<kernel> /usr/sbin/httpd //app=cgi1\04    
2656       pathname (e.g. "//app=cgi1\040id=10000"    
2657       transit to and thereby you will define     
2658       "task manual_domain_transition" directi    
2659                                                  
2660       This change allows you to jump to arbit    
2661                                                  
2662       Note that this change also reverts "Cha    
2663       made on 2006/10/24. Now, 'cat < /proc/c    
2664       'cat /proc/ccs/info/self_domain'. Progr    
2665       need to be updated.                        
2666                                                  
2667     @ Add "task auto_domain_transition".         
2668                                                  
2669       This is similar to "task manual_domain_    
2670       applied whenever conditions are met. Fo    
2671                                                  
2672         task auto_domain_transition <kernel>     
2673                                                  
2674       will automatically jump to "<kernel> //    
2675       process's UID is not 0 whereas             
2676                                                  
2677         task manual_domain_transition <kernel    
2678                                                  
2679       will jump to "<kernel> //./non-root" do    
2680       not 0 and current process wrote "<kerne    
2681       /proc/ccs/self_domain interface.           
2682                                                  
2683       If domain transition failed, current pr    
2684       signal.                                    
2685                                                  
2686     @ Optimize for object's size.                
2687                                                  
2688       I merged similar code in order to reduc    
2689                                                  
2690 Version 1.8.0 2010/11/11   Fifth anniversary     
2691                                                  
2692 Fix 2010/12/01                                   
2693                                                  
2694     @ Use same interface for audit logs.         
2695                                                  
2696       To be able to perform fine grained filt    
2697       I merged /proc/ccs/grant_log and /proc/    
2698       /proc/ccs/audit and added granted=yes o    
2699                                                  
2700 Fix 2010/12/17                                   
2701                                                  
2702     @ Split ccs_null_security into ccs_defaul    
2703                                                  
2704       ccs_null_security is used by preserve K    
2705       used for providing default values again    
2706       allocated memory for their security con    
2707                                                  
2708       If current thread failed to allocate me    
2709       context, current thread uses ccs_null_s    
2710       allowed to modify current thread's secu    
2711       modify ccs_null_security which should n    
2712                                                  
2713       Therefore, I split ccs_null_security in    
2714       ccs_oom_security and use ccs_oom_securi    
2715       allocate memory for current thread's se    
2716                                                  
2717       Threads which do not share ccs_oom_secu    
2718       which share ccs_oom_security. Threads w    
2719       experience temporary inconsistency, but    
2720       killed by SIGKILL signal.                  
2721                                                  
2722 Fix 2011/01/11                                   
2723                                                  
2724     @ Use filesystem name for unnamed devices    
2725                                                  
2726       "Change pathname for non-rename()able f    
2727       "$fsname:" if the filesystem does not s    
2728       "dev($major,$minor):" otherwise when vf    
2729       out that it is useless to use "dev($maj    
2730       (filesystems with $major == 0). Thus, I    
2731       than "dev($major,$minor):" for filesyst    
2732       is missing.                                
2733                                                  
2734 Fix 2011/02/07                                   
2735                                                  
2736     @ Fix infinite loop bug when reading /pro    
2737                                                  
2738       In ccs_flush(), head->r.w[0] holds poin    
2739       But head->r.w[0] was updated only when     
2740       printed (because head->r.w[0] will be u    
2741       completely printed). However, regarding    
2742       /proc/ccs/query , an additional '\0' is    
2743       completely printed. But if free space f    
2744       printing the additional '\0', ccs_flush    
2745       head->r.w[0]. As a result, ccs_flush()     
2746       string data.                               
2747                                                  
2748 Fix 2011/03/01                                   
2749                                                  
2750     @ Run garbage collector without waiting f    
2751                                                  
2752       Currently TOMOYO holds SRCU lock upon o    
2753       because list elements stored in the "st    
2754       accessed until close() is called. Howev    
2755       to complain about leaving the kernel wi    
2756       I changed to hold/release SRCU upon eac    
2757       deferring kfree() by keeping track of t    
2758       instances.                                 
2759                                                  
2760 Fix 2011/03/05                                   
2761                                                  
2762     @ Support built-in policy configuration.     
2763                                                  
2764       To be able to start using enforcing mod    
2765       sequence, I added support for built-in     
2766       activating access control without calli    
2767                                                  
2768       This will be useful for systems where o    
2769       hijacking of the boot sequence are need    
2770       For example, you can activate immediate    
2771       policy which will allow only operations    
2772       which contains the variant part of poli    
2773       check) and loading the variant part of     
2774       enforcing mode from the beginning, you     
2775       hijacking the boot sequence.               
2776                                                  
2777 Fix 2011/03/10                                   
2778                                                  
2779     @ Remove /proc/ccs/meminfo interface.        
2780                                                  
2781       Please use /proc/ccs/stat interface ins    
2782                                                  
2783 Fix 2011/03/15                                   
2784                                                  
2785     @ Pack policy when printing via /proc/ccs    
2786                                                  
2787       The kernel side is ready for accepting     
2788                                                  
2789         file read/write/execute /path/to/file    
2790                                                  
2791       but was using unpacked output like         
2792                                                  
2793         file read /path/to/file                  
2794         file write /path/to/file                 
2795         file execute /path/to/file               
2796                                                  
2797       because most of userland tools were not    
2798                                                  
2799       The advantages of using packed policy a    
2800       smaller and it speeds up loading/saving    
2801                                                  
2802       Since most of userland tools are ready     
2803       I changed to use packed policy for both    
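
A converter between the unpacked and packed forms shown above, written as an added example rather than taken from the TOMOYO userland tools. It also enforces the rule from the 1.8.0 notes that only operations with the same parameter shape may share a line (so a "file create" entry, which carries a mode, is never folded in); the set of single-pathname operations it merges is an assumption drawn from the list on this page.

```python
"""Pack and unpack TOMOYO 1.8-style "file" permission lines.

Added example, not code from the TOMOYO project.  The packed form
(file read/write/execute /path) and the unpacked form (one line per
operation) describe the same policy; packing only ever merges
operations whose parameters have the same shape.
"""
from collections import OrderedDict

# Operations whose only parameter is one pathname.  Assumption: this is
# the subset of single-pathname operations named on this page; "create"
# (which also takes a mode) is left out so it is never merged with them.
SINGLE_PATH_OPS = ("read", "write", "append", "execute", "unlink")
_RANK = {op: i for i, op in enumerate(SINGLE_PATH_OPS)}


def parse_file_line(line):
    """Split 'file read/write /path [args or conditions...]' into parts."""
    parts = line.split()
    if len(parts) < 3 or parts[0] != "file":
        raise ValueError("not a file permission line: %r" % line)
    ops = parts[1].split("/")
    path = parts[2]
    extra = tuple(parts[3:])        # mode argument and/or conditions, verbatim
    return ops, path, extra


def unpack_policy(lines):
    """Expand every packed line into one line per operation."""
    out = []
    for line in lines:
        ops, path, extra = parse_file_line(line)
        for op in ops:
            out.append(" ".join(["file", op, path] + list(extra)))
    return out


def pack_policy(lines):
    """Merge lines that share pathname and trailing arguments/conditions.

    Only single-pathname operations are merged.  A line using any other
    operation is passed through untouched, so an entry with a different
    parameter shape (e.g. "file create /tmp/file 0644") is never folded
    into a packed line.  Lines with different conditions stay separate.
    """
    groups = OrderedDict()          # (path, extra) -> set of operations
    passthrough = []
    for line in lines:
        ops, path, extra = parse_file_line(line)
        if all(op in _RANK for op in ops):
            groups.setdefault((path, extra), set()).update(ops)
        else:
            passthrough.append(line)
    packed = []
    for (path, extra), ops in groups.items():
        joined = "/".join(sorted(ops, key=_RANK.__getitem__))
        packed.append(" ".join(["file", joined, path] + list(extra)))
    return packed + passthrough


if __name__ == "__main__":
    # Constructed sample: the unpacked form quoted in the 2011/03/15 note.
    unpacked = ["file read /path/to/file",
                "file write /path/to/file",
                "file execute /path/to/file"]
    print(pack_policy(unpacked))    # ['file read/write/execute /path/to/file']
```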
2804                                                  
2805 Fix 2011/03/31                                   
2806                                                  
2807     @ Fix conditional policy parsing.            
2808                                                  
2809       Since exec.realpath= and symlink.target    
2810       symlink.target="@foo" was by error pars    
2811                                                  
2812     @ Serialize updating profile's comment li    
2813                                                  
2814       We need to serialize when updating COMM    
2815                                                  
2816 Version 1.8.1   2011/04/01   Usability enhanc    
2817                                                  
2818 Fix 2011/04/03                                   
2819                                                  
2820     @ Fix fcntl(F_SETFL, O_APPEND) handling.     
2821                                                  
2822       Since 1.8.0, TOMOYO was by error checki    
2823       than "file append" permission when chan    
2824       "overwriting" to "append".                 
2825                                                  
2826       This error should impact little (except    
2827       a file was opened for "overwriting" mod    
2828       mode cannot undo overwriting the file.     
2829       due to different ACC_MODE definition, T    
2830       checking "file read" permission when fc    
2831                                                  
2832 Fix 2011/04/20                                   
2833                                                  
2834     @ Remove unused "struct inode *" paramete    
2835                                                  
2836       Since pre-vfs functions were removed on    
2837       parameter which was used for checking p    
2838       is no longer used.                         
2839                                                  
2840       Note that "struct ccsecurity_operations    
2841       Loadable kernel modules that depends on    
2842                                                  
2843 Fix 2011/05/05                                   
2844                                                  
2845     @ Fix wrong profile number in audit logs     
2846                                                  
2847       Profile number used for "file execute"     
2848       when generating audit logs for "misc en    

Fix 2011/05/11

    @ Fix wrong domainname validation.

      "<kernel>" + "/foo/\" + "/bar" was by e
      "<kernel> /foo/\* /bar" was given. As a
      "<kernel> /foo/\* /bar" are rejected.

Fix 2011/06/06

    @ Add policy namespace support.

      To be able to use TOMOYO in LXC environ
      namespace. Each policy namespace has it
      exception policy and profiles, which ar
      namespaces.

    @ Remove CONFIG_CCSECURITY_BUILTIN_INITIA

      From now on, exception policy and manag
      policy namespace (which is a <$namespac
      Thus, space-separated list for CONFIG_C
      no longer suitable for handling policy

Fix 2011/06/10

    @ Allow specifying trigger for activation

      To be able to use TOMOYO under systemd
      is used, I changed to allow overriding
      policy loader and activating MAC via ke

Fix 2011/06/14

    @ Remove unused "struct inode *" paramete

      To follow changes I made on 2011/04/20,
      ccs_mknod_permission(), ccs_mkdir_permi
      ccs_unlink_permission(), ccs_symlink_pe
      ccs_rename_permission() that are called
      net/unix/af_unix.c include/linux/securi
      If you have your own ccs-patch-*.diff ,

Version 1.8.2   2011/06/20   Usability enhanc

Fix 2011/07/07

    @ Remove /proc/ccs/.domain_status interfa

      Writing to /proc/ccs/.domain_status can

        ( echo "select " $domainname; echo "u
        /usr/sbin/ccs-loadpolicy -d

      and reading from /proc/ccs/.domain_stat

        grep -A 1 '^<' /proc/ccs/domain_polic
        awk ' { if ( domainname == "" ) { if
        domainname = $0; } else if ( $1 == "u
        print $2 " " domainname; domainname =

      . Since this interface is used by only
      remove this interface by updating /usr/

Fix 2011/07/09

    @ Fix /proc/ccs/stat parser.

      For optimization, I changed to use simp
      in ccs_write_stat(). But it caused pars
      before value (e.g. "Memory used by poli

Fix 2011/07/13

    @ Accept "::" notation for IPv6 address.

      In order to add network access restrict
      routines for parsing/printing IPv4/IPv6
      TOMOYO 1.8.2.
      Now, IPv6 address accepts "::1" instead

Fix 2011/09/03

    @ Avoid race when retrying "file execute"

      There was a race window that the pathna
      "file execute" permission check when re
      because the pathname was recalculated u
      inevitable race window even without sup
      the symbolic link's pathname from "stru
      than from "struct linux_binprm"->file b
      the symbolic link's pathname from the d

    @ Remove unneeded daemonize().

      Garbage collector thread is created usi
      Kernel threads created by kthread_creat
      daemonize().

Fix 2011/09/16

    @ Allow specifying domain transition pref

      I got an opinion that it is difficult t
      transition control directives because t
      specified to "file execute" directives.
      /bin/\*\-ls\-cat" is given, correspondi
      directive needs to be like "no_keep_dom

      To solve this difficulty, I introduced
      exception policy's domain transition co

        file execute /bin/ls keep exec.realpa
        file execute /bin/cat keep exec.realp
        file execute /bin/\*\-ls\-cat child
        file execute /usr/sbin/httpd <apache>

      This argument allows transition to diff

        <kernel> /usr/sbin/sshd
        file execute /bin/bash <kernel> /usr/
        file execute /bin/bash <kernel> /usr/
        file execute /bin/bash <kernel> /usr/

Fix 2011/09/25

    @ Simplify garbage collector.

      It turned out that use of batched proce
      collector when certain pattern of entri
      with sequential processing.

Version 1.8.3   2011/09/29   Usability enhanc

Fix 2011/10/24

    @ Fix incomplete read after seek.

      ccs_flush() tries to flush data to be r
      ccs_select_domain() (which is called by
      meant to be read by next read(), but pr
      size was not cleared. As a result, sinc

        char *cp = "select global-pid=1\n";
        read(fd, buf1, sizeof(buf1));
        write(fd, cp, strlen(cp));
        read(fd, buf2, sizeof(buf2));

      causes enqueued data to be flushed to b

    @ Use query id for reaching target proces

      Use query id for reaching target proces
      target process's global PID. This is fo
      but this change makes /usr/sbin/ccs-que
      kernel will return empty domain policy
      ccs-queryd reaches target process's dom

    @ Fix quota counting.

      "task manual_domain_transition" should
      "task auto_domain_transition"/"task aut
      "task denied_execute_handler" because t
      mode.

Fix 2011/11/11

    @ Optimize for object's size.

      I rearranged functions/variables into t
      object's filesize. Also, I added kernel
      by excluding unnecessary functionality.

Fix 2011/11/18

    @ Fix kernel config mapping error.

      Due to a typo in ccs_p2mac definition,
      by error used when checking "file getat
      not be affected by this error because C
      CONFIG::file::getattr are by default co
      CONFIG settings.

Fix 2011/12/13

    @ Follow __d_path() behavior change. (Onl

      The behavior of __d_path() has changed
      NULL when the pathname cannot be calcul
      version when using with 3.2-rc5 and lat
      panic because ccs_get_absolute_path() t

      The patch that changed the behavior of
      2.6.36 to 3.1 kernels. You must update
      backported, or you will experience the

      The patch that changed the behavior of
      handling pathnames under lazy-unmounted
      using incomplete pathnames returned by
      under lazy-unmounted directory. But fro
      pathnames returned by ccs_get_local_pat
      lazy-unmounted directory (because __d_p

      Since applications unlikely do lazy unm
      lazy-unmounted directory should not hap
      explicitly does lazy unmounts. But path
      conditions in the policy file (if any)

Fix 2012/01/20

    @ Follow changes in 3.3-rc1.

      Use umode_t rather than mode_t.
      Remove ipv6_addr_copy() usage.

Fix 2012/02/25

    @ Follow changes in linux-next.

      UMH_WAIT_PROC constant (currently 1) is

      Use UMH_WAIT_PROC constant instead of h
      for backporting call_usermodehelper() r
      backported, you will start experiencing
      of external policy loader (i.e. /sbin/c
      longer wait for completion of external

      Although I changed to use UMH_WAIT_PROC
      to detect renumbering in 2.6.22 and ear
      constant is currently available to only
      started to experience the kernel panic,
      was backported or not.

Fix 2012/02/29

    @ Fix mount flags checking order.

      Userspace can pass in arbitrary combina

      If both MS_BIND and one of MS_SHARED/MS
      are passed, device name which should be
      checked because MS_SHARED/MS_PRIVATE/MS
      priority than MS_BIND.

      If both one of MS_BIND/MS_MOVE and MS_R
      which should not be checked for MS_REMO
      MS_MOVE had higher priority than MS_REM

      Fix these bugs by changing priority to
      MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBIND
      does. Also, I changed to unconditionall
      of MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNB
      will not generate inaccurate audit logs
      check mount flags passed to change_mnt_
      these flags must be exclusively passed.

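To make the priority fix in the 2012/02/29 entry above concrete, here is an added example that is not TOMOYO's code: it dispatches on mount(2) flags in the order the kernel's do_mount() uses, beside the pre-fix order reconstructed from that entry, and derives for which kinds of request the device name and filesystem type are meaningful to a permission check. The MS_* values are Linux's; the pre-fix order, the enum and the helper names are assumptions.

```c
/* Added example, not TOMOYO's own code: classify a mount(2) request by
 * its flags in the order the kernel's do_mount() dispatches on them,
 * beside the pre-fix order reconstructed from the 2012/02/29 entry, and
 * derive which arguments a permission check must look at. */
#include <stdbool.h>

/* Flag values from Linux's uapi mount.h, defined locally so the example
 * builds without <sys/mount.h>. */
#define MS_REMOUNT    32
#define MS_BIND       4096
#define MS_MOVE       8192
#define MS_UNBINDABLE (1UL << 17)
#define MS_PRIVATE    (1UL << 18)
#define MS_SLAVE      (1UL << 19)
#define MS_SHARED     (1UL << 20)

#define MS_PROPAGATION_MASK \
	(MS_SHARED | MS_PRIVATE | MS_SLAVE | MS_UNBINDABLE)

enum mount_kind {
	MOUNT_NEW,         /* plain mount: device name and fstype are used */
	MOUNT_REMOUNT,     /* remount: neither device name nor fstype used */
	MOUNT_BIND,        /* bind mount: device name is the source path   */
	MOUNT_CHANGE_TYPE, /* propagation change: only the target path     */
	MOUNT_MOVE,        /* move: device name is the source path         */
};

/* The order used by the kernel's do_mount():
 * MS_REMOUNT > MS_BIND > propagation flags > MS_MOVE > new mount. */
enum mount_kind classify_like_kernel(unsigned long flags)
{
	if (flags & MS_REMOUNT)
		return MOUNT_REMOUNT;
	if (flags & MS_BIND)
		return MOUNT_BIND;
	if (flags & MS_PROPAGATION_MASK)
		return MOUNT_CHANGE_TYPE;
	if (flags & MS_MOVE)
		return MOUNT_MOVE;
	return MOUNT_NEW;
}

/* Pre-fix order (assumption: reconstructed from the entry, which only
 * states that propagation flags outranked MS_BIND and that MS_BIND and
 * MS_MOVE outranked MS_REMOUNT). */
enum mount_kind classify_pre_fix(unsigned long flags)
{
	if (flags & MS_PROPAGATION_MASK)
		return MOUNT_CHANGE_TYPE;
	if (flags & MS_BIND)
		return MOUNT_BIND;
	if (flags & MS_MOVE)
		return MOUNT_MOVE;
	if (flags & MS_REMOUNT)
		return MOUNT_REMOUNT;
	return MOUNT_NEW;
}

/* Which mount(2) arguments matter for each kind of request. Checking an
 * argument the kernel ignores yields bogus denials and audit records;
 * ignoring one the kernel uses leaves the operation unchecked. */
bool mount_kind_checks_dev_name(enum mount_kind kind)
{
	return kind == MOUNT_NEW || kind == MOUNT_BIND || kind == MOUNT_MOVE;
}

bool mount_kind_checks_fstype(enum mount_kind kind)
{
	return kind == MOUNT_NEW;
}

/* The propagation flags are mutually exclusive (do_change_type() returns
 * -EINVAL for more than one), so reject such requests before auditing. */
bool propagation_flags_valid(unsigned long flags)
{
	unsigned long type = flags & MS_PROPAGATION_MASK;

	return type != 0 && (type & (type - 1)) == 0;
}

/* True when the pre-fix order would have checked a different set of
 * arguments than the kernel actually consumes for this request. */
bool pre_fix_misjudged(unsigned long flags)
{
	enum mount_kind k = classify_like_kernel(flags);
	enum mount_kind p = classify_pre_fix(flags);

	return mount_kind_checks_dev_name(k) != mount_kind_checks_dev_name(p) ||
	       mount_kind_checks_fstype(k) != mount_kind_checks_fstype(p);
}
```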
Fix 2012/03/08

    @ Allow returning other errors when ptrac

      Currently -EPERM is returned when ccs_p
      error code. I changed to return return
      so that we can return -ESRCH when targe

Fix 2012/03/16

    @ Return appropriate value to poll().

      Return POLLIN | POLLRDNORM | POLLOUT |
      POLLOUT | POLLWRNORM otherwise.

Fix 2012/04/22

    @ Readd RHEL_MINOR/AX_MINOR checks.

      This check was added in revision 2346 a

      Add it back in order to support RHEL 5.

    @ Fix skb_kill_datagram() for kernels 2.6

      Commit 208d8984 "[IPV4]: Fix BUG() in 2
      CONFIG_HIGHMEM" clarified that skb_kill
      spin_lock_bh()/spin_unlock_bh() rather
      spin_lock_irq()/spin_unlock_irq().

      RHEL 4.9 (2.6.9) kernel has that patch

    @ Fix missing locks for RHEL 5.2-5.8 kern

      Since RHEL 5.2 and later kernels have b
      "[UDP]: Add memory accounting." patch,
      lock_sock()/release_sock() around skb_k
      packet was dropped by TOMOYO.

Fix 2012/04/28

    @ Accept manager programs which do not st

      The pathname of /usr/sbin/ccs-editpolic
      CD is squashfs:/usr/sbin/ccs-editpolicy
      /usr/sbin/ccs-editpolicy . Therefore, w
      programs which do not start with / .

Fix 2012/10/08

    @ Fix KABI breakage on Ubuntu 12.10.

      I was using include/linux/security.h as
      include/linux/ccsecurity.h so that I ca

      When scripts/genksyms/genksyms calculat
      file, it uses the extracted form of inv
      layout is known but it instead uses UNK
      not known. Therefore, pulling in includ
      layout from include/linux/ccsecurity.h
      and causes KABI breakage, even if no ch
      structures.

      Fix this breakage by avoiding pulling i
      include/linux/dcache.h from include/lin

Fix 2015/01/01

    @ Fix missing chmod(-1) check in Linux 3.

      Commit e57712ebebbb9db7 "merge fchmod()
      ancient broken kludge" changed chmod(-1
      07777. Therefore, TOMOYO must not ignor

    @ Fix potentially using bogus attributes

      We should reset attributes information
      program, or attributes of original prog
      on execute_handler program failed.

Fix 2015/04/08

    @ Fix incorrect readdir() permission chec

      CONFIG_CCSECURITY_FILE_READDIR was mean
      readdir() permission check. However, CO
      by error used for controlling readdir()
      should not affect kernels built with de
      CONFIG_CCSECURITY_FILE_READDIR and CONF
      defined by default.

Fix 2015/04/15

    @ Fix incorrect retry request check.

      When a request was asked to retry, acl_
      use_group keyword was by error ignored.
      able to use permissions defined by acl_

Fix 2015/05/01

    @ Support multiple use_group entries.

      Until now, each domain can include only
      I changed to allow each domain to inclu
      As a result, you will be able to reduce
      defining multiple acl_group entries bas
      them from each domain as needed.

Version 1.8.4   2015/05/05   Usability enhanc

Fix 2015/11/08

    @ Use memory allocation flags used by TOM

      Until now, TOMOYO 1.x was using memory
      than TOMOYO 2.x in order to make sure t
      TOMOYO 1.x shall not cause silent livel

      But as I learn about this livelock prob
      not a problem which TOMOYO can manage.
      at memory allocation is a problem, refu
      by critical processes due to memory all
      weaker memory allocation flags is also

      Since situations regarding memory alloc
      are changing, it will be safer to use m
      TOMOYO 2.x.

Fix 2015/11/10

    @ Limit wildcard recursion depth.

      Since wildcards that need recursion con
      we cannot allow infinite recursion.

Version 1.8.5   2015/11/11   Tenth anniversar

Fix 2017/02/02

    @ Use for_each_thread() for GC operation.

      while_each_thread() without tasklist_lo
      Use for_each_process_thread() if it is
      tasklist_lock otherwise.

Fix 2018/04/01

    @ Use smp_rmb() when waiting for initiali

      "while (!cond);" is implicitly optimize
      Use "while (!cond) smp_rmb();" in order

Fix 2019/07/27

    @ Change pathname calculation for read-on

      Commit 5625f2e3266319fd ("TOMOYO: Chang
      filesystems.") intended to be applied t
      not controllable from the userspace (e.
      on an assumption that such filesystems

      But it turned out that read-only filesy
      operation despite the content is contro
      commit is annoying TOMOYO users who wan
      filesystem due to use of local name whi

      Therefore, based on an assumption that
      device argument upon mount() request is
      is controllable from the userspace, do
      does not support rename() operation but
      mount() request.

    @ Reject move_mount() system call for now

      Commit 2db154b3ea8e14b0 ("vfs: syscall:
      around") introduced security_move_mount
      TOMOYO and AppArmor did not implement h
      Since unchecked mount manipulation is n
      as if move_mount(2) is unavailable.

    @ Don't check open/getattr permission on

      syzbot found that use of SOCKET_I()->sk
      use after free problem, for socket's in
      /proc/pid/fd/n despite destruction of S

      But there is no point with calling secu
      because open("/proc/pid/fd/n", !O_PATH)

      There is some point with calling securi
      because stat("/proc/pid/fd/n") and fsta
      are valid. But since information which
      security_inode_getattr() on sockets is

Version 1.8.6   2019/08/20   Bug fix release.

Fix 2019/12/07

    @ Don't use nifty names on sockets.

      Revert "Don't check open/getattr permis
      get rid of special handling of sockets.
      "socket:[family=\$:type=\$:protocol=\$]
      rewritten to "socket:[\$]".

Fix 2020/04/09

    @ Fix wrong put_page() usage in ccs_dump_

      ccs_dump_page() for 5.6+ was by error u

Fix 2020/05/01

    @ Loosen domainname validation and pathna

      Currently a domainname must start with
      zero or more repetitions of a pathname

      But situation is getting more and more
      a pathname which starts with '/', for e
      on e.g. some filesystems cause ccs_real
      in "$fsname:/$pathname" format.

      Fortunately, since $fsname must not con
      we can recognize a token which appears
      proc:/self/exe ) as a pathname and a to
      '/' appears (e.g. exec.realpath="/bin/b
      with an exception that a pathname canno
      auto_domain_transition=" because it is
      for on-match domain transition. Also, w
      followed by such tokens (e.g. <kernel>
      a domainname.

Version 1.8.7   2020/05/05   Usability enhanc

Fix 2020/07/22

    @ Fix domain transition preference.

      The domain transition preference which
      by error ignored since 1.8.3p4, for ccs
      ccs_write_log2() from ccs_supervisor()
      resets r->matched_acl to NULL. Change c
      to reset r->matched_acl to NULL.

Fix 2020/08/17

    @ Fix ccs_realpath() fallback.

      ccs_realpath() for 3.17+ was by error n
      when ccs_get_absolute_path() returned -

Fix 2020/08/19

    @ Fix wrong ccs_search_binary_handler() m

      When support for 5.8 kernel was added,
      3.7- was by error mapped to wrong funct

Fix 2020/10/24

    @ Fix /proc pathname calculation for Linu

      ccs_realpath() for 5.8+ was by error no
      calculating /proc pathname.

Version 1.8.8   2020/11/11   Fifteenth annive

Fix 2021/03/13

    @ Skip permission checks for fileless exe

      Kernels from 4.18 to 5.8 are using call
      starting program without a valid pathna
      /sbin/modprobe from dockerd process cou
      because ccs_symlink_path() cannot calcu
      a valid pathname. Thus, allow call_user
      permission checks and suppress domain t

    @ Fix ccs_kernel_service().

      Kernels from 5.5 to 5.11 are using PF_K
      worker threads.

Version 1.8.9   2021/04/01   Bug fix release.

Fix 2021/12/28

    @ Check exceeded quota early.

      Backport commit 04e57a2d952bbd34 ("tomo
      tomoyo_domain_quota_is_ok().") and comm
      hwight16() in tomoyo_domain_quota_is_ok
      overhead of the learning mode. Note tha
      explicitly delete "quota_exceeded" entr
      to resume the learning mode.

Fix 2024/03/31

    @ Fix a UAF bug introduced by an oversigh

      Backport commit 2f03fc340cac ("tomoyo:
      tomoyo_write_control()").

Version 1.8.10   2024/04/01   Security bug fi

Fix 2024/06/28

    @ Unblock move_mount() system call.

      Since util-linux 2.39 started using lib
      implementing appropriate permission che
      necessary for successfully booting a Li

Version 1.8.11   2024/07/15   Bug fix release