1 Notes for TOMOYO Linux project
2
3 This is a handy Mandatory Access Control patch for Linux kernels.
4 This patch is released under the GPLv2.
5
6 Project URL: https://tomoyo.sourceforge.net/
7
8 The authors of this patch (hereafter, we) don't have much experience
9 in kernel programming. We are worried that this patch would contain
10 some mistakes such as missing hooks, improper location of hooks,
11 potential deadlocks. There would be better way of implementation.
12 All kinds of comments, pointing the errors and suggestions are welcome.
13
14 We do hope this patch reduces the labor of server security management
15 and you enjoy the life with Linux.
16
17 This project was very inspired by the comic "Card Captor SAKURA",
18 one of the CLAMP's masterworks.
19
20 ChangeLog:
21
22 Version 1.0 2005/11/11 First release.
23
24 Fix 2005/11/18
25
26 @ Add setattr() missing hook in SYAORAN fs.
27
28 setattr() checking for special inode was missing.
29
30 Fix 2005/11/25
31
32 @ Allow initrd.img include /sbin/init .
33
34 Since version 1.0 loads policy when /sbin/init is called
35 for the first time, initrd.img without the policy directory
36 mustn't start /sbin/init . This forced users not to use
37 initrd.img that includes /sbin/init .
38 I modified to delay loading policy if the policy directory
39 doesn't exist and wait for /sbin/init being called again.
40
41 Fix 2005/12/02
42
43 @ Use lookup_one_len() instead of lookup_hash().
44
45 Kernel 2.6.15 changed parameters for lookup_hash().
46 I modified to use lookup_one_len() to keep compatibility.
47
48 Fix 2005/12/06
49
50 @ Add S_ISDIR() check in SYAORAN fs.
51
52 Malicious configuration file that attempts to create an inode
53 under non-directory inode caused segmentation fault.
54
55 Version 1.0.1 2005/12/08 Minor update release.
56
57 Fix 2006/01/04
58
59 @ Add CheckWritePermission() check in unix_bind().
60
61 I modified to check write permission in unix_bind(), for
62 sys_mknod(S_IFSOCK) checks write permission.
63
64 @ Show hook version in proc_misc_init().
65
66 The hook part of this patch depends on the kernel's version,
67 while the rest part of this patch doesn't.
68 I added the hook version so that the administrator can
69 know the last modified date of the hooks.
70
71 @ Move permission checks from filp_open() to open_namei().
72
73 I moved the location of checking MAC's permission
74 from filp_open() to open_namei().
75
76 @ Fix an error in filp_open(). (only 2.6.15-rc5)
77
78 This error was only in the patch 2.6.15-rc5 and
79 was fixed in the patch for 2.6.15.
80
81 Fix 2006/01/12
82
83 @ Add /proc/ccs/info/self_domain.
84
85 I added /proc/ccs/info/self_domain so that the userland programs
86 can know the name of domain they belong to if necessary.
87
88 Fix 2006/01/13
89
90 @ Merge constants for CheckTaskCapability().
91
92 I merged *_INHERITABLE_* and *_LOCAL_* to avoid always
93 calling CheckTaskCapability() with both constants.
94
95 @ DropTaskCapability() returns -EAGAIN on success.
96
97 DropTaskCapability() must not return 0 on success, for
98 DropTaskCapability() is called from do_execve().
99
100 @ Fix an error for chroot() permission check.
101
102 The chroot() restriction was not working due to the following mistake.
103 CheckChRootPermission() || CheckTaskCapability() returns 0 or 1, while
104 CheckChRootPermission() | CheckTaskCapability() returns 0 or -EPERM.
105
106 Fix 2006/01/17
107
108 @ Suppress some of debug messages in TOMOYO.
109
110 I added KERN_DEBUG to suppress some of debug messages.
111
112 Fix 2006/01/19
113
114 @ Remove isRoot() checks in AddChrootACL() and AddMountACL().
115
116 I found a program that needs to chroot by non-root.
117 So, I stopped checking uid=euid=0 for these functions so that
118 "accept mode" can append ACLs.
119 The isRoot() is checked at AddChrootPolicy() and AddMountPolicy().
120
121 @ Map NULL device name to "<NULL>" in AddMountACL().
122
123 VMware mounts vmware-hgfs with NULL device name.
124 So I mapped NULL device name to "<NULL>".
125
126 Fix 2006/01/20
127
128 @ Suppress some of debug messages in SAKURA.
129
130 I added KERN_DEBUG to suppress some of debug messages.
131
132 @ Call panic() if failed to load given profile.
133
134 Call panic() if profile index was given via CCS= parameter
135 but the profile doesn't exist.
136 If CCS= parameter is not given, the kernel attempts to load
137 profile 0, but it doesn't call panic() if profile 0 doesn't exist.
138
139 Fix 2006/01/24
140
141 @ Use full_name_hash() for IsGloballyReadableFile().
142
143 I modified to use full_name_hash() for faster scan.
144
145 @ Add signal checking condition in CheckSignalACL().
146
147 The documentation says "if the target domain's domainname
148 starts with the source domain's domainname, it is always granted"
149 but actually it isn't. I'll change the documentation instead of
150 changing the source code.
151
152 Also, checking for pid = -1 was missing. This error was fixed.
153
154 Fix 2006/02/09
155
156 @ Use mutex_lock()/mutex_unlock instead of down()/up().
157
158 Kernel 2.6.16 changed members of "struct inode".
159 I modified to use mutex_lock()/mutex_unlock() for after 2.6.16
160 and down()/up() for before 2.6.16.
161
162 Version 1.0.2 2006/02/14 Many bug-fixes release.
163
164 Fix 2006/02/21
165
166 @ Divide generic-write permission into individual write permissions.
167
168 Write permission was divided into the following permissions.
169
170 'mkdir' for creating directory.
171 'rmdir' for deleting directory.
172 'create' for creating regular file.
173 'unlink' for deleting non-directory.
174 'mksock' for creating UNIX domain socket.
175 'mkfifo' for creating FIFO.
176 'mkchar' for creating character device.
177 'mkblock' for creating block device.
178 'link' for creating hard link.
179 'symlink' for creating symbolic link.
180 'rename' for renaming directory or non-directory.
181 'truncate' for truncating regular file.
182
183 The permission check for opening files is done using
184 conventional read/write/execute permission.
185
186 @ Add /proc/ccs/info/mapping.
187
188 I added /proc/ccs/info/mapping so that the userland programs
189 can know the mapping of individual write permissions.
190
191 Fix 2006/02/27
192
193 @ Fix handling of trailing '\*' in PathMatchesToPattern().
194
195 PathMatchesToPattern("/tmp/", "/tmp/\*") returned true
196 because "\*" matches "zero or more repetitions of characters
197 until '/' or end". But since this is a comparison between
198 directory and non-directory, this should not match.
199
200 This behavior causes the following security risks.
201 In enforce mode, allowing "2 /tmp/\*" grants
202 "mkdir /tmp/" and "rmdir /tmp/" which should be
203 granted only when "2 /tmp/" is allowed.
204 In accept mode, "mkdir /tmp/" or "rmdir /tmp/" appends
205 "2 /tmp/\*" into the domain policy if "file_pattern /tmp/\*"
206 is in the exception policy.
207
208 I changed not to ignore trailing '\*' in the pattern
209 if pathname ends with '/'.
210
211 Fix 2006/03/01
212
213 @ Add missing spinlock in GetAbsolutePath().
214
215 vfsmount_lock was missing.
216
217 Fix 2006/03/08
218
219 @ Add support for "shared subtree" mount operations.
220
221 Kernel 2.6.15 introduced "shared subtree" functionality.
222 But CheckMountPermission() couldn't recognize flags for
223 do_change_type().
224
225 @ Add support for more mount flags.
226
227 atime/noatime, diratime/nodiratime, recurse/norecurse flags
228 are supported.
229
230 Fix 2006/03/20
231
232 @ Check port numbers for only AF_INET/AF_INET6.
233
234 CheckBindEntry() and CheckConnectEntry() should check port numbers
235 only when the given address family is either AF_INET or AF_INET6,
236 for address family such as AF_UNSPEC could be passed to bind()
237 and connect() for PF_INET/PF_INET6 sockets.
238
239 Fix 2006/03/27
240
241 @ Use /proc/self/ rather than /proc/\$/ for current process.
242
243 GetAbsolutePath() now uses "self" instead of pid
244 if current process refers to information related to itself.
245 This exception violates the rule "TOMOYO Linux's pathnames don't
246 contain symbolic links before the last '/'", but I think it worth
247 to do so. The following are the merits gained by this exception.
248
249 Prevent administrators from granting redundant permissions
250 when a process needs to refer to only current process's information.
251
252 Allow administrators make current process's information always
253 readable using 'allow_read' directive.
254
255 Version 1.1 2006/04/01 Functionality enhancement release.
256
257 Fix 2006/04/03
258
259 @ Use queue instead of fixed sized array for audit log.
260
261 WriteAuditLog() now uses queue to save statically allocated memory.
262 Administrators can give any size for audit logs at runtime.
263
264 @ Use kzalloc() instead of kmalloc() + memset().
265
266 kmalloc() + memset() were replaced with kzalloc().
267
268 Fix 2006/04/04
269
270 @ Support "delayed enforcing" mode.
271
272 Until now, access request was immediately rejected
273 if policy doesn't allow that access and the system is
274 running in enforce mode.
275 Sometimes, especially after updating softwares,
276 some unexpected access requests arise from proper procedure.
277 Such access requests should be granted because
278 they are not caused by malicious attacks.
279 So I introduced a mechanism to allow administrator some grace
280 to decide to grant or reject such access requests.
281 This mechanism is implemented in the following manner.
282 "Don't return immediately if permission denied."
283 "Sleep for a while waiting administrator's decision."
284 "Return successfully if administrator tells to do so."
285
286 Fix 2006/04/12
287
288 @ Fix handling of prefix in GetAbsolutePath().
289
290 Some objects doesn't have prefix "/".
291 Pipe has prefix "pipe:" and socket has prefix "socket:".
292 GetAbsolutePath() couldn't handle prefixes other than '/' properly.
293
294 @ Remove IsCorrectPath() checks for File Access Control functions.
295
296 File Access Control functions accepted only pathnames that start
297 with '/' because these functions assumed pathnames returned by
298 GetAbsolutePath() always start with '/'.
299 However, I found a program that opens an unnamed pipe via
300 (probably) /proc/PID/fd/ directory. (You can see entries like
301 "pipe:[number]" if you run "ls -l /proc/*/fd/".)
302 Now, File Access Control functions have to accept pathnames
303 that don't start with '/'. So, I stopped checking IsCorrectPath().
304
305 Fix 2006/04/19
306
307 @ Fix handling of NULL nameidata in vfs_open().
308
309 In 2.6 kernels, NFS daemon and sys_mq_open() call
310 vfs_create() with NULL nameidata. In such cases,
311 CheckSingleWritePermission() must not be called.
312
313 Version 1.1.1 2006/05/15 Functionality enhancement release.
314
315 Fix 2006/05/16
316
317 @ Support program files aggregation.
318
319 Until now, programs that have no fixed names and their
320 parent programs had to be run in a trusted domain
321 since it is impossible to use patterns for granting
322 execute permission and defining domains.
323 I introduced a mechanism to aggregate similar programs
324 using 'aggregator' directive.
325 Some examples:
326
327 'aggregator /tmp/logrotate.\?\?\?\?\?\? /tmp/logrotate.tmp'
328 to run all temporary programs for logrotate as /tmp/logrotate.tmp
329
330 'aggregator /usr/bin/tac /bin/cat'
331 to run /usr/bin/tac and /bin/cat as /bin/cat
332
333 Fix 2006/05/18
334
335 @ Unlimit max count for audit log.
336
337 I forgot to replace MAX_GRANT_LOG and MAX_REJECT_LOG with INT_MAX
338 so that administrators can give any size for audit logs at runtime.
339
340 Fix 2006/05/22
341
342 @ Support individual domain ACL removal.
343
344 Until now, to remove ACLs from a domain, administrator had to
345 once delete and recreate that domain, which wastes a lot of memory.
346 I introduced a mechanism to remove domain ACL without deleting and
347 recreating domains.
348 Administrator can delete domains or remove ACLs from domains
349 via /proc/ccs/policy/domain_policy .
350 /proc/ccs/policy/delete_domain and /proc/ccs/policy/update_domain
351 were removed.
352
353 Fix 2006/05/30
354
355 @ Add missing spinlock in SAKURA_MayMount().
356
357 vfsmount_lock was missing.
358
359 Version 1.1.2 2006/06/02 Functionality enhancement release.
360
361 Fix 2006/06/13
362
363 @ Merge tomoyo_connect.c and tomoyo_bind.c into tomoyo_port.c
364
365 I merged these files that have only difference CONNECT and BIND,
366 that are likely to be enabled both or neither.
367
368 @ Add CONFIG_TOMOYO_AUDIT option.
369
370 I made auditing functions as optional because some Linux boxes
371 may have not enough disk space to store audit logs.
372
373 Fix 2006/06/15
374
375 @ Support use of symbolic links for program execution.
376
377 Until now, domains for programs executed by dereferencing
378 symbolic links were defined using dereferenced pathnames.
379 This was inconvenient for some Linux boxes who use busybox but
380 can't keep hard links of busybox.
381 I introduced a mechanism to allow using pathnames of
382 symbolic links using 'alias' directive.
383 Some examples:
384
385 'alias /sbin/busybox /bin/ls' to run /bin/ls
386 (which is a symbolic link to /sbin/busybox) as /bin/ls
387 if /bin/ls is executed.
388
389 'alias /bin/bash /bin/sh' to run /bin/sh
390 (which is a symbolic link to /bin/bash) as /bin/sh
391 if /bin/sh is executed.
392
393 Fix 2006/06/21
394
395 @ Use ccs_alloc() instead of kzalloc().
396
397 To detect memory leaks,
398 I added a wrapper for tracing kmalloc() and kfree().
399 There is no way to detect memory leaks caused by ccs-*.txt .
400
401 Version 1.1.3 2006/07/13 Functionality enhancement release.
402
403 Fix 2006/07/14
404
405 @ Change behavior of pathname pattern matching.
406
407 Until now, it was impossible to use patterns like "\*.txt" because
408 "\*" matched zero or more repetitions of characters until next '/'.
409 Now, "\*" matches zero or more repetitions of characters.
410
411 Until now, it was impossible to use patterns like "\$00"
412 because "\$" matched one or more repetitions of digits until next
413 non digit character.
414 Now, "\$" matches one or more repetitions of digits.
415
416 Also, new patterns "\x" "\X" "\a" "\A" "\@" are added.
417
418 Fix 2006/07/21
419
420 @ Add CONFIG_TOMOYO_NETWORK option.
421
422 Until now, only port numbers for TCP and UDP were controllable.
423 Now, the combination of IPv4/IPv6 address and port numbers
424 for TCP and UDP is controllable.
425 CONFIG_TOMOYO_NETWORKPORT became obsolete.
426
427 Fix 2006/07/25
428
429 @ Change matching rule for CheckFileACL().
430
431 Until now, only first entry that matched the requested pathname
432 was used for permission checking. For example, two entries
433
434 "2 /tmp/file-\$.txt"
435 "4 /tmp/fil\?-0.txt"
436
437 are given in this order and requested pathname is "/tmp/file-0.txt",
438 the "2 /tmp/file-\$.txt" is used. But if two entries
439
440 "4 /tmp/fil\?-0.txt"
441 "2 /tmp/file-\$.txt"
442
443 are given in this order, the "4 /tmp/fil\?-0.txt" is used.
444 This may potentially cause trouble because the result of
445 permission checks depends on the order of entries.
446
447 Now, all entries that matched the requested pathname
448 are used for permission checking so that the result of
449 permission checks doesn't depend on the order of entries.
450
451 Fix 2006/07/27
452
453 @ Support RAW IPv4/IPv6 control.
454
455 Some programs such as 'ping' and 'traceroute' use raw IP socket.
456 Now, the combination of IPv4/IPv6 address and protocol numbers
457 for IP is controllable.
458
459 Fix 2006/08/04
460
461 @ Add filename and argv[0] comparison check.
462
463 The domain transition was done based on filename passed to do_execve(),
464 while the behavior was defined based on argv[0].
465 There is no problem if the filename is argv[0]-unaware application.
466 But if argv[0]-aware, access control bypassing happens if the process
467 transits to trusted domain but behaves as different program.
468 For example, when the administrator specifies domain for /bin/ls as
469 trusted but both /bin/ls and /bin/cat are links to /sbin/busybox ,
470 a cracker can run /bin/cat in a trusted domain if the cracker
471 succeeds to invoke do_execve() with filename = "/bin/ls" and
472 argv[0] = "/bin/cat".
473
474 I introduced a directive that permits the mismatch of
475 basename of filename and argv[0].
476
477 Fix 2006/08/10
478
479 @ Support ID based condition checks.
480
481 It was impossible to use process id (uid and gid and so on) for
482 checking individual domain ACL.
483
484 Now it became possible to use process id for checking individual
485 domain ACL. For example,
486
487 "1 /bin/sh if task.euid!=0"
488
489 allows the domain to execute /bin/sh only when the process's euid
490 is not 0, and
491
492 "6 /home/\*/\* if task.uid=path1.uid"
493
494 allows the domain to read-write user's home directory
495 only when the file's owner matches the process's uid.
496
497 Fix 2006/08/22
498
499 @ Fix ROUNDUP() in fs/realpath.c .
500
501 Alignment using sizeof(int) may be inappropriate for 64bit environment.
502 I changed to use the larger size of 'void *' and 'long'
503 instead of 'int'.
504 For environment where sizeof(int) = sizeof(long) = sizeof(void *),
505 this change has no effect.
506
507 Version 1.2 2006/09/03 Functionality enhancement release.
508
509 Fix 2006/09/30
510
511 @ Fix CheckFilePerm() in fs/tomoyo_file.c .
512
513 The location to call path_release() was too early.
514
515 Fix 2006/10/02
516
517 @ Support per-domain profile.
518
519 It became possible to assign different profiles for different domains.
520 This will help administrators using building up approach.
521
522 Fix 2006/10/05
523
524 @ Change parameters for CheckFilePerm().
525
526 I was re-resolving pathnames inside CheckFilePerm() even though
527 the caller function already resolved them.
528 So I changed to pass dentry and vfsmount instead of pathname,
529 and removed changes made on 2006/09/30.
530
531 Fix 2006/10/06
532
533 @ Support deny_rewrite and allow_rewrite permission.
534
535 It became possible to make regular files append-only
536 using "deny_rewrite" directive in exception policy and
537 override it using "allow_rewrite" directive in domain policy.
538
539 Regular files specified using "deny_rewrite" directive
540 can't be open()ed with O_TRUNC or without O_APPEND,
541 can't be truncate()ed or ftruncate()ed,
542 can't be turned O_APPEND flag off using fcntl(F_SETFL)
543 unless specified using "allow_rewrite" directive.
544
545 Fix 2006/10/12
546
547 @ Enable configuration options by default for kernel config.
548
549 CONFIG_SAKURA and CONFIG_TOMOYO are now 'y' by default
550 and CONFIG_SYAORAN is now 'm' by default.
551
552 Fix 2006/10/13
553
554 @ Use external policy loader.
555
556 Until now, policies are loaded when /sbin/init starts and
557 initial control levels are switched using CCS= parameter.
558 But since some boxes have to fixate kernel command line options
559 at compilation time, I think it will become more flexible
560 by running external policy loader using init= parameter so that
561 initial control levels can be specified before /sbin/init starts.
562
563 Call panic() if initial control levels are not specified.
564
565 Fix 2006/10/16
566
567 @ Add missing parameter in FindNextDomain().
568
569 'struct file' was needed for allowing 'if path1.*' checks.
570
571 Fix 2006/10/23
572
573 @ Print error messages in CheckFlags().
574
575 Some users seem to have troubles picking up all necessary
576 entries for the configuration file of SYAORAN filesystem
577 since makesyaoranconf can't pick up entries that are
578 nonexistent at the time.
579 I added error message so that users can find missing entries
580 using dmesg.
581
582 Fix 2006/10/24
583
584 @ Change /proc/ccs/info/self_domain .
585
586 I changed /proc/ccs/info/self_domain to return
587 the domain of open time rather than first read time.
588 This modification makes shell's redirection usage
589 more convenient since redirection opens file
590 but doesn't read at the time.
591
592 'cat < /proc/ccs/info/self_domain' will return
593 the domain of shell, and
594 'cat /proc/ccs/info/self_domain' will return
595 the domain of cat .
596
597 Fix 2006/11/06
598
599 @ Replace MAX_ENFORCE_GRACE with ALLOW_ENFORCE_GRACE.
600
601 Since it was inconvenient that requests that are waiting for
602 supervisor's decision are rejected automatically when
603 MAX_ENFORCE_GRACE seconds has elapsed, I modified WriteAnswer()
604 reset timeout counter whenever a supervisor's decision is written
605 and I modified ccs-queryd write a dummy decision every seconds
606 so that the requests won't be rejected automatically as long as
607 ccs-queryd is running.
608 This change made MAX_ENFORCE_GRACE's meaning boolean.
609 So I fixated MAX_ENFORCE_GRACE to 10 seconds and removed
610 MAX_ENFORCE_GRACE parameter.
611 To allow administrators selectively enable "delayed enforcing"
612 mode, I added ALLOW_ENFORCE_GRACE parameter.
613 The behavior of "delayed enforcing" mode is defined
614 in the following order.
615
616 (1) The requests are rejected immediately if ALLOW_ENFORCE_GRACE=0.
617 (2) The requests are rejected immediately
618 if nobody is opening /proc/ccs/policy/query interface.
619 (3) The requests won't be rejected automatically
620 if ALLOW_ENFORCE_GRACE=1 and ccs-queryd is running.
621 (4) The requests will be rejected in 10 seconds
622 if somebody other than ccs-queryd (such as less(1)) is
623 opening /proc/ccs/policy/query interface, for
624 such process doesn't write dummy decisions.
625
626 Version 1.3 2006/11/11 First anniversary release.
627
628 Fix 2006/11/13
629
630 @ Replace trust_domain with keep_domain.
631
632 Since it was troublesome that there are two elements that can disable MAC
633 (assigning a profile that doesn't enable MAC or registering domains
634 with trust_domain directive), I removed trust_domain directive.
635 Instead, I introduced keep_domain directive to not to transit domains
636 unless a program registered with initializer directive is executed.
637 This change has the following advantages.
638
639 (1) Allows administrator use "enforce mode" for operations after login.
640 Since it was difficult to know what commands and files are invoked
641 and accessed in what sequences beforehand, we had to use trust_domain
642 directive for such domain, allowing users invoke any commands and
643 access any files in any sequence.
644 But now, we can use keep_domain directive and assign a profile for
645 "enforce mode" for such domain, forcing users invoke only allowed
646 commands and access only allowed files in any sequence
647 while these operations are kept under the control of "enforce mode".
648
649 (2) Allows administrator determine easily whether the domain is
650 under MAC or not because only the profile currently assigned to
651 the domain determines it.
652
653 (3) Saves total number of domains and memory.
654
655 Fix 2006/11/22
656
657 @ Don't allow use of undefined profile.
658
659 To avoid assigning undefined profile to domains by error,
660 I added checks before assigning profiles to domains.
661 Now, profiles have to be defined prior to assigning them to domains.
662
663 Version 1.3.1 2006/12/08 Minor update release.
664
665 Fix 2006/12/10
666
667 @ Allow pathname grouping.
668
669 To reduce the labor of repeating '/\*' to allow access recursively,
670 I introduced a macro 'path_group' to make group such pathnames.
671 For example, you had to give like
672
673 4 /var/www/html/\*
674 4 /var/www/html/\*/\*
675 4 /var/www/html/\*/\*/\*
676 4 /var/www/html/\*/\*/\*/\*
677
678 but now, you can give just
679
680 4 @WEB-CONTENTS
681
682 if you give
683
684 path_group WEB-CONTENTS /var/www/html/\*
685 path_group WEB-CONTENTS /var/www/html/\*/\*
686 path_group WEB-CONTENTS /var/www/html/\*/\*/\*
687 path_group WEB-CONTENTS /var/www/html/\*/\*/\*/\*
688
689 in the exception policy.
690 This macro will be useful when grouping different directories.
691
692 Fix 2006/12/15
693
694 @ Use structured pathnames instead for simple 'char *'.
695
696 To reduce the cost of strcmp(), I changed the return value of
697 SaveName() from 'const char *' to 'const struct path_info *'.
698 This change will speed up PathMatchesToPattern() comparison.
699
700 Fix 2006/12/19
701
702 @ Allow registering policy managers using domainnames.
703
704 It was difficult to restrict programs that can update policies
705 via /proc/ccs/ interfaces using pathnames of these programs, for
706 these programs could be unintendedly invoked.
707 Now, it became possible to restrict domains that can update policies
708 via /proc/ccs/ interfaces as well as programs.
709 By restricting using domainnames, it becomes easier to avoid
710 unintended invocation.
711
712 Fix 2006/12/22
713
714 @ Add initialize_domain,no_initizlize_domain,no_keep_domain
715
716 To control domain transitions more strictly,
717 initialize_domain,no_initizlize_domain,no_keep_domain directives
718 were introduced.
719
720 "initialize_domain /some/program" means
721 jump to "<kernel> /some/program" domain if /some/program is
722 called from any domain.
723 This is equivalent to conventional "initializer /some/program".
724
725 "initialize_domain /some/program from some_domain" means
726 jump to "<kernel> /some/program" domain only if /some/program is
727 called from "some_domain" domain.
728
729 "no_initialize_domain /some/program" means
730 don't jump to "<kernel> /some/program" domain even if
731 "initialize_domain /some/program" or
732 "initialize_domain /some/program from some_domain" are given
733 if /some/program is called from any domain.
734
735 "no_initialize_domain /some/program from some_domain" means
736 don't jump to "<kernel> /some/program" domain even if
737 "initialize_domain /some/program" or
738 "initialize_domain /some/program from some_domain" are given
739 if /some/program is called from "some_domain" domain.
740
741 "keep_domain some_domain" means don't jump to child domain
742 if any programs are called from "some_domain" domain.
743
744 "keep_domain /some/program from some_domain" means
745 don't jump to child domain only if /some/program is
746 called from "some_domain" domain.
747
748 "no_keep_domain some_domain" means
749 jump to child domain even if
750 "keep_domain /some/program" or
751 "keep_domain /some/program from some_domain" are given
752 if any programs are called from "some_domain" domain.
753
754 "no_keep_domain /some/program from some_domain" means
755 jump to child domain even if
756 "keep_domain /some/program" or
757 "keep_domain /some/program from some_domain" are given
758 if /some/program is called from "some_domain" domain.
759
760 "some_domain" can be just the last component of domainname.
761 For example, giving "/bin/mail" as "some_domain" matches
762 all domains whose domainname ends with "/bin/mail".
763
764 Fix 2007/01/19
765
766 @ Allow reuse of memory allocated for domain policy.
767
768 Regarding domain policy, unlike other policies, didn't have
769 "is_deleted" flag and new memory were allocated
770 if the deleted entries are given again.
771 But to allow administrators switch domain policy periodically,
772 I introduced "is_deleted" flag.
773
774 Writing "some_domain" to /proc/ccs/policy/domain_policy
775 creates "some_domain" using new memory if it didn't exist.
776
777 Writing "select some_domain" doesn't create "some_domain"
778 if it didn't exist.
779
780 Writing "delete some_domain" deletes "some_domain"
781 but does not delete entries in "some_domain".
782
783 Writing "undelete some_domain" undeletes "some_domain"
784 if it was deleted by "delete some_domain".
785
786 Fix 2007/01/22
787
788 @ Allow getting already deleted pathnames.
789
790 To allow getting pathnames that are already deleted,
791 I removed (IS_ROOT(dentry) || !d_unhashed(dentry)) check.
792
793 Fix 2007/01/26
794
795 @ Limit string length to 4000.
796
797 I was using PAGE_SIZE (4096 in many environments)
798 as the max length of any string data.
799 But for environments that have larger PAGE_SIZE,
800 doing memset(ptr, 0, PAGE_SIZE) every time is too wasteful.
801
802 Fix 2007/01/29
803
804 @ Add garbage collector for domain policy.
805
806 Writing "some_domain" to /proc/ccs/policy/domain_policy
807 creates "some_domain" using new memory only if
808 some process is staying at that deleted domain.
809 If no process is staying at that deleted domain,
810 "some_domain" is undeleted with all ACLs deleted.
811
812 Version 1.3.2 2007/02/14 Usability enhancement release.
813
814 Fix 2007/02/20
815
816 @ Allow address grouping.
817
818 To reduce the labor of repeating similar IPv4/IPv6 addresses,
819 I introduced a macro 'address_group' to make group such addresses.
820 For example, you had to give like
821
822 allow_network TCP accept 10.0.0.0-10.255.255.255 1024-65535
823 allow_network TCP accept 172.16.0.0-172.31.255.255 1024-65535
824 allow_network TCP accept 192.168.0.0-192.168.255.255 1024-65535
825
826 but now, you can give just
827
828 allow_network TCP accept @localnet 1024-65535
829
830 if you give
831
832 address_group localnet 10.0.0.0-10.255.255.255
833 address_group localnet 172.16.0.0-172.31.255.255
834 address_group localnet 192.168.0.0-192.168.255.255
835
836 in the exception policy.
837
838 Fix 2007/03/03
839
840 @ Remove obsolete functions.
841
842 @ Add some hooks.
843
844 Read permission check is done if open_exec()
845 is called from search_binary_handler().
846 Read permission check is not done if open_exec()
847 is called from do_execve(), instead,
848 execute permission check is done at
849 search_binary_handler_with_transition().
850
851 I moved the location of calling CheckCapabilityACL()
852 and CheckMountPermission() from sys_mount() to do_mount().
853
854 Fix 2007/03/07
855
856 @ Use 'unsigned int' for sscanf().
857
858 I compiled SYAORAN fs on x86_64 environment and found
859 the compiler showing warning messages about size of data types.
860 Since size of data types may mismatch for sscanf(),
861 I replaced some types with 'unsigned int'.
862
863 Version 1.4 2007/04/01 x86_64 support release.
864
865 Fix 2007/04/18
866
867 @ Change argv[0] checking rule.
868
869 I was comparing the basename of symbolic link's pathname and argv[0].
870 Since execute permission check and domain transition are done
871 based on realpath while argv[0] check is done based on the symlink's
872 pathname and argv[0], this specification will allow attackers behave
873 as /bin/cat in the domain of /bin/ls if "/bin/ls and /bin/cat are
874 links to /sbin/busybox" and "the attacker is permitted to create
875 a symlink named ~/cat that points to /bin/ls" and "the attacker is
876 permitted to run /bin/ls".
877 So, I changed to compare the basename of realpath and argv[0].
878 Also, I moved the location to compare before processing
879 "aggregator" directive so that
880 "aggregator /tmp/logrotate.\?\?\?\?\?\? /tmp/logrotate.tmp"
881 won't cause the mismatch of the basename of realpath and argv[0].
882
883 If /bin/ls is a symlink to /sbin/busybox, then
884 creating a symlink named ~/cat that points to /bin/ls and
885 executing ~/cat won't work as expected because permission check and
886 domain transition are done using /sbin/busybox (realpath of /bin/ls)
887 and will be rejected since the administrator won't grant
888 "1 /sbin/busybox".
889
890 Fix 2007/05/07
891
892 @ Support pathname subtraction.
893
894 There was no way to exclude specific pathnames when granting
895 permissions using wildcards.
896 There would be a need to exclude specific files and directories.
897 I introduced "\-" as subtraction operator.
898
899 "A\-B" means "A" other than "B".
900 "A\-B\-C" means "A" other than "B" and "C".
901 "A\-B\-C\-D" means "A" other than "B" and "C" and "D".
902
903 "A", "B", "C", "D" may contain wildcards.
904
905 An example usage is "/home/\*/\*\-.ssh/\*", which means
906 "/home/\*/\*/\*" other than "/home/\*/.ssh/\*".
907
908 "A" should contain wildcards because subtraction from constants
909 (e.g. "/usr\-usr/" or "/usr\-home/") is meaningless.
910
911 Don't try "A\-B\+C" because "\+" is not addition operator.
912
913 Fix 2007/05/24
914
915 @ Fix autobind hook.
916
917 The location to call SAKURA_MayAutobind() in net/ipv4/udp.c
918 and net/ipv6/udp.c were wrong.
919
920 Fix 2007/06/03
921
922 @ Add a space in MakeMountOptions().
923
924 I forgot to add a space after "atime" and "noatime".
925
926 Version 1.4.1 2007/06/05 Minor update release.
927
928 Fix 2007/07/04
929
930 @ Fix ReadAddressGroupPolicy() bug.
931
932 ReadAddressGroupPolicy() fails if both "path_group" and "address_group"
933 are used because I forgot to set "head->read_var1 = NULL".
934
935 Fix 2007/07/10
936
937 @ Add compat_sys_stime() hook.
938
939 Some of 64bit kernels support compat_sys_stime()
940 but permission check was missing.
941
942 Version 1.4.2 2007/07/13 Bug fix release.
943
944 Fix 2007/08/06
945
946 @ Remove mount-flags manipulation.
947
948 Until now, administrator is permitted to turn on/off specific mount
949 options regardless of mount options passed to kernel.
950 I removed this feature because "exact option matching" sounds better than
951 "automatic option enabler/disabler".
952
953 @ Remove /proc/ccs/info/mapping .
954
955 I removed /proc/ccs/info/mapping because nobody seems to use this
956 feature.
957
958 @ Call external policy loader automatically.
959
960 Until now, users had to add init=/.init parameter to load policy
961 before /sbin/init starts.
962 I inserted call_usermodehelper() to call external policy loader when
963 execve("/sbin/init") is requested and external policy loader exists.
964
965 This change will remove init=/.init parameter from most environment,
966 although call_usermodehelper() can't handle interactive operations.
967
968 @ Move external policy loader from /.init to /sbin/ccs-init .
969
970 Installing programs in / directory is not good for packaging.
971
972 Fix 2007/08/13
973
974 @ Update external policy loader.
975
976 It turned out that /sbin/ccs-init invoked via call_usermodehelper()
977 can handle interactive operations by opening /dev/console .
978 Now, there is no difference between init=/sbin/ccs-init and
979 call_usermodehelper("/sbin/ccs-init"), and users no longer need to
980 add init=/sbin/ccs-init parameter to load policy before /sbin/init
981 starts.
982
983 Fix 2007/08/14
984
985 @ Update recvmsg() hooks.
986
987 Until now, it was impossible to apply network access control for
988 incoming UDP and RAW packets if they are brought to userland using
989 read() or recvmsg() with NULL address because address buffer is NULL.
990 I moved hooks from sock_recvmsg() to skb_recv_datagram() so that
991 network access control for incoming UDP and RAW packets always work.
992
993 Fix 2007/08/16
994
995 @ Return appropriate error code for CheckMountPermission().
996
997 I was returning -EPERM if something is wrong with CheckMountPermission().
998 But SELinux determines whether selinuxfs is supported by kernel
999 based on whether error code is -ENODEV or not.
1000 So I stopped returning -EPERM unconditionally.
1001
1002 Fix 2007/08/17
1003
1004 @ Remove initializer directive.
1005
1006 Use "initialize_domain" instead of "initializer".
1007
1008 Fix 2007/08/21
1009
1010 @ Fix "allow_argv0 ... if if ..." bug.
1011
1012 It was impossible to use a word "if" to the second argument of
1013 allow_argv0 if condition part is used.
1014
1015 Fix 2007/08/24
1016
1017 @ Move /proc/ccs/\*/\* to /proc/ccs/\* .
1018
1019 Some pathnames for /proc/ccs/ interface were changed.
1020
1021 Fix 2007/09/05
1022
1023 @ Drop MSG_PEEK'ed message before skb_free_datagram().
1024
1025 I need to remove head message from unwanted source
1026 from socket's receive queue so that the caller can pick up
1027 next message from wanted source with MSG_PEEK flags.
1028
1029 Version 1.5.0 2007/09/20 Usability enhancement release.
1030
1031 Fix 2007/09/27
1032
1033 @ Avoid eating memory after quota exceeded.
1034
1035 Although ACL entries in a domain won't be added if the domain's quota
1036 has exceeded, SaveName() in AddFileACL() is called anyway.
1037 This caused unneeded memory consumption.
1038
1039 Now, quota checking is done before getting domain_acl_lock lock.
1040 This may exceed quota by one or two entries, but that won't matter.
1041
1042 Fix 2007/10/16
1043
1044 @ Add environment variable check.
1045
1046 There are environment variables that may cause dangerous behavior
1047 like LD_\* .
1048 So I introduced 'allow_env' directive that allows specified
1049 environment variable inherited to next domain.
1050 Unlike other permissions, this check is done at execve() time
1051 using next domain's ACL information.
1052
1053 To manage commonly inherited environments like PATH ,
1054 you can use 'allow_env' directive in exception policy
1055 to globally grant specified environment variable.
1056
1057 Fix 2007/11/05
1058
1059 @ Replace semaphore with mutex.
1060
1061 I replaced semaphore with mutex.
1062
1063 @ Add missing down() in AddReservedEntry().
1064
1065 Mutex debugging capability told me that I had forgotten to call down()
1066 since TOMOYO version 1.3.2 .
1067 This function is not called by learning mode,
1068 so the semaphore's counter will not overflow for normal usage.
1069
1070 Fix 2005/11/27
1071
1072 @ Fix ReadTable() truncation bug.
1073
1074 "snprintf(str, size, format, ...) >= size" means truncated.
1075 But I was checking for "snprintf(str, size, format, ...) > size".
1076 As a result, some entries might be dumped without '\n'.
1077
1078 @ Purge direct "->prev"/"->next" manipulation.
1079
1080 All list manipulations use "struct list_head" or "struct list1_head".
1081 "struct list1_head" doesn't have "->prev" member to save memory usage.
1082
1083 Fix 2007/11/29
1084
1085 @ Add missing semaphore in GetEXE().
1086
1087 mm->mmap_sem was missing.
1088
1089 Fix 2007/12/17
1090
1091 @ Remove unused EXPORT_SYMBOL().
1092
1093 Mark some functions static.
1094
1095 Fix 2007/12/18
1096
1097 @ Fix AddMountACL() rejection bug.
1098
1099 To my surprise, "mount --bind source dest" accepts
1100 not only "both source and dest are directory"
1101 but also "both source and dest are non-directory".
1102 I was rejecting if dest is not a directory in AddMountACL().
1103
1104 @ Change log format.
1105
1106 Profile number and mode is added in audit logs.
1107
1108 Fix 2008/01/03
1109
1110 @ Change directive for file's read/write/execute permission.
1111
1112 Directives for file's read/write/execute permissions were
1113 4/2/1 respectively. But for easier understanding, they are now
1114 replaced by read/write/execute (e.g. "allow_read" instead of "4").
1115 But for easier inputting, 4/2/1 are still accepted instead of
1116 allow_read/allow_write/allow_execute respectively.
1117
1118 @ Change internal data structure.
1119
1120 Since I don't have more than 16 types of file permissions,
1121 I combined them using bit-fields.
1122
1123 Each entry had a field for conditional permission support.
1124 But since this field is unlikely used, I separated the field from
1125 common part.
1126
1127 These changes will reduce memory used by policy.
1128
1129 Fix 2008/01/15
1130
1131 @ Add ptrace() hook.
1132
1133 To prevent attackers from controlling important processes using
1134 ptrace(), I added a hook for ptrace().
1135 Most programs (except strace(1) and gdb(1)) won't use ptrace(2).
1136
1137 @ Fix sleep condition check in CheckSocketRecvDatagramPermission().
1138
1139 It seems that correct method to use is in_atomic()
1140 rather than in_interrupt() because in_atomic() returns nonzero
1141 whenever scheduling is not allowed.
1142
1143 Fix 2008/02/05
1144
1145 @ Use find_task_by_vpid() instead of find_task_by_pid().
1146
1147 Kernel 2.6.24 introduced PID namespace.
1148 To search PID given from userland, the kernel needs to use
1149 find_task_by_vpid() instead of find_task_by_pid().
1150
1151 Fix 2008/02/14
1152
1153 @ Add execve() parameter checking.
1154
1155 Until now, it was impossible to check argv[] and envp[] parameters
1156 passed to execve().
1157 I expanded conditional permission syntax so that
1158 { argc, envc, argv[] , envp[] } parameters can be checked if needed.
1159 This will allow administrator permit execution of /bin/sh only when
1160 /bin/sh is invoked in the form of "/bin/sh -c" and environment variable
1161 HOME is set by specifying
1162
1163 allow_execute /bin/sh if exec.argv[1]="-c" exec.envp["HOME"]!=NULL
1164
1165 in the policy.
1166 This extension will make exploit codes difficult to start /bin/sh because
1167 they unlikely set up environment variables and unlikely specify "-c"
1168 option when invoking /bin/sh , whereas proper functions likely set up
1169 environment variables and likely specify "-c" option.
1170
1171 Fix 2008/02/18
1172
1173 @ Add process state checking.
1174
1175 Until now, it was impossible to change ACL without executing program.
1176 I added three variables for performing stateful checking within a domain.
1177 You can set current process's state like:
1178
1179 allow_network TCP accept @TRUSTED_HOSTS 1024-65535 ; set task.state[0]=1
1180 allow_network TCP accept @UNTRUSTED_HOSTS 1024-65535 ; set task.state[0]=0
1181
1182 and you can use the state like
1183
1184 allow_read /path/to/important/file if task.state[0]=1
1185
1186 in the policy.
1187 The state changes when the request was granted by the MAC's policy,
1188 so please be careful with situations where the state has changed
1189 successfully but the request was not processed because of other reasons
1190 (e.g. out of memory).
1191
1192 Fix 2008/02/26
1193
1194 @ Support /proc/ccs/ access by non-root user.
1195
1196 Until now, only root user can access /proc/ccs/ interface.
1197 But to permit /proc/ccs/ access by non-root user so that it won't require
1198 ssh login by root user when administrating from remote host,
1199 I made "(current->uid == 0 && current->euid == 0)" requirement optional.
1200 If this requirement is disabled, only "conventional DAC permission
1201 checks" and "/proc/ccs/manager checks" are used.
1202
1203 Fix 2008/02/29
1204
1205 @ Add sleep_on_violation feature.
1206
1207 Some exploit codes (e.g. trans2open for Samba) continue running
1208 until it achieves the purpose of the exploit code (e.g. invoke /bin/sh).
1209
1210 If such code is injected due to buffer overflow but the kernel
1211 rejects the request, it triggers infinite "Permission denied" loop.
1212 As a result, the CPU usage becomes 100% and gives bad effects to
1213 the rest of processes.
1214 This is a side effect of rejecting the request from the exploit code
1215 which wouldn't happen if the request from the exploit code was granted.
1216
1217 To avoid such CPU consumption, I added a penalty that forcibly
1218 sleeps for specified period when a request is rejected.
1219
1220 This penalty doesn't work if the exploit code does nothing but
1221 continue running, but I think most exploit code's purpose is
1222 to start some program rather than to slow down the target system.
1223
1224 @ Add alt_exec feature.
1225
1226 Since TOMOYO Linux's approach is "know all essential requests in advance
1227 and create policy that permits only them", you can regard anomalous
1228 requests as attacks (if you want to do so).
1229
1230 Common MAC implementations merely reject requests that violate policy.
1231 But I added a special handler for execve() to TOMOYO Linux.
1232
1233 This handler is triggered when a process requested to execute a program
1234 but the request was rejected by the policy.
1235 This handler executes a program specified by the administrator
1236 instead of a program requested by the process.
1237
1238 Most attackers attempt to execute /bin/sh to start something malicious.
1239 Attackers execute an exploit code using buffer overflow vulnerability
1240 to steal control of a process. But this handler can get back control
1241 if an exploit code requests execve() that is not permitted by policy.
1242
1243 By default, this handler does nothing (i.e. merely reject execve()
1244 request). You can specify any program to start what you want to do.
1245
1246 You can redirect attackers to somewhere else (e.g. honey pot).
1247 This makes it possible to act your Linux box as an on-demand honey pot
1248 while keeping regular services for your usage.
1249
1250 You can collect information of the attacker (e.g. IP address) and
1251 update firewall configuration.
1252
1253 You can silently terminate a process who requested execve()
1254 that is not permitted by policy.
1255
1256 Fix 2008/03/03
1257
1258 @ Add "force_alt_exec" directive.
1259
1260 To be able to fully utilize "alt_exec" feature,
1261 I added "force_alt_exec" directive so that
1262 all execute requests are replaced by the execute request of a program
1263 specified by alt_exec feature.
1264
1265 If this directive is specified for a domain, the domain no longer
1266 executes any programs regardless of the mode of file access control
1267 (i.e. the domain won't execute even if MAC_FOR_FILE=0 ).
1268 Instead, the domain executes the program specified by alt_exec feature
1269 and the program specified by alt_exec feature validates the execute
1270 request and executes it if it is appropriate to execute.
1271
1272 If you can tolerate that there is no chance to return an error code
1273 to the caller to tell the execute request was rejected,
1274 this is more flexible approach than in-kernel execve() parameter
1275 checking because we can do argv[] and envp[] checking easily.
1276
1277 Fix 2008/03/04
1278
1279 @ Use string for access control mode.
1280
1281 An integer expression for access control mode sometimes confuses
1282 administrators because profile number is also an integer expression.
1283 To avoid confusion between profile number and access control mode,
1284 I introduced a string expression for access control mode.
1285
1286 Modes which take an integer between 0 and 3.
1287
1288 0 -> disabled
1289 1 -> learning
1290 2 -> permissive
1291 3 -> enforcing
1292
1293 Modes which take 0 or 1.
1294
1295 0 -> disabled
1296 1 -> enabled
1297
1298 Fix 2008/03/10
1299
1300 @ Rename "force_alt_exec" directive to "execute_handler".
1301
1302 To be able to use different programs for validating execve() parameters,
1303 I moved the location to specify the program's pathname from profile
1304 to domain policy.
1305
1306 The "execute_handler" directive takes one pathname which is
1307 invoked whenever execve() request is issued. Thus, any "allow_execute"
1308 directives in a domain with "execute_handler" are ignored.
1309 This directive is designed for validating expected/desirable execve()
1310 requests in userspace, although there is no way to tell the caller
1311 that the execve() request was rejected.
1312
1313 @ Rename "alt_exec" directive to "denied_execute_handler".
1314
1315 The "denied_execute_handler" directive takes one pathname which is
1316 invoked only when execve() request was rejected. In other words,
1317 this program is invoked only when the following conditions are met.
1318
1319 (1) None of "allow_execute" directives in the domain matched.
1320 (2) The execve() request was rejected in enforcing mode.
1321 (3) "execute_handler" directive is not used by the domain.
1322
1323 This directive is designed for handling unexpected/undesirable execve()
1324 requests, to redirect the process issuing such requests to somewhere.
1325
1326 Fix 2008/03/18
1327
1328 @ Fix wrong/redundant locks in pre-vfs functions.
1329
1330 lock_kernel()/unlock_kernel() in pre_vfs_rename() were redundant for
1331 2.6 kernels.
1332
1333 Locking order in pre_vfs_link() and pre_vfs_unlink() for 2.4 kernels
1334 after 2.4.33 were different from before 2.4.32 .
1335
1336 Fix 2008/03/28
1337
1338 @ Disable execute handler loop.
1339
1340 To be able to use "execute_handler" in a "keep_domain" domain,
1341 ignore "execute_handler" and "denied_execute_handler" directives
1342 if the current process is executing programs specified by
1343 "execute_handler" or "denied_execute_handler" directive.
1344
1345 This exception is needed to avoid infinite execute handler loop.
1346 If a domain has both "keep_domain" and "execute_handler",
1347 any execute request by that domain is handled by an execute handler,
1348 and the execute handler attempts to process original execute request.
1349 But the original execute request is handled by the same execute handler
1350 unless the execute handler ignores "execute_handler".
1351
1352 @ Update coding style.
1353
1354 I rewrote the code to pass scripts/checkpatch.pl as much as possible.
1355 Function names were changed to use only lower letters.
1356
1357 Version 1.6.0 2008/04/01 Feature enhancement release.
1358
1359 Fix 2008/04/14
1360
1361 @ Fix "Compilation failures" and "Initialization ordering bugs"
1362 with kernels before 2.4.30/2.6.11 .
1363
1364 2.6 kernels before 2.6.9 didn't have include/linux/hardirq.h ,
1365 resulting compilation error at #include <linux/hardirq.h> .
1366 I added #elif condition.
1367
1368 CentOS 4.6's 2.6.9 kernel calls do_execve() before initialization of
1369 ccs_alloc(), resulting NULL pointer dereference.
1370 I changed __initcall to core_initcall.
1371
1372 CentOS 4.6's 2.6.9 kernel backported kzalloc() from 2.6.14 ,
1373 resulting compilation error at kzalloc().
1374 I modified prototype of kzalloc().
1375
1376 Fix 2008/04/20
1377
1378 @ Fix "Compilation failures" with kernels before 2.4.30/2.6.11 .
1379
1380 Turbolinux 10 Server's 2.6.8 kernel backported kzalloc() as an inlined
1381 function, resulting compilation error at kzalloc().
1382 I converted kzalloc() from an inlined function into a macro.
1383
1384 Fix 2008/04/21
1385
1386 @ Add workaround for gcc 3.2.2's inline bug.
1387
1388 RedHat Linux 9's gcc 3.2.2 generated a bad code
1389 if ((var_of_u8 & 0x000000BF) & 0x80000000) { }
1390 where the expected code is
1391 if ((var_of_u8 & 0xBF) & 0x80) { }
1392 when embedding ccs_acl_type2() into print_entry(),
1393 resulting runtime BUG().
1394 I added the expected code explicitly as a workaround.
1395
1396 Fix 2008/05/06
1397
1398 @ Add memory quota.
1399
1400 1.5.x returns -ENOMEM when FindNextDomain() failed to create a new
1401 domain, but I forgot to return -ENOMEM when find_next_domain() failed to
1402 create a new domain.
1403
1404 A domain is automatically created by find_next_domain() only if
1405 the domain for the requested program doesn't exist.
1406 This behavior is for the administrator's convenience.
1407 The administrator needn't to know how many domains are needed for running
1408 the whole programs in the system beforehand when developing the policy.
1409 But the administrator does not want the kernel to reject execution of the
1410 requested program when developing the policy.
1411
1412 So, I think it is better to grant execution of programs even if
1413 find_next_domain() failed to create a new domain than reject execution.
1414 Thus, I decided not to return -ENOMEM when find_next_domain() failed to
1415 create a new domain. This exception breaks the domain transition rules,
1416 so I print "transition_failed" warning in /proc/ccs/domain_policy
1417 when this exception happened.
1418
1419 Also, to prevent the system from being halted by unexpectedly allocating
1420 all kernel memory for the policy, I added memory quota.
1421 This quota is configurable via /proc/ccs/meminfo like
1422
1423 echo Shared: 1048576 > /proc/ccs/meminfo
1424 echo Private: 1048576 > /proc/ccs/meminfo
1425
1426 Version 1.6.1 2008/05/10 Bug fix release.
1427
1428 Fix 2008/06/04
1429
1430 @ Check open mode of /proc/ccs/ interface.
1431
1432 It turned out that I can avoid allocating memory for reading if
1433 FMODE_READ is not set and memory for writing if FMODE_WRITE is not set.
1434
1435 @ Wait for completion of /sbin/ccs-init .
1436
1437 Since 2.4 kernel's call_usermodehelper() can't wait for termination of
1438 the executed program, I was using the close() request of
1439 /proc/ccs/meminfo to indicate that loading policy has finished.
1440 But since /proc/ccs/meminfo could be accessed for setting memory quota
1441 by /etc/ccs/ccs-post-init , I stopped using the close() request.
1442 The policy loader no longer need to access /proc/ccs/meminfo to notify
1443 the kernel that loading policy has finished.
1444
1445 Fix 2008/06/05
1446
1447 @ Fix realpath for pipes and sockets.
1448
1449 Kernel 2.6.22 and later use different method for calculating d_path().
1450 Since fs/realpath.c didn't notice the change, the realpath of pipes
1451 appeared as "pipe:" rather than "pipe:[\$]" when they are opened via
1452 /proc/PID/fd/ directory.
1453
1454 @ Add process's information into /proc/ccs/query .
1455
1456 While /proc/ccs/grant_log and /proc/ccs/reject_log contain process's
1457 information, /proc/ccs/query doesn't contain it.
1458 To be able to utilize ccs-queryd and ccs-notifyd more, I added it into
1459 /proc/ccs/query .
1460
1461 Fix 2008/06/10
1462
1463 @ Allow using patterns for globally readable files.
1464
1465 To allow users specify locale specific files to globally readable files,
1466 I relaxed checking in update_globally_readable_entry().
1467
1468 Fix 2008/06/11
1469
1470 @ Remove ALLOW_ENFORCE_GRACE parameter.
1471
1472 Since unexpected requests caused by doing software updates can happen
1473 in all profiles, users likely have to write ALLOW_ENFORCE_GRACE=enabled
1474 to all profiles. And it makes meaningless to allow users to selectively
1475 enable specific profile's ALLOW_ENFORCE_GRACE parameter.
1476 So, I removed ALLOW_ENFORCE_GRACE parameter.
1477 Now, the system behaves as if ALLOW_ENFORCE_GRACE=enabled is specified.
1478 The behavior of "delayed enforcing" mode is defined in the following
1479 order.
1480
1481 (1) The requests are rejected immediately if nobody is opening
1482 /proc/ccs/query interface.
1483 (2) The requests will be rejected in 10 seconds if somebody other than
1484 ccs-queryd (such as less(1)) is opening /proc/ccs/query interface,
1485 for such process doesn't write dummy decisions.
1486
1487 Fix 2008/06/22
1488
1489 @ Pass escaped pathname to audit_execute_handler_log().
1490
1491 I was passing unescaped pathname to audit_execute_handler_log()
1492 which causes /proc/ccs/grant_log contain whitespace characters
1493 if execute handler's pathname contains whitespace characters.
1494
1495 Fix 2008/06/25
1496
1497 @ Return 0 when ccs_may_umount() succeeds.
1498
1499 I forgot to clear error value in ccs_may_umount() when the requested
1500 directory didn't match "deny_unmount" directive. As a result, any umount()
1501 request with RESTRICT_UNMOUNT=enforcing returned -EPERM error.
1502
1503 Version 1.6.2 2008/06/25 Usability enhancement release.
1504
1505 Fix 2008/07/01
1506
1507 @ Fix "Compilation failure" with 2.4.20 kernel.
1508
1509 RedHat Linux 9's 2.4.20 kernel backported O(1) scheduler patch,
1510 resulting compilation error at ccs_load_policy().
1511 I added defined(TASK_DEAD) check.
1512
1513 Fix 2008/07/08
1514
1515 @ Don't check permissions if vfsmount is NULL.
1516
1517 Some filesystems (e.g. unionfs) pass NULL vfsmount.
1518 I changed fs/tomoyo_file.c not to try to calculate pathnames
1519 if vfsmount is NULL.
1520
1521 Version 1.6.3 2008/07/15 Bug fix release.
1522
1523 Fix 2008/08/21
1524
1525 @ Add workaround for gcc 4.3's bug.
1526
1527 In some environments, fs/tomoyo_network.c could not be compiled
1528 because of gcc 4.3's bug.
1529 I modified save_ipv6_address() to use "integer literal" value
1530 instead for "static const u8" variable.
1531
1532 @ Change prototypes of some functions.
1533
1534 To support 2.6.27 kernels, I replaced "struct nameidata" with
1535 "struct path" for some functions.
1536
1537 @ Detect distributor specific patches automatically.
1538
1539 Since kernels with AppArmor patch applied is increasing,
1540 I introduced a mechanism which determines whether specific patches
1541 are applied or not, based on "#define" directives in the patches.
1542
1543 Fix 2008/08/29
1544
1545 @ Remove "-ccs" suffix from Makefile's EXTRAVERSION.
1546
1547 To reduce conflicts on Makefile's EXTRAVERSION,
1548 I removed "-ccs" suffix from ccs-patch-2.\*.diff .
1549 Those who build kernels without using specs/build-\*.sh ,
1550 please edit EXTRAVERSION tag manually so that original kernels
1551 will not be overwritten by TOMOYO Linux kernels.
1552
1553 Version 1.6.4 2008/09/03 Minor update release.
1554
1555 Fix 2008/09/09
1556
1557 @ Add "try again" response to "delayed enforcing" mode.
1558
1559 To be able to handle pathname changes caused by software updates,
1560 "delayed enforcing" mode was introduced. It allows administrator to
1561 grant access requests which are about to be rejected by the kernel.
1562
1563 To be able to handle pathname changes caused by software updates better,
1564 I introduced "try again" response. As "delayed enforcing" mode sleeps
1565 a process which violated policy, administrator can update policy while
1566 the process is sleeping. This "try again" response allows administrator
1567 to restart policy checks from the beginning after updating policy.
1568
1569 Fix 2008/09/11
1570
1571 @ Remember whether the process is allowed to write to /proc/ccs/ interface.
1572
1573 Since programs for manipulating policy (e.g. ccs-queryd ) are installed
1574 in the form of RPM/DEB packages, these programs lose the original
1575 pathnames when they are updated by the package manager. The package
1576 manager renames these programs before deleting these programs so that
1577 the package manager can rollback the operation.
1578 This causes a problem when the programs are listed into /proc/ccs/manager
1579 using pathnames, as the programs will no longer be allowed to write to
1580 /proc/ccs/ interface while the process of old version of the program is
1581 alive.
1582
1583 To solve this problem, I modified to remember the fact that the process
1584 is once allowed to write to /proc/ccs/ interface until the process
1585 attempts to execute a different program.
1586 This change makes it impossible to revoke permission to write to
1587 /proc/ccs/ interface without killing the process, but it will be better
1588 than nonfunctioning ccs-queryd program.
1589
1590 Fix 2008/09/19
1591
1592 @ Allow selecting a domain by PID.
1593
1594 Sometimes we want to know what ACLs are given to specific PID, but
1595 finding a domainname for that PID from /proc/ccs/.process_status and
1596 reading ACLs from /proc/ccs/domain_policy by the domainname is very slow.
1597 Thus, I modified /proc/ccs/domain_policy to allow selecting a domain by
1598 PID. For example, to read domain ACL of current process from bash,
1599 run as follows.
1600
1601 # exec 100<>/proc/ccs/domain_policy
1602 # echo select pid=$$ >&100
1603 # while read -u 100; do echo $REPLY; done
1604
1605 If a domain is once selected by PID, reading /proc/ccs/domain_policy will
1606 print only that domain if that PID exists or print nothing otherwise.
1607
1608 @ Disallow concurrent /proc/ccs/ access using the same file descriptor.
1609
1610 Until now, one process can read() from /proc/ccs/ while other process
1611 that shares the file descriptor can write() to /proc/ccs/ .
1612 But to implement "Allow selecting a domain by PID" feature, I disabled
1613 concurrent read()/write() because the feature need to modify read buffer
1614 while writing.
1615
1616 Fix 2008/10/01
1617
1618 @ Add retry counter into /proc/ccs/query .
1619
1620 To be able to handle some of queries from /proc/ccs/query without user's
1621 interaction, I added retry counter for avoiding infinite loop caused by
1622 "try again" response.
1623
1624 Fix 2008/10/07
1625
1626 @ Don't transit to new domain until do_execve() succeeds.
1627
1628 Until now, a process's domain was updated to new domain which the process
1629 will belong to before do_execve() succeeds so that the kernel can do
1630 permission checks for interpreters and environment variables based on
1631 new domain. But this caused a subtle problem when other process sends
1632 signals to the process, for the process returns to old domain if
1633 do_execve() failed.
1634
1635 So, I modified to pass new domain to functions so that I can avoid
1636 modifying a process's domain before do_execve() succeeds.
1637
1638 @ Use old task state for audit logs.
1639
1640 Until now, audit logs were generated using the task state after
1641 processing "; set task.state" part. But to generate accurate logs,
1642 I modified to save the task state before processing "; set task.state"
1643 part and use the saved state for audit logs.
1644
1645 @ Use a structure for passing parameters.
1646
1647 As the number of parameters is increasing, I modified to use a structure
1648 for passing parameters.
1649
1650 Fix 2008/10/11
1651
1652 @ Remove domain_acl_lock mutex.
1653
1654 I noticed that I don't need to keep all functions that modify an ACL of
1655 a domain mutually exclusive. Since each functions handles different type
1656 of ACL, locking is needed only when they append an ACL to a domain.
1657 So, I modified to use local locks.
1658
1659 Fix 2008/10/14
1660
1661 @ Fix ccs_check_condition() bug.
1662
1663 Due to a bug in ccs_check_condition(), it was impossible to use
1664 task.state[0] task.state[1] task.state[2] inside condition part
1665 if the ACL does not treat a pathname. For example, an ACL like
1666
1667 allow_network TCP connect @HTTP_SERVERS 80 if task.state[0]=100
1668
1669 didn't work.
1670
1671 Fix 2008/10/15
1672
1673 @ Show process information in /proc/ccs/.process_status .
1674
1675 To be able to determine a process's type, I added a command "info PID"
1676 which returns process information of the specified PID in
1677 "PID manager=\* execute_handler=\* state[0]=\$ state[1]=\$ state[2]=\$"
1678 format.
1679
1680 Fix 2008/10/20
1681
1682 @ Use rcu_dereference() when walking the list.
1683
1684 I was using "dependency ordering" for appending an element to a list
1685 without asking the reader to take a lock. But "dependency ordering"
1686 is not respected by DEC Alpha or by some aggressive value-speculation
1687 compiler optimizations.
1688
1689 On such environment, use of "dependency ordering" can lead to system
1690 crash because the reader might read uninitialized value of newly
1691 appended element.
1692
1693 To prevent the reader from reading uninitialized value of newly appended
1694 element, I inserted rcu_dereference() when walking the list.
1695
1696 Fix 2008/11/04
1697
1698 @ Use sys_getpid() instead for current->pid.
1699
1700 Kernel 2.6.24 introduced PID namespace.
1701
1702 To compare PID given from userland, I can't use current->pid.
1703 So, I modified to use sys_getpid() instead for current->pid.
1704
1705 I modified to use task_tgid_nr_ns() for 2.6.25 and later instead for
1706 current->tgid when checking /proc/self/ in get_absolute_path().
1707
1708 Fix 2008/11/07
1709
1710 @ Fix is_alphabet_char().
1711
1712 is_alphabet_char() should match 'A' - 'Z' and 'a' - 'z',
1713 but was matching from 'A' - 'F' and 'a' - 'f'.
1714
1715 @ Add /proc/ccs/.execute_handler .
1716
1717 Process information became visible to userspace by
1718 "Show process information in /proc/ccs/.process_status" feature.
1719 However, programs specified by execute_handler directive may run as
1720 non root user, making it impossible to see process information.
1721
1722 So, I added a new interface that allows execute handler processes
1723 to see process information. The content of /proc/ccs/.execute_handler is
1724 identical to /proc/ccs/.process_status .
1725
1726 Version 1.6.5 2008/11/11 Third anniversary release.
1727
1728 Fix 2008/12/01
1729
1730 @ Introduce "task.type=execute_handler" condition.
1731
1732 The execute_handler directive is very very powerful. You can use this
1733 directive to do anything you want to do (e.g. logging and validating and
1734 modifying command line parameters and environment variables, opening and
1735 closing and redirecting files, creating pipes to implement antivirus and
1736 spam filtering, deploying a DMZ between the ssh daemon and the login
1737 shells).
1738
1739 To be able to use this directive in a domain with keep_domain directive
1740 while limiting access to resources needed for such purposes to only
1741 programs invoked as an execute handler process, I added a new condition.
1742
1743 In learning mode, "if task.type=execute_handler" condition part will be
1744 automatically added for requests issued by an execute_handler process.
1745
1746 @ Introduce file's type and permissions as conditions.
1747
1748 To be able to limit file types a process can access, I added
1749 new conditions for checking file's type and permissions.
1750 For example,
1751
1752 allow_read /etc/fstab if path1.type=file path1.perm=0644
1753
1754 will allow opening /etc/fstab for reading only if /etc/fstab is a regular
1755 file and it's permission is 0644, and
1756
1757 allow_write /dev/null if path1.type=char path1.dev_major=1 path1.dev_minor=3
1758
1759 will allow opening /dev/null for writing only if /dev/null is a character
1760 device file with major=1 and minor=3 attributes.
1761
1762 @ Add memory quota for temporary memory used for auditing.
1763
1764 Although there are MAX_GRANT_LOG and MAX_REJECT_LOG parameters
1765 which limit the number of entries for audit logs so that we can avoid
1766 memory consumption by audit logs, it would be more convenient if we can
1767 also limit the size in bytes.
1768 Thus, I added a new quota line.
1769
1770 echo Dynamic: 1048576 > /proc/ccs/meminfo
1771
1772 This quota is not applied to temporary memory used for permission checks.
1773
1774 Fix 2008/12/09
1775
1776 @ Fix ccs_can_save_audit_log() checks.
1777
1778 Due to incorrect statement "if (ccs_can_save_audit_log() < 0)"
1779 while ccs_can_save_audit_log() is boolean, MAX_GRANT_LOG and
1780 MAX_REJECT_LOG were not working.
1781
1782 This bug will trigger OOM killer if /usr/sbin/ccs-auditd is not working.
1783
1784 Fix 2008/12/24
1785
1786 @ Add "ccs_" prefix.
1787
1788 To be able to tell whether a symbol is TOMOYO Linux related or not,
1789 I added "ccs_" prefix as much as possible.
1790
1791 @ Fix ccs_check_flags() error message.
1792
1793 I meant to print SYAORAN-ERROR: message when error == -EPERM,
1794 but I was printing it when error == 0 since 1.6.0 .
1795
1796 Fix 2009/01/05
1797
1798 @ Use kmap_atomic()/kunmap_atomic() for reading "struct linux_binprm".
1799
1800 As remove_arg_zero() uses kmap_atomic(KM_USER0), I modified to use
1801 kmap_atomic(KM_USER0) rather than kmap().
1802
1803 Fix 2009/01/28
1804
1805 @ Fix "allow_read" + "allow_write" != "allow_read/write" problem.
1806
1807 Since 1.6.0 , due to a bug in ccs_update_single_path_acl(),
1808 appending "allow_read/write" entry didn't update internal "allow_read"
1809 and "allow_write" entries. As a result, attempt to open(O_RDWR) succeeds
1810 but open(O_RDONLY) and open(O_WRONLY) fail.
1811
1812 Workaround is to write an entry twice when newly appending that entry.
1813 If written twice, internal "allow_read" and "allow_write" entries
1814 are updated.
1815
1816 Fix 2009/02/26
1817
1818 @ Fix profile read error.
1819
1820 Incorrect profiles were shown in /proc/ccs/profile
1821 if either CONFIG_SAKURA or CONFIG_TOMOYO is disabled.
1822
1823 Fix 2009/03/02
1824
1825 @ Undelete CONFIG_TOMOYO_AUDIT option.
1826
1827 While HDD-less systems can use profiles with MAX_GRANT_LOG=0 and
1828 MAX_REJECT_LOG=0 , I undeleted CONFIG_TOMOYO_AUDIT option for saving
1829 memory used for /proc/ccs/grant_log and /proc/ccs/reject_log interfaces.
1830
1831 Fix 2009/03/13
1832
1833 @ Show only profile entry names ever specified.
1834
1835 Even if an administrator specifies only COMMENT= and MAC_FOR_FILE=
1836 entries for /proc/ccs/profile , all available profile entries are shown.
1837 This was designed to help administrators to know what entries are
1838 available, but sometimes makes administrators feel noisy because of
1839 entries showing default values.
1840
1841 Thus, I modified to show only profile entry names ever specified.
1842
1843 Fix 2009/03/18
1844
1845 @ Add MAC_FOR_IOCTL functionality.
1846
1847 To be able to restrict ioctl() requests, I added MAC_FOR_IOCTL
1848 functionality.
1849
1850 This functionality requires modification of ccs-patch-\*.diff .
1851
1852 @ Use better name for socket's pathname.
1853
1854 Until now, socket's pathname was represented as "socket:[\$]" format
1855 where \$ is inode's number. But inode's number is useless for name based
1856 access control. Therefore, I modified to represent socket's pathname as
1857 "socket:[family=\$:type=\$:protocol=\$]" format.
1858
1859 This will help administrator to control ioctl() against sockets more
1860 precisely.
1861
1862 @ Fix misplaced ccs_capable() call. (only 2.6.8-\* and 2.6.9-\*)
1863
1864 Location to insert ccs_capable(TOMOYO_SYS_IOCTL) in sys_ioctl() was
1865 wrong since version 1.1 .
1866
1867 @ Insert ccs_check_ioctl_permission() call.
1868
1869 To make MAC_FOR_IOCTL functionality working, I inserted
1870 ccs_check_ioctl_permission() call into ccs-patch-\*.diff .
1871
1872 Fix 2009/03/23
1873
1874 @ Move sysctl()'s check from ccs-patch-\*.diff to fs/tomoyo_file.c .
1875
1876 Since try_parse_table() in kernel/sysctl.c is almost identical between
1877 all versions, I moved that function to fs/tomoyo_file.c .
1878
1879 @ Relocate definitions and functions.
1880
1881 To reduce exposed symbols, I relocated some definitions and functions.
1882
1883 Fix 2009/03/24
1884
1885 @ Add CONFIG_TOMOYO_BUILTIN_INITIALIZERS option.
1886
1887 Some systems don't have /sbin/modprobe and /sbin/hotplug .
1888 Thus, I made these pathnames configurable.
1889
1890 Version 1.6.7 2009/04/01 Feature enhancement release.
1891
1892 Fix 2009/04/06
1893
1894 @ Drop "undelete domain" command.
1895
1896 I added "undelete domain" command on 2007/01/19, but never used by policy
1897 management tools. The garbage collector I added on 2007/01/29 will
1898 automatically reuse memory and allow administrators switch domain policy
1899 periodically, provided that the administrator kills processes in old
1900 domains before recreating new domains with the same domainnames.
1901
1902 Thus, I dropped "undelete domain" command.
1903
1904 @ Escape invalid characters in ccs_check_mount_permission2().
1905
1906 ccs_check_mount_permission2() was passing unencoded strings to printk()
1907 and ccs_update_mount_acl() and ccs_check_supervisor(). This may cause
1908 /proc/ccs/system_policy and /proc/ccs/query to contain invalid
1909 characters within a string.
1910
1911 Fix 2009/04/07
1912
1913 @ Fix IPv4's "address_group" handling error.
1914
1915 Since 1.6.5 , due to lack of ntohl() (byte order conversion) in
1916 ccs_update_address_group_entry(), "address_group" with IPv4 address was
1917 not working.
1918
1919 This problem happens on little endian platforms (e.g. x86).
1920
1921 Fix 2009/05/08
1922
1923 @ Add condition for symlink's target pathname.
1924
1925 Until now, "allow_symlink" keyword allows creation of a symlink but does
1926 not check the symlink's target. Usually it is no problem because
1927 permission checks are done using dereferenced pathname. But in some
1928 cases, we should restrict the symlink's target. For example,
1929 "ln -s .htpasswd /var/www/html/readme.html" by CGI program should be
1930 blocked because we will allow Apache to read both
1931 /var/www/html/readme.html and /var/www/html/.htpasswd .
1932
1933 Thus, I added new condition, "symlink.target".
1934
1935 allow_symlink /var/www/html/\*.html if symlink.target="\*.html"
1936
1937 allow_symlink /var/www/html/\*\-.\* if symlink.target="\*\-.\*"
1938
1939 @ Don't return -EAGAIN at ccs_socket_recvmsg_permission().
1940
1941 It turned out that it is not permitted for accept() and recvmsg() to
1942 return -EAGAIN if poll() said connections/datagrams are ready. However,
1943 recvmsg() may return -EAGAIN and potentially confuse some applications
1944 because ccs_socket_recvmsg_permission() is returning -EAGAIN.
1945
1946 Thus, I modified ccs_socket_recvmsg_permission() to return -ENOMEM
1947 rather than -EAGAIN.
1948
1949 Fix 2009/05/19
1950
1951 @ Don't call get_fs_type() with a mutex held.
1952
1953 Until now, when ccs_update_mount_acl() is called with unsupported
1954 filesystem, /sbin/modprobe is executed from get_fs_type() to load
1955 filesystem module. And get_fs_type() does not return until /sbin/modprobe
1956 finishes.
1957
1958 This means that it will cause deadlock if /sbin/modprobe (which is
1959 executed via get_fs_type() in ccs_update_mount_acl()) calls
1960 ccs_update_mount_acl(); although it won't happen unless an administrator
1961 inserts execute_handler to call mount() requests in learning mode or to
1962 add "allow_mount" entries to /proc/ccs/system_policy .
1963
1964 I modified to unlock the mutex before calling get_fs_type().
1965
1966 Fix 2009/05/20
1967
1968 @ Update recvmsg() hooks.
1969
1970 Since 1.5.0, I was doing network access control for incoming UDP and RAW
1971 packets inside skb_recv_datagram(). But to synchronize with LSM version,
1972 I moved ccs_recv_datagram_permission() hook from skb_recv_datagram() to
1973 udp_recvmsg()/udpv6_recvmsg()/raw_recvmsg()/rawv6_recvmsg() with name
1974 change to ccs_recvmsg_permission().
1975
1976 Version 1.6.8 2009/05/28 Feature enhancement release.
1977
1978 Fix 2009/07/03
1979
1980 @ Fix buffer overrun when used with CONFIG_SLOB=y .
1981
1982 Since 1.6.7 , ccs_allocate_execve_entry() was requesting for only 4000
1983 bytes while the comment says it is 4096 bytes. This may lead to buffer
1984 overrun when slob allocator is used, for slob allocator allocates exactly
1985 4000 bytes whereas slab and slub allocators allocate 4096 bytes.
1986
1987 Fix 2009/09/01
1988
1989 @ Add garbage collector support.
1990
1991 Until now, it was impossible to release memory used by deleted policy.
1992 I added SRCU based garbage collector so that memory used by deleted
1993 policy will be automatically released.
1994
1995 @ Remove word length limitation and line length limitation.
1996
1997 Until now, the max length of a word is 4000 and the max length of a line
1998 is 8192. To be able to handle longer pathnames, I removed these
1999 limitations. Now, the max length (except the domainname and
2000 argv[]/envp[]) is 128K (which is the max amount of memory kmalloc()
2001 can allocate in most environments).
2002
2003 @ Support more fine grained profile configuration.
2004
2005 Profile was reconstructed.
2006
2007 @ Support more fine grained parameters restrictions.
2008
2009 "allow_create", "allow_mkdir", "allow_mkfifo", "allow_mksock" check
2010 create mode. "allow_mkblock" and "allow_mkchar" check create mode and
2011 major/minor device numbers. "allow_chmod" check new mode. "allow_chown"
2012 checks new owner. "allow_chgrp" checks new group.
2013
2014 @ Allow number grouping.
2015
2016 To help specifying numeric values, a new directive "number_group" is
2017 introduced.
2018
2019 @ Remove "alias" directive and "allow_argv0" directive.
2020
2021 Until now, "allow_execute" used dereferenced pathname if it is a symlink
2022 unless explicitly specified by "alias" directive.
2023
2024 Now, "allow_execute" uses symlink's pathname if it is a symlink.
2025 "exec.realpath" in "if" clause checks the dereferenced pathname.
2026 "exec.argv[0]" in "if" clause checks the invocation name.
2027
2028 @ Remove /proc/ccs/system_policy and /etc/ccs/system_policy.conf .
2029
2030 "deny_autobind" was moved to /proc/ccs/exception_policy and
2031 /etc/ccs/exception_policy.conf . Other directives were moved to
2032 /proc/ccs/domain_policy and /etc/ccs/domain_policy.conf .
2033
2034 @ Remove syaoran filesystem.
2035
2036 Since "allow_create"/"allow_mkdir"/"allow_mkfifo"/"allow_mksock"/
2037 "allow_mkblock"/"allow_mkchar"/"allow_chmod"/"allow_chown"/"allow_chgrp"
2038 can restrict mode changes and owner/group changes, there is no need to
2039 restrict these changes at filesystem level.
2040
2041 Thus, I removed syaoran filesystem.
2042
2043 @ Reduce spinlocks.
2044
2045 Until now, TOMOYO was using own list for detecting memory leak. But as
2046 kernel 2.6.31 introduced memory leak detection mechanism
2047 ( CONFIG_DEBUG_KMEMLEAK ), TOMOYO no longer needs to use own list.
2048
2049 I removed the list to reduce use of spinlocks.
2050
2051 @ Rewrite ccs-patch-2.\*.diff .
2052
2053 ccs-patch-2.\*.diff was rewritten like LSM hooks.
2054
2055 @ Don't check "allow_read/write" for open-for-ioctl-only.
2056
2057 open(pathname, 3) means open for ioctl() only.
2058 Until now, TOMOYO was checking "allow_read/write" for open(pathname, 3).
2059 But since TOMOYO checks "allow_ioctl" for ioctl(), I modified not to
2060 require "allow_read/write" for open(pathname, 3).
2061
2062 @ Add missing sigqueue() and tgsigqueue() hooks.
2063
2064 Until now, kill(), tkill(), tgkill() had hooks but sigqueue() and
2065 tgsigqueue() didn't.
2066
2067 @ Move files from fs/ to security/ccsecurity.
2068
2069 Config menu section changed from "File systems" to "Security options".
2070
2071 Kernel config symbols changed from CONFIG_SAKURA CONFIG_TOMOYO
2072 CONFIG_SYAORAN to CONFIG_CCSECURITY .
2073
2074 @ Add global PID to audit logs.
2075
2076 ccs-queryd was using domainname for reaching the domain which the process
2077 belongs to, but the domain could be deleted while ccs-queryd is handling
2078 policy violation. If the domain is deleted, ccs-queryd no longer can
2079 reach the domain by domainname. Thus, ccs-queryd now uses PID for
2080 reaching the domain which the process belongs to.
2081
2082 Kernel 2.6.24 introduced PID namespace. The PID in access logs generated
2083 by a process inside a container is useless for ccs-queryd for reaching
2084 the domain which the process belongs to.
2085
2086 Thus, I added global PID in audit logs.
2087
2088 @ Transit to new domain before do_execve() succeeds.
2089
2090 Permission checks for interpreters and environment variables are
2091 done using new domain. In order to allow ccs-queryd to reach the new
2092 domain via global PID, I reverted "Don't transit to new domain until
2093 do_execve() succeeds." made on 2008/10/07.
2094
2095 Version 1.7.0 2009/09/03 Feature enhancement release.
2096
2097 Fix 2009/09/04
2098
2099 @ Fix wrong ccs_profile() calls.
2100
2101 I can't call ccs_profile() for profile existence test because
2102 ccs_profile() never returns NULL.
2103
2104 Fix 2009/09/06
2105
2106 @ Fix wrong error code in ccs_try_alt_exec().
2107
2108 ccs_try_alt_exec() was returning ENOMEM when kmalloc() failed.
2109 It needs to return -ENOMEM to fail.
2110
2111 Fix 2009/09/10
2112
2113 @ Do not check umount() permission for mount(MS_MOVE) requests.
2114
2115 Until 1.6.x , umount() restriction was black listing. In 1.7.0 , it is
2116 white listing. This change caused "mount --move old new" requests to
2117 require "allow_unmount old" permission in addition to
2118 "allow_mount old new --move 0" permission.
2119 But we don't want to allow umount(old) requests when we want to allow
2120 only mount(old, new, MS_MOVE) requests. Thus, I modified not to check
2121 "allow_unmount old" permission for mount(old, new, MS_MOVE) requests.
2122
2123 Fix 2009/09/11
2124
2125 @ Support recursive match operators.
2126
2127 Until now, ccs_path_matches_pattern() did not support recursive
2128 comparison. Thus, users had to repeat "/\*" when they want to specify
2129 recursively.
2130
2131 I introduced "\{" and "\}" as repetition operator.
2132 To ensure consistency with TOMOYO's '/'-tokenized pattern matching rules
2133 and "\-" operator, only "/\{dir\}/" sequences (where dir does not contain
2134 '/') is permitted.
2135
2136 Fix 2009/09/24
2137
2138 @ Don't check chmod/chown capability for requests from kernel.
2139
2140 Until now, ccs_setattr_permission() was inserted in notify_change().
2141 But notify_change() is also called by requests from kernel (e.g. UnionFS)
2142 and it made difficult to use TOMOYO on UnionFS.
2143
2144 Thus, I moved ccs_capable() checks from ccs_setattr_permission() to
2145 ccs_chmod_permission() and ccs_chown_permission(), and removed
2146 ccs_setattr_permission().
2147
2148 Fix 2009/09/25
2149
2150 @ Embed more information into audit logs.
2151
2152 Until now, /proc/ccs/grant_log /proc/ccs/reject_log /proc/ccs/query were
2153 not printing file's information (e.g. file's uid/gid/mode).
2154
2155 Recently, users who started using "if" clause expect that the learning
2156 mode automatically adds various conditions like "if task.uid=path1.uid".
2157
2158 But the profile will become too complicated if I support all possible
2159 conditions. Thus, I added all information which is enough to generate
2160 "if" clause with all possible conditions from audit logs.
2161
2162 Now, the learning mode got different usage. Users can specify
2163 "CONFIG::learning={ max_entry=0 }" in the profile. All requests which
2164 are not permitted by policy will be sent to /proc/ccs/reject_log with
2165 "mode=learning" header lines. Users can selectively append conditions
2166 and append to the policy using "/usr/sbin/ccs-loadpolicy -d".
2167 The learning mode with "CONFIG::learning={ max_entry=0 }" is almost
2168 the same with the permissive mode, only difference is "mode=learning"
2169 and "mode=permissive".
2170
2171 Fix 2009/10/05
2172
2173 @ Fix size truncation bug at ccs_memcmp().
2174
2175 ccs_memcmp() was using "u8" for size parameter by error. Therefore, when
2176 size >= 256 was passed to ccs_memcmp(), it was doing partial comparison
2177 (incorrect result) or read overrun (CPU stall).
2178
2179 ccs_memcmp() should use "size_t" for size parameter because size of
2180 "struct ccs_condition" may exceed 256 bytes if complicated condition was
2181 given.
2182
2183 Fix 2009/10/08
2184
2185 @ Add CONFIG_CCSECURITY_DEFAULT_LOADER option.
2186
2187 I made the default policy loader's pathname ( /sbin/ccs-init )
2188 configurable.
2189
2190 @ Add CONFIG_CCSECURITY_ALTERNATIVE_TRIGGER option.
2191
2192 Some environments do not have /sbin/init . In such environments, we need
2193 to use different program's pathname (e.g. /init or /linuxrc ) as
2194 activation trigger.
2195
2196 Thus, I made the alternative trigger ( /sbin/ccs-start ) configurable.
2197
2198 Fix 2009/11/02
2199
2200 @ Fix buffer contention.
2201
2202 A permission like
2203
2204 allow_env PATH if exec.envp["PATH"]="/"
2205
2206 was not working since I was using the same buffer for both environment
2207 variable's name and value.
2208
2209 Fix 2009/11/03
2210
2211 @ Fix memory leak in ccs_write_address_group_policy().
2212
2213 I forgot to call kfree() if same entry was added.
2214
2215 @ Reduce mutexes.
2216
2217 I was using mutex_lock()/mutex_unlock() so that I can use
2218 atomic_dec_and_test() for removing an element from a list.
2219 I moved that operation to garbage collector in order to reduce frequency
2220 of mutex_lock()/mutex_unlock() calls.
2221
2222 @ Escape from nested loops correctly.
2223
2224 In ccs_read_address_group_policy(), I was escaping from nested loops
2225 correctly. But in ccs_read_path_group_policy() and
2226 ccs_read_number_group_policy(), I wasn't.
2227
2228 As a result, reading path_group and number_group caused kernel oops
2229 when they were not read atomically.
2230
2231 Fix 2009/11/06
2232
2233 @ Fix incorrect allow_mount audit log.
2234
2235 Audit log for allow_mount was using decimal format.
2236 It needs to use hexadecimal format.
2237
2238 Fix 2009/11/09
2239
2240 @ Add profile version check.
2241
2242 To avoid upgrading from TOMOYO 1.6.x to TOMOYO 1.7.x without upgrading
2243 /proc/ccs/profile (which results in not protecting the system at all),
2244 I added a check for PROFILE_VERSION= .
2245
2246 Version 1.7.1 2009/11/11 Fourth anniversary release.
2247
2248 Fix 2009/11/13
2249
2250 @ Don't use core_initcall() for initializing lock for GC.
2251
2252 Some kernels call TOMOYO's hooks before processing core_initcall().
2253 Thus, I can't use core_initcall() for initializing lock for GC.
2254
2255 Fix 2009/11/18
2256
2257 @ Don't check "allow_write" permission for open(O_RDONLY | O_TRUNC).
2258
2259 Since TOMOYO checks "allow_truncate" permission rather than "allow_write"
2260 permission for O_TRUNC, I need to distinguish open(O_RDONLY | O_TRUNC)
2261 and open(O_RDWR | O_TRUNC). But I made a mistake between TOMOYO 1.7.0 and
2262 1.7.1 which made it impossible for TOMOYO for kernels 2.6.14 and earlier
2263 to distinguish them.
2264
2265 Fix 2009/11/27
2266
2267 @ Use newly created domain's name for domain creation audit log.
2268
2269 Since 1.7.0 , /proc/ccs/reject_log was by error using existing domain's
2270 name when auditing newly created domain's "use_profile" line.
2271
2272 Fix 2009/12/12
2273
2274 @ Use rcu_read_lock() for find_task_by_pid().
2275
2276 Since kernel 2.6.18 , caller of find_task_by_pid() needs to call
2277 rcu_read_lock() rather than read_lock(&tasklist_lock) because find_pid()
2278 uses RCU primitives but spinlock does not prevent RCU callback if
2279 preemptive RCU ( CONFIG_PREEMPT_RCU or CONFIG_TREE_PREEMPT_RCU ) is
2280 enabled.
2281
2282 Fix 2009/12/15
2283
2284 @ Allow deleting "quota_exceeded" and "transition_failed" entries.
2285
2286 To notify users of "this domain has too many entries to hold" and "some
2287 process in this domain was not able to perform domain transition",
2288 "quota_exceeded" and "transition_failed" messages are used respectively.
2289 These messages were not deletable. But it is more convenient for users
2290 to be notified again if such events occurred again after tuning policy.
2291 Thus, I made these messages deletable.
2292
2293 Fix 2009/12/17
2294
2295 @ Don't check read permission in ccs_try_alt_exec().
2296
2297 While I was trying to remove ccs_execve_list list for GC optimization
2298 between TOMOYO 1.7.0 and 1.7.1 , I made a mistake which made TOMOYO to
2299 check allow_read permission of the programs specified by execute_handler
2300 and denied_execute_handler keywords.
2301
2302 @ Don't check DAC permission if disabled mode.
2303
2304 I was checking DAC permissions regarding directory entry modification
2305 operations (e.g. mkdir()) even if mode=disabled . It is a waste of CPU
2306 resource to check DAC permissions when MAC permissions are not checked.
2307 Thus, I modified to skip DAC permission checks if mode=disabled .
2308
2309 Fix 2009/12/19
2310
2311 @ Fix memory leak in ccs_environ().
2312
2313 When I fixed a bug that a permission like
2314
2315 allow_env PATH if exec.envp["PATH"]="/"
2316
2317 was not working (2009/11/02), I allocated two buffers but only one buffer
2318 was released.
2319
2320 This bug will trigger OOM killer if environment variable checking is
2321 enabled.
2322
2323 Fix 2010/01/17
2324
2325 @ Use current domain's name for execute_handler audit log.
2326
2327 Since 1.6.7 , /proc/ccs/grant_log was by error using next domain's name
2328 when auditing current domain's "execute_handler" line.
2329
2330 Fix 2010/03/02
2331
2332 @ Allow domain transition without execve().
2333
2334 To be able to split permissions for Apache's CGI programs which are
2335 executed without execve(), I added special domain transition which is
2336 performed by atomically writing '\0'-terminated binary string to
2337 /proc/ccs/.transition interface. For example, a process which belongs to
2338 "<kernel> /usr/sbin/httpd" domain will transit to
2339 "<kernel> /usr/sbin/httpd //app=cgi1\040id=10000" domain by atomically
2340 writing "app=cgi1 id=10000" + '\0' to /proc/ccs/.transition using
2341 Apache's ap_hook_handler() functionality.
2342
2343 Note that '\0'-terminated binary string is converted to TOMOYO's string
2344 inside kernel and prefix "//" is automatically added to the string so
2345 that domainname does not conflict with domainnames created by execve().
2346 Without this prefix, if "<kernel> /usr/sbin/sshd /bin/bash" domain is
2347 allowed to open /proc/ccs/.transition for writing and
2348 "<kernel> /usr/sbin/sshd /bin/bash /usr/bin/passwd" domain is allowed to
2349 access /etc/shadow , /bin/bash will be able to access /etc/shadow by
2350 atomically writing "/usr/bin/passwd" + '\0' to /proc/ccs/.transition .
2351 Allowing /bin/bash to access /etc/shadow is not what people want.
2352
2353 Permission for this operation is checked by "allow_transit" keyword.
2354 Unlike "allow_execute" keyword, the string parameter for "allow_transit"
2355 keyword does not refer a real file on filesystem's namespace. Therefore,
2356 you can store any combination of parameters like LDAP's DN entry in the
2357 string parameter for "allow_transit" keyword.
2358
2359 Fix 2010/03/08
2360
2361 @ Allow building as loadable kernel module.
2362
2363 To be able to minimize filesize increment of vmlinux, I made it
2364 possible to compile TOMOYO Linux as loadable kernel module.
2365 Although patching the kernel source and recompiling the kernel are
2366 inevitable, this change will make it easier to enable TOMOYO Linux
2367 when there is a filesize limitation on vmlinux (e.g. embedded systems).
2368
2369 Fix 2010/03/25
2370
2371 @ Fix ccs_get_ipv6_address() bug.
2372
2373 Since 1.7.0 , ccs_get_ipv6_address() was by error returning address of
2374 "struct list_head ccs_address_list" if memory allocation failed.
2375 As a result, ccs_put_ipv6_address() will modify memory near
2376 "struct list_head ccs_address_list" if memory allocation failed.
2377
2378 Fix 2010/03/26
2379
2380 @ Fix ccs_lport_reserved() bug.
2381
2382 Since 1.7.0 , ccs_lport_reserved() was by error checking wrong port
2383 number. As a result, "deny_autobind" keyword was not working as expected.
2384
2385 Version 1.7.2 2010/04/01 Feature enhancement release.
2386
2387 Fix 2010/04/10
2388
2389 @ Fix invalid "struct nameidata" to "struct path" conversion macro.
2390
2391 Regarding kernels 2.6.24 and earlier, I was converting "struct nameidata"
2392 to "struct path" in caller side so that I can unify the callee function's
2393 parameter type. But it turned out that the macro I used did not follow C
2394 standards and did not work with gcc 4.x . As a result, "allow_pivot_root"
2395 keyword was not working as expected.
2396
2397 Fix 2010/05/05
2398
2399 @ Fix incorrect audit on/off control.
2400
2401 The grant_log= and reject_log= parameters of CONFIG::misc::env were not
2402 used because I forgot to update request type. As a result, those of
2403 CONFIG::file::execute were used for CONFIG::misc::env .
2404
2405 Those of CONFIG::file::rewrite were not used because I forgot to update
2406 request type. As a result, those of CONFIG::file::truncate were used for
2407 CONFIG::file::rewrite .
2408
2409 Fix 2010/05/10
2410
2411 @ Fix incorrect out of memory warning.
2412
2413 Out of memory warnings were not printed in some cases by error.
2414
2415 Fix 2010/05/27
2416
2417 @ Add missing rcu_dereference() for ccs_find_execute_handler().
2418
2419 Since 1.7.0 , ccs_find_execute_handler() was by error using
2420 list_for_each_entry() rather than list_for_each_entry_rcu().
2421 This bug affects only Alpha architecture.
2422
2423 Fix 2010/06/03
2424
2425 @ Fix missing sanity check for "file_pattern".
2426
2427 Since 1.7.0 , ccs_write_pattern_policy() was by error accepting
2428 invalid pathname.
2429
2430 Fix 2010/06/09
2431
2432 @ Add missing ccs_put_name() in ccs_parse_envp().
2433
2434 Since 1.7.0 , ccs_parse_envp() was not calling ccs_put_name() if
2435 environment variable's value ('if exec.envp["name"]="value"' condition)
2436 was invalid.
2437
2438 @ Add missing NULL check in ccs_condition().
2439
2440 Since 1.7.0 , if 'if symlink.target=' part was given against non-file
2441 permissions (e.g. allow_env PATH if symlink.target="/"), it triggered
2442 NULL pointer dereference.
2443
2444 Fix 2010/10/28
2445
2446 @ Fix umount() pathname calculation.
2447
2448 "mount --bind /path/to/file1 /path/to/file2" is legal.
2449 Therefore, "umount /path/to/file2" is also legal.
2450 Do not automatically append trailing '/' if pathname to be unmounted
2451 does not end with '/'.
2452
2453 @ Add preserve KABI compatibility option. (2.6 kernels only)
2454
2455 TOMOYO needs "struct ccs_domain_info *" and "u32" for each
2456 "struct task_struct". But embedding these variables into
2457 "struct task_struct" breaks KABI for prebuilt kernel modules (which
2458 means that you will need to rebuild prebuilt kernel modules).
2459
2460 Since KABI is commonly used (compared to 5 years ago), asking users to
2461 rebuild kernel modules which are not included in kernel package is no
2462 longer preferable. Therefore, I added a new option that keeps
2463 "struct task_struct" unmodified in order to keep KABI.
2464
2465 Note that you have to use ccs-patch-2.6.\*.diff which patches
2466 kernel/fork.c in order to use this option. Otherwise, TOMOYO will leak
2467 memory whenever "struct task_struct" is released.
2468
2469 @ Change directives.
2470
2471 I removed "allow_" prefix from directives. New directives for files are
2472 prefixed with "file ". For example, "allow_read" changed to "file read",
2473 "allow_ioctl" changed to "file ioctl". New directive for "allow_network
2474 TCP" is "network inet stream", "allow_network UDP" is "network inet
2475 dgram", "allow_network RAW" is "network inet raw". New directive for
2476 "allow_env" is "misc env". New directive for "allow_signal" is "ipc
2477 signal". New directive for "allow_capability" is "capability". These new
2478 directives correspond with keywords used by profile's CONFIG lines.
2479
2480 I removed "deny_rewrite" and "allow_rewrite" directives and introduced
2481 "file append" directive. Thus, permission for open(O_WRONLY | O_APPEND)
2482 changed from "allow_write" + "allow_rewrite" to "file append".
2483
2484 I removed "SYS_MOUNT", "SYS_UMOUNT", "SYS_CHROOT", "SYS_KILL",
2485 "SYS_LINK", "SYS_SYMLINK", "SYS_RENAME", "SYS_UNLINK", "SYS_CHMOD",
2486 "SYS_CHOWN", "SYS_IOCTL", "SYS_PIVOT_ROOT" keywords from capabilities
2487 because these permissions can be checked by other directives (e.g.
2488 "file mount", "ipc signal").
2489
2490 I also removed "conceal_mount" keyword from capabilities because this
2491 check requires hooks in filesystem part while almost all hooks for
2492 filesystem part have moved to LSM by Linux 2.6.34.
2493
2494 New directive for "execute_handler" is "task auto_execute_handler",
2495 "denied_execute_handler" is "task denied_execute_handler".
2496
2497 @ Distinguish send() and recv() operations.
2498
2499 Until now, it was impossible for UDP and IP sockets to allow either
2500 only sending or only receiving because permissions were aggregated with
2501 "connect" keyword. I broke "connect" keyword into "send" and "recv"
2502 keywords so that you can keep access control for send() operation enabled
2503 when you have to disable access control for recv() operation due to
2504 application breakage by discarding incoming datagram.
2505
2506 @ Add Unix domain socket restriction support.
2507
2508 Until now, it was possible to restrict only inet domain sockets (i.e.
2509 TCP/UDP/RAW). I added restriction for Unix domain sockets (i.e. stream/
2510 dgram/seqpacket). New directive "network unix" is added as well as
2511 "network inet" directive.
2512
2513 @ Allow specifying multiple permissions in a line.
2514
2515 Until now, only "allow_read/write" can be specified for combination of
2516 "allow_read" + "allow_write". Now, you can combine other permissions as
2517 long as type of parameters for these permissions is same. For example,
2518 "file read/write/append/execute/unlink/truncate /tmp/file" is correct
2519 but "file read/write/create /tmp/file" is wrong because "file create"
2520 requires create mode whereas "file read" and "file write" do not.
2521
2522 @ Allow wildcard for execute permission and domainname.
2523
2524 Until now, to execute programs with temporary names, "aggregator" is
2525 needed. To simplify code, I modified to accept wildcards for execute
2526 permission and domainname. Now, you can directly specify
2527 "file execute /tmp/logrotate.\?\?\?\?\?\?" and use
2528 "/tmp/logrotate.\?\?\?\?\?\?" within domainnames.
2529
2530 @ Change pathname for non-rename()able filesystems.
2531
2532 LSM version of TOMOYO wants to use /proc/self/ rather than /proc/$PID/ if
2533 $PID matches current thread's process ID in order to prevent current
2534 thread from accessing other process's information unless needed.
2535 But since procfs can be mounted on various locations (e.g. /proc/ /proc2/
2536 /p/ /tmp/foo/100/p/ ), LSM version of TOMOYO cannot tell that whether the
2537 numeric part in the string returned by __d_path() represents process ID
2538 or not.
2539
2540 Therefore, to be able to convert from $PID to self no matter where procfs
2541 is mounted, I changed pathname representations for filesystems which do
2542 not support rename() operation (e.g. proc, sysfs, securityfs).
2543
2544 Now, "/proc/self/mounts" changed to "proc:/self/mounts" and
2545 "/sys/kernel/security/" changed to "sys:/kernel/security/" and
2546 "/dev/pts/0" changed to "devpts:/0".
2547
2548 @ Add a new keyword "any" for domain transition control.
2549
2550 To be able to make it easier to apply auto_execute_handler on each
2551 domain, I added "any" keyword to domain transition control keywords. Now,
2552 "initialize_domain /usr/sbin/sshd" changed to
2553 "initialize_domain /usr/sbin/sshd from any" and
2554 "keep_domain <kernel> /usr/sbin/sshd /bin/bash" changed to
2555 "keep_domain any from <kernel> /usr/sbin/sshd /bin/bash".
2556
2557 "keep_domain /path/to/auto_execute_handler from any" will allow you to
2558 apply auto_execute_handler for any domains without creating domains for
2559 auto_execute_handler.
2560
2561 @ Change buffering mode for reading policy.
2562
2563 To be able to read() very very long lines correctly, I changed the way
2564 TOMOYO buffers policy for reading.
2565
2566 @ Introduce "acl_group" keyword.
2567
2568 Until now, it was possible to specify only "allow_read" and "allow_env"
2569 keywords in the exception policy.
2570
2571 Since some operations like "file read/write/append /dev/null" and
2572 "network UDP send/recv @DNS_SERVER 53" are very common and should be
2573 permitted to all domains, I introduced "acl_group" keyword for giving
2574 such permissions.
2575
2576 For example, specify "acl_group 0 file read/write/append /dev/null" in
2577 the exception policy and specify "use_group 0" from the domains in the
2578 domain policy.
2579
2580 "ignore_global_allow_read" and "ignore_global_allow_env" directives were
2581 removed from domain policy and "use_group" keyword was added.
2582
2583 @ Remove "if" and "; set" keyword.
2584
2585 I removed need for specifying these keyword.
2586 You can simply specify like below.
2587
2588 file read /etc/shadow task.uid=0
2589
2590 @ Remove "file_pattern" keyword.
2591
2592 I removed "file_pattern" keyword because it is impossible to predefine
2593 all possible pathname patterns. Also, learning pathnames using incomplete
2594 patterns makes it difficult to later replace using "path_group" keyword.
2595
2596 @ Replace verbose= parameter with statistic interface.
2597
2598 Since it is noisy if a lot of policy violation messages are printed,
2599 I removed printk(). To be able to check whether policy violation occurred
2600 or not, I introduced /proc/ccs/stat interface which counts number of
2601 policy violations occurred. You can firstly check /proc/ccs/stat and then
2602 check /proc/ccs/reject_log .
2603
2604 @ Remove global preference.
2605
2606 I removed global preference in order to make code simpler.
2607
2608 @ Allow controlling generation of access granted logs for per an entry
2609 basis.
2610
2611 I added per-entry flag which controls generation of grant logs because
2612 Xen and KVM issues ioctl requests so frequently. For example,
2613
2614 file ioctl /dev/null 0x5401 grant_log=no
2615
2616 will suppress /proc/ccs/grant_log even if preference says grant_log=yes .
2617
2618 file ioctl /dev/null 0x5401 grant_log=yes
2619
2620 will generate /proc/ccs/grant_log even if preference says grant_log=no .
2621
2622 file ioctl /dev/null 0x5401
2623
2624 will generate /proc/ccs/grant_log only if preference says grant_log=yes .
2625
2626 This flag is intended for frequently accessed resources like
2627
2628 file read /var/www/html/\{\*\}/\*.html grant_log=no
2629
2630 .
2631
2632 @ Automatically create domain by execve() even if enforcing mode.
2633
2634 Until now, new domains are not created if the domain was not defined and
2635 current domain is enforcing mode ("CONFIG::file::execute=enforcing").
2636
2637 To be able to restrict shell session without using "keep_domain",
2638 I changed to create new domains automatically even if current domain is
2639 enforcing mode.
2640
2641 @ Replace "task.state" with "auto_domain_transition".
2642
2643 task.state is difficult to use. Thus, I replaced task.state with
2644 auto_domain_transition which performs domain transition instead of
2645 changing current process's state variables.
2646
2647 If domain transition failed, current process will be killed by SIGKILL
2648 signal. This should not happen in normal circumstances, for you know the
2649 domain to transit to and thereby you will define the domain beforehand
2650 when you use "auto_domain_transition" keyword.
2651
2652 @ Replace "allow_transit" with "task manual_domain_transition".
2653
2654 I changed this directive to specify absolute domainname (e.g.
2655 "<kernel> /usr/sbin/httpd //app=cgi1\040id=10000") rather than virtual
2656 pathname (e.g. "//app=cgi1\040id=10000") because you know the domain to
2657 transit to and thereby you will define the domain beforehand when you use
2658 "task manual_domain_transition" directive.
2659
2660 This change allows you to jump to arbitrary domain.
2661
2662 Note that this change also reverts "Change /proc/ccs/info/self_domain ."
2663 made on 2006/10/24. Now, 'cat < /proc/ccs/info/self_domain' will act like
2664 'cat /proc/ccs/info/self_domain'. Programs depending on old assumption
2665 need to be updated.
2666
2667 @ Add "task auto_domain_transition".
2668
2669 This is similar to "task manual_domain_transition", but is automatically
2670 applied whenever conditions are met. For example,
2671
2672 task auto_domain_transition <kernel> //./non-root task.uid!=0
2673
2674 will automatically jump to "<kernel> //./non-root" domain if current
2675 process's UID is not 0 whereas
2676
2677 task manual_domain_transition <kernel> //./non-root task.uid!=0
2678
2679 will jump to "<kernel> //./non-root" domain if current process's UID is
2680 not 0 and current process wrote "<kernel> //./non-root" to
2681 /proc/ccs/self_domain interface.
2682
2683 If domain transition failed, current process will be killed by SIGKILL
2684 signal.
2685
2686 @ Optimize for object's size.
2687
2688 I merged similar code in order to reduce object's filesize.
2689
2690 Version 1.8.0 2010/11/11 Fifth anniversary release.
2691
2692 Fix 2010/12/01
2693
2694 @ Use same interface for audit logs.
2695
2696 To be able to perform fine grained filtering by /usr/sbin/ccs-auditd ,
2697 I merged /proc/ccs/grant_log and /proc/ccs/reject_log as
2698 /proc/ccs/audit and added granted=yes or granted=no to audit logs.
2699
2700 Fix 2010/12/17
2701
2702 @ Split ccs_null_security into ccs_default_security and ccs_oom_security.
2703
2704 ccs_null_security is used by preserve KABI compatibility option and is
2705 used for providing default values against threads which have not yet
2706 allocated memory for their security contexts.
2707
2708 If current thread failed to allocate memory for current thread's security
2709 context, current thread uses ccs_null_security. Since current thread is
2710 allowed to modify current thread's security context, current thread might
2711 modify ccs_null_security which should not be modified for any reason.
2712
2713 Therefore, I split ccs_null_security into ccs_default_security and
2714 ccs_oom_security and use ccs_oom_security when current thread failed to
2715 allocate memory for current thread's security context.
2716
2717 Threads which do not share ccs_oom_security are not affected by threads
2718 which share ccs_oom_security. Threads which share ccs_oom_security will
2719 experience temporary inconsistency, but such threads are about to be
2720 killed by SIGKILL signal.
2721
2722 Fix 2011/01/11
2723
2724 @ Use filesystem name for unnamed devices when vfsmount is missing.
2725
2726 "Change pathname for non-rename()able filesystems." changed to use
2727 "$fsname:" if the filesystem does not support rename() operation and
2728 "dev($major,$minor):" otherwise when vfsmount is missing. But it turned
2729 out that it is useless to use "dev($major,$minor):" for unnamed devices
2730 (filesystems with $major == 0). Thus, I changed to use "$fsname:" rather
2731 than "dev($major,$minor):" for filesystems with $major == 0 when vfsmount
2732 is missing.
2733
2734 Fix 2011/02/07
2735
2736 @ Fix infinite loop bug when reading /proc/ccs/audit or /proc/ccs/query .
2737
2738 In ccs_flush(), head->r.w[0] holds pointer to string data to be printed.
2739 But head->r.w[0] was updated only when the string data was partially
2740 printed (because head->r.w[0] will be updated by head->r.w[1] later if
2741 completely printed). However, regarding /proc/ccs/audit and
2742 /proc/ccs/query , an additional '\0' is printed after the string data was
2743 completely printed. But if free space for read buffer became 0 before
2744 printing the additional '\0', ccs_flush() was returning without updating
2745 head->r.w[0]. As a result, ccs_flush() forever reprints already printed
2746 string data.
2747
2748 Fix 2011/03/01
2749
2750 @ Run garbage collector without waiting for /proc/ccs/ users.
2751
2752 Currently TOMOYO holds SRCU lock upon open() and releases it upon close()
2753 because list elements stored in the "struct ccs_io_buffer" instances are
2754 accessed until close() is called. However, such SRCU usage causes lockdep
2755 to complain about leaving the kernel with SRCU lock held. Therefore,
2756 I changed to hold/release SRCU upon each read()/write() by selectively
2757 deferring kfree() by keeping track of the "struct ccs_io_buffer"
2758 instances.
2759
2760 Fix 2011/03/05
2761
2762 @ Support built-in policy configuration.
2763
2764 To be able to start using enforcing mode from the early stage of boot
2765 sequence, I added support for built-in policy configuration and
2766 activating access control without calling external policy loader program.
2767
2768 This will be useful for systems where operations which can lead to the
2769 hijacking of the boot sequence are needed before loading the policy.
2770 For example, you can activate immediately after loading the fixed part of
2771 policy which will allow only operations needed for mounting a partition
2772 which contains the variant part of policy and verifying (e.g. running GPG
2773 check) and loading the variant part of policy. Since you can start using
2774 enforcing mode from the beginning, you can reduce the possibility of
2775 hijacking the boot sequence.
2776
2777 Fix 2011/03/10
2778
2779 @ Remove /proc/ccs/meminfo interface.
2780
2781 Please use /proc/ccs/stat interface instead.
2782
2783 Fix 2011/03/15
2784
2785 @ Pack policy when printing via /proc/ccs/ interface.
2786
2787 The kernel side is ready for accepting packed input like
2788
2789 file read/write/execute /path/to/file
2790
2791 but was using unpacked output like
2792
2793 file read /path/to/file
2794 file write /path/to/file
2795 file execute /path/to/file
2796
2797 because most of userland tools were not ready for accepting packed input.
2798
2799 The advantages of using packed policy are that it makes policy files
2800 smaller and it speeds up loading/saving policy files.
2801
2802 Since most of userland tools are ready for accepting packed input by now,
2803 I changed to use packed policy for both input and output.
2804
2805 Fix 2011/03/31
2806
2807 @ Fix conditional policy parsing.
2808
2809 Since exec.realpath= and symlink.target= accept path_group,
2810 symlink.target="@foo" was by error parsed as symlink.target=@foo .
2811
2812 @ Serialize updating profile's comment line.
2813
2814 We need to serialize when updating COMMENT= line in /proc/ccs/profile .
2815
2816 Version 1.8.1 2011/04/01 Usability enhancement with "Zettai, Daijoubudayo" release!
2817
2818 Fix 2011/04/03
2819
2820 @ Fix fcntl(F_SETFL, O_APPEND) handling.
2821
2822 Since 1.8.0, TOMOYO was by error checking "file write" permission rather
2823 than "file append" permission when changing file's writing mode from
2824 "overwriting" to "append".
2825
2826 This error should impact little (except CentOS 6.0 kernels) because once
2827 a file was opened for "overwriting" mode, changing that file to "append"
2828 mode cannot undo overwriting the file. Regarding CentOS 6.0 kernels,
2829 due to different ACC_MODE definition, TOMOYO was by error needlessly
2830 checking "file read" permission when fcntl() was requested.
2831
2832 Fix 2011/04/20
2833
2834 @ Remove unused "struct inode *" parameter from hooks.
2835
2836 Since pre-vfs functions were removed on 2010/09/18, "struct inode *"
2837 parameter which was used for checking parent directory's DAC permission
2838 is no longer used.
2839
2840 Note that "struct ccsecurity_operations ccsecurity_ops" has changed.
2841 Loadable kernel modules that depends on it need to be rebuilt.
2842
2843 Fix 2011/05/05
2844
2845 @ Fix wrong profile number in audit logs for "misc env" permission.
2846
2847 Profile number used for "file execute" permission was by error reused
2848 when generating audit logs for "misc env" permission.
2849
2850 Fix 2011/05/11
2851
2852 @ Fix wrong domainname validation.
2853
2854 "<kernel>" + "/foo/\" + "/bar" was by error checked when
2855 "<kernel> /foo/\* /bar" was given. As a result, legal domainnames like
2856 "<kernel> /foo/\* /bar" are rejected.
2857
2858 Fix 2011/06/06
2859
2860 @ Add policy namespace support.
2861
2862 To be able to use TOMOYO in LXC environments, I introduced policy
2863 namespace. Each policy namespace has its own set of domain policy,
2864 exception policy and profiles, which are all independent of other
2865 namespaces.
2866
2867 @ Remove CONFIG_CCSECURITY_BUILTIN_INITIALIZERS option.
2868
2869 From now on, exception policy and manager need to be able to handle
2870 policy namespace (which is a <$namespace> prefix added to each line).
2871 Thus, space-separated list for CONFIG_CCSECURITY_BUILTIN_INITIALIZERS is
2872 no longer suitable for handling policy namespace.
2873
2874 Fix 2011/06/10
2875
2876 @ Allow specifying trigger for activation.
2877
2878 To be able to use TOMOYO under systemd environments where init= parameter
2879 is used, I changed to allow overriding the trigger for calling external
2880 policy loader and activating MAC via kernel command line options.
2881
2882 Fix 2011/06/14
2883
2884 @ Remove unused "struct inode *" parameter from ccs-patch-\*.diff .
2885
2886 To follow changes I made on 2011/04/20, I removed "struct inode *" from
2887 ccs_mknod_permission(), ccs_mkdir_permission(), ccs_rmdir_permission(),
2888 ccs_unlink_permission(), ccs_symlink_permission(), ccs_link_permission(),
2889 ccs_rename_permission() that are called from fs/namei.c
2890 net/unix/af_unix.c include/linux/security.c security/security.c .
2891 If you have your own ccs-patch-*.diff , please update accordingly.
2892
2893 Version 1.8.2 2011/06/20 Usability enhancement release.
2894
2895 Fix 2011/07/07
2896
2897 @ Remove /proc/ccs/.domain_status interface.
2898
2899 Writing to /proc/ccs/.domain_status can be emulated by
2900
2901 ( echo "select " $domainname; echo "use_profile " $profile ) |
2902 /usr/sbin/ccs-loadpolicy -d
2903
2904 and reading from /proc/ccs/.domain_status can be emulated by
2905
2906 grep -A 1 '^<' /proc/ccs/domain_policy |
2907 awk ' { if ( domainname == "" ) { if ( substr($1, 1, 1) == "<" )
2908 domainname = $0; } else if ( $1 == "use_profile" ) {
2909 print $2 " " domainname; domainname = ""; } } ; '
2910
2911 . Since this interface is used by only /usr/sbin/ccs-setprofile ,
2912 remove this interface by updating /usr/sbin/ccs-setprofile .
2913
2914 Fix 2011/07/09
2915
2916 @ Fix /proc/ccs/stat parser.
2917
2918 For optimization, I changed to use simple_strtoul() rather than sscanf()
2919 in ccs_write_stat(). But it caused parsing failure if space is inserted
2920 before value (e.g. "Memory used by policy: $value").
2921
2922 Fix 2011/07/13
2923
2924 @ Accept "::" notation for IPv6 address.
2925
2926 In order to add network access restriction to TOMOYO 2.4, I backported
2927 routines for parsing/printing IPv4/IPv6 address from kernel 3.0 into
2928 TOMOYO 1.8.2.
2929 Now, IPv6 address accepts "::1" instead of "0:0:0:0:0:0:0:1".
2930
2931 Fix 2011/09/03
2932
2933 @ Avoid race when retrying "file execute" permission check.
2934
2935 There was a race window that the pathname which is subjected to
2936 "file execute" permission check when retrying via supervisor's decision
2937 because the pathname was recalculated upon retry. Though, there is an
2938 inevitable race window even without supervisor, for we have to calculate
2939 the symbolic link's pathname from "struct linux_binprm"->filename rather
2940 than from "struct linux_binprm"->file because we cannot back calculate
2941 the symbolic link's pathname from the dereferenced pathname.
2942
2943 @ Remove unneeded daemonize().
2944
2945 Garbage collector thread is created using kthread_create() since 2.6.7.
2946 Kernel threads created by kthread_create() does not need to call
2947 daemonize().
2948
2949 Fix 2011/09/16
2950
2951 @ Allow specifying domain transition preference.
2952
2953 I got an opinion that it is difficult to use exception policy's domain
2954 transition control directives because they need to match the pathname
2955 specified to "file execute" directives. For example, if "file execute
2956 /bin/\*\-ls\-cat" is given, corresponding domain transition control
2957 directive needs to be like "no_keep_domain /bin/\*\-ls\-cat from any".
2958
2959 To solve this difficulty, I introduced optional argument that supersedes
2960 exception policy's domain transition control directives.
2961
2962 file execute /bin/ls keep exec.realpath="/bin/ls" exec.argv[0]="ls"
2963 file execute /bin/cat keep exec.realpath="/bin/cat" exec.argv[0]="cat"
2964 file execute /bin/\*\-ls\-cat child
2965 file execute /usr/sbin/httpd <apache> exec.realpath="/usr/sbin/httpd" exec.argv[0]="/usr/sbin/httpd"
2966
2967 This argument allows transition to different domains based on conditions.
2968
2969 <kernel> /usr/sbin/sshd
2970 file execute /bin/bash <kernel> /usr/sbin/sshd //batch-session exec.argc=2 exec.argv[1]="-c"
2971 file execute /bin/bash <kernel> /usr/sbin/sshd //root-session task.uid=0
2972 file execute /bin/bash <kernel> /usr/sbin/sshd //nonroot-session task.uid!=0
2973
2974 Fix 2011/09/25
2975
2976 @ Simplify garbage collector.
2977
2978 It turned out that use of batched processing tends to choke garbage
2979 collector when certain pattern of entries are queued. Thus, I replaced it
2980 with sequential processing.
2981
2982 Version 1.8.3 2011/09/29 Usability enhancement release.
2983
2984 Fix 2011/10/24
2985
2986 @ Fix incomplete read after seek.
2987
2988 ccs_flush() tries to flush data to be read as soon as possible.
2989 ccs_select_domain() (which is called by write()) enqueues data which
2990 meant to be read by next read(), but previous read()'s read buffer's
2991 size was not cleared. As a result, since 1.8.0, sequence like
2992
2993 char *cp = "select global-pid=1\n";
2994 read(fd, buf1, sizeof(buf1));
2995 write(fd, cp, strlen(cp));
2996 read(fd, buf2, sizeof(buf2));
2997
2998 causes enqueued data to be flushed to buf1 rather than buf2.
2999
3000 @ Use query id for reaching target process's domain policy.
3001
3002 Use query id for reaching target process's domain policy rather than
3003 target process's global PID. This is for synchronizing with TOMOYO 2.x,
3004 but this change makes /usr/sbin/ccs-queryd more reliable because the
3005 kernel will return empty domain policy when the query has expired before
3006 ccs-queryd reaches target process's domain policy.
3007
3008 @ Fix quota counting.
3009
3010 "task manual_domain_transition" should not be counted for quota as with
3011 "task auto_domain_transition"/"task auto_execute_handler"/
3012 "task denied_execute_handler" because these are not appended by learning
3013 mode.
3014
3015 Fix 2011/11/11
3016
3017 @ Optimize for object's size.
3018
3019 I rearranged functions/variables into three groups in order to reduce
3020 object's filesize. Also, I added kernel config options for reducing more
3021 by excluding unnecessary functionality.
3022
3023 Fix 2011/11/18
3024
3025 @ Fix kernel config mapping error.
3026
3027 Due to a typo in ccs_p2mac definition, mode for CONFIG::file::execute was
3028 by error used when checking "file getattr" permission. Most users will
3029 not be affected by this error because CONFIG::file::execute and
3030 CONFIG::file::getattr are by default configured to use CONFIG::file or
3031 CONFIG settings.
3032
3033 Fix 2011/12/13
3034
3035 @ Follow __d_path() behavior change. (Only 2.6.36 and later)
3036
3037 The behavior of __d_path() has changed in 3.2-rc5. __d_path() now returns
3038 NULL when the pathname cannot be calculated. You must update to this
3039 version when using with 3.2-rc5 and later kernels, or the kernel will
3040 panic because ccs_get_absolute_path() triggers NULL pointer dereference.
3041
3042 The patch that changed the behavior of __d_path() might be backported to
3043 2.6.36 to 3.1 kernels. You must update to this version if the patch was
3044 backported, or you will experience the kernel panic as with 3.2-rc5.
3045
3046 The patch that changed the behavior of __d_path() also changed the way of
3047 handling pathnames under lazy-unmounted directory. Until now, TOMOYO was
3048 using incomplete pathnames returned by __d_path() when the pathname is
3049 under lazy-unmounted directory. But from now on, TOMOYO uses different
3050 pathnames returned by ccs_get_local_path() when the pathname is under
3051 lazy-unmounted directory (because __d_path() no longer returns it).
3052
3053 Since applications unlikely do lazy unmounts, requesting pathnames under
3054 lazy-unmounted directory should not happen unless the administrator
3055 explicitly does lazy unmounts. But pathnames which is defined for such
3056 conditions in the policy file (if any) will need to be rewritten.
3057
3058 Fix 2012/01/20
3059
3060 @ Follow changes in 3.3-rc1.
3061
3062 Use umode_t rather than mode_t.
3063 Remove ipv6_addr_copy() usage.
3064
3065 Fix 2012/02/25
3066
3067 @ Follow changes in linux-next.
3068
3069 UMH_WAIT_PROC constant (currently 1) is scheduled for renumbering in 3.4.
3070
3071 Use UMH_WAIT_PROC constant instead of hardcoded constant in preparation
3072 for backporting call_usermodehelper() related changes. If renumbering was
3073 backported, you will start experiencing the kernel panic upon execution
3074 of external policy loader (i.e. /sbin/ccs-init), for the kernel will no
3075 longer wait for completion of external policy loader process.
3076
3077 Although I changed to use UMH_WAIT_PROC constant, this change could fail
3078 to detect renumbering in 2.6.22 and earlier kernels, for UMH_WAIT_PROC
3079 constant is currently available to only 2.6.23 and later kernels. If you
3080 started to experience the kernel panic, please check whether renumbering
3081 was backported or not.
3082
3083 Fix 2012/02/29
3084
3085 @ Fix mount flags checking order.
3086
3087 Userspace can pass in arbitrary combinations of MS_* flags to mount().
3088
3089 If both MS_BIND and one of MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE
3090 are passed, device name which should be checked for MS_BIND was not
3091 checked because MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE had higher
3092 priority than MS_BIND.
3093
3094 If both one of MS_BIND/MS_MOVE and MS_REMOUNT are passed, device name
3095 which should not be checked for MS_REMOUNT was checked because MS_BIND/
3096 MS_MOVE had higher priority than MS_REMOUNT.
3097
3098 Fix these bugs by changing priority to MS_REMOUNT -> MS_BIND ->
3099 MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE -> MS_MOVE as with do_mount()
3100 does. Also, I changed to unconditionally return -EINVAL if more than one
3101 of MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE is passed so that TOMOYO
3102 will not generate inaccurate audit logs, for commit 7a2e8a8f "VFS: Sanity
3103 check mount flags passed to change_mnt_propagation()" clarified that
3104 these flags must be exclusively passed.
3105
3106 Fix 2012/03/08
3107
3108 @ Allow returning other errors when ptrace permission cannot be checked.
3109
3110 Currently -EPERM is returned when ccs_ptrace_permission() returned an
3111 error code. I changed to return return value from ccs_ptrace_permission()
3112 so that we can return -ESRCH when target process was not found.
3113
3114 Fix 2012/03/16
3115
3116 @ Return appropriate value to poll().
3117
3118 Return POLLIN | POLLRDNORM | POLLOUT | POLLWRNORM if ready to read/write,
3119 POLLOUT | POLLWRNORM otherwise.
3120
3121 Fix 2012/04/22
3122
3123 @ Readd RHEL_MINOR/AX_MINOR checks.
3124
3125 This check was added in revision 2346 and was removed in revision 4084.
3126
3127 Add it back in order to support RHEL 5.0, 5.1, 5.2 kernels.
3128
3129 @ Fix skb_kill_datagram() for kernels 2.6.0 - 2.6.11.
3130
3131 Commit 208d8984 "[IPV4]: Fix BUG() in 2.6.x, udp_poll(), fragments +
3132 CONFIG_HIGHMEM" clarified that skb_kill_datagram() should use
3133 spin_lock_bh()/spin_unlock_bh() rather than
3134 spin_lock_irq()/spin_unlock_irq().
3135
3136 RHEL 4.9 (2.6.9) kernel has that patch backported. So do I.
3137
3138 @ Fix missing locks for RHEL 5.2-5.8 kernels.
3139
3140 Since RHEL 5.2 and later kernels have backported commit 95766fff
3141 "[UDP]: Add memory accounting." patch, TOMOYO needs to call
3142 lock_sock()/release_sock() around skb_kill_datagram() call when UDP
3143 packet was dropped by TOMOYO.
3144
3145 Fix 2012/04/28
3146
3147 @ Accept manager programs which do not start with / .
3148
3149 The pathname of /usr/sbin/ccs-editpolicy seen from Ubuntu 12.04 Live
3150 CD is squashfs:/usr/sbin/ccs-editpolicy rather than
3151 /usr/sbin/ccs-editpolicy . Therefore, we need to accept manager
3152 programs which do not start with / .
3153
3154 Fix 2012/10/08
3155
3156 @ Fix KABI breakage on Ubuntu 12.10.
3157
3158 I was using include/linux/security.h as the common path for pulling in
3159 include/linux/ccsecurity.h so that I can avoid scattering #include line.
3160
3161 When scripts/genksyms/genksyms calculates hash values for Module.symvers
3162 file, it uses the extracted form of involved structures if the structure
3163 layout is known but it instead uses UNKNOWN if the structure layout is
3164 not known. Therefore, pulling in include files that define structure's
3165 layout from include/linux/ccsecurity.h causes changes in the hash values
3166 and causes KABI breakage, even if no changes were made to the involved
3167 structures.
3168
3169 Fix this breakage by avoiding pulling in include/linux/sched.h and
3170 include/linux/dcache.h from include/linux/ccsecurity.h where possible.
3171
3172 Fix 2015/01/01
3173
3174 @ Fix missing chmod(-1) check in Linux 3.1 and later kernels.
3175
3176 Commit e57712ebebbb9db7 "merge fchmod() and fchmodat() guts, kill
3177 ancient broken kludge" changed chmod(-1) from no-op to setting to
3178 07777. Therefore, TOMOYO must not ignore chmod(-1) case.
3179
3180 @ Fix potentially using bogus attributes when stat() fails.
3181
3182 We should reset attributes information when executing execute_handler
3183 program, or attributes of original program could be used when stat()
3184 on execute_handler program failed.
3185
3186 Fix 2015/04/08
3187
3188 @ Fix incorrect readdir() permission check.
3189
3190 CONFIG_CCSECURITY_FILE_READDIR was meant for allowing users to control
3191 readdir() permission check. However, CONFIG_CCSECURITY_FILE_GETATTR was
3192 by error used for controlling readdir() permission check. This fix
3193 should not affect kernels built with default configuration, for both
3194 CONFIG_CCSECURITY_FILE_READDIR and CONFIG_CCSECURITY_FILE_GETATTR are
3195 defined by default.
3196
3197 Fix 2015/04/15
3198
3199 @ Fix incorrect retry request check.
3200
3201 When a request was asked to retry, acl_group referenced by domain's
3202 use_group keyword was by error ignored. As a result, retrying was not
3203 able to use permissions defined by acl_group.
3204
3205 Fix 2015/05/01
3206
3207 @ Support multiple use_group entries.
3208
3209 Until now, each domain can include only one use_group entry.
3210 I changed to allow each domain to include up to 256 use_group entries.
3211 As a result, you will be able to reduce duplication of policy by
3212 defining multiple acl_group entries based on use cases and including
3213 them from each domain as needed.
3214
3215 Version 1.8.4 2015/05/05 Usability enhancement release.
3216
3217 Fix 2015/11/08
3218
3219 @ Use memory allocation flags used by TOMOYO 2.x.
3220
3221 Until now, TOMOYO 1.x was using memory allocation flags which are weaker
3222 than TOMOYO 2.x in order to make sure that memory allocation request by
3223 TOMOYO 1.x shall not cause silent livelock problem.
3224
3225 But as I learn about this livelock problem, I understood that this is
3226 not a problem which TOMOYO can manage. While hitting a silent livelock
3227 at memory allocation is a problem, refusing critical access requests
3228 by critical processes due to memory allocation failure caused by use of
3229 weaker memory allocation flags is also a problem.
3230
3231 Since situations regarding memory allocation flags in upstream kernels
3232 are changing, it will be safer to use memory allocation flags used by
3233 TOMOYO 2.x.
3234
3235 Fix 2015/11/10
3236
3237 @ Limit wildcard recursion depth.
3238
3239 Since wildcards that need recursion consume kernel stack memory,
3240 we cannot allow infinite recursion.
3241
3242 Version 1.8.5 2015/11/11 Tenth anniversary release.
3243
3244 Fix 2017/02/02
3245
3246 @ Use for_each_thread() for GC operation.
3247
3248 while_each_thread() without tasklist_lock is not safe.
3249 Use for_each_process_thread() if it is available, hold
3250 tasklist_lock otherwise.
3251
3252 Fix 2018/04/01
3253
3254 @ Use smb_rmb() when waiting for initialization.
3255
3256 "while (!cond);" is implicitly optimized like "if (!cond) while (1);".
3257 Use "while (!cond) smp_rmb();" in order to prevent such optimization.
3258
3259 Fix 2019/07/27
3260
3261 @ Change pathname calculation for read-only filesystems.
3262
3263 Commit 5625f2e3266319fd ("TOMOYO: Change pathname for non-rename()able
3264 filesystems.") intended to be applied to filesystems where the content is
3265 not controllable from the userspace (e.g. proc, sysfs, securityfs), based
3266 on an assumption that such filesystems do not support rename() operation.
3267
3268 But it turned out that read-only filesystems also do not support rename()
3269 operation despite the content is controllable from the userspace, and that
3270 commit is annoying TOMOYO users who want to use e.g. squashfs as the root
3271 filesystem due to use of local name which does not start with '/'.
3272
3273 Therefore, based on an assumption that filesystems which require the
3274 device argument upon mount() request is an indication that the content
3275 is controllable from the userspace, do not use local name if a filesystem
3276 does not support rename() operation but requires the device argument upon
3277 mount() request.
3278
3279 @ Reject move_mount() system call for now.
3280
3281 Commit 2db154b3ea8e14b0 ("vfs: syscall: Add move_mount(2) to move mounts
3282 around") introduced security_move_mount() LSM hook, but we missed that
3283 TOMOYO and AppArmor did not implement hooks for checking move_mount(2).
3284 Since unchecked mount manipulation is not acceptable, for now pretend
3285 as if move_mount(2) is unavailable.
3286
3287 @ Don't check open/getattr permission on sockets.
3288
3289 syzbot found that use of SOCKET_I()->sk from open() can result in
3290 use after free problem, for socket's inode is still reachable via
3291 /proc/pid/fd/n despite destruction of SOCKET_I()->sk already completed.
3292
3293 But there is no point with calling security_file_open() on sockets
3294 because open("/proc/pid/fd/n", !O_PATH) on sockets fails with -ENXIO.
3295
3296 There is some point with calling security_inode_getattr() on sockets
3297 because stat("/proc/pid/fd/n") and fstat(open("/proc/pid/fd/n", O_PATH))
3298 are valid. But since information which can be protected by checking
3299 security_inode_getattr() on sockets is trivial, let's not check it.
3300
3301 Version 1.8.6 2019/08/20 Bug fix release.
3302
3303 Fix 2019/12/07
3304
3305 @ Don't use nifty names on sockets.
3306
3307 Revert "Don't check open/getattr permission on sockets.", and then
3308 get rid of special handling of sockets. As a side effect of this patch,
3309 "socket:[family=\$:type=\$:protocol=\$]" in the policy files has to be
3310 rewritten to "socket:[\$]".
3311
3312 Fix 2020/04/09
3313
3314 @ Fix wrong put_page() usage in ccs_dump_page().
3315
3316 ccs_dump_page() for 5.6+ was by error using wrong function to put page.
3317
3318 Fix 2020/05/01
3319
3320 @ Loosen domainname validation and pathname validation.
3321
3322 Currently a domainname must start with "<$namespace>" followed by
3323 zero or more repetitions of a pathname which starts with '/'.
3324
3325 But situation is getting more and more difficult to enforce use of
3326 a pathname which starts with '/', for execve() request of a pathname
3327 on e.g. some filesystems cause ccs_realpath() to return a pathname
3328 in "$fsname:/$pathname" format.
3329
3330 Fortunately, since $fsname must not contain '.' since Linux 2.6.22,
3331 we can recognize a token which appears '/' before '.' appears (e.g.
3332 proc:/self/exe ) as a pathname and a token which appears '.' before
3333 '/' appears (e.g. exec.realpath="/bin/bash" ) as a condition parameter,
3334 with an exception that a pathname cannot start with
3335 auto_domain_transition=" because it is reserved as a delimiter string
3336 for on-match domain transition. Also, we can recognize "<$namespace>"
3337 followed by such tokens (e.g. <kernel> /foo proc:/self/exe /bar ) as
3338 a domainname.
3339
3340 Version 1.8.7 2020/05/05 Usability enhancement release.
3341
3342 Fix 2020/07/22
3343
3344 @ Fix domain transition preference.
3345
3346 The domain transition preference which was introduced in 1.8.3 is
3347 by error ignored since 1.8.3p4, for ccs_update_task_domain() from
3348 ccs_write_log2() from ccs_supervisor() from ccs_audit_log() always
3349 resets r->matched_acl to NULL. Change ccs_update_task_domain() not
3350 to reset r->matched_acl to NULL.
3351
3352 Fix 2020/08/17
3353
3354 @ Fix ccs_realpath() fallback.
3355
3356 ccs_realpath() for 3.17+ was by error not calling ccs_get_local_path()
3357 when ccs_get_absolute_path() returned -EINVAL.
3358
3359 Fix 2020/08/19
3360
3361 @ Fix wrong ccs_search_binary_handler() mapping.
3362
3363 When support for 5.8 kernel was added, ccs_search_binary_handler() for
3364 3.7- was by error mapped to wrong function.
3365
3366 Fix 2020/10/24
3367
3368 @ Fix /proc pathname calculation for Linux 5.8+ kernels.
3369
3370 ccs_realpath() for 5.8+ was by error not using proc_pid_ns() when
3371 calculating /proc pathname.
3372
3373 Version 1.8.8 2020/11/11 Fifteenth anniversary release.
3374
3375 Fix 2021/03/13
3376
3377 @ Skip permission checks for fileless execution requests.
3378
3379 Kernels from 4.18 to 5.8 are using call_usermodehelper_setup_file() for
3380 starting program without a valid pathname on a filesystem.
3381 /sbin/modprobe from dockerd process could not load bpfilter.ko module
3382 because ccs_symlink_path() cannot calculate pathname of program without
3383 a valid pathname. Thus, allow call_usermodehelper_setup_file() to bypass
3384 permission checks and suppress domain transitions.
3385
3386 @ Fix ccs_kernel_service().
3387
3388 Kernels from 5.5 to 5.11 are using PF_KTHREAD flag for the io_uring
3389 worker threads.
3390
3391 Version 1.8.9 2021/04/01 Bug fix release.
3392
3393 Fix 2021/12/28
3394
3395 @ Check exceeded quota early.
3396
3397 Backport commit 04e57a2d952bbd34 ("tomoyo: Check exceeded quota early in
3398 tomoyo_domain_quota_is_ok().") and commit f702e1107601230e ("tomoyo: use
3399 hwight16() in tomoyo_domain_quota_is_ok()"), for these help reducing
3400 overhead of the learning mode. Note that the former patch requires you to
3401 explicitly delete "quota_exceeded" entry from the domain policy in order
3402 to resume the learning mode.
3403
3404 Fix 2024/03/31
3405
3406 @ Fix a UAF bug introduced by an oversight in TOMOYO revision 2930.
3407
3408 Backport commit 2f03fc340cac ("tomoyo: fix UAF write bug in
3409 tomoyo_write_control()").
3410
3411 Version 1.8.10 2024/04/01 Security bug fix release.
3412
3413 Fix 2024/06/28
3414
3415 @ Unblock move_mount() system call.
3416
3417 Since util-linux 2.39 started using libmount-mountfd-support,
3418 implementing appropriate permission check for move_mount() became
3419 necessary for successfully booting a Linux system.
3420
3421 Version 1.8.11 2024/07/15 Bug fix release.
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.