ChangeLog for ccs-patch 1.6.9
Fix 2012/05/04
@ Fix skb_kill_datagram() for kernels 2.6.0 - 2.6.11.
Commit 208d8984 "[IPV4]: Fix BUG() in 2.6.x, udp_poll(), fragments +
CONFIG_HIGHMEM" clarified that skb_kill_datagram() should use
spin_lock_bh()/spin_unlock_bh() rather than
spin_lock_irq()/spin_unlock_irq().
RHEL 4.9 (2.6.9) kernel has that patch backported. So do I.
@ Fix missing locks for RHEL 5.2-5.8 kernels.
Since RHEL 5.2 and later kernels have backported commit 95766fff
"[UDP]: Add memory accounting.", TOMOYO needs to call
lock_sock()/release_sock() around the skb_kill_datagram() call when a UDP
packet is dropped by TOMOYO.
Fix 2012/03/16
@ Return an appropriate value from poll().
Return POLLIN | POLLRDNORM | POLLOUT | POLLWRNORM if the interface is ready
to read, and POLLOUT | POLLWRNORM otherwise.
Fix 2012/02/29
@ Fix mount flags checking order.
Userspace can pass in arbitrary combinations of MS_* flags to mount().
It is legal to pass both MS_BIND and MS_REMOUNT at the same time, but
the current code was rejecting such requests. Also, if multiple MS_* flags
were passed, the resulting permission check was inaccurate.
Fix these bugs by checking the flags in the priority order MS_REMOUNT ->
MS_BIND -> MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE -> MS_MOVE, as
do_mount() does.
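Added example (not ccs-patch's own code): a userspace C model of the dispatch order described above, so that a permission check keyed on its result sees exactly one operation no matter which MS_* bits are combined. The MS_* values are the Linux ABI constants, defined locally so the program builds without <sys/mount.h>; the enum and function names are assumptions for illustration.

```c
#include <stdio.h>

/* Linux ABI values for the mount(2) flags that select an operation.
 * Defined here (instead of including <sys/mount.h>) so the example is
 * self-contained. */
#define MS_REMOUNT     32UL
#define MS_BIND        4096UL
#define MS_MOVE        8192UL
#define MS_UNBINDABLE  (1UL << 17)
#define MS_PRIVATE     (1UL << 18)
#define MS_SLAVE       (1UL << 19)
#define MS_SHARED      (1UL << 20)

/* Hypothetical names for the five branches of do_mount(). */
enum mount_op {
    MOUNT_OP_REMOUNT,      /* do_remount(); MS_BIND alongside it is legal */
    MOUNT_OP_BIND,         /* do_loopback() */
    MOUNT_OP_CHANGE_TYPE,  /* do_change_type(): shared/private/slave/unbindable */
    MOUNT_OP_MOVE,         /* do_move_mount() */
    MOUNT_OP_NEW           /* do_new_mount() */
};

/* Mirror do_mount()'s precedence: the first matching flag decides, and
 * any further MS_* bits do not change which operation is checked. */
enum mount_op classify_mount_flags(unsigned long flags)
{
    if (flags & MS_REMOUNT)
        return MOUNT_OP_REMOUNT;
    if (flags & MS_BIND)
        return MOUNT_OP_BIND;
    if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE | MS_UNBINDABLE))
        return MOUNT_OP_CHANGE_TYPE;
    if (flags & MS_MOVE)
        return MOUNT_OP_MOVE;
    return MOUNT_OP_NEW;
}

const char *mount_op_name(enum mount_op op)
{
    switch (op) {
    case MOUNT_OP_REMOUNT:     return "remount";
    case MOUNT_OP_BIND:        return "bind";
    case MOUNT_OP_CHANGE_TYPE: return "change propagation type";
    case MOUNT_OP_MOVE:        return "move";
    case MOUNT_OP_NEW:         return "new mount";
    }
    return "?";
}

int main(void)
{
    /* Constructed flag words, including the MS_BIND | MS_REMOUNT case
     * that the old check rejected outright. */
    const unsigned long samples[] = {
        MS_REMOUNT | MS_BIND,
        MS_BIND | MS_SHARED,
        MS_SHARED | MS_MOVE,
        MS_MOVE,
        0
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("flags=0x%06lx -> %s\n", samples[i],
               mount_op_name(classify_mount_flags(samples[i])));
    return 0;
}
```

The point of checking in this order is that the kernel itself will only ever perform one of these operations for a given flag word, so a check that looked at MS_BIND before MS_REMOUNT, or at several bits independently, would be deciding on an operation that never happens.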
Fix 2011/05/05
@ Fix race on updating profile's comment line.
Since ccs_save_name() in ccs_write_profile() may return NULL,
ccs_profile->comment ? ccs_profile->comment->name : ""
in ccs_read_profile() may race with it.
Keep the old value rather than replacing it with an empty string when an
out-of-memory error has occurred.
@ Fix wrong profile number in audit logs for "allow_env" permission.
The profile number used for the "allow_execute" permission was mistakenly
reused when generating audit logs for the "allow_env" permission.
Fix 2010/11/22
@ Do not check trailing '/' for deny_unmount keyword.
"mount --bind /path/to/file1 /path/to/file2" is legal.
Therefore, "umount /path/to/file2" is also legal.
Do not reject the request if the pathname to be unmounted does not end
with '/'.
Fix 2010/01/20
@ Use rcu_read_lock() for find_task_by_pid().
Since kernel 2.6.18, the caller of find_task_by_pid() needs to hold
rcu_read_lock() rather than read_lock(&tasklist_lock), because find_pid()
uses RCU primitives and holding a spinlock does not prevent RCU callbacks
from running if preemptible RCU (CONFIG_PREEMPT_RCU or
CONFIG_TREE_PREEMPT_RCU) is enabled.
Fix 2010/01/17
@ Use current domain's name for execute_handler audit log.
Since 1.6.7, /proc/ccs/grant_log was mistakenly using the next domain's
name when auditing the current domain's "execute_handler" line.
@ Fix buffer contention.
A permission like
allow_env PATH if exec.envp["PATH"]="/"
was not working because I was using the same buffer for both the
environment variable's name and its value.
Fix 2009/09/25
@ Fix incorrect reference after ccs_try_alt_exec().
Since 1.6.0, I forgot to update the dentry/vfsmount reference inside
ccs_try_alt_exec(). But this bug did not surface because nothing used the
old dentry/vfsmount after ccs_try_alt_exec().
Fix 2009/07/03
@ Fix buffer overrun when used with CONFIG_SLOB=y .
Since 1.6.7, ccs_allocate_execve_entry() was requesting only 4000 bytes
while the comment says it is 4096 bytes. This may lead to a buffer
overrun when the SLOB allocator is used, because SLOB allocates exactly
4000 bytes whereas the SLAB and SLUB allocators allocate 4096 bytes.
ChangeLog for ccs-patch 1.6.8
Fix 2010/11/22
@ Do not check trailing '/' for deny_unmount keyword.
"mount --bind /path/to/file1 /path/to/file2" is legal.
Therefore, "umount /path/to/file2" is also legal.
Do not reject the request if the pathname to be unmounted does not end
with '/'.
Fix 2010/01/20
@ Use rcu_read_lock() for find_task_by_pid().
Since kernel 2.6.18, the caller of find_task_by_pid() needs to hold
rcu_read_lock() rather than read_lock(&tasklist_lock), because find_pid()
uses RCU primitives and holding a spinlock does not prevent RCU callbacks
from running if preemptible RCU (CONFIG_PREEMPT_RCU or
CONFIG_TREE_PREEMPT_RCU) is enabled.
Fix 2010/01/17
@ Use current domain's name for execute_handler audit log.
Since 1.6.7, /proc/ccs/grant_log was mistakenly using the next domain's
name when auditing the current domain's "execute_handler" line.
@ Fix buffer contention.
A permission like
allow_env PATH if exec.envp["PATH"]="/"
was not working because I was using the same buffer for both the
environment variable's name and its value.
Fix 2009/09/25
@ Fix incorrect reference after ccs_try_alt_exec().
Since 1.6.0, I forgot to update the dentry/vfsmount reference inside
ccs_try_alt_exec(). But this bug did not surface because nothing used the
old dentry/vfsmount after ccs_try_alt_exec().
Fix 2009/07/03
@ Fix buffer overrun when used with CONFIG_SLOB=y .
Since 1.6.7, ccs_allocate_execve_entry() was requesting only 4000 bytes
while the comment says it is 4096 bytes. This may lead to a buffer
overrun when the SLOB allocator is used, because SLOB allocates exactly
4000 bytes whereas the SLAB and SLUB allocators allocate 4096 bytes.
ChangeLog for ccs-patch 1.6.7
Fix 2009/05/20
@ Update recvmsg() hooks.
Since 1.5.0, I was doing network access control for incoming UDP and RAW
packets inside skb_recv_datagram(). But to synchronize with the LSM
version, I moved the ccs_recv_datagram_permission() hook from
skb_recv_datagram() to udp_recvmsg()/udpv6_recvmsg()/raw_recvmsg()/
rawv6_recvmsg() and renamed it ccs_recvmsg_permission().
Fix 2009/05/19
@ Don't call get_fs_type() with a mutex held.
Until now, when ccs_update_mount_acl() was called with an unsupported
filesystem, /sbin/modprobe was executed from get_fs_type() to load the
filesystem module, and get_fs_type() does not return until /sbin/modprobe
finishes.
This means a deadlock if /sbin/modprobe (which is executed via
get_fs_type() in ccs_update_mount_acl()) itself calls
ccs_update_mount_acl(), although that won't happen unless an administrator
installs an execute_handler that issues mount() requests in learning mode
or adds "allow_mount" entries to /proc/ccs/system_policy .
I modified the code to unlock the mutex before calling get_fs_type().
Fix 2009/05/08
@ Add condition for symlink's target pathname.
Until now, the "allow_symlink" keyword allowed creation of a symlink but
did not check the symlink's target. Usually this is no problem because
permission checks are done using the dereferenced pathname. But in some
cases we should restrict the symlink's target. For example,
"ln -s .htpasswd /var/www/html/readme.html" by a CGI program should be
blocked because we allow Apache to read both
/var/www/html/readme.html and /var/www/html/.htpasswd .
Thus, I added a new condition, "symlink.target".
allow_symlink /var/www/html/\*.html if symlink.target="\*.html"
allow_symlink /var/www/html/\*\-.\* if symlink.target="\*\-.\*"
@ Don't return -EAGAIN at ccs_socket_recvmsg_permission().
It turned out that accept() and recvmsg() are not permitted to return
-EAGAIN if poll() said connections/datagrams are ready. However, recvmsg()
could return -EAGAIN and potentially confuse some applications because
ccs_socket_recvmsg_permission() was returning -EAGAIN.
Thus, I modified ccs_socket_recvmsg_permission() to return -ENOMEM
rather than -EAGAIN.
Fix 2009/04/07
@ Fix IPv4's "address_group" handling error.
Since 1.6.5, due to a missing ntohl() (byte order conversion) in
ccs_update_address_group_entry(), "address_group" with IPv4 addresses was
not working.
This problem happens on little-endian platforms (e.g. x86).
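Added example (not ccs-patch's own code): an IPv4 range check of the kind an address_group entry needs, with a hand-written ntohl() and, for contrast, a variant that skips the conversion on the stored endpoints, modelled on the bug above. The range 10.0.0.200-10.0.1.100 and the probe addresses are constructed so that the unconverted comparison gives the wrong answer on little-endian hosts while both forms agree on big-endian ones; the function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse "a.b.c.d" into a 32-bit word whose bytes are laid out in network
 * order, i.e. what inet_pton() leaves in struct in_addr. Returns false on
 * malformed input. */
bool ipv4_parse(const char *s, uint32_t *net)
{
    unsigned int b[4];
    char extra;
    if (sscanf(s, "%u.%u.%u.%u%c", &b[0], &b[1], &b[2], &b[3], &extra) != 4)
        return false;
    for (int i = 0; i < 4; i++)
        if (b[i] > 255)
            return false;
    uint8_t raw[4] = { (uint8_t)b[0], (uint8_t)b[1], (uint8_t)b[2], (uint8_t)b[3] };
    memcpy(net, raw, sizeof raw);
    return true;
}

/* ntohl() written by hand: assemble the value from the bytes, which is
 * correct on big- and little-endian hosts alike. */
uint32_t ipv4_to_host(uint32_t net)
{
    uint8_t b[4];
    memcpy(b, &net, sizeof b);
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8) | (uint32_t)b[3];
}

/* Fixed form: the stored endpoints and the address are all compared in
 * host order. Returns 1 inside, 0 outside, -1 on parse error. */
int ipv4_in_range(const char *addr, const char *min, const char *max)
{
    uint32_t a, lo, hi;
    if (!ipv4_parse(addr, &a) || !ipv4_parse(min, &lo) || !ipv4_parse(max, &hi))
        return -1;
    uint32_t ha = ipv4_to_host(a);
    return ha >= ipv4_to_host(lo) && ha <= ipv4_to_host(hi);
}

/* Broken form, modelled on the 1.6.5 bug: the endpoints are kept as
 * parsed (network order) while the address is in host order. On a
 * big-endian host the two orders coincide and this happens to work; on
 * x86 it compares unrelated integers. */
int ipv4_in_range_unconverted(const char *addr, const char *min, const char *max)
{
    uint32_t a, lo, hi;
    if (!ipv4_parse(addr, &a) || !ipv4_parse(min, &lo) || !ipv4_parse(max, &hi))
        return -1;
    uint32_t ha = ipv4_to_host(a);
    return ha >= lo && ha <= hi;
}

int main(void)
{
    /* Constructed range and probes: the range crosses an octet boundary so
     * the unconverted compare misclassifies on little-endian hosts. */
    const char *lo = "10.0.0.200", *hi = "10.0.1.100";
    const char *probes[] = { "10.0.1.0", "10.0.0.201", "10.0.2.1" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-11s in %s-%s: fixed=%d unconverted=%d\n", probes[i], lo, hi,
               ipv4_in_range(probes[i], lo, hi),
               ipv4_in_range_unconverted(probes[i], lo, hi));
    return 0;
}
```

A bug of this shape is invisible in tests run on big-endian hardware and only shows up on x86, which is why the ChangeLog entry names the platform.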
Fix 2009/04/06
@ Drop "undelete domain" command.
I added the "undelete domain" command on 2007/01/19, but it was never used
by policy management tools. The garbage collector I added on 2007/01/29
automatically reuses memory and allows administrators to switch domain
policy periodically, provided that the administrator kills the processes
in old domains before recreating domains with the same domainnames.
Thus, I dropped the "undelete domain" command.
@ Escape invalid characters in ccs_check_mount_permission2().
ccs_check_mount_permission2() was passing unencoded strings to printk(),
ccs_update_mount_acl() and ccs_check_supervisor(). This may cause
/proc/ccs/system_policy and /proc/ccs/query to contain invalid
characters within a string.
ChangeLog for ccs-patch 1.6.5
Fix 2009/03/24
@ Add CONFIG_TOMOYO_BUILTIN_INITIALIZERS option.
Some systems don't have /sbin/modprobe and /sbin/hotplug .
Thus, I made these pathnames configurable.
Fix 2009/03/23
@ Move sysctl()'s check from ccs-patch-\*.diff to fs/tomoyo_file.c .
Since try_parse_table() in kernel/sysctl.c is almost identical across
all versions, I moved that function to fs/tomoyo_file.c .
@ Relocate definitions and functions.
To reduce exposed symbols, I relocated some definitions and functions.
Fix 2009/03/18
@ Add MAC_FOR_IOCTL functionality.
To be able to restrict ioctl() requests, I added MAC_FOR_IOCTL
functionality.
This functionality requires modification of ccs-patch-\*.diff .
@ Use better name for socket's pathname.
Until now, a socket's pathname was represented in "socket:[\$]" format,
where \$ is the inode number. But the inode number is useless for name
based access control. Therefore, I changed the representation of a
socket's pathname to the "socket:[family=\$:type=\$:protocol=\$]" format.
This will help administrators control ioctl() against sockets more
precisely.
@ Fix misplaced ccs_capable() call. (only 2.6.8-\* and 2.6.9-\*)
The location of the ccs_capable(TOMOYO_SYS_IOCTL) call in sys_ioctl() had
been wrong since version 1.1 .
@ Insert ccs_check_ioctl_permission() call.
To make the MAC_FOR_IOCTL functionality work, I inserted a
ccs_check_ioctl_permission() call into ccs-patch-\*.diff .
Fix 2009/03/13
@ Show only profile entry names ever specified.
Even if an administrator specifies only COMMENT= and MAC_FOR_FILE=
entries for /proc/ccs/profile , all available profile entries are shown.
This was designed to help administrators know what entries are
available, but the entries showing default values are sometimes just
noise.
Thus, I modified it to show only the profile entry names that have ever
been specified.
Fix 2009/03/02
@ Undelete CONFIG_TOMOYO_AUDIT option.
While HDD-less systems can use profiles with MAX_GRANT_LOG=0 and
MAX_REJECT_LOG=0 , I restored the CONFIG_TOMOYO_AUDIT option to save the
memory used by the /proc/ccs/grant_log and /proc/ccs/reject_log
interfaces.
Fix 2009/02/26
@ Fix profile read error.
Incorrect profiles were shown in /proc/ccs/profile
if either CONFIG_SAKURA or CONFIG_TOMOYO is disabled.
Fix 2009/01/28
@ Fix "allow_read" + "allow_write" != "allow_read/write" problem.
Since 1.6.0, due to a bug in ccs_update_single_path_acl(),
appending an "allow_read/write" entry didn't update the internal
"allow_read" and "allow_write" entries. As a result, an attempt to
open(O_RDWR) succeeds but open(O_RDONLY) and open(O_WRONLY) fail.
The workaround is to write the entry twice when newly appending it.
If written twice, the internal "allow_read" and "allow_write" entries
are updated.
Fix 2009/01/05
@ Use kmap_atomic()/kunmap_atomic() for reading "struct linux_binprm".
As remove_arg_zero() uses kmap_atomic(KM_USER0), I changed the code to use
kmap_atomic(KM_USER0) rather than kmap().
Fix 2008/12/24
@ Add "ccs_" prefix.
To be able to tell whether a symbol is TOMOYO Linux related or not,
I added "ccs_" prefix as much as possible.
@ Fix ccs_check_flags() error message.
I meant to print the SYAORAN-ERROR: message when error == -EPERM,
but I had been printing it when error == 0 since 1.6.0 .
Fix 2008/12/09
@ Fix ccs_can_save_audit_log() checks.
Due to the incorrect statement "if (ccs_can_save_audit_log() < 0)",
which is never true because ccs_can_save_audit_log() returns a boolean,
MAX_GRANT_LOG and MAX_REJECT_LOG were not working.
This bug can trigger the OOM killer if /usr/sbin/ccs-auditd is not running.
Fix 2008/12/01
@ Introduce "task.type=execute_handler" condition.
The execute_handler directive is very powerful. You can use this
directive to do anything you want (e.g. logging, validating and
modifying command line parameters and environment variables, opening,
closing and redirecting files, creating pipes to implement antivirus and
spam filtering, deploying a DMZ between the ssh daemon and the login
shells).
To be able to use this directive in a domain with the keep_domain
directive while limiting access to the resources needed for such purposes
to only programs invoked as an execute handler process, I added a new
condition.
In learning mode, the "if task.type=execute_handler" condition part will
be automatically added for requests issued by an execute_handler process.
@ Introduce file's type and permissions as conditions.
To be able to limit the file types a process can access, I added
new conditions for checking a file's type and permissions.
For example,
allow_read /etc/fstab if path1.type=file path1.perm=0644
will allow opening /etc/fstab for reading only if /etc/fstab is a regular
file and its permission bits are 0644, and
allow_write /dev/null if path1.type=char path1.dev_major=1 path1.dev_minor=3
will allow opening /dev/null for writing only if /dev/null is a character
device file with major=1 and minor=3.
@ Add memory quota for temporary memory used for auditing.
Although there are MAX_GRANT_LOG and MAX_REJECT_LOG parameters
which limit the number of audit log entries so that we can bound the
memory consumed by audit logs, it would be more convenient if we could
also limit the size in bytes.
Thus, I added a new quota line.
echo Dynamic: 1048576 > /proc/ccs/meminfo
This quota is not applied to temporary memory used for permission checks.
ChangeLog for ccs-patch 1.6.4
Fix 2008/11/07
@ Fix is_alphabet_char().
is_alphabet_char() should match 'A' - 'Z' and 'a' - 'z',
but was matching only 'A' - 'F' and 'a' - 'f'.
@ Add /proc/ccs/.execute_handler .
Process information became visible to userspace through the
"Show process information in /proc/ccs/.process_status" feature.
However, programs specified by the execute_handler directive may run as a
non-root user, making it impossible for them to see process information.
So, I added a new interface that allows execute handler processes
to see process information. The content of /proc/ccs/.execute_handler is
identical to /proc/ccs/.process_status .
Fix 2008/11/04
@ Use sys_getpid() instead of current->pid.
Kernel 2.6.24 introduced PID namespaces.
To compare a PID given from userland, I can't use current->pid.
So, I changed the code to use sys_getpid() instead of current->pid.
I also changed get_absolute_path() to use task_tgid_nr_ns() instead of
current->tgid on 2.6.25 and later when checking /proc/self/ .
Fix 2008/10/20
@ Use rcu_dereference() when walking the list.
I was relying on "dependency ordering" for appending an element to a list
without asking the reader to take a lock. But "dependency ordering"
is not respected by DEC Alpha or by some aggressive value-speculation
compiler optimizations.
In such environments, relying on "dependency ordering" can lead to a
system crash because the reader might read uninitialized values from a
newly appended element.
To prevent the reader from reading uninitialized values from a newly
appended element, I inserted rcu_dereference() when walking the list.
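Added example (not ccs-patch's own code): the userspace counterpart of the pattern above written with C11 atomics, a single writer appending fully initialised nodes to a linked list that readers walk without a lock. The release store stands in for rcu_assign_pointer() and the acquire load for rcu_dereference(); a plain pointer read in the reader would be the "dependency ordering" assumption that DEC Alpha and value-speculating compilers do not honour. The example is single-threaded and does not model the grace period RCU needs before freeing a node; the acl_* names and the perm field are assumptions.

```c
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One ACL entry (illustrative shape; not TOMOYO's struct). */
struct acl_entry {
    const char *path;                  /* pathname this entry covers */
    int perm;                          /* hypothetical permission bits */
    _Atomic(struct acl_entry *) next;  /* published link to the next entry */
};

struct acl_list {
    _Atomic(struct acl_entry *) head;
};

void acl_list_init(struct acl_list *list)
{
    atomic_init(&list->head, NULL);
}

/* Writer side. Every field of the node is written first, then the link is
 * published with a release store (the rcu_assign_pointer() analogue).
 * There is a single writer here; in the kernel a mutex serialises writers
 * while readers still take no lock. Returns 0, or -1 if out of memory. */
int acl_list_append(struct acl_list *list, const char *path, int perm)
{
    struct acl_entry *node = malloc(sizeof(*node));
    if (!node)
        return -1;
    node->path = path;
    node->perm = perm;
    atomic_init(&node->next, NULL);

    /* Walk to the last link. Relaxed loads suffice for the writer because
     * it is the only thread that ever stores to these links. */
    _Atomic(struct acl_entry *) *link = &list->head;
    for (;;) {
        struct acl_entry *cur = atomic_load_explicit(link, memory_order_relaxed);
        if (!cur)
            break;
        link = &cur->next;
    }
    atomic_store_explicit(link, node, memory_order_release);
    return 0;
}

/* Reader side. Each link is loaded with acquire (the rcu_dereference()
 * analogue), so the fields written before the matching release store are
 * visible before they are read. Returns the perm of the first entry whose
 * path matches, or -1 if there is none. */
int acl_list_lookup(struct acl_list *list, const char *path)
{
    struct acl_entry *cur = atomic_load_explicit(&list->head, memory_order_acquire);
    while (cur) {
        if (strcmp(cur->path, path) == 0)
            return cur->perm;
        cur = atomic_load_explicit(&cur->next, memory_order_acquire);
    }
    return -1;
}

/* Teardown. Real RCU would wait a grace period before each free() so that
 * no reader still holds the node; this single-threaded example skips it. */
void acl_list_free(struct acl_list *list)
{
    struct acl_entry *cur = atomic_load_explicit(&list->head, memory_order_relaxed);
    while (cur) {
        struct acl_entry *next = atomic_load_explicit(&cur->next, memory_order_relaxed);
        free(cur);
        cur = next;
    }
    atomic_store_explicit(&list->head, NULL, memory_order_relaxed);
}

int main(void)
{
    struct acl_list list;
    acl_list_init(&list);
    acl_list_append(&list, "/etc/fstab", 4);   /* constructed sample entries */
    acl_list_append(&list, "/dev/null", 2);
    printf("/etc/fstab  -> %d\n", acl_list_lookup(&list, "/etc/fstab"));
    printf("/etc/shadow -> %d\n", acl_list_lookup(&list, "/etc/shadow"));
    acl_list_free(&list);
    return 0;
}
```

On x86 the acquire load compiles to an ordinary load, so the cost of doing this correctly is nil there; the point of the annotation is that the compiler is now forbidden from speculating the loaded pointer, and on Alpha the right barrier is emitted.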
Fix 2008/10/15
@ Show process information in /proc/ccs/.process_status .
To be able to determine a process's type, I added a command "info PID"
which returns process information for the specified PID in
"PID manager=\* execute_handler=\* state[0]=\$ state[1]=\$ state[2]=\$"
format.
Fix 2008/10/14
@ Fix ccs_check_condition() bug.
Due to a bug in ccs_check_condition(), it was impossible to use
task.state[0] task.state[1] task.state[2] inside the condition part
if the ACL does not involve a pathname. For example, an ACL like
allow_network TCP connect @HTTP_SERVERS 80 if task.state[0]=100
didn't work.
Fix 2008/10/11
@ Remove domain_acl_lock mutex.
I noticed that I don't need to keep all functions that modify an ACL of
a domain mutually exclusive. Since each function handles a different type
of ACL, locking is needed only when they append an ACL to a domain.
So, I modified the code to use local locks.
Fix 2008/10/07
@ Don't transit to new domain until do_execve() succeeds.
Until now, a process's domain was updated to the new domain the process
would belong to before do_execve() succeeded, so that the kernel could do
permission checks for interpreters and environment variables based on the
new domain. But this caused a subtle problem when another process sent
signals to the process, because the process returns to the old domain if
do_execve() fails.
So, I modified the code to pass the new domain to the functions so that I
can avoid modifying a process's domain before do_execve() succeeds.
@ Use old task state for audit logs.
Until now, audit logs were generated using the task state after
processing the "; set task.state" part. But to generate accurate logs,
I modified the code to save the task state before processing the
"; set task.state" part and use the saved state for audit logs.
@ Use a structure for passing parameters.
As the number of parameters is increasing, I changed the code to use a
structure for passing parameters.
Fix 2008/10/01
@ Add retry counter into /proc/ccs/query .
To be able to handle some of the queries from /proc/ccs/query without user
interaction, I added a retry counter for avoiding the infinite loop caused
by the "try again" response.
Fix 2008/09/19
@ Allow selecting a domain by PID.
Sometimes we want to know what ACLs are given to a specific PID, but
finding the domainname for that PID from /proc/ccs/.process_status and
reading the ACLs from /proc/ccs/domain_policy by domainname is very slow.
Thus, I modified /proc/ccs/domain_policy to allow selecting a domain by
PID. For example, to read the domain ACL of the current process from bash,
run as follows.
# exec 100<>/proc/ccs/domain_policy
# echo select pid=$$ >&100
# while read -u 100; do echo $REPLY; done
Once a domain has been selected by PID, reading /proc/ccs/domain_policy
will print only that domain if that PID exists, or print nothing otherwise.
@ Disallow concurrent /proc/ccs/ access using the same file descriptor.
Until now, one process could read() from /proc/ccs/ while another process
that shares the file descriptor write()s to /proc/ccs/ .
But to implement the "Allow selecting a domain by PID" feature, I disabled
concurrent read()/write() because the feature needs to modify the read
buffer while writing.
Fix 2008/09/11
@ Remember whether the process is allowed to write to /proc/ccs/ interface.
Since programs for manipulating policy (e.g. ccs-queryd ) are installed
in the form of RPM/DEB packages, these programs lose their original
pathnames when they are updated by the package manager. The package
manager renames these programs before deleting them so that it can roll
back the operation.
This causes a problem when the programs are listed in /proc/ccs/manager
by pathname, as the programs will no longer be allowed to write to the
/proc/ccs/ interface while a process of the old version of the program is
alive.
To solve this problem, I modified the kernel to remember that the process
was once allowed to write to the /proc/ccs/ interface until the process
attempts to execute a different program.
This change makes it impossible to revoke permission to write to the
/proc/ccs/ interface without killing the process, but it is better
than a nonfunctioning ccs-queryd program.
Fix 2008/09/09
@ Add "try again" response to "delayed enforcing" mode.
To be able to handle pathname changes caused by software updates,
"delayed enforcing" mode was introduced. It allows the administrator to
grant access requests which are about to be rejected by the kernel.
To handle pathname changes caused by software updates better, I introduced
the "try again" response. As "delayed enforcing" mode puts a process which
violated policy to sleep, the administrator can update policy while the
process is sleeping. The "try again" response then allows the administrator
to restart the policy checks from the beginning after updating policy.
ChangeLog for ccs-patch 1.6.3
Fix 2008/08/29
@ Remove "-ccs" suffix from Makefile's EXTRAVERSION.
To reduce conflicts on Makefile's EXTRAVERSION,
I removed the "-ccs" suffix from ccs-patch-2.\*.diff .
Those who build kernels without using specs/build-\*.sh ,
please edit the EXTRAVERSION tag manually so that the original kernels
will not be overwritten by TOMOYO Linux kernels.
Fix 2008/08/21
@ Add workaround for gcc 4.3's bug.
In some environments, fs/tomoyo_network.c could not be compiled
because of a gcc 4.3 bug.
I modified save_ipv6_address() to use an "integer literal" value
instead of a "static const u8" variable.
@ Change prototypes of some functions.
To support 2.6.27 kernels, I replaced "struct nameidata" with
"struct path" for some functions.
@ Detect distributor specific patches automatically.
Since the number of kernels with the AppArmor patch applied is increasing,
I introduced a mechanism which determines whether specific patches
are applied or not, based on "#define" directives in the patches.
ChangeLog for ccs-patch 1.6.2
Fix 2008/07/08
@ Don't check permissions if vfsmount is NULL.
Some filesystems (e.g. unionfs) pass a NULL vfsmount.
I changed fs/tomoyo_file.c not to try to calculate pathnames
if the vfsmount is NULL.
Fix 2008/07/01
@ Fix "Compilation failure" with 2.4.20 kernel.
RedHat Linux 9's 2.4.20 kernel backported the O(1) scheduler patch,
resulting in a compilation error at ccs_load_policy().
I added a defined(TASK_DEAD) check.
ChangeLog for ccs-patch 1.6.1
Fix 2008/06/25
@ Return 0 when ccs_may_umount() succeeds.
I forgot to clear the error value in ccs_may_umount() when the requested
directory didn't match a "deny_unmount" directive. As a result, any umount()
request with RESTRICT_UNMOUNT=enforcing returned -EPERM.
Fix 2008/06/22
@ Pass escaped pathname to audit_execute_handler_log().
I was passing an unescaped pathname to audit_execute_handler_log(),
which caused /proc/ccs/grant_log to contain whitespace characters
if the execute handler's pathname contains whitespace characters.
Fix 2008/06/11
@ Remove ALLOW_ENFORCE_GRACE parameter.
Since unexpected requests caused by software updates can happen
in all profiles, users would likely have to write ALLOW_ENFORCE_GRACE=enabled
in all profiles. That makes it meaningless to allow users to selectively
enable a specific profile's ALLOW_ENFORCE_GRACE parameter.
So, I removed the ALLOW_ENFORCE_GRACE parameter.
Now, the system behaves as if ALLOW_ENFORCE_GRACE=enabled is specified.
The behavior of "delayed enforcing" mode is defined in the following
order.
(1) The request is rejected immediately if nobody has the
/proc/ccs/query interface open.
(2) The request is rejected after 10 seconds if somebody other than
ccs-queryd (such as less(1)) has the /proc/ccs/query interface open,
because such a process doesn't write dummy decisions.
Fix 2008/06/10
@ Allow using patterns for globally readable files.
To allow users to specify locale-specific files as globally readable
files, I relaxed the checking in update_globally_readable_entry().
Fix 2008/06/05
@ Fix realpath for pipes and sockets.
Kernel 2.6.22 and later use a different method for calculating d_path().
Since fs/realpath.c didn't account for the change, the realpath of pipes
appeared as "pipe:" rather than "pipe:[\$]" when they were opened via
the /proc/PID/fd/ directory.
@ Add process's information into /proc/ccs/query .
While /proc/ccs/grant_log and /proc/ccs/reject_log contain the process's
information, /proc/ccs/query doesn't.
To be able to make more use of ccs-queryd and ccs-notifyd, I added it to
/proc/ccs/query .
Fix 2008/06/04
@ Check open mode of /proc/ccs/ interface.
It turned out that I can avoid allocating memory for reading if
FMODE_READ is not set, and memory for writing if FMODE_WRITE is not set.
@ Wait for completion of /sbin/ccs-init .
Since the 2.4 kernel's call_usermodehelper() can't wait for termination of
the executed program, I was using the close() request on
/proc/ccs/meminfo to indicate that loading policy had finished.
But since /proc/ccs/meminfo may be accessed by /etc/ccs/ccs-post-init to
set the memory quota, I stopped using the close() request.
The policy loader no longer needs to access /proc/ccs/meminfo to notify
the kernel that loading policy has finished.
ChangeLog for ccs-patch 1.6.0
Fix 2008/05/06
@ Add memory quota.
1.5.x returned -ENOMEM when FindNextDomain() failed to create a new
domain, but I forgot to return -ENOMEM when find_next_domain() failed to
create a new domain.
A domain is automatically created by find_next_domain() only if
the domain for the requested program doesn't exist.
This behavior is for the administrator's convenience.
The administrator needn't know beforehand how many domains are needed for
running all the programs in the system when developing the policy.
But the administrator does not want the kernel to reject execution of the
requested program while developing the policy.
So, I think it is better to grant execution of programs even if
find_next_domain() failed to create a new domain than to reject execution.
Thus, I decided not to return -ENOMEM when find_next_domain() failed to
create a new domain. This exception breaks the domain transition rules,
so I print a "transition_failed" warning in /proc/ccs/domain_policy
when this exception happens.
Also, to prevent the system from being halted by unexpectedly allocating
all kernel memory for the policy, I added a memory quota.
This quota is configurable via /proc/ccs/meminfo like
echo Shared: 1048576 > /proc/ccs/meminfo
echo Private: 1048576 > /proc/ccs/meminfo
Fix 2008/04/21
@ Add workaround for gcc 3.2.2's inline bug.
RedHat Linux 9's gcc 3.2.2 generated bad code equivalent to
if ((var_of_u8 & 0x000000BF) & 0x80000000) { }
where the expected code is
if ((var_of_u8 & 0xBF) & 0x80) { }
when inlining ccs_acl_type2() into print_entry(),
resulting in a runtime BUG().
I added the expected code explicitly as a workaround.
Fix 2008/04/20
@ Fix "Compilation failures" with kernels before 2.4.30/2.6.11 .
Turbolinux 10 Server's 2.6.8 kernel backported kzalloc() as an inline
function, resulting in a compilation error at kzalloc().
I converted kzalloc() from an inline function into a macro.
Fix 2008/04/14
@ Fix "Compilation failures" and "Initialization ordering bugs"
with kernels before 2.4.30/2.6.11 .
2.6 kernels before 2.6.9 didn't have include/linux/hardirq.h ,
resulting in a compilation error at #include <linux/hardirq.h> .
I added an #elif condition.
CentOS 4.6's 2.6.9 kernel calls do_execve() before initialization of
ccs_alloc(), resulting in a NULL pointer dereference.
I changed __initcall to core_initcall.
CentOS 4.6's 2.6.9 kernel backported kzalloc() from 2.6.14 ,
resulting in a compilation error at kzalloc().
I modified the prototype of kzalloc().