ChangeLog for ccs-patch 1.7.4
Fix 2024/03/31
@ Fix a UAF bug introduced by an oversight in TOMOYO revision 2930.
Backport commit 2f03fc340cac ("tomoyo: fix UAF write bug in
tomoyo_write_control()").
ChangeLog for ccs-patch 1.7.3
Fix 2015/01/01
@ Fix missing chmod(-1) check in Linux 3.1 and later kernels.
Commit e57712ebebbb9db7 "merge fchmod() and fchmodat() guts, kill
ancient broken kludge" changed chmod(-1) from a no-op into setting the
mode to 07777. Therefore, TOMOYO must not ignore the chmod(-1) case.
@ Fix potentially using bogus attributes when stat() fails.
We should reset the attribute information when executing the
execute_handler program; otherwise the attributes of the original program
could be used when stat() on the execute_handler program fails.
Fix 2012/05/04
@ Fix skb_kill_datagram() for kernels 2.6.0 - 2.6.11.
Commit 208d8984 "[IPV4]: Fix BUG() in 2.6.x, udp_poll(), fragments +
CONFIG_HIGHMEM" clarified that skb_kill_datagram() should use
spin_lock_bh()/spin_unlock_bh() rather than
spin_lock_irq()/spin_unlock_irq().
RHEL 4.9 (2.6.9) kernel has that patch backported. So do I.
@ Fix missing locks for RHEL 5.2-5.8 kernels.
Since RHEL 5.2 and later kernels have backported commit 95766fff
"[UDP]: Add memory accounting.", TOMOYO needs to call
lock_sock()/release_sock() around the skb_kill_datagram() call when a UDP
packet is dropped by TOMOYO.
Fix 2012/03/16
@ Return appropriate value to poll().
Return POLLIN | POLLRDNORM | POLLOUT | POLLWRNORM if ready to read/write,
POLLOUT | POLLWRNORM otherwise.
Fix 2012/02/29
@ Fix mount flags checking order.
Userspace can pass in arbitrary combinations of MS_* flags to mount().
It is legal to pass both MS_BIND and MS_REMOUNT at the same time, but the
current code was rejecting such a request. Also, if multiple MS_* flags
were passed, the resulting permission check was inaccurate.
Fix these bugs by changing the priority to MS_REMOUNT -> MS_BIND ->
MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE -> MS_MOVE, as do_mount()
does.
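The priority order above can be written as a single classifier so that every flag combination gets exactly one verdict. The following is an added illustration, not code from ccs-patch or the kernel; the MS_* values are the Linux ABI constants, and the enum and function names are this example's own.

```c
/* Classify a mount(2) flag word in the priority order do_mount() uses.
 * Added illustration; not TOMOYO's or the kernel's code. */
#include <stdio.h>

/* Linux ABI values, defined here so the example builds without <sys/mount.h>. */
#define MS_NOSUID      2UL
#define MS_REMOUNT     32UL
#define MS_BIND        4096UL
#define MS_MOVE        8192UL
#define MS_UNBINDABLE  (1UL << 17)
#define MS_PRIVATE     (1UL << 18)
#define MS_SLAVE       (1UL << 19)
#define MS_SHARED      (1UL << 20)

enum mount_op {
    MOUNT_OP_REMOUNT,
    MOUNT_OP_BIND,
    MOUNT_OP_CHANGE_TYPE,
    MOUNT_OP_MOVE,
    MOUNT_OP_NEW_MOUNT
};

/* First matching class wins; MS_BIND|MS_REMOUNT is therefore a remount
 * (of a bind mount's per-mount flags), not an error. */
static enum mount_op classify_mount(unsigned long flags)
{
    if (flags & MS_REMOUNT)
        return MOUNT_OP_REMOUNT;
    if (flags & MS_BIND)
        return MOUNT_OP_BIND;
    if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE | MS_UNBINDABLE))
        return MOUNT_OP_CHANGE_TYPE;
    if (flags & MS_MOVE)
        return MOUNT_OP_MOVE;
    return MOUNT_OP_NEW_MOUNT;   /* a plain new mount of some filesystem */
}

static const char *mount_op_name(enum mount_op op)
{
    switch (op) {
    case MOUNT_OP_REMOUNT:     return "remount";
    case MOUNT_OP_BIND:        return "bind";
    case MOUNT_OP_CHANGE_TYPE: return "change propagation type";
    case MOUNT_OP_MOVE:        return "move";
    default:                   return "new mount";
    }
}

int main(void)
{
    /* Constructed flag words: the previously rejected combination first. */
    unsigned long samples[] = {
        MS_BIND | MS_REMOUNT, MS_BIND, MS_SHARED | MS_MOVE, MS_MOVE, MS_NOSUID
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("flags=0x%lx -> %s\n", samples[i],
               mount_op_name(classify_mount(samples[i])));
    return 0;
}
```

Because the checks are ordered, a request such as MS_SHARED|MS_MOVE is checked as a propagation-type change and never as a move, which is exactly the single-verdict behaviour the fix restores.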
Fix 2011/05/05
@ Fix wrong profile number in audit logs for "allow_env" permission.
Profile number used for "allow_execute" permission was by error reused
when generating audit logs for "allow_env" permission.
Fix 2011/03/31
@ Fix conditional policy parsing.
Since exec.realpath= and symlink.target= accept path_group,
symlink.target="@foo" was by error parsed as symlink.target=@foo .
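The distinction the fix restores is between a quoted literal and a bare path_group reference. The following is an added illustration of that rule, not TOMOYO's parser; the function names, the enum and the "unquoted value is invalid" treatment are assumptions of this example.

```c
/* Classify the right-hand side of a "symlink.target=" / "exec.realpath="
 * condition.  Added illustration; not ccs-patch code. */
#include <stdio.h>
#include <string.h>

enum value_kind { VALUE_INVALID, VALUE_LITERAL, VALUE_PATH_GROUP };

/* A double-quoted value is always a literal pathname, even when the text
 * inside the quotes begins with '@'.  Only a bare "@name" refers to a
 * path_group.  The unquoted literal or the group name is copied to out. */
static enum value_kind classify_condition_value(const char *v, char *out, size_t outsz)
{
    size_t len = strlen(v);
    if (len >= 2 && v[0] == '"' && v[len - 1] == '"') {
        if (len - 2 >= outsz)
            return VALUE_INVALID;
        memcpy(out, v + 1, len - 2);
        out[len - 2] = '\0';
        return VALUE_LITERAL;
    }
    if (len >= 2 && v[0] == '@' && strchr(v, '"') == NULL) {
        if (len - 1 >= outsz)
            return VALUE_INVALID;
        memcpy(out, v + 1, len - 1);
        out[len - 1] = '\0';
        return VALUE_PATH_GROUP;
    }
    return VALUE_INVALID;   /* assumption: anything else is rejected */
}

/* Split "key=value" at the first '=' and classify the value. */
static enum value_kind parse_condition(const char *cond, char *key, size_t keysz,
                                       char *val, size_t valsz)
{
    const char *eq = strchr(cond, '=');
    if (!eq || eq == cond || (size_t)(eq - cond) >= keysz)
        return VALUE_INVALID;
    memcpy(key, cond, (size_t)(eq - cond));
    key[eq - cond] = '\0';
    return classify_condition_value(eq + 1, val, valsz);
}

int main(void)
{
    /* Constructed condition strings; the first is the case from the fix. */
    const char *samples[] = {
        "symlink.target=\"@foo\"", "symlink.target=@foo", "exec.realpath=\"/bin/ls\""
    };
    static const char *names[] = { "invalid", "literal", "path_group" };
    char key[64], val[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum value_kind k = parse_condition(samples[i], key, sizeof key, val, sizeof val);
        printf("%-28s -> %s %s=%s\n", samples[i], names[k], key,
               k == VALUE_INVALID ? "" : val);
    }
    return 0;
}
```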
@ Serialize updating profile's comment line.
We need to serialize when updating COMMENT= line in /proc/ccs/profile .
Fix 2010/11/22
@ Fix umount() pathname calculation.
"mount --bind /path/to/file1 /path/to/file2" is legal.
Therefore, "umount /path/to/file2" is also legal.
Do not automatically append trailing '/' if pathname to be unmounted
does not end with '/'.
@ Change export level of ccsecurity_ops structure.
Non-GPL modules might need to access ccsecurity_ops via inlined functions
embedded into include/linux/security.h and include/net/ip.h .
Fix 2010/09/18
@ Remove pre-vfs functions.
I again encountered a build failure due to may_create()/may_delete()
changes in distributors' patches. Since directory modification syscalls
(e.g. mkdir()/unlink()) seldom violate DAC's permission whereas directory
scanning syscalls (e.g. open()/stat()) sometimes violate it (because of
the environment variable PATH), not doing DAC checks before MAC checks
won't trigger flooding of MAC permission errors. Thus, I removed the DAC
checks which were done before MAC checks.
Fix 2010/06/09
@ Add missing ccs_put_name() in ccs_parse_envp().
Since 1.7.0 , ccs_parse_envp() was not calling ccs_put_name() if
environment variable's value ('if exec.envp["name"]="value"' condition)
was invalid.
@ Add missing NULL check in ccs_condition().
Since 1.7.0 , if 'if symlink.target=' part was given against non-file
permissions (e.g. allow_env PATH if symlink.target="/"), it triggered
NULL pointer dereference.
Fix 2010/06/03
@ Fix missing sanity check for "file_pattern".
Since 1.7.0 , ccs_write_pattern_policy() was by error accepting
invalid pathname.
Fix 2010/05/27
@ Add missing rcu_dereference() for ccs_find_execute_handler().
Since 1.7.0 , ccs_find_execute_handler() was by error using
list_for_each_entry() rather than list_for_each_entry_rcu().
This bug affects only the Alpha architecture.
Fix 2010/05/10
@ Fix incorrect out of memory warning.
Out of memory warnings were not printed in some cases by error.
Fix 2010/05/05
@ Fix incorrect audit on/off control.
The grant_log= and reject_log= parameters of CONFIG::misc::env were not
used because I forgot to update request type. As a result, those of
CONFIG::file::execute were used for CONFIG::misc::env .
Those of CONFIG::file::rewrite were not used because I forgot to update
request type. As a result, those of CONFIG::file::truncate were used for
CONFIG::file::rewrite .
Fix 2010/04/10
@ Fix invalid "struct nameidata" to "struct path" conversion macro.
Regarding kernels 2.6.24 and earlier, I was converting "struct nameidata"
to "struct path" on the caller side so that I could unify the callee
function's parameter type. But it turned out that the macro I used did not
follow C standards and did not work with gcc 4.x . As a result, the
"allow_pivot_root" keyword was not working as expected.
ChangeLog for ccs-patch 1.7.2
Fix 2010/11/22
@ Fix umount() pathname calculation.
"mount --bind /path/to/file1 /path/to/file2" is legal.
Therefore, "umount /path/to/file2" is also legal.
Do not automatically append trailing '/' if pathname to be unmounted
does not end with '/'.
@ Change export level of ccsecurity_ops structure.
Non-GPL modules might need to access ccsecurity_ops via inlined functions
embedded into include/linux/security.h and include/net/ip.h .
Fix 2010/09/18
@ Remove pre-vfs functions.
I again encountered a build failure due to may_create()/may_delete()
changes in distributors' patches. Since directory modification syscalls
(e.g. mkdir()/unlink()) seldom violate DAC's permission whereas directory
scanning syscalls (e.g. open()/stat()) sometimes violate it (because of
the environment variable PATH), not doing DAC checks before MAC checks
won't trigger flooding of MAC permission errors. Thus, I removed the DAC
checks which were done before MAC checks.
Fix 2010/06/09
@ Add missing ccs_put_name() in ccs_parse_envp().
Since 1.7.0 , ccs_parse_envp() was not calling ccs_put_name() if
environment variable's value ('if exec.envp["name"]="value"' condition)
was invalid.
@ Add missing NULL check in ccs_condition().
Since 1.7.0 , if 'if symlink.target=' part was given against non-file
permissions (e.g. allow_env PATH if symlink.target="/"), it triggered
NULL pointer dereference.
Fix 2010/06/03
@ Fix missing sanity check for "file_pattern".
Since 1.7.0 , ccs_write_pattern_policy() was by error accepting
invalid pathname.
Fix 2010/05/27
@ Add missing rcu_dereference() for ccs_find_execute_handler().
Since 1.7.0 , ccs_find_execute_handler() was by error using
list_for_each_entry() rather than list_for_each_entry_rcu().
This bug affects only the Alpha architecture.
Fix 2010/05/10
@ Fix incorrect out of memory warning.
Out of memory warnings were not printed in some cases by error.
Fix 2010/05/05
@ Fix incorrect audit on/off control.
The grant_log= and reject_log= parameters of CONFIG::misc::env were not
used because I forgot to update request type. As a result, those of
CONFIG::file::execute were used for CONFIG::misc::env .
Those of CONFIG::file::rewrite were not used because I forgot to update
request type. As a result, those of CONFIG::file::truncate were used for
CONFIG::file::rewrite .
Fix 2010/04/10
@ Fix invalid "struct nameidata" to "struct path" conversion macro.
Regarding kernels 2.6.24 and earlier, I was converting "struct nameidata"
to "struct path" on the caller side so that I could unify the callee
function's parameter type. But it turned out that the macro I used did not
follow C standards and did not work with gcc 4.x . As a result, the
"allow_pivot_root" keyword was not working as expected.
ChangeLog for ccs-patch 1.7.1
Fix 2010/03/26
@ Fix ccs_lport_reserved() bug.
Since 1.7.0 , ccs_lport_reserved() was by error checking wrong port
number. As a result, "deny_autobind" keyword was not working as expected.
Fix 2010/03/25
@ Fix ccs_get_ipv6_address() bug.
Since 1.7.0 , ccs_get_ipv6_address() was by error returning the address of
"struct list_head ccs_address_list" if memory allocation failed.
As a result, ccs_put_ipv6_address() would modify memory near
"struct list_head ccs_address_list" if memory allocation had failed.
Fix 2010/03/08
@ Allow building as loadable kernel module.
To be able to minimize the filesize increment of vmlinux, I made it
possible to compile TOMOYO Linux as a loadable kernel module.
Although patching the kernel source and recompiling the kernel are
inevitable, this change will make it easier to enable TOMOYO Linux
when there is a filesize limitation on vmlinux (e.g. embedded systems).
Fix 2010/03/02
@ Allow domain transition without execve().
To be able to split permissions for Apache's CGI programs which are
executed without execve(), I added special domain transition which is
performed by atomically writing '\0'-terminated binary string to
/proc/ccs/.transition interface. For example, a process which belongs to
"<kernel> /usr/sbin/httpd" domain will transit to
"<kernel> /usr/sbin/httpd //app=cgi1\040id=10000" domain by atomically
writing "app=cgi1 id=10000" + '\0' to /proc/ccs/.transition using
Apache's ap_hook_handler() functionality.
Note that the '\0'-terminated binary string is converted to TOMOYO's string
format inside the kernel and the prefix "//" is automatically added to the
string so that the domainname does not conflict with domainnames created
by execve().
Without this prefix, if the "<kernel> /usr/sbin/sshd /bin/bash" domain is
allowed to open /proc/ccs/.transition for writing and the
"<kernel> /usr/sbin/sshd /bin/bash /usr/bin/passwd" domain is allowed to
access /etc/shadow , /bin/bash would be able to access /etc/shadow by
atomically writing "/usr/bin/passwd" + '\0' to /proc/ccs/.transition .
Allowing /bin/bash to access /etc/shadow is not what people want.
Permission for this operation is checked by the "allow_transit" keyword.
Unlike the "allow_execute" keyword, the string parameter for the
"allow_transit" keyword does not refer to a real file in the filesystem's
namespace. Therefore, you can store any combination of parameters, like an
LDAP DN entry, in the string parameter for the "allow_transit" keyword.
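The role of the "//" prefix is easiest to see by building both domain names and comparing them. The following is an added illustration, not ccs-patch code: the escape rule (printable ASCII copied, '\' doubled, every other byte written as "\ooo") is an assumption of this example beyond the "\040" for a space shown above, and the function names are its own.

```c
/* Build the domain name a process would land in after writing a string to
 * /proc/ccs/.transition, with and without the "//" marker, and compare it
 * with the domain execve() would create.  Added illustration; not TOMOYO code. */
#include <stdio.h>
#include <string.h>

/* Encode a '\0'-terminated binary string into printable form.  Escape rule is
 * this example's assumption: printable ASCII is copied, '\\' is doubled and
 * everything else (including space) becomes "\ooo".  Returns 0, or -1 if
 * out is too small. */
static int encode_transition_name(const char *s, int with_prefix, char *out, size_t outsz)
{
    size_t pos = 0;
    if (with_prefix) {
        if (outsz < 3)
            return -1;
        out[pos++] = '/';
        out[pos++] = '/';
    }
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c == '\\') {
            if (pos + 2 >= outsz)
                return -1;
            out[pos++] = '\\';
            out[pos++] = '\\';
        } else if (c > ' ' && c < 127) {
            if (pos + 1 >= outsz)
                return -1;
            out[pos++] = (char)c;
        } else {
            if (pos + 4 >= outsz)
                return -1;
            out[pos++] = '\\';
            out[pos++] = (char)('0' + ((c >> 6) & 7));
            out[pos++] = (char)('0' + ((c >> 3) & 7));
            out[pos++] = (char)('0' + (c & 7));
        }
    }
    out[pos] = '\0';
    return 0;
}

/* Domain reached through .transition: current domain + " " + encoded string. */
static int transition_domain(const char *current, const char *written, int with_prefix,
                             char *out, size_t outsz)
{
    char comp[256];
    if (encode_transition_name(written, with_prefix, comp, sizeof comp) < 0)
        return -1;
    int n = snprintf(out, outsz, "%s %s", current, comp);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Domain reached through an ordinary execve() of program. */
static int execve_domain(const char *current, const char *program, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "%s %s", current, program);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* 1 if writing `written` would land in the same domain as execve(program):
 * the collision the "//" prefix exists to prevent.  -1 on buffer error. */
static int collides_with_execve(const char *current, const char *written,
                                const char *program, int with_prefix)
{
    char a[512], b[512];
    if (transition_domain(current, written, with_prefix, a, sizeof a) < 0)
        return -1;
    if (execve_domain(current, program, b, sizeof b) < 0)
        return -1;
    return strcmp(a, b) == 0;
}

int main(void)
{
    char d[512];
    /* The httpd example from the text: space becomes \040, "//" is prepended. */
    transition_domain("<kernel> /usr/sbin/httpd", "app=cgi1 id=10000", 1, d, sizeof d);
    printf("%s\n", d);
    /* The sshd/bash example: with the prefix the names differ, without it they collide. */
    const char *cur = "<kernel> /usr/sbin/sshd /bin/bash";
    printf("with prefix: collides=%d\n", collides_with_execve(cur, "/usr/bin/passwd", "/usr/bin/passwd", 1));
    printf("no prefix:   collides=%d\n", collides_with_execve(cur, "/usr/bin/passwd", "/usr/bin/passwd", 0));
    return 0;
}
```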
Fix 2010/01/17
@ Use current domain's name for execute_handler audit log.
Since 1.6.7 , /proc/ccs/grant_log was by error using next domain's name
when auditing current domain's "execute_handler" line.
Fix 2009/12/19
@ Fix memory leak in ccs_environ().
When I fixed a bug that a permission like
allow_env PATH if exec.envp["PATH"]="/"
was not working (2009/11/02), I allocated two buffers but only one buffer
was released.
This bug will trigger OOM killer if environment variable checking is
enabled.
Fix 2009/12/17
@ Don't check read permission in ccs_try_alt_exec().
While I was trying to remove the ccs_execve_list list for GC optimization
between TOMOYO 1.7.0 and 1.7.1 , I made a mistake which made TOMOYO
check the allow_read permission of the programs specified by the
execute_handler and denied_execute_handler keywords.
@ Don't check DAC permission if disabled mode.
I was checking DAC permissions for directory entry modification
operations (e.g. mkdir()) even if mode=disabled . It is a waste of CPU
resources to check DAC permissions when MAC permissions are not checked.
Thus, I modified it to skip DAC permission checks if mode=disabled .
Fix 2009/12/15
@ Allow deleting "quota_exceeded" and "transition_failed" entries.
To notify users of "this domain has too many entries to hold" and "some
process in this domain was not able to perform domain transition",
"quota_exceeded" and "transition_failed" messages are used respectively.
These messages were not deletable. But it is more convenient for users
to be notified again if such events occurred again after tuning policy.
Thus, I made these messages deletable.
Fix 2009/12/12
@ Use rcu_read_lock() for find_task_by_pid().
Since kernel 2.6.18 , caller of find_task_by_pid() needs to call
rcu_read_lock() rather than read_lock(&tasklist_lock) because find_pid()
uses RCU primitives but spinlock does not prevent RCU callback if
preemptive RCU ( CONFIG_PREEMPT_RCU or CONFIG_TREE_PREEMPT_RCU ) is
enabled.
Fix 2009/11/27
@ Use newly created domain's name for domain creation audit log.
Since 1.7.0 , /proc/ccs/reject_log was by error using existing domain's
name when auditing newly created domain's "use_profile" line.
Fix 2009/11/18
@ Don't check "allow_write" permission for open(O_RDONLY | O_TRUNC).
Since TOMOYO checks "allow_truncate" permission rather than "allow_write"
permission for O_TRUNC, I need to distinguish open(O_RDONLY | O_TRUNC)
and open(O_RDWR | O_TRUNC). But I made a mistake between TOMOYO 1.7.0 and
1.7.1 which made it impossible for TOMOYO for kernels 2.6.14 and earlier
to distinguish them.
Fix 2009/11/13
@ Don't use core_initcall() for initializing lock for GC.
Some kernels call TOMOYO's hooks before processing core_initcall().
Thus, I can't use core_initcall() for initializing lock for GC.
ChangeLog for ccs-patch 1.7.0
Fix 2009/11/09
@ Add profile version check.
To avoid upgrading from TOMOYO 1.6.x to TOMOYO 1.7.x without upgrading
/proc/ccs/profile (which results in not protecting the system at all),
I added a check for PROFILE_VERSION= .
Fix 2009/11/06
@ Fix incorrect allow_mount audit log.
Audit log for allow_mount was using decimal format.
It needs to use hexadecimal format.
Fix 2009/11/03
@ Fix memory leak in ccs_write_address_group_policy().
I forgot to call kfree() if the same entry had already been added.
@ Reduce mutexes.
I was using mutex_lock()/mutex_unlock() so that I can use
atomic_dec_and_test() for removing an element from a list.
I moved that operation to garbage collector in order to reduce frequency
of mutex_lock()/mutex_unlock() calls.
@ Escape from nested loops correctly.
In ccs_read_address_group_policy(), I was escaping from nested loops
correctly. But in ccs_read_path_group_policy() and
ccs_read_number_group_policy(), I wasn't.
As a result, reading path_group and number_group caused kernel oops
when they were not read atomically.
Fix 2009/11/02
@ Fix buffer contention.
A permission like
allow_env PATH if exec.envp["PATH"]="/"
was not working since I was using the same buffer for both environment
variable's name and value.
Fix 2009/10/08
@ Add CONFIG_CCSECURITY_DEFAULT_LOADER option.
I made the default policy loader's pathname ( /sbin/ccs-init )
configurable.
@ Add CONFIG_CCSECURITY_ALTERNATIVE_TRIGGER option.
Some environments do not have /sbin/init . In such environments, we need
to use different program's pathname (e.g. /init or /linuxrc ) as
activation trigger.
Thus, I made the alternative trigger ( /sbin/ccs-start ) configurable.
Fix 2009/10/05
@ Fix size truncation bug at ccs_memcmp().
ccs_memcmp() was using "u8" for size parameter by error. Therefore, when
size >= 256 was passed to ccs_memcmp(), it was doing partial comparison
(incorrect result) or read overrun (CPU stall).
ccs_memcmp() should use "size_t" for size parameter because size of
"struct ccs_condition" may exceed 256 bytes if complicated condition was
given.
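The narrowing described here is silent in C, which is what makes it dangerous. The following added example (not the original ccs_memcmp()) contrasts the two prototypes on constructed buffers whose only differing byte lies past the truncated length; the function names are this example's own.

```c
/* Size-parameter truncation: u8 versus size_t.  Added illustration of the
 * bug class described above; not the original ccs_memcmp(). */
#include <stddef.h>
#include <stdio.h>

typedef unsigned char u8;

/* The defective shape: a size_t argument is converted to u8 on the call, so a
 * 300-byte comparison inspects 44 bytes and a 256-byte one inspects none. */
static int memcmp_u8_size(const void *a, const void *b, u8 size)
{
    const u8 *p = a, *q = b;
    for (u8 i = 0; i < size; i++)
        if (p[i] != q[i])
            return p[i] < q[i] ? -1 : 1;
    return 0;
}

/* The corrected shape: size_t carries the full object size. */
static int memcmp_size_t(const void *a, const void *b, size_t size)
{
    const u8 *p = a, *q = b;
    for (size_t i = 0; i < size; i++)
        if (p[i] != q[i])
            return p[i] < q[i] ? -1 : 1;
    return 0;
}

/* Two buffers of `size` bytes (constructed here) differing only in their
 * last byte.  Returns 1 when the u8 version wrongly reports equality while
 * the size_t version sees the difference, 0 when both agree, -1 on bad size. */
static int demonstrate_truncation(size_t size)
{
    u8 a[1024] = {0}, b[1024] = {0};
    if (size == 0 || size > sizeof a)
        return -1;
    b[size - 1] = 1;
    /* Implicit narrowing: exactly what a size_t caller of the old prototype got. */
    int wrong = memcmp_u8_size(a, b, size) == 0;
    int right = memcmp_size_t(a, b, size) != 0;
    return wrong && right;
}

int main(void)
{
    size_t sizes[] = { 100, 256, 300 };
    for (size_t i = 0; i < 3; i++)
        printf("size=%zu (u8 sees %u) -> u8 version wrong: %d\n", sizes[i],
               (unsigned)(u8)sizes[i], demonstrate_truncation(sizes[i]));
    return 0;
}
```

For sizes below 256 both versions agree; at 256 the u8 version compares nothing at all, which is the "partial comparison (incorrect result)" outcome in its most extreme form.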
Fix 2009/09/25
@ Embed more information into audit logs.
Until now, /proc/ccs/grant_log /proc/ccs/reject_log /proc/ccs/query were
not printing the file's information (e.g. file's uid/gid/mode).
Recently, users who started using the "if" clause expect that the learning
mode automatically adds various conditions like "if task.uid=path1.uid".
But the profile would become too complicated if I supported all possible
conditions. Thus, I added all information which is enough to generate an
"if" clause with all possible conditions from audit logs.
Now the learning mode has a different usage. Users can specify
"CONFIG::learning={ max_entry=0 }" in the profile. All requests which
are not permitted by policy will be sent to /proc/ccs/reject_log with
"mode=learning" header lines. Users can selectively append conditions
and add the result to the policy using "/usr/sbin/ccs-loadpolicy -d".
The learning mode with "CONFIG::learning={ max_entry=0 }" is almost
the same as the permissive mode; the only difference is "mode=learning"
versus "mode=permissive".
Fix 2009/09/24
@ Don't check chmod/chown capability for requests from kernel.
Until now, ccs_setattr_permission() was inserted in notify_change().
But notify_change() is also called by requests from the kernel (e.g.
UnionFS), and it made it difficult to use TOMOYO on UnionFS.
Thus, I moved the ccs_capable() checks from ccs_setattr_permission() to
ccs_chmod_permission() and ccs_chown_permission(), and removed
ccs_setattr_permission().
Fix 2009/09/11
@ Support recursive match operators.
Until now, ccs_path_matches_pattern() did not support recursive
comparison. Thus, users had to repeat "/\*" when they wanted to match
recursively.
I introduced "\{" and "\}" as a repetition operator.
To ensure consistency with TOMOYO's '/'-tokenized pattern matching rules
and the "\-" operator, only "/\{dir\}/" sequences (where dir does not
contain '/') are permitted.
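To show what the "/\{dir\}/" constraint buys, here is a deliberately small matcher written as an added illustration; it is not ccs_path_matches_pattern() and handles only literal characters, "\*" and one level of "/\{dir\}/" (TOMOYO's other wildcards and octal escapes are left out). The function names are this example's own, and "\{dir\}" is taken to mean one or more "/dir" components followed by '/'.

```c
/* Minimal matcher for the "/\{dir\}/" repetition operator.  Added
 * illustration; not TOMOYO's ccs_path_matches_pattern(). */
#include <stdio.h>
#include <string.h>

static int match_path(const char *f, const char *p);

/* Match one path component f[0..fend) against the operand p[0..pend);
 * components never contain '/', so "\*" can simply try every split point. */
static int match_component(const char *f, const char *fend, const char *p, const char *pend)
{
    if (p == pend)
        return f == fend;
    if (p[0] == '\\' && p + 1 < pend && p[1] == '*') {
        for (const char *g = f;; g++) {
            if (match_component(g, fend, p + 2, pend))
                return 1;
            if (g == fend)
                return 0;
        }
    }
    if (f == fend || *f != *p)
        return 0;
    return match_component(f + 1, fend, p + 1, pend);
}

/* f must look like "/c1/c2/.../ck/" + rest with k >= 1 and every ci matching
 * the operand op[0..opend); rest is the pattern after "\}/". */
static int match_repeat(const char *f, const char *op, const char *opend, const char *rest)
{
    if (*f != '/')
        return 0;
    const char *s = strchr(f + 1, '/');          /* end of this component */
    if (!s)
        return 0;                                /* operator needs its trailing '/' */
    if (!match_component(f + 1, s, op, opend))
        return 0;
    /* Either s is the operator's trailing '/' and rest starts after it,
     * or another component follows and the repetition continues. */
    return match_path(s + 1, rest) || match_repeat(s, op, opend, rest);
}

static int match_path(const char *f, const char *p)
{
    while (*p) {
        if (p[0] == '/' && p[1] == '\\' && p[2] == '{') {
            const char *op = p + 3;
            const char *close = strstr(op, "\\}/");
            if (!close)
                return 0;                        /* malformed: no closing "\}/" */
            return match_repeat(f, op, close, close + 3);
        }
        if (p[0] == '\\' && p[1] == '*') {       /* "\*": never crosses '/' */
            const char *rest = p + 2;
            for (;;) {
                if (match_path(f, rest))
                    return 1;
                if (*f == '\0' || *f == '/')
                    return 0;
                f++;
            }
        }
        if (p[0] == '\\' && (p[1] == '{' || p[1] == '}'))
            return 0;                            /* "\{" not preceded by '/': rejected */
        if (*f != *p)
            return 0;
        f++;
        p++;
    }
    return *f == '\0';
}

int main(void)
{
    /* Constructed pattern and paths: one-or-more directories between /home and the file. */
    const char *pat = "/home/\\{\\*\\}/\\*";
    const char *paths[] = { "/home/a/b/c", "/home/a/c", "/home/c" };
    for (size_t i = 0; i < 3; i++)
        printf("%-18s %-12s %s\n", pat, paths[i], match_path(paths[i], pat) ? "matches" : "no match");
    return 0;
}
```

Because the operator must be written as "/\{dir\}/", the matcher only ever consumes whole '/'-delimited components, so "\*" inside the braces cannot swallow a slash and a pattern like "/home/\{\*\}/\*" cannot accidentally cover "/home/c".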
Fix 2009/09/10
@ Do not check umount() permission for mount(MS_MOVE) requests.
Until 1.6.x , umount() restriction was black listing. In 1.7.0 , it is
white listing. This change caused "mount --move old new" requests to
require "allow_unmount old" permission in addition to
"allow_mount old new --move 0" permission.
But we don't want to allow umount(old) requests when we want to allow
only mount(old, new, MS_MOVE) requests. Thus, I modified not to check
"allow_unmount old" permission for mount(old, new, MS_MOVE) requests.
Fix 2009/09/06
@ Fix wrong error code in ccs_try_alt_exec().
ccs_try_alt_exec() was returning ENOMEM when kmalloc() failed.
It needs to return -ENOMEM to fail.
Fix 2009/09/04
@ Fix wrong ccs_profile() calls.
I can't call ccs_profile() for a profile existence test because
ccs_profile() never returns NULL.