ChangeLog for ccs-patch 1.8.11
Fix 2024/06/28
@ Unblock move_mount() system call.
Since util-linux 2.39 started using libmount's mountfd support
(libmount-mountfd-support, i.e. the new mount API which attaches mounts
via move_mount()), implementing an appropriate permission check for
move_mount() became necessary for successfully booting a Linux system.
ChangeLog for ccs-patch 1.8.10
Fix 2024/03/31
@ Fix a UAF bug introduced by an oversight in TOMOYO revision 2930.
Backport commit 2f03fc340cac ("tomoyo: fix UAF write bug in
tomoyo_write_control()").
ChangeLog for ccs-patch 1.8.9
Fix 2021/12/28
@ Check exceeded quota early.
Backport commit 04e57a2d952bbd34 ("tomoyo: Check exceeded quota early in
tomoyo_domain_quota_is_ok().") and commit f702e1107601230e ("tomoyo: use
hwight16() in tomoyo_domain_quota_is_ok()"), because these help reduce the
overhead of the learning mode. Note that the former patch requires you to
explicitly delete the "quota_exceeded" entry from the domain policy in
order to resume the learning mode.
Fix 2021/03/13
@ Skip permission checks for fileless execution requests.
Kernels from 4.18 to 5.8 are using call_usermodehelper_setup_file() for
starting a program which has no valid pathname on a filesystem.
/sbin/modprobe from the dockerd process could not load the bpfilter.ko
module because ccs_symlink_path() cannot calculate the pathname of a
program without a valid pathname. Thus, allow call_usermodehelper_setup_file()
to bypass permission checks and suppress domain transitions.
@ Fix ccs_kernel_service().
Kernels from 5.5 to 5.11 are using PF_KTHREAD flag for the io_uring
worker threads.
ChangeLog for ccs-patch 1.8.8
Fix 2020/10/24
@ Fix /proc pathname calculation for Linux 5.8+ kernels.
ccs_realpath() for 5.8+ was by error not using proc_pid_ns() when
calculating /proc pathname.
Fix 2020/08/19
@ Fix wrong ccs_search_binary_handler() mapping.
When support for 5.8 kernel was added, ccs_search_binary_handler() for
3.7- was by error mapped to wrong function.
Fix 2020/08/17
@ Fix ccs_realpath() fallback.
ccs_realpath() for 3.17+ was by error not calling ccs_get_local_path()
when ccs_get_absolute_path() returned -EINVAL.
Fix 2020/07/22
@ Fix domain transition preference.
The domain transition preference which was introduced in 1.8.3 has been
ignored by mistake since 1.8.3p4, because ccs_update_task_domain() called
from ccs_write_log2() from ccs_supervisor() from ccs_audit_log() always
resets r->matched_acl to NULL. Change ccs_update_task_domain() not to
reset r->matched_acl to NULL.
ChangeLog for ccs-patch 1.8.7
Fix 2020/05/01
@ Loosen domainname validation and pathname validation.
Currently a domainname must start with "<$namespace>" followed by
zero or more repetitions of a pathname which starts with '/'.
But it is getting more and more difficult to enforce use of a pathname
which starts with '/', because an execve() request for a pathname on
e.g. some filesystems causes ccs_realpath() to return a pathname in
"$fsname:/$pathname" format.
Fortunately, since $fsname must not contain '.' since Linux 2.6.22,
we can recognize a token in which '/' appears before '.' appears (e.g.
proc:/self/exe ) as a pathname and a token in which '.' appears before
'/' appears (e.g. exec.realpath="/bin/bash" ) as a condition parameter,
with the exception that a pathname cannot start with
auto_domain_transition=" because it is reserved as the delimiter string
for on-match domain transition. Also, we can recognize "<$namespace>"
followed by such tokens (e.g. <kernel> /foo proc:/self/exe /bar ) as
a domainname.
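The token rule above, written out as an added example (this is not ccs-patch code). The classification follows the changelog: a namespace token is "<...>", a token whose first '/' comes before its first '.' is a pathname unless it starts with the reserved auto_domain_transition=" delimiter, and a token whose first '.' comes before any '/' is a condition parameter. A token containing neither '/' nor '.' is treated as invalid here; that case is an assumption, since the changelog does not say how such a token is handled. The function names are hypothetical.

```c
/* Token classification for loosened domainname validation (added example,
 * not ccs-patch code).  See the lead-in for which rules are assumptions. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum ccs_token_kind {
	CCS_TOKEN_NAMESPACE,	/* "<kernel>" */
	CCS_TOKEN_PATHNAME,	/* "/foo", "proc:/self/exe" */
	CCS_TOKEN_CONDITION,	/* exec.realpath="/bin/bash", task.uid=0 */
	CCS_TOKEN_INVALID	/* neither '/' nor '.' (assumption) */
};

enum ccs_token_kind ccs_classify_token(const char *tok)
{
	static const char reserved[] = "auto_domain_transition=\"";
	size_t len = strlen(tok);
	const char *slash = strchr(tok, '/');
	const char *dot = strchr(tok, '.');

	if (len >= 3 && tok[0] == '<' && tok[len - 1] == '>')
		return CCS_TOKEN_NAMESPACE;
	/* The on-match transition delimiter is never a pathname, even though
	 * the '/' inside its quotes appears before any '.'. */
	if (strncmp(tok, reserved, sizeof(reserved) - 1) == 0)
		return CCS_TOKEN_CONDITION;
	if (slash && (!dot || slash < dot))
		return CCS_TOKEN_PATHNAME;
	if (dot)
		return CCS_TOKEN_CONDITION;
	return CCS_TOKEN_INVALID;
}

/* A domainname is "<$namespace>" followed by zero or more pathname tokens,
 * separated by single spaces. */
bool ccs_is_valid_domainname(const char *line)
{
	char tok[256];
	const char *p = line;
	bool seen_namespace = false;

	while (*p) {
		size_t n;

		while (*p == ' ')
			p++;
		if (!*p)
			break;
		n = strcspn(p, " ");
		if (n >= sizeof(tok))
			return false;
		memcpy(tok, p, n);
		tok[n] = '\0';
		p += n;
		if (!seen_namespace) {
			if (ccs_classify_token(tok) != CCS_TOKEN_NAMESPACE)
				return false;
			seen_namespace = true;
		} else if (ccs_classify_token(tok) != CCS_TOKEN_PATHNAME) {
			return false;
		}
	}
	return seen_namespace;
}

int main(void)
{
	/* Constructed sample lines: one legal, one with a condition parameter
	 * where a pathname is expected, one without a namespace. */
	static const char *const lines[] = {
		"<kernel> /foo proc:/self/exe /bar",
		"<kernel> /usr/sbin/sshd exec.realpath=\"/bin/bash\"",
		"/foo /bar",
	};
	size_t i;

	for (i = 0; i < sizeof(lines) / sizeof(lines[0]); i++)
		printf("%-52s -> %s\n", lines[i],
		       ccs_is_valid_domainname(lines[i]) ? "domainname" : "rejected");
	return 0;
}
```

Note that a pathname may still contain '.' after its first '/', e.g. /usr/bin/foo.sh, which is why the rule compares positions rather than presence.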
ChangeLog for ccs-patch 1.8.6
Fix 2020/04/09
@ Fix wrong put_page() usage in ccs_dump_page().
ccs_dump_page() for 5.6+ was by error using wrong function to put page.
Fix 2019/12/07
@ Don't use nifty names on sockets.
Revert "Don't check open/getattr permission on sockets.", and then
get rid of special handling of sockets. As a side effect of this patch,
"socket:[family=\$:type=\$:protocol=\$]" in the policy files has to be
rewritten to "socket:[\$]".
Fix 2019/07/27
@ Change pathname calculation for read-only filesystems.
Commit 5625f2e3266319fd ("TOMOYO: Change pathname for non-rename()able
filesystems.") was intended to apply to filesystems where the content is
not controllable from userspace (e.g. proc, sysfs, securityfs), based
on an assumption that such filesystems do not support the rename() operation.
But it turned out that read-only filesystems also do not support the
rename() operation even though their content is controllable from
userspace, and that commit is annoying TOMOYO users who want to use e.g.
squashfs as the root filesystem, due to use of a local name which does not
start with '/'.
Therefore, based on an assumption that a filesystem requiring the device
argument upon a mount() request is an indication that the content is
controllable from userspace, do not use the local name if a filesystem
does not support the rename() operation but requires the device argument
upon a mount() request.
@ Reject move_mount() system call for now.
Commit 2db154b3ea8e14b0 ("vfs: syscall: Add move_mount(2) to move mounts
around") introduced security_move_mount() LSM hook, but we missed that
TOMOYO and AppArmor did not implement hooks for checking move_mount(2).
Since unchecked mount manipulation is not acceptable, for now pretend
as if move_mount(2) is unavailable.
@ Don't check open/getattr permission on sockets.
syzbot found that use of SOCKET_I()->sk from open() can result in a
use-after-free problem, because the socket's inode is still reachable via
/proc/pid/fd/n even though destruction of SOCKET_I()->sk has already
completed.
But there is no point in calling security_file_open() on sockets,
because open("/proc/pid/fd/n", !O_PATH) on sockets fails with -ENXIO.
There is some point in calling security_inode_getattr() on sockets,
because stat("/proc/pid/fd/n") and fstat(open("/proc/pid/fd/n", O_PATH))
are valid. But since the information which can be protected by checking
security_inode_getattr() on sockets is trivial, let's not check it.
ChangeLog for ccs-patch 1.8.5
Fix 2018/04/01
@ Use smp_rmb() when waiting for initialization.
"while (!cond);" is implicitly optimized like "if (!cond) while (1);",
because the compiler may hoist the load of cond out of the loop.
Use "while (!cond) smp_rmb();" in order to prevent such optimization.
Fix 2017/02/02
@ Use for_each_thread() for GC operation.
while_each_thread() without tasklist_lock is not safe.
Use for_each_process_thread() if it is available, hold
tasklist_lock otherwise.
Fix 2015/11/10
@ Limit wildcard recursion depth.
Since wildcards that need recursion consume kernel stack memory,
we cannot allow infinite recursion.
Fix 2015/11/08
@ Use memory allocation flags used by TOMOYO 2.x.
Until now, TOMOYO 1.x was using memory allocation flags which are weaker
than TOMOYO 2.x in order to make sure that a memory allocation request by
TOMOYO 1.x shall not cause a silent livelock problem.
But as I learned about this livelock problem, I understood that this is
not a problem which TOMOYO can manage. While hitting a silent livelock
at memory allocation is a problem, refusing critical access requests
by critical processes due to memory allocation failure caused by use of
weaker memory allocation flags is also a problem.
Since situations regarding memory allocation flags in upstream kernels
are changing, it will be safer to use the memory allocation flags used by
TOMOYO 2.x.
ChangeLog for ccs-patch 1.8.4
Fix 2015/05/01
@ Support multiple use_group entries.
Until now, each domain can include only one use_group entry.
I changed to allow each domain to include up to 256 use_group entries.
As a result, you will be able to reduce duplication of policy by
defining multiple acl_group entries based on use cases and including
them from each domain as needed.
ChangeLog for ccs-patch 1.8.3
Fix 2015/04/15
@ Fix incorrect retry request check.
When a request was asked to retry, acl_group referenced by domain's
use_group keyword was by error ignored. As a result, retrying was not
able to use permissions defined by acl_group.
Fix 2015/04/08
@ Fix incorrect readdir() permission check.
CONFIG_CCSECURITY_FILE_READDIR was meant for allowing users to control
readdir() permission check. However, CONFIG_CCSECURITY_FILE_GETATTR was
by error used for controlling readdir() permission check. This fix
should not affect kernels built with default configuration, for both
CONFIG_CCSECURITY_FILE_READDIR and CONFIG_CCSECURITY_FILE_GETATTR are
defined by default.
Fix 2015/01/01
@ Fix missing chmod(-1) check in Linux 3.1 and later kernels.
Commit e57712ebebbb9db7 "merge fchmod() and fchmodat() guts, kill
ancient broken kludge" changed chmod(-1) from no-op to setting to
07777. Therefore, TOMOYO must not ignore chmod(-1) case.
@ Fix potentially using bogus attributes when stat() fails.
We should reset attributes information when executing execute_handler
program, or attributes of original program could be used when stat()
on execute_handler program failed.
Fix 2012/10/08
@ Fix KABI breakage on Ubuntu 12.10.
I was using include/linux/security.h as the common path for pulling in
include/linux/ccsecurity.h so that I can avoid scattering #include lines.
When scripts/genksyms/genksyms calculates hash values for Module.symvers
file, it uses the extracted form of involved structures if the structure
layout is known but it instead uses UNKNOWN if the structure layout is
not known. Therefore, pulling in include files that define structure's
layout from include/linux/ccsecurity.h causes changes in the hash values
and causes KABI breakage, even if no changes were made to the involved
structures.
Fix this breakage by avoiding pulling in include/linux/sched.h and
include/linux/dcache.h from include/linux/ccsecurity.h where possible.
Fix 2012/04/28
@ Accept manager programs which do not start with / .
The pathname of /usr/sbin/ccs-editpolicy seen from Ubuntu 12.04 Live
CD is squashfs:/usr/sbin/ccs-editpolicy rather than
/usr/sbin/ccs-editpolicy . Therefore, we need to accept manager
programs which do not start with / .
Fix 2012/04/22
@ Readd RHEL_MINOR/AX_MINOR checks.
This check was added in revision 2346 and was removed in revision 4084.
Add it back in order to support RHEL 5.0, 5.1, 5.2 kernels.
@ Fix skb_kill_datagram() for kernels 2.6.0 - 2.6.11.
Commit 208d8984 "[IPV4]: Fix BUG() in 2.6.x, udp_poll(), fragments +
CONFIG_HIGHMEM" clarified that skb_kill_datagram() should use
spin_lock_bh()/spin_unlock_bh() rather than
spin_lock_irq()/spin_unlock_irq().
RHEL 4.9 (2.6.9) kernel has that patch backported. So do I.
@ Fix missing locks for RHEL 5.2-5.8 kernels.
Since RHEL 5.2 and later kernels have backported commit 95766fff
"[UDP]: Add memory accounting." patch, TOMOYO needs to call
lock_sock()/release_sock() around skb_kill_datagram() call when UDP
packet was dropped by TOMOYO.
Fix 2012/03/16
@ Return appropriate value to poll().
Return POLLIN | POLLRDNORM | POLLOUT | POLLWRNORM if ready to read/write,
POLLOUT | POLLWRNORM otherwise.
Fix 2012/03/08
@ Allow returning other errors when ptrace permission cannot be checked.
Currently -EPERM is returned when ccs_ptrace_permission() returned an
error code. I changed to return the return value from ccs_ptrace_permission()
so that we can return -ESRCH when the target process was not found.
Fix 2012/02/29
@ Fix mount flags checking order.
Userspace can pass in arbitrary combinations of MS_* flags to mount().
If both MS_BIND and one of MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE
are passed, device name which should be checked for MS_BIND was not
checked because MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE had higher
priority than MS_BIND.
If both one of MS_BIND/MS_MOVE and MS_REMOUNT are passed, device name
which should not be checked for MS_REMOUNT was checked because MS_BIND/
MS_MOVE had higher priority than MS_REMOUNT.
Fix these bugs by changing the priority to MS_REMOUNT -> MS_BIND ->
MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE -> MS_MOVE, as do_mount()
does. Also, I changed to unconditionally return -EINVAL if more than one
of MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE is passed so that TOMOYO
will not generate inaccurate audit logs, for commit 7a2e8a8f "VFS: Sanity
check mount flags passed to change_mnt_propagation()" clarified that
these flags must be exclusively passed.
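The flag-priority bug and its fix, side by side, as an added example (this is not ccs-patch code; the "old" order is reconstructed from the description above, where propagation flags outranked MS_BIND and MS_BIND/MS_MOVE outranked MS_REMOUNT). The MS_* values are the Linux uapi constants, defined here so the example builds stand-alone. Two further points are assumptions of this example rather than statements from the changelog: for MS_MOVE the device name is the source directory and is checked as a pathname, and for a plain new mount whether the device name is checked depends on the filesystem type (compare the 2019/07/27 entry). Function and enum names are hypothetical.

```c
/* Mount-flag classification before and after the 2012/02/29 fix (added
 * example, not ccs-patch code). */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Linux uapi values; the guards only matter if <sys/mount.h> is included. */
#ifndef MS_REMOUNT
#define MS_REMOUNT	32
#endif
#ifndef MS_BIND
#define MS_BIND		4096
#endif
#ifndef MS_MOVE
#define MS_MOVE		8192
#endif
#ifndef MS_UNBINDABLE
#define MS_UNBINDABLE	(1 << 17)
#endif
#ifndef MS_PRIVATE
#define MS_PRIVATE	(1 << 18)
#endif
#ifndef MS_SLAVE
#define MS_SLAVE	(1 << 19)
#endif
#ifndef MS_SHARED
#define MS_SHARED	(1 << 20)
#endif
#define MS_PROPAGATION	(MS_SHARED | MS_PRIVATE | MS_SLAVE | MS_UNBINDABLE)

enum ccs_mount_kind {
	CCS_MOUNT_REMOUNT,	/* dev_name must not be checked */
	CCS_MOUNT_BIND,		/* dev_name is a directory and is checked */
	CCS_MOUNT_PROPAGATION,	/* dev_name is ignored */
	CCS_MOUNT_MOVE,		/* dev_name is the source directory (assumption) */
	CCS_MOUNT_NEW		/* dev_name check depends on the filesystem (assumption) */
};

/* Buggy order: propagation -> MS_BIND -> MS_MOVE -> MS_REMOUNT. */
int ccs_mount_kind_old(unsigned long flags)
{
	if (flags & MS_PROPAGATION)
		return CCS_MOUNT_PROPAGATION;
	if (flags & MS_BIND)
		return CCS_MOUNT_BIND;
	if (flags & MS_MOVE)
		return CCS_MOUNT_MOVE;
	if (flags & MS_REMOUNT)
		return CCS_MOUNT_REMOUNT;
	return CCS_MOUNT_NEW;
}

/* Fixed order: MS_REMOUNT -> MS_BIND -> propagation -> MS_MOVE, as do_mount()
 * does, and -EINVAL when more than one propagation flag is set. */
int ccs_mount_kind_fixed(unsigned long flags)
{
	unsigned long prop = flags & MS_PROPAGATION;

	if (prop & (prop - 1))	/* two or more mutually exclusive flags */
		return -EINVAL;
	if (flags & MS_REMOUNT)
		return CCS_MOUNT_REMOUNT;
	if (flags & MS_BIND)
		return CCS_MOUNT_BIND;
	if (prop)
		return CCS_MOUNT_PROPAGATION;
	if (flags & MS_MOVE)
		return CCS_MOUNT_MOVE;
	return CCS_MOUNT_NEW;
}

/* Whether dev_name takes part in the "file mount" permission check. */
bool ccs_mount_checks_dev(int kind)
{
	return kind == CCS_MOUNT_BIND || kind == CCS_MOUNT_MOVE ||
	       kind == CCS_MOUNT_NEW;
}

int main(void)
{
	static const char *const names[] = {
		"remount", "bind", "propagation", "move", "new"
	};
	/* Constructed flag combinations from the two bug descriptions plus
	 * the now-rejected double propagation flag. */
	const unsigned long cases[] = {
		MS_BIND | MS_SHARED, MS_BIND | MS_REMOUNT, MS_SHARED | MS_PRIVATE
	};
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		int old = ccs_mount_kind_old(cases[i]);
		int fixed = ccs_mount_kind_fixed(cases[i]);

		printf("flags 0x%lx: old=%s fixed=%s\n", cases[i], names[old],
		       fixed < 0 ? "-EINVAL" : names[fixed]);
	}
	return 0;
}
```

With the old order, MS_BIND|MS_SHARED is treated as a propagation change and the bind source is never checked; with the fixed order it is a bind mount and the device name (the source directory) is checked, while MS_BIND|MS_REMOUNT is a remount and the device name is left alone.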
Fix 2012/02/25
@ Follow changes in linux-next.
UMH_WAIT_PROC constant (currently 1) is scheduled for renumbering in 3.4.
Use UMH_WAIT_PROC constant instead of hardcoded constant in preparation
for backporting call_usermodehelper() related changes. If renumbering was
backported, you will start experiencing the kernel panic upon execution
of external policy loader (i.e. /sbin/ccs-init), for the kernel will no
longer wait for completion of external policy loader process.
Although I changed to use UMH_WAIT_PROC constant, this change could fail
to detect renumbering in 2.6.22 and earlier kernels, for UMH_WAIT_PROC
constant is currently available to only 2.6.23 and later kernels. If you
started to experience the kernel panic, please check whether renumbering
was backported or not.
Fix 2012/01/20
@ Follow changes in 3.3-rc1.
Use umode_t rather than mode_t.
Remove ipv6_addr_copy() usage.
Fix 2011/12/13
@ Follow __d_path() behavior change. (Only 2.6.36 and later)
The behavior of __d_path() has changed in 3.2-rc5. __d_path() now returns
NULL when the pathname cannot be calculated. You must update to this
version when using with 3.2-rc5 and later kernels, or the kernel will
panic because ccs_get_absolute_path() triggers NULL pointer dereference.
The patch that changed the behavior of __d_path() might be backported to
2.6.36 to 3.1 kernels. You must update to this version if the patch was
backported, or you will experience the kernel panic as with 3.2-rc5.
The patch that changed the behavior of __d_path() also changed the way of
handling pathnames under lazy-unmounted directory. Until now, TOMOYO was
using incomplete pathnames returned by __d_path() when the pathname is
under lazy-unmounted directory. But from now on, TOMOYO uses different
pathnames returned by ccs_get_local_path() when the pathname is under
lazy-unmounted directory (because __d_path() no longer returns it).
Since applications are unlikely to do lazy unmounts, requesting pathnames
under a lazy-unmounted directory should not happen unless the administrator
explicitly does lazy unmounts. But pathnames which are defined for such
conditions in the policy file (if any) will need to be rewritten.
Fix 2011/11/18
@ Fix kernel config mapping error.
Due to a typo in ccs_p2mac definition, mode for CONFIG::file::execute was
by error used when checking "file getattr" permission. Most users will
not be affected by this error because CONFIG::file::execute and
CONFIG::file::getattr are by default configured to use CONFIG::file or
CONFIG settings.
Fix 2011/11/11
@ Optimize for object's size.
I rearranged functions/variables into three groups in order to reduce
object's filesize. Also, I added kernel config options for reducing more
by excluding unnecessary functionality.
Fix 2011/10/24
@ Fix incomplete read after seek.
ccs_flush() tries to flush data to be read as soon as possible.
ccs_select_domain() (which is called by write()) enqueues data which
meant to be read by next read(), but previous read()'s read buffer's
size was not cleared. As a result, since 1.8.0, sequence like
char *cp = "select global-pid=1\n";
read(fd, buf1, sizeof(buf1));
write(fd, cp, strlen(cp));
read(fd, buf2, sizeof(buf2));
causes enqueued data to be flushed to buf1 rather than buf2.
@ Use query id for reaching target process's domain policy.
Use query id for reaching target process's domain policy rather than
target process's global PID. This is for synchronizing with TOMOYO 2.x,
but this change makes /usr/sbin/ccs-queryd more reliable because the
kernel will return empty domain policy when the query has expired before
ccs-queryd reaches target process's domain policy.
@ Fix quota counting.
"task manual_domain_transition" should not be counted for quota as with
"task auto_domain_transition"/"task auto_execute_handler"/
"task denied_execute_handler" because these are not appended by learning
mode.
Fix 2011/09/25
@ Simplify garbage collector.
It turned out that use of batched processing tends to choke garbage
collector when certain pattern of entries are queued. Thus, I replaced it
with sequential processing.
Fix 2011/09/16
@ Allow specifying domain transition preference.
I got an opinion that it is difficult to use exception policy's domain
transition control directives because they need to match the pathname
specified to "file execute" directives. For example, if "file execute
/bin/\*\-ls\-cat" is given, corresponding domain transition control
directive needs to be like "no_keep_domain /bin/\*\-ls\-cat from any".
To solve this difficulty, I introduced optional argument that supersedes
exception policy's domain transition control directives.
file execute /bin/ls keep exec.realpath="/bin/ls" exec.argv[0]="ls"
file execute /bin/cat keep exec.realpath="/bin/cat" exec.argv[0]="cat"
file execute /bin/\*\-ls\-cat child
file execute /usr/sbin/httpd <apache> exec.realpath="/usr/sbin/httpd" exec.argv[0]="/usr/sbin/httpd"
This argument allows transition to different domains based on conditions.
<kernel> /usr/sbin/sshd
file execute /bin/bash <kernel> /usr/sbin/sshd //batch-session exec.argc=2 exec.argv[1]="-c"
file execute /bin/bash <kernel> /usr/sbin/sshd //root-session task.uid=0
file execute /bin/bash <kernel> /usr/sbin/sshd //nonroot-session task.uid!=0
ChangeLog for ccs-patch 1.8.2
Fix 2011/09/03
@ Avoid race when retrying "file execute" permission check.
There was a race window in which the pathname subjected to the
"file execute" permission check could change when retrying via the
supervisor's decision, because the pathname was recalculated upon retry.
Though, there is an inevitable race window even without the supervisor,
for we have to calculate the symbolic link's pathname from
"struct linux_binprm"->filename rather than from
"struct linux_binprm"->file because we cannot back-calculate the symbolic
link's pathname from the dereferenced pathname.
@ Remove unneeded daemonize().
The garbage collector thread has been created using kthread_create() since
2.6.7. Kernel threads created by kthread_create() do not need to call
daemonize().
Fix 2011/07/13
@ Accept "::" notation for IPv6 address.
In order to add network access restriction to TOMOYO 2.4, I backported
routines for parsing/printing IPv4/IPv6 address from kernel 3.0 into
TOMOYO 1.8.2.
Now, IPv6 address accepts "::1" instead of "0:0:0:0:0:0:0:1".
Fix 2011/07/07
@ Remove /proc/ccs/.domain_status interface.
Writing to /proc/ccs/.domain_status can be emulated by
( echo "select " $domainname; echo "use_profile " $profile ) |
/usr/sbin/ccs-loadpolicy -d
and reading from /proc/ccs/.domain_status can be emulated by
grep -A 1 '^<' /proc/ccs/domain_policy |
awk ' { if ( domainname == "" ) { if ( substr($1, 1, 1) == "<" )
domainname = $0; } else if ( $1 == "use_profile" ) {
print $2 " " domainname; domainname = ""; } } ; '
. Since this interface is used by only /usr/sbin/ccs-setprofile ,
remove this interface by updating /usr/sbin/ccs-setprofile .
Fix 2011/06/14
@ Remove unused "struct inode *" parameter from ccs-patch-\*.diff .
To follow changes I made on 2011/04/20, I removed "struct inode *" from
ccs_mknod_permission(), ccs_mkdir_permission(), ccs_rmdir_permission(),
ccs_unlink_permission(), ccs_symlink_permission(), ccs_link_permission(),
ccs_rename_permission() that are called from fs/namei.c
net/unix/af_unix.c include/linux/security.c security/security.c .
If you have your own ccs-patch-*.diff , please update accordingly.
Fix 2011/06/10
@ Allow specifying trigger for activation.
To be able to use TOMOYO under systemd environments where init= parameter
is used, I changed to allow overriding the trigger for calling external
policy loader and activating MAC via kernel command line options.
Fix 2011/06/06
@ Add policy namespace support.
To be able to use TOMOYO in LXC environments, I introduced policy
namespace. Each policy namespace has its own set of domain policy,
exception policy and profiles, which are all independent of other
namespaces.
@ Remove CONFIG_CCSECURITY_BUILTIN_INITIALIZERS option.
From now on, exception policy and manager need to be able to handle
policy namespace (which is a <$namespace> prefix added to each line).
Thus, space-separated list for CONFIG_CCSECURITY_BUILTIN_INITIALIZERS is
no longer suitable for handling policy namespace.
ChangeLog for ccs-patch 1.8.1
Fix 2011/05/11
@ Fix wrong domainname validation.
"<kernel>" + "/foo/\" + "/bar" was by error checked when
"<kernel> /foo/\* /bar" was given. As a result, legal domainnames like
"<kernel> /foo/\* /bar" are rejected.
Fix 2011/05/05
@ Fix wrong profile number in audit logs for "misc env" permission.
Profile number used for "file execute" permission was by error reused
when generating audit logs for "misc env" permission.
Fix 2011/04/20
@ Remove unused "struct inode *" parameter from hooks.
Since pre-vfs functions were removed on 2010/09/18, "struct inode *"
parameter which was used for checking parent directory's DAC permission
is no longer used.
Note that "struct ccsecurity_operations ccsecurity_ops" has changed.
Loadable kernel modules that depend on it need to be rebuilt.
Fix 2011/04/03
@ Fix fcntl(F_SETFL, O_APPEND) handling.
Since 1.8.0, TOMOYO was by error checking "file write" permission rather
than "file append" permission when changing file's writing mode from
"overwriting" to "append".
This error should impact little (except CentOS 6.0 kernels) because once
a file was opened for "overwriting" mode, changing that file to "append"
mode cannot undo overwriting the file. Regarding CentOS 6.0 kernels,
due to different ACC_MODE definition, TOMOYO was by error needlessly
checking "file read" permission when fcntl() was requested.
Fix 2011/03/31
@ Fix conditional policy parsing.
Since exec.realpath= and symlink.target= accept path_group,
symlink.target="@foo" was by error parsed as symlink.target=@foo .
@ Serialize updating profile's comment line.
We need to serialize when updating COMMENT= line in /proc/ccs/profile .
Fix 2011/03/15
@ Pack policy when printing via /proc/ccs/ interface.
The kernel side is ready for accepting packed input like
file read/write/execute /path/to/file
but was using unpacked output like
file read /path/to/file
file write /path/to/file
file execute /path/to/file
because most of userland tools were not ready for accepting packed input.
The advantages of using packed policy are that it makes policy files
smaller and it speeds up loading/saving policy files.
Since most of userland tools are ready for accepting packed input by now,
I changed to use packed policy for both input and output.
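A packer for the unpacked-to-packed transformation described above, as an added example (this is not ccs-patch or ccs-tools code). It merges single-path "file" ACL lines that share a pathname into the "file op1/op2/... /path" form shown above. Assumptions beyond the changelog: only lines of exactly three fields ("file <op> <path>") are merged, because a fourth field would be a mode, a second pathname or a condition parameter and those lines must stay separate; operations are joined in first-seen order; already packed input such as "file read/write /x" is accepted; every other line passes through unchanged at its position. Function names are hypothetical.

```c
/* Pack "file <op> <path>" lines into "file op1/op2 <path>" (added example,
 * not ccs-patch code; see the lead-in for the assumptions). */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_LINE	256
#define MAX_ENTRIES	64

struct policy_line {
	bool is_file_acl;
	char ops[MAX_LINE];	/* "read/write/execute" */
	char path[MAX_LINE];	/* pathname argument */
	char raw[MAX_LINE];	/* unchanged line when !is_file_acl */
};

/* True only for exactly three fields with the "file" keyword. */
static bool parse_file_acl(const char *line, char *op, char *path)
{
	char kw[MAX_LINE], extra[MAX_LINE];
	int n = sscanf(line, "%255s %255s %255s %255s", kw, op, path, extra);

	return n == 3 && strcmp(kw, "file") == 0;
}

static bool has_op(const char *ops, const char *op)
{
	size_t n = strlen(op);

	while (*ops) {
		size_t seg = strcspn(ops, "/");

		if (seg == n && strncmp(ops, op, n) == 0)
			return true;
		ops += seg + (ops[seg] == '/');
	}
	return false;
}

/* Append each '/'-separated operation in newops to ops unless present. */
static bool add_ops(char *ops, const char *newops)
{
	while (*newops) {
		size_t seg = strcspn(newops, "/");
		size_t len = strlen(ops);

		if (seg == 0 || len + 1 + seg >= MAX_LINE)
			return false;
		{
			char one[MAX_LINE];

			memcpy(one, newops, seg);
			one[seg] = '\0';
			if (!has_op(ops, one)) {
				if (len)
					ops[len++] = '/';
				memcpy(ops + len, one, seg + 1);
			}
		}
		newops += seg + (newops[seg] == '/');
	}
	return true;
}

/* Returns the number of output lines, or -1 if a limit was exceeded. */
int pack_file_acls(const char *const *in, int n, char out[][MAX_LINE], int max_out)
{
	struct policy_line entries[MAX_ENTRIES];
	int count = 0, i, k;

	for (i = 0; i < n; i++) {
		char op[MAX_LINE], path[MAX_LINE];
		struct policy_line *e;

		if (!parse_file_acl(in[i], op, path)) {
			if (count == MAX_ENTRIES)
				return -1;
			e = &entries[count++];
			e->is_file_acl = false;
			snprintf(e->raw, MAX_LINE, "%s", in[i]);
			continue;
		}
		for (k = 0; k < count; k++)
			if (entries[k].is_file_acl && !strcmp(entries[k].path, path))
				break;
		if (k == count) {
			if (count == MAX_ENTRIES)
				return -1;
			e = &entries[count++];
			e->is_file_acl = true;
			e->ops[0] = '\0';
			strcpy(e->path, path);
		} else {
			e = &entries[k];
		}
		if (!add_ops(e->ops, op))
			return -1;
	}
	if (count > max_out)
		return -1;
	for (k = 0; k < count; k++) {
		int w = entries[k].is_file_acl
			? snprintf(out[k], MAX_LINE, "file %s %s", entries[k].ops, entries[k].path)
			: snprintf(out[k], MAX_LINE, "%s", entries[k].raw);
		if (w < 0 || w >= MAX_LINE)
			return -1;
	}
	return count;
}
```

Feeding the three unpacked lines above through pack_file_acls() yields the single packed line "file read/write/execute /path/to/file"; a line such as "file link /a /b" has four fields and is passed through untouched.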
Fix 2011/03/10
@ Remove /proc/ccs/meminfo interface.
Please use /proc/ccs/stat interface instead.
Fix 2011/03/05
@ Support built-in policy configuration.
To be able to start using enforcing mode from the early stage of boot
sequence, I added support for built-in policy configuration and
activating access control without calling external policy loader program.
This will be useful for systems where operations which can lead to the
hijacking of the boot sequence are needed before loading the policy.
For example, you can activate immediately after loading the fixed part of
policy which will allow only operations needed for mounting a partition
which contains the variant part of policy and verifying (e.g. running GPG
check) and loading the variant part of policy. Since you can start using
enforcing mode from the beginning, you can reduce the possibility of
hijacking the boot sequence.
Fix 2011/03/01
@ Run garbage collector without waiting for /proc/ccs/ users.
Currently TOMOYO holds SRCU lock upon open() and releases it upon close()
because list elements stored in the "struct ccs_io_buffer" instances are
accessed until close() is called. However, such SRCU usage causes lockdep
to complain about leaving the kernel with SRCU lock held. Therefore,
I changed to hold/release SRCU upon each read()/write() by selectively
deferring kfree() by keeping track of the "struct ccs_io_buffer"
instances.
ChangeLog for ccs-patch 1.8.0
Fix 2011/02/07
@ Fix infinite loop bug when reading /proc/ccs/audit or /proc/ccs/query .
In ccs_flush(), head->r.w[0] holds pointer to string data to be printed.
But head->r.w[0] was updated only when the string data was partially
printed (because head->r.w[0] will be updated by head->r.w[1] later if
completely printed). However, regarding /proc/ccs/audit and
/proc/ccs/query , an additional '\0' is printed after the string data was
completely printed. But if free space for read buffer became 0 before
printing the additional '\0', ccs_flush() was returning without updating
head->r.w[0]. As a result, ccs_flush() forever reprints already printed
string data.
Fix 2011/01/11
@ Use filesystem name for unnamed devices when vfsmount is missing.
"Change pathname for non-rename()able filesystems." changed to use
"$fsname:" if the filesystem does not support rename() operation and
"dev($major,$minor):" otherwise when vfsmount is missing. But it turned
out that it is useless to use "dev($major,$minor):" for unnamed devices
(filesystems with $major == 0). Thus, I changed to use "$fsname:" rather
than "dev($major,$minor):" for filesystems with $major == 0 when vfsmount
is missing.
Fix 2010/12/17
@ Split ccs_null_security into ccs_default_security and ccs_oom_security.
ccs_null_security is used by preserve KABI compatibility option and is
used for providing default values against threads which have not yet
allocated memory for their security contexts.
If current thread failed to allocate memory for current thread's security
context, current thread uses ccs_null_security. Since current thread is
allowed to modify current thread's security context, current thread might
modify ccs_null_security which should not be modified for any reason.
Therefore, I split ccs_null_security into ccs_default_security and
ccs_oom_security and use ccs_oom_security when current thread failed to
allocate memory for current thread's security context.
Threads which do not share ccs_oom_security are not affected by threads
which share ccs_oom_security. Threads which share ccs_oom_security will
experience temporary inconsistency, but such threads are about to be
killed by SIGKILL signal.
Fix 2010/12/01
@ Use same interface for audit logs.
To be able to perform fine grained filtering by /usr/sbin/ccs-auditd ,
I merged /proc/ccs/grant_log and /proc/ccs/reject_log as
/proc/ccs/audit and added granted=yes or granted=no to audit logs.