Notes for TOMOYO Linux project

This is a handy Mandatory Access Control patch for Linux kernels.
This patch is released under the GPLv2.

Project URL: http://tomoyo.sourceforge.jp/

The authors of this patch (hereafter, we) don't have much experience
in kernel programming. We are worried that this patch may contain
some mistakes such as missing hooks, improper locations of hooks, or
potential deadlocks. There may be better ways of implementation.
All kinds of comments, pointing out errors, and suggestions are welcome.

We do hope this patch reduces the labor of server security management
and that you enjoy life with Linux.

This project was very much inspired by the comic "Card Captor SAKURA",
one of CLAMP's masterworks.
The names SAKURA, TOMOYO and SYAORAN were borrowed from the comic
with heartfelt thanks to CLAMP.



ChangeLog:

Version 1.0 2005/11/11 First release.

Fix 2005/11/18

    @ Add setattr() missing hook in SYAORAN fs.

      setattr() checking for special inodes was missing.

Fix 2005/11/25

    @ Allow initrd.img to include /sbin/init .

      Since version 1.0 loads policy when /sbin/init is called
      for the first time, an initrd.img without the policy directory
      mustn't start /sbin/init . This forced users not to use
      an initrd.img that includes /sbin/init .
      I modified it to delay loading policy if the policy directory
      doesn't exist and to wait for /sbin/init being called again.

Fix 2005/12/02

    @ Use lookup_one_len() instead of lookup_hash().

      Kernel 2.6.15 changed the parameters of lookup_hash().
      I modified it to use lookup_one_len() to keep compatibility.

Fix 2005/12/06

    @ Add S_ISDIR() check in SYAORAN fs.

      A malicious configuration file that attempts to create an inode
      under a non-directory inode caused a segmentation fault.

Version 1.0.1 2005/12/08 Minor update release.

Fix 2006/01/04

    @ Add CheckWritePermission() check in unix_bind().

      I modified it to check write permission in unix_bind(), for
      sys_mknod(S_IFSOCK) checks write permission.

    @ Show hook version in proc_misc_init().

      The hook part of this patch depends on the kernel's version,
      while the rest of this patch doesn't.
      I added the hook version so that the administrator can
      know the last modified date of the hooks.

    @ Move permission checks from filp_open() to open_namei().

      I moved the location of checking MAC's permission
      from filp_open() to open_namei().

    @ Fix an error in filp_open(). (only 2.6.15-rc5)

      This error was only in the patch for 2.6.15-rc5 and
      was fixed in the patch for 2.6.15.

Fix 2006/01/12

    @ Add /proc/ccs/info/self_domain.

      I added /proc/ccs/info/self_domain so that userland programs
      can know the name of the domain they belong to if necessary.

Fix 2006/01/13

    @ Merge constants for CheckTaskCapability().

      I merged *_INHERITABLE_* and *_LOCAL_* to avoid always
      calling CheckTaskCapability() with both constants.

    @ DropTaskCapability() returns -EAGAIN on success.

      DropTaskCapability() must not return 0 on success, for
      DropTaskCapability() is called from do_execve().

    @ Fix an error for chroot() permission check.

      The chroot() restriction was not working due to the following mistake.
      CheckChRootPermission() || CheckTaskCapability() returns 0 or 1, while
      CheckChRootPermission() | CheckTaskCapability() returns 0 or -EPERM.

Fix 2006/01/17

    @ Suppress some of the debug messages in TOMOYO.

      I added KERN_DEBUG to suppress some of the debug messages.

Fix 2006/01/19

    @ Remove isRoot() checks in AddChrootACL() and AddMountACL().

      I found a program that needs to chroot as non-root.
      So, I stopped checking uid=euid=0 in these functions so that
      "accept mode" can append ACLs.
      isRoot() is checked in AddChrootPolicy() and AddMountPolicy().

    @ Map NULL device name to "<NULL>" in AddMountACL().

      VMware mounts vmware-hgfs with a NULL device name.
      So I mapped the NULL device name to "<NULL>".

Fix 2006/01/20

    @ Suppress some of the debug messages in SAKURA.

      I added KERN_DEBUG to suppress some of the debug messages.

    @ Call panic() if loading the given profile failed.

      Call panic() if a profile index was given via the CCS= parameter
      but the profile doesn't exist.
      If the CCS= parameter is not given, the kernel attempts to load
      profile 0, but it doesn't call panic() if profile 0 doesn't exist.

Fix 2006/01/24

    @ Use full_name_hash() for IsGloballyReadableFile().

      I modified it to use full_name_hash() for a faster scan.

    @ Add signal checking condition in CheckSignalACL().

      The documentation says "if the target domain's domainname
      starts with the source domain's domainname, it is always granted"
      but actually it isn't. I'll change the documentation instead of
      changing the source code.

      Also, checking for pid = -1 was missing. This error was fixed.

Fix 2006/02/09

    @ Use mutex_lock()/mutex_unlock() instead of down()/up().

      Kernel 2.6.16 changed members of "struct inode".
      I modified it to use mutex_lock()/mutex_unlock() for 2.6.16 and later
      and down()/up() for before 2.6.16.

Version 1.0.2 2006/02/14 Many bug-fixes release.

Fix 2006/02/21

    @ Divide generic-write permission into individual write permissions.

      Write permission was divided into the following permissions.

        'mkdir' for creating a directory.
        'rmdir' for deleting a directory.
        'create' for creating a regular file.
        'unlink' for deleting a non-directory.
        'mksock' for creating a UNIX domain socket.
        'mkfifo' for creating a FIFO.
        'mkchar' for creating a character device.
        'mkblock' for creating a block device.
        'link' for creating a hard link.
        'symlink' for creating a symbolic link.
        'rename' for renaming a directory or non-directory.
        'truncate' for truncating a regular file.

      The permission check for opening files is done using
      the conventional read/write/execute permissions.

    @ Add /proc/ccs/info/mapping.

      I added /proc/ccs/info/mapping so that userland programs
      can know the mapping of individual write permissions.

Fix 2006/02/27

    @ Fix handling of trailing '\*' in PathMatchesToPattern().

      PathMatchesToPattern("/tmp/", "/tmp/\*") returned true
      because "\*" matches "zero or more characters
      until '/' or end". But since this is a comparison between
      a directory and a non-directory, it should not match.

      This behavior causes the following security risks.
      In enforce mode, allowing "2 /tmp/\*" grants
      "mkdir /tmp/" and "rmdir /tmp/", which should be
      granted only when "2 /tmp/" is allowed.
      In accept mode, "mkdir /tmp/" or "rmdir /tmp/" appends
      "2 /tmp/\*" to the domain policy if "file_pattern /tmp/\*"
      is in the exception policy.

      I changed it not to ignore the trailing '\*' in the pattern
      if the pathname ends with '/'.

Fix 2006/03/01

    @ Add missing spinlock in GetAbsolutePath().

      vfsmount_lock was missing.

Fix 2006/03/08

    @ Add support for "shared subtree" mount operations.

      Kernel 2.6.15 introduced the "shared subtree" functionality.
      But CheckMountPermission() couldn't recognize the flags for
      do_change_type().

    @ Add support for more mount flags.

      The atime/noatime, diratime/nodiratime, recurse/norecurse flags
      are supported.

Fix 2006/03/20

    @ Check port numbers only for AF_INET/AF_INET6.

      CheckBindEntry() and CheckConnectEntry() should check port numbers
      only when the given address family is either AF_INET or AF_INET6,
      for an address family such as AF_UNSPEC could be passed to bind()
      and connect() for PF_INET/PF_INET6 sockets.

Fix 2006/03/27

    @ Use /proc/self/ rather than /proc/\$/ for the current process.

      GetAbsolutePath() now uses "self" instead of the pid
      if the current process refers to information related to itself.
      This exception violates the rule "TOMOYO Linux's pathnames don't
      contain symbolic links before the last '/'", but I think it is worth
      doing so. The following are the merits gained by this exception.

      Prevents administrators from granting redundant permissions
      when a process needs to refer only to the current process's information.

      Allows administrators to make the current process's information always
      readable using the 'allow_read' directive.

Version 1.1 2006/04/01 Functionality enhancement release.

Fix 2006/04/03

    @ Use queue instead of fixed sized array for audit log.

      WriteAuditLog() now uses a queue to save statically allocated memory.
      Administrators can give any size for audit logs at runtime.

    @ Use kzalloc() instead of kmalloc() + memset().

      kmalloc() + memset() were replaced with kzalloc().

Fix 2006/04/04

    @ Support "delayed enforcing" mode.

      Until now, an access request was immediately rejected
      if the policy didn't allow that access and the system was
      running in enforce mode.
      Sometimes, especially after updating software,
      some unexpected access requests arise from proper procedures.
      Such access requests should be granted because
      they are not caused by malicious attacks.
      So I introduced a mechanism to allow the administrator some grace
      to decide whether to grant or reject such access requests.
      This mechanism is implemented in the following manner.
      "Don't return immediately if permission is denied."
      "Sleep for a while waiting for the administrator's decision."
      "Return successfully if the administrator tells it to do so."

Fix 2006/04/12

    @ Fix handling of prefix in GetAbsolutePath().

      Some objects don't have the prefix "/".
      A pipe has the prefix "pipe:" and a socket has the prefix "socket:".
      GetAbsolutePath() couldn't handle prefixes other than '/' properly.

    @ Remove IsCorrectPath() checks for File Access Control functions.

      File Access Control functions accepted only pathnames that start
      with '/' because these functions assumed pathnames returned by
      GetAbsolutePath() always start with '/'.
      However, I found a program that opens an unnamed pipe via
      (probably) the /proc/PID/fd/ directory. (You can see entries like
      "pipe:[number]" if you run "ls -l /proc/*/fd/".)
      Now, File Access Control functions have to accept pathnames
      that don't start with '/'. So, I stopped checking IsCorrectPath().

Fix 2006/04/19

    @ Fix handling of NULL nameidata in vfs_open().

      In 2.6 kernels, the NFS daemon and sys_mq_open() call
      vfs_create() with a NULL nameidata. In such cases,
      CheckSingleWritePermission() must not be called.

Version 1.1.1 2006/05/15 Functionality enhancement release.

Fix 2006/05/16

    @ Support program files aggregation.

      Until now, programs that have no fixed names and their
      parent programs had to be run in a trusted domain
      since it is impossible to use patterns for granting
      execute permission and defining domains.
      I introduced a mechanism to aggregate similar programs
      using the 'aggregator' directive.
      Some examples:

      'aggregator /tmp/logrotate.\?\?\?\?\?\? /tmp/logrotate.tmp'
      to run all temporary programs for logrotate as /tmp/logrotate.tmp

      'aggregator /usr/bin/tac /bin/cat'
      to run /usr/bin/tac and /bin/cat as /bin/cat

Fix 2006/05/18

    @ Unlimit max count for audit log.

      I forgot to replace MAX_GRANT_LOG and MAX_REJECT_LOG with INT_MAX
      so that administrators can give any size for audit logs at runtime.

Fix 2006/05/22

    @ Support individual domain ACL removal.

      Until now, to remove ACLs from a domain, the administrator had to
      delete and recreate that domain, which wastes a lot of memory.
      I introduced a mechanism to remove domain ACLs without deleting and
      recreating domains.
      The administrator can delete domains or remove ACLs from domains
      via /proc/ccs/policy/domain_policy .
      /proc/ccs/policy/delete_domain and /proc/ccs/policy/update_domain
      were removed.

Fix 2006/05/30

    @ Add missing spinlock in SAKURA_MayMount().

      vfsmount_lock was missing.

Version 1.1.2 2006/06/02 Functionality enhancement release.

Fix 2006/06/13

    @ Merge tomoyo_connect.c and tomoyo_bind.c into tomoyo_port.c

      I merged these files, whose only difference is CONNECT versus BIND
      and which are likely to be enabled both or neither.

    @ Add CONFIG_TOMOYO_AUDIT option.

      I made the auditing functions optional because some Linux boxes
      may not have enough disk space to store audit logs.

Fix 2006/06/15

    @ Support use of symbolic links for program execution.

      Until now, domains for programs executed by dereferencing
      symbolic links were defined using the dereferenced pathnames.
      This was inconvenient for some Linux boxes that use busybox but
      can't keep hard links to busybox.
      I introduced a mechanism to allow using the pathnames of
      symbolic links using the 'alias' directive.
      Some examples:

      'alias /sbin/busybox /bin/ls' to run /bin/ls
      (which is a symbolic link to /sbin/busybox) as /bin/ls
      if /bin/ls is executed.

      'alias /bin/bash /bin/sh' to run /bin/sh
      (which is a symbolic link to /bin/bash) as /bin/sh
      if /bin/sh is executed.

Fix 2006/06/21

    @ Use ccs_alloc() instead of kzalloc().

      To detect memory leaks,
      I added a wrapper for tracing kmalloc() and kfree().
      There is no way to detect memory leaks caused by ccs-*.txt .

Version 1.1.3 2006/07/13 Functionality enhancement release.

Fix 2006/07/14

    @ Change behavior of pathname pattern matching.

      Until now, it was impossible to use patterns like "\*.txt"
      because "\*" matched zero or more characters up to the next '/'.
      Now, "\*" matches zero or more characters.

      Until now, it was impossible to use patterns like "\$00"
      because "\$" matched one or more digits up to the next
      non-digit character.
      Now, "\$" matches one or more digits.

      Also, new patterns "\x" "\X" "\a" "\A" "\@" are added.

Fix 2006/07/21

    @ Add CONFIG_TOMOYO_NETWORK option.

      Until now, only port numbers for TCP and UDP were controllable.
      Now, the combination of IPv4/IPv6 address and port numbers
      for TCP and UDP is controllable.
      CONFIG_TOMOYO_NETWORKPORT became obsolete.

Fix 2006/07/25

    @ Change matching rule for CheckFileACL().

      Until now, only the first entry that matched the requested pathname
      was used for permission checking. For example, if the two entries

        "2 /tmp/file-\$.txt"
        "4 /tmp/fil\?-0.txt"

      are given in this order and the requested pathname is "/tmp/file-0.txt",
      the "2 /tmp/file-\$.txt" is used. But if the two entries

        "4 /tmp/fil\?-0.txt"
        "2 /tmp/file-\$.txt"

      are given in this order, the "4 /tmp/fil\?-0.txt" is used.
      This may potentially cause trouble because the result of
      permission checks depends on the order of entries.

      Now, all entries that match the requested pathname
      are used for permission checking so that the result of
      permission checks doesn't depend on the order of entries.

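The pattern semantics from the 2006/02/27 and 2006/07/14 entries and the order-independent CheckFileACL() rule from the 2006/07/25 entry, as an added C example written for this page (not the project's own code). It assumes that '\*' and '\?' still exclude '/', that '\*' and '\$' backtrack, and that a pathname ending in '/' only matches a pattern ending in '/' (which generalizes the trailing-'\*' fix); the permission bits 1/2/4 follow the "N /path" entries quoted above.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Recursive matcher for TOMOYO-style patterns (assumed semantics):
 *   \*  zero or more characters other than '/', backtracking so that a
 *       trailing literal such as ".txt" can still match
 *   \?  exactly one character other than '/'
 *   \$  one or more decimal digits, also backtracking (so "\$00" works)
 * Every other character, including '/', must match literally. */
static bool match_from(const char *path, const char *pat)
{
    while (*pat) {
        if (pat[0] == '\\' && pat[1] == '*') {
            for (;;) {              /* shortest span first, then extend */
                if (match_from(path, pat + 2))
                    return true;
                if (*path == '\0' || *path == '/')
                    return false;
                path++;
            }
        }
        if (pat[0] == '\\' && pat[1] == '?') {
            if (*path == '\0' || *path == '/')
                return false;
            path++;
            pat += 2;
            continue;
        }
        if (pat[0] == '\\' && pat[1] == '$') {
            if (!isdigit((unsigned char)*path))
                return false;
            for (path++;; path++) { /* at least one digit, then extend */
                if (match_from(path, pat + 2))
                    return true;
                if (!isdigit((unsigned char)*path))
                    return false;
            }
        }
        if (*path++ != *pat++)      /* literal character */
            return false;
    }
    return *path == '\0';
}

/* Directory rule generalizing the 2006/02/27 fix: a pathname ending in '/'
 * names a directory and only matches a pattern that also ends in '/', so
 * "/tmp/" no longer matches "/tmp/\*". */
bool path_matches_to_pattern(const char *path, const char *pattern)
{
    size_t pl = strlen(path), ql = strlen(pattern);
    bool path_is_dir = pl > 0 && path[pl - 1] == '/';
    bool pattern_is_dir = ql > 0 && pattern[ql - 1] == '/';
    return path_is_dir == pattern_is_dir && match_from(path, pattern);
}

/* Permission bits of the "N /path" entries: 1 = execute, 2 = write, 4 = read. */
enum { PERM_EXEC = 1, PERM_WRITE = 2, PERM_READ = 4 };
struct file_acl { int perm; const char *pattern; };

/* Old rule: only the first entry whose pattern matches is consulted. */
bool check_file_acl_first_match(const struct file_acl *acl, size_t n,
                                const char *path, int want)
{
    for (size_t i = 0; i < n; i++)
        if (path_matches_to_pattern(path, acl[i].pattern))
            return (acl[i].perm & want) == want;
    return false;
}

/* Rule since 2006/07/25: every matching entry contributes, so the answer no
 * longer depends on the order of entries. */
bool check_file_acl_all_match(const struct file_acl *acl, size_t n,
                              const char *path, int want)
{
    int granted = 0;
    for (size_t i = 0; i < n; i++)
        if (path_matches_to_pattern(path, acl[i].pattern))
            granted |= acl[i].perm;
    return (granted & want) == want;
}

/* The two orderings quoted in the entry ("\\" in C source is one backslash). */
static const struct file_acl order_a[] = {
    { PERM_WRITE, "/tmp/file-\\$.txt" }, { PERM_READ, "/tmp/fil\\?-0.txt" } };
static const struct file_acl order_b[] = {
    { PERM_READ, "/tmp/fil\\?-0.txt" }, { PERM_WRITE, "/tmp/file-\\$.txt" } };

/* True when first-match answers the read request differently for the two
 * orderings while all-match grants it for both. */
bool demo_order_dependence(void)
{
    const char *p = "/tmp/file-0.txt";
    bool old_a = check_file_acl_first_match(order_a, 2, p, PERM_READ);
    bool old_b = check_file_acl_first_match(order_b, 2, p, PERM_READ);
    return old_a != old_b && check_file_acl_all_match(order_a, 2, p, PERM_READ)
                          && check_file_acl_all_match(order_b, 2, p, PERM_READ);
}
```
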
Fix 2006/07/27

    @ Support RAW IPv4/IPv6 control.

      Some programs such as 'ping' and 'traceroute' use raw IP sockets.
      Now, the combination of IPv4/IPv6 address and protocol numbers
      for IP is controllable.

Fix 2006/08/04

    @ Add filename and argv[0] comparison check.

      The domain transition was done based on the filename passed to do_execve(),
      while the behavior was defined based on argv[0].
      There is no problem if the program is an argv[0]-unaware application.
      But if it is argv[0]-aware, access control bypassing happens if the process
      transits to a trusted domain but behaves as a different program.
      For example, when the administrator specifies the domain for /bin/ls as
      trusted but both /bin/ls and /bin/cat are links to /sbin/busybox ,
      a cracker can run /bin/cat in a trusted domain if the cracker
      succeeds in invoking do_execve() with filename = "/bin/ls" and
      argv[0] = "/bin/cat".

      I introduced a directive that permits the mismatch of
      the basename of the filename and argv[0].

Fix 2006/08/10

    @ Support ID based condition checks.

      It was impossible to use process IDs (uid, gid and so on) for
      checking individual domain ACLs.

      Now it became possible to use process IDs for checking individual
      domain ACLs. For example,

        "1 /bin/sh if task.euid!=0"

      allows the domain to execute /bin/sh only when the process's euid
      is not 0, and

        "6 /home/\*/\* if task.uid=path1.uid"

      allows the domain to read and write the user's home directory
      only when the file's owner matches the process's uid.

Fix 2006/08/22

    @ Fix ROUNDUP() in fs/realpath.c .

      Alignment using sizeof(int) may be inappropriate for 64bit environments.
      I changed it to use the larger of sizeof(void *) and sizeof(long)
      instead of sizeof(int).
      For environments where sizeof(int) = sizeof(long) = sizeof(void *),
      this change has no effect.

Version 1.2 2006/09/03 Functionality enhancement release.

Fix 2006/09/30

    @ Fix CheckFilePerm() in fs/tomoyo_file.c .

      The location of the call to path_release() was too early.

Fix 2006/10/02

    @ Support per-domain profile.

      It became possible to assign different profiles to different domains.
      This will help administrators using the building-up approach.

Fix 2006/10/05

    @ Change parameters for CheckFilePerm().

      I was re-resolving pathnames inside CheckFilePerm() even though
      the caller function had already resolved them.
      So I changed it to pass the dentry and vfsmount instead of the pathname,
      and removed the changes made on 2006/09/30.

Fix 2006/10/06

    @ Support deny_rewrite and allow_rewrite permission.

      It became possible to make regular files append-only
      using the "deny_rewrite" directive in the exception policy and
      to override it using the "allow_rewrite" directive in the domain policy.

      Regular files specified using the "deny_rewrite" directive
      can't be open()ed with O_TRUNC or without O_APPEND,
      can't be truncate()ed or ftruncate()ed, and
      can't have the O_APPEND flag turned off using fcntl(F_SETFL)
      unless specified using the "allow_rewrite" directive.

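The append-only rules of the entry above as an added C example (not the project's code): it classifies a request as a rewrite exactly as the entry lists them, then applies deny_rewrite from the exception policy and allow_rewrite from the domain policy. The sample policies and the exact-pathname comparison are assumptions made for the example.

```c
#include <fcntl.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Which kind of request is being checked. */
enum rewrite_op { OP_OPEN, OP_TRUNCATE, OP_FCNTL_SETFL };

/* Stand-in for the two directives: a "deny_rewrite" list from the exception
 * policy and an "allow_rewrite" list from the domain policy.  Exact-path
 * comparison (no patterns) is an assumption made to keep the example short. */
struct rewrite_policy {
    const char *const *deny_rewrite;    /* NULL-terminated */
    const char *const *allow_rewrite;   /* NULL-terminated */
};

static bool in_list(const char *const *list, const char *path)
{
    for (; *list; list++)
        if (strcmp(*list, path) == 0)
            return true;
    return false;
}

/* True when the request counts as a rewrite of an existing file: an open()
 * with O_TRUNC or a write open() without O_APPEND, any truncate()/
 * ftruncate(), or an fcntl(F_SETFL) whose new flag word lacks O_APPEND. */
bool is_rewrite_request(enum rewrite_op op, int flags)
{
    switch (op) {
    case OP_OPEN:
        if (flags & O_TRUNC)
            return true;
        return (flags & O_ACCMODE) != O_RDONLY && !(flags & O_APPEND);
    case OP_TRUNCATE:
        return true;
    case OP_FCNTL_SETFL:
        return !(flags & O_APPEND);
    }
    return false;
}

/* Decide whether the policy forbids the request (the kernel would answer
 * -EPERM): deny_rewrite in the exception policy makes the file append-only,
 * allow_rewrite in the domain policy lifts that for the domain. */
bool rewrite_denied(const struct rewrite_policy *pol, const char *path,
                    enum rewrite_op op, int flags)
{
    if (!is_rewrite_request(op, flags))
        return false;
    if (!in_list(pol->deny_rewrite, path))
        return false;
    return !in_list(pol->allow_rewrite, path);
}

/* Constructed sample policies: a logging domain may only append to the log,
 * while a rotation domain is additionally allowed to rewrite (rotate) it. */
static const char *const deny_list[] = { "/var/log/messages", NULL };
static const char *const no_allow[] = { NULL };
static const char *const rotate_allow[] = { "/var/log/messages", NULL };
const struct rewrite_policy syslog_policy = { deny_list, no_allow };
const struct rewrite_policy logrotate_policy = { deny_list, rotate_allow };
```
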
549 |
|
|
Fix 2006/10/12 |
550 |
|
|
|
551 |
|
|
@ Enable configuration options by default for kernel config. |
552 |
|
|
|
553 |
|
|
CONFIG_SAKURA and CONFIG_TOMOYO are now 'y' by default |
554 |
|
|
and CONFIG_SYAORAN is now 'm' by default. |
555 |
|
|
|
556 |
|
|
Fix 2006/10/13 |
557 |
|
|
|
558 |
|
|
@ Use external policy loader. |
559 |
|
|
|
560 |
|
|
Until now, policies are loaded when /sbin/init starts and |
561 |
|
|
initial control levels are switched using CCS= parameter. |
562 |
|
|
But since some boxes have to fixate kernel command line options |
563 |
|
|
at compilation time, I think it will become more flexible |
564 |
|
|
by running external policy loader using init= parameter so that |
565 |
|
|
initial control levels can be specified before /sbin/init starts. |
566 |
|
|
|
567 |
|
|
Call panic() if initial control levels are not specified. |
568 |
|
|
|
569 |
|
|
Fix 2006/10/16 |
570 |
|
|
|
571 |
|
|
@ Add missing parameter in FindNextDomain(). |
572 |
|
|
|
573 |
|
|
'struct file' was needed for allowing 'if path1.*' checks. |
574 |
|
|
|
575 |
|
|
Fix 2006/10/23 |
576 |
|
|
|
577 |
|
|
@ Print error messages in CheckFlags(). |
578 |
|
|
|
579 |
|
|
Some users seem to have troubles picking up all necessary |
580 |
|
|
entries for the configuration file of SYAORAN filesystem |
581 |
|
|
since makesyaoranconf can't pick up entries that are |
582 |
|
|
nonexistent at the time. |
583 |
|
|
I added error message so that users can find missing entries |
584 |
|
|
using dmesg. |
585 |
|
|
|
586 |
|
|
Fix 2006/10/24 |
587 |
|
|
|
588 |
|
|
@ Change /proc/ccs/info/self_domain . |
589 |
|
|
|
590 |
|
|
I changed /proc/ccs/info/self_domain to return |
591 |
|
|
the domain of open time rather than first read time. |
592 |
|
|
This modification makes shell's redirection usage |
593 |
|
|
more convenient since redirection opens file |
594 |
|
|
but doesn't read at the time. |
595 |
|
|
|
596 |
|
|
'cat < /proc/ccs/info/self_domain' will return |
597 |
|
|
the domain of shell, and |
598 |
|
|
'cat /proc/ccs/info/self_domain' will return |
599 |
|
|
the domain of cat . |
600 |
|
|
|
601 |
|
|
Fix 2006/11/06 |
602 |
|
|
|
603 |
|
|
@ Replace MAX_ENFORCE_GRACE with ALLOW_ENFORCE_GRACE. |
604 |
|
|
|
605 |
|
|
Since it was inconvenient that requests that are waiting for |
606 |
|
|
supervisor's decision are rejected automatically when |
607 |
|
|
MAX_ENFORCE_GRACE seconds has elapsed, I modified WriteAnswer() |
608 |
|
|
reset timeout counter whenever a supervisor's decision is written |
609 |
|
|
and I modified ccs-queryd write a dummy decision every seconds |
610 |
|
|
so that the requests won't be rejected automatically as long as |
611 |
|
|
ccs-queryd is running. |
612 |
|
|
This change made MAX_ENFORCE_GRACE's meaning boolean. |
613 |
|
|
So I fixated MAX_ENFORCE_GRACE to 10 seconds and removed |
614 |
|
|
MAX_ENFORCE_GRACE parameter. |
615 |
|
|
To allow administrators selectively enable "delayed enforcing" |
616 |
|
|
mode, I added ALLOW_ENFORCE_GRACE parameter. |
617 |
|
|
The behavior of "delayed enforcing" mode is defined |
618 |
|
|
in the following order. |
619 |
|
|
|
620 |
|
|
(1) The requests are rejected immediately if ALLOW_ENFORCE_GRACE=0. |
621 |
|
|
(2) The requests are rejected immediately |
622 |
|
|
if nobody is opening /proc/ccs/policy/query interface. |
623 |
|
|
(3) The requests won't be rejected automatically |
624 |
|
|
if ALLOW_ENFORCE_GRACE=1 and ccs-queryd is running. |
625 |
|
|
(4) The requests will be rejected in 10 seconds |
626 |
|
|
if somebody other than ccs-queryd (such as less(1)) is |
627 |
|
|
opening /proc/ccs/policy/query interface, for |
628 |
|
|
such process doesn't write dummy decisions. |
629 |
|
|
|
630 |
|
|
Version 1.3 2006/11/11 First anniversary release. |
631 |
|
|
|
632 |
|
|
Fix 2006/11/13 |
633 |
|
|
|
634 |
|
|
@ Replace trust_domain with keep_domain. |
635 |
|
|
|
636 |
|
|
Since it was troublesome that there are two elements that can disable MAC |
637 |
|
|
(assigning a profile that doesn't enable MAC or registering domains |
638 |
|
|
with trust_domain directive), I removed trust_domain directive. |
639 |
|
|
Instead, I introduced keep_domain directive to not to transit domains |
640 |
|
|
unless a program registered with initializer directive is executed. |
641 |
|
|
This change has the following advantages. |
642 |
|
|
|
643 |
|
|
(1) Allows administrator use "enforce mode" for operations after login. |
644 |
|
|
Since it was difficult to know what commands and files are invoked |
645 |
|
|
and accessed in what sequences beforehand, we had to use trust_domain |
646 |
|
|
directive for such domain, allowing users invoke any commands and |
647 |
|
|
access any files in any sequence. |
648 |
|
|
But now, we can use keep_domain directive and assign a profile for |
649 |
|
|
"enforce mode" for such domain, forcing users invoke only allowed |
650 |
|
|
commands and access only allowed files in any sequence |
651 |
|
|
while these operations are kept under the control of "enforce mode". |
652 |
|
|
|
653 |
|
|
(2) Allows administrator determine easily whether the domain is |
654 |
|
|
under MAC or not because only the profile currently assigned to |
655 |
|
|
the domain determines it. |
656 |
|
|
|
657 |
|
|
(3) Saves total number of domains and memory. |
658 |
|
|
|
659 |
|
|
Fix 2006/11/22 |
660 |
|
|
|
661 |
|
|
@ Don't allow use of undefined profile. |
662 |
|
|
|
663 |
|
|
To avoid assigning undefined profile to domains by error, |
664 |
|
|
I added checks before assigning profiles to domains. |
665 |
|
|
Now, profiles have to be defined prior to assigning them to domains. |
666 |
|
|
|
667 |
|
|
Version 1.3.1 2006/12/08 Minor update release. |
668 |
|
|
|
669 |
|
|
Fix 2006/12/10 |
670 |
|
|
|
671 |
|
|
@ Allow pathname grouping. |
672 |
|
|
|
673 |
|
|
To reduce the labor of repeating '/\*' to allow access recursively, |
674 |
|
|
I introduced a macro 'path_group' to make group such pathnames. |
675 |
|
|
For example, you had to give like |
676 |
|
|
|
677 |
|
|
4 /var/www/html/\* |
678 |
|
|
4 /var/www/html/\*/\* |
679 |
|
|
4 /var/www/html/\*/\*/\* |
680 |
|
|
4 /var/www/html/\*/\*/\*/\* |
681 |
|
|
|
682 |
|
|
but now, you can give just |
683 |
|
|
|
684 |
|
|
4 @WEB-CONTENTS |
685 |
|
|
|
686 |
|
|
if you give |
687 |
|
|
|
688 |
|
|
path_group WEB-CONTENTS /var/www/html/\* |
689 |
|
|
path_group WEB-CONTENTS /var/www/html/\*/\* |
690 |
|
|
path_group WEB-CONTENTS /var/www/html/\*/\*/\* |
691 |
|
|
path_group WEB-CONTENTS /var/www/html/\*/\*/\*/\* |
692 |
|
|
|
693 |
|
|
in the exception policy. |
694 |
|
|
This macro will be useful when grouping different directories. |
695 |
|
|
|
696 |
|
|
Fix 2006/12/15 |
697 |
|
|
|
698 |
|
|
@ Use structured pathnames instead for simple 'char *'. |
699 |
|
|
|
700 |
|
|
To reduce the cost of strcmp(), I changed the return value of |
SaveName() from 'const char *' to 'const struct path_info *'.
This change will speed up PathMatchesToPattern() comparison.

Fix 2006/12/19

@ Allow registering policy managers using domainnames.

It was difficult to restrict the programs that can update policies
via the /proc/ccs/ interfaces using the pathnames of those programs,
because those programs could be invoked unintentionally.
Now it is poss
ible to restrict the domains that can update policies
via the /proc/ccs/ interfaces, in addition to restricting by program.
Restricting by domainname makes it easier to avoid unintended
invocation.

Fix 2006/12/22

@ Add initialize_domain, no_initialize_domain, no_keep_domain

To control domain transitions more strictly, the
initialize_domain, no_initialize_domain and no_keep_domain directives
were introduced.

"initialize_domain /some/program" means
jump to the "<kernel> /some/program" domain if /some/program is
called from any domain.
This is equivalent to the conventional "initializer /some/program".

"initialize_domain /some/program from some_domain" means
jump to the "<kernel> /some/program" domain only if /some/program is
called from the "some_domain" domain.

"no_initialize_domain /some/program" means
don't jump to the "<kernel> /some/program" domain, even if
"initialize_domain /some/program" or
"initialize_domain /some/program from some_domain" is given,
when /some/program is called from any domain.

"no_initialize_domain /some/program from some_domain" means
don't jump to the "<kernel> /some/program" domain, even if
"initialize_domain /some/program" or
"initialize_domain /some/program from some_domain" is given,
when /some/program is called from the "some_domain" domain.

"keep_domain some_domain" means don't jump to a child domain
when any program is called from the "some_domain" domain.

"keep_domain /some/program from some_domain" means
don't jump to a child domain only when /some/program is
called from the "some_domain" domain.

"no_keep_domain some_domain" means
jump to a child domain, even if
"keep_domain /some/program" or
"keep_domain /some/program from some_domain" is given,
when any program is called from the "some_domain" domain.

"no_keep_domain /some/program from some_domain" means
jump to a child domain, even if
"keep_domain /some/program" or
"keep_domain /some/program from some_domain" is given,
when /some/program is called from the "some_domain" domain.

"some_domain" can be just the last component of a domainname.
For example, giving "/bin/mail" as "some_domain" matches
all domains whose domainname ends with "/bin/mail".
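
As an added example (not code from the TOMOYO project), the following C program models the transition rules above in userspace. The rule table, the domainnames and the function names (next_domain, domain_matches, the rule struct) are constructed for this illustration; the "<kernel>" root name and the last-component matching of "some_domain" come from the text. One assumption this model makes that the entry does not state: an applicable initialize_domain is consulted before keep_domain, so an initializer wins over a keeper, and each no_* directive only cancels its positive counterpart.

```c
#include <stdio.h>
#include <string.h>

/* One exception-policy directive. "program" is NULL for the forms that name
 * only a domain ("keep_domain some_domain", "no_keep_domain some_domain");
 * "from" is NULL for the forms that apply from any domain
 * ("initialize_domain /some/program", "no_initialize_domain /some/program"). */
enum kind { INITIALIZE, NO_INITIALIZE, KEEP, NO_KEEP };
struct rule {
    enum kind kind;
    const char *program;
    const char *from;
};

/* "some_domain" is either the full domainname or just its last component. */
int domain_matches(const char *domainname, const char *pattern)
{
    size_t dlen = strlen(domainname), plen = strlen(pattern);
    if (dlen == plen)
        return strcmp(domainname, pattern) == 0;
    /* last-component form: the domainname ends with " " followed by pattern */
    return dlen > plen && domainname[dlen - plen - 1] == ' ' &&
           strcmp(domainname + dlen - plen, pattern) == 0;
}

static int rule_applies(const struct rule *r, enum kind k,
                        const char *domain, const char *program)
{
    if (r->kind != k)
        return 0;
    if (r->program && strcmp(r->program, program) != 0)
        return 0;
    if (r->from && !domain_matches(domain, r->from))
        return 0;
    return 1;
}

static int any_applies(const struct rule *rules, size_t n, enum kind k,
                       const char *domain, const char *program)
{
    for (size_t i = 0; i < n; i++)
        if (rule_applies(&rules[i], k, domain, program))
            return 1;
    return 0;
}

enum transition { TRANS_INITIALIZE, TRANS_KEEP, TRANS_CHILD, TRANS_TRUNCATED = -1 };

/* Compute the domain `program` will run in when executed from `domain`.
 * Assumption of this model: initializer rules are consulted before keeper
 * rules, and a no_* rule cancels the corresponding positive rule. */
int next_domain(const struct rule *rules, size_t n, const char *domain,
                const char *program, char *out, size_t outsize)
{
    int len;
    enum transition t;
    if (any_applies(rules, n, INITIALIZE, domain, program) &&
        !any_applies(rules, n, NO_INITIALIZE, domain, program)) {
        len = snprintf(out, outsize, "<kernel> %s", program);
        t = TRANS_INITIALIZE;
    } else if (any_applies(rules, n, KEEP, domain, program) &&
               !any_applies(rules, n, NO_KEEP, domain, program)) {
        len = snprintf(out, outsize, "%s", domain);
        t = TRANS_KEEP;
    } else {
        len = snprintf(out, outsize, "%s %s", domain, program);
        t = TRANS_CHILD;
    }
    return (len < 0 || (size_t)len >= outsize) ? TRANS_TRUNCATED : (int)t;
}

/* Constructed rule table for the demonstration. */
const struct rule example_rules[] = {
    { INITIALIZE,    "/usr/sbin/sshd", NULL },             /* initialize_domain /usr/sbin/sshd */
    { NO_INITIALIZE, "/usr/sbin/sshd", "/usr/sbin/sshd" }, /* no_initialize_domain /usr/sbin/sshd from /usr/sbin/sshd */
    { KEEP,          NULL,             "/bin/mail" },      /* keep_domain /bin/mail */
    { NO_KEEP,       "/bin/sh",        "/bin/mail" },      /* no_keep_domain /bin/sh from /bin/mail */
};
const size_t example_rules_len = sizeof(example_rules) / sizeof(example_rules[0]);

int main(void)
{
    static const char *const cases[][2] = {
        { "<kernel> /sbin/init", "/usr/sbin/sshd" },
        { "<kernel> /usr/sbin/sshd", "/usr/sbin/sshd" },
        { "<kernel> /usr/sbin/sendmail /bin/mail", "/usr/bin/vim" },
        { "<kernel> /usr/sbin/sendmail /bin/mail", "/bin/sh" },
    };
    char buf[256];
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        int t = next_domain(example_rules, example_rules_len,
                            cases[i][0], cases[i][1], buf, sizeof buf);
        printf("%s exec %s -> %s (transition %d)\n", cases[i][0], cases[i][1], buf, t);
    }
    return 0;
}
```

The sshd case shows what combining initialize_domain with a "no_initialize_domain X from X" exception does: when "<kernel> /usr/sbin/sshd" re-executes /usr/sbin/sshd it becomes the child "<kernel> /usr/sbin/sshd /usr/sbin/sshd" instead of jumping back to "<kernel> /usr/sbin/sshd". The mail case shows a keep_domain written as a last component: "/bin/mail" matches "<kernel> /usr/sbin/sendmail /bin/mail", but a pattern such as "bin/mail" would not, because the match must start at a component boundary.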

Fix 2007/01/19

@ Allow reuse of memory allocated for domain policy.

Domain policy, unlike the other policies, didn't have an
"is_deleted" flag, so new memory was allocated
whenever deleted entries were given again.
To allow administrators to switch domain policy periodically,
I introduced an "is_deleted" flag.

Writing "some_domain" to /proc/ccs/policy/domain_policy
creates "some_domain" using new memory if it didn't exist.

Writing "select some_domain" doesn't create "some_domain"
if it didn't exist.

Writing "delete some_domain" deletes "some_domain"
but does not delete the entries in "some_domain".

Writing "undelete some_domain" undeletes "some_domain"
if it was deleted by "delete some_domain".

Fix 2007/01/22

@ Allow getting already deleted pathnames.

To allow getting pathnames that are already deleted,
I removed the (IS_ROOT(dentry) || !d_unhashed(dentry)) check.

Fix 2007/01/26

@ Limit string length to 4000.

I was using PAGE_SIZE (4096 in many environments)
as the maximum length of any string data.
But for environments that have a larger PAGE_SIZE,
doing memset(ptr, 0, PAGE_SIZE) every time is too wasteful.

Fix 2007/01/29

@ Add garbage collector for domain policy.

Writing "some_domain" to /proc/ccs/policy/domain_policy
creates "some_domain" using new memory only if
some process is still staying in that deleted domain.
If no process is staying in that deleted domain,
"some_domain" is undeleted with all of its ACLs deleted.

Version 1.3.2 2007/02/14 Usability enhancement release.

Fix 2007/02/20

@ Allow address grouping.

To reduce the labor of repeating similar IPv4/IPv6 addresses,
I introduced an 'address_group' macro to group such addresses.
For example, you used to have to give

allow_network TCP accept 10.0.0.0-10.255.255.255 1024-65535
allow_network TCP accept 172.16.0.0-172.31.255.255 1024-65535
allow_network TCP accept 192.168.0.0-192.168.255.255 1024-65535

but now you can give just

allow_network TCP accept @localnet 1024-65535

if you give

address_group localnet 10.0.0.0-10.255.255.255
address_group localnet 172.16.0.0-172.31.255.255
address_group localnet 192.168.0.0-192.168.255.255

in the exception policy.
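
As an added example (not the project's own parser), the following C program reads the three address_group lines above from a constructed exception-policy text and then resolves the address operand of an allow_network line, whether it is written as "@localnet", as an explicit "A-B" range or as a single address. It handles IPv4 only; the IPv6 form the entry also mentions is not modelled. The function names (load_address_groups, address_matches, parse_address_group) and the sample policy are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct addr_range {
    char group[32];
    uint32_t lo, hi;
};

/* Parse a dotted-quad IPv4 address at s. With end != NULL the address may be
 * followed by more text and *end is set past it; with end == NULL the whole
 * string must be the address. Returns 1 on success, 0 on malformed input. */
static int parse_ipv4(const char *s, uint32_t *out, const char **end)
{
    unsigned a, b, c, d;
    int n = 0;
    if (sscanf(s, "%u.%u.%u.%u%n", &a, &b, &c, &d, &n) != 4 || n == 0)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = ((uint32_t)a << 24) | (b << 16) | (c << 8) | d;
    if (end)
        *end = s + n;
    else if (s[n] != '\0')
        return 0;
    return 1;
}

/* "A-B" or "A" -> [lo, hi]. Returns 1 on success, 0 on malformed input. */
int parse_range(const char *s, uint32_t *lo, uint32_t *hi)
{
    const char *end;
    if (!parse_ipv4(s, lo, &end))
        return 0;
    if (*end == '-') {
        if (!parse_ipv4(end + 1, hi, &end))
            return 0;
    } else {
        *hi = *lo;
    }
    return *end == '\0' && *lo <= *hi;
}

/* One exception-policy line. Returns 1 and fills *r for
 * "address_group NAME A-B" / "address_group NAME A", 0 for anything else. */
int parse_address_group(const char *line, struct addr_range *r)
{
    int n = 0;
    if (sscanf(line, "address_group %31s %n", r->group, &n) != 1 || n == 0)
        return 0;
    return parse_range(line + n, &r->lo, &r->hi);
}

/* Collect every address_group line of a policy text into tbl. */
size_t load_address_groups(const char *policy, struct addr_range *tbl, size_t max)
{
    size_t n = 0;
    char line[256];
    while (*policy && n < max) {
        const char *nl = strchr(policy, '\n');
        size_t len = nl ? (size_t)(nl - policy) : strlen(policy);
        if (len < sizeof line) {
            memcpy(line, policy, len);
            line[len] = '\0';
            if (parse_address_group(line, &tbl[n]))
                n++;
        }
        policy += len + (nl ? 1 : 0);
    }
    return n;
}

/* Does the address operand of an allow_network line ("@group", "A-B" or "A")
 * cover ip? Unknown groups and malformed operands never match. */
int address_matches(const struct addr_range *tbl, size_t n, const char *operand, uint32_t ip)
{
    if (operand[0] == '@') {
        for (size_t i = 0; i < n; i++)
            if (strcmp(tbl[i].group, operand + 1) == 0 && ip >= tbl[i].lo && ip <= tbl[i].hi)
                return 1;
        return 0;
    }
    uint32_t lo, hi;
    return parse_range(operand, &lo, &hi) && ip >= lo && ip <= hi;
}

uint32_t ipv4(const char *s)
{
    uint32_t v = 0;
    return parse_ipv4(s, &v, NULL) ? v : 0;
}

/* Constructed exception policy: the three lines from the entry above plus
 * one unrelated line that the loader must skip. */
const char *example_exception_policy =
    "address_group localnet 10.0.0.0-10.255.255.255\n"
    "address_group localnet 172.16.0.0-172.31.255.255\n"
    "address_group localnet 192.168.0.0-192.168.255.255\n"
    "allow_read /etc/ld.so.cache\n";

int main(void)
{
    struct addr_range tbl[16];
    size_t n = load_address_groups(example_exception_policy, tbl, 16);
    const char *peers[] = { "192.168.1.10", "172.31.255.255", "172.32.0.1", "8.8.8.8" };
    printf("%zu address_group entries loaded\n", n);
    for (size_t i = 0; i < 4; i++)
        printf("allow_network TCP accept @localnet 1024-65535 vs %-15s -> %s\n", peers[i],
               address_matches(tbl, n, "@localnet", ipv4(peers[i])) ? "match" : "no match");
    return 0;
}
```

The loader rejects octets above 255 and reversed ranges instead of silently accepting them, which is the check a policy parser needs so that a typo cannot widen a group.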

Fix 2007/03/03

@ Remove obsolete functions.

@ Add some hooks.

The read permission check is done if open_exec()
is called from search_binary_handler().
The read permission check is not done if open_exec()
is called from do_execve(); instead,
the execute permission check is done in
search_binary_handler_with_transition().

I moved the calls to CheckCapabilityACL()
and CheckMountPermission() from sys_mount() to do_mount().

Fix 2007/03/07

@ Use 'unsigned int' for sscanf().

I compiled the SYAORAN fs in an x86_64 environment and found
the compiler showing warnings about the sizes of data types.
Since the sizes of data types may not match what sscanf() expects,
I replaced some types with 'unsigned int'.

Version 1.4 2007/04/01 x86_64 support release.

Fix 2007/04/18

@ Change argv[0] checking rule.

I was comparing the basename of the symbolic link's pathname with argv[0].
Since the execute permission check and the domain transition are done
based on the realpath, while the argv[0] check was done based on the symlink's
pathname and argv[0], this specification would allow an attacker to behave
as /bin/cat in the domain of /bin/ls if "/bin/ls and /bin/cat are
links to /sbin/busybox", "the attacker is permitted to create
a symlink named ~/cat that points to /bin/ls" and "the attacker is
permitted to run /bin/ls".
So I changed it to compare the basename of the realpath with argv[0].
Also, I moved the comparison to before the processing of the
"aggregator" directive, so that
"aggregator /tmp/logrotate.\?\?\?\?\?\? /tmp/logrotate.tmp"
won't cause a mismatch between the basename of the realpath and argv[0].

If /bin/ls is a symlink to /sbin/busybox, then
creating a symlink named ~/cat that points to /bin/ls and
executing ~/cat won't work as the attacker expects, because the permission check and
the domain transition are done using /sbin/busybox (the realpath of /bin/ls)
and will be rejected, since the administrator won't grant
"1 /sbin/busybox".

Fix 2007/05/07

@ Support pathname subtraction.

There was no way to exclude specific pathnames when granting
permissions using wildcards.
There would be a need to exclude specific files and directories.
I introduced "\-" as a subtraction operator.

"A\-B" means "A" other than "B".
"A\-B\-C" means "A" other than "B" and "C".
"A\-B\-C\-D" means "A" other than "B" and "C" and "D".

"A", "B", "C", "D" may contain wildcards.

An example usage is "/home/\*/\*\-.ssh/\*", which means
"/home/\*/\*/\*" other than "/home/\*/.ssh/\*".

"A" should contain wildcards because subtraction from constants
(e.g. "/usr\-usr/" or "/usr\-home/") is meaningless.

Don't try "A\-B\+C" because "\+" is not an addition operator.
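
As an added example (not code from the TOMOYO project), the following C program implements a pathname matcher with the semantics this entry describes: pattern and pathname are compared component by component, "\*" matches any run of characters inside one component, "\?" matches exactly one character, and "\-" subtracts the terms that follow it from the first term of the same component, so that "/home/\*/\*\-.ssh/\*" matches "/home/alice/bin/backup.sh" but not "/home/alice/.ssh/id_rsa". The component-wise treatment of "\-" and the function names (path_matches, component_allowed) are this example's assumptions, and the two wildcards modelled here are only those the page itself uses; the real policy language has more. Note that backslashes are doubled in the C literals.

```c
#include <stdio.h>
#include <string.h>

/* Match one pathname component `s` (NUL-terminated, no '/') against the
 * pattern bytes [p, pend). "\*" matches zero or more characters, "\?"
 * matches exactly one; any other "\x" pair stands for the literal x. */
static int component_matches(const char *s, const char *p, const char *pend)
{
    while (p < pend) {
        if (p[0] == '\\' && p + 1 < pend) {
            if (p[1] == '*') {
                for (const char *t = s;; t++) {   /* try every split point */
                    if (component_matches(t, p + 2, pend))
                        return 1;
                    if (*t == '\0')
                        return 0;
                }
            }
            if (p[1] == '?') {
                if (*s == '\0')
                    return 0;
            } else if (*s != p[1]) {
                return 0;
            }
            s++;
            p += 2;
            continue;
        }
        if (*s != *p)
            return 0;
        s++;
        p++;
    }
    return *s == '\0';
}

/* Split the pattern component on "\-": the first term must match `s` and
 * none of the following terms may match it ("A\-B\-C" = A other than B, C). */
static int component_allowed(const char *s, const char *p, const char *pend)
{
    const char *term = p;
    int first = 1;
    for (const char *q = p;;) {
        int at_end = q >= pend;
        int is_minus = !at_end && q[0] == '\\' && q + 1 < pend && q[1] == '-';
        if (at_end || is_minus) {
            int m = component_matches(s, term, q);
            if (first) {
                if (!m)
                    return 0;
                first = 0;
            } else if (m) {
                return 0;
            }
            if (at_end)
                return 1;
            q += 2;
            term = q;
        } else if (q[0] == '\\' && q + 1 < pend) {
            q += 2;        /* skip an escape pair as a unit */
        } else {
            q++;
        }
    }
}

/* Does `pattern` match `path`? Both are split on '/', the component counts
 * must agree, and every component must be allowed by its pattern component. */
int path_matches(const char *path, const char *pattern)
{
    const char *s = path, *p = pattern;
    for (;;) {
        const char *send = strchr(s, '/');
        const char *pend = strchr(p, '/');
        char comp[256];
        size_t len;
        if (!send)
            send = s + strlen(s);
        if (!pend)
            pend = p + strlen(p);
        len = (size_t)(send - s);
        if (len >= sizeof comp)
            return 0;
        memcpy(comp, s, len);          /* NUL-terminated copy for the matcher */
        comp[len] = '\0';
        if (!component_allowed(comp, p, pend))
            return 0;
        if (*send == '\0' || *pend == '\0')
            return *send == '\0' && *pend == '\0';
        s = send + 1;
        p = pend + 1;
    }
}

/* The pattern from the entry above, as a C literal. */
const char *example_pattern = "/home/\\*/\\*\\-.ssh/\\*";

int main(void)
{
    const char *paths[] = { "/home/alice/bin/backup.sh", "/home/alice/.ssh/id_rsa",
                            "/home/alice/.sshx/notes", "/home/alice/x" };
    for (size_t i = 0; i < 4; i++)
        printf("%-28s %s\n", paths[i], path_matches(paths[i], example_pattern) ? "match" : "no match");
    return 0;
}
```

The third sample shows that subtraction is exact: ".sshx" is not ".ssh", so it stays allowed, and the fourth shows that a pattern with four components never matches a three-component path.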

Fix 2007/05/24

@ Fix autobind hook.

The locations of the calls to SAKURA_MayAutobind() in net/ipv4/udp.c
and net/ipv6/udp.c were wrong.

Fix 2007/06/03

@ Add a space in MakeMountOptions().

I forgot to add a space after "atime" and "noatime".

Version 1.4.1 2007/06/05 Minor update release.

Fix 2007/07/04

@ Fix ReadAddressGroupPolicy() bug.

ReadAddressGroupPolicy() failed if both "path_group" and "address_group"
were used, because I forgot to set "head->read_var1 = NULL".

Fix 2007/07/10

@ Add compat_sys_stime() hook.

Some 64-bit kernels support compat_sys_stime(),
but the permission check was missing.

Version 1.4.2 2007/07/13 Bug fix release.

Fix 2007/08/06

@ Remove mount-flags manipulation.

Until now, the administrator was permitted to turn specific mount
options on or off regardless of the mount options passed to the kernel.
I removed this feature because "exact option matching" sounds better than
"automatic option enabler/disabler".

@ Remove /proc/ccs/info/mapping .

I removed /proc/ccs/info/mapping because nobody seems to use this
feature.

@ Call external policy loader automatically.

Until now, users had to add the init=/.init parameter to load the policy
before /sbin/init starts.
I inserted a call_usermodehelper() call that invokes the external policy loader when
execve("/sbin/init") is requested and the external policy loader exists.

This change removes the need for the init=/.init parameter in most environments,
although call_usermodehelper() can't handle interactive operations.

@ Move external policy loader from /.init to /sbin/ccs-init .

Installing programs in the / directory is not good for packaging.

Fix 2007/08/13

@ Update external policy loader.

It turned out that /sbin/ccs-init invoked via call_usermodehelper()
can handle interactive operations by opening /dev/console .
Now there is no difference between init=/sbin/ccs-init and
call_usermodehelper("/sbin/ccs-init"), and users no longer need to
add the init=/sbin/ccs-init parameter to load the policy before /sbin/init
starts.

Fix 2007/08/14

@ Update recvmsg() hooks.

Until now, it was impossible to apply network access control to
incoming UDP and RAW packets if they were brought to userland using
read() or recvmsg() with a NULL address, because the address buffer is NULL.
I moved the hooks from sock_recvmsg() to skb_recv_datagram() so that
network access control for incoming UDP and RAW packets always works.

Fix 2007/08/16

@ Return appropriate error code for CheckMountPermission().

I was returning -EPERM whenever something was wrong in CheckMountPermission().
But SELinux determines whether selinuxfs is supported by the kernel
based on whether the error code is -ENODEV or not.
So I stopped returning -EPERM unconditionally.

Fix 2007/08/17

@ Remove initializer directive.

Use "initialize_domain" instead of "initializer".

Fix 2007/08/21

@ Fix "allow_argv0 ... if if ..." bug.

It was impossible to use the word "if" as the second argument of
allow_argv0 if a condition part was used.

Fix 2007/08/24

@ Move /proc/ccs/\*/\* to /proc/ccs/\* .

Some pathnames of the /proc/ccs/ interface were changed.

Fix 2007/09/05

@ Drop MSG_PEEK'ed message before skb_free_datagram().

I need to remove the head message from an unwanted source
from the socket's receive queue so that the caller can pick up
the next message from a wanted source with the MSG_PEEK flag.

Version 1.5.0 2007/09/20 Usability enhancement release.

Fix 2007/09/27

@ Avoid eating memory after quota exceeded.

Although ACL entries in a domain won't be added if the domain's quota
has been exceeded, SaveName() in AddFileACL() was called anyway.
This caused unneeded memory consumption.

Now, quota checking is done before taking the domain_acl_lock lock.
This may exceed the quota by one or two entries, but that won't matter.

Fix 2007/10/16

@ Add environment variable check.

There are environment variables that may cause dangerous behavior,
like LD_\* .
So I introduced the 'allow_env' directive, which allows the specified
environment variable to be inherited by the next domain.
Unlike other permissions, this check is done at execve() time
using the next domain's ACL information.

To manage commonly inherited environment variables like PATH ,
you can use the 'allow_env' directive in the exception policy
to globally grant the specified environment variable.

Fix 2007/11/05

@ Replace semaphore with mutex.

I replaced the semaphore with a mutex.

@ Add missing down() in AddReservedEntry().

The mutex debugging capability told me that I had forgotten to call down()
since TOMOYO version 1.3.2 .
This function is not called by learning mode,
so the semaphore's counter will not overflow for normal usage.

Fix 2007/11/27

@ Fix ReadTable() truncation bug.

"snprintf(str, size, format, ...) >= size" means truncated.
But I was checking for "snprintf(str, size, format, ...) > size".
As a result, some entries might have been dumped without a '\n'.
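
To make the boundary case concrete, here is an added C illustration (not the project's ReadTable()) of the two checks side by side. snprintf() returns the length the output would have had, so a return value equal to the buffer size already means the terminating NUL displaced the last character; only ">= size" catches that. The function names (emit_entry_fixed, emit_entry_buggy, dump_entries) and the sample entries are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Write "<directive> <path>\n" into buf. Returns the length written, or -1 if
 * the entry did not fit. A return value equal to size is already a
 * truncation, hence ">= size". */
int emit_entry_fixed(char *buf, size_t size, const char *directive, const char *path)
{
    int len = snprintf(buf, size, "%s %s\n", directive, path);
    if (len < 0 || (size_t)len >= size)
        return -1;
    return len;
}

/* The pre-fix check: "> size" accepts the boundary case and reports success
 * for an entry whose trailing '\n' was cut off. */
int emit_entry_buggy(char *buf, size_t size, const char *directive, const char *path)
{
    int len = snprintf(buf, size, "%s %s\n", directive, path);
    if (len < 0 || (size_t)len > size)
        return -1;
    return len;
}

/* Does buf end with a complete entry? */
int ends_with_newline(const char *buf)
{
    size_t n = strlen(buf);
    return n > 0 && buf[n - 1] == '\n';
}

/* Dump entries into one fixed buffer (as a /proc read into a page would) until
 * one does not fit; returns how many entries the emitter reported as written. */
size_t dump_entries(char *buf, size_t size, const char *const *paths, size_t n,
                    int (*emit)(char *, size_t, const char *, const char *))
{
    size_t off = 0, count = 0;
    for (size_t i = 0; i < n; i++) {
        int len = emit(buf + off, size - off, "allow_read", paths[i]);
        if (len < 0)
            break;
        off += (size_t)len;
        count++;
    }
    return count;
}

int main(void)
{
    static const char *const paths[] = { "/etc/passwd", "/etc/group" };
    char page[23];   /* exactly the length of "allow_read /etc/passwd\n" */
    size_t n = dump_entries(page, sizeof page, paths, 2, emit_entry_buggy);
    printf("buggy check: %zu entries, complete last line: %d\n", n, ends_with_newline(page));
    n = dump_entries(page, sizeof page, paths, 2, emit_entry_fixed);
    printf("fixed check: %zu entries, complete last line: %d\n", n, ends_with_newline(page));
    return 0;
}
```

With the buggy check the dump claims one entry but the buffer holds "allow_read /etc/passwd" without its newline, which is exactly the symptom the entry describes; with the fixed check the emitter reports failure, so the caller knows to retry with more room rather than hand out a half line.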

@ Purge direct "->prev"/"->next" manipulation.

All list manipulations now use "struct list_head" or "struct list1_head".
"struct list1_head" doesn't have a "->prev" member, to save memory.

Fix 2007/11/29

@ Add missing semaphore in GetEXE().

Taking mm->mmap_sem was missing.

Fix 2007/12/17

@ Remove unused EXPORT_SYMBOL().

Mark some functions static.

Fix 2007/12/18

@ Fix AddMountACL() rejection bug.

To my surprise, "mount --bind source dest" accepts
not only "both source and dest are directories"
but also "both source and dest are non-directories".
I was rejecting the entry in AddMountACL() if dest was not a directory.

@ Change log format.

The profile number and mode are added to audit logs.

Fix 2008/01/03

@ Change directive for file's read/write/execute permission.

The directives for a file's read/write/execute permissions were
4/2/1 respectively. For easier understanding, they are now
replaced by read/write/execute (e.g. "allow_read" instead of "4").
For easier input, 4/2/1 are still accepted in place of
allow_read/allow_write/allow_execute respectively.

@ Change internal data structure.

Since I don't have more than 16 types of file permissions,
I combined them using bit-fields.

Each entry had a field for conditional permission support.
But since this field is unlikely to be used, I separated the field from
the common part.

These changes will reduce the memory used by the policy.

Fix 2008/01/15

@ Add ptrace() hook.

To prevent attackers from controlling important processes using
ptrace(), I added a hook for ptrace().
Most programs (except strace(1) and gdb(1)) won't use ptrace(2).

@ Fix sleep condition check in CheckSocketRecvDatagramPermission().

It seems that the correct method to use is in_atomic()
rather than in_interrupt(), because in_atomic() returns nonzero
whenever scheduling is not allowed.

Fix 2008/02/05

@ Use find_task_by_vpid() instead of find_task_by_pid().

Kernel 2.6.24 introduced PID namespaces.
To look up a PID given from userland, the kernel needs to use
find_task_by_vpid() instead of find_task_by_pid().

Fix 2008/02/14

@ Add execve() parameter checking.

Until now, it was impossible to check the argv[] and envp[] parameters
passed to execve().
I expanded the conditional permission syntax so that the
{ argc, envc, argv[] , envp[] } parameters can be checked if needed.
This allows the administrator to permit execution of /bin/sh only when
/bin/sh is invoked in the form "/bin/sh -c" and the environment variable
HOME is set, by specifying

allow_execute /bin/sh if exec.argv[1]="-c" exec.envp["HOME"]!=NULL

in the policy.
This extension makes it harder for exploit code to start /bin/sh, because
exploit code is unlikely to set up environment variables and unlikely to
specify the "-c" option when invoking /bin/sh , whereas legitimate callers
are likely to set up environment variables and likely to specify the "-c" option.

Fix 2008/02/18

@ Add process state checking.

Until now, it was impossible to change the ACL without executing a program.
I added three variables for performing stateful checking within a domain.
You can set the current process's state like:

allow_network TCP accept @TRUSTED_HOSTS 1024-65535 ; set task.state[0]=1
allow_network TCP accept @UNTRUSTED_HOSTS 1024-65535 ; set task.state[0]=0

and you can use the state like

allow_read /path/to/important/file if task.state[0]=1

in the policy.
The state changes when the request is granted by the MAC policy,
so please be careful with situations where the state has changed
successfully but the request was not processed for other reasons
(e.g. out of memory).
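
As an added example covering both the execve() parameter conditions of Fix 2008/02/14 and the task.state conditions of this entry (not the kernel's own condition parser), the following C program evaluates the "if ..." part of an ACL line against a modelled request, and applies the "; set task.state[N]=V" action that follows a granted request. It understands the forms shown on this page (exec.argv[N], exec.envp["NAME"], exec.argc, exec.envc, task.state[N], with "=" and "!=", quoted strings and NULL). Assumptions of this model: terms are separated by single spaces, so a quoted value containing a space is out of scope, and unknown syntax fails closed. The struct, function names and the two constructed requests are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One execve() request as the conditions see it (constructed model, not the
 * kernel's structures). argv/envp are NULL-terminated; envp holds "NAME=value". */
struct exec_request {
    const char *const *argv;
    const char *const *envp;
    unsigned long state[3];          /* task.state[0..2] of the calling process */
};

static size_t vec_len(const char *const *v)
{
    size_t n = 0;
    while (v[n])
        n++;
    return n;
}

static const char *env_lookup(const char *const *envp, const char *name)
{
    size_t len = strlen(name);
    for (size_t i = 0; envp[i]; i++)
        if (strncmp(envp[i], name, len) == 0 && envp[i][len] == '=')
            return envp[i] + len + 1;
    return NULL;
}

/* Evaluate one term such as exec.argv[1]="-c", exec.envp["HOME"]!=NULL,
 * exec.argc=3 or task.state[0]=1. Returns 1/0, or -1 for syntax the
 * evaluator does not know (the caller then fails closed). */
static int eval_term(const char *term, size_t len, const struct exec_request *req)
{
    char buf[256], name[128];
    unsigned idx;
    int na = 0, ne = 0, ns = 0, is_string = 0, result;
    const char *str = NULL;          /* value of a string-valued lhs */
    unsigned long num = 0;

    if (len >= sizeof buf)
        return -1;
    memcpy(buf, term, len);
    buf[len] = '\0';

    char *op = strstr(buf, "!=");
    int negate = op != NULL;
    if (!op)
        op = strchr(buf, '=');
    if (!op)
        return -1;
    *op = '\0';
    const char *lhs = buf, *rhs = op + (negate ? 2 : 1);

    /* %n confirms the whole lhs was consumed, so "exec.argv[1]x" is rejected */
    if (sscanf(lhs, "exec.argv[%u]%n", &idx, &na) == 1 && na > 0 && lhs[na] == '\0') {
        is_string = 1;
        str = idx < vec_len(req->argv) ? req->argv[idx] : NULL;
    } else if (sscanf(lhs, "exec.envp[\"%127[^\"]\"]%n", name, &ne) == 1 && ne > 0 && lhs[ne] == '\0') {
        is_string = 1;
        str = env_lookup(req->envp, name);
    } else if (strcmp(lhs, "exec.argc") == 0) {
        num = vec_len(req->argv);
    } else if (strcmp(lhs, "exec.envc") == 0) {
        num = vec_len(req->envp);
    } else if (sscanf(lhs, "task.state[%u]%n", &idx, &ns) == 1 && ns > 0 && lhs[ns] == '\0' && idx < 3) {
        num = req->state[idx];
    } else {
        return -1;
    }

    if (is_string) {
        size_t rl = strlen(rhs);
        if (strcmp(rhs, "NULL") == 0)
            result = str == NULL;
        else if (rl < 2 || rhs[0] != '"' || rhs[rl - 1] != '"')
            return -1;
        else
            result = str != NULL && strlen(str) == rl - 2 && memcmp(str, rhs + 1, rl - 2) == 0;
    } else {
        char *end;
        unsigned long want = strtoul(rhs, &end, 10);
        if (*rhs == '\0' || *end != '\0')
            return -1;
        result = num == want;
    }
    return negate ? !result : result;
}

/* Evaluate the "if ..." part of an ACL line: every term must hold. An empty
 * condition (no "if" part) always holds. */
int condition_holds(const char *cond, const struct exec_request *req)
{
    const char *p = cond;
    while (*p == ' ')
        p++;
    if (strncmp(p, "if", 2) == 0 && (p[2] == ' ' || p[2] == '\0'))
        p += 2;
    for (;;) {
        while (*p == ' ')
            p++;
        if (*p == '\0')
            return 1;
        const char *end = strchr(p, ' ');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (eval_term(p, len, req) != 1)
            return 0;
        p += len;
    }
}

/* Apply the "; set task.state[N]=V" action of a granted request.
 * Returns 1 if a state slot was updated, 0 if the action was not understood. */
int apply_set(const char *action, struct exec_request *req)
{
    unsigned idx;
    unsigned long val;
    const char *p = action;
    while (*p == ' ' || *p == ';')
        p++;
    if (sscanf(p, "set task.state[%u]=%lu", &idx, &val) != 2 || idx >= 3)
        return 0;
    req->state[idx] = val;
    return 1;
}

/* Two constructed requests: /bin/sh roughly as a cron job invokes it, and as
 * typical shellcode does (no arguments, empty environment). */
static const char *const argv_cron[] = { "/bin/sh", "-c", "/usr/bin/run-parts", NULL };
static const char *const envp_cron[] = { "HOME=/root", "PATH=/usr/bin:/bin", NULL };
static const char *const argv_shellcode[] = { "/bin/sh", NULL };
static const char *const envp_shellcode[] = { NULL };
const struct exec_request example_sh_from_cron = { argv_cron, envp_cron, { 0, 0, 0 } };
const struct exec_request example_sh_from_shellcode = { argv_shellcode, envp_shellcode, { 0, 0, 0 } };
const char *example_exec_cond = "if exec.argv[1]=\"-c\" exec.envp[\"HOME\"]!=NULL";

int main(void)
{
    struct exec_request r = example_sh_from_cron;
    printf("cron-style /bin/sh -c : %d\n", condition_holds(example_exec_cond, &example_sh_from_cron));
    printf("shellcode /bin/sh     : %d\n", condition_holds(example_exec_cond, &example_sh_from_shellcode));
    printf("read before trusted accept: %d\n", condition_holds("if task.state[0]=1", &r));
    apply_set("; set task.state[0]=1", &r);   /* the accept from @TRUSTED_HOSTS was granted */
    printf("read after trusted accept : %d\n", condition_holds("if task.state[0]=1", &r));
    return 0;
}
```

Note that apply_set is only called after the request it is attached to was granted, which is the ordering the entry warns about: the model updates the state before the caller finds out whether the operation itself succeeded, exactly as the kernel does.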

Fix 2008/02/26

@ Support /proc/ccs/ access by non-root user.

Until now, only the root user could access the /proc/ccs/ interface.
To permit /proc/ccs/ access by a non-root user, so that administering from a
remote host doesn't require an ssh login as root,
I made the "(current->uid == 0 && current->euid == 0)" requirement optional.
If this requirement is disabled, only the "conventional DAC permission
checks" and the "/proc/ccs/manager checks" are used.

Fix 2008/02/29

@ Add sleep_on_violation feature.

Some exploit code (e.g. trans2open for Samba) continues running
until it achieves its purpose (e.g. invoking /bin/sh).

If such code is injected via a buffer overflow but the kernel
rejects the request, it triggers an infinite "Permission denied" loop.
As a result, CPU usage reaches 100% and the rest of the processes
suffer.
This is a side effect of rejecting the request from the exploit code,
which wouldn't happen if the request from the exploit code were granted.

To avoid such CPU consumption, I added a penalty that forcibly
sleeps for a specified period when a request is rejected.

This penalty doesn't work if the exploit code does nothing but
continue running, but I think most exploit code's purpose is
to start some program rather than to slow down the target system.

@ Add alt_exec feature.

Since TOMOYO Linux's approach is "know all essential requests in advance
and create a policy that permits only them", you can regard anomalous
requests as attacks (if you want to do so).

Common MAC implementations merely reject requests that violate the policy.
But I added a special handler for execve() to TOMOYO Linux.

This handler is triggered when a process requests to execute a program
but the request is rejected by the policy.
This handler executes a program specified by the administrator
instead of the program requested by the process.

Most attackers attempt to execute /bin/sh to start something malicious.
Attackers run exploit code via a buffer overflow vulnerability
to steal control of a process. But this handler can get control back
if the exploit code requests an execve() that is not permitted by the policy.

By default, this handler does nothing (i.e. it merely rejects the execve()
request). You can specify any program to start whatever you want to do.

You can redirect attackers somewhere else (e.g. a honey pot).
This makes it possible for your Linux box to act as an on-demand honey pot
while keeping regular services available for your own use.

You can collect information about the attacker (e.g. IP address) and
update the firewall configuration.

You can silently terminate a process that requested an execve()
that is not permitted by the policy.

Fix 2008/03/03

@ Add "force_alt_exec" directive.

To be able to fully utilize the "alt_exec" feature,
I added the "force_alt_exec" directive so that
all execute requests are replaced by an execute request for the program
specified by the alt_exec feature.

If this directive is specified for a domain, the domain no longer
executes any programs regardless of the file access control mode
(i.e. the domain won't execute even if MAC_FOR_FILE=0 ).
Instead, the domain executes the program specified by the alt_exec feature,
and the program specified by the alt_exec feature validates the execute
request and executes it if it is appropriate to execute.

If you can tolerate that there is no chance to return an error code
to the caller to tell it that the execute request was rejected,
this is a more flexible approach than in-kernel execve() parameter
checking, because argv[] and envp[] checking can be done easily in userspace.

Fix 2008/03/04

@ Use string for access control mode.

An integer expression for the access control mode sometimes confuses
administrators because the profile number is also an integer expression.
To avoid confusion between the profile number and the access control mode,
I introduced a string expression for the access control mode.

Modes which take an integer between 0 and 3:

0 -> disabled
1 -> learning
2 -> permissive
3 -> enforcing

Modes which take 0 or 1:

0 -> disabled
1 -> enabled

Fix 2008/03/10

@ Rename "force_alt_exec" directive to "execute_handler".

To be able to use different programs for validating execve() parameters,
I moved the place where the program's pathname is specified from the profile
to the domain policy.

The "execute_handler" directive takes one pathname, which is
invoked whenever an execve() request is issued. Thus, any "allow_execute"
directives in a domain with "execute_handler" are ignored.
This directive is designed for validating expected/desirable execve()
requests in userspace, although there is no way to tell the caller
that the execve() request was rejected.

@ Rename "alt_exec" directive to "denied_execute_handler".

The "denied_execute_handler" directive takes one pathname, which is
invoked only when an execve() request was rejected. In other words,
this program is invoked only when all of the following conditions are met.

(1) None of the "allow_execute" directives in the domain matched.
(2) The execve() request was rejected in enforcing mode.
(3) The "execute_handler" directive is not used by the domain.

This directive is designed for handling unexpected/undesirable execve()
requests, to redirect the process issuing such requests somewhere else.

Fix 2008/03/18

@ Fix wrong/redundant locks in pre-vfs functions.

lock_kernel()/unlock_kernel() in pre_vfs_rename() were redundant for
2.6 kernels.

The locking order in pre_vfs_link() and pre_vfs_unlink() for 2.4 kernels
after 2.4.33 was different from that before 2.4.32 .

Fix 2008/03/28

@ Disable execute handler loop.

To be able to use "execute_handler" in a "keep_domain" domain,
the "execute_handler" and "denied_execute_handler" directives are ignored
if the current process is executing a program specified by an
"execute_handler" or "denied_execute_handler" directive.

This exception is needed to avoid an infinite execute handler loop.
If a domain has both "keep_domain" and "execute_handler",
any execute request by that domain is handled by the execute handler,
and the execute handler attempts to process the original execute request.
But the original execute request would be handled by the same execute handler
unless the execute handler itself is exempt from "execute_handler".

@ Update coding style.

I rewrote the code to pass scripts/checkpatch.pl as much as possible.
Function names were changed to use only lowercase letters.

Version 1.6.0 2008/04/01 Feature enhancement release.

Fix 2008/04/14

@ Fix "Compilation failures" and "Initialization ordering bugs"
with kernels before 2.4.30/2.6.11 .

2.6 kernels before 2.6.9 didn't have include/linux/hardirq.h ,
resulting in a compilation error at #include <linux/hardirq.h> .
I added an #elif condition.

CentOS 4.6's 2.6.9 kernel calls do_execve() before the initialization of
ccs_alloc(), resulting in a NULL pointer dereference.
I changed __initcall to core_initcall.

CentOS 4.6's 2.6.9 kernel backported kzalloc() from 2.6.14 ,
resulting in a compilation error at kzalloc().
I modified the prototype of kzalloc().

Fix 2008/04/20

@ Fix "Compilation failures" with kernels before 2.4.30/2.6.11 .

Turbolinux 10 Server's 2.6.8 kernel backported kzalloc() as an inline
function, resulting in a compilation error at kzalloc().
I converted kzalloc() from an inline function into a macro.

Fix 2008/04/21

@ Add workaround for gcc 3.2.2's inline bug.

RedHat Linux 9's gcc 3.2.2 generated bad code,
if ((var_of_u8 & 0x000000BF) & 0x80000000) { }
where the expected code is
if ((var_of_u8 & 0xBF) & 0x80) { }
when inlining ccs_acl_type2() into print_entry(),
resulting in a runtime BUG().
I added the expected code explicitly as a workaround.

Fix 2008/05/06

@ Add memory quota.

1.5.x returned -ENOMEM when FindNextDomain() failed to create a new
domain, but I forgot to return -ENOMEM when the renamed find_next_domain()
failed to create a new domain.

A domain is automatically created by find_next_domain() only if
the domain for the requested program doesn't exist.
This behavior is for the administrator's convenience.
The administrator needn't know beforehand how many domains are needed for
running all the programs in the system when developing the policy.
But the administrator does not want the kernel to reject execution of the
requested program when developing the policy.

So I think it is better to grant execution of programs even if
find_next_domain() failed to create a new domain than to reject execution.
Thus, I decided not to return -ENOMEM when find_next_domain() failed to
create a new domain. This exception breaks the domain transition rules,
so I print a "transition_failed" warning in /proc/ccs/domain_policy
when this exception has happened.

Also, to prevent the system from being halted by unexpectedly allocating
all kernel memory for the policy, I added a memory quota.
This quota is configurable via /proc/ccs/meminfo like

echo Shared: 1048576 > /proc/ccs/meminfo
echo Private: 1048576 > /proc/ccs/meminfo

Version 1.6.1 2008/05/10 Bug fix release.

Fix 2008/06/04

@ Check open mode of /proc/ccs/ interface.

It turned out that I can avoid allocating memory for reading if
FMODE_READ is not set, and memory for writing if FMODE_WRITE is not set.

@ Wait for completion of /sbin/ccs-init .

Since the 2.4 kernel's call_usermodehelper() can't wait for termination of
the executed program, I was using the close() request on
/proc/ccs/meminfo to indicate that loading the policy had finished.
But since /proc/ccs/meminfo could be accessed for setting the memory quota
by /etc/ccs/ccs-post-init , I stopped using the close() request.
The policy loader no longer needs to access /proc/ccs/meminfo to notify
the kernel that loading the policy has finished.

Fix 2008/06/05

@ Fix realpath for pipes and sockets.

Kernel 2.6.22 and later use a different method for calculating d_path().
Since fs/realpath.c didn't notice the change, the realpath of pipes
1455 |
|
|
appeared as "pipe:" rather than "pipe:[\$]" when they are opened via |
1456 |
|
|
/proc/PID/fd/ directory. |
1457 |
kumaneko |
1260 |
|
1458 |
|
|
@ Add process's information into /proc/ccs/query . |
1459 |
|
|
|
1460 |
|
|
While /proc/ccs/grant_log and /proc/ccs/reject_log contain process's |
1461 |
|
|
information, /proc/ccs/query doesn't contain it. |
1462 |
|
|
To be able to utilize ccs-queryd and ccs-notifyd more, I added it into |
1463 |
|
|
/proc/ccs/query . |
1464 |
kumaneko |
1278 |
|
1465 |
|
|
Fix 2008/06/10 |
1466 |
|
|
|
1467 |
|
|
@ Allow using patterns for globally readable files. |
1468 |
|
|
|
1469 |
|
|
To allow users specify locale specific files to globally readable files, |
1470 |
|
|
I relaxed checking in update_globally_readable_entry(). |
1471 |
kumaneko |
1279 |
|
1472 |
kumaneko |
1283 |
Fix 2008/06/11 |
1473 |
|
|
|
1474 |
|
|
@ Remove ALLOW_ENFORCE_GRACE parameter. |
1475 |
|
|
|
1476 |
|
|
Since unexpected requests caused by doing software updates can happen |
1477 |
kumaneko |
1286 |
in all profiles, users likely have to write ALLOW_ENFORCE_GRACE=enabled |
1478 |
|
|
to all profiles. And it makes meaningless to allow users to selectively |
1479 |
|
|
enable specific profile's ALLOW_ENFORCE_GRACE parameter. |
1480 |
|
|
So, I removed ALLOW_ENFORCE_GRACE parameter. |
1481 |
kumaneko |
1283 |
Now, the system behaves as if ALLOW_ENFORCE_GRACE=enabled is specified. |
1482 |
|
|
The behavior of "delayed enforcing" mode is defined in the following |
1483 |
|
|
order. |
1484 |
|
|
|
1485 |
|
|
(1) The requests are rejected immediately if nobody is opening |
1486 |
|
|
/proc/ccs/query interface. |
1487 |
|
|
(2) The requests will be rejected in 10 seconds if somebody other than |
1488 |
|
|
ccs-queryd (such as less(1)) is opening /proc/ccs/query interface, |
1489 |
|
|
for such process doesn't write dummy decisions. |
1490 |
kumaneko |
1286 |
|
1491 |
kumaneko |
1319 |
Fix 2008/06/22 |
1492 |
|
|
|
1493 |
|
|
@ Pass escaped pathname to audit_execute_handler_log(). |
1494 |
|
|
|
1495 |
|
|
I was passing unescaped pathname to audit_execute_handler_log() |
1496 |
|
|
which causes /proc/ccs/grant_log contain whitespace characters |
1497 |
|
|
if execute handler's pathname contains whitespace characters. |
1498 |
|
|
|
1499 |
kumaneko |
1333 |
Fix 2008/06/25 |
1500 |
|
|
|
1501 |
|
|
@ Return 0 when ccs_may_umount() succeeds. |
1502 |
|
|
|
1503 |
|
|
I forgot to clear error value in ccs_may_umount() when the requested |
1504 |
kumaneko |
1903 |
directory didn't match "deny_unmount" directive. As a result, any umount() |
1505 |
kumaneko |
1333 |
request with RESTRICT_UNMOUNT=enforcing returned -EPERM error. |
1506 |
|
|
|
1507 |
kumaneko |
1330 |
Version 1.6.2 2008/06/25 Usability enhancement release. |
1508 |
kumaneko |
1366 |
|
1509 |
|
|
Fix 2008/07/01 |
1510 |
|
|
|
1511 |
|
|
@ Fix "Compilation failure" with 2.4.20 kernel. |
1512 |
|
|
|
1513 |
|
|
RedHat Linux 9's 2.4.20 kernel backported O(1) scheduler patch, |
1514 |
|
|
resulting compilation error at ccs_load_policy(). |
1515 |
|
|
I added defined(TASK_DEAD) check. |
1516 |
kumaneko |
1377 |
|
1517 |
|
|
Fix 2008/07/08 |
1518 |
|
|
|
1519 |
|
|
@ Don't check permissions if vfsmount is NULL. |
1520 |
|
|
|
1521 |
|
|
Some filesystems (e.g. unionfs) pass NULL vfsmount. |
1522 |
|
|
I changed fs/tomoyo_file.c not to try to calculate pathnames |
1523 |
|
|
if vfsmount is NULL. |
1524 |
kumaneko |
1379 |
|
1525 |
kumaneko |
1384 |
Version 1.6.3 2008/07/15 Bug fix release. |
1526 |
kumaneko |
1471 |
|
1527 |
|
|
Fix 2008/08/21 |
1528 |
|
|
|
1529 |
|
|
@ Add workaround for gcc 4.3's bug. |
1530 |
|
|
|
1531 |
|
|
In some environments, fs/tomoyo_network.c could not be compiled |
1532 |
|
|
because of gcc 4.3's bug. |
1533 |
|
|
I modified save_ipv6_address() to use "integer literal" value |
1534 |
|
|
instead for "static const u8" variable. |
1535 |
|
|
|
1536 |
|
|
@ Change prototypes of some functions. |
1537 |
|
|
|
1538 |
|
|
To support 2.6.27 kernels, I replaced "struct nameidata" with |
1539 |
|
|
"struct path" for some functions. |
1540 |
|
|
|
1541 |
|
|
@ Detect distributor specific patches automatically. |
1542 |
|
|
|
1543 |
|
|
Since kernels with AppArmor patch applied is increasing, |
1544 |
|
|
I introduced a mechanism which determines whether specific patches |
1545 |
|
|
are applied or not, based on "#define" directives in the patches. |
1546 |
kumaneko |
1498 |
|
1547 |
|
|
Fix 2008/08/29 |
1548 |
|
|
|
1549 |
|
|
@ Remove "-ccs" suffix from Makefile's EXTRAVERSION. |
1550 |
|
|
|
1551 |
|
|
To reduce conflicts on Makefile's EXTRAVERSION, |
1552 |
|
|
I removed "-ccs" suffix from ccs-patch-2.\*.diff . |
1553 |
|
|
Those who build kernels without using specs/build-\*.sh , |
1554 |
|
|
please edit EXTRAVERSION tag manually so that original kernels |
1555 |
|
|
will not be overwritten by TOMOYO Linux kernels. |
1556 |
|
|
|
1557 |
kumaneko |
1505 |
Version 1.6.4 2008/09/03 Minor update release. |
1558 |
kumaneko |
1561 |
|
1559 |
|
|
Fix 2008/09/09 |
1560 |
|
|
|
1561 |
|
|
@ Add "try again" response to "delayed enforcing" mode. |
1562 |
|
|
|
1563 |
|
|
To be able to handle pathname changes caused by software updates, |
1564 |
|
|
"delayed enforcing" mode was introduced. It allows administrator to |
1565 |
|
|
grant access requests which are about to be rejected by the kernel. |
1566 |
|
|
|
1567 |
|
|
To be able to handle pathname changes caused by software updates better, |
1568 |
|
|
I introduced "try again" response. As "delayed enforcing" mode sleeps |
1569 |
|
|
a process which violated policy, administrator can update policy while |
1570 |
|
|
the process is sleeping. This "try again" response allows administrator |
1571 |
|
|
to restart policy checks from the beginning after updating policy. |
1572 |
kumaneko |
1578 |
|
1573 |
|
|
Fix 2008/09/11 |
1574 |
|
|
|
1575 |
|
|
@ Remember whether the process is allowed to write to /proc/ccs/ interface. |
1576 |
|
|
|
1577 |
|
|
Since programs for manipulating policy (e.g. ccs-queryd ) are installed |
1578 |
|
|
in the form of RPM/DEB packages, these programs lose the original |
1579 |
|
|
pathnames when they are updated by the package manager. The package |
1580 |
|
|
manager renames these programs before deleting these programs so that |
1581 |
|
|
the package manager can rollback the operation. |
1582 |
|
|
This causes a problem when the programs are listed into /proc/ccs/manager |
1583 |
|
|
using pathnames, as the programs will no longer be allowed to write to |
1584 |
|
|
/proc/ccs/ interface while the process of old version of the program is |
1585 |
|
|
alive. |
1586 |
|
|
|
1587 |
|
|
To solve this problem, I modified to remember the fact that the process |
1588 |
|
|
is once allowed to write to /proc/ccs/ interface until the process |
1589 |
|
|
attempts to execute a different program. |
1590 |
|
|
This change makes it impossible to revoke permission to write to |
1591 |
|
|
/proc/ccs/ interface without killing the process, but it will be better |
1592 |
|
|
than nonfunctioning ccs-queryd program. |
1593 |
kumaneko |
1606 |
|
1594 |
|
|
Fix 2008/09/19 |
1595 |
|
|
|
1596 |
|
|
@ Allow selecting a domain by PID. |
1597 |
|
|
|
1598 |
|
|
Sometimes we want to know what ACLs are given to specific PID, but |
1599 |
|
|
finding a domainname for that PID from /proc/ccs/.process_status and |
1600 |
|
|
reading ACLs from /proc/ccs/domain_policy by the domainname is very slow. |
1601 |
|
|
Thus, I modified /proc/ccs/domain_policy to allow selecting a domain by |
1602 |
|
|
PID. For example, to read domain ACL of current process from bash, |
1603 |
|
|
run as follows. |
1604 |
|
|
|
1605 |
|
|
# exec 100<>/proc/ccs/domain_policy |
1606 |
kumaneko |
1609 |
# echo select pid=$$ >&100 |
1607 |
kumaneko |
1606 |
# while read -u 100; do echo $REPLY; done |
1608 |
|
|
|
1609 |
|
|
If a domain is once selected by PID, reading /proc/ccs/domain_policy will |
1610 |
|
|
print only that domain if that PID exists or print nothing otherwise. |
1611 |
|
|
|
1612 |
|
|
@ Disallow concurrent /proc/ccs/ access using the same file descriptor. |
1613 |
|
|
|
1614 |
|
|
Until now, one process can read() from /proc/ccs/ while other process |
1615 |
|
|
that shares the file descriptor can write() to /proc/ccs/ . |
1616 |
|
|
But to implement "Allow selecting a domain by PID" feature, I disabled |
1617 |
|
|
concurrent read()/write() because the feature need to modify read buffer |
1618 |
|
|
while writing. |
1619 |
kumaneko |
1644 |
|
1620 |
|
|
Fix 2008/10/01 |
1621 |
|
|
|
1622 |
|
|
@ Add retry counter into /proc/ccs/query . |
1623 |
|
|
|
1624 |
|
|
To be able to handle some of queries from /proc/ccs/query without user's |
1625 |
|
|
interaction, I added retry counter for avoiding infinite loop caused by |
1626 |
|
|
"try again" response. |
1627 |
kumaneko |
1657 |
|
1628 |
|
|
Fix 2008/10/07 |
1629 |
|
|
|
1630 |
|
|
@ Don't transit to new domain until do_execve() succeeds. |
1631 |
|
|
|
1632 |
|
|
Until now, a process's domain was updated to new domain which the process |
1633 |
kumaneko |
1903 |
will belong to before do_execve() succeeds so that the kernel can do |
1634 |
kumaneko |
1657 |
permission checks for interpreters and environment variables based on |
1635 |
|
|
new domain. But this caused a subtle problem when other process sends |
1636 |
|
|
signals to the process, for the process returns to old domain if |
1637 |
|
|
do_execve() failed. |
1638 |
|
|
|
1639 |
|
|
So, I modified to pass new domain to functions so that I can avoid |
1640 |
|
|
modifying a process's domain before do_execve() succeeds. |
1641 |
|
|
|
1642 |
|
|
@ Use old task state for audit logs. |
1643 |
|
|
|
1644 |
|
|
Until now, audit logs were generated using the task state after |
1645 |
|
|
processing "; set task.state" part. But to generate accurate logs, |
1646 |
|
|
I modified to save the task state before processing "; set task.state" |
1647 |
|
|
part and use the saved state for audit logs. |
1648 |
|
|
|
1649 |
|
|
@ Use a structure for passing parameters. |
1650 |
|
|
|
1651 |
|
|
As the number of parameters is increasing, I modified to use a structure |
1652 |
|
|
for passing parameters. |
1653 |
|
|
|
1654 |
kumaneko |
1695 |
Fix 2008/10/11 |
1655 |
|
|
|
1656 |
|
|
@ Remove domain_acl_lock mutex. |
1657 |
|
|
|
1658 |
|
|
I noticed that I don't need to keep all functions that modify an ACL of |
1659 |
|
|
a domain mutually exclusive. Since each functions handles different type |
1660 |
|
|
of ACL, locking is needed only when they append an ACL to a domain. |
1661 |
|
|
So, I modified to use local locks. |
1662 |
kumaneko |
1703 |
|
1663 |
|
|
Fix 2008/10/14 |
1664 |
|
|
|
1665 |
|
|
@ Fix ccs_check_condition() bug. |
1666 |
|
|
|
1667 |
|
|
Due to a bug in ccs_check_condition(), it was impossible to use |
1668 |
|
|
task.state[0] task.state[1] task.state[2] inside condition part |
1669 |
|
|
if the ACL does not treat a pathname. For example, an ACL like |
1670 |
|
|
|
1671 |
|
|
allow_network TCP connect @HTTP_SERVERS 80 if task.state[0]=100 |
1672 |
|
|
|
1673 |
|
|
didn't work. |
1674 |
kumaneko |
1705 |
|
1675 |
|
|
Fix 2008/10/15 |
1676 |
|
|
|
1677 |
|
|
@ Show process information in /proc/ccs/.process_status . |
1678 |
|
|
|
1679 |
|
|
To be able to determine a process's type, I added a command "info PID" |
1680 |
|
|
which returns process information of the specified PID in |
1681 |
|
|
"PID manager=\* execute_handler=\* state[0]=\$ state[1]=\$ state[2]=\$" |
1682 |
|
|
format. |
1683 |
kumaneko |
1712 |
|
1684 |
|
|
Fix 2008/10/20 |
1685 |
|
|
|
1686 |
|
|
@ Use rcu_dereference() when walking the list. |
1687 |
|
|
|
1688 |
|
|
I was using "dependency ordering" for appending an element to a list |
1689 |
|
|
without asking the reader to take a lock. But "dependency ordering" |
1690 |
|
|
is not respected by DEC Alpha or by some aggressive value-speculation |
1691 |
|
|
compiler optimizations. |
1692 |
|
|
|
1693 |
|
|
On such environment, use of "dependency ordering" can lead to system |
1694 |
|
|
crash because the reader might read uninitialized value of newly |
1695 |
|
|
appended element. |
1696 |
|
|
|
1697 |
|
|
To prevent the reader from reading uninitialized value of newly appended |
1698 |
|
|
element, I inserted rcu_dereference() when walking the list. |
1699 |
kumaneko |
1778 |
|
1700 |
|
|
Fix 2008/11/04 |
1701 |
|
|
|
1702 |
|
|
@ Use sys_getpid() instead for current->pid. |
1703 |
|
|
|
1704 |
|
|
Kernel 2.6.24 introduced PID namespace. |
1705 |
|
|
|
1706 |
|
|
To compare PID given from userland, I can't use current->pid. |
1707 |
|
|
So, I modified to use sys_getpid() instead for current->pid. |
1708 |
|
|
|
1709 |
|
|
I modified to use task_tgid_nr_ns() for 2.6.25 and later instead for |
1710 |
|
|
current->tgid when checking /proc/self/ in get_absolute_path(). |
1711 |
kumaneko |
1785 |
|
1712 |
kumaneko |
1794 |
Fix 2008/11/07 |
1713 |
|
|
|
1714 |
|
|
@ Fix is_alphabet_char(). |
1715 |
|
|
|
1716 |
|
|
is_alphabet_char() should match 'A' - 'Z' and 'a' - 'z', |
1717 |
|
|
but was matching from 'A' - 'F' and 'a' - 'f'. |
1718 |
|
|
|
1719 |
kumaneko |
1798 |
@ Add /proc/ccs/.execute_handler . |
1720 |
|
|
|
1721 |
|
|
Process information became visible to userspace by |
1722 |
|
|
"Show process information in /proc/ccs/.process_status" feature. |
1723 |
kumaneko |
1903 |
However, programs specified by execute_handler directive may run as |
1724 |
kumaneko |
1798 |
non root user, making it impossible to see process information. |
1725 |
|
|
|
1726 |
|
|
So, I added a new interface that allows execute handler processes |
1727 |
|
|
to see process information. The content of /proc/ccs/.execute_handler is |
1728 |
|
|
identical to /proc/ccs/.process_status . |
1729 |
|
|
|
1730 |
kumaneko |
1817 |
Version 1.6.5 2008/11/11 Third anniversary release. |
1731 |
kumaneko |
1903 |
|
1732 |
|
|
Fix 2008/12/01 |
1733 |
|
|
|
1734 |
|
|
@ Introduce "task.type=execute_handler" condition. |
1735 |
|
|
|
1736 |
|
|
The execute_handler directive is very very powerful. You can use this |
1737 |
|
|
directive to do anything you want to do (e.g. logging and validating and |
1738 |
|
|
modifying command line parameters and environment variables, opening and |
1739 |
|
|
closing and redirecting files, creating pipes to implement antivirus and |
1740 |
|
|
spam filtering, deploying a DMZ between the ssh daemon and the login |
1741 |
|
|
shells). |
1742 |
|
|
|
1743 |
|
|
To be able to use this directive in a domain with keep_domain directive |
1744 |
|
|
while limiting access to resources needed for such purposes to only |
1745 |
|
|
programs invoked as an execute handler process, I added a new condition. |
1746 |
|
|
|
1747 |
|
|
In learning mode, "if task.type=execute_handler" condition part will be |
1748 |
|
|
automatically added for requests issued by an execute_handler process. |
1749 |
|
|
|
1750 |
|
|
@ Introduce file's type and permissions as conditions. |
1751 |
|
|
|
1752 |
|
|
To be able to limit file types a process can access, I added |
1753 |
|
|
new conditions for checking file's type and permissions. |
1754 |
|
|
For example, |
1755 |
|
|
|
1756 |
kumaneko |
2178 |
allow_read /etc/fstab if path1.type=file path1.perm=0644 |
1757 |
kumaneko |
1903 |
|
1758 |
|
|
will allow opening /etc/fstab for reading only if /etc/fstab is a regular |
1759 |
|
|
file and it's permission is 0644, and |
1760 |
|
|
|
1761 |
kumaneko |
1992 |
allow_write /dev/null if path1.type=char path1.dev_major=1 path1.dev_minor=3 |
1762 |
kumaneko |
1903 |
|
1763 |
|
|
will allow opening /dev/null for writing only if /dev/null is a character |
1764 |
|
|
device file with major=1 and minor=3 attributes. |
1765 |
|
|
|
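
The two rules above can be checked outside the kernel with stat(2). The following is an added example, not code from TOMOYO Linux: it evaluates the path1.type, path1.perm, path1.dev_major and path1.dev_minor conditions against a file, and the temporary file path and helper names are its own assumptions.

```c
#define _DEFAULT_SOURCE
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <unistd.h>

/* Constructed example, not TOMOYO's own code: a user-space evaluator for the
 * path1.type / path1.perm / path1.dev_major / path1.dev_minor conditions shown
 * above, using stat(2) where the kernel would look at the inode. Only the two
 * type keywords on the page ("file" and "char") are recognised. */

static bool key_is(const char *token, size_t klen, const char *key)
{
    return klen == strlen(key) && strncmp(token, key, klen) == 0;
}

/* Evaluate one "key=value" token against st. Unknown keys or type names,
 * malformed numbers and dev_* checks on non-device inodes all fail closed. */
static bool eval_token(const char *token, const struct stat *st)
{
    const char *eq = strchr(token, '=');
    if (eq == NULL)
        return false;
    size_t klen = (size_t)(eq - token);
    const char *val = eq + 1;
    if (key_is(token, klen, "path1.type")) {
        if (strcmp(val, "file") == 0)
            return S_ISREG(st->st_mode);
        if (strcmp(val, "char") == 0)
            return S_ISCHR(st->st_mode);
        return false;
    }
    char *end;
    unsigned long n = strtoul(val, &end, 0);     /* "0644" parses as octal */
    if (*val == '\0' || *end != '\0')
        return false;
    if (key_is(token, klen, "path1.perm"))
        return (st->st_mode & 07777) == n;
    bool is_dev = S_ISCHR(st->st_mode) || S_ISBLK(st->st_mode);
    if (key_is(token, klen, "path1.dev_major"))
        return is_dev && major(st->st_rdev) == n;
    if (key_is(token, klen, "path1.dev_minor"))
        return is_dev && minor(st->st_rdev) == n;
    return false;
}

/* True only if every space-separated token of cond holds for path. */
bool path_matches(const char *path, const char *cond)
{
    struct stat st;
    char buf[256];
    if (stat(path, &st) != 0 || strlen(cond) >= sizeof buf)
        return false;
    strcpy(buf, cond);
    bool ok = true;
    for (char *tok = strtok(buf, " "); tok != NULL; tok = strtok(NULL, " "))
        ok = ok && eval_token(tok, &st);
    return ok;
}

/* Constructed check: a temporary regular file with mode 0644 stands in for
 * /etc/fstab. Returns 1 when the page's condition matches it and variants
 * with another mode or type do not, 0 otherwise, -1 on setup error. */
int demo_fstab_condition(void)
{
    char tmpl[] = "/tmp/ccs-cond-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    int ok = fchmod(fd, 0644) == 0
          && path_matches(tmpl, "path1.type=file path1.perm=0644")
          && !path_matches(tmpl, "path1.type=file path1.perm=0600")
          && !path_matches(tmpl, "path1.type=char path1.perm=0644");
    close(fd);
    unlink(tmpl);
    return ok;
}
```

On a Linux host, path_matches("/dev/null", "path1.type=char path1.dev_major=1 path1.dev_minor=3") reproduces the second rule's condition.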

@ Add memory quota for temporary memory used for auditing.

Although there are MAX_GRANT_LOG and MAX_REJECT_LOG parameters
which limit the number of entries for audit logs so that we can avoid
memory consumption by audit logs, it would be more convenient if we could
also limit the size in bytes.
Thus, I added a new quota line.

echo Dynamic: 1048576 > /proc/ccs/meminfo

This quota is not applied to temporary memory used for permission checks.

Fix 2008/12/09

@ Fix ccs_can_save_audit_log() checks.

Due to the incorrect statement "if (ccs_can_save_audit_log() < 0)"
while ccs_can_save_audit_log() is boolean, MAX_GRANT_LOG and
MAX_REJECT_LOG were not working.

This bug will trigger the OOM killer if /usr/sbin/ccs-auditd is not working.
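
Why the mistaken comparison disables the quota, as an added example that is not TOMOYO's code: the queue counter, the MAX_GRANT_LOG value and the function names below are a constructed model of the behaviour described above.

```c
#include <stddef.h>

/* Constructed example, not TOMOYO's own code: a minimal model of the audit
 * log queue bounded by a MAX_GRANT_LOG style entry quota, showing why the
 * statement "if (ccs_can_save_audit_log() < 0)" never drops an entry. */

#define MAX_GRANT_LOG 8           /* quota value chosen for the example */

static size_t grant_log_count;    /* entries queued, not yet read by ccs-auditd */

/* Boolean-valued predicate, as the ChangeLog describes
 * ccs_can_save_audit_log(): returns 1 if another entry fits under the
 * quota, 0 otherwise, never a negative errno value. */
static int can_save_audit_log(void)
{
    return grant_log_count < MAX_GRANT_LOG;
}

/* Buggy pattern: a 0/1 result is never negative, so the test is dead code
 * and the entry is queued unconditionally. With nobody draining the queue
 * the count grows without bound, which is the OOM condition described above. */
int save_audit_log_buggy(void)
{
    if (can_save_audit_log() < 0)
        return -1;                /* unreachable */
    grant_log_count++;
    return 0;
}

/* Fixed pattern: test the boolean itself and drop the entry at the quota. */
int save_audit_log_fixed(void)
{
    if (!can_save_audit_log())
        return -1;
    grant_log_count++;
    return 0;
}

/* Simulate a run where ccs-auditd never reads the log: queue n entries
 * with the given variant and return how many were accepted. */
size_t fill_log(int (*save)(void), size_t n)
{
    size_t accepted = 0;
    grant_log_count = 0;
    for (size_t i = 0; i < n; i++)
        if (save() == 0)
            accepted++;
    return accepted;
}
```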

Fix 2008/12/24

@ Add "ccs_" prefix.

To be able to tell whether a symbol is TOMOYO Linux related or not,
I added the "ccs_" prefix as much as possible.

@ Fix ccs_check_flags() error message.

I meant to print the SYAORAN-ERROR: message when error == -EPERM,
but I was printing it when error == 0 since 1.6.0 .

Fix 2009/01/05

@ Use kmap_atomic()/kunmap_atomic() for reading "struct linux_binprm".

As remove_arg_zero() uses kmap_atomic(KM_USER0), I modified it to use
kmap_atomic(KM_USER0) rather than kmap().

@ Relocate definitions and functions.

To reduce exposed symbols, I relocated some definitions and functions.

Fix 2009/01/28

@ Fix "allow_read" + "allow_write" != "allow_read/write" problem.

Since 1.6.0 , due to a bug in ccs_update_single_path_acl(),
appending an "allow_read/write" entry didn't update the internal "allow_read"
and "allow_write" entries. As a result, an attempt to open(O_RDWR) succeeds
but open(O_RDONLY) and open(O_WRONLY) fail.

The workaround is to write an entry twice when newly appending that entry.
If written twice, the internal "allow_read" and "allow_write" entries
are updated.
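
An added example, not TOMOYO's code, modelling the bug and the workaround: the bit layout, the split between a newly appended entry and an existing one, and the open() mode mapping are assumptions chosen to reproduce the symptom described above, not the real ccs_update_single_path_acl() logic.

```c
#include <fcntl.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed example, not TOMOYO's own code: a simplified single-path ACL
 * keyed by pathname with one bit per directive. Bit names, the new-entry
 * versus existing-entry split and the open() mapping are assumptions. */
enum {
    ACL_READ       = 1u << 0,     /* allow_read */
    ACL_WRITE      = 1u << 1,     /* allow_write */
    ACL_READ_WRITE = 1u << 2,     /* allow_read/write */
};

struct path_acl {
    const char *path;
    uint32_t perm;
};

/* Keep the three bits consistent: read/write implies read and write,
 * and read plus write together imply read/write. */
static void propagate(struct path_acl *acl)
{
    if (acl->perm & ACL_READ_WRITE)
        acl->perm |= ACL_READ | ACL_WRITE;
    if ((acl->perm & (ACL_READ | ACL_WRITE)) == (ACL_READ | ACL_WRITE))
        acl->perm |= ACL_READ_WRITE;
}

/* Buggy update: a newly appended entry stores the directive as written and
 * skips propagation; only the "entry already exists" path propagates, which
 * is why writing the entry twice works around the bug. */
void update_single_path_acl_buggy(struct path_acl *acl, uint32_t perm)
{
    if (acl->perm == 0) {
        acl->perm = perm;
        return;
    }
    acl->perm |= perm;
    propagate(acl);
}

/* Fixed update: propagate on both paths. */
void update_single_path_acl_fixed(struct path_acl *acl, uint32_t perm)
{
    acl->perm |= perm;
    propagate(acl);
}

/* open() check: O_RDONLY needs allow_read, O_WRONLY needs allow_write and
 * O_RDWR needs allow_read/write, the lookup the symptom above depends on. */
bool may_open(const struct path_acl *acl, const char *path, int flags)
{
    uint32_t need;
    if (strcmp(acl->path, path) != 0)
        return false;
    switch (flags & O_ACCMODE) {
    case O_RDONLY: need = ACL_READ; break;
    case O_WRONLY: need = ACL_WRITE; break;
    case O_RDWR:   need = ACL_READ_WRITE; break;
    default:       return false;
    }
    return (acl->perm & need) == need;
}

/* Append "allow_read/write /etc/fstab" the given number of times with the
 * chosen update routine and report which open modes then succeed as a
 * bitmask: 1 = O_RDONLY, 2 = O_WRONLY, 4 = O_RDWR. */
unsigned open_modes_after(void (*update)(struct path_acl *, uint32_t), int writes)
{
    struct path_acl acl = { "/etc/fstab", 0 };
    for (int i = 0; i < writes; i++)
        update(&acl, ACL_READ_WRITE);
    return (may_open(&acl, "/etc/fstab", O_RDONLY) ? 1u : 0u)
         | (may_open(&acl, "/etc/fstab", O_WRONLY) ? 2u : 0u)
         | (may_open(&acl, "/etc/fstab", O_RDWR)   ? 4u : 0u);
}
```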

Fix 2009/02/26

@ Fix profile read error.

Incorrect profiles were shown in /proc/ccs/profile
if either CONFIG_SAKURA or CONFIG_TOMOYO is disabled.

Fix 2009/03/02

@ Undelete CONFIG_TOMOYO_AUDIT option.

While HDD-less systems can use profiles with MAX_GRANT_LOG=0 and
MAX_REJECT_LOG=0 , I undeleted the CONFIG_TOMOYO_AUDIT option for saving
the memory used for the /proc/ccs/grant_log and /proc/ccs/reject_log
interfaces.

Fix 2009/03/13

@ Show only profile entry names ever specified.

Even if an administrator specifies only COMMENT= and MAC_FOR_FILE=
entries for /proc/ccs/profile , all available profile entries are shown.
This was designed to help administrators know what entries are
available, but sometimes makes administrators feel it is noisy because of
entries showing default values.

Thus, I modified it to show only profile entry names ever specified.

Fix 2009/03/18

@ Add MAC_FOR_IOCTL functionality.

To be able to restrict ioctl() requests, I added MAC_FOR_IOCTL
functionality.

This functionality requires modification of ccs-patch-*.diff .

@ Use better name for socket's pathname.

Until now, a socket's pathname was represented in "socket:[$]" format
where $ is the inode's number. But the inode's number is useless for name
based access control. Therefore, I modified it to represent a socket's
pathname in "socket:[family=$:type=$:protocol=$]" format.

This will help the administrator control ioctl() against sockets more
precisely.

@ Fix misplaced ccs_capable() call. (only 2.6.8-* and 2.6.9-*)

The location to insert ccs_capable(TOMOYO_SYS_IOCTL) in sys_ioctl() was
wrong since version 1.1 .

@ Insert ccs_check_ioctl_permission() call.

To enable the MAC_FOR_IOCTL functionality to work, I inserted a
ccs_check_ioctl_permission() call into ccs-patch-*.diff .

Fix 2009/03/23

@ Move sysctl()'s check from ccs-patch-*.diff to fs/tomoyo_file.c .

Since try_parse_table() in kernel/sysctl.c is almost identical between
all versions, I moved that function to fs/tomoyo_file.c .

@ Relocate definitions and functions.

To reduce exposed symbols, I relocated some definitions and functions.

Fix 2009/03/24

@ Add CONFIG_TOMOYO_BUILTIN_INITIALIZERS option.

Some systems don't have /sbin/modprobe and /sbin/hotplug .
Thus, I made these pathnames configurable.

Version 1.6.7 2009/04/01 Feature enhancement release.