ccs-tools/ccstools/README.ccs

About this package:

This package contains userland programs
for TOMOYO Linux version 1.7.0 .
This package is released under the GPLv2.

http://tomoyo.sourceforge.jp/

ChangeLog:

Version 1.0   2005/11/11   First release.

Version 1.0.1 2005/12/08   Minor update release.

  makesyaoranconf.exe:
    Use versionsort() for sorting entries.

  poled.exe:
    Support "search" command.

  poled_old.exe:
    Support "search" command.
    Fix "initializer" checking bug.

  syspol.exe:
    Support editing without resetting cursor position.

Version 1.0.2 2006/02/14   Procedure review.

  savepolicy:
    Support saving "system policy" and "exception policy"
    in addition to "domain policy".

  The following programs were added.

    editpolicy:
      "syspol.exe" "poled.exe" "poled_old.exe" were integrated
      and renamed to "editpolicy".
      This program can edit "system policy", "exception policy"
      and "domain policy".
      Command key assignments were changed.

    checkpolicy:
      A policy validator taken from "poled_old.exe".
      This program was designed for detecting and fixing errors
      in "domain policy".

    loadpolicy:
      A policy reloader.
      This program was designed for loading policy from the disk
      after clearing current policy in the kernel.

    sortpolicy:
      A "domain policy" sorter.
      This program was designed to compress access logs
      generated by "ccs-auditd".
      You can use normal "sort" command for sorting
      "system policy" and "exception policy".

    make_exception.sh:
      A script to create "exception policy".

  The following programs were renamed.

    "remount.exe" was renamed to "remount_rootfs".
    "makesyaoranconf.exe" was renamed to "makesyaoranconf".

  The following programs were removed.

    "poled.exe" "poled_old.exe" "syspol.exe"
    "obsolete_chksymlink" "obsolete_chroot_su"
    "obsolete_lsdir" "obsolete_makelink" "obsolete_movlog"
    "bindtest" "logtest"  "pathnametest" "rofstest"
    "linuxrc_old"

  The following programs for testing TOMOYO Linux's kernel were added.
  They are in the kernel_test directory.

    "sakura_bind_test" "sakura_capability_test"
    "sakura_filesystem_test" "sakura_trace_test"
    "tomoyo_capability_test" "tomoyo_file_test" "tomoyo_info_test"
    "tomoyo_name_test" "tomoyo_port_test" "tomoyo_signal_test"

Version 1.1   2006/04/01   Functionality enhancement release.

  loadpolicy:
    Delete domain for loadpolicy anyway.

  findtemp:
    Now supports for detecting all nonexistent pathnames.

  savepolicy:
    Run twice inside savepolicy itself to include necessary ACLs
    for savepolicy itself.

  The following program for testing TOMOYO Linux's kernel was added.

    "testall.sh"

Version 1.1.1 2006/05/15   Functionality enhancement release.

  The following programs were added.

    ld-watch:
      Monitors /etc/ld.so.cache and updates exception policy.
      This program is used only when updating packages.

    ccs-queryd:
      Monitors /proc/ccs/policy/query for policy violation and
      asks the administrator whether to grant or reject the request.
      This program is used while and after updating packages.

Version 1.1.2 2006/06/02   Functionality enhancement release.

  The following programs were redesigned.

    editpolicy:
      Simplified domain policy handling and removed "save" key.
      All modifications are taken effect immediately.

    loadpolicy:
      Simplified domain policy handling.

    sortpolicy:
      Simplified domain policy handling.

    savepolicy:
      Save all policies by default.

  The following program was removed.

    editpolicy_offline

Version 1.1.3 2006/07/13   Functionality enhancement release.

  The following bugs were fixed.

    editpolicy:
      The "Commands =" line was too wide to show within 80x25 screen.

    checkpolicy:
      Renamed domain for "initializer" was wrong.

Version 1.2   2006/09/03   Functionality enhancement release.

  findtemp:
    Now displays all nonexistent pathnames.

  editpolicy_offline:
    Redesigned to use the same operation manner.
    Saves changes automatically when exiting.

Version 1.3   2006/11/11   First anniversary release.

  The following program was redesigned.

    checkpolicy:
      A policy validator.
      Reads policy from stdin and prints syntax errors with line numbers.

  The following programs were added.

    setprofile:
      Assigns profiles to domains.

    pathmatch:
      Reads pathname patterns and expands them.

    domainmatch:
      fgrep for /proc/ccs/policy/domain_policy .

    ccstree:
      pstree with profile numbers and domain names.

    patternize:
      Reads domain policy and patternize pathnames.

    proxy:
      A tiny TCP port forwarder, binding to local port explicitly
      to allow servers filter based on client's port numbers.

    mailauth:
      An example program for CERBERUS.

    timeauth:
      An example program for CERBERUS, similar to honey.

  The following programs were removed.
  If you need them, please take from version 1.2 .
    "remount_rootfs" "linuxrc"
    "dumplink" "dumpsymlink" "makelink" "makesymlink"

  The following program for testing TOMOYO Linux's kernel was added.

    "tomoyo_rewrite_test"

Version 1.3.1 2006/12/08   Minor update release.

  The following bug was fixed.

    editpolicy:
      PageUp/PageDown keys and screen drawings were not working well
      on some environments due to forcefully setting "TERM=linux".

  The following program for testing TOMOYO Linux's kernel was updated.

    "newns"

Version 1.3.2 2007/02/14   Usability enhancement release.

  Many tools were merged into single source code.
  Policy editor was redesigned.

Version 1.4   2007/04/01   x86_64 support release.

  The following bug was fixed.

    editpolicy:
      Domain flags was wrong if "keep_domain <kernel>" is given.

Version 1.4.1 2007/06/05   Minor update release.

  Single source code was divided into many source code.

  The following bug was fixed.

    checkpolicy:
      "keep_domain" syntax was not checked correctly.

Version 1.4.2 2007/07/13   Bug fix release.

  .init:
      Prompt message has changed.

Version 1.5.0 2007/09/20   Usability enhancement release.

  The following bug was fixed.

    editpolicy:
      Memory for "path_group" was not freed correctly.

  The following program for testing TOMOYO Linux's kernel was updated.

    "tomoyo_network_test"

  The following features are added.

    editpolicy:
      Printing with colors is supported.
      Contributed by Yoshihiro Kusuno <yocto _at_ users.sourceforge.jp>.

    loadpolicy:
      Reading policy from stdin is supported.

  The /.init is renamed to /sbin/ccs-init .

Version 1.5.1 2007/10/19   Minor update release.

  The following programs were updated.

    ccs-init:
      Removed /bin/bash dependency.
      Don't show prompt for selecting a profile
      unless something went wrong or explicitly asked.

    init_policy.sh:
      Removed /bin/bash dependency.
      Some "file_pattern"s are added.
      Error check is added upon startup.

    loadpolicy:
      Don't try to open /proc/self/fd/0 when reading from standard input.

    setlevel:
      Don't show profiles that are not asked to modify.

    domainmatch:
      Removed /bin/bash dependency.
      Insert a blank line before printing domainname.

    mailauth:
      Removed openssl-devel dependency.
      Use decimal numbers instead of random ASCII character.

Version 1.5.2 2007/12/05   Minor update release.

  The following program was updated.

    editpolicy:
      Use different color for domainname's line and selected line.

    editpolicy_offline:
      Allow invoking as ccs-editpolicy_offline .

Version 1.5.3 2008/01/31   Minor update release.

  The following program was updated.

    editpolicy:
      Allow keyword aliasing.

    loadpolicy:
      Allow deleting domain definition.
      Fix some bugs.

    savepolicy:
      Allow printing to stdout.
      Allow saving profile and manager.

    checkpolicy:
      Fix some bugs.

  The following program was added.

    ccs-notifyd:
      Notify the occurrence of first policy violation in enforcing mode.

Version 1.6.0 2008/04/01   Feature enhancement release.

  The following program was updated.

    editpolicy:
      Allow keyword aliasing via configuration file.
      Allow line coloring via configuration file.

Version 1.6.1 2008/05/10   Minor update release.

  The following program was updated.

    init_policy.sh:
      Check /usr/lib for symbolic link.

Version 1.6.2 2008/06/25   Usability enhancement release.

  The following programs were updated.

    ccs-init:
      Don't wait for user's input if /etc/ccs/ doesn't exist.

    init_policy.sh:
      Add some files under /usr/share/ to globally readable files.
      Don't make patterns for /sys/ .
      Fix some bugs.

    ccs-queryd:
      Show more information regarding pending requests.
      Merge functionality of ld-watch .

    ccs-notifyd:
      Show more information regarding pending requests.

  The following program was added.

    convert-exec-param:
      Generate "allow_execute" entry which considers argv[] values
      from access logs.

Version 1.6.3 2008/07/15   Bug fix release.

  The following programs were updated.

    editpolicy:
      Treat ASCII code's BS character as ncurses code's BS character.

    proxy:
      Dropped suid-root since /usr/lib/ccs/ is globally accessible
      since 1.6.2 .

Version 1.6.4 2008/09/03   Bug fix release.

  No changes for tools.

  Only programs for testing kernel were updated.

Version 1.6.5 2008/11/11   Third anniversary release.

  Updated coding style and fixed some bugs.

Version 1.6.6 2009/02/02   Bug fix release.

  The following programs were updated.

    ccs-editpolicy:
      Handle '\A' and '\a' correctly.

    ccs-pathmatch:
      Handle '\A' and '\a' correctly.

Version 1.6.7 2009/04/01   Feature enhancement release.

  ccs-editpolicy:
    Add ability to edit profile and manager and meminfo.
    Add ability to edit policy files in arbitrary location.
    Add ability to edit policy remotely.
    Add readonly mode option for showcase use.
    Add automatic refresh option for showcase use.

  ccs-loadpolicy:
    Add ability to load policy remotely.
    Add ability to load meminfo.

  ccs-savepolicy:
    Add ability to save policy remotely.
    Add ability to print meminfo.

  ccs-editpolicy-agent:
    This program gives ccs-editpolicy and ccs-loadpolicy and ccs-savepolicy
    ability to manage embedded systems remotely via TCP/IP networking.

  ccs-editpolicy_offline:
    This program was removed because its functionality was merged into
    ccs-editpolicy.

  ccs-setlevel:
    This program became obsolete because its functionality was merged into
    ccs-editpolicy and ccs-loadpolicy.

Version 1.6.8 2009/05/28   Bug fix release.

  ccs-ccstree:
    Add ability to fetch status remotely.

  ccs-editpolicy-agent:
    Add support for ccs-ccstree.

Version 1.6.8p1 2009/06/23   Bug fix release.

  ccs-auditd:
    Print error message if auditing interface is not available.

Version 1.7.0 2009/09/03   Feature enhancement release.

  Installation directory changed.
  Renamed from "ccs-ccstree" to "ccs-pstree" .
  Removed "realpath", "make_alias", "makesyaoranconf".

  /sbin/ccs-init:
    Converted to binary program.

  /usr/lib/ccs/init_policy:
    Converted to binary program.

  /usr/sbin/ccs-findtenp:
    Add "--with-domainname" option.

  /usr/sbin/ccs-queryd:
    Use global PID for reaching the target domain.

  /usr/sbin/ccs-auditd:
    Reduce fsync() requests.

  /usr/sbin/ccs-editpolicy:
    Removed system policy editor.
    Changed profile editor.
    Optimize command temporarily not working due to syntax changes.