--- trunk/1.6.x/ccs-patch/README.ccs	2008/06/04 03:11:54	1255
+++ trunk/1.6.x/ccs-patch/README.ccs	2008/09/19 05:02:59	1606
@@ -1445,3 +1445,174 @@
       by /etc/ccs/ccs-post-init , I stopped using the close() request.
       The policy loader no longer need to access /proc/ccs/meminfo to notify
       the kernel that loading policy has finished.
+
+Fix 2008/06/05
+
+    @ Fix realpath for pipes and sockets.
+
+      Kernel 2.6.22 and later use different method for calculating d_path().
+      Since fs/realpath.c didn't notice the change, the realpath of pipes
+      appeared as "pipe:" rather than "pipe:[\$]" when they are opened via
+      /proc/PID/fd/ directory.
+
+    @ Add process's information into /proc/ccs/query .
+
+      While /proc/ccs/grant_log and /proc/ccs/reject_log contain process's
+      information, /proc/ccs/query doesn't contain it.
+      To be able to utilize ccs-queryd and ccs-notifyd more, I added it into
+      /proc/ccs/query .
+
+Fix 2008/06/10
+
+    @ Allow using patterns for globally readable files.
+
+      To allow users specify locale specific files to globally readable files,
+      I relaxed checking in update_globally_readable_entry().
+
+Fix 2008/06/11
+
+    @ Remove ALLOW_ENFORCE_GRACE parameter.
+
+      Since unexpected requests caused by doing software updates can happen
+      in all profiles, users likely have to write ALLOW_ENFORCE_GRACE=enabled
+      to all profiles. And it makes meaningless to allow users to selectively
+      enable specific profile's ALLOW_ENFORCE_GRACE parameter.
+      So, I removed ALLOW_ENFORCE_GRACE parameter.
+      Now, the system behaves as if ALLOW_ENFORCE_GRACE=enabled is specified.
+      The behavior of "delayed enforcing" mode is defined in the following
+      order.
+
+      (1) The requests are rejected immediately if nobody is opening
+          /proc/ccs/query interface.
+      (2) The requests will be rejected in 10 seconds if somebody other than
+          ccs-queryd (such as less(1)) is opening /proc/ccs/query interface,
+          for such process doesn't write dummy decisions.
+
+Fix 2008/06/22
+
+    @ Pass escaped pathname to audit_execute_handler_log().
+
+      I was passing unescaped pathname to audit_execute_handler_log()
+      which causes /proc/ccs/grant_log contain whitespace characters
+      if execute handler's pathname contains whitespace characters.
+
+Fix 2008/06/25
+
+    @ Return 0 when ccs_may_umount() succeeds.
+
+      I forgot to clear error value in ccs_may_umount() when the requested
+      directory didn't match "deny_unmount" keyword. As a result, any umount()
+      request with RESTRICT_UNMOUNT=enforcing returned -EPERM error.
+
+Version 1.6.2 2008/06/25   Usability enhancement release.
+
+Fix 2008/07/01
+
+    @ Fix "Compilation failure" with 2.4.20 kernel.
+
+      RedHat Linux 9's 2.4.20 kernel backported O(1) scheduler patch,
+      resulting compilation error at ccs_load_policy().
+      I added defined(TASK_DEAD) check.
+
+Fix 2008/07/08
+
+    @ Don't check permissions if vfsmount is NULL.
+
+      Some filesystems (e.g. unionfs) pass NULL vfsmount.
+      I changed fs/tomoyo_file.c not to try to calculate pathnames
+      if vfsmount is NULL.
+
+Version 1.6.3 2008/07/15   Bug fix release.
+
+Fix 2008/08/21
+
+    @ Add workaround for gcc 4.3's bug.
+
+      In some environments, fs/tomoyo_network.c could not be compiled
+      because of gcc 4.3's bug.
+      I modified save_ipv6_address() to use "integer literal" value
+      instead for "static const u8" variable.
+
+    @ Change prototypes of some functions.
+
+      To support 2.6.27 kernels, I replaced "struct nameidata" with
+      "struct path" for some functions.
+
+    @ Detect distributor specific patches automatically.
+
+      Since kernels with AppArmor patch applied is increasing,
+      I introduced a mechanism which determines whether specific patches
+      are applied or not, based on "#define" directives in the patches.
+
+Fix 2008/08/29
+
+    @ Remove "-ccs" suffix from Makefile's EXTRAVERSION.
+
+      To reduce conflicts on Makefile's EXTRAVERSION,
+      I removed "-ccs" suffix from ccs-patch-2.\*.diff .
+      Those who build kernels without using specs/build-\*.sh ,
+      please edit EXTRAVERSION tag manually so that original kernels
+      will not be overwritten by TOMOYO Linux kernels.
+
+Version 1.6.4 2008/09/03   Minor update release.
+
+Fix 2008/09/09
+
+    @ Add "try again" response to "delayed enforcing" mode.
+
+      To be able to handle pathname changes caused by software updates,
+      "delayed enforcing" mode was introduced. It allows administrator to
+      grant access requests which are about to be rejected by the kernel.
+
+      To be able to handle pathname changes caused by software updates better,
+      I introduced "try again" response. As "delayed enforcing" mode sleeps
+      a process which violated policy, administrator can update policy while
+      the process is sleeping. This "try again" response allows administrator
+      to restart policy checks from the beginning after updating policy.
+
+Fix 2008/09/11
+
+    @ Remember whether the process is allowed to write to /proc/ccs/ interface.
+
+      Since programs for manipulating policy (e.g. ccs-queryd ) are installed
+      in the form of RPM/DEB packages, these programs lose the original
+      pathnames when they are updated by the package manager. The package
+      manager renames these programs before deleting these programs so that
+      the package manager can rollback the operation.
+      This causes a problem when the programs are listed into /proc/ccs/manager
+      using pathnames, as the programs will no longer be allowed to write to
+      /proc/ccs/ interface while the process of old version of the program is
+      alive.
+
+      To solve this problem, I modified to remember the fact that the process
+      is once allowed to write to /proc/ccs/ interface until the process
+      attempts to execute a different program.
+      This change makes it impossible to revoke permission to write to
+      /proc/ccs/ interface without killing the process, but it will be better
+      than nonfunctioning ccs-queryd program.
+
+Fix 2008/09/19
+
+    @ Allow selecting a domain by PID.
+
+      Sometimes we want to know what ACLs are given to specific PID, but
+      finding a domainname for that PID from /proc/ccs/.process_status and
+      reading ACLs from /proc/ccs/domain_policy by the domainname is very slow.
+      Thus, I modified /proc/ccs/domain_policy to allow selecting a domain by
+      PID. For example, to read domain ACL of current process from bash,
+      run as follows.
+
+      # exec 100<>/proc/ccs/domain_policy
+      # echo select $$ >&100
+      # while read -u 100; do echo $REPLY; done
+
+      If a domain is once selected by PID, reading /proc/ccs/domain_policy will
+      print only that domain if that PID exists or print nothing otherwise.
+
+    @ Disallow concurrent /proc/ccs/ access using the same file descriptor.
+
+      Until now, one process can read() from /proc/ccs/ while other process
+      that shares the file descriptor can write() to /proc/ccs/ .
+      But to implement "Allow selecting a domain by PID" feature, I disabled
+      concurrent read()/write() because the feature need to modify read buffer
+      while writing.