--- trunk/1.7.x/ccs-patch/README.ccs 2010/03/08 08:44:55 3502 +++ trunk/1.8.x/ccs-patch/README.ccs 2011/06/19 08:09:56 5147 @@ -797,7 +797,7 @@ I was using PAGE_SIZE (4096 in many environments) as the max length of any string data. But for environments that have larger PAGE_SIZE, - doing memset(ptr, 0, PAGE_SIZE) everytime is too wasteful. + doing memset(ptr, 0, PAGE_SIZE) every time is too wasteful. Fix 2007/01/29 @@ -1723,7 +1723,7 @@ to see process information. The content of /proc/ccs/.execute_handler is identical to /proc/ccs/.process_status . -Version 1.6.5 2008/11/11 Third anniversary release. +Version 1.6.5 2008/11/11 Third anniversary release. Fix 2008/12/01 @@ -2243,7 +2243,7 @@ /proc/ccs/profile (which results in not protecting the system at all), I added a check for PROFILE_VERSION= . -Version 1.7.1 2009/11/11 Fourth anniversary release. +Version 1.7.1 2009/11/11 Fourth anniversary release. Fix 2009/11/13 @@ -2342,7 +2342,7 @@ Note that '\0'-terminated binary string is converted to TOMOYO's string inside kernel and prefix "//" is automatically added to the string so - that domainname does not confclict with domainnames created by execve(). + that domainname does not conflict with domainnames created by execve(). Without this prefix, if " /usr/sbin/sshd /bin/bash" domain is allowed to open /proc/ccs/.transition for writing and " /usr/sbin/sshd /bin/bash /usr/bin/passwd" domain is allowed to 
@@ -2360,8 +2360,534 @@ @ Allow building as loadable kernel module. - To be able to minimize filesize increment on vmlinux, I made it + To be able to minimize filesize increment of vmlinux, I made it possible to compile TOMOYO Linux as loadable kernel module. Although patching the kernel source and recompiling the kernel are inevitable, this change will make it easier to enable TOMOYO Linux when there is a filesize limitation on vmlinux (e.g. embedded systems). + +Fix 2010/03/25 + + @ Fix ccs_get_ipv6_address() bug. + + Since 1.7.0 , ccs_get_ipv6_address() was by error returning address of + "struct list_head ccs_address_list" if memory allocation failed. + As a result, ccs_put_ipv6_address() will modify memory near + "struct list_head ccs_address_list" if memory allocation failed. + +Fix 2010/03/26 + + @ Fix ccs_lport_reserved() bug. + + Since 1.7.0 , ccs_lport_reserved() was by error checking wrong port + number. As a result, "deny_autobind" keyword was not working as expected. + +Version 1.7.2 2010/04/01 Feature enhancement release. + +Fix 2010/04/10 + + @ Fix invalid "struct nameidata" to "struct path" conversion macro. + + Regarding kernels 2.6.24 and earlier, I was converting "struct nameidata" + to "struct path" in caller side so that I can unify the callee function's + parameter type. But it turned out that the macro I used did not follow C + standards and did not work with gcc 4.x . As a result, "allow_pivot_root" + keyword was not working as expected. + +Fix 2010/05/05 + + @ Fix incorrect audit on/off control. + + The grant_log= and reject_log= parameters of CONFIG::misc::env were not + used because I forgot to update request type. As a result, those of + CONFIG::file::execute were used for CONFIG::misc::env . + + Those of CONFIG::file::rewrite were not used because I forgot to update + request type. As a result, those of CONFIG::file::truncate were used for + CONFIG::file::rewrite . + +Fix 2010/05/10 + + @ Fix incorrect out of memory warning. 
+ + Out of memory warnings were not printed in some cases by error. + +Fix 2010/05/27 + + @ Add missing rcu_dereference() for ccs_find_execute_handler(). + + Since 1.7.0 , ccs_find_execute_handler() was by error using + list_for_each_entry() rather than list_for_each_entry_rcu(). + This bug affects only Alpha architecture. + +Fix 2010/06/03 + + @ Fix missing sanity check for "file_pattern". + + Since 1.7.0 , ccs_write_pattern_policy() was by error accepting + invalid pathname. + +Fix 2010/06/09 + + @ Add missing ccs_put_name() in ccs_parse_envp(). + + Since 1.7.0 , ccs_parse_envp() was not calling ccs_put_name() if + environment variable's value ('if exec.envp["name"]="value"' condition) + was invalid. + + @ Add missing NULL check in ccs_condition(). + + Since 1.7.0 , if 'if symlink.target=' part was given against non-file + permissions (e.g. allow_env PATH if symlink.target="/"), it triggered + NULL pointer dereference. + +Fix 2010/10/28 + + @ Fix umount() pathname calculation. + + "mount --bind /path/to/file1 /path/to/file2" is legal. + Therefore, "umount /path/to/file2" is also legal. + Do not automatically append trailing '/' if pathname to be unmounted + does not end with '/'. + + @ Add preserve KABI compatibility option. (2.6 kernels only) + + TOMOYO needs "struct ccs_domain_info *" and "u32" for each + "struct task_struct". But embedding these variables into + "struct task_struct" breaks KABI for prebuilt kernel modules (which + means that you will need to rebuild prebuilt kernel modules). + + Since KABI is commonly used (compared to 5 years ago), asking users to + rebuild kernel modules which are not included in kernel package is no + longer preferable. Therefore, I added a new option that keeps + "struct task_struct" unmodified in order to keep KABI. + + Note that you have to use ccs-patch-2.6.\*.diff which patches + kernel/fork.c in order to use this option. Otherwise, TOMOYO will leak + memory whenever "struct task_struct" is released. 
+ + @ Change directives. + + I removed "allow_" prefix from directives. New directives for files are + prefixed with "file ". For example, "allow_read" changed to "file read", + "allow_ioctl" changed to "file ioctl". New directive for "allow_network + TCP" is "network inet stream", "allow_network UDP" is "network inet + dgram", "allow_network RAW" is "network inet raw". New directive for + "allow_env" is "misc env". New directive for "allow_signal" is "ipc + signal". New directive for "allow_capability" is "capability". These new + directives correspond with keywords used by profile's CONFIG lines. + + I removed "deny_rewrite" and "allow_rewrite" directives and introduced + "file append" directive. Thus, permission for open(O_WRONLY | O_APPEND) + changed from "allow_write" + "allow_rewrite" to "file append". + + I removed "SYS_MOUNT", "SYS_UMOUNT", "SYS_CHROOT", "SYS_KILL", + "SYS_LINK", "SYS_SYMLINK", "SYS_RENAME", "SYS_UNLINK", "SYS_CHMOD", + "SYS_CHOWN", "SYS_IOCTL", "SYS_PIVOT_ROOT" keywords from capabilities + because these permissions can be checked by other directives (e.g. + "file mount", "ipc signal"). + + I also removed "conceal_mount" keyword from capabilities because this + check requires hooks in filesystem part while almost all hooks for + filesystem part have moved to LSM by Linux 2.6.34. + + New directive for "execute_handler" is "task auto_execute_handler", + "denied_execute_handler" is "task denied_execute_handler". + + @ Distinguish send() and recv() operations. + + Until now, it was impossible for UDP and IP sockets to allow either + only sending or only receiving because permissions were aggregated with + "connect" keyword. I broke "connect" keyword into "send" and "recv" + keywords so that you can keep access control for send() operation enabled + when you have to disable access control for recv() operation due to + application breakage by discarding incoming datagram. + + @ Add Unix domain socket restriction support. 
+ + Until now, it was possible to restrict only inet domain sockets (i.e. + TCP/UDP/RAW). I added restriction for Unix domain sockets (i.e. stream/ + dgram/seqpacket). New directive "network unix" is added as well as + "network inet" directive. + + @ Allow specifying multiple permissions in a line. + + Until now, only "allow_read/write" can be specified for combination of + "allow_read" + "allow_write". Now, you can combine other permissions as + long as type of parameters for these permissions is same. For example, + "file read/write/append/execute/unlink/truncate /tmp/file" is correct + but "file read/write/create /tmp/file" is wrong because "file create" + requires create mode whereas "file read" and "file write" do not. + + @ Allow wildcard for execute permission and domainname. + + Until now, to execute programs with temporary names, "aggregator" is + needed. To simplify code, I modified to accept wildcards for execute + permission and domainname. Now, you can directly specify + "file execute /tmp/logrotate.\?\?\?\?\?\?" and use + "/tmp/logrotate.\?\?\?\?\?\?" within domainnames. + + @ Change pathname for non-rename()able filesystems. + + LSM version of TOMOYO wants to use /proc/self/ rather than /proc/$PID/ if + $PID matches current thread's process ID in order to prevent current + thread from accessing other process's information unless needed. + But since procfs can be mounted on various locations (e.g. /proc/ /proc2/ + /p/ /tmp/foo/100/p/ ), LSM version of TOMOYO cannot tell that whether the + numeric part in the string returned by __d_path() represents process ID + or not. + + Therefore, to be able to convert from $PID to self no matter where procfs + is mounted, I changed pathname representations for filesystems which do + not support rename() operation (e.g. proc, sysfs, securityfs). + + Now, "/proc/self/mounts" changed to "proc:/self/mounts" and + "/sys/kernel/security/" changed to "sys:/kernel/security/" and + "/dev/pts/0" changed to "devpts:/0". 
+ + @ Add a new keyword "any" for domain transition control. + + To be able to make it easier to apply auto_execute_handler on each + domain, I added "any" keyword to domain transition control keywords. Now, + "initialize_domain /usr/sbin/sshd" changed to + "initialize_domain /usr/sbin/sshd from any" and + "keep_domain /usr/sbin/sshd /bin/bash" changed to + "keep_domain any from /usr/sbin/sshd /bin/bash". + + "keep_domain /path/to/auto_execute_handler from any" will allow you to + apply auto_execute_handler for any domains without creating domains for + auto_execute_handler. + + @ Change buffering mode for reading policy. + + To be able to read() very very long lines correctly, I changed the way + TOMOYO buffers policy for reading. + + @ Introduce "acl_group" keyword. + + Until now, it was possible to specify only "allow_read" and "allow_env" + keywords in the exception policy. + + Since some operations like "file read/write/append /dev/null" and + "network UDP send/recv @DNS_SERVER 53" are very common and should be + permitted to all domains, I introduced "acl_group" keyword for giving + such permissions. + + For example, specify "acl_group 0 file read/write/append /dev/null" in + the exception policy and specify "use_group 0" from the domains in the + domain policy. + + "ignore_global_allow_read" and "ignore_global_allow_env" directives were + removed from domain policy and "use_group" keyword was added. + + @ Remove "if" and "; set" keyword. + + I removed need for specifying these keyword. + You can simply specify like below. + + file read /etc/shadow task.uid=0 + + @ Remove "file_pattern" keyword. + + I removed "file_pattern" keyword because it is impossible to predefine + all possible pathname patterns. Also, learning pathnames using incomplete + patterns makes it difficult to later replace using "path_group" keyword. + + @ Replace verbose= parameter with statistic interface. 
+ + Since it is noisy if a lot of policy violation messages are printed, + I removed printk(). To be able to check whether policy violation occurred + or not, I introduced /proc/ccs/stat interface which counts number of + policy violations occurred. You can firstly check /proc/ccs/stat and then + check /proc/ccs/reject_log . + + @ Remove global preference. + + I removed global preference in order to make code simpler. + + @ Allow controlling generation of access granted logs for per an entry + basis. + + I added per-entry flag which controls generation of grant logs because + Xen and KVM issues ioctl requests so frequently. For example, + + file ioctl /dev/null 0x5401 grant_log=no + + will suppress /proc/ccs/grant_log even if preference says grant_log=yes . + + file ioctl /dev/null 0x5401 grant_log=yes + + will generate /proc/ccs/grant_log even if preference says grant_log=no . + + file ioctl /dev/null 0x5401 + + will generate /proc/ccs/grant_log only if preference says grant_log=yes . + + This flag is intended for frequently accessed resources like + + file read /var/www/html/\{\*\}/\*.html grant_log=no + + . + + @ Automatically create domain by execve() even if enforcing mode. + + Until now, new domains are not created if the domain was not defined and + current domain is enforcing mode ("CONFIG::file::execute=enforcing"). + + To be able to restrict shell session without using "keep_domain", + I changed to create new domains automatically even if current domain is + enforcing mode. + + @ Replace "task.state" with "auto_domain_transition". + + task.state is difficult to use. Thus, I replaced task.state with + auto_domain_transition which performs domain transition instead of + changing current process's state variables. + + If domain transition failed, current process will be killed by SIGKILL + signal. 
This should not happen in normal circumstances, for you know the + domain to transit to and thereby you will define the domain beforehand + when you use "auto_domain_transition" keyword. + + @ Replace "allow_transit" with "task manual_domain_transition". + + I changed this directive to specify absolute domainname (e.g. + " /usr/sbin/httpd //app=cgi1\040id=10000") rather than virtual + pathname (e.g. "//app=cgi1\040id=10000") because you know the domain to + transit to and thereby you will define the domain beforehand when you use + "task manual_domain_transition" directive. + + This change allows you to jump to arbitrary domain. + + Note that this change also reverts "Change /proc/ccs/info/self_domain ." + made on 2006/10/24. Now, 'cat < /proc/ccs/info/self_domain' will act like + 'cat /proc/ccs/info/self_domain'. Programs depending on old assumption + need to be updated. + + @ Add "task auto_domain_transition". + + This is similar to "task manual_domain_transition", but is automatically + applied whenever conditions are met. For example, + + task auto_domain_transition //./non-root task.uid!=0 + + will automatically jump to " //./non-root" domain if current + process's UID is not 0 whereas + + task manual_domain_transition //./non-root task.uid!=0 + + will jump to " //./non-root" domain if current process's UID is + not 0 and current process wrote " //./non-root" to + /proc/ccs/self_domain interface. + + If domain transition failed, current process will be killed by SIGKILL + signal. + + @ Optimize for object's size. + + I merged similar code in order to reduce object's filesize. + +Version 1.8.0 2010/11/11 Fifth anniversary release. + +Fix 2010/12/01 + + @ Use same interface for audit logs. + + To be able to perform fine grained filtering by /usr/sbin/ccs-auditd , + I merged /proc/ccs/grant_log and /proc/ccs/reject_log as + /proc/ccs/audit and added granted=yes or granted=no to audit logs. 
+ +Fix 2010/12/17 + + @ Split ccs_null_security into ccs_default_security and ccs_oom_security. + + ccs_null_security is used by preserve KABI compatibility option and is + used for providing default values against threads which have not yet + allocated memory for their security contexts. + + If current thread failed to allocate memory for current thread's security + context, current thread uses ccs_null_security. Since current thread is + allowed to modify current thread's security context, current thread might + modify ccs_null_security which should not be modified for any reason. + + Therefore, I split ccs_null_security into ccs_default_security and + ccs_oom_security and use ccs_oom_security when current thread failed to + allocate memory for current thread's security context. + + Threads which do not share ccs_oom_security are not affected by threads + which share ccs_oom_security. Threads which share ccs_oom_security will + experience temporary inconsistency, but such threads are about to be + killed by SIGKILL signal. + +Fix 2011/01/11 + + @ Use filesystem name for unnamed devices when vfsmount is missing. + + "Change pathname for non-rename()able filesystems." changed to use + "$fsname:" if the filesystem does not support rename() operation and + "dev($major,$minor):" otherwise when vfsmount is missing. But it turned + out that it is useless to use "dev($major,$minor):" for unnamed devices + (filesystems with $major == 0). Thus, I changed to use "$fsname:" rather + than "dev($major,$minor):" for filesystems with $major == 0 when vfsmount + is missing. + +Fix 2011/02/07 + + @ Fix infinite loop bug when reading /proc/ccs/audit or /proc/ccs/query . + + In ccs_flush(), head->r.w[0] holds pointer to string data to be printed. + But head->r.w[0] was updated only when the string data was partially + printed (because head->r.w[0] will be updated by head->r.w[1] later if + completely printed). 
However, regarding /proc/ccs/audit and + /proc/ccs/query , an additional '\0' is printed after the string data was + completely printed. But if free space for read buffer became 0 before + printing the additional '\0', ccs_flush() was returning without updating + head->r.w[0]. As a result, ccs_flush() forever reprints already printed + string data. + +Fix 2011/03/01 + + @ Run garbage collector without waiting for /proc/ccs/ users. + + Currently TOMOYO holds SRCU lock upon open() and releases it upon close() + because list elements stored in the "struct ccs_io_buffer" instances are + accessed until close() is called. However, such SRCU usage causes lockdep + to complain about leaving the kernel with SRCU lock held. Therefore, + I changed to hold/release SRCU upon each read()/write() by selectively + deferring kfree() by keeping track of the "struct ccs_io_buffer" + instances. + +Fix 2011/03/05 + + @ Support built-in policy configuration. + + To be able to start using enforcing mode from the early stage of boot + sequence, I added support for built-in policy configuration and + activating access control without calling external policy loader program. + + This will be useful for systems where operations which can lead to the + hijacking of the boot sequence are needed before loading the policy. + For example, you can activate immediately after loading the fixed part of + policy which will allow only operations needed for mounting a partition + which contains the variant part of policy and verifying (e.g. running GPG + check) and loading the variant part of policy. Since you can start using + enforcing mode from the beginning, you can reduce the possibility of + hijacking the boot sequence. + +Fix 2011/03/10 + + @ Remove /proc/ccs/meminfo interface. + + Please use /proc/ccs/stat interface instead. + +Fix 2011/03/15 + + @ Pack policy when printing via /proc/ccs/ interface. 
+ + The kernel side is ready for accepting packed input like + + file read/write/execute /path/to/file + + but was using unpacked output like + + file read /path/to/file + file write /path/to/file + file execute /path/to/file + + because most of userland tools were not ready for accepting packed input. + + The advantages of using packed policy are that it makes policy files + smaller and it speeds up loading/saving policy files. + + Since most of userland tools are ready for accepting packed input by now, + I changed to use packed policy for both input and output. + +Fix 2011/03/31 + + @ Fix conditional policy parsing. + + Since exec.realpath= and symlink.target= accept path_group, + symlink.target="@foo" was by error parsed as symlink.target=@foo . + + @ Serialize updating profile's comment line. + + We need to serialize when updating COMMENT= line in /proc/ccs/profile . + +Version 1.8.1 2011/04/01 Usability enhancement with "Zettai, Daijoubudayo" release! + +Fix 2011/04/03 + + @ Fix fcntl(F_SETFL, O_APPEND) handling. + + Since 1.8.0, TOMOYO was by error checking "file write" permission rather + than "file append" permission when changing file's writing mode from + "overwriting" to "append". + + This error should impact little (except CentOS 6.0 kernels) because once + a file was opened for "overwriting" mode, changing that file to "append" + mode cannot undo overwriting the file. Regarding CentOS 6.0 kernels, + due to different ACC_MODE definition, TOMOYO was by error needlessly + checking "file read" permission when fcntl() was requested. + +Fix 2011/04/20 + + @ Remove unused "struct inode *" parameter from hooks. + + Since pre-vfs functions were removed on 2010/09/18, "struct inode *" + parameter which was used for checking parent directory's DAC permission + is no longer used. + + Note that "struct ccsecurity_operations ccsecurity_ops" has changed. + Loadable kernel modules that depends on it need to be rebuilt. 
+ +Fix 2011/05/05 + + @ Fix wrong profile number in audit logs for "misc env" permission. + + Profile number used for "file execute" permission was by error reused + when generating audit logs for "misc env" permission. + +Fix 2011/05/11 + + @ Fix wrong domainname validation. + + "" + "/foo/\" + "/bar" was by error checked when + " /foo/\* /bar" was given. As a result, legal domainnames like + " /foo/\* /bar" are rejected. + +Fix 2011/06/06 + + @ Add policy namespace support. + + To be able to use TOMOYO in LXC environments, I introduced policy + namespace. Each policy namespace has its own set of domain policy, + exception policy and profiles, which are all independent of other + namespaces. + + @ Remove CONFIG_CCSECURITY_BUILTIN_INITIALIZERS option. + + From now on, exception policy and manager need to be able to handle + policy namespace (which is a <$namespace> prefix added to each line). + Thus, space-separated list for CONFIG_CCSECURITY_BUILTIN_INITIALIZERS is + no longer suitable for handling policy namespace. + +Fix 2011/06/10 + + @ Allow specifying trigger for activation. + + To be able to use TOMOYO under systemd environments where init= parameter + is used, I changed to allow overriding the trigger for calling external + policy loader and activating MAC via kernel command line options. + +Fix 2008/06/14 + + @ Remove unused "struct inode *" parameter from ccs-patch-\*.diff . + + To follow changes I made on 2011/04/20, I removed "struct inode *" from + ccs_mknod_permission(), ccs_mkdir_permission(), ccs_rmdir_permission(), + ccs_unlink_permission(), ccs_symlink_permission(), ccs_link_permission(), + ccs_rename_permission() that are called from fs/namei.c + net/unix/af_unix.c include/linux/security.c security/security.c . + If you have your own ccs-patch-*.diff , please update accordingly. + +Version 1.8.2 2011/06/20 Usability enhancement release.
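Review bot: in the hunks at @@ -1723 and @@ -2243 the removed and added lines ("Version 1.6.5 2008/11/11 Third anniversary release." and "Version 1.7.1 2009/11/11 Fourth anniversary release.") are textually identical as shown, so the change must be whitespace only (trailing spaces or tab/space normalisation). Say so in the change description, or drop these two hunks from the diff so that reviewers are not left guessing what changed.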
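Review bot: the heading "Fix 2008/06/14" near the end of the @@ -2360 hunk is out of order: it sits after "Fix 2011/06/10", refers to "changes I made on 2011/04/20", and is followed by "Version 1.8.2 2011/06/20". The year is a typo and the heading should read "Fix 2011/06/14"; as written, anyone grepping the changelog by date will file the ccs_*_permission() signature change under the wrong release.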
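Review bot: in the "Add preserve KABI compatibility option" entry, a silent memory leak on every "struct task_struct" release is too severe a failure mode to guard with a README sentence ("Note that you have to use ccs-patch-2.6.\*.diff which patches kernel/fork.c"). Gate the option at build time instead (a Kconfig dependency or a compile-time error when the kernel/fork.c hook is absent), or at least tell the reader here how to verify that the fork.c hook is present before enabling the option.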
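Review bot: the "Automatically create domain by execve() even if enforcing mode" entry should state what did not change. It says new domains are now created even under "CONFIG::file::execute=enforcing", but not which profile the auto-created domain receives nor that the "file execute" permission check itself is unchanged. Enforcing mode is the mode administrators rely on to refuse anything not in policy, so spell out that only the domain-creation step was relaxed and what an auto-created domain inherits; otherwise readers will reasonably wonder whether this widens what is allowed.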
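Review bot: the "Fix conditional policy parsing" entry under "Fix 2011/03/31" deserves a clearer security framing. Parsing symlink.target="@foo" as symlink.target=@foo turns a quoted literal into a path_group reference, so on 1.8.0 a condition written to match one exact target was evaluated against whatever the group "foo" contained. State that explicitly and advise users with quoted @-prefixed targets in their policy to re-check those entries after upgrading.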
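Review bot: two wording nits in the @@ -2360 hunk: "Allow controlling generation of access granted logs for per an entry basis" should read "on a per-entry basis", and "Xen and KVM issues ioctl requests so frequently" should be "issue". Also "read() very very long lines" in the buffering entry reads better as "very long lines".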