475 |
succeeds to invoke do_execve() with filename = "/bin/ls" and |
succeeds to invoke do_execve() with filename = "/bin/ls" and |
476 |
argv[0] = "/bin/cat". |
argv[0] = "/bin/cat". |
477 |
|
|
478 |
I introduced a keyword that permits the mismatch of |
I introduced a directive that permits the mismatch of |
479 |
basename of filename and argv[0]. |
basename of filename and argv[0]. |
480 |
|
|
481 |
Fix 2006/08/10 |
Fix 2006/08/10 |
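Review bot: Line 478 now reads "I introduced a directive that permits the mismatch of basename of filename and argv[0]" but still does not name the directive; since this commit is already rewording that sentence, name the directive so the entry can be matched to the policy syntax, the way the later entries do ("force_alt_exec", "execute_handler").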
1259 |
|
|
1260 |
Fix 2008/03/03 |
Fix 2008/03/03 |
1261 |
|
|
1262 |
@ Add "force_alt_exec" keyword. |
@ Add "force_alt_exec" directive. |
1263 |
|
|
1264 |
To be able to fully utilize "alt_exec" feature, |
To be able to fully utilize "alt_exec" feature, |
1265 |
I added "force_alt_exec" keyword so that |
I added "force_alt_exec" directive so that |
1266 |
all execute requests are replaced by the execute request of a program |
all execute requests are replaced by the execute request of a program |
1267 |
specified by alt_exec feature. |
specified by alt_exec feature. |
1268 |
|
|
1269 |
If this keyword is specified for a domain, the domain no longer |
If this directive is specified for a domain, the domain no longer |
1270 |
executes any programs regardless of the mode of file access control |
executes any programs regardless of the mode of file access control |
1271 |
(i.e. the domain won't execute even if MAC_FOR_FILE=0 ). |
(i.e. the domain won't execute even if MAC_FOR_FILE=0 ). |
1272 |
Instead, the domain executes the program specified by alt_exec feature |
Instead, the domain executes the program specified by alt_exec feature |
1301 |
|
|
1302 |
Fix 2008/03/10 |
Fix 2008/03/10 |
1303 |
|
|
1304 |
@ Rename "force_alt_exec" keyword to "execute_handler". |
@ Rename "force_alt_exec" directive to "execute_handler". |
1305 |
|
|
1306 |
To be able to use different programs for validating execve() parameters, |
To be able to use different programs for validating execve() parameters, |
1307 |
I moved the location to specify the program's pathname from profile |
I moved the location to specify the program's pathname from profile |
1308 |
to domain policy. |
to domain policy. |
1309 |
|
|
1310 |
The "execute_handler" keyword takes one pathname which is |
The "execute_handler" directive takes one pathname which is |
1311 |
invoked whenever execve() request is issued. Thus, any "allow_execute" |
invoked whenever execve() request is issued. Thus, any "allow_execute" |
1312 |
keywords in a domain with "execute_handler" are ignored. |
directives in a domain with "execute_handler" are ignored. |
1313 |
This keyword is designed for validating expected/desirable execve() |
This directive is designed for validating expected/desirable execve() |
1314 |
requests in userspace, although there is no way to tell the caller |
requests in userspace, although there is no way to tell the caller |
1315 |
that the execve() request was rejected. |
that the execve() request was rejected. |
1316 |
|
|
1317 |
@ Rename "alt_exec" keyword to "denied_execute_handler". |
@ Rename "alt_exec" directive to "denied_execute_handler". |
1318 |
|
|
1319 |
The "denied_execute_handler" keyword takes one pathname which is |
The "denied_execute_handler" directive takes one pathname which is |
1320 |
invoked only when execve() request was rejected. In other words, |
invoked only when execve() request was rejected. In other words, |
1321 |
this program is invoked only when the following conditions are met. |
this program is invoked only when the following conditions are met. |
1322 |
|
|
1323 |
(1) None of "allow_execute" keywords in the domain matched. |
(1) None of "allow_execute" directives in the domain matched. |
1324 |
(2) The execve() request was rejected in enforcing mode. |
(2) The execve() request was rejected in enforcing mode. |
1325 |
(3) "execute_handler" keyword is not used by the domain. |
(3) "execute_handler" directive is not used by the domain. |
1326 |
|
|
1327 |
This keyword is designed for handling unexpected/undesirable execve() |
This directive is designed for handling unexpected/undesirable execve() |
1328 |
requests, to redirect the process issuing such requests to somewhere. |
requests, to redirect the process issuing such requests to somewhere. |
1329 |
|
|
1330 |
Fix 2008/03/18 |
Fix 2008/03/18 |
1342 |
@ Disable execute handler loop. |
@ Disable execute handler loop. |
1343 |
|
|
1344 |
To be able to use "execute_handler" in a "keep_domain" domain, |
To be able to use "execute_handler" in a "keep_domain" domain, |
1345 |
ignore "execute_handler" and "denied_execute_handler" keywords |
ignore "execute_handler" and "denied_execute_handler" directives |
1346 |
if the current process is executing programs specified by |
if the current process is executing programs specified by |
1347 |
"execute_handler" or "denied_execute_handler" keyword. |
"execute_handler" or "denied_execute_handler" directive. |
1348 |
|
|
1349 |
This exception is needed to avoid infinite execute handler loop. |
This exception is needed to avoid infinite execute handler loop. |
1350 |
If a domain has both "keep_domain" and "execute_handler", |
If a domain has both "keep_domain" and "execute_handler", |
1501 |
@ Return 0 when ccs_may_umount() succeeds. |
@ Return 0 when ccs_may_umount() succeeds. |
1502 |
|
|
1503 |
I forgot to clear error value in ccs_may_umount() when the requested |
I forgot to clear error value in ccs_may_umount() when the requested |
1504 |
directory didn't match "deny_unmount" keyword. As a result, any umount() |
directory didn't match "deny_unmount" directive. As a result, any umount() |
1505 |
request with RESTRICT_UNMOUNT=enforcing returned -EPERM error. |
request with RESTRICT_UNMOUNT=enforcing returned -EPERM error. |
1506 |
|
|
1507 |
Version 1.6.2 2008/06/25 Usability enhancement release. |
Version 1.6.2 2008/06/25 Usability enhancement release. |
1630 |
@ Don't transit to new domain until do_execve() succeeds. |
@ Don't transit to new domain until do_execve() succeeds. |
1631 |
|
|
1632 |
Until now, a process's domain was updated to new domain which the process |
Until now, a process's domain was updated to new domain which the process |
1633 |
will belongs to before do_execve() succeeds so that the kernel can do |
will belong to before do_execve() succeeds so that the kernel can do |
1634 |
permission checks for interpreters and environment variables based on |
permission checks for interpreters and environment variables based on |
1635 |
new domain. But this caused a subtle problem when other process sends |
new domain. But this caused a subtle problem when other process sends |
1636 |
signals to the process, for the process returns to old domain if |
signals to the process, for the process returns to old domain if |
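Review bot: While fixing "will belongs" to "will belong" on line 1633, the same sentence on line 1635 still reads "when other process sends signals"; change it to "when another process sends signals to the process" so the whole sentence is grammatical.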
1716 |
is_alphabet_char() should match 'A' - 'Z' and 'a' - 'z', |
is_alphabet_char() should match 'A' - 'Z' and 'a' - 'z', |
1717 |
but was matching from 'A' - 'F' and 'a' - 'f'. |
but was matching from 'A' - 'F' and 'a' - 'f'. |
1718 |
|
|
1719 |
Version 1.6.5 2008/11/?? Third anniversary release. |
@ Add /proc/ccs/.execute_handler . |
1720 |
|
|
1721 |
|
Process information became visible to userspace by |
1722 |
|
"Show process information in /proc/ccs/.process_status" feature. |
1723 |
|
However, programs specified by execute_handler directive may run as |
1724 |
|
non root user, making it impossible to see process information. |
1725 |
|
|
1726 |
|
So, I added a new interface that allows execute handler processes |
1727 |
|
to see process information. The content of /proc/ccs/.execute_handler is |
1728 |
|
identical to /proc/ccs/.process_status . |
1729 |
|
|
1730 |
|
Version 1.6.5 2008/11/11 Third anniversary release. |
1731 |
|
|
1732 |
|
Fix 2008/12/01 |
1733 |
|
|
1734 |
|
@ Introduce "task.type=execute_handler" condition. |
1735 |
|
|
1736 |
|
The execute_handler directive is very very powerful. You can use this |
1737 |
|
directive to do anything you want to do (e.g. logging and validating and |
1738 |
|
modifying command line parameters and environment variables, opening and |
1739 |
|
closing and redirecting files, creating pipes to implement antivirus and |
1740 |
|
spam filtering, deploying a DMZ between the ssh daemon and the login |
1741 |
|
shells). |
1742 |
|
|
1743 |
|
To be able to use this directive in a domain with keep_domain directive |
1744 |
|
while limiting access to resources needed for such purposes to only |
1745 |
|
programs invoked as an execute handler process, I added a new condition. |
1746 |
|
|
1747 |
|
In learning mode, "if task.type=execute_handler" condition part will be |
1748 |
|
automatically added for requests issued by an execute_handler process. |
1749 |
|
|
1750 |
|
@ Introduce file's type and permissions as conditions. |
1751 |
|
|
1752 |
|
To be able to limit file types a process can access, I added |
1753 |
|
new conditions for checking file's type and permissions. |
1754 |
|
For example, |
1755 |
|
|
1756 |
|
allow_read /etc/fstab if path1.type=regular path1.perm=0644 |
1757 |
|
|
1758 |
|
will allow opening /etc/fstab for reading only if /etc/fstab is a regular |
1759 |
|
file and it's permission is 0644, and |
1760 |
|
|
1761 |
|
allow_write /dev/null if path1.type=char path1.dev_major=1 path1.dev_minor=3 |
1762 |
|
|
1763 |
|
will allow opening /dev/null for writing only if /dev/null is a character |
1764 |
|
device file with major=1 and minor=3 attributes. |
1765 |
|
|
1766 |
|
@ Add memory quota for temporary memory used for auditing. |
1767 |
|
|
1768 |
|
Although there are MAX_GRANT_LOG and MAX_REJECT_LOG parameters |
1769 |
|
which limit the number of entries for audit logs so that we can avoid |
1770 |
|
memory consumption by audit logs, it would be more convenient if we can |
1771 |
|
also limit the size in bytes. |
1772 |
|
Thus, I added a new quota line. |
1773 |
|
|
1774 |
|
echo Dynamic: 1048576 > /proc/ccs/meminfo |
1775 |
|
|
1776 |
|
This quota is not applied to temporary memory used for permission checks. |
1777 |
|
|
1778 |
|
Fix 2008/12/09 |
1779 |
|
|
1780 |
|
@ Fix ccs_can_save_audit_log() checks. |
1781 |
|
|
1782 |
|
Due to incorrect statement "if (ccs_can_save_audit_log() < 0)" |
1783 |
|
while ccs_can_save_audit_log() is boolean, MAX_GRANT_LOG and |
1784 |
|
MAX_REJECT_LOG were not working. |
1785 |
|
|
1786 |
|
This bug will trigger OOM killer if /usr/sbin/ccs-auditd is not working. |
1787 |
|
|
1788 |
|
Fix 2008/12/24 |
1789 |
|
|
1790 |
|
@ Add "ccs_" prefix. |
1791 |
|
|
1792 |
|
To be able to tell whether a symbol is TOMOYO Linux related or not, |
1793 |
|
I added "ccs_" prefix as much as possible. |
1794 |
|
|
1795 |
|
@ Fix ccs_check_flags() error message. |
1796 |
|
|
1797 |
|
I meant to print SYAORAN-ERROR: message when error == -EPERM, |
1798 |
|
but I was printing it when error == 0 since 1.6.0 . |
1799 |
|
|
1800 |
|
Fix 2009/01/05 |
1801 |
|
|
1802 |
|
@ Use kmap_atomic()/kunmap_atomic() for reading "struct linux_binprm". |
1803 |
|
|
1804 |
|
As remove_arg_zero() uses kmap_atomic(KM_USER0), I modified to use |
1805 |
|
kmap_atomic(KM_USER0) rather than kmap(). |
1806 |
|
|
1807 |
|
@ Relocate definitions and functions. |
1808 |
|
|
1809 |
|
To reduce exposed symbols, I relocated some definitions and functions. |
1810 |
|
|
1811 |
|
Fix 2009/01/28 |
1812 |
|
|
1813 |
|
@ Fix "allow_read" + "allow_write" != "allow_read/write" problem. |
1814 |
|
|
1815 |
|
Since 1.6.0 , due to a bug in ccs_update_single_path_acl(), |
1816 |
|
appending "allow_read/write" entry didn't update internal "allow_read" |
1817 |
|
and "allow_write" entries. As a result, attempt to open(O_RDWR) succeeds |
1818 |
|
but open(O_RDONLY) and open(O_WRONLY) fail. |
1819 |
|
|
1820 |
|
Workaround is to write an entry twice when newly appending that entry. |
1821 |
|
If written twice, internal "allow_read" and "allow_write" entries |
1822 |
|
are updated. |
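Review bot: The new "Add /proc/ccs/.execute_handler" entry (lines 1719-1728) says the interface "allows execute handler processes to see process information" and that its content "is identical to /proc/ccs/.process_status", but it never says who may read the new file: state whether reading is restricted to processes running as an execute handler (the "task.type=execute_handler" condition introduced at line 1734 looks like the natural way to express that restriction in policy) or whether any non-root process can open it, since the stated motivation is precisely that these handlers run as non-root. Also fix "non root user" (line 1724) to "non-root user", "it's permission" (line 1759) to "its permission", and "very very powerful" (line 1736) to "very powerful".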