Diff of /trunk/1.6.x/ccs-patch/README.ccs

TOMOYO

 Subversion リポジトリの参照



/[tomoyo]/trunk/1.6.x/ccs-patch/README.ccs




Diff of /trunk/1.6.x/ccs-patch/README.ccs



 Parent Directory

|  Revision Log



|  Patch













trunk/1.5.x/ccs-patch/README.ccs
revision 815 by kumaneko,
Tue Dec 18 07:13:08 2007 UTC



trunk/1.6.x/ccs-patch/README.ccs
revision 899 by kumaneko,
Tue Jan 15 08:04:43 2008 UTC






#

Line 1101 
 Fix 2007/12/18


Line 1101 
 Fix 2007/12/18












1101
       To my surprise, "mount --bind source dest" accepts
       To my surprise, "mount --bind source dest" accepts

















1102
       not only "both source and dest are directory"
       not only "both source and dest are directory"

















1103
       but also "both source and dest are non-directory".
       but also "both source and dest are non-directory".















1104


       I was rejecting if dest is not a derectory in AddMountACL().


       I was rejecting if dest is not a directory in AddMountACL().















1105
 
 

















1106
     @ Change log format.
     @ Change log format.

















1107
 
 

















1108
       Profile number and mode is added in audit logs.
       Profile number and mode is added in audit logs.












1109
 
 







1110
 
 Fix 2008/01/03







1111
 
 







1112
 
     @ Change directive for file's read/write/execute permission.







1113
 
 







1114
 
       Directives for file's read/write/execute permissions were







1115
 
       4/2/1 respectively. But for easier understanding, they are now







1116
 
       replaced by read/write/execute (e.g. "allow_read" instead of "4").







1117
 
       But for easier inputting, 4/2/1 are still accepted instead of







1118
 
       allow_read/allow_write/allow_execute respectively.







1119
 
 







1120
 
     @ Change internal data structure.







1121
 
 







1122
 
       Since I don't have more than 16 types of file permissions,







1123
 
       I combined them using bit-fields.







1124
 
 







1125
 
       Each entry had a field for conditional permission support.







1126
 
       But since this field is unlikely used, I separated the field from







1127
 
       common part.







1128
 
 







1129
 
       These changes will reduce memory used by policy.







1130
 
 







1131
 
 Fix 2008/01/15







1132
 
 







1133
 
     @ Add ptrace() hook.







1134
 
 







1135
 
       To prevent attackers from controlling important processes using







1136
 
       ptrace(), I added a hook for ptrace().







1137
 
       Most programs (except strace(1) and gdb(1)) won't use ptrace(2).







1138
 
 







1139
 
     @ Fix sleep condition check in CheckSocketRecvDatagramPermission().







1140
 
 







1141
 
       It seems that correct method to use is in_atomic()







1142
 
       rather than in_interrupt() because in_atomic() returns nonzero







1143
 
       whenever scheduling is not allowed.
























Legend:



Removed from v.815
 


changed lines


 
Added in v.899













Back to OSDN">Back to OSDN
ViewVC Help


Powered by ViewVC 1.1.26
 /[tomoyo]/trunk/1.6.x/ccs-patch/README.ccs
-trunk/1.5.x/ccs-patch/README.ccs
revision 815 by kumaneko,
Tue Dec 18 07:13:08 2007 UTC
+trunk/1.6.x/ccs-patch/README.ccs
revision 899 by kumaneko,
Tue Jan 15 08:04:43 2008 UTC
 Line 1101 
 Fix 2007/12/18
        To my surprise, "mount --bind source dest" accepts
        not only "both source and dest are directory"
        but also "both source and dest are non-directory".
-       I was rejecting if dest is not a derectory in AddMountACL().
+       I was rejecting if dest is not a directory in AddMountACL().
      @ Change log format.
        Profile number and mode is added in audit logs.
+ Fix 2008/01/03
+     @ Change directive for file's read/write/execute permission.
+       Directives for file's read/write/execute permissions were
+/2/1 respectively. But for easier understanding, they are now
+       replaced by read/write/execute (e.g. "allow_read" instead of "4").
+       But for easier inputting, 4/2/1 are still accepted instead of
+       allow_read/allow_write/allow_execute respectively.
+     @ Change internal data structure.
+       Since I don't have more than 16 types of file permissions,
+       I combined them using bit-fields.
+       Each entry had a field for conditional permission support.
+       But since this field is unlikely used, I separated the field from
+       common part.
+       These changes will reduce memory used by policy.
+ Fix 2008/01/15
+     @ Add ptrace() hook.
+       To prevent attackers from controlling important processes using
+       ptrace(), I added a hook for ptrace().
+       Most programs (except strace(1) and gdb(1)) won't use ptrace(2).
+     @ Fix sleep condition check in CheckSocketRecvDatagramPermission().
+       It seems that correct method to use is in_atomic()
+       rather than in_interrupt() because in_atomic() returns nonzero
+       whenever scheduling is not allowed.
 Legend:



Removed from v.815
 


changed lines


 
Added in v.899
 Legend:



Removed from v.815
 


changed lines


 
Added in v.899
-Removed from v.815
+Added in v.899
-Back to OSDN">Back to OSDN
+ViewVC Help
 Powered by ViewVC 1.1.26

オープンソース・ソフトウェアの開発とダウンロード

TOMOYO

Subversion リポジトリの参照