Contents of /trunk/1.8.x/ccs-patch/README.ccs



Revision 3262
Thu Dec 17 04:32:40 2009 UTC by kumaneko
Original Path: trunk/1.7.x/ccs-patch/README.ccs
File size: 84989 byte(s)
Notes for TOMOYO Linux project

This is a handy Mandatory Access Control patch for Linux kernels.
This patch is released under the GPLv2.

Project URL: http://tomoyo.sourceforge.jp/

The authors of this patch (hereafter, we) don't have much experience
in kernel programming. We are worried that this patch might contain
some mistakes such as missing hooks, improper locations of hooks, or
potential deadlocks. There might be a better way of implementation.
All kinds of comments, pointing out of errors and suggestions are welcome.

We do hope this patch reduces the labor of server security management
and that you enjoy life with Linux.

This project was very much inspired by the comic "Card Captor SAKURA",
one of CLAMP's masterworks.

ChangeLog:

Version 1.0 2005/11/11 First release.

Fix 2005/11/18

@ Add missing setattr() hook in SYAORAN fs.

setattr() checking for special inodes was missing.

Fix 2005/11/25

@ Allow initrd.img to include /sbin/init .

Since version 1.0 loads policy when /sbin/init is called
for the first time, an initrd.img without the policy directory
mustn't start /sbin/init . This forced users not to use
an initrd.img that includes /sbin/init .
I modified it to delay loading policy if the policy directory
doesn't exist and to wait for /sbin/init to be called again.

Fix 2005/12/02

@ Use lookup_one_len() instead of lookup_hash().

Kernel 2.6.15 changed the parameters of lookup_hash().
I modified it to use lookup_one_len() to keep compatibility.

Fix 2005/12/06

@ Add S_ISDIR() check in SYAORAN fs.

A malicious configuration file that attempts to create an inode
under a non-directory inode caused a segmentation fault.

Version 1.0.1 2005/12/08 Minor update release.

Fix 2006/01/04

@ Add CheckWritePermission() check in unix_bind().

I modified it to check write permission in unix_bind(), since
sys_mknod(S_IFSOCK) checks write permission.

@ Show hook version in proc_misc_init().

The hook part of this patch depends on the kernel's version,
while the rest of this patch doesn't.
I added the hook version so that the administrator can
know the last modified date of the hooks.

@ Move permission checks from filp_open() to open_namei().

I moved the location of checking MAC's permission
from filp_open() to open_namei().

@ Fix an error in filp_open(). (only 2.6.15-rc5)

This error was only in the patch for 2.6.15-rc5 and
was fixed in the patch for 2.6.15.

Fix 2006/01/12

@ Add /proc/ccs/info/self_domain.

I added /proc/ccs/info/self_domain so that userland programs
can know the name of the domain they belong to if necessary.

Fix 2006/01/13

@ Merge constants for CheckTaskCapability().

I merged *_INHERITABLE_* and *_LOCAL_* to avoid always
calling CheckTaskCapability() with both constants.

@ DropTaskCapability() returns -EAGAIN on success.

DropTaskCapability() must not return 0 on success, because
DropTaskCapability() is called from do_execve().

@ Fix an error in the chroot() permission check.

The chroot() restriction was not working due to the following mistake:
CheckChRootPermission() || CheckTaskCapability() returns 0 or 1, while
CheckChRootPermission() | CheckTaskCapability() returns 0 or -EPERM.

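The mistake in the chroot() check above is easy to reproduce outside the kernel. The following is an added example, not code from README.ccs or the TOMOYO patch: the two checks are constructed stand-ins that return 0 or -EPERM, and the caller convention (a negative return means denial) is an assumption of the example, not something this page states.

```c
#include <errno.h>
#include <stdbool.h>

/*
 * Constructed stand-ins for the two checks named in the fix above.
 * Each returns 0 when the access is allowed and -EPERM when it is denied,
 * the convention the surrounding text describes. The "allows" flags are
 * constructed inputs for the example, not real policy lookups.
 */
static int check_chroot_permission(bool acl_allows)
{
	return acl_allows ? 0 : -EPERM;
}

static int check_task_capability(bool cap_allows)
{
	return cap_allows ? 0 : -EPERM;
}

/* The mistaken form: logical OR yields 0 or 1, so -EPERM is reported as 1. */
int chroot_check_buggy(bool acl_allows, bool cap_allows)
{
	return check_chroot_permission(acl_allows) ||
	       check_task_capability(cap_allows);
}

/* The corrected form: bitwise OR of 0 and -EPERM yields 0 or -EPERM. */
int chroot_check_fixed(bool acl_allows, bool cap_allows)
{
	return check_chroot_permission(acl_allows) |
	       check_task_capability(cap_allows);
}

/*
 * Assumed caller convention: a negative return is a denial. With the
 * buggy form a denial arrives as +1, which this test does not recognise,
 * so the restriction silently stops working.
 */
bool chroot_denied(int ret)
{
	return ret < 0;
}
```

The bitwise form works here only because both functions return either 0 or the same negative errno; mixing different errno values with `|` would produce a garbage code, which is why later kernel code prefers an explicit `if (err) return err;` sequence.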
Fix 2006/01/17

@ Suppress some of the debug messages in TOMOYO.

I added KERN_DEBUG to suppress some of the debug messages.

Fix 2006/01/19

@ Remove isRoot() checks in AddChrootACL() and AddMountACL().

I found a program that needs to chroot as non-root.
So, I stopped checking uid=euid=0 in these functions so that
"accept mode" can append ACLs.
isRoot() is checked in AddChrootPolicy() and AddMountPolicy().

@ Map NULL device name to "<NULL>" in AddMountACL().

VMware mounts vmware-hgfs with a NULL device name.
So I mapped the NULL device name to "<NULL>".

Fix 2006/01/20

@ Suppress some of the debug messages in SAKURA.

I added KERN_DEBUG to suppress some of the debug messages.

@ Call panic() if the given profile failed to load.

Call panic() if a profile index was given via the CCS= parameter
but the profile doesn't exist.
If the CCS= parameter is not given, the kernel attempts to load
profile 0, but it doesn't call panic() if profile 0 doesn't exist.

Fix 2006/01/24

@ Use full_name_hash() for IsGloballyReadableFile().

I modified it to use full_name_hash() for a faster scan.

@ Add signal checking condition in CheckSignalACL().

The documentation says "if the target domain's domainname
starts with the source domain's domainname, it is always granted"
but actually it isn't. I'll change the documentation instead of
changing the source code.

Also, the check for pid = -1 was missing. This error was fixed.

Fix 2006/02/09

@ Use mutex_lock()/mutex_unlock() instead of down()/up().

Kernel 2.6.16 changed the members of "struct inode".
I modified it to use mutex_lock()/mutex_unlock() for 2.6.16 and later
and down()/up() for before 2.6.16.

Version 1.0.2 2006/02/14 Many bug-fixes release.

Fix 2006/02/21

@ Divide generic-write permission into individual write permissions.

Write permission was divided into the following permissions.

'mkdir' for creating a directory.
'rmdir' for deleting a directory.
'create' for creating a regular file.
'unlink' for deleting a non-directory.
'mksock' for creating a UNIX domain socket.
'mkfifo' for creating a FIFO.
'mkchar' for creating a character device.
'mkblock' for creating a block device.
'link' for creating a hard link.
'symlink' for creating a symbolic link.
'rename' for renaming a directory or non-directory.
'truncate' for truncating a regular file.

The permission check for opening files is done using the
conventional read/write/execute permissions.

@ Add /proc/ccs/info/mapping.

I added /proc/ccs/info/mapping so that userland programs
can know the mapping of individual write permissions.

Fix 2006/02/27

@ Fix handling of trailing '\*' in PathMatchesToPattern().

PathMatchesToPattern("/tmp/", "/tmp/\*") returned true
because "\*" matches "zero or more repetitions of characters
until '/' or end". But since this is a comparison between a
directory and a non-directory, it should not match.

This behavior causes the following security risks.
In enforce mode, allowing "2 /tmp/\*" grants
"mkdir /tmp/" and "rmdir /tmp/", which should be
granted only when "2 /tmp/" is allowed.
In accept mode, "mkdir /tmp/" or "rmdir /tmp/" appends
"2 /tmp/\*" to the domain policy if "file_pattern /tmp/\*"
is in the exception policy.

I changed it not to ignore a trailing '\*' in the pattern
if the pathname ends with '/'.

Fix 2006/03/01

@ Add missing spinlock in GetAbsolutePath().

vfsmount_lock was missing.

Fix 2006/03/08

@ Add support for "shared subtree" mount operations.

Kernel 2.6.15 introduced the "shared subtree" functionality.
But CheckMountPermission() couldn't recognize the flags for
do_change_type().

@ Add support for more mount flags.

The atime/noatime, diratime/nodiratime and recurse/norecurse flags
are supported.

Fix 2006/03/20

@ Check port numbers only for AF_INET/AF_INET6.

CheckBindEntry() and CheckConnectEntry() should check port numbers
only when the given address family is either AF_INET or AF_INET6,
because an address family such as AF_UNSPEC could be passed to bind()
and connect() for PF_INET/PF_INET6 sockets.

Fix 2006/03/27

@ Use /proc/self/ rather than /proc/\$/ for the current process.

GetAbsolutePath() now uses "self" instead of the pid
if the current process refers to information related to itself.
This exception violates the rule "TOMOYO Linux's pathnames don't
contain symbolic links before the last '/'", but I think it is worth
doing so. The following are the merits gained by this exception.

Prevents administrators from granting redundant permissions
when a process needs to refer only to the current process's information.

Allows administrators to make the current process's information always
readable using the 'allow_read' directive.

Version 1.1 2006/04/01 Functionality enhancement release.

Fix 2006/04/03

@ Use a queue instead of a fixed-size array for the audit log.

WriteAuditLog() now uses a queue to save statically allocated memory.
Administrators can give any size for audit logs at runtime.

@ Use kzalloc() instead of kmalloc() + memset().

kmalloc() + memset() were replaced with kzalloc().

Fix 2006/04/04

@ Support "delayed enforcing" mode.

Until now, an access request was immediately rejected
if the policy didn't allow that access and the system was
running in enforce mode.
Sometimes, especially after updating software,
some unexpected access requests arise from proper procedures.
Such access requests should be granted because
they are not caused by malicious attacks.
So I introduced a mechanism to allow the administrator some grace
to decide whether to grant or reject such access requests.
This mechanism is implemented in the following manner.
"Don't return immediately if permission is denied."
"Sleep for a while waiting for the administrator's decision."
"Return successfully if the administrator tells it to do so."

Fix 2006/04/12

@ Fix handling of prefix in GetAbsolutePath().

Some objects don't have the prefix "/".
A pipe has the prefix "pipe:" and a socket has the prefix "socket:".
GetAbsolutePath() couldn't handle prefixes other than '/' properly.

@ Remove IsCorrectPath() checks for File Access Control functions.

File Access Control functions accepted only pathnames that start
with '/' because these functions assumed that pathnames returned by
GetAbsolutePath() always start with '/'.
However, I found a program that opens an unnamed pipe via
(probably) the /proc/PID/fd/ directory. (You can see entries like
"pipe:[number]" if you run "ls -l /proc/*/fd/".)
Now, File Access Control functions have to accept pathnames
that don't start with '/'. So, I stopped checking IsCorrectPath().

Fix 2006/04/19

@ Fix handling of NULL nameidata in vfs_open().

In 2.6 kernels, the NFS daemon and sys_mq_open() call
vfs_create() with a NULL nameidata. In such cases,
CheckSingleWritePermission() must not be called.

Version 1.1.1 2006/05/15 Functionality enhancement release.

Fix 2006/05/16

@ Support program file aggregation.

Until now, programs that have no fixed names and their
parent programs had to be run in a trusted domain
since it is impossible to use patterns for granting
execute permission and defining domains.
I introduced a mechanism to aggregate similar programs
using the 'aggregator' directive.
Some examples:

'aggregator /tmp/logrotate.\?\?\?\?\?\? /tmp/logrotate.tmp'
to run all temporary programs for logrotate as /tmp/logrotate.tmp

'aggregator /usr/bin/tac /bin/cat'
to run /usr/bin/tac and /bin/cat as /bin/cat

Fix 2006/05/18

@ Unlimit max count for audit log.

I forgot to replace MAX_GRANT_LOG and MAX_REJECT_LOG with INT_MAX
so that administrators can give any size for audit logs at runtime.

Fix 2006/05/22

@ Support individual domain ACL removal.

Until now, to remove ACLs from a domain, the administrator had to
delete and recreate that domain, which wastes a lot of memory.
I introduced a mechanism to remove domain ACLs without deleting and
recreating domains.
The administrator can delete domains or remove ACLs from domains
via /proc/ccs/policy/domain_policy .
/proc/ccs/policy/delete_domain and /proc/ccs/policy/update_domain
were removed.

Fix 2006/05/30

@ Add missing spinlock in SAKURA_MayMount().

vfsmount_lock was missing.

Version 1.1.2 2006/06/02 Functionality enhancement release.

Fix 2006/06/13

@ Merge tomoyo_connect.c and tomoyo_bind.c into tomoyo_port.c

I merged these files, whose only difference is CONNECT versus BIND,
since they are likely to be enabled both or neither.

@ Add CONFIG_TOMOYO_AUDIT option.

I made the auditing functions optional because some Linux boxes
may not have enough disk space to store audit logs.

Fix 2006/06/15

@ Support use of symbolic links for program execution.

Until now, domains for programs executed by dereferencing
symbolic links were defined using the dereferenced pathnames.
This was inconvenient for some Linux boxes that use busybox but
can't keep hard links to busybox.
I introduced a mechanism to allow using the pathnames of
symbolic links using the 'alias' directive.
Some examples:

'alias /sbin/busybox /bin/ls' to run /bin/ls
(which is a symbolic link to /sbin/busybox) as /bin/ls
if /bin/ls is executed.

'alias /bin/bash /bin/sh' to run /bin/sh
(which is a symbolic link to /bin/bash) as /bin/sh
if /bin/sh is executed.

Fix 2006/06/21

@ Use ccs_alloc() instead of kzalloc().

To detect memory leaks,
I added a wrapper for tracing kmalloc() and kfree().
There is no way to detect memory leaks caused by ccs-*.txt .

Version 1.1.3 2006/07/13 Functionality enhancement release.

Fix 2006/07/14

@ Change behavior of pathname pattern matching.

Until now, it was impossible to use patterns like "\*.txt" because
"\*" matched zero or more repetitions of characters until the next '/'.
Now, "\*" matches zero or more repetitions of characters.

Until now, it was impossible to use patterns like "\$00"
because "\$" matched one or more repetitions of digits until the next
non-digit character.
Now, "\$" matches one or more repetitions of digits.

Also, new patterns "\x" "\X" "\a" "\A" "\@" are added.

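The two pattern-matching entries (the 2006/02/27 directory fix and the 2006/07/14 change to "\*" and "\$") describe semantics that are easiest to understand by running them. The following matcher is an added example written for this page; it is not PathMatchesToPattern() from the patch. It models both the old greedy behaviour (STAR_UNTIL_SLASH, where "\*" and "\$" swallow as much as they can with no retry) and the new behaviour (STAR_BACKTRACK, where every split is tried), plus the directory-versus-non-directory rule. Two assumptions are built in: "\*" and "\?" never match '/' in either mode (the README's new wording drops "until next '/'", but the path_group examples later on this page need one "\*" per directory level, so this reading was kept), and only "\*", "\$" and "\?" are implemented; "\x", "\X", "\a", "\A" and "\@" are not.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Which "\*" and "\$" semantics to use: before or after the 2006/07/14 change. */
enum star_mode { STAR_UNTIL_SLASH, STAR_BACKTRACK };

/* TOMOYO treats a name ending in '/' as a directory. */
static bool is_dir_name(const char *s)
{
	size_t n = strlen(s);
	return n > 0 && s[n - 1] == '/';
}

/* Core matcher: does filename f match pattern p? Recursive so that the
 * backtracking mode can retry every split point for "\*" and "\$". */
static bool match_from(const char *f, const char *p, enum star_mode mode)
{
	while (*p) {
		if (p[0] == '\\' && p[1]) {
			char c = p[1];
			p += 2;
			if (c == '*') {
				/* zero or more characters other than '/' (assumption, see lead-in) */
				if (mode == STAR_UNTIL_SLASH) {
					/* old behaviour: swallow up to the next '/' with no retry */
					while (*f && *f != '/')
						f++;
					continue;
				}
				for (;; f++) {
					if (match_from(f, p, mode))
						return true;
					if (!*f || *f == '/')
						return false;
				}
			}
			if (c == '$') {
				/* one or more digits */
				if (!isdigit((unsigned char)*f))
					return false;
				if (mode == STAR_UNTIL_SLASH) {
					/* old behaviour: swallow every digit with no retry */
					while (isdigit((unsigned char)*f))
						f++;
					continue;
				}
				for (f++;; f++) {
					if (match_from(f, p, mode))
						return true;
					if (!isdigit((unsigned char)*f))
						return false;
				}
			}
			if (c == '?') {
				/* exactly one character other than '/' */
				if (!*f || *f == '/')
					return false;
				f++;
				continue;
			}
			/* any other escaped character stands for itself */
			if (*f != c)
				return false;
			f++;
			continue;
		}
		if (*f != *p)
			return false;
		f++;
		p++;
	}
	return *f == '\0';
}

/*
 * Entry point. The directory test is the 2006/02/27 fix: a pathname that
 * ends with '/' names a directory and must never match a pattern that does
 * not (and vice versa), so "/tmp/" no longer matches "/tmp/\*".
 */
bool path_matches_pattern(const char *path, const char *pattern,
			  enum star_mode mode)
{
	if (is_dir_name(path) != is_dir_name(pattern))
		return false;
	return match_from(path, pattern, mode);
}
```

In C source the TOMOYO escape is written with a doubled backslash, so the policy pattern "/tmp/\*.txt" is the string literal "/tmp/\\*.txt". With STAR_UNTIL_SLASH that pattern never matches "/tmp/a.txt", exactly the limitation the 2006/07/14 entry removed.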
Fix 2006/07/21

@ Add CONFIG_TOMOYO_NETWORK option.

Until now, only port numbers for TCP and UDP were controllable.
Now, the combination of IPv4/IPv6 address and port number
for TCP and UDP is controllable.
CONFIG_TOMOYO_NETWORKPORT became obsolete.

Fix 2006/07/25

@ Change matching rule for CheckFileACL().

Until now, only the first entry that matched the requested pathname
was used for permission checking. For example, if the two entries

"2 /tmp/file-\$.txt"
"4 /tmp/fil\?-0.txt"

are given in this order and the requested pathname is "/tmp/file-0.txt",
"2 /tmp/file-\$.txt" is used. But if the two entries

"4 /tmp/fil\?-0.txt"
"2 /tmp/file-\$.txt"

are given in this order, "4 /tmp/fil\?-0.txt" is used.
This may potentially cause trouble because the result of
permission checks depends on the order of entries.

Now, all entries that match the requested pathname
are used for permission checking so that the result of
permission checks doesn't depend on the order of entries.

Fix 2006/07/27

@ Support RAW IPv4/IPv6 control.

Some programs such as 'ping' and 'traceroute' use raw IP sockets.
Now, the combination of IPv4/IPv6 address and protocol number
for IP is controllable.

Fix 2006/08/04

@ Add filename and argv[0] comparison check.

The domain transition was done based on the filename passed to do_execve(),
while the behavior was defined based on argv[0].
There is no problem if the program is an argv[0]-unaware application.
But if it is argv[0]-aware, access control bypassing happens if the process
transits to a trusted domain but behaves as a different program.
For example, when the administrator specifies the domain for /bin/ls as
trusted but both /bin/ls and /bin/cat are links to /sbin/busybox ,
a cracker can run /bin/cat in a trusted domain if the cracker
succeeds in invoking do_execve() with filename = "/bin/ls" and
argv[0] = "/bin/cat".

I introduced a directive that permits the mismatch of
the basename of the filename and argv[0].

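The check the 2006/08/04 entry introduces compares basenames rather than full paths, which is what lets a caller pass argv[0] = "ls" for /bin/ls while still catching the busybox case above. The following is an added example of that check, not code from the patch; the directive that permits a mismatch is modelled as a plain boolean argument, which is an assumption of this example.

```c
#include <stdbool.h>
#include <string.h>

/* Last pathname component: the text after the final '/', or the whole string. */
static const char *basename_of(const char *path)
{
	const char *slash = strrchr(path, '/');
	return slash ? slash + 1 : path;
}

/*
 * The consistency check described above: the file passed to do_execve()
 * (which decides the domain transition) and argv[0] (which decides how a
 * multi-call binary such as busybox behaves) must agree on their basename.
 */
bool argv0_matches_filename(const char *filename, const char *argv0)
{
	return strcmp(basename_of(filename), basename_of(argv0)) == 0;
}

/*
 * Decision helper: the execve request is accepted when the names agree, or
 * when the domain's policy explicitly permits the mismatch (the README's
 * directive, modelled here as a flag; assumption of this example).
 */
bool execve_accepted(const char *filename, const char *argv0,
		     bool mismatch_permitted)
{
	return mismatch_permitted || argv0_matches_filename(filename, argv0);
}
```

With mismatch_permitted false, the pair filename "/bin/ls" / argv[0] "/bin/cat" from the busybox scenario is rejected, while "/bin/ls" / "ls" and "/bin/ls" / "./ls" are accepted.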
Fix 2006/08/10

@ Support ID based condition checks.

It was impossible to use process ids (uid and gid and so on) for
checking individual domain ACLs.

Now it became possible to use process ids for checking individual
domain ACLs. For example,

"1 /bin/sh if task.euid!=0"

allows the domain to execute /bin/sh only when the process's euid
is not 0, and

"6 /home/\*/\* if task.uid=path1.uid"

allows the domain to read-write the user's home directory
only when the file's owner matches the process's uid.

Fix 2006/08/22

@ Fix ROUNDUP() in fs/realpath.c .

Alignment using sizeof(int) may be inappropriate for a 64bit environment.
I changed it to use the larger of the sizes of 'void *' and 'long'
instead of 'int'.
For environments where sizeof(int) = sizeof(long) = sizeof(void *),
this change has no effect.

Version 1.2 2006/09/03 Functionality enhancement release.

Fix 2006/09/30

@ Fix CheckFilePerm() in fs/tomoyo_file.c .

The location of the call to path_release() was too early.

Fix 2006/10/02

@ Support per-domain profile.

It became possible to assign different profiles to different domains.
This will help administrators using the building-up approach.

Fix 2006/10/05

@ Change parameters for CheckFilePerm().

I was re-resolving pathnames inside CheckFilePerm() even though
the caller function had already resolved them.
So I changed it to pass dentry and vfsmount instead of the pathname,
and removed the changes made on 2006/09/30.

Fix 2006/10/06

@ Support deny_rewrite and allow_rewrite permission.

It became possible to make regular files append-only
using the "deny_rewrite" directive in the exception policy and
to override it using the "allow_rewrite" directive in the domain policy.

Regular files specified using the "deny_rewrite" directive
can't be open()ed with O_TRUNC or without O_APPEND,
can't be truncate()ed or ftruncate()ed, and
can't have the O_APPEND flag turned off using fcntl(F_SETFL)
unless specified using the "allow_rewrite" directive.

Fix 2006/10/12

@ Enable configuration options by default for kernel config.

CONFIG_SAKURA and CONFIG_TOMOYO are now 'y' by default
and CONFIG_SYAORAN is now 'm' by default.

Fix 2006/10/13

@ Use external policy loader.

Until now, policies were loaded when /sbin/init started and
initial control levels were switched using the CCS= parameter.
But since some boxes have to fix kernel command line options
at compilation time, I think it will become more flexible
to run an external policy loader using the init= parameter so that
initial control levels can be specified before /sbin/init starts.

Call panic() if initial control levels are not specified.

Fix 2006/10/16

@ Add missing parameter in FindNextDomain().

'struct file' was needed for allowing 'if path1.*' checks.

Fix 2006/10/23

@ Print error messages in CheckFlags().

Some users seem to have trouble picking up all necessary
entries for the configuration file of the SYAORAN filesystem
since makesyaoranconf can't pick up entries that are
nonexistent at the time.
I added an error message so that users can find missing entries
using dmesg.

Fix 2006/10/24

@ Change /proc/ccs/info/self_domain .

I changed /proc/ccs/info/self_domain to return
the domain at open time rather than at first read time.
This modification makes the shell's redirection usage
more convenient since redirection opens the file
but doesn't read it at the time.

'cat < /proc/ccs/info/self_domain' will return
the domain of the shell, and
'cat /proc/ccs/info/self_domain' will return
the domain of cat .

Fix 2006/11/06

@ Replace MAX_ENFORCE_GRACE with ALLOW_ENFORCE_GRACE.

Since it was inconvenient that requests that are waiting for
the supervisor's decision are rejected automatically when
MAX_ENFORCE_GRACE seconds have elapsed, I modified WriteAnswer() to
reset the timeout counter whenever a supervisor's decision is written,
and I modified ccs-queryd to write a dummy decision every second
so that the requests won't be rejected automatically as long as
ccs-queryd is running.
This change made MAX_ENFORCE_GRACE's meaning boolean.
So I fixed MAX_ENFORCE_GRACE at 10 seconds and removed the
MAX_ENFORCE_GRACE parameter.
To allow administrators to selectively enable "delayed enforcing"
mode, I added the ALLOW_ENFORCE_GRACE parameter.
The behavior of "delayed enforcing" mode is defined
in the following order.

(1) The requests are rejected immediately if ALLOW_ENFORCE_GRACE=0.
(2) The requests are rejected immediately
if nobody is opening the /proc/ccs/policy/query interface.
(3) The requests won't be rejected automatically
if ALLOW_ENFORCE_GRACE=1 and ccs-queryd is running.
(4) The requests will be rejected in 10 seconds
if somebody other than ccs-queryd (such as less(1)) is
opening the /proc/ccs/policy/query interface, because
such a process doesn't write dummy decisions.

Version 1.3 2006/11/11 First anniversary release.

Fix 2006/11/13

@ Replace trust_domain with keep_domain.

Since it was troublesome that there were two elements that could disable MAC
(assigning a profile that doesn't enable MAC or registering domains
with the trust_domain directive), I removed the trust_domain directive.
Instead, I introduced the keep_domain directive to not transit domains
unless a program registered with the initializer directive is executed.
This change has the following advantages.

(1) Allows the administrator to use "enforce mode" for operations after login.
Since it was difficult to know beforehand what commands and files are invoked
and accessed in what sequences, we had to use the trust_domain
directive for such a domain, allowing users to invoke any commands and
access any files in any sequence.
But now, we can use the keep_domain directive and assign a profile for
"enforce mode" to such a domain, forcing users to invoke only allowed
commands and access only allowed files in any sequence
while these operations are kept under the control of "enforce mode".

(2) Allows the administrator to determine easily whether the domain is
under MAC or not because only the profile currently assigned to
the domain determines it.

(3) Saves the total number of domains and memory.

Fix 2006/11/22

@ Don't allow use of undefined profile.

To avoid assigning an undefined profile to domains by error,
I added checks before assigning profiles to domains.
Now, profiles have to be defined prior to assigning them to domains.

Version 1.3.1 2006/12/08 Minor update release.

Fix 2006/12/10

@ Allow pathname grouping.

To reduce the labor of repeating '/\*' to allow access recursively,
I introduced a macro 'path_group' to group such pathnames.
For example, you had to give something like

4 /var/www/html/\*
4 /var/www/html/\*/\*
4 /var/www/html/\*/\*/\*
4 /var/www/html/\*/\*/\*/\*

but now, you can give just

4 @WEB-CONTENTS

if you give

path_group WEB-CONTENTS /var/www/html/\*
path_group WEB-CONTENTS /var/www/html/\*/\*
path_group WEB-CONTENTS /var/www/html/\*/\*/\*
path_group WEB-CONTENTS /var/www/html/\*/\*/\*/\*

in the exception policy.
This macro will be useful when grouping different directories.

Fix 2006/12/15

@ Use structured pathnames instead of simple 'char *'.

To reduce the cost of strcmp(), I changed the return value of
SaveName() from 'const char *' to 'const struct path_info *'.
This change will speed up the PathMatchesToPattern() comparison.

Fix 2006/12/19

@ Allow registering policy managers using domainnames.

It was difficult to restrict the programs that can update policies
via the /proc/ccs/ interfaces using the pathnames of these programs, because
these programs could be unintentionally invoked.
Now, it became possible to restrict the domains that can update policies
via the /proc/ccs/ interfaces as well as the programs.
By restricting using domainnames, it becomes easier to avoid
unintended invocation.

Fix 2006/12/22

@ Add initialize_domain,no_initialize_domain,no_keep_domain

To control domain transitions more strictly, the
initialize_domain, no_initialize_domain and no_keep_domain directives
were introduced.

"initialize_domain /some/program" means
jump to the "<kernel> /some/program" domain if /some/program is
called from any domain.
This is equivalent to the conventional "initializer /some/program".

"initialize_domain /some/program from some_domain" means
jump to the "<kernel> /some/program" domain only if /some/program is
called from the "some_domain" domain.

"no_initialize_domain /some/program" means
don't jump to the "<kernel> /some/program" domain even if
"initialize_domain /some/program" or
"initialize_domain /some/program from some_domain" is given,
if /some/program is called from any domain.

"no_initialize_domain /some/program from some_domain" means
don't jump to the "<kernel> /some/program" domain even if
"initialize_domain /some/program" or
"initialize_domain /some/program from some_domain" is given,
if /some/program is called from the "some_domain" domain.

"keep_domain some_domain" means don't jump to a child domain
if any program is called from the "some_domain" domain.

"keep_domain /some/program from some_domain" means
don't jump to a child domain only if /some/program is
called from the "some_domain" domain.

"no_keep_domain some_domain" means
jump to a child domain even if
"keep_domain /some/program" or
"keep_domain /some/program from some_domain" is given,
if any program is called from the "some_domain" domain.

"no_keep_domain /some/program from some_domain" means
jump to a child domain even if
"keep_domain /some/program" or
"keep_domain /some/program from some_domain" is given,
if /some/program is called from the "some_domain" domain.

"some_domain" can be just the last component of the domainname.
For example, giving "/bin/mail" as "some_domain" matches
all domains whose domainname ends with "/bin/mail".

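The eight directive forms above combine into one transition rule: initialize_domain wins unless a matching no_initialize_domain cancels it, otherwise keep_domain holds unless a matching no_keep_domain cancels it, otherwise the process moves to the child domain. The following is an added example that implements that rule over a constructed sample policy; it is not FindNextDomain() or any other code from the patch. Assumptions: the ordering "initialize before keep" is taken from the 2006/11/13 entry (keep_domain holds "unless a program registered with the initializer directive is executed"), "some_domain" is matched either as the full domainname or as its last space-separated component, and the sample rules and domainnames are invented for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum rule_kind {
	INITIALIZE_DOMAIN,
	NO_INITIALIZE_DOMAIN,
	KEEP_DOMAIN,
	NO_KEEP_DOMAIN,
};

struct rule {
	enum rule_kind kind;
	const char *program; /* NULL: any program (the "keep_domain some_domain" forms) */
	const char *from;    /* NULL: called from any domain */
};

/*
 * Constructed sample exception policy (not from the original document).
 * Domainnames are space-separated program chains rooted at "<kernel>".
 */
static const struct rule sample_policy[] = {
	{ INITIALIZE_DOMAIN,    "/usr/sbin/sshd",  NULL },
	{ NO_INITIALIZE_DOMAIN, "/usr/sbin/sshd",  "<kernel> /sbin/init /etc/rc.d/rc" },
	{ INITIALIZE_DOMAIN,    "/bin/mail",       "/usr/sbin/httpd" },
	{ KEEP_DOMAIN,          NULL,              "/bin/bash" },
	{ NO_KEEP_DOMAIN,       "/usr/bin/passwd", "/bin/bash" },
};
#define SAMPLE_RULES (sizeof(sample_policy) / sizeof(sample_policy[0]))

/* "some_domain" may be the full domainname or only its last component. */
static bool domain_matches(const char *domain, const char *some_domain)
{
	const char *last;

	if (!some_domain || !strcmp(domain, some_domain))
		return true;
	last = strrchr(domain, ' ');
	last = last ? last + 1 : domain;
	return !strcmp(last, some_domain);
}

static bool rule_applies(const struct rule *r, const char *domain,
			 const char *program)
{
	if (r->program && strcmp(r->program, program))
		return false;
	return domain_matches(domain, r->from);
}

static bool any_rule(const struct rule *rules, size_t n, enum rule_kind kind,
		     const char *domain, const char *program)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (rules[i].kind == kind && rule_applies(&rules[i], domain, program))
			return true;
	return false;
}

/*
 * Domain a process lands in when `domain` executes `program`:
 *  1. initialize_domain, unless cancelled by no_initialize_domain -> "<kernel> program"
 *  2. keep_domain, unless cancelled by no_keep_domain             -> stays in `domain`
 *  3. otherwise the child domain                                  -> "domain program"
 */
const char *next_domain(const struct rule *rules, size_t n, const char *domain,
			const char *program, char *out, size_t outlen)
{
	if (any_rule(rules, n, INITIALIZE_DOMAIN, domain, program) &&
	    !any_rule(rules, n, NO_INITIALIZE_DOMAIN, domain, program))
		snprintf(out, outlen, "<kernel> %s", program);
	else if (any_rule(rules, n, KEEP_DOMAIN, domain, program) &&
		 !any_rule(rules, n, NO_KEEP_DOMAIN, domain, program))
		snprintf(out, outlen, "%s", domain);
	else
		snprintf(out, outlen, "%s %s", domain, program);
	return out;
}

/* Convenience wrapper over the sample policy; returns a static buffer. */
const char *sample_transition(const char *domain, const char *program)
{
	static char buf[256];

	return next_domain(sample_policy, SAMPLE_RULES, domain, program,
			   buf, sizeof(buf));
}

int main(void)
{
	printf("%s\n", sample_transition("<kernel> /usr/sbin/sshd /bin/bash", "/bin/ls"));
	printf("%s\n", sample_transition("<kernel> /usr/sbin/sshd /bin/bash", "/usr/bin/passwd"));
	return 0;
}
```

With the sample policy, a login shell under sshd stays in its domain for ordinary commands but still transits into a child domain for /usr/bin/passwd, and /usr/sbin/sshd started from the rc scripts is deliberately kept out of the "<kernel> /usr/sbin/sshd" domain by the no_initialize_domain line.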
764     Fix 2007/01/19
765    
766     @ Allow reuse of memory allocated for domain policy.
767    
768 kumaneko 813 Regarding domain policy, unlike other policies, didn't have
769 kumaneko 111 "is_deleted" flag and new memory were allocated
770     if the deleted entries are given again.
771     But to allow administrators switch domain policy periodically,
772     I introduced "is_deleted" flag.
773    
774     Writing "some_domain" to /proc/ccs/policy/domain_policy
775     creates "some_domain" using new memory if it didn't exist.
776    
777     Writing "select some_domain" doesn't create "some_domain"
778     if it didn't exist.
779    
780     Writing "delete some_domain" deletes "some_domain"
781     but does not delete entries in "some_domain".
782    
783     Writing "undelete some_domain" undeletes "some_domain"
784     if it was deleted by "delete some_domain".
785    
786     Fix 2007/01/22
787    
788     @ Allow getting already deleted pathnames.
789    
790     To allow getting pathnames that are already deleted,
791     I removed (IS_ROOT(dentry) || !d_unhashed(dentry)) check.
792    
793     Fix 2007/01/26
794    
795     @ Limit string length to 4000.
796    
797     I was using PAGE_SIZE (4096 in many environments)
798     as the max length of any string data.
799     But for environments that have larger PAGE_SIZE,
800     doing memset(ptr, 0, PAGE_SIZE) everytime is too wasteful.
801    
802     Fix 2007/01/29
803    
804     @ Add garbage collector for domain policy.
805    
806     Writing "some_domain" to /proc/ccs/policy/domain_policy
807     creates "some_domain" using new memory only if
808     some process is staying at that deleted domain.
809     If no process is staying at that deleted domain,
810     "some_domain" is undeleted with all ACLs deleted.
811    
812     Version 1.3.2 2007/02/14 Usability enhancement release.
813    
814     Fix 2007/02/20
815    
816     @ Allow address grouping.
817    
818     To reduce the labor of repeating similar IPv4/IPv6 addresses,
819     I introduced a macro 'address_group' to make group such addresses.
820     For example, you had to give like
821    
822     allow_network TCP accept 10.0.0.0-10.255.255.255 1024-65535
823     allow_network TCP accept 172.16.0.0-172.31.255.255 1024-65535
824     allow_network TCP accept 192.168.0.0-192.168.255.255 1024-65535
825    
826     but now, you can give just
827    
828     allow_network TCP accept @localnet 1024-65535
829    
830     if you give
831    
832     address_group localnet 10.0.0.0-10.255.255.255
833     address_group localnet 172.16.0.0-172.31.255.255
834     address_group localnet 192.168.0.0-192.168.255.255
835    
836     in the exception policy.
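
      As an added illustration of the address_group semantics described above
      (example code written for this note, not code from the ccs-patch), the
      following C program parses the three "address_group localnet ..." lines
      into IPv4 ranges and answers whether a peer address is covered by
      @localnet. The policy lines are constructed from the example above, and
      the sscanf() calls hand 'unsigned int' arguments to %u, which is the
      same data-type point as the "Use 'unsigned int' for sscanf()" fix
      further below. Only IPv4 is handled; IPv6 groups are left out.

```c
/* Added example, not part of ccs-patch: IPv4 "address_group" matching.
 * The policy lines below are constructed from the README's example. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MAX_RANGES 16

struct ip_range { uint32_t lo, hi; };

struct address_group {
    char name[32];
    struct ip_range ranges[MAX_RANGES];
    int count;
};

/* Parse "a.b.c.d" into a host-order uint32_t. Returns 1 on success, 0 on
 * failure. %u expects 'unsigned int', so that is the type given to sscanf(). */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned int a, b, c, d;
    char trailing;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &trailing) != 4)
        return 0;                   /* wrong shape or trailing garbage */
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = ((uint32_t)a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Add one "address_group NAME lo-hi" line (or "NAME addr" for a single
 * address) to the group. Returns 1 if accepted, 0 if rejected. */
static int add_address_group_line(struct address_group *g, const char *line)
{
    char name[32], addrs[64], lo_s[32], hi_s[32];
    uint32_t lo, hi;
    const char *dash;

    if (sscanf(line, "address_group %31s %63s", name, addrs) != 2)
        return 0;
    if (g->count == 0)
        snprintf(g->name, sizeof(g->name), "%s", name);
    else if (strcmp(g->name, name) != 0)
        return 0;                   /* this struct holds a single group */
    if (g->count >= MAX_RANGES)
        return 0;

    dash = strchr(addrs, '-');
    if (dash) {
        size_t n = (size_t)(dash - addrs);
        if (n >= sizeof(lo_s))
            return 0;
        memcpy(lo_s, addrs, n);
        lo_s[n] = '\0';
        snprintf(hi_s, sizeof(hi_s), "%s", dash + 1);
    } else {
        snprintf(lo_s, sizeof(lo_s), "%s", addrs);
        snprintf(hi_s, sizeof(hi_s), "%s", addrs);
    }
    if (!parse_ipv4(lo_s, &lo) || !parse_ipv4(hi_s, &hi) || lo > hi)
        return 0;
    g->ranges[g->count].lo = lo;
    g->ranges[g->count].hi = hi;
    g->count++;
    return 1;
}

/* Is the dotted-quad address inside any range of the group? */
static int address_group_matches(const struct address_group *g, const char *addr)
{
    uint32_t ip;
    int i;
    if (!parse_ipv4(addr, &ip))
        return 0;
    for (i = 0; i < g->count; i++)
        if (ip >= g->ranges[i].lo && ip <= g->ranges[i].hi)
            return 1;
    return 0;
}

/* Build "@localnet" from the README's three lines and test one address.
 * Returns 1 (covered), 0 (not covered) or -1 (a policy line was rejected). */
int localnet_covers(const char *addr)
{
    static const char *const policy[] = {
        "address_group localnet 10.0.0.0-10.255.255.255",
        "address_group localnet 172.16.0.0-172.31.255.255",
        "address_group localnet 192.168.0.0-192.168.255.255",
    };
    struct address_group g;
    size_t i;
    memset(&g, 0, sizeof(g));
    for (i = 0; i < sizeof(policy) / sizeof(policy[0]); i++)
        if (!add_address_group_line(&g, policy[i]))
            return -1;
    return address_group_matches(&g, addr);
}

int main(void)
{
    const char *peers[] = { "10.1.2.3", "172.32.0.1", "192.168.255.255", "8.8.8.8" };
    size_t i;
    for (i = 0; i < sizeof(peers) / sizeof(peers[0]); i++)
        printf("%-16s -> %s\n", peers[i],
               localnet_covers(peers[i]) == 1 ? "@localnet" : "not in group");
    return 0;
}
```

      Note that a malformed range ("10.0.0.256", a trailing character) is
      rejected by the parser rather than silently wrapped, which is what you
      want from anything that feeds a network ACL.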

Fix 2007/03/03

    @ Remove obsolete functions.

    @ Add some hooks.

      The read permission check is done if open_exec()
      is called from search_binary_handler().
      The read permission check is not done if open_exec()
      is called from do_execve(); instead,
      the execute permission check is done in
      search_binary_handler_with_transition().

      I moved the calls to CheckCapabilityACL()
      and CheckMountPermission() from sys_mount() to do_mount().

Fix 2007/03/07

    @ Use 'unsigned int' for sscanf().

      I compiled SYAORAN fs in an x86_64 environment and found
      the compiler showing warning messages about the size of data types.
      Since the size of data types may mismatch for sscanf(),
      I replaced some types with 'unsigned int'.

Version 1.4 2007/04/01 x86_64 support release.

Fix 2007/04/18

    @ Change argv[0] checking rule.

      I was comparing the basename of the symbolic link's pathname with argv[0].
      Since the execute permission check and the domain transition are done
      based on the realpath while the argv[0] check was done based on the
      symlink's pathname and argv[0], this specification would allow an attacker
      to behave as /bin/cat in the domain of /bin/ls if "/bin/ls and /bin/cat are
      links to /sbin/busybox", "the attacker is permitted to create
      a symlink named ~/cat that points to /bin/ls" and "the attacker is
      permitted to run /bin/ls".
      So, I changed it to compare the basename of the realpath with argv[0].
      Also, I moved the comparison before the processing of the
      "aggregator" directive so that
      "aggregator /tmp/logrotate.\?\?\?\?\?\? /tmp/logrotate.tmp"
      won't cause a mismatch between the basename of the realpath and argv[0].

      If /bin/ls is a symlink to /sbin/busybox, then
      creating a symlink named ~/cat that points to /bin/ls and
      executing ~/cat won't work as expected, because the permission check and
      the domain transition are done using /sbin/busybox (the realpath of /bin/ls)
      and will be rejected, since the administrator won't grant
      "1 /sbin/busybox".

Fix 2007/05/07

    @ Support pathname subtraction.

      There was no way to exclude specific pathnames when granting
      permissions using wildcards, and there would be a need to exclude
      specific files and directories.
      I introduced "\-" as a subtraction operator.

      "A\-B" means "A" other than "B".
      "A\-B\-C" means "A" other than "B" and "C".
      "A\-B\-C\-D" means "A" other than "B", "C" and "D".

      "A", "B", "C", "D" may contain wildcards.

      An example usage is "/home/\*/\*\-.ssh/\*", which means
      "/home/\*/\*/\*" other than "/home/\*/.ssh/\*".

      "A" should contain wildcards because subtraction from constants
      (e.g. "/usr\-usr/" or "/usr\-home/") is meaningless.

      Don't try "A\-B\+C" because "\+" is not an addition operator.
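
      To make the subtraction rules above concrete, here is an added C
      illustration (example code for this note, not the ccs-patch's own
      pattern matcher). It assumes, as the text above implies, that "\*"
      matches any run of characters other than '/' and that "\-" is applied
      per path component, so "/home/\*/\*\-.ssh/\*" matches
      "/home/alice/docs/notes.txt" but not "/home/alice/.ssh/id_rsa". The
      other TOMOYO escapes (\?, \$, \+ ...) are not handled here.

```c
/* Added example, not part of ccs-patch: wildcard matching with the "\-"
 * subtraction operator, applied per path component. Only "\*" (zero or
 * more characters other than '/') is supported as a wildcard here. */
#include <stdio.h>
#include <string.h>

/* Match the single term pat[0..pat_end) against a whole path component. */
static int term_matches(const char *pat, const char *pat_end, const char *name)
{
    while (pat < pat_end) {
        if (pat + 1 < pat_end && pat[0] == '\\' && pat[1] == '*') {
            const char *rest = pat + 2;
            const char *p = name;
            for (;;) {                  /* let "\*" absorb 0..n characters */
                if (term_matches(rest, pat_end, p))
                    return 1;
                if (*p == '\0')
                    return 0;
                p++;
            }
        }
        if (*name == '\0' || *pat != *name)
            return 0;                   /* literal character mismatch */
        pat++;
        name++;
    }
    return *name == '\0';
}

/* "A\-B\-C": the component must match A and must match none of B, C, ... */
static int component_matches(const char *pat, const char *pat_end, const char *name)
{
    const char *term = pat;
    int first = 1;
    for (;;) {
        const char *sep = term;
        while (sep < pat_end && !(sep + 1 < pat_end && sep[0] == '\\' && sep[1] == '-'))
            sep++;
        if (term_matches(term, sep, name) != first)
            return 0;                   /* A missed, or a subtracted term hit */
        if (sep >= pat_end)
            return 1;
        term = sep + 2;                 /* skip the "\-" */
        first = 0;
    }
}

/* Match a full pathname against a full pattern, one '/'-separated
 * component at a time. Both must have the same number of components. */
int path_matches(const char *pattern, const char *path)
{
    if (*pattern != '/' || *path != '/')
        return 0;
    pattern++;
    path++;
    for (;;) {
        const char *pe = strchr(pattern, '/');
        const char *fe = strchr(path, '/');
        char comp[256];
        size_t n;
        if (!pe) pe = pattern + strlen(pattern);
        if (!fe) fe = path + strlen(path);
        n = (size_t)(fe - path);
        if (n >= sizeof(comp))
            return 0;
        memcpy(comp, path, n);
        comp[n] = '\0';
        if (!component_matches(pattern, pe, comp))
            return 0;
        if (*pe == '\0' || *fe == '\0')
            return *pe == '\0' && *fe == '\0';   /* must end together */
        pattern = pe + 1;
        path = fe + 1;
    }
}

int main(void)
{
    const char *pat = "/home/\\*/\\*\\-.ssh/\\*";       /* the README's example */
    const char *paths[] = { "/home/alice/docs/notes.txt", "/home/alice/.ssh/id_rsa" };
    size_t i;
    for (i = 0; i < 2; i++)
        printf("%-28s %s %s\n", paths[i],
               path_matches(pat, paths[i]) ? "matches" : "does not match", pat);
    return 0;
}
```

      Because subtraction is evaluated per component, a second subtracted
      term such as "\*\-.ssh\-.gnupg" excludes both directories, while
      "/usr\-home/" still matches "/usr/" and "/usr\-usr/" matches nothing,
      which is why the text above calls subtraction from constants meaningless.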

Fix 2007/05/24

    @ Fix autobind hook.

      The location to call SAKURA_MayAutobind() in net/ipv4/udp.c
      and net/ipv6/udp.c was wrong.

Fix 2007/06/03

    @ Add a space in MakeMountOptions().

      I forgot to add a space after "atime" and "noatime".

Version 1.4.1 2007/06/05 Minor update release.

Fix 2007/07/04

    @ Fix ReadAddressGroupPolicy() bug.

      ReadAddressGroupPolicy() fails if both "path_group" and "address_group"
      are used because I forgot to set "head->read_var1 = NULL".

Fix 2007/07/10

    @ Add compat_sys_stime() hook.

      Some 64-bit kernels support compat_sys_stime(),
      but the permission check was missing.

Version 1.4.2 2007/07/13 Bug fix release.

Fix 2007/08/06

    @ Remove mount-flags manipulation.

      Until now, the administrator was permitted to turn specific mount
      options on/off regardless of the mount options passed to the kernel.
      I removed this feature because "exact option matching" sounds better than
      "automatic option enabler/disabler".

    @ Remove /proc/ccs/info/mapping .

      I removed /proc/ccs/info/mapping because nobody seems to use this
      feature.

    @ Call external policy loader automatically.

      Until now, users had to add the init=/.init parameter to load policy
      before /sbin/init starts.
      I inserted a call_usermodehelper() call that invokes the external policy
      loader when execve("/sbin/init") is requested and the external policy
      loader exists.

      This change removes the need for the init=/.init parameter in most
      environments, although call_usermodehelper() can't handle interactive
      operations.

    @ Move external policy loader from /.init to /sbin/ccs-init .

      Installing programs in the / directory is not good for packaging.

Fix 2007/08/13

    @ Update external policy loader.

      It turned out that /sbin/ccs-init invoked via call_usermodehelper()
      can handle interactive operations by opening /dev/console .
      Now there is no difference between init=/sbin/ccs-init and
      call_usermodehelper("/sbin/ccs-init"), and users no longer need to
      add the init=/sbin/ccs-init parameter to load policy before /sbin/init
      starts.

Fix 2007/08/14

    @ Update recvmsg() hooks.

      Until now, it was impossible to apply network access control to
      incoming UDP and RAW packets if they were brought to userland using
      read() or recvmsg() with a NULL address, because the address buffer
      is NULL.
      I moved the hooks from sock_recvmsg() to skb_recv_datagram() so that
      network access control for incoming UDP and RAW packets always works.

Fix 2007/08/16

    @ Return appropriate error code for CheckMountPermission().

      I was returning -EPERM if something was wrong in CheckMountPermission().
      But SELinux determines whether selinuxfs is supported by the kernel
      based on whether the error code is -ENODEV or not.
      So I stopped returning -EPERM unconditionally.

Fix 2007/08/17

    @ Remove initializer directive.

      Use "initialize_domain" instead of "initializer".

Fix 2007/08/21

    @ Fix "allow_argv0 ... if if ..." bug.

      It was impossible to use the word "if" as the second argument of
      allow_argv0 if the condition part was used.

Fix 2007/08/24

    @ Move /proc/ccs/\*/\* to /proc/ccs/\* .

      Some pathnames of the /proc/ccs/ interface were changed.

Fix 2007/09/05

    @ Drop MSG_PEEK'ed message before skb_free_datagram().

      I need to remove the head message from an unwanted source
      from the socket's receive queue so that the caller can pick up the
      next message from a wanted source with the MSG_PEEK flag.

Version 1.5.0 2007/09/20 Usability enhancement release.

Fix 2007/09/27

    @ Avoid eating memory after quota exceeded.

      Although ACL entries in a domain won't be added if the domain's quota
      has been exceeded, SaveName() in AddFileACL() was called anyway.
      This caused unneeded memory consumption.

      Now, quota checking is done before taking the domain_acl_lock lock.
      This may exceed the quota by one or two entries, but that won't matter.

Fix 2007/10/16

    @ Add environment variable check.

      There are environment variables that may cause dangerous behavior,
      like LD_\* .
      So I introduced the 'allow_env' directive, which allows the specified
      environment variable to be inherited by the next domain.
      Unlike other permissions, this check is done at execve() time
      using the next domain's ACL information.

      To manage commonly inherited environment variables like PATH ,
      you can use the 'allow_env' directive in the exception policy
      to globally grant the specified environment variable.

Fix 2007/11/05

    @ Replace semaphore with mutex.

      I replaced the semaphore with a mutex.

    @ Add missing down() in AddReservedEntry().

      The mutex debugging capability told me that I had forgotten to call down()
      since TOMOYO version 1.3.2 .
      This function is not called by learning mode,
      so the semaphore's counter will not overflow for normal usage.

Fix 2007/11/27

    @ Fix ReadTable() truncation bug.

      "snprintf(str, size, format, ...) >= size" means truncated.
      But I was checking for "snprintf(str, size, format, ...) > size".
      As a result, some entries might be dumped without '\n'.

    @ Purge direct "->prev"/"->next" manipulation.

      All list manipulations use "struct list_head" or "struct list1_head".
      "struct list1_head" doesn't have a "->prev" member, to save memory.
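
      The truncation check in the ReadTable() fix above is easy to get wrong
      at the boundary, so here is an added C illustration (example code for
      this note, not ccs-patch code) of the two checks side by side. A line
      that needs exactly "size" bytes plus the terminating NUL makes
      snprintf() return a value equal to size; the buffer keeps size - 1
      characters, the '\n' is the byte that gets dropped, and only the
      ">= size" test notices.

```c
/* Added example, not part of ccs-patch: snprintf() truncation detection.
 * snprintf() returns the length the output WOULD have had; the buffer keeps
 * at most size-1 characters plus the NUL. A return value equal to size
 * therefore already means one character was lost. */
#include <stdio.h>
#include <string.h>

/* Format one policy entry as "<entry>\n" into buf[size].
 * Returns 1 if the selected check claims the line fit, 0 if truncated.
 * buggy_check selects the "> size" test that the fix above replaced. */
int format_entry(char *buf, size_t size, const char *entry, int buggy_check)
{
    int len = snprintf(buf, size, "%s\n", entry);
    if (len < 0)
        return 0;                       /* encoding error: treat as truncated */
    if (buggy_check)
        return len > (int)size ? 0 : 1; /* misses the len == size case */
    return len >= (int)size ? 0 : 1;    /* correct: >= size means truncated */
}

/* Did the newline survive in the buffer? */
int ends_with_newline(const char *buf)
{
    size_t n = strlen(buf);
    return n > 0 && buf[n - 1] == '\n';
}

/* Run the boundary case: a 7-character entry plus "\n" into an 8-byte
 * buffer. snprintf() returns 8 == size and the newline is dropped.
 * Returns 1 if the chosen check agrees with what actually happened. */
int boundary_case_detected(int buggy_check)
{
    char buf[8];
    const char *entry = "1234567";      /* constructed: exactly size - 1 bytes */
    int claimed_fit = format_entry(buf, sizeof(buf), entry, buggy_check);
    return claimed_fit == ends_with_newline(buf);
}

int main(void)
{
    printf("correct check (>= size) detects boundary truncation: %s\n",
           boundary_case_detected(0) ? "yes" : "no");
    printf("old check (> size) detects boundary truncation:      %s\n",
           boundary_case_detected(1) ? "yes" : "no");
    return 0;
}
```

      The practical consequence for a policy dump is exactly the one the fix
      describes: with the old test, an entry of that length is written and
      reported as complete, but the reader sees it fused with the next line.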

Fix 2007/11/29

    @ Add missing semaphore in GetEXE().

      mm->mmap_sem was missing.

Fix 2007/12/17

    @ Remove unused EXPORT_SYMBOL().

      Mark some functions static.

Fix 2007/12/18

    @ Fix AddMountACL() rejection bug.

      To my surprise, "mount --bind source dest" accepts
      not only "both source and dest are directories"
      but also "both source and dest are non-directories".
      I was rejecting the entry in AddMountACL() if dest was not a directory.

    @ Change log format.

      The profile number and mode are added to audit logs.

Fix 2008/01/03

    @ Change directive for file's read/write/execute permission.

      The directives for a file's read/write/execute permissions were
      4/2/1 respectively. For easier understanding, they are now
      replaced by read/write/execute (e.g. "allow_read" instead of "4").
      For easier input, 4/2/1 are still accepted in place of
      allow_read/allow_write/allow_execute respectively.

    @ Change internal data structure.

      Since I don't have more than 16 types of file permissions,
      I combined them using bit-fields.

      Each entry had a field for conditional permission support.
      But since this field is rarely used, I separated the field from
      the common part.

      These changes reduce the memory used by policy.

Fix 2008/01/15

    @ Add ptrace() hook.

      To prevent attackers from controlling important processes using
      ptrace(), I added a hook for ptrace().
      Most programs (except strace(1) and gdb(1)) won't use ptrace(2).

    @ Fix sleep condition check in CheckSocketRecvDatagramPermission().

      It seems that the correct method to use is in_atomic()
      rather than in_interrupt(), because in_atomic() returns nonzero
      whenever scheduling is not allowed.

Fix 2008/02/05

    @ Use find_task_by_vpid() instead of find_task_by_pid().

      Kernel 2.6.24 introduced PID namespaces.
      To search for a PID given from userland, the kernel needs to use
      find_task_by_vpid() instead of find_task_by_pid().

Fix 2008/02/14

    @ Add execve() parameter checking.

      Until now, it was impossible to check the argv[] and envp[] parameters
      passed to execve().
      I expanded the conditional permission syntax so that the
      { argc, envc, argv[], envp[] } parameters can be checked if needed.
      This allows the administrator to permit execution of /bin/sh only when
      /bin/sh is invoked in the form "/bin/sh -c" and the environment variable
      HOME is set, by specifying

        allow_execute /bin/sh if exec.argv[1]="-c" exec.envp["HOME"]!=NULL

      in the policy.
      This extension makes it difficult for exploit code to start /bin/sh,
      because exploit code is unlikely to set up environment variables and
      unlikely to specify the "-c" option when invoking /bin/sh, whereas proper
      callers are likely to set up environment variables and likely to specify
      the "-c" option.
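
      To show what the condition above actually tests, here is an added C
      illustration (example code for this note, not the in-kernel condition
      evaluator). It parses a condition string in the form used above,
      restricted to exec.argv[N] and exec.envp["NAME"] with the = and !=
      operators against either a "quoted" value or NULL, and evaluates it
      against the argv[]/envp[] of a request. The two sample requests are
      constructed: a system(3)-style "/bin/sh -c ..." call with an inherited
      environment, and the bare execve("/bin/sh", {"/bin/sh", NULL}, NULL)
      that typical shellcode issues.

```c
/* Added example, not part of ccs-patch: evaluate an "allow_execute ... if"
 * condition (subset: exec.argv[N], exec.envp["NAME"], operators = and !=,
 * right-hand side "quoted" or NULL) against a request's argv[]/envp[]. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RULE "exec.argv[1]=\"-c\" exec.envp[\"HOME\"]!=NULL"   /* from the README */

static size_t vec_len(char *const v[])
{
    size_t n = 0;
    while (v && v[n])
        n++;
    return n;
}

/* Value of NAME (nlen bytes, not NUL-terminated) in an envp-style array. */
static const char *envp_get(char *const envp[], const char *name, size_t nlen)
{
    size_t i;
    for (i = 0; envp && envp[i]; i++)
        if (strncmp(envp[i], name, nlen) == 0 && envp[i][nlen] == '=')
            return envp[i] + nlen + 1;
    return NULL;
}

/* Resolve "exec.argv[N]" or "exec.envp[\"NAME\"]" (len bytes) for this
 * request; NULL means the element does not exist. */
static const char *lhs_value(const char *lhs, size_t len,
                             char *const argv[], char *const envp[])
{
    if (len > 10 && strncmp(lhs, "exec.argv[", 10) == 0) {
        size_t i = strtoul(lhs + 10, NULL, 10);
        return i < vec_len(argv) ? argv[i] : NULL;
    }
    if (len > 11 && strncmp(lhs, "exec.envp[\"", 11) == 0) {
        const char *q = memchr(lhs + 11, '"', len - 11);
        return q ? envp_get(envp, lhs + 11, (size_t)(q - (lhs + 11))) : NULL;
    }
    return NULL;
}

/* Every space-separated term must hold. Returns 1, 0, or -1 on a syntax error. */
int condition_holds(const char *cond, char *const argv[], char *const envp[])
{
    const char *p = cond;
    while (*p) {
        const char *lhs, *close, *val;
        int negate = 0, hit;
        while (*p == ' ')
            p++;
        if (!*p)
            break;
        lhs = p;
        close = strchr(p, ']');
        if (!close)
            return -1;
        p = close + 1;
        if (p[0] == '!' && p[1] == '=') {
            negate = 1;
            p += 2;
        } else if (p[0] == '=') {
            p += 1;
        } else {
            return -1;
        }
        val = lhs_value(lhs, (size_t)(close + 1 - lhs), argv, envp);
        if (strncmp(p, "NULL", 4) == 0 && (p[4] == ' ' || p[4] == '\0')) {
            hit = (val == NULL);
            p += 4;
        } else if (*p == '"') {
            const char *q = strchr(p + 1, '"');
            size_t n;
            if (!q)
                return -1;
            n = (size_t)(q - (p + 1));
            hit = val != NULL && strlen(val) == n && memcmp(val, p + 1, n) == 0;
            p = q + 1;
        } else {
            return -1;
        }
        if (hit == negate)          /* the term is false */
            return 0;
    }
    return 1;
}

/* Constructed legitimate request: what system("logrotate ...") would issue. */
int eval_on_legitimate(const char *cond)
{
    char *argv[] = { "/bin/sh", "-c", "logrotate /etc/logrotate.conf", NULL };
    char *envp[] = { "PATH=/usr/bin:/bin", "HOME=/root", NULL };
    return condition_holds(cond, argv, envp);
}

/* Constructed shellcode request: execve("/bin/sh", {"/bin/sh", NULL}, NULL). */
int eval_on_shellcode(const char *cond)
{
    char *argv[] = { "/bin/sh", NULL };
    return condition_holds(cond, argv, NULL);
}

int main(void)
{
    printf("%s\n  legitimate: %d\n  shellcode:  %d\n", RULE,
           eval_on_legitimate(RULE), eval_on_shellcode(RULE));
    return 0;
}
```

      The shellcode request fails on the very first term: argv[1] does not
      exist, so it cannot equal "-c", and it would fail the second term as
      well because envp is NULL. This is the whole point of the rule: the
      check costs a legitimate caller nothing, while minimal shellcode
      would have to carry an environment and arguments it normally omits.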

Fix 2008/02/18

    @ Add process state checking.

      Until now, it was impossible to change the ACL without executing a program.
      I added three variables for performing stateful checking within a domain.
      You can set the current process's state like:

        allow_network TCP accept @TRUSTED_HOSTS 1024-65535 ; set task.state[0]=1
        allow_network TCP accept @UNTRUSTED_HOSTS 1024-65535 ; set task.state[0]=0

      and you can use the state like

        allow_read /path/to/important/file if task.state[0]=1

      in the policy.
      The state changes when the request is granted by the MAC's policy,
      so please be careful with situations where the state has changed
      successfully but the request was not processed for other reasons
      (e.g. out of memory).

Fix 2008/02/26

    @ Support /proc/ccs/ access by non-root user.

      Until now, only the root user could access the /proc/ccs/ interface.
      To permit /proc/ccs/ access by a non-root user, so that administration
      from a remote host doesn't require an ssh login as root,
      I made the "(current->uid == 0 && current->euid == 0)" requirement optional.
      If this requirement is disabled, only the "conventional DAC permission
      checks" and the "/proc/ccs/manager checks" are used.

Fix 2008/02/29

    @ Add sleep_on_violation feature.

      Some exploit code (e.g. trans2open for Samba) continues running
      until it achieves its purpose (e.g. invoking /bin/sh).

      If such code is injected via a buffer overflow but the kernel
      rejects the request, it triggers an infinite "Permission denied" loop.
      As a result, CPU usage reaches 100% and the rest of the processes
      suffer.
      This is a side effect of rejecting the request from the exploit code,
      which wouldn't happen if the request from the exploit code were granted.

      To avoid such CPU consumption, I added a penalty that forcibly
      sleeps for a specified period when a request is rejected.

      This penalty doesn't work if the exploit code does nothing but
      continue running, but I think most exploit code's purpose is
      to start some program rather than to slow down the target system.

    @ Add alt_exec feature.

      Since TOMOYO Linux's approach is "know all essential requests in advance
      and create a policy that permits only them", you can regard anomalous
      requests as attacks (if you want to do so).

      Common MAC implementations merely reject requests that violate policy.
      But I added a special handler for execve() to TOMOYO Linux.

      This handler is triggered when a process requested to execute a program
      but the request was rejected by the policy.
      This handler executes a program specified by the administrator
      instead of the program requested by the process.

      Most attackers attempt to execute /bin/sh to start something malicious.
      Attackers execute exploit code using a buffer overflow vulnerability
      to steal control of a process. But this handler can get control back
      if the exploit code requests an execve() that is not permitted by policy.

      By default, this handler does nothing (i.e. it merely rejects the execve()
      request). You can specify any program to start what you want to do.

      You can redirect attackers somewhere else (e.g. a honey pot).
      This makes it possible for your Linux box to act as an on-demand honey pot
      while keeping regular services available for your own use.

      You can collect information about the attacker (e.g. IP address) and
      update the firewall configuration.

      You can silently terminate a process that requested an execve()
      that is not permitted by policy.

Fix 2008/03/03

    @ Add "force_alt_exec" directive.

      To be able to fully utilize the "alt_exec" feature,
      I added the "force_alt_exec" directive so that
      all execute requests are replaced by an execute request for the program
      specified by the alt_exec feature.

      If this directive is specified for a domain, the domain no longer
      executes any programs regardless of the mode of file access control
      (i.e. the domain won't execute even if MAC_FOR_FILE=0 ).
      Instead, the domain executes the program specified by the alt_exec feature,
      and the program specified by the alt_exec feature validates the execute
      request and executes it if it is appropriate to execute.

      If you can tolerate that there is no chance to return an error code
      to the caller to tell it that the execute request was rejected,
      this is a more flexible approach than in-kernel execve() parameter
      checking, because argv[] and envp[] checking can be done easily in userspace.

Fix 2008/03/04

    @ Use string for access control mode.

      An integer expression for the access control mode sometimes confuses
      administrators because the profile number is also an integer expression.
      To avoid confusion between profile number and access control mode,
      I introduced a string expression for the access control mode.

      Modes which take an integer between 0 and 3:

        0 -> disabled
        1 -> learning
        2 -> permissive
        3 -> enforcing

      Modes which take 0 or 1:

        0 -> disabled
        1 -> enabled

Fix 2008/03/10

    @ Rename "force_alt_exec" directive to "execute_handler".

      To be able to use different programs for validating execve() parameters,
      I moved the place where the program's pathname is specified from the
      profile to the domain policy.

      The "execute_handler" directive takes one pathname, which is
      invoked whenever an execve() request is issued. Thus, any "allow_execute"
      directives in a domain with "execute_handler" are ignored.
      This directive is designed for validating expected/desirable execve()
      requests in userspace, although there is no way to tell the caller
      that the execve() request was rejected.

    @ Rename "alt_exec" directive to "denied_execute_handler".

      The "denied_execute_handler" directive takes one pathname, which is
      invoked only when an execve() request was rejected. In other words,
      this program is invoked only when the following conditions are met.

        (1) None of the "allow_execute" directives in the domain matched.
        (2) The execve() request was rejected in enforcing mode.
        (3) The "execute_handler" directive is not used by the domain.

      This directive is designed for handling unexpected/undesirable execve()
      requests, to redirect the process issuing such requests somewhere else.
1326     Fix 2008/03/18
1327    
1328     @ Fix wrong/redundant locks in pre-vfs functions.
1329    
1330     lock_kernel()/unlock_kernel() in pre_vfs_rename() were redundant for
1331     2.6 kernels.
1332    
1333     Locking order in pre_vfs_link() and pre_vfs_unlink() for 2.4 kernels
1334     after 2.4.33 were different from before 2.4.32 .
1335 kumaneko 1056
1336 kumaneko 1064 Fix 2008/03/28
1337    
1338     @ Disable execute handler loop.
1339    
1340     To be able to use "execute_handler" in a "keep_domain" domain,
1341 kumaneko 1903 ignore "execute_handler" and "denied_execute_handler" directives
1342 kumaneko 1064 if the current process is executing programs specified by
1343 kumaneko 1903 "execute_handler" or "denied_execute_handler" directive.
1344 kumaneko 1064
1345     This exception is needed to avoid infinite execute handler loop.
1346     If a domain has both "keep_domain" and "execute_handler",
1347     any execute request by that domain is handled by an execute handler,
1348     and the execute handler attempts to process original execute request.
1349     But the original execute request is handled by the same execute handler
1350     unless the execute handler ignores "execute_handler".
1351    
1352 kumaneko 1065 @ Update coding style.
1353    
1354     I rewrote the code to pass scripts/checkpatch.pl as much as possible.
1355     Function names were changed to use only lower letters.
1356    
1357 kumaneko 1076 Version 1.6.0 2008/04/01 Feature enhancement release.
1358 kumaneko 1084
1359 kumaneko 1106 Fix 2008/04/14
1360 kumaneko 1084
1361     @ Fix "Compilation failures" and "Initialization ordering bugs"
1362     with kernels before 2.4.30/2.6.11 .
1363    
1364     2.6 kernels before 2.6.9 didn't have include/linux/hardirq.h ,
1365     resulting compilation error at #include <linux/hardirq.h> .
1366     I added #elif condition.
1367    
1368 kumaneko 1106 CentOS 4.6's 2.6.9 kernel calls do_execve() before initialization of
1369 kumaneko 1084 ccs_alloc(), resulting NULL pointer dereference.
1370 kumaneko 1106 I changed __initcall to core_initcall.
1371 kumaneko 1084
1372 kumaneko 1106 CentOS 4.6's 2.6.9 kernel backported kzalloc() from 2.6.14 ,
1373 kumaneko 1084 resulting compilation error at kzalloc().
1374 kumaneko 1089 I modified prototype of kzalloc().
1375 kumaneko 1117
1376     Fix 2008/04/20
1377    
1378     @ Fix "Compilation failures" with kernels before 2.4.30/2.6.11 .
1379    
1380     Turbolinux 10 Server's 2.6.8 kernel backported kzalloc() as an inlined
1381     function, resulting compilation error at kzalloc().
1382     I converted kzalloc() from an inlined function into a macro.
1383 kumaneko 1120
1384     Fix 2008/04/21
1385    
1386     @ Add workaround for gcc 3.2.2's inline bug.
1387    
1388     RedHat Linux 9's gcc 3.2.2 generated a bad code
1389     if ((var_of_u8 & 0x000000BF) & 0x80000000) { }
1390     where the expected code is
1391     if ((var_of_u8 & 0xBF) & 0x80) { }
1392     when embedding ccs_acl_type2() into print_entry(),
1393     resulting runtime BUG().
1394     I added the expected code explicitly as a workaround.
1395 kumaneko 1135
1396 kumaneko 1180 Fix 2008/05/06
1397 kumaneko 1139
1398 kumaneko 1180 @ Add memory quota.
1399 kumaneko 1139
1400     1.5.x returns -ENOMEM when FindNextDomain() failed to create a new
1401 kumaneko 1180 domain, but I forgot to return -ENOMEM when find_next_domain() failed to
1402     create a new domain.
1403 kumaneko 1139
1404 kumaneko 1180 A domain is automatically created by find_next_domain() only if
1405     the domain for the requested program doesn't exist.
1406     This behavior is for the administrator's convenience.
1407     The administrator needn't to know how many domains are needed for running
1408     the whole programs in the system beforehand when developing the policy.
1409     But the administrator does not want the kernel to reject execution of the
1410     requested program when developing the policy.
1411    
1412     So, I think it is better to grant execution of programs even if
1413     find_next_domain() failed to create a new domain than reject execution.
1414     Thus, I decided not to return -ENOMEM when find_next_domain() failed to
1415     create a new domain. This exception breaks the domain transition rules,
1416     so I print "transition_failed" warning in /proc/ccs/domain_policy
1417     when this exception happened.
1418    
1419     Also, to prevent the system from being halted by unexpectedly allocating
1420     all kernel memory for the policy, I added memory quota.
1421     This quota is configurable via /proc/ccs/meminfo like
1422    
1423     echo Shared: 1048576 > /proc/ccs/meminfo
1424     echo Private: 1048576 > /proc/ccs/meminfo
1425    
1426 kumaneko 1191 Version 1.6.1 2008/05/10 Bug fix release.
1427 kumaneko 1255
1428     Fix 2008/06/04
1429    
1430     @ Check open mode of /proc/ccs/ interface.
1431    
1432     It turned out that I can avoid allocating memory for reading if
1433     FMODE_READ is not set and memory for writing if FMODE_WRITE is not set.
1434    
1435     @ Wait for completion of /sbin/ccs-init .
1436    
1437     Since 2.4 kernel's call_usermodehelper() can't wait for termination of
1438     the executed program, I was using the close() request of
1439     /proc/ccs/meminfo to indicate that loading policy has finished.
1440     But since /proc/ccs/meminfo could be accessed for setting memory quota
1441     by /etc/ccs/ccs-post-init , I stopped using the close() request.
1442     The policy loader no longer need to access /proc/ccs/meminfo to notify
1443     the kernel that loading policy has finished.
1444 kumaneko 1259
1445     Fix 2008/06/05
1446    
1447     @ Fix realpath for pipes and sockets.
1448    
1449     Kernel 2.6.22 and later use different method for calculating d_path().
1450     Since fs/realpath.c didn't notice the change, the realpath of pipes
1451     appeared as "pipe:" rather than "pipe:[\$]" when they are opened via
1452     /proc/PID/fd/ directory.
1453 kumaneko 1260
1454     @ Add process's information into /proc/ccs/query .
1455    
1456     While /proc/ccs/grant_log and /proc/ccs/reject_log contain process's
1457     information, /proc/ccs/query doesn't contain it.
1458     To be able to utilize ccs-queryd and ccs-notifyd more, I added it into
1459     /proc/ccs/query .
1460 kumaneko 1278
1461     Fix 2008/06/10
1462    
1463     @ Allow using patterns for globally readable files.
1464    
1465     To allow users specify locale specific files to globally readable files,
1466     I relaxed checking in update_globally_readable_entry().
1467 kumaneko 1279
1468 kumaneko 1283 Fix 2008/06/11
1469    
1470     @ Remove ALLOW_ENFORCE_GRACE parameter.
1471    
1472     Since unexpected requests caused by doing software updates can happen
1473 kumaneko 1286 in all profiles, users likely have to write ALLOW_ENFORCE_GRACE=enabled
1474     to all profiles. And it makes meaningless to allow users to selectively
1475     enable specific profile's ALLOW_ENFORCE_GRACE parameter.
1476     So, I removed ALLOW_ENFORCE_GRACE parameter.
1477 kumaneko 1283 Now, the system behaves as if ALLOW_ENFORCE_GRACE=enabled is specified.
1478     The behavior of "delayed enforcing" mode is defined in the following
1479     order.
1480    
1481     (1) The requests are rejected immediately if nobody is opening
1482     /proc/ccs/query interface.
1483     (2) The requests will be rejected in 10 seconds if somebody other than
1484     ccs-queryd (such as less(1)) is opening /proc/ccs/query interface,
1485     for such process doesn't write dummy decisions.
1486 kumaneko 1286
1487 kumaneko 1319 Fix 2008/06/22
1488    
1489     @ Pass escaped pathname to audit_execute_handler_log().
1490    
1491     I was passing unescaped pathname to audit_execute_handler_log()
1492     which causes /proc/ccs/grant_log contain whitespace characters
1493     if execute handler's pathname contains whitespace characters.
1494    
1495 kumaneko 1333 Fix 2008/06/25
1496    
1497     @ Return 0 when ccs_may_umount() succeeds.
1498    
1499     I forgot to clear error value in ccs_may_umount() when the requested
1500 kumaneko 1903 directory didn't match "deny_unmount" directive. As a result, any umount()
1501 kumaneko 1333 request with RESTRICT_UNMOUNT=enforcing returned -EPERM error.
1502    
1503 kumaneko 1330 Version 1.6.2 2008/06/25 Usability enhancement release.
1504 kumaneko 1366
1505     Fix 2008/07/01
1506    
1507     @ Fix "Compilation failure" with 2.4.20 kernel.
1508    
1509     RedHat Linux 9's 2.4.20 kernel backported O(1) scheduler patch,
1510     resulting compilation error at ccs_load_policy().
1511     I added defined(TASK_DEAD) check.
1512 kumaneko 1377
1513     Fix 2008/07/08
1514    
1515     @ Don't check permissions if vfsmount is NULL.
1516    
1517     Some filesystems (e.g. unionfs) pass NULL vfsmount.
1518     I changed fs/tomoyo_file.c not to try to calculate pathnames
1519     if vfsmount is NULL.
1520 kumaneko 1379
1521 kumaneko 1384 Version 1.6.3 2008/07/15 Bug fix release.

Fix 2008/08/21

    @ Add workaround for gcc 4.3's bug.

      In some environments, fs/tomoyo_network.c could not be compiled
      because of a gcc 4.3 bug.
      I modified save_ipv6_address() to use integer literal values
      instead of a "static const u8" variable.

    @ Change prototypes of some functions.

      To support 2.6.27 kernels, I replaced "struct nameidata" with
      "struct path" for some functions.

    @ Detect distributor specific patches automatically.

      Since the number of kernels with the AppArmor patch applied is
      increasing, I introduced a mechanism which determines whether
      specific patches are applied or not, based on "#define" directives
      in the patches.

Fix 2008/08/29

    @ Remove "-ccs" suffix from Makefile's EXTRAVERSION.

      To reduce conflicts on Makefile's EXTRAVERSION,
      I removed the "-ccs" suffix from ccs-patch-2.\*.diff .
      Those who build kernels without using specs/build-\*.sh ,
      please edit the EXTRAVERSION tag manually so that original kernels
      will not be overwritten by TOMOYO Linux kernels.

Version 1.6.4 2008/09/03 Minor update release.

Fix 2008/09/09

    @ Add "try again" response to "delayed enforcing" mode.

      To be able to handle pathname changes caused by software updates,
      "delayed enforcing" mode was introduced. It allows the administrator
      to grant access requests which are about to be rejected by the kernel.

      To handle pathname changes caused by software updates better,
      I introduced the "try again" response. As "delayed enforcing" mode
      puts a process which violated policy to sleep, the administrator can
      update policy while the process is sleeping. The "try again" response
      allows the administrator to restart policy checks from the beginning
      after updating policy.

Fix 2008/09/11

    @ Remember whether the process is allowed to write to /proc/ccs/ interface.

      Since programs for manipulating policy (e.g. ccs-queryd ) are installed
      in the form of RPM/DEB packages, these programs lose their original
      pathnames when they are updated by the package manager. The package
      manager renames these programs before deleting them so that it can
      roll back the operation.
      This causes a problem when the programs are listed in /proc/ccs/manager
      by pathname, as a still running process of the old version of the
      program will no longer be allowed to write to the /proc/ccs/ interface.

      To solve this problem, I modified the kernel to remember that the
      process was once allowed to write to the /proc/ccs/ interface, until
      the process attempts to execute a different program.
      This change makes it impossible to revoke permission to write to
      the /proc/ccs/ interface without killing the process, but that is
      better than a nonfunctioning ccs-queryd program.

Fix 2008/09/19

    @ Allow selecting a domain by PID.

      Sometimes we want to know what ACLs are given to a specific PID, but
      finding the domainname for that PID from /proc/ccs/.process_status and
      then reading ACLs from /proc/ccs/domain_policy by domainname is very
      slow. Thus, I modified /proc/ccs/domain_policy to allow selecting a
      domain by PID. For example, to read the domain ACL of the current
      process from bash, run as follows.

      # exec 100<>/proc/ccs/domain_policy
      # echo select pid=$$ >&100
      # while read -u 100; do echo "$REPLY"; done
      # exec 100>&-

      Once a domain is selected by PID, reading /proc/ccs/domain_policy will
      print only that domain if that PID exists, or print nothing otherwise.

    @ Disallow concurrent /proc/ccs/ access using the same file descriptor.

      Until now, one process could read() from /proc/ccs/ while another
      process that shares the file descriptor write()s to /proc/ccs/ .
      But to implement the "Allow selecting a domain by PID" feature, I
      disabled concurrent read()/write() because the feature needs to
      modify the read buffer while writing.

Fix 2008/10/01

    @ Add retry counter into /proc/ccs/query .

      To be able to handle some of the queries from /proc/ccs/query without
      the user's interaction, I added a retry counter for avoiding an
      infinite loop caused by the "try again" response.

Fix 2008/10/07

    @ Don't transit to new domain until do_execve() succeeds.

      Until now, a process's domain was updated to the new domain which the
      process will belong to before do_execve() succeeded, so that the kernel
      could do permission checks for interpreters and environment variables
      based on the new domain. But this caused a subtle problem when another
      process sent signals to the process, because the process returns to
      the old domain if do_execve() fails.

      So, I modified the code to pass the new domain to functions, so that
      I can avoid modifying a process's domain before do_execve() succeeds.

    @ Use old task state for audit logs.

      Until now, audit logs were generated using the task state after
      processing the "; set task.state" part. But to generate accurate logs,
      I modified the code to save the task state before processing the
      "; set task.state" part and use the saved state for audit logs.

    @ Use a structure for passing parameters.

      As the number of parameters is increasing, I modified the code to use
      a structure for passing parameters.

Fix 2008/10/11

    @ Remove domain_acl_lock mutex.

      I noticed that I don't need to keep all functions that modify an ACL
      of a domain mutually exclusive. Since each function handles a different
      type of ACL, locking is needed only when they append an ACL to a
      domain. So, I modified the code to use local locks.

Fix 2008/10/14

    @ Fix ccs_check_condition() bug.

      Due to a bug in ccs_check_condition(), it was impossible to use
      task.state[0] task.state[1] task.state[2] inside the condition part
      if the ACL does not deal with a pathname. For example, an ACL like

      allow_network TCP connect @HTTP_SERVERS 80 if task.state[0]=100

      didn't work.

Fix 2008/10/15

    @ Show process information in /proc/ccs/.process_status .

      To be able to determine a process's type, I added a command "info PID"
      which returns process information for the specified PID in
      "PID manager=\* execute_handler=\* state[0]=\$ state[1]=\$ state[2]=\$"
      format.

Fix 2008/10/20

    @ Use rcu_dereference() when walking the list.

      I was relying on "dependency ordering" for appending an element to a
      list without asking the reader to take a lock. But "dependency
      ordering" is not respected by DEC Alpha or by some aggressive
      value-speculation compiler optimizations.

      In such environments, reliance on "dependency ordering" can lead to a
      system crash because the reader might read uninitialized values of a
      newly appended element.

      To prevent the reader from reading uninitialized values of a newly
      appended element, I inserted rcu_dereference() when walking the list.

Fix 2008/11/04

    @ Use sys_getpid() instead of current->pid.

      Kernel 2.6.24 introduced PID namespaces.

      To compare a PID given from userland, I can't use current->pid.
      So, I modified the code to use sys_getpid() instead of current->pid.

      I modified the code to use task_tgid_nr_ns() for 2.6.25 and later
      instead of current->tgid when checking /proc/self/ in
      get_absolute_path().

Fix 2008/11/07

    @ Fix is_alphabet_char().

      is_alphabet_char() should match 'A' - 'Z' and 'a' - 'z',
      but was matching only 'A' - 'F' and 'a' - 'f'.

    @ Add /proc/ccs/.execute_handler .

      Process information became visible to userspace by the
      "Show process information in /proc/ccs/.process_status" feature.
      However, programs specified by the execute_handler directive may run
      as a non-root user, making it impossible to see process information.

      So, I added a new interface that allows execute handler processes
      to see process information. The content of /proc/ccs/.execute_handler
      is identical to /proc/ccs/.process_status .

Version 1.6.5 2008/11/11 Third anniversary release.

Fix 2008/12/01

    @ Introduce "task.type=execute_handler" condition.

      The execute_handler directive is very powerful. You can use this
      directive to do anything you want to do (e.g. logging, validating and
      modifying command line parameters and environment variables, opening,
      closing and redirecting files, creating pipes to implement antivirus
      and spam filtering, deploying a DMZ between the ssh daemon and the
      login shells).

      To be able to use this directive in a domain with the keep_domain
      directive while limiting access to the resources needed for such
      purposes to only programs invoked as an execute handler process, I
      added a new condition.

      In learning mode, the "if task.type=execute_handler" condition part
      will be automatically added for requests issued by an execute_handler
      process.

    @ Introduce file's type and permissions as conditions.

      To be able to limit the file types a process can access, I added
      new conditions for checking a file's type and permissions.
      For example,

      allow_read /etc/fstab if path1.type=file path1.perm=0644

      will allow opening /etc/fstab for reading only if /etc/fstab is a
      regular file and its permission is 0644, and

      allow_write /dev/null if path1.type=char path1.dev_major=1 path1.dev_minor=3

      will allow opening /dev/null for writing only if /dev/null is a
      character device file with major=1 and minor=3 attributes.

    @ Add memory quota for temporary memory used for auditing.

      Although there are the MAX_GRANT_LOG and MAX_REJECT_LOG parameters,
      which limit the number of entries for audit logs so that we can avoid
      memory consumption by audit logs, it would be more convenient if we
      could also limit the size in bytes.
      Thus, I added a new quota line.

      echo Dynamic: 1048576 > /proc/ccs/meminfo

      This quota is not applied to temporary memory used for permission
      checks.

Fix 2008/12/09

    @ Fix ccs_can_save_audit_log() checks.

      Due to the incorrect statement "if (ccs_can_save_audit_log() < 0)"
      while ccs_can_save_audit_log() returns a boolean (which is never
      negative), MAX_GRANT_LOG and MAX_REJECT_LOG were not working.

      This bug will trigger the OOM killer if /usr/sbin/ccs-auditd is not
      running, since the limits no longer apply and nothing else drains
      the audit entries from kernel memory.

Fix 2008/12/24

    @ Add "ccs_" prefix.

      To be able to tell whether a symbol is TOMOYO Linux related or not,
      I added the "ccs_" prefix as much as possible.

    @ Fix ccs_check_flags() error message.

      I meant to print the SYAORAN-ERROR: message when error == -EPERM,
      but I was printing it when error == 0 since 1.6.0 .

Fix 2009/01/05

    @ Use kmap_atomic()/kunmap_atomic() for reading "struct linux_binprm".

      As remove_arg_zero() uses kmap_atomic(KM_USER0), I modified the code to
      use kmap_atomic(KM_USER0) rather than kmap().

Fix 2009/01/28

    @ Fix "allow_read" + "allow_write" != "allow_read/write" problem.

      Since 1.6.0 , due to a bug in ccs_update_single_path_acl(),
      appending an "allow_read/write" entry didn't update the internal
      "allow_read" and "allow_write" entries. As a result, an attempt to
      open(O_RDWR) succeeds but open(O_RDONLY) and open(O_WRONLY) fail.

      The workaround is to write the entry twice when newly appending it.
      If written twice, the internal "allow_read" and "allow_write" entries
      are updated.

Fix 2009/02/26

    @ Fix profile read error.

      Incorrect profiles were shown in /proc/ccs/profile
      if either CONFIG_SAKURA or CONFIG_TOMOYO was disabled.

Fix 2009/03/02

    @ Undelete CONFIG_TOMOYO_AUDIT option.

      While HDD-less systems can use profiles with MAX_GRANT_LOG=0 and
      MAX_REJECT_LOG=0 , I undeleted the CONFIG_TOMOYO_AUDIT option for
      saving the memory used by the /proc/ccs/grant_log and
      /proc/ccs/reject_log interfaces.

Fix 2009/03/13

    @ Show only profile entry names ever specified.

      Even if an administrator specifies only COMMENT= and MAC_FOR_FILE=
      entries for /proc/ccs/profile , all available profile entries are
      shown. This was designed to help administrators know what entries are
      available, but the entries showing default values sometimes make the
      output noisy for administrators.

      Thus, I modified the code to show only the profile entry names ever
      specified.

Fix 2009/03/18

    @ Add MAC_FOR_IOCTL functionality.

      To be able to restrict ioctl() requests, I added MAC_FOR_IOCTL
      functionality.

      This functionality requires modification of ccs-patch-\*.diff .

    @ Use better name for socket's pathname.

      Until now, a socket's pathname was represented in "socket:[\$]" format
      where \$ is the inode number. But the inode number is useless for
      name based access control. Therefore, I modified the code to represent
      a socket's pathname in "socket:[family=\$:type=\$:protocol=\$]" format.

      This will help administrators control ioctl() against sockets more
      precisely.

    @ Fix misplaced ccs_capable() call. (only 2.6.8-\* and 2.6.9-\*)

      The location of the ccs_capable(TOMOYO_SYS_IOCTL) call in sys_ioctl()
      was wrong since version 1.1 .

    @ Insert ccs_check_ioctl_permission() call.

      To make the MAC_FOR_IOCTL functionality work, I inserted a
      ccs_check_ioctl_permission() call into ccs-patch-\*.diff .

Fix 2009/03/23

    @ Move sysctl()'s check from ccs-patch-\*.diff to fs/tomoyo_file.c .

      Since try_parse_table() in kernel/sysctl.c is almost identical between
      all versions, I moved that function to fs/tomoyo_file.c .

    @ Relocate definitions and functions.

      To reduce exposed symbols, I relocated some definitions and functions.

Fix 2009/03/24

    @ Add CONFIG_TOMOYO_BUILTIN_INITIALIZERS option.

      Some systems don't have /sbin/modprobe and /sbin/hotplug .
      Thus, I made these pathnames configurable.

Version 1.6.7 2009/04/01 Feature enhancement release.

Fix 2009/04/06

    @ Drop "undelete domain" command.

      I added the "undelete domain" command on 2007/01/19, but it was never
      used by the policy management tools. The garbage collector I added on
      2007/01/29 will automatically reuse memory and allow administrators to
      switch domain policy periodically, provided that the administrator
      kills processes in old domains before recreating new domains with the
      same domainnames.

      Thus, I dropped the "undelete domain" command.

    @ Escape invalid characters in ccs_check_mount_permission2().

      ccs_check_mount_permission2() was passing unencoded strings to printk()
      and ccs_update_mount_acl() and ccs_check_supervisor(). This may cause
      /proc/ccs/system_policy and /proc/ccs/query to contain invalid
      characters within a string.

Fix 2009/04/07

    @ Fix IPv4's "address_group" handling error.

      Since 1.6.5 , due to the lack of an ntohl() (byte order conversion)
      call in ccs_update_address_group_entry(), "address_group" with IPv4
      addresses was not working.

      This problem happens on little endian platforms (e.g. x86).

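      Added illustration for the entry above (example code written for this
      page, not TOMOYO's source): the same comparison done in userland C,
      with the policy side built once with the ntohl() call and once
      without it. inet_pton() yields the raw network-byte-order value the
      kernel would see on the wire; the request side always converts with
      ntohl(), as the already-correct half of the code did. The struct and
      function names (ipv4_entry, build_entry, address_group_matches) are
      this example's own.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Bounds of one address_group entry as this example's policy parser
 * stores them. After the fix both values are in host byte order. */
struct ipv4_entry {
    uint32_t min;
    uint32_t max;
};

/* Parse a dotted quad into the raw 32-bit value as it travels in a packet
 * (network byte order). Returns 1 on success, 0 on a malformed string. */
static int parse_ipv4(const char *text, uint32_t *raw_nbo)
{
    struct in_addr a;
    if (inet_pton(AF_INET, text, &a) != 1)
        return 0;
    *raw_nbo = a.s_addr;
    return 1;
}

/* Build an entry from the policy text "lo-hi". `with_ntohl` selects the
 * fixed parser (1) or the pre-fix one that forgot the conversion (0). */
static int build_entry(const char *lo, const char *hi, int with_ntohl,
                       struct ipv4_entry *e)
{
    uint32_t a, b;
    if (!parse_ipv4(lo, &a) || !parse_ipv4(hi, &b))
        return 0;
    e->min = with_ntohl ? ntohl(a) : a;
    e->max = with_ntohl ? ntohl(b) : b;
    return 1;
}

/* Request side: the address taken from the socket is compared in host
 * byte order. This half was already correct before the fix. */
static int entry_matches(const struct ipv4_entry *e, uint32_t raw_nbo)
{
    uint32_t h = ntohl(raw_nbo);
    return h >= e->min && h <= e->max;
}

/* Does address `ip` fall inside the entry "lo-hi"? Returns 1/0, or -1 on
 * a parse error. */
int address_group_matches(const char *lo, const char *hi, const char *ip,
                          int with_ntohl)
{
    struct ipv4_entry e;
    uint32_t raw;
    if (!build_entry(lo, hi, with_ntohl, &e) || !parse_ipv4(ip, &raw))
        return -1;
    return entry_matches(&e, raw);
}

/* 1 on little-endian hosts (x86), where the missing ntohl() is visible. */
int host_is_little_endian(void)
{
    uint16_t probe = 1;
    return *(const unsigned char *)&probe == 1;
}

/* 1 when the pre-fix parser misbehaves exactly as the changelog describes:
 * a single-address entry never matches and a small range swallows an
 * unrelated address. On a big-endian host the two parsers agree and this
 * returns 0. */
int prefix_bug_reproduced(void)
{
    return address_group_matches("127.0.0.1", "127.0.0.1", "127.0.0.1", 0) == 0
        && address_group_matches("10.0.0.0", "10.0.0.255", "192.168.1.1", 0) == 1;
}

int main(void)
{
    /* constructed sample entries and request addresses */
    const char *cases[][3] = {
        { "127.0.0.1", "127.0.0.1", "127.0.0.1" },   /* single address */
        { "10.0.0.0", "10.0.0.255", "10.0.0.5" },    /* inside range */
        { "10.0.0.0", "10.0.0.255", "192.168.1.1" }, /* outside range */
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-12s in %s-%s: fixed=%d pre-fix=%d\n", cases[i][2],
               cases[i][0], cases[i][1],
               address_group_matches(cases[i][0], cases[i][1], cases[i][2], 1),
               address_group_matches(cases[i][0], cases[i][1], cases[i][2], 0));
    return 0;
}
```

      On x86 the pre-fix build fails to match the single-address entry
      127.0.0.1 and, worse, lets 192.168.1.1 fall inside 10.0.0.0-10.0.0.255,
      because the byte-reversed bounds span almost the whole address space.
      On a big-endian host both builds agree, which is why the entry says
      the problem is specific to little endian platforms.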
Fix 2009/05/08

    @ Add condition for symlink's target pathname.

      Until now, the "allow_symlink" keyword allowed creation of a symlink
      but did not check the symlink's target. Usually this is no problem
      because permission checks are done using the dereferenced pathname.
      But in some cases, we should restrict the symlink's target. For
      example, "ln -s .htpasswd /var/www/html/readme.html" by a CGI program
      should be blocked because we will allow Apache to read both
      /var/www/html/readme.html and /var/www/html/.htpasswd .

      Thus, I added a new condition, "symlink.target".

      allow_symlink /var/www/html/\*.html if symlink.target="\*.html"

      allow_symlink /var/www/html/\*\-.\* if symlink.target="\*\-.\*"

    @ Don't return -EAGAIN at ccs_socket_recvmsg_permission().

      It turned out that accept() and recvmsg() are not permitted to
      return -EAGAIN if poll() said connections/datagrams are ready. However,
      recvmsg() could return -EAGAIN and potentially confuse some
      applications because ccs_socket_recvmsg_permission() was returning
      -EAGAIN.

      Thus, I modified ccs_socket_recvmsg_permission() to return -ENOMEM
      rather than -EAGAIN.

Fix 2009/05/19

    @ Don't call get_fs_type() with a mutex held.

      Until now, when ccs_update_mount_acl() was called with an unsupported
      filesystem, /sbin/modprobe was executed from get_fs_type() to load the
      filesystem module. And get_fs_type() does not return until
      /sbin/modprobe finishes.

      This means that it will deadlock if /sbin/modprobe (which is executed
      via get_fs_type() in ccs_update_mount_acl()) calls
      ccs_update_mount_acl(); although it won't happen unless an
      administrator inserts an execute_handler to call mount() requests in
      learning mode or to add "allow_mount" entries to
      /proc/ccs/system_policy .

      I modified the code to unlock the mutex before calling get_fs_type().

Fix 2009/05/20

    @ Update recvmsg() hooks.

      Since 1.5.0, I was doing network access control for incoming UDP and
      RAW packets inside skb_recv_datagram(). But to synchronize with the
      LSM version, I moved the ccs_recv_datagram_permission() hook from
      skb_recv_datagram() to
      udp_recvmsg()/udpv6_recvmsg()/raw_recvmsg()/rawv6_recvmsg(), renaming
      it to ccs_recvmsg_permission().

Version 1.6.8 2009/05/28 Feature enhancement release.

Fix 2009/07/03

    @ Fix buffer overrun when used with CONFIG_SLOB=y .

      Since 1.6.7 , ccs_allocate_execve_entry() was requesting only 4000
      bytes while the comment says it is 4096 bytes. This may lead to a
      buffer overrun when the slob allocator is used, because the slob
      allocator allocates exactly 4000 bytes whereas the slab and slub
      allocators round the request up to 4096 bytes.

Fix 2009/09/01

    @ Add garbage collector support.

      Until now, it was impossible to release memory used by deleted policy.
      I added an SRCU based garbage collector so that memory used by deleted
      policy will be automatically released.

    @ Remove word length limitation and line length limitation.

      Until now, the max length of a word was 4000 and the max length of a
      line was 8192. To be able to handle longer pathnames, I removed these
      limitations. Now, the max length (except for the domainname and
      argv[]/envp[]) is 128K (which is the max amount of memory kmalloc()
      can allocate in most environments).

    @ Support more fine grained profile configuration.

      The profile was reconstructed.

    @ Support more fine grained parameter restrictions.

      "allow_create", "allow_mkdir", "allow_mkfifo" and "allow_mksock" check
      the create mode. "allow_mkblock" and "allow_mkchar" check the create
      mode and major/minor device numbers. "allow_chmod" checks the new
      mode. "allow_chown" checks the new owner. "allow_chgrp" checks the new
      group.

    @ Allow number grouping.

      To help specifying numeric values, a new directive "number_group" is
      introduced.

    @ Remove "alias" directive and "allow_argv0" directive.

      Until now, "allow_execute" used the dereferenced pathname if the
      program was a symlink, unless explicitly specified by the "alias"
      directive.

      Now, "allow_execute" uses the symlink's pathname if the program is a
      symlink. "exec.realpath" in the "if" clause checks the dereferenced
      pathname. "exec.argv[0]" in the "if" clause checks the invocation name.

    @ Remove /proc/ccs/system_policy and /etc/ccs/system_policy.conf .

      "deny_autobind" was moved to /proc/ccs/exception_policy and
      /etc/ccs/exception_policy.conf . Other directives were moved to
      /proc/ccs/domain_policy and /etc/ccs/domain_policy.conf .

    @ Remove syaoran filesystem.

      Since "allow_create"/"allow_mkdir"/"allow_mkfifo"/"allow_mksock"/
      "allow_mkblock"/"allow_mkchar"/"allow_chmod"/"allow_chown"/"allow_chgrp"
      can restrict mode changes and owner/group changes, there is no need to
      restrict these changes at the filesystem level.

      Thus, I removed the syaoran filesystem.

    @ Reduce spinlocks.

      Until now, TOMOYO was using its own list for detecting memory leaks.
      But as kernel 2.6.31 introduced a memory leak detection mechanism
      ( CONFIG_DEBUG_KMEMLEAK ), TOMOYO no longer needs to use its own list.

      I removed the list to reduce the use of spinlocks.

    @ Rewrite ccs-patch-2.\*.diff .

      ccs-patch-2.\*.diff was rewritten in the style of LSM hooks.

    @ Don't check "allow_read/write" for open-for-ioctl-only.

      open(pathname, 3) means open for ioctl() only.
      Until now, TOMOYO was checking "allow_read/write" for open(pathname, 3).
      But since TOMOYO checks "allow_ioctl" for ioctl(), I modified the code
      not to require "allow_read/write" for open(pathname, 3).

    @ Add missing sigqueue() and tgsigqueue() hooks.

      Until now, kill(), tkill() and tgkill() had hooks but sigqueue() and
      tgsigqueue() didn't.

    @ Move files from fs/ to security/ccsecurity.

      The config menu section changed from "File systems" to "Security
      options".

      Kernel config symbols changed from CONFIG_SAKURA CONFIG_TOMOYO
      CONFIG_SYAORAN to CONFIG_CCSECURITY .

    @ Add global PID to audit logs.

      ccs-queryd was using the domainname for reaching the domain which the
      process belongs to, but the domain could be deleted while ccs-queryd
      is handling a policy violation. If the domain is deleted, ccs-queryd
      can no longer reach the domain by domainname. Thus, ccs-queryd now
      uses the PID for reaching the domain which the process belongs to.

      Kernel 2.6.24 introduced PID namespaces. The PID in access logs
      generated by a process inside a container is useless for ccs-queryd
      for reaching the domain which the process belongs to.

      Thus, I added the global PID to audit logs.

    @ Transit to new domain before do_execve() succeeds.

      Permission checks for interpreters and environment variables are
      done using the new domain. In order to allow ccs-queryd to reach the
      new domain via the global PID, I reverted "Don't transit to new
      domain until do_execve() succeeds." made on 2008/10/07.

Version 1.7.0 2009/09/03 Feature enhancement release.

Fix 2009/09/04

    @ Fix wrong ccs_profile() calls.

      I can't call ccs_profile() for a profile existence test because
      ccs_profile() never returns NULL.

Fix 2009/09/06

    @ Fix wrong error code in ccs_try_alt_exec().

      ccs_try_alt_exec() was returning ENOMEM when kmalloc() failed.
      It needs to return -ENOMEM to fail.

Fix 2009/09/10

    @ Do not check umount() permission for mount(MS_MOVE) requests.

      Until 1.6.x , umount() restriction was black listing. In 1.7.0 , it is
      white listing. This change caused "mount --move old new" requests to
      require the "allow_unmount old" permission in addition to the
      "allow_mount old new --move 0" permission.
      But we don't want to allow umount(old) requests when we want to allow
      only mount(old, new, MS_MOVE) requests. Thus, I modified the code not
      to check the "allow_unmount old" permission for mount(old, new,
      MS_MOVE) requests.

Fix 2009/09/11

    @ Support recursive match operators.

      Until now, ccs_path_matches_pattern() did not support recursive
      comparison. Thus, users had to repeat "/\*" when they wanted to match
      recursively.

      I introduced "\{" and "\}" as a repetition operator.
      To ensure consistency with TOMOYO's '/'-tokenized pattern matching
      rules and the "\-" operator, only "/\{dir\}/" sequences (where dir
      does not contain '/') are permitted.

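      Added example, not the project's ccs_path_matches_pattern(): a small
      '/'-tokenized matcher in C that shows how a "/\{dir\}/" component can
      be handled by matching dir against one path component at a time and
      retrying the rest of the pattern after each one. Assumptions of this
      example: "\{dir\}/" stands for one or more repetitions of "dir/",
      only "\*" and "\?" are supported inside a component, any other
      backslash escape is taken as the literal following character, and the
      "\-" operator is not implemented. In C source the pattern
      "/var/\{\*\}/\*.html" is spelled "/var/\\{\\*\\}/\\*.html".

```c
#include <stdio.h>
#include <string.h>

/* Match one '/'-free path component [s, se) against the pattern component
 * [p, pe). Supports "\*" (zero or more non-'/' characters) and "\?"
 * (exactly one); any other "\x" is taken as the literal character x. */
static int comp_match(const char *p, const char *pe, const char *s, const char *se)
{
    while (p < pe) {
        if (*p == '\\' && p + 1 < pe) {
            char c = p[1];
            p += 2;
            if (c == '*') {
                /* Try every possible length for the run "\*" absorbs. */
                for (const char *t = s;; t++) {
                    if (comp_match(p, pe, t, se))
                        return 1;
                    if (t == se)
                        return 0;
                }
            }
            if (s == se || (c != '?' && *s != c))
                return 0;
            s++;
            continue;
        }
        if (s == se || *s != *p)
            return 0;
        p++;
        s++;
    }
    return s == se;
}

/* Match the remaining components. p and s point just past a '/'. */
static int path_match_at(const char *p, const char *s)
{
    const char *pe = strchr(p, '/'), *se = strchr(s, '/');
    if (!pe) pe = p + strlen(p);
    if (!se) se = s + strlen(s);

    /* "/\{dir\}/": the whole component is the repetition operator and it
     * must be followed by '/'. Assumed semantics: "dir/" one or more times. */
    if (*pe == '/' && pe - p >= 4 && p[0] == '\\' && p[1] == '{' &&
        pe[-2] == '\\' && pe[-1] == '}') {
        const char *dir = p + 2, *dir_end = pe - 2;
        const char *t = s, *te = se;
        for (;;) {
            if (*te != '/' || !comp_match(dir, dir_end, t, te))
                return 0;       /* another "dir/" is required but absent */
            if (path_match_at(pe + 1, te + 1))
                return 1;       /* stop repeating here */
            t = te + 1;         /* absorb one more component and retry */
            te = strchr(t, '/');
            if (!te) te = t + strlen(t);
        }
    }
    if (!comp_match(p, pe, s, se))
        return 0;
    if (*pe == '\0' || *se == '\0')
        return *pe == '\0' && *se == '\0';  /* both must end together */
    return path_match_at(pe + 1, se + 1);
}

/* 1 if absolute `path` matches absolute `pattern`, else 0. */
int path_matches_pattern(const char *pattern, const char *path)
{
    if (pattern[0] != '/' || path[0] != '/')
        return 0;
    return path_match_at(pattern + 1, path + 1);
}

int main(void)
{
    /* constructed sample pattern and paths */
    const char *pat = "/var/\\{\\*\\}/\\*.html";
    const char *paths[] = { "/var/www/html/index.html", "/var/index.html",
                            "/var/www/html/cgi/form.html" };
    for (size_t i = 0; i < sizeof(paths) / sizeof(paths[0]); i++)
        printf("%-30s %s\n", paths[i],
               path_matches_pattern(pat, paths[i]) ? "match" : "no match");
    return 0;
}
```

      Because matching is done per component, "\*" never crosses a '/'
      (so "/etc/\*" does not match "/etc/ssh/sshd_config"), and a pattern
      ending in "/" only matches a path that also ends in "/".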
Fix 2009/09/24

    @ Don't check chmod/chown capability for requests from kernel.

      Until now, ccs_setattr_permission() was inserted in notify_change().
      But notify_change() is also called for requests from the kernel (e.g.
      UnionFS), which made it difficult to use TOMOYO on UnionFS.

      Thus, I moved the ccs_capable() checks from ccs_setattr_permission()
      to ccs_chmod_permission() and ccs_chown_permission(), and removed
      ccs_setattr_permission().

Fix 2009/09/25

    @ Embed more information into audit logs.

      Until now, /proc/ccs/grant_log /proc/ccs/reject_log /proc/ccs/query
      were not printing the file's information (e.g. the file's
      uid/gid/mode).

      Recently, users who started using the "if" clause expect that the
      learning mode automatically adds various conditions like
      "if task.uid=path1.uid".

      But the profile would become too complicated if I supported all
      possible conditions. Thus, I added all the information that is needed
      to generate an "if" clause with all possible conditions from the audit
      logs.

      Now, the learning mode has a different usage. Users can specify
      "CONFIG::learning={ max_entry=0 }" in the profile. All requests which
      are not permitted by policy will be sent to /proc/ccs/reject_log with
      "mode=learning" header lines. Users can selectively append conditions
      and then append the entries to the policy using
      "/usr/sbin/ccs-loadpolicy -d".
      The learning mode with "CONFIG::learning={ max_entry=0 }" is almost
      the same as the permissive mode; the only difference is "mode=learning"
      versus "mode=permissive" in the header lines.

Fix 2009/10/05

    @ Fix size truncation bug at ccs_memcmp().

      ccs_memcmp() was using "u8" for the size parameter by error.
      Therefore, when a size >= 256 was passed to ccs_memcmp(), it did a
      partial comparison (incorrect result) or a read overrun (CPU stall).

      ccs_memcmp() should use "size_t" for the size parameter because the
      size of "struct ccs_condition" may exceed 256 bytes if a complicated
      condition is given.

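      Added example (not TOMOYO's code) reproducing the effect of the "u8"
      size parameter in userland C: the caller's size_t is converted to an
      8-bit value at the call, so only size modulo 256 bytes are compared.
      With two 300-byte blobs that differ only in their last byte, the
      pre-fix shape reports them equal and the size_t version does not; for
      TOMOYO that meant two different "struct ccs_condition" objects could
      be taken as the same one. Function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pre-fix shape (illustrative, not TOMOYO's source): the length parameter
 * is an 8-bit integer, so a caller's size_t is reduced modulo 256 before
 * memcmp() ever sees it. */
static int memcmp_u8(const void *a, const void *b, uint8_t size)
{
    return memcmp(a, b, size);
}

/* Fixed shape: size_t carries the whole length. */
static int memcmp_size_t(const void *a, const void *b, size_t size)
{
    return memcmp(a, b, size);
}

/* How many bytes the pre-fix function actually compared for a request of
 * `size` bytes: only the low 8 bits survive the implicit conversion. */
size_t bytes_actually_compared(size_t size)
{
    return (uint8_t)size;
}

/* Two blobs of `len` bytes that agree everywhere except the last byte,
 * standing in for two condition structures that share every early field
 * (constructed sample data). */
static void make_pair(unsigned char *a, unsigned char *b, size_t len)
{
    memset(a, 0x5a, len);
    memcpy(b, a, len);
    b[len - 1] ^= 0x01;
}

/* 1 if the pre-fix compare wrongly reports the two blobs as equal while
 * the fixed compare reports them different, else 0. */
int truncation_hides_difference(size_t len)
{
    unsigned char a[1024], b[1024];
    if (len < 2 || len > sizeof(a))
        return 0;
    make_pair(a, b, len);
    int buggy_equal = (memcmp_u8(a, b, (uint8_t)len) == 0);
    int fixed_equal = (memcmp_size_t(a, b, len) == 0);
    return buggy_equal && !fixed_equal;
}

int main(void)
{
    size_t sizes[] = { 100, 255, 256, 300, 512 };
    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++)
        printf("size=%3zu compared=%3zu difference hidden=%d\n", sizes[i],
               bytes_actually_compared(sizes[i]),
               truncation_hides_difference(sizes[i]));
    return 0;
}
```

      Sizes below 256 behave normally; at exactly 256 or 512 nothing is
      compared at all, and at 300 only the first 44 bytes are. The read
      overrun the entry mentions is the mirror case, a truncated length
      being used elsewhere against a buffer of the full size, which this
      userland example does not attempt to reproduce.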
2183     Fix 2009/10/08
2184    
2185     @ Add CONFIG_CCSECURITY_DEFAULT_LOADER option.
2186    
2187     I made the default policy loader's pathname ( /sbin/ccs-init )
2188     configurable.
2189    
2190     @ Add CONFIG_CCSECURITY_ALTERNATIVE_TRIGGER option.
2191    
2192     Some environments do not have /sbin/init . In such environments, we need
2193     to use different program's pathname (e.g. /init or /linuxrc ) as
2194     activation trigger.
2195    
2196     Thus, I made the alternative trigger ( /sbin/ccs-start ) configurable.
2197 kumaneko 3128
2198     Fix 2009/11/02
2199    
2200     @ Fix buffer contention.
2201    
2202     A permission like
2203    
2204     allow_env PATH if exec.envp["PATH"]="/"
2205    
2206     was not working since I was using the same buffer for both environment
2207     variable's name and value.
2208 kumaneko 3130
2209     Fix 2009/11/03
2210    
2211     @ Fix memory leak in ccs_write_address_group_policy().
2212    
2213     I forgot to call kfree() if same entry was added.
2214 kumaneko 3131
2215     @ Reduce mutexes.
2216    
2217     I was using mutex_lock()/mutex_unlock() so that I can use
2218     atomic_dec_and_test() for removing an element from a list.
2219     I moved that operation to garbage collector in order to reduce frequency
2220     of mutex_lock()/mutex_unlock() calls.
2221 kumaneko 3132
2222     @ Escape from nested loops correctly.
2223    
2224     In ccs_read_address_group_policy(), I was escaping from nested loops
2225     correctly. But in ccs_read_path_group_policy() and
2226     ccs_read_number_group_policy(), I wasn't.
2227    
2228     As a result, reading path_group and number_group caused kernel oops
2229     when they were not read atomically.
2230 kumaneko 3148
2231     Fix 2009/11/06
2232    
2233     @ Fix incorrect allow_mount audit log.
2234    
2235 kumaneko 3149 Audit log for allow_mount was using decimal format.
2236 kumaneko 3148 It needs to use hexadecimal format.
2237 kumaneko 3158
2238     Fix 2009/11/09
2239    
2240     @ Add profile version check.
2241    
2242     To avoid upgrading from TOMOYO 1.6.x to TOMOYO 1.7.x without upgrading
2243     /proc/ccs/profile (which results in not protecting the system at all),
2244     I added a check for PROFILE_VERSION= .
2245    
2246     Version 1.7.1 2009/11/11 Fourth anniversary release.
2247 kumaneko 3187
Fix 2009/11/13

@ Don't use core_initcall() for initializing the lock for GC.

Some kernels call TOMOYO's hooks before core_initcall() has run.
Thus, I can't use core_initcall() for initializing the lock for GC.

Fix 2009/11/18

@ Don't check "allow_write" permission for open(O_RDONLY | O_TRUNC).

Since TOMOYO checks the "allow_truncate" permission rather than the
"allow_write" permission for O_TRUNC, I need to distinguish
open(O_RDONLY | O_TRUNC) from open(O_RDWR | O_TRUNC). But I made a
mistake between TOMOYO 1.7.0 and 1.7.1 which made it impossible for
TOMOYO on kernels 2.6.14 and earlier to distinguish them.

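The permission mapping this fix restores, as an added example that is not TOMOYO's own code: open(2) flags are translated into the 1.7-style permissions a policy must grant, with O_TRUNC mapped to allow_truncate independently of the access mode, and a *_buggy variant reproduces the described behaviour of treating any O_TRUNC as a write. The PERM_* bits, open_required_perms(), open_allowed() and perm_keywords() are names chosen for this example; the granted-permission set in main() is a constructed domain.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>

/* Added example, not TOMOYO's own code: which 1.7-style file permissions an
 * open(2) call needs.  O_TRUNC maps to allow_truncate and is independent of
 * the access mode, so open(O_RDONLY | O_TRUNC) must not require allow_write.
 * The *_buggy variant reproduces the behaviour described above: any O_TRUNC
 * was treated as a write. */

enum {
    PERM_READ     = 1,   /* allow_read */
    PERM_WRITE    = 2,   /* allow_write */
    PERM_TRUNCATE = 4    /* allow_truncate */
};

unsigned open_required_perms(int flags)
{
    unsigned need = 0;
    int acc = flags & O_ACCMODE;

    if (acc == O_RDONLY || acc == O_RDWR)
        need |= PERM_READ;
    if (acc == O_WRONLY || acc == O_RDWR)
        need |= PERM_WRITE;
    if (flags & O_TRUNC)
        need |= PERM_TRUNCATE;   /* its own permission, not implied write */
    return need;
}

/* Broken mapping: O_TRUNC could not be told apart from a write open. */
unsigned open_required_perms_buggy(int flags)
{
    unsigned need = open_required_perms(flags);
    if (flags & O_TRUNC)
        need |= PERM_WRITE;
    return need;
}

/* 1 if every permission the open needs is granted for the path. */
int open_allowed(unsigned granted, int flags, int buggy)
{
    unsigned need = buggy ? open_required_perms_buggy(flags)
                          : open_required_perms(flags);
    return (need & ~granted) == 0;
}

/* Render a permission set as the policy keywords it corresponds to. */
const char *perm_keywords(unsigned perms)
{
    static char buf[64];
    buf[0] = '\0';
    if (perms & PERM_READ)
        strcat(buf, "allow_read");
    if (perms & PERM_WRITE)
        strcat(buf, buf[0] ? " allow_write" : "allow_write");
    if (perms & PERM_TRUNCATE)
        strcat(buf, buf[0] ? " allow_truncate" : "allow_truncate");
    return buf;
}

int main(void)
{
    /* constructed domain: a log rotator granted allow_read and allow_truncate
     * on its log file, but not allow_write */
    unsigned granted = PERM_READ | PERM_TRUNCATE;

    printf("open(O_RDONLY|O_TRUNC) needs: %s\n",
           perm_keywords(open_required_perms(O_RDONLY | O_TRUNC)));
    printf("fixed: %s  buggy: %s\n",
           open_allowed(granted, O_RDONLY | O_TRUNC, 0) ? "allowed" : "denied",
           open_allowed(granted, O_RDONLY | O_TRUNC, 1) ? "allowed" : "denied");
    printf("open(O_RDWR|O_TRUNC) needs: %s\n",
           perm_keywords(open_required_perms(O_RDWR | O_TRUNC)));
    return 0;
}
```

On Linux, open(O_RDONLY | O_TRUNC) really does truncate a regular file, which is why truncation has to be a permission of its own rather than a side effect of the write check; a domain that only needs to empty a file should be granted allow_truncate without allow_write.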
Fix 2009/11/27

@ Use the newly created domain's name for the domain creation audit log.

Since 1.7.0 , /proc/ccs/reject_log was by error using the existing domain's
name when auditing the newly created domain's "use_profile" line.

Fix 2009/12/12

@ Use rcu_read_lock() for find_task_by_pid().

Since kernel 2.6.18 , the caller of find_task_by_pid() needs to call
rcu_read_lock() rather than read_lock(&tasklist_lock), because find_pid()
uses RCU primitives and a spinlock does not prevent an RCU callback from
running if preemptible RCU ( CONFIG_PREEMPT_RCU or CONFIG_TREE_PREEMPT_RCU )
is enabled.

Fix 2009/12/15

@ Don't check DAC permission if disabled mode.

I was checking DAC permissions for directory entry modification
operations (e.g. mkdir()) even if mode=disabled . It is a waste of CPU
resources to check DAC permissions when MAC permissions are not checked.
Thus, I modified it to skip DAC permission checks if mode=disabled .

@ Allow deleting "quota_exceeded" and "transition_failed" entries.

To notify users that "this domain has too many entries to hold" and that
"some process in this domain was not able to perform domain transition",
the "quota_exceeded" and "transition_failed" messages are used
respectively. These messages were not deletable. But it is more
convenient for users to be notified again if such events occur again
after tuning policy. Thus, I made these messages deletable.

Fix 2009/12/17

@ Don't check read permission in ccs_try_alt_exec().

While I was trying to remove the ccs_execve_list list for GC optimization
between TOMOYO 1.7.0 and 1.7.1 , I made a mistake which made TOMOYO
check the allow_read permission of the programs specified by the
execute_handler and denied_execute_handler keywords.