--- trunk/1.6.x/ccs-patch/README.ccs 2008/10/11 08:46:59 1695 +++ trunk/1.6.x/ccs-patch/README.ccs 2008/11/04 04:30:02 1778 @@ -1651,21 +1651,6 @@ As the number of parameters is increasing, I modified to use a structure for passing parameters. - @ Always allow updating task state for signal operations. - - ccs_check_signal_acl() was skipping permission checks if signal is NULL - or sent to self or sent to same domain. To make it possible to update - task state when current process is sending NULL signal or to self or - to same domain, I modified to check ACL anyway. The result of access - control will not change, but this modification will generate granted logs - which were not generated until now. - - @ Show process type in /proc/ccs/.process_status . - - To be able to determine a process's type, I added "(manager)" if the - process is a policy manager and "(execute_handler)" if the process is an - execute handler. - Fix 2008/10/11 @ Remove domain_acl_lock mutex. @@ -1674,3 +1659,52 @@ a domain mutually exclusive. Since each functions handles different type of ACL, locking is needed only when they append an ACL to a domain. So, I modified to use local locks. + +Fix 2008/10/14 + + @ Fix ccs_check_condition() bug. + + Due to a bug in ccs_check_condition(), it was impossible to use + task.state[0] task.state[1] task.state[2] inside condition part + if the ACL does not treat a pathname. For example, an ACL like + + allow_network TCP connect @HTTP_SERVERS 80 if task.state[0]=100 + + didn't work. + +Fix 2008/10/15 + + @ Show process information in /proc/ccs/.process_status . + + To be able to determine a process's type, I added a command "info PID" + which returns process information of the specified PID in + "PID manager=\* execute_handler=\* state[0]=\$ state[1]=\$ state[2]=\$" + format. + +Fix 2008/10/20 + + @ Use rcu_dereference() when walking the list. + + I was using "dependency ordering" for appending an element to a list + without asking the reader to take a lock. But "dependency ordering" + is not respected by DEC Alpha or by some aggressive value-speculation + compiler optimizations. + + On such environment, use of "dependency ordering" can lead to system + crash because the reader might read uninitialized value of newly + appended element. + + To prevent the reader from reading uninitialized value of newly appended + element, I inserted rcu_dereference() when walking the list. + +Fix 2008/11/04 + + @ Use sys_getpid() instead for current->pid. + + Kernel 2.6.24 introduced PID namespace. + + To compare PID given from userland, I can't use current->pid. + So, I modified to use sys_getpid() instead for current->pid. + + I modified to use task_tgid_nr_ns() for 2.6.25 and later instead for + current->tgid when checking /proc/self/ in get_absolute_path().