--- trunk/1.8.x/ccs-patch/README.ccs 2010/10/28 05:37:26 4096 +++ trunk/1.8.x/ccs-patch/README.ccs 2011/12/08 07:06:04 5691 @@ -797,7 +797,7 @@ I was using PAGE_SIZE (4096 in many environments) as the max length of any string data. But for environments that have larger PAGE_SIZE, - doing memset(ptr, 0, PAGE_SIZE) everytime is too wasteful. + doing memset(ptr, 0, PAGE_SIZE) every time is too wasteful. Fix 2007/01/29 @@ -1723,7 +1723,7 @@ to see process information. The content of /proc/ccs/.execute_handler is identical to /proc/ccs/.process_status . -Version 1.6.5 2008/11/11 Third anniversary release. +Version 1.6.5 2008/11/11 Third anniversary release. Fix 2008/12/01 @@ -2243,7 +2243,7 @@ /proc/ccs/profile (which results in not protecting the system at all), I added a check for PROFILE_VERSION= . -Version 1.7.1 2009/11/11 Fourth anniversary release. +Version 1.7.1 2009/11/11 Fourth anniversary release. Fix 2009/11/13 @@ -2382,7 +2382,7 @@ Since 1.7.0 , ccs_lport_reserved() was by error checking wrong port number. As a result, "deny_autobind" keyword was not working as expected. -Version 1.7.2 2010/04/01 Feature enhancement release. +Version 1.7.2 2010/04/01 Feature enhancement release. Fix 2010/04/10 @@ -2659,6 +2659,11 @@ This change allows you to jump to arbitrary domain. + Note that this change also reverts "Change /proc/ccs/info/self_domain ." + made on 2006/10/24. Now, 'cat < /proc/ccs/info/self_domain' will act like + 'cat /proc/ccs/info/self_domain'. Programs depending on old assumption + need to be updated. + @ Add "task auto_domain_transition". This is similar to "task manual_domain_transition", but is automatically @@ -2672,8 +2677,8 @@ task manual_domain_transition //./non-root task.uid!=0 will jump to " //./non-root" domain if current process's UID is - not 0 and current process wrote " //./non-root" + '\n' to - /proc/ccs/.transition interface. + not 0 and current process wrote " //./non-root" to + /proc/ccs/self_domain interface. If domain transition failed, current process will be killed by SIGKILL signal. @@ -2682,4 +2687,370 @@ I merged similar code in order to reduce object's filesize. -Version 1.8.0 2010/XX/XX Feature enhancement release. +Version 1.8.0 2010/11/11 Fifth anniversary release. + +Fix 2010/12/01 + + @ Use same interface for audit logs. + + To be able to perform fine grained filtering by /usr/sbin/ccs-auditd , + I merged /proc/ccs/grant_log and /proc/ccs/reject_log as + /proc/ccs/audit and added granted=yes or granted=no to audit logs. + +Fix 2010/12/17 + + @ Split ccs_null_security into ccs_default_security and ccs_oom_security. + + ccs_null_security is used by preserve KABI compatibility option and is + used for providing default values against threads which have not yet + allocated memory for their security contexts. + + If current thread failed to allocate memory for current thread's security + context, current thread uses ccs_null_security. Since current thread is + allowed to modify current thread's security context, current thread might + modify ccs_null_security which should not be modified for any reason. + + Therefore, I split ccs_null_security into ccs_default_security and + ccs_oom_security and use ccs_oom_security when current thread failed to + allocate memory for current thread's security context. + + Threads which do not share ccs_oom_security are not affected by threads + which share ccs_oom_security. Threads which share ccs_oom_security will + experience temporary inconsistency, but such threads are about to be + killed by SIGKILL signal. + +Fix 2011/01/11 + + @ Use filesystem name for unnamed devices when vfsmount is missing. + + "Change pathname for non-rename()able filesystems." changed to use + "$fsname:" if the filesystem does not support rename() operation and + "dev($major,$minor):" otherwise when vfsmount is missing. But it turned + out that it is useless to use "dev($major,$minor):" for unnamed devices + (filesystems with $major == 0). Thus, I changed to use "$fsname:" rather + than "dev($major,$minor):" for filesystems with $major == 0 when vfsmount + is missing. + +Fix 2011/02/07 + + @ Fix infinite loop bug when reading /proc/ccs/audit or /proc/ccs/query . + + In ccs_flush(), head->r.w[0] holds pointer to string data to be printed. + But head->r.w[0] was updated only when the string data was partially + printed (because head->r.w[0] will be updated by head->r.w[1] later if + completely printed). However, regarding /proc/ccs/audit and + /proc/ccs/query , an additional '\0' is printed after the string data was + completely printed. But if free space for read buffer became 0 before + printing the additional '\0', ccs_flush() was returning without updating + head->r.w[0]. As a result, ccs_flush() forever reprints already printed + string data. + +Fix 2011/03/01 + + @ Run garbage collector without waiting for /proc/ccs/ users. + + Currently TOMOYO holds SRCU lock upon open() and releases it upon close() + because list elements stored in the "struct ccs_io_buffer" instances are + accessed until close() is called. However, such SRCU usage causes lockdep + to complain about leaving the kernel with SRCU lock held. Therefore, + I changed to hold/release SRCU upon each read()/write() by selectively + deferring kfree() by keeping track of the "struct ccs_io_buffer" + instances. + +Fix 2011/03/05 + + @ Support built-in policy configuration. + + To be able to start using enforcing mode from the early stage of boot + sequence, I added support for built-in policy configuration and + activating access control without calling external policy loader program. + + This will be useful for systems where operations which can lead to the + hijacking of the boot sequence are needed before loading the policy. + For example, you can activate immediately after loading the fixed part of + policy which will allow only operations needed for mounting a partition + which contains the variant part of policy and verifying (e.g. running GPG + check) and loading the variant part of policy. Since you can start using + enforcing mode from the beginning, you can reduce the possibility of + hijacking the boot sequence. + +Fix 2011/03/10 + + @ Remove /proc/ccs/meminfo interface. + + Please use /proc/ccs/stat interface instead. + +Fix 2011/03/15 + + @ Pack policy when printing via /proc/ccs/ interface. + + The kernel side is ready for accepting packed input like + + file read/write/execute /path/to/file + + but was using unpacked output like + + file read /path/to/file + file write /path/to/file + file execute /path/to/file + + because most of userland tools were not ready for accepting packed input. + + The advantages of using packed policy are that it makes policy files + smaller and it speeds up loading/saving policy files. + + Since most of userland tools are ready for accepting packed input by now, + I changed to use packed policy for both input and output. + +Fix 2011/03/31 + + @ Fix conditional policy parsing. + + Since exec.realpath= and symlink.target= accept path_group, + symlink.target="@foo" was by error parsed as symlink.target=@foo . + + @ Serialize updating profile's comment line. + + We need to serialize when updating COMMENT= line in /proc/ccs/profile . + +Version 1.8.1 2011/04/01 Usability enhancement with "Zettai, Daijoubudayo" release! + +Fix 2011/04/03 + + @ Fix fcntl(F_SETFL, O_APPEND) handling. + + Since 1.8.0, TOMOYO was by error checking "file write" permission rather + than "file append" permission when changing file's writing mode from + "overwriting" to "append". + + This error should impact little (except CentOS 6.0 kernels) because once + a file was opened for "overwriting" mode, changing that file to "append" + mode cannot undo overwriting the file. Regarding CentOS 6.0 kernels, + due to different ACC_MODE definition, TOMOYO was by error needlessly + checking "file read" permission when fcntl() was requested. + +Fix 2011/04/20 + + @ Remove unused "struct inode *" parameter from hooks. + + Since pre-vfs functions were removed on 2010/09/18, "struct inode *" + parameter which was used for checking parent directory's DAC permission + is no longer used. + + Note that "struct ccsecurity_operations ccsecurity_ops" has changed. + Loadable kernel modules that depends on it need to be rebuilt. + +Fix 2011/05/05 + + @ Fix wrong profile number in audit logs for "misc env" permission. + + Profile number used for "file execute" permission was by error reused + when generating audit logs for "misc env" permission. + +Fix 2011/05/11 + + @ Fix wrong domainname validation. + + "" + "/foo/\" + "/bar" was by error checked when + " /foo/\* /bar" was given. As a result, legal domainnames like + " /foo/\* /bar" are rejected. + +Fix 2011/06/06 + + @ Add policy namespace support. + + To be able to use TOMOYO in LXC environments, I introduced policy + namespace. Each policy namespace has its own set of domain policy, + exception policy and profiles, which are all independent of other + namespaces. + + @ Remove CONFIG_CCSECURITY_BUILTIN_INITIALIZERS option. + + From now on, exception policy and manager need to be able to handle + policy namespace (which is a <$namespace> prefix added to each line). + Thus, space-separated list for CONFIG_CCSECURITY_BUILTIN_INITIALIZERS is + no longer suitable for handling policy namespace. + +Fix 2011/06/10 + + @ Allow specifying trigger for activation. + + To be able to use TOMOYO under systemd environments where init= parameter + is used, I changed to allow overriding the trigger for calling external + policy loader and activating MAC via kernel command line options. + +Fix 2011/06/14 + + @ Remove unused "struct inode *" parameter from ccs-patch-\*.diff . + + To follow changes I made on 2011/04/20, I removed "struct inode *" from + ccs_mknod_permission(), ccs_mkdir_permission(), ccs_rmdir_permission(), + ccs_unlink_permission(), ccs_symlink_permission(), ccs_link_permission(), + ccs_rename_permission() that are called from fs/namei.c + net/unix/af_unix.c include/linux/security.c security/security.c . + If you have your own ccs-patch-*.diff , please update accordingly. + +Version 1.8.2 2011/06/20 Usability enhancement release. + +Fix 2011/07/07 + + @ Remove /proc/ccs/.domain_status interface. + + Writing to /proc/ccs/.domain_status can be emulated by + + ( echo "select " $domainname; echo "use_profile " $profile ) | + /usr/sbin/ccs-loadpolicy -d + + and reading from /proc/ccs/.domain_status can be emulated by + + grep -A 1 '^<' /proc/ccs/domain_policy | + awk ' { if ( domainname == "" ) { if ( substr($1, 1, 1) == "<" ) + domainname = $0; } else if ( $1 == "use_profile" ) { + print $2 " " domainname; domainname = ""; } } ; ' + + . Since this interface is used by only /usr/sbin/ccs-setprofile , + remove this interface by updating /usr/sbin/ccs-setprofile . + +Fix 2011/07/09 + + @ Fix /proc/ccs/stat parser. + + For optimization, I changed to use simple_strtoul() rather than sscanf() + in ccs_write_stat(). But it caused parsing failure if space is inserted + before value (e.g. "Memory used by policy: $value"). + +Fix 2011/07/13 + + @ Accept "::" notation for IPv6 address. + + In order to add network access restriction to TOMOYO 2.4, I backported + routines for parsing/printing IPv4/IPv6 address from kernel 3.0 into + TOMOYO 1.8.2. + Now, IPv6 address accepts "::1" instead of "0:0:0:0:0:0:0:1". + +Fix 2011/09/03 + + @ Avoid race when retrying "file execute" permission check. + + There was a race window that the pathname which is subjected to + "file execute" permission check when retrying via supervisor's decision + because the pathname was recalculated upon retry. Though, there is an + inevitable race window even without supervisor, for we have to calculate + the symbolic link's pathname from "struct linux_binprm"->filename rather + than from "struct linux_binprm"->file because we cannot back calculate + the symbolic link's pathname from the dereferenced pathname. + + @ Remove unneeded daemonize(). + + Garbage collector thread is created using kthread_create() since 2.6.7. + Kernel threads created by kthread_create() does not need to call + daemonize(). + +Fix 2011/09/16 + + @ Allow specifying domain transition preference. + + I got an opinion that it is difficult to use exception policy's domain + transition control directives because they need to match the pathname + specified to "file execute" directives. For example, if "file execute + /bin/\*\-ls\-cat" is given, corresponding domain transition control + directive needs to be like "no_keep_domain /bin/\*\-ls\-cat from any". + + To solve this difficulty, I introduced optional argument that supersedes + exception policy's domain transition control directives. + + file execute /bin/ls keep exec.realpath="/bin/ls" exec.argv[0]="ls" + file execute /bin/cat keep exec.realpath="/bin/cat" exec.argv[0]="cat" + file execute /bin/\*\-ls\-cat child + file execute /usr/sbin/httpd exec.realpath="/usr/sbin/httpd" exec.argv[0]="/usr/sbin/httpd" + + This argument allows transition to different domains based on conditions. + + /usr/sbin/sshd + file execute /bin/bash /usr/sbin/sshd //batch-session exec.argc=2 exec.argv[1]="-c" + file execute /bin/bash /usr/sbin/sshd //root-session task.uid=0 + file execute /bin/bash /usr/sbin/sshd //nonroot-session task.uid!=0 + +Fix 2011/09/25 + + @ Simplify garbage collector. + + It turned out that use of batched processing tends to choke garbage + collector when certain pattern of entries are queued. Thus, I replaced it + with sequential processing. + +Version 1.8.3 2011/09/29 Usability enhancement release. + +Fix 2011/10/24 + + @ Fix incomplete read after seek. + + ccs_flush() tries to flush data to be read as soon as possible. + ccs_select_domain() (which is called by write()) enqueues data which + meant to be read by next read(), but previous read()'s read buffer's + size was not cleared. As a result, since 1.8.0, sequence like + + char *cp = "select global-pid=1\n"; + read(fd, buf1, sizeof(buf1)); + write(fd, cp, strlen(cp)); + read(fd, buf2, sizeof(buf2)); + + causes enqueued data to be flushed to buf1 rather than buf2. + + @ Use query id for reaching target process's domain policy. + + Use query id for reaching target process's domain policy rather than + target process's global PID. This is for synchronizing with TOMOYO 2.x, + but this change makes /usr/sbin/ccs-queryd more reliable because the + kernel will return empty domain policy when the query has expired before + ccs-queryd reaches target process's domain policy. + + @ Fix quota counting. + + "task manual_domain_transition" should not be counted for quota as with + "task auto_domain_transition"/"task auto_execute_handler"/ + "task denied_execute_handler" because these are not appended by learning + mode. + +Fix 2011/11/11 + + @ Optimize for object's size. + + I rearranged functions/variables into three groups in order to reduce + object's filesize. Also, I added kernel config options for reducing more + by excluding unnecessary functionality. + +Fix 2011/11/18 + + @ Fix kernel config mapping error. + + Due to a typo in ccs_p2mac definition, mode for CONFIG::file::execute was + by error used when checking "file getattr" permission. Most users will + not be affected by this error because CONFIG::file::execute and + CONFIG::file::getattr are by default configured to use CONFIG::file or + CONFIG settings. + +Fix 2011/12/08 + + @ Follow __d_path() behavior change. (Only 2.6.36 and later) + + The behavior of __d_path() has changed in 3.2-rc5. __d_path() now returns + NULL when the pathname cannot be calculated. You must update to this + version when using with 3.2-rc5 and later kernels, or the kernel will + panic because ccs_get_absolute_path() triggers NULL pointer dereference. + + The patch that changed the behavior of __d_path() might be backported to + 2.6.36 to 3.1 kernels. You must update to this version if the patch was + backported, for you will experience the kernel panic as with 3.2-rc5. + + The patch that changed the behavior of __d_path() also changed the way of + handling pathnames under lazy-unmounted directory. Until now, TOMOYO was + using incomplete pathnames returned by __d_path() when the pathname is + under lazy-unmounted directory. But from now on, TOMOYO uses different + pathnames returned by ccs_get_local_path() when the pathname is under + lazy-unmounted directory (because __d_path() no longer returns it). + + Since applications unlikely do lazy unmounts, requesting pathnames under + lazy-unmounted directory should not happen unless the administrator + explicitly does lazy unmounts. But pathnames which is defined for such + conditions in the policy file (if any) will need to be rewritten.