Diff of /trunk/1.8.x/ccs-patch/README.ccs

TOMOYO

 Subversion リポジトリの参照



/[tomoyo]/trunk/1.8.x/ccs-patch/README.ccs




Diff of /trunk/1.8.x/ccs-patch/README.ccs



 Parent Directory

|  Revision Log



|  Patch














revision 2519 by kumaneko,
Fri May  8 05:45:21 2009 UTC




revision 2596 by kumaneko,
Wed May 27 07:48:43 2009 UTC






#

Line 1922 
 Fix 2009/04/07


Line 1922 
 Fix 2009/04/07












1922
 
 

















1923
       This problem happens on little endian platforms (e.g. x86).
       This problem happens on little endian platforms (e.g. x86).

















1924
 
 














 Fix 2009/04/20
 










 
 










     @ Update recvmsg() hooks.
 










 
 










       Since 1.5.0, I was doing network access control for incoming UDP and RAW
 










       packets inside skb_recv_datagram(). But to synchronize with LSM version,
 










       I moved ccs_recv_datagram_permission() hook from skb_recv_datagram() to
 










       udp_recvmsg()/udpv6_recvmsg()/raw_recvmsg()/rawv6_recvmsg() with name
 










       change to ccs_recvmsg_permission().
 










 
 













1925
 Fix 2009/05/08
 Fix 2009/05/08

















1926
 
 

















1927
     @ Add condition for symlink's target pathname.
     @ Add condition for symlink's target pathname.











#

Line 1959 
 Fix 2009/05/08


Line 1949 
 Fix 2009/05/08












1949
 
 

















1950
       Thus, I modified ccs_socket_recvmsg_permission() to return -ENOMEM
       Thus, I modified ccs_socket_recvmsg_permission() to return -ENOMEM

















1951
       rather than -EAGAIN.
       rather than -EAGAIN.












1952
 
 







1953
 
 Fix 2009/05/19







1954
 
 







1955
 
     @ Don't call get_fs_type() with a mutex held.







1956
 
 







1957
 
       Until now, when ccs_update_mount_acl() is called with unsupported







1958
 
       filesystem, /sbin/modprobe is executed from get_fs_type() to load







1959
 
       filesystem module. And get_fs_type() does not return until /sbin/modprobe







1960
 
       finishes.







1961
 
 







1962
 
       This means that it will cause deadlock if /sbin/modprobe (which is







1963
 
       executed via get_fs_type() in ccs_update_mount_acl()) calls







1964
 
       ccs_update_mount_acl(); although it won't happen unless an administrator







1965
 
       inserts execute_handler to call mount() requests in learning mode or to







1966
 
       add "allow_mount" entries to /proc/ccs/system_policy .







1967
 
 







1968
 
       I modified to unlock the mutex before calling get_fs_type().







1969
 
 







1970
 
 Fix 2009/05/20







1971
 
 







1972
 
     @ Update recvmsg() hooks.







1973
 
 







1974
 
       Since 1.5.0, I was doing network access control for incoming UDP and RAW







1975
 
       packets inside skb_recv_datagram(). But to synchronize with LSM version,







1976
 
       I moved ccs_recv_datagram_permission() hook from skb_recv_datagram() to







1977
 
       udp_recvmsg()/udpv6_recvmsg()/raw_recvmsg()/rawv6_recvmsg() with name







1978
 
       change to ccs_recvmsg_permission().







1979
 
 







1980
 
 Version 1.6.8 2009/05/28   Feature enhancement release.
























Legend:



Removed from v.2519
 


changed lines


 
Added in v.2596













Back to OSDN">Back to OSDN
ViewVC Help


Powered by ViewVC 1.1.26
 /[tomoyo]/trunk/1.8.x/ccs-patch/README.ccs
-revision 2519 by kumaneko,
Fri May  8 05:45:21 2009 UTC
+revision 2596 by kumaneko,
Wed May 27 07:48:43 2009 UTC
 Line 1922 
 Fix 2009/04/07
        This problem happens on little endian platforms (e.g. x86).
- Fix 2009/04/20
-     @ Update recvmsg() hooks.
-       Since 1.5.0, I was doing network access control for incoming UDP and RAW
-       packets inside skb_recv_datagram(). But to synchronize with LSM version,
-       I moved ccs_recv_datagram_permission() hook from skb_recv_datagram() to
-       udp_recvmsg()/udpv6_recvmsg()/raw_recvmsg()/rawv6_recvmsg() with name
-       change to ccs_recvmsg_permission().
  Fix 2009/05/08
      @ Add condition for symlink's target pathname.
-Line 1959 
 Fix 2009/05/08
+Line 1949 
 Fix 2009/05/08
        Thus, I modified ccs_socket_recvmsg_permission() to return -ENOMEM
        rather than -EAGAIN.
+ Fix 2009/05/19
+     @ Don't call get_fs_type() with a mutex held.
+       Until now, when ccs_update_mount_acl() is called with unsupported
+       filesystem, /sbin/modprobe is executed from get_fs_type() to load
+       filesystem module. And get_fs_type() does not return until /sbin/modprobe
+       finishes.
+       This means that it will cause deadlock if /sbin/modprobe (which is
+       executed via get_fs_type() in ccs_update_mount_acl()) calls
+       ccs_update_mount_acl(); although it won't happen unless an administrator
+       inserts execute_handler to call mount() requests in learning mode or to
+       add "allow_mount" entries to /proc/ccs/system_policy .
+       I modified to unlock the mutex before calling get_fs_type().
+ Fix 2009/05/20
+     @ Update recvmsg() hooks.
+       Since 1.5.0, I was doing network access control for incoming UDP and RAW
+       packets inside skb_recv_datagram(). But to synchronize with LSM version,
+       I moved ccs_recv_datagram_permission() hook from skb_recv_datagram() to
+       udp_recvmsg()/udpv6_recvmsg()/raw_recvmsg()/rawv6_recvmsg() with name
+       change to ccs_recvmsg_permission().
+ Version 1.6.8 2009/05/28   Feature enhancement release.
 Legend:



Removed from v.2519
 


changed lines


 
Added in v.2596
 Legend:



Removed from v.2519
 


changed lines


 
Added in v.2596
-Removed from v.2519
+Added in v.2596
-Back to OSDN">Back to OSDN
+ViewVC Help
 Powered by ViewVC 1.1.26

オープンソース・ソフトウェアの開発とダウンロード

TOMOYO

Subversion リポジトリの参照