オープンソース・ソフトウェアの開発とダウンロード

TOMOYO

Subversion リポジトリの参照

/[tomoyo]/trunk/1.8.x/ccs-patch/README.ccs

Diff of /trunk/1.8.x/ccs-patch/README.ccs

Parent Directory Parent Directory | Revision Log Revision Log | View Patch Patch

trunk/1.5.x/ccs-patch/README.ccs revision 815 by kumaneko, Tue Dec 18 07:13:08 2007 UTC trunk/1.6.x/ccs-patch/README.ccs revision 2317 by kumaneko, Thu Mar 26 04:47:03 2009 UTC
# Line 1  Line 1 
1  Notes for TOMOYO Linux project  Notes for TOMOYO Linux project
2    
3  This is a handy Mandatory Access Control patch for Linux kernels.  This is a handy Mandatory Access Control patch for Linux kernels.
4  This patch is released under the GPL.  This patch is released under the GPLv2.
5    
6  Project URL: http://tomoyo.sourceforge.jp/  Project URL: http://tomoyo.sourceforge.jp/
7    
# Line 475  Fix 2006/08/04 Line 475  Fix 2006/08/04
475        succeeds to invoke do_execve() with filename = "/bin/ls" and        succeeds to invoke do_execve() with filename = "/bin/ls" and
476        argv[0] = "/bin/cat".        argv[0] = "/bin/cat".
477    
478        I introduced a keyword that permits the mismatch of        I introduced a directive that permits the mismatch of
479        basename of filename and argv[0].        basename of filename and argv[0].
480    
481  Fix 2006/08/10  Fix 2006/08/10
# Line 933  Fix 2007/07/04 Line 933  Fix 2007/07/04
933    
934      @ Fix ReadAddressGroupPolicy() bug.      @ Fix ReadAddressGroupPolicy() bug.
935    
936        ReadAddressGroupPolicy() fails if both "path_group" and "address_group" are used        ReadAddressGroupPolicy() fails if both "path_group" and "address_group"
937        because I forgot to set "head->read_var1 = NULL".        are used because I forgot to set "head->read_var1 = NULL".
938    
939  Fix 2007/07/10  Fix 2007/07/10
940    
# Line 949  Fix 2007/08/06 Line 949  Fix 2007/08/06
949    
950      @ Remove mount-flags manipulation.      @ Remove mount-flags manipulation.
951    
952        Until now, administrator is permitted to turn on/off specific mount options        Until now, administrator is permitted to turn on/off specific mount
953        regardless of mount options passed to kernel.        options regardless of mount options passed to kernel.
954        I removed this feature because "exact option matching" sounds better than        I removed this feature because "exact option matching" sounds better than
955        "automatic option enabler/disabler".        "automatic option enabler/disabler".
956    
957      @ Remove /proc/ccs/info/mapping .      @ Remove /proc/ccs/info/mapping .
958    
959        I removed /proc/ccs/info/mapping because nobody seems to use this feature.        I removed /proc/ccs/info/mapping because nobody seems to use this
960          feature.
961    
962      @ Call external policy loader automatically.      @ Call external policy loader automatically.
963    
# Line 980  Fix 2007/08/13 Line 981  Fix 2007/08/13
981        can handle interactive operations by opening /dev/console .        can handle interactive operations by opening /dev/console .
982        Now, there is no difference between init=/sbin/ccs-init and        Now, there is no difference between init=/sbin/ccs-init and
983        call_usermodehelper("/sbin/ccs-init"), and users no longer need to        call_usermodehelper("/sbin/ccs-init"), and users no longer need to
984        add init=/sbin/ccs-init parameter to load policy before /sbin/init starts.        add init=/sbin/ccs-init parameter to load policy before /sbin/init
985          starts.
986    
987  Fix 2007/08/14  Fix 2007/08/14
988    
# Line 1101  Fix 2007/12/18 Line 1103  Fix 2007/12/18
1103        To my surprise, "mount --bind source dest" accepts        To my surprise, "mount --bind source dest" accepts
1104        not only "both source and dest are directory"        not only "both source and dest are directory"
1105        but also "both source and dest are non-directory".        but also "both source and dest are non-directory".
1106        I was rejecting if dest is not a derectory in AddMountACL().        I was rejecting if dest is not a directory in AddMountACL().
1107    
1108      @ Change log format.      @ Change log format.
1109    
1110        Profile number and mode is added in audit logs.        Profile number and mode is added in audit logs.
1111    
1112    Fix 2008/01/03
1113    
1114        @ Change directive for file's read/write/execute permission.
1115    
1116          Directives for file's read/write/execute permissions were
1117          4/2/1 respectively. But for easier understanding, they are now
1118          replaced by read/write/execute (e.g. "allow_read" instead of "4").
1119          But for easier inputting, 4/2/1 are still accepted instead of
1120          allow_read/allow_write/allow_execute respectively.
1121    
1122        @ Change internal data structure.
1123    
1124          Since I don't have more than 16 types of file permissions,
1125          I combined them using bit-fields.
1126    
1127          Each entry had a field for conditional permission support.
1128          But since this field is unlikely used, I separated the field from
1129          common part.
1130    
1131          These changes will reduce memory used by policy.
1132    
1133    Fix 2008/01/15
1134    
1135        @ Add ptrace() hook.
1136    
1137          To prevent attackers from controlling important processes using
1138          ptrace(), I added a hook for ptrace().
1139          Most programs (except strace(1) and gdb(1)) won't use ptrace(2).
1140    
1141        @ Fix sleep condition check in CheckSocketRecvDatagramPermission().
1142    
1143          It seems that correct method to use is in_atomic()
1144          rather than in_interrupt() because in_atomic() returns nonzero
1145          whenever scheduling is not allowed.
1146    
1147    Fix 2008/02/05
1148    
1149        @ Use find_task_by_vpid() instead of find_task_by_pid().
1150    
1151          Kernel 2.6.24 introduced PID namespace.
1152          To search PID given from userland, the kernel needs to use
1153          find_task_by_vpid() instead of find_task_by_pid().
1154    
1155    Fix 2008/02/14
1156    
1157        @ Add execve() parameter checking.
1158    
1159          Until now, it was impossible to check argv[] and envp[] parameters
1160          passed to execve().
1161          I expanded conditional permission syntax so that
1162          { argc, envc, argv[] , envp[] } parameters can be checked if needed.
1163          This will allow administrator permit execution of /bin/sh only when
1164          /bin/sh is invoked in the form of "/bin/sh -c" and environment variable
1165          HOME is set by specifying
1166    
1167            allow_execute /bin/sh if exec.argv[1]="-c" exec.envp["HOME"]!=NULL
1168    
1169          in the policy.
1170          This extension will make exploit codes difficult to start /bin/sh because
1171          they unlikely set up environment variables and unlikely specify "-c"
1172          option when invoking /bin/sh , whereas proper functions likely set up
1173          environment variables and likely specify "-c" option.
1174    
1175    Fix 2008/02/18
1176    
1177        @ Add process state checking.
1178    
1179          Until now, it was impossible to change ACL without executing program.
1180          I added three variables for performing stateful checking within a domain.
1181          You can set current process's state like:
1182    
1183            allow_network TCP accept @TRUSTED_HOSTS 1024-65535 ; set task.state[0]=1
1184            allow_network TCP accept @UNTRUSTED_HOSTS 1024-65535 ; set task.state[0]=0
1185    
1186          and you can use the state like
1187    
1188            allow_read /path/to/important/file if task.state[0]=1
1189    
1190          in the policy.
1191          The state changes when the request was granted by the MAC's policy,
1192          so please be careful with situations where the state has changed
1193          successfully but the request was not processed because of other reasons
1194          (e.g. out of memory).
1195    
1196    Fix 2008/02/26
1197    
1198        @ Support /proc/ccs/ access by non-root user.
1199    
1200          Until now, only root user can access /proc/ccs/ interface.
1201          But to permit /proc/ccs/ access by non-root user so that it won't require
1202          ssh login by root user when administrating from remote host,
1203          I made "(current->uid == 0 && current->euid == 0)" requirement optional.
1204          If this requirement is disabled, only "conventional DAC permission
1205          checks" and "/proc/ccs/manager checks" are used.
1206    
1207    Fix 2008/02/29
1208    
1209        @ Add sleep_on_violation feature.
1210    
1211          Some exploit codes (e.g. trans2open for Samba) continue running
1212          until it achieves the purpose of the exploit code (e.g. invoke /bin/sh).
1213    
1214          If such code is injected due to buffer overflow but the kernel
1215          rejects the request, it triggers infinite "Permission denied" loop.
1216          As a result, the CPU usage becomes 100% and gives bad effects to
1217          the rest of processes.
1218          This is a side effect of rejecting the request from the exploit code
1219          which wouldn't happen if the request from the exploit code was granted.
1220    
1221          To avoid such CPU consumption, I added a penalty that forcibly
1222          sleeps for specified period when a request is rejected.
1223    
1224          This penalty doesn't work if the exploit code does nothing but
1225          continue running, but I think most exploit code's purpose is
1226          to start some program rather than to slow down the target system.
1227    
1228        @ Add alt_exec feature.
1229    
1230          Since TOMOYO Linux's approach is "know all essential requests in advance
1231          and create policy that permits only them", you can regard anomalous
1232          requests as attacks (if you want to do so).
1233    
1234          Common MAC implementations merely reject requests that violate policy.
1235          But I added a special handler for execve() to TOMOYO Linux.
1236    
1237          This handler is triggered when a process requested to execute a program
1238          but the request was rejected by the policy.
1239          This handler executes a program specified by the administrator
1240          instead of a program requested by the process.
1241    
1242          Most attackers attempt to execute /bin/sh to start something malicious.
1243          Attackers execute an exploit code using buffer overflow vulnerability
1244          to steal control of a process. But this handler can get back control
1245          if an exploit code requests execve() that is not permitted by policy.
1246    
1247          By default, this handler does nothing (i.e. merely reject execve()
1248          request). You can specify any program to start what you want to do.
1249    
1250          You can redirect attackers to somewhere else (e.g. honey pot).
1251          This makes it possible to act your Linux box as an on-demand honey pot
1252          while keeping regular services for your usage.
1253    
1254          You can collect information of the attacker (e.g. IP address) and
1255          update firewall configuration.
1256    
1257          You can silently terminate a process who requested execve()
1258          that is not permitted by policy.
1259    
1260    Fix 2008/03/03
1261    
1262        @ Add "force_alt_exec" directive.
1263    
1264          To be able to fully utilize "alt_exec" feature,
1265          I added "force_alt_exec" directive so that
1266          all execute requests are replaced by the execute request of a program
1267          specified by alt_exec feature.
1268    
1269          If this directive is specified for a domain, the domain no longer
1270          executes any programs regardless of the mode of file access control
1271          (i.e. the domain won't execute even if MAC_FOR_FILE=0 ).
1272          Instead, the domain executes the program specified by alt_exec feature
1273          and the program specified by alt_exec feature validates the execute
1274          request and executes it if it is appropriate to execute.
1275    
1276          If you can tolerate that there is no chance to return an error code
1277          to the caller to tell the execute request was rejected,
1278          this is more flexible approach than in-kernel execve() parameter
1279          checking because we can do argv[] and envp[] checking easily.
1280    
1281    Fix 2008/03/04
1282    
1283        @ Use string for access control mode.
1284    
1285          An integer expression for access control mode sometimes confuses
1286          administrators because profile number is also an integer expression.
1287          To avoid confusion between profile number and access control mode,
1288          I introduced a string expression for access control mode.
1289    
1290            Modes which take an integer between 0 and 3.
1291    
1292              0 -> disabled
1293              1 -> learning
1294              2 -> permissive
1295              3 -> enforcing
1296    
1297            Modes which take 0 or 1.
1298    
1299              0 -> disabled
1300              1 -> enabled
1301    
1302    Fix 2008/03/10
1303    
1304        @ Rename "force_alt_exec" directive to "execute_handler".
1305    
1306          To be able to use different programs for validating execve() parameters,
1307          I moved the location to specify the program's pathname from profile
1308          to domain policy.
1309    
1310          The "execute_handler" directive takes one pathname which is
1311          invoked whenever execve() request is issued. Thus, any "allow_execute"
1312          directives in a domain with "execute_handler" are ignored.
1313          This directive is designed for validating expected/desirable execve()
1314          requests in userspace, although there is no way to tell the caller
1315          that the execve() request was rejected.
1316    
1317        @ Rename "alt_exec" directive to "denied_execute_handler".
1318    
1319          The "denied_execute_handler" directive takes one pathname which is
1320          invoked only when execve() request was rejected. In other words,
1321          this program is invoked only when the following conditions are met.
1322    
1323            (1) None of "allow_execute" directives in the domain matched.
1324            (2) The execve() request was rejected in enforcing mode.
1325            (3) "execute_handler" directive is not used by the domain.
1326    
1327          This directive is designed for handling unexpected/undesirable execve()
1328          requests, to redirect the process issuing such requests to somewhere.
1329    
1330    Fix 2008/03/18
1331    
1332        @ Fix wrong/redundant locks in pre-vfs functions.
1333    
1334          lock_kernel()/unlock_kernel() in pre_vfs_rename() were redundant for
1335          2.6 kernels.
1336    
1337          Locking order in pre_vfs_link() and pre_vfs_unlink() for 2.4 kernels
1338          after 2.4.33 were different from before 2.4.32 .
1339    
1340    Fix 2008/03/28
1341    
1342        @ Disable execute handler loop.
1343    
1344          To be able to use "execute_handler" in a "keep_domain" domain,
1345          ignore "execute_handler" and "denied_execute_handler" directives
1346          if the current process is executing programs specified by
1347          "execute_handler" or "denied_execute_handler" directive.
1348    
1349          This exception is needed to avoid infinite execute handler loop.
1350          If a domain has both "keep_domain" and "execute_handler",
1351          any execute request by that domain is handled by an execute handler,
1352          and the execute handler attempts to process original execute request.
1353          But the original execute request is handled by the same execute handler
1354          unless the execute handler ignores "execute_handler".
1355    
1356        @ Update coding style.
1357    
1358          I rewrote the code to pass scripts/checkpatch.pl as much as possible.
1359          Function names were changed to use only lower letters.
1360    
1361    Version 1.6.0 2008/04/01   Feature enhancement release.
1362    
1363    Fix 2008/04/14
1364    
1365        @ Fix "Compilation failures" and "Initialization ordering bugs"
1366          with kernels before 2.4.30/2.6.11 .
1367    
1368          2.6 kernels before 2.6.9 didn't have include/linux/hardirq.h ,
1369          resulting compilation error at #include <linux/hardirq.h> .
1370          I added #elif condition.
1371    
1372          CentOS 4.6's 2.6.9 kernel calls do_execve() before initialization of
1373          ccs_alloc(), resulting NULL pointer dereference.
1374          I changed __initcall to core_initcall.
1375    
1376          CentOS 4.6's 2.6.9 kernel backported kzalloc() from 2.6.14 ,
1377          resulting compilation error at kzalloc().
1378          I modified prototype of kzalloc().
1379    
1380    Fix 2008/04/20
1381    
1382        @ Fix "Compilation failures" with kernels before 2.4.30/2.6.11 .
1383    
1384          Turbolinux 10 Server's 2.6.8 kernel backported kzalloc() as an inlined
1385          function, resulting compilation error at kzalloc().
1386          I converted kzalloc() from an inlined function into a macro.
1387    
1388    Fix 2008/04/21
1389    
1390        @ Add workaround for gcc 3.2.2's inline bug.
1391    
1392          RedHat Linux 9's gcc 3.2.2 generated a bad code
1393             if ((var_of_u8 & 0x000000BF) & 0x80000000) { }
1394          where the expected code is
1395             if ((var_of_u8 & 0xBF) & 0x80) { }
1396          when embedding ccs_acl_type2() into print_entry(),
1397          resulting runtime BUG().
1398          I added the expected code explicitly as a workaround.
1399    
1400    Fix 2008/05/06
1401    
1402        @ Add memory quota.
1403    
1404          1.5.x returns -ENOMEM when FindNextDomain() failed to create a new
1405          domain, but I forgot to return -ENOMEM when find_next_domain() failed to
1406          create a new domain.
1407    
1408          A domain is automatically created by find_next_domain() only if
1409          the domain for the requested program doesn't exist.
1410          This behavior is for the administrator's convenience.
1411          The administrator needn't to know how many domains are needed for running
1412          the whole programs in the system beforehand when developing the policy.
1413          But the administrator does not want the kernel to reject execution of the
1414          requested program when developing the policy.
1415    
1416          So, I think it is better to grant execution of programs even if
1417          find_next_domain() failed to create a new domain than reject execution.
1418          Thus, I decided not to return -ENOMEM when find_next_domain() failed to
1419          create a new domain. This exception breaks the domain transition rules,
1420          so I print "transition_failed" warning in /proc/ccs/domain_policy
1421          when this exception happened.
1422    
1423          Also, to prevent the system from being halted by unexpectedly allocating
1424          all kernel memory for the policy, I added memory quota.
1425          This quota is configurable via /proc/ccs/meminfo like
1426    
1427            echo Shared:  1048576 > /proc/ccs/meminfo
1428            echo Private: 1048576 > /proc/ccs/meminfo
1429    
1430    Version 1.6.1 2008/05/10   Bug fix release.
1431    
1432    Fix 2008/06/04
1433    
1434        @ Check open mode of /proc/ccs/ interface.
1435    
1436          It turned out that I can avoid allocating memory for reading if
1437          FMODE_READ is not set and memory for writing if FMODE_WRITE is not set.
1438    
1439        @ Wait for completion of /sbin/ccs-init .
1440    
1441          Since 2.4 kernel's call_usermodehelper() can't wait for termination of
1442          the executed program, I was using the close() request of
1443          /proc/ccs/meminfo to indicate that loading policy has finished.
1444          But since /proc/ccs/meminfo could be accessed for setting memory quota
1445          by /etc/ccs/ccs-post-init , I stopped using the close() request.
1446          The policy loader no longer need to access /proc/ccs/meminfo to notify
1447          the kernel that loading policy has finished.
1448    
1449    Fix 2008/06/05
1450    
1451        @ Fix realpath for pipes and sockets.
1452    
1453          Kernel 2.6.22 and later use different method for calculating d_path().
1454          Since fs/realpath.c didn't notice the change, the realpath of pipes
1455          appeared as "pipe:" rather than "pipe:[\$]" when they are opened via
1456          /proc/PID/fd/ directory.
1457    
1458        @ Add process's information into /proc/ccs/query .
1459    
1460          While /proc/ccs/grant_log and /proc/ccs/reject_log contain process's
1461          information, /proc/ccs/query doesn't contain it.
1462          To be able to utilize ccs-queryd and ccs-notifyd more, I added it into
1463          /proc/ccs/query .
1464    
1465    Fix 2008/06/10
1466    
1467        @ Allow using patterns for globally readable files.
1468    
1469          To allow users specify locale specific files to globally readable files,
1470          I relaxed checking in update_globally_readable_entry().
1471    
1472    Fix 2008/06/11
1473    
1474        @ Remove ALLOW_ENFORCE_GRACE parameter.
1475    
1476          Since unexpected requests caused by doing software updates can happen
1477          in all profiles, users likely have to write ALLOW_ENFORCE_GRACE=enabled
1478          to all profiles. And it makes meaningless to allow users to selectively
1479          enable specific profile's ALLOW_ENFORCE_GRACE parameter.
1480          So, I removed ALLOW_ENFORCE_GRACE parameter.
1481          Now, the system behaves as if ALLOW_ENFORCE_GRACE=enabled is specified.
1482          The behavior of "delayed enforcing" mode is defined in the following
1483          order.
1484    
1485          (1) The requests are rejected immediately if nobody is opening
1486              /proc/ccs/query interface.
1487          (2) The requests will be rejected in 10 seconds if somebody other than
1488              ccs-queryd (such as less(1)) is opening /proc/ccs/query interface,
1489              for such process doesn't write dummy decisions.
1490    
1491    Fix 2008/06/22
1492    
1493        @ Pass escaped pathname to audit_execute_handler_log().
1494    
1495          I was passing unescaped pathname to audit_execute_handler_log()
1496          which causes /proc/ccs/grant_log contain whitespace characters
1497          if execute handler's pathname contains whitespace characters.
1498    
1499    Fix 2008/06/25
1500    
1501        @ Return 0 when ccs_may_umount() succeeds.
1502    
1503          I forgot to clear error value in ccs_may_umount() when the requested
1504          directory didn't match "deny_unmount" directive. As a result, any umount()
1505          request with RESTRICT_UNMOUNT=enforcing returned -EPERM error.
1506    
1507    Version 1.6.2 2008/06/25   Usability enhancement release.
1508    
1509    Fix 2008/07/01
1510    
1511        @ Fix "Compilation failure" with 2.4.20 kernel.
1512    
1513          RedHat Linux 9's 2.4.20 kernel backported O(1) scheduler patch,
1514          resulting compilation error at ccs_load_policy().
1515          I added defined(TASK_DEAD) check.
1516    
1517    Fix 2008/07/08
1518    
1519        @ Don't check permissions if vfsmount is NULL.
1520    
1521          Some filesystems (e.g. unionfs) pass NULL vfsmount.
1522          I changed fs/tomoyo_file.c not to try to calculate pathnames
1523          if vfsmount is NULL.
1524    
1525    Version 1.6.3 2008/07/15   Bug fix release.
1526    
1527    Fix 2008/08/21
1528    
1529        @ Add workaround for gcc 4.3's bug.
1530    
1531          In some environments, fs/tomoyo_network.c could not be compiled
1532          because of gcc 4.3's bug.
1533          I modified save_ipv6_address() to use "integer literal" value
1534          instead for "static const u8" variable.
1535    
1536        @ Change prototypes of some functions.
1537    
1538          To support 2.6.27 kernels, I replaced "struct nameidata" with
1539          "struct path" for some functions.
1540    
1541        @ Detect distributor specific patches automatically.
1542    
1543          Since kernels with AppArmor patch applied is increasing,
1544          I introduced a mechanism which determines whether specific patches
1545          are applied or not, based on "#define" directives in the patches.
1546    
1547    Fix 2008/08/29
1548    
1549        @ Remove "-ccs" suffix from Makefile's EXTRAVERSION.
1550    
1551          To reduce conflicts on Makefile's EXTRAVERSION,
1552          I removed "-ccs" suffix from ccs-patch-2.\*.diff .
1553          Those who build kernels without using specs/build-\*.sh ,
1554          please edit EXTRAVERSION tag manually so that original kernels
1555          will not be overwritten by TOMOYO Linux kernels.
1556    
1557    Version 1.6.4 2008/09/03   Minor update release.
1558    
1559    Fix 2008/09/09
1560    
1561        @ Add "try again" response to "delayed enforcing" mode.
1562    
1563          To be able to handle pathname changes caused by software updates,
1564          "delayed enforcing" mode was introduced. It allows administrator to
1565          grant access requests which are about to be rejected by the kernel.
1566    
1567          To be able to handle pathname changes caused by software updates better,
1568          I introduced "try again" response. As "delayed enforcing" mode sleeps
1569          a process which violated policy, administrator can update policy while
1570          the process is sleeping. This "try again" response allows administrator
1571          to restart policy checks from the beginning after updating policy.
1572    
1573    Fix 2008/09/11
1574    
1575        @ Remember whether the process is allowed to write to /proc/ccs/ interface.
1576    
1577          Since programs for manipulating policy (e.g. ccs-queryd ) are installed
1578          in the form of RPM/DEB packages, these programs lose the original
1579          pathnames when they are updated by the package manager. The package
1580          manager renames these programs before deleting these programs so that
1581          the package manager can rollback the operation.
1582          This causes a problem when the programs are listed into /proc/ccs/manager
1583          using pathnames, as the programs will no longer be allowed to write to
1584          /proc/ccs/ interface while the process of old version of the program is
1585          alive.
1586    
1587          To solve this problem, I modified to remember the fact that the process
1588          is once allowed to write to /proc/ccs/ interface until the process
1589          attempts to execute a different program.
1590          This change makes it impossible to revoke permission to write to
1591          /proc/ccs/ interface without killing the process, but it will be better
1592          than nonfunctioning ccs-queryd program.
1593    
1594    Fix 2008/09/19
1595    
1596        @ Allow selecting a domain by PID.
1597    
1598          Sometimes we want to know what ACLs are given to specific PID, but
1599          finding a domainname for that PID from /proc/ccs/.process_status and
1600          reading ACLs from /proc/ccs/domain_policy by the domainname is very slow.
1601          Thus, I modified /proc/ccs/domain_policy to allow selecting a domain by
1602          PID. For example, to read domain ACL of current process from bash,
1603          run as follows.
1604    
1605          # exec 100<>/proc/ccs/domain_policy
1606          # echo select pid=$$ >&100
1607          # while read -u 100; do echo $REPLY; done
1608    
1609          If a domain is once selected by PID, reading /proc/ccs/domain_policy will
1610          print only that domain if that PID exists or print nothing otherwise.
1611    
1612        @ Disallow concurrent /proc/ccs/ access using the same file descriptor.
1613    
1614          Until now, one process can read() from /proc/ccs/ while other process
1615          that shares the file descriptor can write() to /proc/ccs/ .
1616          But to implement "Allow selecting a domain by PID" feature, I disabled
1617          concurrent read()/write() because the feature need to modify read buffer
1618          while writing.
1619    
1620    Fix 2008/10/01
1621    
1622        @ Add retry counter into /proc/ccs/query .
1623    
1624          To be able to handle some of queries from /proc/ccs/query without user's
1625          interaction, I added retry counter for avoiding infinite loop caused by
1626          "try again" response.
1627    
1628    Fix 2008/10/07
1629    
1630        @ Don't transit to new domain until do_execve() succeeds.
1631    
1632          Until now, a process's domain was updated to new domain which the process
1633          will belong to before do_execve() succeeds so that the kernel can do
1634          permission checks for interpreters and environment variables based on
1635          new domain. But this caused a subtle problem when other process sends
1636          signals to the process, for the process returns to old domain if
1637          do_execve() failed.
1638    
1639          So, I modified to pass new domain to functions so that I can avoid
1640          modifying a process's domain before do_execve() succeeds.
1641    
1642        @ Use old task state for audit logs.
1643    
1644          Until now, audit logs were generated using the task state after
1645          processing "; set task.state" part. But to generate accurate logs,
1646          I modified to save the task state before processing "; set task.state"
1647          part and use the saved state for audit logs.
1648    
1649        @ Use a structure for passing parameters.
1650    
1651          As the number of parameters is increasing, I modified to use a structure
1652          for passing parameters.
1653    
1654    Fix 2008/10/11
1655    
1656        @ Remove domain_acl_lock mutex.
1657    
1658          I noticed that I don't need to keep all functions that modify an ACL of
1659          a domain mutually exclusive. Since each functions handles different type
1660          of ACL, locking is needed only when they append an ACL to a domain.
1661          So, I modified to use local locks.
1662    
1663    Fix 2008/10/14
1664    
1665        @ Fix ccs_check_condition() bug.
1666    
1667          Due to a bug in ccs_check_condition(), it was impossible to use
1668          task.state[0] task.state[1] task.state[2] inside condition part
1669          if the ACL does not treat a pathname. For example, an ACL like
1670    
1671            allow_network TCP connect @HTTP_SERVERS 80 if task.state[0]=100
1672    
1673          didn't work.
1674    
1675    Fix 2008/10/15
1676    
1677        @ Show process information in /proc/ccs/.process_status .
1678    
1679          To be able to determine a process's type, I added a command "info PID"
1680          which returns process information of the specified PID in
1681          "PID manager=\* execute_handler=\* state[0]=\$ state[1]=\$ state[2]=\$"
1682          format.
1683    
1684    Fix 2008/10/20
1685    
1686        @ Use rcu_dereference() when walking the list.
1687    
1688          I was using "dependency ordering" for appending an element to a list
1689          without asking the reader to take a lock. But "dependency ordering"
1690          is not respected by DEC Alpha or by some aggressive value-speculation
1691          compiler optimizations.
1692    
1693          On such environment, use of "dependency ordering" can lead to system
1694          crash because the reader might read uninitialized value of newly
1695          appended element.
1696    
1697          To prevent the reader from reading uninitialized value of newly appended
1698          element, I inserted rcu_dereference() when walking the list.
1699    
1700    Fix 2008/11/04
1701    
1702        @ Use sys_getpid() instead for current->pid.
1703    
1704          Kernel 2.6.24 introduced PID namespace.
1705    
1706          To compare PID given from userland, I can't use current->pid.
1707          So, I modified to use sys_getpid() instead for current->pid.
1708    
1709          I modified to use task_tgid_nr_ns() for 2.6.25 and later instead for
1710          current->tgid when checking /proc/self/ in get_absolute_path().
1711    
1712    Fix 2008/11/07
1713    
1714        @ Fix is_alphabet_char().
1715    
1716          is_alphabet_char() should match 'A' - 'Z' and 'a' - 'z',
1717          but was matching from 'A' - 'F' and 'a' - 'f'.
1718    
1719        @ Add /proc/ccs/.execute_handler .
1720    
1721          Process information became visible to userspace by
1722          "Show process information in /proc/ccs/.process_status" feature.
1723          However, programs specified by execute_handler directive may run as
1724          non root user, making it impossible to see process information.
1725    
1726          So, I added a new interface that allows execute handler processes
1727          to see process information. The content of /proc/ccs/.execute_handler is
1728          identical to /proc/ccs/.process_status .
1729    
1730    Version 1.6.5   2008/11/11   Third anniversary release.
1731    
1732    Fix 2008/12/01
1733    
1734        @ Introduce "task.type=execute_handler" condition.
1735    
1736          The execute_handler directive is very very powerful. You can use this
1737          directive to do anything you want to do (e.g. logging and validating and
1738          modifying command line parameters and environment variables, opening and
1739          closing and redirecting files, creating pipes to implement antivirus and
1740          spam filtering, deploying a DMZ between the ssh daemon and the login
1741          shells).
1742    
1743          To be able to use this directive in a domain with keep_domain directive
1744          while limiting access to resources needed for such purposes to only
1745          programs invoked as an execute handler process, I added a new condition.
1746    
1747          In learning mode, "if task.type=execute_handler" condition part will be
1748          automatically added for requests issued by an execute_handler process.
1749    
1750        @ Introduce file's type and permissions as conditions.
1751    
1752          To be able to limit file types a process can access, I added
1753          new conditions for checking file's type and permissions.
1754          For example,
1755    
1756            allow_read /etc/fstab if path1.type=file path1.perm=0644
1757    
1758          will allow opening /etc/fstab for reading only if /etc/fstab is a regular
1759          file and it's permission is 0644, and
1760    
1761            allow_write /dev/null if path1.type=char path1.dev_major=1 path1.dev_minor=3
1762    
1763          will allow opening /dev/null for writing only if /dev/null is a character
1764          device file with major=1 and minor=3 attributes.
1765    
1766        @ Add memory quota for temporary memory used for auditing.
1767    
1768          Although there are MAX_GRANT_LOG and MAX_REJECT_LOG parameters
1769          which limit the number of entries for audit logs so that we can avoid
1770          memory consumption by audit logs, it would be more convenient if we can
1771          also limit the size in bytes.
1772          Thus, I added a new quota line.
1773    
1774            echo Dynamic: 1048576 > /proc/ccs/meminfo
1775    
1776          This quota is not applied to temporary memory used for permission checks.
1777    
1778    Fix 2008/12/09
1779    
1780        @ Fix ccs_can_save_audit_log() checks.
1781    
1782          Due to incorrect statement "if (ccs_can_save_audit_log() < 0)"
1783          while ccs_can_save_audit_log() is boolean, MAX_GRANT_LOG and
1784          MAX_REJECT_LOG were not working.
1785    
1786          This bug will trigger OOM killer if /usr/sbin/ccs-auditd is not working.
1787    
1788    Fix 2008/12/24
1789    
1790        @ Add "ccs_" prefix.
1791    
1792          To be able to tell whether a symbol is TOMOYO Linux related or not,
1793          I added "ccs_" prefix as much as possible.
1794    
1795        @ Fix ccs_check_flags() error message.
1796    
1797          I meant to print SYAORAN-ERROR: message when error == -EPERM,
1798          but I was printing it when error == 0 since 1.6.0 .
1799    
1800    Fix 2009/01/05
1801    
1802        @ Use kmap_atomic()/kunmap_atomic() for reading "struct linux_binprm".
1803    
1804          As remove_arg_zero() uses kmap_atomic(KM_USER0), I modified to use
1805          kmap_atomic(KM_USER0) rather than kmap().
1806    
1807    Fix 2009/01/28
1808    
1809        @ Fix "allow_read" + "allow_write" != "allow_read/write" problem.
1810    
1811          Since 1.6.0 , due to a bug in ccs_update_single_path_acl(),
1812          appending "allow_read/write" entry didn't update internal "allow_read"
1813          and "allow_write" entries. As a result, attempt to open(O_RDWR) succeeds
1814          but open(O_RDONLY) and open(O_WRONLY) fail.
1815    
1816          Workaround is to write an entry twice when newly appending that entry.
1817          If written twice, internal "allow_read" and "allow_write" entries
1818          are updated.
1819    
1820    Fix 2009/02/26
1821    
1822        @ Fix profile read error.
1823    
1824          Incorrect profiles were shown in /proc/ccs/profile
1825          if either CONFIG_SAKURA or CONFIG_TOMOYO is disabled.
1826    
1827    Fix 2009/03/02
1828    
1829        @ Undelete CONFIG_TOMOYO_AUDIT option.
1830    
1831          While HDD-less systems can use profiles with MAX_GRANT_LOG=0 and
1832          MAX_REJECT_LOG=0 , I undeleted CONFIG_TOMOYO_AUDIT option for saving
1833          memory used for /proc/ccs/grant_log and /proc/ccs/reject_log interfaces.
1834    
1835    Fix 2009/03/13
1836    
1837        @ Show only profile entry names ever specified.
1838    
1839          Even if an administrator specifies only COMMENT= and MAC_FOR_FILE=
1840          entries for /proc/ccs/profile , all available profile entries are shown.
1841          This was designed to help administrators to know what entries are
1842          available, but sometimes makes administrators feel noisy because of
1843          entries showing default values.
1844    
1845          Thus, I modified to show only profile entry names ever specified.
1846    
1847    Fix 2009/03/18
1848    
1849        @ Add MAC_FOR_IOCTL functionality.
1850    
1851          To be able to restrict ioctl() requests, I added MAC_FOR_IOCTL
1852          functionality.
1853    
1854          This functionality requires modification of ccs-patch-\*.diff .
1855    
1856        @ Use better name for socket's pathname.
1857    
1858          Until now, socket's pathname was represented as "socket:[\$]" format
1859          where \$ is inode's number. But inode's number is useless for name based
1860          access control. Therefore, I modified to represent socket's pathname as
1861          "socket:[family=\$:type=\$:protocol=\$]" format.
1862    
1863          This will help administrator to control ioctl() against sockets more
1864          precisely.
1865    
1866        @ Fix misplaced ccs_capable() call.  (only 2.6.8-\* and 2.6.9-\*)
1867    
1868          Location to insert ccs_capable(TOMOYO_SYS_IOCTL) in sys_ioctl() was
1869          wrong since version 1.1 .
1870    
1871        @ Insert ccs_check_ioctl_permission() call.
1872    
1873          To make MAC_FOR_IOCTL functionality working, I inserted
1874          ccs_check_ioctl_permission() call into ccs-patch-\*.diff .
1875    
1876    Fix 2009/03/23
1877    
1878        @ Move sysctl()'s check from ccs-patch-\*.diff to fs/tomoyo_file.c .
1879    
1880          Since try_parse_table() in kernel/sysctl.c is almost identical between
1881          all versions, I moved that function to fs/tomoyo_file.c .
1882    
1883        @ Relocate definitions and functions.
1884    
1885          To reduce exposed symbols, I relocated some definitions and functions.
1886    
1887    Fix 2009/03/24
1888    
1889        @ Add CONFIG_TOMOYO_BUILTIN_INITIALIZERS option.
1890    
1891          Some systems don't have /sbin/modprobe and /sbin/hotplug .
1892          Thus, I made these pathnames configurable.
1893    
1894    Version 1.6.7 2009/04/01   Feature enhancement release.
Legend:
Removed from v.815  
changed lines
  Added in v.2317
Back to OSDN">Back to OSDN
 ViewVC Help
Powered by ViewVC 1.1.26  
サイト情報
ソフトウェアを探す
ソフトウェアを作る
コミュニティ
ヘルプ