--- trunk/1.8.x/ccs-patch/README.ccs 2011/05/11 04:30:22 4981 +++ trunk/1.8.x/ccs-patch/README.ccs 2011/09/30 19:03:37 5514 
@@ -2854,3 +2854,129 @@ "" + "/foo/\" + "/bar" was by error checked when " /foo/\* /bar" was given. As a result, legal domainnames like " /foo/\* /bar" are rejected. + +Fix 2011/06/06 + + @ Add policy namespace support. + + To be able to use TOMOYO in LXC environments, I introduced policy + namespace. Each policy namespace has its own set of domain policy, + exception policy and profiles, which are all independent of other + namespaces. + + @ Remove CONFIG_CCSECURITY_BUILTIN_INITIALIZERS option. + + From now on, exception policy and manager need to be able to handle + policy namespace (which is a <$namespace> prefix added to each line). + Thus, space-separated list for CONFIG_CCSECURITY_BUILTIN_INITIALIZERS is + no longer suitable for handling policy namespace. + +Fix 2011/06/10 + + @ Allow specifying trigger for activation. + + To be able to use TOMOYO under systemd environments where init= parameter + is used, I changed to allow overriding the trigger for calling external + policy loader and activating MAC via kernel command line options. + +Fix 2011/06/14 + + @ Remove unused "struct inode *" parameter from ccs-patch-\*.diff . + + To follow changes I made on 2011/04/20, I removed "struct inode *" from + ccs_mknod_permission(), ccs_mkdir_permission(), ccs_rmdir_permission(), + ccs_unlink_permission(), ccs_symlink_permission(), ccs_link_permission(), + ccs_rename_permission() that are called from fs/namei.c + net/unix/af_unix.c include/linux/security.c security/security.c . + If you have your own ccs-patch-*.diff , please update accordingly. + +Version 1.8.2 2011/06/20 Usability enhancement release. + +Fix 2011/07/07 + + @ Remove /proc/ccs/.domain_status interface. 
+ + Writing to /proc/ccs/.domain_status can be emulated by + + ( echo "select " $domainname; echo "use_profile " $profile ) | + /usr/sbin/ccs-loadpolicy -d + + and reading from /proc/ccs/.domain_status can be emulated by + + grep -A 1 '^<' /proc/ccs/domain_policy | + awk ' { if ( domainname == "" ) { if ( substr($1, 1, 1) == "<" ) + domainname = $0; } else if ( $1 == "use_profile" ) { + print $2 " " domainname; domainname = ""; } } ; ' + + . Since this interface is used by only /usr/sbin/ccs-setprofile , + remove this interface by updating /usr/sbin/ccs-setprofile . + +Fix 2011/07/09 + + @ Fix /proc/ccs/stat parser. + + For optimization, I changed to use simple_strtoul() rather than sscanf() + in ccs_write_stat(). But it caused parsing failure if space is inserted + before value (e.g. "Memory used by policy: $value"). + +Fix 2011/07/13 + + @ Accept "::" notation for IPv6 address. + + In order to add network access restriction to TOMOYO 2.4, I backported + routines for parsing/printing IPv4/IPv6 address from kernel 3.0 into + TOMOYO 1.8.2. + Now, IPv6 address accepts "::1" instead of "0:0:0:0:0:0:0:1". + +Fix 2011/09/03 + + @ Avoid race when retrying "file execute" permission check. + + There was a race window that the pathname which is subjected to + "file execute" permission check when retrying via supervisor's decision + because the pathname was recalculated upon retry. Though, there is an + inevitable race window even without supervisor, for we have to calculate + the symbolic link's pathname from "struct linux_binprm"->filename rather + than from "struct linux_binprm"->file because we cannot back calculate + the symbolic link's pathname from the dereferenced pathname. + + @ Remove unneeded daemonize(). + + Garbage collector thread is created using kthread_create() since 2.6.7. + Kernel threads created by kthread_create() does not need to call + daemonize(). + +Fix 2011/09/16 + + @ Allow specifying domain transition preference. 
+ + I got an opinion that it is difficult to use exception policy's domain + transition control directives because they need to match the pathname + specified to "file execute" directives. For example, if "file execute + /bin/\*\-ls\-cat" is given, corresponding domain transition control + directive needs to be like "no_keep_domain /bin/\*\-ls\-cat from any". + + To solve this difficulty, I introduced optional argument that supersedes + exception policy's domain transition control directives. + + file execute /bin/ls keep exec.realpath="/bin/ls" exec.argv[0]="ls" + file execute /bin/cat keep exec.realpath="/bin/cat" exec.argv[0]="cat" + file execute /bin/\*\-ls\-cat child + file execute /usr/sbin/httpd exec.realpath="/usr/sbin/httpd" exec.argv[0]="/usr/sbin/httpd" + + This argument allows transition to different domains based on conditions. + + /usr/sbin/sshd + file execute /bin/bash /usr/sbin/sshd //batch-session exec.argc=2 exec.argv[1]="-c" + file execute /bin/bash /usr/sbin/sshd //root-session task.uid=0 + file execute /bin/bash /usr/sbin/sshd //nonroot-session task.uid!=0 + +Fix 2011/09/25 + + @ Simplify garbage collector. + + It turned out that use of batched processing tends to choke garbage + collector when certain pattern of entries are queued. Thus, I replaced it + with sequential processing. + +Version 1.8.3 2011/09/29 Usability enhancement release.
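Review bot: in the /proc/ccs/.domain_status read emulation, the awk script only clears domainname on a "use_profile" line, so if the line that grep -A 1 prints after a domain header is anything else, domainname stays set and every later "<" header is ignored (the `if ( domainname == "" )` branch never runs again); suggest keying on the header itself, e.g. `if ( substr($1, 1, 1) == "<" ) domainname = $0; else if ( $1 == "use_profile" && domainname != "" ) { print $2 " " domainname; domainname = ""; }`, so a stale entry cannot hide the following domains. Also, the 2011/09/03 entry "There was a race window that the pathname which is subjected to ... permission check when retrying ... because the pathname was recalculated upon retry." has no main verb; please reword it so the reader can tell what the recalculation on retry allowed to happen inside that window.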