--- trunk/1.8.x/ccs-patch/README.ccs 2011/07/07 11:58:12 5235 +++ trunk/1.8.x/ccs-patch/README.ccs 2012/03/28 07:30:14 5966 
@@ -2910,3 +2910,210 @@ . Since this interface is used by only /usr/sbin/ccs-setprofile , remove this interface by updating /usr/sbin/ccs-setprofile . + +Fix 2011/07/09 + + @ Fix /proc/ccs/stat parser. + + For optimization, I changed to use simple_strtoul() rather than sscanf() + in ccs_write_stat(). But it caused parsing failure if space is inserted + before value (e.g. "Memory used by policy: $value"). + +Fix 2011/07/13 + + @ Accept "::" notation for IPv6 address. + + In order to add network access restriction to TOMOYO 2.4, I backported + routines for parsing/printing IPv4/IPv6 address from kernel 3.0 into + TOMOYO 1.8.2. + Now, IPv6 address accepts "::1" instead of "0:0:0:0:0:0:0:1". + +Fix 2011/09/03 + + @ Avoid race when retrying "file execute" permission check. + + There was a race window that the pathname which is subjected to + "file execute" permission check when retrying via supervisor's decision + because the pathname was recalculated upon retry. Though, there is an + inevitable race window even without supervisor, for we have to calculate + the symbolic link's pathname from "struct linux_binprm"->filename rather + than from "struct linux_binprm"->file because we cannot back calculate + the symbolic link's pathname from the dereferenced pathname. + + @ Remove unneeded daemonize(). + + Garbage collector thread is created using kthread_create() since 2.6.7. + Kernel threads created by kthread_create() does not need to call + daemonize(). + +Fix 2011/09/16 + + @ Allow specifying domain transition preference. + + I got an opinion that it is difficult to use exception policy's domain + transition control directives because they need to match the pathname + specified to "file execute" directives. For example, if "file execute + /bin/\*\-ls\-cat" is given, corresponding domain transition control + directive needs to be like "no_keep_domain /bin/\*\-ls\-cat from any". 
+ + To solve this difficulty, I introduced optional argument that supersedes + exception policy's domain transition control directives. + + file execute /bin/ls keep exec.realpath="/bin/ls" exec.argv[0]="ls" + file execute /bin/cat keep exec.realpath="/bin/cat" exec.argv[0]="cat" + file execute /bin/\*\-ls\-cat child + file execute /usr/sbin/httpd exec.realpath="/usr/sbin/httpd" exec.argv[0]="/usr/sbin/httpd" + + This argument allows transition to different domains based on conditions. + + /usr/sbin/sshd + file execute /bin/bash /usr/sbin/sshd //batch-session exec.argc=2 exec.argv[1]="-c" + file execute /bin/bash /usr/sbin/sshd //root-session task.uid=0 + file execute /bin/bash /usr/sbin/sshd //nonroot-session task.uid!=0 + +Fix 2011/09/25 + + @ Simplify garbage collector. + + It turned out that use of batched processing tends to choke garbage + collector when certain pattern of entries are queued. Thus, I replaced it + with sequential processing. + +Version 1.8.3 2011/09/29 Usability enhancement release. + +Fix 2011/10/24 + + @ Fix incomplete read after seek. + + ccs_flush() tries to flush data to be read as soon as possible. + ccs_select_domain() (which is called by write()) enqueues data which + meant to be read by next read(), but previous read()'s read buffer's + size was not cleared. As a result, since 1.8.0, sequence like + + char *cp = "select global-pid=1\n"; + read(fd, buf1, sizeof(buf1)); + write(fd, cp, strlen(cp)); + read(fd, buf2, sizeof(buf2)); + + causes enqueued data to be flushed to buf1 rather than buf2. + + @ Use query id for reaching target process's domain policy. + + Use query id for reaching target process's domain policy rather than + target process's global PID. This is for synchronizing with TOMOYO 2.x, + but this change makes /usr/sbin/ccs-queryd more reliable because the + kernel will return empty domain policy when the query has expired before + ccs-queryd reaches target process's domain policy. + + @ Fix quota counting. 
+ + "task manual_domain_transition" should not be counted for quota as with + "task auto_domain_transition"/"task auto_execute_handler"/ + "task denied_execute_handler" because these are not appended by learning + mode. + +Fix 2011/11/11 + + @ Optimize for object's size. + + I rearranged functions/variables into three groups in order to reduce + object's filesize. Also, I added kernel config options for reducing more + by excluding unnecessary functionality. + +Fix 2011/11/18 + + @ Fix kernel config mapping error. + + Due to a typo in ccs_p2mac definition, mode for CONFIG::file::execute was + by error used when checking "file getattr" permission. Most users will + not be affected by this error because CONFIG::file::execute and + CONFIG::file::getattr are by default configured to use CONFIG::file or + CONFIG settings. + +Fix 2011/12/13 + + @ Follow __d_path() behavior change. (Only 2.6.36 and later) + + The behavior of __d_path() has changed in 3.2-rc5. __d_path() now returns + NULL when the pathname cannot be calculated. You must update to this + version when using with 3.2-rc5 and later kernels, or the kernel will + panic because ccs_get_absolute_path() triggers NULL pointer dereference. + + The patch that changed the behavior of __d_path() might be backported to + 2.6.36 to 3.1 kernels. You must update to this version if the patch was + backported, or you will experience the kernel panic as with 3.2-rc5. + + The patch that changed the behavior of __d_path() also changed the way of + handling pathnames under lazy-unmounted directory. Until now, TOMOYO was + using incomplete pathnames returned by __d_path() when the pathname is + under lazy-unmounted directory. But from now on, TOMOYO uses different + pathnames returned by ccs_get_local_path() when the pathname is under + lazy-unmounted directory (because __d_path() no longer returns it). 
+ + Since applications unlikely do lazy unmounts, requesting pathnames under + lazy-unmounted directory should not happen unless the administrator + explicitly does lazy unmounts. But pathnames which is defined for such + conditions in the policy file (if any) will need to be rewritten. + +Fix 2012/01/20 + + @ Follow changes in 3.3-rc1. + + Use umode_t rather than mode_t. + Remove ipv6_addr_copy() usage. + +Fix 2012/02/25 + + @ Follow changes in linux-next. + + UMH_WAIT_PROC constant (currently 1) is scheduled for renumbering in 3.4. + + Use UMH_WAIT_PROC constant instead of hardcoded constant in preparation + for backporting call_usermodehelper() related changes. If renumbering was + backported, you will start experiencing the kernel panic upon execution + of external policy loader (i.e. /sbin/ccs-init), for the kernel will no + longer wait for completion of external policy loader process. + + Although I changed to use UMH_WAIT_PROC constant, this change could fail + to detect renumbering in 2.6.22 and earlier kernels, for UMH_WAIT_PROC + constant is currently available to only 2.6.23 and later kernels. If you + started to experience the kernel panic, please check whether renumbering + was backported or not. + +Fix 2012/02/29 + + @ Fix mount flags checking order. + + Userspace can pass in arbitrary combinations of MS_* flags to mount(). + + If both MS_BIND and one of MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE + are passed, device name which should be checked for MS_BIND was not + checked because MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE had higher + priority than MS_BIND. + + If both one of MS_BIND/MS_MOVE and MS_REMOUNT are passed, device name + which should not be checked for MS_REMOUNT was checked because MS_BIND/ + MS_MOVE had higher priority than MS_REMOUNT. + + Fix these bugs by changing priority to MS_REMOUNT -> MS_BIND -> + MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE -> MS_MOVE as with do_mount() + does. 
Also, I changed to unconditionally return -EINVAL if more than one + of MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE is passed so that TOMOYO + will not generate inaccurate audit logs, for commit 7a2e8a8f "VFS: Sanity + check mount flags passed to change_mnt_propagation()" clarified that + these flags must be exclusively passed. + +Fix 2012/03/08 + + @ Allow returning other errors when ptrace permission cannot be checked. + + Currently -EPERM is returned when ccs_ptrace_permission() returned an + error code. I changed to return return value from ccs_ptrace_permission() + so that we can return -ESRCH when target process was not found. + +Fix 2012/03/16 + + @ Return appropriate value to poll(). + + Return POLLIN | POLLRDNORM | POLLOUT | POLLWRNORM if ready to read/write, + POLLOUT | POLLWRNORM otherwise.
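Review bot: the first sentence of the 2011/09/03 entry has no main verb ("There was a race window that the pathname which is subjected to "file execute" permission check when retrying via supervisor's decision because the pathname was recalculated upon retry."), so the reader cannot tell what the bug actually was; suggest rewording it to say that the pathname checked on retry could differ from the pathname checked originally, because it was recalculated for the retry, which is the window this fix closes. The same hunk has a few smaller wording slips worth fixing before this README ships: in the 2011/09/03 entry "Kernel threads created by kthread_create() does not need" should be "do not need"; in the 2011/12/13 entry "Since applications unlikely do lazy unmounts" should be "Since applications are unlikely to do lazy unmounts"; and in the 2012/02/29 entry "as with do_mount() does" should be "as do_mount() does". Separately, the 2011/11/18 entry describes a permission-mapping error (the CONFIG::file::execute mode being applied to "file getattr" checks) but does not say which 1.8.x releases carry the typo, so administrators who override CONFIG::file::getattr cannot tell from this entry whether they need to update; naming the affected versions there would help.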