オープンソース・ソフトウェアの開発とダウンロード

Subversion リポジトリの参照

Diff of /trunk/1.8.x/ccs-patch/README.ccs

Parent Directory Parent Directory | Revision Log Revision Log | View Patch Patch

revision 3263 by kumaneko, Thu Dec 17 05:35:31 2009 UTC revision 3643 by kumaneko, Mon May 10 13:52:22 2010 UTC
# Line 2088  Fix 2009/09/01 Line 2088  Fix 2009/09/01
2088      @ Transit to new domain before do_execve() succeeds.      @ Transit to new domain before do_execve() succeeds.
2089    
2090        Permission checks for interpreters and environment variables are        Permission checks for interpreters and environment variables are
2091        done using new domain. In order to be allow ccs-queryd to reach the new        done using new domain. In order to allow ccs-queryd to reach the new
2092        domain via global PID, I reverted "Don't transit to new domain until        domain via global PID, I reverted "Don't transit to new domain until
2093        do_execve() succeeds." made on 2008/10/07.        do_execve() succeeds." made on 2008/10/07.
2094    
# Line 2305  Fix 2009/12/17 Line 2305  Fix 2009/12/17
2305        operations (e.g. mkdir()) even if mode=disabled . It is a waste of CPU        operations (e.g. mkdir()) even if mode=disabled . It is a waste of CPU
2306        resource to check DAC permissions when MAC permissions are not checked.        resource to check DAC permissions when MAC permissions are not checked.
2307        Thus, I modified to skip DAC permission checks if mode=disabled .        Thus, I modified to skip DAC permission checks if mode=disabled .
2308    
2309    Fix 2009/12/19
2310    
2311        @ Fix memory leak in ccs_environ().
2312    
2313          When I fixed a bug that a permission like
2314    
2315            allow_env PATH if exec.envp["PATH"]="/"
2316    
2317          was not working (2009/11/02), I allocated two buffers but only one buffer
2318          was released.
2319    
2320          This bug will trigger OOM killer if environment variable checking is
2321          enabled.
2322    
2323    Fix 2010/01/17
2324    
2325        @ Use current domain's name for execute_handler audit log.
2326    
2327          Since 1.6.7 , /proc/ccs/grant_log was by error using next domain's name
2328          when auditing current domain's "execute_handler" line.
2329    
2330    Fix 2010/03/02
2331    
2332        @ Allow domain transition without execve().
2333    
2334          To be able to split permissions for Apache's CGI programs which are
2335          executed without execve(), I added special domain transition which is
2336          performed by atomically writing '\0'-terminated binary string to
2337          /proc/ccs/.transition interface. For example, a process which belongs to
2338          "<kernel> /usr/sbin/httpd" domain will transit to
2339          "<kernel> /usr/sbin/httpd //app=cgi1\040id=10000" domain by atomically
2340          writing "app=cgi1 id=10000" + '\0' to /proc/ccs/.transition using
2341          Apache's ap_hook_handler() functionality.
2342    
2343          Note that '\0'-terminated binary string is converted to TOMOYO's string
2344          inside kernel and prefix "//" is automatically added to the string so
2345          that domainname does not conflict with domainnames created by execve().
2346          Without this prefix, if "<kernel> /usr/sbin/sshd /bin/bash" domain is
2347          allowed to open /proc/ccs/.transition for writing and
2348          "<kernel> /usr/sbin/sshd /bin/bash /usr/bin/passwd" domain is allowed to
2349          access /etc/shadow , /bin/bash will be able to access /etc/shadow by
2350          atomically writing "/usr/bin/passwd" + '\0' to /proc/ccs/.transition .
2351          Allowing /bin/bash to access /etc/shadow is not what people want.
2352    
2353          Permission for this operation is checked by "allow_transit" keyword.
2354          Unlike "allow_execute" keyword, the string parameter for "allow_transit"
2355          keyword does not refer a real file on filesystem's namespace. Therefore,
2356          you can store any combination of parameters like LDAP's DN entry in the
2357          string parameter for "allow_transit" keyword.
2358    
2359    Fix 2010/03/08
2360    
2361        @ Allow building as loadable kernel module.
2362    
2363          To be able to minimize filesize increment of vmlinux, I made it
2364          possible to compile TOMOYO Linux as loadable kernel module.
2365          Although patching the kernel source and recompiling the kernel are
2366          inevitable, this change will make it easier to enable TOMOYO Linux
2367          when there is a filesize limitation on vmlinux (e.g. embedded systems).
2368    
2369    Fix 2010/03/25
2370    
2371        @ Fix ccs_get_ipv6_address() bug.
2372    
2373          Since 1.7.0 , ccs_get_ipv6_address() was by error returning address of
2374          "struct list_head ccs_address_list" if memory allocation failed.
2375          As a result, ccs_put_ipv6_address() will modify memory near
2376          "struct list_head ccs_address_list" if memory allocation failed.
2377    
2378    Fix 2010/03/26
2379    
2380        @ Fix ccs_lport_reserved() bug.
2381    
2382          Since 1.7.0 , ccs_lport_reserved() was by error checking wrong port
2383          number. As a result, "deny_autobind" keyword was not working as expected.
2384    
2385    Version 1.7.2   2010/04/01   Feature enhancement release.
2386    
2387    Fix 2010/04/10
2388    
2389        @ Fix invalid "struct nameidata" to "struct path" conversion macro.
2390    
2391          Regarding kernels 2.6.24 and earlier, I was converting "struct nameidata"
2392          to "struct path" in caller side so that I can unify the callee function's
2393          parameter type. But it turned out that the macro I used did not follow C
2394          standards and did not work with gcc 4.x . As a result, "allow_pivot_root"
2395          keyword was not working as expected.
2396    
2397    Fix 2010/05/05
2398    
2399        @ Fix incorrect audit on/off control.
2400    
2401          The grant_log= and reject_log= parameters of CONFIG::misc::env were not
2402          used because I forgot to update request type. As a result, those of
2403          CONFIG::file::execute were used for CONFIG::misc::env .
2404    
2405          Those of CONFIG::file::rewrite were not used because I forgot to update
2406          request type. As a result, those of CONFIG::file::truncate were used for
2407          CONFIG::file::rewrite .
2408    
2409    Fix 2010/05/10
2410    
2411        @ Fix incorrect out of memory warning.
2412    
2413          Out of memory warnings were not printed in some cases by error.

Legend:
Removed from v.3263  
changed lines
  Added in v.3643

Back to OSDN">Back to OSDN
ViewVC Help
Powered by ViewVC 1.1.26