| 2854 |
"<kernel>" + "/foo/\" + "/bar" was by error checked when |
"<kernel>" + "/foo/\" + "/bar" was by error checked when |
| 2855 |
"<kernel> /foo/\* /bar" was given. As a result, legal domainnames like |
"<kernel> /foo/\* /bar" was given. As a result, legal domainnames like |
| 2856 |
"<kernel> /foo/\* /bar" are rejected. |
"<kernel> /foo/\* /bar" are rejected. |
| 2857 |
|
|
| 2858 |
|
Fix 2011/06/06 |
| 2859 |
|
|
| 2860 |
|
@ Add policy namespace support. |
| 2861 |
|
|
| 2862 |
|
To be able to use TOMOYO in LXC environments, I introduced policy |
| 2863 |
|
namespace. Each policy namespace has its own set of domain policy, |
| 2864 |
|
exception policy and profiles, which are all independent of other |
| 2865 |
|
namespaces. |
| 2866 |
|
|
| 2867 |
|
@ Remove CONFIG_CCSECURITY_BUILTIN_INITIALIZERS option. |
| 2868 |
|
|
| 2869 |
|
From now on, exception policy and manager need to be able to handle |
| 2870 |
|
policy namespace (which is a <$namespace> prefix added to each line). |
| 2871 |
|
Thus, space-separated list for CONFIG_CCSECURITY_BUILTIN_INITIALIZERS is |
| 2872 |
|
no longer suitable for handling policy namespace. |
| 2873 |
|
|
| 2874 |
|
Fix 2011/06/10 |
| 2875 |
|
|
| 2876 |
|
@ Allow specifying trigger for activation. |
| 2877 |
|
|
| 2878 |
|
To be able to use TOMOYO under systemd environments where init= parameter |
| 2879 |
|
is used, I changed to allow overriding the trigger for calling external |
| 2880 |
|
policy loader and activating MAC via kernel command line options. |
| 2881 |
|
|
| 2882 |
|
Fix 2011/06/14 |
| 2883 |
|
|
| 2884 |
|
@ Remove unused "struct inode *" parameter from ccs-patch-\*.diff . |
| 2885 |
|
|
| 2886 |
|
To follow changes I made on 2011/04/20, I removed "struct inode *" from |
| 2887 |
|
ccs_mknod_permission(), ccs_mkdir_permission(), ccs_rmdir_permission(), |
| 2888 |
|
ccs_unlink_permission(), ccs_symlink_permission(), ccs_link_permission(), |
| 2889 |
|
ccs_rename_permission() that are called from fs/namei.c |
| 2890 |
|
net/unix/af_unix.c include/linux/security.c security/security.c . |
| 2891 |
|
If you have your own ccs-patch-*.diff , please update accordingly. |
| 2892 |
|
|
| 2893 |
|
Version 1.8.2 2011/06/20 Usability enhancement release. |
| 2894 |
|
|
| 2895 |
|
Fix 2011/07/07 |
| 2896 |
|
|
| 2897 |
|
@ Remove /proc/ccs/.domain_status interface. |
| 2898 |
|
|
| 2899 |
|
Writing to /proc/ccs/.domain_status can be emulated by |
| 2900 |
|
|
| 2901 |
|
( echo "select " $domainname; echo "use_profile " $profile ) | |
| 2902 |
|
/usr/sbin/ccs-loadpolicy -d |
| 2903 |
|
|
| 2904 |
|
and reading from /proc/ccs/.domain_status can be emulated by |
| 2905 |
|
|
| 2906 |
|
grep -A 1 '^<' /proc/ccs/domain_policy | |
| 2907 |
|
awk ' { if ( domainname == "" ) { if ( substr($1, 1, 1) == "<" ) |
| 2908 |
|
domainname = $0; } else if ( $1 == "use_profile" ) { |
| 2909 |
|
print $2 " " domainname; domainname = ""; } } ; ' |
| 2910 |
|
|
| 2911 |
|
. Since this interface is used by only /usr/sbin/ccs-setprofile , |
| 2912 |
|
remove this interface by updating /usr/sbin/ccs-setprofile . |
TOMOYO
Parent Directory
Revision Log
Patch