[tomoyo-users-en 111] About TOMOYO 1.7.1

Tetsuo Handa
Tue Nov 3 20:59:20 JST 2009


I'm planning to release TOMOYO 1.7.1 ("4th anniversary release") on November
11th. It contains various bug fixes and some enhancements. Major changes are
shown below.

(1) Added recursive directory matching operators.

    "/\{" and "\}/" are added. The pattern /\{dir\}/ matches '/' followed by one
    or more repetitions of 'dir/' (e.g. /dir/ /dir/dir/ /dir/dir/dir/ ).
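    As an added example (not TOMOYO's own code), the following minimal C matcher
    implements the recursive directory operator described above. It assumes the
    text between "/\{" and "\}/" is a literal directory name and does not handle
    TOMOYO's other wildcards; the function name tomoyo_rec_match is made up here.

```c
/* Minimal matcher for the "/\{dir\}/" operator: added example, not TOMOYO code.
 * Assumption: the name inside the braces is literal (no other wildcards). */
#include <stdbool.h>
#include <string.h>

#define REC_OPEN  "/\\{"
#define REC_CLOSE "\\}/"

/* Returns true when `path` matches `pattern`. Text outside the operator is
 * compared literally; the operator requires one or more "dir/" repetitions. */
bool tomoyo_rec_match(const char *pattern, const char *path)
{
    const char *open = strstr(pattern, REC_OPEN);
    const char *name, *close, *rest;
    size_t prefix_len, name_len;

    if (!open)                      /* no operator: plain literal comparison */
        return strcmp(pattern, path) == 0;
    name = open + strlen(REC_OPEN);
    close = strstr(name, REC_CLOSE);
    if (!close)                     /* malformed pattern: unterminated operator */
        return false;

    /* Everything up to and including the '/' before "\{" must match literally. */
    prefix_len = (size_t)(open - pattern) + 1;
    if (strncmp(pattern, path, prefix_len) != 0)
        return false;
    path += prefix_len;

    name_len = (size_t)(close - name);
    rest = close + strlen(REC_CLOSE) - 1; /* keep the '/' closing the operator */
    for (;;) {
        /* Each repetition is "dir" followed by a '/' separator. */
        if (strncmp(path, name, name_len) != 0 || path[name_len] != '/')
            return false;
        path += name_len;           /* path now starts with '/' */
        if (tomoyo_rec_match(rest, path))
            return true;            /* remaining pattern matches after this repetition */
        path++;                     /* consume the '/' and try one more repetition */
    }
}
```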

(2) Embedded more information into audit logs.

    Until now, /proc/ccs/grant_log /proc/ccs/reject_log /proc/ccs/query did
    not print the file's information (e.g. the file's uid/gid/mode).

    Recently, users who started using "if" clause expect that the learning
    mode automatically adds various conditions like "if task.uid=path1.uid".

    But the profile will become too complicated if I support all possible
    conditions. Thus, I added to the audit logs all the information needed to
    generate an "if" clause with all possible conditions from the audit logs.

    The learning mode now has a different usage. Users can specify
    "CONFIG::learning={ max_entry=0 }" in the profile. All requests which
    are not permitted by policy will be sent to /proc/ccs/reject_log with
    "mode=learning" header lines. Users can selectively append conditions
    and add the entries to the policy using "/usr/sbin/ccs-loadpolicy -d".
    The learning mode with "CONFIG::learning={ max_entry=0 }" is almost
    the same as the permissive mode; the only difference is "mode=learning"
    versus "mode=permissive".

(3) Made pathname for activating TOMOYO configurable.

    Until now, the pathnames we can use for activating TOMOYO's functionality were
    hard coded (either /sbin/init or /sbin/ccs-init). Android does not have
    /sbin/init but it is difficult to start /sbin/ccs-init before daemon
    processes start. Thus, I decided to activate TOMOYO when /init starts.

    I made the alternative trigger (/sbin/ccs-start) and the default policy
    loader (/sbin/ccs-init) configurable. You can specify different pathnames
    (e.g. /init or /linuxrc) instead of /sbin/ccs-init for environments which
    do not have /sbin/init.

(4) Fixed oops when path_group and number_group were not read out atomically.

    I forgot to escape from nested loops correctly when reading path_group and
    number_group. As a result, reading path_group and number_group caused a
    kernel oops when they were not read atomically.

(5) Fixed memory leak when the same address_group was added.

    I forgot to call kfree() if the same address_group was added.

(6) Fixed buffer contention when allow_env is used with argv[]/envp[].

    A permission like

      allow_env PATH if exec.envp["PATH"]="/"

    was not working since I was using the same buffer for both the environment
    variable's name and its value.

(7) Fixed stall or incorrect comparison when "if" clause exceeded 255 bytes.

    I was using "u8" for the size parameter by mistake. As a result, when
    size >= 256 was passed to ccs_memcmp(), it did a partial comparison
    (incorrect result) or a read overrun (CPU stall). An "if" clause can exceed
    255 bytes if a complicated condition is given.

(8) Fixed error code when execute_handler and denied_execute_handler failed.

    ccs_try_alt_exec() was returning ENOMEM when kmalloc() failed.
    It needs to return -ENOMEM to fail.

Ubuntu 9.10's kernel is built with both AppArmor and TOMOYO, but TOMOYO 2.2.0
is terribly lacking in functionality (e.g. no audit logs, no network). Thus, I
will provide TOMOYO 1.7.x binary packages for Ubuntu 9.10. You can download
binary kernel packages for Ubuntu 9.10 (made using the above snapshot) from


