--- trunk/1.6.x/ccs-patch/README.ccs 2008/07/01 07:57:13 1366 +++ trunk/1.6.x/ccs-patch/README.ccs 2009/05/19 01:11:55 2562 @@ -475,7 +475,7 @@ succeeds to invoke do_execve() with filename = "/bin/ls" and argv[0] = "/bin/cat". - I introduced a keyword that permits the mismatch of + I introduced a directive that permits the mismatch of basename of filename and argv[0]. Fix 2006/08/10 @@ -1259,14 +1259,14 @@ Fix 2008/03/03 - @ Add "force_alt_exec" keyword. + @ Add "force_alt_exec" directive. To be able to fully utilize "alt_exec" feature, - I added "force_alt_exec" keyword so that + I added "force_alt_exec" directive so that all execute requests are replaced by the execute request of a program specified by alt_exec feature. - If this keyword is specified for a domain, the domain no longer + If this directive is specified for a domain, the domain no longer executes any programs regardless of the mode of file access control (i.e. the domain won't execute even if MAC_FOR_FILE=0 ). Instead, the domain executes the program specified by alt_exec feature @@ -1301,30 +1301,30 @@ Fix 2008/03/10 - @ Rename "force_alt_exec" keyword to "execute_handler". + @ Rename "force_alt_exec" directive to "execute_handler". To be able to use different programs for validating execve() parameters, I moved the location to specify the program's pathname from profile to domain policy. - The "execute_handler" keyword takes one pathname which is + The "execute_handler" directive takes one pathname which is invoked whenever execve() request is issued. Thus, any "allow_execute" - keywords in a domain with "execute_handler" are ignored. - This keyword is designed for validating expected/desirable execve() + directives in a domain with "execute_handler" are ignored. + This directive is designed for validating expected/desirable execve() requests in userspace, although there is no way to tell the caller that the execve() request was rejected. - @ Rename "alt_exec" keyword to "denied_execute_handler". + @ Rename "alt_exec" directive to "denied_execute_handler". - The "denied_execute_handler" keyword takes one pathname which is + The "denied_execute_handler" directive takes one pathname which is invoked only when execve() request was rejected. In other words, this program is invoked only when the following conditions are met. - (1) None of "allow_execute" keywords in the domain matched. + (1) None of "allow_execute" directives in the domain matched. (2) The execve() request was rejected in enforcing mode. - (3) "execute_handler" keyword is not used by the domain. + (3) "execute_handler" directive is not used by the domain. - This keyword is designed for handling unexpected/undesirable execve() + This directive is designed for handling unexpected/undesirable execve() requests, to redirect the process issuing such requests to somewhere. Fix 2008/03/18 @@ -1342,9 +1342,9 @@ @ Disable execute handler loop. To be able to use "execute_handler" in a "keep_domain" domain, - ignore "execute_handler" and "denied_execute_handler" keywords + ignore "execute_handler" and "denied_execute_handler" directives if the current process is executing programs specified by - "execute_handler" or "denied_execute_handler" keyword. + "execute_handler" or "denied_execute_handler" directive. This exception is needed to avoid infinite execute handler loop. If a domain has both "keep_domain" and "execute_handler", @@ -1501,7 +1501,7 @@ @ Return 0 when ccs_may_umount() succeeds. I forgot to clear error value in ccs_may_umount() when the requested - directory didn't match "deny_unmount" keyword. As a result, any umount() + directory didn't match "deny_unmount" directive. As a result, any umount() request with RESTRICT_UNMOUNT=enforcing returned -EPERM error. Version 1.6.2 2008/06/25 Usability enhancement release. @@ -1513,3 +1513,468 @@ RedHat Linux 9's 2.4.20 kernel backported O(1) scheduler patch, resulting compilation error at ccs_load_policy(). I added defined(TASK_DEAD) check. + +Fix 2008/07/08 + + @ Don't check permissions if vfsmount is NULL. + + Some filesystems (e.g. unionfs) pass NULL vfsmount. + I changed fs/tomoyo_file.c not to try to calculate pathnames + if vfsmount is NULL. + +Version 1.6.3 2008/07/15 Bug fix release. + +Fix 2008/08/21 + + @ Add workaround for gcc 4.3's bug. + + In some environments, fs/tomoyo_network.c could not be compiled + because of gcc 4.3's bug. + I modified save_ipv6_address() to use "integer literal" value + instead for "static const u8" variable. + + @ Change prototypes of some functions. + + To support 2.6.27 kernels, I replaced "struct nameidata" with + "struct path" for some functions. + + @ Detect distributor specific patches automatically. + + Since kernels with AppArmor patch applied is increasing, + I introduced a mechanism which determines whether specific patches + are applied or not, based on "#define" directives in the patches. + +Fix 2008/08/29 + + @ Remove "-ccs" suffix from Makefile's EXTRAVERSION. + + To reduce conflicts on Makefile's EXTRAVERSION, + I removed "-ccs" suffix from ccs-patch-2.\*.diff . + Those who build kernels without using specs/build-\*.sh , + please edit EXTRAVERSION tag manually so that original kernels + will not be overwritten by TOMOYO Linux kernels. + +Version 1.6.4 2008/09/03 Minor update release. + +Fix 2008/09/09 + + @ Add "try again" response to "delayed enforcing" mode. + + To be able to handle pathname changes caused by software updates, + "delayed enforcing" mode was introduced. It allows administrator to + grant access requests which are about to be rejected by the kernel. + + To be able to handle pathname changes caused by software updates better, + I introduced "try again" response. As "delayed enforcing" mode sleeps + a process which violated policy, administrator can update policy while + the process is sleeping. This "try again" response allows administrator + to restart policy checks from the beginning after updating policy. + +Fix 2008/09/11 + + @ Remember whether the process is allowed to write to /proc/ccs/ interface. + + Since programs for manipulating policy (e.g. ccs-queryd ) are installed + in the form of RPM/DEB packages, these programs lose the original + pathnames when they are updated by the package manager. The package + manager renames these programs before deleting these programs so that + the package manager can rollback the operation. + This causes a problem when the programs are listed into /proc/ccs/manager + using pathnames, as the programs will no longer be allowed to write to + /proc/ccs/ interface while the process of old version of the program is + alive. + + To solve this problem, I modified to remember the fact that the process + is once allowed to write to /proc/ccs/ interface until the process + attempts to execute a different program. + This change makes it impossible to revoke permission to write to + /proc/ccs/ interface without killing the process, but it will be better + than nonfunctioning ccs-queryd program. + +Fix 2008/09/19 + + @ Allow selecting a domain by PID. + + Sometimes we want to know what ACLs are given to specific PID, but + finding a domainname for that PID from /proc/ccs/.process_status and + reading ACLs from /proc/ccs/domain_policy by the domainname is very slow. + Thus, I modified /proc/ccs/domain_policy to allow selecting a domain by + PID. For example, to read domain ACL of current process from bash, + run as follows. + + # exec 100<>/proc/ccs/domain_policy + # echo select pid=$$ >&100 + # while read -u 100; do echo $REPLY; done + + If a domain is once selected by PID, reading /proc/ccs/domain_policy will + print only that domain if that PID exists or print nothing otherwise. + + @ Disallow concurrent /proc/ccs/ access using the same file descriptor. + + Until now, one process can read() from /proc/ccs/ while other process + that shares the file descriptor can write() to /proc/ccs/ . + But to implement "Allow selecting a domain by PID" feature, I disabled + concurrent read()/write() because the feature need to modify read buffer + while writing. + +Fix 2008/10/01 + + @ Add retry counter into /proc/ccs/query . + + To be able to handle some of queries from /proc/ccs/query without user's + interaction, I added retry counter for avoiding infinite loop caused by + "try again" response. + +Fix 2008/10/07 + + @ Don't transit to new domain until do_execve() succeeds. + + Until now, a process's domain was updated to new domain which the process + will belong to before do_execve() succeeds so that the kernel can do + permission checks for interpreters and environment variables based on + new domain. But this caused a subtle problem when other process sends + signals to the process, for the process returns to old domain if + do_execve() failed. + + So, I modified to pass new domain to functions so that I can avoid + modifying a process's domain before do_execve() succeeds. + + @ Use old task state for audit logs. + + Until now, audit logs were generated using the task state after + processing "; set task.state" part. But to generate accurate logs, + I modified to save the task state before processing "; set task.state" + part and use the saved state for audit logs. + + @ Use a structure for passing parameters. + + As the number of parameters is increasing, I modified to use a structure + for passing parameters. + +Fix 2008/10/11 + + @ Remove domain_acl_lock mutex. + + I noticed that I don't need to keep all functions that modify an ACL of + a domain mutually exclusive. Since each functions handles different type + of ACL, locking is needed only when they append an ACL to a domain. + So, I modified to use local locks. + +Fix 2008/10/14 + + @ Fix ccs_check_condition() bug. + + Due to a bug in ccs_check_condition(), it was impossible to use + task.state[0] task.state[1] task.state[2] inside condition part + if the ACL does not treat a pathname. For example, an ACL like + + allow_network TCP connect @HTTP_SERVERS 80 if task.state[0]=100 + + didn't work. + +Fix 2008/10/15 + + @ Show process information in /proc/ccs/.process_status . + + To be able to determine a process's type, I added a command "info PID" + which returns process information of the specified PID in + "PID manager=\* execute_handler=\* state[0]=\$ state[1]=\$ state[2]=\$" + format. + +Fix 2008/10/20 + + @ Use rcu_dereference() when walking the list. + + I was using "dependency ordering" for appending an element to a list + without asking the reader to take a lock. But "dependency ordering" + is not respected by DEC Alpha or by some aggressive value-speculation + compiler optimizations. + + On such environment, use of "dependency ordering" can lead to system + crash because the reader might read uninitialized value of newly + appended element. + + To prevent the reader from reading uninitialized value of newly appended + element, I inserted rcu_dereference() when walking the list. + +Fix 2008/11/04 + + @ Use sys_getpid() instead for current->pid. + + Kernel 2.6.24 introduced PID namespace. + + To compare PID given from userland, I can't use current->pid. + So, I modified to use sys_getpid() instead for current->pid. + + I modified to use task_tgid_nr_ns() for 2.6.25 and later instead for + current->tgid when checking /proc/self/ in get_absolute_path(). + +Fix 2008/11/07 + + @ Fix is_alphabet_char(). + + is_alphabet_char() should match 'A' - 'Z' and 'a' - 'z', + but was matching from 'A' - 'F' and 'a' - 'f'. + + @ Add /proc/ccs/.execute_handler . + + Process information became visible to userspace by + "Show process information in /proc/ccs/.process_status" feature. + However, programs specified by execute_handler directive may run as + non root user, making it impossible to see process information. + + So, I added a new interface that allows execute handler processes + to see process information. The content of /proc/ccs/.execute_handler is + identical to /proc/ccs/.process_status . + +Version 1.6.5 2008/11/11 Third anniversary release. + +Fix 2008/12/01 + + @ Introduce "task.type=execute_handler" condition. + + The execute_handler directive is very very powerful. You can use this + directive to do anything you want to do (e.g. logging and validating and + modifying command line parameters and environment variables, opening and + closing and redirecting files, creating pipes to implement antivirus and + spam filtering, deploying a DMZ between the ssh daemon and the login + shells). + + To be able to use this directive in a domain with keep_domain directive + while limiting access to resources needed for such purposes to only + programs invoked as an execute handler process, I added a new condition. + + In learning mode, "if task.type=execute_handler" condition part will be + automatically added for requests issued by an execute_handler process. + + @ Introduce file's type and permissions as conditions. + + To be able to limit file types a process can access, I added + new conditions for checking file's type and permissions. + For example, + + allow_read /etc/fstab if path1.type=file path1.perm=0644 + + will allow opening /etc/fstab for reading only if /etc/fstab is a regular + file and it's permission is 0644, and + + allow_write /dev/null if path1.type=char path1.dev_major=1 path1.dev_minor=3 + + will allow opening /dev/null for writing only if /dev/null is a character + device file with major=1 and minor=3 attributes. + + @ Add memory quota for temporary memory used for auditing. + + Although there are MAX_GRANT_LOG and MAX_REJECT_LOG parameters + which limit the number of entries for audit logs so that we can avoid + memory consumption by audit logs, it would be more convenient if we can + also limit the size in bytes. + Thus, I added a new quota line. + + echo Dynamic: 1048576 > /proc/ccs/meminfo + + This quota is not applied to temporary memory used for permission checks. + +Fix 2008/12/09 + + @ Fix ccs_can_save_audit_log() checks. + + Due to incorrect statement "if (ccs_can_save_audit_log() < 0)" + while ccs_can_save_audit_log() is boolean, MAX_GRANT_LOG and + MAX_REJECT_LOG were not working. + + This bug will trigger OOM killer if /usr/sbin/ccs-auditd is not working. + +Fix 2008/12/24 + + @ Add "ccs_" prefix. + + To be able to tell whether a symbol is TOMOYO Linux related or not, + I added "ccs_" prefix as much as possible. + + @ Fix ccs_check_flags() error message. + + I meant to print SYAORAN-ERROR: message when error == -EPERM, + but I was printing it when error == 0 since 1.6.0 . + +Fix 2009/01/05 + + @ Use kmap_atomic()/kunmap_atomic() for reading "struct linux_binprm". + + As remove_arg_zero() uses kmap_atomic(KM_USER0), I modified to use + kmap_atomic(KM_USER0) rather than kmap(). + +Fix 2009/01/28 + + @ Fix "allow_read" + "allow_write" != "allow_read/write" problem. + + Since 1.6.0 , due to a bug in ccs_update_single_path_acl(), + appending "allow_read/write" entry didn't update internal "allow_read" + and "allow_write" entries. As a result, attempt to open(O_RDWR) succeeds + but open(O_RDONLY) and open(O_WRONLY) fail. + + Workaround is to write an entry twice when newly appending that entry. + If written twice, internal "allow_read" and "allow_write" entries + are updated. + +Fix 2009/02/26 + + @ Fix profile read error. + + Incorrect profiles were shown in /proc/ccs/profile + if either CONFIG_SAKURA or CONFIG_TOMOYO is disabled. + +Fix 2009/03/02 + + @ Undelete CONFIG_TOMOYO_AUDIT option. + + While HDD-less systems can use profiles with MAX_GRANT_LOG=0 and + MAX_REJECT_LOG=0 , I undeleted CONFIG_TOMOYO_AUDIT option for saving + memory used for /proc/ccs/grant_log and /proc/ccs/reject_log interfaces. + +Fix 2009/03/13 + + @ Show only profile entry names ever specified. + + Even if an administrator specifies only COMMENT= and MAC_FOR_FILE= + entries for /proc/ccs/profile , all available profile entries are shown. + This was designed to help administrators to know what entries are + available, but sometimes makes administrators feel noisy because of + entries showing default values. + + Thus, I modified to show only profile entry names ever specified. + +Fix 2009/03/18 + + @ Add MAC_FOR_IOCTL functionality. + + To be able to restrict ioctl() requests, I added MAC_FOR_IOCTL + functionality. + + This functionality requires modification of ccs-patch-\*.diff . + + @ Use better name for socket's pathname. + + Until now, socket's pathname was represented as "socket:[\$]" format + where \$ is inode's number. But inode's number is useless for name based + access control. Therefore, I modified to represent socket's pathname as + "socket:[family=\$:type=\$:protocol=\$]" format. + + This will help administrator to control ioctl() against sockets more + precisely. + + @ Fix misplaced ccs_capable() call. (only 2.6.8-\* and 2.6.9-\*) + + Location to insert ccs_capable(TOMOYO_SYS_IOCTL) in sys_ioctl() was + wrong since version 1.1 . + + @ Insert ccs_check_ioctl_permission() call. + + To make MAC_FOR_IOCTL functionality working, I inserted + ccs_check_ioctl_permission() call into ccs-patch-\*.diff . + +Fix 2009/03/23 + + @ Move sysctl()'s check from ccs-patch-\*.diff to fs/tomoyo_file.c . + + Since try_parse_table() in kernel/sysctl.c is almost identical between + all versions, I moved that function to fs/tomoyo_file.c . + + @ Relocate definitions and functions. + + To reduce exposed symbols, I relocated some definitions and functions. + +Fix 2009/03/24 + + @ Add CONFIG_TOMOYO_BUILTIN_INITIALIZERS option. + + Some systems don't have /sbin/modprobe and /sbin/hotplug . + Thus, I made these pathnames configurable. + +Version 1.6.7 2009/04/01 Feature enhancement release. + +Fix 2009/04/06 + + @ Drop "undelete domain" command. + + I added "undelete domain" command on 2007/01/19, but never used by policy + management tools. The garbage collector I added on 2007/01/29 will + automatically reuse memory and allow administrators switch domain policy + periodically, provided that the administrator kills processes in old + domains before recreating new domains with the same domainnames. + + Thus, I dropped "undelete domain" command. + + @ Escape invalid characters in ccs_check_mount_permission2(). + + ccs_check_mount_permission2() was passing unencoded strings to printk() + and ccs_update_mount_acl() and ccs_check_supervisor(). This may cause + /proc/ccs/system_policy and /proc/ccs/query to contain invalid + characters within a string. + +Fix 2009/04/07 + + @ Fix IPv4's "address_group" handling error. + + Since 1.6.5 , due to lack of ntohl() (byte order conversion) in + ccs_update_address_group_entry(), "address_group" with IPv4 address was + not working. + + This problem happens on little endian platforms (e.g. x86). + +Fix 2009/04/20 + + @ Update recvmsg() hooks. + + Since 1.5.0, I was doing network access control for incoming UDP and RAW + packets inside skb_recv_datagram(). But to synchronize with LSM version, + I moved ccs_recv_datagram_permission() hook from skb_recv_datagram() to + udp_recvmsg()/udpv6_recvmsg()/raw_recvmsg()/rawv6_recvmsg() with name + change to ccs_recvmsg_permission(). + +Fix 2009/05/08 + + @ Add condition for symlink's target pathname. + + Until now, "allow_symlink" keyword allows creation of a symlink but does + not check the symlink's target. Usually it is no problem because + permission checks are done using dereferenced pathname. But in some + cases, we should restrict the symlink's target. For example, + "ln -s .htpasswd /var/www/html/readme.html" by CGI program should be + blocked because we will allow Apache to read both + /var/www/html/readme.html and /var/www/html/.htpasswd . + + Thus, I added new condition, "symlink.target". + + allow_symlink /var/www/html/\*.html if symlink.target="\*.html" + + allow_symlink /var/www/html/\*\-.\* if symlink.target="\*\-.\*" + + @ Don't return -EAGAIN at ccs_socket_recvmsg_permission(). + + It turned out that it is not permitted for accept() and recvmsg() to + return -EAGAIN if poll() said connections/datagrams are ready. However, + recvmsg() may return -EAGAIN and potentially confuse some applications + because ccs_socket_recvmsg_permission() is returning -EAGAIN. + + Thus, I modified ccs_socket_recvmsg_permission() to return -ENOMEM + rather than -EAGAIN. + +Fix 2009/05/19 + + @ Don't call get_fs_type() with a mutex held. + + Until now, when ccs_update_mount_acl() is called with unsupported + filesystem, /sbin/modprobe is executed from get_fs_type() to load + filesystem module. And get_fs_type() does not return until /sbin/modprobe + finishes. + + This means that it will cause deadlock if /sbin/modprobe (which is + executed via get_fs_type() in ccs_update_mount_acl()) calls + ccs_update_mount_acl(); although it won't happen unless an administrator + inserts execute_handler to call mount() requests in learning mode or to + add "allow_mount" entries to /proc/ccs/system_policy . + + I modified to unlock the mutex before calling get_fs_type(). + +Version 1.6.8 2009/05/?? Feature enhancement release.