| 475 |
succeeds to invoke do_execve() with filename = "/bin/ls" and |
succeeds to invoke do_execve() with filename = "/bin/ls" and |
| 476 |
argv[0] = "/bin/cat". |
argv[0] = "/bin/cat". |
| 477 |
|
|
| 478 |
I introduced a keyword that permits the mismatch of |
I introduced a directive that permits the mismatch of |
| 479 |
basename of filename and argv[0]. |
basename of filename and argv[0]. |
| 480 |
|
|
| 481 |
Fix 2006/08/10 |
Fix 2006/08/10 |
| 1259 |
|
|
| 1260 |
Fix 2008/03/03 |
Fix 2008/03/03 |
| 1261 |
|
|
| 1262 |
@ Add "force_alt_exec" keyword. |
@ Add "force_alt_exec" directive. |
| 1263 |
|
|
| 1264 |
To be able to fully utilize "alt_exec" feature, |
To be able to fully utilize "alt_exec" feature, |
| 1265 |
I added "force_alt_exec" keyword so that |
I added "force_alt_exec" directive so that |
| 1266 |
all execute requests are replaced by the execute request of a program |
all execute requests are replaced by the execute request of a program |
| 1267 |
specified by alt_exec feature. |
specified by alt_exec feature. |
| 1268 |
|
|
| 1269 |
If this keyword is specified for a domain, the domain no longer |
If this directive is specified for a domain, the domain no longer |
| 1270 |
executes any programs regardless of the mode of file access control |
executes any programs regardless of the mode of file access control |
| 1271 |
(i.e. the domain won't execute even if MAC_FOR_FILE=0 ). |
(i.e. the domain won't execute even if MAC_FOR_FILE=0 ). |
| 1272 |
Instead, the domain executes the program specified by alt_exec feature |
Instead, the domain executes the program specified by alt_exec feature |
| 1301 |
|
|
| 1302 |
Fix 2008/03/10 |
Fix 2008/03/10 |
| 1303 |
|
|
| 1304 |
@ Rename "force_alt_exec" keyword to "execute_handler". |
@ Rename "force_alt_exec" directive to "execute_handler". |
| 1305 |
|
|
| 1306 |
To be able to use different programs for validating execve() parameters, |
To be able to use different programs for validating execve() parameters, |
| 1307 |
I moved the location to specify the program's pathname from profile |
I moved the location to specify the program's pathname from profile |
| 1308 |
to domain policy. |
to domain policy. |
| 1309 |
|
|
| 1310 |
The "execute_handler" keyword takes one pathname which is |
The "execute_handler" directive takes one pathname which is |
| 1311 |
invoked whenever execve() request is issued. Thus, any "allow_execute" |
invoked whenever execve() request is issued. Thus, any "allow_execute" |
| 1312 |
keywords in a domain with "execute_handler" are ignored. |
directives in a domain with "execute_handler" are ignored. |
| 1313 |
This keyword is designed for validating expected/desirable execve() |
This directive is designed for validating expected/desirable execve() |
| 1314 |
requests in userspace, although there is no way to tell the caller |
requests in userspace, although there is no way to tell the caller |
| 1315 |
that the execve() request was rejected. |
that the execve() request was rejected. |
| 1316 |
|
|
| 1317 |
@ Rename "alt_exec" keyword to "denied_execute_handler". |
@ Rename "alt_exec" directive to "denied_execute_handler". |
| 1318 |
|
|
| 1319 |
The "denied_execute_handler" keyword takes one pathname which is |
The "denied_execute_handler" directive takes one pathname which is |
| 1320 |
invoked only when execve() request was rejected. In other words, |
invoked only when execve() request was rejected. In other words, |
| 1321 |
this program is invoked only when the following conditions are met. |
this program is invoked only when the following conditions are met. |
| 1322 |
|
|
| 1323 |
(1) None of "allow_execute" keywords in the domain matched. |
(1) None of "allow_execute" directives in the domain matched. |
| 1324 |
(2) The execve() request was rejected in enforcing mode. |
(2) The execve() request was rejected in enforcing mode. |
| 1325 |
(3) "execute_handler" keyword is not used by the domain. |
(3) "execute_handler" directive is not used by the domain. |
| 1326 |
|
|
| 1327 |
This keyword is designed for handling unexpected/undesirable execve() |
This directive is designed for handling unexpected/undesirable execve() |
| 1328 |
requests, to redirect the process issuing such requests to somewhere. |
requests, to redirect the process issuing such requests to somewhere. |
| 1329 |
|
|
| 1330 |
Fix 2008/03/18 |
Fix 2008/03/18 |
| 1342 |
@ Disable execute handler loop. |
@ Disable execute handler loop. |
| 1343 |
|
|
| 1344 |
To be able to use "execute_handler" in a "keep_domain" domain, |
To be able to use "execute_handler" in a "keep_domain" domain, |
| 1345 |
ignore "execute_handler" and "denied_execute_handler" keywords |
ignore "execute_handler" and "denied_execute_handler" directives |
| 1346 |
if the current process is executing programs specified by |
if the current process is executing programs specified by |
| 1347 |
"execute_handler" or "denied_execute_handler" keyword. |
"execute_handler" or "denied_execute_handler" directive. |
| 1348 |
|
|
| 1349 |
This exception is needed to avoid infinite execute handler loop. |
This exception is needed to avoid infinite execute handler loop. |
| 1350 |
If a domain has both "keep_domain" and "execute_handler", |
If a domain has both "keep_domain" and "execute_handler", |
| 1501 |
@ Return 0 when ccs_may_umount() succeeds. |
@ Return 0 when ccs_may_umount() succeeds. |
| 1502 |
|
|
| 1503 |
I forgot to clear error value in ccs_may_umount() when the requested |
I forgot to clear error value in ccs_may_umount() when the requested |
| 1504 |
directory didn't match "deny_unmount" keyword. As a result, any umount() |
directory didn't match "deny_unmount" directive. As a result, any umount() |
| 1505 |
request with RESTRICT_UNMOUNT=enforcing returned -EPERM error. |
request with RESTRICT_UNMOUNT=enforcing returned -EPERM error. |
| 1506 |
|
|
| 1507 |
Version 1.6.2 2008/06/25 Usability enhancement release. |
Version 1.6.2 2008/06/25 Usability enhancement release. |
| 1630 |
@ Don't transit to new domain until do_execve() succeeds. |
@ Don't transit to new domain until do_execve() succeeds. |
| 1631 |
|
|
| 1632 |
Until now, a process's domain was updated to new domain which the process |
Until now, a process's domain was updated to new domain which the process |
| 1633 |
will belongs to before do_execve() succeeds so that the kernel can do |
will belong to before do_execve() succeeds so that the kernel can do |
| 1634 |
permission checks for interpreters and environment variables based on |
permission checks for interpreters and environment variables based on |
| 1635 |
new domain. But this caused a subtle problem when other process sends |
new domain. But this caused a subtle problem when other process sends |
| 1636 |
signals to the process, for the process returns to old domain if |
signals to the process, for the process returns to old domain if |
| 1708 |
|
|
| 1709 |
I modified to use task_tgid_nr_ns() for 2.6.25 and later instead for |
I modified to use task_tgid_nr_ns() for 2.6.25 and later instead for |
| 1710 |
current->tgid when checking /proc/self/ in get_absolute_path(). |
current->tgid when checking /proc/self/ in get_absolute_path(). |
| 1711 |
|
|
| 1712 |
|
Fix 2008/11/07 |
| 1713 |
|
|
| 1714 |
|
@ Fix is_alphabet_char(). |
| 1715 |
|
|
| 1716 |
|
is_alphabet_char() should match 'A' - 'Z' and 'a' - 'z', |
| 1717 |
|
but was matching from 'A' - 'F' and 'a' - 'f'. |
| 1718 |
|
|
| 1719 |
|
@ Add /proc/ccs/.execute_handler . |
| 1720 |
|
|
| 1721 |
|
Process information became visible to userspace by |
| 1722 |
|
"Show process information in /proc/ccs/.process_status" feature. |
| 1723 |
|
However, programs specified by execute_handler directive may run as |
| 1724 |
|
non root user, making it impossible to see process information. |
| 1725 |
|
|
| 1726 |
|
So, I added a new interface that allows execute handler processes |
| 1727 |
|
to see process information. The content of /proc/ccs/.execute_handler is |
| 1728 |
|
identical to /proc/ccs/.process_status . |
| 1729 |
|
|
| 1730 |
|
Version 1.6.5 2008/11/11 Third anniversary release. |
| 1731 |
|
|
| 1732 |
|
Fix 2008/12/01 |
| 1733 |
|
|
| 1734 |
|
@ Introduce "task.type=execute_handler" condition. |
| 1735 |
|
|
| 1736 |
|
The execute_handler directive is very very powerful. You can use this |
| 1737 |
|
directive to do anything you want to do (e.g. logging and validating and |
| 1738 |
|
modifying command line parameters and environment variables, opening and |
| 1739 |
|
closing and redirecting files, creating pipes to implement antivirus and |
| 1740 |
|
spam filtering, deploying a DMZ between the ssh daemon and the login |
| 1741 |
|
shells). |
| 1742 |
|
|
| 1743 |
|
To be able to use this directive in a domain with keep_domain directive |
| 1744 |
|
while limiting access to resources needed for such purposes to only |
| 1745 |
|
programs invoked as an execute handler process, I added a new condition. |
| 1746 |
|
|
| 1747 |
|
In learning mode, "if task.type=execute_handler" condition part will be |
| 1748 |
|
automatically added for requests issued by an execute_handler process. |
| 1749 |
|
|
| 1750 |
|
@ Introduce file's type and permissions as conditions. |
| 1751 |
|
|
| 1752 |
|
To be able to limit file types a process can access, I added |
| 1753 |
|
new conditions for checking file's type and permissions. |
| 1754 |
|
For example, |
| 1755 |
|
|
| 1756 |
|
allow_read /etc/fstab if path1.type=regular path1.perm=0644 |
| 1757 |
|
|
| 1758 |
|
will allow opening /etc/fstab for reading only if /etc/fstab is a regular |
| 1759 |
|
file and it's permission is 0644, and |
| 1760 |
|
|
| 1761 |
|
allow_write /dev/null if path1.type=char path1.dev_major=1 path1.dev_minor=3 |
| 1762 |
|
|
| 1763 |
|
will allow opening /dev/null for writing only if /dev/null is a character |
| 1764 |
|
device file with major=1 and minor=3 attributes. |
| 1765 |
|
|
| 1766 |
|
@ Add memory quota for temporary memory used for auditing. |
| 1767 |
|
|
| 1768 |
|
Although there are MAX_GRANT_LOG and MAX_REJECT_LOG parameters |
| 1769 |
|
which limit the number of entries for audit logs so that we can avoid |
| 1770 |
|
memory consumption by audit logs, it would be more convenient if we can |
| 1771 |
|
also limit the size in bytes. |
| 1772 |
|
Thus, I added a new quota line. |
| 1773 |
|
|
| 1774 |
|
echo Dynamic: 1048576 > /proc/ccs/meminfo |
| 1775 |
|
|
| 1776 |
|
This quota is not applied to temporary memory used for permission checks. |
| 1777 |
|
|
| 1778 |
|
Fix 2008/12/09 |
| 1779 |
|
|
| 1780 |
|
@ Fix ccs_can_save_audit_log() checks. |
| 1781 |
|
|
| 1782 |
|
Due to incorrect statement "if (ccs_can_save_audit_log() < 0)" |
| 1783 |
|
while ccs_can_save_audit_log() is boolean, MAX_GRANT_LOG and |
| 1784 |
|
MAX_REJECT_LOG were not working. |
| 1785 |
|
|
| 1786 |
|
This bug will trigger OOM killer if /usr/sbin/ccs-auditd is not working. |
| 1787 |
|
|
| 1788 |
|
Fix 2008/12/24 |
| 1789 |
|
|
| 1790 |
|
@ Add "ccs_" prefix. |
| 1791 |
|
|
| 1792 |
|
To be able to tell whether a symbol is TOMOYO Linux related or not, |
| 1793 |
|
I added "ccs_" prefix as much as possible. |
| 1794 |
|
|
| 1795 |
|
@ Fix ccs_check_flags() error message. |
| 1796 |
|
|
| 1797 |
|
I meant to print SYAORAN-ERROR: message when error == -EPERM, |
| 1798 |
|
but I was printing it when error == 0 since 1.6.0 . |
TOMOYO
Parent Directory
Revision Log
Patch