Open-source software development and download

Subversion repository browser

Contents of /trunk/1.8.x/ccs-patch/README.ccs

Revision 1006
Tue Feb 26 08:37:13 2008 UTC by kumaneko
Original Path: trunk/1.6.x/ccs-patch/README.ccs
File size: 41950 byte(s)


Notes for TOMOYO Linux project

This is a handy Mandatory Access Control patch for Linux kernels.
This patch is released under the GPL.

Project URL: http://tomoyo.sourceforge.jp/

The authors of this patch (hereafter, we) don't have much experience
in kernel programming. We are worried that this patch may contain
some mistakes such as missing hooks, improper location of hooks, or
potential deadlocks. There may be a better way of implementation.
All kinds of comments, pointing out of errors, and suggestions are welcome.

We do hope this patch reduces the labor of server security management
and that you enjoy life with Linux.

This project was very much inspired by the comic "Card Captor SAKURA",
one of CLAMP's masterworks.
The names SAKURA, TOMOYO and SYAORAN were borrowed from the comic
with heartfelt thanks to CLAMP.



ChangeLog:

Version 1.0 2005/11/11 First release.

Fix 2005/11/18

@ Add missing setattr() hook in SYAORAN fs.

The setattr() check for special inodes was missing.

Fix 2005/11/25

@ Allow initrd.img to include /sbin/init .

Since version 1.0 loads policy when /sbin/init is called
for the first time, an initrd.img without the policy directory
mustn't start /sbin/init . This forced users not to use
an initrd.img that includes /sbin/init .
I modified it to delay loading policy if the policy directory
doesn't exist and wait for /sbin/init to be called again.

Fix 2005/12/02

@ Use lookup_one_len() instead of lookup_hash().

Kernel 2.6.15 changed the parameters of lookup_hash().
I modified it to use lookup_one_len() to keep compatibility.

Fix 2005/12/06

@ Add S_ISDIR() check in SYAORAN fs.

A malicious configuration file that attempts to create an inode
under a non-directory inode caused a segmentation fault.
Version 1.0.1 2005/12/08 Minor update release.

Fix 2006/01/04

@ Add CheckWritePermission() check in unix_bind().

I modified it to check write permission in unix_bind(), since
sys_mknod(S_IFSOCK) checks write permission.

@ Show hook version in proc_misc_init().

The hook part of this patch depends on the kernel's version,
while the rest of this patch doesn't.
I added the hook version so that the administrator can
know the last modified date of the hooks.

@ Move permission checks from filp_open() to open_namei().

I moved the location of the MAC permission check
from filp_open() to open_namei().

@ Fix an error in filp_open(). (only 2.6.15-rc5)

This error was only in the patch for 2.6.15-rc5 and
was fixed in the patch for 2.6.15.

Fix 2006/01/12

@ Add /proc/ccs/info/self_domain.

I added /proc/ccs/info/self_domain so that userland programs
can know the name of the domain they belong to if necessary.

Fix 2006/01/13

@ Merge constants for CheckTaskCapability().

I merged *_INHERITABLE_* and *_LOCAL_* to avoid always
calling CheckTaskCapability() with both constants.

@ DropTaskCapability() returns -EAGAIN on success.

DropTaskCapability() must not return 0 on success, since
DropTaskCapability() is called from do_execve().

@ Fix an error in the chroot() permission check.

The chroot() restriction was not working due to the following mistake.
CheckChRootPermission() || CheckTaskCapability() returns 0 or 1, while
CheckChRootPermission() | CheckTaskCapability() returns 0 or -EPERM.

Fix 2006/01/17

@ Suppress some of the debug messages in TOMOYO.

I added KERN_DEBUG to suppress some of the debug messages.

Fix 2006/01/19

@ Remove isRoot() checks in AddChrootACL() and AddMountACL().

I found a program that needs to chroot as non-root.
So, I stopped checking uid=euid=0 in these functions so that
"accept mode" can append ACLs.
isRoot() is checked in AddChrootPolicy() and AddMountPolicy().

@ Map NULL device name to "<NULL>" in AddMountACL().

VMware mounts vmware-hgfs with a NULL device name.
So I mapped the NULL device name to "<NULL>".

Fix 2006/01/20

@ Suppress some of the debug messages in SAKURA.

I added KERN_DEBUG to suppress some of the debug messages.

@ Call panic() if the given profile fails to load.

Call panic() if a profile index was given via the CCS= parameter
but the profile doesn't exist.
If the CCS= parameter is not given, the kernel attempts to load
profile 0, but it doesn't call panic() if profile 0 doesn't exist.

Fix 2006/01/24

@ Use full_name_hash() for IsGloballyReadableFile().

I modified it to use full_name_hash() for faster scanning.

@ Add signal checking condition in CheckSignalACL().

The documentation says "if the target domain's domainname
starts with the source domain's domainname, it is always granted",
but actually it isn't. I'll change the documentation instead of
changing the source code.

Also, the check for pid = -1 was missing. This error was fixed.

Fix 2006/02/09

@ Use mutex_lock()/mutex_unlock() instead of down()/up().

Kernel 2.6.16 changed the members of "struct inode".
I modified it to use mutex_lock()/mutex_unlock() for 2.6.16 and later
and down()/up() for before 2.6.16.
Version 1.0.2 2006/02/14 Many bug-fixes release.

Fix 2006/02/21

@ Divide generic write permission into individual write permissions.

Write permission was divided into the following permissions.

'mkdir' for creating a directory.
'rmdir' for deleting a directory.
'create' for creating a regular file.
'unlink' for deleting a non-directory.
'mksock' for creating a UNIX domain socket.
'mkfifo' for creating a FIFO.
'mkchar' for creating a character device.
'mkblock' for creating a block device.
'link' for creating a hard link.
'symlink' for creating a symbolic link.
'rename' for renaming a directory or non-directory.
'truncate' for truncating a regular file.

The permission check for opening files is done using
the conventional read/write/execute permission.

@ Add /proc/ccs/info/mapping.

I added /proc/ccs/info/mapping so that userland programs
can know the mapping of individual write permissions.

Fix 2006/02/27

@ Fix handling of trailing '\*' in PathMatchesToPattern().

PathMatchesToPattern("/tmp/", "/tmp/\*") returned true
because "\*" matches "zero or more characters
until '/' or end". But since this is a comparison between
a directory and a non-directory, this should not match.

This behavior causes the following security risks.
In enforce mode, allowing "2 /tmp/\*" grants
"mkdir /tmp/" and "rmdir /tmp/", which should be
granted only when "2 /tmp/" is allowed.
In accept mode, "mkdir /tmp/" or "rmdir /tmp/" appends
"2 /tmp/\*" to the domain policy if "file_pattern /tmp/\*"
is in the exception policy.

I changed it not to ignore the trailing '\*' in the pattern
if the pathname ends with '/'.

Fix 2006/03/01

@ Add missing spinlock in GetAbsolutePath().

vfsmount_lock was missing.

Fix 2006/03/08

@ Add support for "shared subtree" mount operations.

Kernel 2.6.15 introduced "shared subtree" functionality.
But CheckMountPermission() couldn't recognize the flags for
do_change_type().

@ Add support for more mount flags.

The atime/noatime, diratime/nodiratime and recurse/norecurse flags
are supported.

Fix 2006/03/20

@ Check port numbers only for AF_INET/AF_INET6.

CheckBindEntry() and CheckConnectEntry() should check port numbers
only when the given address family is either AF_INET or AF_INET6,
since an address family such as AF_UNSPEC could be passed to bind()
and connect() for PF_INET/PF_INET6 sockets.

Fix 2006/03/27

@ Use /proc/self/ rather than /proc/\$/ for the current process.

GetAbsolutePath() now uses "self" instead of the pid
if the current process refers to information related to itself.
This exception violates the rule "TOMOYO Linux's pathnames don't
contain symbolic links before the last '/'", but I think it is worth
doing so. The following are the merits gained by this exception.

It prevents administrators from granting redundant permissions
when a process needs to refer only to the current process's information.

It allows administrators to make the current process's information always
readable using the 'allow_read' directive.
Version 1.1 2006/04/01 Functionality enhancement release.

Fix 2006/04/03

@ Use a queue instead of a fixed-size array for the audit log.

WriteAuditLog() now uses a queue to save statically allocated memory.
Administrators can give any size for audit logs at runtime.

@ Use kzalloc() instead of kmalloc() + memset().

kmalloc() + memset() were replaced with kzalloc().

Fix 2006/04/04

@ Support "delayed enforcing" mode.

Until now, an access request was immediately rejected
if the policy doesn't allow that access and the system is
running in enforce mode.
Sometimes, especially after updating software,
some unexpected access requests arise from proper procedures.
Such access requests should be granted because
they are not caused by malicious attacks.
So I introduced a mechanism to allow the administrator some grace
to decide whether to grant or reject such access requests.
This mechanism is implemented in the following manner.
"Don't return immediately if permission is denied."
"Sleep for a while waiting for the administrator's decision."
"Return successfully if the administrator tells to do so."

Fix 2006/04/12

@ Fix handling of prefix in GetAbsolutePath().

Some objects don't have the prefix "/".
A pipe has the prefix "pipe:" and a socket has the prefix "socket:".
GetAbsolutePath() couldn't handle prefixes other than '/' properly.

@ Remove IsCorrectPath() checks for File Access Control functions.

File Access Control functions accepted only pathnames that start
with '/' because these functions assumed pathnames returned by
GetAbsolutePath() always start with '/'.
However, I found a program that opens an unnamed pipe via
(probably) the /proc/PID/fd/ directory. (You can see entries like
"pipe:[number]" if you run "ls -l /proc/*/fd/".)
Now, File Access Control functions have to accept pathnames
that don't start with '/'. So, I stopped checking IsCorrectPath().

Fix 2006/04/19

@ Fix handling of NULL nameidata in vfs_open().

In 2.6 kernels, the NFS daemon and sys_mq_open() call
vfs_create() with a NULL nameidata. In such cases,
CheckSingleWritePermission() must not be called.
Version 1.1.1 2006/05/15 Functionality enhancement release.

Fix 2006/05/16

@ Support program file aggregation.

Until now, programs that have no fixed names and their
parent programs had to be run in a trusted domain
since it is impossible to use patterns for granting
execute permission and defining domains.
I introduced a mechanism to aggregate similar programs
using the 'aggregator' directive.
Some examples:

'aggregator /tmp/logrotate.\?\?\?\?\?\? /tmp/logrotate.tmp'
to run all temporary programs for logrotate as /tmp/logrotate.tmp

'aggregator /usr/bin/tac /bin/cat'
to run /usr/bin/tac and /bin/cat as /bin/cat

Fix 2006/05/18

@ Unlimit max count for the audit log.

I forgot to replace MAX_GRANT_LOG and MAX_REJECT_LOG with INT_MAX
so that administrators can give any size for audit logs at runtime.

Fix 2006/05/22

@ Support individual domain ACL removal.

Until now, to remove ACLs from a domain, the administrator had to
delete and recreate that domain, which wastes a lot of memory.
I introduced a mechanism to remove domain ACLs without deleting and
recreating domains.
The administrator can delete domains or remove ACLs from domains
via /proc/ccs/policy/domain_policy .
/proc/ccs/policy/delete_domain and /proc/ccs/policy/update_domain
were removed.

Fix 2006/05/30

@ Add missing spinlock in SAKURA_MayMount().

vfsmount_lock was missing.

Version 1.1.2 2006/06/02 Functionality enhancement release.

Fix 2006/06/13

@ Merge tomoyo_connect.c and tomoyo_bind.c into tomoyo_port.c

I merged these files, whose only difference is CONNECT versus BIND
and which are likely to be enabled both or neither.

@ Add CONFIG_TOMOYO_AUDIT option.

I made the auditing functions optional because some Linux boxes
may not have enough disk space to store audit logs.

Fix 2006/06/15

@ Support use of symbolic links for program execution.

Until now, domains for programs executed by dereferencing
symbolic links were defined using the dereferenced pathnames.
This was inconvenient for some Linux boxes that use busybox but
can't keep hard links to busybox.
I introduced a mechanism to allow using the pathnames of
symbolic links using the 'alias' directive.
Some examples:

'alias /sbin/busybox /bin/ls' to run /bin/ls
(which is a symbolic link to /sbin/busybox) as /bin/ls
if /bin/ls is executed.

'alias /bin/bash /bin/sh' to run /bin/sh
(which is a symbolic link to /bin/bash) as /bin/sh
if /bin/sh is executed.

Fix 2006/06/21

@ Use ccs_alloc() instead of kzalloc().

To detect memory leaks,
I added a wrapper for tracing kmalloc() and kfree().
There is no way to detect memory leaks caused by ccs-*.txt .
Version 1.1.3 2006/07/13 Functionality enhancement release.

Fix 2006/07/14

@ Change behavior of pathname pattern matching.

Until now, it was impossible to use patterns like "\*.txt"
because "\*" matched zero or more characters until the next '/'.
Now, "\*" matches zero or more characters.

Until now, it was impossible to use patterns like "\$00"
because "\$" matched one or more digits until the next
non-digit character.
Now, "\$" matches one or more digits.

Also, new patterns "\x" "\X" "\a" "\A" "\@" are added.

Fix 2006/07/21

@ Add CONFIG_TOMOYO_NETWORK option.

Until now, only port numbers for TCP and UDP were controllable.
Now, the combination of IPv4/IPv6 address and port number
for TCP and UDP is controllable.
CONFIG_TOMOYO_NETWORKPORT became obsolete.

Fix 2006/07/25

@ Change matching rule for CheckFileACL().

Until now, only the first entry that matched the requested pathname
was used for permission checking. For example, if the two entries

"2 /tmp/file-\$.txt"
"4 /tmp/fil\?-0.txt"

are given in this order and the requested pathname is "/tmp/file-0.txt",
"2 /tmp/file-\$.txt" is used. But if the two entries

"4 /tmp/fil\?-0.txt"
"2 /tmp/file-\$.txt"

are given in this order, "4 /tmp/fil\?-0.txt" is used.
This may potentially cause trouble because the result of
permission checks depends on the order of entries.

Now, all entries that match the requested pathname
are used for permission checking so that the result of
permission checks doesn't depend on the order of entries.

Fix 2006/07/27

@ Support RAW IPv4/IPv6 control.

Some programs such as 'ping' and 'traceroute' use raw IP sockets.
Now, the combination of IPv4/IPv6 address and protocol number
for IP is controllable.

Fix 2006/08/04

@ Add filename and argv[0] comparison check.

The domain transition was done based on the filename passed to do_execve(),
while the behavior was defined based on argv[0].
There is no problem if the program is an argv[0]-unaware application.
But if it is argv[0]-aware, access control bypassing happens if the process
transits to a trusted domain but behaves as a different program.
For example, when the administrator specifies the domain for /bin/ls as
trusted but both /bin/ls and /bin/cat are links to /sbin/busybox ,
a cracker can run /bin/cat in a trusted domain if the cracker
succeeds in invoking do_execve() with filename = "/bin/ls" and
argv[0] = "/bin/cat".

I introduced a keyword that permits the mismatch of
the basename of the filename and argv[0].

Fix 2006/08/10

@ Support ID based condition checks.

It was impossible to use process IDs (uid and gid and so on) for
checking individual domain ACLs.

Now it became possible to use process IDs for checking individual
domain ACLs. For example,

"1 /bin/sh if task.euid!=0"

allows the domain to execute /bin/sh only when the process's euid
is not 0, and

"6 /home/\*/\* if task.uid=path1.uid"

allows the domain to read-write the user's home directory
only when the file's owner matches the process's uid.

Fix 2006/08/22

@ Fix ROUNDUP() in fs/realpath.c .

Alignment using sizeof(int) may be inappropriate for 64-bit environments.
I changed it to use the larger size of 'void *' and 'long'
instead of 'int'.
For environments where sizeof(int) = sizeof(long) = sizeof(void *),
this change has no effect.
Version 1.2 2006/09/03 Functionality enhancement release.

Fix 2006/09/30

@ Fix CheckFilePerm() in fs/tomoyo_file.c .

The location to call path_release() was too early.

Fix 2006/10/02

@ Support per-domain profile.

It became possible to assign different profiles to different domains.
This will help administrators using a building-up approach.

Fix 2006/10/05

@ Change parameters for CheckFilePerm().

I was re-resolving pathnames inside CheckFilePerm() even though
the caller function had already resolved them.
So I changed it to pass dentry and vfsmount instead of the pathname,
and removed the changes made on 2006/09/30.

Fix 2006/10/06

@ Support deny_rewrite and allow_rewrite permission.

It became possible to make regular files append-only
using the "deny_rewrite" directive in the exception policy and
override it using the "allow_rewrite" directive in the domain policy.

Regular files specified using the "deny_rewrite" directive
can't be open()ed with O_TRUNC or without O_APPEND,
can't be truncate()ed or ftruncate()ed, and
can't have the O_APPEND flag turned off using fcntl(F_SETFL)
unless specified using the "allow_rewrite" directive.
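A userland model of the three deny_rewrite checks above, added here as an example (it is not code from the patch). It matches exact pathnames instead of TOMOYO patterns, and it assumes the open() rule concerns write opens, since O_RDONLY carries no write bit.

```python
"""Append-only enforcement in the style of the deny_rewrite / allow_rewrite
directives (added example, not the patch's code). Files are matched by exact
pathname here instead of TOMOYO patterns."""
import os

# Constructed policy: deny_rewrite entries come from the exception policy,
# allow_rewrite entries from the domain policy of, say, the log rotator.
DENY_REWRITE = {"/var/log/secure", "/var/log/audit.log"}
ALLOW_REWRITE = {"/var/log/audit.log"}


def is_append_only(path, deny=DENY_REWRITE, allow=ALLOW_REWRITE):
    """True when deny_rewrite covers the file and allow_rewrite does not override it."""
    return path in deny and path not in allow


def check_open(path, flags, deny=DENY_REWRITE, allow=ALLOW_REWRITE):
    """open(): a protected file may not be opened with O_TRUNC, and a write
    open must carry O_APPEND. Read-only opens are left alone (assumption:
    'rewrite' concerns writers; O_RDONLY is 0, so it carries no write bit)."""
    if not is_append_only(path, deny, allow):
        return True
    if flags & os.O_TRUNC:
        return False
    writing = flags & (os.O_WRONLY | os.O_RDWR)
    return not (writing and not flags & os.O_APPEND)


def check_truncate(path, deny=DENY_REWRITE, allow=ALLOW_REWRITE):
    """truncate()/ftruncate() are refused outright on a protected file."""
    return not is_append_only(path, deny, allow)


def check_setfl(path, old_flags, new_flags, deny=DENY_REWRITE, allow=ALLOW_REWRITE):
    """fcntl(F_SETFL): clearing O_APPEND on a protected file is refused.
    O_APPEND is an open-file-description flag that the opener could otherwise
    drop after a permitted append-only open, so the open() rule alone is
    not enough to keep the file append-only."""
    if not is_append_only(path, deny, allow):
        return True
    return not (old_flags & os.O_APPEND and not new_flags & os.O_APPEND)
```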

Fix 2006/10/12

@ Enable configuration options by default for kernel config.

CONFIG_SAKURA and CONFIG_TOMOYO are now 'y' by default
and CONFIG_SYAORAN is now 'm' by default.

Fix 2006/10/13

@ Use external policy loader.

Until now, policies were loaded when /sbin/init starts and
initial control levels were switched using the CCS= parameter.
But since some boxes have to fixate kernel command line options
at compilation time, I think it will become more flexible
by running an external policy loader using the init= parameter so that
initial control levels can be specified before /sbin/init starts.

Call panic() if initial control levels are not specified.

Fix 2006/10/16

@ Add missing parameter in FindNextDomain().

'struct file' was needed for allowing 'if path1.*' checks.

Fix 2006/10/23

@ Print error messages in CheckFlags().

Some users seem to have trouble picking up all necessary
entries for the configuration file of the SYAORAN filesystem
since makesyaoranconf can't pick up entries that are
nonexistent at the time.
I added an error message so that users can find missing entries
using dmesg.

Fix 2006/10/24

@ Change /proc/ccs/info/self_domain .

I changed /proc/ccs/info/self_domain to return
the domain at open time rather than at first read time.
This modification makes the shell's redirection usage
more convenient since redirection opens the file
but doesn't read it at that time.

'cat < /proc/ccs/info/self_domain' will return
the domain of the shell, and
'cat /proc/ccs/info/self_domain' will return
the domain of cat .

Fix 2006/11/06

@ Replace MAX_ENFORCE_GRACE with ALLOW_ENFORCE_GRACE.

Since it was inconvenient that requests that are waiting for
the supervisor's decision are rejected automatically when
MAX_ENFORCE_GRACE seconds have elapsed, I modified WriteAnswer() to
reset the timeout counter whenever a supervisor's decision is written
and I modified ccs-queryd to write a dummy decision every second
so that the requests won't be rejected automatically as long as
ccs-queryd is running.
This change made MAX_ENFORCE_GRACE's meaning boolean.
So I fixated MAX_ENFORCE_GRACE to 10 seconds and removed
the MAX_ENFORCE_GRACE parameter.
To allow administrators to selectively enable "delayed enforcing"
mode, I added the ALLOW_ENFORCE_GRACE parameter.
The behavior of "delayed enforcing" mode is defined
in the following order.

(1) The requests are rejected immediately if ALLOW_ENFORCE_GRACE=0.
(2) The requests are rejected immediately
if nobody is opening the /proc/ccs/policy/query interface.
(3) The requests won't be rejected automatically
if ALLOW_ENFORCE_GRACE=1 and ccs-queryd is running.
(4) The requests will be rejected in 10 seconds
if somebody other than ccs-queryd (such as less(1)) is
opening the /proc/ccs/policy/query interface, since
such a process doesn't write dummy decisions.

Version 1.3 2006/11/11 First anniversary release.

Fix 2006/11/13

@ Replace trust_domain with keep_domain.

Since it was troublesome that there were two elements that can disable MAC
(assigning a profile that doesn't enable MAC or registering domains
with the trust_domain directive), I removed the trust_domain directive.
Instead, I introduced the keep_domain directive to not transit domains
unless a program registered with the initializer directive is executed.
This change has the following advantages.

(1) Allows the administrator to use "enforce mode" for operations after login.
Since it was difficult to know beforehand what commands and files are invoked
and accessed in what sequences, we had to use the trust_domain
directive for such a domain, allowing users to invoke any commands and
access any files in any sequence.
But now, we can use the keep_domain directive and assign a profile for
"enforce mode" to such a domain, forcing users to invoke only allowed
commands and access only allowed files in any sequence
while these operations are kept under the control of "enforce mode".

(2) Allows the administrator to determine easily whether the domain is
under MAC or not because only the profile currently assigned to
the domain determines it.

(3) Saves the total number of domains and memory.

Fix 2006/11/22

@ Don't allow use of undefined profile.

To avoid assigning an undefined profile to domains by error,
I added checks before assigning profiles to domains.
Now, profiles have to be defined prior to assigning them to domains.

Version 1.3.1 2006/12/08 Minor update release.

Fix 2006/12/10

@ Allow pathname grouping.

To reduce the labor of repeating '/\*' to allow access recursively,
I introduced a macro 'path_group' to group such pathnames.
For example, you had to give

4 /var/www/html/\*
4 /var/www/html/\*/\*
4 /var/www/html/\*/\*/\*
4 /var/www/html/\*/\*/\*/\*

but now, you can give just

4 @WEB-CONTENTS

if you give

path_group WEB-CONTENTS /var/www/html/\*
path_group WEB-CONTENTS /var/www/html/\*/\*
path_group WEB-CONTENTS /var/www/html/\*/\*/\*
path_group WEB-CONTENTS /var/www/html/\*/\*/\*/\*

in the exception policy.
This macro will be useful when grouping different directories.

Fix 2006/12/15

@ Use structured pathnames instead of simple 'char *'.

To reduce the cost of strcmp(), I changed the return value of
SaveName() from 'const char *' to 'const struct path_info *'.
This change will speed up PathMatchesToPattern() comparison.

Fix 2006/12/19

@ Allow registering policy managers using domainnames.

It was difficult to restrict the programs that can update policies
via /proc/ccs/ interfaces using the pathnames of these programs, since
these programs could be unintentionally invoked.
Now, it became possible to restrict the domains that can update policies
via /proc/ccs/ interfaces as well as the programs.
By restricting using domainnames, it becomes easier to avoid
unintended invocation.

Fix 2006/12/22

@ Add initialize_domain, no_initialize_domain, no_keep_domain

To control domain transitions more strictly, the
initialize_domain, no_initialize_domain and no_keep_domain directives
were introduced.

"initialize_domain /some/program" means
jump to the "<kernel> /some/program" domain if /some/program is
called from any domain.
This is equivalent to the conventional "initializer /some/program".

"initialize_domain /some/program from some_domain" means
jump to the "<kernel> /some/program" domain only if /some/program is
called from the "some_domain" domain.

"no_initialize_domain /some/program" means
don't jump to the "<kernel> /some/program" domain even if
"initialize_domain /some/program" or
"initialize_domain /some/program from some_domain" are given,
if /some/program is called from any domain.

"no_initialize_domain /some/program from some_domain" means
don't jump to the "<kernel> /some/program" domain even if
"initialize_domain /some/program" or
"initialize_domain /some/program from some_domain" are given,
if /some/program is called from the "some_domain" domain.

"keep_domain some_domain" means don't jump to a child domain
if any program is called from the "some_domain" domain.

"keep_domain /some/program from some_domain" means
don't jump to a child domain only if /some/program is
called from the "some_domain" domain.

"no_keep_domain some_domain" means
jump to a child domain even if
"keep_domain /some/program" or
"keep_domain /some/program from some_domain" are given,
if any program is called from the "some_domain" domain.

"no_keep_domain /some/program from some_domain" means
jump to a child domain even if
"keep_domain /some/program" or
"keep_domain /some/program from some_domain" are given,
if /some/program is called from the "some_domain" domain.

"some_domain" can be just the last component of a domainname.
For example, giving "/bin/mail" as "some_domain" matches
all domains whose domainname ends with "/bin/mail".
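The transition rules above as a small resolver, added here as an example (it is not code from the patch). It assumes that initialize_domain takes precedence over keep_domain, as the 2006/11/13 entry states, that each no_* directive vetoes its counterpart, and that a "some_domain" not starting with "<kernel>" is compared against the last space-separated component of the domainname.

```python
"""Domain transition resolver for the initialize_domain, no_initialize_domain,
keep_domain and no_keep_domain directives (added example, not code from the
patch). Domainnames are space-separated program paths starting with "<kernel>"."""

KERNEL = "<kernel>"


def domain_matches(domainname, spec):
    """A 'some_domain' spec is either a full domainname (starts with <kernel>)
    or just the last component of one, e.g. "/bin/mail" (assumption: the
    comparison is against the whole last component, not a raw suffix)."""
    if spec.startswith(KERNEL):
        return domainname == spec
    return domainname.split(" ")[-1] == spec


def parse_directive(line):
    """'keyword target [from some_domain]' -> (keyword, target, from_domain).
    some_domain may itself contain spaces, so split on ' from ' only once."""
    keyword, rest = line.strip().split(None, 1)
    if " from " in rest:
        target, from_domain = rest.split(" from ", 1)
        return keyword, target, from_domain
    return keyword, rest, None


def _applies(directive, program, current):
    """Does this directive fire for 'program' executed from 'current'?"""
    keyword, target, from_domain = directive
    if keyword.endswith("initialize_domain"):
        # target is always a program; "from" restricts the calling domain
        return target == program and (
            from_domain is None or domain_matches(current, from_domain))
    if from_domain is None:
        # "keep_domain some_domain": target is a domain spec, any program
        return domain_matches(current, target)
    # "keep_domain /some/program from some_domain"
    return target == program and domain_matches(current, from_domain)


def next_domain(current, program, exception_policy):
    """Return the domain a process in 'current' enters when it executes 'program'."""
    rules = [parse_directive(line) for line in exception_policy if line.strip()]

    def fires(keyword):
        return any(_applies(r, program, current) for r in rules if r[0] == keyword)

    # initialize_domain wins over keep_domain: keep_domain holds "unless a
    # program registered with initializer directive is executed". The no_*
    # forms veto their counterpart.
    if fires("initialize_domain") and not fires("no_initialize_domain"):
        return KERNEL + " " + program
    if fires("keep_domain") and not fires("no_keep_domain"):
        return current
    return current + " " + program


# Constructed exception policy: sshd always starts a fresh domain unless it is
# re-executed from a bash session, bash sessions under sshd keep their domain,
# except that passwd still gets its own child domain.
POLICY = [
    "initialize_domain /usr/sbin/sshd",
    "no_initialize_domain /usr/sbin/sshd from /bin/bash",
    "keep_domain <kernel> /usr/sbin/sshd /bin/bash",
    "no_keep_domain /usr/bin/passwd from /bin/bash",
]
```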

Fix 2007/01/19

@ Allow reuse of memory allocated for domain policy.

Domain policy, unlike the other policies, didn't have an
"is_deleted" flag, and new memory was allocated
if deleted entries were given again.
But to allow administrators to switch domain policy periodically,
I introduced the "is_deleted" flag.

Writing "some_domain" to /proc/ccs/policy/domain_policy
creates "some_domain" using new memory if it didn't exist.

Writing "select some_domain" doesn't create "some_domain"
if it didn't exist.

Writing "delete some_domain" deletes "some_domain"
but does not delete the entries in "some_domain".

Writing "undelete some_domain" undeletes "some_domain"
if it was deleted by "delete some_domain".

Fix 2007/01/22

@ Allow getting already deleted pathnames.

To allow getting pathnames that are already deleted,
I removed the (IS_ROOT(dentry) || !d_unhashed(dentry)) check.

Fix 2007/01/26

@ Limit string length to 4000.

I was using PAGE_SIZE (4096 in many environments)
as the max length of any string data.
But for environments that have a larger PAGE_SIZE,
doing memset(ptr, 0, PAGE_SIZE) every time is too wasteful.

Fix 2007/01/29

@ Add garbage collector for domain policy.

Writing "some_domain" to /proc/ccs/policy/domain_policy
creates "some_domain" using new memory only if
some process is staying in that deleted domain.
If no process is staying in that deleted domain,
"some_domain" is undeleted with all its ACLs deleted.

816 Version 1.3.2 2007/02/14 Usability enhancement release.
817
818 Fix 2007/02/20
819
820 @ Allow address grouping.
821
822 To reduce the labor of repeating similar IPv4/IPv6 addresses,
823 I introduced a macro 'address_group' to make group such addresses.
824 For example, you had to give like
825
826 allow_network TCP accept 10.0.0.0-10.255.255.255 1024-65535
827 allow_network TCP accept 172.16.0.0-172.31.255.255 1024-65535
828 allow_network TCP accept 192.168.0.0-192.168.255.255 1024-65535
829
830 but now, you can give just
831
832 allow_network TCP accept @localnet 1024-65535
833
834 if you give
835
836 address_group localnet 10.0.0.0-10.255.255.255
837 address_group localnet 172.16.0.0-172.31.255.255
838 address_group localnet 192.168.0.0-192.168.255.255
839
840 in the exception policy.
841
842 Fix 2007/03/03
843
844 @ Remove obsolete functions.
845
846 @ Add some hooks.
847
848 Read permission check is done if open_exec()
849 is called from search_binary_handler().
850 Read permission check is not done if open_exec()
851 is called from do_execve(), instead,
852 execute permission check is done at
853 search_binary_handler_with_transition().
854
855 I moved the location of calling CheckCapabilityACL()
856 and CheckMountPermission() from sys_mount() to do_mount().
857
858 Fix 2007/03/07
859
860 @ Use 'unsigned int' for sscanf().
861
862 I compiled SYAORAN fs on x86_64 environment and found
863 the compiler showing warning messages about size of data types.
864 Since size of data types may mismatch for sscanf(),
865 I replaced some types with 'unsigned int'.
866
867 Version 1.4 2007/04/01 x86_64 support release.
868
869 Fix 2007/04/18
870
871 @ Change argv[0] checking rule.
872
873 I was comparing the basename of symbolic link's pathname and argv[0].
874 Since execute permission check and domain transition are done
875 based on realpath while argv[0] check is done based on the symlink's
876 pathname and argv[0], this specification will allow attackers behave
877 as /bin/cat in the domain of /bin/ls if "/bin/ls and /bin/cat are
878 links to /sbin/busybox" and "the attacker is permitted to create
879 a symlink named ~/cat that points to /bin/ls" and "the attacker is
880 permitted to run /bin/ls".
881 So, I changed to compare the basename of realpath and argv[0].
882 Also, I moved the location to compare before processing
883 "aggregator" directive so that
884 "aggregator /tmp/logrotate.\?\?\?\?\?\? /tmp/logrotate.tmp"
885 won't cause the mismatch of the basename of realpath and argv[0].
886
887 If /bin/ls is a symlink to /sbin/busybox, then
888 creating a symlink named ~/cat that points to /bin/ls and
889 executing ~/cat won't work as expected because permission check and
890 domain transition are done using /sbin/busybox (realpath of /bin/ls)
891 and will be rejected since the administrator won't grant
892 "1 /sbin/busybox".
893
894 Fix 2007/05/07
895
896 @ Support pathname subtraction.
897
898 There was no way to exclude specific pathnames when granting
899 permissions using wildcards.
900 There may be a need to exclude specific files and directories.
901 I introduced "\-" as a subtraction operator.
902
903 "A\-B" means "A" other than "B".
904 "A\-B\-C" means "A" other than "B" and "C".
905 "A\-B\-C\-D" means "A" other than "B" and "C" and "D".
906
907 "A", "B", "C", "D" may contain wildcards.
908
909 An example usage is "/home/\*/\*\-.ssh/\*", which means
910 "/home/\*/\*/\*" other than "/home/\*/.ssh/\*".
911
912 "A" should contain wildcards because subtraction from constants
913 (e.g. "/usr\-usr/" or "/usr\-home/") is meaningless.
914
915 Don't try "A\-B\+C" because "\+" is not an addition operator.
916
917 Fix 2007/05/24
918
919 @ Fix autobind hook.
920
921 The locations to call SAKURA_MayAutobind() in net/ipv4/udp.c
922 and net/ipv6/udp.c were wrong.
923
924 Fix 2007/06/03
925
926 @ Add a space in MakeMountOptions().
927
928 I forgot to add a space after "atime" and "noatime".
929
930 Version 1.4.1 2007/06/05 Minor update release.
931
932 Fix 2007/07/04
933
934 @ Fix ReadAddressGroupPolicy() bug.
935
936 ReadAddressGroupPolicy() fails if both "path_group" and "address_group"
937 are used because I forgot to set "head->read_var1 = NULL".
938
939 Fix 2007/07/10
940
941 @ Add compat_sys_stime() hook.
942
943 Some 64-bit kernels support compat_sys_stime(),
944 but the permission check was missing.
945
946 Version 1.4.2 2007/07/13 Bug fix release.
947
948 Fix 2007/08/06
949
950 @ Remove mount-flags manipulation.
951
952 Until now, the administrator was permitted to turn on/off specific mount
953 options regardless of the mount options passed to the kernel.
954 I removed this feature because "exact option matching" sounds better than
955 "automatic option enabler/disabler".
956
957 @ Remove /proc/ccs/info/mapping .
958
959 I removed /proc/ccs/info/mapping because nobody seems to use this
960 feature.
961
962 @ Call external policy loader automatically.
963
964 Until now, users had to add the init=/.init parameter to load policy
965 before /sbin/init starts.
966 I inserted a call_usermodehelper() call to run the external policy loader when
967 execve("/sbin/init") is requested and the external policy loader exists.
968
969 This change will remove the init=/.init parameter from most environments,
970 although call_usermodehelper() can't handle interactive operations.
971
972 @ Move external policy loader from /.init to /sbin/ccs-init .
973
974 Installing programs in the / directory is not good for packaging.
975
976 Fix 2007/08/13
977
978 @ Update external policy loader.
979
980 It turned out that /sbin/ccs-init invoked via call_usermodehelper()
981 can handle interactive operations by opening /dev/console .
982 Now, there is no difference between init=/sbin/ccs-init and
983 call_usermodehelper("/sbin/ccs-init"), and users no longer need to
984 add init=/sbin/ccs-init parameter to load policy before /sbin/init
985 starts.
986
987 Fix 2007/08/14
988
989 @ Update recvmsg() hooks.
990
991 Until now, it was impossible to apply network access control to
992 incoming UDP and RAW packets if they were brought to userland using
993 read() or recvmsg() with a NULL address, because the address buffer is NULL.
994 I moved the hooks from sock_recvmsg() to skb_recv_datagram() so that
995 network access control for incoming UDP and RAW packets always works.
996
997 Fix 2007/08/16
998
999 @ Return appropriate error code for CheckMountPermission().
1000
1001 I was returning -EPERM if something was wrong in CheckMountPermission().
1002 But SELinux determines whether selinuxfs is supported by the kernel
1003 based on whether the error code is -ENODEV or not.
1004 So I stopped returning -EPERM unconditionally.
1005
1006 Fix 2007/08/17
1007
1008 @ Remove initializer directive.
1009
1010 Use "initialize_domain" instead of "initializer".
1011
1012 Fix 2007/08/21
1013
1014 @ Fix "allow_argv0 ... if if ..." bug.
1015
1016 It was impossible to use the word "if" as the second argument of
1017 allow_argv0 if the condition part was used.
1018
1019 Fix 2007/08/24
1020
1021 @ Move /proc/ccs/\*/\* to /proc/ccs/\* .
1022
1023 Some pathnames for /proc/ccs/ interface were changed.
1024
1025 Fix 2007/09/05
1026
1027 @ Drop MSG_PEEK'ed message before skb_free_datagram().
1028
1029 I need to remove the head message from an unwanted source
1030 from the socket's receive queue so that the caller can pick up the
1031 next message from a wanted source with the MSG_PEEK flag.
1032
1033 Version 1.5.0 2007/09/20 Usability enhancement release.
1034
1035 Fix 2007/09/27
1036
1037 @ Avoid eating memory after quota exceeded.
1038
1039 Although ACL entries in a domain won't be added if the domain's quota
1040 has been exceeded, SaveName() in AddFileACL() was called anyway.
1041 This caused unneeded memory consumption.
1042
1043 Now, quota checking is done before taking the domain_acl_lock lock.
1044 This may exceed the quota by one or two entries, but that won't matter.
1045
1046 Fix 2007/10/16
1047
1048 @ Add environment variable check.
1049
1050 There are environment variables that may cause dangerous behavior,
1051 like LD_\* .
1052 So I introduced the 'allow_env' directive, which allows the specified
1053 environment variable to be inherited by the next domain.
1054 Unlike other permissions, this check is done at execve() time
1055 using the next domain's ACL information.
1056
1057 To manage commonly inherited environment variables like PATH ,
1058 you can use the 'allow_env' directive in the exception policy
1059 to globally grant the specified environment variable.
1060
1061 Fix 2007/11/05
1062
1063 @ Replace semaphore with mutex.
1064
1065 I replaced semaphore with mutex.
1066
1067 @ Add missing down() in AddReservedEntry().
1068
1069 The mutex debugging capability told me that I had forgotten to call down()
1070 since TOMOYO version 1.3.2 .
1071 This function is not called in learning mode,
1072 so the semaphore's counter will not overflow in normal usage.
1073
1074 Fix 2005/11/27
1075
1076 @ Fix ReadTable() truncation bug.
1077
1078 "snprintf(str, size, format, ...) >= size" means truncated.
1079 But I was checking for "snprintf(str, size, format, ...) > size".
1080 As a result, some entries might have been dumped without '\n'.
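
The difference between the two checks, as an added C example that is not part of this README or of the TOMOYO sources (the buffer and function names are this example's own):

```c
/* Added example (not from the TOMOYO sources): the two snprintf()
 * truncation checks side by side.  snprintf() returns the length the
 * complete output would have had, so a return value equal to the buffer
 * size already means the last character was dropped to make room for '\0'. */
#include <stdio.h>
#include <string.h>

#define ENTRY_BUF_MAX 64
static char entry_buf[ENTRY_BUF_MAX];   /* stands in for the dump buffer */

/* Formats one "<name>\n" entry into a buffer of 'size' bytes and reports
 * truncation with the check the note says was used before the fix.
 * It misses the case where the output is exactly one byte too long. */
int wrong_truncation_check(size_t size, const char *name)
{
    if (size > ENTRY_BUF_MAX)
        size = ENTRY_BUF_MAX;
    int n = snprintf(entry_buf, size, "%s\n", name);
    return n > (int)size;
}

/* Same formatting with the corrected check: a negative return is an
 * encoding error, and n >= size means the output did not fit. */
int right_truncation_check(size_t size, const char *name)
{
    if (size > ENTRY_BUF_MAX)
        size = ENTRY_BUF_MAX;
    int n = snprintf(entry_buf, size, "%s\n", name);
    return n < 0 || n >= (int)size;
}

/* 1 if the entry most recently formatted still ends with '\n'. */
int last_entry_has_newline(void)
{
    size_t len = strlen(entry_buf);
    return len > 0 && entry_buf[len - 1] == '\n';
}

int main(void)
{
    /* "/etc/passwd" plus '\n' is 12 characters: with a 12-byte buffer the
     * newline is dropped, which only the corrected check notices. */
    int w = wrong_truncation_check(12, "/etc/passwd");
    int nl = last_entry_has_newline();
    int r = right_truncation_check(12, "/etc/passwd");
    printf("buffer=\"%s\" newline=%d wrong_check=%d right_check=%d\n",
           entry_buf, nl, w, r);
    return 0;
}
```

The off-by-one matters for a policy dump because a consumer that reads the file line by line will silently join the truncated entry with the next one.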
1081
1082 @ Purge direct "->prev"/"->next" manipulation.
1083
1084 All list manipulations use "struct list_head" or "struct list1_head".
1085 "struct list1_head" doesn't have "->prev" member to save memory usage.
1086
1087 Fix 2007/11/29
1088
1089 @ Add missing semaphore in GetEXE().
1090
1091 mm->mmap_sem was missing.
1092
1093 Fix 2007/12/17
1094
1095 @ Remove unused EXPORT_SYMBOL().
1096
1097 Mark some functions static.
1098
1099 Fix 2007/12/18
1100
1101 @ Fix AddMountACL() rejection bug.
1102
1103 To my surprise, "mount --bind source dest" accepts
1104 not only "both source and dest are directories"
1105 but also "both source and dest are non-directories".
1106 I was rejecting the request in AddMountACL() if dest was not a directory.
1107
1108 @ Change log format.
1109
1110 The profile number and mode are added to audit logs.
1111
1112 Fix 2008/01/03
1113
1114 @ Change directive for file's read/write/execute permission.
1115
1116 The directives for a file's read/write/execute permissions were
1117 4/2/1 respectively. But for easier understanding, they are now
1118 replaced by read/write/execute (e.g. "allow_read" instead of "4").
1119 But for easier input, 4/2/1 are still accepted instead of
1120 allow_read/allow_write/allow_execute respectively.
1121
1122 @ Change internal data structure.
1123
1124 Since I don't have more than 16 types of file permissions,
1125 I combined them using bit-fields.
1126
1127 Each entry had a field for conditional permission support.
1128 But since this field is rarely used, I separated the field from the
1129 common part.
1130
1131 These changes will reduce the memory used by policy.
1132
1133 Fix 2008/01/15
1134
1135 @ Add ptrace() hook.
1136
1137 To prevent attackers from controlling important processes using
1138 ptrace(), I added a hook for ptrace().
1139 Most programs (except strace(1) and gdb(1)) won't use ptrace(2).
1140
1141 @ Fix sleep condition check in CheckSocketRecvDatagramPermission().
1142
1143 It seems that the correct method to use is in_atomic()
1144 rather than in_interrupt(), because in_atomic() returns nonzero
1145 whenever scheduling is not allowed.
1146
1147 Fix 2008/02/05
1148
1149 @ Use find_task_by_vpid() instead of find_task_pid().
1150
1151 Kernel 2.6.24 introduced PID namespaces.
1152 To look up a PID given from userland, the kernel needs to use
1153 find_task_by_vpid() instead of find_task_pid().
1154
1155 Fix 2008/02/14
1156
1157 @ Add execve() parameter checking.
1158
1159 Until now, it was impossible to check the argv[] and envp[] parameters
1160 passed to execve().
1161 I expanded the conditional permission syntax so that the
1162 { argc, envc, argv[] , envp[] } parameters can be checked if needed.
1163 This allows the administrator to permit execution of /bin/sh only when
1164 /bin/sh is invoked in the form of "/bin/sh -c" and the environment variable
1165 HOME is set, by specifying
1166
1167 allow_execute /bin/sh if exec.argv[1]="-c" exec.envp["HOME"]!=NULL
1168
1169 in the policy.
1170 This extension will make it difficult for exploit code to start /bin/sh because
1171 it is unlikely to set up environment variables and unlikely to specify the "-c"
1172 option when invoking /bin/sh , whereas proper functions are likely to set up
1173 environment variables and likely to specify the "-c" option.
1174
1175 Fix 2008/02/18
1176
1177 @ Add process state checking.
1178
1179 Until now, it was impossible to change the ACL without executing a program.
1180 I added three variables for performing stateful checking within a domain.
1181 You can set the current process's state like:
1182
1183 allow_network TCP accept @TRUSTED_HOSTS 1024-65535 ; set task.state[0]=1
1184 allow_network TCP accept @UNTRUSTED_HOSTS 1024-65535 ; set task.state[0]=0
1185
1186 and you can use the state like
1187
1188 allow_read /path/to/important/file if task.state[0]=1
1189
1190 in the policy.
1191 The state changes when the request is granted by the MAC's policy,
1192 so please be careful with situations where the state has changed
1193 successfully but the request was not processed for other reasons
1194 (e.g. out of memory).
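
To show how the execve() parameter conditions from the 2008/02/14 entry and the task.state conditions from this entry are evaluated, here is an added C example. It is illustration code written for this note, not TOMOYO's own condition parser, and the sample argv/envp arrays and the function names are constructed for the example. It deliberately treats anything it cannot parse as a denial.

```c
/* Added example, not TOMOYO's own parser: evaluates the condition forms
 * described above (exec.argv[N] / exec.envp["NAME"] compared with "string"
 * or NULL, task.state[N] compared with an integer) and applies the
 * "set task.state[N]=V" clause.  Assumed simplifications: three state
 * slots, space-separated tokens, no spaces or quotes inside quoted values. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define STATE_SLOTS 3
struct task_ctx { int state[STATE_SLOTS]; };
struct exec_req { const char *const *argv; const char *const *envp; };

/* Value of 'name' in a NULL-terminated "NAME=value" list, or NULL. */
static const char *envp_lookup(const char *const *envp, const char *name)
{
    size_t n = strlen(name);
    for (; envp && *envp; envp++)
        if (strncmp(*envp, name, n) == 0 && (*envp)[n] == '=')
            return *envp + n + 1;
    return NULL;
}

/* One "lhs=rhs" / "lhs!=rhs" token: 1 true, 0 false, -1 not understood. */
static int eval_token(const char *tok, const struct exec_req *req,
                      const struct task_ctx *task)
{
    const char *eq = strchr(tok, '=');
    if (!eq) return -1;
    int negate = (eq > tok && eq[-1] == '!'), idx = -1, result, n = 0;
    const char *rhs = eq + 1;
    size_t len = strlen(rhs);
    char name[32];
    if (sscanf(tok, "exec.argv[%d]", &idx) == 1 ||
        sscanf(tok, "exec.envp[\"%31[^\"]\"]", name) == 1) {
        while (req->argv && req->argv[n]) n++;      /* argc of the request */
        const char *actual = strncmp(tok, "exec.argv", 9)
                             ? envp_lookup(req->envp, name)
                             : (idx >= 0 && idx < n ? req->argv[idx] : NULL);
        if (strcmp(rhs, "NULL") == 0)
            result = (actual == NULL);
        else if (len >= 2 && rhs[0] == '"' && rhs[len - 1] == '"')
            result = actual && strlen(actual) == len - 2 &&
                     strncmp(actual, rhs + 1, len - 2) == 0;
        else
            return -1;
    } else if (sscanf(tok, "task.state[%d]", &idx) == 1) {
        char *end;
        long v = strtol(rhs, &end, 10);
        if (idx < 0 || idx >= STATE_SLOTS || end == rhs || *end) return -1;
        result = (task->state[idx] == v);
    } else
        return -1;
    return negate ? !result : result;
}

/* All tokens of a condition must hold; anything unparsable denies. */
int condition_holds(const char *cond, const struct exec_req *req,
                    const struct task_ctx *task)
{
    char copy[256];
    if (strlen(cond) >= sizeof copy) return 0;
    strcpy(copy, cond);
    for (char *tok = strtok(copy, " "); tok; tok = strtok(NULL, " "))
        if (eval_token(tok, req, task) != 1) return 0;
    return 1;
}

/* Apply the "task.state[N]=V" clause after the guarded request was granted. */
int apply_set(const char *clause, struct task_ctx *task)
{
    int idx, v;
    if (sscanf(clause, "task.state[%d]=%d", &idx, &v) != 2 ||
        idx < 0 || idx >= STATE_SLOTS) return 0;
    task->state[idx] = v;
    return 1;
}

/* Constructed sample execve() requests for the "/bin/sh -c" rule above. */
static const char *const sh_c[] = { "/bin/sh", "-c", "/usr/sbin/logrotate", NULL };
static const char *const sh_bare[] = { "/bin/sh", NULL };
static const char *const env_home[] = { "PATH=/usr/bin:/bin", "HOME=/root", NULL };
static const char *const env_nohome[] = { "PATH=/usr/bin:/bin", NULL };

/* 1 if the sample request satisfies the allow_execute condition above. */
int sh_rule_allows(int with_c, int with_home)
{
    struct exec_req req = { with_c ? sh_c : sh_bare, with_home ? env_home : env_nohome };
    struct task_ctx task = { { 0, 0, 0 } };
    return condition_holds("exec.argv[1]=\"-c\" exec.envp[\"HOME\"]!=NULL", &req, &task);
}

/* The stateful example: a read guarded by task.state[0]=1 is allowed only
 * after a granted accept ran its "set" clause (NULL: none granted yet). */
int read_allowed_after(const char *granted_set_clause)
{
    struct task_ctx task = { { 0, 0, 0 } };
    struct exec_req none = { NULL, NULL };
    if (granted_set_clause) apply_set(granted_set_clause, &task);
    return condition_holds("task.state[0]=1", &none, &task);
}
```

Calling apply_set() only after the guarded request has actually been granted is the point of the caveat above: if the set clause ran before the request completed, a later failure (e.g. out of memory) would leave the state advanced without the accept having happened.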
1195
1196 Fix 2008/02/26
1197
1198 @ Support /proc/ccs/ access by non-root user.
1199
1200 Until now, only the root user could access the /proc/ccs/ interface.
1201 But to permit /proc/ccs/ access by non-root users so that it won't require
1202 ssh login by the root user when administering from a remote host,
1203 I made the "(current->uid == 0 && current->euid == 0)" requirement optional.
1204 If this requirement is disabled, only "conventional DAC permission
1205 checks" and "/proc/ccs/manager checks" are used.
