ChangeLog for ccs-patch 1.8.8

Fix 2020/10/24

    @ Fix /proc pathname calculation for Linux 5.8+ kernels.

      ccs_realpath() for 5.8+ was by error not using proc_pid_ns() when
      calculating the /proc pathname.

Fix 2020/08/19

    @ Fix wrong ccs_search_binary_handler() mapping.

      When support for the 5.8 kernel was added, ccs_search_binary_handler()
      for 3.7- was by error mapped to the wrong function.

Fix 2020/08/17

    @ Fix ccs_realpath() fallback.

      ccs_realpath() for 3.17+ was by error not calling ccs_get_local_path()
      when ccs_get_absolute_path() returned -EINVAL.

Fix 2020/07/22

    @ Fix domain transition preference.

      The domain transition preference which was introduced in 1.8.3 has been
      by error ignored since 1.8.3p4, for ccs_update_task_domain() (called from
      ccs_write_log2() from ccs_supervisor() from ccs_audit_log()) always
      resets r->matched_acl to NULL. Change ccs_update_task_domain() not
      to reset r->matched_acl to NULL.

ChangeLog for ccs-patch 1.8.7

Fix 2020/05/01

    @ Loosen domainname validation and pathname validation.

      Currently a domainname must start with "<$namespace>" followed by
      zero or more repetitions of a pathname which starts with '/'.

      But it is getting more and more difficult to enforce use of a pathname
      which starts with '/', for an execve() request of a pathname on some
      filesystems causes ccs_realpath() to return a pathname in
      "$fsname:/$pathname" format.

      Fortunately, since $fsname must not contain '.' since Linux 2.6.22,
      we can recognize a token in which '/' appears before '.' (e.g.
      proc:/self/exe ) as a pathname and a token in which '.' appears before
      '/' (e.g. exec.realpath="/bin/bash" ) as a condition parameter,
      with the exception that a pathname cannot start with
      auto_domain_transition=" because it is reserved as the delimiter string
      for on-match domain transition. Also, we can recognize "<$namespace>"
      followed by such tokens (e.g. <kernel> /foo proc:/self/exe /bar ) as
      a domainname.
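
      As an added illustration of the relaxed rule above (example code written
      for this ChangeLog, not code from ccs-patch), a token classifier and a
      domainname check that apply it; the CCS_TOKEN_* names, the function names
      and the treatment of a token containing neither '/' nor '.' are
      assumptions of the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Kinds of space-separated token the 1.8.7 rule distinguishes. */
enum ccs_token_kind {
	CCS_TOKEN_PATHNAME,   /* '/' appears before any '.', e.g. proc:/self/exe */
	CCS_TOKEN_CONDITION,  /* '.' appears before any '/', e.g. exec.realpath="/bin/bash" */
	CCS_TOKEN_DELIMITER,  /* starts with auto_domain_transition=" (reserved) */
	CCS_TOKEN_OTHER       /* neither '/' nor '.': not a pathname (assumption) */
};

/* Classify 'len' bytes of a token; the token need not be NUL-terminated. */
enum ccs_token_kind ccs_classify_token(const char *tok, size_t len)
{
	static const char reserved[] = "auto_domain_transition=\"";
	const size_t rlen = sizeof(reserved) - 1;
	size_t i;

	/* The reserved delimiter would look like a pathname whenever its
	 * argument starts with '/', so it is tested before the scan. */
	if (len >= rlen && memcmp(tok, reserved, rlen) == 0)
		return CCS_TOKEN_DELIMITER;
	for (i = 0; i < len; i++) {
		if (tok[i] == '/')
			return CCS_TOKEN_PATHNAME;
		if (tok[i] == '.')
			return CCS_TOKEN_CONDITION;
	}
	return CCS_TOKEN_OTHER;
}

/*
 * A domainname is "<$namespace>" followed by zero or more pathname tokens,
 * all separated by single spaces. Returns true if 'domainname' is acceptable.
 */
bool ccs_correct_domain_relaxed(const char *domainname)
{
	const char *cp = domainname;
	const char *sp = strchr(cp, ' ');
	size_t len = sp ? (size_t)(sp - cp) : strlen(cp);

	/* Namespace token: '<', one or more bytes, a closing '>' and nothing else. */
	if (len < 3 || cp[0] != '<' || cp[len - 1] != '>' ||
	    memchr(cp + 1, '>', len - 2) != NULL)
		return false;
	while (sp) {
		cp = sp + 1;
		sp = strchr(cp, ' ');
		len = sp ? (size_t)(sp - cp) : strlen(cp);
		/* An empty token means a doubled or trailing space. */
		if (len == 0 ||
		    ccs_classify_token(cp, len) != CCS_TOKEN_PATHNAME)
			return false;
	}
	return true;
}
```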

ChangeLog for ccs-patch 1.8.6

Fix 2020/04/09

    @ Fix wrong put_page() usage in ccs_dump_page().

      ccs_dump_page() for 5.6+ was by error using the wrong function to put the
      page.

Fix 2019/12/07

    @ Don't use nifty names on sockets.

      Revert "Don't check open/getattr permission on sockets.", and then
      get rid of special handling of sockets. As a side effect of this patch,
      "socket:[family=\$:type=\$:protocol=\$]" in the policy files has to be
      rewritten to "socket:[\$]".

Fix 2019/07/27

    @ Change pathname calculation for read-only filesystems.

      Commit 5625f2e3266319fd ("TOMOYO: Change pathname for non-rename()able
      filesystems.") was intended to apply to filesystems whose content is
      not controllable from userspace (e.g. proc, sysfs, securityfs), based
      on the assumption that such filesystems do not support the rename()
      operation.

      But it turned out that read-only filesystems also do not support the
      rename() operation even though their content is controllable from
      userspace, and that commit is annoying TOMOYO users who want to use e.g.
      squashfs as the root filesystem, due to use of a local name which does
      not start with '/'.

      Therefore, based on the assumption that a filesystem requiring the
      device argument upon mount() request is an indication that its content
      is controllable from userspace, do not use the local name if a filesystem
      does not support the rename() operation but requires the device argument
      upon mount() request.

    @ Reject move_mount() system call for now.

      Commit 2db154b3ea8e14b0 ("vfs: syscall: Add move_mount(2) to move mounts
      around") introduced security_move_mount() LSM hook, but we missed that
      TOMOYO and AppArmor did not implement hooks for checking move_mount(2).
      Since unchecked mount manipulation is not acceptable, for now pretend
      as if move_mount(2) is unavailable.

    @ Don't check open/getattr permission on sockets.

      syzbot found that use of SOCKET_I()->sk from open() can result in a
      use-after-free problem, for the socket's inode is still reachable via
      /proc/pid/fd/n even after destruction of SOCKET_I()->sk has completed.

      But there is no point in calling security_file_open() on sockets
      because open("/proc/pid/fd/n", !O_PATH) on sockets fails with -ENXIO.

      There is some point in calling security_inode_getattr() on sockets
      because stat("/proc/pid/fd/n") and fstat(open("/proc/pid/fd/n", O_PATH))
      are valid. But since the information which could be protected by checking
      security_inode_getattr() on sockets is trivial, let's not check it.

ChangeLog for ccs-patch 1.8.5

Fix 2018/04/01

    @ Use smp_rmb() when waiting for initialization.

      "while (!cond);" is implicitly optimized like "if (!cond) while (1);".
      Use "while (!cond) smp_rmb();" in order to prevent such optimization.

Fix 2017/02/02

    @ Use for_each_thread() for GC operation.

      while_each_thread() without tasklist_lock is not safe.
      Use for_each_process_thread() if it is available, and hold
      tasklist_lock otherwise.

Fix 2015/11/10

    @ Limit wildcard recursion depth.

      Since wildcards that need recursion consume kernel stack memory,
      we cannot allow infinite recursion.

Fix 2015/11/08

    @ Use memory allocation flags used by TOMOYO 2.x.

      Until now, TOMOYO 1.x was using memory allocation flags which are weaker
      than those of TOMOYO 2.x in order to make sure that memory allocation
      requests by TOMOYO 1.x shall not cause a silent livelock problem.

      But as I learned about this livelock problem, I understood that this is
      not a problem which TOMOYO can manage. While hitting a silent livelock
      at memory allocation is a problem, refusing critical access requests
      by critical processes due to memory allocation failure caused by use of
      weaker memory allocation flags is also a problem.

      Since situations regarding memory allocation flags in upstream kernels
      are changing, it will be safer to use memory allocation flags used by
      TOMOYO 2.x.

ChangeLog for ccs-patch 1.8.4

Fix 2015/05/01

    @ Support multiple use_group entries.

      Until now, each domain could include only one use_group entry.
      I changed it to allow each domain to include up to 256 use_group entries.
      As a result, you will be able to reduce duplication of policy by
      defining multiple acl_group entries based on use cases and including
      them from each domain as needed.

ChangeLog for ccs-patch 1.8.3

Fix 2015/04/15

    @ Fix incorrect retry request check.

      When a request was asked to retry, acl_group referenced by domain's
      use_group keyword was by error ignored. As a result, retrying was not
      able to use permissions defined by acl_group.

Fix 2015/04/08

    @ Fix incorrect readdir() permission check.

      CONFIG_CCSECURITY_FILE_READDIR was meant for allowing users to control
      the readdir() permission check. However, CONFIG_CCSECURITY_FILE_GETATTR
      was by error used for controlling the readdir() permission check. This
      fix should not affect kernels built with the default configuration, for
      both are defined by default.

Fix 2015/01/01

    @ Fix missing chmod(-1) check in Linux 3.1 and later kernels.

      Commit e57712ebebbb9db7 "merge fchmod() and fchmodat() guts, kill
      ancient broken kludge" changed chmod(-1) from no-op to setting to
      07777. Therefore, TOMOYO must not ignore chmod(-1) case.

    @ Fix potentially using bogus attributes when stat() fails.

      We should reset the attribute information when executing the
      execute_handler program, or attributes of the original program could be
      used when stat() on the execute_handler program failed.

Fix 2012/10/08

    @ Fix KABI breakage on Ubuntu 12.10.

      I was using include/linux/security.h as the common path for pulling in
      include/linux/ccsecurity.h so that I could avoid scattering #include
      lines.

      When scripts/genksyms/genksyms calculates hash values for Module.symvers
      file, it uses the extracted form of involved structures if the structure
      layout is known but it instead uses UNKNOWN if the structure layout is
      not known. Therefore, pulling in include files that define structure's
      layout from include/linux/ccsecurity.h causes changes in the hash values
      and causes KABI breakage, even if no changes were made to the involved

      Fix this breakage by avoiding pulling in include/linux/sched.h and
      include/linux/dcache.h from include/linux/ccsecurity.h where possible.

Fix 2012/04/28

    @ Accept manager programs which do not start with / .

      The pathname of /usr/sbin/ccs-editpolicy seen from Ubuntu 12.04 Live
      CD is squashfs:/usr/sbin/ccs-editpolicy rather than
      /usr/sbin/ccs-editpolicy . Therefore, we need to accept manager
      programs which do not start with / .

Fix 2012/04/22

    @ Readd RHEL_MINOR/AX_MINOR checks.

      This check was added in revision 2346 and was removed in revision 4084.

      Add it back in order to support RHEL 5.0, 5.1, 5.2 kernels.

    @ Fix skb_kill_datagram() for kernels 2.6.0 - 2.6.11.

      Commit 208d8984 "[IPV4]: Fix BUG() in 2.6.x, udp_poll(), fragments +
      CONFIG_HIGHMEM" clarified that skb_kill_datagram() should use
      spin_lock_bh()/spin_unlock_bh() rather than

      RHEL 4.9 (2.6.9) kernel has that patch backported. So do I.

    @ Fix missing locks for RHEL 5.2-5.8 kernels.

      Since RHEL 5.2 and later kernels have backported commit 95766fff
      "[UDP]: Add memory accounting." patch, TOMOYO needs to call
      lock_sock()/release_sock() around skb_kill_datagram() call when UDP
      packet was dropped by TOMOYO.

Fix 2012/03/16

    @ Return appropriate value to poll().

      Return POLLIN | POLLRDNORM | POLLOUT | POLLWRNORM if ready to read/write,
      POLLOUT | POLLWRNORM otherwise.

Fix 2012/03/08

    @ Allow returning other errors when ptrace permission cannot be checked.

      Currently -EPERM is returned when ccs_ptrace_permission() returns an
      error code. I changed it to return the return value from
      ccs_ptrace_permission() so that we can return -ESRCH when the target
      process was not found.

Fix 2012/02/29

    @ Fix mount flags checking order.

      Userspace can pass in arbitrary combinations of MS_* flags to mount().

      are passed, device name which should be checked for MS_BIND was not
      checked because MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE had higher
      priority than MS_BIND.

      If both one of MS_BIND/MS_MOVE and MS_REMOUNT are passed, the device name
      which should not be checked for MS_REMOUNT was checked because MS_BIND/
      MS_MOVE had higher priority than MS_REMOUNT.

      Fix these bugs by changing priority to MS_REMOUNT -> MS_BIND ->
      does. Also, I changed to unconditionally return -EINVAL if more than one
      will not generate inaccurate audit logs, for commit 7a2e8a8f "VFS: Sanity
      check mount flags passed to change_mnt_propagation()" clarified that
      these flags must be exclusively passed.
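
      An added model of the two flag orderings this entry describes (example
      code written for this ChangeLog, not the mount check in ccs-patch). The
      function and enum names are invented, the MS_* values are those of the
      Linux mount(2) ABI, the device name treatment of an ordinary mount is an
      assumption, and so is the place of MS_MOVE right after MS_BIND, since the
      entry's full ordering is cut off on this page.

```c
#include <stdbool.h>

/* MS_* bit values as defined by the Linux mount(2) ABI, spelled out so the
 * example builds without <sys/mount.h>. */
#define MS_REMOUNT     32UL
#define MS_BIND        4096UL
#define MS_MOVE        8192UL
#define MS_UNBINDABLE  (1UL << 17)
#define MS_PRIVATE     (1UL << 18)
#define MS_SLAVE       (1UL << 19)
#define MS_SHARED      (1UL << 20)
#define MS_PROPAGATION (MS_UNBINDABLE | MS_PRIVATE | MS_SLAVE | MS_SHARED)
#ifndef EINVAL
#define EINVAL 22
#endif

enum mount_kind {
	MOUNT_REMOUNT,    /* device name is ignored by the kernel: not checked */
	MOUNT_BIND,       /* device name is the source directory: checked */
	MOUNT_MOVE,       /* device name is the source mount point: checked */
	MOUNT_PROPAGATE,  /* MS_SHARED etc.: device name ignored, not checked */
	MOUNT_REGULAR     /* ordinary mount; device name checked (assumption) */
};

struct mount_decision {
	enum mount_kind kind;
	bool check_dev;   /* whether the device name enters the permission check */
	int error;        /* 0, or -EINVAL for combinations rejected outright */
};

static struct mount_decision decide(enum mount_kind kind, bool check_dev,
				    int error)
{
	struct mount_decision d = { kind, check_dev, error };
	return d;
}

/* Ordering before the fix: propagation flags, then MS_BIND/MS_MOVE, then
 * MS_REMOUNT. MS_BIND|MS_SHARED therefore skipped the device name check and
 * MS_BIND|MS_REMOUNT checked a device name that remount never uses. */
struct mount_decision ccs_mount_order_old(unsigned long flags)
{
	if (flags & MS_PROPAGATION)
		return decide(MOUNT_PROPAGATE, false, 0);
	if (flags & MS_BIND)
		return decide(MOUNT_BIND, true, 0);
	if (flags & MS_MOVE)
		return decide(MOUNT_MOVE, true, 0);
	if (flags & MS_REMOUNT)
		return decide(MOUNT_REMOUNT, false, 0);
	return decide(MOUNT_REGULAR, true, 0);
}

/* Ordering after the fix: MS_REMOUNT, then MS_BIND, then MS_MOVE (its place
 * after MS_BIND is an assumption), then propagation flags; two or more
 * propagation flags are rejected with -EINVAL before any check or audit log. */
struct mount_decision ccs_mount_order_fixed(unsigned long flags)
{
	unsigned long prop = flags & MS_PROPAGATION;

	if (prop & (prop - 1))    /* more than one propagation bit set */
		return decide(MOUNT_PROPAGATE, false, -EINVAL);
	if (flags & MS_REMOUNT)
		return decide(MOUNT_REMOUNT, false, 0);
	if (flags & MS_BIND)
		return decide(MOUNT_BIND, true, 0);
	if (flags & MS_MOVE)
		return decide(MOUNT_MOVE, true, 0);
	if (prop)
		return decide(MOUNT_PROPAGATE, false, 0);
	return decide(MOUNT_REGULAR, true, 0);
}
```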

Fix 2012/02/25

    @ Follow changes in linux-next.

      UMH_WAIT_PROC constant (currently 1) is scheduled for renumbering in 3.4.

      Use the UMH_WAIT_PROC constant instead of a hardcoded constant in
      preparation for backporting call_usermodehelper() related changes. If the
      renumbering is backported, you will start experiencing a kernel panic
      upon execution of the external policy loader (i.e. /sbin/ccs-init), for
      the kernel will no longer wait for completion of the external policy
      loader process.

      Although I changed to use the UMH_WAIT_PROC constant, this change could
      fail to detect the renumbering in 2.6.22 and earlier kernels, for the
      UMH_WAIT_PROC constant is currently available only to 2.6.23 and later
      kernels. If you start to experience the kernel panic, please check
      whether the renumbering was backported or not.

Fix 2012/01/20

    @ Follow changes in 3.3-rc1.

      Use umode_t rather than mode_t.
      Remove ipv6_addr_copy() usage.

Fix 2011/12/13

    @ Follow __d_path() behavior change. (Only 2.6.36 and later)

      The behavior of __d_path() has changed in 3.2-rc5. __d_path() now returns
      NULL when the pathname cannot be calculated. You must update to this
      version when using it with 3.2-rc5 and later kernels, or the kernel will
      panic because ccs_get_absolute_path() triggers a NULL pointer dereference.

      The patch that changed the behavior of __d_path() might be backported to
      2.6.36 to 3.1 kernels. You must update to this version if the patch was
      backported, or you will experience the kernel panic as with 3.2-rc5.

      The patch that changed the behavior of __d_path() also changed the way
      pathnames under a lazy-unmounted directory are handled. Until now, TOMOYO
      was using the incomplete pathnames returned by __d_path() when the
      pathname is under a lazy-unmounted directory. But from now on, TOMOYO
      uses the different pathnames returned by ccs_get_local_path() when the
      pathname is under a lazy-unmounted directory (because __d_path() no
      longer returns it).

      Since applications are unlikely to do lazy unmounts, requesting pathnames
      under a lazy-unmounted directory should not happen unless the
      administrator explicitly does lazy unmounts. But pathnames which are
      defined for such conditions in the policy file (if any) will need to be
      rewritten.

Fix 2011/11/18

    @ Fix kernel config mapping error.

      Due to a typo in the ccs_p2mac definition, the mode for
      CONFIG::file::execute was by error used when checking "file getattr"
      permission. Most users will not be affected by this error because
      CONFIG::file::execute and CONFIG::file::getattr are by default configured
      to use the CONFIG::file or CONFIG settings.

Fix 2011/11/11

    @ Optimize for object's size.

      I rearranged functions/variables into three groups in order to reduce
      the object's file size. Also, I added kernel config options for reducing
      it further by excluding unnecessary functionality.

Fix 2011/10/24

    @ Fix incomplete read after seek.

      ccs_flush() tries to flush data to be read as soon as possible.
      ccs_select_domain() (which is called by write()) enqueues data which is
      meant to be read by the next read(), but the previous read()'s read
      buffer size was not cleared. As a result, since 1.8.0, a sequence like

        char *cp = "select global-pid=1\n";
        read(fd, buf1, sizeof(buf1));
        write(fd, cp, strlen(cp));
        read(fd, buf2, sizeof(buf2));

      causes the enqueued data to be flushed to buf1 rather than buf2.

    @ Use query id for reaching target process's domain policy.

      Use the query id for reaching the target process's domain policy rather
      than the target process's global PID. This is for synchronizing with
      TOMOYO 2.x, but this change also makes /usr/sbin/ccs-queryd more reliable
      because the kernel will return an empty domain policy when the query has
      expired before ccs-queryd reaches the target process's domain policy.

    @ Fix quota counting.

      "task manual_domain_transition" should not be counted for quota as with
      "task auto_domain_transition"/"task auto_execute_handler"/
      "task denied_execute_handler" because these are not appended by learning

Fix 2011/09/25

    @ Simplify garbage collector.

      It turned out that use of batched processing tends to choke the garbage
      collector when certain patterns of entries are queued. Thus, I replaced
      it with sequential processing.

Fix 2011/09/16

    @ Allow specifying domain transition preference.

      I received an opinion that it is difficult to use the exception policy's
      domain transition control directives because they need to match the
      pathname specified to "file execute" directives. For example, if "file
      execute /bin/\*\-ls\-cat" is given, the corresponding domain transition
      control directive needs to be like "no_keep_domain /bin/\*\-ls\-cat from
      any".

      To solve this difficulty, I introduced an optional argument that
      supersedes the exception policy's domain transition control directives.

        file execute /bin/ls keep exec.realpath="/bin/ls" exec.argv[0]="ls"
        file execute /bin/cat keep exec.realpath="/bin/cat" exec.argv[0]="cat"
        file execute /bin/\*\-ls\-cat child
        file execute /usr/sbin/httpd <apache> exec.realpath="/usr/sbin/httpd" exec.argv[0]="/usr/sbin/httpd"

      This argument allows transition to different domains based on conditions.

        <kernel> /usr/sbin/sshd
        file execute /bin/bash <kernel> /usr/sbin/sshd //batch-session exec.argc=2 exec.argv[1]="-c"
        file execute /bin/bash <kernel> /usr/sbin/sshd //root-session task.uid=0
        file execute /bin/bash <kernel> /usr/sbin/sshd //nonroot-session task.uid!=0

ChangeLog for ccs-patch 1.8.2

Fix 2011/09/03

    @ Avoid race when retrying "file execute" permission check.

      There was a race window in which the pathname subjected to the
      "file execute" permission check could differ from the one originally
      checked when retrying via the supervisor's decision, because the pathname
      was recalculated upon retry. Though, there is an inevitable race window
      even without the supervisor, for we have to calculate the symbolic
      link's pathname from "struct linux_binprm"->filename rather than from
      "struct linux_binprm"->file because we cannot back-calculate the
      symbolic link's pathname from the dereferenced pathname.

    @ Remove unneeded daemonize().

      The garbage collector thread has been created using kthread_create()
      since 2.6.7. Kernel threads created by kthread_create() do not need to
      call

Fix 2011/07/13

    @ Accept "::" notation for IPv6 address.

      In order to add network access restriction to TOMOYO 2.4, I backported
      the routines for parsing/printing IPv4/IPv6 addresses from kernel 3.0
      into TOMOYO 1.8.2.
      Now, an IPv6 address accepts "::1" instead of "0:0:0:0:0:0:0:1".

Fix 2011/07/07

    @ Remove /proc/ccs/.domain_status interface.

      Writing to /proc/ccs/.domain_status can be emulated by

        ( echo "select " $domainname; echo "use_profile " $profile ) |
        /usr/sbin/ccs-loadpolicy -d

      and reading from /proc/ccs/.domain_status can be emulated by

        grep -A 1 '^<' /proc/ccs/domain_policy |
        awk ' { if ( domainname == "" ) { if ( substr($1, 1, 1) == "<" )
        domainname = $0; } else if ( $1 == "use_profile" ) {
        print $2 " " domainname; domainname = ""; } } ; '

      . Since this interface is used by only /usr/sbin/ccs-setprofile ,
      remove this interface by updating /usr/sbin/ccs-setprofile .

Fix 2011/06/14

    @ Remove unused "struct inode *" parameter from ccs-patch-\*.diff .

      To follow the changes I made on 2011/04/20, I removed "struct inode *"
      from ccs_mknod_permission(), ccs_mkdir_permission(),
      ccs_rmdir_permission(), ccs_unlink_permission(),
      ccs_symlink_permission(), ccs_link_permission() and
      ccs_rename_permission(), which are called from fs/namei.c,
      net/unix/af_unix.c, include/linux/security.c and security/security.c .
      If you have your own ccs-patch-*.diff , please update accordingly.

Fix 2011/06/10

    @ Allow specifying trigger for activation.

      To be able to use TOMOYO under systemd environments where the init=
      parameter is used, I changed to allow overriding the trigger for calling
      the external policy loader and activating MAC via kernel command line
      options.

Fix 2011/06/06

    @ Add policy namespace support.

      To be able to use TOMOYO in LXC environments, I introduced policy
      namespace. Each policy namespace has its own set of domain policy,
      exception policy and profiles, which are all independent of other


      From now on, the exception policy and the manager need to be able to
      handle policy namespaces (which are a <$namespace> prefix added to each
      line). Thus, the space-separated list for
      CONFIG_CCSECURITY_BUILTIN_INITIALIZERS is no longer suitable for handling
      policy namespaces.

ChangeLog for ccs-patch 1.8.1

Fix 2011/05/11

    @ Fix wrong domainname validation.

      "<kernel>" + "/foo/\" + "/bar" was by error checked when
      "<kernel> /foo/\* /bar" was given. As a result, legal domainnames like
      "<kernel> /foo/\* /bar" are rejected.

Fix 2011/05/05

    @ Fix wrong profile number in audit logs for "misc env" permission.

      Profile number used for "file execute" permission was by error reused
      when generating audit logs for "misc env" permission.

Fix 2011/04/20

    @ Remove unused "struct inode *" parameter from hooks.

      Since the pre-vfs functions were removed on 2010/09/18, the
      "struct inode *" parameter which was used for checking the parent
      directory's DAC permission is no longer used.

      Note that "struct ccsecurity_operations ccsecurity_ops" has changed.
      Loadable kernel modules that depend on it need to be rebuilt.

Fix 2011/04/03

    @ Fix fcntl(F_SETFL, O_APPEND) handling.

      Since 1.8.0, TOMOYO was by error checking "file write" permission rather
      than "file append" permission when changing a file's writing mode from
      "overwriting" to "append".

      This error should have little impact (except on CentOS 6.0 kernels)
      because once a file was opened in "overwriting" mode, changing that file
      to "append" mode cannot undo overwriting the file. Regarding CentOS 6.0
      kernels, due to a different ACC_MODE definition, TOMOYO was by error
      needlessly checking "file read" permission when fcntl() was requested.

Fix 2011/03/31

    @ Fix conditional policy parsing.

      Since exec.realpath= and accept path_group,"@foo" was by error parsed as .

    @ Serialize updating profile's comment line.

      We need to serialize when updating COMMENT= line in /proc/ccs/profile .

Fix 2011/03/15

    @ Pack policy when printing via /proc/ccs/ interface.

      The kernel side is ready for accepting packed input like

        file read/write/execute /path/to/file

      but was using unpacked output like

        file read /path/to/file
        file write /path/to/file
        file execute /path/to/file

      because most of the userland tools were not ready for accepting packed
      input.

      The advantages of using packed policy are that it makes policy files
      smaller and it speeds up loading/saving policy files.

      Since most of the userland tools are ready for accepting packed input by
      now, I changed to use packed policy for both input and output.

Fix 2011/03/10

    @ Remove /proc/ccs/meminfo interface.

      Please use /proc/ccs/stat interface instead.

Fix 2011/03/05

    @ Support built-in policy configuration.

      To be able to start using enforcing mode from the early stage of the boot
      sequence, I added support for built-in policy configuration and for
      activating access control without calling the external policy loader
      program.

      This will be useful for systems where operations which could lead to
      hijacking of the boot sequence are needed before loading the policy.
      For example, you can activate enforcing mode immediately after loading
      the fixed part of the policy, which will allow only the operations needed
      for mounting a partition which contains the variant part of the policy
      and for verifying (e.g. running a GPG check) and loading the variant part
      of the policy. Since you can start using enforcing mode from the
      beginning, you can reduce the possibility of hijacking the boot sequence.

Fix 2011/03/01

    @ Run garbage collector without waiting for /proc/ccs/ users.

      Currently TOMOYO holds the SRCU lock upon open() and releases it upon
      close() because list elements stored in the "struct ccs_io_buffer"
      instances are accessed until close() is called. However, such SRCU usage
      causes lockdep to complain about leaving the kernel with the SRCU lock
      held. Therefore, I changed to hold/release SRCU upon each read()/write()
      by selectively deferring kfree() by keeping track of the "struct ccs_io_buffer"

ChangeLog for ccs-patch 1.8.0

Fix 2011/02/07

    @ Fix infinite loop bug when reading /proc/ccs/audit or /proc/ccs/query .

      In ccs_flush(), head->r.w[0] holds a pointer to the string data to be
      printed. But head->r.w[0] was updated only when the string data was
      partially printed (because head->r.w[0] will be replaced by head->r.w[1]
      later if completely printed). However, regarding /proc/ccs/audit and
      /proc/ccs/query , an additional '\0' is printed after the string data
      has been completely printed. But if the free space of the read buffer
      became 0 before printing the additional '\0', ccs_flush() was returning
      without updating head->r.w[0]. As a result, ccs_flush() forever reprints
      the already printed string data.
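
      An added user-space model of the defect described above (example code
      written for this ChangeLog, not the kernel's ccs_flush()); struct
      io_buffer, flush() and drain_record() are constructed for this
      illustration, and the "hello" record is constructed input. With fixed set
      to false a 5-byte read buffer never finishes; with the progress update
      in place the record completes in two read() calls.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* User-space stand-in for the "struct ccs_io_buffer" fields the entry names
 * (constructed for this example, not the kernel definition). */
struct io_buffer {
	const char *w[4];   /* r.w[]: queued strings, w[0] is printed next */
	int w_pos;          /* r.w_pos: number of queued strings */
	char *out;          /* read_user_buf: where read() data goes */
	size_t avail;       /* read_user_buf_avail: free space left in it */
	bool add_nul;       /* true for /proc/ccs/audit and /proc/ccs/query */
};

/* Copy queued strings into the read buffer; returns true once all were
 * flushed, false when the buffer filled up and read() must be called again.
 * fixed == false reproduces 1.8.0: w[0] is advanced only for a partially
 * printed string, so one whose trailing '\0' did not fit is printed again. */
static bool flush(struct io_buffer *head, bool fixed)
{
	while (head->w_pos) {
		const char *w = head->w[0];
		size_t len = strlen(w);
		if (len) {
			if (len > head->avail)
				len = head->avail;
			if (!len)
				return false;
			memcpy(head->out, w, len);
			head->out += len;
			head->avail -= len;
			w += len;
		}
		if (fixed || *w)
			head->w[0] = w;   /* 1.8.0 recorded progress only if *w != 0 */
		if (*w)
			return false;     /* partially printed, continue on next read() */
		if (head->add_nul) {      /* extra '\0' ending an audit/query record */
			if (!head->avail)
				return false; /* 1.8.0: w[0] still points at the start */
			*head->out++ = '\0';
			head->avail--;
		}
		head->w_pos--;
		memmove(&head->w[0], &head->w[1], head->w_pos * sizeof(head->w[0]));
	}
	return true;
}

/* Drain one constructed record ("hello") through read() calls offering
 * 'bufsize' bytes each (at most 32), appending what userspace receives to
 * 'collected'. Returns the number of read() calls needed, or -1 if 'limit'
 * calls were not enough, i.e. the loop the entry describes. */
int drain_record(bool fixed, size_t bufsize, int limit,
		 char *collected, size_t cap, size_t *collected_len)
{
	struct io_buffer head = { .w_pos = 1, .add_nul = true };
	char chunk[32];
	int calls = 0;

	head.w[0] = "hello";
	*collected_len = 0;
	if (bufsize > sizeof(chunk))
		bufsize = sizeof(chunk);
	while (calls < limit) {
		head.out = chunk;
		head.avail = bufsize;
		calls++;
		bool done = flush(&head, fixed);
		size_t got = bufsize - head.avail;
		if (*collected_len + got <= cap) {
			memcpy(collected + *collected_len, chunk, got);
			*collected_len += got;
		}
		if (done)
			return calls;
	}
	return -1;
}
```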

Fix 2011/01/11

    @ Use filesystem name for unnamed devices when vfsmount is missing.

      "Change pathname for non-rename()able filesystems." changed to use
      "$fsname:" if the filesystem does not support the rename() operation and
      "dev($major,$minor):" otherwise when vfsmount is missing. But it turned
      out that it is useless to use "dev($major,$minor):" for unnamed devices
      (filesystems with $major == 0). Thus, I changed to use "$fsname:" rather
      than "dev($major,$minor):" for filesystems with $major == 0 when vfsmount
      is missing.

Fix 2010/12/17

    @ Split ccs_null_security into ccs_default_security and ccs_oom_security.

      ccs_null_security is used by the "preserve KABI compatibility" option and
      provides default values for threads which have not yet allocated memory
      for their security contexts.

      If the current thread failed to allocate memory for its security context,
      it uses ccs_null_security. Since the current thread is allowed to modify
      its own security context, it might modify ccs_null_security, which should
      not be modified for any reason.

      Therefore, I split ccs_null_security into ccs_default_security and
      ccs_oom_security and use ccs_oom_security when the current thread failed
      to allocate memory for its security context.

      Threads which do not share ccs_oom_security are not affected by threads
      which share ccs_oom_security. Threads which share ccs_oom_security will
      experience temporary inconsistency, but such threads are about to be
      killed by the SIGKILL signal.

Fix 2010/12/01

    @ Use same interface for audit logs.

      To be able to perform fine-grained filtering by /usr/sbin/ccs-auditd ,
      I merged /proc/ccs/grant_log and /proc/ccs/reject_log into
      /proc/ccs/audit and added granted=yes or granted=no to audit logs.