~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/README.ccs

Version: ~ [ linux-5.13-rc7 ] ~ [ linux-5.12.12 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.45 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.127 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.195 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.237 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.273 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.273 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.18.140 ] ~ [ linux-3.16.85 ] ~ [ linux-3.14.79 ] ~ [ linux-3.12.74 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 Notes for TOMOYO Linux project
  2 
  3 This is a handy Mandatory Access Control patch for Linux kernels.
  4 This patch is released under the GPLv2.
  5 
  6 Project URL: https://tomoyo.osdn.jp/
  7 
  8 The authors of this patch (hereafter, we) don't have much experience
  9 in kernel programming. We are worried that this patch would contain
 10 some mistakes such as missing hooks, improper location of hooks,
 11 potential deadlocks. There would be better way of implementation.
 12 All kinds of comments, pointing the errors and suggestions are welcome.
 13 
 14 We do hope this patch reduces the labor of server security management
 15 and you enjoy the life with Linux.
 16 
 17 This project was very inspired by the comic "Card Captor SAKURA",
 18 one of the CLAMP's masterworks.
 19 
 20 ChangeLog:
 21 
 22 Version 1.0   2005/11/11   First release.
 23 
 24 Fix 2005/11/18
 25 
 26     @ Add setattr() missing hook in SYAORAN fs.
 27 
 28       setattr() checking for special inode was missing.
 29 
 30 Fix 2005/11/25
 31 
 32     @ Allow initrd.img include /sbin/init .
 33 
 34       Since version 1.0 loads policy when /sbin/init is called
 35       for the first time, initrd.img without the policy directory
 36       mustn't start /sbin/init . This forced users not to use
 37       initrd.img that includes /sbin/init .
 38       I modified to delay loading policy if the policy directory
 39       doesn't exist and wait for /sbin/init being called again.
 40 
 41 Fix 2005/12/02
 42 
 43     @ Use lookup_one_len() instead of lookup_hash().
 44 
 45       Kernel 2.6.15 changed parameters for lookup_hash().
 46       I modified to use lookup_one_len() to keep compatibility.
 47 
 48 Fix 2005/12/06
 49 
 50     @ Add S_ISDIR() check in SYAORAN fs.
 51 
 52       Malicious configuration file that attempts to create an inode
 53       under non-directory inode caused segmentation fault.
 54 
 55 Version 1.0.1 2005/12/08   Minor update release.
 56 
 57 Fix 2006/01/04
 58 
 59     @ Add CheckWritePermission() check in unix_bind().
 60 
 61       I modified to check write permission in unix_bind(), for
 62       sys_mknod(S_IFSOCK) checks write permission.
 63 
 64     @ Show hook version in proc_misc_init().
 65 
 66       The hook part of this patch depends on the kernel's version,
 67       while the rest part of this patch doesn't.
 68       I added the hook version so that the administrator can
 69       know the last modified date of the hooks.
 70 
 71     @ Move permission checks from filp_open() to open_namei().
 72 
 73       I moved the location of checking MAC's permission
 74       from filp_open() to open_namei().
 75 
 76     @ Fix an error in filp_open().  (only 2.6.15-rc5)
 77 
 78       This error was only in the patch 2.6.15-rc5 and
 79       was fixed in the patch for 2.6.15.
 80 
 81 Fix 2006/01/12
 82 
 83     @ Add /proc/ccs/info/self_domain.
 84 
 85       I added /proc/ccs/info/self_domain so that the userland programs
 86       can know the name of domain they belong to if necessary.
 87 
 88 Fix 2006/01/13
 89 
 90     @ Merge constants for CheckTaskCapability().
 91 
 92       I merged *_INHERITABLE_* and *_LOCAL_* to avoid always
 93       calling CheckTaskCapability() with both constants.
 94 
 95     @ DropTaskCapability() returns -EAGAIN on success.
 96 
 97       DropTaskCapability() must not return 0 on success, for
 98       DropTaskCapability() is called from do_execve().
 99 
100     @ Fix an error for chroot() permission check.
101 
102       The chroot() restriction was not working due to the following mistake.
103       CheckChRootPermission() || CheckTaskCapability() returns 0 or 1, while
104       CheckChRootPermission() | CheckTaskCapability() returns 0 or -EPERM.
105 
106 Fix 2006/01/17
107 
108     @ Suppress some of debug messages in TOMOYO.
109 
110       I added KERN_DEBUG to suppress some of debug messages.
111 
112 Fix 2006/01/19
113 
114     @ Remove isRoot() checks in AddChrootACL() and AddMountACL().
115 
116       I found a program that needs to chroot by non-root.
117       So, I stopped checking uid=euid=0 for these functions so that
118       "accept mode" can append ACLs.
119       The isRoot() is checked at AddChrootPolicy() and AddMountPolicy().
120 
121     @ Map NULL device name to "<NULL>" in AddMountACL().
122 
123       VMware mounts vmware-hgfs with NULL device name.
124       So I mapped NULL device name to "<NULL>".
125 
126 Fix 2006/01/20
127 
128     @ Suppress some of debug messages in SAKURA.
129 
130       I added KERN_DEBUG to suppress some of debug messages.
131 
132     @ Call panic() if failed to load given profile.
133 
134       Call panic() if profile index was given via CCS= parameter
135       but the profile doesn't exist.
136       If CCS= parameter is not given, the kernel attempts to load
137       profile 0, but it doesn't call panic() if profile 0 doesn't exist.
138 
139 Fix 2006/01/24
140 
141     @ Use full_name_hash() for IsGloballyReadableFile().
142 
143       I modified to use full_name_hash() for faster scan.
144 
145     @ Add signal checking condition in CheckSignalACL().
146 
147       The documentation says "if the target domain's domainname
148       starts with the source domain's domainname, it is always granted"
149       but actually it isn't. I'll change the documentation instead of
150       changing the source code.
151 
152       Also, checking for pid = -1 was missing. This error was fixed.
153 
154 Fix 2006/02/09
155 
156     @ Use mutex_lock()/mutex_unlock instead of down()/up().
157 
158       Kernel 2.6.16 changed members of "struct inode".
159       I modified to use mutex_lock()/mutex_unlock() for after 2.6.16
160       and down()/up() for before 2.6.16.
161 
162 Version 1.0.2 2006/02/14   Many bug-fixes release.
163 
164 Fix 2006/02/21
165 
166     @ Divide generic-write permission into individual write permissions.
167 
168       Write permission was divided into the following permissions.
169 
170       'mkdir'     for creating directory.
171       'rmdir'     for deleting directory.
172       'create'    for creating regular file.
173       'unlink'    for deleting non-directory.
174       'mksock'    for creating UNIX domain socket.
175       'mkfifo'    for creating FIFO.
176       'mkchar'    for creating character device.
177       'mkblock'   for creating block device.
178       'link'      for creating hard link.
179       'symlink'   for creating symbolic link.
180       'rename'    for renaming directory or non-directory.
181       'truncate'  for truncating regular file.
182 
183       The permission check for opening files is done using
184       conventional read/write/execute permission.
185 
186     @ Add /proc/ccs/info/mapping.
187 
188       I added /proc/ccs/info/mapping so that the userland programs
189       can know the mapping of individual write permissions.
190 
191 Fix 2006/02/27
192 
193     @ Fix handling of trailing '\*' in PathMatchesToPattern().
194 
195       PathMatchesToPattern("/tmp/", "/tmp/\*") returned true
196       because "\*" matches "zero or more repetitions of characters
197       until '/' or end". But since this is a comparison between
198       directory and non-directory, this should not match.
199 
200       This behavior causes the following security risks.
201       In enforce mode, allowing "2 /tmp/\*" grants
202       "mkdir /tmp/" and "rmdir /tmp/" which should be
203       granted only when "2 /tmp/" is allowed.
204       In accept mode, "mkdir /tmp/" or "rmdir /tmp/" appends
205       "2 /tmp/\*" into the domain policy if "file_pattern /tmp/\*"
206       is in the exception policy.
207 
208       I changed not to ignore trailing '\*' in the pattern
209       if pathname ends with '/'.
210 
211 Fix 2006/03/01
212 
213     @ Add missing spinlock in GetAbsolutePath().
214 
215       vfsmount_lock was missing.
216 
217 Fix 2006/03/08
218 
219     @ Add support for "shared subtree" mount operations.
220 
221       Kernel 2.6.15 introduced "shared subtree" functionality.
222       But CheckMountPermission() couldn't recognize flags for
223       do_change_type().
224 
225     @ Add support for more mount flags.
226 
227       atime/noatime, diratime/nodiratime, recurse/norecurse flags
228       are supported.
229 
230 Fix 2006/03/20
231 
232     @ Check port numbers for only AF_INET/AF_INET6.
233 
234       CheckBindEntry() and CheckConnectEntry() should check port numbers
235       only when the given address family is either AF_INET or AF_INET6,
236       for address family such as AF_UNSPEC could be passed to bind()
237       and connect() for PF_INET/PF_INET6 sockets.
238 
239 Fix 2006/03/27
240 
241     @ Use /proc/self/ rather than /proc/\$/ for current process.
242 
243       GetAbsolutePath() now uses "self" instead of pid
244       if current process refers to information related to itself.
245       This exception violates the rule "TOMOYO Linux's pathnames don't
246       contain symbolic links before the last '/'", but I think it worth
247       to do so. The following are the merits gained by this exception.
248 
249       Prevent administrators from granting redundant permissions
250       when a process needs to refer to only current process's information.
251 
252       Allow administrators make current process's information always
253       readable using 'allow_read' directive.
254 
255 Version 1.1   2006/04/01   Functionality enhancement release.
256 
257 Fix 2006/04/03
258 
259     @ Use queue instead of fixed sized array for audit log.
260 
261       WriteAuditLog() now uses queue to save statically allocated memory.
262       Administrators can give any size for audit logs at runtime.
263 
264     @ Use kzalloc() instead of kmalloc() + memset().
265 
266       kmalloc() + memset() were replaced with kzalloc().
267 
268 Fix 2006/04/04
269 
270     @ Support "delayed enforcing" mode.
271 
272       Until now, access request was immediately rejected
273       if policy doesn't allow that access and the system is
274       running in enforce mode.
275       Sometimes, especially after updating softwares,
276       some unexpected access requests arise from proper procedure.
277       Such access requests should be granted because
278       they are not caused by malicious attacks.
279       So I introduced a mechanism to allow administrator some grace
280       to decide to grant or reject such access requests.
281       This mechanism is implemented in the following manner.
282         "Don't return immediately if permission denied."
283         "Sleep for a while waiting administrator's decision."
284         "Return successfully if administrator tells to do so."
285 
286 Fix 2006/04/12
287 
288     @ Fix handling of prefix in GetAbsolutePath().
289 
290       Some objects doesn't have prefix "/".
291       Pipe has prefix "pipe:" and socket has prefix "socket:".
292       GetAbsolutePath() couldn't handle prefixes other than '/' properly.
293 
294     @ Remove IsCorrectPath() checks for File Access Control functions.
295 
296       File Access Control functions accepted only pathnames that start
297       with '/' because these functions assumed pathnames returned by
298       GetAbsolutePath() always start with '/'.
299       However, I found a program that opens an unnamed pipe via
300       (probably) /proc/PID/fd/ directory. (You can see entries like
301       "pipe:[number]" if you run "ls -l /proc/*/fd/".)
302       Now, File Access Control functions have to accept pathnames
303       that don't start with '/'. So, I stopped checking IsCorrectPath().
304 
305 Fix 2006/04/19
306 
307     @ Fix handling of NULL nameidata in vfs_open().
308 
309       In 2.6 kernels, NFS daemon and sys_mq_open() call
310       vfs_create() with NULL nameidata. In such cases,
311       CheckSingleWritePermission() must not be called.
312 
313 Version 1.1.1 2006/05/15   Functionality enhancement release.
314 
315 Fix 2006/05/16
316 
317     @ Support program files aggregation.
318 
319       Until now, programs that have no fixed names and their
320       parent programs had to be run in a trusted domain
321       since it is impossible to use patterns for granting
322       execute permission and defining domains.
323       I introduced a mechanism to aggregate similar programs
324       using 'aggregator' directive.
325       Some examples:
326 
327         'aggregator /tmp/logrotate.\?\?\?\?\?\? /tmp/logrotate.tmp'
328         to run all temporary programs for logrotate as /tmp/logrotate.tmp
329 
330         'aggregator /usr/bin/tac /bin/cat'
331         to run /usr/bin/tac and /bin/cat as /bin/cat
332 
333 Fix 2006/05/18
334 
335     @ Unlimit max count for audit log.
336 
337       I forgot to replace MAX_GRANT_LOG and MAX_REJECT_LOG with INT_MAX
338       so that administrators can give any size for audit logs at runtime.
339 
340 Fix 2006/05/22
341 
342     @ Support individual domain ACL removal.
343 
344       Until now, to remove ACLs from a domain, administrator had to
345       once delete and recreate that domain, which wastes a lot of memory.
346       I introduced a mechanism to remove domain ACL without deleting and
347       recreating domains.
348       Administrator can delete domains or remove ACLs from domains
349       via /proc/ccs/policy/domain_policy .
350       /proc/ccs/policy/delete_domain and /proc/ccs/policy/update_domain
351       were removed.
352 
353 Fix 2006/05/30
354 
355     @ Add missing spinlock in SAKURA_MayMount().
356 
357       vfsmount_lock was missing.
358 
359 Version 1.1.2 2006/06/02   Functionality enhancement release.
360 
361 Fix 2006/06/13
362 
363     @ Merge tomoyo_connect.c and tomoyo_bind.c into tomoyo_port.c
364 
365       I merged these files that have only difference CONNECT and BIND,
366       that are likely to be enabled both or neither.
367 
368     @ Add CONFIG_TOMOYO_AUDIT option.
369 
370       I made auditing functions as optional because some Linux boxes
371       may have not enough disk space to store audit logs.
372 
373 Fix 2006/06/15
374 
375     @ Support use of symbolic links for program execution.
376 
377       Until now, domains for programs executed by dereferencing
378       symbolic links were defined using dereferenced pathnames.
379       This was inconvenient for some Linux boxes who use busybox but
380       can't keep hard links of busybox.
381       I introduced a mechanism to allow using pathnames of
382       symbolic links using 'alias' directive.
383       Some examples:
384 
385         'alias /sbin/busybox /bin/ls' to run /bin/ls
386         (which is a symbolic link to /sbin/busybox) as /bin/ls
387         if /bin/ls is executed.
388 
389         'alias /bin/bash /bin/sh' to run /bin/sh
390         (which is a symbolic link to /bin/bash) as /bin/sh
391         if /bin/sh is executed.
392 
393 Fix 2006/06/21
394 
395     @ Use ccs_alloc() instead of kzalloc().
396 
397       To detect memory leaks,
398       I added a wrapper for tracing kmalloc() and kfree().
399       There is no way to detect memory leaks caused by ccs-*.txt .
400 
401 Version 1.1.3 2006/07/13   Functionality enhancement release.
402 
403 Fix 2006/07/14
404 
405     @ Change behavior of pathname pattern matching.
406 
407       Until now, it was impossible to use patterns like "\*.txt" because
408       "\*" matched zero or more repetitions of characters until next '/'.
409       Now, "\*" matches zero or more repetitions of characters.
410 
411       Until now, it was impossible to use patterns like "\$00"
412       because "\$" matched one or more repetitions of digits until next
413       non digit character.
414       Now, "\$" matches one or more repetitions of digits.
415 
416       Also, new patterns "\x" "\X" "\a" "\A" "\@" are added.
417 
418 Fix 2006/07/21
419 
420     @ Add CONFIG_TOMOYO_NETWORK option.
421 
422       Until now, only port numbers for TCP and UDP were controllable.
423       Now, the combination of IPv4/IPv6 address and port numbers
424       for TCP and UDP is controllable.
425       CONFIG_TOMOYO_NETWORKPORT became obsolete.
426 
427 Fix 2006/07/25
428 
429     @ Change matching rule for CheckFileACL().
430 
431       Until now, only first entry that matched the requested pathname
432       was used for permission checking. For example, two entries
433 
434       "2 /tmp/file-\$.txt"
435       "4 /tmp/fil\?-0.txt"
436 
437       are given in this order and requested pathname is "/tmp/file-0.txt",
438       the "2 /tmp/file-\$.txt" is used. But if two entries
439 
440       "4 /tmp/fil\?-0.txt"
441       "2 /tmp/file-\$.txt"
442 
443       are given in this order, the "4 /tmp/fil\?-0.txt" is used.
444       This may potentially cause trouble because the result of
445       permission checks depends on the order of entries.
446 
447       Now, all entries that matched the requested pathname
448       are used for permission checking so that the result of
449       permission checks doesn't depend on the order of entries.
450 
451 Fix 2006/07/27
452 
453     @ Support RAW IPv4/IPv6 control.
454 
455       Some programs such as 'ping' and 'traceroute' use raw IP socket.
456       Now, the combination of IPv4/IPv6 address and protocol numbers
457       for IP is controllable.
458 
459 Fix 2006/08/04
460 
461     @ Add filename and argv[0] comparison check.
462 
463       The domain transition was done based on filename passed to do_execve(),
464       while the behavior was defined based on argv[0].
465       There is no problem if the filename is argv[0]-unaware application.
466       But if argv[0]-aware, access control bypassing happens if the process
467       transits to trusted domain but behaves as different program.
468       For example, when the administrator specifies domain for /bin/ls as
469       trusted but both /bin/ls and /bin/cat are links to /sbin/busybox ,
470       a cracker can run /bin/cat in a trusted domain if the cracker
471       succeeds to invoke do_execve() with filename = "/bin/ls" and
472       argv[0] = "/bin/cat".
473 
474       I introduced a directive that permits the mismatch of
475       basename of filename and argv[0].
476 
477 Fix 2006/08/10
478 
479     @ Support ID based condition checks.
480 
481       It was impossible to use process id (uid and gid and so on) for
482       checking individual domain ACL.
483 
484       Now it became possible to use process id for checking individual
485       domain ACL. For example,
486 
487         "1 /bin/sh if task.euid!=0"
488 
489       allows the domain to execute /bin/sh only when the process's euid
490       is not 0, and
491 
492         "6 /home/\*/\* if task.uid=path1.uid"
493 
494       allows the domain to read-write user's home directory
495       only when the file's owner matches the process's uid.
496 
497 Fix 2006/08/22
498 
499     @ Fix ROUNDUP() in fs/realpath.c .
500 
501       Alignment using sizeof(int) may be inappropriate for 64bit environment.
502       I changed to use the larger size of 'void *' and 'long'
503       instead of 'int'.
504       For environment where sizeof(int) = sizeof(long) = sizeof(void *),
505       this change has no effect.
506 
507 Version 1.2   2006/09/03   Functionality enhancement release.
508 
509 Fix 2006/09/30
510 
511     @ Fix CheckFilePerm() in fs/tomoyo_file.c .
512 
513       The location to call path_release() was too early.
514 
515 Fix 2006/10/02
516 
517     @ Support per-domain profile.
518 
519       It became possible to assign different profiles for different domains.
520       This will help administrators using building up approach.
521 
522 Fix 2006/10/05
523 
524     @ Change parameters for CheckFilePerm().
525 
526       I was re-resolving pathnames inside CheckFilePerm() even though
527       the caller function already resolved them.
528       So I changed to pass dentry and vfsmount instead of pathname,
529       and removed changes made on 2006/09/30.
530 
531 Fix 2006/10/06
532 
533     @ Support deny_rewrite and allow_rewrite permission.
534 
535       It became possible to make regular files append-only
536       using "deny_rewrite" directive in exception policy and
537       override it using "allow_rewrite" directive in domain policy.
538 
539       Regular files specified using "deny_rewrite" directive
540         can't be open()ed with O_TRUNC or without O_APPEND,
541         can't be truncate()ed or ftruncate()ed,
542         can't be turned O_APPEND flag off using fcntl(F_SETFL)
543       unless specified using "allow_rewrite" directive.
544 
545 Fix 2006/10/12
546 
547     @ Enable configuration options by default for kernel config.
548 
549       CONFIG_SAKURA and CONFIG_TOMOYO are now 'y' by default
550       and CONFIG_SYAORAN is now 'm' by default.
551 
552 Fix 2006/10/13
553 
554     @ Use external policy loader.
555 
556       Until now, policies are loaded when /sbin/init starts and
557       initial control levels are switched using CCS= parameter.
558       But since some boxes have to fixate kernel command line options
559       at compilation time, I think it will become more flexible
560       by running external policy loader using init= parameter so that
561       initial control levels can be specified before /sbin/init starts.
562 
563       Call panic() if initial control levels are not specified.
564 
565 Fix 2006/10/16
566 
567     @ Add missing parameter in FindNextDomain().
568 
569       'struct file' was needed for allowing 'if path1.*' checks.
570 
571 Fix 2006/10/23
572 
573     @ Print error messages in CheckFlags().
574 
575       Some users seem to have troubles picking up all necessary
576       entries for the configuration file of SYAORAN filesystem
577       since makesyaoranconf can't pick up entries that are
578       nonexistent at the time.
579       I added error message so that users can find missing entries
580       using dmesg.
581 
582 Fix 2006/10/24
583 
584     @ Change /proc/ccs/info/self_domain .
585 
586       I changed /proc/ccs/info/self_domain to return
587       the domain of open time rather than first read time.
588       This modification makes shell's redirection usage
589       more convenient since redirection opens file
590       but doesn't read at the time.
591 
592       'cat < /proc/ccs/info/self_domain' will return
593       the domain of shell, and
594       'cat /proc/ccs/info/self_domain' will return
595       the domain of cat .
596 
597 Fix 2006/11/06
598 
599     @ Replace MAX_ENFORCE_GRACE with ALLOW_ENFORCE_GRACE.
600 
601       Since it was inconvenient that requests that are waiting for
602       supervisor's decision are rejected automatically when
603       MAX_ENFORCE_GRACE seconds has elapsed, I modified WriteAnswer()
604       reset timeout counter whenever a supervisor's decision is written
605       and I modified ccs-queryd write a dummy decision every seconds
606       so that the requests won't be rejected automatically as long as
607       ccs-queryd is running.
608       This change made MAX_ENFORCE_GRACE's meaning boolean.
609       So I fixated MAX_ENFORCE_GRACE to 10 seconds and removed
610       MAX_ENFORCE_GRACE parameter.
611       To allow administrators selectively enable "delayed enforcing"
612       mode, I added ALLOW_ENFORCE_GRACE parameter.
613       The behavior of "delayed enforcing" mode is defined
614       in the following order.
615 
616       (1) The requests are rejected immediately if ALLOW_ENFORCE_GRACE=0.
617       (2) The requests are rejected immediately
618           if nobody is opening /proc/ccs/policy/query interface.
619       (3) The requests won't be rejected automatically
620           if ALLOW_ENFORCE_GRACE=1 and ccs-queryd is running.
621       (4) The requests will be rejected in 10 seconds
622           if somebody other than ccs-queryd (such as less(1)) is
623           opening /proc/ccs/policy/query interface, for
624           such process doesn't write dummy decisions.
625 
626 Version 1.3   2006/11/11   First anniversary release.
627 
628 Fix 2006/11/13
629 
630     @ Replace trust_domain with keep_domain.
631 
632       Since it was troublesome that there are two elements that can disable MAC
633       (assigning a profile that doesn't enable MAC or registering domains
634       with trust_domain directive), I removed trust_domain directive.
635       Instead, I introduced keep_domain directive to not to transit domains
636       unless a program registered with initializer directive is executed.
637       This change has the following advantages.
638 
639       (1) Allows administrator use "enforce mode" for operations after login.
640           Since it was difficult to know what commands and files are invoked
641           and accessed in what sequences beforehand, we had to use trust_domain
642           directive for such domain, allowing users invoke any commands and
643           access any files in any sequence.
644           But now, we can use keep_domain directive and assign a profile for
645           "enforce mode" for such domain, forcing users invoke only allowed
646           commands and access only allowed files in any sequence
647           while these operations are kept under the control of "enforce mode".
648 
649       (2) Allows administrator determine easily whether the domain is
650           under MAC or not because only the profile currently assigned to
651           the domain determines it.
652 
653       (3) Saves total number of domains and memory.
654 
655 Fix 2006/11/22
656 
657     @ Don't allow use of undefined profile.
658 
659       To avoid assigning undefined profile to domains by error,
660       I added checks before assigning profiles to domains.
661       Now, profiles have to be defined prior to assigning them to domains.
662 
663 Version 1.3.1 2006/12/08   Minor update release.
664 
665 Fix 2006/12/10
666 
667     @ Allow pathname grouping.
668 
669       To reduce the labor of repeating '/\*' to allow access recursively,
670       I introduced a macro 'path_group' to make group such pathnames.
671       For example, you had to give like
672 
673         4 /var/www/html/\*
674         4 /var/www/html/\*/\*
675         4 /var/www/html/\*/\*/\*
676         4 /var/www/html/\*/\*/\*/\*
677 
678       but now, you can give just
679 
680         4 @WEB-CONTENTS
681 
682       if you give
683 
684         path_group WEB-CONTENTS /var/www/html/\*
685         path_group WEB-CONTENTS /var/www/html/\*/\*
686         path_group WEB-CONTENTS /var/www/html/\*/\*/\*
687         path_group WEB-CONTENTS /var/www/html/\*/\*/\*/\*
688 
689       in the exception policy.
690       This macro will be useful when grouping different directories.
691 
692 Fix 2006/12/15
693 
694     @ Use structured pathnames instead for simple 'char *'.
695 
696       To reduce the cost of strcmp(), I changed the return value of
697       SaveName() from 'const char *' to 'const struct path_info *'.
698       This change will speed up PathMatchesToPattern() comparison.
699 
700 Fix 2006/12/19
701 
702     @ Allow registering policy managers using domainnames.
703 
704       It was difficult to restrict programs that can update policies
705       via /proc/ccs/ interfaces using pathnames of these programs, for
706       these programs could be unintendedly invoked.
707       Now, it became possible to restrict domains that can update policies
708       via /proc/ccs/ interfaces as well as programs.
709       By restricting using domainnames, it becomes easier to avoid
710       unintended invocation.
711 
712 Fix 2006/12/22
713 
714     @ Add initialize_domain,no_initizlize_domain,no_keep_domain
715 
716       To control domain transitions more strictly,
717       initialize_domain,no_initizlize_domain,no_keep_domain directives
718       were introduced.
719 
720       "initialize_domain /some/program" means
721       jump to "<kernel> /some/program" domain if /some/program is
722       called from any domain.
723       This is equivalent to conventional "initializer /some/program".
724 
725       "initialize_domain /some/program from some_domain" means
726       jump to "<kernel> /some/program" domain only if /some/program is
727       called from "some_domain" domain.
728 
729       "no_initialize_domain /some/program" means
730       don't jump to "<kernel> /some/program" domain even if
731       "initialize_domain /some/program" or
732       "initialize_domain /some/program from some_domain" are given
733       if /some/program is called from any domain.
734 
735       "no_initialize_domain /some/program from some_domain" means
736       don't jump to "<kernel> /some/program" domain even if
737       "initialize_domain /some/program" or
738       "initialize_domain /some/program from some_domain" are given
739       if /some/program is called from "some_domain" domain.
740 
741       "keep_domain some_domain" means don't jump to child domain
742       if any programs are called from "some_domain" domain.
743 
744       "keep_domain /some/program from some_domain" means
745       don't jump to child domain only if /some/program is
746       called from "some_domain" domain.
747 
748       "no_keep_domain some_domain" means
749       jump to child domain even if
750       "keep_domain /some/program" or
751       "keep_domain /some/program from some_domain" are given
752       if any programs are called from "some_domain" domain.
753 
754       "no_keep_domain /some/program from some_domain" means
755       jump to child domain even if
756       "keep_domain /some/program" or
757       "keep_domain /some/program from some_domain" are given
758       if /some/program is called from "some_domain" domain.
759 
760       "some_domain" can be just the last component of domainname.
761       For example, giving "/bin/mail" as "some_domain" matches
762       all domains whose domainname ends with "/bin/mail".
763 
764 Fix 2007/01/19
765 
766     @ Allow reuse of memory allocated for domain policy.
767 
768       Regarding domain policy, unlike other policies, didn't have
769       "is_deleted" flag and new memory were allocated
770       if the deleted entries are given again.
771       But to allow administrators switch domain policy periodically,
772       I introduced "is_deleted" flag.
773 
774       Writing "some_domain" to /proc/ccs/policy/domain_policy
775       creates "some_domain" using new memory if it didn't exist.
776 
777       Writing "select some_domain" doesn't create "some_domain"
778       if it didn't exist.
779 
780       Writing "delete some_domain" deletes "some_domain"
781       but does not delete entries in "some_domain".
782 
783       Writing "undelete some_domain" undeletes "some_domain"
784       if it was deleted by "delete some_domain".
785 
786 Fix 2007/01/22
787 
788     @ Allow getting already deleted pathnames.
789 
790       To allow getting pathnames that are already deleted,
791       I removed (IS_ROOT(dentry) || !d_unhashed(dentry)) check.
792 
793 Fix 2007/01/26
794 
795     @ Limit string length to 4000.
796 
797       I was using PAGE_SIZE (4096 in many environments)
798       as the max length of any string data.
799       But for environments that have larger PAGE_SIZE,
800       doing memset(ptr, 0, PAGE_SIZE) every time is too wasteful.
801 
802 Fix 2007/01/29
803 
804     @ Add garbage collector for domain policy.
805 
806       Writing "some_domain" to /proc/ccs/policy/domain_policy
807       creates "some_domain" using new memory only if
808       some process is staying at that deleted domain.
809       If no process is staying at that deleted domain,
810       "some_domain" is undeleted with all ACLs deleted.
811 
812 Version 1.3.2 2007/02/14   Usability enhancement release.
813 
814 Fix 2007/02/20
815 
816     @ Allow address grouping.
817 
818       To reduce the labor of repeating similar IPv4/IPv6 addresses,
819       I introduced a macro 'address_group' to make group such addresses.
820       For example, you had to give like
821 
822         allow_network TCP accept 10.0.0.0-10.255.255.255 1024-65535
823         allow_network TCP accept 172.16.0.0-172.31.255.255 1024-65535
824         allow_network TCP accept 192.168.0.0-192.168.255.255 1024-65535
825 
826       but now, you can give just
827 
828         allow_network TCP accept @localnet 1024-65535
829 
830       if you give
831 
832         address_group localnet 10.0.0.0-10.255.255.255
833         address_group localnet 172.16.0.0-172.31.255.255
834         address_group localnet 192.168.0.0-192.168.255.255
835 
836       in the exception policy.
837 
838 Fix 2007/03/03
839 
840     @ Remove obsolete functions.
841 
842     @ Add some hooks.
843 
844       Read permission check is done if open_exec()
845       is called from search_binary_handler().
846       Read permission check is not done if open_exec()
847       is called from do_execve(), instead,
848       execute permission check is done at
849       search_binary_handler_with_transition().
850 
851       I moved the location of calling CheckCapabilityACL()
852       and CheckMountPermission() from sys_mount() to do_mount().
853 
854 Fix 2007/03/07
855 
856     @ Use 'unsigned int' for sscanf().
857 
858       I compiled SYAORAN fs on x86_64 environment and found
859       the compiler showing warning messages about size of data types.
860       Since size of data types may mismatch for sscanf(),
861       I replaced some types with 'unsigned int'.
862 
863 Version 1.4   2007/04/01   x86_64 support release.
864 
865 Fix 2007/04/18
866 
867     @ Change argv[0] checking rule.
868 
869       I was comparing the basename of symbolic link's pathname and argv[0].
870       Since execute permission check and domain transition are done
871       based on realpath while argv[0] check is done based on the symlink's
872       pathname and argv[0], this specification will allow attackers behave
873       as /bin/cat in the domain of /bin/ls if "/bin/ls and /bin/cat are
874       links to /sbin/busybox" and "the attacker is permitted to create
875       a symlink named ~/cat that points to /bin/ls" and "the attacker is
876       permitted to run /bin/ls".
877       So, I changed to compare the basename of realpath and argv[0].
878       Also, I moved the location to compare before processing
879       "aggregator" directive so that
880       "aggregator /tmp/logrotate.\?\?\?\?\?\? /tmp/logrotate.tmp"
881       won't cause the mismatch of the basename of realpath and argv[0].
882 
883       If /bin/ls is a symlink to /sbin/busybox, then
884       creating a symlink named ~/cat that points to /bin/ls and
885       executing ~/cat won't work as expected because permission check and
886       domain transition are done using /sbin/busybox (realpath of /bin/ls)
887       and will be rejected since the administrator won't grant
888       "1 /sbin/busybox".
889 
890 Fix 2007/05/07
891 
892     @ Support pathname subtraction.
893 
894       There was no way to exclude specific pathnames when granting
895       permissions using wildcards.
896       There would be a need to exclude specific files and directories.
897       I introduced "\-" as subtraction operator.
898 
899         "A\-B" means "A" other than "B".
900         "A\-B\-C" means "A" other than "B" and "C".
901         "A\-B\-C\-D" means "A" other than "B" and "C" and "D".
902 
903       "A", "B", "C", "D" may contain wildcards.
904 
905       An example usage is "/home/\*/\*\-.ssh/\*", which means
906       "/home/\*/\*/\*" other than "/home/\*/.ssh/\*".
907 
908       "A" should contain wildcards because subtraction from constants
909       (e.g. "/usr\-usr/" or "/usr\-home/") is meaningless.
910 
911       Don't try "A\-B\+C" because "\+" is not addition operator.
912 
913 Fix 2007/05/24
914 
915     @ Fix autobind hook.
916 
917       The location to call SAKURA_MayAutobind() in net/ipv4/udp.c
918       and net/ipv6/udp.c were wrong.
919 
920 Fix 2007/06/03
921 
922     @ Add a space in MakeMountOptions().
923 
924       I forgot to add a space after "atime" and "noatime".
925 
926 Version 1.4.1 2007/06/05   Minor update release.
927 
928 Fix 2007/07/04
929 
930     @ Fix ReadAddressGroupPolicy() bug.
931 
932       ReadAddressGroupPolicy() fails if both "path_group" and "address_group"
933       are used because I forgot to set "head->read_var1 = NULL".
934 
935 Fix 2007/07/10
936 
937     @ Add compat_sys_stime() hook.
938 
939       Some of 64bit kernels support compat_sys_stime()
940       but permission check was missing.
941 
942 Version 1.4.2 2007/07/13   Bug fix release.
943 
944 Fix 2007/08/06
945 
946     @ Remove mount-flags manipulation.
947 
948       Until now, administrator is permitted to turn on/off specific mount
949       options regardless of mount options passed to kernel.
950       I removed this feature because "exact option matching" sounds better than
951       "automatic option enabler/disabler".
952 
953     @ Remove /proc/ccs/info/mapping .
954 
955       I removed /proc/ccs/info/mapping because nobody seems to use this
956       feature.
957 
958     @ Call external policy loader automatically.
959 
960       Until now, users had to add init=/.init parameter to load policy
961       before /sbin/init starts.
962       I inserted call_usermodehelper() to call external policy loader when
963       execve("/sbin/init") is requested and external policy loader exists.
964 
965       This change will remove init=/.init parameter from most environment,
966       although call_usermodehelper() can't handle interactive operations.
967 
968     @ Move external policy loader from /.init to /sbin/ccs-init .
969 
970       Installing programs in / directory is not good for packaging.
971 
972 Fix 2007/08/13
973 
974     @ Update external policy loader.
975 
976       It turned out that /sbin/ccs-init invoked via call_usermodehelper()
977       can handle interactive operations by opening /dev/console .
978       Now, there is no difference between init=/sbin/ccs-init and
979       call_usermodehelper("/sbin/ccs-init"), and users no longer need to
980       add init=/sbin/ccs-init parameter to load policy before /sbin/init
981       starts.
982 
983 Fix 2007/08/14
984 
985     @ Update recvmsg() hooks.
986 
987       Until now, it was impossible to apply network access control for
988       incoming UDP and RAW packets if they are brought to userland using
989       read() or recvmsg() with NULL address because address buffer is NULL.
990       I moved hooks from sock_recvmsg() to skb_recv_datagram() so that
991       network access control for incoming UDP and RAW packets always work.
992 
993 Fix 2007/08/16
994 
995     @ Return appropriate error code for CheckMountPermission().
996 
997       I was returning -EPERM if something is wrong with CheckMountPermission().
998       But SELinux determines whether selinuxfs is supported by kernel
999       based on whether error code is -ENODEV or not.
1000       So I stopped returning -EPERM unconditionally.
1001 
1002 Fix 2007/08/17
1003 
1004     @ Remove initializer directive.
1005 
1006       Use "initialize_domain" instead of "initializer".
1007 
1008 Fix 2007/08/21
1009 
1010     @ Fix "allow_argv0 ... if if ..." bug.
1011 
1012       It was impossible to use a word "if" to the second argument of
1013       allow_argv0 if condition part is used.
1014 
1015 Fix 2007/08/24
1016 
1017     @ Move /proc/ccs/\*/\* to /proc/ccs/\* .
1018 
1019       Some pathnames for /proc/ccs/ interface were changed.
1020 
1021 Fix 2007/09/05
1022 
1023     @ Drop MSG_PEEK'ed message before skb_free_datagram().
1024 
1025       I need to remove head message from unwanted source
1026       from socket's receive queue so that the caller can pick up
1027       next message from wanted source with MSG_PEEK flags.
1028 
1029 Version 1.5.0 2007/09/20   Usability enhancement release.
1030 
1031 Fix 2007/09/27
1032 
1033     @ Avoid eating memory after quota exceeded.
1034 
1035       Although ACL entries in a domain won't be added if the domain's quota
1036       has exceeded, SaveName() in AddFileACL() is called anyway.
1037       This caused unneeded memory consumption.
1038 
1039       Now, quota checking is done before getting domain_acl_lock lock.
1040       This may exceed quota by one or two entries, but that won't matter.
1041 
1042 Fix 2007/10/16
1043 
1044     @ Add environment variable check.
1045 
1046       There are environment variables that may cause dangerous behavior
1047       like LD_\* .
1048       So I introduced 'allow_env' directive that allows specified
1049       environment variable inherited to next domain.
1050       Unlike other permissions, this check is done at execve() time
1051       using next domain's ACL information.
1052 
1053       To manage commonly inherited environments like PATH ,
1054       you can use 'allow_env' directive in exception policy
1055       to globally grant specified environment variable.
1056 
1057 Fix 2007/11/05
1058 
1059     @ Replace semaphore with mutex.
1060 
1061       I replaced semaphore with mutex.
1062 
1063     @ Add missing down() in AddReservedEntry().
1064 
1065       Mutex debugging capability told me that I had forgotten to call down()
1066       since TOMOYO version 1.3.2 .
1067       This function is not called by learning mode,
1068       so the semaphore's counter will not overflow for normal usage.
1069 
1070 Fix 2005/11/27
1071 
1072     @ Fix ReadTable() truncation bug.
1073 
1074       "snprintf(str, size, format, ...) >= size" means truncated.
1075       But I was checking for "snprintf(str, size, format, ...) > size".
1076       As a result, some entries might be dumped without '\n'.
1077 
1078     @ Purge direct "->prev"/"->next" manipulation.
1079 
1080       All list manipulations use "struct list_head" or "struct list1_head".
1081       "struct list1_head" doesn't have "->prev" member to save memory usage.
1082 
1083 Fix 2007/11/29
1084 
1085     @ Add missing semaphore in GetEXE().
1086 
1087       mm->mmap_sem was missing.
1088 
1089 Fix 2007/12/17
1090 
1091     @ Remove unused EXPORT_SYMBOL().
1092 
1093       Mark some functions static.
1094 
1095 Fix 2007/12/18
1096 
1097     @ Fix AddMountACL() rejection bug.
1098 
1099       To my surprise, "mount --bind source dest" accepts
1100       not only "both source and dest are directory"
1101       but also "both source and dest are non-directory".
1102       I was rejecting if dest is not a directory in AddMountACL().
1103 
1104     @ Change log format.
1105 
1106       Profile number and mode is added in audit logs.
1107 
1108 Fix 2008/01/03
1109 
1110     @ Change directive for file's read/write/execute permission.
1111 
1112       Directives for file's read/write/execute permissions were
1113       4/2/1 respectively. But for easier understanding, they are now
1114       replaced by read/write/execute (e.g. "allow_read" instead of "4").
1115       But for easier inputting, 4/2/1 are still accepted instead of
1116       allow_read/allow_write/allow_execute respectively.
1117 
1118     @ Change internal data structure.
1119 
1120       Since I don't have more than 16 types of file permissions,
1121       I combined them using bit-fields.
1122 
1123       Each entry had a field for conditional permission support.
1124       But since this field is unlikely used, I separated the field from
1125       common part.
1126 
1127       These changes will reduce memory used by policy.
1128 
1129 Fix 2008/01/15
1130 
1131     @ Add ptrace() hook.
1132 
1133       To prevent attackers from controlling important processes using
1134       ptrace(), I added a hook for ptrace().
1135       Most programs (except strace(1) and gdb(1)) won't use ptrace(2).
1136 
1137     @ Fix sleep condition check in CheckSocketRecvDatagramPermission().
1138 
1139       It seems that correct method to use is in_atomic()
1140       rather than in_interrupt() because in_atomic() returns nonzero
1141       whenever scheduling is not allowed.
1142 
1143 Fix 2008/02/05
1144 
1145     @ Use find_task_by_vpid() instead of find_task_by_pid().
1146 
1147       Kernel 2.6.24 introduced PID namespace.
1148       To search PID given from userland, the kernel needs to use
1149       find_task_by_vpid() instead of find_task_by_pid().
1150 
1151 Fix 2008/02/14
1152 
1153     @ Add execve() parameter checking.
1154 
1155       Until now, it was impossible to check argv[] and envp[] parameters
1156       passed to execve().
1157       I expanded conditional permission syntax so that
1158       { argc, envc, argv[] , envp[] } parameters can be checked if needed.
1159       This will allow administrator permit execution of /bin/sh only when
1160       /bin/sh is invoked in the form of "/bin/sh -c" and environment variable
1161       HOME is set by specifying
1162 
1163         allow_execute /bin/sh if exec.argv[1]="-c" exec.envp["HOME"]!=NULL
1164 
1165       in the policy.
1166       This extension will make exploit codes difficult to start /bin/sh because
1167       they unlikely set up environment variables and unlikely specify "-c"
1168       option when invoking /bin/sh , whereas proper functions likely set up
1169       environment variables and likely specify "-c" option.
1170 
1171 Fix 2008/02/18
1172 
1173     @ Add process state checking.
1174 
1175       Until now, it was impossible to change ACL without executing program.
1176       I added three variables for performing stateful checking within a domain.
1177       You can set current process's state like:
1178 
1179         allow_network TCP accept @TRUSTED_HOSTS 1024-65535 ; set task.state[0]=1
1180         allow_network TCP accept @UNTRUSTED_HOSTS 1024-65535 ; set task.state[0]=0
1181 
1182       and you can use the state like
1183 
1184         allow_read /path/to/important/file if task.state[0]=1
1185 
1186       in the policy.
1187       The state changes when the request was granted by the MAC's policy,
1188       so please be careful with situations where the state has changed
1189       successfully but the request was not processed because of other reasons
1190       (e.g. out of memory).
1191 
1192 Fix 2008/02/26
1193 
1194     @ Support /proc/ccs/ access by non-root user.
1195 
1196       Until now, only root user can access /proc/ccs/ interface.
1197       But to permit /proc/ccs/ access by non-root user so that it won't require
1198       ssh login by root user when administrating from remote host,
1199       I made "(current->uid == 0 && current->euid == 0)" requirement optional.
1200       If this requirement is disabled, only "conventional DAC permission
1201       checks" and "/proc/ccs/manager checks" are used.
1202 
1203 Fix 2008/02/29
1204 
1205     @ Add sleep_on_violation feature.
1206 
1207       Some exploit codes (e.g. trans2open for Samba) continue running
1208       until it achieves the purpose of the exploit code (e.g. invoke /bin/sh).
1209 
1210       If such code is injected due to buffer overflow but the kernel
1211       rejects the request, it triggers infinite "Permission denied" loop.
1212       As a result, the CPU usage becomes 100% and gives bad effects to
1213       the rest of processes.
1214       This is a side effect of rejecting the request from the exploit code
1215       which wouldn't happen if the request from the exploit code was granted.
1216 
1217       To avoid such CPU consumption, I added a penalty that forcibly
1218       sleeps for specified period when a request is rejected.
1219 
1220       This penalty doesn't work if the exploit code does nothing but
1221       continue running, but I think most exploit code's purpose is
1222       to start some program rather than to slow down the target system.
1223 
1224     @ Add alt_exec feature.
1225 
1226       Since TOMOYO Linux's approach is "know all essential requests in advance
1227       and create policy that permits only them", you can regard anomalous
1228       requests as attacks (if you want to do so).
1229 
1230       Common MAC implementations merely reject requests that violate policy.
1231       But I added a special handler for execve() to TOMOYO Linux.
1232 
1233       This handler is triggered when a process requested to execute a program
1234       but the request was rejected by the policy.
1235       This handler executes a program specified by the administrator
1236       instead of a program requested by the process.
1237 
1238       Most attackers attempt to execute /bin/sh to start something malicious.
1239       Attackers execute an exploit code using buffer overflow vulnerability
1240       to steal control of a process. But this handler can get back control
1241       if an exploit code requests execve() that is not permitted by policy.
1242 
1243       By default, this handler does nothing (i.e. merely reject execve()
1244       request). You can specify any program to start what you want to do.
1245 
1246       You can redirect attackers to somewhere else (e.g. honey pot).
1247       This makes it possible to act your Linux box as an on-demand honey pot
1248       while keeping regular services for your usage.
1249 
1250       You can collect information of the attacker (e.g. IP address) and
1251       update firewall configuration.
1252 
1253       You can silently terminate a process who requested execve()
1254       that is not permitted by policy.
1255 
1256 Fix 2008/03/03
1257 
1258     @ Add "force_alt_exec" directive.
1259 
1260       To be able to fully utilize "alt_exec" feature,
1261       I added "force_alt_exec" directive so that
1262       all execute requests are replaced by the execute request of a program
1263       specified by alt_exec feature.
1264 
1265       If this directive is specified for a domain, the domain no longer
1266       executes any programs regardless of the mode of file access control
1267       (i.e. the domain won't execute even if MAC_FOR_FILE=0 ).
1268       Instead, the domain executes the program specified by alt_exec feature
1269       and the program specified by alt_exec feature validates the execute
1270       request and executes it if it is appropriate to execute.
1271 
1272       If you can tolerate that there is no chance to return an error code
1273       to the caller to tell the execute request was rejected,
1274       this is more flexible approach than in-kernel execve() parameter
1275       checking because we can do argv[] and envp[] checking easily.
1276 
1277 Fix 2008/03/04
1278 
1279     @ Use string for access control mode.
1280 
1281       An integer expression for access control mode sometimes confuses
1282       administrators because profile number is also an integer expression.
1283       To avoid confusion between profile number and access control mode,
1284       I introduced a string expression for access control mode.
1285 
1286         Modes which take an integer between 0 and 3.
1287 
1288           0 -> disabled
1289           1 -> learning
1290           2 -> permissive
1291           3 -> enforcing
1292 
1293         Modes which take 0 or 1.
1294 
1295           0 -> disabled
1296           1 -> enabled
1297 
1298 Fix 2008/03/10
1299 
1300     @ Rename "force_alt_exec" directive to "execute_handler".
1301 
1302       To be able to use different programs for validating execve() parameters,
1303       I moved the location to specify the program's pathname from profile
1304       to domain policy.
1305 
1306       The "execute_handler" directive takes one pathname which is
1307       invoked whenever execve() request is issued. Thus, any "allow_execute"
1308       directives in a domain with "execute_handler" are ignored.
1309       This directive is designed for validating expected/desirable execve()
1310       requests in userspace, although there is no way to tell the caller
1311       that the execve() request was rejected.
1312 
1313     @ Rename "alt_exec" directive to "denied_execute_handler".
1314 
1315       The "denied_execute_handler" directive takes one pathname which is
1316       invoked only when execve() request was rejected. In other words,
1317       this program is invoked only when the following conditions are met.
1318 
1319         (1) None of "allow_execute" directives in the domain matched.
1320         (2) The execve() request was rejected in enforcing mode.
1321         (3) "execute_handler" directive is not used by the domain.
1322 
1323       This directive is designed for handling unexpected/undesirable execve()
1324       requests, to redirect the process issuing such requests to somewhere.
1325 
1326 Fix 2008/03/18
1327 
1328     @ Fix wrong/redundant locks in pre-vfs functions.
1329 
1330       lock_kernel()/unlock_kernel() in pre_vfs_rename() were redundant for
1331       2.6 kernels.
1332 
1333       Locking order in pre_vfs_link() and pre_vfs_unlink() for 2.4 kernels
1334       after 2.4.33 were different from before 2.4.32 .
1335 
1336 Fix 2008/03/28
1337 
1338     @ Disable execute handler loop.
1339 
1340       To be able to use "execute_handler" in a "keep_domain" domain,
1341       ignore "execute_handler" and "denied_execute_handler" directives
1342       if the current process is executing programs specified by
1343       "execute_handler" or "denied_execute_handler" directive.
1344 
1345       This exception is needed to avoid infinite execute handler loop.
1346       If a domain has both "keep_domain" and "execute_handler",
1347       any execute request by that domain is handled by an execute handler,
1348       and the execute handler attempts to process original execute request.
1349       But the original execute request is handled by the same execute handler
1350       unless the execute handler ignores "execute_handler".
1351 
1352     @ Update coding style.
1353 
1354       I rewrote the code to pass scripts/checkpatch.pl as much as possible.
1355       Function names were changed to use only lower letters.
1356 
1357 Version 1.6.0 2008/04/01   Feature enhancement release.
1358 
1359 Fix 2008/04/14
1360 
1361     @ Fix "Compilation failures" and "Initialization ordering bugs"
1362       with kernels before 2.4.30/2.6.11 .
1363 
1364       2.6 kernels before 2.6.9 didn't have include/linux/hardirq.h ,
1365       resulting compilation error at #include <linux/hardirq.h> .
1366       I added #elif condition.
1367 
1368       CentOS 4.6's 2.6.9 kernel calls do_execve() before initialization of
1369       ccs_alloc(), resulting NULL pointer dereference.
1370       I changed __initcall to core_initcall.
1371 
1372       CentOS 4.6's 2.6.9 kernel backported kzalloc() from 2.6.14 ,
1373       resulting compilation error at kzalloc().
1374       I modified prototype of kzalloc().
1375 
1376 Fix 2008/04/20
1377 
1378     @ Fix "Compilation failures" with kernels before 2.4.30/2.6.11 .
1379 
1380       Turbolinux 10 Server's 2.6.8 kernel backported kzalloc() as an inlined
1381       function, resulting compilation error at kzalloc().
1382       I converted kzalloc() from an inlined function into a macro.
1383 
1384 Fix 2008/04/21
1385 
1386     @ Add workaround for gcc 3.2.2's inline bug.
1387 
1388       RedHat Linux 9's gcc 3.2.2 generated a bad code
1389          if ((var_of_u8 & 0x000000BF) & 0x80000000) { }
1390       where the expected code is
1391          if ((var_of_u8 & 0xBF) & 0x80) { }
1392       when embedding ccs_acl_type2() into print_entry(),
1393       resulting runtime BUG().
1394       I added the expected code explicitly as a workaround.
1395 
1396 Fix 2008/05/06
1397 
1398     @ Add memory quota.
1399 
1400       1.5.x returns -ENOMEM when FindNextDomain() failed to create a new
1401       domain, but I forgot to return -ENOMEM when find_next_domain() failed to
1402       create a new domain.
1403 
1404       A domain is automatically created by find_next_domain() only if
1405       the domain for the requested program doesn't exist.
1406       This behavior is for the administrator's convenience.
1407       The administrator needn't to know how many domains are needed for running
1408       the whole programs in the system beforehand when developing the policy.
1409       But the administrator does not want the kernel to reject execution of the
1410       requested program when developing the policy.
1411 
1412       So, I think it is better to grant execution of programs even if
1413       find_next_domain() failed to create a new domain than reject execution.
1414       Thus, I decided not to return -ENOMEM when find_next_domain() failed to
1415       create a new domain. This exception breaks the domain transition rules,
1416       so I print "transition_failed" warning in /proc/ccs/domain_policy
1417       when this exception happened.
1418 
1419       Also, to prevent the system from being halted by unexpectedly allocating
1420       all kernel memory for the policy, I added memory quota.
1421       This quota is configurable via /proc/ccs/meminfo like
1422 
1423         echo Shared:  1048576 > /proc/ccs/meminfo
1424         echo Private: 1048576 > /proc/ccs/meminfo
1425 
1426 Version 1.6.1 2008/05/10   Bug fix release.
1427 
1428 Fix 2008/06/04
1429 
1430     @ Check open mode of /proc/ccs/ interface.
1431 
1432       It turned out that I can avoid allocating memory for reading if
1433       FMODE_READ is not set and memory for writing if FMODE_WRITE is not set.
1434 
1435     @ Wait for completion of /sbin/ccs-init .
1436 
1437       Since 2.4 kernel's call_usermodehelper() can't wait for termination of
1438       the executed program, I was using the close() request of
1439       /proc/ccs/meminfo to indicate that loading policy has finished.
1440       But since /proc/ccs/meminfo could be accessed for setting memory quota
1441       by /etc/ccs/ccs-post-init , I stopped using the close() request.
1442       The policy loader no longer need to access /proc/ccs/meminfo to notify
1443       the kernel that loading policy has finished.
1444 
1445 Fix 2008/06/05
1446 
1447     @ Fix realpath for pipes and sockets.
1448 
1449       Kernel 2.6.22 and later use different method for calculating d_path().
1450       Since fs/realpath.c didn't notice the change, the realpath of pipes
1451       appeared as "pipe:" rather than "pipe:[\$]" when they are opened via
1452       /proc/PID/fd/ directory.
1453 
1454     @ Add process's information into /proc/ccs/query .
1455 
1456       While /proc/ccs/grant_log and /proc/ccs/reject_log contain process's
1457       information, /proc/ccs/query doesn't contain it.
1458       To be able to utilize ccs-queryd and ccs-notifyd more, I added it into
1459       /proc/ccs/query .
1460 
1461 Fix 2008/06/10
1462 
1463     @ Allow using patterns for globally readable files.
1464 
1465       To allow users specify locale specific files to globally readable files,
1466       I relaxed checking in update_globally_readable_entry().
1467 
1468 Fix 2008/06/11
1469 
1470     @ Remove ALLOW_ENFORCE_GRACE parameter.
1471 
1472       Since unexpected requests caused by doing software updates can happen
1473       in all profiles, users likely have to write ALLOW_ENFORCE_GRACE=enabled
1474       to all profiles. And it makes meaningless to allow users to selectively
1475       enable specific profile's ALLOW_ENFORCE_GRACE parameter.
1476       So, I removed ALLOW_ENFORCE_GRACE parameter.
1477       Now, the system behaves as if ALLOW_ENFORCE_GRACE=enabled is specified.
1478       The behavior of "delayed enforcing" mode is defined in the following
1479       order.
1480 
1481       (1) The requests are rejected immediately if nobody is opening
1482           /proc/ccs/query interface.
1483       (2) The requests will be rejected in 10 seconds if somebody other than
1484           ccs-queryd (such as less(1)) is opening /proc/ccs/query interface,
1485           for such process doesn't write dummy decisions.
1486 
1487 Fix 2008/06/22
1488 
1489     @ Pass escaped pathname to audit_execute_handler_log().
1490 
1491       I was passing unescaped pathname to audit_execute_handler_log()
1492       which causes /proc/ccs/grant_log contain whitespace characters
1493       if execute handler's pathname contains whitespace characters.
1494 
1495 Fix 2008/06/25
1496 
1497     @ Return 0 when ccs_may_umount() succeeds.
1498 
1499       I forgot to clear error value in ccs_may_umount() when the requested
1500       directory didn't match "deny_unmount" directive. As a result, any umount()
1501       request with RESTRICT_UNMOUNT=enforcing returned -EPERM error.
1502 
1503 Version 1.6.2 2008/06/25   Usability enhancement release.
1504 
1505 Fix 2008/07/01
1506 
1507     @ Fix "Compilation failure" with 2.4.20 kernel.
1508 
1509       RedHat Linux 9's 2.4.20 kernel backported O(1) scheduler patch,
1510       resulting compilation error at ccs_load_policy().
1511       I added defined(TASK_DEAD) check.
1512 
1513 Fix 2008/07/08
1514 
1515     @ Don't check permissions if vfsmount is NULL.
1516 
1517       Some filesystems (e.g. unionfs) pass NULL vfsmount.
1518       I changed fs/tomoyo_file.c not to try to calculate pathnames
1519       if vfsmount is NULL.
1520 
1521 Version 1.6.3 2008/07/15   Bug fix release.
1522 
1523 Fix 2008/08/21
1524 
1525     @ Add workaround for gcc 4.3's bug.
1526 
1527       In some environments, fs/tomoyo_network.c could not be compiled
1528       because of gcc 4.3's bug.
1529       I modified save_ipv6_address() to use "integer literal" value
1530       instead for "static const u8" variable.
1531 
1532     @ Change prototypes of some functions.
1533 
1534       To support 2.6.27 kernels, I replaced "struct nameidata" with
1535       "struct path" for some functions.
1536 
1537     @ Detect distributor specific patches automatically.
1538 
1539       Since kernels with AppArmor patch applied is increasing,
1540       I introduced a mechanism which determines whether specific patches
1541       are applied or not, based on "#define" directives in the patches.
1542 
1543 Fix 2008/08/29
1544 
1545     @ Remove "-ccs" suffix from Makefile's EXTRAVERSION.
1546 
1547       To reduce conflicts on Makefile's EXTRAVERSION,
1548       I removed "-ccs" suffix from ccs-patch-2.\*.diff .
1549       Those who build kernels without using specs/build-\*.sh ,
1550       please edit EXTRAVERSION tag manually so that original kernels
1551       will not be overwritten by TOMOYO Linux kernels.
1552 
1553 Version 1.6.4 2008/09/03   Minor update release.
1554 
1555 Fix 2008/09/09
1556 
1557     @ Add "try again" response to "delayed enforcing" mode.
1558 
1559       To be able to handle pathname changes caused by software updates,
1560       "delayed enforcing" mode was introduced. It allows administrator to
1561       grant access requests which are about to be rejected by the kernel.
1562 
1563       To be able to handle pathname changes caused by software updates better,
1564       I introduced "try again" response. As "delayed enforcing" mode sleeps
1565       a process which violated policy, administrator can update policy while
1566       the process is sleeping. This "try again" response allows administrator
1567       to restart policy checks from the beginning after updating policy.
1568 
1569 Fix 2008/09/11
1570 
1571     @ Remember whether the process is allowed to write to /proc/ccs/ interface.
1572 
1573       Since programs for manipulating policy (e.g. ccs-queryd ) are installed
1574       in the form of RPM/DEB packages, these programs lose the original
1575       pathnames when they are updated by the package manager. The package
1576       manager renames these programs before deleting these programs so that
1577       the package manager can rollback the operation.
1578       This causes a problem when the programs are listed into /proc/ccs/manager
1579       using pathnames, as the programs will no longer be allowed to write to
1580       /proc/ccs/ interface while the process of old version of the program is
1581       alive.
1582 
1583       To solve this problem, I modified to remember the fact that the process
1584       is once allowed to write to /proc/ccs/ interface until the process
1585       attempts to execute a different program.
1586       This change makes it impossible to revoke permission to write to
1587       /proc/ccs/ interface without killing the process, but it will be better
1588       than nonfunctioning ccs-queryd program.
1589 
1590 Fix 2008/09/19
1591 
1592     @ Allow selecting a domain by PID.
1593 
1594       Sometimes we want to know what ACLs are given to specific PID, but
1595       finding a domainname for that PID from /proc/ccs/.process_status and
1596       reading ACLs from /proc/ccs/domain_policy by the domainname is very slow.
1597       Thus, I modified /proc/ccs/domain_policy to allow selecting a domain by
1598       PID. For example, to read domain ACL of current process from bash,
1599       run as follows.
1600 
1601       # exec 100<>/proc/ccs/domain_policy
1602       # echo select pid=$$ >&100
1603       # while read -u 100; do echo $REPLY; done
1604 
1605       If a domain is once selected by PID, reading /proc/ccs/domain_policy will
1606       print only that domain if that PID exists or print nothing otherwise.
1607 
1608     @ Disallow concurrent /proc/ccs/ access using the same file descriptor.
1609 
1610       Until now, one process can read() from /proc/ccs/ while other process
1611       that shares the file descriptor can write() to /proc/ccs/ .
1612       But to implement "Allow selecting a domain by PID" feature, I disabled
1613       concurrent read()/write() because the feature need to modify read buffer
1614       while writing.
1615 
1616 Fix 2008/10/01
1617 
1618     @ Add retry counter into /proc/ccs/query .
1619 
1620       To be able to handle some of queries from /proc/ccs/query without user's
1621       interaction, I added retry counter for avoiding infinite loop caused by
1622       "try again" response.
1623 
1624 Fix 2008/10/07
1625 
1626     @ Don't transit to new domain until do_execve() succeeds.
1627 
1628       Until now, a process's domain was updated to new domain which the process
1629       will belong to before do_execve() succeeds so that the kernel can do
1630       permission checks for interpreters and environment variables based on
1631       new domain. But this caused a subtle problem when other process sends
1632       signals to the process, for the process returns to old domain if
1633       do_execve() failed.
1634 
1635       So, I modified to pass new domain to functions so that I can avoid
1636       modifying a process's domain before do_execve() succeeds.
1637 
1638     @ Use old task state for audit logs.
1639 
1640       Until now, audit logs were generated using the task state after
1641       processing "; set task.state" part. But to generate accurate logs,
1642       I modified to save the task state before processing "; set task.state"
1643       part and use the saved state for audit logs.
1644 
1645     @ Use a structure for passing parameters.
1646 
1647       As the number of parameters is increasing, I modified to use a structure
1648       for passing parameters.
1649 
1650 Fix 2008/10/11
1651 
1652     @ Remove domain_acl_lock mutex.
1653 
1654       I noticed that I don't need to keep all functions that modify an ACL of
1655       a domain mutually exclusive. Since each functions handles different type
1656       of ACL, locking is needed only when they append an ACL to a domain.
1657       So, I modified to use local locks.
1658 
1659 Fix 2008/10/14
1660 
1661     @ Fix ccs_check_condition() bug.
1662 
1663       Due to a bug in ccs_check_condition(), it was impossible to use
1664       task.state[0] task.state[1] task.state[2] inside condition part
1665       if the ACL does not treat a pathname. For example, an ACL like
1666 
1667         allow_network TCP connect @HTTP_SERVERS 80 if task.state[0]=100
1668 
1669       didn't work.
1670 
1671 Fix 2008/10/15
1672 
1673     @ Show process information in /proc/ccs/.process_status .
1674 
1675       To be able to determine a process's type, I added a command "info PID"
1676       which returns process information of the specified PID in
1677       "PID manager=\* execute_handler=\* state[0]=\$ state[1]=\$ state[2]=\$"
1678       format.
1679 
1680 Fix 2008/10/20
1681 
1682     @ Use rcu_dereference() when walking the list.
1683 
1684       I was using "dependency ordering" for appending an element to a list
1685       without asking the reader to take a lock. But "dependency ordering"
1686       is not respected by DEC Alpha or by some aggressive value-speculation
1687       compiler optimizations.
1688 
1689       On such environment, use of "dependency ordering" can lead to system
1690       crash because the reader might read uninitialized value of newly
1691       appended element.
1692 
1693       To prevent the reader from reading uninitialized value of newly appended
1694       element, I inserted rcu_dereference() when walking the list.
1695 
1696 Fix 2008/11/04
1697 
1698     @ Use sys_getpid() instead for current->pid.
1699 
1700       Kernel 2.6.24 introduced PID namespace.
1701 
1702       To compare PID given from userland, I can't use current->pid.
1703       So, I modified to use sys_getpid() instead for current->pid.
1704 
1705       I modified to use task_tgid_nr_ns() for 2.6.25 and later instead for
1706       current->tgid when checking /proc/self/ in get_absolute_path().
1707 
1708 Fix 2008/11/07
1709 
1710     @ Fix is_alphabet_char().
1711 
1712       is_alphabet_char() should match 'A' - 'Z' and 'a' - 'z',
1713       but was matching from 'A' - 'F' and 'a' - 'f'.
1714 
1715     @ Add /proc/ccs/.execute_handler .
1716 
1717       Process information became visible to userspace by
1718       "Show process information in /proc/ccs/.process_status" feature.
1719       However, programs specified by execute_handler directive may run as
1720       non root user, making it impossible to see process information.
1721 
1722       So, I added a new interface that allows execute handler processes
1723       to see process information. The content of /proc/ccs/.execute_handler is
1724       identical to /proc/ccs/.process_status .
1725 
1726 Version 1.6.5 2008/11/11   Third anniversary release.
1727 
1728 Fix 2008/12/01
1729 
1730     @ Introduce "task.type=execute_handler" condition.
1731 
1732       The execute_handler directive is very very powerful. You can use this
1733       directive to do anything you want to do (e.g. logging and validating and
1734       modifying command line parameters and environment variables, opening and
1735       closing and redirecting files, creating pipes to implement antivirus and
1736       spam filtering, deploying a DMZ between the ssh daemon and the login
1737       shells).
1738 
1739       To be able to use this directive in a domain with keep_domain directive
1740       while limiting access to resources needed for such purposes to only
1741       programs invoked as an execute handler process, I added a new condition.
1742 
1743       In learning mode, "if task.type=execute_handler" condition part will be
1744       automatically added for requests issued by an execute_handler process.
1745 
1746     @ Introduce file's type and permissions as conditions.
1747 
1748       To be able to limit file types a process can access, I added
1749       new conditions for checking file's type and permissions.
1750       For example,
1751 
1752         allow_read /etc/fstab if path1.type=file path1.perm=0644
1753 
1754       will allow opening /etc/fstab for reading only if /etc/fstab is a regular
1755       file and it's permission is 0644, and
1756 
1757         allow_write /dev/null if path1.type=char path1.dev_major=1 path1.dev_minor=3
1758 
1759       will allow opening /dev/null for writing only if /dev/null is a character
1760       device file with major=1 and minor=3 attributes.
1761 
1762     @ Add memory quota for temporary memory used for auditing.
1763 
1764       Although there are MAX_GRANT_LOG and MAX_REJECT_LOG parameters
1765       which limit the number of entries for audit logs so that we can avoid
1766       memory consumption by audit logs, it would be more convenient if we can
1767       also limit the size in bytes.
1768       Thus, I added a new quota line.
1769 
1770         echo Dynamic: 1048576 > /proc/ccs/meminfo
1771 
1772       This quota is not applied to temporary memory used for permission checks.
1773 
1774 Fix 2008/12/09
1775 
1776     @ Fix ccs_can_save_audit_log() checks.
1777 
1778       Due to incorrect statement "if (ccs_can_save_audit_log() < 0)"
1779       while ccs_can_save_audit_log() is boolean, MAX_GRANT_LOG and
1780       MAX_REJECT_LOG were not working.
1781 
1782       This bug will trigger OOM killer if /usr/sbin/ccs-auditd is not working.
1783 
1784 Fix 2008/12/24
1785 
1786     @ Add "ccs_" prefix.
1787 
1788       To be able to tell whether a symbol is TOMOYO Linux related or not,
1789       I added "ccs_" prefix as much as possible.
1790 
1791     @ Fix ccs_check_flags() error message.
1792 
1793       I meant to print SYAORAN-ERROR: message when error == -EPERM,
1794       but I was printing it when error == 0 since 1.6.0 .
1795 
1796 Fix 2009/01/05
1797 
1798     @ Use kmap_atomic()/kunmap_atomic() for reading "struct linux_binprm".
1799 
1800       As remove_arg_zero() uses kmap_atomic(KM_USER0), I modified to use
1801       kmap_atomic(KM_USER0) rather than kmap().
1802 
1803 Fix 2009/01/28
1804 
1805     @ Fix "allow_read" + "allow_write" != "allow_read/write" problem.
1806 
1807       Since 1.6.0 , due to a bug in ccs_update_single_path_acl(),
1808       appending "allow_read/write" entry didn't update internal "allow_read"
1809       and "allow_write" entries. As a result, attempt to open(O_RDWR) succeeds
1810       but open(O_RDONLY) and open(O_WRONLY) fail.
1811 
1812       Workaround is to write an entry twice when newly appending that entry.
1813       If written twice, internal "allow_read" and "allow_write" entries
1814       are updated.
1815 
1816 Fix 2009/02/26
1817 
1818     @ Fix profile read error.
1819 
1820       Incorrect profiles were shown in /proc/ccs/profile
1821       if either CONFIG_SAKURA or CONFIG_TOMOYO is disabled.
1822 
1823 Fix 2009/03/02
1824 
1825     @ Undelete CONFIG_TOMOYO_AUDIT option.
1826 
1827       While HDD-less systems can use profiles with MAX_GRANT_LOG=0 and
1828       MAX_REJECT_LOG=0 , I undeleted CONFIG_TOMOYO_AUDIT option for saving
1829       memory used for /proc/ccs/grant_log and /proc/ccs/reject_log interfaces.
1830 
1831 Fix 2009/03/13
1832 
1833     @ Show only profile entry names ever specified.
1834 
1835       Even if an administrator specifies only COMMENT= and MAC_FOR_FILE=
1836       entries for /proc/ccs/profile , all available profile entries are shown.
1837       This was designed to help administrators to know what entries are
1838       available, but sometimes makes administrators feel noisy because of
1839       entries showing default values.
1840 
1841       Thus, I modified to show only profile entry names ever specified.
1842 
1843 Fix 2009/03/18
1844 
1845     @ Add MAC_FOR_IOCTL functionality.
1846 
1847       To be able to restrict ioctl() requests, I added MAC_FOR_IOCTL
1848       functionality.
1849 
1850       This functionality requires modification of ccs-patch-\*.diff .
1851 
1852     @ Use better name for socket's pathname.
1853 
1854       Until now, socket's pathname was represented as "socket:[\$]" format
1855       where \$ is inode's number. But inode's number is useless for name based
1856       access control. Therefore, I modified to represent socket's pathname as
1857       "socket:[family=\$:type=\$:protocol=\$]" format.
1858 
1859       This will help administrator to control ioctl() against sockets more
1860       precisely.
1861 
1862     @ Fix misplaced ccs_capable() call.  (only 2.6.8-\* and 2.6.9-\*)
1863 
1864       Location to insert ccs_capable(TOMOYO_SYS_IOCTL) in sys_ioctl() was
1865       wrong since version 1.1 .
1866 
1867     @ Insert ccs_check_ioctl_permission() call.
1868 
1869       To make MAC_FOR_IOCTL functionality working, I inserted
1870       ccs_check_ioctl_permission() call into ccs-patch-\*.diff .
1871 
1872 Fix 2009/03/23
1873 
1874     @ Move sysctl()'s check from ccs-patch-\*.diff to fs/tomoyo_file.c .
1875 
1876       Since try_parse_table() in kernel/sysctl.c is almost identical between
1877       all versions, I moved that function to fs/tomoyo_file.c .
1878 
1879     @ Relocate definitions and functions.
1880 
1881       To reduce exposed symbols, I relocated some definitions and functions.
1882 
1883 Fix 2009/03/24
1884 
1885     @ Add CONFIG_TOMOYO_BUILTIN_INITIALIZERS option.
1886 
1887       Some systems don't have /sbin/modprobe and /sbin/hotplug .
1888       Thus, I made these pathnames configurable.
1889 
1890 Version 1.6.7 2009/04/01   Feature enhancement release.
1891 
1892 Fix 2009/04/06
1893 
1894     @ Drop "undelete domain" command.
1895 
1896       I added "undelete domain" command on 2007/01/19, but never used by policy
1897       management tools. The garbage collector I added on 2007/01/29 will
1898       automatically reuse memory and allow administrators switch domain policy
1899       periodically, provided that the administrator kills processes in old
1900       domains before recreating new domains with the same domainnames.
1901 
1902       Thus, I dropped "undelete domain" command.
1903 
1904     @ Escape invalid characters in ccs_check_mount_permission2().
1905 
1906       ccs_check_mount_permission2() was passing unencoded strings to printk()
1907       and ccs_update_mount_acl() and ccs_check_supervisor(). This may cause
1908       /proc/ccs/system_policy and /proc/ccs/query to contain invalid
1909       characters within a string.
1910 
1911 Fix 2009/04/07
1912 
1913     @ Fix IPv4's "address_group" handling error.
1914 
1915       Since 1.6.5 , due to lack of ntohl() (byte order conversion) in
1916       ccs_update_address_group_entry(), "address_group" with IPv4 address was
1917       not working.
1918 
1919       This problem happens on little endian platforms (e.g. x86).
1920 
1921 Fix 2009/05/08
1922 
1923     @ Add condition for symlink's target pathname.
1924 
1925       Until now, "allow_symlink" keyword allows creation of a symlink but does
1926       not check the symlink's target. Usually it is no problem because
1927       permission checks are done using dereferenced pathname. But in some
1928       cases, we should restrict the symlink's target. For example,
1929       "ln -s .htpasswd /var/www/html/readme.html" by CGI program should be
1930       blocked because we will allow Apache to read both
1931       /var/www/html/readme.html and /var/www/html/.htpasswd .
1932 
1933       Thus, I added new condition, "symlink.target".
1934 
1935         allow_symlink /var/www/html/\*.html if symlink.target="\*.html"
1936 
1937         allow_symlink /var/www/html/\*\-.\* if symlink.target="\*\-.\*"
1938 
1939     @ Don't return -EAGAIN at ccs_socket_recvmsg_permission().
1940 
1941       It turned out that it is not permitted for accept() and recvmsg() to
1942       return -EAGAIN if poll() said connections/datagrams are ready. However,
1943       recvmsg() may return -EAGAIN and potentially confuse some applications
1944       because ccs_socket_recvmsg_permission() is returning -EAGAIN.
1945 
1946       Thus, I modified ccs_socket_recvmsg_permission() to return -ENOMEM
1947       rather than -EAGAIN.
1948 
1949 Fix 2009/05/19
1950 
1951     @ Don't call get_fs_type() with a mutex held.
1952 
1953       Until now, when ccs_update_mount_acl() is called with unsupported
1954       filesystem, /sbin/modprobe is executed from get_fs_type() to load
1955       filesystem module. And get_fs_type() does not return until /sbin/modprobe
1956       finishes.
1957 
1958       This means that it will cause deadlock if /sbin/modprobe (which is
1959       executed via get_fs_type() in ccs_update_mount_acl()) calls
1960       ccs_update_mount_acl(); although it won't happen unless an administrator
1961       inserts execute_handler to call mount() requests in learning mode or to
1962       add "allow_mount" entries to /proc/ccs/system_policy .
1963 
1964       I modified to unlock the mutex before calling get_fs_type().
1965 
1966 Fix 2009/05/20
1967 
1968     @ Update recvmsg() hooks.
1969 
1970       Since 1.5.0, I was doing network access control for incoming UDP and RAW
1971       packets inside skb_recv_datagram(). But to synchronize with LSM version,
1972       I moved ccs_recv_datagram_permission() hook from skb_recv_datagram() to
1973       udp_recvmsg()/udpv6_recvmsg()/raw_recvmsg()/rawv6_recvmsg() with name
1974       change to ccs_recvmsg_permission().
1975 
1976 Version 1.6.8 2009/05/28   Feature enhancement release.
1977 
1978 Fix 2009/07/03
1979 
1980     @ Fix buffer overrun when used with CONFIG_SLOB=y .
1981 
1982       Since 1.6.7 , ccs_allocate_execve_entry() was requesting for only 4000
1983       bytes while the comment says it is 4096 bytes. This may lead to buffer
1984       overrun when slob allocator is used, for slob allocator allocates exactly
1985       4000 bytes whereas slab and slub allocators allocate 4096 bytes.
1986 
1987 Fix 2009/09/01
1988 
1989     @ Add garbage collector support.
1990 
1991       Until now, it was impossible to release memory used by deleted policy.
1992       I added SRCU based garbage collector so that memory used by deleted
1993       policy will be automatically released.
1994 
1995     @ Remove word length limitation and line length limitation.
1996 
1997       Until now, the max length of a word is 4000 and the max length of a line
1998       is 8192. To be able to handle longer pathnames, I removed these
1999       limitations. Now, the max length (except the domainname and
2000       argv[]/envp[]) is 128K (which is the max amount of memory kmalloc()
2001       can allocate in most environments).
2002 
2003     @ Support more fine grained profile configuration.
2004 
2005       Profile was reconstructed.
2006 
2007     @ Support more fine grained parameters restrictions.
2008 
2009       "allow_create", "allow_mkdir", "allow_mkfifo", "allow_mksock" check
2010       create mode. "allow_mkblock" and "allow_mkchar" check create mode and
2011       major/minor device numbers. "allow_chmod" check new mode. "allow_chown"
2012       checks new owner. "allow_chgrp" checks new group.
2013 
2014     @ Allow number grouping.
2015 
2016       To help specifying numeric values, a new directive "number_group" is
2017       introduced.
2018 
2019     @ Remove "alias" directive and "allow_argv0" directive.
2020 
2021       Until now, "allow_execute" used dereferenced pathname if it is a symlink
2022       unless explicitly specified by "alias" directive.
2023 
2024       Now, "allow_execute" uses symlink's pathname if it is a symlink.
2025       "exec.realpath" in "if" clause checks the dereferenced pathname.
2026       "exec.argv[0]" in "if" clause checks the invocation name.
2027 
2028     @ Remove /proc/ccs/system_policy and /etc/ccs/system_policy.conf .
2029 
2030       "deny_autobind" was moved to /proc/ccs/exception_policy and
2031       /etc/ccs/exception_policy.conf . Other directives were moved to
2032       /proc/ccs/domain_policy and /etc/ccs/domain_policy.conf .
2033 
2034     @ Remove syaoran filesystem.
2035 
2036       Since "allow_create"/"allow_mkdir"/"allow_mkfifo"/"allow_mksock"/
2037       "allow_mkblock"/"allow_mkchar"/"allow_chmod"/"allow_chown"/"allow_chgrp"
2038       can restrict mode changes and owner/group changes, there is no need to
2039       restrict these changes at filesystem level.
2040 
2041       Thus, I removed syaoran filesystem.
2042 
2043     @ Reduce spinlocks.
2044 
2045       Until now, TOMOYO was using own list for detecting memory leak. But as
2046       kernel 2.6.31 introduced memory leak detection mechanism
2047       ( CONFIG_DEBUG_KMEMLEAK ), TOMOYO no longer needs to use own list.
2048 
2049       I removed the list to reduce use of spinlocks.
2050 
2051     @ Rewrite ccs-patch-2.\*.diff .
2052 
2053       ccs-patch-2.\*.diff was rewritten like LSM hooks.
2054 
2055     @ Don't check "allow_read/write" for open-for-ioctl-only.
2056 
2057       open(pathname, 3) means open for ioctl() only.
2058       Until now, TOMOYO was checking "allow_read/write" for open(pathname, 3).
2059       But since TOMOYO checks "allow_ioctl" for ioctl(), I modified not to
2060       require "allow_read/write" for open(pathname, 3).
2061 
2062     @ Add missing sigqueue() and tgsigqueue() hooks.
2063 
2064       Until now, kill(), tkill(), tgkill() had hooks but sigqueue() and
2065       tgsigqueue() didn't.
2066 
2067     @ Move files from fs/ to security/ccsecurity.
2068 
2069       Config menu section changed from "File systems" to "Security options".
2070 
2071       Kernel config symbols changed from CONFIG_SAKURA CONFIG_TOMOYO
2072       CONFIG_SYAORAN to CONFIG_CCSECURITY .
2073 
2074     @ Add global PID to audit logs.
2075 
2076       ccs-queryd was using domainname for reaching the domain which the process
2077       belongs to, but the domain could be deleted while ccs-queryd is handling
2078       policy violation. If the domain is deleted, ccs-queryd no longer can
2079       reach the domain by domainname. Thus, ccs-queryd now uses PID for
2080       reaching the domain which the process belongs to.
2081 
2082       Kernel 2.6.24 introduced PID namespace. The PID in access logs generated
2083       by a process inside a container is useless for ccs-queryd for reaching
2084       the domain which the process belongs to.
2085 
2086       Thus, I added global PID in audit logs.
2087 
2088     @ Transit to new domain before do_execve() succeeds.
2089 
2090       Permission checks for interpreters and environment variables are
2091       done using new domain. In order to allow ccs-queryd to reach the new
2092       domain via global PID, I reverted "Don't transit to new domain until
2093       do_execve() succeeds." made on 2008/10/07.
2094 
2095 Version 1.7.0 2009/09/03   Feature enhancement release.
2096 
2097 Fix 2009/09/04
2098 
2099     @ Fix wrong ccs_profile() calls.
2100 
2101       I can't call ccs_profile() for profile existence test because
2102       ccs_profile() never returns NULL.
2103 
2104 Fix 2009/09/06
2105 
2106     @ Fix wrong error code in ccs_try_alt_exec().
2107 
2108       ccs_try_alt_exec() was returning ENOMEM when kmalloc() failed.
2109       It needs to return -ENOMEM to fail.
2110 
2111 Fix 2009/09/10
2112 
2113     @ Do not check umount() permission for mount(MS_MOVE) requests.
2114 
2115       Until 1.6.x , umount() restriction was black listing. In 1.7.0 , it is
2116       white listing. This change caused "mount --move old new" requests to
2117       require "allow_unmount old" permission in addition to
2118       "allow_mount old new --move 0" permission.
2119       But we don't want to allow umount(old) requests when we want to allow
2120       only mount(old, new, MS_MOVE) requests. Thus, I modified not to check
2121       "allow_unmount old" permission for mount(old, new, MS_MOVE) requests.
2122 
2123 Fix 2009/09/11
2124 
2125     @ Support recursive match operators.
2126 
2127       Until now, ccs_path_matches_pattern() did not support recursive
2128       comparison. Thus, users had to repeat "/\*" when they want to specify
2129       recursively.
2130 
2131       I introduced "\{" and "\}" as repetition operator.
2132       To ensure consistency with TOMOYO's '/'-tokenized pattern matching rules
2133       and "\-" operator, only "/\{dir\}/" sequences (where dir does not contain
2134       '/') is permitted.
2135 
2136 Fix 2009/09/24
2137 
2138     @ Don't check chmod/chown capability for requests from kernel.
2139 
2140       Until now, ccs_setattr_permission() was inserted in notify_change().
2141       But notify_change() is also called by requests from kernel (e.g. UnionFS)
2142       and it made difficult to use TOMOYO on UnionFS.
2143 
2144       Thus, I moved ccs_capable() checks from ccs_setattr_permission() to
2145       ccs_chmod_permission() and ccs_chown_permission(), and removed
2146       ccs_setattr_permission().
2147 
2148 Fix 2009/09/25
2149 
2150     @ Embed more information into audit logs.
2151 
2152       Until now, /proc/ccs/grant_log /proc/ccs/reject_log /proc/ccs/query were
2153       not printing file's information (e.g. file's uid/gid/mode).
2154 
2155       Recently, users who started using "if" clause expect that the learning
2156       mode automatically adds various conditions like "if task.uid=path1.uid".
2157 
2158       But the profile will become too complicated if I support all possible
2159       conditions. Thus, I added all information which is enough to generate
2160       "if" clause with all possible conditions from audit logs.
2161 
2162       Now, the learning mode got different usage. Users can specify
2163       "CONFIG::learning={ max_entry=0 }" in the profile. All requests which
2164       are not permitted by policy will be sent to /proc/ccs/reject_log with
2165       "mode=learning" header lines. Users can selectively append conditions
2166       and append to the policy using "/usr/sbin/ccs-loadpolicy -d".
2167       The learning mode with "CONFIG::learning={ max_entry=0 }" is almost
2168       the same with the permissive mode, only difference is "mode=learning"
2169       and "mode=permissive".
2170 
2171 Fix 2009/10/05
2172 
2173     @ Fix size truncation bug at ccs_memcmp().
2174 
2175       ccs_memcmp() was using "u8" for size parameter by error. Therefore, when
2176       size >= 256 was passed to ccs_memcmp(), it was doing partial comparison
2177       (incorrect result) or read overrun (CPU stall).
2178 
2179       ccs_memcmp() should use "size_t" for size parameter because size of
2180       "struct ccs_condition" may exceed 256 bytes if complicated condition was
2181       given.
2182 
2183 Fix 2009/10/08
2184 
2185     @ Add CONFIG_CCSECURITY_DEFAULT_LOADER option.
2186 
2187       I made the default policy loader's pathname ( /sbin/ccs-init )
2188       configurable.
2189 
2190     @ Add CONFIG_CCSECURITY_ALTERNATIVE_TRIGGER option.
2191 
2192       Some environments do not have /sbin/init . In such environments, we need
2193       to use different program's pathname (e.g. /init or /linuxrc ) as
2194       activation trigger.
2195 
2196       Thus, I made the alternative trigger ( /sbin/ccs-start ) configurable.
2197 
2198 Fix 2009/11/02
2199 
2200     @ Fix buffer contention.
2201 
2202       A permission like
2203 
2204         allow_env PATH if exec.envp["PATH"]="/"
2205 
2206       was not working since I was using the same buffer for both environment
2207       variable's name and value.
2208 
2209 Fix 2009/11/03
2210 
2211     @ Fix memory leak in ccs_write_address_group_policy().
2212 
2213       I forgot to call kfree() if same entry was added.
2214 
2215     @ Reduce mutexes.
2216 
2217       I was using mutex_lock()/mutex_unlock() so that I can use
2218       atomic_dec_and_test() for removing an element from a list.
2219       I moved that operation to garbage collector in order to reduce frequency
2220       of mutex_lock()/mutex_unlock() calls.
2221 
2222     @ Escape from nested loops correctly.
2223 
2224       In ccs_read_address_group_policy(), I was escaping from nested loops
2225       correctly. But in ccs_read_path_group_policy() and
2226       ccs_read_number_group_policy(), I wasn't.
2227 
2228       As a result, reading path_group and number_group caused kernel oops
2229       when they were not read atomically.
2230 
2231 Fix 2009/11/06
2232 
2233     @ Fix incorrect allow_mount audit log.
2234 
2235       Audit log for allow_mount was using decimal format.
2236       It needs to use hexadecimal format.
2237 
2238 Fix 2009/11/09
2239 
2240     @ Add profile version check.
2241 
2242       To avoid upgrading from TOMOYO 1.6.x to TOMOYO 1.7.x without upgrading
2243       /proc/ccs/profile (which results in not protecting the system at all),
2244       I added a check for PROFILE_VERSION= .
2245 
2246 Version 1.7.1 2009/11/11   Fourth anniversary release.
2247 
2248 Fix 2009/11/13
2249 
2250     @ Don't use core_initcall() for initializing lock for GC.
2251 
2252      Some kernels call TOMOYO's hooks before processing core_initcall().
2253      Thus, I can't use core_initcall() for initializing lock for GC.
2254 
2255 Fix 2009/11/18
2256 
2257     @ Don't check "allow_write" permission for open(O_RDONLY | O_TRUNC).
2258 
2259       Since TOMOYO checks "allow_truncate" permission rather than "allow_write"
2260       permission for O_TRUNC, I need to distinguish open(O_RDONLY | O_TRUNC)
2261       and open(O_RDWR | O_TRUNC). But I made a mistake between TOMOYO 1.7.0 and
2262       1.7.1 which made it impossible for TOMOYO for kernels 2.6.14 and earlier
2263       to distinguish them.
2264 
2265 Fix 2009/11/27
2266 
2267     @ Use newly created domain's name for domain creation audit log.
2268 
2269       Since 1.7.0 , /proc/ccs/reject_log was by error using existing domain's
2270       name when auditing newly created domain's "use_profile" line.
2271 
2272 Fix 2009/12/12
2273 
2274     @ Use rcu_read_lock() for find_task_by_pid().
2275 
2276       Since kernel 2.6.18 , caller of find_task_by_pid() needs to call
2277       rcu_read_lock() rather than read_lock(&tasklist_lock) because find_pid()
2278       uses RCU primitives but spinlock does not prevent RCU callback if
2279       preemptive RCU ( CONFIG_PREEMPT_RCU or CONFIG_TREE_PREEMPT_RCU ) is
2280       enabled.
2281 
2282 Fix 2009/12/15
2283 
2284     @ Allow deleting "quota_exceeded" and "transition_failed" entries.
2285 
2286       To notify users of "this domain has too many entries to hold" and "some
2287       process in this domain was not able to perform domain transition",
2288       "quota_exceeded" and "transition_failed" messages are used respectively.
2289       These messages were not deletable. But it is more convenient for users
2290       to be notified again if such events occurred again after tuning policy.
2291       Thus, I made these messages deletable.
2292 
2293 Fix 2009/12/17
2294 
2295     @ Don't check read permission in ccs_try_alt_exec().
2296 
2297       While I was trying to remove ccs_execve_list list for GC optimization
2298       between TOMOYO 1.7.0 and 1.7.1 , I made a mistake which made TOMOYO to
2299       check allow_read permission of the programs specified by execute_handler
2300       and denied_execute_handler keywords.
2301 
2302     @ Don't check DAC permission if disabled mode.
2303 
2304       I was checking DAC permissions regarding directory entry modification
2305       operations (e.g. mkdir()) even if mode=disabled . It is a waste of CPU
2306       resource to check DAC permissions when MAC permissions are not checked.
2307       Thus, I modified to skip DAC permission checks if mode=disabled .
2308 
2309 Fix 2009/12/19
2310 
2311     @ Fix memory leak in ccs_environ().
2312 
2313       When I fixed a bug that a permission like
2314 
2315         allow_env PATH if exec.envp["PATH"]="/"
2316 
2317       was not working (2009/11/02), I allocated two buffers but only one buffer
2318       was released.
2319 
2320       This bug will trigger OOM killer if environment variable checking is
2321       enabled.
2322 
2323 Fix 2010/01/17
2324 
2325     @ Use current domain's name for execute_handler audit log.
2326 
2327       Since 1.6.7 , /proc/ccs/grant_log was by error using next domain's name
2328       when auditing current domain's "execute_handler" line.
2329 
2330 Fix 2010/03/02
2331 
2332     @ Allow domain transition without execve().
2333 
2334       To be able to split permissions for Apache's CGI programs which are
2335       executed without execve(), I added special domain transition which is
2336       performed by atomically writing '\0'-terminated binary string to
2337       /proc/ccs/.transition interface. For example, a process which belongs to
2338       "<kernel> /usr/sbin/httpd" domain will transit to
2339       "<kernel> /usr/sbin/httpd //app=cgi1\040id=10000" domain by atomically
2340       writing "app=cgi1 id=10000" + '\0' to /proc/ccs/.transition using
2341       Apache's ap_hook_handler() functionality.
2342 
2343       Note that '\0'-terminated binary string is converted to TOMOYO's string
2344       inside kernel and prefix "//" is automatically added to the string so
2345       that domainname does not conflict with domainnames created by execve().
2346       Without this prefix, if "<kernel> /usr/sbin/sshd /bin/bash" domain is
2347       allowed to open /proc/ccs/.transition for writing and
2348       "<kernel> /usr/sbin/sshd /bin/bash /usr/bin/passwd" domain is allowed to
2349       access /etc/shadow , /bin/bash will be able to access /etc/shadow by
2350       atomically writing "/usr/bin/passwd" + '\0' to /proc/ccs/.transition .
2351       Allowing /bin/bash to access /etc/shadow is not what people want.
2352 
2353       Permission for this operation is checked by "allow_transit" keyword.
2354       Unlike "allow_execute" keyword, the string parameter for "allow_transit"
2355       keyword does not refer a real file on filesystem's namespace. Therefore,
2356       you can store any combination of parameters like LDAP's DN entry in the
2357       string parameter for "allow_transit" keyword.
2358 
2359 Fix 2010/03/08
2360 
2361     @ Allow building as loadable kernel module.
2362 
2363       To be able to minimize filesize increment of vmlinux, I made it
2364       possible to compile TOMOYO Linux as loadable kernel module.
2365       Although patching the kernel source and recompiling the kernel are
2366       inevitable, this change will make it easier to enable TOMOYO Linux
2367       when there is a filesize limitation on vmlinux (e.g. embedded systems).
2368 
2369 Fix 2010/03/25
2370 
2371     @ Fix ccs_get_ipv6_address() bug.
2372 
2373       Since 1.7.0 , ccs_get_ipv6_address() was by error returning address of
2374       "struct list_head ccs_address_list" if memory allocation failed.
2375       As a result, ccs_put_ipv6_address() will modify memory near
2376       "struct list_head ccs_address_list" if memory allocation failed.
2377 
2378 Fix 2010/03/26
2379 
2380     @ Fix ccs_lport_reserved() bug.
2381 
2382       Since 1.7.0 , ccs_lport_reserved() was by error checking wrong port
2383       number. As a result, "deny_autobind" keyword was not working as expected.
2384 
2385 Version 1.7.2 2010/04/01   Feature enhancement release.
2386 
2387 Fix 2010/04/10
2388 
2389     @ Fix invalid "struct nameidata" to "struct path" conversion macro.
2390 
2391       Regarding kernels 2.6.24 and earlier, I was converting "struct nameidata"
2392       to "struct path" in caller side so that I can unify the callee function's
2393       parameter type. But it turned out that the macro I used did not follow C
2394       standards and did not work with gcc 4.x . As a result, "allow_pivot_root"
2395       keyword was not working as expected.
2396 
2397 Fix 2010/05/05
2398 
2399     @ Fix incorrect audit on/off control.
2400 
2401       The grant_log= and reject_log= parameters of CONFIG::misc::env were not
2402       used because I forgot to update request type. As a result, those of
2403       CONFIG::file::execute were used for CONFIG::misc::env .
2404 
2405       Those of CONFIG::file::rewrite were not used because I forgot to update
2406       request type. As a result, those of CONFIG::file::truncate were used for
2407       CONFIG::file::rewrite .
2408 
2409 Fix 2010/05/10
2410 
2411     @ Fix incorrect out of memory warning.
2412 
2413       Out of memory warnings were not printed in some cases by error.
2414 
2415 Fix 2010/05/27
2416 
2417     @ Add missing rcu_dereference() for ccs_find_execute_handler().
2418 
2419       Since 1.7.0 , ccs_find_execute_handler() was by error using
2420       list_for_each_entry() rather than list_for_each_entry_rcu().
2421       This bug affects only Alpha architecture.
2422 
2423 Fix 2010/06/03
2424 
2425     @ Fix missing sanity check for "file_pattern".
2426 
2427       Since 1.7.0 , ccs_write_pattern_policy() was by error accepting
2428       invalid pathname.
2429 
2430 Fix 2010/06/09
2431 
2432     @ Add missing ccs_put_name() in ccs_parse_envp().
2433 
2434       Since 1.7.0 , ccs_parse_envp() was not calling ccs_put_name() if
2435       environment variable's value ('if exec.envp["name"]="value"' condition)
2436       was invalid.
2437 
2438     @ Add missing NULL check in ccs_condition().
2439 
2440       Since 1.7.0 , if 'if symlink.target=' part was given against non-file
2441       permissions (e.g. allow_env PATH if symlink.target="/"), it triggered
2442       NULL pointer dereference.
2443 
2444 Fix 2010/10/28
2445 
2446     @ Fix umount() pathname calculation.
2447 
2448       "mount --bind /path/to/file1 /path/to/file2" is legal.
2449       Therefore, "umount /path/to/file2" is also legal.
2450       Do not automatically append trailing '/' if pathname to be unmounted
2451       does not end with '/'.
2452 
2453     @ Add preserve KABI compatibility option. (2.6 kernels only)
2454 
2455       TOMOYO needs "struct ccs_domain_info *" and "u32" for each
2456       "struct task_struct". But embedding these variables into
2457       "struct task_struct" breaks KABI for prebuilt kernel modules (which
2458       means that you will need to rebuild prebuilt kernel modules).
2459 
2460       Since KABI is commonly used (compared to 5 years ago), asking users to
2461       rebuild kernel modules which are not included in kernel package is no
2462       longer preferable. Therefore, I added a new option that keeps
2463       "struct task_struct" unmodified in order to keep KABI.
2464 
2465       Note that you have to use ccs-patch-2.6.\*.diff which patches
2466       kernel/fork.c in order to use this option. Otherwise, TOMOYO will leak
2467       memory whenever "struct task_struct" is released.
2468 
2469     @ Change directives.
2470 
2471       I removed "allow_" prefix from directives. New directives for files are
2472       prefixed with "file ". For example, "allow_read" changed to "file read",
2473       "allow_ioctl" changed to "file ioctl". New directive for "allow_network
2474       TCP" is "network inet stream", "allow_network UDP" is "network inet
2475       dgram", "allow_network RAW" is "network inet raw". New directive for
2476       "allow_env" is "misc env". New directive for "allow_signal" is "ipc
2477       signal". New directive for "allow_capability" is "capability". These new
2478       directives correspond with keywords used by profile's CONFIG lines.
2479 
2480       I removed "deny_rewrite" and "allow_rewrite" directives and introduced
2481       "file append" directive. Thus, permission for open(O_WRONLY | O_APPEND)
2482       changed from "allow_write" + "allow_rewrite" to "file append".
2483 
2484       I removed "SYS_MOUNT", "SYS_UMOUNT", "SYS_CHROOT", "SYS_KILL",
2485       "SYS_LINK", "SYS_SYMLINK", "SYS_RENAME", "SYS_UNLINK", "SYS_CHMOD",
2486       "SYS_CHOWN", "SYS_IOCTL", "SYS_PIVOT_ROOT" keywords from capabilities
2487       because these permissions can be checked by other directives (e.g.
2488       "file mount", "ipc signal").
2489 
2490       I also removed "conceal_mount" keyword from capabilities because this
2491       check requires hooks in filesystem part while almost all hooks for
2492       filesystem part have moved to LSM by Linux 2.6.34.
2493 
2494       New directive for "execute_handler" is "task auto_execute_handler",
2495       "denied_execute_handler" is "task denied_execute_handler".
2496 
2497     @ Distinguish send() and recv() operations.
2498 
2499       Until now, it was impossible for UDP and IP sockets to allow either
2500       only sending or only receiving because permissions were aggregated with
2501       "connect" keyword. I broke "connect" keyword into "send" and "recv"
2502       keywords so that you can keep access control for send() operation enabled
2503       when you have to disable access control for recv() operation due to
2504       application breakage by discarding incoming datagram.
2505 
2506     @ Add Unix domain socket restriction support.
2507 
2508       Until now, it was possible to restrict only inet domain sockets (i.e.
2509       TCP/UDP/RAW). I added restriction for Unix domain sockets (i.e. stream/
2510       dgram/seqpacket). New directive "network unix" is added as well as
2511       "network inet" directive.
2512 
2513     @ Allow specifying multiple permissions in a line.
2514 
2515       Until now, only "allow_read/write" can be specified for combination of
2516       "allow_read" + "allow_write". Now, you can combine other permissions as
2517       long as type of parameters for these permissions is same. For example,
2518       "file read/write/append/execute/unlink/truncate /tmp/file" is correct
2519       but "file read/write/create /tmp/file" is wrong because "file create"
2520       requires create mode whereas "file read" and "file write" do not.
2521 
2522     @ Allow wildcard for execute permission and domainname.
2523 
2524       Until now, to execute programs with temporary names, "aggregator" is
2525       needed. To simplify code, I modified to accept wildcards for execute
2526       permission and domainname. Now, you can directly specify
2527       "file execute /tmp/logrotate.\?\?\?\?\?\?" and use
2528       "/tmp/logrotate.\?\?\?\?\?\?" within domainnames.
2529 
2530     @ Change pathname for non-rename()able filesystems.
2531 
2532       LSM version of TOMOYO wants to use /proc/self/ rather than /proc/$PID/ if
2533       $PID matches current thread's process ID in order to prevent current
2534       thread from accessing other process's information unless needed.
2535       But since procfs can be mounted on various locations (e.g. /proc/ /proc2/
2536       /p/ /tmp/foo/100/p/ ), LSM version of TOMOYO cannot tell that whether the
2537       numeric part in the string returned by __d_path() represents process ID
2538       or not.
2539 
2540       Therefore, to be able to convert from $PID to self no matter where procfs
2541       is mounted, I changed pathname representations for filesystems which do
2542       not support rename() operation (e.g. proc, sysfs, securityfs).
2543 
2544       Now, "/proc/self/mounts" changed to "proc:/self/mounts" and
2545       "/sys/kernel/security/" changed to "sys:/kernel/security/" and
2546       "/dev/pts/0" changed to "devpts:/0".
2547 
2548     @ Add a new keyword "any" for domain transition control.
2549 
2550       To be able to make it easier to apply auto_execute_handler on each
2551       domain, I added "any" keyword to domain transition control keywords. Now,
2552       "initialize_domain /usr/sbin/sshd" changed to
2553       "initialize_domain /usr/sbin/sshd from any" and
2554       "keep_domain <kernel> /usr/sbin/sshd /bin/bash" changed to
2555       "keep_domain any from <kernel> /usr/sbin/sshd /bin/bash".
2556 
2557       "keep_domain /path/to/auto_execute_handler from any" will allow you to
2558       apply auto_execute_handler for any domains without creating domains for
2559       auto_execute_handler.
2560 
2561     @ Change buffering mode for reading policy.
2562 
2563       To be able to read() very very long lines correctly, I changed the way
2564       TOMOYO buffers policy for reading.
2565 
2566     @ Introduce "acl_group" keyword.
2567 
2568       Until now, it was possible to specify only "allow_read" and "allow_env"
2569       keywords in the exception policy.
2570 
2571       Since some operations like "file read/write/append /dev/null" and
2572       "network UDP send/recv @DNS_SERVER 53" are very common and should be
2573       permitted to all domains, I introduced "acl_group" keyword for giving
2574       such permissions.
2575 
2576       For example, specify "acl_group 0 file read/write/append /dev/null" in
2577       the exception policy and specify "use_group 0" from the domains in the
2578       domain policy.
2579 
2580       "ignore_global_allow_read" and "ignore_global_allow_env" directives were
2581       removed from domain policy and "use_group" keyword was added.
2582 
2583     @ Remove "if" and "; set" keyword.
2584 
2585       I removed need for specifying these keyword.
2586       You can simply specify like below.
2587 
2588         file read /etc/shadow task.uid=0
2589 
2590     @ Remove "file_pattern" keyword.
2591 
2592       I removed "file_pattern" keyword because it is impossible to predefine
2593       all possible pathname patterns. Also, learning pathnames using incomplete
2594       patterns makes it difficult to later replace using "path_group" keyword.
2595 
2596     @ Replace verbose= parameter with statistic interface.
2597 
2598       Since it is noisy if a lot of policy violation messages are printed,
2599       I removed printk(). To be able to check whether policy violation occurred
2600       or not, I introduced /proc/ccs/stat interface which counts number of
2601       policy violations occurred. You can firstly check /proc/ccs/stat and then
2602       check /proc/ccs/reject_log .
2603 
2604     @ Remove global preference.
2605 
2606       I removed global preference in order to make code simpler.
2607 
2608     @ Allow controlling generation of access granted logs for per an entry
2609       basis.
2610 
2611       I added per-entry flag which controls generation of grant logs because
2612       Xen and KVM issues ioctl requests so frequently. For example,
2613 
2614         file ioctl /dev/null 0x5401 grant_log=no
2615 
2616       will suppress /proc/ccs/grant_log even if preference says grant_log=yes .
2617 
2618         file ioctl /dev/null 0x5401 grant_log=yes
2619 
2620       will generate /proc/ccs/grant_log even if preference says grant_log=no .
2621 
2622         file ioctl /dev/null 0x5401
2623 
2624       will generate /proc/ccs/grant_log only if preference says grant_log=yes .
2625 
2626       This flag is intended for frequently accessed resources like
2627 
2628         file read /var/www/html/\{\*\}/\*.html grant_log=no
2629 
2630       .
2631 
2632     @ Automatically create domain by execve() even if enforcing mode.
2633 
2634       Until now, new domains are not created if the domain was not defined and
2635       current domain is enforcing mode ("CONFIG::file::execute=enforcing").
2636 
2637       To be able to restrict shell session without using "keep_domain",
2638       I changed to create new domains automatically even if current domain is
2639       enforcing mode.
2640 
2641     @ Replace "task.state" with "auto_domain_transition".
2642 
2643       task.state is difficult to use. Thus, I replaced task.state with
2644       auto_domain_transition which performs domain transition instead of
2645       changing current process's state variables.
2646 
2647       If domain transition failed, current process will be killed by SIGKILL
2648       signal. This should not happen in normal circumstances, for you know the
2649       domain to transit to and thereby you will define the domain beforehand
2650       when you use "auto_domain_transition" keyword.
2651 
2652     @ Replace "allow_transit" with "task manual_domain_transition".
2653 
2654       I changed this directive to specify absolute domainname (e.g.
2655       "<kernel> /usr/sbin/httpd //app=cgi1\040id=10000") rather than virtual
2656       pathname (e.g. "//app=cgi1\040id=10000") because you know the domain to
2657       transit to and thereby you will define the domain beforehand when you use
2658       "task manual_domain_transition" directive.
2659 
2660       This change allows you to jump to arbitrary domain.
2661 
2662       Note that this change also reverts "Change /proc/ccs/info/self_domain ."
2663       made on 2006/10/24. Now, 'cat < /proc/ccs/info/self_domain' will act like
2664       'cat /proc/ccs/info/self_domain'. Programs depending on old assumption
2665       need to be updated.
2666 
2667     @ Add "task auto_domain_transition".
2668 
2669       This is similar to "task manual_domain_transition", but is automatically
2670       applied whenever conditions are met. For example,
2671 
2672         task auto_domain_transition <kernel> //./non-root task.uid!=0
2673 
2674       will automatically jump to "<kernel> //./non-root" domain if current
2675       process's UID is not 0 whereas
2676 
2677         task manual_domain_transition <kernel> //./non-root task.uid!=0
2678 
2679       will jump to "<kernel> //./non-root" domain if current process's UID is
2680       not 0 and current process wrote "<kernel> //./non-root" to
2681       /proc/ccs/self_domain interface.
2682 
2683       If domain transition failed, current process will be killed by SIGKILL
2684       signal.
2685 
2686     @ Optimize for object's size.
2687 
2688       I merged similar code in order to reduce object's filesize.
2689 
2690 Version 1.8.0 2010/11/11   Fifth anniversary release.
2691 
2692 Fix 2010/12/01
2693 
2694     @ Use same interface for audit logs.
2695 
2696       To be able to perform fine grained filtering by /usr/sbin/ccs-auditd ,
2697       I merged /proc/ccs/grant_log and /proc/ccs/reject_log as
2698       /proc/ccs/audit and added granted=yes or granted=no to audit logs.
2699 
2700 Fix 2010/12/17
2701 
2702     @ Split ccs_null_security into ccs_default_security and ccs_oom_security.
2703 
2704       ccs_null_security is used by preserve KABI compatibility option and is
2705       used for providing default values against threads which have not yet
2706       allocated memory for their security contexts.
2707 
2708       If current thread failed to allocate memory for current thread's security
2709       context, current thread uses ccs_null_security. Since current thread is
2710       allowed to modify current thread's security context, current thread might
2711       modify ccs_null_security which should not be modified for any reason.
2712 
2713       Therefore, I split ccs_null_security into ccs_default_security and
2714       ccs_oom_security and use ccs_oom_security when current thread failed to
2715       allocate memory for current thread's security context.
2716 
2717       Threads which do not share ccs_oom_security are not affected by threads
2718       which share ccs_oom_security. Threads which share ccs_oom_security will
2719       experience temporary inconsistency, but such threads are about to be
2720       killed by SIGKILL signal.
2721 
2722 Fix 2011/01/11
2723 
2724     @ Use filesystem name for unnamed devices when vfsmount is missing.
2725 
2726       "Change pathname for non-rename()able filesystems." changed to use
2727       "$fsname:" if the filesystem does not support rename() operation and
2728       "dev($major,$minor):" otherwise when vfsmount is missing. But it turned
2729       out that it is useless to use "dev($major,$minor):" for unnamed devices
2730       (filesystems with $major == 0). Thus, I changed to use "$fsname:" rather
2731       than "dev($major,$minor):" for filesystems with $major == 0 when vfsmount
2732       is missing.
2733 
2734 Fix 2011/02/07
2735 
2736     @ Fix infinite loop bug when reading /proc/ccs/audit or /proc/ccs/query .
2737 
2738       In ccs_flush(), head->r.w[0] holds pointer to string data to be printed.
2739       But head->r.w[0] was updated only when the string data was partially
2740       printed (because head->r.w[0] will be updated by head->r.w[1] later if
2741       completely printed). However, regarding /proc/ccs/audit and
2742       /proc/ccs/query , an additional '\0' is printed after the string data was
2743       completely printed. But if free space for read buffer became 0 before
2744       printing the additional '\0', ccs_flush() was returning without updating
2745       head->r.w[0]. As a result, ccs_flush() forever reprints already printed
2746       string data.
2747 
2748 Fix 2011/03/01
2749 
2750     @ Run garbage collector without waiting for /proc/ccs/ users.
2751 
2752       Currently TOMOYO holds SRCU lock upon open() and releases it upon close()
2753       because list elements stored in the "struct ccs_io_buffer" instances are
2754       accessed until close() is called. However, such SRCU usage causes lockdep
2755       to complain about leaving the kernel with SRCU lock held. Therefore,
2756       I changed to hold/release SRCU upon each read()/write() by selectively
2757       deferring kfree() by keeping track of the "struct ccs_io_buffer"
2758       instances.
2759 
2760 Fix 2011/03/05
2761 
2762     @ Support built-in policy configuration.
2763 
2764       To be able to start using enforcing mode from the early stage of boot
2765       sequence, I added support for built-in policy configuration and
2766       activating access control without calling external policy loader program.
2767 
2768       This will be useful for systems where operations which can lead to the
2769       hijacking of the boot sequence are needed before loading the policy.
2770       For example, you can activate immediately after loading the fixed part of
2771       policy which will allow only operations needed for mounting a partition
2772       which contains the variant part of policy and verifying (e.g. running GPG
2773       check) and loading the variant part of policy. Since you can start using
2774       enforcing mode from the beginning, you can reduce the possibility of
2775       hijacking the boot sequence.
2776 
2777 Fix 2011/03/10
2778 
2779     @ Remove /proc/ccs/meminfo interface.
2780 
2781       Please use /proc/ccs/stat interface instead.
2782 
2783 Fix 2011/03/15
2784 
2785     @ Pack policy when printing via /proc/ccs/ interface.
2786 
2787       The kernel side is ready for accepting packed input like
2788 
2789         file read/write/execute /path/to/file
2790 
2791       but was using unpacked output like
2792 
2793         file read /path/to/file
2794         file write /path/to/file
2795         file execute /path/to/file
2796 
2797       because most of userland tools were not ready for accepting packed input.
2798 
2799       The advantages of using packed policy are that it makes policy files
2800       smaller and it speeds up loading/saving policy files.
2801 
2802       Since most of userland tools are ready for accepting packed input by now,
2803       I changed to use packed policy for both input and output.
2804 
2805 Fix 2011/03/31
2806 
2807     @ Fix conditional policy parsing.
2808 
2809       Since exec.realpath= and symlink.target= accept path_group,
2810       symlink.target="@foo" was by error parsed as symlink.target=@foo .
2811 
2812     @ Serialize updating profile's comment line.
2813 
2814       We need to serialize when updating COMMENT= line in /proc/ccs/profile .
2815 
2816 Version 1.8.1   2011/04/01   Usability enhancement with "Zettai, Daijoubudayo" release!
2817 
2818 Fix 2011/04/03
2819 
2820     @ Fix fcntl(F_SETFL, O_APPEND) handling.
2821 
2822       Since 1.8.0, TOMOYO was by error checking "file write" permission rather
2823       than "file append" permission when changing file's writing mode from
2824       "overwriting" to "append".
2825 
2826       This error should impact little (except CentOS 6.0 kernels) because once
2827       a file was opened for "overwriting" mode, changing that file to "append"
2828       mode cannot undo overwriting the file. Regarding CentOS 6.0 kernels,
2829       due to different ACC_MODE definition, TOMOYO was by error needlessly
2830       checking "file read" permission when fcntl() was requested.
2831 
2832 Fix 2011/04/20
2833 
2834     @ Remove unused "struct inode *" parameter from hooks.
2835 
2836       Since pre-vfs functions were removed on 2010/09/18, "struct inode *"
2837       parameter which was used for checking parent directory's DAC permission
2838       is no longer used.
2839 
2840       Note that "struct ccsecurity_operations ccsecurity_ops" has changed.
2841       Loadable kernel modules that depends on it need to be rebuilt.
2842 
2843 Fix 2011/05/05
2844 
2845     @ Fix wrong profile number in audit logs for "misc env" permission.
2846 
2847       Profile number used for "file execute" permission was by error reused
2848       when generating audit logs for "misc env" permission.
2849 
2850 Fix 2011/05/11
2851 
2852     @ Fix wrong domainname validation.
2853 
2854       "<kernel>" + "/foo/\" + "/bar" was by error checked when
2855       "<kernel> /foo/\* /bar" was given. As a result, legal domainnames like
2856       "<kernel> /foo/\* /bar" are rejected.
2857 
2858 Fix 2011/06/06
2859 
2860     @ Add policy namespace support.
2861 
2862       To be able to use TOMOYO in LXC environments, I introduced policy
2863       namespace. Each policy namespace has its own set of domain policy,
2864       exception policy and profiles, which are all independent of other
2865       namespaces.
2866 
2867     @ Remove CONFIG_CCSECURITY_BUILTIN_INITIALIZERS option.
2868 
2869       From now on, exception policy and manager need to be able to handle
2870       policy namespace (which is a <$namespace> prefix added to each line).
2871       Thus, space-separated list for CONFIG_CCSECURITY_BUILTIN_INITIALIZERS is
2872       no longer suitable for handling policy namespace.
2873 
2874 Fix 2011/06/10
2875 
2876     @ Allow specifying trigger for activation.
2877 
2878       To be able to use TOMOYO under systemd environments where init= parameter
2879       is used, I changed to allow overriding the trigger for calling external
2880       policy loader and activating MAC via kernel command line options.
2881 
2882 Fix 2011/06/14
2883 
2884     @ Remove unused "struct inode *" parameter from ccs-patch-\*.diff .
2885 
2886       To follow changes I made on 2011/04/20, I removed "struct inode *" from
2887       ccs_mknod_permission(), ccs_mkdir_permission(), ccs_rmdir_permission(),
2888       ccs_unlink_permission(), ccs_symlink_permission(), ccs_link_permission(),
2889       ccs_rename_permission() that are called from fs/namei.c
2890       net/unix/af_unix.c include/linux/security.c security/security.c .
2891       If you have your own ccs-patch-*.diff , please update accordingly.
2892 
2893 Version 1.8.2   2011/06/20   Usability enhancement release.
2894 
2895 Fix 2011/07/07
2896 
2897     @ Remove /proc/ccs/.domain_status interface.
2898 
2899       Writing to /proc/ccs/.domain_status can be emulated by
2900 
2901         ( echo "select " $domainname; echo "use_profile " $profile ) |
2902         /usr/sbin/ccs-loadpolicy -d
2903 
2904       and reading from /proc/ccs/.domain_status can be emulated by
2905 
2906         grep -A 1 '^<' /proc/ccs/domain_policy |
2907         awk ' { if ( domainname == "" ) { if ( substr($1, 1, 1) == "<" )
2908         domainname = $0; } else if ( $1 == "use_profile" ) {
2909         print $2 " " domainname; domainname = ""; } } ; '
2910 
2911       . Since this interface is used by only /usr/sbin/ccs-setprofile ,
2912       remove this interface by updating /usr/sbin/ccs-setprofile .
2913 
2914 Fix 2011/07/09
2915 
2916     @ Fix /proc/ccs/stat parser.
2917 
2918       For optimization, I changed to use simple_strtoul() rather than sscanf()
2919       in ccs_write_stat(). But it caused parsing failure if space is inserted
2920       before value (e.g. "Memory used by policy: $value").
2921 
2922 Fix 2011/07/13
2923 
2924     @ Accept "::" notation for IPv6 address.
2925 
2926       In order to add network access restriction to TOMOYO 2.4, I backported
2927       routines for parsing/printing IPv4/IPv6 address from kernel 3.0 into
2928       TOMOYO 1.8.2.
2929       Now, IPv6 address accepts "::1" instead of "0:0:0:0:0:0:0:1".
2930 
2931 Fix 2011/09/03
2932 
2933     @ Avoid race when retrying "file execute" permission check.
2934 
2935       There was a race window that the pathname which is subjected to
2936       "file execute" permission check when retrying via supervisor's decision
2937       because the pathname was recalculated upon retry. Though, there is an
2938       inevitable race window even without supervisor, for we have to calculate
2939       the symbolic link's pathname from "struct linux_binprm"->filename rather
2940       than from "struct linux_binprm"->file because we cannot back calculate
2941       the symbolic link's pathname from the dereferenced pathname.
2942 
2943     @ Remove unneeded daemonize().
2944 
2945       Garbage collector thread is created using kthread_create() since 2.6.7.
2946       Kernel threads created by kthread_create() does not need to call
2947       daemonize().
2948 
2949 Fix 2011/09/16
2950 
2951     @ Allow specifying domain transition preference.
2952 
2953       I got an opinion that it is difficult to use exception policy's domain
2954       transition control directives because they need to match the pathname
2955       specified to "file execute" directives. For example, if "file execute
2956       /bin/\*\-ls\-cat" is given, corresponding domain transition control
2957       directive needs to be like "no_keep_domain /bin/\*\-ls\-cat from any".
2958 
2959       To solve this difficulty, I introduced optional argument that supersedes
2960       exception policy's domain transition control directives.
2961 
2962         file execute /bin/ls keep exec.realpath="/bin/ls" exec.argv[0]="ls"
2963         file execute /bin/cat keep exec.realpath="/bin/cat" exec.argv[0]="cat"
2964         file execute /bin/\*\-ls\-cat child
2965         file execute /usr/sbin/httpd <apache> exec.realpath="/usr/sbin/httpd" exec.argv[0]="/usr/sbin/httpd"
2966 
2967       This argument allows transition to different domains based on conditions.
2968 
2969         <kernel> /usr/sbin/sshd
2970         file execute /bin/bash <kernel> /usr/sbin/sshd //batch-session exec.argc=2 exec.argv[1]="-c"
2971         file execute /bin/bash <kernel> /usr/sbin/sshd //root-session task.uid=0
2972         file execute /bin/bash <kernel> /usr/sbin/sshd //nonroot-session task.uid!=0
2973 
2974 Fix 2011/09/25
2975 
2976     @ Simplify garbage collector.
2977 
2978       It turned out that use of batched processing tends to choke garbage
2979       collector when certain pattern of entries are queued. Thus, I replaced it
2980       with sequential processing.
2981 
2982 Version 1.8.3   2011/09/29   Usability enhancement release.
2983 
2984 Fix 2011/10/24
2985 
2986     @ Fix incomplete read after seek.
2987 
2988       ccs_flush() tries to flush data to be read as soon as possible.
2989       ccs_select_domain() (which is called by write()) enqueues data which
2990       meant to be read by next read(), but previous read()'s read buffer's
2991       size was not cleared. As a result, since 1.8.0, sequence like
2992 
2993         char *cp = "select global-pid=1\n";
2994         read(fd, buf1, sizeof(buf1));
2995         write(fd, cp, strlen(cp));
2996         read(fd, buf2, sizeof(buf2));
2997 
2998       causes enqueued data to be flushed to buf1 rather than buf2.
2999 
3000     @ Use query id for reaching target process's domain policy.
3001 
3002       Use query id for reaching target process's domain policy rather than
3003       target process's global PID. This is for synchronizing with TOMOYO 2.x,
3004       but this change makes /usr/sbin/ccs-queryd more reliable because the
3005       kernel will return empty domain policy when the query has expired before
3006       ccs-queryd reaches target process's domain policy.
3007 
3008     @ Fix quota counting.
3009 
3010       "task manual_domain_transition" should not be counted for quota as with
3011       "task auto_domain_transition"/"task auto_execute_handler"/
3012       "task denied_execute_handler" because these are not appended by learning
3013       mode.
3014 
3015 Fix 2011/11/11
3016 
3017     @ Optimize for object's size.
3018 
3019       I rearranged functions/variables into three groups in order to reduce
3020       object's filesize. Also, I added kernel config options for reducing more
3021       by excluding unnecessary functionality.
3022 
3023 Fix 2011/11/18
3024 
3025     @ Fix kernel config mapping error.
3026 
3027       Due to a typo in ccs_p2mac definition, mode for CONFIG::file::execute was
3028       by error used when checking "file getattr" permission. Most users will
3029       not be affected by this error because CONFIG::file::execute and
3030       CONFIG::file::getattr are by default configured to use CONFIG::file or
3031       CONFIG settings.
3032 
3033 Fix 2011/12/13
3034 
3035     @ Follow __d_path() behavior change. (Only 2.6.36 and later)
3036 
3037       The behavior of __d_path() has changed in 3.2-rc5. __d_path() now returns
3038       NULL when the pathname cannot be calculated. You must update to this
3039       version when using with 3.2-rc5 and later kernels, or the kernel will
3040       panic because ccs_get_absolute_path() triggers NULL pointer dereference.
3041 
3042       The patch that changed the behavior of __d_path() might be backported to
3043       2.6.36 to 3.1 kernels. You must update to this version if the patch was
3044       backported, or you will experience the kernel panic as with 3.2-rc5.
3045 
3046       The patch that changed the behavior of __d_path() also changed the way of
3047       handling pathnames under lazy-unmounted directory. Until now, TOMOYO was
3048       using incomplete pathnames returned by __d_path() when the pathname is
3049       under lazy-unmounted directory. But from now on, TOMOYO uses different
3050       pathnames returned by ccs_get_local_path() when the pathname is under
3051       lazy-unmounted directory (because __d_path() no longer returns it).
3052 
3053       Since applications unlikely do lazy unmounts, requesting pathnames under
3054       lazy-unmounted directory should not happen unless the administrator
3055       explicitly does lazy unmounts. But pathnames which is defined for such
3056       conditions in the policy file (if any) will need to be rewritten.
3057 
3058 Fix 2012/01/20
3059 
3060     @ Follow changes in 3.3-rc1.
3061 
3062       Use umode_t rather than mode_t.
3063       Remove ipv6_addr_copy() usage.
3064 
3065 Fix 2012/02/25
3066 
3067     @ Follow changes in linux-next.
3068 
3069       UMH_WAIT_PROC constant (currently 1) is scheduled for renumbering in 3.4.
3070 
3071       Use UMH_WAIT_PROC constant instead of hardcoded constant in preparation
3072       for backporting call_usermodehelper() related changes. If renumbering was
3073       backported, you will start experiencing the kernel panic upon execution
3074       of external policy loader (i.e. /sbin/ccs-init), for the kernel will no
3075       longer wait for completion of external policy loader process.
3076 
3077       Although I changed to use UMH_WAIT_PROC constant, this change could fail
3078       to detect renumbering in 2.6.22 and earlier kernels, for UMH_WAIT_PROC
3079       constant is currently available to only 2.6.23 and later kernels. If you
3080       started to experience the kernel panic, please check whether renumbering
3081       was backported or not.
3082 
3083 Fix 2012/02/29
3084 
3085     @ Fix mount flags checking order.
3086 
3087       Userspace can pass in arbitrary combinations of MS_* flags to mount().
3088 
3089       If both MS_BIND and one of MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE
3090       are passed, device name which should be checked for MS_BIND was not
3091       checked because MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE had higher
3092       priority than MS_BIND.
3093 
3094       If both one of MS_BIND/MS_MOVE and MS_REMOUNT are passed, device name
3095       which should not be checked for MS_REMOUNT was checked because MS_BIND/
3096       MS_MOVE had higher priority than MS_REMOUNT.
3097 
3098       Fix these bugs by changing priority to MS_REMOUNT -> MS_BIND ->
3099       MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE -> MS_MOVE as with do_mount()
3100       does. Also, I changed to unconditionally return -EINVAL if more than one
3101       of MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE is passed so that TOMOYO
3102       will not generate inaccurate audit logs, for commit 7a2e8a8f "VFS: Sanity
3103       check mount flags passed to change_mnt_propagation()" clarified that
3104       these flags must be exclusively passed.
3105 
3106 Fix 2012/03/08
3107 
3108     @ Allow returning other errors when ptrace permission cannot be checked.
3109 
3110       Currently -EPERM is returned when ccs_ptrace_permission() returned an
3111       error code. I changed to return return value from ccs_ptrace_permission()
3112       so that we can return -ESRCH when target process was not found.
3113 
3114 Fix 2012/03/16
3115 
3116     @ Return appropriate value to poll().
3117 
3118       Return POLLIN | POLLRDNORM | POLLOUT | POLLWRNORM if ready to read/write,
3119       POLLOUT | POLLWRNORM otherwise.
3120 
3121 Fix 2012/04/22
3122 
3123     @ Readd RHEL_MINOR/AX_MINOR checks.
3124 
3125       This check was added in revision 2346 and was removed in revision 4084.
3126 
3127       Add it back in order to support RHEL 5.0, 5.1, 5.2 kernels.
3128 
3129     @ Fix skb_kill_datagram() for kernels 2.6.0 - 2.6.11.
3130 
3131       Commit 208d8984 "[IPV4]: Fix BUG() in 2.6.x, udp_poll(), fragments +
3132       CONFIG_HIGHMEM" clarified that skb_kill_datagram() should use
3133       spin_lock_bh()/spin_unlock_bh() rather than
3134       spin_lock_irq()/spin_unlock_irq().
3135 
3136       RHEL 4.9 (2.6.9) kernel has that patch backported. So do I.
3137 
3138     @ Fix missing locks for RHEL 5.2-5.8 kernels.
3139 
3140       Since RHEL 5.2 and later kernels have backported commit 95766fff
3141       "[UDP]: Add memory accounting." patch, TOMOYO needs to call
3142       lock_sock()/release_sock() around skb_kill_datagram() call when UDP
3143       packet was dropped by TOMOYO.
3144 
3145 Fix 2012/04/28
3146 
3147     @ Accept manager programs which do not start with / .
3148 
3149       The pathname of /usr/sbin/ccs-editpolicy seen from Ubuntu 12.04 Live
3150       CD is squashfs:/usr/sbin/ccs-editpolicy rather than
3151       /usr/sbin/ccs-editpolicy . Therefore, we need to accept manager
3152       programs which do not start with / .
3153 
3154 Fix 2012/10/08
3155 
3156     @ Fix KABI breakage on Ubuntu 12.10.
3157 
3158       I was using include/linux/security.h as the common path for pulling in
3159       include/linux/ccsecurity.h so that I can avoid scattering #include line.
3160 
3161       When scripts/genksyms/genksyms calculates hash values for Module.symvers
3162       file, it uses the extracted form of involved structures if the structure
3163       layout is known but it instead uses UNKNOWN if the structure layout is
3164       not known. Therefore, pulling in include files that define structure's
3165       layout from include/linux/ccsecurity.h causes changes in the hash values
3166       and causes KABI breakage, even if no changes were made to the involved
3167       structures.
3168 
3169       Fix this breakage by avoiding pulling in include/linux/sched.h and
3170       include/linux/dcache.h from include/linux/ccsecurity.h where possible.
3171 
3172 Fix 2015/01/01
3173 
3174     @ Fix missing chmod(-1) check in Linux 3.1 and later kernels.
3175 
3176       Commit e57712ebebbb9db7 "merge fchmod() and fchmodat() guts, kill
3177       ancient broken kludge" changed chmod(-1) from no-op to setting to
3178       07777. Therefore, TOMOYO must not ignore chmod(-1) case.
3179 
3180     @ Fix potentially using bogus attributes when stat() fails.
3181 
3182       We should reset attributes information when executing execute_handler
3183       program, or attributes of original program could be used when stat()
3184       on execute_handler program failed.
3185 
3186 Fix 2015/04/08
3187 
3188     @ Fix incorrect readdir() permission check.
3189 
3190       CONFIG_CCSECURITY_FILE_READDIR was meant for allowing users to control
3191       readdir() permission check. However, CONFIG_CCSECURITY_FILE_GETATTR was
3192       by error used for controlling readdir() permission check. This fix
3193       should not affect kernels built with default configuration, for both
3194       CONFIG_CCSECURITY_FILE_READDIR and CONFIG_CCSECURITY_FILE_GETATTR are
3195       defined by default.
3196 
3197 Fix 2015/04/15
3198 
3199     @ Fix incorrect retry request check.
3200 
3201       When a request was asked to retry, acl_group referenced by domain's
3202       use_group keyword was by error ignored. As a result, retrying was not
3203       able to use permissions defined by acl_group.
3204 
3205 Fix 2015/05/01
3206 
3207     @ Support multiple use_group entries.
3208 
3209       Until now, each domain can include only one use_group entry.
3210       I changed to allow each domain to include up to 256 use_group entries.
3211       As a result, you will be able to reduce duplication of policy by
3212       defining multiple acl_group entries based on use cases and including
3213       them from each domain as needed.
3214 
3215 Version 1.8.4   2015/05/05   Usability enhancement release.
3216 
3217 Fix 2015/11/08
3218 
3219     @ Use memory allocation flags used by TOMOYO 2.x.
3220 
3221       Until now, TOMOYO 1.x was using memory allocation flags which are weaker
3222       than TOMOYO 2.x in order to make sure that memory allocation request by
3223       TOMOYO 1.x shall not cause silent livelock problem.
3224 
3225       But as I learn about this livelock problem, I understood that this is
3226       not a problem which TOMOYO can manage. While hitting a silent livelock
3227       at memory allocation is a problem, refusing critical access requests
3228       by critical processes due to memory allocation failure caused by use of
3229       weaker memory allocation flags is also a problem.
3230 
3231       Since situations regarding memory allocation flags in upstream kernels
3232       are changing, it will be safer to use memory allocation flags used by
3233       TOMOYO 2.x.
3234 
3235 Fix 2015/11/10
3236 
3237     @ Limit wildcard recursion depth.
3238 
3239       Since wildcards that need recursion consume kernel stack memory,
3240       we cannot allow infinite recursion.
3241 
3242 Version 1.8.5   2015/11/11   Tenth anniversary release.
3243 
3244 Fix 2017/02/02
3245 
3246     @ Use for_each_thread() for GC operation.
3247 
3248       while_each_thread() without tasklist_lock is not safe.
3249       Use for_each_process_thread() if it is available, hold
3250       tasklist_lock otherwise.
3251 
3252 Fix 2018/04/01
3253 
3254     @ Use smb_rmb() when waiting for initialization.
3255 
3256       "while (!cond);" is implicitly optimized like "if (!cond) while (1);".
3257       Use "while (!cond) smp_rmb();" in order to prevent such optimization.

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp