{
  "log": [
    {
      "commit": "b4ccebdd37ff70d349321a198f416ba737a5e833",
      "tree": "275d717070346722c3aacd8355fb4f743216e03b",
      "parents": [
        "30ff056c42c665b9ea535d8515890857ae382540",
        "ef57471a73b67a7b65fd8708fd55c77cb7c619af"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Mar 01 09:36:31 2010 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Mar 01 09:36:31 2010 +1100"
      },
      "message": "Merge branch \u0027next\u0027 into for-linus\n"
    },
    {
      "commit": "97d6931ead3e89a764cdaa3ad0924037367f0d34",
      "tree": "ad69e76208832699a97e897af73b6aa23a655609",
      "parents": [
        "7ef612331fb219620cc1abfc2446bb027d388aa0"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Tue Feb 16 09:46:15 2010 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Feb 16 17:26:36 2010 +1100"
      },
      "message": "TOMOYO: Remove unneeded parameter.\n\ntomoyo_path_perm(), tomoyo_path2_perm() and tomoyo_check_rewrite_permission()\nalways receive tomoyo_domain(). We can move it from caller to callee.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "7ef612331fb219620cc1abfc2446bb027d388aa0",
      "tree": "3912acecc7437303e824d26a9ae124b765ce35d3",
      "parents": [
        "084da356f6e55ce42f1d2739178502023908c107"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Tue Feb 16 08:03:30 2010 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Feb 16 11:17:16 2010 +1100"
      },
      "message": "TOMOYO: Use shorter names.\n\nUse shorter name to reduce newlines needed for 80 columns limit.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "ec8e6a4e062e2edebef91e930c20572c9f4c0dda",
      "tree": "1c48fb2aa2220b3bdc138e0fb33e1ac632d0dffe",
      "parents": [
        "76bb0895d038be7bcdb6ccfcd2dd7deb30371d6b"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Thu Feb 11 09:43:20 2010 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Feb 15 09:00:21 2010 +1100"
      },
      "message": "TOMOYO: Add refcounter on domain structure.\n\nAdd refcounter to \"struct tomoyo_domain_info\" since garbage collector needs to\ndetermine whether this struct is referred to by \"struct cred\"-\u003esecurity or not.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "76bb0895d038be7bcdb6ccfcd2dd7deb30371d6b",
      "tree": "5948c68b08561deb20d155853faed475a15a4235",
      "parents": [
        "bf24fb016c861b7f52be0c36c4cedd3e89afa2e2"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Thu Feb 11 09:42:40 2010 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Feb 15 09:00:18 2010 +1100"
      },
      "message": "TOMOYO: Merge headers.\n\nGather structures and constants scattered around security/tomoyo/ directory.\nThis is for preparation for adding garbage collector since garbage collector\nneeds to know structures and constants which TOMOYO uses.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "6d125529c6cbfe570ce3bf9a0728548f087499da",
      "tree": "89ba434f76d224741bd0e0b0ef02b10a4ff95136",
      "parents": [
        "4ecf09fd3a7c8858198875171b684c73338fad83"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Thu Dec 24 06:58:56 2009 -0500"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Thu Jan 14 09:05:26 2010 -0500"
      },
      "message": "Fix ACC_MODE() for real\n\ncommit 5300990c0370e804e49d9a59d928c5d53fb73487 had stepped on a rather\nnasty mess: definitions of ACC_MODE used to be different.  Fixed the\nresulting breakage, converting them to variant that takes O_... value;\nall callers have that and it actually simplifies life (see tomoyo part\nof changes).\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "fdb8ebb729bbb640e64028a4f579a02ebc405727",
      "tree": "9dfca7422cb858cd05208734affab31d980030fe",
      "parents": [
        "86fc80f16e8a2449d5827bf1a9838b7fd9f70097"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Tue Dec 08 09:34:43 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Dec 15 15:46:31 2009 +1100"
      },
      "message": "TOMOYO: Use RCU primitives for list operation\n\nReplace list operation with RCU primitives and replace\ndown_read()/up_read() with srcu_read_lock()/srcu_read_unlock().\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "1ad1f10cd915744bbe52b19423653b38287d827d",
      "tree": "ae072aace36b45a55d80b8cbf1b6d92523a88ea0",
      "parents": [
        "08e3daff217059c84c360cc71212686e0a7995af",
        "2b876f95d03e226394b5d360c86127cbefaf614b"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Dec 09 19:01:03 2009 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Dec 09 19:01:03 2009 +1100"
      },
      "message": "Merge branch \u0027master\u0027 into next\n"
    },
    {
      "commit": "937bf6133b21b16965f75223085f4314ae32b8eb",
      "tree": "4a042bc9298ffddfaf4017a5796cae46e9594d2c",
      "parents": [
        "5d0901a3a0c39c97ca504f73d24030f63cfc9fa2"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Wed Dec 02 21:09:48 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Dec 08 14:58:05 2009 +1100"
      },
      "message": "TOMOYO: Add rest of file operation restrictions.\n\nLSM hooks for chmod()/chown()/chroot() are now ready.\nThis patch utilizes these hooks.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "c656ae95d1c5c8ed5763356263ace2d03087efec",
      "tree": "41409482c06e8d773a189dcfa8e3351f2a333e1f",
      "parents": [
        "a4054b6b20e9c2cca63715a319759bf8d37d82fc"
      ],
      "author": {
        "name": "Eric W. Biederman",
        "email": "ebiederm@xmission.com",
        "time": "Fri Nov 20 09:24:19 2009 -0800"
      },
      "committer": {
        "name": "Eric W. Biederman",
        "email": "ebiederm@xmission.com",
        "time": "Fri Nov 20 09:37:51 2009 -0800"
      },
      "message": "security/tomoyo: Remove now unnecessary handling of security_sysctl.\n\nNow that sys_sysctl is an emulation on top of proc sys all sysctl\noperations look like normal filesystem operations and we don\u0027t need\nto use the special sysctl hook to authenticate them.\n\nAcked-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\n"
    },
    {
      "commit": "86b1bc68e2f4244e4ea5db5458df9d19259fbb30",
      "tree": "a667f1fced80af12e75e28a8fd04f48ad3942ba7",
      "parents": [
        "50469619999a0bc2ba8fa1365dc443b7aed190af"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Mon Nov 09 09:12:15 2009 +0900"
      },
      "committer": {
        "name": "Eric W. Biederman",
        "email": "ebiederm@xmission.com",
        "time": "Thu Nov 12 02:05:05 2009 -0800"
      },
      "message": "sysctl security/tomoyo: Don\u0027t look at ctl_name\n\nctl_name field was removed. Always use procname field.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\n"
    },
    {
      "commit": "ee18d64c1f632043a02e6f5ba5e045bb26a5465f",
      "tree": "80b5a4d530ec7d5fd69799920f0db7b78aba6b9d",
      "parents": [
        "d0420c83f39f79afb82010c2d2cafd150eef651b"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Wed Sep 02 09:14:21 2009 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Sep 02 21:29:22 2009 +1000"
      },
      "message": "KEYS: Add a keyctl to install a process\u0027s session keyring on its parent [try #6]\n\nAdd a keyctl to install a process\u0027s session keyring onto its parent.  This\nreplaces the parent\u0027s session keyring.  Because the COW credential code does\nnot permit one process to change another process\u0027s credentials directly, the\nchange is deferred until userspace next starts executing again.  Normally this\nwill be after a wait*() syscall.\n\nTo support this, three new security hooks have been provided:\ncred_alloc_blank() to allocate unset security creds, cred_transfer() to fill in\nthe blank security creds and key_session_to_parent() - which asks the LSM if\nthe process may replace its parent\u0027s session keyring.\n\nThe replacement may only happen if the process has the same ownership details\nas its parent, and the process has LINK permission on the session keyring, and\nthe session keyring is owned by the process, and the LSM permits it.\n\nNote that this requires alteration to each architecture\u0027s notify_resume path.\nThis has been done for all arches barring blackfin, m68k* and xtensa, all of\nwhich need assembly alteration to support TIF_NOTIFY_RESUME.  This allows the\nreplacement to be performed at the point the parent process resumes userspace\nexecution.\n\nThis allows the userspace AFS pioctl emulation to fully emulate newpag() and\nthe VIOCSETTOK and VIOCSETTOK2 pioctls, all of which require the ability to\nalter the parent process\u0027s PAG membership.  However, since kAFS doesn\u0027t use\nPAGs per se, but rather dumps the keys into the session keyring, the session\nkeyring of the parent must be replaced if, for example, VIOCSETTOK is passed\nthe newpag flag.\n\nThis can be tested with the following program:\n\n\t#include \u003cstdio.h\u003e\n\t#include \u003cstdlib.h\u003e\n\t#include \u003ckeyutils.h\u003e\n\n\t#define KEYCTL_SESSION_TO_PARENT\t18\n\n\t#define OSERROR(X, S) do { if ((long)(X) \u003d\u003d -1) { perror(S); exit(1); } } while(0)\n\n\tint main(int argc, char **argv)\n\t{\n\t\tkey_serial_t keyring, key;\n\t\tlong ret;\n\n\t\tkeyring \u003d keyctl_join_session_keyring(argv[1]);\n\t\tOSERROR(keyring, \"keyctl_join_session_keyring\");\n\n\t\tkey \u003d add_key(\"user\", \"a\", \"b\", 1, keyring);\n\t\tOSERROR(key, \"add_key\");\n\n\t\tret \u003d keyctl(KEYCTL_SESSION_TO_PARENT);\n\t\tOSERROR(ret, \"KEYCTL_SESSION_TO_PARENT\");\n\n\t\treturn 0;\n\t}\n\nCompiled and linked with -lkeyutils, you should see something like:\n\n\t[dhowells@andromeda ~]$ keyctl show\n\tSession Keyring\n\t       -3 --alswrv   4043  4043  keyring: _ses\n\t355907932 --alswrv   4043    -1   \\_ keyring: _uid.4043\n\t[dhowells@andromeda ~]$ /tmp/newpag\n\t[dhowells@andromeda ~]$ keyctl show\n\tSession Keyring\n\t       -3 --alswrv   4043  4043  keyring: _ses\n\t1055658746 --alswrv   4043  4043   \\_ user: a\n\t[dhowells@andromeda ~]$ /tmp/newpag hello\n\t[dhowells@andromeda ~]$ keyctl show\n\tSession Keyring\n\t       -3 --alswrv   4043  4043  keyring: hello\n\t340417692 --alswrv   4043  4043   \\_ user: a\n\nWhere the test program creates a new session keyring, sticks a user key named\n\u0027a\u0027 into it and then installs it on its parent.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "56f8c9bc410deb55f21698e6a0d59f559ae1d794",
      "tree": "57536190ade898da7449eb8c369c32c80019cef5",
      "parents": [
        "ccf135f509abdbf607e9a68f08ddeee2c66dc36e"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@i-love.sakura.ne.jp",
        "time": "Fri Jun 19 14:13:27 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Jun 19 18:48:18 2009 +1000"
      },
      "message": "TOMOYO: Remove next_domain from tomoyo_find_next_domain().\n\nWe can update bprm-\u003ecred-\u003esecurity inside tomoyo_find_next_domain().\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "c3fa109a5894077d1eaf8731ea741a15dd117b3c",
      "tree": "a3d5f58ea878868b48a1493055e6f2cb6dd3c9de",
      "parents": [
        "5bf1692f65c12a8aa359dc883468284ffc3c4587"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@i-love.sakura.ne.jp",
        "time": "Mon Jun 08 12:37:39 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Jun 09 09:30:24 2009 +1000"
      },
      "message": "TOMOYO: Add description of lists and structures.\n\nThis patch adds some descriptions of lists and structures.\nThis patch contains no code changes.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "b1338d199dda6681d9af0297928af0a7eb9cba7b",
      "tree": "bdfcdf710df69eed78e7c4a2b86383ec3db9a230",
      "parents": [
        "e2a1b9ee2335c35e0e34c88a024481b194b3c9cc"
      ],
      "author": {
        "name": "Herton Ronaldo Krzesinski",
        "email": "herton@mandriva.com.br",
        "time": "Tue May 26 12:15:53 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed May 27 09:46:48 2009 +1000"
      },
      "message": "tomoyo: add missing call to cap_bprm_set_creds\n\ncap_bprm_set_creds() has to be called from security_bprm_set_creds().\nTOMOYO forgot to call cap_bprm_set_creds() from tomoyo_bprm_set_creds()\nand suid executables were not working.\n\nMake sure we call cap_bprm_set_creds() with TOMOYO, to set credentials\nproperly inside tomoyo_bprm_set_creds().\n\nSigned-off-by: Herton Ronaldo Krzesinski \u003cherton@mandriva.com.br\u003e\nAcked-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "39826a1e17c1957bd7b5cd7815b83940e5e3a230",
      "tree": "c1452c0293b7f2f4bce2c36d3b5aea8e4020ff3e",
      "parents": [
        "17a7b7b39056a82c5012539311850f202e6c3cd4"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Wed Apr 08 22:31:28 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Apr 14 09:15:02 2009 +1000"
      },
      "message": "tomoyo: version bump to 2.2.0.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "1581e7ddbdd97443a134e1a0cc9d81256baf77a4",
      "tree": "54134783d9b61dea08b434e0d6e447ac8f8924b2",
      "parents": [
        "0da0a420bb542b13ebae142109a9d2045ade0cb1"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Sat Feb 21 20:40:50 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Feb 23 09:45:05 2009 +1100"
      },
      "message": "TOMOYO: Do not call tomoyo_realpath_init unless registered.\n\ntomoyo_realpath_init() is unconditionally called by security_initcall().\nBut nobody will use realpath related functions if TOMOYO is not registered.\n\nSo, let tomoyo_init() call tomoyo_realpath_init().\n\nThis patch saves 4KB of memory allocation if TOMOYO is not registered.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "35d50e60e8b12e4adc2fa317343a176d87294a72",
      "tree": "d4374d08677dafdf940fc8bdaaadc0aeefa06126",
      "parents": [
        "42d5aaa2d826f54924e260b58a8e410e59d54163"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@i-love.sakura.ne.jp",
        "time": "Thu Feb 12 15:53:38 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 12 20:21:10 2009 +1100"
      },
      "message": "tomoyo: fix sparse warning\n\nFix sparse warning.\n\n$ make C\u003d2 SUBDIRS\u003dsecurity/tomoyo CF\u003d\"-D__cold__\u003d\"\n CHECK   security/tomoyo/common.c\n CHECK   security/tomoyo/realpath.c\n CHECK   security/tomoyo/tomoyo.c\nsecurity/tomoyo/tomoyo.c:110:8: warning: symbol \u0027buf\u0027 shadows an earlier one\nsecurity/tomoyo/tomoyo.c:100:7: originally declared here\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "f7433243770c77979c396b4c7449a10e9b3521db",
      "tree": "8bcb3d92ddb65b73f1802c5476d75f92814477d8",
      "parents": [
        "26a2a1c9eb88d9aca8891575b3b986812e073872"
      ],
      "author": {
        "name": "Kentaro Takeda",
        "email": "takedakn@nttdata.co.jp",
        "time": "Thu Feb 05 17:18:16 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 12 15:15:05 2009 +1100"
      },
      "message": "LSM adapter functions.\n\nDAC\u0027s permissions and TOMOYO\u0027s permissions are not a one-to-one mapping.\n\nRegarding DAC, there are \"read\", \"write\", \"execute\" permissions.\nRegarding TOMOYO, there are \"allow_read\", \"allow_write\", \"allow_read/write\",\n\"allow_execute\", \"allow_create\", \"allow_unlink\", \"allow_mkdir\", \"allow_rmdir\",\n\"allow_mkfifo\", \"allow_mksock\", \"allow_mkblock\", \"allow_mkchar\",\n\"allow_truncate\", \"allow_symlink\", \"allow_rewrite\", \"allow_link\",\n\"allow_rename\" permissions.\n\n+----------------------------------+----------------------------------+\n| requested operation              | required TOMOYO\u0027s permission     |\n+----------------------------------+----------------------------------+\n| sys_open(O_RDONLY)               | allow_read                       |\n+----------------------------------+----------------------------------+\n| sys_open(O_WRONLY)               | allow_write                      |\n+----------------------------------+----------------------------------+\n| sys_open(O_RDWR)                 | allow_read/write                 |\n+----------------------------------+----------------------------------+\n| open_exec() from do_execve()     | allow_execute                    |\n+----------------------------------+----------------------------------+\n| open_exec() from !do_execve()    | allow_read                       |\n+----------------------------------+----------------------------------+\n| sys_read()                       | (none)                           |\n+----------------------------------+----------------------------------+\n| sys_write()                      | (none)                           |\n+----------------------------------+----------------------------------+\n| sys_mmap()                       | (none)                           |\n+----------------------------------+----------------------------------+\n| sys_uselib()                     | allow_read                       |\n+----------------------------------+----------------------------------+\n| sys_open(O_CREAT)                | allow_create                     |\n+----------------------------------+----------------------------------+\n| sys_open(O_TRUNC)                | allow_truncate                   |\n+----------------------------------+----------------------------------+\n| sys_truncate()                   | allow_truncate                   |\n+----------------------------------+----------------------------------+\n| sys_ftruncate()                  | allow_truncate                   |\n+----------------------------------+----------------------------------+\n| sys_open() without O_APPEND      | allow_rewrite                    |\n+----------------------------------+----------------------------------+\n| setfl() without O_APPEND         | allow_rewrite                    |\n+----------------------------------+----------------------------------+\n| sys_sysctl() for writing         | allow_write                      |\n+----------------------------------+----------------------------------+\n| sys_sysctl() for reading         | allow_read                       |\n+----------------------------------+----------------------------------+\n| sys_unlink()                     | allow_unlink                     |\n+----------------------------------+----------------------------------+\n| sys_mknod(S_IFREG)               | allow_create                     |\n+----------------------------------+----------------------------------+\n| sys_mknod(0)                     | allow_create                     |\n+----------------------------------+----------------------------------+\n| sys_mknod(S_IFIFO)               | allow_mkfifo                     |\n+----------------------------------+----------------------------------+\n| sys_mknod(S_IFSOCK)              | allow_mksock                     |\n+----------------------------------+----------------------------------+\n| sys_bind(AF_UNIX)                | allow_mksock                     |\n+----------------------------------+----------------------------------+\n| sys_mknod(S_IFBLK)               | allow_mkblock                    |\n+----------------------------------+----------------------------------+\n| sys_mknod(S_IFCHR)               | allow_mkchar                     |\n+----------------------------------+----------------------------------+\n| sys_symlink()                    | allow_symlink                    |\n+----------------------------------+----------------------------------+\n| sys_mkdir()                      | allow_mkdir                      |\n+----------------------------------+----------------------------------+\n| sys_rmdir()                      | allow_rmdir                      |\n+----------------------------------+----------------------------------+\n| sys_link()                       | allow_link                       |\n+----------------------------------+----------------------------------+\n| sys_rename()                     | allow_rename                     |\n+----------------------------------+----------------------------------+\n\nTOMOYO requires \"allow_execute\" permission of a pathname passed to do_execve()\nbut does not require \"allow_read\" permission of that pathname.\nLet\u0027s consider 3 patterns (statically linked, dynamically linked,\nshell script). This description is to some degree simplified.\n\n  $ cat hello.c\n  #include \u003cstdio.h\u003e\n  int main() {\n          printf(\"Hello\\n\");\n          return 0;\n  }\n  $ cat hello.sh\n  #! /bin/sh\n  echo \"Hello\"\n  $ gcc -static -o hello-static hello.c\n  $ gcc -o hello-dynamic hello.c\n  $ chmod 755 hello.sh\n\nCase 1 -- Executing hello-static from bash.\n\n  (1) The bash process calls fork() and the child process requests\n      do_execve(\"hello-static\").\n\n  (2) The kernel checks \"allow_execute hello-static\" from \"bash\" domain.\n\n  (3) The kernel calculates \"bash hello-static\" as the domain to transit to.\n\n  (4) The kernel overwrites the child process by \"hello-static\".\n\n  (5) The child process transits to \"bash hello-static\" domain.\n\n  (6) The \"hello-static\" starts and finishes.\n\nCase 2 -- Executing hello-dynamic from bash.\n\n  (1) The bash process calls fork() and the child process requests\n      do_execve(\"hello-dynamic\").\n\n  (2) The kernel checks \"allow_execute hello-dynamic\" from \"bash\" domain.\n\n  (3) The kernel calculates \"bash hello-dynamic\" as the domain to transit to.\n\n  (4) The kernel checks \"allow_read ld-linux.so\" from \"bash hello-dynamic\"\n      domain. I think permission to access ld-linux.so should be charged to\n      hello-dynamic program, for \"hello-dynamic needs ld-linux.so\" is not\n      a fault of bash program.\n\n  (5) The kernel overwrites the child process by \"hello-dynamic\".\n\n  (6) The child process transits to \"bash hello-dynamic\" domain.\n\n  (7) The \"hello-dynamic\" starts and finishes.\n\nCase 3 -- Executing hello.sh from bash.\n\n  (1) The bash process calls fork() and the child process requests\n      do_execve(\"hello.sh\").\n\n  (2) The kernel checks \"allow_execute hello.sh\" from \"bash\" domain.\n\n  (3) The kernel calculates \"bash hello.sh\" as the domain to transit to.\n\n  (4) The kernel checks \"allow_read /bin/sh\" from \"bash hello.sh\" domain.\n      I think permission to access /bin/sh should be charged to hello.sh program,\n      for \"hello.sh needs /bin/sh\" is not a fault of bash program.\n\n  (5) The kernel overwrites the child process by \"/bin/sh\".\n\n  (6) The child process transits to \"bash hello.sh\" domain.\n\n  (7) The \"/bin/sh\" requests open(\"hello.sh\").\n\n  (8) The kernel checks \"allow_read hello.sh\" from \"bash hello.sh\" domain.\n\n  (9) The \"/bin/sh\" starts and finishes.\n\nWhether a file is interpreted as a program or not depends on an application.\nThe kernel cannot know whether the file is interpreted as a program or not.\nThus, TOMOYO treats \"hello-static\" \"hello-dynamic\" \"ld-linux.so\" \"hello.sh\"\n\"/bin/sh\" equally as merely files; no distinction between executable and\nnon-executable. Therefore, TOMOYO doesn\u0027t check DAC\u0027s execute permission.\nTOMOYO checks \"allow_read\" permission instead.\n\nCalling do_execve() is a bold gesture that an old program\u0027s instance (i.e.\ncurrent process) is ready to be overwritten by a new program and is ready to\ntransfer control to the new program. To split purview of programs, TOMOYO\nrequires \"allow_execute\" permission of the new program against the old\nprogram\u0027s instance and performs domain transition. If do_execve() succeeds,\nthe old program is no longer responsible for the consequences of the new\nprogram\u0027s behavior. Only the new program is responsible for all consequences.\n\nBut TOMOYO doesn\u0027t require \"allow_read\" permission of the new program.\nIf TOMOYO requires \"allow_read\" permission of the new program, TOMOYO will\nallow an attacker (who hijacked the old program\u0027s instance) to open the new\nprogram and steal data from the new program. Requiring \"allow_read\" permission\nwill widen purview of the old program.\n\nNot requiring \"allow_read\" permission of the new program against the old\nprogram\u0027s instance is my design for reducing purview of the old program.\nTo be able to know whether the current process is in do_execve() or not,\nI want to add in_execve flag to \"task_struct\".\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    }
  ]
}
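The sys_open() rows of the permission table in the "LSM adapter functions" commit message, combined with the O_...-taking ACC_MODE() that the "Fix ACC_MODE() for real" commit settles on, as an added worked example. This is not code from the kernel tree or from the TOMOYO authors; it models the table as a pure function so the required TOMOYO keywords for a given set of open flags can be computed and checked offline. Assumptions: the MAY_READ/MAY_WRITE values and the "\004\002\006\006" lookup follow the kernel's post-fix ACC_MODE() definition, and the "sys_open() without O_APPEND -> allow_rewrite" row is read as applying only to opens that can write.

```c
/*
 * Added example (not from the kernel tree): models the sys_open() rows of
 * the TOMOYO permission table as a pure function, using the O_...-taking
 * ACC_MODE() from the "Fix ACC_MODE() for real" commit.
 * Assumption: MAY_READ/MAY_WRITE and the lookup string mirror the kernel's
 * include/linux/fs.h definition of that era.
 */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>

#define MAY_WRITE 2
#define MAY_READ  4
/* Indexed by O_RDONLY(0)/O_WRONLY(1)/O_RDWR(2); slot 3 is the undefined
 * access mode and is treated as read+write, as the kernel does. */
#define ACC_MODE(x) ("\004\002\006\006"[(x) & O_ACCMODE])

/* TOMOYO permission keywords from the table, as bits so one open can need several. */
enum tomoyo_perm {
    TOMOYO_ALLOW_READ     = 1u << 0,
    TOMOYO_ALLOW_WRITE    = 1u << 1,
    TOMOYO_ALLOW_CREATE   = 1u << 2,
    TOMOYO_ALLOW_TRUNCATE = 1u << 3,
    TOMOYO_ALLOW_REWRITE  = 1u << 4,
};

/* Which TOMOYO permissions a sys_open(flags) must hold, per the table. */
unsigned int tomoyo_perms_for_open(int flags)
{
    unsigned int perms = 0;
    int acc = ACC_MODE(flags);          /* O_RDWR -> MAY_READ|MAY_WRITE == 6 */

    if (acc & MAY_READ)
        perms |= TOMOYO_ALLOW_READ;
    if (acc & MAY_WRITE)
        perms |= TOMOYO_ALLOW_WRITE;
    if (flags & O_CREAT)
        perms |= TOMOYO_ALLOW_CREATE;
    if (flags & O_TRUNC)
        perms |= TOMOYO_ALLOW_TRUNCATE;
    /* "sys_open() without O_APPEND -> allow_rewrite". Assumption: only a
     * write-capable open can rewrite existing content, so read-only opens
     * are exempt. */
    if ((acc & MAY_WRITE) && !(flags & O_APPEND))
        perms |= TOMOYO_ALLOW_REWRITE;
    return perms;
}

/* Append one keyword to a space-separated list, bounded by the buffer size. */
static void append_name(char *buf, size_t n, const char *name)
{
    size_t len = strlen(buf);
    if (len < n)
        snprintf(buf + len, n - len, "%s%s", len ? " " : "", name);
}

/* Render the permission set with TOMOYO's own keywords. The access-mode part
 * is a single keyword: allow_read, allow_write or allow_read/write. */
const char *tomoyo_describe_open(int flags)
{
    static char buf[96];
    unsigned int perms = tomoyo_perms_for_open(flags);

    buf[0] = '\0';
    switch (perms & (TOMOYO_ALLOW_READ | TOMOYO_ALLOW_WRITE)) {
    case TOMOYO_ALLOW_READ:
        append_name(buf, sizeof buf, "allow_read");
        break;
    case TOMOYO_ALLOW_WRITE:
        append_name(buf, sizeof buf, "allow_write");
        break;
    case TOMOYO_ALLOW_READ | TOMOYO_ALLOW_WRITE:
        append_name(buf, sizeof buf, "allow_read/write");
        break;
    default:
        break;
    }
    if (perms & TOMOYO_ALLOW_CREATE)
        append_name(buf, sizeof buf, "allow_create");
    if (perms & TOMOYO_ALLOW_TRUNCATE)
        append_name(buf, sizeof buf, "allow_truncate");
    if (perms & TOMOYO_ALLOW_REWRITE)
        append_name(buf, sizeof buf, "allow_rewrite");
    return buf;
}

int main(void)
{
    /* Constructed sample requests covering each open-related row of the table. */
    const struct { const char *name; int flags; } cases[] = {
        { "O_RDONLY",               O_RDONLY },
        { "O_WRONLY|O_APPEND",      O_WRONLY | O_APPEND },
        { "O_WRONLY",               O_WRONLY },
        { "O_RDWR|O_CREAT|O_TRUNC", O_RDWR | O_CREAT | O_TRUNC },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-24s -> %s\n", cases[i].name, tomoyo_describe_open(cases[i].flags));
    return 0;
}
```

The point the table makes, and the function preserves, is that a plain O_WRONLY open needs two keywords (allow_write and allow_rewrite) while O_WRONLY|O_APPEND needs only allow_write: append-only logging can be granted without granting the ability to overwrite history.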
