{
  "log": [
    {
      "commit": "6d125529c6cbfe570ce3bf9a0728548f087499da",
      "tree": "89ba434f76d224741bd0e0b0ef02b10a4ff95136",
      "parents": [
        "4ecf09fd3a7c8858198875171b684c73338fad83"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Thu Dec 24 06:58:56 2009 -0500"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Thu Jan 14 09:05:26 2010 -0500"
      },
      "message": "Fix ACC_MODE() for real\n\ncommit 5300990c0370e804e49d9a59d928c5d53fb73487 had stepped on a rather\nnasty mess: definitions of ACC_MODE used to be different.  Fixed the\nresulting breakage, converting them to variant that takes O_... value;\nall callers have that and it actually simplifies life (see tomoyo part\nof changes).\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "5300990c0370e804e49d9a59d928c5d53fb73487",
      "tree": "08ed922afd172662039c082ec9e9410070f4afe8",
      "parents": [
        "482928d59db668b8d82a48717f78986d8cea72e9"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Sat Dec 19 10:15:07 2009 -0500"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Tue Dec 22 12:27:34 2009 -0500"
      },
      "message": "Sanitize f_flags helpers\n\n* pull ACC_MODE to fs.h; we have several copies all over the place\n* nightmarish expression calculating f_mode by f_flags deserves a helper\ntoo (OPEN_FMODE(flags))\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "1557d33007f63dd96e5d15f33af389378e5f2e54",
      "tree": "06d05722b2ba5d2a67532f779fa8a88efe3c88f1",
      "parents": [
        "6ec22f9b037fc0c2e00ddb7023fad279c365324d",
        "c656ae95d1c5c8ed5763356263ace2d03087efec"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Dec 08 07:38:50 2009 -0800"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Dec 08 07:38:50 2009 -0800"
      },
      "message": "Merge git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/sysctl-2.6\n\n* git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/sysctl-2.6: (43 commits)\n  security/tomoyo: Remove now unnecessary handling of security_sysctl.\n  security/tomoyo: Add a special case to handle accesses through the internal proc mount.\n  sysctl: Drop \u0026 in front of every proc_handler.\n  sysctl: Remove CTL_NONE and CTL_UNNUMBERED\n  sysctl: kill dead ctl_handler definitions.\n  sysctl: Remove the last of the generic binary sysctl support\n  sysctl net: Remove unused binary sysctl code\n  sysctl security/tomoyo: Don\u0027t look at ctl_name\n  sysctl arm: Remove binary sysctl support\n  sysctl x86: Remove dead binary sysctl support\n  sysctl sh: Remove dead binary sysctl support\n  sysctl powerpc: Remove dead binary sysctl support\n  sysctl ia64: Remove dead binary sysctl support\n  sysctl s390: Remove dead sysctl binary support\n  sysctl frv: Remove dead binary sysctl support\n  sysctl mips/lasat: Remove dead binary sysctl support\n  sysctl drivers: Remove dead binary sysctl support\n  sysctl crypto: Remove dead binary sysctl support\n  sysctl security/keys: Remove dead binary sysctl support\n  sysctl kernel: Remove binary sysctl logic\n  ...\n"
    },
    {
      "commit": "7539cf4b92be4aecc573ea962135f246a7a33401",
      "tree": "6ed5ada6206e788e937ce1325a70a9d6fb0d3c2f",
      "parents": [
        "b3a222e52e4d4be77cc4520a57af1a4a0d8222d1"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Tue Nov 24 22:00:05 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Nov 25 18:51:16 2009 +1100"
      },
      "message": "TOMOYO: Add recursive directory matching operator support.\n\nTOMOYO 1.7.1 has recursive directory matching operator support.\nI want to add it to TOMOYO for Linux 2.6.33 .\n----------\n[PATCH] TOMOYO: Add recursive directory matching operator support.\n\nThis patch introduces new operator /\\{dir\\}/ which matches\n\u0027/\u0027 + \u0027One or more repetitions of dir/\u0027 (e.g. /dir/ /dir/dir/ /dir/dir/dir/ ).\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nAcked-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "c656ae95d1c5c8ed5763356263ace2d03087efec",
      "tree": "41409482c06e8d773a189dcfa8e3351f2a333e1f",
      "parents": [
        "a4054b6b20e9c2cca63715a319759bf8d37d82fc"
      ],
      "author": {
        "name": "Eric W. Biederman",
        "email": "ebiederm@xmission.com",
        "time": "Fri Nov 20 09:24:19 2009 -0800"
      },
      "committer": {
        "name": "Eric W. Biederman",
        "email": "ebiederm@xmission.com",
        "time": "Fri Nov 20 09:37:51 2009 -0800"
      },
      "message": "security/tomoyo: Remove now unnecessary handling of security_sysctl.\n\nNow that sys_sysctl is an emulation on top of proc sys all sysctl\noperations look like normal filesystem operations and we don\u0027t need\nto use the special sysctl hook to authenticate them.\n\nAcked-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\n"
    },
    {
      "commit": "a4054b6b20e9c2cca63715a319759bf8d37d82fc",
      "tree": "c7d17dda2b79fbc4faacd88514b01f49c3c05169",
      "parents": [
        "6d4561110a3e9fa742aeec6717248a491dfb1878"
      ],
      "author": {
        "name": "Eric W. Biederman",
        "email": "ebiederm@xmission.com",
        "time": "Fri Nov 20 09:12:22 2009 -0800"
      },
      "committer": {
        "name": "Eric W. Biederman",
        "email": "ebiederm@xmission.com",
        "time": "Fri Nov 20 09:23:22 2009 -0800"
      },
      "message": "security/tomoyo: Add a special case to handle accesses through the internal proc mount.\n\nWith the change of sys_sysctl going through the internal proc mount we no\nlonger need to handle security_sysctl in tomoyo as we have valid pathnames\nfor all sysctl accesses.  There is one slight caveat to that in that\nall of the paths from the internal mount look like\n\"/sys/net/ipv4/ip_local_port_range\" instead of\n\"/proc/sys/net/ipv4/ip_local_port_range\" so tomoyo needs to add the\n\"/proc\" portion manually when resolving to full path names to get what it expects.\n\nThis change teaches tomoyo to perform that modification.\n\nAcked-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nAcked-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\n"
    },
    {
      "commit": "86b1bc68e2f4244e4ea5db5458df9d19259fbb30",
      "tree": "a667f1fced80af12e75e28a8fd04f48ad3942ba7",
      "parents": [
        "50469619999a0bc2ba8fa1365dc443b7aed190af"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Mon Nov 09 09:12:15 2009 +0900"
      },
      "committer": {
        "name": "Eric W. Biederman",
        "email": "ebiederm@xmission.com",
        "time": "Thu Nov 12 02:05:05 2009 -0800"
      },
      "message": "sysctl security/tomoyo: Don\u0027t look at ctl_name\n\nctl_name field was removed. Always use procname field.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\n"
    },
    {
      "commit": "024e1a49411a1a7363e65db48edf1b09e9ee68ad",
      "tree": "628fb392d0230f2e46753c04dded209ef27124d1",
      "parents": [
        "d6ba452128178091dab7a04d54f7e66fdc32fb39"
      ],
      "author": {
        "name": "Stephen Hemminger",
        "email": "shemminger@vyatta.com",
        "time": "Tue Oct 27 19:24:46 2009 -0700"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Oct 29 11:17:33 2009 +1100"
      },
      "message": "tomoyo: improve hash bucket dispersion\n\nWhen examining the network device name hash, it was discovered that\nthe low order bits of full_name_hash() are not very well dispersed\nacross the possible values. When used by filesystem code, this is handled\nby folding with the function hash_long().\n\nThe only other non-filesystem usage of full_name_hash() at this time\nappears to be in TOMOYO. This patch should fix that.\n\nI do not use TOMOYO at this time, so this patch is build tested only.\n\nSigned-off-by: Stephen Hemminger \u003cshemminger@vyatta.com\u003e\nAcked-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "ee18d64c1f632043a02e6f5ba5e045bb26a5465f",
      "tree": "80b5a4d530ec7d5fd69799920f0db7b78aba6b9d",
      "parents": [
        "d0420c83f39f79afb82010c2d2cafd150eef651b"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Wed Sep 02 09:14:21 2009 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Sep 02 21:29:22 2009 +1000"
      },
      "message": "KEYS: Add a keyctl to install a process\u0027s session keyring on its parent [try #6]\n\nAdd a keyctl to install a process\u0027s session keyring onto its parent.  This\nreplaces the parent\u0027s session keyring.  Because the COW credential code does\nnot permit one process to change another process\u0027s credentials directly, the\nchange is deferred until userspace next starts executing again.  Normally this\nwill be after a wait*() syscall.\n\nTo support this, three new security hooks have been provided:\ncred_alloc_blank() to allocate unset security creds, cred_transfer() to fill in\nthe blank security creds and key_session_to_parent() - which asks the LSM if\nthe process may replace its parent\u0027s session keyring.\n\nThe replacement may only happen if the process has the same ownership details\nas its parent, and the process has LINK permission on the session keyring, and\nthe session keyring is owned by the process, and the LSM permits it.\n\nNote that this requires alteration to each architecture\u0027s notify_resume path.\nThis has been done for all arches barring blackfin, m68k* and xtensa, all of\nwhich need assembly alteration to support TIF_NOTIFY_RESUME.  This allows the\nreplacement to be performed at the point the parent process resumes userspace\nexecution.\n\nThis allows the userspace AFS pioctl emulation to fully emulate newpag() and\nthe VIOCSETTOK and VIOCSETTOK2 pioctls, all of which require the ability to\nalter the parent process\u0027s PAG membership.  However, since kAFS doesn\u0027t use\nPAGs per se, but rather dumps the keys into the session keyring, the session\nkeyring of the parent must be replaced if, for example, VIOCSETTOK is passed\nthe newpag flag.\n\nThis can be tested with the following program:\n\n\t#include \u003cstdio.h\u003e\n\t#include \u003cstdlib.h\u003e\n\t#include \u003ckeyutils.h\u003e\n\n\t#define KEYCTL_SESSION_TO_PARENT\t18\n\n\t#define OSERROR(X, S) do { if ((long)(X) \u003d\u003d -1) { perror(S); exit(1); } } while(0)\n\n\tint main(int argc, char **argv)\n\t{\n\t\tkey_serial_t keyring, key;\n\t\tlong ret;\n\n\t\tkeyring \u003d keyctl_join_session_keyring(argv[1]);\n\t\tOSERROR(keyring, \"keyctl_join_session_keyring\");\n\n\t\tkey \u003d add_key(\"user\", \"a\", \"b\", 1, keyring);\n\t\tOSERROR(key, \"add_key\");\n\n\t\tret \u003d keyctl(KEYCTL_SESSION_TO_PARENT);\n\t\tOSERROR(ret, \"KEYCTL_SESSION_TO_PARENT\");\n\n\t\treturn 0;\n\t}\n\nCompiled and linked with -lkeyutils, you should see something like:\n\n\t[dhowells@andromeda ~]$ keyctl show\n\tSession Keyring\n\t       -3 --alswrv   4043  4043  keyring: _ses\n\t355907932 --alswrv   4043    -1   \\_ keyring: _uid.4043\n\t[dhowells@andromeda ~]$ /tmp/newpag\n\t[dhowells@andromeda ~]$ keyctl show\n\tSession Keyring\n\t       -3 --alswrv   4043  4043  keyring: _ses\n\t1055658746 --alswrv   4043  4043   \\_ user: a\n\t[dhowells@andromeda ~]$ /tmp/newpag hello\n\t[dhowells@andromeda ~]$ keyctl show\n\tSession Keyring\n\t       -3 --alswrv   4043  4043  keyring: hello\n\t340417692 --alswrv   4043  4043   \\_ user: a\n\nWhere the test program creates a new session keyring, sticks a user key named\n\u0027a\u0027 into it and then installs it on its parent.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "56f8c9bc410deb55f21698e6a0d59f559ae1d794",
      "tree": "57536190ade898da7449eb8c369c32c80019cef5",
      "parents": [
        "ccf135f509abdbf607e9a68f08ddeee2c66dc36e"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@i-love.sakura.ne.jp",
        "time": "Fri Jun 19 14:13:27 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Jun 19 18:48:18 2009 +1000"
      },
      "message": "TOMOYO: Remove next_domain from tomoyo_find_next_domain().\n\nWe can update bprm-\u003ecred-\u003esecurity inside tomoyo_find_next_domain().\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "ccf135f509abdbf607e9a68f08ddeee2c66dc36e",
      "tree": "4641f30dc45901b619a86957efc72fd3d8d46228",
      "parents": [
        "d905163c5b23f6d8511971e06081a1b525e8a0bd"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@i-love.sakura.ne.jp",
        "time": "Fri Jun 19 10:29:34 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Jun 19 11:32:37 2009 +1000"
      },
      "message": "TOMOYO: Move tomoyo_delete_domain().\n\nWe can mark tomoyo_delete_domain() as a \"static\" function\nby moving it from domain.c to common.c .\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "c3fa109a5894077d1eaf8731ea741a15dd117b3c",
      "tree": "a3d5f58ea878868b48a1493055e6f2cb6dd3c9de",
      "parents": [
        "5bf1692f65c12a8aa359dc883468284ffc3c4587"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@i-love.sakura.ne.jp",
        "time": "Mon Jun 08 12:37:39 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Jun 09 09:30:24 2009 +1000"
      },
      "message": "TOMOYO: Add description of lists and structures.\n\nThis patch adds some descriptions of lists and structures.\nThis patch contains no code changes.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "5bf1692f65c12a8aa359dc883468284ffc3c4587",
      "tree": "bab96097b51791985d6361b6bdfaf0280b0fc995",
      "parents": [
        "0b4ec6e4e01d98e55ae325a41304cccd87fa4c0f"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@i-love.sakura.ne.jp",
        "time": "Fri Jun 05 14:44:58 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Jun 09 09:30:21 2009 +1000"
      },
      "message": "TOMOYO: Remove unused field.\n\nTOMOYO 2.2.0 is not using total_len field of \"struct tomoyo_path_info\".\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "0b4ec6e4e01d98e55ae325a41304cccd87fa4c0f",
      "tree": "1e075fdf4aaf0c5c003564b3f3414bb4a92ef2ed",
      "parents": [
        "04288f42033607099cebf5ca15ce8dcec3a9688b",
        "3af968e066d593bc4dacc021715f3e95ddf0996f"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Jun 09 09:27:53 2009 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Jun 09 09:27:53 2009 +1000"
      },
      "message": "Merge branch \u0027master\u0027 into next\n"
    },
    {
      "commit": "bcb86975dbcc24f820f1a37918d53914af29ace7",
      "tree": "887bf8bd4d7d896a1357a21ad1df576e5f3ad3b9",
      "parents": [
        "e0a94c2a63f2644826069044649669b5e7ca75d3"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@i-love.sakura.ne.jp",
        "time": "Thu Jun 04 15:14:34 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jun 04 17:35:18 2009 +1000"
      },
      "message": "TOMOYO: Remove unused parameter.\n\nTOMOYO 2.2.0 does not check argv[] and envp[] upon execve().\nWe don\u0027t need to pass \"struct tomoyo_page_buffer\".\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "7d2948b1248109dbc7f4aaf9867c54b1912d494c",
      "tree": "24edc8fa319598bc32b7d53c7b61fb3ec9ae9e92",
      "parents": [
        "ab588ccadc80f6ef5495e83e176e88c5c0fc2d0e"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Tue Jun 02 20:42:24 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jun 03 07:51:51 2009 +1000"
      },
      "message": "TOMOYO: Simplify policy reader.\n\nWe can directly assign the result of tomoyo_io_printf() to done flag.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "ab588ccadc80f6ef5495e83e176e88c5c0fc2d0e",
      "tree": "ffb995eba759218fd07795f00a1303518621c119",
      "parents": [
        "850b0cee165576f969363a8c52021b5cf9ecbe67"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@i-love.sakura.ne.jp",
        "time": "Tue Jun 02 14:23:39 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jun 03 07:50:06 2009 +1000"
      },
      "message": "TOMOYO: Remove redundant markers.\n\nRemove \u0027/***** START/STOP *****/\u0027 markers.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "fe67e6f2d6df371b58ba721954d45a196df5e8b8",
      "tree": "b4b186aa4b222bdc45839ff4bdbde6f80c413395",
      "parents": [
        "fbeb4a9c20d00e2550156f9e5a34473fbde59de2"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@i-love.sakura.ne.jp",
        "time": "Tue Jun 02 17:00:45 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Jun 02 21:19:54 2009 +1000"
      },
      "message": "TOMOYO: Remove unused mutex.\n\nI forgot to remove on TOMOYO\u0027s 15th posting.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "fbeb4a9c20d00e2550156f9e5a34473fbde59de2",
      "tree": "d08881a9eb2d768722363d7022d2ae4da81494d9",
      "parents": [
        "13b297d943828c4594527a2bd9c30ecd04e37886"
      ],
      "author": {
        "name": "Serge E. Hallyn",
        "email": "serue@us.ibm.com",
        "time": "Mon Jun 01 22:47:19 2009 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Jun 02 15:13:13 2009 +1000"
      },
      "message": "tomoyo: avoid get+put of task_struct\n\nUse task_cred_xxx(task, security) in tomoyo_real_domain() to\navoid a get+put of the target cred.\n\nSigned-off-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "b1338d199dda6681d9af0297928af0a7eb9cba7b",
      "tree": "bdfcdf710df69eed78e7c4a2b86383ec3db9a230",
      "parents": [
        "e2a1b9ee2335c35e0e34c88a024481b194b3c9cc"
      ],
      "author": {
        "name": "Herton Ronaldo Krzesinski",
        "email": "herton@mandriva.com.br",
        "time": "Tue May 26 12:15:53 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed May 27 09:46:48 2009 +1000"
      },
      "message": "tomoyo: add missing call to cap_bprm_set_creds\n\ncap_bprm_set_creds() has to be called from security_bprm_set_creds().\nTOMOYO forgot to call cap_bprm_set_creds() from tomoyo_bprm_set_creds()\nand suid executables were not working.\n\nMake sure we call cap_bprm_set_creds() with TOMOYO, to set credentials\nproperly inside tomoyo_bprm_set_creds().\n\nSigned-off-by: Herton Ronaldo Krzesinski \u003cherton@mandriva.com.br\u003e\nAcked-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "e24977d45f45d1675e050dc1a0aaf4bfc4ca9866",
      "tree": "ee39b590596e9ca6cd18b8ece11a1f6d24278c29",
      "parents": [
        "6b3304b531704711286c3359b06922b83fdba015"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Thu Apr 02 21:17:03 2009 -0400"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Sat May 09 10:49:42 2009 -0400"
      },
      "message": "Reduce path_lookup() abuses\n\n... use kern_path() where possible\n\n[folded a fix from rdd]\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "39826a1e17c1957bd7b5cd7815b83940e5e3a230",
      "tree": "c1452c0293b7f2f4bce2c36d3b5aea8e4020ff3e",
      "parents": [
        "17a7b7b39056a82c5012539311850f202e6c3cd4"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Wed Apr 08 22:31:28 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Apr 14 09:15:02 2009 +1000"
      },
      "message": "tomoyo: version bump to 2.2.0.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "a0558fc3491c0494feb8472cf6c0119e43fd9484",
      "tree": "e26a2baaa63c07761686f97cde9aa4aaa527f82f",
      "parents": [
        "d508afb437daee7cf07da085b635c44a4ebf9b38"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Mon Apr 06 20:49:14 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Apr 07 16:08:56 2009 +1000"
      },
      "message": "tomoyo: remove \"undelete domain\" command.\n\nSince TOMOYO\u0027s policy management tools do not use the \"undelete domain\"\ncommand, we decided to remove that command.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "5ad4e53bd5406ee214ddc5a41f03f779b8b2d526",
      "tree": "b3dab5140284b3edf02bf2b13f74bfddb25aa62a",
      "parents": [
        "ce3b0f8d5c2203301fc87f3aaaed73e5819e2a48"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Sun Mar 29 19:50:06 2009 -0400"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Tue Mar 31 23:00:27 2009 -0400"
      },
      "message": "Get rid of indirect include of fs_struct.h\n\nDon\u0027t pull it in sched.h; very few files actually need it and those\ncan include directly.  sched.h itself only needs forward declaration\nof struct fs_struct;\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "a106cbfd1f3703402fc2d95d97e7a054102250f0",
      "tree": "f386efb92e2c68bbd15900b6f14a56c444c28556",
      "parents": [
        "1987f17d2266e882862528841429b5bf67bc8fe5"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@i-love.sakura.ne.jp",
        "time": "Fri Mar 27 13:12:16 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Mar 27 19:03:44 2009 +1100"
      },
      "message": "TOMOYO: Fix a typo.\n\nFix a typo.\n\nReported-by: Pavel Machek \u003cpavel@ucw.cz\u003e\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "1581e7ddbdd97443a134e1a0cc9d81256baf77a4",
      "tree": "54134783d9b61dea08b434e0d6e447ac8f8924b2",
      "parents": [
        "0da0a420bb542b13ebae142109a9d2045ade0cb1"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Sat Feb 21 20:40:50 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Feb 23 09:45:05 2009 +1100"
      },
      "message": "TOMOYO: Do not call tomoyo_realpath_init unless registered.\n\ntomoyo_realpath_init() is unconditionally called by security_initcall().\nBut nobody will use realpath related functions if TOMOYO is not registered.\n\nSo, let tomoyo_init() call tomoyo_realpath_init().\n\nThis patch saves 4KB of memory allocation if TOMOYO is not registered.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "e5a3b95f581da62e2054ef79d3be2d383e9ed664",
      "tree": "6a55bf40033c92b2c82fa0643c2511dbe7124b32",
      "parents": [
        "33043cbb9fd49a957089f5948fe814764d7abbd6"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@I-love.SAKURA.ne.jp",
        "time": "Sat Feb 14 11:46:56 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Feb 16 09:01:48 2009 +1100"
      },
      "message": "TOMOYO: Don\u0027t create securityfs entries unless registered.\n\nTOMOYO should not create /sys/kernel/security/tomoyo/ interface unless\nTOMOYO is registered.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "33043cbb9fd49a957089f5948fe814764d7abbd6",
      "tree": "66be66415be5a1108788291194cc5b2bc89fb6fe",
      "parents": [
        "26036651c562609d1f52d181f9d2cccbf89929b1"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@i-love.sakura.ne.jp",
        "time": "Fri Feb 13 16:00:58 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Sat Feb 14 12:33:30 2009 +1100"
      },
      "message": "TOMOYO: Fix exception policy read failure.\n\nDue to wrong initialization, \"cat /sys/kernel/security/tomoyo/exception_policy\"\nreturned nothing.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "35d50e60e8b12e4adc2fa317343a176d87294a72",
      "tree": "d4374d08677dafdf940fc8bdaaadc0aeefa06126",
      "parents": [
        "42d5aaa2d826f54924e260b58a8e410e59d54163"
      ],
      "author": {
        "name": "Tetsuo Handa",
        "email": "penguin-kernel@i-love.sakura.ne.jp",
        "time": "Thu Feb 12 15:53:38 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 12 20:21:10 2009 +1100"
      },
      "message": "tomoyo: fix sparse warning\n\nFix sparse warning.\n\n$ make C\u003d2 SUBDIRS\u003dsecurity/tomoyo CF\u003d\"-D__cold__\u003d\"\n CHECK   security/tomoyo/common.c\n CHECK   security/tomoyo/realpath.c\n CHECK   security/tomoyo/tomoyo.c\nsecurity/tomoyo/tomoyo.c:110:8: warning: symbol \u0027buf\u0027 shadows an earlier one\nsecurity/tomoyo/tomoyo.c:100:7: originally declared here\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "00d7d6f840ddc947237307e022de5e75ded4105f",
      "tree": "53669494101f93becdd401be2e70073bc7c6fe0b",
      "parents": [
        "f7433243770c77979c396b4c7449a10e9b3521db"
      ],
      "author": {
        "name": "Kentaro Takeda",
        "email": "takedakn@nttdata.co.jp",
        "time": "Thu Feb 05 17:18:17 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 12 15:19:00 2009 +1100"
      },
      "message": "Kconfig and Makefile\n\nTOMOYO uses LSM hooks for pathname based access control and securityfs support.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "f7433243770c77979c396b4c7449a10e9b3521db",
      "tree": "8bcb3d92ddb65b73f1802c5476d75f92814477d8",
      "parents": [
        "26a2a1c9eb88d9aca8891575b3b986812e073872"
      ],
      "author": {
        "name": "Kentaro Takeda",
        "email": "takedakn@nttdata.co.jp",
        "time": "Thu Feb 05 17:18:16 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 12 15:15:05 2009 +1100"
      },
      "message": "LSM adapter functions.\n\nDAC\u0027s permissions and TOMOYO\u0027s permissions are not one-to-one mapping.\n\nRegarding DAC, there are \"read\", \"write\", \"execute\" permissions.\nRegarding TOMOYO, there are \"allow_read\", \"allow_write\", \"allow_read/write\",\n\"allow_execute\", \"allow_create\", \"allow_unlink\", \"allow_mkdir\", \"allow_rmdir\",\n\"allow_mkfifo\", \"allow_mksock\", \"allow_mkblock\", \"allow_mkchar\",\n\"allow_truncate\", \"allow_symlink\", \"allow_rewrite\", \"allow_link\",\n\"allow_rename\" permissions.\n\n+----------------------------------+----------------------------------+\n| requested operation              | required TOMOYO\u0027s permission     |\n+----------------------------------+----------------------------------+\n| sys_open(O_RDONLY)               | allow_read                       |\n+----------------------------------+----------------------------------+\n| sys_open(O_WRONLY)               | allow_write                      |\n+----------------------------------+----------------------------------+\n| sys_open(O_RDWR)                 | allow_read/write                 |\n+----------------------------------+----------------------------------+\n| open_exec() from do_execve()     | allow_execute                    |\n+----------------------------------+----------------------------------+\n| open_exec() from !do_execve()    | allow_read                       |\n+----------------------------------+----------------------------------+\n| sys_read()                       | (none)                           |\n+----------------------------------+----------------------------------+\n| sys_write()                      | (none)                           |\n+----------------------------------+----------------------------------+\n| sys_mmap()                       | (none)                           |\n+----------------------------------+----------------------------------+\n| sys_uselib()                     | allow_read                       |\n+----------------------------------+----------------------------------+\n| sys_open(O_CREAT)                | allow_create                     |\n+----------------------------------+----------------------------------+\n| sys_open(O_TRUNC)                | allow_truncate                   |\n+----------------------------------+----------------------------------+\n| sys_truncate()                   | allow_truncate                   |\n+----------------------------------+----------------------------------+\n| sys_ftruncate()                  | allow_truncate                   |\n+----------------------------------+----------------------------------+\n| sys_open() without O_APPEND      | allow_rewrite                    |\n+----------------------------------+----------------------------------+\n| setfl() without O_APPEND         | allow_rewrite                    |\n+----------------------------------+----------------------------------+\n| sys_sysctl() for writing         | allow_write                      |\n+----------------------------------+----------------------------------+\n| sys_sysctl() for reading         | allow_read                       |\n+----------------------------------+----------------------------------+\n| sys_unlink()                     | allow_unlink                     |\n+----------------------------------+----------------------------------+\n| sys_mknod(S_IFREG)               | allow_create                     |\n+----------------------------------+----------------------------------+\n| sys_mknod(0)                     | allow_create                     |\n+----------------------------------+----------------------------------+\n| sys_mknod(S_IFIFO)               | allow_mkfifo                     |\n+----------------------------------+----------------------------------+\n| sys_mknod(S_IFSOCK)              | allow_mksock                     |\n+----------------------------------+----------------------------------+\n| sys_bind(AF_UNIX)                | allow_mksock                     |\n+----------------------------------+----------------------------------+\n| sys_mknod(S_IFBLK)               | allow_mkblock                    |\n+----------------------------------+----------------------------------+\n| sys_mknod(S_IFCHR)               | allow_mkchar                     |\n+----------------------------------+----------------------------------+\n| sys_symlink()                    | allow_symlink                    |\n+----------------------------------+----------------------------------+\n| sys_mkdir()                      | allow_mkdir                      |\n+----------------------------------+----------------------------------+\n| sys_rmdir()                      | allow_rmdir                      |\n+----------------------------------+----------------------------------+\n| sys_link()                       | allow_link                       |\n+----------------------------------+----------------------------------+\n| sys_rename()                     | allow_rename                     |\n+----------------------------------+----------------------------------+\n\nTOMOYO requires \"allow_execute\" permission of a pathname passed to do_execve()\nbut does not require \"allow_read\" permission of that pathname.\nLet\u0027s consider 3 patterns (statically linked, dynamically linked,\nshell script). This description is to some degree simplified.\n\n  $ cat hello.c\n  #include \u003cstdio.h\u003e\n  int main() {\n          printf(\"Hello\\n\");\n          return 0;\n  }\n  $ cat hello.sh\n  #! 
/bin/sh\n  echo \"Hello\"\n  $ gcc -static -o hello-static hello.c\n  $ gcc -o hello-dynamic hello.c\n  $ chmod 755 hello.sh\n\nCase 1 -- Executing hello-static from bash.\n\n  (1) The bash process calls fork() and the child process requests\n      do_execve(\"hello-static\").\n\n  (2) The kernel checks \"allow_execute hello-static\" from \"bash\" domain.\n\n  (3) The kernel calculates \"bash hello-static\" as the domain to transit to.\n\n  (4) The kernel overwrites the child process by \"hello-static\".\n\n  (5) The child process transits to \"bash hello-static\" domain.\n\n  (6) The \"hello-static\" starts and finishes.\n\nCase 2 -- Executing hello-dynamic from bash.\n\n  (1) The bash process calls fork() and the child process requests\n      do_execve(\"hello-dynamic\").\n\n  (2) The kernel checks \"allow_execute hello-dynamic\" from \"bash\" domain.\n\n  (3) The kernel calculates \"bash hello-dynamic\" as the domain to transit to.\n\n  (4) The kernel checks \"allow_read ld-linux.so\" from \"bash hello-dynamic\"\n      domain. 
I think permission to access ld-linux.so should be charged\n      hello-dynamic program, for \"hello-dynamic needs ld-linux.so\" is not\n      a fault of bash program.\n\n  (5) The kernel overwrites the child process by \"hello-dynamic\".\n\n  (6) The child process transits to \"bash hello-dynamic\" domain.\n\n  (7) The \"hello-dynamic\" starts and finishes.\n\nCase 3 -- Executing hello.sh from bash.\n\n  (1) The bash process calls fork() and the child process requests\n      do_execve(\"hello.sh\").\n\n  (2) The kernel checks \"allow_execute hello.sh\" from \"bash\" domain.\n\n  (3) The kernel calculates \"bash hello.sh\" as the domain to transit to.\n\n  (4) The kernel checks \"allow_read /bin/sh\" from \"bash hello.sh\" domain.\n      I think permission to access /bin/sh should be charged hello.sh program,\n      for \"hello.sh needs /bin/sh\" is not a fault of bash program.\n\n  (5) The kernel overwrites the child process by \"/bin/sh\".\n\n  (6) The child process transits to \"bash hello.sh\" domain.\n\n  (7) The \"/bin/sh\" requests open(\"hello.sh\").\n\n  (8) The kernel checks \"allow_read hello.sh\" from  \"bash hello.sh\" domain.\n\n  (9) The \"/bin/sh\" starts and finishes.\n\nWhether a file is interpreted as a program or not depends on an application.\nThe kernel cannot know whether the file is interpreted as a program or not.\nThus, TOMOYO treats \"hello-static\" \"hello-dynamic\" \"ld-linux.so\" \"hello.sh\"\n\"/bin/sh\" equally as merely files; no distinction between executable and\nnon-executable. Therefore, TOMOYO doesn\u0027t check DAC\u0027s execute permission.\nTOMOYO checks \"allow_read\" permission instead.\n\nCalling do_execve() is a bold gesture that an old program\u0027s instance (i.e.\ncurrent process) is ready to be overwritten by a new program and is ready to\ntransfer control to the new program. 
To split purview of programs, TOMOYO\nrequires \"allow_execute\" permission of the new program against the old\nprogram\u0027s instance and performs domain transition. If do_execve() succeeds,\nthe old program is no longer responsible against the consequence of the new\nprogram\u0027s behavior. Only the new program is responsible for all consequences.\n\nBut TOMOYO doesn\u0027t require \"allow_read\" permission of the new program.\nIf TOMOYO requires \"allow_read\" permission of the new program, TOMOYO will\nallow an attacker (who hijacked the old program\u0027s instance) to open the new\nprogram and steal data from the new program. Requiring \"allow_read\" permission\nwill widen purview of the old program.\n\nNot requiring \"allow_read\" permission of the new program against the old\nprogram\u0027s instance is my design for reducing purview of the old program.\nTo be able to know whether the current process is in do_execve() or not,\nI want to add in_execve flag to \"task_struct\".\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "26a2a1c9eb88d9aca8891575b3b986812e073872",
      "tree": "4abec8ee7800aa52c1055ad74185156c7894e743",
      "parents": [
        "b69a54ee582373d76e4b5560970db5b8c618b12a"
      ],
      "author": {
        "name": "Kentaro Takeda",
        "email": "takedakn@nttdata.co.jp",
        "time": "Thu Feb 05 17:18:15 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 12 15:15:05 2009 +1100"
      },
      "message": "Domain transition handler.\n\nThis file controls domain creation/deletion/transition.\n\nEvery process belongs to a domain in TOMOYO Linux.\nDomain transition occurs when execve(2) is called\nand the domain is expressed as \u0027process invocation history\u0027,\nsuch as \u0027\u003ckernel\u003e /sbin/init /etc/init.d/rc\u0027.\nDomain information is stored in current-\u003ecred-\u003esecurity field.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "b69a54ee582373d76e4b5560970db5b8c618b12a",
      "tree": "5889c074f7885187104906c921da0bab318bfe64",
      "parents": [
        "9590837b89aaa4523209ac91c52db5ea0d9142fd"
      ],
      "author": {
        "name": "Kentaro Takeda",
        "email": "takedakn@nttdata.co.jp",
        "time": "Thu Feb 05 17:18:14 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 12 15:15:05 2009 +1100"
      },
      "message": "File operation restriction part.\n\nThis file controls file related operations of TOMOYO Linux.\n\ntomoyo/tomoyo.c calls the following six functions in this file.\nEach function handles the following access types.\n\n * tomoyo_check_file_perm\nsysctl()\u0027s \"read\" and \"write\".\n\n * tomoyo_check_exec_perm\n\"execute\".\n\n * tomoyo_check_open_permission\nopen(2) for \"read\" and \"write\".\n\n * tomoyo_check_1path_perm\n\"create\", \"unlink\", \"mkdir\", \"rmdir\", \"mkfifo\",\n\"mksock\", \"mkblock\", \"mkchar\", \"truncate\" and \"symlink\".\n\n * tomoyo_check_2path_perm\n\"rename\" and \"unlink\".\n\n * tomoyo_check_rewrite_permission\n\"rewrite\".\n(\"rewrite\" are operations which may lose already recorded data of a file,\ni.e. open(!O_APPEND) || open(O_TRUNC) || truncate() || ftruncate())\n\nThe functions which actually checks ACLs are the following three functions.\nEach function handles the following access types.\nACL directive is expressed by \"allow_\u003caccess type\u003e\".\n\n * tomoyo_check_file_acl\nOpen() operation and execve() operation.\n(\"read\", \"write\", \"read/write\" and \"execute\")\n\n * tomoyo_check_single_write_acl\nDirectory modification operations with 1 pathname.\n(\"create\", \"unlink\", \"mkdir\", \"rmdir\", \"mkfifo\", \"mksock\",\n \"mkblock\", \"mkchar\", \"truncate\", \"symlink\" and \"rewrite\")\n\n * tomoyo_check_double_write_acl\nDirectory modification operations with 2 pathname.\n(\"link\" and \"rename\")\n\nAlso, this file contains handlers of some utility directives\nfor file related operations.\n\n * \"allow_read\":   specifies globally (for all domains) readable files.\n * \"path_group\":   specifies pathname macro.\n * \"deny_rewrite\": restricts rewrite operation.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James 
Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "9590837b89aaa4523209ac91c52db5ea0d9142fd",
      "tree": "0e7e3febb1f6106be0e45c281309078f6c1cd7e6",
      "parents": [
        "c73bd6d473ceb5d643d3afd7e75b7dc2e6918558"
      ],
      "author": {
        "name": "Kentaro Takeda",
        "email": "takedakn@nttdata.co.jp",
        "time": "Thu Feb 05 17:18:13 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 12 15:15:04 2009 +1100"
      },
      "message": "Common functions for TOMOYO Linux.\n\nThis file contains common functions (e.g. policy I/O, pattern matching).\n\n-------------------- About pattern matching --------------------\n\nSince TOMOYO Linux is a name based access control, TOMOYO Linux seriously\nconsiders \"safe\" string representation.\n\nTOMOYO Linux\u0027s string manipulation functions make reviewers feel crazy,\nbut there are reasons why TOMOYO Linux needs its own string manipulation\nfunctions.\n\n----- Part 1 : preconditions -----\n\nPeople definitely want to use wild card.\n\n  To support pattern matching, we have to support wild card characters.\n\n  In a typical Linux system, filenames are likely consists of only alphabets,\n  numbers, and some characters (e.g. + - ~ . / ).\n  But theoretically, the Linux kernel accepts all characters but NUL character\n  (which is used as a terminator of a string).\n\n    Some Linux systems can have filenames which contain * ? ** etc.\n\nTherefore, we have to somehow modify string so that we can distinguish\nwild card characters and normal characters.\n\n  It might be possible for some application\u0027s configuration files to restrict\n  acceptable characters.\n  It is impossible for kernel to restrict acceptable characters.\n\n    We can\u0027t accept approaches which will cause troubles for applications.\n\n----- Part 2 : commonly used approaches -----\n\nText formatted strings separated by space character (0x20) and new line\ncharacter (0x0A) is more preferable for users over array of NUL-terminated\nstring.\n\n  Thus, people use text formatted configuration files separated by space\n  character and new line.\n\nWe sometimes need to handle non-printable characters.\n\n  Thus, people use \\ character (0x5C) as escape character and represent\n  non-printable characters using octal or hexadecimal format.\n\nAt this point, we remind (at least) 3 approaches.\n\n  (1) Shell glob style expression\n  (2) POSIX regular expression (UNIX style 
regular expression)\n  (3) Maverick wild card expression\n\nOn the surface, (1) and (2) sound good choices. But they have a big pitfall.\nAll meta-characters in (1) and (2) are legal characters for representing\na pathname, and users easily write incorrect expression. What is worse, users\nunlikely notice incorrect expressions because characters used for regular\npathnames unlikely contain meta-characters. This incorrect use of\nmeta-characters in pathname representation reveals vulnerability\n(e.g. unexpected results) only when irregular pathname is specified.\n\nThe authors of TOMOYO Linux think that approaches which adds some character\nfor interpreting meta-characters as normal characters (i.e. (1) and (2)) are\nnot suitable for security use.\n\nTherefore, the authors of TOMOYO Linux propose (3).\n\n----- Part 3: consideration points -----\n\nWe need to solve encoding problem.\n\n  A single character can be represented in several ways using encodings.\n\n    For Japanese language, there are \"ShiftJIS\", \"ISO-2022-JP\", \"EUC-JP\",\n    \"UTF-8\" and more.\n\n  Some languages (e.g. Japanese language) supports multi-byte characters\n  (where a single character is represented using several bytes).\n\n    Some multi-byte characters may match the escape character.\n\n    For Japanese language, some characters in \"ShiftJIS\" encoding match\n    \\ character, and bothering Web\u0027s CGI developers.\n\n  It is important that the kernel string is not bothered by encoding problem.\n\n    Linus said, \"I really would expect that kernel strings don\u0027t have\n    an encoding. They\u0027re just C strings: a NUL-terminated stream of bytes.\"\n    http://lkml.org/lkml/2007/11/6/142\n\n    Yes. 
The kernel strings are just C strings.\n    We are talking about how to store and carry \"kernel strings\" safely.\n\n  If we store \"kernel string\" into policy file as-is, the \"kernel string\" will\n  be interpreted differently depending on application\u0027s encoding settings.\n  One application may interpret \"kernel string\" as \"UTF-8\",\n  another application may interpret \"kernel string\" as \"ShiftJIS\".\n\n    Therefore, we propose to represent strings using ASCII encoding.\n    In this way, we are no longer bothered by encoding problems.\n\nWe need to avoid information loss caused by display.\n\n  It is difficult to input and display non-printable characters, but we have to\n  be able to handle such characters because the kernel string is a C string.\n\n  If we use only ASCII printable characters (from 0x21 to 0x7E) and space\n  character (0x20) and new line character (0x0A), it is easy to input from\n  keyboard and display on all terminals which is running Linux.\n\n  Therefore, we propose to represent strings using only characters which value\n  is one of \"from 0x21 to 0x7E\", \"0x20\", \"0x0A\".\n\nWe need to consider ease of splitting strings from a line.\n\n  If we use an approach which uses \"\\ \" for representing a space character\n  within a string, we have to count the string from the beginning to check\n  whether this space character is accompanied with \\ character or not.\n  As a result, we cannot monotonically split a line using space character.\n\n  If we use an approach which uses \"\\040\" for representing a space character\n  within a string, we can monotonically split a line using space character.\n\n  If we use an approach which uses NUL character as a delimiter, we cannot\n  use string manipulation functions for splitting strings from a line.\n\n  Therefore, we propose that we represent space character as \"\\040\".\n\nWe need to avoid wrong designations (incorrect use of special characters).\n\n  Not all users can understand and 
utilize POSIX\u0027s regular expressions\n  correctly and perfectly.\n\n  If a character acts as a wild card by default, the user will get unexpected\n  result if that user didn\u0027t know the meaning of that character.\n\n    Therefore, we propose that all characters but \\ character act as\n    a normal character and let the user add \\ character to make a character\n    act as a wild card.\n\n    In this way, users needn\u0027t to know all wild card characters beforehand.\n    They can learn when they encountered an unseen wild card character\n    for their first time.\n\n----- Part 4: supported wild card expressions -----\n\nAt this point, we have wild card expressions listed below.\n\n  +-----------+--------------------------------------------------------------+\n  | Wild card | Meaning and example                                          |\n  +-----------+--------------------------------------------------------------+\n  |   \\*      | More than or equals to 0 character other than \u0027/\u0027.           |\n  |           |           /var/log/samba/\\*                                  |\n  +-----------+--------------------------------------------------------------+\n  |   \\@      | More than or equals to 0 character other than \u0027/\u0027 or \u0027.\u0027.    |\n  |           |           /var/www/html/\\@.html                              |\n  +-----------+--------------------------------------------------------------+\n  |   \\?      | 1 byte character other than \u0027/\u0027.                             |\n  |           |           /tmp/mail.\\?\\?\\?\\?\\?\\?                             |\n  +-----------+--------------------------------------------------------------+\n  |   \\$      | More than or equals to 1 decimal digit.                      |\n  |           |           /proc/\\$/cmdline                                   |\n  +-----------+--------------------------------------------------------------+\n  |   \\+      | 1 decimal digit.              
                               |\n  |           |           /var/tmp/my_work.\\+                                |\n  +-----------+--------------------------------------------------------------+\n  |   \\X      | More than or equals to 1 hexadecimal digit.                  |\n  |           |           /var/tmp/my-work.\\X                                |\n  +-----------+--------------------------------------------------------------+\n  |   \\x      | 1 hexadecimal digit.                                         |\n  |           |           /tmp/my-work.\\x                                    |\n  +-----------+--------------------------------------------------------------+\n  |   \\A      | More than or equals to 1 alphabet character.                 |\n  |           |           /var/log/my-work/\\$-\\A-\\$.log                      |\n  +-----------+--------------------------------------------------------------+\n  |   \\a      | 1 alphabet character.                                        |\n  |           |           /home/users/\\a/\\*/public_html/\\*.html              |\n  +-----------+--------------------------------------------------------------+\n  |   \\-      | Pathname subtraction operator.                               |\n  |           | +---------------------+------------------------------------+ |\n  |           | | Example             | Meaning                            | |\n  |           | +---------------------+------------------------------------+ |\n  |           | | /etc/\\*             | All files in /etc/ directory.      
| |\n  |           | +---------------------+------------------------------------+ |\n  |           | | /etc/\\*\\-\\*shadow\\* | /etc/\\* other than /etc/\\*shadow\\* | |\n  |           | +---------------------+------------------------------------+ |\n  |           | | /\\*\\-proc\\-sys/     | /\\*/ other than /proc/ /sys/       | |\n  |           | +---------------------+------------------------------------+ |\n  +-----------+--------------------------------------------------------------+\n\n  +----------------+---------------------------------------------------------+\n  | Representation | Meaning and example                                     |\n  +----------------+---------------------------------------------------------+\n  |   \\\\           | backslash character itself.                             |\n  +----------------+---------------------------------------------------------+\n  |   \\ooo         | 1 byte character.                                       |\n  |                | ooo is 001 \u003c\u003d ooo \u003c\u003d 040 || 177 \u003c\u003d ooo \u003c\u003d 377.          |\n  |                |                                                         |\n  |                |           \\040 for space character.                     |\n  |                |           \\177 for del character.                       
|\n  |                |                                                         |\n  +----------------+---------------------------------------------------------+\n\n----- Part 5: Advantages -----\n\nWe can obtain extensibility.\n\n  Since our proposed approach adds \\ to a character to interpret as a wild\n  card, we can introduce new wild card in future while maintaining backward\n  compatibility.\n\nWe can process monotonically.\n\n  Since our proposed approach separates strings using a space character,\n  we can split strings using existing string manipulation functions.\n\nWe can reliably analyze access logs.\n\n  It is guaranteed that a string doesn\u0027t contain space character (0x20) and\n  new line character (0x0A).\n\n  It is guaranteed that a string won\u0027t be converted by FTP and won\u0027t be damaged\n  by a terminal\u0027s settings.\n\n  It is guaranteed that a string won\u0027t be affected by encoding converters\n  (except encodings which insert NUL character (e.g. UTF-16)).\n\n----- Part 6: conclusion -----\n\nTOMOYO Linux is using its own encoding with reasons described above.\nThere is a disadvantage that we need to introduce a series of new string\nmanipulation functions. But TOMOYO Linux\u0027s encoding is useful for all users\n(including audit and AppArmor) who want to perform pattern matching and\nsafely exchange string information between the kernel and the userspace.\n\n-------------------- About policy interface --------------------\n\nTOMOYO Linux creates the following files on securityfs (normally\nmounted on /sys/kernel/security) as interfaces between kernel and\nuserspace. 
These files are for TOMOYO Linux management tools *only*,\nnot for general programs.\n\n  * profile\n  * exception_policy\n  * domain_policy\n  * manager\n  * meminfo\n  * self_domain\n  * version\n  * .domain_status\n  * .process_status\n\n** /sys/kernel/security/tomoyo/profile **\n\nThis file is used to read or write profiles.\n\n\"profile\" means a running mode of process. A profile lists up\nfunctions and their modes in \"$number-$variable\u003d$value\" format. The\n$number is profile number between 0 and 255. Each domain is assigned\none profile. To assign profile to domains, use \"ccs-setprofile\" or\n\"ccs-editpolicy\" or \"ccs-loadpolicy\" commands.\n\n(Example)\n[root@tomoyo]# cat /sys/kernel/security/tomoyo/profile\n0-COMMENT\u003d-----Disabled Mode-----\n0-MAC_FOR_FILE\u003ddisabled\n0-MAX_ACCEPT_ENTRY\u003d2048\n0-TOMOYO_VERBOSE\u003ddisabled\n1-COMMENT\u003d-----Learning Mode-----\n1-MAC_FOR_FILE\u003dlearning\n1-MAX_ACCEPT_ENTRY\u003d2048\n1-TOMOYO_VERBOSE\u003ddisabled\n2-COMMENT\u003d-----Permissive Mode-----\n2-MAC_FOR_FILE\u003dpermissive\n2-MAX_ACCEPT_ENTRY\u003d2048\n2-TOMOYO_VERBOSE\u003denabled\n3-COMMENT\u003d-----Enforcing Mode-----\n3-MAC_FOR_FILE\u003denforcing\n3-MAX_ACCEPT_ENTRY\u003d2048\n3-TOMOYO_VERBOSE\u003denabled\n\n- MAC_FOR_FILE:\nSpecifies access control level regarding file access requests.\n- MAX_ACCEPT_ENTRY:\nLimits the max number of ACL entries that are automatically appended\nduring learning mode. Default is 2048.\n- TOMOYO_VERBOSE:\nSpecifies whether to print domain policy violation messages or not.\n\n** /sys/kernel/security/tomoyo/manager **\n\nThis file is used to read or append the list of programs or domains\nthat can write to /sys/kernel/security/tomoyo interface. By default,\nonly processes with both UID \u003d 0 and EUID \u003d 0 can modify policy via\n/sys/kernel/security/tomoyo interface. 
You can use keyword\n\"manage_by_non_root\" to allow policy modification by non root user.\n\n(Example)\n[root@tomoyo]# cat /sys/kernel/security/tomoyo/manager\n/usr/lib/ccs/loadpolicy\n/usr/lib/ccs/editpolicy\n/usr/lib/ccs/setlevel\n/usr/lib/ccs/setprofile\n/usr/lib/ccs/ld-watch\n/usr/lib/ccs/ccs-queryd\n\n** /sys/kernel/security/tomoyo/exception_policy **\n\nThis file is used to read and write system global settings. Each line\nhas a directive and operand pair. Directives are listed below.\n\n- initialize_domain:\nTo initialize domain transition when specific program is executed,\nuse initialize_domain directive.\n  * initialize_domain \"program\" from \"domain\"\n  * initialize_domain \"program\" from \"the last program part of domain\"\n  * initialize_domain \"program\"\nIf the part \"from\" and after is not given, the entry is applied to\nall domain. If the \"domain\" doesn\u0027t start with \"\u003ckernel\u003e\", the entry\nis applied to all domain whose domainname ends with \"the last program\npart of domain\".\nThis directive is intended to aggregate domain transitions for daemon\nprogram and program that are invoked by the kernel on demand, by\ntransiting to different domain.\n\n- keep_domain\nTo prevent domain transition when program is executed from specific\ndomain, use keep_domain directive.\n  * keep_domain \"program\" from \"domain\"\n  * keep_domain \"program\" from \"the last program part of domain\"\n  * keep_domain \"domain\"\n  * keep_domain \"the last program part of domain\"\nIf the part \"from\" and before is not given, this entry is applied to\nall program. 
If the \"domain\" doesn\u0027t start with \"\u003ckernel\u003e\", the entry\nis applied to all domain whose domainname ends with \"the last program\npart of domain\".\nThis directive is intended to reduce total number of domains and\nmemory usage by suppressing unneeded domain transitions.\nTo declare domain keepers, use keep_domain directive followed by\ndomain definition.\nAny process that belongs to any domain declared with this directive,\nthe process stays at the same domain unless any program registered\nwith initialize_domain directive is executed.\n\nIn order to control domain transition in detail, you can use\nno_keep_domain/no_initialize_domain keywords.\n\n- alias:\nTo allow executing programs using the name of symbolic links, use\nalias keyword followed by dereferenced pathname and reference\npathname. For example, /sbin/pidof is a symbolic link to\n/sbin/killall5 . In normal case, if /sbin/pidof is executed, the\ndomain is defined as if /sbin/killall5 is executed. By specifying\n\"alias /sbin/killall5 /sbin/pidof\", you can run /sbin/pidof in the\ndomain for /sbin/pidof .\n(Example)\nalias /sbin/killall5 /sbin/pidof\n\n- allow_read:\nTo grant unconditionally readable permissions, use allow_read keyword\nfollowed by canonicalized file. This keyword is intended to reduce\nsize of domain policy by granting read access to library files such\nas GLIBC and locale files. Exception is, if ignore_global_allow_read\nkeyword is given to a domain, entries specified by this keyword are\nignored.\n(Example)\nallow_read /lib/libc-2.5.so\n\n- file_pattern:\nTo declare pathname pattern, use file_pattern keyword followed by\npathname pattern. The pathname pattern must be a canonicalized\npathname. This keyword is applicable to neither granting execute\npermissions nor domain definitions.\nFor example, canonicalized pathname that contains a process ID\n(i.e. 
/proc/PID/ files) needs to be grouped in order to make access\ncontrol work well.\n(Example)\nfile_pattern /proc/\\$/cmdline\n\n- path_group\nTo declare a pathname group, use the path_group keyword followed by the\nname of the group and a pathname pattern. For example, if you want to\ngroup all files under the home directory, you can define\n   path_group HOME-DIR-FILE /home/\\*/\\*\n   path_group HOME-DIR-FILE /home/\\*/\\*/\\*\n   path_group HOME-DIR-FILE /home/\\*/\\*/\\*/\\*\nin the exception policy and use it like\n   allow_read @HOME-DIR-FILE\nto grant file access permission.\n\n- deny_rewrite:\nTo deny overwriting the already written contents of a file (such as log\nfiles) by default, use the deny_rewrite keyword followed by a pathname\npattern. Files whose pathnames match the patterns are not permitted to\nbe opened for writing without append mode or truncation unless the\npathnames are explicitly granted using the allow_rewrite keyword in the\ndomain policy.\n(Example)\ndeny_rewrite /var/log/\\*\n\n- aggregator\nTo deal with multiple programs as a single program, use the aggregator\nkeyword followed by the name of the original program and the aggregated\nprogram. This keyword is intended to aggregate similar programs.\nFor example, /usr/bin/tac and /bin/cat are similar. By specifying\n\"aggregator /usr/bin/tac /bin/cat\", you can run /usr/bin/tac in the\ndomain for /bin/cat .\nFor example, /usr/sbin/logrotate for Fedora Core 3 generates programs\nlike /tmp/logrotate.\\?\\?\\?\\?\\?\\? and runs them, but TOMOYO Linux\ndoesn\u0027t allow using patterns for granting execute permission and\ndefining domains. By specifying\n\"aggregator /tmp/logrotate.\\?\\?\\?\\?\\?\\? /tmp/logrotate.tmp\", you can\nrun /tmp/logrotate.\\?\\?\\?\\?\\?\\? as if /tmp/logrotate.tmp were running.\n\n** /sys/kernel/security/tomoyo/domain_policy **\n\nThis file contains the definition of all domains and the permissions\nthat are granted to each domain.\n\nLines from the line after a domain definition (any line starting with\n\"\u003ckernel\u003e\") to the line before the next domain definition are\ninterpreted as access permissions for that domain.\n\n** /sys/kernel/security/tomoyo/meminfo **\n\nThis file shows the total RAM, in bytes, used by TOMOYO Linux to keep\npolicy in the kernel.\n(Example)\n[root@tomoyo]# cat /sys/kernel/security/tomoyo/meminfo\nShared:       61440\nPrivate:      69632\nDynamic:        768\nTotal:       131840\n\nYou can set a memory quota by writing to this file.\n(Example)\n[root@tomoyo]# echo Shared: 2097152 \u003e /sys/kernel/security/tomoyo/meminfo\n[root@tomoyo]# echo Private: 2097152 \u003e /sys/kernel/security/tomoyo/meminfo\n\n** /sys/kernel/security/tomoyo/self_domain **\n\nThis file shows the name of the domain the caller process belongs to.\n(Example)\n[root@etch]# cat /sys/kernel/security/tomoyo/self_domain\n\u003ckernel\u003e /usr/sbin/sshd /bin/zsh /bin/cat\n\n** /sys/kernel/security/tomoyo/version **\n\nThis file is used for getting TOMOYO Linux\u0027s version.\n(Example)\n[root@etch]# cat /sys/kernel/security/tomoyo/version\n2.2.0-pre\n\n** /sys/kernel/security/tomoyo/.domain_status **\n\nThis is a view (as in a DBMS) that contains only the profile number and\ndomain name of each domain, so that the \"ccs-setprofile\" command can do\nline-oriented processing easily.\n\n** /sys/kernel/security/tomoyo/.process_status **\n\nThis file is used by the \"ccs-ccstree\" command to show the \"list of\nprocesses currently running\", the \"domains which each process belongs\nto\" and the \"profile number which the domain is currently assigned\",\nlike the \"pstree\" command. This file is writable by programs that\naren\u0027t registered as a policy manager.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "c73bd6d473ceb5d643d3afd7e75b7dc2e6918558",
      "tree": "76a800f3080d000215ec74f4c66fc73560b83a8f",
      "parents": [
        "f9ce1f1cda8b73a36f47e424975a9dfa78b7840c"
      ],
      "author": {
        "name": "Kentaro Takeda",
        "email": "takedakn@nttdata.co.jp",
        "time": "Thu Feb 05 17:18:12 2009 +0900"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 12 15:15:04 2009 +1100"
      },
      "message": "Memory and pathname management functions.\n\nTOMOYO Linux performs pathname-based access control.\nTo remove factors that make pathname-based access control difficult\n(e.g. symbolic links, \"..\", \"//\" etc.), TOMOYO Linux derives the\nrealpath of the requested pathname from \"struct dentry\" and\n\"struct vfsmount\".\n\nThe maximum length of string data is limited to 4000 including the\ntrailing \u0027\\0\u0027.\nSince TOMOYO Linux uses the \u0027\\ooo\u0027 style representation for characters\nthat are not printable ASCII, maybe TOMOYO Linux should be able to\nsupport 16336 (which means\n(NAME_MAX * (PATH_MAX / (NAME_MAX + 1)) * 4 + (PATH_MAX / (NAME_MAX + 1)))\nincluding the trailing \u0027\\0\u0027), but I think 4000 is enough for practical\nuse.\n\nTOMOYO uses only 0x21 - 0x7E (as printable characters) and 0x20 (as word\ndelimiter) and 0x0A (as line delimiter).\n0x01 - 0x20 and 0x80 - 0xFF are handled in the \\ooo style representation.\nThe reason to use \\ooo is to guarantee that \"%s\" won\u0027t damage logs.\nA userland program can request\n\n open(\"/tmp/file granted.\\nAccess /tmp/file \", O_WRONLY | O_CREAT, 0600)\n\nand logging such a crazy pathname using the \"Access %s denied.\\n\" format\nwill cause \"fabrication of logs\" like\n\n Access /tmp/file granted.\n Access /tmp/file denied.\n\nTOMOYO converts such characters to \\ooo so that the logs will become\n\n Access /tmp/file\\040granted.\\012Access\\040/tmp/file denied.\n\nand the administrator can read the logs safely using /bin/cat .\nLikewise, a crazy request like\n\n open(\"/tmp/\\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\x09\", O_WRONLY | O_CREAT, 0600)\n\nwill be processed safely by converting to\n\n Access /tmp/\\001\\002\\003\\004\\005\\006\\007\\010\\011 denied.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    }
  ]
}
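The \ooo pathname encoding that the "Memory and pathname management functions" commit message above describes, worked through as an added example. This is not TOMOYO's own code and not part of the log above; it is a stand-alone re-implementation of the rule the message states (0x21 to 0x7E pass through, everything else becomes three octal digits), fed the two crafted open() arguments the message quotes as constructed sample input. One assumption beyond the message: the backslash itself is doubled, because otherwise a filename containing a literal `\040` would be indistinguishable from an encoded space; 0x7F, which falls in neither range the message lists, is escaped here as well. The function names (`tomoyo_encode_example`, `encodes_to`, `log_line_count`) are this example's own.

```c
/*
 * Added example, not TOMOYO's code: encode a pathname so that it can be
 * printed through an "Access %s denied.\n" format without forging extra
 * log lines. Rule from the commit message: 0x21..0x7E pass through,
 * 0x01..0x20 and 0x80..0xFF become \ooo. Assumptions of this example:
 * '\\' is doubled (not mentioned in the message) and 0x7F is escaped.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define TOMOYO_MAX_PATHNAME_LEN 4000 /* limit from the message, incl. NUL */

/*
 * Encode src into dst (capacity dstlen). Returns the number of bytes
 * written excluding the terminating NUL, or -1 if dst is too small.
 * Worst case is four output bytes per input byte.
 */
static int tomoyo_encode_example(char *dst, size_t dstlen, const char *src)
{
    size_t out = 0;
    const unsigned char *p;

    if (dstlen == 0)
        return -1;
    for (p = (const unsigned char *)src; *p; p++) {
        unsigned char c = *p;

        if (c > 0x20 && c < 0x7F && c != '\\') {
            if (out + 1 >= dstlen)
                return -1;
            dst[out++] = (char)c;
        } else if (c == '\\') {
            if (out + 2 >= dstlen)
                return -1;
            dst[out++] = '\\';
            dst[out++] = '\\';
        } else {
            if (out + 4 >= dstlen)
                return -1;
            dst[out++] = '\\';
            dst[out++] = (char)('0' + ((c >> 6) & 7));
            dst[out++] = (char)('0' + ((c >> 3) & 7));
            dst[out++] = (char)('0' + (c & 7));
        }
    }
    dst[out] = '\0';
    return (int)out;
}

/* Does src encode exactly to expected? (1 = yes, 0 = no or overflow) */
static int encodes_to(const char *src, const char *expected)
{
    char enc[4 * TOMOYO_MAX_PATHNAME_LEN];

    if (tomoyo_encode_example(enc, sizeof enc, src) < 0)
        return 0;
    return strcmp(enc, expected) == 0;
}

/*
 * Format "Access %s denied.\n" with the pathname raw (encoded == 0) or
 * encoded, and return how many lines the result occupies. A raw name
 * containing '\n' yields two lines (the fabrication the message shows);
 * the encoded form is always exactly one line.
 */
static int log_line_count(const char *path, int encoded)
{
    char enc[4 * TOMOYO_MAX_PATHNAME_LEN];
    char buf[4 * TOMOYO_MAX_PATHNAME_LEN + 32];
    const char *shown = path, *q;
    int n, lines = 0;

    if (encoded) {
        if (tomoyo_encode_example(enc, sizeof enc, path) < 0)
            return -1;
        shown = enc;
    }
    n = snprintf(buf, sizeof buf, "Access %s denied.\n", shown);
    if (n < 0 || (size_t)n >= sizeof buf)
        return -1;
    for (q = buf; *q; q++)
        if (*q == '\n')
            lines++;
    return lines;
}

int main(void)
{
    /* Constructed sample inputs: the two open() arguments from the message. */
    const char *forged = "/tmp/file granted.\nAccess /tmp/file ";
    const char *control = "/tmp/\x01\x02\x03\x04\x05\x06\x07\x08\x09";
    char enc[4 * TOMOYO_MAX_PATHNAME_LEN];

    printf("raw format occupies %d line(s), encoded %d line(s)\n",
           log_line_count(forged, 0), log_line_count(forged, 1));
    tomoyo_encode_example(enc, sizeof enc, forged);
    printf("Access %s denied.\n", enc);
    tomoyo_encode_example(enc, sizeof enc, control);
    printf("Access %s denied.\n", enc);
    return 0;
}
```

Run stand-alone, the program shows the raw format producing two log lines and the encoded one producing a single line in which the space, the newline and the trailing space of the crafted name appear as `\040`, `\012` and `\040`; the control-character name comes out as `/tmp/\001\002\003\004\005\006\007\010\011`, matching the message. Sizing the output buffer at four times the input plus one is what makes the worst case (every byte escaped) safe.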
