)]}' { "log": [ { "commit": "7762fbfffdbce8191f5236d5053b290035d3d749", "tree": "08b6de0c09c5571d3bdb61c429e1ec68e748f796", "parents": [ "ba0c1709f4946a5ca1a678f4318ed72c0d409b3c" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Mon May 10 17:30:26 2010 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon May 17 09:25:57 2010 +1000" }, "message": "TOMOYO: Add pathname grouping support.\n\nThis patch adds pathname grouping support, which is useful for grouping\npathnames that cannot be represented using /\\{dir\\}/ pattern.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "9e4b50e93786d00c703f16ed46e6a4029c0dfdd1", "tree": "51bf6072802888592ae98b9a6c8a26fcb2e1988f", "parents": [ "83c36ccfe4d849f482ea0a62402c7624f4e59f0e" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Thu May 06 12:40:02 2010 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon May 10 17:59:02 2010 +1000" }, "message": "TOMOYO: Use stack memory for pending entry.\n\nUse stack memory for pending entry to reduce kmalloc() which will be kfree()d.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "292823814261e085cdcef06b6b691e6c2563fbd4", "tree": "8c1eaebcf8f698ea13ac2a9291b9769abde1905e", "parents": [ "2b9e4688fad8867b6e918610f396af3ab9246898" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Thu May 06 00:18:15 2010 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu May 06 13:19:18 2010 +1000" }, "message": "TOMOYO: Use mutex_lock_interruptible.\n\nSome of TOMOYO\u0027s functions may sleep after mutex_lock(). If OOM-killer selected\na process which is waiting at mutex_lock(), the to-be-killed process can\u0027t be\nkilled. Thus, replace mutex_lock() with mutex_lock_interruptible() so that the\nto-be-killed process can immediately return from TOMOYO\u0027s functions.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "170800088666963de1111d62fb503889c8c82eda", "tree": "1c8f1671fd48a7688ec8253508dd2cd460e0aff1", "parents": [ "2da5d31bc72d0a36dc16af7f5d5baa4f86df9c76" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Tue Feb 16 21:14:48 2010 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Feb 17 11:37:58 2010 +1100" }, "message": "TOMOYO: Remove __func__ from tomoyo_is_correct_path/domain\n\n__func__ is used for only debug printk(). We can remove it.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "97d6931ead3e89a764cdaa3ad0924037367f0d34", "tree": "ad69e76208832699a97e897af73b6aa23a655609", "parents": [ "7ef612331fb219620cc1abfc2446bb027d388aa0" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Tue Feb 16 09:46:15 2010 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Feb 16 17:26:36 2010 +1100" }, "message": "TOMOYO: Remove unneeded parameter.\n\ntomoyo_path_perm() tomoyo_path2_perm() and tomoyo_check_rewrite_permission()\nalways receive tomoyo_domain(). We can move it from caller to callee.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "7ef612331fb219620cc1abfc2446bb027d388aa0", "tree": "3912acecc7437303e824d26a9ae124b765ce35d3", "parents": [ "084da356f6e55ce42f1d2739178502023908c107" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Tue Feb 16 08:03:30 2010 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Feb 16 11:17:16 2010 +1100" }, "message": "TOMOYO: Use shorter names.\n\nUse shorter name to reduce newlines needed for 80 columns limit.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "084da356f6e55ce42f1d2739178502023908c107", "tree": "bdb021a9e0aa6e48ea0a9a4f1248c87c03e00525", "parents": [ "847b173ea3d6f50936823d07f2245059bf44713b" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Mon Feb 15 15:10:39 2010 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Feb 16 09:25:13 2010 +1100" }, "message": "TOMOYO: Use enum for index numbers.\n\nUse enum to declare index numbers.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "847b173ea3d6f50936823d07f2245059bf44713b", "tree": "b53c6d0536af73a078bcff0375f9f4d837f79bba", "parents": [ "ec8e6a4e062e2edebef91e930c20572c9f4c0dda" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Thu Feb 11 09:43:54 2010 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Feb 15 09:00:24 2010 +1100" }, "message": "TOMOYO: Add garbage collector.\n\nThis patch adds garbage collector support to TOMOYO.\nElements are protected by \"struct srcu_struct tomoyo_ss\".\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ec8e6a4e062e2edebef91e930c20572c9f4c0dda", "tree": "1c48fb2aa2220b3bdc138e0fb33e1ac632d0dffe", "parents": [ "76bb0895d038be7bcdb6ccfcd2dd7deb30371d6b" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Thu Feb 11 09:43:20 2010 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Feb 15 09:00:21 2010 +1100" }, "message": "TOMOYO: Add refcounter on domain structure.\n\nAdd refcounter to \"struct tomoyo_domain_info\" since garbage collector needs to\ndetermine whether this struct is referred by \"struct cred\"-\u003esecurity or not.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "76bb0895d038be7bcdb6ccfcd2dd7deb30371d6b", "tree": "5948c68b08561deb20d155853faed475a15a4235", "parents": [ "bf24fb016c861b7f52be0c36c4cedd3e89afa2e2" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Thu Feb 11 09:42:40 2010 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Feb 15 09:00:18 2010 +1100" }, "message": "TOMOYO: Merge headers.\n\nGather structures and constants scattered around security/tomoyo/ directory.\nThis is for preparation for adding garbage collector since garbage collector\nneeds to know structures and constants which TOMOYO uses.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ea13ddbad0eb4be9cdc406cd7e0804fa4011f6e4", "tree": "4068bb5baad6f6819242b36a00bf395a6db7f1e1", "parents": [ "f40a70861ace69001524644473cc389543b06c3c" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Wed Feb 03 06:43:06 2010 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Feb 08 14:10:20 2010 +1100" }, "message": "TOMOYO: Extract bitfield\n\nSince list elements are rounded up to kmalloc() size rather than sizeof(int),\nsaving one byte by using bitfields is no longer helpful.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "8e2d39a1665e680c095545993aac2fcac6916eb9", "tree": "41687f7e7f4fb37416b7948b6d2e09d0a383459b", "parents": [ "7d52a155e38d5a165759dbbee656455861bf7801" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Tue Jan 26 20:45:27 2010 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jan 27 08:20:48 2010 +1100" }, "message": "TOMOYO: Remove usage counter for temporary memory.\n\nTOMOYO was using own memory usage counter for detecting memory leak.\nBut as kernel 2.6.31 introduced memory leak detection mechanism\n( CONFIG_DEBUG_KMEMLEAK ), we no longer need to have own counter.\n\nWe remove usage counter for memory used for permission checks, but we keep\nusage counter for memory used for policy so that we can apply quota.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "cd7bec6ad80188394a8ea857ff1aa3512fc2282a", "tree": "598e7d59c29966e0d8fa8abf24eb51bbb2f567a6", "parents": [ "e41035a996356c257183e53a70abfb46fa84908b" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Tue Jan 05 06:39:37 2010 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 11 09:27:40 2010 +1100" }, "message": "TOMOYO: Remove memory pool for list elements.\n\nCurrently, TOMOYO allocates memory for list elements from memory pool allocated\nby kmalloc(PAGE_SIZE). But that makes it difficult to kfree() when garbage\ncollector is added. Thus, remove memory pool and use kmalloc(sizeof()).\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "f737d95ddfea4df68a36ffc9231db4bf34b06d13", "tree": "28a1bf737c96ba8048abcf87a7acfc8412e92a2e", "parents": [ "fdb8ebb729bbb640e64028a4f579a02ebc405727" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Sun Jan 03 21:16:32 2010 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 11 07:57:44 2010 +1100" }, "message": "TOMOYO: Replace rw_semaphore by mutex.\n\nSince readers no longer use down_read(), writers no longer\nneed to use rw_semaphore. Replace individual rw_semaphore by\nsingle mutex.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "fdb8ebb729bbb640e64028a4f579a02ebc405727", "tree": "9dfca7422cb858cd05208734affab31d980030fe", "parents": [ "86fc80f16e8a2449d5827bf1a9838b7fd9f70097" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Tue Dec 08 09:34:43 2009 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Dec 15 15:46:31 2009 +1100" }, "message": "TOMOYO: Use RCU primitives for list operation\n\nReplace list operation with RCU primitives and replace\ndown_read()/up_read() with srcu_read_lock()/srcu_read_unlock().\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "937bf6133b21b16965f75223085f4314ae32b8eb", "tree": "4a042bc9298ffddfaf4017a5796cae46e9594d2c", "parents": [ "5d0901a3a0c39c97ca504f73d24030f63cfc9fa2" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Wed Dec 02 21:09:48 2009 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Dec 08 14:58:05 2009 +1100" }, "message": "TOMOYO: Add rest of file operation restrictions.\n\nLSM hooks for chmod()/chown()/chroot() are now ready.\nThis patch utilizes these hooks.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "7539cf4b92be4aecc573ea962135f246a7a33401", "tree": "6ed5ada6206e788e937ce1325a70a9d6fb0d3c2f", "parents": [ "b3a222e52e4d4be77cc4520a57af1a4a0d8222d1" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Tue Nov 24 22:00:05 2009 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Nov 25 18:51:16 2009 +1100" }, "message": "TOMOYO: Add recursive directory matching operator support.\n\nTOMOYO 1.7.1 has recursive directory matching operator support.\nI want to add it to TOMOYO for Linux 2.6.33 .\n----------\n[PATCH] TOMOYO: Add recursive directory matching operator support.\n\nThis patch introduces new operator /\\{dir\\}/ which matches\n\u0027/\u0027 + \u0027One or more repetitions of dir/\u0027 (e.g. /dir/ /dir/dir/ /dir/dir/dir/ ).\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nAcked-by: John Johansen \u003cjohn.johansen@canonical.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ccf135f509abdbf607e9a68f08ddeee2c66dc36e", "tree": "4641f30dc45901b619a86957efc72fd3d8d46228", "parents": [ "d905163c5b23f6d8511971e06081a1b525e8a0bd" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@i-love.sakura.ne.jp", "time": "Fri Jun 19 10:29:34 2009 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Jun 19 11:32:37 2009 +1000" }, "message": "TOMOYO: Move tomoyo_delete_domain().\n\nWe can mark tomoyo_delete_domain() as a \"static\" function\nby moving it from domain.c to common.c .\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "c3fa109a5894077d1eaf8731ea741a15dd117b3c", "tree": "a3d5f58ea878868b48a1493055e6f2cb6dd3c9de", "parents": [ "5bf1692f65c12a8aa359dc883468284ffc3c4587" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@i-love.sakura.ne.jp", "time": "Mon Jun 08 12:37:39 2009 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Jun 09 09:30:24 2009 +1000" }, "message": "TOMOYO: Add description of lists and structures.\n\nThis patch adds some descriptions of lists and structures.\nThis patch contains no code changes.\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "5bf1692f65c12a8aa359dc883468284ffc3c4587", "tree": "bab96097b51791985d6361b6bdfaf0280b0fc995", "parents": [ "0b4ec6e4e01d98e55ae325a41304cccd87fa4c0f" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@i-love.sakura.ne.jp", "time": "Fri Jun 05 14:44:58 2009 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Jun 09 09:30:21 2009 +1000" }, "message": "TOMOYO: Remove unused field.\n\nTOMOYO 2.2.0 is not using total_len field of \"struct tomoyo_path_info\".\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "39826a1e17c1957bd7b5cd7815b83940e5e3a230", "tree": "c1452c0293b7f2f4bce2c36d3b5aea8e4020ff3e", "parents": [ "17a7b7b39056a82c5012539311850f202e6c3cd4" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Wed Apr 08 22:31:28 2009 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Apr 14 09:15:02 2009 +1000" }, "message": "tomoyo: version bump to 2.2.0.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "a0558fc3491c0494feb8472cf6c0119e43fd9484", "tree": "e26a2baaa63c07761686f97cde9aa4aaa527f82f", "parents": [ "d508afb437daee7cf07da085b635c44a4ebf9b38" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Mon Apr 06 20:49:14 2009 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Apr 07 16:08:56 2009 +1000" }, "message": "tomoyo: remove \"undelete domain\" command.\n\nSince TOMOYO\u0027s policy management tools does not use the \"undelete domain\"\ncommand, we decided to remove that command.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "a106cbfd1f3703402fc2d95d97e7a054102250f0", "tree": "f386efb92e2c68bbd15900b6f14a56c444c28556", "parents": [ "1987f17d2266e882862528841429b5bf67bc8fe5" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@i-love.sakura.ne.jp", "time": "Fri Mar 27 13:12:16 2009 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Mar 27 19:03:44 2009 +1100" }, "message": "TOMOYO: Fix a typo.\n\nFix a typo.\n\nReported-by: Pavel Machek \u003cpavel@ucw.cz\u003e\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "9590837b89aaa4523209ac91c52db5ea0d9142fd", "tree": "0e7e3febb1f6106be0e45c281309078f6c1cd7e6", "parents": [ "c73bd6d473ceb5d643d3afd7e75b7dc2e6918558" ], "author": { "name": "Kentaro Takeda", "email": "takedakn@nttdata.co.jp", "time": "Thu Feb 05 17:18:13 2009 +0900" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Feb 12 15:15:04 2009 +1100" }, "message": "Common functions for TOMOYO Linux.\n\nThis file contains common functions (e.g. policy I/O, pattern matching).\n\n-------------------- About pattern matching --------------------\n\nSince TOMOYO Linux is a name based access control, TOMOYO Linux seriously\nconsiders \"safe\" string representation.\n\nTOMOYO Linux\u0027s string manipulation functions make reviewers feel crazy,\nbut there are reasons why TOMOYO Linux needs its own string manipulation\nfunctions.\n\n----- Part 1 : preconditions -----\n\nPeople definitely want to use wild card.\n\n To support pattern matching, we have to support wild card characters.\n\n In a typical Linux system, filenames are likely consists of only alphabets,\n numbers, and some characters (e.g. + - ~ . / ).\n But theoretically, the Linux kernel accepts all characters but NUL character\n (which is used as a terminator of a string).\n\n Some Linux systems can have filenames which contain * ? ** etc.\n\nTherefore, we have to somehow modify string so that we can distinguish\nwild card characters and normal characters.\n\n It might be possible for some application\u0027s configuration files to restrict\n acceptable characters.\n It is impossible for kernel to restrict acceptable characters.\n\n We can\u0027t accept approaches which will cause troubles for applications.\n\n----- Part 2 : commonly used approaches -----\n\nText formatted strings separated by space character (0x20) and new line\ncharacter (0x0A) is more preferable for users over array of NUL-terminated\nstring.\n\n Thus, people use text formatted configuration files separated by space\n character and new line.\n\nWe sometimes need to handle non-printable characters.\n\n Thus, people use \\ character (0x5C) as escape character and represent\n non-printable characters using octal or hexadecimal format.\n\nAt this point, we remind (at least) 3 approaches.\n\n (1) Shell glob style expression\n (2) POSIX regular expression (UNIX style regular expression)\n (3) Maverick wild card expression\n\nOn the surface, (1) and (2) sound good choices. But they have a big pitfall.\nAll meta-characters in (1) and (2) are legal characters for representing\na pathname, and users easily write incorrect expression. What is worse, users\nunlikely notice incorrect expressions because characters used for regular\npathnames unlikely contain meta-characters. This incorrect use of\nmeta-characters in pathname representation reveals vulnerability\n(e.g. unexpected results) only when irregular pathname is specified.\n\nThe authors of TOMOYO Linux think that approaches which adds some character\nfor interpreting meta-characters as normal characters (i.e. (1) and (2)) are\nnot suitable for security use.\n\nTherefore, the authors of TOMOYO Linux propose (3).\n\n----- Part 3: consideration points -----\n\nWe need to solve encoding problem.\n\n A single character can be represented in several ways using encodings.\n\n For Japanese language, there are \"ShiftJIS\", \"ISO-2022-JP\", \"EUC-JP\",\n \"UTF-8\" and more.\n\n Some languages (e.g. Japanese language) supports multi-byte characters\n (where a single character is represented using several bytes).\n\n Some multi-byte characters may match the escape character.\n\n For Japanese language, some characters in \"ShiftJIS\" encoding match\n \\ character, and bothering Web\u0027s CGI developers.\n\n It is important that the kernel string is not bothered by encoding problem.\n\n Linus said, \"I really would expect that kernel strings don\u0027t have\n an encoding. They\u0027re just C strings: a NUL-terminated stream of bytes.\"\n http://lkml.org/lkml/2007/11/6/142\n\n Yes. The kernel strings are just C strings.\n We are talking about how to store and carry \"kernel strings\" safely.\n\n If we store \"kernel string\" into policy file as-is, the \"kernel string\" will\n be interpreted differently depending on application\u0027s encoding settings.\n One application may interpret \"kernel string\" as \"UTF-8\",\n another application may interpret \"kernel string\" as \"ShiftJIS\".\n\n Therefore, we propose to represent strings using ASCII encoding.\n In this way, we are no longer bothered by encoding problems.\n\nWe need to avoid information loss caused by display.\n\n It is difficult to input and display non-printable characters, but we have to\n be able to handle such characters because the kernel string is a C string.\n\n If we use only ASCII printable characters (from 0x21 to 0x7E) and space\n character (0x20) and new line character (0x0A), it is easy to input from\n keyboard and display on all terminals which is running Linux.\n\n Therefore, we propose to represent strings using only characters which value\n is one of \"from 0x21 to 0x7E\", \"0x20\", \"0x0A\".\n\nWe need to consider ease of splitting strings from a line.\n\n If we use an approach which uses \"\\ \" for representing a space character\n within a string, we have to count the string from the beginning to check\n whether this space character is accompanied with \\ character or not.\n As a result, we cannot monotonically split a line using space character.\n\n If we use an approach which uses \"\\040\" for representing a space character\n within a string, we can monotonically split a line using space character.\n\n If we use an approach which uses NUL character as a delimiter, we cannot\n use string manipulation functions for splitting strings from a line.\n\n Therefore, we propose that we represent space character as \"\\040\".\n\nWe need to avoid wrong designations (incorrect use of special characters).\n\n Not all users can understand and utilize POSIX\u0027s regular expressions\n correctly and perfectly.\n\n If a character acts as a wild card by default, the user will get unexpected\n result if that user didn\u0027t know the meaning of that character.\n\n Therefore, we propose that all characters but \\ character act as\n a normal character and let the user add \\ character to make a character\n act as a wild card.\n\n In this way, users needn\u0027t to know all wild card characters beforehand.\n They can learn when they encountered an unseen wild card character\n for their first time.\n\n----- Part 4: supported wild card expressions -----\n\nAt this point, we have wild card expressions listed below.\n\n +-----------+--------------------------------------------------------------+\n | Wild card | Meaning and example |\n +-----------+--------------------------------------------------------------+\n | \\* | More than or equals to 0 character other than \u0027/\u0027. |\n | | /var/log/samba/\\* |\n +-----------+--------------------------------------------------------------+\n | \\@ | More than or equals to 0 character other than \u0027/\u0027 or \u0027.\u0027. |\n | | /var/www/html/\\@.html |\n +-----------+--------------------------------------------------------------+\n | \\? | 1 byte character other than \u0027/\u0027. |\n | | /tmp/mail.\\?\\?\\?\\?\\?\\? |\n +-----------+--------------------------------------------------------------+\n | \\$ | More than or equals to 1 decimal digit. |\n | | /proc/\\$/cmdline |\n +-----------+--------------------------------------------------------------+\n | \\+ | 1 decimal digit. |\n | | /var/tmp/my_work.\\+ |\n +-----------+--------------------------------------------------------------+\n | \\X | More than or equals to 1 hexadecimal digit. |\n | | /var/tmp/my-work.\\X |\n +-----------+--------------------------------------------------------------+\n | \\x | 1 hexadecimal digit. |\n | | /tmp/my-work.\\x |\n +-----------+--------------------------------------------------------------+\n | \\A | More than or equals to 1 alphabet character. |\n | | /var/log/my-work/\\$-\\A-\\$.log |\n +-----------+--------------------------------------------------------------+\n | \\a | 1 alphabet character. |\n | | /home/users/\\a/\\*/public_html/\\*.html |\n +-----------+--------------------------------------------------------------+\n | \\- | Pathname subtraction operator. |\n | | +---------------------+------------------------------------+ |\n | | | Example | Meaning | |\n | | +---------------------+------------------------------------+ |\n | | | /etc/\\* | All files in /etc/ directory. | |\n | | +---------------------+------------------------------------+ |\n | | | /etc/\\*\\-\\*shadow\\* | /etc/\\* other than /etc/\\*shadow\\* | |\n | | +---------------------+------------------------------------+ |\n | | | /\\*\\-proc\\-sys/ | /\\*/ other than /proc/ /sys/ | |\n | | +---------------------+------------------------------------+ |\n +-----------+--------------------------------------------------------------+\n\n +----------------+---------------------------------------------------------+\n | Representation | Meaning and example |\n +----------------+---------------------------------------------------------+\n | \\\\ | backslash character itself. |\n +----------------+---------------------------------------------------------+\n | \\ooo | 1 byte character. |\n | | ooo is 001 \u003c\u003d ooo \u003c\u003d 040 || 177 \u003c\u003d ooo \u003c\u003d 377. |\n | | |\n | | \\040 for space character. |\n | | \\177 for del character. |\n | | |\n +----------------+---------------------------------------------------------+\n\n----- Part 5: Advantages -----\n\nWe can obtain extensibility.\n\n Since our proposed approach adds \\ to a character to interpret as a wild\n card, we can introduce new wild card in future while maintaining backward\n compatibility.\n\nWe can process monotonically.\n\n Since our proposed approach separates strings using a space character,\n we can split strings using existing string manipulation functions.\n\nWe can reliably analyze access logs.\n\n It is guaranteed that a string doesn\u0027t contain space character (0x20) and\n new line character (0x0A).\n\n It is guaranteed that a string won\u0027t be converted by FTP and won\u0027t be damaged\n by a terminal\u0027s settings.\n\n It is guaranteed that a string won\u0027t be affected by encoding converters\n (except encodings which insert NUL character (e.g. UTF-16)).\n\n----- Part 6: conclusion -----\n\nTOMOYO Linux is using its own encoding with reasons described above.\nThere is a disadvantage that we need to introduce a series of new string\nmanipulation functions. But TOMOYO Linux\u0027s encoding is useful for all users\n(including audit and AppArmor) who want to perform pattern matching and\nsafely exchange string information between the kernel and the userspace.\n\n-------------------- About policy interface --------------------\n\nTOMOYO Linux creates the following files on securityfs (normally\nmounted on /sys/kernel/security) as interfaces between kernel and\nuserspace. These files are for TOMOYO Linux management tools *only*,\nnot for general programs.\n\n * profile\n * exception_policy\n * domain_policy\n * manager\n * meminfo\n * self_domain\n * version\n * .domain_status\n * .process_status\n\n** /sys/kernel/security/tomoyo/profile **\n\nThis file is used to read or write profiles.\n\n\"profile\" means a running mode of process. A profile lists up\nfunctions and their modes in \"$number-$variable\u003d$value\" format. The\n$number is profile number between 0 and 255. Each domain is assigned\none profile. To assign profile to domains, use \"ccs-setprofile\" or\n\"ccs-editpolicy\" or \"ccs-loadpolicy\" commands.\n\n(Example)\n[root@tomoyo]# cat /sys/kernel/security/tomoyo/profile\n0-COMMENT\u003d-----Disabled Mode-----\n0-MAC_FOR_FILE\u003ddisabled\n0-MAX_ACCEPT_ENTRY\u003d2048\n0-TOMOYO_VERBOSE\u003ddisabled\n1-COMMENT\u003d-----Learning Mode-----\n1-MAC_FOR_FILE\u003dlearning\n1-MAX_ACCEPT_ENTRY\u003d2048\n1-TOMOYO_VERBOSE\u003ddisabled\n2-COMMENT\u003d-----Permissive Mode-----\n2-MAC_FOR_FILE\u003dpermissive\n2-MAX_ACCEPT_ENTRY\u003d2048\n2-TOMOYO_VERBOSE\u003denabled\n3-COMMENT\u003d-----Enforcing Mode-----\n3-MAC_FOR_FILE\u003denforcing\n3-MAX_ACCEPT_ENTRY\u003d2048\n3-TOMOYO_VERBOSE\u003denabled\n\n- MAC_FOR_FILE:\nSpecifies access control level regarding file access requests.\n- MAX_ACCEPT_ENTRY:\nLimits the max number of ACL entries that are automatically appended\nduring learning mode. Default is 2048.\n- TOMOYO_VERBOSE:\nSpecifies whether to print domain policy violation messages or not.\n\n** /sys/kernel/security/tomoyo/manager **\n\nThis file is used to read or append the list of programs or domains\nthat can write to /sys/kernel/security/tomoyo interface. By default,\nonly processes with both UID \u003d 0 and EUID \u003d 0 can modify policy via\n/sys/kernel/security/tomoyo interface. You can use keyword\n\"manage_by_non_root\" to allow policy modification by non root user.\n\n(Example)\n[root@tomoyo]# cat /sys/kernel/security/tomoyo/manager\n/usr/lib/ccs/loadpolicy\n/usr/lib/ccs/editpolicy\n/usr/lib/ccs/setlevel\n/usr/lib/ccs/setprofile\n/usr/lib/ccs/ld-watch\n/usr/lib/ccs/ccs-queryd\n\n** /sys/kernel/security/tomoyo/exception_policy **\n\nThis file is used to read and write system global settings. Each line\nhas a directive and operand pair. Directives are listed below.\n\n- initialize_domain:\nTo initialize domain transition when specific program is executed,\nuse initialize_domain directive.\n * initialize_domain \"program\" from \"domain\"\n * initialize_domain \"program\" from \"the last program part of domain\"\n * initialize_domain \"program\"\nIf the part \"from\" and after is not given, the entry is applied to\nall domain. If the \"domain\" doesn\u0027t start with \"\u003ckernel\u003e\", the entry\nis applied to all domain whose domainname ends with \"the last program\npart of domain\".\nThis directive is intended to aggregate domain transitions for daemon\nprogram and program that are invoked by the kernel on demand, by\ntransiting to different domain.\n\n- keep_domain\nTo prevent domain transition when program is executed from specific\ndomain, use keep_domain directive.\n * keep_domain \"program\" from \"domain\"\n * keep_domain \"program\" from \"the last program part of domain\"\n * keep_domain \"domain\"\n * keep_domain \"the last program part of domain\"\nIf the part \"from\" and before is not given, this entry is applied to\nall program. If the \"domain\" doesn\u0027t start with \"\u003ckernel\u003e\", the entry\nis applied to all domain whose domainname ends with \"the last program\npart of domain\".\nThis directive is intended to reduce total number of domains and\nmemory usage by suppressing unneeded domain transitions.\nTo declare domain keepers, use keep_domain directive followed by\ndomain definition.\nAny process that belongs to any domain declared with this directive,\nthe process stays at the same domain unless any program registered\nwith initialize_domain directive is executed.\n\nIn order to control domain transition in detail, you can use\nno_keep_domain/no_initialize_domain keywrods.\n\n- alias:\nTo allow executing programs using the name of symbolic links, use\nalias keyword followed by dereferenced pathname and reference\npathname. For example, /sbin/pidof is a symbolic link to\n/sbin/killall5 . In normal case, if /sbin/pidof is executed, the\ndomain is defined as if /sbin/killall5 is executed. By specifying\n\"alias /sbin/killall5 /sbin/pidof\", you can run /sbin/pidof in the\ndomain for /sbin/pidof .\n(Example)\nalias /sbin/killall5 /sbin/pidof\n\n- allow_read:\nTo grant unconditionally readable permissions, use allow_read keyword\nfollowed by canonicalized file. This keyword is intended to reduce\nsize of domain policy by granting read access to library files such\nas GLIBC and locale files. Exception is, if ignore_global_allow_read\nkeyword is given to a domain, entries specified by this keyword are\nignored.\n(Example)\nallow_read /lib/libc-2.5.so\n\n- file_pattern:\nTo declare pathname pattern, use file_pattern keyword followed by\npathname pattern. The pathname pattern must be a canonicalized\nPathname. This keyword is not applicable to neither granting execute\npermissions nor domain definitions.\nFor example, canonicalized pathname that contains a process ID\n(i.e. /proc/PID/ files) needs to be grouped in order to make access\ncontrol work well.\n(Example)\nfile_pattern /proc/\\$/cmdline\n\n- path_group\nTo declare pathname group, use path_group keyword followed by name of\nthe group and pathname pattern. For example, if you want to group all\nfiles under home directory, you can define\n path_group HOME-DIR-FILE /home/\\*/\\*\n path_group HOME-DIR-FILE /home/\\*/\\*/\\*\n path_group HOME-DIR-FILE /home/\\*/\\*/\\*/\\*\nin the exception policy and use like\n allow_read @HOME-DIR-FILE\nto grant file access permission.\n\n- deny_rewrite:\nTo deny overwriting already written contents of file (such as log\nfiles) by default, use deny_rewrite keyword followed by pathname\npattern. Files whose pathname match the patterns are not permitted to\nopen for writing without append mode or truncate unless the pathnames\nare explicitly granted using allow_rewrite keyword in domain policy.\n(Example)\ndeny_rewrite /var/log/\\*\n\n- aggregator\nTo deal multiple programs as a single program, use aggregator keyword\nfollowed by name of original program and aggregated program. This\nkeyword is intended to aggregate similar programs.\nFor example, /usr/bin/tac and /bin/cat are similar. By specifying\n\"aggregator /usr/bin/tac /bin/cat\", you can run /usr/bin/tac in the\ndomain for /bin/cat .\nFor example, /usr/sbin/logrotate for Fedora Core 3 generates programs\nlike /tmp/logrotate.\\?\\?\\?\\?\\?\\? and run them, but TOMOYO Linux\ndoesn\u0027t allow using patterns for granting execute permission and\ndefining domains. By specifying\n\"aggregator /tmp/logrotate.\\?\\?\\?\\?\\?\\? /tmp/logrotate.tmp\", you can\nrun /tmp/logrotate.\\?\\?\\?\\?\\?\\? as if /tmp/logrotate.tmp is running.\n\n** /sys/kernel/security/tomoyo/domain_policy **\n\nThis file contains definition of all domains and permissions that are\ngranted to each domain.\n\nLines from the next line to a domain definition ( any lines starting\nwith \"\u003ckernel\u003e\") to the previous line to the next domain definitions\nare interpreted as access permissions for that domain.\n\n** /sys/kernel/security/tomoyo/meminfo **\n\nThis file is to show the total RAM used to keep policy in the kernel\nby TOMOYO Linux in bytes.\n(Example)\n[root@tomoyo]# cat /sys/kernel/security/tomoyo/meminfo\nShared: 61440\nPrivate: 69632\nDynamic: 768\nTotal: 131840\n\nYou can set memory quota by writing to this file.\n(Example)\n[root@tomoyo]# echo Shared: 2097152 \u003e /sys/kernel/security/tomoyo/meminfo\n[root@tomoyo]# echo Private: 2097152 \u003e /sys/kernel/security/tomoyo/meminfo\n\n** /sys/kernel/security/tomoyo/self_domain **\n\nThis file is to show the name of domain the caller process belongs to.\n(Example)\n[root@etch]# cat /sys/kernel/security/tomoyo/self_domain\n\u003ckernel\u003e /usr/sbin/sshd /bin/zsh /bin/cat\n\n** /sys/kernel/security/tomoyo/version **\n\nThis file is used for getting TOMOYO Linux\u0027s version.\n(Example)\n[root@etch]# cat /sys/kernel/security/tomoyo/version\n2.2.0-pre\n\n** /sys/kernel/security/tomoyo/.domain_status **\n\nThis is a view (of a DBMS) that contains only profile number and\ndomainnames of domain so that \"ccs-setprofile\" command can do\nline-oriented processing easily.\n\n** /sys/kernel/security/tomoyo/.process_status **\n\nThis file is used by \"ccs-ccstree\" command to show \"list of processes\ncurrently running\" and \"domains which each process belongs to\" and\n\"profile number which the domain is currently assigned\" like \"pstree\"\ncommand. This file is writable by programs that aren\u0027t registered as\npolicy manager.\n\nSigned-off-by: Kentaro Takeda \u003ctakedakn@nttdata.co.jp\u003e\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Toshiharu Harada \u003charadats@nttdata.co.jp\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" } ] }