TOMOYO
ForkHello.
On November 11th, 2008, TOMOYO Linux 1.6.5 was released.
TOMOYO Linux was released as GPL on November 11th, 2005.
Therefore, this is the third anniversary release. :-)
This release includes various modifications. Major change is done for making
TOMOYO Linux 1.6.5's source code easier to port to TOMOYO Linux 2.2.0-pre
(which is designed to use LSM for inclusion into upstream kernels).
Below is the list of changes regarding ccs-patch package.
(1) BUGFIX: An ACL entry without pathnames couldn't handle task.state keyword
in "if" part of the ACL entry.
Due to a bug in ccs_check_condition(), it was impossible to use
task.state[0] task.state[1] task.state[2] inside condition part
if the ACL entry does not treat a pathname. For example, an ACL entry like
allow_network TCP connect @HTTP_SERVERS 80 if task.state[0]=100
didn't work.
(2) BUGFIX: Pattern matching for \A and \a was incorrect.
Due to a bug in is_alphabet_char(), TOMOYO Linux's wildcard characters
'\a' and '\A' were matching only 'A' - 'F' and 'a' - 'f',
while the documentation says they match 'A' - 'Z' and 'a' - 'z'.
This bug was introduced in 1.6.0 , and was fixed in 1.6.5 .
(3) BUGFIX: Use rcu_dereference() when walking the list.
I was using "dependency ordering" for appending an element to a list
without asking the reader to take a lock. But "dependency ordering"
is not respected by DEC Alpha or by some aggressive value-speculation
compiler optimizations.
On such environment, use of "dependency ordering" can lead to system
crash because the reader might read uninitialized value of newly
appended element.
To prevent the reader from reading uninitialized value of newly appended
element, I inserted rcu_dereference() when walking the list.
(4) BUGFIX: Use sys_getpid() instead for current->pid.
Kernel 2.6.24 introduced PID namespace.
To compare PID given from userland, I can't use current->pid.
So, I modified to use sys_getpid() instead for current->pid.
(5) BUGFIX: Use task_tgid_nr_ns() instead for current->tgid when checking
/proc/self/ in get_absolute_path().
I modified to use task_tgid_nr_ns() for 2.6.25 and later instead for
current->tgid when checking /proc/self/ .
(6) ENHANCEMENT: Remember whether the process is allowed to write to /proc/ccs/
interface.
Since programs for manipulating policy (e.g. ccs-queryd ) are installed
in the form of RPM/DEB packages, these programs lose the original
pathnames when they are updated by the package manager. The package
manager renames these programs before deleting these programs so that
the package manager can rollback the operation.
This causes a problem when the programs are listed into /proc/ccs/manager
using pathnames, as the programs will no longer be allowed to write to
/proc/ccs/ interface while the process of old version of the program is
alive.
To solve this problem, I modified to remember the fact that the process
is once allowed to write to /proc/ccs/ interface until the process
attempts to execute a different program.
This change makes it impossible to revoke permission to write to
/proc/ccs/ interface without killing the process, but it will be better
than nonfunctioning ccs-queryd program.
(7) ENHANCEMENT: Generate more accurate "access granted logs".
If you gave an entry with "; set task.state" part, regarding 1.6.0 to
1.6.4, the kernel generated "access granted logs" using process's state
variables after processing that part.
Regarding 1.6.5 , the kernel generates "access granted logs" using
process's state variables before processing that part.
(8) ENHANCEMENT: Add "try again" response to "delayed enforcing" mode.
To be able to handle pathname changes caused by software updates,
"delayed enforcing" mode was introduced. It allows administrator to
grant access requests which are about to be rejected by the kernel.
To be able to handle pathname changes caused by software updates better,
I introduced "try again" response. As "delayed enforcing" mode sleeps
a process which violated policy, administrator can update policy while
the process is sleeping. This "try again" response allows administrator
to restart policy checks from the beginning after updating policy.
Also, to be able to avoid infinite loop, I added "retry counter" to
logs obtained from /proc/ccs/query .
(9) ENHANCEMENT: Allow reading process's information via
/proc/ccs/.process_status interface.
Until 1.6.4 , there was no interface for reading process's task.state
variables.
1.6.5 supports new command "info PID" (where PID is an integer) to read
specified process's task.state variables.
(10) ENHANCEMENT: Add /proc/ccs/.execute_handler interface.
The execute_handler keyword, which was introduced in 1.6.0 , is very very
powerful. You can use this keyword to do anything you want to do (e.g.
logging and validating and modifying command line parameters and
environment variables, opening and closing and redirecting files,
creating pipes to implement antivirus and spam filtering, deploying a DMZ
between the ssh daemon and the login shells).
However, there was no interface for telling whether the current process was
executed by the kernel (i.e. as an execute_handler process) or by the user
(i.e. as a regular process). If the current process was executed by the
user, we can't trust command line parameters.
To be able to tell whether the current process was executed by the kernel
or by the user, a new interface /proc/ccs/.execute_handler which only
processes executed as an execute_handler process can open was added.
The contents available via this interface is identical to
/proc/ccs/.process_status interface.
(11) ENHANCEMENT: Allow selecting single domain by PID or by domainname.
Sometimes we want to know what ACLs are given to specific PID, but
finding a domainname for that PID from /proc/ccs/.process_status and
reading ACLs from /proc/ccs/domain_policy by the domainname is very slow.
Thus, I modified /proc/ccs/domain_policy to allow selecting a domain by
PID. For example, to read domain ACL of current process from bash,
run as follows.
# exec 100<>/proc/ccs/domain_policy
# echo select pid=$$ >&100
# while read -u 100; do echo $REPLY; done
If a domain is once selected by PID, reading /proc/ccs/domain_policy will
print only that domain if that PID exists or print nothing otherwise.
Likewise, to read domain ACL of only "<kernel> /usr/sbin/sshd" domain from
bash, run as follows.
# exec 100<>/proc/ccs/domain_policy
# echo 'select domain=<kernel> /usr/sbin/sshd' >&100
# while read -u 100; do echo $REPLY; done
(12) ENHANCEMENT: Domain transition occurs only after do_execve() succeeds.
Until now, a process's domain was updated to new domain which the process
will belongs to before do_execve() succeeds so that the kernel can do
permission checks for interpreters and environment variables based on
new domain.
But, "Copy on write credentials" patchset is proposed and a LSM hook
which is called whenever do_execve() finished is going to be removed.
This means that "TOMOYO Linux 2.2.x cannot rollback to old domain"
if "a process's domain is updated to new domain which the process will
belong to before do_execve() succeeds" and "do_execve() failed".
Therefore, I modified TOMOYO Linux 1.6.5 not to update a process's domain
before do_execve() succeeds. The amount of this modification is large, but
this modification will make it easier to port TOMOYO Linux 1.6.5 to TOMOYO
Linux 2.2.0-pre .
(13) MISC: Included patches for 26 vanilla kernels ( 2.4.30 - 2.4.37-rc2 /
2.6.11 - 2.6.28-rc4 ) and 34 distributor's kernels.
I'm building binary packages now, please wait...
(14) MISC: Changed the command line of making tar ball.
Until 1.6.4, I was using the command line
tar -zcf /path/to/tarball.tar.gz --exclude .svn -- .
when making the tar ball.
However, doing so changes directory's permission when the tar ball was
extracted in a directory which has permissions other than 0755 .
For example, extracting the tar ball in /tmp/ directory changes
the permission from 1777 to 0755 and caused troubles.
Therefore, I changed the command line to
tar -zcf /path/to/tarball.tar.gz --exclude .svn -- *
when making the tar ball.
Please be careful when extracting the tar ball using pathname patterns,
Below is the list of changes regarding ccs-tools package.
(1) BUGFIX: ccs-editpolicy : Correct handling IPv6 address ranges for 'O'
command.
Due to a bug in parse_ip(), IPv6's end address was ignored when calculating
entries for 'O' command.
(2) BUGFIX: ccs-editpolicy_offline : Clear buffer before saving policy.
There are two policy editors. One is named "ccs-editpolicy" for editing
/proc/ccs/ directory. The other is named "ccs-editpolicy_offline" for
editing /etc/ccs/ directory.
Only "ccs-editpolicy_offline" needs to save on memory policy into /etc/ccs/
directory, but I forgot to clear the buffer used in
"<<< Domain Transition Editor >>>" screen before saving policy.
As a result part of invalid domain policy was written into
/etc/ccs/domain_policy .
(3) BUGFIX: convert-exec-param : Handle logs with exec.argc=0 .
convert-exec-param was not able to handle allow_execute logs with
exec.argc=0 .
(4) BUGFIX: mailauth : Terminate password string.
Since the buffer for password is 16 bytes and the length of the password
was 16 bytes, the password string was not terminated by '\0' character.
This bug may print garbage characters after the password.
(5) ENHANCEMENT: Support policy file splitting.
Until 1.6.4 , policy files were only /etc/ccs/\*.conf .
In 1.6.5 , policy files became splittable into /etc/ccs/\*.base and
/etc/ccs/\*.conf . The former holds constant policy and is used for
read-only. The latter holds diffs against the former and is used for
read-write.
For compatibility, you don't have to create /etc/ccs/\*.base .
/etc/ccs/\*.base is intended to allow distributors to distribute ready made
policy configurations.
(6) ENHANCEMENT: Display ACL entries aligned.
Until 1.6.4 , there was only one space between directives and operands.
In 1.6.5, they are aligned to the longest directives.
This change will facilitate visualization.
Until 1.6.4
allow_create /tmp/file
allow_read/write /tmp/file
allow_unlink /tmp/file
In 1.6.5
allow_create /tmp/file
allow_read/write /tmp/file
allow_unlink /tmp/file
Since directives related to networking operations are long,
aligning the view to the longest networking directives makes goofy-looking.
Therefore, I aggregated the below 8 directives (until 1.6.4)
editpolicy.keyword_alias allow_network RAW bind = allow_network RAW bind
editpolicy.keyword_alias allow_network RAW connect = allow_network RAW connect
editpolicy.keyword_alias allow_network TCP accept = allow_network TCP accept
editpolicy.keyword_alias allow_network TCP bind = allow_network TCP bind
editpolicy.keyword_alias allow_network TCP connect = allow_network TCP connect
editpolicy.keyword_alias allow_network TCP listen = allow_network TCP listen
editpolicy.keyword_alias allow_network UDP bind = allow_network UDP bind
editpolicy.keyword_alias allow_network UDP connect = allow_network UDP connect
into the below 1 directive (in 1.6.5)
editpolicy.keyword_alias allow_network = allow_network
in /usr/lib/ccs/ccstools.conf configuration file.
(7) ENHANCEMENT: Update coding style.
Not only C programs in ccs-patch package but also C programs in ccs-tools
package can now pass coding style testing by scripts/checkpatch.pl .
A lot of modification was made, and various bugs were fixed.
But maybe some new bugs are embedded.
(8) ENHANCEMENT: ccs-editpolicy : Faster display "<<< Domain Policy Editor >>>"
screen.
As the kernel now supports "select domain=" command, the policy editor can
read only single domain's domain policy. Thus, times needed for displaying
"<<< Domain Policy Editor >>>" was shortened dramatically.
(9) CHANGE: timeauth : Echo key inputs.
I planned to have "timeauth" demo in my PacSec2008's presentation.
But I thought that echoing inputs as '*' character makes impossible to tell
whether password is wrong or timing is wrong.
Thus, I modified to echo inputs.
If you are using "timeauth" in real systems, you can modify "timeauth.c"
and recompile it.
(10) NEW: env_chk.c : An example of execute_handler keyword.
I added this program for my PacSec2008's presentation to have
environment-variable-based authentication.
This is in a form of source code. Binary program is not included in binary
ccs-tools packages.
Thanks.