#
254a8ed6 |
|
11-Aug-2023 |
GONG, Ruiqi <gongruiqi1@huawei.com> |
tomoyo: remove unused function declaration The last usage of tomoyo_check_flags() has been removed by commit 57c2590fb7fd ("TOMOYO: Update profile structure."). Clean up its residual declaration. Signed-off-by: GONG, Ruiqi <gongruiqi1@huawei.com> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
|
#
a959dbd9 |
|
19-Jul-2023 |
Christian Göttsche <cgzones@googlemail.com> |
tomoyo: add format attributes to functions Format attributes on functions taking format string can help compilers detect argument type or count mismatches. Please the compiler when building with W=1:

security/tomoyo/audit.c: In function ‘tomoyo_init_log’:
security/tomoyo/audit.c:290:9: error: function ‘tomoyo_init_log’ might be a candidate for ‘gnu_printf’ format attribute [-Werror=suggest-attribute=format]
  290 |         vsnprintf(buf + pos, len - pos, fmt, args);
      |         ^~~~~~~~~
security/tomoyo/audit.c: In function ‘tomoyo_write_log2’:
security/tomoyo/audit.c:376:9: error: function ‘tomoyo_write_log2’ might be a candidate for ‘gnu_printf’ format attribute [-Werror=suggest-attribute=format]
  376 |         buf = tomoyo_init_log(r, len, fmt, args);
      |         ^~~
security/tomoyo/common.c: In function ‘tomoyo_addprintf’:
security/tomoyo/common.c:193:9: error: function ‘tomoyo_addprintf’ might be a candidate for ‘gnu_printf’ format attribute [-Werror=suggest-attribute=format]
  193 |         vsnprintf(buffer + pos, len - pos - 1, fmt, args);
      |         ^~~~~~~~~

Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
|
#
c120c984 |
|
28-Feb-2023 |
Vlastimil Babka <vbabka@suse.cz> |
tomoyo: replace tomoyo_round2() with kmalloc_size_roundup() It seems tomoyo has had its own implementation of what kmalloc_size_roundup() does today. Remove the function tomoyo_round2() and replace it with kmalloc_size_roundup(). It provides more accurate results and doesn't contain a while loop. Signed-off-by: Vlastimil Babka <vbabka@suse.cz> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
|
#
ea181a34 |
|
26-Jan-2022 |
Lucas De Marchi <lucas.demarchi@intel.com> |
tomoyo: Use str_yes_no() Remove the local yesno() implementation and adopt the str_yes_no() from linux/string_helpers.h. Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com> Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20220126093951.1470898-11-lucas.demarchi@intel.com
|
#
be619f7f |
|
12-Jul-2020 |
Eric W. Biederman <ebiederm@xmission.com> |
exec: Implement kernel_execve To allow the kernel not to play games with set_fs to call exec implement kernel_execve. The function kernel_execve takes pointers into kernel memory and copies the values pointed to onto the new userspace stack. The calls with arguments from kernel space of do_execve are replaced with calls to kernel_execve. The calls do_execve and do_execveat are made static as there are now no callers outside of exec. The comments that mention do_execve are updated to refer to kernel_execve or execve depending on the circumstances. In addition to correcting the comments, this makes it easy to grep for do_execve and verify it is not used. Inspired-by: https://lkml.kernel.org/r/20200627072704.2447163-1-hch@lst.de Reviewed-by: Kees Cook <keescook@chromium.org> Link: https://lkml.kernel.org/r/87wo365ikj.fsf@x220.int.ebiederm.org Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
|
#
861f4bcf |
|
16-Feb-2019 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
tomoyo: Bump version. Update URLs and profile version. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <james.morris@microsoft.com>
|
#
4b425641 |
|
24-Jan-2019 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
tomoyo: Allow multiple use_group lines. Being able to specify multiple "use_group" lines makes it easier to write whitelisted policies. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <james.morris@microsoft.com>
|
#
cdcf6723 |
|
24-Jan-2019 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
tomoyo: Coding style fix. Follow many of recommendations by scripts/checkpatch.pl, and follow "lift switch variables out of switches" by Kees Cook. This patch makes no functional change. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <james.morris@microsoft.com>
|
#
8c6cb983 |
|
19-Jan-2019 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
tomoyo: Switch from cred->security to task_struct->security. TOMOYO security module is designed to use "struct task_struct"->security in order to allow per "struct task_struct" tracking without being disturbed by being unable to update "struct cred"->security due to override mechanism. Now that infrastructure-managed security blob is ready, this patch updates TOMOYO to use "struct task_struct"->security. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <james.morris@microsoft.com>
|
#
bbd3662a |
|
12-Nov-2018 |
Casey Schaufler <casey@schaufler-ca.com> |
Infrastructure management of the cred security blob Move management of the cred security blob out of the security modules and into the security infrastructure. Instead of allocating and freeing space the security modules tell the infrastructure how much space they require. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Kees Cook <keescook@chromium.org> [kees: adjusted for ordered init series] Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
43fc4609 |
|
21-Sep-2018 |
Casey Schaufler <casey@schaufler-ca.com> |
TOMOYO: Abstract use of cred security blob Don't use the cred->security pointer directly. Provide helper functions that provide the security blob pointer. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Kees Cook <keescook@chromium.org> [kees: adjusted for ordered init series] Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
c0d4be28 |
|
02-Jul-2017 |
Al Viro <viro@zeniv.linux.org.uk> |
tomoyo: annotate ->poll() instances Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
#
b2441318 |
|
01-Nov-2017 |
Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
License cleanup: add SPDX GPL-2.0 license identifier to files with no license

Many source files in the tree are missing licensing information, which makes it harder for compliance tools to determine the correct license.

By default all files without license information are under the default license of the kernel, which is GPL version 2.

Update the files which contain no license information with the 'GPL-2.0' SPDX license identifier. The SPDX identifier is a legally binding shorthand, which can be used instead of the full boiler plate text.

This patch is based on work done by Thomas Gleixner and Kate Stewart and Philippe Ombredanne.

How this work was done:

Patches were generated and checked against linux-4.14-rc6 for a subset of the use cases:
 - file had no licensing information in it.
 - file was a */uapi/* one with no licensing information in it,
 - file was a */uapi/* one with existing licensing information,

Further patches will be generated in subsequent months to fix up cases where non-standard license headers were used, and references to license had to be inferred by heuristics based on keywords.

The analysis to determine which SPDX License Identifier to be applied to a file was done in a spreadsheet of side by side results from the output of two independent scanners (ScanCode & Windriver) producing SPDX tag:value files created by Philippe Ombredanne. Philippe prepared the base worksheet, and did an initial spot review of a few 1000 files.

The 4.13 kernel was the starting point of the analysis with 60,537 files assessed. Kate Stewart did a file by file comparison of the scanner results in the spreadsheet to determine which SPDX license identifier(s) to be applied to the file. She confirmed any determination that was not immediately clear with lawyers working with the Linux Foundation.

Criteria used to select files for SPDX license identifier tagging was:
 - Files considered eligible had to be source code files.
 - Make and config files were included as candidates if they contained >5 lines of source
 - File already had some variant of a license header in it (even if <5 lines).

All documentation files were explicitly excluded.

The following heuristics were used to determine which SPDX license identifiers to apply.

 - when both scanners couldn't find any license traces, file was considered to have no license information in it, and the top level COPYING file license applied.

   For non */uapi/* files that summary was:

   SPDX license identifier                            # files
   ---------------------------------------------------|-------
   GPL-2.0                                              11139

   and resulted in the first patch in this series.

   If that file was a */uapi/* path one, it was "GPL-2.0 WITH Linux-syscall-note" otherwise it was "GPL-2.0". Results of that was:

   SPDX license identifier                            # files
   ---------------------------------------------------|-------
   GPL-2.0 WITH Linux-syscall-note                        930

   and resulted in the second patch in this series.

 - if a file had some form of licensing information in it, and was one of the */uapi/* ones, it was denoted with the Linux-syscall-note if any GPL family license was found in the file or had no licensing in it (per prior point). Results summary:

   SPDX license identifier                            # files
   ---------------------------------------------------|------
   GPL-2.0 WITH Linux-syscall-note                       270
   GPL-2.0+ WITH Linux-syscall-note                      169
   ((GPL-2.0 WITH Linux-syscall-note) OR BSD-2-Clause)    21
   ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause)    17
   LGPL-2.1+ WITH Linux-syscall-note                      15
   GPL-1.0+ WITH Linux-syscall-note                       14
   ((GPL-2.0+ WITH Linux-syscall-note) OR BSD-3-Clause)    5
   LGPL-2.0+ WITH Linux-syscall-note                       4
   LGPL-2.1 WITH Linux-syscall-note                        3
   ((GPL-2.0 WITH Linux-syscall-note) OR MIT)              3
   ((GPL-2.0 WITH Linux-syscall-note) AND MIT)             1

   and that resulted in the third patch in this series.

 - when the two scanners agreed on the detected license(s), that became the concluded license(s).

 - when there was disagreement between the two scanners (one detected a license but the other didn't, or they both detected different licenses) a manual inspection of the file occurred.

 - In most cases a manual inspection of the information in the file resulted in a clear resolution of the license that should apply (and which scanner probably needed to revisit its heuristics).

 - When it was not immediately clear, the license identifier was confirmed with lawyers working with the Linux Foundation.

 - If there was any question as to the appropriate license identifier, the file was flagged for further research and to be revisited later in time.

In total, over 70 hours of logged manual review was done on the spreadsheet to determine the SPDX license identifiers to apply to the source files by Kate, Philippe, Thomas and, in some cases, confirmation by lawyers working with the Linux Foundation.

Kate also obtained a third independent scan of the 4.13 code base from FOSSology, and compared selected files where the other two scanners disagreed against that SPDX file, to see if there were new insights. The Windriver scanner is based on an older version of FOSSology in part, so they are related.

Thomas did random spot checks in about 500 files from the spreadsheets for the uapi headers and agreed with SPDX license identifier in the files he inspected. For the non-uapi files Thomas did random spot checks in about 15000 files.

In initial set of patches against 4.14-rc6, 3 files were found to have copy/paste license identifier errors, and have been fixed to reflect the correct identifier.

Additionally Philippe spent 10 hours this week doing a detailed manual inspection and review of the 12,461 patched files from the initial patch version early this week with:
 - a full scancode scan run, collecting the matched texts, detected license ids and scores
 - reviewing anything where there was a license detected (about 500+ files) to ensure that the applied SPDX license was correct
 - reviewing anything where there was no detection but the patch license was not GPL-2.0 WITH Linux-syscall-note to ensure that the applied SPDX license was correct

This produced a worksheet with 20 files needing minor correction. This worksheet was then exported into 3 different .csv files for the different types of files to be modified.

These .csv files were then reviewed by Greg. Thomas wrote a script to parse the csv files and add the proper SPDX tag to the file, in the format that the file expected. This script was further refined by Greg based on the output to detect more types of files automatically and to distinguish between header and source .c files (which need different comment types.) Finally Greg ran the script using the .csv files to generate the patches.

Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org> Reviewed-by: Philippe Ombredanne <pombredanne@nexb.com> Reviewed-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
#
92734092 |
|
19-Oct-2017 |
Arnd Bergmann <arnd@arndb.de> |
tomoyo: fix timestamping for y2038 Tomoyo uses an open-coded version of time_to_tm() to create a timestamp from the current time as read by get_seconds(). This will overflow and give wrong results on 32-bit systems in 2038. To correct this, this changes the code to use ktime_get_real_seconds() and the generic time64_to_tm() function that are both y2038-safe. Using the library function avoids adding an expensive 64-bit division in this code and can benefit from any optimizations we do in common code. Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: James Morris <james.l.morris@oracle.com>
|
#
e6641edd |
|
25-Mar-2016 |
Al Viro <viro@zeniv.linux.org.uk> |
tomoyo: constify assorted struct path * Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
#
3f7036a0 |
|
08-Mar-2015 |
Al Viro <viro@zeniv.linux.org.uk> |
switch security_inode_getattr() to struct path * Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
#
22473862 |
|
08-Mar-2015 |
Al Viro <viro@zeniv.linux.org.uk> |
constify tomoyo_realpath_from_path() Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
#
e53cfda5 |
|
14-Apr-2013 |
Al Viro <viro@zeniv.linux.org.uk> |
tomoyo_close_control: don't bother with return value Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
#
808d4e3c |
|
11-Oct-2012 |
Al Viro <viro@zeniv.linux.org.uk> |
constify do_mount() arguments Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
#
609fcd1b |
|
07-Feb-2012 |
Eric W. Biederman <ebiederm@xmission.com> |
userns: Convert tomoyo to use kuid and kgid where appropriate Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
|
#
77b513dd |
|
13-May-2012 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Accept manager programs which do not start with / . The pathname of /usr/sbin/tomoyo-editpolicy seen from Ubuntu 12.04 Live CD is squashfs:/usr/sbin/tomoyo-editpolicy rather than /usr/sbin/tomoyo-editpolicy . Therefore, we need to accept manager programs which do not start with / . Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <james.l.morris@oracle.com>
|
#
6041e834 |
|
14-Mar-2012 |
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> |
TOMOYO: Return appropriate value to poll(). "struct file_operations"->poll() expects "unsigned int" return value. All files in /sys/kernel/security/tomoyo/ directory other than /sys/kernel/security/tomoyo/query and /sys/kernel/security/tomoyo/audit should return POLLIN | POLLRDNORM | POLLOUT | POLLWRNORM rather than -ENOSYS. Also, /sys/kernel/security/tomoyo/query and /sys/kernel/security/tomoyo/audit should return POLLOUT | POLLWRNORM rather than 0 when there is no data to read. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <james.l.morris@oracle.com>
|
#
d179333f |
|
26-Aug-2011 |
Al Viro <viro@zeniv.linux.org.uk> |
tomoyo_mini_stat: switch to umode_t Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
#
bb80d880 |
|
08-Dec-2011 |
Kees Cook <keescook@chromium.org> |
tomoyo: add missing rcu_dereference() Adds a missed rcu_dereference() around real_parent. Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
a427fd14 |
|
25-Sep-2011 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Remove tomoyo_policy_memory_lock spinlock. tomoyo_policy_lock mutex already protects it. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
f9732ea1 |
|
25-Sep-2011 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Simplify garbage collector. When TOMOYO started using garbage collector at commit 847b173e "TOMOYO: Add garbage collector.", we waited for close() before kfree(). Thus, elements to be kfree()d were queued up using tomoyo_gc_list list. But it turned out that tomoyo_element_linked_by_gc() tends to choke garbage collector when certain pattern of entries are queued. Since garbage collector is no longer waiting for close() since commit 2e503bbb "TOMOYO: Fix lockdep warning.", we can remove tomoyo_gc_list list and tomoyo_element_linked_by_gc() by doing sequential processing. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
778c4a4d |
|
25-Sep-2011 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Fix make namespacecheck warnings. Commit efe836ab "TOMOYO: Add built-in policy support." introduced tomoyo_load_builtin_policy() but was by error called from nowhere. Commit b22b8b9f "TOMOYO: Rename meminfo to stat and show more statistics." introduced tomoyo_update_stat() but was by error not called from tomoyo_assign_domain(). Also, mark tomoyo_io_printf() and tomoyo_path_permission() static functions, as reported by "make namespacecheck". Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
6bce98ed |
|
16-Sep-2011 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Allow specifying domain transition preference. I got an opinion that it is difficult to use exception policy's domain transition control directives because they need to match the pathname specified to "file execute" directives. For example, if "file execute /bin/\*\-ls\-cat" is given, corresponding domain transition control directive needs to be like "no_keep_domain /bin/\*\-ls\-cat from any". If we can specify like below, it will become more convenient.

file execute /bin/ls keep exec.realpath="/bin/ls" exec.argv[0]="ls"
file execute /bin/cat keep exec.realpath="/bin/cat" exec.argv[0]="cat"
file execute /bin/\*\-ls\-cat child
file execute /usr/sbin/httpd <apache> exec.realpath="/usr/sbin/httpd" exec.argv[0]="/usr/sbin/httpd"

In above examples, "keep" works as if keep_domain is specified, "child" works as if "no_reset_domain" and "no_initialize_domain" and "no_keep_domain" are specified, "<apache>" causes domain transition to <apache> domain upon successful execve() operation. Moreover, we can also allow transition to different domains based on conditions like below example.

<kernel> /usr/sbin/sshd
file execute /bin/bash <kernel> /usr/sbin/sshd //batch-session exec.argc=2 exec.argv[1]="-c"
file execute /bin/bash <kernel> /usr/sbin/sshd //root-session task.uid=0
file execute /bin/bash <kernel> /usr/sbin/sshd //nonroot-session task.uid!=0

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
843d183c |
|
14-Sep-2011 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Bump version. Tell userland tools that this is TOMOYO 2.5. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
731d37aa |
|
10-Sep-2011 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Allow domain transition without execve(). To be able to split permissions for Apache's CGI programs which are executed without execve(), add special domain transition which is performed by writing a TOMOYO's domainname to /sys/kernel/security/tomoyo/self_domain interface. This is an API for TOMOYO-aware userland applications. However, since I expect TOMOYO and other LSM modules to run in parallel, this patch does not use /proc/self/attr/ interface in order to avoid conflicts with other LSM modules when it became possible to run multiple LSM modules in parallel. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
1f067a68 |
|
10-Sep-2011 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Allow controlling generation of access granted logs on a per-entry basis. Add per-entry flag which controls generation of grant logs because Xen and KVM issue ioctl requests so frequently. For example,

file ioctl /dev/null 0x5401 grant_log=no

will suppress /sys/kernel/security/tomoyo/audit even if preference says grant_log=yes . Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
059d84db |
|
10-Sep-2011 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Add socket operation restriction support. This patch adds support for permission checks for PF_INET/PF_INET6/PF_UNIX socket's bind()/listen()/connect()/send() operations. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
d58e0da8 |
|
10-Sep-2011 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Add environment variable name restriction support. This patch adds support for checking environment variable's names. Although TOMOYO already provides ability to check argv[]/envp[] passed to execve() requests,

file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]="bar"

will reject execution of /bin/sh if environment variable LD_LIBRARY_PATH is not defined. To grant execution of /bin/sh if LD_LIBRARY_PATH is not defined, administrators have to specify like

file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]="/system/lib"
file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]=NULL

. Since there are many environment variables whereas conditional checks are applied as "&&", it is difficult to cover all combinations. Therefore, this patch supports conditional checks that are applied as "||", by specifying like

file execute /bin/sh
misc env LD_LIBRARY_PATH exec.envp["LD_LIBRARY_PATH"]="/system/lib"

which means "grant execution of /bin/sh if environment variable is not defined or is defined and its value is /system/lib". Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
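The two policy features described in the commits above (domain transition preferences and conditions on "file execute" lines from 6bce98ed, and the "||"-style "misc env" check from d58e0da8) can be modelled as a small evaluator. The block below is an added example for this page, not TOMOYO's kernel code: the ExecRequest shape, the parse_policy/check_execve/decide names, first-match ACL evaluation, the reduced wildcard grammar (only \* and \- are handled), and the rule that every name in envp must be covered by a "misc env" entry are assumptions of this model. The sample policy is constructed from the lines quoted in those two commit messages.

```python
r"""Toy model of TOMOYO 2.5-style conditional ACLs and domain transitions (added
illustration, not kernel code; request shape, names, first-match evaluation and
the reduced \* / \- wildcard grammar are assumptions made for this example)."""
import re
from collections import namedtuple

# Constructed execve() request: pathname matched by "file execute", resolved target
# seen by exec.realpath, argv, envp (name -> value; an absent name is NULL), caller uid.
ExecRequest = namedtuple("ExecRequest", "path realpath argv envp uid")
# kind is "file execute" or "misc env"; transition is "keep", "child", a domainname
# such as "<apache>", or None; conds are condition tokens that must all hold ("&&").
Acl = namedtuple("Acl", "kind target transition conds")
# Condition token lhs op rhs, e.g. exec.argv[1]="-c", task.uid!=0, exec.envp["X"]=NULL
COND_RE = re.compile(
    r'^(?P<lhs>[a-z.]+(?:\[[^\]]*\])?)(?P<op>!=|=)(?P<rhs>"[^"]*"|NULL|\d+)$')

def parse_policy(text):
    """Group ACL lines under the '<kernel> ...' domain header preceding them."""
    policy, domain = {}, None
    for line in text.strip().splitlines():
        words = line.split()
        if words[0] == "<kernel>":
            domain = line.strip()
            policy.setdefault(domain, [])
            continue
        kind = " ".join(words[:2])
        if kind not in ("file execute", "misc env"):
            raise ValueError("unsupported line: " + line)
        rest = words[3:]  # optional transition words, then condition tokens
        n = next((i for i, w in enumerate(rest) if COND_RE.match(w)), len(rest))
        policy[domain].append(Acl(kind, words[2], " ".join(rest[:n]) or None, rest[n:]))
    return policy

def pattern_matches(pattern, name):
    r"""Per path component: \* matches any run of characters; A\-B\-C means
    'matches A but neither B nor C' (the exclusion form used by /bin/\*\-ls\-cat)."""
    def one(p, s):
        return re.fullmatch(re.escape(p).replace(r"\\\*", ".*"), s) is not None
    pcs, ncs = pattern.split("/"), name.split("/")
    if len(pcs) != len(ncs):
        return False
    for p, s in zip(pcs, ncs):
        first, *excluded = p.split(r"\-")
        if not one(first, s) or any(one(e, s) for e in excluded):
            return False
    return True

def lookup(req, lhs):
    simple = {"exec.realpath": req.realpath, "exec.argc": len(req.argv), "task.uid": req.uid}
    if lhs in simple:
        return simple[lhs]
    m = re.fullmatch(r"exec\.argv\[(\d+)\]", lhs)
    if m:
        i = int(m.group(1))
        return req.argv[i] if i < len(req.argv) else None
    m = re.fullmatch(r'exec\.envp\["([^"]*)"\]', lhs)
    if m:
        return req.envp.get(m.group(1))
    raise ValueError("unsupported condition: " + lhs)

def cond_holds(req, cond):
    lhs, op, rhs = COND_RE.match(cond).group("lhs", "op", "rhs")
    expected = None if rhs == "NULL" else rhs[1:-1] if rhs.startswith('"') else int(rhs)
    return lookup(req, lhs) == expected if op == "=" else lookup(req, lhs) != expected

def check_execve(policy, domain, req):
    """Return (granted, next_domain). The first matching 'file execute' ACL decides;
    then every name in envp must be accepted by a 'misc env' ACL whose conditions
    hold. An undefined variable needs no entry: the '||' behaviour described above."""
    acls = policy.get(domain, [])
    acl = next((a for a in acls if a.kind == "file execute"
                and pattern_matches(a.target, req.path)
                and all(cond_holds(req, c) for c in a.conds)), None)
    if acl is None:
        return False, None
    for name in req.envp:
        if not any(a.kind == "misc env" and pattern_matches(a.target, name)
                   and all(cond_holds(req, c) for c in a.conds) for a in acls):
            return False, None
    if acl.transition == "keep":
        return True, domain
    if acl.transition in (None, "child"):
        # child domain is named after the policy pattern, not the execve() path (484ca79c)
        return True, domain + " " + acl.target
    return True, acl.transition

# Constructed policy from the lines in commits 6bce98ed and d58e0da8, under one domain.
# /bin/sh precedes the /bin/\*\-ls\-cat wildcard on purpose: the first matching ACL wins.
SAMPLE_POLICY = r"""<kernel> /usr/sbin/sshd
file execute /bin/bash <kernel> /usr/sbin/sshd //batch-session exec.argc=2 exec.argv[1]="-c"
file execute /bin/bash <kernel> /usr/sbin/sshd //root-session task.uid=0
file execute /bin/bash <kernel> /usr/sbin/sshd //nonroot-session task.uid!=0
file execute /bin/ls keep exec.realpath="/bin/ls" exec.argv[0]="ls"
file execute /bin/sh
file execute /bin/\*\-ls\-cat child
misc env LD_LIBRARY_PATH exec.envp["LD_LIBRARY_PATH"]="/system/lib"
"""
POLICY = parse_policy(SAMPLE_POLICY)

def decide(path, argv, uid=0, envp=None, realpath=None):
    """Run one constructed request from the '<kernel> /usr/sbin/sshd' domain."""
    req = ExecRequest(path, realpath or path, argv, envp or {}, uid)
    return check_execve(POLICY, "<kernel> /usr/sbin/sshd", req)
```

With this model, `decide("/bin/ls", ["ls"])` keeps the sshd domain, while the same request with realpath="/bin/busybox" is denied because the keep entry's exec.realpath condition fails and /bin/\*\-ls\-cat excludes the "ls" component; `decide("/bin/sh", ["sh"], envp={"LD_LIBRARY_PATH": "/tmp/x"})` is denied only because the variable is present with the wrong value, which is the "||" semantics the commit describes.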
#
97fb35e4 |
|
07-Jul-2011 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Enable conditional ACL. Enable conditional ACL by passing object's pointers. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
5b636857 |
|
07-Jul-2011 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Allow using argv[]/envp[] of execve() as conditions. This patch adds support for permission checks using argv[]/envp[] of execve() request. Hooks are in the last patch of this patchset. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
2ca9bf45 |
|
07-Jul-2011 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Allow using executable's realpath and symlink's target as conditions. This patch adds support for permission checks using executable file's realpath upon execve() and symlink's target upon symlink(). Hooks are in the last patch of this patchset. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
8761afd4 |
|
07-Jul-2011 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Allow using owner/group etc. of file objects as conditions. This patch adds support for permission checks using file object's DAC attributes (e.g. owner/group) when checking file's pathnames. Hooks for passing file object's pointers are in the last patch of this patchset. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
2066a361 |
|
07-Jul-2011 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Allow using UID/GID etc. of current thread as conditions. This patch adds support for permission checks using current thread's UID/GID etc. in addition to pathnames. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
5c4274f1 |
|
07-Jul-2011 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Remove /sys/kernel/security/tomoyo/.domain_status interface. /sys/kernel/security/tomoyo/.domain_status can be easily emulated using /sys/kernel/security/tomoyo/domain_policy . We can remove this interface by updating /usr/sbin/tomoyo-setprofile utility. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
3ddf17f0 |
|
28-Jun-2011 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Cleanup header file. Sort by alphabetic order. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
efe836ab |
|
26-Jun-2011 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Add built-in policy support. To be able to start using enforcing mode from the early stage of boot sequence, this patch adds support for built-in policy configuration (and next patch adds support for activating access control without calling external policy loader program). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
b22b8b9f |
|
26-Jun-2011 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Rename meminfo to stat and show more statistics. Show statistics such as last policy update time and last policy violation time in addition to memory usage. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
2c47ab93 |
|
26-Jun-2011 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Cleanup part 4. Gather string constants to one file in order to make the object size smaller. Use unsigned type where appropriate. read()/write() returns ssize_t. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
2e503bbb |
|
26-Jun-2011 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Fix lockdep warning. Currently TOMOYO holds SRCU lock upon open() and releases it upon close() because list elements stored in the "struct tomoyo_io_buffer" instances are accessed until close() is called. However, such SRCU usage causes lockdep to complain about leaving the kernel with SRCU lock held. This patch solves the warning by holding/releasing SRCU upon each read()/write(). This patch is doing something similar to calling kfree() without calling synchronize_srcu(), by selectively deferring kfree() by keeping track of the "struct tomoyo_io_buffer" instances. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
bd03a3e4 |
|
26-Jun-2011 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Add policy namespace support. Mauras Olivier reported that it is difficult to use TOMOYO in LXC environments, for TOMOYO cannot distinguish between environments outside the container and environments inside the container since LXC environments are created using pivot_root(). To address this problem, this patch introduces policy namespace. Each policy namespace has its own set of domain policy, exception policy and profiles, which are all independent of other namespaces. This independency allows users to develop policy without worrying about interference among namespaces. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
32997144 |
|
26-Jun-2011 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Add ACL group support. ACL group allows administrator to globally grant not only "file read" permission but also other permissions. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
eadd99cc |
|
26-Jun-2011 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Add auditing interface. Add /sys/kernel/security/tomoyo/audit interface. This interface generates audit logs in the form of domain policy so that /usr/sbin/tomoyo-auditd can reuse audit logs for appending to /sys/kernel/security/tomoyo/domain_policy interface. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
d5ca1725 |
|
26-Jun-2011 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Simplify profile structure. Remove global preference from profile structure in order to make code simpler. Due to this structure change, printk() warnings upon policy violation are temporarily disabled. They will be replaced by /sys/kernel/security/tomoyo/audit by next patch. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
0d2171d7 |
|
26-Jun-2011 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Rename directives. Convert "allow_..." style directives to "file ..." style directives. By converting to the latter style, we can pack policy like "file read/write/execute /path/to/file". Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
a238cf5b |
|
26-Jun-2011 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Use struct for passing ACL line. Use structure for passing ACL line, in preparation for supporting policy namespace and conditional parameters. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
0df7e8b8 |
|
26-Jun-2011 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Cleanup part 3. Use common structure for ACL with "struct list_head" + "atomic_t". Use array/struct where possible. Remove is_group from "struct tomoyo_name_union"/"struct tomoyo_number_union". Pass "struct file"->private_data rather than "struct file". Update some of comments. Bring tomoyo_same_acl_head() from common.h to domain.c . Bring tomoyo_invalid()/tomoyo_valid() from common.h to util.c . Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
b5bc60b4 |
|
26-Jun-2011 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Cleanup part 2. Update (or temporarily remove) comments. Remove or replace some of #define lines. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
7c75964f |
|
26-Jun-2011 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Cleanup part 1. In order to synchronize with TOMOYO 1.8's syntax,
(1) Remove special handling for allow_read/write permission.
(2) Replace deny_rewrite/allow_rewrite permission with allow_append permission.
(3) Remove file_pattern keyword.
(4) Remove allow_read permission from exception policy.
(5) Allow creating domains in enforcing mode without calling supervisor.
(6) Add permission check for opening directory for reading.
(7) Add permission check for stat() operation.
(8) Make "cat < /sys/kernel/security/tomoyo/self_domain" behave as if "cat /sys/kernel/security/tomoyo/self_domain".
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
c8da96e8 |
|
25-Sep-2010 |
Ben Hutchings <ben@decadent.org.uk> |
TOMOYO: Don't abuse sys_getpid(), sys_getppid() System call entry functions sys_*() are never to be called from general kernel code. The fact that they aren't declared in header files should have been a clue. These functions also don't exist on Alpha since it has sys_getxpid() instead. Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
484ca79c |
|
28-Jul-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Use pathname specified by policy rather than execve() Commit c9e69318 "TOMOYO: Allow wildcard for execute permission." changed execute permission and domainname to accept wildcards. But tomoyo_find_next_domain() was using pathname passed to execve() rather than pathname specified by the execute permission. As a result, processes were not able to transit to domains which contain wildcards in their domainnames. This patch passes pathname specified by the execute permission back to tomoyo_find_next_domain() so that processes can transit to domains which contain wildcards in their domainnames. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
0849e3ba |
|
24-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Add missing poll() hook. Commit 1dae08c "TOMOYO: Add interactive enforcing mode." forgot to register poll() hook. As a result, /usr/sbin/tomoyo-queryd was doing busy loop. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
e2bf6907 |
|
24-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Rename symbols. Use shorter name in order to make it easier to fit 80 columns limit. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
f23571e8 |
|
23-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Copy directly to userspace buffer. When userspace program reads policy from /sys/kernel/security/tomoyo/ interface, TOMOYO uses line buffered mode. A line has at least one word. Commit 006dacc "TOMOYO: Support longer pathname." changed a word's max length from 4000 bytes to max kmalloc()able bytes. By that commit, a line's max length changed from 8192 bytes to more than max kmalloc()able bytes. Max number of words in a line remains finite. This patch changes the way of buffering so that all words in a line are firstly directly copied to userspace buffer as much as possible and are secondly queued for next read request. Words queued are guaranteed to be valid until /sys/kernel/security/tomoyo/ interface is close()d. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
063821c8 |
|
23-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Allow reading only execute permission. Policy editor needs to know allow_execute entries in order to build domain transition tree. Reading all entries is slow. Thus, allow reading only allow_execute entries. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
475e6fa3 |
|
23-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Change list iterator. Change list_for_each_cookie to
(1) start from current position rather than next position
(2) remove temporary cursor
(3) check that srcu_read_lock() is held
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
5448ec4f |
|
20-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Use common code for domain transition control. Use common code for "initialize_domain"/"no_initialize_domain"/"keep_domain"/ "no_keep_domain" keywords. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
0617c7ff |
|
20-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Remove alias keyword. Some programs behave differently depending on argv[0] passed to execve(). TOMOYO has "alias" keyword in order to allow administrators to define different domains if requested pathname passed to execve() is a symlink. But "alias" keyword is incomplete because this keyword assumes that requested pathname and argv[0] are identical. Thus, remove "alias" keyword (by this patch) and add syntax for checking argv[0] (by future patches). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
7c2ea22e |
|
17-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Merge path_group and number_group. Use common code for "path_group" and "number_group". Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
31845e8c |
|
17-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Aggregate reader functions. Now lists are accessible via array index. Aggregate reader functions using index. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
a230f9e7 |
|
17-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Use array of "struct list_head". Assign list id and make the lists as array of "struct list_head". Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
a98aa4de |
|
17-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Merge tomoyo_path_group and tomoyo_number_group "struct tomoyo_path_group" and "struct tomoyo_number_group" are identical. Rename tomoyo_path_group/tomoyo_number_group to tomoyo_group and tomoyo_path_group_member to tomoyo_path_group and tomoyo_number_group_member to tomoyo_number_group. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
8fbe71f0 |
|
16-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Make read function to void. Read functions do not fail. Make them from int to void. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
71c28236 |
|
16-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Remove wrapper function for reading keyword. Keyword strings are read-only. We can directly access them to reduce code size. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
75093152 |
|
16-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Rename symbols. Use shorter name in order to make it easier to fit 80 columns limit. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
99a85259 |
|
16-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Use callback for permission check. We can use callback function since parameters are passed via "const struct tomoyo_request_info". Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
cf6e9a64 |
|
16-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Pass parameters via structure. To make it possible to use callback function, pass parameters via "struct tomoyo_request_info". Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
05336dee |
|
16-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Use common code for open and mkdir etc. tomoyo_file_perm() and tomoyo_path_permission() are similar. We can embed tomoyo_file_perm() into tomoyo_path_permission(). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
36f5e1ff |
|
14-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Use callback for updating entries. Use common code for elements using "struct list_head" + "bool" structure. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
82e0f001 |
|
14-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Use common structure for list element. Use common "struct list_head" + "bool" structure. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
237ab459 |
|
12-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Use callback for updating entries. Use common "struct list_head" + "bool" + "u8" structure and use common code for elements using that structure. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
57c2590f |
|
03-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Update profile structure. This patch allows users to change access control mode on a per-operation basis. This feature comes from the non-LSM version of TOMOYO which is designed for permitting users to use SELinux and TOMOYO at the same time. SELinux does not care about the filename in a directory whereas TOMOYO does. Change of filename can change how the file is used. For example, renaming index.txt to .htaccess will change how the file is used. Thus, letting SELinux enforce read()/write()/mmap() etc. restriction and letting TOMOYO enforce rename() restriction is an example usage of this feature. What is unfortunate for me is that currently LSM does not allow users to use SELinux and the LSM version of TOMOYO at the same time... Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
1084307c |
|
03-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Add pathname aggregation support. This patch allows users to aggregate programs which provide similar functionality (e.g. /usr/bin/vi and /usr/bin/emacs ). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
3f629636 |
|
03-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Allow wildcard for execute permission. Some applications create and execute programs dynamically. We need to accept wildcard for execute permission because such programs contain random suffix in their filenames. This patch loosens up regulation of string parameters. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
c8c57e84 |
|
03-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Support longer pathname. Allow pathnames longer than 4000 bytes. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
9b244373 |
|
03-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Several fixes for TOMOYO's management programs. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
c3ef1500 |
|
16-May-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Split files into some pieces. security/tomoyo/common.c became too large to read. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
17fcfbd9 |
|
16-May-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Add interactive enforcing mode. Since the behavior of the system is restricted by policy, we may need to update policy when you update packages. We need to update policy in the following cases.
* The pathname of files has changed.
* The dependency of files has changed.
* The access permissions required have increased.
The ideal way to update policy is to rebuild from scratch using learning mode. But it is not desirable to change from enforcing mode to other mode if the system has once entered production state. Suppose MAC could support per-application enforcing mode, the MAC becomes useless if an application that is not running in enforcing mode was cracked. For example, the whole system becomes vulnerable if only HTTP server application is running in learning mode to rebuild policy for the application. So, in TOMOYO Linux, updating policy is done while the system is running in enforcing mode. This patch implements "interactive enforcing mode" which allows administrators to judge whether to accept policy violation in enforcing mode or not. A demo movie is available at http://www.youtube.com/watch?v=b9q1Jo25LPA . Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
2106ccd9 |
|
16-May-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Add mount restriction. mount(2) has three string and one numeric parameters. Split mount restriction code from security/tomoyo/file.c . Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
a1f9bb6a |
|
16-May-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Split file access control functions by type of parameters. Check numeric parameters for operations that deal with them (e.g. chmod/chown/ioctl). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
cb0abe6a |
|
16-May-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Use structure for passing common arguments. Use "struct tomoyo_request_info" instead of passing individual arguments. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
4c3e9e2d |
|
16-May-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Add numeric values grouping support. This patch adds numeric values grouping support, which is useful for grouping numeric values such as file's UID, DAC's mode, ioctl()'s cmd number. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
7762fbff |
|
10-May-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Add pathname grouping support. This patch adds pathname grouping support, which is useful for grouping pathnames that cannot be represented using /\{dir\}/ pattern. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
9e4b50e9 |
|
05-May-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Use stack memory for pending entry. Use stack memory for pending entry to reduce kmalloc() which will be kfree()d. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
29282381 |
|
05-May-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Use mutex_lock_interruptible. Some of TOMOYO's functions may sleep after mutex_lock(). If OOM-killer selected a process which is waiting at mutex_lock(), the to-be-killed process can't be killed. Thus, replace mutex_lock() with mutex_lock_interruptible() so that the to-be-killed process can immediately return from TOMOYO's functions. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
17080008 |
|
16-Feb-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Remove __func__ from tomoyo_is_correct_path/domain __func__ is used for only debug printk(). We can remove it. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
97d6931e |
|
15-Feb-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Remove unneeded parameter. tomoyo_path_perm() tomoyo_path2_perm() and tomoyo_check_rewrite_permission() always receive tomoyo_domain(). We can move it from caller to callee. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
7ef61233 |
|
15-Feb-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Use shorter names. Use shorter name to reduce newlines needed for 80 columns limit. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
084da356 |
|
14-Feb-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Use enum for index numbers. Use enum to declare index numbers. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
847b173e |
|
10-Feb-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Add garbage collector. This patch adds garbage collector support to TOMOYO. Elements are protected by "struct srcu_struct tomoyo_ss". Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
|
#
ec8e6a4e |
|
10-Feb-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Add refcounter on domain structure. Add refcounter to "struct tomoyo_domain_info" since garbage collector needs to determine whether this struct is referred by "struct cred"->security or not. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
|
#
76bb0895 |
|
10-Feb-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Merge headers. Gather structures and constants scattered around security/tomoyo/ directory. This is for preparation for adding garbage collector since garbage collector needs to know structures and constants which TOMOYO uses. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
|
#
ea13ddba |
|
02-Feb-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Extract bitfield Since list elements are rounded up to kmalloc() size rather than sizeof(int), saving one byte by using bitfields is no longer helpful. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
|
#
8e2d39a1 |
|
26-Jan-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Remove usage counter for temporary memory. TOMOYO was using own memory usage counter for detecting memory leak. But as kernel 2.6.31 introduced memory leak detection mechanism ( CONFIG_DEBUG_KMEMLEAK ), we no longer need to have own counter. We remove usage counter for memory used for permission checks, but we keep usage counter for memory used for policy so that we can apply quota. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
cd7bec6a |
|
04-Jan-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Remove memory pool for list elements. Currently, TOMOYO allocates memory for list elements from memory pool allocated by kmalloc(PAGE_SIZE). But that makes it difficult to kfree() when garbage collector is added. Thus, remove memory pool and use kmalloc(sizeof()). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
f737d95d |
|
03-Jan-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Replace rw_semaphore by mutex. Since readers no longer use down_read(), writers no longer need to use rw_semaphore. Replace individual rw_semaphore by single mutex. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
|
#
fdb8ebb7 |
|
07-Dec-2009 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Use RCU primitives for list operation Replace list operation with RCU primitives and replace down_read()/up_read() with srcu_read_lock()/srcu_read_unlock(). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
|
#
937bf613 |
|
02-Dec-2009 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Add rest of file operation restrictions. LSM hooks for chmod()/chown()/chroot() are now ready. This patch utilizes these hooks. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
7539cf4b |
|
24-Nov-2009 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Add recursive directory matching operator support. TOMOYO 1.7.1 has recursive directory matching operator support. I want to add it to TOMOYO for Linux 2.6.33 .
----------
[PATCH] TOMOYO: Add recursive directory matching operator support. This patch introduces new operator /\{dir\}/ which matches '/' + 'One or more repetitions of dir/' (e.g. /dir/ /dir/dir/ /dir/dir/dir/ ). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Acked-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org>
|
#
ccf135f5 |
|
18-Jun-2009 |
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> |
TOMOYO: Move tomoyo_delete_domain(). We can mark tomoyo_delete_domain() as a "static" function by moving it from domain.c to common.c . Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
c3fa109a |
|
07-Jun-2009 |
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> |
TOMOYO: Add description of lists and structures. This patch adds some descriptions of lists and structures. This patch contains no code changes. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
5bf1692f |
|
04-Jun-2009 |
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> |
TOMOYO: Remove unused field. TOMOYO 2.2.0 is not using total_len field of "struct tomoyo_path_info". Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
39826a1e |
|
08-Apr-2009 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
tomoyo: version bump to 2.2.0. Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
a0558fc3 |
|
06-Apr-2009 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
tomoyo: remove "undelete domain" command. Since TOMOYO's policy management tools do not use the "undelete domain" command, we decided to remove that command. Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
7ba57795 |
|
06-Apr-2009 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
tomoyo: remove "undelete domain" command. Since TOMOYO's policy management tools do not use the "undelete domain" command, we decided to remove that command. Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
a106cbfd |
|
26-Mar-2009 |
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> |
TOMOYO: Fix a typo. Fix a typo. Reported-by: Pavel Machek <pavel@ucw.cz> Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
9590837b |
|
05-Feb-2009 |
Kentaro Takeda <takedakn@nttdata.co.jp> |
Common functions for TOMOYO Linux. This file contains common functions (e.g. policy I/O, pattern matching). -------------------- About pattern matching -------------------- Since TOMOYO Linux is a name based access control, TOMOYO Linux seriously considers "safe" string representation. TOMOYO Linux's string manipulation functions make reviewers feel crazy, but there are reasons why TOMOYO Linux needs its own string manipulation functions. ----- Part 1 : preconditions ----- People definitely want to use wild card. To support pattern matching, we have to support wild card characters. In a typical Linux system, filenames are likely consists of only alphabets, numbers, and some characters (e.g. + - ~ . / ). But theoretically, the Linux kernel accepts all characters but NUL character (which is used as a terminator of a string). Some Linux systems can have filenames which contain * ? ** etc. Therefore, we have to somehow modify string so that we can distinguish wild card characters and normal characters. It might be possible for some application's configuration files to restrict acceptable characters. It is impossible for kernel to restrict acceptable characters. We can't accept approaches which will cause troubles for applications. ----- Part 2 : commonly used approaches ----- Text formatted strings separated by space character (0x20) and new line character (0x0A) is more preferable for users over array of NUL-terminated string. Thus, people use text formatted configuration files separated by space character and new line. We sometimes need to handle non-printable characters. Thus, people use \ character (0x5C) as escape character and represent non-printable characters using octal or hexadecimal format. At this point, we remind (at least) 3 approaches. (1) Shell glob style expression (2) POSIX regular expression (UNIX style regular expression) (3) Maverick wild card expression On the surface, (1) and (2) sound good choices. But they have a big pitfall. 
All meta-characters in (1) and (2) are legal characters for representing a pathname, and users easily write incorrect expression. What is worse, users unlikely notice incorrect expressions because characters used for regular pathnames unlikely contain meta-characters. This incorrect use of meta-characters in pathname representation reveals vulnerability (e.g. unexpected results) only when irregular pathname is specified. The authors of TOMOYO Linux think that approaches which adds some character for interpreting meta-characters as normal characters (i.e. (1) and (2)) are not suitable for security use. Therefore, the authors of TOMOYO Linux propose (3). ----- Part 3: consideration points ----- We need to solve encoding problem. A single character can be represented in several ways using encodings. For Japanese language, there are "ShiftJIS", "ISO-2022-JP", "EUC-JP", "UTF-8" and more. Some languages (e.g. Japanese language) supports multi-byte characters (where a single character is represented using several bytes). Some multi-byte characters may match the escape character. For Japanese language, some characters in "ShiftJIS" encoding match \ character, and bothering Web's CGI developers. It is important that the kernel string is not bothered by encoding problem. Linus said, "I really would expect that kernel strings don't have an encoding. They're just C strings: a NUL-terminated stream of bytes." http://lkml.org/lkml/2007/11/6/142 Yes. The kernel strings are just C strings. We are talking about how to store and carry "kernel strings" safely. If we store "kernel string" into policy file as-is, the "kernel string" will be interpreted differently depending on application's encoding settings. One application may interpret "kernel string" as "UTF-8", another application may interpret "kernel string" as "ShiftJIS". Therefore, we propose to represent strings using ASCII encoding. In this way, we are no longer bothered by encoding problems. 
We need to avoid information loss caused by display. It is difficult to input and display non-printable characters, but we have to be able to handle such characters because the kernel string is a C string. If we use only ASCII printable characters (from 0x21 to 0x7E) and space character (0x20) and new line character (0x0A), it is easy to input from keyboard and display on all terminals which is running Linux. Therefore, we propose to represent strings using only characters which value is one of "from 0x21 to 0x7E", "0x20", "0x0A". We need to consider ease of splitting strings from a line. If we use an approach which uses "\ " for representing a space character within a string, we have to count the string from the beginning to check whether this space character is accompanied with \ character or not. As a result, we cannot monotonically split a line using space character. If we use an approach which uses "\040" for representing a space character within a string, we can monotonically split a line using space character. If we use an approach which uses NUL character as a delimiter, we cannot use string manipulation functions for splitting strings from a line. Therefore, we propose that we represent space character as "\040". We need to avoid wrong designations (incorrect use of special characters). Not all users can understand and utilize POSIX's regular expressions correctly and perfectly. If a character acts as a wild card by default, the user will get unexpected result if that user didn't know the meaning of that character. Therefore, we propose that all characters but \ character act as a normal character and let the user add \ character to make a character act as a wild card. In this way, users needn't to know all wild card characters beforehand. They can learn when they encountered an unseen wild card character for their first time. ----- Part 4: supported wild card expressions ----- At this point, we have wild card expressions listed below. 
+-----------+--------------------------------------------------------------+ | Wild card | Meaning and example | +-----------+--------------------------------------------------------------+ | \* | More than or equals to 0 character other than '/'. | | | /var/log/samba/\* | +-----------+--------------------------------------------------------------+ | \@ | More than or equals to 0 character other than '/' or '.'. | | | /var/www/html/\@.html | +-----------+--------------------------------------------------------------+ | \? | 1 byte character other than '/'. | | | /tmp/mail.\?\?\?\?\?\? | +-----------+--------------------------------------------------------------+ | \$ | More than or equals to 1 decimal digit. | | | /proc/\$/cmdline | +-----------+--------------------------------------------------------------+ | \+ | 1 decimal digit. | | | /var/tmp/my_work.\+ | +-----------+--------------------------------------------------------------+ | \X | More than or equals to 1 hexadecimal digit. | | | /var/tmp/my-work.\X | +-----------+--------------------------------------------------------------+ | \x | 1 hexadecimal digit. | | | /tmp/my-work.\x | +-----------+--------------------------------------------------------------+ | \A | More than or equals to 1 alphabet character. | | | /var/log/my-work/\$-\A-\$.log | +-----------+--------------------------------------------------------------+ | \a | 1 alphabet character. | | | /home/users/\a/\*/public_html/\*.html | +-----------+--------------------------------------------------------------+ | \- | Pathname subtraction operator. | | | +---------------------+------------------------------------+ | | | | Example | Meaning | | | | +---------------------+------------------------------------+ | | | | /etc/\* | All files in /etc/ directory. 
| | | | +---------------------+------------------------------------+ | | | | /etc/\*\-\*shadow\* | /etc/\* other than /etc/\*shadow\* | | | | +---------------------+------------------------------------+ | | | | /\*\-proc\-sys/ | /\*/ other than /proc/ /sys/ | | | | +---------------------+------------------------------------+ | +-----------+--------------------------------------------------------------+ +----------------+---------------------------------------------------------+ | Representation | Meaning and example | +----------------+---------------------------------------------------------+ | \\ | backslash character itself. | +----------------+---------------------------------------------------------+ | \ooo | 1 byte character. | | | ooo is 001 <= ooo <= 040 || 177 <= ooo <= 377. | | | | | | \040 for space character. | | | \177 for del character. | | | | +----------------+---------------------------------------------------------+ ----- Part 5: Advantages ----- We can obtain extensibility. Since our proposed approach adds \ to a character to interpret as a wild card, we can introduce new wild card in future while maintaining backward compatibility. We can process monotonically. Since our proposed approach separates strings using a space character, we can split strings using existing string manipulation functions. We can reliably analyze access logs. It is guaranteed that a string doesn't contain space character (0x20) and new line character (0x0A). It is guaranteed that a string won't be converted by FTP and won't be damaged by a terminal's settings. It is guaranteed that a string won't be affected by encoding converters (except encodings which insert NUL character (e.g. UTF-16)). ----- Part 6: conclusion ----- TOMOYO Linux is using its own encoding with reasons described above. There is a disadvantage that we need to introduce a series of new string manipulation functions. 
But TOMOYO Linux's encoding is useful for all users (including audit and AppArmor) who want to perform pattern matching and safely exchange string information between the kernel and the userspace.

-------------------- About policy interface --------------------

TOMOYO Linux creates the following files on securityfs (normally mounted on /sys/kernel/security) as interfaces between kernel and userspace.
These files are for TOMOYO Linux management tools *only*, not for general programs.

* profile
* exception_policy
* domain_policy
* manager
* meminfo
* self_domain
* version
* .domain_status
* .process_status

** /sys/kernel/security/tomoyo/profile **

This file is used to read or write profiles.
"profile" means a running mode of process.
A profile lists up functions and their modes in "$number-$variable=$value" format.
The $number is profile number between 0 and 255.
Each domain is assigned one profile.
To assign profile to domains, use "ccs-setprofile" or "ccs-editpolicy" or "ccs-loadpolicy" commands.

(Example)
[root@tomoyo]# cat /sys/kernel/security/tomoyo/profile
0-COMMENT=-----Disabled Mode-----
0-MAC_FOR_FILE=disabled
0-MAX_ACCEPT_ENTRY=2048
0-TOMOYO_VERBOSE=disabled
1-COMMENT=-----Learning Mode-----
1-MAC_FOR_FILE=learning
1-MAX_ACCEPT_ENTRY=2048
1-TOMOYO_VERBOSE=disabled
2-COMMENT=-----Permissive Mode-----
2-MAC_FOR_FILE=permissive
2-MAX_ACCEPT_ENTRY=2048
2-TOMOYO_VERBOSE=enabled
3-COMMENT=-----Enforcing Mode-----
3-MAC_FOR_FILE=enforcing
3-MAX_ACCEPT_ENTRY=2048
3-TOMOYO_VERBOSE=enabled

- MAC_FOR_FILE: Specifies access control level regarding file access requests.
- MAX_ACCEPT_ENTRY: Limits the max number of ACL entries that are automatically appended during learning mode. Default is 2048.
- TOMOYO_VERBOSE: Specifies whether to print domain policy violation messages or not.

** /sys/kernel/security/tomoyo/manager **

This file is used to read or append the list of programs or domains that can write to /sys/kernel/security/tomoyo interface.
By default, only processes with both UID = 0 and EUID = 0 can modify policy via /sys/kernel/security/tomoyo interface.
You can use keyword "manage_by_non_root" to allow policy modification by non root user.

(Example)
[root@tomoyo]# cat /sys/kernel/security/tomoyo/manager
/usr/lib/ccs/loadpolicy
/usr/lib/ccs/editpolicy
/usr/lib/ccs/setlevel
/usr/lib/ccs/setprofile
/usr/lib/ccs/ld-watch
/usr/lib/ccs/ccs-queryd

** /sys/kernel/security/tomoyo/exception_policy **

This file is used to read and write system global settings.
Each line has a directive and operand pair.
Directives are listed below.

- initialize_domain:
To initialize domain transition when specific program is executed, use initialize_domain directive.

* initialize_domain "program" from "domain"
* initialize_domain "program" from "the last program part of domain"
* initialize_domain "program"

If the part "from" and after is not given, the entry is applied to all domain.
If the "domain" doesn't start with "<kernel>", the entry is applied to all domain whose domainname ends with "the last program part of domain".
This directive is intended to aggregate domain transitions for daemon program and program that are invoked by the kernel on demand, by transiting to different domain.

- keep_domain:
To prevent domain transition when program is executed from specific domain, use keep_domain directive.

* keep_domain "program" from "domain"
* keep_domain "program" from "the last program part of domain"
* keep_domain "domain"
* keep_domain "the last program part of domain"

If the part "from" and before is not given, this entry is applied to all program.
If the "domain" doesn't start with "<kernel>", the entry is applied to all domain whose domainname ends with "the last program part of domain".
This directive is intended to reduce total number of domains and memory usage by suppressing unneeded domain transitions.
To declare domain keepers, use keep_domain directive followed by domain definition.
Any process that belongs to a domain declared with this directive stays in the same domain unless any program registered with initialize_domain directive is executed.
In order to control domain transition in detail, you can use no_keep_domain/no_initialize_domain keywords.

- alias:
To allow executing programs using the name of symbolic links, use alias keyword followed by dereferenced pathname and reference pathname.
For example, /sbin/pidof is a symbolic link to /sbin/killall5.
In normal case, if /sbin/pidof is executed, the domain is defined as if /sbin/killall5 is executed.
By specifying "alias /sbin/killall5 /sbin/pidof", you can run /sbin/pidof in the domain for /sbin/pidof.

(Example)
alias /sbin/killall5 /sbin/pidof

- allow_read:
To grant unconditionally readable permissions, use allow_read keyword followed by canonicalized file.
This keyword is intended to reduce size of domain policy by granting read access to library files such as GLIBC and locale files.
Exception is, if ignore_global_allow_read keyword is given to a domain, entries specified by this keyword are ignored.

(Example)
allow_read /lib/libc-2.5.so

- file_pattern:
To declare pathname pattern, use file_pattern keyword followed by pathname pattern.
The pathname pattern must be a canonicalized pathname.
This keyword is applicable to neither granting execute permissions nor domain definitions.
For example, canonicalized pathname that contains a process ID (i.e. /proc/PID/ files) needs to be grouped in order to make access control work well.

(Example)
file_pattern /proc/\$/cmdline

- path_group:
To declare pathname group, use path_group keyword followed by name of the group and pathname pattern.
For example, if you want to group all files under home directory, you can define

path_group HOME-DIR-FILE /home/\*/\*
path_group HOME-DIR-FILE /home/\*/\*/\*
path_group HOME-DIR-FILE /home/\*/\*/\*/\*

in the exception policy and use it like

allow_read @HOME-DIR-FILE

to grant file access permission.

- deny_rewrite:
To deny overwriting already written contents of file (such as log files) by default, use deny_rewrite keyword followed by pathname pattern.
Files whose pathname matches the patterns are not permitted to open for writing without append mode or truncate unless the pathnames are explicitly granted using allow_rewrite keyword in domain policy.

(Example)
deny_rewrite /var/log/\*

- aggregator:
To deal with multiple programs as a single program, use aggregator keyword followed by name of original program and aggregated program.
This keyword is intended to aggregate similar programs.
For example, /usr/bin/tac and /bin/cat are similar.
By specifying "aggregator /usr/bin/tac /bin/cat", you can run /usr/bin/tac in the domain for /bin/cat.
For example, /usr/sbin/logrotate for Fedora Core 3 generates programs like /tmp/logrotate.\?\?\?\?\?\? and runs them, but TOMOYO Linux doesn't allow using patterns for granting execute permission and defining domains.
By specifying "aggregator /tmp/logrotate.\?\?\?\?\?\? /tmp/logrotate.tmp", you can run /tmp/logrotate.\?\?\?\?\?\? as if /tmp/logrotate.tmp is running.

** /sys/kernel/security/tomoyo/domain_policy **

This file contains definition of all domains and permissions that are granted to each domain.
Lines from the next line to a domain definition (any lines starting with "<kernel>") to the previous line to the next domain definition are interpreted as access permissions for that domain.

** /sys/kernel/security/tomoyo/meminfo **

This file is to show the total RAM used to keep policy in the kernel by TOMOYO Linux in bytes.
(Example)
[root@tomoyo]# cat /sys/kernel/security/tomoyo/meminfo
Shared: 61440
Private: 69632
Dynamic: 768
Total: 131840

You can set memory quota by writing to this file.

(Example)
[root@tomoyo]# echo Shared: 2097152 > /sys/kernel/security/tomoyo/meminfo
[root@tomoyo]# echo Private: 2097152 > /sys/kernel/security/tomoyo/meminfo

** /sys/kernel/security/tomoyo/self_domain **

This file is to show the name of domain the caller process belongs to.

(Example)
[root@etch]# cat /sys/kernel/security/tomoyo/self_domain
<kernel> /usr/sbin/sshd /bin/zsh /bin/cat

** /sys/kernel/security/tomoyo/version **

This file is used for getting TOMOYO Linux's version.

(Example)
[root@etch]# cat /sys/kernel/security/tomoyo/version
2.2.0-pre

** /sys/kernel/security/tomoyo/.domain_status **

This is a view (of a DBMS) that contains only profile number and domainnames of domain so that "ccs-setprofile" command can do line-oriented processing easily.

** /sys/kernel/security/tomoyo/.process_status **

This file is used by "ccs-ccstree" command to show "list of processes currently running" and "domains which each process belongs to" and "profile number which the domain is currently assigned" like "pstree" command.
This file is writable by programs that aren't registered as policy manager.

Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
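Added illustration (not part of the commit message above and not TOMOYO's own tomoyo_path_matches_pattern()) of the wild card table and of how the patterns used as file_pattern, deny_rewrite and aggregator operands are evaluated: every "\"-prefixed wild card is confined to one "/"-separated component, and "\-" subtracts the alternatives that follow it. It assumes the pathname is matched in raw form, whereas the kernel compares the encoded form of both strings.

```python
import re
from string import ascii_letters, digits, hexdigits

# Constructed re-implementation of the wild card table above; it is not the
# kernel's tomoyo_path_matches_pattern(). Assumption: it matches raw pathnames,
# whereas the kernel compares the encoded form of both pathname and pattern.
_TOKEN = re.compile(r"\\[0-7]{3}|\\.|.")      # "\ooo", "\<wild card>" or a literal
_ANY, _DIG, _HEX, _ALP = (lambda c: True, lambda c: c in digits,
                          lambda c: c in hexdigits, lambda c: c in ascii_letters)
_CLASS = {  # wild card -> (minimum count, maximum count or None, class test)
    "?": (1, 1, _ANY), "+": (1, 1, _DIG), "x": (1, 1, _HEX), "a": (1, 1, _ALP),
    "*": (0, None, _ANY), "@": (0, None, lambda c: c != "."),
    "$": (1, None, _DIG), "X": (1, None, _HEX), "A": (1, None, _ALP)}

def _match_tokens(name, toks):
    """Match one '/'-free path component against a tokenized pattern."""
    if not toks:
        return name == ""
    tok, rest = toks[0], toks[1:]
    if len(tok) == 1:                       # plain character
        lit = tok
    elif tok == "\\\\":                     # "\\" stands for one backslash
        lit = "\\"
    elif tok[1] in "01234567":              # "\ooo": the byte with octal value ooo
        lit = chr(int(tok[1:], 8))
    else:                                   # character-class wild card
        least, most, ok = _CLASS.get(tok[1], (1, 0, _ANY))  # unknown: never matches
        most = len(name) if most is None else min(most, len(name))
        for i in range(most + 1):           # try every class-only prefix of name
            if i and not ok(name[i - 1]):
                break
            if i >= least and _match_tokens(name[i:], rest):
                return True
        return False
    return name.startswith(lit) and _match_tokens(name[1:], rest)

def _match_component(name, pat):
    """Apply "\\-": match the first alternative and none of the ones after it."""
    alts = [[]]
    for tok in _TOKEN.findall(pat):
        if tok == "\\-":
            alts.append([])
        else:
            alts[-1].append(tok)
    return _match_tokens(name, alts[0]) and not any(_match_tokens(name, a) for a in alts[1:])

def path_matches_pattern(path, pattern):
    """Components are matched pairwise, so no wild card ever spans a '/'."""
    parts, pats = path.split("/"), pattern.split("/")
    return len(parts) == len(pats) and all(map(_match_component, parts, pats))
```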
|