[tomoyo-users-en 9] TOMOYO Linux version 1.6.5 released

アーカイブの一覧に戻る
Tetsuo Handa from-****@I-lov*****
Fri Nov 14 21:22:16 JST 2008


Hello.

On November 11th, 2008, TOMOYO Linux 1.6.5 was released.
TOMOYO Linux was released as GPL on November 11th, 2005.
Therefore, this is the third anniversary release. :-)

This release includes various modifications. Major change is done for making
TOMOYO Linux 1.6.5's source code easier to port to TOMOYO Linux 2.2.0-pre
(which is designed to use LSM for inclusion into upstream kernels).



Below is the list of changes regarding ccs-patch package.

(1) BUGFIX: An ACL entry without pathnames couldn't handle task.state keyword
    in "if" part of the ACL entry.

    Due to a bug in ccs_check_condition(), it was impossible to use
    task.state[0] task.state[1] task.state[2] inside condition part
    if the ACL entry does not treat a pathname. For example, an ACL entry like

        allow_network TCP connect @HTTP_SERVERS 80 if task.state[0]=100

    didn't work.

(2) BUGFIX: Pattern matching for \A and \a was incorrect.

    Due to a bug in is_alphabet_char(), TOMOYO Linux's wildcard characters
    '\a' and '\A' were matching only 'A' - 'F' and 'a' - 'f',
    while the documentation says they match 'A' - 'Z' and 'a' - 'z'.

    This bug was introduced in 1.6.0 , and was fixed in 1.6.5 .

(3) BUGFIX: Use rcu_dereference() when walking the list.

    I was using "dependency ordering" for appending an element to a list
    without asking the reader to take a lock. But "dependency ordering"
    is not respected by DEC Alpha or by some aggressive value-speculation
    compiler optimizations.

    On such environment, use of "dependency ordering" can lead to system
    crash because the reader might read uninitialized value of newly
    appended element.

    To prevent the reader from reading uninitialized value of newly appended
    element, I inserted rcu_dereference() when walking the list.

(4) BUGFIX: Use sys_getpid() instead for current->pid.

    Kernel 2.6.24 introduced PID namespace.

    To compare PID given from userland, I can't use current->pid.
    So, I modified to use sys_getpid() instead for current->pid.

(5) BUGFIX: Use task_tgid_nr_ns() instead for current->tgid when checking
    /proc/self/ in get_absolute_path().

    I modified to use task_tgid_nr_ns() for 2.6.25 and later instead for
    current->tgid when checking /proc/self/ .

(6) ENHANCEMENT: Remember whether the process is allowed to write to /proc/ccs/
    interface.

    Since programs for manipulating policy (e.g. ccs-queryd ) are installed
    in the form of RPM/DEB packages, these programs lose the original
    pathnames when they are updated by the package manager. The package
    manager renames these programs before deleting these programs so that
    the package manager can rollback the operation.
    This causes a problem when the programs are listed into /proc/ccs/manager
    using pathnames, as the programs will no longer be allowed to write to
    /proc/ccs/ interface while the process of old version of the program is
    alive.

    To solve this problem, I modified to remember the fact that the process
    is once allowed to write to /proc/ccs/ interface until the process
    attempts to execute a different program.
    This change makes it impossible to revoke permission to write to
    /proc/ccs/ interface without killing the process, but it will be better
    than nonfunctioning ccs-queryd program.

(7) ENHANCEMENT: Generate more accurate "access granted logs".

    If you gave an entry with "; set task.state" part, regarding 1.6.0 to
    1.6.4, the kernel generated "access granted logs" using process's state
    variables after processing that part.

    Regarding 1.6.5 , the kernel generates "access granted logs" using
    process's state variables before processing that part.

(8) ENHANCEMENT: Add "try again" response to "delayed enforcing" mode.

    To be able to handle pathname changes caused by software updates,
    "delayed enforcing" mode was introduced. It allows administrator to
    grant access requests which are about to be rejected by the kernel.

    To be able to handle pathname changes caused by software updates better,
    I introduced "try again" response. As "delayed enforcing" mode sleeps
    a process which violated policy, administrator can update policy while
    the process is sleeping. This "try again" response allows administrator
    to restart policy checks from the beginning after updating policy.

    Also, to be able to avoid infinite loop, I added "retry counter" to
    logs obtained from /proc/ccs/query .

(9) ENHANCEMENT: Allow reading process's information via
    /proc/ccs/.process_status interface.

    Until 1.6.4 , there was no interface for reading process's task.state
    variables.

    1.6.5 supports new command "info PID" (where PID is an integer) to read
    specified process's task.state variables.

(10) ENHANCEMENT: Add /proc/ccs/.execute_handler interface.

    The execute_handler keyword, which was introduced in 1.6.0 , is very very
    powerful. You can use this keyword to do anything you want to do (e.g.
    logging and validating and modifying command line parameters and
    environment variables, opening and closing and redirecting files,
    creating pipes to implement antivirus and spam filtering, deploying a DMZ
    between the ssh daemon and the login shells).

    However, there was no interface for telling whether the current process was
    executed by the kernel (i.e. as an execute_handler process) or by the user
    (i.e. as a regular process). If the current process was executed by the
    user, we can't trust command line parameters.

    To be able to tell whether the current process was executed by the kernel
    or by the user, a new interface /proc/ccs/.execute_handler which only
    processes executed as an execute_handler process can open was added.
    The contents available via this interface is identical to
    /proc/ccs/.process_status interface.

(11) ENHANCEMENT: Allow selecting single domain by PID or by domainname.

    Sometimes we want to know what ACLs are given to specific PID, but
    finding a domainname for that PID from /proc/ccs/.process_status and
    reading ACLs from /proc/ccs/domain_policy by the domainname is very slow.
    Thus, I modified /proc/ccs/domain_policy to allow selecting a domain by
    PID. For example, to read domain ACL of current process from bash,
    run as follows.

    # exec 100<>/proc/ccs/domain_policy
    # echo select pid=$$ >&100
    # while read -u 100; do echo $REPLY; done

    If a domain is once selected by PID, reading /proc/ccs/domain_policy will
    print only that domain if that PID exists or print nothing otherwise.

    Likewise, to read domain ACL of only "<kernel> /usr/sbin/sshd" domain from
    bash, run as follows.

    # exec 100<>/proc/ccs/domain_policy
    # echo 'select domain=<kernel> /usr/sbin/sshd' >&100
    # while read -u 100; do echo $REPLY; done

(12) ENHANCEMENT: Domain transition occurs only after do_execve() succeeds.

    Until now, a process's domain was updated to new domain which the process
    will belongs to before do_execve() succeeds so that the kernel can do
    permission checks for interpreters and environment variables based on
    new domain.

    But, "Copy on write credentials" patchset is proposed and a LSM hook
    which is called whenever do_execve() finished is going to be removed.
    This means that "TOMOYO Linux 2.2.x cannot rollback to old domain"
    if "a process's domain is updated to new domain which the process will
    belong to before do_execve() succeeds" and "do_execve() failed".

    Therefore, I modified TOMOYO Linux 1.6.5 not to update a process's domain
    before do_execve() succeeds. The amount of this modification is large, but
    this modification will make it easier to port TOMOYO Linux 1.6.5 to TOMOYO
    Linux 2.2.0-pre .

(13) MISC: Included patches for 26 vanilla kernels ( 2.4.30 - 2.4.37-rc2 /
     2.6.11 - 2.6.28-rc4 ) and 34 distributor's kernels.

    I'm building binary packages now, please wait...

(14) MISC: Changed the command line of making tar ball.

    Until 1.6.4, I was using the command line

      tar -zcf /path/to/tarball.tar.gz --exclude .svn -- .

    when making the tar ball.
    However, doing so changes directory's permission when the tar ball was
    extracted in a directory which has permissions other than 0755 .
    For example, extracting the tar ball in /tmp/ directory changes
    the permission from 1777 to 0755 and caused troubles.

    Therefore, I changed the command line to

      tar -zcf /path/to/tarball.tar.gz --exclude .svn -- *

    when making the tar ball.
    Please be careful when extracting the tar ball using pathname patterns,



Below is the list of changes regarding ccs-tools package.

(1) BUGFIX: ccs-editpolicy : Correct handling IPv6 address ranges for 'O'
    command.

    Due to a bug in parse_ip(), IPv6's end address was ignored when calculating
    entries for 'O' command.

(2) BUGFIX: ccs-editpolicy_offline : Clear buffer before saving policy.

    There are two policy editors. One is named "ccs-editpolicy" for editing
    /proc/ccs/ directory. The other is named "ccs-editpolicy_offline" for
    editing /etc/ccs/ directory.

    Only "ccs-editpolicy_offline" needs to save on memory policy into /etc/ccs/
    directory, but I forgot to clear the buffer used in
    "<<< Domain Transition Editor >>>" screen before saving policy.
    As a result part of invalid domain policy was written into
    /etc/ccs/domain_policy .

(3) BUGFIX: convert-exec-param : Handle logs with exec.argc=0 .

    convert-exec-param was not able to handle allow_execute logs with
    exec.argc=0 .

(4) BUGFIX: mailauth : Terminate password string.

    Since the buffer for password is 16 bytes and the length of the password
    was 16 bytes, the password string was not terminated by '\0' character.
    This bug may print garbage characters after the password.

(5) ENHANCEMENT: Support policy file splitting.

    Until 1.6.4 , policy files were only /etc/ccs/\*.conf .
    In 1.6.5 , policy files became splittable into /etc/ccs/\*.base and
    /etc/ccs/\*.conf . The former holds constant policy and is used for
    read-only. The latter holds diffs against the former and is used for
    read-write.

    For compatibility, you don't have to create /etc/ccs/\*.base .
    /etc/ccs/\*.base is intended to allow distributors to distribute ready made
    policy configurations.

(6) ENHANCEMENT: Display ACL entries aligned.

    Until 1.6.4 , there was only one space between directives and operands.
    In 1.6.5, they are aligned to the longest directives.
    This change will facilitate visualization.

    Until 1.6.4

        allow_create /tmp/file
        allow_read/write /tmp/file
        allow_unlink /tmp/file

    In 1.6.5

        allow_create     /tmp/file
        allow_read/write /tmp/file
        allow_unlink     /tmp/file

    Since directives related to networking operations are long,
    aligning the view to the longest networking directives makes goofy-looking.
    Therefore, I aggregated the below 8 directives (until 1.6.4)

      editpolicy.keyword_alias allow_network RAW bind    = allow_network RAW bind
      editpolicy.keyword_alias allow_network RAW connect = allow_network RAW connect
      editpolicy.keyword_alias allow_network TCP accept  = allow_network TCP accept
      editpolicy.keyword_alias allow_network TCP bind    = allow_network TCP bind
      editpolicy.keyword_alias allow_network TCP connect = allow_network TCP connect
      editpolicy.keyword_alias allow_network TCP listen  = allow_network TCP listen
      editpolicy.keyword_alias allow_network UDP bind    = allow_network UDP bind
      editpolicy.keyword_alias allow_network UDP connect = allow_network UDP connect

    into the below 1 directive (in 1.6.5)

      editpolicy.keyword_alias allow_network             = allow_network

    in /usr/lib/ccs/ccstools.conf configuration file.

(7) ENHANCEMENT: Update coding style.

    Not only C programs in ccs-patch package but also C programs in ccs-tools
    package can now pass coding style testing by scripts/checkpatch.pl .

    A lot of modification was made, and various bugs were fixed.
    But maybe some new bugs are embedded.

(8) ENHANCEMENT: ccs-editpolicy : Faster display "<<< Domain Policy Editor >>>"
    screen.

    As the kernel now supports "select domain=" command, the policy editor can
    read only single domain's domain policy. Thus, times needed for displaying
    "<<< Domain Policy Editor >>>" was shortened dramatically.

(9) CHANGE: timeauth : Echo key inputs.

    I planned to have "timeauth" demo in my PacSec2008's presentation.
    But I thought that echoing inputs as '*' character makes impossible to tell
    whether password is wrong or timing is wrong.
    Thus, I modified to echo inputs.
    If you are using "timeauth" in real systems, you can modify "timeauth.c"
    and recompile it.

(10) NEW: env_chk.c : An example of execute_handler keyword.

    I added this program for my PacSec2008's presentation to have
    environment-variable-based authentication.
    This is in a form of source code. Binary program is not included in binary
    ccs-tools packages.



Thanks.




More information about the tomoyo-users-en mailing list
アーカイブの一覧に戻る