开发和下载开源软件

查看 1.6.0-20080401 - Change Log

类别(标签)树

文件信息

类别(标签)
文件名
ccs-patch_1.6.0-20080401_-_Changes
最后更新
2008-05-10 01:08
类型
Plain Text
编辑器
Tetsuo Handa
描述
1.6.0-20080401 - Change Log
语言
英语
翻译
Fix 2007/09/27

    @ Avoid eating memory after quota exceeded.

      Although ACL entries in a domain won't be added if the domain's quota
      has exceeded, SaveName() in AddFileACL() is called anyway.
      This caused unneeded memory consumption.

      Now, quota checking is done before getting domain_acl_lock lock.
      This may exceed quota by one or two entries, but that won't matter.

Fix 2007/10/16

    @ Add environment variable check.

      There are environment variables that may cause dangerous behavior
      like LD_\* .
      So I introduced 'allow_env' directive that allows specified
      environment variable inherited to next domain.
      Unlike other permissions, this check is done at execve() time
      using next domain's ACL information.

      To manage commonly inherited environments like PATH ,
      you can use 'allow_env' directive in exception policy
      to globally grant specified environment variable.

Fix 2007/11/05

    @ Replace semaphore with mutex.

      I replaced semaphore with mutex.

    @ Add missing down() in AddReservedEntry().

      Mutex debugging capability told me that I had forgotten to call down()
      since TOMOYO version 1.3.2 .
      This function is not called by learning mode,
      so the semaphore's counter will not overflow for normal usage.

Fix 2005/11/27

    @ Fix ReadTable() truncation bug.

      "snprintf(str, size, format, ...) >= size" means truncated.
      But I was checking for "snprintf(str, size, format, ...) > size".
      As a result, some entries might be dumped without '\n'.

    @ Purge direct "->prev"/"->next" manipulation.

      All list manipulations use "struct list_head" or "struct list1_head".
      "struct list1_head" doesn't have "->prev" member to save memory usage.

Fix 2007/11/29

    @ Add missing semaphore in GetEXE().

      mm->mmap_sem was missing.

Fix 2007/12/17

    @ Remove unused EXPORT_SYMBOL().

      Mark some functions static.

Fix 2007/12/18

    @ Fix AddMountACL() rejection bug.

      To my surprise, "mount --bind source dest" accepts
      not only "both source and dest are directory"
      but also "both source and dest are non-directory".
      I was rejecting if dest is not a directory in AddMountACL().

    @ Change log format.

      Profile number and mode is added in audit logs.

Fix 2008/01/03

    @ Change directive for file's read/write/execute permission.

      Directives for file's read/write/execute permissions were
      4/2/1 respectively. But for easier understanding, they are now
      replaced by read/write/execute (e.g. "allow_read" instead of "4").
      But for easier inputting, 4/2/1 are still accepted instead of
      allow_read/allow_write/allow_execute respectively.

    @ Change internal data structure.

      Since I don't have more than 16 types of file permissions,
      I combined them using bit-fields.

      Each entry had a field for conditional permission support.
      But since this field is unlikely used, I separated the field from
      common part.

      These changes will reduce memory used by policy.

Fix 2008/01/15

    @ Add ptrace() hook.

      To prevent attackers from controlling important processes using
      ptrace(), I added a hook for ptrace().
      Most programs (except strace(1) and gdb(1)) won't use ptrace(2).

    @ Fix sleep condition check in CheckSocketRecvDatagramPermission().

      It seems that correct method to use is in_atomic()
      rather than in_interrupt() because in_atomic() returns nonzero
      whenever scheduling is not allowed.

Fix 2008/02/05

    @ Use find_task_by_vpid() instead of find_task_pid().

      Kernel 2.6.24 introduced PID namespace.
      To search PID given from userland, the kernel needs to use
      find_task_by_vpid() instead of find_task_pid().

Fix 2008/02/14

    @ Add execve() parameter checking.

      Until now, it was impossible to check argv[] and envp[] parameters
      passed to execve().
      I expanded conditional permission syntax so that
      { argc, envc, argv[] , envp[] } parameters can be checked if needed.
      This will allow administrator permit execution of /bin/sh only when
      /bin/sh is invoked in the form of "/bin/sh -c" and environment variable
      HOME is set by specifying

        allow_execute /bin/sh if exec.argv[1]="-c" exec.envp["HOME"]!=NULL

      in the policy.
      This extension will make exploit codes difficult to start /bin/sh because
      they unlikely set up environment variables and unlikely specify "-c"
      option when invoking /bin/sh , whereas proper functions likely set up
      environment variables and likely specify "-c" option.

Fix 2008/02/18

    @ Add process state checking.

      Until now, it was impossible to change ACL without executing program.
      I added three variables for performing stateful checking within a domain.
      You can set current process's state like:

        allow_network TCP accept @TRUSTED_HOSTS 1024-65535 ; set task.state[0]=1
        allow_network TCP accept @UNTRUSTED_HOSTS 1024-65535 ; set task.state[0]=0

      and you can use the state like

        allow_read /path/to/important/file if task.state[0]=1

      in the policy.
      The state changes when the request was granted by the MAC's policy,
      so please be careful with situations where the state has changed
      successfully but the request was not processed because of other reasons
      (e.g. out of memory).

Fix 2008/02/26

    @ Support /proc/ccs/ access by non-root user.

      Until now, only root user can access /proc/ccs/ interface.
      But to permit /proc/ccs/ access by non-root user so that it won't require
      ssh login by root user when administrating from remote host,
      I made "(current->uid == 0 && current->euid == 0)" requirement optional.
      If this requirement is disabled, only "conventional DAC permission
      checks" and "/proc/ccs/manager checks" are used.

Fix 2008/02/29

    @ Add sleep_on_violation feature.

      Some exploit codes (e.g. trans2open for Samba) continue running
      until it achieves the purpose of the exploit code (e.g. invoke /bin/sh).

      If such code is injected due to buffer overflow but the kernel
      rejects the request, it triggers infinite "Permission denied" loop.
      As a result, the CPU usage becomes 100% and gives bad effects to
      the rest of processes.
      This is a side effect of rejecting the request from the exploit code
      which wouldn't happen if the request from the exploit code was granted.

      To avoid such CPU consumption, I added a penalty that forcibly
      sleeps for specified period when a request is rejected.

      This penalty doesn't work if the exploit code does nothing but
      continue running, but I think most exploit code's purpose is
      to start some program rather than to slow down the target system.

    @ Add alt_exec feature.

      Since TOMOYO Linux's approach is "know all essential requests in advance
      and create policy that permits only them", you can regard anomalous
      requests as attacks (if you want to do so).

      Common MAC implementations merely reject requests that violate policy.
      But I added a special handler for execve() to TOMOYO Linux.

      This handler is triggered when a process requested to execute a program
      but the request was rejected by the policy.
      This handler executes a program specified by the administrator
      instead of a program requested by the process.

      Most attackers attempt to execute /bin/sh to start something malicious.
      Attackers execute an exploit code using buffer overflow vulnerability
      to steal control of a process. But this handler can get back control
      if an exploit code requests execve() that is not permitted by policy.

      By default, this handler does nothing (i.e. merely reject execve()
      request). You can specify any program to start what you want to do.

      You can redirect attackers to somewhere else (e.g. honey pot).
      This makes it possible to act your Linux box as an on-demand honey pot
      while keeping regular services for your usage.

      You can collect information of the attacker (e.g. IP address) and
      update firewall configuration.

      You can silently terminate a process who requested execve()
      that is not permitted by policy.

Fix 2008/03/03

    @ Add "force_alt_exec" keyword.

      To be able to fully utilize "alt_exec" feature,
      I added "force_alt_exec" keyword so that
      all execute requests are replaced by the execute request of a program
      specified by alt_exec feature.

      If this keyword is specified for a domain, the domain no longer
      executes any programs regardless of the mode of file access control
      (i.e. the domain won't execute even if MAC_FOR_FILE=0 ).
      Instead, the domain executes the program specified by alt_exec feature
      and the program specified by alt_exec feature validates the execute
      request and executes it if it is appropriate to execute.

      If you can tolerate that there is no chance to return an error code
      to the caller to tell the execute request was rejected,
      this is more flexible approach than in-kernel execve() parameter
      checking because we can do argv[] and envp[] checking easily.

Fix 2008/03/04

    @ Use string for access control mode.

      An integer expression for access control mode sometimes confuses
      administrators because profile number is also an integer expression.
      To avoid confusion between profile number and access control mode,
      I introduced a string expression for access control mode.

        Modes which take an integer between 0 and 3.

          0 -> disabled
          1 -> learning
          2 -> permissive
          3 -> enforcing

        Modes which take 0 or 1.

          0 -> disabled
          1 -> enabled

Fix 2008/03/10

    @ Rename "force_alt_exec" keyword to "execute_handler".

      To be able to use different programs for validating execve() parameters,
      I moved the location to specify the program's pathname from profile
      to domain policy.

      The "execute_handler" keyword takes one pathname which is
      invoked whenever execve() request is issued. Thus, any "allow_execute"
      keywords in a domain with "execute_handler" are ignored.
      This keyword is designed for validating expected/desirable execve()
      requests in userspace, although there is no way to tell the caller
      that the execve() request was rejected.

    @ Rename "alt_exec" keyword to "denied_execute_handler".

      The "denied_execute_handler" keyword takes one pathname which is
      invoked only when execve() request was rejected. In other words,
      this program is invoked only when the following conditions are met.

        (1) None of "allow_execute" keywords in the domain matched.
        (2) The execve() request was rejected in enforcing mode.
        (3) "execute_handler" keyword is not used by the domain.

      This keyword is designed for handling unexpected/undesirable execve()
      requests, to redirect the process issuing such requests to somewhere.

Fix 2008/03/18

    @ Fix wrong/redundant locks in pre-vfs functions.

      lock_kernel()/unlock_kernel() in pre_vfs_rename() were redundant for
      2.6 kernels.

      Locking order in pre_vfs_link() and pre_vfs_unlink() for 2.4 kernels
      after 2.4.33 were different from before 2.4.32 .

Fix 2008/03/28

    @ Disable execute handler loop.

      To be able to use "execute_handler" in a "keep_domain" domain,
      ignore "execute_handler" and "denied_execute_handler" keywords
      if the current process is executing programs specified by
      "execute_handler" or "denied_execute_handler" keyword.

      This exception is needed to avoid infinite execute handler loop.
      If a domain has both "keep_domain" and "execute_handler",
      any execute request by that domain is handled by an execute handler,
      and the execute handler attempts to process original execute request.
      But the original execute request is handled by the same execute handler
      unless the execute handler ignores "execute_handler".

    @ Update coding style.

      I rewrote the code to pass scripts/checkpatch.pl as much as possible.
      Function names were changed to use only lower letters.

Version 1.6.0 2008/04/01   Feature enhancement release.