20 Mar, 2012
1 commit
-
Acked-by: Tetsuo Handa
Signed-off-by: Cong Wang
28 Sep, 2011
1 commit
-
Commit bd03a3e4 "TOMOYO: Add policy namespace support." introduced policy
namespace. But as of /sbin/modprobe is executed from initramfs/initrd, profiles
for target domain's namespace is not defined because /sbin/tomoyo-init is not
yet called.Reported-by: Jamie Nguyen
Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris
26 Sep, 2011
2 commits
-
When TOMOYO started using garbage collector at commit 847b173e "TOMOYO: Add
garbage collector.", we waited for close() before kfree(). Thus, elements to be
kfree()d were queued up using tomoyo_gc_list list.But it turned out that tomoyo_element_linked_by_gc() tends to choke garbage
collector when certain pattern of entries are queued.Since garbage collector is no longer waiting for close() since commit 2e503bbb
"TOMOYO: Fix lockdep warning.", we can remove tomoyo_gc_list list and
tomoyo_element_linked_by_gc() by doing sequential processing.Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
Commit efe836ab "TOMOYO: Add built-in policy support." introduced
tomoyo_load_builtin_policy() but was by error called from nowhere.Commit b22b8b9f "TOMOYO: Rename meminfo to stat and show more statistics."
introduced tomoyo_update_stat() but was by error not called from
tomoyo_assign_domain().Also, mark tomoyo_io_printf() and tomoyo_path_permission() static functions,
as reported by "make namespacecheck".Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris
19 Sep, 2011
1 commit
-
I got an opinion that it is difficult to use exception policy's domain
transition control directives because they need to match the pathname specified
to "file execute" directives. For example, if "file execute /bin/\*\-ls\-cat"
is given, corresponding domain transition control directive needs to be like
"no_keep_domain /bin/\*\-ls\-cat from any".If we can specify like below, it will become more convenient.
file execute /bin/ls keep exec.realpath="/bin/ls" exec.argv[0]="ls"
file execute /bin/cat keep exec.realpath="/bin/cat" exec.argv[0]="cat"
file execute /bin/\*\-ls\-cat child
file execute /usr/sbin/httpd exec.realpath="/usr/sbin/httpd" exec.argv[0]="/usr/sbin/httpd"In above examples, "keep" works as if keep_domain is specified, "child" works
as if "no_reset_domain" and "no_initialize_domain" and "no_keep_domain" are
specified, "" causes domain transition to domain upon
successful execve() operation.Moreover, we can also allow transition to different domains based on conditions
like below example./usr/sbin/sshd
file execute /bin/bash /usr/sbin/sshd //batch-session exec.argc=2 exec.argv[1]="-c"
file execute /bin/bash /usr/sbin/sshd //root-session task.uid=0
file execute /bin/bash /usr/sbin/sshd //nonroot-session task.uid!=0Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris
14 Sep, 2011
3 commits
-
There was a race window that the pathname which is subjected to "file execute"
permission check when retrying via supervisor's decision because the pathname
was recalculated upon retry. Though, there is an inevitable race window even
without supervisor, for we have to calculate the symbolic link's pathname from
"struct linux_binprm"->filename rather than from "struct linux_binprm"->file
because we cannot back calculate the symbolic link's pathname from the
dereferenced pathname.Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
Add per-entry flag which controls generation of grant logs because Xen and KVM
issues ioctl requests so frequently. For example,file ioctl /dev/null 0x5401 grant_log=no
will suppress /sys/kernel/security/tomoyo/audit even if preference says
grant_log=yes .Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
This patch adds support for checking environment variable's names.
Although TOMOYO already provides ability to check argv[]/envp[] passed to
execve() requests,file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]="bar"
will reject execution of /bin/sh if environment variable LD_LIBRARY_PATH is not
defined. To grant execution of /bin/sh if LD_LIBRARY_PATH is not defined,
administrators have to specify likefile execute /bin/sh exec.envp["LD_LIBRARY_PATH"]="/system/lib"
file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]=NULL. Since there are many environment variables whereas conditional checks are
applied as "&&", it is difficult to cover all combinations. Therefore, this
patch supports conditional checks that are applied as "||", by specifying likefile execute /bin/sh
misc env LD_LIBRARY_PATH exec.envp["LD_LIBRARY_PATH"]="/system/lib"which means "grant execution of /bin/sh if environment variable is not defined
or is defined and its value is /system/lib".Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris
14 Jul, 2011
1 commit
-
Update comments for scripts/kernel-doc and fix some of errors reported by
scripts/checkpatch.pl .Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris
11 Jul, 2011
3 commits
-
Enable conditional ACL by passing object's pointers.
Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
This patch adds support for permission checks using argv[]/envp[] of execve()
request. Hooks are in the last patch of this pathset.Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
This patch adds support for permission checks using current thread's UID/GID
etc. in addition to pathnames.Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris
29 Jun, 2011
7 commits
-
Gather string constants to one file in order to make the object size smaller.
Use unsigned type where appropriate.
read()/write() returns ssize_t.Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
Mauras Olivier reported that it is difficult to use TOMOYO in LXC environments,
for TOMOYO cannot distinguish between environments outside the container and
environments inside the container since LXC environments are created using
pivot_root(). To address this problem, this patch introduces policy namespace.Each policy namespace has its own set of domain policy, exception policy and
profiles, which are all independent of other namespaces. This independency
allows users to develop policy without worrying interference among namespaces.Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
ACL group allows administrator to globally grant not only "file read"
permission but also other permissions.Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
Convert "allow_..." style directives to "file ..." style directives.
By converting to the latter style, we can pack policy like
"file read/write/execute /path/to/file".Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
Use structure for passing ACL line, in preparation for supporting policy
namespace and conditional parameters.Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
Use common structure for ACL with "struct list_head" + "atomic_t".
Use array/struct where possible.
Remove is_group from "struct tomoyo_name_union"/"struct tomoyo_number_union".
Pass "struct file"->private_data rather than "struct file".
Update some of comments.
Bring tomoyo_same_acl_head() from common.h to domain.c .
Bring tomoyo_invalid()/tomoyo_valid() from common.h to util.c .Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
In order to synchronize with TOMOYO 1.8's syntax,
(1) Remove special handling for allow_read/write permission.
(2) Replace deny_rewrite/allow_rewrite permission with allow_append permission.
(3) Remove file_pattern keyword.
(4) Remove allow_read permission from exception policy.
(5) Allow creating domains in enforcing mode without calling supervisor.
(6) Add permission check for opening directory for reading.
(7) Add permission check for stat() operation.
(8) Make "cat < /sys/kernel/security/tomoyo/self_domain" behave as if
"cat /sys/kernel/security/tomoyo/self_domain".Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris
02 Aug, 2010
19 commits
-
Commit c9e69318 "TOMOYO: Allow wildcard for execute permission." changed execute
permission and domainname to accept wildcards. But tomoyo_find_next_domain()
was using pathname passed to execve() rather than pathname specified by the
execute permission. As a result, processes were not able to transit to domains
which contain wildcards in their domainnames.This patch passes pathname specified by the execute permission back to
tomoyo_find_next_domain() so that processes can transit to domains which
contain wildcards in their domainnames.Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
Use shorter name in order to make it easier to fit 80 columns limit.
Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
Use common code for "initialize_domain"/"no_initialize_domain"/"keep_domain"/
"no_keep_domain" keywords.Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
Some programs behave differently depending on argv[0] passed to execve().
TOMOYO has "alias" keyword in order to allow administrators to define different
domains if requested pathname passed to execve() is a symlink. But "alias"
keyword is incomplete because this keyword assumes that requested pathname and
argv[0] are identical. Thus, remove "alias" keyword (by this patch) and add
syntax for checking argv[0] (by future patches).Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
Now lists are accessible via array index. Aggregate reader functions using index.
Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
Assign list id and make the lists as array of "struct list_head".
Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
Use shorter name in order to make it easier to fix 80 columns limit.
Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
We can use callback function since parameters are passed via
"const struct tomoyo_request_info".Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
tomoyo_file_perm() and tomoyo_path_permission() are similar.
We can embed tomoyo_file_perm() into tomoyo_path_permission().Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
Use common code for elements using "struct list_head" + "bool" structure.
Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
Use common "struct list_head" + "bool" structure.
Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
Use common "struct list_head" + "bool" + "u8" structure and
use common code for elements using that structure.Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
This patch allows users to change access control mode for per-operation basis.
This feature comes from non LSM version of TOMOYO which is designed for
permitting users to use SELinux and TOMOYO at the same time.SELinux does not care filename in a directory whereas TOMOYO does. Change of
filename can change how the file is used. For example, renaming index.txt to
.htaccess will change how the file is used. Thus, letting SELinux to enforce
read()/write()/mmap() etc. restriction and letting TOMOYO to enforce rename()
restriction is an example usage of this feature.What is unfortunate for me is that currently LSM does not allow users to use
SELinux and LSM version of TOMOYO at the same time...Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
This patch allows users to aggregate programs which provide similar
functionality (e.g. /usr/bin/vi and /usr/bin/emacs ).Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
Some applications create and execute programs dynamically. We need to accept
wildcard for execute permission because such programs contain random suffix
in their filenames. This patch loosens up regulation of string parameters.Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
Allow pathnames longer than 4000 bytes.
Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
security/tomoyo/common.c became too large to read.
Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
Since the behavior of the system is restricted by policy, we may need to update
policy when you update packages.We need to update policy in the following cases.
* The pathname of files has changed.
* The dependency of files has changed.
* The access permissions required has increased.The ideal way to update policy is to rebuild from the scratch using learning
mode. But it is not desirable to change from enforcing mode to other mode if
the system has once entered in production state. Suppose MAC could support
per-application enforcing mode, the MAC becomes useless if an application that
is not running in enforcing mode was cracked. For example, the whole system
becomes vulnerable if only HTTP server application is running in learning mode
to rebuild policy for the application. So, in TOMOYO Linux, updating policy is
done while the system is running in enforcing mode.This patch implements "interactive enforcing mode" which allows administrators
to judge whether to accept policy violation in enforcing mode or not.
A demo movie is available at http://www.youtube.com/watch?v=b9q1Jo25LPA .Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
Use "struct tomoyo_request_info" instead of passing individual arguments.
Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris
10 May, 2010
1 commit
-
Use stack memory for pending entry to reduce kmalloc() which will be kfree()d.
Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris
06 May, 2010
1 commit
-
Some of TOMOYO's functions may sleep after mutex_lock(). If OOM-killer selected
a process which is waiting at mutex_lock(), the to-be-killed process can't be
killed. Thus, replace mutex_lock() with mutex_lock_interruptible() so that the
to-be-killed process can immediately return from TOMOYO's functions.Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris