The following patches are TOMOYO Linux 2.0. TOMOYO Linux 2.0 is implemented as an LSM module. If you want to use it with an older kernel, please download it from http://osdn.dl.sourceforge.jp/tomoyo/25693/tomoyo-lsm-2.0-20070605.tar.gz -
This patch makes access logs sent to auditing subsystem. Although TOMOYO Linux has /proc interface for access logs, we were advised to use auditing subsystem (after we introduced TOMOYO Linux 1.0 on December 2005, http://lkml.org/lkml/2005/12/21/63 ) and we did so in TOMOYO Linux 2.0. Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> --------------- security/tomoyo/audit.c | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) diff -ubBpErN linux-2.6.21.5/security/tomoyo/audit.c linux-2.6.21.5-tomoyo/security/tomoyo/audit.c --- linux-2.6.21.5/security/tomoyo/audit.c 1970-01-01 09:00:00.000000000 +0900 +++ linux-2.6.21.5-tomoyo/security/tomoyo/audit.c 2007-06-14 15:06:10.000000000 +0900 @@ -0,0 +1,52 @@ +/* + * security/tomoyo/audit.c + * + * Audit functions for TOMOYO Linux + * + * Copyright (C) 2005-2007 NTT DATA CORPORATION + * + * Version: 2.0 2007/06/05 + */ + +#include "tomoyo.h" +#include <linux/audit.h> + +/* move to include/linux/audit.h */ +#define AUDIT_TOMOYO 2001 + +char *tomoyo_init_audit_log(int *len) +{ + char *buf; + struct timeval tv; + struct task_struct *task = current; + const char *domainname = + ((struct tomoyo_security *) current->security)->domain_info->domainname->name; + do_gettimeofday(&tv); + *len += strlen(domainname) + 256; + if ((buf = tomoyo_alloc(*len)) != NULL) + snprintf(buf, + (*len) - 1, + "#timestamp=%lu pid=%d uid=%d gid=%d euid=%d egid=%d " + "suid=%d sgid=%d fsuid=%d fsgid=%d\n%s\n", + tv.tv_sec, task->pid, task->uid, task->gid, task->euid, task->egid, + task->suid, task->sgid, task->fsuid, task->fsgid, domainname); + return buf; +} + +/* + * Write audit log. + * Caller must allocate buf with tomoyo_init_audit_log(). + */ +int tomoyo_write_audit_log(char *buf, const int is_granted) +{ + struct audit_buffer *ab; + ab = ...
This is the main part for domain transition. In TOMOYO Linux, domains are automatically created at runtime. To make discussion smooth by reducing the amount of patches, we pruned argv[0] checks (although we referred the need of argv[0] checking at AppArmor's thread, http://lkml.org/lkml/2007/5/26/52 ). Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> --------------- security/tomoyo/domain.c | 782 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 782 insertions(+) diff -ubBpErN linux-2.6.21.5/security/tomoyo/domain.c linux-2.6.21.5-tomoyo/security/tomoyo/domain.c --- linux-2.6.21.5/security/tomoyo/domain.c 1970-01-01 09:00:00.000000000 +0900 +++ linux-2.6.21.5-tomoyo/security/tomoyo/domain.c 2007-06-05 00:00:00.000000000 +0900 @@ -0,0 +1,782 @@ +/* + * security/tomoyo/domain.c + * + * Domain transition functions for TOMOYO Linux. + * + * Copyright (C) 2005-2007 NTT DATA CORPORATION + * + * Version: 2.0 2007/06/05 + */ + +#include "tomoyo.h" +#include "realpath.h" +#include <linux/highmem.h> +#include <linux/binfmts.h> + +#ifndef for_each_process +#define for_each_process for_each_task +#endif + +/************************* VARIABLES *************************/ + +/* /sbin/init started? */ +extern int sbin_init_started; + +/* Lock for appending domain's ACL. */ +DECLARE_MUTEX(domain_acl_lock); + +/***** The structure for program files to force domain reconstruction. *****/ + +struct domain_initializer_entry { + struct domain_initializer_entry *next; + const struct path_info *domainname; /* This may be NULL */ + const struct path_info *program; + u8 is_deleted; + u8 is_not; + u8 is_last_name; + u8 is_oldstyle; +}; + +/***** The structure for domains to not to transit domains. *****/ + +struct domain_keeper_entry { + struct domain_keeper_entry *next; + const struct path_info *domainname; + const struct path_info *program; /* This may ...
This is the main part for profiling and controlling file access.
We thought that checking the old pathname and the new pathname separately
for rename() and link() operations is too coarse an access control,
so we check both pathnames together using tomoyo_check_double_write_acl().
Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---------------
security/tomoyo/file.c | 1126 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 1126 insertions(+)
diff -ubBpErN linux-2.6.21.5/security/tomoyo/file.c linux-2.6.21.5-tomoyo/security/tomoyo/file.c
--- linux-2.6.21.5/security/tomoyo/file.c 1970-01-01 09:00:00.000000000 +0900
+++ linux-2.6.21.5-tomoyo/security/tomoyo/file.c 2007-06-05 00:00:00.000000000 +0900
@@ -0,0 +1,1126 @@
+/*
+ * security/tomoyo/file.c
+ *
+ * File access control functions for TOMOYO Linux.
+ *
+ * Copyright (C) 2005-2007 NTT DATA CORPORATION
+ *
+ * Version: 2.0 2007/06/05
+ */
+
+#include "tomoyo.h"
+#include "realpath.h"
+#define ACC_MODE(x) ("\000\004\002\006"[(x)&O_ACCMODE])
+
+/************************* VARIABLES *************************/
+
+extern struct semaphore domain_acl_lock;
+
+/***** The structure for globally readable files. *****/
+
+struct globally_readable_file_entry {
+ struct globally_readable_file_entry *next;
+ const struct path_info *filename;
+ int is_deleted;
+};
+
+/***** The structure for filename patterns. *****/
+
+struct pattern_entry {
+ struct pattern_entry *next;
+ const struct path_info *pattern;
+ int is_deleted;
+};
+
+/***** The structure for non-rewritable-by-default file patterns. *****/
+
+struct no_rewrite_entry {
+ struct no_rewrite_entry *next;
+ const struct path_info *pattern;
+ int is_deleted;
+};
+
+/***** The structure for detailed write operations. *****/
+
+static struct {
+ const char *keyword;
+ const int paths;
+ int check_type;
+} acl_type_array[] = { /* mapping.txt */
+ { "create", 1, ...This is prototypes and structures definition.
Many of the structures are singly-linked lists, and the memory allocated for them is never freed,
because entries used for access control need not be removed from the list as frequently
as other kinds of entries in the kernel. This reduces the amount of memory needed by TOMOYO.
Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---------------
security/tomoyo/include/tomoyo.h | 319 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 319 insertions(+)
diff -ubBpErN linux-2.6.21.5/security/tomoyo/include/tomoyo.h linux-2.6.21.5-tomoyo/security/tomoyo/include/tomoyo.h
--- linux-2.6.21.5/security/tomoyo/include/tomoyo.h 1970-01-01 09:00:00.000000000 +0900
+++ linux-2.6.21.5-tomoyo/security/tomoyo/include/tomoyo.h 2007-06-05 00:00:00.000000000 +0900
@@ -0,0 +1,319 @@
+/*
+ * security/tomoyo/include/tomoyo.h
+ *
+ * Implementation of the Domain-Based Mandatory Access Control.
+ *
+ * Copyright (C) 2005-2007 NTT DATA CORPORATION
+ *
+ * Version: 2.0 2007/06/05
+ *
+ */
+#ifndef _TOMOYO_H
+#define _TOMOYO_H
+
+#include <linux/string.h>
+#include <linux/mm.h>
+#include <linux/utime.h>
+#include <linux/file.h>
+#include <linux/smp_lock.h>
+#include <linux/module.h>
+#include <linux/init.h>
+#include <linux/slab.h>
+#include <linux/poll.h>
+#include <asm/uaccess.h>
+#include <stdarg.h>
+#include <linux/delay.h>
+
+/***** TOMOYO Linux start. *****/
+
+struct tomoyo_security {
+ struct domain_info *domain_info;
+ u32 flags;
+};
+
+struct path_info {
+ const char *name;
+ u32 hash; /* = full_name_hash(name, strlen(name)) */
+ u16 total_len; /* = strlen(name) */
+ u16 const_len; /* = tomoyo_const_part_length(name) */
+ u8 is_dir; /* = tomoyo_strendswith(name, "/") */
+ u8 is_patterned; /* = PathContainsPattern(name) */
+ u16 depth; /* = ...TOMOYO Linux uses pathnames for auditing and controlling file access. Therefore, namespace_sem is needed.
Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---------------
fs/namespace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff -ubBpErN linux-2.6.21.5/fs/namespace.c linux-2.6.21.5-tomoyo/fs/namespace.c
--- linux-2.6.21.5/fs/namespace.c 2007-06-12 03:37:06.000000000 +0900
+++ linux-2.6.21.5-tomoyo/fs/namespace.c 2007-06-14 15:02:38.000000000 +0900
@@ -37,7 +37,7 @@ static int event;
 static struct list_head *mount_hashtable __read_mostly;
 static int hash_mask __read_mostly, hash_bits __read_mostly;
 static struct kmem_cache *mnt_cache __read_mostly;
-static struct rw_semaphore namespace_sem;
+struct rw_semaphore namespace_sem;
 
 /* /sys/fs */
 decl_subsys(fs, NULL, NULL);
--------------- -
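Review bot: `namespace_sem` is made global here without a matching declaration in any header, so the consumer visible in this series, `security/tomoyo/tomoyo.c`, re-declares it as a bare `extern struct rw_semaphore namespace_sem;` that the compiler cannot check against this definition; declare it once in `include/linux/mount.h` next to the other fs/namespace.c interfaces and drop the per-file extern. The definition should also carry a comment recording who now takes the lock and why, since nothing left in fs/namespace.c explains the dropped `static`: `/* not static: security/tomoyo takes it to map dentries to vfsmounts (see the tomoyo.c patch) */`. Taking the mount-table lock from LSM hooks presumably adds a lock-ordering constraint against VFS paths that already hold it; that constraint is not documented anywhere in this series and should be stated next to the definition, and I cannot confirm from the visible hunks which hooks actually take it.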
Looks whitespace-damaged to me. Pavel -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html -
Oops, I sent patches with "Content-type: format=flowed" header. I think your mail client converted tabs into spaces. The original patches themselves are not whitespace-damaged. http://kb.mozillazine.org/Plain_text_e-mail_(Thunderbird) Kentaro Takeda -
This file contains wrapper functions for TOMOYO's file access control functions.
The main job is to find "struct vfsmount" that corresponds to "struct dentry"
passed to LSM hooks.
Since "struct vfsmount" is not passed to LSM hooks,
TOMOYO can't determine which pathname was requested by the process
if bind mounts are used.
If bind mounts are used, TOMOYO requires permission for
all possible pathnames (whereas AppArmor requires permission for one of the possible pathnames).
If "struct vfsmount" is passed to LSM hooks as AppArmor proposes,
this file will become simpler and "namespace_sem" can remain "static".
Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---------------
security/tomoyo/tomoyo.c | 283 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 283 insertions(+)
diff -ubBpErN linux-2.6.21.5/security/tomoyo/tomoyo.c linux-2.6.21.5-tomoyo/security/tomoyo/tomoyo.c
--- linux-2.6.21.5/security/tomoyo/tomoyo.c 1970-01-01 09:00:00.000000000 +0900
+++ linux-2.6.21.5-tomoyo/security/tomoyo/tomoyo.c 2007-06-14 15:11:57.000000000 +0900
@@ -0,0 +1,283 @@
+/*
+ * security/tomoyo/tomoyo.c
+ *
+ * LSM hooks for TOMOYO Linux.
+ *
+ * Copyright (C) 2005-2007 NTT DATA CORPORATION
+ *
+ * Version: 2.0 2007/06/05
+ */
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/init.h>
+#include <linux/security.h>
+#include <linux/highmem.h>
+#include <linux/namei.h>
+#include <linux/mnt_namespace.h>
+#include <linux/sysctl.h>
+#include <linux/proc_fs.h>
+#include <linux/sched.h>
+
+#include "tomoyo.h"
+
+/* The initial domain. */
+struct domain_info KERNEL_DOMAIN = { NULL, NULL, NULL, 0, 0, 0 };
+extern struct rw_semaphore namespace_sem;
+
+static struct kmem_cache *tomoyo_cachep = NULL;
+
+static int tomoyo_task_alloc_security(struct task_struct *p)
+{
+ struct tomoyo_security *ptr = kmem_cache_alloc(tomoyo_cachep, GFP_KERNEL);
+ if (!ptr)
+ return ...TOMOYO Linux 2.0 is implemented using LSM and auditing subsystem. When you use TOMOYO, you need to enable auditing support and disable all features (other than TOMOYO Linux) that use LSM because TOMOYO Linux 2.0 has to be built-in. If you don't want to disable any features that use LSM, please use TOMOYO Linux 1.4.1 instead. Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> --------------- security/Kconfig | 1 + security/Makefile | 1 + security/tomoyo/Kconfig | 22 ++++++++++++++++++++++ security/tomoyo/Makefile | 3 +++ 4 files changed, 27 insertions(+) diff -ubBpErN linux-2.6.21.5/security/Kconfig linux-2.6.21.5-tomoyo/security/Kconfig --- linux-2.6.21.5/security/Kconfig 2007-06-12 03:37:06.000000000 +0900 +++ linux-2.6.21.5-tomoyo/security/Kconfig 2007-06-14 15:02:38.000000000 +0900 @@ -94,6 +94,7 @@ config SECURITY_ROOTPLUG If you are unsure how to answer this question, answer N. source security/selinux/Kconfig +source security/tomoyo/Kconfig endmenu diff -ubBpErN linux-2.6.21.5/security/Makefile linux-2.6.21.5-tomoyo/security/Makefile --- linux-2.6.21.5/security/Makefile 2007-06-12 03:37:06.000000000 +0900 +++ linux-2.6.21.5-tomoyo/security/Makefile 2007-06-14 15:02:38.000000000 +0900 @@ -16,3 +16,4 @@ obj-$(CONFIG_SECURITY) += security.o d obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o obj-$(CONFIG_SECURITY_CAPABILITIES) += commoncap.o capability.o obj-$(CONFIG_SECURITY_ROOTPLUG) += commoncap.o root_plug.o +obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/ diff -ubBpErN linux-2.6.21.5/security/tomoyo/Kconfig linux-2.6.21.5-tomoyo/security/tomoyo/Kconfig --- linux-2.6.21.5/security/tomoyo/Kconfig 1970-01-01 09:00:00.000000000 +0900 +++ linux-2.6.21.5-tomoyo/security/tomoyo/Kconfig 2007-06-05 00:00:00.000000000 +0900 @@ -0,0 +1,22 @@ +config SECURITY_TOMOYO + bool "TOMOYO Linux support" + depends on SECURITY && AUDIT + help + Say Y here to ...
We limit the maximum length of any string data (such as domainname and pathnames) to TOMOYO_MAX_PATHNAME_LEN (which is 4000) bytes to fit within a single page. Userland programs can obtain the amount of RAM currently used by TOMOYO from /proc interface. Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> --------------- security/tomoyo/include/realpath.h | 46 +++++ security/tomoyo/realpath.c | 445 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 491 insertions(+) diff -ubBpErN linux-2.6.21.5/security/tomoyo/include/realpath.h linux-2.6.21.5-tomoyo/security/tomoyo/include/realpath.h --- linux-2.6.21.5/security/tomoyo/include/realpath.h 1970-01-01 09:00:00.000000000 +0900 +++ linux-2.6.21.5-tomoyo/security/tomoyo/include/realpath.h 2007-06-05 00:00:00.000000000 +0900 @@ -0,0 +1,46 @@ +/* + * security/tomoyo/include/realpath.h + * + * Get the canonicalized absolute pathnames. The basis for TOMOYO. + * + * Copyright (C) 2005-2007 NTT DATA CORPORATION + * + * Version: 2.0 2007/06/05 + * + */ + +#ifndef _TOMOYO_REALPATH_H +#define _TOMOYO_REALPATH_H + +struct path_info; + +/* Returns realpath(3) of the given pathname but ignores chroot'ed root. */ +int tomoyo_realpath_from_dentry2(struct dentry *dentry, + struct vfsmount *mnt, + char *newname, + int newname_len); + +/* Returns realpath(3) of the given pathname but ignores chroot'ed root. */ +/* These functions use tomoyo_alloc(), so caller must tomoyo_free() */ +/* if these functions didn't return NULL. */ +char *tomoyo_realpath(const char *pathname); +char *tomoyo_realpath_nofollow(const char *pathname); +char *tomoyo_realpath_from_dentry(struct dentry *dentry, struct vfsmount *mnt); + +/* Allocate memory for structures. */ +/* The RAM is chunked, so NEVER try to kfree() the returned pointer. */ +void ...
Same NACK for this as for AppArmor, on exactly the same grounds. Please stop wasting your time on pathname-based non-solutions. -
TOMOYO Linux is a pathname-based MAC, that is true. But what that patch aimed for was sharing the idea of having the Linux kernel keep "process invocation history" information for each process. In that sense, TOMOYO Linux is just a sample implementation. Please take a look at the following message: http://lkml.org/lkml/2007/6/13/58 Best regards, Toshiharu Harada -
This file contains utility functions for TOMOYO.
All string data in TOMOYO Linux consists of ASCII printable characters (0x21 to 0x7E),
so that userland applications can tokenize it unambiguously using whitespace and carriage returns.
Every wildcard consists of "\" followed by one ASCII printable character,
so that wildcards can be expanded without changing existing names.
Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---------------
security/tomoyo/common.c | 1576 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 1576 insertions(+)
diff -ubBpErN linux-2.6.21.5/security/tomoyo/common.c linux-2.6.21.5-tomoyo/security/tomoyo/common.c
--- linux-2.6.21.5/security/tomoyo/common.c 1970-01-01 09:00:00.000000000 +0900
+++ linux-2.6.21.5-tomoyo/security/tomoyo/common.c 2007-06-05 00:00:00.000000000 +0900
@@ -0,0 +1,1576 @@
+/*
+ * security/tomoyo/common.c
+ *
+ * Common functions for TOMOYO Linux.
+ *
+ * Copyright (C) 2005-2007 NTT DATA CORPORATION
+ *
+ * Version: 2.0 2007/06/05
+ */
+
+#include <linux/string.h>
+#include <linux/mm.h>
+#include <linux/utime.h>
+#include <linux/file.h>
+#include <linux/module.h>
+#include <linux/slab.h>
+#include <asm/uaccess.h>
+#include <stdarg.h>
+#include <linux/namei.h>
+#include <linux/mount.h>
+#include <linux/proc_fs.h>
+#include "realpath.h"
+#include "tomoyo.h"
+
+#if defined (CONFIG_TOMOYO_MAX_ACCEPT_ENTRY)
+#define MAX_ACCEPT_ENTRY (CONFIG_TOMOYO_MAX_ACCEPT_ENTRY)
+#else
+#define MAX_ACCEPT_ENTRY 2048
+#endif
+
+static int tomoyo_read_control(struct file *file, char __user *buffer, const int buffer_len);
+
+/************************* VARIABLES *************************/
+
+/* /sbin/init started? */
+int sbin_init_started = 0;
+
+const char *ccs_log_level = KERN_DEBUG;
+
+static struct {
+ const char *keyword;
+ unsigned int current_value;
+ const unsigned int max_value;
+} ...Uh, can we get some docs? Like how this is better than selinux, what it does, how is it configured...? Pavel -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html -
That message and its children were meant to be put under the message below. Sorry for the confusion. http://lkml.org/lkml/2007/6/13/58 Kentaro Takeda -
