TOMOYO
ForkHello.
A bug was discovered in TOMOYO Linux 1.6.4 .
An ACL entry that doesn't handle a pathname (e.g.
allow_network TCP connect 10.0.0.1 80 if task.state[0]=100
) is always ignored if you specify "task.state" keyword in "if" block.
TOMOYO Linux from 1.6.0 to 1.6.4 are affected by this bug.
This bug does not affect ACL entries without "task.state" keyword (e.g.
allow_network TCP connect 10.0.0.1 80 if task.uid=100
).
I'll fix this bug on next release. If you want to fix immediately,
please apply the below patch and recompile the kernel.
Regards.
---
diff -urp 1.6.4/fs/tomoyo_cond.c 1.6.4-hotfix/fs/tomoyo_cond.c
--- 1.6.4/fs/tomoyo_cond.c 2008-09-03 00:00:00.000000000 +0900
+++ 1.6.4-hotfix/fs/tomoyo_cond.c 2008-10-14 16:38:51.000000000 +0900
@@ -1031,8 +1031,8 @@ bool ccs_check_condition(const struct ac
const u8 left = header >> 8;
const u8 right = header;
ptr++;
- if ((left >= PATH1_UID && left < MAX_KEYWORD) ||
- (right >= PATH1_UID && right < MAX_KEYWORD)) {
+ if ((left >= PATH1_UID && left < EXEC_ARGC) ||
+ (right >= PATH1_UID && right < EXEC_ARGC)) {
if (!obj)
goto out;
if (!obj->validate_done) {