Tetsuo Handa
from-****@I-lov*****
2010年 8月 4日 (水) 21:24:02 JST
熊猫です。 カーネル 2.6.35 がリリースされました。よって、カーネル 2.6.36 に含まれることに なる TOMOYO 2.3 の機能が確定しました。現在 TOMOYO 2.3 のためのユーザランド ツールを準備中です。 http://tomoyo.sourceforge.jp/2.3/ から試すことができます。 TOMOYO 1.7.3 の開発状況を http://sourceforge.jp/projects/tomoyo/lists/archive/users-en/2010-June/000177.html でお知らせしましたが、 「独自フックの内、LSMフックから呼び出せるフックをLSMフックに移動させて、 あまり意味のない独自フックを削除する」ための良い機会だと考え、( TOMOYO 2.4 の ベースとなる) TOMOYO 1.8.0 としてリリースすることにしました。 カーネル 2.6.36 のためのパッチの量を以下に示します。 fs/compat.c | 2 fs/exec.c | 2 fs/open.c | 2 fs/proc/version.c | 7 ++ include/linux/init_task.h | 9 +++ include/linux/sched.h | 6 ++ include/linux/security.h | 56 +++++++++++------- include/net/ip.h | 2 kernel/kexec.c | 3 + kernel/kmod.c | 5 + kernel/module.c | 5 + kernel/ptrace.c | 4 + kernel/sched.c | 2 kernel/signal.c | 10 +++ kernel/sys.c | 10 +++ kernel/time/ntp.c | 6 ++ net/ipv4/raw.c | 11 ++- net/ipv4/udp.c | 8 ++ net/ipv6/raw.c | 11 ++- net/ipv6/udp.c | 8 ++ net/socket.c | 6 ++ security/Kconfig | 2 security/Makefile | 3 + security/security.c | 136 ++++++++++++++++++++++++++++++++++++++-------- 24 files changed, 260 insertions(+), 56 deletions(-) ファイルシステムに関するフックのほとんどがLSMに移動されたことがおわかりだと 思います。そのため、各種ディストリビューション用のパッチを作成するのが容易に なってきています。ネットワークの受信系のフックおよびシグナルの送信を制限する ためのフック、および、独自のケイパビリティを扱うためのフックが残っています。 現時点までに変更された内容を以下に列挙します。 @ Change keyword syntax. I removed "allow_" prefix from directives. New directives for files are prefixed with "file ". For example, "allow_read" changed to "file read", "allow_ioctl" changed to "file ioctl". New directive for "allow_network" is "network". New directive for "allow_env" is "misc env". New directive for "allow_signal" is "ipc signal". New directive for "allow_capability" is "capability". These directives correspond with keywords used by profile's CONFIG lines. I removed "deny_rewrite" and "allow_rewrite" directives and introduced "file append" directive. Thus, permission for open(O_WRONLY | O_APPEND) changed from "allow_write" + "allow_rewrite" to "file append". I removed "SYS_MOUNT", "SYS_UMOUNT", "SYS_CHROOT", "SYS_KILL", "SYS_LINK", "SYS_SYMLINK", "SYS_RENAME", "SYS_UNLINK", "SYS_CHMOD", "SYS_CHOWN", "SYS_IOCTL", "SYS_PIVOT_ROOT" keywords from capabilities because these permissions can be checked by other directives (e.g. "file mount", "ipc signal"). I also removed "conceal_mount" keyword from capabilities because this check requires hooks in filesystem part while almost all hooks for filesystem part have moved to LSM by Linux 2.6.34. @ Distinguish send() and recv() operations for UDP and IP protocols. Until now, it was impossible for UDP and IP protocols to allow either only sending or only receiving because permissions were aggregated with "connect" keyword. I broke "connect" keyword into "send" and "recv" keywords so that you can keep access control for send() operation enabled when you have to turn access control for recv() operation off due to application breakage by filtering incoming datagram. @ Wait for next connection/datagram if current connection/datagram was discarded. Regarding "network TCP accept", "network UDP recv", "network RAW recv" keywords, I modified to wait for next connection/datagram if current connection/datagram was discarded. LSM hooks for these keywords are currently missing because this behavior may break applications. If you found applications broken by this behavior, you can set CONFIG::network::inet_tcp_accept and/or CONFIG::network::inet_udp_recv and/or CONFIG::network::inet_raw_recv to mode=disabled in order to disable filtering for incoming connection/datagram. @ Allow specifying multiple permissions in a line. Until now, only "allow_read/write" can be specified for combination of "allow_read" + "allow_write". Now, you can combine other permissions as long as type of parameters for these permissions is same. For example, "file read/write/append/execute/unlink/truncate /tmp/file" is correct but "file read/write/create /tmp/file" is wrong because "file create" requires create mode whereas "file read" and "file write" do not. @ Allow wildcard for execute permission and domainname. Until now, to execute programs with temporary names, "aggregator" is needed. To simplify code, I modified to accept wildcards for execute permission and domainname. Now, you can directly specify "file execute /tmp/logrotate.\?\?\?\?\?\?" and use "/tmp/logrotate.\?\?\?\?\?\?" within domainnames. @ Change pathname for non-rename()able filesystems. LSM version of TOMOYO wants to use /proc/self/ rather than /proc/$PID/ if $PID matches current thread's process ID in order to prevent current thread from accessing other process's information unless needed. But since procfs can be mounted on various locations (e.g. /proc/ /proc2/ /p/ /tmp/foo/100/p/ ), LSM version of TOMOYO cannot tell that whether the numeric part in the string returned by __d_path() represents process ID or not. Therefore, to be able to convert from $PID to self no matter where procfs is mounted, I changed pathname representations for filesystems which do not support rename() operation (e.g. proc, sysfs, securityfs). Now, "/proc/self/mounts" changed to "proc:/self/mounts" and "/sys/kernel/security/" changed to "sys:/kernel/security/" and "/dev/pts/0" changed to "devpts:/0". @ Add a new keyword "any" for domain transition control. To be able to make it easier to apply execute_handler on each domain, I added "any" keyword to domain transition control keywords. Now, "initialize_domain /usr/sbin/sshd" changed to "initialize_domain /usr/sbin/sshd from any" and "keep_domain <kernel> /usr/sbin/sshd /bin/bash" changed to "keep_domain any from <kernel> /usr/sbin/sshd /bin/bash". "keep_domain /path/to/execute_handler from any" will allow you to apply execute_handler for any domains without creating domains for execute_handler. @ Change buffering mode for reading policy. To be able to read() very very long lines correctly, I changed the way TOMOYO buffers policy for reading. @ Introduce "acl_group" keyword. Until now, it was possible to specify only "allow_read" and "allow_env" keywords in the exception policy. Since some operations like "file read/write/append /dev/null" and "network UDP send/recv @DNS_SERVER 53" are very common and should be permitted to all domains, I introduced "acl_group" keyword for giving such permissions. For example, specify "acl_group 0 file read/write/append /dev/null" in the exception policy and specify "use_group 0" from the domains in the domain policy. "ignore_global_allow_read" and "ignore_global_allow_env" keywords were removed from domain policy and "use_group" keyword was added. @ Allow controlling generation of access granted logs for per an entry basis. I added per-entry flag which controls generation of grant logs because Xen and KVM issues ioctl requests so frequently. For example, file ioctl /dev/null 0x5401 ; set audit=no will suppress /proc/ccs/grant_log even if profile says grant_log=yes . file ioctl /dev/null 0x5401 ; set audit=yes will generate /proc/ccs/grant_log even if profile says grant_log=no . file ioctl /dev/null 0x5401 will generate /proc/ccs/grant_log only if profile says grant_log=yes . This flag is intended for frequently accessed resources like file read /var/www/html/\{\*\}/\*.html ; set audit=no . @ Optimize for object's size. I merged similar code in order to reduce object's filesize. http://tomoyo.sourceforge.jp/1.8/ から試すことができます。 写真や動画やユーザランドツールのアップデートが必要ですが、 TOMOYO 1.8 および TOMOYO 2.4 がどんな風になるかを感じることはできると思います。 フィードバックをお待ちしています。
TOMOYO
Fork