#
8fbe71f0 |
| 16-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Make read function to void. Read functions do not fail. Make them from int to void. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
71c28236 |
| 16-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Remove wrapper function for reading keyword. Keyword strings are read-only. We can directly access them to reduce code size. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
75093152 |
| 16-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Rename symbols. Use shorter name in order to make it easier to fix 80 columns limit. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
99a85259 |
| 16-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Use callback for permission check. We can use callback function since parameters are passed via "const struct tomoyo_request_info". Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
cf6e9a64 |
| 16-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Pass parameters via structure. To make it possible to use callback function, pass parameters via "struct tomoyo_request_info". Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
05336dee |
| 16-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Use common code for open and mkdir etc. tomoyo_file_perm() and tomoyo_path_permission() are similar. We can embed tomoyo_file_perm() into tomoyo_path_permission(). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
36f5e1ff |
| 14-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Use callback for updating entries. Use common code for elements using "struct list_head" + "bool" structure. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
82e0f001 |
| 14-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Use common structure for list element. Use common "struct list_head" + "bool" structure. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
237ab459 |
| 12-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Use callback for updating entries. Use common "struct list_head" + "bool" + "u8" structure and use common code for elements using that structure. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
Revision tags: v2.6.35-rc3, v2.6.35-rc2 |
|
#
57c2590f |
| 03-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Update profile structure. This patch allows users to change access control mode for per-operation basis. This feature comes from non LSM version of TOMOYO which is designed for permitting users to use SELinux and TOMOYO at the same time. SELinux does not care filename in a directory whereas TOMOYO does. Change of filename can change how the file is used. For example, renaming index.txt to .htaccess will change how the file is used. Thus, letting SELinux to enforce read()/write()/mmap() etc. restriction and letting TOMOYO to enforce rename() restriction is an example usage of this feature. What is unfortunate for me is that currently LSM does not allow users to use SELinux and LSM version of TOMOYO at the same time... Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
1084307c |
| 03-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Add pathname aggregation support. This patch allows users to aggregate programs which provide similar functionality (e.g. /usr/bin/vi and /usr/bin/emacs ). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
3f629636 |
| 03-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Allow wildcard for execute permission. Some applications create and execute programs dynamically. We need to accept wildcard for execute permission because such programs contain random suffix in their filenames. This patch loosens up regulation of string parameters. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
c8c57e84 |
| 03-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Support longer pathname. Allow pathnames longer than 4000 bytes. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
9b244373 |
| 03-Jun-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Several fixes for TOMOYO's management programs. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
Revision tags: v2.6.35-rc1 |
|
#
c3ef1500 |
| 16-May-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Split files into some pieces. security/tomoyo/common.c became too large to read. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
17fcfbd9 |
| 16-May-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Add interactive enforcing mode. Since the behavior of the system is restricted by policy, we may need to update policy when you update packages. We need to update policy in the following cases. * The pathname of files has changed. * The dependency of files has changed. * The access permissions required has increased. The ideal way to update policy is to rebuild from the scratch using learning mode. But it is not desirable to change from enforcing mode to other mode if the system has once entered in production state. Suppose MAC could support per-application enforcing mode, the MAC becomes useless if an application that is not running in enforcing mode was cracked. For example, the whole system becomes vulnerable if only HTTP server application is running in learning mode to rebuild policy for the application. So, in TOMOYO Linux, updating policy is done while the system is running in enforcing mode. This patch implements "interactive enforcing mode" which allows administrators to judge whether to accept policy violation in enforcing mode or not. A demo movie is available at http://www.youtube.com/watch?v=b9q1Jo25LPA . Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
2106ccd9 |
| 16-May-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Add mount restriction. mount(2) has three string and one numeric parameters. Split mount restriction code from security/tomoyo/file.c . Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
a1f9bb6a |
| 16-May-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Split file access control functions by type of parameters. Check numeric parameters for operations that deal them (e.g. chmod/chown/ioctl). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
cb0abe6a |
| 16-May-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Use structure for passing common arguments. Use "struct tomoyo_request_info" instead of passing individual arguments. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
4c3e9e2d |
| 16-May-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Add numeric values grouping support. This patch adds numeric values grouping support, which is useful for grouping numeric values such as file's UID, DAC's mode, ioctl()'s cmd number. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
Revision tags: v2.6.34 |
|
#
7762fbff |
| 10-May-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Add pathname grouping support. This patch adds pathname grouping support, which is useful for grouping pathnames that cannot be represented using /\{dir\}/ pattern. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
Revision tags: v2.6.34-rc7 |
|
#
9e4b50e9 |
| 05-May-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Use stack memory for pending entry. Use stack memory for pending entry to reduce kmalloc() which will be kfree()d. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
29282381 |
| 05-May-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Use mutex_lock_interruptible. Some of TOMOYO's functions may sleep after mutex_lock(). If OOM-killer selected a process which is waiting at mutex_lock(), the to-be-killed process can't be killed. Thus, replace mutex_lock() with mutex_lock_interruptible() so that the to-be-killed process can immediately return from TOMOYO's functions. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
Revision tags: v2.6.34-rc6, v2.6.34-rc5, v2.6.34-rc4, v2.6.34-rc3, v2.6.34-rc2, v2.6.34-rc1, v2.6.33 |
|
#
17080008 |
| 16-Feb-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Remove __func__ from tomoyo_is_correct_path/domain __func__ is used for only debug printk(). We can remove it. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|
#
97d6931e |
| 15-Feb-2010 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
TOMOYO: Remove unneeded parameter. tomoyo_path_perm() tomoyo_path2_perm() and tomoyo_check_rewrite_permission() always receive tomoyo_domain(). We can move it from caller to callee. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
|