[Tomoyo-dev 1254] Development status of TOMOYO 2.3 and TOMOYO 1.8.0


Tetsuo Handa from-****@I-lov*****
Wed, 4 Aug 2010 21:24:02 JST


Kumaneko here.

Kernel 2.6.35 has been released. Therefore, the feature set of TOMOYO 2.3, which
will be included in kernel 2.6.36, is now fixed. The userland tools for TOMOYO 2.3
are currently being prepared. You can try it from http://tomoyo.sourceforge.jp/2.3/ .

I reported the development status of TOMOYO 1.7.3 at
http://sourceforge.jp/projects/tomoyo/lists/archive/users-en/2010-June/000177.html ,
but I considered this a good opportunity to "move those of our own hooks that can
be called from LSM hooks over to the LSM hooks, and remove our own hooks that are
not very meaningful", so I decided to release it as TOMOYO 1.8.0 (which will be
the base of TOMOYO 2.4).

The size of the patch for kernel 2.6.36 is shown below.

 fs/compat.c               |    2 
 fs/exec.c                 |    2 
 fs/open.c                 |    2 
 fs/proc/version.c         |    7 ++
 include/linux/init_task.h |    9 +++
 include/linux/sched.h     |    6 ++
 include/linux/security.h  |   56 +++++++++++-------
 include/net/ip.h          |    2 
 kernel/kexec.c            |    3 +
 kernel/kmod.c             |    5 +
 kernel/module.c           |    5 +
 kernel/ptrace.c           |    4 +
 kernel/sched.c            |    2 
 kernel/signal.c           |   10 +++
 kernel/sys.c              |   10 +++
 kernel/time/ntp.c         |    6 ++
 net/ipv4/raw.c            |   11 ++-
 net/ipv4/udp.c            |    8 ++
 net/ipv6/raw.c            |   11 ++-
 net/ipv6/udp.c            |    8 ++
 net/socket.c              |    6 ++
 security/Kconfig          |    2 
 security/Makefile         |    3 +
 security/security.c       |  136 ++++++++++++++++++++++++++++++++++++++--------
 24 files changed, 260 insertions(+), 56 deletions(-)

As you can see, most of the hooks related to the filesystem have been moved into
LSM. This makes it easier to create the patches for the various distributions.
What remains are the hooks on the receiving side of networking, the hooks for
restricting the sending of signals, and the hooks for handling our own capabilities.

The changes made so far are listed below.

    @ Change keyword syntax.

      I removed the "allow_" prefix from directives. New directives for files are
      prefixed with "file ". For example, "allow_read" changed to "file read" and
      "allow_ioctl" changed to "file ioctl". The new directive for "allow_network"
      is "network". The new directive for "allow_env" is "misc env". The new
      directive for "allow_signal" is "ipc signal". The new directive for
      "allow_capability" is "capability". These directives correspond to the
      keywords used by the profile's CONFIG lines.

      I removed the "deny_rewrite" and "allow_rewrite" directives and introduced
      the "file append" directive. Thus, the permission for open(O_WRONLY | O_APPEND)
      changed from "allow_write" + "allow_rewrite" to "file append".

      I removed the "SYS_MOUNT", "SYS_UMOUNT", "SYS_CHROOT", "SYS_KILL",
      "SYS_LINK", "SYS_SYMLINK", "SYS_RENAME", "SYS_UNLINK", "SYS_CHMOD",
      "SYS_CHOWN", "SYS_IOCTL", "SYS_PIVOT_ROOT" keywords from capabilities
      because these permissions can be checked by other directives (e.g.
      "file mount", "ipc signal").

      I also removed the "conceal_mount" keyword from capabilities because this
      check requires hooks in the filesystem part, while almost all hooks for the
      filesystem part have moved to LSM as of Linux 2.6.34.

    @ Distinguish send() and recv() operations for UDP and IP protocols.

      Until now, it was impossible for the UDP and IP protocols to allow either
      only sending or only receiving, because the permissions were aggregated
      under the "connect" keyword. I split the "connect" keyword into "send" and
      "recv" keywords so that you can keep access control for the send()
      operation enabled when you have to turn access control for the recv()
      operation off because filtering incoming datagrams breaks an application.

    @ Wait for the next connection/datagram if the current connection/datagram
      was discarded.

      For the "network TCP accept", "network UDP recv" and "network RAW recv"
      keywords, I modified TOMOYO to wait for the next connection/datagram if
      the current connection/datagram was discarded. LSM hooks for these
      keywords are currently missing because this behavior may break
      applications. If you find applications broken by this behavior, you can
      set CONFIG::network::inet_tcp_accept and/or CONFIG::network::inet_udp_recv
      and/or CONFIG::network::inet_raw_recv to mode=disabled in order to
      disable filtering of incoming connections/datagrams.

    @ Allow specifying multiple permissions in a line.

      Until now, only "allow_read/write" could be specified, for the combination
      of "allow_read" + "allow_write". Now you can combine other permissions as
      long as the type of the parameters for these permissions is the same. For
      example, "file read/write/append/execute/unlink/truncate /tmp/file" is
      correct, but "file read/write/create /tmp/file" is wrong because
      "file create" requires a create mode whereas "file read" and "file write"
      do not.

    @ Allow wildcards for the execute permission and for domainnames.

      Until now, "aggregator" was needed to execute programs with temporary
      names. To simplify the code, I modified TOMOYO to accept wildcards for the
      execute permission and for domainnames. Now you can directly specify
      "file execute /tmp/logrotate.\?\?\?\?\?\?" and use
      "/tmp/logrotate.\?\?\?\?\?\?" within domainnames.

    @ Change pathnames for non-rename()able filesystems.

      The LSM version of TOMOYO wants to use /proc/self/ rather than /proc/$PID/
      if $PID matches the current thread's process ID, in order to prevent the
      current thread from accessing other processes' information unless needed.
      But since procfs can be mounted at various locations (e.g. /proc/ /proc2/
      /p/ /tmp/foo/100/p/ ), the LSM version of TOMOYO cannot tell whether the
      numeric part in the string returned by __d_path() represents a process ID
      or not.

      Therefore, to be able to convert from $PID to self no matter where procfs
      is mounted, I changed the pathname representation for filesystems which do
      not support the rename() operation (e.g. proc, sysfs, securityfs).

      Now, "/proc/self/mounts" changed to "proc:/self/mounts" and
      "/sys/kernel/security/" changed to "sys:/kernel/security/" and
      "/dev/pts/0" changed to "devpts:/0".

    @ Add a new keyword "any" for domain transition control.

      To make it easier to apply execute_handler to each domain, I added the
      "any" keyword to the domain transition control keywords. Now,
      "initialize_domain /usr/sbin/sshd" changed to
      "initialize_domain /usr/sbin/sshd from any" and
      "keep_domain <kernel> /usr/sbin/sshd /bin/bash" changed to
      "keep_domain any from <kernel> /usr/sbin/sshd /bin/bash".

      "keep_domain /path/to/execute_handler from any" will allow you to apply
      execute_handler to any domain without creating domains for
      execute_handler.

    @ Change buffering mode for reading policy.

      To be able to read() very very long lines correctly, I changed the way
      TOMOYO buffers policy for reading.

    @ Introduce "acl_group" keyword.

      Until now, only the "allow_read" and "allow_env" keywords could be
      specified in the exception policy.

      Since some operations like "file read/write/append /dev/null" and
      "network UDP send/recv @DNS_SERVER 53" are very common and should be
      permitted to all domains, I introduced "acl_group" keyword for giving
      such permissions.

      For example, specify "acl_group 0 file read/write/append /dev/null" in
      the exception policy and specify "use_group 0" in the domains in the
      domain policy.

      The "ignore_global_allow_read" and "ignore_global_allow_env" keywords were
      removed from the domain policy and the "use_group" keyword was added.

    @ Allow controlling the generation of access granted logs on a per-entry
      basis.

      I added a per-entry flag which controls the generation of grant logs
      because Xen and KVM issue ioctl requests so frequently. For example,

        file ioctl /dev/null 0x5401 ; set audit=no

      will suppress /proc/ccs/grant_log even if profile says grant_log=yes .

        file ioctl /dev/null 0x5401 ; set audit=yes

      will generate /proc/ccs/grant_log even if profile says grant_log=no .

        file ioctl /dev/null 0x5401

      will generate /proc/ccs/grant_log only if profile says grant_log=yes .

      This flag is intended for frequently accessed resources, for example:

        file read /var/www/html/\{\*\}/\*.html ; set audit=no

    @ Optimize for object size.

      I merged similar code in order to reduce the object file size.

You can try it from http://tomoyo.sourceforge.jp/1.8/ .
The photos, videos and userland tools still need to be updated,
but I think you can get a feel for what TOMOYO 1.8 and TOMOYO 2.4 will be like.
I look forward to your feedback.
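As an added illustration of the keyword changes listed in this announcement (this is example code written for this archive page, not part of the TOMOYO project or of the message above), the following hypothetical Python helper rewrites TOMOYO 1.7 style policy lines into the 1.8.0 syntax described here and flags the lines whose meaning changed (rewrite, removed capabilities, global allow_read/allow_env, the UDP/RAW "connect" split) so that a policy maintainer reviews them by hand instead of trusting a mechanical rename. The function names, the sample policy lines and the capability name SYS_REBOOT in the sample are constructed for this example.

```python
"""Hypothetical migration helper (not TOMOYO project code): rewrite TOMOYO 1.7
style policy lines into the 1.8.0 keyword syntax and flag lines that need
manual review because their semantics changed rather than just their spelling."""
import re

# Directive renames stated in "Change keyword syntax".
DIRECTIVE_MAP = {
    "allow_network": "network",
    "allow_env": "misc env",
    "allow_signal": "ipc signal",
}

# Capability keywords dropped in 1.8.0 because other directives cover them
# (e.g. "file mount", "ipc signal"), plus "conceal_mount".
REMOVED_CAPABILITIES = {
    "SYS_MOUNT", "SYS_UMOUNT", "SYS_CHROOT", "SYS_KILL", "SYS_LINK",
    "SYS_SYMLINK", "SYS_RENAME", "SYS_UNLINK", "SYS_CHMOD", "SYS_CHOWN",
    "SYS_IOCTL", "SYS_PIVOT_ROOT", "conceal_mount",
}

# "connect" was split into "send" and "recv" for UDP and RAW (IP) only;
# TCP keeps its "connect" keyword.
CONNECT_SPLIT = re.compile(r"^allow_network\s+(UDP|RAW)\s+connect\s+(.+)$")


def convert_line(line):
    """Convert one policy line. Returns (new_line, note): note is None when the
    rewrite is purely mechanical, otherwise a reason for manual review."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return stripped, None

    m = CONNECT_SPLIT.match(stripped)
    if m:
        proto, rest = m.groups()
        # Keep both directions so nothing that worked before is cut off;
        # the reviewer narrows to "send" or "recv" where one side suffices.
        return (f"network {proto} send/recv {rest}",
                "connect was split into send and recv; narrow if possible")

    parts = stripped.split(None, 1)
    directive = parts[0]
    rest = parts[1].strip() if len(parts) > 1 else ""

    if directive in ("allow_rewrite", "deny_rewrite"):
        return stripped, ("removed in 1.8.0: O_WRONLY|O_APPEND opens are now "
                          "granted with 'file append'; rewrite by hand")
    if directive in ("ignore_global_allow_read", "ignore_global_allow_env"):
        return stripped, ("removed in 1.8.0: global grants are now 'acl_group N' "
                          "entries selected per domain with 'use_group N'")
    if directive == "allow_capability":
        cap = rest.split(None, 1)[0] if rest else ""
        if cap in REMOVED_CAPABILITIES:
            return stripped, (f"capability {cap} removed in 1.8.0; express it "
                              "with the corresponding file/ipc directive")
        return f"capability {rest}".rstrip(), None
    if directive in DIRECTIVE_MAP:
        return f"{DIRECTIVE_MAP[directive]} {rest}".rstrip(), None
    if directive.startswith("allow_"):
        # allow_read, allow_read/write, allow_ioctl, allow_execute, ...
        # all become "file <permission>" in 1.8.0.
        return f"file {directive[len('allow_'):]} {rest}".rstrip(), None
    if directive == "initialize_domain" and " from " not in f" {rest} ":
        return f"initialize_domain {rest} from any", None
    if directive == "keep_domain" and " from " not in f" {rest} ":
        return f"keep_domain any from {rest}", None
    return stripped, None


def convert_policy(text):
    """Convert a whole policy text; returns a list of (new_line, note)."""
    return [convert_line(line) for line in text.splitlines()]


# Constructed sample of 1.7 style lines (not taken from any real policy).
SAMPLE_17_POLICY = """\
allow_read /etc/ld.so.cache
allow_read/write /dev/null
allow_ioctl /dev/null 0x5401
allow_network UDP connect @DNS_SERVER 53
allow_network TCP connect 192.168.0.1 22
allow_capability SYS_MOUNT
allow_capability SYS_REBOOT
keep_domain <kernel> /usr/sbin/sshd /bin/bash
"""

if __name__ == "__main__":
    for new_line, note in convert_policy(SAMPLE_17_POLICY):
        print(new_line + (f"    # REVIEW: {note}" if note else ""))
```

Lines that come back with a note are the ones where a simple search-and-replace would silently widen or lose a permission; the converter leaves them unchanged and reports why rather than guessing.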



