's approach.
How about submitting only vfsmount patches before submitting AppArmor/TOMOYO
main module?
We think the patches relate to not only LSM folks but also fsdevel folks.
So we are going to post the brief description of the patches to fsdevel.
Regards,
Kentaro Takeda
e not merged yet.
What prevents AppArmor's vfsmount patches from merging into -mm tree?
Regards.
Kentaro Takeda
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Hello.
James Morris wrote:
> Why aren't you using securityfs for this? (It was designed for LSMs).
We are using securityfs mounted on /sys/kernel/security/ .
Thanks.
Kentaro Takeda
To avoid namespace_sem deadlock, this patch uses
"current->last_vfsmount" associated by wrapper functions.
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: Tetsuo Handa <[EMAIL PROTECTED]>
---
security/tomoyo/tomoyo.c | 825 ++
layed enforcing" mode which allows the administrator to judge interactively.
You can try TOMOYO Linux without this patch, but in that case, you
can't use access control functionality for restricting signal transmission.
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by:
This patch allows administrators to use conditional permission.
TOMOYO Linux supports conditional permission based on
process's UID,GID etc. and/or requested pathname's UID/GID.
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: Tetsuo Handa <[EMAIL PROTECTED]>
TOMOYO Linux is placed in security/tomoyo .
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: Tetsuo Handa <[EMAIL PROTECTED]>
---
security/Kconfig |1 +
security/Makefile|1 +
security/tomoyo/Kconfig | 26 ++
sec
to enable system call auditing for all processes,
which may cause performance and log flooding problem?
Each permission can be automatically accumulated into
the policy of each domain using 'learning mode'.
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: Te
TOMOYO Linux checks mount permission based on
device name, mount point, filesystem type and optional flags.
TOMOYO Linux also checks permission in umount and pivot_root.
Each permission can be automatically accumulated into
the policy using 'learning mode'.
Signed-off-by: Kentaro Take
TOMOYO Linux checks sending signal by signal number and
the domain of target process. In order to check signal
permission, modification against kernel/signal.c is needed.
Each permission can be automatically accumulated into
the policy of each domain using 'learning mode'.
Signed-off-b
TOMOYO Linux checks environment variable's names passed to execve()
because some environment variables affect the behavior of a program
like argv[0].
Each permission can be automatically accumulated into
the policy of each domain using 'learning mode'.
Signed-off-by: Kentaro
against net/socket.c and net/core/datagram.c is needed.
Each permission can be automatically accumulated into
the policy of each domain using 'learning mode'.
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: Tetsuo Handa <[EMAIL PROTEC
TOMOYO Linux checks permission in
open/creat/unlink/truncate/ftruncate/mknod/mkdir/
rmdir/symlink/link/rename/uselib/sysctl .
Each permission can be automatically accumulated into
the policy of each domain using 'learning mode'.
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]&g
If the executed program name and argv[0] are different,
TOMOYO Linux checks permission.
Each permission can be automatically accumulated into
the policy of each domain using 'learning mode'.
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: Tetsuo Handa &
Every process belongs to a domain in TOMOYO Linux.
Domain transition occurs when execve(2) is called
and the domain is expressed as 'process invocation history',
such as ' /sbin/init /etc/init.d/rc'.
Domain information is stored in task_struct->security.
Signed-off-by:
in the TOMOYO Linux policy.
The userland daemon /usr/lib/ccs/ccs-auditd will save these logs.
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: Tetsuo Handa <[EMAIL PROTECTED]>
---
security/tomoyo/audit.c | 239
Basic functions to get canonicalized absolute pathnames
for TOMOYO Linux. Even if the requested pathname is symlink()ed
or chroot()ed, TOMOYO Linux uses the original pathname.
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: Tetsuo Handa <[EMAIL PROTECTED]>
---
sec
cess who must not be able to pick up this datagram
will repeat recvmsg() forever, which is a worse side effect.
So, don't give different permissions between processes who shares one socket.
Otherwise, some connections/datagrams cannot be delivered to intended process.
Signed-off-by: Kentaro
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: Tetsuo Handa <[EMAIL PROTECTED]>
---
security/tomoyo/include/realpath.h | 45 ++
security/tomoyo/include/tomoyo.h | 695 +
2 files changed, 740 insertions(+)
--- /dev/null
+++
This patch allows LSM hooks to refer to the previously associated "struct vfsmount"
parameter so that they can calculate pathname of given "struct dentry".
AppArmor's approach is to add "struct vfsmount" parameter to all related
functions, while my approach is to store "struct vfsmount" parameter
in "struct
This patch replaces VFS helper function calls caused by
userland process's request with VFS wrapper functions call.
I don't have a plan to control VFS helper function calls
caused by the kernel. Therefore, this patch doesn't modify
individual filesystems in fs/*/ directory.
I need to know the vfsm
This patch allows VFS wrapper functions to associate "struct vfsmount"
with "struct task_struct" so that LSM hooks can calculate
pathname of given "struct dentry".
Signed-off-by: Tetsuo Handa <[EMAIL PROTECTED]>
---
include/linux/init_task.h |1 +
include/linux/sched.h |2 ++
2 files cha
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: Tetsuo Handa <[EMAIL PROTECTED]>
Signed-off-by: Toshiharu Harada <[EMAIL PROTECTED]>
---
Documentation/TOMOYO.txt | 266 +++
1 file changed, 266 insertions(+)
--- /dev/
"TOMOYO Linux" is our work in the field of security enhancement for Linux.
This is the 6th submission of TOMOYO Linux.
(http://tomoyo.sourceforge.jp/wiki-e/?WhatIs#mainlining)
Changes since previous (November 17th) submission:
* Added security goal document. (Documentation/TOMOYO.txt)
This doc
I'm sorry. I sent inlined patches with quilt,
but MTA converted them to attached files.
I'll retry soon.
Regards,
Kentaro Takeda
tomoyo-file.patch
Description: application/octect-stream
tomoyo-headers.patch
Description: application/octect-stream
tomoyo-domain.patch
Description: application/octect-stream
tomoyo-net.patch
Description: application/octect-stream
tomoyo-hooks.patch
Description: application/octect-stream
tomoyo-mount.patch
Description: application/octect-stream
tomoyo-documentation.patch
Description: application/octect-stream
add-packet-filtering-based-on-process-security-context.patch
Description: application/octect-stream
add-signal-hooks-at-sleepable-locations.patch
Description: application/octect-stream
tomoyo-environ.patch
Description: application/octect-stream
tomoyo-exec.patch
Description: application/octect-stream
tomoyo-condition.patch
Description: application/octect-stream
tomoyo-realpath.patch
Description: application/octect-stream
replace-vfs-with-wrapper-functions.patch
Description: application/octect-stream
tomoyo-capability.patch
Description: application/octect-stream
tomoyo-audit.patch
Description: application/octect-stream
tomoyo-signal.patch
Description: application/octect-stream
add-wrapper-functions-for-vfs-helper-functions.patch
Description: application/octect-stream
tomoyo-kconfig.patch
Description: application/octect-stream
add-struct-vfsmount-to-struct-task_struct.patch
Description: application/octect-stream
moyo.sourceforge.jp/en/2.1.x/ . Please try TOMOYO Linux.
Feedback is most welcome.
OLS BoF material:
http://sourceforge.jp/projects/tomoyo/document/ols2007-tomoyo-20070629.pdf
Previous submissions: http://lkml.org/lkml/2007/6/13/58 ,
http://lkml.org/lkml/2007/6/14/55, http://lkml.or
Data structures and prototype definitions for TOMOYO Linux.
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: Tetsuo Handa <[EMAIL PROTECTED]>
---
security/tomoyo/include/realpath.h | 44 +++
security/tomoyo/include/tomoyo.h | 517 ++
TOMOYO Linux uses pathnames for auditing and controlling file access.
Therefore, namespace_sem is needed.
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: Tetsuo Handa <[EMAIL PROTECTED]>
---
fs/namespace.c |2 +-
1 files changed, 1 insertion(+), 1 deletion(-)
-
essage [00/15] is in the three.
If the [00/15] will be delivered, everything goes just fine.
We are going to wait some more time and decide to repost them again.
Thanks again.
Kentaro Takeda
On 2007/08/27 21:11, Kyle Moffett wrote:
>This is probably not acceptable; I doubt there's a chance in hell
>that TOMOYO will get merged as long as it has text-based-language
>parsing in the kernel. You also have $NEW_RANDOM_ABUSE_OF_PROCFS and
>$PATH_BASED_LSM_ISSUES. See the long flamewars on A
Kconfig and Makefile for TOMOYO Linux.
TOMOYO Linux is placed in security/tomoyo .
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: Tetsuo Handa <[EMAIL PROTECTED]>
---
security/Kconfig |1 +
security/Makefile|1 +
security/tomoyo/Kco
.
* post_recv_datagram is added in skb_recv_datagram.
You can try TOMOYO Linux without this patch, but in that case, you
can't use access control functionality for restricting signal
transmission and incoming network data.
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: T
impler and "namespace_sem" can remain "static".
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: Tetsuo Handa <[EMAIL PROTECTED]>
---
security/tomoyo/tomoyo.c | 748 +++
1 files changed, 748 inser
'learning mode'.
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: Tetsuo Handa <[EMAIL PROTECTED]>
---
security/tomoyo/signal.c | 229 +++
1 files changed, 229 insertions(+)
--- /dev/null 1970-01-01 00:00:00.000
rning mode'.
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: Tetsuo Handa <[EMAIL PROTECTED]>
---
security/tomoyo/mount.c | 1019
1 files changed, 1019 insertions(+)
--- /dev/null 1970-01-01 00:00:00.000
' and 'UDP connect',
LSM expansion patch ([TOMOYO 14/15]) is needed.
Each permission can be automatically accumulated into
the policy of each domain using 'learning mode'.
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: Tetsuo Handa <[EMAIL PROTEC
argv[0] check functions for TOMOYO Linux.
If the executed program name and argv[0] are different,
TOMOYO Linux checks permission.
Each permission can be automatically accumulated into
the policy of each domain using 'learning mode'.
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]&g
ned-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: Tetsuo Handa <[EMAIL PROTECTED]>
---
security/tomoyo/file.c | 1544 +
1 files changed, 1544 insertions(+)
--- /dev/null 1970-01-01 00:00:00.0 +
+++ linux-2.6/security
e not granted in the TOMOYO Linux policy.
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: Tetsuo Handa <[EMAIL PROTECTED]>
---
include/linux/audit.h |3 ++
security/tomoyo/audit.c | 68
2 files changed, 71 insertion
tored in task_struct->security.
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: Tetsuo Handa <[EMAIL PROTECTED]>
---
security/tomoyo/domain.c | 1256 +++
1 files changed, 1256 insertions(+)
--- /dev/null 1970-01-01 00:00:00.000
impler and "namespace_sem" can remain "static".
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: Tetsuo Handa <[EMAIL PROTECTED]>
---
security/tomoyo/tomoyo.c | 745 +++
1 files changed, 745 inser
'learning mode'.
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: Tetsuo Handa <[EMAIL PROTECTED]>
---
security/tomoyo/signal.c | 238 +++
1 files changed, 238 insertions(+)
--- /dev/null 1970-01-01 00:00:00.000
' and 'UDP accept'(recv),
LSM expansion patch ([TOMOYO /]) is needed.
Each permission can be automatically accumulated into
the policy of each domain using 'learning mode'.
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: Tetsuo Handa <[EMAIL
ned-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: Tetsuo Handa <[EMAIL PROTECTED]>
---
security/tomoyo/file.c | 1565 +
1 files changed, 1565 insertions(+)
--- /dev/null 1970-01-01 00:00:00.0 +
+++ linux-2.6/security
tored in task_struct->security.
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: Tetsuo Handa <[EMAIL PROTECTED]>
---
security/tomoyo/domain.c | 1291 +++
1 files changed, 1291 insertions(+)
--- /dev/null 1970-01-01 00:00:00.000
Data structures and prototype definitions for TOMOYO Linux.
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: Tetsuo Handa <[EMAIL PROTECTED]>
---
security/tomoyo/include/realpath.h | 44 +++
security/tomoyo/include/tomoyo.h | 516 ++
TOMOYO Linux uses pathnames for auditing and controlling file access.
Therefore, namespace_sem is needed.
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: Tetsuo Handa <[EMAIL PROTECTED]>
---
fs/namespace.c|2 +-
include/linux/mnt_namespace.h
OMOYO Linux.
Feedback is most welcome.
OLS BoF material:
http://sourceforge.jp/projects/tomoyo/document/ols2007-tomoyo-20070629.pdf
Previous submission: http://lkml.org/lkml/2007/6/13/58 ,
http://lkml.org/lkml/2007/6/14/55
Kentaro Takeda
NTT DATA CORPORATION
.mozillazine.org/Plain_text_e-mail_(Thunderbird)
Kentaro Takeda
/13/58
Kentaro Takeda
We limit the maximum length of any string data (such as domainname and
pathnames)
to TOMOYO_MAX_PATHNAME_LEN (which is 4000) bytes to fit within a single page.
Userland programs can obtain the amount of RAM currently used by TOMOYO from
/proc interface.
Signed-off-by: Kentaro Takeda <[EM
printable character,
so that wildcard characters can be expanded without changing existing names.
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: Tetsuo Handa <[EMAIL PROTECTED]>
---
security/
become simpler and "namespace_sem" can remain "static".
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: Tetsuo Handa <[EMAIL PROTECTED]>
---
security/tomoyo/tomoyo.c | 283
++
lease use TOMOYO Linux
1.4.1 instead.
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: Tetsuo Handa <[EMAIL PROTECTED]>
---
security/Kconfig |1 +
security/Makefile|1 +
security/tomoyo/Kconfig | 22 ++
securit
TOMOYO Linux uses pathnames for auditing and controlling file access.
Therefore, namespace_sem is needed.
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: Tetsuo Handa <[EMAIL PROTECTED]>
---
fs/namespace.c |2 +-
1 file changed, 1 insertion(+)
s the amount of
memory needed by TOMOYO.
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: Tetsuo Handa <[EMAIL PROTECTED]>
---
security/tomoyo/include/tomoyo.h | 319
+++
1 file changed, 319 insertions(
007/5/26/52 ).
Signed-off-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: Tetsuo Handa <[EMAIL PROTECTED]>
---
security/tomoyo/domain.c | 782
+++
1 file changed, 782 insertions(+)
diff -ubBpErN linux-2.6.21.
This is the main part for profiling and controlling file access.
We thought checking old pathname and new pathname separately
for rename() and link() operation is a too rough access control
and we are checking both pathnames using tomoyo_check_double_write_acl().
Signed-off-by: Kentaro Takeda
-by: Kentaro Takeda <[EMAIL PROTECTED]>
Signed-off-by: Tetsuo Handa <[EMAIL PROTECTED]>
---
security/tomoyo/audit.c | 52
1 file changed, 52 insertions(+)
diff -ubBpErN linux-2.6.21.5/security/tomoyo/audit.c
linux-2.6
The following patches are TOMOYO Linux 2.0.
TOMOYO Linux 2.0 is implemented as an LSM module.
If you want to use an older kernel, please download from
http://osdn.dl.sourceforge.jp/tomoyo/25693/tomoyo-lsm-2.0-20070605.tar.gz