[TOMOYO #6 00/21] TOMOYO Linux - MAC based on process invocation history.

[TOMOYO #6 00/21] TOMOYO Linux - MAC based on process invocation history.

[Kentaro Takeda]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain, Size: 1957 bytes --]

"TOMOYO Linux" is our work in the field of security enhancement for Linux.
This is the 6th submission of TOMOYO Linux.
(http://tomoyo.sourceforge.jp/wiki-e/?WhatIs#mainlining)

Changes since previous (November 17th) submission:

* Added security goal document. (Documentation/TOMOYO.txt)
   This document is intended to specify the security goal that TOMOYO
   Linux is trying to achieve. Thread URL:
     http://lkml.org/lkml/2007/12/25/18

* Added environment variable name control functionality.
   Users can restrict the environment variable's names passed to
   execve() for each domain.

* Refreshed patches for the latest -mm tree.
   Patches are for 2.6.24-rc6-mm1

The possibility of AB-BA deadlock has been pointed out and argued in
http://lkml.org/lkml/2007/11/5/388 .
We believe that LSM functions shouldn't access namespace_sem, so
we chose to write a set of wrapper functions to pass "struct vfsmount" to
LSM functions using "struct task_struct". This method is suggested at
http://www.mail-archive.com/linux-security-module@vger.kernel.org/msg01712.html .

We wish Linux to merge either AppArmor's "Pass struct vfsmount to ..." patches or
our patches marked as [02/21], [03/21], [04/21] into mainline kernel
so that AppArmor and TOMOYO Linux can safely access "struct vfsmount" from LSM.

Patches consist of five types.
 * [TOMOYO 01/21]:    Documentation.
 * [TOMOYO 02-05/21]: Essential modifications against -mm kernel.
 * [TOMOYO 06-19/21]: LSM implementation of TOMOYO Linux.
 * [TOMOYO 20/21]:    Makefile and Kconfig.
 * [TOMOYO 21/21]:    Optional modifications against -mm kernel.

We are trying to make a fair ¡Èsecure Linux¡É comparison table, it should
explain the differences between TOMOYO Linux and AppArmor.
(http://tomoyo.sourceforge.jp/wiki-e/?WhatIs#comparison)

We would like TOMOYO Linux to be added into -mm tree so that more
people can try. Any kind of feedbacks for the patches and the table
would be appreciated.
-- 

[TOMOYO #6 01/21] TOMOYO Linux documentation.

[Kentaro Takeda]

[-- Attachment #1: tomoyo-documentation.patch --]
[-- Type: application/octect-stream, Size: 12977 bytes --]

[TOMOYO #6 02/21] Add struct vfsmount to struct task_struct.

[Kentaro Takeda]

[-- Attachment #1: add-struct-vfsmount-to-struct-task_struct.patch --]
[-- Type: application/octect-stream, Size: 974 bytes --]

[TOMOYO #6 03/21] Add wrapper functions for VFS helper functions.

[Kentaro Takeda]

[-- Attachment #1: add-wrapper-functions-for-vfs-helper-functions.patch --]
[-- Type: application/octect-stream, Size: 5810 bytes --]

[TOMOYO #6 04/21] Replace VFS with wrapper functions.

[Kentaro Takeda]

[-- Attachment #1: replace-vfs-with-wrapper-functions.patch --]
[-- Type: application/octect-stream, Size: 8603 bytes --]

[TOMOYO #6 05/21] Add packet filtering based on processs security context.

[Kentaro Takeda]

[-- Attachment #1: add-packet-filtering-based-on-process-security-context.patch --]
[-- Type: application/octect-stream, Size: 10621 bytes --]

[TOMOYO #6 06/21] Data structures and prototype defitions.

[Kentaro Takeda]

[-- Attachment #1: tomoyo-headers.patch --]
[-- Type: application/octect-stream, Size: 28258 bytes --]

[TOMOYO #6 07/21] Memory and pathname management functions.

[Kentaro Takeda]

[-- Attachment #1: tomoyo-realpath.patch --]
[-- Type: application/octect-stream, Size: 17030 bytes --]

[TOMOYO #6 08/21] Utility functions and policy manipulation interface.

[Kentaro Takeda]

[-- Attachment #1: tomoyo-common.patch --]
[-- Type: application/octect-stream, Size: 66922 bytes --]

[TOMOYO #6 09/21] Domain transition functions.

[Kentaro Takeda]

[-- Attachment #1: tomoyo-domain.patch --]
[-- Type: application/octect-stream, Size: 34115 bytes --]

[TOMOYO #6 10/21] Auditing interface.

[Kentaro Takeda]

[-- Attachment #1: tomoyo-audit.patch --]
[-- Type: application/octect-stream, Size: 6755 bytes --]

[TOMOYO #6 11/21] File access control functions.

[Kentaro Takeda]

[-- Attachment #1: tomoyo-file.patch --]
[-- Type: application/octect-stream, Size: 38454 bytes --]

[TOMOYO #6 12/21] argv0 check functions.

[Kentaro Takeda]

[-- Attachment #1: tomoyo-exec.patch --]
[-- Type: application/octect-stream, Size: 6086 bytes --]

[TOMOYO #6 13/21] environment variable name check functions.

[Kentaro Takeda]

[-- Attachment #1: tomoyo-environ.patch --]
[-- Type: application/octect-stream, Size: 7467 bytes --]

[TOMOYO #6 14/21] Network access control functions.

[Kentaro Takeda]

[-- Attachment #1: tomoyo-net.patch --]
[-- Type: application/octect-stream, Size: 25793 bytes --]

[TOMOYO #6 15/21] Namespace manipulation control functions.

[Kentaro Takeda]

[-- Attachment #1: tomoyo-mount.patch --]
[-- Type: application/octect-stream, Size: 24857 bytes --]

[TOMOYO #6 16/21] Signal control functions.

[Kentaro Takeda]

[-- Attachment #1: tomoyo-signal.patch --]
[-- Type: application/octect-stream, Size: 6670 bytes --]

[TOMOYO #6 17/21] Capability access control functions.

[Kentaro Takeda]

[-- Attachment #1: tomoyo-capability.patch --]
[-- Type: application/octect-stream, Size: 12208 bytes --]

[TOMOYO #6 18/21] LSM adapter functions.

[Kentaro Takeda]

[-- Attachment #1: tomoyo-hooks.patch --]
[-- Type: application/octect-stream, Size: 21774 bytes --]

[TOMOYO #6 19/21] Conditional permission support.

[Kentaro Takeda]

[-- Attachment #1: tomoyo-condition.patch --]
[-- Type: application/octect-stream, Size: 18610 bytes --]

[TOMOYO #6 20/21] Kconfig and Makefile

[Kentaro Takeda]

[-- Attachment #1: tomoyo-kconfig.patch --]
[-- Type: application/octect-stream, Size: 2221 bytes --]

[TOMOYO #6 21/21] Add signal hooks at sleepable location.

[Kentaro Takeda]

[-- Attachment #1: add-signal-hooks-at-sleepable-locations.patch --]
[-- Type: application/octect-stream, Size: 6428 bytes --]

Re: [TOMOYO #6 00/21] TOMOYO Linux - MAC based on process invocation history.

[Kentaro Takeda]

I'm sorry. I sent inlined patches with quilt,
but MTA converted them to attached files.
I'll retry soon.

Regards,
Kentaro Takeda

Re: [TOMOYO #6 02/21] Add struct vfsmount to struct task_struct.

[Christoph Hellwig]

Just FYI:  A NACK to such an addition doesn't simply go away by
ignoring it.

Re: [TOMOYO #6 02/21] Add struct vfsmount to struct task_struct.

[Tetsuo Handa]

Hello.

Christoph Hellwig wrote:
> Just FYI:  A NACK to such an addition doesn't simply go away by
> ignoring it.
Excuse me. What NACK is remaining?

About the below comments?
> > NACK to this. Passing function parameters through the task_struct is
> > definitely not an acceptable hack
> 
> Exactly.  Having a vfsmount other than the current processes root or
> current working directory in task_struct doesn't make any sense.

I explained that this approach pushes the parameter on the stack memory
and behaves as if the parameter was passed by function calls.
http://lkml.org/lkml/2007/11/19/80

But if this approach is still unacceptable,
please discuss and adopt AppArmor's patches as soon as possible.
Both AppArmor and TOMOYO needs vfsmount parameters, but
I'm sad to see no comments on AppArmor's vfsmount patches.

Regards.