
[TOMOYO #16 00/25] Starting TOMOYO 2.3


Tetsuo Handa

Oct 4, 2009, 9:00:16 AM
Hello.

This is the beginning of TOMOYO 2.3. TOMOYO 2.2 (which is in kernel 2.6.30 and
later) is terribly lacking in functionality (e.g. no audit logs, no network).
I hope TOMOYO 2.3 can provide practically sufficient functionality.

This patchset provides almost all functionality in TOMOYO 1.7.0 except
(1) DAC before MAC checks for directory modification operations.
(2) Incoming UDP/RAW packet filtering.
(3) Signal transmission restriction.
(4) Many of non-posix capabilities support.

Since this patchset is not yet accepted, I haven't written documentation for
TOMOYO 2.3. You can see http://tomoyo.sourceforge.jp/1.7/policy-reference.html
instead.

Conventionally, patches should be submitted in the form of diff file.
But this time, I submit in the form of entire file due to amount of changes.

# diff -u security/tomoyo.2.2/realpath.c security/tomoyo/new-realpath.c | diffstat -f0
new-realpath.c | 609 186 + 423 - 0 !
1 file changed, 186 insertions(+), 423 deletions(-)
# wc -l security/tomoyo/new-realpath.c
251 security/tomoyo/new-realpath.c

# diff -u security/tomoyo.2.2/file.c security/tomoyo/new-file.c | diffstat -f0
new-file.c | 2472 1693 + 779 - 0 !
1 file changed, 1693 insertions(+), 779 deletions(-)
# wc -l security/tomoyo/new-file.c
2249 security/tomoyo/new-file.c

# diff -u security/tomoyo.2.2/domain.c security/tomoyo/new-domain.c | diffstat -f0
new-domain.c | 1322 877 + 445 - 0 !
1 file changed, 877 insertions(+), 445 deletions(-)
# wc -l security/tomoyo/new-domain.c
1354 security/tomoyo/new-domain.c

# diff -u security/tomoyo.2.2/tomoyo.c security/tomoyo/lsm.c | diffstat -f0
lsm.c | 492 350 + 142 - 0 !
1 file changed, 350 insertions(+), 142 deletions(-)
# wc -l security/tomoyo/lsm.c
523 security/tomoyo/lsm.c

# diff -Nur security/tomoyo.2.2/ security/tomoyo/ | diffstat -f0
Kconfig | 67 67 + 0 - 0 !
Makefile | 2 1 + 1 - 0 !
address_group.c | 270 270 + 0 - 0 !
audit.c | 561 561 + 0 - 0 !
capability.c | 141 141 + 0 - 0 !
common.c | 2276 0 + 2276 - 0 !
common.h | 461 0 + 461 - 0 !
condition.c | 1332 1332 + 0 - 0 !
domain.c | 922 0 + 922 - 0 !
environ.c | 232 232 + 0 - 0 !
file.c | 1335 0 + 1335 - 0 !
gc.c | 606 606 + 0 - 0 !
internal.h | 1317 1317 + 0 - 0 !
load_policy.c | 97 97 + 0 - 0 !
lsm.c | 523 523 + 0 - 0 !
memory.c | 391 391 + 0 - 0 !
mount.c | 366 366 + 0 - 0 !
network.c | 757 757 + 0 - 0 !
new-domain.c | 1354 1354 + 0 - 0 !
new-file.c | 2249 2249 + 0 - 0 !
new-realpath.c | 251 251 + 0 - 0 !
number_group.c | 212 212 + 0 - 0 !
path_group.c | 210 210 + 0 - 0 !
policy_io.c | 2734 2734 + 0 - 0 !
realpath.c | 488 0 + 488 - 0 !
realpath.h | 66 0 + 66 - 0 !
securityfs_if.c | 148 148 + 0 - 0 !
tomoyo.c | 315 0 + 315 - 0 !
tomoyo.h | 96 0 + 96 - 0 !
util.c | 1144 1144 + 0 - 0 !
30 files changed, 14963 insertions(+), 5960 deletions(-)

Regards.

Tetsuo Handa

Oct 4, 2009, 9:00:15 AM
tomoyo-add-condition.patch

Tetsuo Handa

Oct 4, 2009, 9:00:17 AM
tomoyo-add-number_group.patch

Tetsuo Handa

Oct 4, 2009, 9:00:17 AM
tomoyo-add-environ.patch

Tetsuo Handa

Oct 4, 2009, 9:00:17 AM
tomoyo-add-path_group.patch

Tetsuo Handa

Oct 4, 2009, 9:00:16 AM
tomoyo-add-network.patch

Tetsuo Handa

Oct 4, 2009, 9:10:08 AM
tomoyo-add-load_policy.patch

Tetsuo Handa

Oct 4, 2009, 9:10:07 AM
tomoyo-add-new-domain.patch

Tetsuo Handa

Oct 4, 2009, 9:10:10 AM
tomoyo-update-Makefile-and-Kconfig.patch

Tetsuo Handa

Oct 4, 2009, 9:10:11 AM
tomoyo-add-securityfs-interface.patch

Tetsuo Handa

Oct 4, 2009, 9:10:10 AM
tomoyo-add-new-realpath.patch

Tetsuo Handa

Oct 4, 2009, 9:10:08 AM
tomoyo-add-util.patch

Tetsuo Handa

Oct 4, 2009, 9:10:09 AM
tomoyo-add-new-file.patch

Tetsuo Handa

Oct 4, 2009, 9:10:11 AM
tomoyo-add-policy_io.patch

Pavel Machek

Oct 6, 2009, 4:30:20 PM
On Sun 2009-10-04 21:49:46, Tetsuo Handa wrote:
> Hello.
>
> This is the beginning of TOMOYO 2.3. TOMOYO 2.2 (which is in kernel 2.6.30 and
> later) is terribly lacking in functionality (e.g. no audit logs, no network).
> I hope TOMOYO 2.3 can provide practically sufficient functionality.
...

> Since this patchset is not yet accepted, I haven't written documentation for
> TOMOYO 2.3. You can see http://tomoyo.sourceforge.jp/1.7/policy-reference.html
> instead.

New, undocumented user/kernel api is no-no.

> Conventionally, patches should be submitted in the form of diff file.
> But this time, I submit in the form of entire file due to amount of changes.

That's also no-no.

--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

Tetsuo Handa

Oct 7, 2009, 12:20:05 AM
Hello.

Pavel Machek wrote:
>> Since this patchset is not yet accepted, I haven't written documentation for
>> TOMOYO 2.3. You can see http://tomoyo.sourceforge.jp/1.7/policy-reference.html
>> instead.
>
>New, undocumented user/kernel api is no-no.

I'll update api description by final submission.

Main purpose of this submission is to

(1) know whether 01, 02, 03, 05 and 06 are acceptable or not.
If 05 is not acceptable, the rest of patchset needs to be rewritten.
Please review 01, 02, 03, 05 and 06 before reviewing the rest.

(2) know which features are acceptable.
This submission includes proposal of new features.

Use of customized d_path().
Network filtering including incoming TCP connections.
Audit logs.
Conditional permissions.
Interactive enforcing mode.
Sleep penalty.
Execute handler.
Environment variable name checking.
Non POSIX capability checking.

Unacceptable features will be dropped from next submission.

>> Conventionally, patches should be submitted in the form of diff file.
>> But this time, I submit in the form of entire file due to amount of changes.
>
> That's also no-no.

I have a question.
Is the diff file based on existing files more preferable for reviewers to
review than totally rewritten files, even if "total lines of diff files" is
close to "total lines of rewritten files"?

Amount of rewritten files:
# cat security/tomoyo/* | wc -l
17250

Amount of diff based on existing files:
# diff -Nur security/tomoyo.2.2/ security/tomoyo/ | wc -l
16945


# diff -Nur security/tomoyo.2.2/ security/tomoyo/ | diffstat -f0

24 files changed, 13495 insertions(+), 2216 deletions(-)

I posted rewritten files because I thought reading 17250 insertions is less
difficult than reading 16945 lines of diff file with complicated mixture of
13495 insertions and 2216 deletions.

Regards.

Pavel Machek

Oct 7, 2009, 3:50:06 AM
On Wed 2009-10-07 13:09:24, Tetsuo Handa wrote:
> Hello.
>
> Pavel Machek wrote:
> >> Since this patchset is not yet accepted, I haven't written documentation for
> >> TOMOYO 2.3. You can see http://tomoyo.sourceforge.jp/1.7/policy-reference.html
> >> instead.
> >
> >New, undocumented user/kernel api is no-no.
>
> I'll update api description by final submission.

Well, then you'll get proper review by final submission.

> >> Conventionally, patches should be submitted in the form of diff file.
> >> But this time, I submit in the form of entire file due to amount of changes.
> >
> > That's also no-no.
>
> I have a question.
> Is the diff file based on existing files more preferable for reviewers to
> review than totally rewritten files, even if "total lines of diff files" is
> close to "total lines of rewritten files"?

You are expected to submit diffs in smaller steps, not "here it is,
totally rewritten, take it or leave it".
Pavel

Tetsuo Handa

Oct 7, 2009, 9:40:07 AM
Pavel Machek wrote:
> You are expected to submit diffs in smaller steps, not "here it is,
> totally rewritten, take it or leave it".

I see. I'll try to break this patchset into smaller steps.

Your comment ( http://lkml.org/lkml/2009/5/1/47 ) was the trigger for not only
garbage collector but also many usability and feature enhancements for TOMOYO.
Thank you. :-)
