Tetsuo Handa wrote:
> Displaying the domain transition tree is a very complicated part for the policy
> editor.
> Although there may still be bugs, I'll release it as
> ccs-tools-1.8.2-20110626.tar.gz
> today because several other bugs have been found and fixed.
Some more bugs were fixed and I uploaded ccs-tools-1.8.2-20110707.tar.gz .
Also, a bug was found in /proc/ccs/.domain_status in TOMOYO 1.8.2 and
/sys/kernel/security/tomoyo/.domain_status in TOMOYO 2.4.
This bug can be fixed with
--- a/security/ccsecurity/policy_io.c
+++ b/security/ccsecurity/policy_io.c
@@ -1846,7 +1846,7 @@
return -EINVAL;
domain = ccs_find_domain(cp + 1);
if (domain && (!ccs_policy_loaded ||
- head->w.ns->profile_ptr[(u8) profile]))
+ domain->ns->profile_ptr[(u8) profile]))
domain->profile = (u8) profile;
return 0;
}
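Review bot: the `+` line moves the profile-existence check from `head->w.ns` to `domain->ns` with no comment, so a later reader cannot tell which namespace the check is meant to consult. A short comment above the `if` saying that the profile must exist in the namespace of the domain returned by `ccs_find_domain()` would keep this from being changed back. Separately, `profile` is cast to `u8` both as the `profile_ptr[]` index and in the assignment to `domain->profile`; unless the `return -EINVAL` at the top of the hunk already rejects values above 255, a larger value would be truncated silently, so that is worth confirming.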
but I decided to remove /proc/ccs/.domain_status rather than fixing this bug
because /proc/ccs/.domain_status is used only by /usr/sbin/ccs-setlevel and
/proc/ccs/.domain_status can be easily emulated using /proc/ccs/domain_policy .
Therefore, I removed /proc/ccs/.domain_status and uploaded
ccs-patch-1.8.2-20110707.tar.gz and akari-1.0.16-20110707.tar.gz .
Please replace proc:/ccs/.domain_status in your policy files with
proc:/ccs/domain_policy if needed.
Also, a flaw was found in TOMOYO 2.3. (CVE-2011-2518)
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=4e78c724d47e2342aa8fde61f6b8536f662f795f
Please update your kernel if you allow untrusted users to use shells.
This flaw does not exist in TOMOYO 1.x because TOMOYO 1.x is using a wrapper
that checks for !NULL.