LOMAC Changelog
- v0.1
- 15 June 1999
- v0.2pre1
- 12 July 1999
- Simplified FSOLM.
- Added a number of test scripts in Src/Test.
- v0.2
- 20 August 1999
- Compatibility with both the 2.0 and 2.2 series of Linux kernels.
- Demotion problems with shell pipelines eliminated.
- Increased stability.
- v0.3pre1
- 10 May 2000
- The 0.3 series was a complete re-write of LOMAC. v0.3pre1
demonstrated the key implementation strategies that eventually
led to LOMAC 0.3.
- Dropped support for Linux 2.0 kernels.
- v0.3pre2
- 19 June 2000
- A better-organized logging facility.
- Monitoring of reads on files and network sockets.
- Proper subject demotion behavior.
- Logging of illegal writes to files (no accesses are denied as of yet).
- An interface to provide information to the user-space lps and lls
scripts, and the scripts themselves.
- v0.3pre3
- 30 June 2000
- An improved means of assigning levels to objects in the filesystem.
The old mechanism was capable of expressing relationships like:
"/home and everything under it is level 2."
The new mechanism is capable of expressing more complex
relationships like: "/home is level 2. /home/httpd is level 2.
All else under /home is level 1." (The "all else" is the new bit).
- Constraints on the use of unnamed pipes as described in the LOMAC
paper in the doc section of the distribution (logging only, no
access denials as of yet).
- v0.3pre4
- 28 August 2000
- A new "floating levels" scheme for constraining the use of unnamed
pipes which cures compatibility problems with some common cron jobs.
- A function for predicting the canonical absolute form of paths
that describe non-existent files (needed to mediate creat and
truncate calls).
- A collection of scripts to test LOMAC's mediation of the system calls
listed above.
- v0.3pre5
- 29 November 2000
- The implementation of a new pipe constraint scheme that uses
floating pipe "levels" to accommodate cron jobs that like to use
unnamed pipes across job boundaries.
- Added code to predict canonical absolute paths based on the path
parameters passed to open and mknod. This addition was needed to do
real mediation on creat/truncate.
- Added mediation/monitoring of FIFOs.
- Added mediation for link, unlink, rename, truncate, and ftruncate.
- You can now turn mediation on/off with a compile-time flag.
- Added a bunch of test scripts.
- v0.3pre6
- 21 December 2000
- Added mediation/monitoring of UNIX (local) domain sockets.
- Improved default PLM configuration, and included a secondary
configuration tailored for laptops that use DHCP.
- Fixed ps-output parsing bug in lps.
- v0.3
- 30 December 2000
- Added mediation on signals.
- Added trust functionality and a cp-like upgrader, "lup".
- Updated policy to put /var/log/messages high, now that syslogd is
trusted.
- Added monitoring of the SYS_RECV* calls on UNIX-domain sockets.
- "Finalized" the PLM.
- Added mediation on mkdir, rmdir, mknod, mount, umount.
- Added read monitoring on sys_execve().
- Combined laptop-specific policy with main policy to create single
default policy.
- v1.0
- 2 January 2001
- v1.0.1
- 9 January 2001
- This version fixes a dentry reference-counting bug reported by
debut at swbell.net. When handling BIND operations, LOMAC would increment
the reference count on socket dentries without decrementing it. As a result,
ports would remain bound even after applications closed all their sockets.
- This version also makes a few corrections to the performance
section of the manual, as suggested by mark_feldman@nai.com. He pointed
out that the kernel-build benchmark numbers were good measurements after
all - I had misinterpreted the meaning of the standard deviation numbers.
- v1.0.2
- 22 January 2001
- Tweaked the PLM to make /mnt/cdrom and /mnt/floppy level-2, but all
other children of /mnt low. This change allows level-1 users to
access filesystems NFS-mounted under /mnt. As reported by
lee_badger at nai.com, before this change, write access to
NFS-mounted filesystems was effectively impossible. LOMAC prevented
level-1 users from writing to the level-2 mounted files. Although
LOMAC would permit writes from level-2 users, LOMAC's default policy
effectively permits only the root user to operate at level-2, and
the existing NFS access control mechanisms are generally configured
to prevent root writes.
- Added a description of the related SubDomain project to the LOMAC
manual.
- Changed a printk to a PANIC in kernel_interface.c:set_subject_level().
- v1.0.3
- 7 February 2001
- I finally fixed the unnamed IPC object bug that Lee Badger found
when he ran "xscreensaver-command -lock". It turned out that LOMAC
was not assigning levels to UNIX-domain sockets in two cases: (1)
when the sockets were created with sys_socketpair, and (2) when the
sockets were bound to names in the abstract namespace.
These problems are now fixed, although the solution may be
sub-optimal. LOMAC now gives UNIX domain sockets created with
socketpair the same level as the process that created them. This
works, but in the future, we may want a better solution based on the
way LOMAC currently handles unnamed pipes. LOMAC now assigns all
UNIX domain sockets bound to names in the abstract namespace to
LOMAC_LOWEST_LEVEL (1). This simple solution works, but it prevents
high-level processes from making use of UNIX domain sockets bound to
abstract names without being demoted. A better solution for this
may be needed someday, as well.
- I shortened the TPL - the list of trusted programs. I removed
initlog and klogd - they didn't need to be trusted after all.
- Added a description of the Pitbull LX project to the LOMAC manual.
- v1.0.4
- 13 February 2001
- Improved performance of lps and lls scripts by moving the
functionality of the linfo and level scripts into a Perl module.
Many thanks to John Thiltges, who submitted the code to solve this problem.
- Updated manual to reflect the above fix.
- v1.0.5
- 5 April 2001
- LOMAC now allows remote level-2 root logins via ssh.
- Fixed mediation logging to accurately report which operation (open,
unlink, etc.) was denied.
- Took RedHat-specific code out of initialization scripts to allow
installation on other distributions.
- Updated manual to include specific installation instructions for
RedHat and Debian distributions, as well as some new text on using
lup and ssh.
- Tweaked the lup program to retain the names of upgraded files.
- v1.1.0
- 11 May 2001
- Restructured argument handling to avoid time-of-check/time-of-use
errors.
- Added mediation on the addition and removal of directory entries.
- Changed all -EPERM ("operation not permitted") return values to
the proper value: -EACCES ("permission denied").
- v1.1.1
- 12 July 2001
- Changed the LKM's license from GPL to a 3-clause BSD-style license
in order to support the upcoming FreeBSD port. For a discussion of
this issue, consult the lomac-users mailing list archive for 9 July
2001. Some of the Perl utility scripts presently remain under the GPL.
- Changed the notion of "subject" to a process, instead of a process
group. This means that LOMAC now demotes individual processes
within a process group independently. Although this change has
little effect on LOMAC's protection, it should be more efficient
and cause fewer compatibility problems due to process demotions
during boot and initialization.
- Reorganized the source tree to support builds with different kernel
interfaces. The Linux2.2 interface is still the only one supported
by this distribution, but ports for Linux-2.4, Linux/RSBAC,
Linux/LSM, and FreeBSD are all underway.
- Added controls on the LKM loading and unloading system calls to
prevent remote agents from using them to install LKM-based rootkits.
- Added rule to PLM to put /var/lib/pcmcia into the high-level part
of the system, to keep pcmcia card management programs happy.