[tomoyo-users-en 745] AKARI 1.0.48 and CaitSith 0.2-20230527 released

Tetsuo Handa pengu****@I-lov*****
Sat May 27 16:40:37 JST 2023


Hello.

Luiz found a bug: when an execve() request is rejected by CaitSith's
policy, retrying the same execve() request results in it being granted,
due to incomplete error handling in the previous execve() request.

For example, this bug takes effect when running the program shown below
when there is a CaitSith policy which rejects execution of /usr/bin/top.

----------
#include <unistd.h>

int main(int argc, char *argv[])
{
        execl("/usr/bin/top", "top", (char *)NULL); // <= Rejected by policy.
        execl("/usr/bin/top", "top", (char *)NULL); // <= Granted by mistake.
        return 0;
}
----------

This bug existed in both AKARI and the LKM-based LSM version of CaitSith
since Linux 2.6.29, where an LSM hook which is always called when an
execve() request finishes was removed.

This bug does not exist in TOMOYO 1.8 or the fully featured version of
CaitSith. (AKARI is the LKM-based LSM version of TOMOYO 1.8.)

Therefore, please update if you are using AKARI or the LKM-based LSM
version of CaitSith.

Regards.

MD5                               Filename
666667388cb548898521c2f64bc84979  akari-1.0.48-20230527.tar.gz
3333fd38701319b60a0f35ae413eea44  caitsith-patch-0.2-20230527.tar.gz
aaaa00bcf527233be826b58b57dc58f6  ccs-patch-1.8.9-20230527.tar.gz
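
A regression check for the retry behaviour described in this message, added here as an example; it is not code from the original post or from the AKARI/CaitSith projects. It repeats the same execve() in a child process and reports each failure's errno through a close-on-exec pipe, so the parent can tell whether a denial survived the retry. The names `check_exec_retry` and `retry_result` are hypothetical, and the default target is the /usr/bin/top path used above.

```c
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of attempting the same execve() twice in one process. */
enum retry_result {
    RETRY_ERROR = -1,         /* pipe() or fork() failed */
    RETRY_FIRST_GRANTED = 0,  /* first attempt ran the program: nothing denied it */
    RETRY_SECOND_GRANTED = 1, /* first failed, retry succeeded: the reported bug pattern */
    RETRY_DENIED_BOTH = 2     /* both attempts failed: a denial survives a retry */
};

/* err[] receives the errno of each failed attempt so the caller can tell
 * a policy rejection from, say, a missing file. */
enum retry_result check_exec_retry(const char *path, int err[2])
{
    int fds[2], n = 0, e;
    if (pipe(fds) < 0) return RETRY_ERROR;
    fcntl(fds[1], F_SETFD, FD_CLOEXEC);   /* a successful exec closes the write end */
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return RETRY_ERROR; }
    if (pid == 0) {
        char *const argv[] = { (char *)path, NULL };
        char *const envp[] = { NULL };
        int nul = open("/dev/null", O_RDWR);
        if (nul >= 0) { dup2(nul, 0); dup2(nul, 1); dup2(nul, 2); }
        close(fds[0]);
        for (int i = 0; i < 2; i++) {
            execve(path, argv, envp);     /* returns only on failure */
            e = errno;
            if (write(fds[1], &e, sizeof e) != (ssize_t)sizeof e) _exit(126);
        }
        _exit(127);
    }
    close(fds[1]);
    while (n < 2 && read(fds[0], &e, sizeof e) == (ssize_t)sizeof e)
        err[n++] = e;                     /* EOF before two errnos means an exec succeeded */
    close(fds[0]);
    kill(pid, SIGKILL);                   /* stop the target if it is running */
    waitpid(pid, NULL, 0);
    return n == 0 ? RETRY_FIRST_GRANTED : n == 1 ? RETRY_SECOND_GRANTED : RETRY_DENIED_BOTH;
}

int main(int argc, char *argv[])
{
    int err[2] = { 0, 0 };
    int r = check_exec_retry(argc > 1 ? argv[1] : "/usr/bin/top", err);
    printf("result=%d errno1=%d errno2=%d\n", r, err[0], err[1]);
    return r == RETRY_SECOND_GRANTED;
}
```

With a policy that rejects the target loaded, a result of 2 means the denial held on the retry, while a result of 1 matches the behaviour reported above.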


