changelog
2002-04-30 1.1.1r2 Philippe Biondi <pbi@deneb.intranet.cartel-info.fr>

    * include/linux/sched.h: changed capable() to call capable2() and make it behave like one expects: capable=(cap or (root and (lids_cap or lids_off)))
    * fs/namespace.c: bugfix: the alert condition was inverted! (discovered by Radek Bohunsky)
    * kernel/klids.c: qmail compatibility: applied a part of the patch from Yannick Le Briquer that I did not apply: I did not realize that qmail does not consider ?\r\n ok if ?=\n.
    * fs/proc/base.c: reorganized instruction flow to avoid a little memory leak (discovered by Radek Bohunsky)
    * Created a contrib dir in the archive
    * Added in the contrib dir: a shell script to configure LIDS with simple rules contributed by Rodrigo P.Telles

2002-03-05 1.1.1 Philippe Biondi <pbi@deneb.intranet.cartel-info.fr>

    * lidsconf.c: removed the forgotten debug flag.
    * man pages are up to date now (I hope).

2002-01-29 1.1.1pre5 Philippe Biondi <pbi@deneb.intranet.cartel-info.fr>

    * lidsconf.c: fixed some possible segmentation faults.
    * kernel/lids.c: fixed the infinite (-1) inheritance bug (acl were not inherited :().
    * kernel/exec.c: when executing an unprotected program, really compute whether it ought to get privileges before raising an alert.
    * kernel/lids.c,kernel/signal.c,lids_capflags.c,include/linux/capability.h,kernel/Config.in: added CAP_PROTECTED and renamed CAP_INIT_KILL to CAP_KILL_PROTECTED
    * kernel/Config.in: lowered array sizes from 1024 to 256 to reduce heap overflow risks
    * fs/namespace.c: suppressed two excess \n in security alert messages

2002-01-22 1.1.1pre4 Philippe Biondi <pbi@deneb.intranet.cartel-info.fr>

    * include/linux/lidsif.h: moved a kernel-only struct def into #ifdef __KERNEL__
    * kernel/lids.c: replaced some lids_security_alerts() by lids_log() calls to log switches even when LIDS is deactivated
    * lidsadm.c: display capabilities changes during a switch instead of returning an error if it was not aware of that (i.e. if it was a configuration change in lids.cap)

2002-01-21 1.1.1pre3 Philippe Biondi <pbi@deneb.intranet.cartel-info.fr>

    * kernel/lids.c,fs/exec.c,kernel/fork.c: changed the implementation of inheritance computations. Added better debugging messages to fix configuration problems.
    * fs/exec.c: changed the use of LD_* policy: LD_ use won't prevent a program from being launched but if the program should have obtained privileges a security alert is raised and the privileges are dropped

2002-01-09 1.1.1pre2 Phil <pbi@deneb.intranet.cartel-info.fr>

    * fs/exec.c: SECURITY FIX! change the order of some tests in the previous fix!

2002-01-07 1.1.1pre1 Phil <pbi@deneb.intranet.cartel-info.fr>

    * fs/exec.c: BIG SECURITY FIX! prevent the use of LD_* environment variables if CAP_SYS_PTRACE is off
    * sched.h: SECURITY FIX! drop unneeded capabilities for processes launched before sealing LIDS
    * fs/exec.c: SECURITY FIX! do not transmit privileges to unprotected programs
    * lids.h,lids.c,lids_log.c: include slab.h instead of malloc.h
    * lidsconf.h: fixed bad test for nonexistent files (patch from Przemyslaw Wegrzyn)
    * kernel/ksyms.c: added missing symbols (lids_log and lids_bind_checker) for modules
    * Documentation/Configure.help: s/lidsadm -P/lidsconf -P/
    * kernel/lids_net.c,kernel/lids_mail_script.c: added some \r or \r\n for better RFC conformance. qmail says it's ok :)
    * lidsadm.c: added a warning for RELOAD_CONF about restarting daemons for changes to be effective

2001-12-20 1.1.0 Phil <pbi@deneb.intranet.cartel-info.fr>

    * Port to 2.4.16
    * fs/namei.c: mknod lockup fixed (patch from Przemyslaw Wegrzyn)
    * net/af_inet6.c: binding port < 1024 granting problems (patch from Erik Månsson)
    * kernel/lids.c: fixed lids_local_on got LIDS_FLAGS_LIDS_LOCAL_ON value instead of 1

2001-12-04 Phil <pbi@deneb.intranet.cartel-info.fr>

    * lidsconf.c: bugfixed the -P parameter (patch from Jan Kurik)

2001-11-26 1.1.0pre6 Phil <pbi@deneb.intranet.cartel-info.fr>

    * lids.c: bugfixed probable compilation bug if CONFIG_LIDS_RELOAD_CONF and not CONFIG_LIDS_ALLOW_SWITCH
    * lidsif.h,lids.c: changed LIDS flags handling to uniformize user space and kernel space code
    * configure.ac: added --enable-debug and --disable-versions-checks
    * lids.c: it's now possible to use RELOAD_CONF at sealing time, or without LIDS disabled.
    * lidsif.h: magic numbers, because lidsadm must be the same version as the patch

2001-11-22 Phil <pbi@deneb.intranet.cartel-info.fr>

    * lidsconf.c: bugfix the broken way lidsconf handled LIDS types.
    * arch/../ptrace.c: fixed a regression for CAP_SYS_PTRACE
    * arch/../ioport.c: added some logs (regression fix)
    * arch/../vm86.c: added some logs (regression fix)
    * lidsext.h: lids_hangup_console() prototype corrected
    * lids.c: correct the fact that a tty becomes unhangable after an LFS
    * main.c: renaming security=0 to lids=0
    * lids_log.c: no more logging or hanging if lids is off (LFS or lids=0)
    * lids.c: removed the hardcoded "-o /etc/lids -j DENY" rule
    * lids.c: you can reload the config while sealing the kernel
    * lidsconf.c: added long options
    * lidsadm.c: some code cleaning

2001-11-13 1.1.0pre5 <pbi@boromir.intranet.cartel-info.fr>

    * Added some details in unprotected programs execed before sealing
    * fixed the possible coredump in lidsadm
    * put back the forgotten -static flag for lidsadm
    * removed the -S option from the help of lidsconf

2001-11-12 1.1.0pre4 <pbi@boromir.intranet.cartel-info.fr>

    * klids.c: use dotted IP notation when printing errors.
    * corrected the dependency to lids_send_message problem

2001-11-07 1.1.0pre3 <pbi@boromir.intranet.cartel-info.fr>

    * bugfix the portscan detector (oops when scanning a box with security=0)
    * bugfix scan detector debugging sentences
    * get central part of lids_security_alert out of the macro and clean: the uncompressed kernel is 87k lighter.
    * readdir.c bugfix inheritance. Patch from Andreas Steinmetz

2001-11-02 1.1.0pre2 <pbi@boromir.intranet.cartel-info.fr>

    * porting the patch to 2.4.13
    * adding one or two more logs in fs/ stuff
    * lidsif.h: created. Contains everything needed both in kernel and user space.
    * lids.h: adding some missing prototypes
    * lids.c,fork.c: format corrections
    * s/Try/Attempt/ cosmetic patch

2001-10-31 1.1.0pre1 <pbi@boromir.intranet.cartel-info.fr>

    * New packaging with automake/autoconf
    * Split of lidsadm in two parts: lidsconf for config files management and lidsadm for live administration