RSBAC Changes
-------------
1.2.1: - Added support for all other architectures.
       - Cleaned up rsbac syscall filesystem name lookup and target type
         checks.
       - New module JAIL: preconfigured process encapsulation (see kernel
         config help).

1.2.0: - Moved most lists to generic lists, splitting up between modules on
         the way (GEN = general for all modules).
       - DS for each module is only included if the module is compiled in.
       - New Linux Capabilities (CAP) module
       - Split system_role into mac_role, fc_role, etc. Please do not use
         old A_system_role attribute any longer.
       - Changed rsbac_get/set_attr interface to include target module
       - Added module guessing from attribute into sys_rsbac_get/set_attr,
         if module is not given (value SW_NONE).
       - Added user and RC role based symlink redirection
       - Added network and firewall config protection as SCD network and
         firewall targets
       - Added NETDEV, NETTEMP and NETOBJ targets for network access control.
       - Added network templates for default NETOBJ attribute values
       - Renamed /rsbac dir to /rsbac.dat to avoid name conflicts.
       - RC model with unlimited roles and types
       - Selective dir tree disabling of Linux DAC
       - Generic list ordering (needed for templates and optimization)
       - List optimization
       - Generic time-to-live support in generic lists (new on-disk version)
       - Support time-to-live for ACL group members and ACL entries
       - copy_net_temp
       - Individual module soft mode
       - Support time-to-live for RC entries
       - Backport to 2.2.20

1.1.2: - Own RSBAC memory allocation functions. Own RSBAC mem slabs in 2.4
         kernels.
       - Generic lists - simply register your list item sizes with filename
         and persist flag, and a persistent list will be kept for you.
       - Generic lists of lists, two level version.
       - Moved pm_data_structures.c to new lists with proc backup files
         Attention: There is no auto-update from older versions possible!
       - proc backup files for RC and ACL are now optional
       - New proc subdir pm, replaces old write_list call
       - rsbac_pm write_list call removed
       - New FD aci version with new rc_initial_role and 16 bit ff_flags
       - New FF flag append_only, which limits all write accesses to
         APPEND_OPEN and WRITE
       - Fix for rename hole: rename could replace and thus delete an
         existing file without DELETE check. Also performs secure_delete, if
         necessary
       - New rsbac_mount hook in change_root for initial ramdisk
       - Fixed missing Linux check in bad_signal
       - Added optional switch rsbac_dac_disable to disable Linux filesystem
         access control
       - Added count support for multiple mounts
       - Added optional switch rsbac_nosyslog to temporarily disable logging
         to syslog
       - Added config option for DEBUG code

1.1.1: - New target type FIFO, with a lot of cleanup, e.g. IPC type fifo
         removed
       - MAC module reworked, including MAC-Light option
       - Several bugfixes
       - Port to 2.4.0, 2.4.1 and 2.4.2
       - New Makefiles with lists for 2.4 and without for 2.2 kernels
         (Thanks to Edward Brocklesby for samples)
       - init process default ACI now partly depends on root's ACI
       - Optional interception of sys_read and sys_write.
         Attention: you might have to add READ and WRITE rights to files,
         fifos, dirs and sockets first, if upgrading from an older version
       - REG overhaul. Now you can register syscall functions, everything is
         kept in unlimited lists instead of arrays and registering is
         versioned to allow for binary module shipping with REG version
         checks.
       - Inheritance is now fixed, except for MAC model
       - MAC: optional inheritance, new option Smart Inheritance that tries
         to avoid new attribute objects (see config help)
       - New soft mode option: all decisions and logging are performed, but
         DO_NOT_CARE is returned to enforcement. Off by default. See config
         help for details.
       - Optional initialization in extra rsbac_initd thread.

1.1.0: - Port to 2.4.0-test11
       - Interception of sys_mmap and sys_mprotect added. Now execution of
         library code requires EXECUTE privilege on the library file, and
         setting non-mmapped memory to EXEC mode requires EXECUTE on target
         NONE.
       - MAC Light option by Stanislav Ievlev added. See kernel config help or
         modules.htm.

1.0.9c:
       - Port to 2.4.0-test{[789]|10}, this means major changes to the lookup and
         inheritance code - of course #ifdef'd
       - Change string declarations to kmalloc. On the way moved
         MAX_PATH_LEN restriction from 1999 to max_kmalloc - 256
         (>127K).
       - Renamed several PM xy.class to xy.object_class for C++
         compatibility
       - Added SCD type ST_kmem
       - Changed rc_force_role default to rc_role_inherit_parent,
         terminated at root dir with old default rc_role_inherit_mixed.
         This makes it much easier to keep a dir of force-roled binaries.
1.0.9b:
       - Port to 2.3.42 - 2.3.99-pre3
       - Port to 2.2.14 - 2.2.16
       - 32 Bit Uid/Gid with new attribute versions
       - User and program based logging
       - AUTH capability ranges
       - Made write to MSDOS fs a config option, so use it at your own risk
         (see config help)
       - MAC levels 0-252
       - Added config option for ioport access (X support)
      
1.0.9a:
       - Added group management to ACL module.
       - Removed CONFIG_RSBAC_SYNC option.
       - Added module hints to logging
       - Added RC separation of duty (see models.htm)
       - Added RC force role inherit_up_mixed and made it default setting

1.0.9: - Added registration of additional decision modules (REG)
       - Wrote decision module examples (see README-reg and reg_samples dir)
       - Port to 2.2.8, 2.2.9, 2.2.10, 2.2.11, 2.2.12 (pre versions)
       - Heavily changed RC model: Now it has a distinguished role-to-type
         compatibility setting for each request type, instead of one setting
         for all request types. This allows for much finer grained access
         control.
         Unfortunately there was no way to update existing role settings,
         so those have to be reentered by hand. Still, the types entries are
         kept.
       - Set all MSDOS based file systems to read-only, because inode
         numbers are likely to change between boots.
       - Added Access Control List module. ACLs are kept on FILE, DIR,
         DEV, IPC, SCD and PROCESS targets (IPC and PROCESS have only
         one default ACL each). Each entry contains subject type (user,
         rc_role, group), subject id and the rights this subject has. Also,
         rights are inherited from parents and from a target specific default
         ACL.
         See html/models.htm for details.
       - Added optional full path logging.

1.0.8a:
       - Port to 2.2.7
       - File Flag no_execute added to prevent execution, e.g. of user
         binaries under /home tree. Can be circumvented by scripts via
         'interpreter scriptname'.

1.0.8: - Port to 2.2.1
       - Added /proc/rsbac-info/backup to provide an easier means of backup
         for non-device-dependent data. To be extended.
       - Added new Role Compatibility (RC) module.
       - New on-disk binary layout, auto update from all versioned data
         (1.0.5 upwards).
       - AUTH module added to support proper authentication by enforcing
         externally granted CHANGE_OWNER capabilities.
       - Save to disk inconsistency in PM sets fixed.
       - MAC categories added, but limited to a fixed number of 64. Apart
         from that, the MAC module categories are as proposed in the
         Bell-LaPadula model.
       - Port to 2.2.2
       - Port to 2.2.3 with minor changes
       - Port to 2.2.4
       - Port to 2.2.5

1.0.7a:
       - Added alpha support (with Shaun Savage). Has different storage sizes,
         so default useraci does not work and you need a maint kernel.
       - Added new error detection features for file/dir entries.
       - Increasing NR_FD_LISTS is now handled differently for error
         detection reasons. See README-nrlists.
       - Marked init functions as __init - though saving a few KB doesn't
         make such a big difference while using RSBAC... ;)
       - Fixed memory leaks in write_*_list while introducing vmalloc for
         large lists. The number of file/dir lists is now only a matter of
         performance and available memory.
       - Added two flags to File Flags
       - Port to 2.2.0-pre6
       - Added secure deletion/truncation, needs a config switch to be
         enabled. If on, all files marked with (inheritable) FF-flag
         secure_delete and all files marked as PM-personal data are zeroed on
         deletion and truncation - if the regarding modules are switched on.

1.0.7: - Port to 2.1.131
       - Added more fs types to non-writable: smbfs, ncpfs, codafs - so
         there should be no writing on network mounts (unfortunately there
         is no afs SUPER_MAGIC)
       - Added configuration option NO_DECISION_ON_NETMOUNTS, which
         additionally turns off all decisions for all these fs, so that
         they are completely ignored
       - Added attribute inheritance: Some attributes for files and dirs
         have a special value 'inherit'. If this is set, the value of the
         parent dir's attribute is used instead. This mechanism ends at
         fs boundaries: each fs root dir gets old-style standard values
         if its attribute is set to 'inherit'.
         Currently security_level, object_category and data_type are
         inheritable.
       - Added configuration option DEF_INHERIT. If set, default values for
         inheritable attributes are *inherit, rather than the old default.
         This option setting should not differ between different RSBAC
         kernels to avoid deeper confusion for administrators and
         rsbac_check().
       - To support inheritance, added parameter inherit to both get_attr
         system calls. If on, the effective (possibly inherited) value is
         returned, if off, the real value is returned.
       - Corrected a security hole in receiving from / sending via datagram
         sockets (thanks to Simone). Now a read/append open and a close
         request are done for every datagram (if net support is configured,
         as usual).
         Attention: Programs that open a UDP socket as one user (e.g. root)
                    and then setuid to another (e.g. bin) may not be able
                    to access that socket if the new user has insufficient
                    rights! (see config help)
         As before, checking of net access can be turned on/off via
         CONFIG_RSBAC_NET.
       - Worked on rsbac_check(). It is more stable now, but should only be
         called under at most moderate load.
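The inheritance resolution described in the 1.0.7 entries above (the 'inherit' value, termination at fs roots, and the inherit parameter of get_attr) as an added C example; this is constructed illustration code, not RSBAC's own implementation, and RSBAC_INHERIT, DEF_SECURITY_LEVEL and the dir_node tree are assumed placeholders.

```c
#include <stddef.h>

/* Assumed placeholders: the special 'inherit' marker and the old-style
 * standard default used when an fs root dir is set to 'inherit'. */
#define RSBAC_INHERIT      (-1)
#define DEF_SECURITY_LEVEL 0

/* Minimal directory model: one inheritable attribute (security_level). */
struct dir_node {
    const char      *name;
    struct dir_node *parent;    /* NULL at the top of the tree */
    int              fs_root;   /* 1 if this dir is the root of its fs */
    int              security_level;  /* stored value or RSBAC_INHERIT */
};

/* Real value: exactly what is stored on this dir. */
int get_attr_real(const struct dir_node *n) { return n->security_level; }

/* Effective value: follow 'inherit' up the parent chain. Inheritance
 * stops at an fs root dir, which gets the standard default instead of
 * looking at the dir it is mounted on. */
int get_attr_effective(const struct dir_node *n)
{
    while (n->security_level == RSBAC_INHERIT) {
        if (n->fs_root || n->parent == NULL)
            return DEF_SECURITY_LEVEL;
        n = n->parent;
    }
    return n->security_level;
}

/* Mirrors the 'inherit' parameter added to the get_attr syscalls. */
int get_attr(const struct dir_node *n, int inherit)
{
    return inherit ? get_attr_effective(n) : get_attr_real(n);
}

/* Constructed sample tree:
 *   /           fs root, level 3
 *   /home       inherit            -> effective 3
 *   /home/mnt   separate fs root, inherit -> effective default (0)
 *   /home/mnt/d inherit            -> stops at /home/mnt, so 0
 *   /home/sec   level 5 set explicitly */
struct dir_node d_root = { "/",    NULL,    1, 3 };
struct dir_node d_home = { "home", &d_root, 0, RSBAC_INHERIT };
struct dir_node d_mnt  = { "mnt",  &d_home, 1, RSBAC_INHERIT };
struct dir_node d_data = { "d",    &d_mnt,  0, RSBAC_INHERIT };
struct dir_node d_sec  = { "sec",  &d_home, 0, 5 };
```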

1.0.6: - Moved to 2.1.128
       - Cleaned up old includes in syscalls.c
       - Added RSBAC own logging in /proc/rsbac-info/rmsg, to be accessed
         by modified klogd or sys_rsbac_log, restricted by most modules to
         security officers.
         Additionally, logging to standard syslog can be turned off to hide
         security relevant log from all but those with explicit access.
       - Added module File Flags with attribute ff_flags for FILE/DIR
         targets
       - Added auto-update of last version attributes (only FD changed
         though)
       - Changed ms_trusted from boolean to tristate: non-trusted, read,
         full
       - Fixed rm -r hang bug
       - Added consistency check for RSBAC items, which can remove items for
         deleted inodes (ext2 only) and entries containing only default
         values (FILE/DIR targets only). It also recalculates item counts.
       - Added sys_rsbac_check to trigger this check.

1.0.5:
       - Rewrote most of attribute saving to disk. Now disk writing is never
         done with a spinlock held, increasing stability significantly
         (is this a taboo? if yes, where is it documented?)
       - Changed write-to-disk behaviour: The old immediate write is no
         longer default, but optional (CONFIG_RSBAC_SYNC_WRITE). Instead,
         sys_rsbac_write can be used from user space or a kernel daemon can
         be activated to write changes automatically every n seconds
         (CONFIG_RSBAC_AUTO_WRITE)
       - Added kernel param rsbac_debug_auto for the daemon - gives a good
         overview of attribute change rate
       - Added proc interface for statistics and many RSBAC settings
       - Added rsbac_adf_request calls MODIFY_SYSTEM_DATA to sysctl.c
       - Wrote man pages for all RSBAC syscalls (in Documentation/rsbac/man)
       - Added version information and check for all file/dir/dev aci and
         for log_levels
       - Added some more scan strings to Malware Scan module, had to change
         string representation to a more general way

1.0.4:
       - Port via 2.1.115 and 2.1.124 to 2.1.125
       - IPC targets: changed ids for sockets from pid/fd combination to
         pointer to sock structure, including (many) changes in the
         handling.
       - Added socket level scanning (tcp and udp) to module Malware Scan.
         This feature can stop malware while still being transferred to
         your system. Added new attributes for IPC, process and file/dir
         targets to manage socket scan.
       - Reordered configuration options
       - Added CONFIG_RSBAC_NO_WRITE to totally disable writing to disk for
         testing purposes and kernel parameter rsbac_debug_no_write to
         temporarily disable disk writing 
       - Added CONFIG_RSBAC_*_ROLE_PROTection for all role dependent
         modules: Now change-owner (setuid etc.) can be restricted between
         users with special roles - see configuration help for details
       - Some more bugfixes, mostly to decision modules

1.0.4-pre2:
       - Port to 2.1.111
       - Attribute mac_trusted_for_user added to FILE aci. Value meanings:
         RSBAC_NO_USER (-3): program is not MAC-trusted
         RSBAC_ALL_USERS (-4): program is MAC-trusted for all users
         other user-ID: program is MAC-trusted, if invoked by this user
         Especially the last is useful for daemon programs that can be
         started by all users.
         Init process is checked, too, but is MAC-trusted by default.
       - Syscalls rsbac_mac_set/get_max_seclevel added. Now a process can
         reduce its own maximum security level. Useful for wrapper daemons
         like inetd after forking and before invoking another program.
       - Object dependent logging #ifdef'd with configuration option.
       - Configuration option 'Maintenance Kernel' added. Disables all other
         options.
       - removed CONFIG_RSBAC_ADMIN and rsbac_admin() stuff - now we have
         capabilities, and there is no suser() anymore to extend
       - changed locking for Data Structures component from semaphores to
         read/write spinlocks
       - added (U)MOUNT requests for target DEV to sys_(u)mount. Now both
         target dir and device are checked for access (MAC: dir: read-write,
         dev: depending on mount mode read or read-write). Note: After
         mount, all file/dir accesses on this device are checked as usual.
       - Moved checks for valid request/target combinations from MAC module
         to extra functions in rsbac/adf/check.c.

1.0.3: - Target DEV added. Now devices can get their own attributes based
         on major/minor numbers. Attributes based on their file representations
         in /dev are no longer used for open, but still for all other calls.
         MAC decisions on open requests for devices must be explicitly enabled
         by mac_check to keep the system bootable.
         Short rule: Only if content is accessed do DEV attributes apply.
       - Attribute object_type removed, was not used anyway and maintained in
         linux structures.
       - Attributes log_array_low and log_array_high for FILE/DIR/DEV added,
         providing individual request based logging for those objects.
       - PM module: if DEV is personal_data, necessary access is checked
         for new class DEV (can be changed to custom class)
       - A couple of minor bugfixes done

1.0.2A: - Port to 2.0.34
        - A few #ifdef CONFIG_RSBAC_USE_RSBAC_OWNER were missing, causing
          error messages "rsbac_set/get_attr returned error" -> added


13/Jun/2001
Amon Ott <ao@rsbac.org>
