Difference between revisions of "TOMOYO"

From CBLFS
Jump to navigationJump to search
(Update for TOMOYO 1.6.7 and TOMOYO 2.2.0)
m
Line 10: Line 10:
 
----
 
----
  
{{Package-Introduction|The fundamental concept of TOMOYO Linux is "tracking process invocation history". TOMOYO Linux splits domains using "process invocation history" and the process transits to a different domain whenever execution of a program (i.e. do_execve()) is requested. By transiting to a different domain whenever execution of a program is requested, each domain will have the minimal permissions that are essential for processes in that domain to do their roles. For more information, see http://tomoyo.sourceforge.jp/wiki-e/?WhatIs.|http://tomoyo.sourceforge.jp/en/2.2.x/}}
+
{{Package-Introduction|The fundamental concept of TOMOYO Linux is "tracking process invocation history". TOMOYO Linux splits domains using "process invocation history" and the process transits to a different domain whenever execution of a program (i.e. do_execve()) is requested. By transiting to a different domain whenever execution of a program is requested, each domain will have the minimal permissions that are essential for processes in that domain to do their roles. For more information, see http://tomoyo.sourceforge.jp/wiki-e/?WhatIs .|http://tomoyo.sourceforge.jp/}}
  
 
== Dependencies ==
 
== Dependencies ==
  
* None   (no more package required for LFS Linux.)
+
* None (no more package required for LFS Linux.)
  
== Rebuild Kernel ==
+
= Building TOMOYO aware kernels =
  
=== Version 2.6.29.1 Kernel and TOMOYO {{TOMOYO-Version}} ===
+
== Kernel 2.6.29.1 with TOMOYO {{TOMOYO-Version}} ==
  
 
Download the ccs-patch-{{TOMOYO-Version}}.tar.gz file and put it in kernel source directory, Patch the kernel source:
 
Download the ccs-patch-{{TOMOYO-Version}}.tar.gz file and put it in kernel source directory, Patch the kernel source:
Line 25: Line 25:
 
  patch -Np1 -i patches/ccs-patch-2.6.29.diff
 
  patch -Np1 -i patches/ccs-patch-2.6.29.diff
  
Compile and install a new TOMOYO aware kernel.  Ensure you enable the TOMOYO features.
+
Run "make menuconfig" and go to "File systems" screen and select as below.
  
=== Version 2.6.30-rc1 Kernel and TOMOYO 2.2 ===
+
[*] SAKURA (Domain-Free Mandatory Access Control) support
 +
[*] TOMOYO (Domain-Based Mandatory Access Control) support
 +
(2048) Default maximal count for learning mode
 +
(/sbin/modprobe /sbin/hotplug) Built-in domain initializer programs
 +
[*]  Auditing interface support
 +
(1024)  Default maximal count for grant log
 +
(1024)  Default maximal count for reject log
 +
<M> SYAORAN (Tamper-Proof Device Filesystem) support
  
Download 2.6.30-rc1 or later and extract it.
+
Compile and install a new TOMOYO aware kernel.
  
Compile and install a new TOMOYO aware kernel. Ensure you enable the TOMOYO features. Go to "Security options" screen and select "TOMOYO Linux support" as shown below.
+
== Kernel 2.6.30-rc1 with TOMOYO 2.2.0 ==
 +
 
 +
Download 2.6.30-rc1 (or later) from http://www.kernel.org/ and extract it.
 +
 
 +
Run "make menuconfig" and go to "Security options" screen and select "TOMOYO Linux support" as shown below.
  
 
  [ ] Enable access key retention support
 
  [ ] Enable access key retention support
Line 42: Line 53:
 
  [*] TOMOYO Linux Support
 
  [*] TOMOYO Linux Support
  
= Build TOMOYO Tools =
+
Compile and install a new TOMOYO aware kernel.
 +
 
 +
= Building TOMOYO Tools =
  
 
Download the ccs-tools-1.6.7-20090401.tar.gz file and put it somewhere.
 
Download the ccs-tools-1.6.7-20090401.tar.gz file and put it somewhere.
Line 94: Line 107:
 
= Configuring =
 
= Configuring =
  
== Configuring TOMOYO {{TOMOYO-Version}} ==
+
== TOMOYO {{TOMOYO-Version}} ==
  
Run init_policy.sh to perform initial configuration for ccs patch
+
Run init_policy.sh to perform initial configuration.
  
 
  /usr/lib/ccs/init_policy.sh
 
  /usr/lib/ccs/init_policy.sh
Line 102: Line 115:
 
You will get initial configuration files in /etc/ccs/ directory.
 
You will get initial configuration files in /etc/ccs/ directory.
  
== Configuring TOMOYO 2.2.0 ==
+
You can save audit logs if you do below steps.
 
 
Run tomoyo_init_policy.sh to perform initial configuration for TOMOYO 2.x.
 
 
 
/usr/lib/ccs/tomoyo_init_policy.sh
 
 
 
You will get initial configuration files in /etc/tomoyo/ directory.
 
 
 
== Configuring TOMOYO Audit Logging ==
 
  
 
  cat > /etc/rc.d/init.d/ccs-auditd << EOF
 
  cat > /etc/rc.d/init.d/ccs-auditd << EOF
Line 124: Line 129:
 
  mkdir -p /var/log/tomoyo
 
  mkdir -p /var/log/tomoyo
  
== Configuring TOMOYO to Begin from Learning Mode ==
+
You can start your system from Learning Mode if you do below steps.
  
Configure TOMOYO Linux to learn system behavior.
+
echo '<kernel>' > /etc/ccs/domain_policy.conf
 +
echo 'use_profile 1' >> /etc/ccs/domain_policy.conf
 +
 
 +
== TOMOYO 2.2.0 ==
 +
 
 +
Run tomoyo_init_policy.sh to perform initial configuration.
 +
 
 +
/usr/lib/ccs/tomoyo_init_policy.sh
 +
 
 +
You will get initial configuration files in /etc/tomoyo/ directory.
 +
 
 +
You can start your system from Learning Mode if you do below steps.
  
 
  echo '<kernel>' > /etc/tomoyo/domain_policy.conf
 
  echo '<kernel>' > /etc/tomoyo/domain_policy.conf
 
  echo 'use_profile 1' >> /etc/tomoyo/domain_policy.conf
 
  echo 'use_profile 1' >> /etc/tomoyo/domain_policy.conf
  
= Boot TOMOYO Linux =
+
= Booting TOMOYO Linux =
 +
 
 +
== TOMOYO {{TOMOYO-Version}} ==
  
boot parameter CCS=<name> can be used to load profile /etc/ccs/profile-<name>.conf; without CCS being set or CCS=default, /etc/ccs/profile.conf will be loaded; with CCS=ask to let user select from available policies in /etc/ccs/ at boot time; with CCS=disable to boot as usual Linux without TOMOYO protection.  
+
You can use boot parameter CCS=<name> to load profile /etc/ccs/profile-<name>.conf .
 +
Without CCS= parameter or <name> is "default", /etc/ccs/profile.conf will be loaded.
 +
You can use CCS=ask to let user select from available profiles in /etc/ccs/ at boot time
 +
You can use CCS=disable to boot as usual Linux (i.e. without TOMOYO protection).
  
 
  root=/dev/hda8 ro vga=791 video=neofb:ywrap,mtrr acpi=off CCS=default
 
  root=/dev/hda8 ro vga=791 video=neofb:ywrap,mtrr acpi=off CCS=default
  
Add boot parameter security=tomoyo to enable TOMOYO Linux 2.2.0, as shown below.
+
== TOMOYO 2.2.0 ==
 +
 
 +
Same as TOMOYO {{TOMOYO-Version}}, except that the policies are loaded from /etc/tomoyo/ directory.
 +
 
 +
But, be sure to add security=tomoyo parameter.
  
 
  root=/dev/hda8 ro vga=791 video=neofb:ywrap,mtrr acpi=off CCS=default security=tomoyo
 
  root=/dev/hda8 ro vga=791 video=neofb:ywrap,mtrr acpi=off CCS=default security=tomoyo

Revision as of 17:58, 11 April 2009


Introduction to TOMOYO

The fundamental concept of TOMOYO Linux is "tracking process invocation history". TOMOYO Linux splits domains using "process invocation history" and the process transits to a different domain whenever execution of a program (i.e. do_execve()) is requested. By transiting to a different domain whenever execution of a program is requested, each domain will have the minimal permissions that are essential for processes in that domain to do their roles. For more information, see http://tomoyo.sourceforge.jp/wiki-e/?WhatIs .

Project Homepage: http://tomoyo.sourceforge.jp/

Dependencies

  • None (no more package required for LFS Linux.)

Building TOMOYO aware kernels

Kernel 2.6.29.1 with TOMOYO 1.7.2-2010804

Download the ccs-patch-1.7.2-2010804.tar.gz file and put it in kernel source directory, Patch the kernel source:

tar xzvf ccs-patch-1.7.2-2010804.tar.gz &&
patch -Np1 -i patches/ccs-patch-2.6.29.diff

Run "make menuconfig" and go to "File systems" screen and select as below.

[*] SAKURA (Domain-Free Mandatory Access Control) support
[*] TOMOYO (Domain-Based Mandatory Access Control) support
(2048) Default maximal count for learning mode
(/sbin/modprobe /sbin/hotplug) Built-in domain initializer programs
[*]   Auditing interface support
(1024)  Default maximal count for grant log
(1024)  Default maximal count for reject log
<M> SYAORAN (Tamper-Proof Device Filesystem) support

Compile and install a new TOMOYO aware kernel.

Kernel 2.6.30-rc1 with TOMOYO 2.2.0

Download 2.6.30-rc1 (or later) from http://www.kernel.org/ and extract it.

Run "make menuconfig" and go to "Security options" screen and select "TOMOYO Linux support" as shown below.

[ ] Enable access key retention support
[*] Enable different security models
-*- Enable the securityfs filesystem
[ ] Socket and Networking Security Hooks
-*- Security hooks for pathname based access control
[ ] File POSIX Capabilities
(0) Low address space to protect from user allocation
[*] TOMOYO Linux Support

Compile and install a new TOMOYO aware kernel.

Building TOMOYO Tools

Download the ccs-tools-1.6.7-20090401.tar.gz file and put it somewhere.

Change directory to ccstools/ .

Non-Multilib

Compile the package:

make

Install the package:

make install

Multilib

32Bit

Compile the package:

make CC="gcc ${BUILD32}"

Install the package:

make install

N32

Compile the package:

sed -i 's@/usr/lib@/usr/lib32@g' Makefile &&
make CC="gcc ${BUILDN32}"

Install the package:

make install

64Bit

Compile the package:

sed -i 's@/usr/lib@/usr/lib64@g' Makefile &&
make CC="gcc ${BUILD64}"

Install the package:

make install

Configuring

TOMOYO 1.7.2-2010804

Run init_policy.sh to perform initial configuration.

/usr/lib/ccs/init_policy.sh

You will get initial configuration files in /etc/ccs/ directory.

You can save audit logs if you do below steps.

cat > /etc/rc.d/init.d/ccs-auditd << EOF
#!/bin/sh
/usr/lib/ccs/ccs-auditd /dev/null /var/log/tomoyo/reject_log.txt
EOF
chmod +x /etc/rc.d/init.d/ccs-auditd
for i in 2 3 4 5; do
ln -sv ../init.d/ccs-auditd /etc/rc.d/rc${i}.d/S99ccs-auditd; done
mkdir -p /var/log/tomoyo

You can start your system from Learning Mode if you do below steps.

echo '<kernel>' > /etc/ccs/domain_policy.conf
echo 'use_profile 1' >> /etc/ccs/domain_policy.conf

TOMOYO 2.2.0

Run tomoyo_init_policy.sh to perform initial configuration.

/usr/lib/ccs/tomoyo_init_policy.sh

You will get initial configuration files in /etc/tomoyo/ directory.

You can start your system from Learning Mode if you do below steps.

echo '<kernel>' > /etc/tomoyo/domain_policy.conf
echo 'use_profile 1' >> /etc/tomoyo/domain_policy.conf

Booting TOMOYO Linux

TOMOYO 1.7.2-2010804

You can use boot parameter CCS=<name> to load profile /etc/ccs/profile-<name>.conf . Without CCS= parameter or <name> is "default", /etc/ccs/profile.conf will be loaded. You can use CCS=ask to let user select from available profiles in /etc/ccs/ at boot time You can use CCS=disable to boot as usual Linux (i.e. without TOMOYO protection).

root=/dev/hda8 ro vga=791 video=neofb:ywrap,mtrr acpi=off CCS=default

TOMOYO 2.2.0

Same as TOMOYO 1.7.2-2010804, except that the policies are loaded from /etc/tomoyo/ directory.

But, be sure to add security=tomoyo parameter.

root=/dev/hda8 ro vga=791 video=neofb:ywrap,mtrr acpi=off CCS=default security=tomoyo

Configuring Policy to Guard Linux as Needed

Login to the system as root user, and run editpolicy included in TOMOYO Linux tools.

/usr/sbin/ccs-editpolicy

Contents

Download Tools Source: http://jaist.dl.sourceforge.jp/tomoyo/30298/ccs-tools-1.6.7-20090401.tar.gz
Download Kernel Patch: http://jaist.dl.sourceforge.jp/tomoyo/30297/ccs-patch-1.7.2-2010804.tar.gz
Installed Directories: /sbin
Installed Programs: ccs-init, tomoyo-init
Installed Libraries:


Installed Directories: /usr/sbin
Installed Programs: ccs-editpolicy, ccs-setlevel, ccs-setprofile, ccs-ccstree, ccs-savepolicy, ccs-auditd, ccs-findtemp, ccs-sortpolicy, ccs-ld-watch, ccs-queryd, ccs-checkpolicy
Installed Libraries:


Installed Directories: /usr/lib/ccs
Installed Programs: tomoyo_init_policy.sh, init_policy.sh, editpolicy, setlevel, setprofile, ccstree, savepolicy, makesyaoranconf, ccs-auditd, ccs-notifyd, findtemp, sortpolicy, ld-watch, ccs-queryd, checkpolicy
Installed Libraries:

Short Descriptions

ccs-editpolicy Edits the current policy in /proc/ccs/ or /sys/kernel/security/tomoyo/ directory
ccs-setlevel Changes the current control level (i.e. writing to /proc/ccs/profile or /sys/kernel/security/tomoyo/profile ) and displays the new control level.
ccs-setprofile Assigns a profile to domains.
ccs-ccstree Lists the domainnames of currently running processes belong to and the profile numbers the domains currently assigned to.
ccs-savepolicy Saves the on-memory policy onto disk.
makesyaoranconf Generates syaoran.conf, the configuration file for SYAORAN (the Tamper-Proof /dev filesystem). You can use SYAORAN filesystem if you want to run the system with read-only root fs or you want to prevent device files from tampering.
ccs-auditd Reads from /proc/ccs/grant_log and /proc/ccs/reject_log and writes to the location given in the commandline parameters.
ccs-sortpolicy Remove duplicated entry from logs written by "ccs-auditd".
ccs-findtemp Reads domain policy from standard input and checks the existence of pathnames, and dumps the nonexistent pathnames.
ccs-ld-watch Appends shared libraries to exception policy automatically using "allow_read" directive when the location of shared libraries in /etc/ld.so.cache has changed.
ccs-queryd Detects policy violation and displays the access request. You can tell the system whether the access request should be granted (or granted and policy should be appended to grant the access request) or rejected after you validate the access request.

By running this program while updating packages, you can avoid errors due to insufficient permissions.

Never grant access requests unconditionally. The cause of policy violation is not always updating packages, but may by malicious requests by attackers. If you grant access requests caused by malicious requests by attackers, the system gets intruded.

ccs-checkpolicy Reads policy files from standard input and checks syntaxes.
ccs-init Loads policy files from /etc/ccs/ directory. Put this program as /sbin/ccs-init , and this program will be invoked automatically when execution of /sbin/init is requested by initrd.
tomoyo-init Loads policy files from /etc/tomoyo/ directory. Put this program as /sbin/tomoyo-init , and this program will be invoked automatically when execution of /sbin/init is requested by initrd.
Retrieved from "?title=TOMOYO&oldid=18087"