Difference between revisions of "TOMOYO"
(New page: kernel 2.6.22.x: [http://tomoyo.sourceforge.jp/wiki-e/?TomoyoOnLFS] kernel 2.6.23.x: [http://tomoyo.sourceforge.jp/en/2.1.x/] The fundamental concept of TOMOYO Linux is "tracking proces...) |
(Update instructions, and various fixes to make it better English.) |
(66 intermediate revisions by 16 users not shown) | |||
Line 1: | Line 1: | ||
− | + | {|style="text-align: left; background-color: AliceBlue;" | |
+ | |- | ||
+ | !Download Tools Source: | ||
+ | |http://jaist.dl.sourceforge.jp/tomoyo/43376/ccs-tools-1.7.2-20100401.tar.gz (for TOMOYO 1.7) | ||
+ | |http://jaist.dl.sourceforge.jp/tomoyo/41908/tomoyo-tools-2.2.0-20100225.tar.gz (for TOMOYO 2.2) | ||
+ | |- | ||
+ | !Download Kernel Patch: | ||
+ | |http://jaist.dl.sourceforge.jp/tomoyo/43375/ccs-patch-{{TOMOYO-Version}}.tar.gz | ||
+ | |-} | ||
− | + | ---- | |
+ | {{Package-Introduction|The fundamental concept of TOMOYO Linux is "tracking process invocation history". TOMOYO Linux splits domains using "process invocation history" and the process transits to a different domain whenever execution of a program (i.e. do_execve()) is requested. By transiting to a different domain whenever execution of a program is requested, each domain will have the minimal permissions that are essential for processes in that domain to do their roles. For more information, see http://tomoyo.sourceforge.jp/wiki-e/?WhatIs .|http://tomoyo.sourceforge.jp/}} | ||
− | + | == Dependencies == | |
− | |||
− | + | * None | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | TOMOYO | + | = Building TOMOYO aware kernels = |
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | == Kernel 2.6.35.* with TOMOYO {{TOMOYO-Version}} == | |
− | |||
− | |||
− | |||
− | |||
− | TOMOYO | + | Download ccs-patch-{{TOMOYO-Version}}.tar.gz and put it in the kernel source dir. Then patch the kernel: |
− | + | tar xzvf ccs-patch-{{TOMOYO-Version}}.tar.gz && | |
− | + | patch -Np1 -i patches/ccs-patch-2.6.35.diff | |
− | |||
− | + | Run "make menuconfig" and enable these options in the "Security Options" section: | |
− | + | [*] CCSecurity support | |
− | + | (2048) Default maximal count for learning mode | |
− | + | (/sbin/ccs-init) Default policy loader | |
+ | (/sbin/ccs-start) Alternative activation trigger | ||
+ | (/sbin/modprobe /sbin/hotplug) Built-in domain initializer programs | ||
+ | [*] Auditing interface support | ||
+ | (1024) Default maximal count for grant log | ||
+ | (1024) Default maximal count for reject log | ||
+ | These can be built as modules if you use a initramfs. Now, compile and install the kernel with the instructions in the book. | ||
− | + | == TOMOYO 2.2.0 == | |
− | + | Download 2.6.30 (or later) from http://www.kernel.org/ and extract it. | |
− | |||
− | |||
− | (or | ||
− | |||
− | + | Run "make menuconfig" and go to "Security options" screen and select "TOMOYO Linux support" as shown below. | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | [ ] Enable access key retention support | |
− | + | [*] Enable different security models | |
− | + | -*- Enable the securityfs filesystem | |
− | + | [ ] Socket and Networking Security Hooks | |
− | + | -*- Security hooks for pathname based access control | |
− | + | [ ] File POSIX Capabilities | |
+ | (0) Low address space to protect from user allocation | ||
+ | [*] TOMOYO Linux Support | ||
− | + | Again, these can be built as modules if you use an initramfs. Compile the kernel according to the book. | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | = Building TOMOYO Tools = | |
− | + | Download tomoyo-tools-2.2.0-20100225.tar.gz (for TOMOYO 2.2) or ccs-tools-1.7.2-20100401.tar.gz (for TOMOYO 1.7), depending on your version, and put it the source directory (either /sources or /usr/src). | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | == Non-Multilib == | |
− | |||
+ | Compile the package: | ||
− | + | make | |
− | + | Install the package: | |
− | |||
− | |||
− | |||
− | + | make install | |
− | |||
− | |||
− | + | == Multilib == | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | === 32Bit === | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | Compile the package: | |
− | + | ||
− | + | make CC="gcc ${BUILD32}" | |
+ | |||
+ | Install the package: | ||
+ | |||
+ | make install | ||
+ | |||
+ | === N32 === | ||
+ | |||
+ | Compile the package: | ||
+ | |||
+ | sed -i 's@/usr/lib@/usr/lib32@g' Makefile && | ||
+ | make CC="gcc ${BUILDN32}" | ||
+ | |||
+ | Install the package: | ||
+ | |||
+ | make install | ||
+ | |||
+ | === 64Bit === | ||
+ | |||
+ | Compile the package: | ||
+ | |||
+ | sed -i 's@/usr/lib@/usr/lib64@g' Makefile && | ||
+ | make CC="gcc ${BUILD64}" | ||
+ | |||
+ | Install the package: | ||
+ | |||
+ | make install | ||
+ | |||
+ | = Configuring = | ||
+ | |||
+ | == TOMOYO {{TOMOYO-Version}} == | ||
+ | |||
+ | Run init_policy to perform the initial configuration. | ||
+ | |||
+ | /usr/lib/ccs/init_policy | ||
+ | |||
+ | You should get various files in /etc/ccs/ directory. | ||
+ | |||
+ | If you want to, create an audit log in /var/log/tomoyo: | ||
+ | |||
+ | cat > /etc/rc.d/init.d/ccs-auditd << EOF | ||
+ | #!/bin/sh | ||
+ | /usr/sbin/ccs-auditd /dev/null /var/log/tomoyo/reject_log.txt | ||
+ | EOF | ||
+ | |||
+ | chmod +x /etc/rc.d/init.d/ccs-auditd | ||
+ | |||
+ | for i in 2 3 4 5; do | ||
+ | ln -sv ../init.d/ccs-auditd /etc/rc.d/rc${i}.d/S99ccs-auditd; done | ||
+ | |||
+ | mkdir -p /var/log/tomoyo | ||
+ | |||
+ | Now, start the system from Learning Mode, so that you can apply future restrictions later if you want to: | ||
+ | |||
+ | echo '<kernel>' > /etc/ccs/domain_policy.conf | ||
+ | echo 'use_profile 1' >> /etc/ccs/domain_policy.conf | ||
+ | |||
+ | == TOMOYO 2.2.0 == | ||
+ | |||
+ | Run tomoyo_init_policy.sh to perform the initial configuration. | ||
+ | |||
+ | /usr/lib/ccs/tomoyo_init_policy.sh | ||
+ | |||
+ | You should get initial configuration files in /etc/tomoyo/ directory. | ||
+ | |||
+ | Now, start the system from Learning Mode, so that you can apply future restrictions later if you want to: | ||
+ | |||
+ | echo '<kernel>' > /etc/tomoyo/domain_policy.conf | ||
+ | echo 'use_profile 1' >> /etc/tomoyo/domain_policy.conf | ||
+ | |||
+ | = Booting TOMOYO Linux = | ||
+ | |||
+ | == TOMOYO {{TOMOYO-Version}} == | ||
+ | |||
+ | You can use boot parameter CCS=<name> to load profile /etc/ccs/profile-<name>.conf . | ||
+ | Without CCS= parameter or <name> is "default", /etc/ccs/profile.conf will be loaded. | ||
+ | You can use CCS=ask to let user select from available profiles in /etc/ccs/ at boot time | ||
+ | You can use CCS=disable to boot as usual Linux (i.e. without TOMOYO protection). This is just an example: | ||
+ | |||
+ | root=/dev/hda8 ro vga=791 video=neofb:ywrap,mtrr acpi=off CCS=default | ||
+ | |||
+ | == TOMOYO 2.2.0 == | ||
+ | |||
+ | Same as TOMOYO {{TOMOYO-Version}}, except that the policies are loaded from /etc/tomoyo/ directory. | ||
+ | |||
+ | But, be sure to add the security=tomoyo parameter. This is, again, just an example: | ||
+ | |||
+ | root=/dev/hda8 ro vga=791 video=neofb:ywrap,mtrr acpi=off CCS=default security=tomoyo | ||
+ | |||
+ | = Configuring Policy to Guard Linux as Needed = | ||
+ | |||
+ | Login to the system as root user, and run editpolicy included in TOMOYO Linux tools. | ||
+ | |||
+ | /usr/sbin/ccs-editpolicy | ||
+ | |||
+ | = Contents = | ||
+ | |||
+ | {| style="text-align: left;" | ||
+ | |-valign="top" | ||
+ | !Installed Directories: | ||
+ | | /sbin | ||
+ | |-valign="top" | ||
+ | !Installed Programs: | ||
+ | |ccs-init, tomoyo-init | ||
+ | |-valign="top" | ||
+ | !Installed Libraries: | ||
+ | | | ||
+ | |} | ||
+ | |||
+ | |||
+ | {| style="text-align: left;" | ||
+ | |-valign="top" | ||
+ | !Installed Directories: | ||
+ | |/usr/sbin | ||
+ | |-valign="top" | ||
+ | !Installed Programs: | ||
+ | |ccs-editpolicy, ccs-setlevel, ccs-setprofile, ccs-ccstree, ccs-savepolicy, ccs-auditd, ccs-findtemp, ccs-sortpolicy, ccs-ld-watch, ccs-queryd, ccs-checkpolicy | ||
+ | |-valign="top" | ||
+ | !Installed Libraries: | ||
+ | | | ||
+ | |} | ||
+ | |||
+ | |||
+ | {| style="text-align: left;" | ||
+ | |-valign="top" | ||
+ | !Installed Directories: | ||
+ | |/usr/lib/ccs | ||
+ | |-valign="top" | ||
+ | !Installed Programs: | ||
+ | |tomoyo_init_policy.sh, init_policy.sh, editpolicy, setlevel, setprofile, ccstree, savepolicy, makesyaoranconf, ccs-auditd, ccs-notifyd, findtemp, sortpolicy, ld-watch, ccs-queryd, checkpolicy | ||
+ | |-valign="top" | ||
+ | !Installed Libraries: | ||
+ | | | ||
+ | |} | ||
+ | |||
+ | == Short Descriptions == | ||
+ | |||
+ | {| style="text-align: left;" | ||
+ | |-valign="top" | ||
+ | !ccs-editpolicy | ||
+ | |Edits the current policy in /proc/ccs/ or /sys/kernel/security/tomoyo/ directory | ||
+ | |-valign="top" | ||
+ | !ccs-setlevel | ||
+ | |Changes the current control level (i.e. writing to /proc/ccs/profile or /sys/kernel/security/tomoyo/profile ) and displays the new control level. | ||
+ | |-valign="top" | ||
+ | !ccs-setprofile | ||
+ | |Assigns a profile to domains. | ||
+ | |-valign="top" | ||
+ | !ccs-pstree (for TOMOYO 1.7) ccs-ccstree (for TOMOYO 2.2) | ||
+ | |Lists the domainnames of currently running processes belong to and the profile numbers the domains currently assigned to. | ||
+ | |-valign="top" | ||
+ | !ccs-savepolicy | ||
+ | |Saves the on-memory policy onto disk. | ||
+ | |-valign="top" | ||
+ | !ccs-auditd | ||
+ | |Reads from /proc/ccs/grant_log and /proc/ccs/reject_log and writes to the location given in the commandline parameters. | ||
+ | |-valign="top" | ||
+ | !ccs-sortpolicy | ||
+ | |Remove duplicated entry from logs written by "ccs-auditd". | ||
+ | |-valign="top" | ||
+ | !ccs-findtemp | ||
+ | |Reads domain policy from standard input and checks the existence of pathnames, and dumps the nonexistent pathnames. | ||
+ | |-valign="top" | ||
+ | !ccs-ld-watch | ||
+ | |Appends shared libraries to exception policy automatically using "allow_read" directive when the location of shared libraries in /etc/ld.so.cache has changed. | ||
+ | |-valign="top" | ||
+ | !ccs-queryd | ||
+ | |Detects policy violation and displays the access request. You can tell the system whether the access request should be granted (or granted and policy should be appended to grant the access request) or rejected after you validate the access request. | ||
+ | |||
+ | By running this program while updating packages, you can avoid errors due to insufficient permissions. | ||
+ | |||
+ | Never grant access requests unconditionally. The cause of policy violation is not always updating packages, but may by malicious requests by attackers. If you grant access requests caused by malicious requests by attackers, the system gets intruded. | ||
+ | |||
+ | |-valign="top" | ||
+ | !ccs-checkpolicy | ||
+ | |Reads policy files from standard input and checks syntaxes. | ||
+ | |-valign="top" | ||
+ | !ccs-init | ||
+ | |Loads policy files from /etc/ccs/ directory. Put this program as /sbin/ccs-init , and this program will be invoked automatically when execution of /sbin/init is requested by initrd. | ||
+ | |-valign="top" | ||
+ | !tomoyo-init | ||
+ | |Loads policy files from /etc/tomoyo/ directory. Put this program as /sbin/tomoyo-init , and this program will be invoked automatically when execution of /sbin/init is requested by initrd. | ||
+ | |} | ||
+ | |||
+ | [[Category:Security]] |
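Review bot: The download table at the top of the new revision is terminated with `|-}`, which starts another table row instead of closing the table; every other table in this change ends with `|}`, and this one should too. In the Configuring section the 1.7 command is written as /usr/lib/ccs/init_policy, while the Contents table lists init_policy.sh under /usr/lib/ccs, so one of the two names needs correcting. The Short Descriptions table names ccs-pstree for TOMOYO 1.7, but the Installed Programs row for /usr/sbin lists only ccs-ccstree.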
Latest revision as of 07:23, 25 August 2010
Introduction to TOMOYO
The fundamental concept of TOMOYO Linux is "tracking process invocation history". TOMOYO Linux splits domains by process invocation history, and a process transitions to a different domain whenever execution of a program (i.e. do_execve()) is requested. Because a transition happens on every program execution, each domain will have only the minimal permissions that are essential for processes in that domain to do their roles. For more information, see http://tomoyo.sourceforge.jp/wiki-e/?WhatIs .
Project Homepage: http://tomoyo.sourceforge.jp/
Dependencies
- None
Building TOMOYO aware kernels
Kernel 2.6.35.* with TOMOYO 1.7.2-2010804
Download ccs-patch-1.7.2-2010804.tar.gz and put it in the kernel source dir. Then patch the kernel:
tar xzvf ccs-patch-1.7.2-2010804.tar.gz &&
patch -Np1 -i patches/ccs-patch-2.6.35.diff
Run "make menuconfig" and enable these options in the "Security Options" section:
[*] CCSecurity support
(2048) Default maximal count for learning mode
(/sbin/ccs-init) Default policy loader
(/sbin/ccs-start) Alternative activation trigger
(/sbin/modprobe /sbin/hotplug) Built-in domain initializer programs
[*] Auditing interface support
(1024) Default maximal count for grant log
(1024) Default maximal count for reject log
These can be built as modules if you use an initramfs. Now, compile and install the kernel with the instructions in the book.
TOMOYO 2.2.0
Download 2.6.30 (or later) from http://www.kernel.org/ and extract it.
Run "make menuconfig", go to the "Security options" screen and select "TOMOYO Linux support" as shown below.
[ ] Enable access key retention support
[*] Enable different security models
-*- Enable the securityfs filesystem
[ ] Socket and Networking Security Hooks
-*- Security hooks for pathname based access control
[ ] File POSIX Capabilities
(0) Low address space to protect from user allocation
[*] TOMOYO Linux Support
Again, these can be built as modules if you use an initramfs. Compile the kernel according to the book.
Building TOMOYO Tools
Download tomoyo-tools-2.2.0-20100225.tar.gz (for TOMOYO 2.2) or ccs-tools-1.7.2-20100401.tar.gz (for TOMOYO 1.7), depending on your version, and put it in the source directory (either /sources or /usr/src).
Non-Multilib
Compile the package:
make
Install the package:
make install
Multilib
32Bit
Compile the package:
make CC="gcc ${BUILD32}"
Install the package:
make install
N32
Compile the package:
sed -i 's@/usr/lib@/usr/lib32@g' Makefile &&
make CC="gcc ${BUILDN32}"
Install the package:
make install
64Bit
Compile the package:
sed -i 's@/usr/lib@/usr/lib64@g' Makefile &&
make CC="gcc ${BUILD64}"
Install the package:
make install
Configuring
TOMOYO 1.7.2-2010804
Run init_policy to perform the initial configuration.
/usr/lib/ccs/init_policy
You should get various files in the /etc/ccs/ directory.
If you want to, create an audit log in /var/log/tomoyo:
cat > /etc/rc.d/init.d/ccs-auditd << EOF
#!/bin/sh
/usr/sbin/ccs-auditd /dev/null /var/log/tomoyo/reject_log.txt
EOF
chmod +x /etc/rc.d/init.d/ccs-auditd
for i in 2 3 4 5; do
ln -sv ../init.d/ccs-auditd /etc/rc.d/rc${i}.d/S99ccs-auditd; done
mkdir -p /var/log/tomoyo
Now, start the system in Learning Mode, so that you can apply restrictions later if you want to:
echo '<kernel>' > /etc/ccs/domain_policy.conf
echo 'use_profile 1' >> /etc/ccs/domain_policy.conf
TOMOYO 2.2.0
Run tomoyo_init_policy.sh to perform the initial configuration.
/usr/lib/ccs/tomoyo_init_policy.sh
You should get initial configuration files in the /etc/tomoyo/ directory.
Now, start the system in Learning Mode, so that you can apply restrictions later if you want to:
echo '<kernel>' > /etc/tomoyo/domain_policy.conf
echo 'use_profile 1' >> /etc/tomoyo/domain_policy.conf
Booting TOMOYO Linux
TOMOYO 1.7.2-2010804
You can use the boot parameter CCS=<name> to load the profile /etc/ccs/profile-<name>.conf .
If the CCS= parameter is absent or <name> is "default", /etc/ccs/profile.conf will be loaded.
You can use CCS=ask to let the user select from the available profiles in /etc/ccs/ at boot time.
You can use CCS=disable to boot as usual Linux (i.e. without TOMOYO protection). This is just an example:
root=/dev/hda8 ro vga=791 video=neofb:ywrap,mtrr acpi=off CCS=default
TOMOYO 2.2.0
Same as TOMOYO 1.7.2-2010804, except that the policies are loaded from the /etc/tomoyo/ directory.
Be sure to also add the security=tomoyo parameter. This is, again, just an example:
root=/dev/hda8 ro vga=791 video=neofb:ywrap,mtrr acpi=off CCS=default security=tomoyo
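The boot parameter rules above can be checked mechanically before a boot entry is committed. The following is an added example, not part of the original page or the TOMOYO tools: it reports which profile file a kernel command line selects and flags lines that boot without protection or, for 2.2, without security=tomoyo. The function names and the sample boot line are hypothetical.

```sh
#!/bin/sh
# Added example: audit a kernel command line against the CCS= and security=
# rules described on this page. All function names are hypothetical.

# Print the value of the first "key=value" word on a command line (empty if
# the key is absent). Using the first occurrence is an assumption; the page
# does not say how a repeated parameter is handled.
cmdline_value() {
    printf '%s\n' "$2" | tr -s ' \t' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# Policy directory for each version, as given on this page.
policy_dir() {
    case $1 in
        1.7) echo /etc/ccs ;;
        2.2) echo /etc/tomoyo ;;
        *)   return 1 ;;
    esac
}

# Report what a boot line selects: "disabled", "ask" or "profile <path>".
# usage: boot_profile <1.7|2.2> "<kernel command line>"
boot_profile() {
    dir=$(policy_dir "$1") || { echo "unknown version"; return 1; }
    name=$(cmdline_value CCS "$2")
    case $name in
        disable)    echo "disabled" ;;
        ask)        echo "ask" ;;
        ''|default) echo "profile $dir/profile.conf" ;;
        *)          echo "profile $dir/profile-$name.conf" ;;
    esac
}

# Print one finding per line; empty output means nothing to flag.
audit_boot_line() {
    state=$(boot_profile "$1" "$2") || { echo "FAIL: $state"; return 1; }
    case $state in
        disabled) echo "WARN: CCS=disable boots without TOMOYO protection" ;;
        ask)      echo "NOTE: CCS=ask lets the user select the profile at boot time" ;;
    esac
    if [ "$1" = 2.2 ] && [ "$(cmdline_value security "$2")" != tomoyo ]; then
        echo "WARN: security=tomoyo is missing (the page says to add it for 2.2)"
    fi
    return 0
}

# Constructed sample input, modelled on the example boot line above.
audit_boot_line 2.2 'root=/dev/hda8 ro vga=791 acpi=off CCS=disable'
```

Run against the line from the boot loader configuration rather than /proc/cmdline if the goal is to catch a bad entry before the next reboot.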
Configuring Policy to Guard Linux as Needed
Log in to the system as the root user, and run editpolicy, which is included in the TOMOYO Linux tools.
/usr/sbin/ccs-editpolicy
Contents
Download Tools Source: | http://jaist.dl.sourceforge.jp/tomoyo/43376/ccs-tools-1.7.2-20100401.tar.gz (for TOMOYO 1.7) | http://jaist.dl.sourceforge.jp/tomoyo/41908/tomoyo-tools-2.2.0-20100225.tar.gz (for TOMOYO 2.2) |
---|---|---|
Download Kernel Patch: | http://jaist.dl.sourceforge.jp/tomoyo/43375/ccs-patch-1.7.2-2010804.tar.gz |
Installed Directories: | /sbin |
---|---|
Installed Programs: | ccs-init, tomoyo-init |
Installed Libraries: |
Installed Directories: | /usr/sbin |
---|---|
Installed Programs: | ccs-editpolicy, ccs-setlevel, ccs-setprofile, ccs-ccstree, ccs-savepolicy, ccs-auditd, ccs-findtemp, ccs-sortpolicy, ccs-ld-watch, ccs-queryd, ccs-checkpolicy |
Installed Libraries: |
Installed Directories: | /usr/lib/ccs |
---|---|
Installed Programs: | tomoyo_init_policy.sh, init_policy.sh, editpolicy, setlevel, setprofile, ccstree, savepolicy, makesyaoranconf, ccs-auditd, ccs-notifyd, findtemp, sortpolicy, ld-watch, ccs-queryd, checkpolicy |
Installed Libraries: |
Short Descriptions
ccs-editpolicy | Edits the current policy in /proc/ccs/ or /sys/kernel/security/tomoyo/ directory |
---|---|
ccs-setlevel | Changes the current control level (i.e. writing to /proc/ccs/profile or /sys/kernel/security/tomoyo/profile ) and displays the new control level. |
ccs-setprofile | Assigns a profile to domains. |
ccs-pstree (for TOMOYO 1.7) ccs-ccstree (for TOMOYO 2.2) | Lists the domain names that currently running processes belong to and the profile numbers currently assigned to those domains. |
ccs-savepolicy | Saves the on-memory policy onto disk. |
ccs-auditd | Reads from /proc/ccs/grant_log and /proc/ccs/reject_log and writes to the location given in the commandline parameters. |
ccs-sortpolicy | Removes duplicate entries from logs written by "ccs-auditd". |
ccs-findtemp | Reads domain policy from standard input and checks the existence of pathnames, and dumps the nonexistent pathnames. |
ccs-ld-watch | Appends shared libraries to exception policy automatically using "allow_read" directive when the location of shared libraries in /etc/ld.so.cache has changed. |
ccs-queryd | Detects policy violations and displays the access request. After you validate the access request, you can tell the system whether it should be granted (or granted and the policy appended so that the request is allowed in future) or rejected. By running this program while updating packages, you can avoid errors due to insufficient permissions. Never grant access requests unconditionally. The cause of a policy violation is not always a package update; it may be a malicious request by an attacker. If you grant access requests caused by malicious requests by attackers, the system will be compromised. |
ccs-checkpolicy | Reads policy files from standard input and checks their syntax. |
ccs-init | Loads policy files from the /etc/ccs/ directory. Install this program as /sbin/ccs-init , and it will be invoked automatically when execution of /sbin/init is requested by initrd. |
tomoyo-init | Loads policy files from the /etc/tomoyo/ directory. Install this program as /sbin/tomoyo-init , and it will be invoked automatically when execution of /sbin/init is requested by initrd. |