Difference between revisions of "TOMOYO"

From CBLFS
Jump to navigationJump to search
(Update instructions, and various fixes to make it better English.)
 
(61 intermediate revisions by 15 users not shown)
Line 1: Line 1:
[http://tomoyo.sourceforge.jp/wiki-e/?TomoyoOnLFS install for kernel 2.6.22.x]
+
{|style="text-align: left; background-color: AliceBlue;"
[http://tomoyo.sourceforge.jp/en/2.1.x/ install for kernel 2.6.23.x]
+
|-
 +
!Download Tools Source:
 +
|http://jaist.dl.sourceforge.jp/tomoyo/43376/ccs-tools-1.7.2-20100401.tar.gz (for TOMOYO 1.7)
 +
|http://jaist.dl.sourceforge.jp/tomoyo/41908/tomoyo-tools-2.2.0-20100225.tar.gz (for TOMOYO 2.2)
 +
|-
 +
!Download Kernel Patch:
 +
|http://jaist.dl.sourceforge.jp/tomoyo/43375/ccs-patch-{{TOMOYO-Version}}.tar.gz
 +
|-}
  
[http://tomoyo.sourceforge.jp/wiki-e/?WhatIs What is TOMOYO Linux?]
+
----
  
 +
{{Package-Introduction|The fundamental concept of TOMOYO Linux is "tracking process invocation history". TOMOYO Linux splits domains using "process invocation history" and the process transits to a different domain whenever execution of a program (i.e. do_execve()) is requested. By transiting to a different domain whenever execution of a program is requested, each domain will have the minimal permissions that are essential for processes in that domain to do their roles. For more information, see http://tomoyo.sourceforge.jp/wiki-e/?WhatIs .|http://tomoyo.sourceforge.jp/}}
  
 +
== Dependencies ==
  
The fundamental concept of TOMOYO Linux is "tracking process
+
* None
invocation history".
 
  
The "struct task_struct"->security member holds a pointer to the
+
= Building TOMOYO aware kernels =
"process invocation history". Thus, every process (the kernel,
 
/sbin/init process and any children/descendant of /sbin/init) knows
 
its "process invocation history" (or ancestors). Since every process
 
knows its ancestors, TOMOYO Linux can enforce access control over all
 
processes.
 
  
TOMOYO Linux splits domains using "process invocation history" and the
+
== Kernel 2.6.35.* with TOMOYO {{TOMOYO-Version}} ==
process transits to a different domain whenever execution of a program
 
(i.e. do_execve()) is requested. By transiting to a different domain
 
whenever execution of a program is requested, each domain will have
 
the minimal permissions that are essential for processes in that
 
domain to do their roles.
 
  
You don't need to define domains beforehand. TOMOYO Linux kernel will
+
Download ccs-patch-{{TOMOYO-Version}}.tar.gz and put it in the kernel source dir. Then patch the kernel:
automatically define new domains whenever execution of a program is
 
requested, and the process will automatically transit to the new
 
domain. (If the process's domain is in enforcing mode, TOMOYO Linux
 
kernel will not define new domains to avoid memory consumption attack.)
 
  
TOMOYO Linux can restrict the following requests on a per-a-domain basis:
+
tar xzvf ccs-patch-{{TOMOYO-Version}}.tar.gz &&
 +
patch -Np1 -i patches/ccs-patch-2.6.35.diff
  
    * opening files
+
Run "make menuconfig" and enable these options in the "Security Options" section:
    * communicating via PF_INET sockets
 
    * sending signals
 
  
TOMOYO Linux can also restrict the following namespace manipulation requests.
+
[*] CCSecurity support
 +
(2048) Default maximal count for learning mode
 +
(/sbin/ccs-init) Default policy loader
 +
(/sbin/ccs-start) Alternative activation trigger
 +
(/sbin/modprobe /sbin/hotplug) Built-in domain initializer programs
 +
[*]  Auditing interface support
 +
(1024)  Default maximal count for grant log
 +
(1024)  Default maximal count for reject log
  
    * mounting filesystems
+
These can be built as modules if you use a initramfs. Now, compile and install the kernel with the instructions in the book.
    * unmounting filesystems
 
    * using pivot_root
 
  
 +
== TOMOYO 2.2.0 ==
  
<<Example>>
+
Download 2.6.30 (or later) from http://www.kernel.org/ and extract it.
  
The tree below shows a part of domain transitions generated using
+
Run "make menuconfig" and go to "Security options" screen and select "TOMOYO Linux support" as shown below.
Debian Etch. The domain a process is in is determined based on the
 
process's "process invocation history". Each domain has permissions
 
(or ACL), and the behavior (or requests shown above) of a process is
 
restricted by the ACL of the domain that the process is in.
 
  
    <kernel>
+
[ ] Enable access key retention support
      + /sbin/init
+
[*] Enable different security models
          + /etc/init.d/rc
+
-*- Enable the securityfs filesystem
              + /etc/init.d/apache2
+
[ ] Socket and Networking Security Hooks
                  + /usr/bin/env
+
-*- Security hooks for pathname based access control
                      + /usr/sbin/apache2ctl
+
[ ] File POSIX Capabilities
                          + /usr/sbin/apache2
+
(0) Low address space to protect from user allocation
 +
[*] TOMOYO Linux Support
  
You can assign different access control modes (or profiles) on a
+
Again, these can be built as modules if you use an initramfs. Compile the kernel according to the book.
per-a-domain basis. Thus, you can enforce access control partially or
 
entirely. Also, by assigning "learning mode" to a domain, ACL that are
 
requested by processes in that domain are automatically (i.e. in
 
real-time) accumulated. The following ACL are an excerpt from
 
/usr/sbin/apache2 domain generated using "learning mode".
 
  
    4 /etc/apache2/apache2.conf
+
= Building TOMOYO Tools =
    4 /var/www/apache2-default/index.html
 
    allow_create /var/run/apache2.pid
 
    allow_unlink /var/run/apache2.pid
 
    allow_network TCP bind 192.168.1.135 80
 
    allow_network TCP listen 192.168.1.135 80
 
    allow_network TCP accept 192.168.1.1 2389
 
  
The above ACL allows Apache to do the following behavior.
+
Download tomoyo-tools-2.2.0-20100225.tar.gz (for TOMOYO 2.2) or ccs-tools-1.7.2-20100401.tar.gz (for TOMOYO 1.7), depending on your version, and put it the source directory (either /sources or /usr/src).
  
    * Opening /etc/apache2/apache2.conf and
+
== Non-Multilib ==
      /var/www/apache2-default/index.html for reading.
 
    * Creating and deleting /var/run/apache2.pid .
 
    * Binding to local address (IP = 192.168.1.135, port = 80).
 
    * Listening at local address (IP = 192.168.1.135, port = 80).
 
    * Accepting from remote address (IP = 192.168.1.1, port = 2389).
 
  
You may use wildcards for pathnames, ranges for IP addresses and port
+
Compile the package:
numbers, groups of pathnames and IP addresses for flexible definition.
 
  
 +
make
  
<<Features of TOMOYO Linux.>>
+
Install the package:
  
TOMOYO Linux is an implementation of MAC, but you can use TOMOYO Linux
+
make install
not only for MAC, but also to analyze a system's behavior, since
 
TOMOYO Linux can accumulate access requests raised by applications
 
sorted by each "process invocation history".
 
  
TOMOYO Linux and AppArmor are alike from the point of view of pathname
+
== Multilib ==
based access control, but TOMOYO Linux has differences in the
 
following points:
 
  
    * TOMOYO Linux can apply access control over the whole process
+
=== 32Bit ===
      (from the execution of /sbin/init at the startup procedure,
 
      till the power failure at the shutdown procedure).
 
    * TOMOYO Linux can apply access control not only over files but
 
      also over networking, signals, namespace manipulations.
 
    * TOMOYO Linux can accumulate ACL in real-time using
 
      "learning mode".
 
  
    * TOMOYO Linux allows the administrator to switch the access
+
Compile the package:
      control mode on a per-domain and per-functionality basis.
 
    * TOMOYO Linux allows the administrator to judge (grant/reject)
 
      requests which that violated ACL manually while operating in
 
      "enforcing mode" without once rejecting these requests.
 
    * TOMOYO Linux supports conditional ACL (e.g. owner of
 
      process/files etc.).
 
  
Documents about installing and experiencing TOMOYO Linux are available
+
make CC="gcc ${BUILD32}"
at [http://tomoyo.sourceforge.jp/en/2.1.x/ http://tomoyo.sourceforge.jp/en/2.1.x/] . Please try TOMOYO Linux.
+
 
Feedbacks are most welcome.
+
Install the package:
 +
 
 +
make install
 +
 
 +
=== N32 ===
 +
 
 +
Compile the package:
 +
 
 +
sed -i 's@/usr/lib@/usr/lib32@g' Makefile &&
 +
make CC="gcc ${BUILDN32}"
 +
 
 +
Install the package:
 +
 
 +
make install
 +
 
 +
=== 64Bit ===
 +
 
 +
Compile the package:
 +
 
 +
sed -i 's@/usr/lib@/usr/lib64@g' Makefile &&
 +
make CC="gcc ${BUILD64}"
 +
 
 +
Install the package:
 +
 
 +
make install
 +
 
 +
= Configuring =
 +
 
 +
== TOMOYO {{TOMOYO-Version}} ==
 +
 
 +
Run init_policy to perform the initial configuration.
 +
 
 +
/usr/lib/ccs/init_policy
 +
 
 +
You should get various files in /etc/ccs/ directory.
 +
 
 +
If you want to, create an audit log in /var/log/tomoyo:
 +
 
 +
cat > /etc/rc.d/init.d/ccs-auditd << EOF
 +
#!/bin/sh
 +
/usr/sbin/ccs-auditd /dev/null /var/log/tomoyo/reject_log.txt
 +
EOF
 +
 
 +
chmod +x /etc/rc.d/init.d/ccs-auditd
 +
 
 +
for i in 2 3 4 5; do
 +
ln -sv ../init.d/ccs-auditd /etc/rc.d/rc${i}.d/S99ccs-auditd; done
 +
 
 +
mkdir -p /var/log/tomoyo
 +
 
 +
Now, start the system from Learning Mode, so that you can apply future restrictions later if you want to:
 +
 
 +
echo '<kernel>' > /etc/ccs/domain_policy.conf
 +
echo 'use_profile 1' >> /etc/ccs/domain_policy.conf
 +
 
 +
== TOMOYO 2.2.0 ==
 +
 
 +
Run tomoyo_init_policy.sh to perform the initial configuration.
 +
 
 +
/usr/lib/ccs/tomoyo_init_policy.sh
 +
 
 +
You should get initial configuration files in /etc/tomoyo/ directory.
 +
 
 +
Now, start the system from Learning Mode, so that you can apply future restrictions later if you want to:
 +
 
 +
echo '<kernel>' > /etc/tomoyo/domain_policy.conf
 +
echo 'use_profile 1' >> /etc/tomoyo/domain_policy.conf
 +
 
 +
= Booting TOMOYO Linux =
 +
 
 +
== TOMOYO {{TOMOYO-Version}} ==
 +
 
 +
You can use boot parameter CCS=<name> to load profile /etc/ccs/profile-<name>.conf .
 +
Without CCS= parameter or <name> is "default", /etc/ccs/profile.conf will be loaded.
 +
You can use CCS=ask to let user select from available profiles in /etc/ccs/ at boot time
 +
You can use CCS=disable to boot as usual Linux (i.e. without TOMOYO protection). This is just an example:
 +
 
 +
root=/dev/hda8 ro vga=791 video=neofb:ywrap,mtrr acpi=off CCS=default
 +
 
 +
== TOMOYO 2.2.0 ==
 +
 
 +
Same as TOMOYO {{TOMOYO-Version}}, except that the policies are loaded from /etc/tomoyo/ directory.
 +
 
 +
But, be sure to add the security=tomoyo parameter. This is, again, just an example:
 +
 
 +
root=/dev/hda8 ro vga=791 video=neofb:ywrap,mtrr acpi=off CCS=default security=tomoyo
 +
 
 +
= Configuring Policy to Guard Linux as Needed =
 +
 
 +
Login to the system as root user, and run editpolicy included in TOMOYO Linux tools.
 +
 
 +
/usr/sbin/ccs-editpolicy
 +
 
 +
= Contents =
 +
 
 +
{| style="text-align: left;"
 +
|-valign="top"
 +
!Installed Directories:
 +
| /sbin
 +
|-valign="top"
 +
!Installed Programs:
 +
|ccs-init, tomoyo-init
 +
|-valign="top"
 +
!Installed Libraries:
 +
|
 +
|}
 +
 
 +
 
 +
{| style="text-align: left;"
 +
|-valign="top"
 +
!Installed Directories:
 +
|/usr/sbin
 +
|-valign="top"
 +
!Installed Programs:
 +
|ccs-editpolicy, ccs-setlevel, ccs-setprofile, ccs-ccstree, ccs-savepolicy, ccs-auditd, ccs-findtemp, ccs-sortpolicy, ccs-ld-watch, ccs-queryd, ccs-checkpolicy
 +
|-valign="top"
 +
!Installed Libraries:
 +
|
 +
|}
 +
 
 +
 
 +
{| style="text-align: left;"
 +
|-valign="top"
 +
!Installed Directories:
 +
|/usr/lib/ccs
 +
|-valign="top"
 +
!Installed Programs:
 +
|tomoyo_init_policy.sh, init_policy.sh, editpolicy, setlevel, setprofile, ccstree, savepolicy, makesyaoranconf, ccs-auditd, ccs-notifyd, findtemp, sortpolicy, ld-watch, ccs-queryd, checkpolicy
 +
|-valign="top"
 +
!Installed Libraries:
 +
|
 +
|}
 +
 
 +
== Short Descriptions ==
 +
 
 +
{| style="text-align: left;"
 +
|-valign="top"
 +
!ccs-editpolicy
 +
|Edits the current policy in /proc/ccs/ or /sys/kernel/security/tomoyo/ directory
 +
|-valign="top"
 +
!ccs-setlevel
 +
|Changes the current control level (i.e. writing to /proc/ccs/profile or /sys/kernel/security/tomoyo/profile ) and displays the new control level.
 +
|-valign="top"
 +
!ccs-setprofile
 +
|Assigns a profile to domains.
 +
|-valign="top"
 +
!ccs-pstree (for TOMOYO 1.7) ccs-ccstree (for TOMOYO 2.2)
 +
|Lists the domainnames of currently running processes belong to and the profile numbers the domains currently assigned to.
 +
|-valign="top"
 +
!ccs-savepolicy
 +
|Saves the on-memory policy onto disk.
 +
|-valign="top"
 +
!ccs-auditd
 +
|Reads from /proc/ccs/grant_log and /proc/ccs/reject_log and writes to the location given in the commandline parameters.
 +
|-valign="top"
 +
!ccs-sortpolicy
 +
|Remove duplicated entry from logs written by "ccs-auditd".
 +
|-valign="top"
 +
!ccs-findtemp
 +
|Reads domain policy from standard input and checks the existence of pathnames, and dumps the nonexistent pathnames.
 +
|-valign="top"
 +
!ccs-ld-watch
 +
|Appends shared libraries to exception policy automatically using "allow_read" directive when the location of shared libraries in /etc/ld.so.cache has changed.
 +
|-valign="top"
 +
!ccs-queryd
 +
|Detects policy violation and displays the access request. You can tell the system whether the access request should be granted (or granted and policy should be appended to grant the access request) or rejected after you validate the access request.
 +
 
 +
By running this program while updating packages, you can avoid errors due to insufficient permissions.
 +
 
 +
Never grant access requests unconditionally. The cause of policy violation is not always updating packages, but may by malicious requests by attackers. If you grant access requests caused by malicious requests by attackers, the system gets intruded.
 +
 
 +
|-valign="top"
 +
!ccs-checkpolicy
 +
|Reads policy files from standard input and checks syntaxes.
 +
|-valign="top"
 +
!ccs-init
 +
|Loads policy files from /etc/ccs/ directory. Put this program as /sbin/ccs-init , and this program will be invoked automatically when execution of /sbin/init is requested by initrd.
 +
|-valign="top"
 +
!tomoyo-init
 +
|Loads policy files from /etc/tomoyo/ directory. Put this program as /sbin/tomoyo-init , and this program will be invoked automatically when execution of /sbin/init is requested by initrd.
 +
|}
 +
 
 +
[[Category:Security]]

Latest revision as of 07:23, 25 August 2010


Introduction to TOMOYO

The fundamental concept of TOMOYO Linux is "tracking process invocation history". TOMOYO Linux splits domains using "process invocation history" and the process transits to a different domain whenever execution of a program (i.e. do_execve()) is requested. By transiting to a different domain whenever execution of a program is requested, each domain will have the minimal permissions that are essential for processes in that domain to do their roles. For more information, see http://tomoyo.sourceforge.jp/wiki-e/?WhatIs .

Project Homepage: http://tomoyo.sourceforge.jp/

Dependencies

  • None

Building TOMOYO aware kernels

Kernel 2.6.35.* with TOMOYO 1.7.2-2010804

Download ccs-patch-1.7.2-2010804.tar.gz and put it in the kernel source dir. Then patch the kernel:

tar xzvf ccs-patch-1.7.2-2010804.tar.gz &&
patch -Np1 -i patches/ccs-patch-2.6.35.diff

Run "make menuconfig" and enable these options in the "Security Options" section:

[*] CCSecurity support
(2048) Default maximal count for learning mode
(/sbin/ccs-init) Default policy loader
(/sbin/ccs-start) Alternative activation trigger
(/sbin/modprobe /sbin/hotplug) Built-in domain initializer programs
[*]   Auditing interface support
(1024)  Default maximal count for grant log
(1024)  Default maximal count for reject log

These can be built as modules if you use a initramfs. Now, compile and install the kernel with the instructions in the book.

TOMOYO 2.2.0

Download 2.6.30 (or later) from http://www.kernel.org/ and extract it.

Run "make menuconfig" and go to "Security options" screen and select "TOMOYO Linux support" as shown below.

[ ] Enable access key retention support
[*] Enable different security models
-*- Enable the securityfs filesystem
[ ] Socket and Networking Security Hooks
-*- Security hooks for pathname based access control
[ ] File POSIX Capabilities
(0) Low address space to protect from user allocation
[*] TOMOYO Linux Support

Again, these can be built as modules if you use an initramfs. Compile the kernel according to the book.

Building TOMOYO Tools

Download tomoyo-tools-2.2.0-20100225.tar.gz (for TOMOYO 2.2) or ccs-tools-1.7.2-20100401.tar.gz (for TOMOYO 1.7), depending on your version, and put it the source directory (either /sources or /usr/src).

Non-Multilib

Compile the package:

make

Install the package:

make install

Multilib

32Bit

Compile the package:

make CC="gcc ${BUILD32}"

Install the package:

make install

N32

Compile the package:

sed -i 's@/usr/lib@/usr/lib32@g' Makefile &&
make CC="gcc ${BUILDN32}"

Install the package:

make install

64Bit

Compile the package:

sed -i 's@/usr/lib@/usr/lib64@g' Makefile &&
make CC="gcc ${BUILD64}"

Install the package:

make install

Configuring

TOMOYO 1.7.2-2010804

Run init_policy to perform the initial configuration.

/usr/lib/ccs/init_policy

You should get various files in /etc/ccs/ directory.

If you want to, create an audit log in /var/log/tomoyo:

cat > /etc/rc.d/init.d/ccs-auditd << EOF
#!/bin/sh
/usr/sbin/ccs-auditd /dev/null /var/log/tomoyo/reject_log.txt
EOF
chmod +x /etc/rc.d/init.d/ccs-auditd
for i in 2 3 4 5; do
ln -sv ../init.d/ccs-auditd /etc/rc.d/rc${i}.d/S99ccs-auditd; done
mkdir -p /var/log/tomoyo

Now, start the system from Learning Mode, so that you can apply future restrictions later if you want to:

echo '<kernel>' > /etc/ccs/domain_policy.conf
echo 'use_profile 1' >> /etc/ccs/domain_policy.conf

TOMOYO 2.2.0

Run tomoyo_init_policy.sh to perform the initial configuration.

/usr/lib/ccs/tomoyo_init_policy.sh

You should get initial configuration files in /etc/tomoyo/ directory.

Now, start the system from Learning Mode, so that you can apply future restrictions later if you want to:

echo '<kernel>' > /etc/tomoyo/domain_policy.conf
echo 'use_profile 1' >> /etc/tomoyo/domain_policy.conf

Booting TOMOYO Linux

TOMOYO 1.7.2-2010804

You can use boot parameter CCS=<name> to load profile /etc/ccs/profile-<name>.conf . Without CCS= parameter or <name> is "default", /etc/ccs/profile.conf will be loaded. You can use CCS=ask to let user select from available profiles in /etc/ccs/ at boot time You can use CCS=disable to boot as usual Linux (i.e. without TOMOYO protection). This is just an example:

root=/dev/hda8 ro vga=791 video=neofb:ywrap,mtrr acpi=off CCS=default

TOMOYO 2.2.0

Same as TOMOYO 1.7.2-2010804, except that the policies are loaded from /etc/tomoyo/ directory.

But, be sure to add the security=tomoyo parameter. This is, again, just an example:

root=/dev/hda8 ro vga=791 video=neofb:ywrap,mtrr acpi=off CCS=default security=tomoyo

Configuring Policy to Guard Linux as Needed

Login to the system as root user, and run editpolicy included in TOMOYO Linux tools.

/usr/sbin/ccs-editpolicy

Contents

Download Tools Source: http://jaist.dl.sourceforge.jp/tomoyo/43376/ccs-tools-1.7.2-20100401.tar.gz (for TOMOYO 1.7) http://jaist.dl.sourceforge.jp/tomoyo/41908/tomoyo-tools-2.2.0-20100225.tar.gz (for TOMOYO 2.2)
Download Kernel Patch: http://jaist.dl.sourceforge.jp/tomoyo/43375/ccs-patch-1.7.2-2010804.tar.gz
Installed Directories: /sbin
Installed Programs: ccs-init, tomoyo-init
Installed Libraries:


Installed Directories: /usr/sbin
Installed Programs: ccs-editpolicy, ccs-setlevel, ccs-setprofile, ccs-ccstree, ccs-savepolicy, ccs-auditd, ccs-findtemp, ccs-sortpolicy, ccs-ld-watch, ccs-queryd, ccs-checkpolicy
Installed Libraries:


Installed Directories: /usr/lib/ccs
Installed Programs: tomoyo_init_policy.sh, init_policy.sh, editpolicy, setlevel, setprofile, ccstree, savepolicy, makesyaoranconf, ccs-auditd, ccs-notifyd, findtemp, sortpolicy, ld-watch, ccs-queryd, checkpolicy
Installed Libraries:

Short Descriptions

ccs-editpolicy Edits the current policy in /proc/ccs/ or /sys/kernel/security/tomoyo/ directory
ccs-setlevel Changes the current control level (i.e. writing to /proc/ccs/profile or /sys/kernel/security/tomoyo/profile ) and displays the new control level.
ccs-setprofile Assigns a profile to domains.
ccs-pstree (for TOMOYO 1.7) ccs-ccstree (for TOMOYO 2.2) Lists the domainnames of currently running processes belong to and the profile numbers the domains currently assigned to.
ccs-savepolicy Saves the on-memory policy onto disk.
ccs-auditd Reads from /proc/ccs/grant_log and /proc/ccs/reject_log and writes to the location given in the commandline parameters.
ccs-sortpolicy Remove duplicated entry from logs written by "ccs-auditd".
ccs-findtemp Reads domain policy from standard input and checks the existence of pathnames, and dumps the nonexistent pathnames.
ccs-ld-watch Appends shared libraries to exception policy automatically using "allow_read" directive when the location of shared libraries in /etc/ld.so.cache has changed.
ccs-queryd Detects policy violation and displays the access request. You can tell the system whether the access request should be granted (or granted and policy should be appended to grant the access request) or rejected after you validate the access request.

By running this program while updating packages, you can avoid errors due to insufficient permissions.

Never grant access requests unconditionally. The cause of policy violation is not always updating packages, but may by malicious requests by attackers. If you grant access requests caused by malicious requests by attackers, the system gets intruded.

ccs-checkpolicy Reads policy files from standard input and checks syntaxes.
ccs-init Loads policy files from /etc/ccs/ directory. Put this program as /sbin/ccs-init , and this program will be invoked automatically when execution of /sbin/init is requested by initrd.
tomoyo-init Loads policy files from /etc/tomoyo/ directory. Put this program as /sbin/tomoyo-init , and this program will be invoked automatically when execution of /sbin/init is requested by initrd.
Retrieved from "?title=TOMOYO&oldid=20299"