Difference between revisions of "TOMOYO"

From CBLFS
Jump to navigationJump to search
(Tried to make it look presentable and fit the template.)
Line 1: Line 1:
[http://tomoyo.sourceforge.jp/wiki-e/?TomoyoOnLFS install for kernel 2.6.22.x]
+
{|style="text-align: left; background-color: AliceBlue;"
[http://tomoyo.sourceforge.jp/en/2.1.x/ install for kernel 2.6.23.x]
+
|-
 +
!Download Patch (for 2.6.22 series Kernel):
 +
|http://people.redhat.com/mingo/cfs-scheduler/sched-cfs-v2.6.22.9-v22.patch
 +
|-
 +
!Download Patch (for 2.6.22 series Kernel):
 +
|http://osdn.dl.sourceforge.jp/tomoyo/27219/ccs-patch-1.5.0-20070920.tar.gz
 +
|-
 +
!Download Patch (for 2.6.23 series Kernel):
 +
|http://svn.sourceforge.jp/cgi-bin/viewcvs.cgi/trunk/2.1.x/tomoyo-lsm/patches.tar.gz?root=tomoyo&view=tar
 +
|}
  
[http://tomoyo.sourceforge.jp/wiki-e/?WhatIs What is TOMOYO Linux?]
+
----
  
 +
{{Package-Introduction|The fundamental concept of TOMOYO Linux is "tracking process invocation history".  TOMOYO Linux splits domains using "process invocation history" and the process transits to a different domain whenever execution of a program (i.e. do_execve()) is requested. By transiting to a different domain
 +
whenever execution of a program is requested, each domain will have the minimal permissions that are essential for processes in that domain to do their roles.|http://tomoyo.sourceforge.jp/en/2.1.x/}}
  
 +
== Dependencies ==
  
The fundamental concept of TOMOYO Linux is "tracking process
+
=== Required ===
invocation history".
+
* [[bc]]
 +
* [[OpenSSL]]
 +
* [[ccs-tools]]
 +
* [[tomoyo-tools]]
  
The "struct task_struct"->security member holds a pointer to the
+
== Non-Multilib or Multilib ==
"process invocation history". Thus, every process (the kernel,
 
/sbin/init process and any children/descendant of /sbin/init) knows
 
its "process invocation history" (or ancestors). Since every process
 
knows its ancestors, TOMOYO Linux can enforce access control over all
 
processes.
 
  
TOMOYO Linux splits domains using "process invocation history" and the
+
=== 2.6.22 Kernel ===
process transits to a different domain whenever execution of a program
 
(i.e. do_execve()) is requested. By transiting to a different domain
 
whenever execution of a program is requested, each domain will have
 
the minimal permissions that are essential for processes in that
 
domain to do their roles.
 
  
You don't need to define domains beforehand. TOMOYO Linux kernel will
+
Modify the ccs-patch-1.5.0-20070920 patch:
automatically define new domains whenever execution of a program is
 
requested, and the process will automatically transit to the new
 
domain. (If the process's domain is in enforcing mode, TOMOYO Linux
 
kernel will not define new domains to avoid memory consumption attack.)
 
  
TOMOYO Linux can restrict the following requests on a per-a-domain basis:
+
8<=========== change for version ============>8
 +
-EXTRAVERSION = .9-cfs-v22
 +
+EXTRAVERSION = .9-cfs-v22-ccs
 +
8<=========== chang for CFS v22 patch http://lkml.org/lkml/2007/9/26/97 ============>8
 +
@@ -64,5 +64,8 @@
 +
#include <asm/tlb.h>
 +
+/***** TOMOYO Linux start. *****/
 +
+#include <linux/tomoyo.h>
 +
+/***** TOMOYO Linux end. *****/
 +
/*
 +
* Scheduler clock - returns current time in nanosec units.
 +
@@ -4060,6 +4063,9 @@ int can_nice(const struct task_struct *p
 +
8<=======================>8
  
    * opening files
+
Patch the kernel source:
    * communicating via PF_INET sockets
 
    * sending signals
 
  
TOMOYO Linux can also restrict the following namespace manipulation requests.
+
patch -p1 -i ../sched-cfs-v2.6.22.9-v22.patch &&
 +
patch -p1 -i ccs-patch-2.6.22.txt
  
    * mounting filesystems
+
Compile and install a new TOMOYO aware kernel.  Ensure you enable the TOMOYO features.
    * unmounting filesystems
 
    * using pivot_root
 
  
 +
=== 2.6.23 Kernel ===
  
<<Example>>
+
Apply the patches to the kernel source:
  
The tree below shows a part of domain transitions generated using
+
for i in `cat patches/series`; do
Debian Etch. The domain a process is in is determined based on the
+
    patch -p1 < patches/$i;
process's "process invocation history". Each domain has permissions
+
done
(or ACL), and the behavior (or requests shown above) of a process is
 
restricted by the ACL of the domain that the process is in.
 
  
    <kernel>
+
Compile and install a new TOMOYO aware kernel. Ensure you enable the TOMOYO features.  Go to "Security options" screen and unselect "Default Linux Capabilities", "Root Plug Support", "NSA SELinux Support" and select "TOMOYO Linux support".
      + /sbin/init
 
          + /etc/init.d/rc
 
              + /etc/init.d/apache2
 
                  + /usr/bin/env
 
                      + /usr/sbin/apache2ctl
 
                          + /usr/sbin/apache2
 
  
You can assign different access control modes (or profiles) on a
+
[*] Enable different security models
per-a-domain basis. Thus, you can enforce access control partially or
+
    < >   Default Linux Capabilities
entirely. Also, by assigning "learning mode" to a domain, ACL that are
+
    < >  Root Plug Support
requested by processes in that domain are automatically (i.e. in
+
[ ] NSA SELinux Support
real-time) accumulated. The following ACL are an excerpt from
+
[*] TOMOYO Linux support
/usr/sbin/apache2 domain generated using "learning mode".
 
 
 
    4 /etc/apache2/apache2.conf
 
    4 /var/www/apache2-default/index.html
 
    allow_create /var/run/apache2.pid
 
    allow_unlink /var/run/apache2.pid
 
    allow_network TCP bind 192.168.1.135 80
 
    allow_network TCP listen 192.168.1.135 80
 
    allow_network TCP accept 192.168.1.1 2389
 
 
 
The above ACL allows Apache to do the following behavior.
 
 
 
    * Opening /etc/apache2/apache2.conf and
 
      /var/www/apache2-default/index.html for reading.
 
    * Creating and deleting /var/run/apache2.pid .
 
    * Binding to local address (IP = 192.168.1.135, port = 80).
 
    * Listening at local address (IP = 192.168.1.135, port = 80).
 
    * Accepting from remote address (IP = 192.168.1.1, port = 2389).
 
 
 
You may use wildcards for pathnames, ranges for IP addresses and port
 
numbers, groups of pathnames and IP addresses for flexible definition.
 
 
 
 
 
<<Features of TOMOYO Linux.>>
 
 
 
TOMOYO Linux is an implementation of MAC, but you can use TOMOYO Linux
 
not only for MAC, but also to analyze a system's behavior, since
 
TOMOYO Linux can accumulate access requests raised by applications
 
sorted by each "process invocation history".
 
 
 
TOMOYO Linux and AppArmor are alike from the point of view of pathname
 
based access control, but TOMOYO Linux has differences in the
 
following points:
 
 
 
    * TOMOYO Linux can apply access control over the whole process
 
      (from the execution of /sbin/init at the startup procedure,
 
      till the power failure at the shutdown procedure).
 
    * TOMOYO Linux can apply access control not only over files but
 
      also over networking, signals, namespace manipulations.
 
    * TOMOYO Linux can accumulate ACL in real-time using
 
      "learning mode".
 
 
 
    * TOMOYO Linux allows the administrator to switch the access
 
      control mode on a per-domain and per-functionality basis.
 
    * TOMOYO Linux allows the administrator to judge (grant/reject)
 
      requests which that violated ACL manually while operating in
 
      "enforcing mode" without once rejecting these requests.
 
    * TOMOYO Linux supports conditional ACL (e.g. owner of
 
      process/files etc.).
 
 
 
Documents about installing and experiencing TOMOYO Linux are available
 
at [http://tomoyo.sourceforge.jp/en/2.1.x/ http://tomoyo.sourceforge.jp/en/2.1.x/] . Please try TOMOYO Linux.
 
Feedbacks are most welcome.
 

Revision as of 06:01, 6 October 2007

Download Patch (for 2.6.22 series Kernel): http://people.redhat.com/mingo/cfs-scheduler/sched-cfs-v2.6.22.9-v22.patch
Download Patch (for 2.6.22 series Kernel): http://osdn.dl.sourceforge.jp/tomoyo/27219/ccs-patch-1.5.0-20070920.tar.gz
Download Patch (for 2.6.23 series Kernel): http://svn.sourceforge.jp/cgi-bin/viewcvs.cgi/trunk/2.1.x/tomoyo-lsm/patches.tar.gz?root=tomoyo&view=tar

Introduction to TOMOYO

The fundamental concept of TOMOYO Linux is "tracking process invocation history". TOMOYO Linux splits domains using "process invocation history" and the process transits to a different domain whenever execution of a program (i.e. do_execve()) is requested. By transiting to a different domain whenever execution of a program is requested, each domain will have the minimal permissions that are essential for processes in that domain to do their roles.

Project Homepage: http://tomoyo.sourceforge.jp/en/2.1.x/

Dependencies

Required

Non-Multilib or Multilib

2.6.22 Kernel

Modify the ccs-patch-1.5.0-20070920 patch:

8<=========== change for version ============>8
-EXTRAVERSION = .9-cfs-v22
+EXTRAVERSION = .9-cfs-v22-ccs
8<=========== chang for CFS v22 patch http://lkml.org/lkml/2007/9/26/97 ============>8
@@ -64,5 +64,8 @@
#include <asm/tlb.h>
+/***** TOMOYO Linux start. *****/
+#include <linux/tomoyo.h>
+/***** TOMOYO Linux end. *****/
/*
* Scheduler clock - returns current time in nanosec units.
@@ -4060,6 +4063,9 @@ int can_nice(const struct task_struct *p
8<=======================>8

Patch the kernel source:

patch -p1 -i ../sched-cfs-v2.6.22.9-v22.patch &&
patch -p1 -i ccs-patch-2.6.22.txt

Compile and install a new TOMOYO aware kernel. Ensure you enable the TOMOYO features.

2.6.23 Kernel

Apply the patches to the kernel source:

for i in `cat patches/series`; do
    patch -p1 < patches/$i;
done

Compile and install a new TOMOYO aware kernel. Ensure you enable the TOMOYO features. Go to "Security options" screen and unselect "Default Linux Capabilities", "Root Plug Support", "NSA SELinux Support" and select "TOMOYO Linux support".

[*] Enable different security models
    < >   Default Linux Capabilities
    < >   Root Plug Support
[ ] NSA SELinux Support
[*] TOMOYO Linux support
Retrieved from "?title=TOMOYO&oldid=11347"