Difference between revisions of "TOMOYO"

From CBLFS
Jump to navigationJump to search
(We have a format and some simple rules. Next time I'm just gonna delete the page.)
Line 1: Line 1:
 
{|style="text-align: left; background-color: AliceBlue;"
 
{|style="text-align: left; background-color: AliceBlue;"
 +
|-
 +
!Download Source
 +
|http://osdn.dl.sourceforge.jp/tomoyo/27220/ccs-tools-{{CCSTools-Version}}.tar.gz
 
|-
 
|-
 
!Download Patch (for 2.6.22 series Kernel):
 
!Download Patch (for 2.6.22 series Kernel):
Line 13: Line 16:
 
----
 
----
  
{{Package-Introduction|The fundamental concept of TOMOYO Linux is "tracking process invocation history".  TOMOYO Linux splits domains using "process invocation history" and the process transits to a different domain whenever execution of a program (i.e. do_execve()) is requested. By transiting to a different domain whenever execution of a program is requested, each domain will  have the minimal permissions that are essential for processes in that domain to do their  roles.|http://tomoyo.sourceforge.jp/en/2.1.x/
+
{{Package-Introduction|The fundamental concept of TOMOYO Linux is "tracking process invocation history".  TOMOYO Linux splits domains using "process invocation history" and the process transits to a different domain whenever execution of a program (i.e. do_execve()) is requested. By transiting to a different domain whenever execution of a program is requested, each domain will  have the minimal permissions that are essential for processes in that domain to do their  roles.|http://tomoyo.sourceforge.jp/en/2.1.x/}}
http://tomoyo.sourceforge.jp/wiki-e/?WhatIs|http://tomoyo.sourceforge.jp/wiki-e/?WhatIs}}
 
  
 
== Dependencies ==
 
== Dependencies ==
  
 
=== Required ===
 
=== Required ===
* [[OpenSSL]]: needed for mailauth function of TOMOYO tools
 
  
== Non-Multilib or Multilib ==
+
* [[OpenSSL]] needed for mailauth function of TOMOYO tools
 +
 
 +
== Rebuild Kernel ==
  
 
=== 2.6.22 Kernel ===
 
=== 2.6.22 Kernel ===
 
http://tomoyo.sourceforge.jp/wiki-e/?TomoyoOnLFS
 
  
 
Modify the ccs-patch-1.5.0-20070920 patch:
 
Modify the ccs-patch-1.5.0-20070920 patch:
Line 52: Line 53:
 
=== 2.6.23 Kernel ===
 
=== 2.6.23 Kernel ===
  
http://tomoyo.sourceforge.jp/en/lkml-4/
+
Extract the TOMOYO patches to the kernel source directory.
 
 
The latest TOMOYO Linux patch is available at http://svn.sourceforge.jp/svnroot/tomoyo/tags/lkml/4/patches/ . Download it and extract it at the kernel source directory.
 
 
 
$ wget -O tomoyo.tar.gz 'http://svn.sourceforge.jp/cgi-bin/viewcvs.cgi/tags/lkml/4/patches.tar.gz?root=tomoyo&view=tar'
 
$ tar -zxvf tomoyo.tar.gz
 
$ /bin/sh -c 'for i in `cat patches/series`; do patch -p1 < patches/$i; done'
 
 
 
Edit Makefile's EXTRAVERSION= line if you need.
 
 
 
Next, create a kernel config with TOMOYO Linux enabled.
 
  
  $ make -s menuconfig
+
  for i in `cat patches/series`; do patch -p1 < patches/$i; done
  
Go to "Security options" screen and unselect "Default Linux Capabilities", "Root Plug Support", "NSA SELinux Support" and select "TOMOYO Linux support" as shown below.
+
Compile and install a new TOMOYO aware kernel.  Ensure you enable the TOMOYO features.  Go to "Security options" screen and unselect "Default Linux Capabilities", "Root Plug Support", "NSA SELinux Support" and select "TOMOYO Linux support" as shown below.
  
 
  [*] Enable different security models
 
  [*] Enable different security models
Line 74: Line 65:
 
  [*] TOMOYO Linux support
 
  [*] TOMOYO Linux support
  
After creating a kernel config, compile the kernel.
+
= CCS Tools =
 +
 
 +
== Non-Multilib ==
 +
 
 +
Compile the package:
 +
 
 +
make
 +
 
 +
Install the package:
 +
 
 +
make install
 +
 
 +
== Multilib ==
 +
 
 +
=== 32Bit ===
 +
 
 +
Compile the package:
 +
 
 +
make CC="gcc ${BUILD32}"
 +
 
 +
Install the package:
 +
 
 +
make install
 +
 
 +
=== N32 ===
 +
 
 +
Compile the package:
 +
 
 +
sed -i 's@/usr/lib@/usr/lib32@g' Makefile &&
 +
make CC="gcc ${BUILDN32}"
 +
 
 +
Install the package:
 +
 
 +
make install
  
$ make -s
+
=== 64Bit ===
# make -s modules_install install
 
  
Create initrd if you need. Edit /boot/grub/grub.conf or /boot/grub/menu.lst if you need.
+
Compile the package:
  
=== Compiling TOMOYO Linux tools ===
+
sed -i 's@/usr/lib@/usr/lib64@g' Makefile &&
 +
make CC="gcc ${BUILD64}"
  
You can download TOMOYO Linux tools at http://osdn.dl.sourceforge.jp/tomoyo/27220/ccs-tools-1.5.0-20070920.tar.gz . Download it and extract it and compile it. The tools are installed in /usr/lib/ccs .
+
Install the package:
  
  $ wget -O tomoyo-tools.tar.gz 'http://osdn.dl.sourceforge.jp/tomoyo/27220/ccs-tools-1.5.0-20070920.tar.gz'
+
  make install
$ tar -zxf tomoyo-tools.tar.gz
 
$ cd ccstools
 
$ make
 
# make install
 
  
=== Initial Configuration ===
+
== Configuring ==
  
Run tomoyo_init_policy.sh included in TOMOYO Linux tools to perform initial configuration for patch from http://svn.sourceforge.jp/cgi-bin/viewcvs.cgi/tags/lkml/4/patches.tar.gz?root=tomoyo&view=tar.
+
Run tomoyo_init_policy.sh to perform initial configuration for tomoyo patch.
  
  # /usr/lib/ccs/tomoyo_init_policy.sh
+
  /usr/lib/ccs/tomoyo_init_policy.sh
  
 
You will get initial configuration files in /etc/tomoyo/ directory.
 
You will get initial configuration files in /etc/tomoyo/ directory.
  
Run init_policy.sh included in TOMOYO Linux tools to perform initial configuration for patch from http://osdn.dl.sourceforge.jp/tomoyo/27219/ccs-patch-1.5.0-20070920.tar.gz
+
Run init_policy.sh to perform initial configuration for ccs patch
  
  # /usr/lib/ccs/init_policy.sh
+
  /usr/lib/ccs/init_policy.sh
  
 
You will get initial configuration files in /etc/ccs/ directory.
 
You will get initial configuration files in /etc/ccs/ directory.
  
=== Tutorial ===
+
Configure TOMOYO Linux to learn system behavior.
 
 
Before starting tutorial, configure TOMOYO Linux to learn whole system behavior.
 
  
  # echo '<kernel>' > /etc/tomoyo/domain_policy.conf
+
  echo '<kernel>' > /etc/tomoyo/domain_policy.conf
  # echo 'use_profile 1' >> /etc/tomoyo/domain_policy.conf
+
  echo 'use_profile 1' >> /etc/tomoyo/domain_policy.conf
  
 
When you boot with TOMOYO Linux kernel, you will see the following message when /sbin/init is about to start.
 
When you boot with TOMOYO Linux kernel, you will see the following message when /sbin/init is about to start.
Line 122: Line 140:
 
Login to the system as root user, and run editpolicy included in TOMOYO Linux tools.
 
Login to the system as root user, and run editpolicy included in TOMOYO Linux tools.
  
  # /usr/lib/ccs/editpolicy
+
  /usr/lib/ccs/editpolicy
 +
 
 +
== Contents ==
 +
 
 +
{| style="text-align: left;"
 +
|-valign="top"
 +
!Installed Directories:
 +
|/usr/lib/ccs
 +
|-valign="top"
 +
!Installed Programs:
 +
|tomoyo_init_policy.sh, init_policy.sh
 +
|-valign="top"
 +
!Installed Libraries:
 +
|
 +
|}
 +
 
 +
=== Short Descriptions ===
 +
 
 +
{| style="text-align: left;"
 +
|-valign="top"
 +
!
 +
|
 +
|-valign="top"
 +
!
 +
|
 +
|-valign="top"
 +
!
 +
|
 +
|}

Revision as of 20:01, 12 October 2007


Introduction to TOMOYO

The fundamental concept of TOMOYO Linux is "tracking process invocation history". TOMOYO Linux splits domains using "process invocation history" and the process transits to a different domain whenever execution of a program (i.e. do_execve()) is requested. By transiting to a different domain whenever execution of a program is requested, each domain will have the minimal permissions that are essential for processes in that domain to do their roles.

Project Homepage: http://tomoyo.sourceforge.jp/en/2.1.x/

Dependencies

Required

  • OpenSSL needed for mailauth function of TOMOYO tools

Rebuild Kernel

2.6.22 Kernel

Modify the ccs-patch-1.5.0-20070920 patch:

8<=========== change for version ============>8
-EXTRAVERSION = .9-cfs-v22
+EXTRAVERSION = .9-cfs-v22-ccs
8<=========== chang for CFS v22 patch http://lkml.org/lkml/2007/9/26/97 ============>8
@@ -64,5 +64,8 @@
#include <asm/tlb.h>
+/***** TOMOYO Linux start. *****/
+#include <linux/tomoyo.h>
+/***** TOMOYO Linux end. *****/
/*
* Scheduler clock - returns current time in nanosec units.
@@ -4060,6 +4063,9 @@ int can_nice(const struct task_struct *p
8<=======================>8

Patch the kernel source:

patch -p1 -i ../sched-cfs-v2.6.22.9-v22.patch &&
patch -p1 -i ccs-patch-2.6.22.txt

Compile and install a new TOMOYO aware kernel. Ensure you enable the TOMOYO features.

2.6.23 Kernel

Extract the TOMOYO patches to the kernel source directory.

for i in `cat patches/series`; do patch -p1 < patches/$i; done

Compile and install a new TOMOYO aware kernel. Ensure you enable the TOMOYO features. Go to "Security options" screen and unselect "Default Linux Capabilities", "Root Plug Support", "NSA SELinux Support" and select "TOMOYO Linux support" as shown below.

[*] Enable different security models
< >   Default Linux Capabilities
< >   Root Plug Support
[ ] NSA SELinux Support
[*] TOMOYO Linux support

CCS Tools

Non-Multilib

Compile the package:

make

Install the package:

make install

Multilib

32Bit

Compile the package:

make CC="gcc ${BUILD32}"

Install the package:

make install

N32

Compile the package:

sed -i 's@/usr/lib@/usr/lib32@g' Makefile &&
make CC="gcc ${BUILDN32}"

Install the package:

make install

64Bit

Compile the package:

sed -i 's@/usr/lib@/usr/lib64@g' Makefile &&
make CC="gcc ${BUILD64}"

Install the package:

make install

Configuring

Run tomoyo_init_policy.sh to perform initial configuration for tomoyo patch.

/usr/lib/ccs/tomoyo_init_policy.sh

You will get initial configuration files in /etc/tomoyo/ directory.

Run init_policy.sh to perform initial configuration for ccs patch

/usr/lib/ccs/init_policy.sh

You will get initial configuration files in /etc/ccs/ directory.

Configure TOMOYO Linux to learn system behavior.

echo '<kernel>' > /etc/tomoyo/domain_policy.conf
echo 'use_profile 1' >> /etc/tomoyo/domain_policy.conf

When you boot with TOMOYO Linux kernel, you will see the following message when /sbin/init is about to start.

TOMOYO Linux: Enter 'disable' within 10 seconds to disable         
TOMOYO Linux.
TOMOYO Linux>

If you press 'Enter' key or wait for 10 seconds, TOMOYO Linux gets enabled and policy is loaded. If you have trouble such as unable to login because of inappropriate TOMOYO Linux configuration, enter "disable" and press 'Enter' key to disable TOMOYO Linux.

Login to the system as root user, and run editpolicy included in TOMOYO Linux tools.

/usr/lib/ccs/editpolicy

Contents

Download Source http://osdn.dl.sourceforge.jp/tomoyo/27220/ccs-tools-Template:CCSTools-Version.tar.gz
Download Patch (for 2.6.22 series Kernel): http://people.redhat.com/mingo/cfs-scheduler/sched-cfs-v2.6.22.9-v22.patch
Download Patch (TOMOYO 1.5 for 2.6.22 or 2.6.23 Kernel): http://osdn.dl.sourceforge.jp/tomoyo/27219/ccs-patch-1.5.0-20070920.tar.gz
Download Patch (TOMOYO 2.1 for 2.6.23 series Kernel): http://svn.sourceforge.jp/cgi-bin/viewcvs.cgi/tags/lkml/4/patches.tar.gz?root=tomoyo&view=tar
Installed Directories: /usr/lib/ccs
Installed Programs: tomoyo_init_policy.sh, init_policy.sh
Installed Libraries:

Short Descriptions

Retrieved from "?title=TOMOYO&oldid=11490"