Difference between revisions of "TOMOYO"

From CBLFS
(add TOMOYO 1.5 for kernel 2.3)
(more configuration details)
Line 133: Line 133:
 
== Configuring ==
 
== Configuring ==
  
Run tomoyo_init_policy.sh to perform initial configuration for tomoyo patch.
+
=== Configuring TOMOYO 2.x ===
 
 
/usr/lib/ccs/tomoyo_init_policy.sh
 
 
 
You will get initial configuration files in /etc/tomoyo/ directory.
 
  
 
Run init_policy.sh to perform initial configuration for ccs patch
 
Run init_policy.sh to perform initial configuration for ccs patch
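Review bot: the added heading "=== Configuring TOMOYO 2.x ===" lands directly above the unchanged line "Run init_policy.sh to perform initial configuration for ccs patch", so the ccs-patch setup that writes to /etc/ccs/ is now labelled as 2.x, and the following hunk adds a second section with the same "=== Configuring TOMOYO 2.x ===" heading. The edit summary says this revision adds TOMOYO 1.5, so the first heading should name that release and leave the 2.x heading for the tomoyo_init_policy.sh section only.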
Line 144: Line 140:
  
 
You will get initial configuration files in /etc/ccs/ directory.
 
You will get initial configuration files in /etc/ccs/ directory.
 +
 +
=== Configuring TOMOYO 2.x ===
 +
 +
Run tomoyo_init_policy.sh to perform initial configuration for TOMOYO 2.x.
 +
 +
/usr/lib/ccs/tomoyo_init_policy.sh
 +
 +
You will get initial configuration files in /etc/tomoyo/ directory.
 +
 +
=== Configuring TOMOYO learning mode ===
  
 
Configure TOMOYO Linux to learn system behavior.
 
Configure TOMOYO Linux to learn system behavior.
Line 149: Line 155:
 
  echo '<kernel>' > /etc/tomoyo/domain_policy.conf
 
  echo '<kernel>' > /etc/tomoyo/domain_policy.conf
 
  echo 'use_profile 1' >> /etc/tomoyo/domain_policy.conf
 
  echo 'use_profile 1' >> /etc/tomoyo/domain_policy.conf
 +
 +
== Start Your TOMOYO LFS ==
  
 
When you boot with TOMOYO Linux kernel, you will see the following message when /sbin/init is about to start.
 
When you boot with TOMOYO Linux kernel, you will see the following message when /sbin/init is about to start.
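Review bot: the new "== Start Your TOMOYO LFS ==" heading closes the learning-mode section straight after the two echo lines, and those lines only write /etc/tomoyo/domain_policy.conf, while this revision also documents a ccs-patch setup that generates its files in /etc/ccs/. The section should say which install the commands apply to. The first command uses ">" and so replaces any existing domain policy; say so, or tell the reader to back the file up first.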
Line 157: Line 165:
  
 
If you press 'Enter' key or wait for 10 seconds, TOMOYO Linux gets enabled and policy is loaded. If you have trouble such as unable to login because of inappropriate TOMOYO Linux configuration, enter "disable" and press 'Enter' key to disable TOMOYO Linux.
 
If you press 'Enter' key or wait for 10 seconds, TOMOYO Linux gets enabled and policy is loaded. If you have trouble such as unable to login because of inappropriate TOMOYO Linux configuration, enter "disable" and press 'Enter' key to disable TOMOYO Linux.
 +
 +
grub menu can use CCS=default to boot using default policy without waiting.
 +
 +
root=/dev/hda8 ro vga=791 video=neofb:ywrap,mtrr acpi=off CCS=default
 +
 +
newer version of /sbin/{ccs,tomoyo}-init from
 +
http://svn.sourceforge.jp/cgi-bin/viewcvs.cgi?rev=580&root=tomoyo&view=rev
 +
can be used, and with CCS=ask to let user select from available policies at boot time.
 +
 +
== Configuring policy as you wish ==
  
 
Login to the system as root user, and run editpolicy included in TOMOYO Linux tools.
 
Login to the system as root user, and run editpolicy included in TOMOYO Linux tools.
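Review bot: the added CCS=default sentence says the system boots "without waiting", which skips the 10-second prompt that the unchanged paragraph just above gives as the way to recover from a policy that blocks login. Suggest telling readers to keep a second GRUB entry without CCS=default so that "disable" can still be entered. The /sbin/{ccs,tomoyo}-init sentence links to a repository revision view (rev=580) without saying which file to fetch or where to install it, and the "root=/dev/hda8 ... CCS=default" line should be introduced as kernel command-line parameters.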

Revision as of 07:00, 16 October 2007


Introduction to TOMOYO

The fundamental concept of TOMOYO Linux is "tracking process invocation history". TOMOYO Linux splits domains by process invocation history, and a process transitions to a different domain whenever execution of a program (i.e. do_execve()) is requested. Because a process moves to a different domain on every program execution, each domain holds only the minimal permissions that the processes in that domain need to do their job.

Project Homepage: http://tomoyo.sourceforge.jp/en/2.1.x/

Dependencies

Required

  • OpenSSL needed for mailauth function of TOMOYO tools

Rebuild Kernel

2.6.22 Kernel and TOMOYO 1.5

Extract the TOMOYO 1.5 patches to the kernel source directory.

cd linux-2.6.22.9
wget http://osdn.dl.sourceforge.jp/tomoyo/27219/ccs-patch-1.5.0-20070920.tar.gz
tar xvf ccs-patch-1.5.0-20070920.tar.gz

Modify the ccs-patch-1.5.0-20070920 patch:

8<=========== change for version ============>8
-EXTRAVERSION = .9-cfs-v22
+EXTRAVERSION = .9-cfs-v22-ccs
8<=========== chang for CFS v22 patch http://lkml.org/lkml/2007/9/26/97 ============>8
@@ -64,5 +64,8 @@
#include <asm/tlb.h>
+/***** TOMOYO Linux start. *****/
+#include <linux/tomoyo.h>
+/***** TOMOYO Linux end. *****/
/*
* Scheduler clock - returns current time in nanosec units.
@@ -4060,6 +4063,9 @@ int can_nice(const struct task_struct *p
8<=======================>8
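Review bot: the second hunk header "@@ -4060,6 +4063,9 @@ int can_nice(const struct task_struct *p" is shown with no body, and the EXTRAVERSION change above it has no file header or @@ line, so a reader cannot tell which file from the tarball to edit or what the adjusted hunk should contain. Name the file being modified (the next step applies ccs-patch-2.6.22.txt) and show each adjusted hunk in full, including the lines that follow the can_nice header.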

Patch the kernel source:

patch -p1 -i ../sched-cfs-v2.6.22.9-v22.patch &&
patch -p1 -i ccs-patch-2.6.22.txt

Compile and install a new TOMOYO aware kernel. Ensure you enable the TOMOYO features.

2.6.23 Kernel and TOMOYO 1.5

TOMOYO 1.5 has some features, such as control of network and mount operations, that are not currently available in TOMOYO 2.x, so TOMOYO 1.5 is a better choice than TOMOYO 2.x.

Extract the TOMOYO 1.5 patches to the kernel source directory.

cd linux-2.6.23
wget http://osdn.dl.sourceforge.jp/tomoyo/27219/ccs-patch-1.5.0-20070920.tar.gz
tar xvf ccs-patch-1.5.0-20070920.tar.gz
patch -p1 -i ccs-patch-2.6.23-rc7.txt

Compile and install a new TOMOYO aware kernel. Ensure you enable the TOMOYO features.

2.6.23 Kernel and TOMOYO 2.x

Extract the TOMOYO 2.x patches to the kernel source directory.

# Apply the patches in series order and stop at the first one that fails
for i in $(cat patches/series); do patch -p1 < "patches/$i" || break; done

Compile and install a new TOMOYO aware kernel. Ensure you enable the TOMOYO features: go to the "Security options" screen, deselect "Default Linux Capabilities", "Root Plug Support" and "NSA SELinux Support", and select "TOMOYO Linux support" as shown below.

[*] Enable different security models
< >   Default Linux Capabilities
< >   Root Plug Support
[ ] NSA SELinux Support
[*] TOMOYO Linux support

CCS Tools

Non-Multilib

Compile the package:

make

Install the package:

make install

Multilib

32Bit

Compile the package:

make CC="gcc ${BUILD32}"

Install the package:

make install

N32

Compile the package:

sed -i 's@/usr/lib@/usr/lib32@g' Makefile &&
make CC="gcc ${BUILDN32}"

Install the package:

make install

64Bit

Compile the package:

sed -i 's@/usr/lib@/usr/lib64@g' Makefile &&
make CC="gcc ${BUILD64}"

Install the package:

make install

Configuring

Configuring TOMOYO 2.x

Run init_policy.sh to perform the initial configuration for the ccs patch.

/usr/lib/ccs/init_policy.sh

You will get initial configuration files in the /etc/ccs/ directory.

Configuring TOMOYO 2.x

Run tomoyo_init_policy.sh to perform the initial configuration for TOMOYO 2.x.

/usr/lib/ccs/tomoyo_init_policy.sh

You will get initial configuration files in the /etc/tomoyo/ directory.

Configuring TOMOYO learning mode

Configure TOMOYO Linux to learn system behavior.

echo '<kernel>' > /etc/tomoyo/domain_policy.conf
echo 'use_profile 1' >> /etc/tomoyo/domain_policy.conf
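
The check below is an added example, not part of the original page or of the TOMOYO tools: it reads a domain_policy.conf, reports each domain with its use_profile value, and lists the domains that are not yet on the enforcing profile. The sample policy is constructed; only `<kernel>` and `use_profile` come from the page, and treating profile 3 as the enforcing profile is an assumption about your profile table.

```shell
#!/bin/sh
# Constructed sample policy (not from a real system). A domain line starts with
# <kernel> followed by the chain of programs executed to reach that domain.
# The allow_read lines are placeholders; this script does not interpret them.
sample_policy() {
cat <<'EOF'
<kernel>
use_profile 1

<kernel> /sbin/init
use_profile 1
allow_read /etc/inittab

<kernel> /sbin/init /usr/sbin/sshd
use_profile 3
allow_read /etc/ssh/sshd_config

<kernel> /sbin/init /usr/sbin/sshd /bin/bash
allow_read /etc/profile
EOF
}

# Read a policy on stdin; print "<profile><TAB><domain>" for every domain.
# A domain with no use_profile line is reported as "unset".
list_domain_profiles() {
    awk '
        function emit() { if (domain != "") printf "%s\t%s\n", profile, domain }
        /^<kernel>/ { emit(); domain = $0; profile = "unset"; next }
        $1 == "use_profile" && domain != "" { profile = $2 }
        END { emit() }
    '
}

# Print the domains whose profile is not $1.
domains_not_in() {
    list_domain_profiles | awk -F '\t' -v want="$1" '$1 != want { print $2 }'
}

# Count the domains on profile 1, the learning profile used on this page.
count_learning() {
    list_domain_profiles | awk -F '\t' '$1 == "1"' | wc -l | tr -d ' '
}

# Assumption: profile 3 is the enforcing profile; override if yours differs.
ENFORCING_PROFILE=${ENFORCING_PROFILE:-3}
# Audit the file named in $1, or the constructed sample when no file is given.
if [ -n "${1:-}" ]; then domains_not_in "$ENFORCING_PROFILE" < "$1"
else sample_policy | domains_not_in "$ENFORCING_PROFILE"; fi
```

Run it against a copy of the policy after the learning period; every domain it prints would still accept behaviour the policy does not list.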

Start Your TOMOYO LFS

When you boot with TOMOYO Linux kernel, you will see the following message when /sbin/init is about to start.

TOMOYO Linux: Enter 'disable' within 10 seconds to disable         
TOMOYO Linux.
TOMOYO Linux>

If you press the 'Enter' key or wait for 10 seconds, TOMOYO Linux is enabled and the policy is loaded. If you run into trouble, such as being unable to log in because of an inappropriate TOMOYO Linux configuration, enter "disable" and press the 'Enter' key to disable TOMOYO Linux.

The GRUB menu entry can pass CCS=default on the kernel command line to boot using the default policy without waiting.

root=/dev/hda8 ro vga=791 video=neofb:ywrap,mtrr acpi=off CCS=default

A newer version of /sbin/{ccs,tomoyo}-init from http://svn.sourceforge.jp/cgi-bin/viewcvs.cgi?rev=580&root=tomoyo&view=rev can be used; with CCS=ask it lets the user select from the available policies at boot time.

Configuring policy as you wish

Log in to the system as the root user and run editpolicy, which is included in the TOMOYO Linux tools.

/usr/lib/ccs/editpolicy

Contents

Download Source http://osdn.dl.sourceforge.jp/tomoyo/27220/ccs-tools-Template:CCSTools-Version.tar.gz
Download Patch (for 2.6.22 series Kernel): http://people.redhat.com/mingo/cfs-scheduler/sched-cfs-v2.6.22.9-v22.patch
Download Patch (TOMOYO 1.5 for 2.6.22 or 2.6.23 Kernel): http://osdn.dl.sourceforge.jp/tomoyo/27219/ccs-patch-1.5.0-20070920.tar.gz
Download Patch (TOMOYO 2.1 for 2.6.23 series Kernel): http://svn.sourceforge.jp/cgi-bin/viewcvs.cgi/tags/lkml/4/patches.tar.gz?root=tomoyo&view=tar
Installed Directories: /usr/lib/ccs
Installed Programs: tomoyo_init_policy.sh, init_policy.sh, editpolicy, editpolicy_offline, setlevel, setprofile, ccstree, savepolicy, makesyaoranconf, ccs-auditd, findtemp, sortpolicy, ld-watch, ccs-queryd, checkpolicy, /sbin/{ccs,tomoyo}-init
Installed Libraries:

Short Descriptions

editpolicy Edits the current policy in the /proc/ccs/ directory.
editpolicy_offline Edits the policy in /etc/ccs/ directory.
setlevel Changes the current control level (i.e. writes to /proc/ccs/profile) and displays the new control level.
setprofile Assigns a profile to domains.
ccstree Lists the domain names that currently running processes belong to and the profile numbers currently assigned to those domains.
savepolicy Saves the on-memory policy onto disk.
makesyaoranconf Generates syaoran.conf, the configuration file for SYAORAN (the Tamper-Proof /dev filesystem). You can use the SYAORAN filesystem if you want to run the system with a read-only root fs or you want to protect device files from tampering.
ccs-auditd Reads from /proc/ccs/grant_log and /proc/ccs/reject_log and writes to the location given in the commandline parameters.
sortpolicy Removes duplicated entries from logs written by "ccs-auditd".
findtemp Reads domain policy from standard input and checks the existence of pathnames, and dumps the nonexistent pathnames.
ld-watch Appends shared libraries to exception policy automatically using "allow_read" directive when the location of shared libraries in /etc/ld.so.cache has changed.
ccs-queryd Detects policy violation and displays the access request. You can tell the system whether the access request should be granted (or granted and policy should be appended to grant the access request) or rejected after you validate the access request.

By running this program while updating packages, you can avoid errors due to insufficient permissions.

Never grant access requests unconditionally. The cause of a policy violation is not always a package update; it may be a malicious request by an attacker. If you grant access requests caused by an attacker, the system will be compromised.

To enable "delayed enforcing mode", you need to either set "ALLOW_ENFORCE_GRACE=1" in /proc/ccs/profile using "setlevel" command or assign a profile whose ALLOW_ENFORCE_GRACE is set to 1 to domains using "setprofile" command.

checkpolicy Reads policy files from standard input and checks their syntax.
ccs-init Loads policy files from /etc/ccs/ directory.

Install this program as /sbin/ccs-init, and it will be invoked automatically when execution of /sbin/init is requested by initrd.

Retrieved from "?title=TOMOYO&oldid=11583"