TOMOYO
Introduction to TOMOYO
The fundamental concept of TOMOYO Linux is "tracking process invocation history". TOMOYO Linux splits domains by process invocation history: a process transits to a different domain whenever execution of a program (i.e. do_execve()) is requested. Because every program execution moves the process into its own domain, each domain can be granted only the minimal permissions that processes in that domain need to do their roles.
Project Homepage: http://tomoyo.sourceforge.jp/en/2.1.x/
Dependencies
Required
- OpenSSL is needed for the mailauth function of the TOMOYO tools
Rebuild Kernel
2.6.22 Kernel
Modify the ccs-patch-1.5.0-20070920 patch:
8<=========== change for version ============>8 -EXTRAVERSION = .9-cfs-v22 +EXTRAVERSION = .9-cfs-v22-ccs 8<=========== chang for CFS v22 patch http://lkml.org/lkml/2007/9/26/97 ============>8 @@ -64,5 +64,8 @@ #include <asm/tlb.h> +/***** TOMOYO Linux start. *****/ +#include <linux/tomoyo.h> +/***** TOMOYO Linux end. *****/ /* * Scheduler clock - returns current time in nanosec units. @@ -4060,6 +4063,9 @@ int can_nice(const struct task_struct *p 8<=======================>8
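Review bot: the second hunk header `@@ -4060,6 +4063,9 @@ int can_nice(const struct task_struct *p` is shown without its body, so the three lines it adds to can_nice() are not visible here; anyone adjusting ccs-patch-2.6.22.txt by hand for the CFS v22 tree needs the complete hunk, not just the header. The separator `chang for CFS v22 patch` also has a typo (`change`).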
Patch the kernel source:
patch -p1 -i ../sched-cfs-v2.6.22.9-v22.patch && patch -p1 -i ccs-patch-2.6.22.txt
Compile and install a new TOMOYO-aware kernel. Ensure you enable the TOMOYO features.
2.6.23 Kernel
Extract the TOMOYO patches to the kernel source directory.
for i in `cat patches/series`; do patch -p1 < patches/$i; done
Compile and install a new TOMOYO-aware kernel. Ensure you enable the TOMOYO features: go to the "Security options" screen, unselect "Default Linux Capabilities", "Root Plug Support" and "NSA SELinux Support", and select "TOMOYO Linux support" as shown below.
[*] Enable different security models
< > Default Linux Capabilities
< > Root Plug Support
[ ] NSA SELinux Support
[*] TOMOYO Linux support
CCS Tools
Non-Multilib
Compile the package:
make
Install the package:
make install
Multilib
32Bit
Compile the package:
make CC="gcc ${BUILD32}"
Install the package:
make install
N32
Compile the package:
sed -i 's@/usr/lib@/usr/lib32@g' Makefile && make CC="gcc ${BUILDN32}"
Install the package:
make install
64Bit
Compile the package:
sed -i 's@/usr/lib@/usr/lib64@g' Makefile && make CC="gcc ${BUILD64}"
Install the package:
make install
Configuring
Run tomoyo_init_policy.sh to perform the initial configuration for the TOMOYO patch.
/usr/lib/ccs/tomoyo_init_policy.sh
You will get initial configuration files in /etc/tomoyo/ directory.
Run init_policy.sh to perform the initial configuration for the CCS patch.
/usr/lib/ccs/init_policy.sh
You will get initial configuration files in /etc/ccs/ directory.
Configure TOMOYO Linux to learn system behavior by assigning the learning profile (profile 1) to the <kernel> domain:
echo '<kernel>' > /etc/tomoyo/domain_policy.conf
echo 'use_profile 1' >> /etc/tomoyo/domain_policy.conf
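As an added illustration of the "process invocation history" model and of the use_profile setting above (this is not code from the original page or from the TOMOYO project), the Python script below parses a small constructed domain_policy.conf in the <kernel>-rooted format shown here, checks that every domain's parent chain exists, and lists the domains still on profile 1 (learning mode) so an administrator can see what is not yet being enforced. The allow_read line and the profile 3 value in the sample are constructed examples, not taken from the page.

```python
"""Audit a TOMOYO 1.5/2.1-style domain_policy.conf (constructed sample, not a live policy)."""

# Constructed sample in the <kernel>-rooted format shown on the page: each domain
# name is the chain of programs executed to reach it, followed by its directives.
SAMPLE_POLICY = """\
<kernel>
use_profile 1

<kernel> /sbin/init
use_profile 1

<kernel> /sbin/init /usr/sbin/sshd
use_profile 3
allow_read /etc/ssh/sshd_config

<kernel> /sbin/init /usr/sbin/httpd /bin/sh
use_profile 1
"""

def parse_domains(text):
    """Map each domain name to {'profile': int or None, 'acls': [directive lines]}."""
    domains, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if line.startswith("<kernel>"):              # header = process invocation history
            current = line
            domains[current] = {"profile": None, "acls": []}
        elif line.startswith("use_profile "):
            domains[current]["profile"] = int(line.split()[1])
        else:
            domains[current]["acls"].append(line)
    return domains

def parent_of(domain):
    """The domain one execve() shorter in the history; <kernel> itself has no parent."""
    parts = domain.split()
    return " ".join(parts[:-1]) if len(parts) > 1 else None

def audit(text):
    """Return (orphans, learning): domains whose parent is missing, so no recorded invocation
    history reaches them, and domains still on profile 1 (learning, as set on the page)."""
    domains = parse_domains(text)
    orphans = [d for d in domains if parent_of(d) and parent_of(d) not in domains]
    learning = [d for d, v in domains.items() if v["profile"] == 1]
    return orphans, learning

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY))
```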
When you boot with TOMOYO Linux kernel, you will see the following message when /sbin/init is about to start.
TOMOYO Linux: Enter 'disable' within 10 seconds to disable TOMOYO Linux.
TOMOYO Linux>
If you press the 'Enter' key or wait for 10 seconds, TOMOYO Linux is enabled and the policy is loaded. If you run into trouble, such as being unable to log in because of an inappropriate TOMOYO Linux configuration, enter "disable" and press the 'Enter' key to disable TOMOYO Linux.
Log in to the system as the root user and run editpolicy, included in the TOMOYO Linux tools.
/usr/lib/ccs/editpolicy
Download Source | http://osdn.dl.sourceforge.jp/tomoyo/27220/ccs-tools-Template:CCSTools-Version.tar.gz
---|---
Download Patch (for 2.6.22 series Kernel) | http://people.redhat.com/mingo/cfs-scheduler/sched-cfs-v2.6.22.9-v22.patch
Download Patch (TOMOYO 1.5 for 2.6.22 or 2.6.23 Kernel) | http://osdn.dl.sourceforge.jp/tomoyo/27219/ccs-patch-1.5.0-20070920.tar.gz
Download Patch (TOMOYO 2.1 for 2.6.23 series Kernel) | http://svn.sourceforge.jp/cgi-bin/viewcvs.cgi/tags/lkml/4/patches.tar.gz?root=tomoyo&view=tar

Installed Directories | /usr/lib/ccs
---|---
Installed Programs | tomoyo_init_policy.sh, init_policy.sh
Installed Libraries |