"'TOMOYO Linux' is our work in the field of security enhanced Linux," Kentaro Takeda began, describing 15 patches posted to the Linux Kernel mailing list. He noted that in an earlier version of the patches posted just prior to the recent Kernel summit, TOMOYO Linux's Mandatory Access Control was limited to files. In the new patch, he explained, "now TOMOYO Linux has access control functionality not only for files but also for networking, signal transmission and namespace manipulation and we got the source code cleaned-up." Kentaro went to provide an overview:
"The fundamental concept of TOMOYO Linux is 'tracking process invocation history'.
"The 'struct task_struct'->security member holds a pointer to the 'process invocation history'. Thus, every process (the kernel, /sbin/init process and any children/descendant of /sbin/init) knows its 'process invocation history' (or ancestors). Since every process knows its ancestors, TOMOYO Linux can enforce access control over all processes."
From: Kentaro Takeda <takedakn@...>
Subject: [TOMOYO 00/15](repost) TOMOYO Linux - MAC based on process invocation history.
Date: Oct 2, 3:25 am 2007
"TOMOYO Linux" is our work in the field of security enhanced Linux.
This is the repeated post of second submission of TOMOYO Linux
( http://lkml.org/lkml/2007/8/24/116 ).
Unfortunately it was just before the Kernel Summit.
We could not receive any suggestions about our codes.
Before this posting, we changed the program to use
securityfs (Kyle's comment) and re-generated patches
with the current git tree.
When we posted our first proposal to LKML, TOMOYO Linux's MAC was
limited to file access control. Now TOMOYO Linux has access control
functionality not only for files but also for networking, signal
transmission and namespace manipulation and we got the source code
cleaned-up.
Patches consist of four types.
* [TOMOYO 01/15]: Mandatory modifications against standard kernel.
* [TOMOYO 02-13/15]: LSM implementation of TOMOYO Linux.
* [TOMOYO 14/15]: Optional modifications against standard kernel.
* [TOMOYO 15/15]: Makefile and Kconfig .
<<What you can do with TOMOYO Linux.>>
The fundamental concept of TOMOYO Linux is "tracking process
invocation history".
The "struct task_struct"->security member holds a pointer to the
"process invocation history". Thus, every process (the kernel,
/sbin/init process and any children/descendant of /sbin/init) knows
its "process invocation history" (or ancestors). Since every process
knows its ancestors, TOMOYO Linux can enforce access control over all
processes.
TOMOYO Linux splits domains using "process invocation history" and the
process transits to a different domain whenever execution of a program
(i.e. do_execve()) is requested. By transiting to a different domain
whenever execution of a program is requested, each domain will have
the minimal permissions that are essential for processes in that
domain to do their roles.
You don't need to define domains beforehand. TOMOYO Linux kernel will
automatically define new domains whenever execution of a program is
requested, and the process will automatically transit to the new
domain. (If the process's domain is in enforcing mode, TOMOYO Linux
kernel will not define new domains to avoid memory consumption attack.)
TOMOYO Linux can restrict the following requests on a per-a-domain basis:
* opening files
* communicating via PF_INET sockets
* sending signals
TOMOYO Linux can also restrict the following namespace manipulation requests.
* mounting filesystems
* unmounting filesystems
* using pivot_root
<<Example>>
The tree below shows a part of domain transitions generated using
Debian Etch. The domain a process is in is determined based on the
process's "process invocation history". Each domain has permissions
(or ACL), and the behavior (or requests shown above) of a process is
restricted by the ACL of the domain that the process is in.
<kernel>
+ /sbin/init
+ /etc/init.d/rc
+ /etc/init.d/apache2
+ /usr/bin/env
+ /usr/sbin/apache2ctl
+ /usr/sbin/apache2
You can assign different access control modes (or profiles) on a
per-a-domain basis. Thus, you can enforce access control partially or
entirely. Also, by assigning "learning mode" to a domain, ACL that are
requested by processes in that domain are automatically (i.e. in
real-time) accumulated. The following ACL are an excerpt from
/usr/sbin/apache2 domain generated using "learning mode".
4 /etc/apache2/apache2.conf
4 /var/www/apache2-default/index.html
allow_create /var/run/apache2.pid
allow_unlink /var/run/apache2.pid
allow_network TCP bind 192.168.1.135 80
allow_network TCP listen 192.168.1.135 80
allow_network TCP accept 192.168.1.1 2389
The above ACL allows Apache to do the following behavior.
* Opening /etc/apache2/apache2.conf and
/var/www/apache2-default/index.html for reading.
* Creating and deleting /var/run/apache2.pid .
* Binding to local address (IP = 192.168.1.135, port = 80).
* Listening at local address (IP = 192.168.1.135, port = 80).
* Accepting from remote address (IP = 192.168.1.1, port = 2389).
You may use wildcards for pathnames, ranges for IP addresses and port
numbers, groups of pathnames and IP addresses for flexible definition.
<<Features of TOMOYO Linux.>>
TOMOYO Linux is an implementation of MAC, but you can use TOMOYO Linux
not only for MAC, but also to analyze a system's behavior, since
TOMOYO Linux can accumulate access requests raised by applications
sorted by each "process invocation history".
TOMOYO Linux and AppArmor are alike from the point of view of pathname
based access control, but TOMOYO Linux has differences in the
following points:
* TOMOYO Linux can apply access control over the whole process
(from the execution of /sbin/init at the startup procedure,
till the power failure at the shutdown procedure).
* TOMOYO Linux can apply access control not only over files but
also over networking, signals, namespace manipulations.
* TOMOYO Linux can accumulate ACL in real-time using
"learning mode".
* TOMOYO Linux allows the administrator to switch the access
control mode on a per-domain and per-functionality basis.
* TOMOYO Linux allows the administrator to judge (grant/reject)
requests which that violated ACL manually while operating in
"enforcing mode" without once rejecting these requests.
* TOMOYO Linux supports conditional ACL (e.g. owner of
process/files etc.).
Documents about installing and experiencing TOMOYO Linux are available
at http://tomoyo.sourceforge.jp/en/2.1.x/ . Please try TOMOYO Linux.
Feedbacks are most welcome.
<<Related links>>
OLS BoF material: http://sourceforge.jp/projects/tomoyo/document/ols2007-tomoyo-20070629.pdf
Previous submissions: http://lkml.org/lkml/2007/6/13/58 , http://lkml.org/lkml/2007/6/14/55, http://lkml.org/lkml/2007/8/24/116
Kentaro Takeda
NTT DATA CORPORATION
-
SE-Linux
Is this the same as SE-Linux?
How is it different?
How does it compare?
Re: SE-Linux
> Is this the same as SE-Linux?
> How is it different?
> How does it compare?
TOMOYO Linux is pathname-based MAC while SELinux is label based.
TOMOYO Linux has a "learning" mode in addition to "permissive" mode and "enforcing" mode. Learning mode can be used to analyze the system behavior. Example of the learning mode can be found at the following url.
http://tomoyo.sourceforge.jp/cgi-bin/lxr/source/centos4.4/domain_policy....
Above is also an example of policy definition of TOMOYO Linux. It's in plain text format. Its structure is quite simple: "domain" "ACL lists for domain". TOMOYO Linux policy is quite readable like AppArmor's policy.
TOMOYO Linux supports 2.4 kernel along with 2.6. Binary packages are provided for major distributions.
http://sourceforge.jp/projects/tomoyo/files/
Both SELinux and TOMOYO Linux have concepts of "domain". With SELinux, domains have to be defined by administrators. With TOMOYO Linux, domain is defined automatically by TOMOYO Linux kernel, so no definitions are needed.
TOMOYO Linux can be used to analyze the system behavior in detail.
--
Toshi
TOMOYO is very simple to
TOMOYO is very simple to install, and very easy to start, and ACL very direct that you know clearly what you are doing. I do not like any security model based on label, SELinux or SMACK, any label based model will be only in a mess.
TOMOYO has rich fuctions:
as an object, process can be identified a list of pathname like " /sbin/init /sbin/agetty /usr/bin/bash", so that " /sbin/init /sbin/agetty /usr/bin/bash" and " /sbin/init /sbin/agetty /usr/bin/bash /usr/bin/bash" could each have different ACL, though they are all produced by /usr/bin/bash.
or just only by pathname: " /usr/bin/bash", then any /usr/bin/bash produeced processes could have same ACL.
TOMOYO defines an exutable file, like /usr/bin/bas, to be a program; and defines a living instance in a running Linux of a program a domain. so that each running process is clearly defined directly by its domain. this is a much more intuitive concetp compared with labels.
for each domain, file operation, network operation and many other operations are controld using the text control lists, which could be easily read and understood, so that you know clearly those controls.
basic control profiles are provided, so that you cat use it before set your own configurations. and profiles could be changed at any time. there's a learning profile to automatically generate a control policy for domains that have been running in your Linux.
there are other tools to help manage your system security. ccs-queryd, an interactive toll, could help you much to analyse a program's behavior and control object access interactively.
generally speaking, TOMOYO is a very handy MAC security system.
TOMOYO is a very handy MAC security system
TOMOYO is very simple to install, and very easy to start, and ACL very direct that you know clearly what you are doing. I do not like any security model based on label, SELinux or SMACK, any label based model will be only in a mess.
TOMOYO has rich fuctions:
as an object, process can be identified a list of pathname like " /sbin/init /sbin/agetty /usr/bin/bash", so that " /sbin/init /sbin/agetty /usr/bin/bash" and " /sbin/init /sbin/agetty /usr/bin/bash /usr/bin/bash" could each have different ACL, though they are all produced by /usr/bin/bash.
or just only by pathname with : " /usr/bin/bash",( maybe used to mean the object of a process lives with kernel, not the object of file lives disk) then any /usr/bin/bash produeced processes could have same ACL.
TOMOYO defines an exutable file, like /usr/bin/bas, to be a program; and defines a living instance in a running Linux of a program a domain. so that each running process is clearly defined directly by its domain. this is a much more intuitive concetp compared with labels.
for each domain, file operation, network operation and many other operations are controld using the text control lists, which could be easily read and understood, so that you know clearly those controls.
TOMOYO is a very handy MAC security system
TOMOYO Linux LiveCD (ISO image)
For those who are interested in TOMOYO Linux, Ubuntu 7.04 Desktop based ISO image is available.
Kernel is TOMOYO Linux patched and there's a shortcut for TOMOYO Linux policy editor ("editpolicy") is on the desktop. All Ubuntu packages are unchanged.
Download:
http://tomoyo.sourceforge.jp/wiki-e/?TomoyoLive
Direction:
1. Open the editpolicy shortcut.
2. Browse the domains using cursor move keys.
3. Select a domain and enter "return" to show the ACL for the selected domain.
4. Go back to domain transition screen by entering "return".
Editpolicy manual:
http://tomoyo.sourceforge.jp/en/1.5.x/tool-editpolicy.html
If you are LFS user, try to build and test TOMOYO Linux yourself.
http://tomoyo.sourceforge.jp/wiki-e/?TomoyoOnLFS
FOSDEM'08 presentation (Develop/Embedded Track) slides
"TOMOYO Linux for Secure Embedded"
PacSec2007 presentation slides
"TOMOYO Linux: A Practical Method to Understand and Protect Your Own Linux Box"
2008-07-09 Linux Foundation Japan #8 Symposium slides and movie
Slides
http://sourceforge.jp/projects/tomoyo/document/lfj2008.pdf
Movie
http://www.linux-foundation.jp/uploads/seminar20080709/lf-harada.flv