* [RFC] TOMOYO Linux released!
From: Tetsuo Handa @ 2005-12-21 11:21 UTC
To: linux-kernel, kernelnewbies
Hello!
A new and easy to master access control for Linux,
TOMOYO Linux, is now available.
TOMOYO Linux is a small kernel patch that provides
MAC (Mandatory Access Control) functions to Linux.
TOMOYO Linux was developed by NTT DATA CORPORATION, Japan,
and released under GPL license.
TOMOYO Linux has the following features.
Please see the documentation and papers for details.
(There are 5 papers written in Japanese.
2 of them are available in English, as shown below.
Translation of 3 papers is now in progress.)
(1) Takes full advantage of "struct task_struct".
(2) Uses realpath(2), the kernel version of realpath(3).
(3) Works for 2.4.30/2.6.11 and later.
TOMOYO Linux includes the following components.
(1) Domain-Free Mandatory Access Control
(Code name is SAKURA, which is the acronym for
"Security Advancement Know-how Upon Readonly Approach".)
(2) Domain-Based Mandatory Access Control
(Code name is TOMOYO, which is the acronym for
"Task Oriented Management Obviates Your Onus".)
http://sourceforge.jp/projects/tomoyo/document/lc2005-en.pdf
(3) Tamper-Proof Device Filesystem
(Code name is SYAORAN, which is the acronym for
"Simple Yet All-important Object Realizing Abiding Nexus".)
(4) Never breakable Login Authentication
(Code name is CERBERUS, which is the acronym for
"Chained Enforceable Re-authentication Barrier Ensures Really Unbreakable Security".)
http://sourceforge.jp/projects/tomoyo/document/winf2005-en.pdf
(5) Delegation of Administration Tasks
(Code name is YUE, which is the acronym for
"Your User-role Enforcer".)
TOMOYO Linux has 3 usages.
(1) Provide MAC to improve security dramatically for servers.
TOMOYO Linux provides realpath(2)-based MAC
with automatic policy generation technology.
You can generate policies from scratch
by just operating what you want to allow.
TOMOYO Linux will generate policy that only allows
what you have operated.
(2) Analyze system behavior.
You can use TOMOYO Linux for examination purposes.
You can know which application accesses
which files and directories.
To define policies for MAC, you need to know
which application accesses which files and directories.
TOMOYO Linux reports realpath(2)-based pathnames to you
to help your policy definition.
I think this is helpful for developing SELinux's policy.
(3) Create filesystem images with minimum files.
You can use TOMOYO Linux to create the custom
filesystem image with the minimum files.
TOMOYO produces a realpath(2)-based policy file,
and you can create a filesystem image
by just copying the files listed in the policy file.
This is useful for creating a custom initrd.img .
Project URL: http://tomoyo.sourceforge.jp/
Download URL: http://sourceforge.jp/projects/tomoyo/
The authors of this patch (hereafter, we) don't have much experience
in kernel programming. But we could accomplish this primarily
due to your unstinting support. Thank you very much.
We are worried that this patch may contain some mistakes
such as missing hooks, improper location of hooks, or potential deadlocks.
There would be a better way of implementation.
All kinds of comments, pointing out errors, and suggestions are welcome.
We do hope this patch reduces the labor of server security management
and you enjoy the life with Linux.
Happy Holidays!
Thank you.
* Re: [RFC] TOMOYO Linux released!
From: Arjan van de Ven @ 2005-12-21 11:33 UTC
To: Tetsuo Handa; +Cc: linux-kernel, kernelnewbies
On Wed, 2005-12-21 at 20:21 +0900, Tetsuo Handa wrote:
> Hello!
>
> A new and easy to master access control for Linux,
> TOMOYO Linux, is now available.
very interesting; a few quick questions that I didn't see answered on
the side
1) where can we download the patches?
2) How does the use of "absolute paths" interact with namespaces?
In principle each process can have its own namespace after all!
(not many distributions use this today, but that will change soon,
per user /tmp is a very attractive feature and all needed
infrastructure helpers for this will be in the 2.6.15 kernel)
* Re: [RFC] TOMOYO Linux released!
From: Tetsuo Handa @ 2005-12-21 12:12 UTC
To: arjan; +Cc: linux-kernel, kernelnewbies
Hello,
Arjan van de Ven wrote:
> > A new and easy to master access control for Linux,
> > TOMOYO Linux, is now available.
> very interesting; a few quick questions that I didn't see answered on
> the side
Thank you for your interest.
> 1) where can we download the patches?
You can download from http://sourceforge.jp/projects/tomoyo/ .
Click the links "Download" in the middle of the page.
The ccs-patch is the kernel patch and the ccs-tools is the userland
utilities such as policy editors.
The documentation index page is http://tomoyo.sourceforge.jp/en/doc/ .
The complete installation guide is at
http://tomoyo.sourceforge.jp/en/doc/install.html .
The kickstart installation guide will be added in several days.
> 2) How does the use of "absolute paths" interact with namespaces?
> In principle each process can have its own namespace after all!
> (not many distributions use this today, but that will change soon,
> per user /tmp is a very attractive feature and all needed
> infrastructure helpers for this will be in the 2.6.15 kernel)
This is like d_path(), except that TOMOYO Linux ignores
each process's root directory. TOMOYO Linux uses the global namespace.
For example, if a process which has already chroot'ed to the /jail
directory accesses /foo/bar, then TOMOYO Linux regards it
as if the process is accessing /jail/foo/bar .
You can find some example policies at
http://tomoyo.sourceforge.jp/example_policy/ .
You can feel the image of realpath()-based policy files.
Regards...
* Re: [RFC] TOMOYO Linux released!
From: Rik van Riel @ 2005-12-22 23:09 UTC
To: Tetsuo Handa; +Cc: arjan, linux-kernel, kernelnewbies
On Wed, 21 Dec 2005, Tetsuo Handa wrote:
> > 1) where can we download the patches?
> You can download from http://sourceforge.jp/projects/tomoyo/ .
Why does the Tomoyo patch have its own hooks in various
places sitting right next to the LSM hooks?
--
"Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are,
by definition, not smart enough to debug it." - Brian W. Kernighan
* Re: [RFC] TOMOYO Linux released!
From: Tetsuo Handa @ 2005-12-23 4:38 UTC
To: riel; +Cc: arjan, linux-kernel, kernelnewbies
Hello,
Rik van Riel wrote:
> Why does the Tomoyo patch have its own hooks in various
> places sitting right next to the LSM hooks?
There are two reasons.
One is to support both 2.4 kernels and 2.6 kernels.
The other is some parameters are missing for TOMOYO Linux.
TOMOYO needs "struct vfsmnt" parameter to calculate realpath(2),
but this parameter is unavailable after entering into
the vfs functions (for example, vfs_mknod()) and
unable to use (for example, security_inode_mknod()).
Also not all hooks needed for TOMOYO Linux are provided by LSM.
For example, a hook for SAKURA_MayAutobind() is not provided by LSM.
By the way, the kickstart guide is now available at
http://tomoyo.sourceforge.jp/en/kickstart/ .
If you have private questions, you can send mails to
tomoyo-support _at_ lists.sourceforge.jp .
Regards...
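The pathname calculation discussed in the two replies above, as an added userspace model that is not TOMOYO Linux or kernel code: one walk stops at the process root (the d_path()-like result), one ignores it (the global view), and one lacks the mount and so cannot cross the mount point. The struct layouts, walk_path() and the /jail/foo mount layout are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed userspace model; these structs only imitate the kernel's. */
struct dentry { const char *name; struct dentry *parent; };
struct mnt { struct dentry *root; struct mnt *parent; struct dentry *mountpoint; };
struct path { struct mnt *mnt; struct dentry *dentry; };

/* Build p's pathname right-to-left in buf (len >= 1). stop == NULL walks to the
 * top-level root (global view); otherwise the walk ends at *stop (process root). */
static char *walk_path(struct path p, const struct path *stop, char *buf, size_t len)
{
    char *end = buf + len - 1;
    *end = '\0';
    while (!(stop && p.mnt == stop->mnt && p.dentry == stop->dentry)) {
        if (p.dentry == p.mnt->root) {          /* top of this filesystem */
            if (!p.mnt->parent)
                break;                          /* nothing mounted above */
            p = (struct path){ p.mnt->parent, p.mnt->mountpoint }; /* needs the mount */
            continue;
        }
        size_t n = strlen(p.dentry->name);
        if ((size_t)(end - buf) < n + 1)
            return NULL;                        /* buffer too small */
        end = memcpy(end - n, p.dentry->name, n);
        *--end = '/';
        p.dentry = p.dentry->parent;
    }
    if (!*end)                                  /* p was the root itself */
        return end > buf ? memcpy(end - 1, "/", 1) : NULL;
    return end;
}

/* Constructed layout: a second filesystem mounted on /jail/foo holds "bar". */
static struct dentry root_d = { "", &root_d }, jail_d = { "jail", &root_d };
static struct dentry foo_d = { "foo", &jail_d }, fs2_d = { "", &fs2_d };
static struct dentry bar_d = { "bar", &fs2_d };
static struct mnt root_m = { &root_d, NULL, NULL }, fs2_m = { &fs2_d, &root_m, &foo_d };
static struct mnt lone_m = { &fs2_d, NULL, NULL };  /* fs2, mount info lost */
static struct path file = { &fs2_m, &bar_d }, jail = { &root_m, &jail_d };
static struct path bare = { &lone_m, &bar_d };      /* same file, mount unknown */

int main(void)
{
    char b[64];
    printf("chroot view: %s\n", walk_path(file, &jail, b, sizeof b));
    printf("global view: %s\n", walk_path(file, NULL, b, sizeof b));
    printf("dentry only: %s\n", walk_path(bare, NULL, b, sizeof b));
    return 0;
}
```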
* Re: [RFC] TOMOYO Linux released!
From: Bill Davidsen @ 2005-12-23 15:35 UTC
To: Tetsuo Handa; +Cc: arjan, linux-kernel, kernelnewbies
Tetsuo Handa wrote:
> Hello,
>
> Rik van Riel wrote:
>
>>Why does the Tomoyo patch have its own hooks in various
>>places sitting right next to the LSM hooks?
>
> There are two reasons.
>
> One is to support both 2.4 kernels and 2.6 kernels.
>
> The other is some parameters are missing for TOMOYO Linux.
> TOMOYO needs "struct vfsmnt" parameter to calculate realpath(2),
> but this parameter is unavailable after entering into
> the vfs functions (for example, vfs_mknod()) and
> unable to use (for example, security_inode_mknod()).
>
> Also not all hooks needed for TOMOYO Linux are provided by LSM.
> For example, a hook for SAKURA_MayAutobind() is not provided by LSM.
>
>
>
> By the way, the kickstart guide is now available at
> http://tomoyo.sourceforge.jp/en/kickstart/ .
>
> If you have private questions, you can send mails to
> tomoyo-support _at_ lists.sourceforge.jp .
Hopefully most questions will stay here until people have a chance to
get general questions answered. This is interesting stuff, although I
suspect that the main goal was safe operation of authorized users on the
machine, rather than protection of servers. It appears to have benefits
for servers as well, of course.
--
-bill davidsen (davidsen@tmr.com)
"The secret to procrastination is to put things off until the
last possible moment - but no longer" -me
* Re: [RFC] TOMOYO Linux released!
From: Ingo Oeser @ 2005-12-21 22:16 UTC
To: Arjan van de Ven; +Cc: linux-kernel
Hi Arjan,
On Wednesday 21 December 2005 12:33, you wrote:
> per user /tmp is a very attractive feature and all needed
> infrastructure helpers for this will be in the 2.6.15 kernel)
Yes! I use this (via symlinks) already and love it.
If I now could get age based file removal, to free up more
temporary space for sth. else with limits on minimum age,
I would be a very happy user.
I know this could be done in user space similar to
the dynamic swap space addition.
So just take this as a hint from a customer :-)
Regards
Ingo Oeser