Difference between revisions of "TOMOYO Linux"

From ArchWiki
m (remove "out of date")
(22 intermediate revisions by 9 users not shown)
Revision as of 17:09, 12 March 2013

TOMOYO Linux is a Mandatory Access Control (MAC) implementation for Linux. It was launched in March 2003 and is sponsored by NTT Data Corporation. TOMOYO Linux focuses on the behaviour of a system, allowing each process to declare the behaviours and resources it needs to achieve its purpose. It can be used as a system analysis tool as well as an access restriction tool.

The security goal of TOMOYO Linux is to provide "MAC that covers practical requirements for most users and keeps usable for most administrators". TOMOYO Linux is not a tool for just security professionals, but also for average users and administrators.

Note: This article does not aim to be an exhaustive guide and should be used as a supplement to the extensive user documentation provided by the project.

Tip: The TOMOYO Linux 2.x branch is already in the Arch Linux [community] repository. This branch will eventually come closer to reaching feature parity with the 1.x branch, but for those wanting an easy start the 2.x branch is easy to install. The TOMOYO Linux 1.x branch is for those wanting the greatest security, while AKARI is somewhere in between.

Introduction

TOMOYO Linux attempts to build a system in which everything is prearranged in an easy to understand way:

  • Make all access requests that will occur at least once during the lifetime of the kernel known in advance
  • Allow the administrator to write a policy that only allows expected and desirable access requests

Unlike AppArmor, TOMOYO Linux is intended to protect the whole system from attackers exploiting vulnerabilities in applications. TOMOYO Linux addresses this threat by recording the behaviour of all applications in the test environment and then forcing all applications to act within these recorded behaviours in the production environment.

TOMOYO Linux is not for users wanting ready-made policy files supplied by others. It involves creating policy from scratch, aided by the "learning mode" which can automatically generate policy files with necessary and sufficient permissions for a specific system. TOMOYO Linux reports what is happening within the Linux system and can therefore be used as a system analysis tool. It resembles strace and reports what is being executed by each program and what files/networks are accessed.

This table provides a comprehensive comparison of TOMOYO Linux with AppArmor, SELinux and SMACK.

Branches of development

TOMOYO Linux 1.x is the original branch of development. TOMOYO Linux was first released on 11th November 2005. It was implemented as a patch that can be applied to the Linux kernel and is still in active development. It can coexist with other security modules such as SELinux, SMACK and AppArmor.

TOMOYO Linux 2.x is the Linux mainline kernel branch of development. In June 2009, TOMOYO was merged into the Linux kernel version 2.6.30 and it uses standard Linux Security Module (LSM) hooks. However, the LSM hooks must be extended further in order to port the full MAC functionality of TOMOYO Linux into the Linux kernel. Thus, it does not yet provide equal functionality with the 1.x branch of development. This chart compares the differences between each branch.

AKARI is based on the TOMOYO Linux 1.x branch and is implemented as a Loadable Kernel Module (LKM). It therefore has the advantage of not requiring the user to patch and recompile the kernel. This table provides a comprehensive comparison of AKARI with the TOMOYO Linux 1.x and 2.x branches.

TOMOYO Linux 1.x

Implementing TOMOYO Linux 1.x using a kernel patched with ccs-patch provides the full functionality obtainable from the TOMOYO Linux project. However, implementation of this branch requires the most hurdles to be overcome, as the kernel must be patched with ccs-patch and subsequently recompiled.

Both linux-ccs and the userspace tools must be installed. A package for linux-ccs and a package for ccs-tools are available on the AUR.

Initializing configuration

The policy must first be initialized:

# /usr/lib/ccs/init_policy

The policy files are saved in the /etc/ccs/ directory and can be edited by running:

# ccs-editpolicy

AKARI

Limitations of AKARI

AKARI has the advantage of not requiring kernel recompilation. If using the TOMOYO Linux project purely for system analysis, then AKARI is the easiest method of achieving this. If using the TOMOYO Linux project for system restriction, it is a minimal effort way to gain most of the functionality of the TOMOYO Linux 1.x branch. However, there are a few limitations that must be considered:

  • It depends on the kernel version and configuration provided by the distribution:
      CONFIG_SECURITY=y [required]
      CONFIG_KALLSYMS=y [required]
      CONFIG_PROC_FS=y [required]
      CONFIG_MODULES=y [required]
      CONFIG_SECURITY_PATH=y [optional: for using absolute pathnames]
      CONFIG_SECURITY_NETWORK=y [optional: for providing network restriction]
  • The restriction of a few advanced networking operations is limited or unavailable due to the absence of the required LSM hooks
  • Restricting use of capabilities is not possible
  • Looking up per-task variables is slower as they are managed outside "struct task_struct" in order to keep KABI unchanged. However, this should not be noticeable for the typical end-user as performance decrease by pathname based permission checking is dominant

This table provides a comprehensive comparison of AKARI with the TOMOYO Linux 1.x and 2.x branches.

Note: The Arch Linux kernel from 2.6.36 onwards provides all of the configuration options required for full functionality.

Installation

Both AKARI and the userspace tools must be installed. A package for AKARI and a package for ccs-tools are available on the AUR.

The bootloader configuration must be changed in order to activate AKARI:

title  Arch Linux
root   (hd0,0)
kernel /boot/vmlinuz-linux root=/dev/sda1 ro init=/sbin/ccs-init
initrd /boot/initramfs-linux.img

Initializing configuration

The policy must first be initialized:

# /usr/lib/ccs/init_policy --module_name=akari

The policy files are saved in the /etc/ccs/ directory and can be edited by running:

# ccs-editpolicy

TOMOYO Linux 2.x

Limitations of TOMOYO Linux 2.x

The implementation of TOMOYO Linux 2.x into the Linux mainline kernel is not yet complete but is very close to 1.x since 2.5.x. There are a few features that still need to be implemented as compared to the 1.x branch. This chart has a comprehensive comparison of the differences between each branch of development.

Installation

TOMOYO Linux 2.x is part of the Linux mainline kernel and, in addition to those previously mentioned, requires the following kernel configuration:

CONFIG_SECURITY_TOMOYO=y

Note: The Arch Linux kernel from 2.6.36 onwards provides all of the configuration options required for full functionality.
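Before installing AKARI or relying on TOMOYO Linux 2.x, it is worth confirming that the running kernel actually carries the options listed above and in the AKARI section. The following is an added example, not code from the ArchWiki page or the TOMOYO project: it parses a kernel config (the constructed SAMPLE_CONFIG below, or /proc/config.gz on a kernel built with CONFIG_IKCONFIG_PROC, which is an assumption about the host) and reports which required and optional options are missing for AKARI and for TOMOYO 2.x.

```python
# Added example (not from the ArchWiki page or the TOMOYO project): check a
# kernel config for the options the page lists for AKARI and TOMOYO Linux 2.x.
import gzip
import re
from pathlib import Path

# Options quoted on the page. AKARI needs the first group; TOMOYO 2.x additionally
# needs CONFIG_SECURITY_TOMOYO. Everything else in the config is ignored.
REQUIRED_AKARI = ["CONFIG_SECURITY", "CONFIG_KALLSYMS", "CONFIG_PROC_FS", "CONFIG_MODULES"]
OPTIONAL_AKARI = {
    "CONFIG_SECURITY_PATH": "absolute pathnames",
    "CONFIG_SECURITY_NETWORK": "network restriction",
}
REQUIRED_TOMOYO2 = REQUIRED_AKARI + ["CONFIG_SECURITY_TOMOYO"]

_SET = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")

# Constructed sample config (not a real Arch kernel config): AKARI's required
# options are present, CONFIG_SECURITY_PATH is unset, and TOMOYO is not built in.
SAMPLE_CONFIG = """\
# Constructed sample, not a real kernel config
CONFIG_SECURITY=y
CONFIG_KALLSYMS=y
CONFIG_PROC_FS=y
CONFIG_MODULES=y
# CONFIG_SECURITY_PATH is not set
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_TOMOYO is not set
"""


def parse_kconfig(text):
    """Return {option: value} from kernel .config text.
    '# CONFIG_X is not set' lines map to 'n'; quoted string values lose their quotes."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET.match(line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET.match(line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def load_kconfig(path="/proc/config.gz"):
    """Read the running kernel's config (gzip) or a plain /boot/config-* file."""
    data = Path(path).read_bytes()
    if data[:2] == b"\x1f\x8b":  # gzip magic
        data = gzip.decompress(data)
    return parse_kconfig(data.decode())


def check_options(opts, required, optional=None):
    """Return (missing_required, missing_optional) for a parsed config.
    Only a built-in 'y' satisfies an option, since the page asks for =y;
    a module build ('m') or an unset option is reported as missing."""
    missing_req = [o for o in required if opts.get(o) != "y"]
    missing_opt = {o: why for o, why in (optional or {}).items() if opts.get(o) != "y"}
    return missing_req, missing_opt


if __name__ == "__main__":
    opts = parse_kconfig(SAMPLE_CONFIG)
    for label, req, opt in (("AKARI", REQUIRED_AKARI, OPTIONAL_AKARI),
                            ("TOMOYO 2.x", REQUIRED_TOMOYO2, None)):
        missing_req, missing_opt = check_options(opts, req, opt)
        print(label, "missing required:", missing_req or "none")
        for o, why in missing_opt.items():
            print("  optional", o, "not set; lose:", why)
```

On a real host, replace SAMPLE_CONFIG with load_kconfig() (or load_kconfig("/boot/config-..." with the path of the installed kernel's config). The check deliberately treats a module build as missing: AKARI is itself a module, but the options the page lists are core kernel features that must be compiled in.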

If the kernel supports TOMOYO Linux 2.x, then only the userspace tools need to be installed:

# pacman -S tomoyo-tools

For kernel versions between 2.6.30 and 2.6.35, tomoyo-tools 2.2.x should be installed. A package is available on the AUR.

If everything is in order, append security=tomoyo TOMOYO_trigger=/sbin/init to the GRUB_CMDLINE_LINUX_DEFAULT parameter in /etc/default/grub:

GRUB_CMDLINE_LINUX_DEFAULT="quiet security=tomoyo TOMOYO_trigger=/sbin/init"

Then regenerate grub.cfg:

# grub-mkconfig -o /boot/grub/grub.cfg

TOMOYO will then load all saved policies from /etc/tomoyo/policy/current when /sbin/init executes.

Note: With systemd, /sbin/init is a symlink to /usr/lib/systemd/systemd. You still need to pass /sbin/init to CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER or TOMOYO_trigger, since the initramfs /init passes /sbin/init to the execve() request.

For a first deployment, you may want the in-memory policy saved to the filesystem automatically at shutdown or reboot. If so, append the following line to /etc/rc.local.shutdown:

/usr/sbin/tomoyo-savepolicy

Initializing configuration

The policy must first be initialized:

# /usr/lib/tomoyo/init_policy

The policy files are saved in the /etc/tomoyo/ directory and can be edited by running:

# tomoyo-editpolicy

By default, TOMOYO starts with the "Disabled" profile (see the profile table below). You may want to enable learning mode for everything right away. To do so, switch the profile for the <kernel> namespace in /etc/tomoyo/policy/current/domain_policy.conf:

<kernel>
use_profile 1
use_group 0

If you are unsure whether such system-wide learning is needed, skip this step. You can switch profiles later in tomoyo-editpolicy's "Domain transition editor" by pressing S on the selected domain(s).

Now restart the computer.
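The edit above is a one-line change in a file whose layout is easy to get wrong by hand. As an added example, not code from the ArchWiki page or the TOMOYO project, the following parses a small, constructed domain_policy.conf, reports which profile each domain uses, switches the <kernel> domain to profile 1 and writes the file back out. The layout it assumes follows the snippet above: a domain header line starting with <kernel>, then use_profile and use_group, then one ACL entry per line, with a blank line between domains. The profile names assume the default numbering 0 to 3 in the order of the page's profile table (Disabled, Learning, Permissive, Enforcing); other numbers are reported unnamed.

```python
# Added example (not from the ArchWiki page or the TOMOYO project): parse,
# inspect and edit a domain_policy.conf in the layout the page shows.

# Assumed default numbering, in the order of the page's profile table.
PROFILE_NAMES = {0: "Disabled", 1: "Learning", 2: "Permissive", 3: "Enforcing"}

# Constructed sample policy (not taken from a real system).
SAMPLE_DOMAIN_POLICY = """\
<kernel>
use_profile 0
use_group 0

<kernel> /sbin/init
use_profile 3
use_group 0
file read /etc/passwd
file execute /etc/rc.d/rc
"""


def parse_domain_policy(text):
    """Return a list of (domain_name, {"use_profile", "use_group", "acl"}) in file order.
    A domain starts at any line beginning with "<kernel>"; blank lines are ignored."""
    domains = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("<kernel>"):
            current = {"use_profile": 0, "use_group": 0, "acl": []}
            domains.append((line, current))
        elif current is None:
            raise ValueError("directive before first domain header: %r" % line)
        elif line.startswith("use_profile "):
            current["use_profile"] = int(line.split()[1])
        elif line.startswith("use_group "):
            current["use_group"] = int(line.split()[1])
        else:
            current["acl"].append(line)  # e.g. "file read /etc/passwd"
    return domains


def render_domain_policy(domains):
    """Serialise the parsed structure back into the file layout."""
    out = []
    for name, d in domains:
        out.append(name)
        out.append("use_profile %d" % d["use_profile"])
        out.append("use_group %d" % d["use_group"])
        out.extend(d["acl"])
        out.append("")
    return "\n".join(out)


def set_profile(domains, domain_name, profile):
    """Switch one domain to `profile`; return False if the domain is not present."""
    if not 0 <= profile <= 255:
        raise ValueError("profile number out of range: %r" % profile)
    for name, d in domains:
        if name == domain_name:
            d["use_profile"] = profile
            return True
    return False


def profile_summary(domains):
    """Map each domain name to a readable profile name."""
    return {name: PROFILE_NAMES.get(d["use_profile"], "profile %d" % d["use_profile"])
            for name, d in domains}


if __name__ == "__main__":
    doms = parse_domain_policy(SAMPLE_DOMAIN_POLICY)
    print("before:", profile_summary(doms))
    set_profile(doms, "<kernel>", 1)  # the edit described above
    print("after: ", profile_summary(doms))
    print(render_domain_policy(doms))
```

To apply this to a live system, read /etc/tomoyo/policy/current/domain_policy.conf into parse_domain_policy, call set_profile, and write render_domain_policy's output back before rebooting; the editor tomoyo-editpolicy remains the supported way to make the same change.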

Usage

It is important to consult the relevant documentation in order to use TOMOYO Linux or AKARI effectively.

Run the policy editor to begin editing. If using TOMOYO Linux 1.x or AKARI, then ccs-tools should be used:

# /usr/sbin/ccs-editpolicy

If using TOMOYO Linux 2.x, then tomoyo-tools should be used:

# /usr/sbin/tomoyo-editpolicy

As the system runs, TOMOYO Linux will create domains and add them to the tree. The access analysis/restriction in TOMOYO Linux is applied via domains. Every process belongs to a single domain and transitions to a different domain whenever it executes a program. The name of a domain is a concatenated string expression for the process execution history. For example, the name of the domain which the kernel belongs to is "<kernel>"; the name of the domain which /sbin/init, invoked by the kernel, belongs to is "<kernel> /sbin/init"; if /sbin/init invokes /etc/rc.d/rc then the domain it belongs to is "<kernel> /sbin/init /etc/rc.d/rc". You can suppress or initialize domain transitions as needed.

Profiles can be assigned to each domain. There are four default profiles:

  Profile     Behaviour
  Disabled    Works as if a regular kernel.
  Learning    Does not reject an access request that violates policy; appends the request to policy.
  Permissive  Does not reject an access request that violates policy; does not append it to policy.
  Enforcing   Rejects an access request that violates policy; does not append it to policy.

The learning profile can be used to analyse the system or a specific application. Once all of the desired access requests of a domain have been identified, the policy for that domain can be edited as required before selecting the enforcing profile. This can be done for any and all domains from the start of system boot.
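The two ideas in this section, domain names built from execution history and the four profile modes, are small enough to model directly. The following is an added example, not code from the ArchWiki page or the TOMOYO project: next_domain reproduces the naming shown above and adds the two kinds of transition control the text mentions (an `initialize` set of programs that start a fresh "<kernel> /program" history and a `keep` set of domains whose processes stay put on exec, both simplified assumptions about TOMOYO's initialize_domain/keep_domain rules), and DomainPolicy.check applies the profile table to a request, recording learned entries and an audit log. The in-memory ACL format (operation, target) and the profile numbers 0 to 3 in table order are assumptions, not TOMOYO's on-disk format.

```python
# Added example (not from the ArchWiki page or the TOMOYO project): a model of
# TOMOYO domain naming and of how each default profile treats an access request.

# Assumed numbering, in the order of the page's profile table.
DISABLED, LEARNING, PERMISSIVE, ENFORCING = 0, 1, 2, 3


def next_domain(current, program, initialize=(), keep=()):
    """Domain a process lands in after executing `program`.
    Default: append the program path to the execution history.
    `initialize`: programs that start a fresh history ("<kernel> /program").
    `keep`: domains whose processes stay where they are when they exec.
    (Simplified stand-ins for TOMOYO's transition control, assumed here.)"""
    if current in keep:
        return current
    if program in initialize:
        return "<kernel> " + program
    return current + " " + program


class DomainPolicy:
    """Per-domain profile numbers and learned/declared ACLs, plus an audit log."""

    def __init__(self):
        self.profile = {}  # domain -> profile number (default DISABLED)
        self.acl = {}      # domain -> set of permitted (operation, target)
        self.log = []      # (domain, operation, target, "allow"/"deny")

    def check(self, domain, op, target):
        """Decide a request per the profile table: Disabled never rejects,
        Learning never rejects and appends, Permissive never rejects and does
        not append, Enforcing rejects anything not already in the ACL."""
        mode = self.profile.get(domain, DISABLED)
        acl = self.acl.setdefault(domain, set())
        allowed = (op, target) in acl
        if mode == DISABLED or allowed or mode == PERMISSIVE:
            decision = True
        elif mode == LEARNING:
            acl.add((op, target))  # the request becomes policy
            decision = True
        else:  # ENFORCING and not in policy
            decision = False
        self.log.append((domain, op, target, "allow" if decision else "deny"))
        return decision


def learn_then_enforce():
    """Walk the page's example chain, learn one domain's accesses, then enforce.
    Returns the learned ACL and the final decisions for two requests."""
    d = next_domain("<kernel>", "/sbin/init")
    d = next_domain(d, "/etc/rc.d/rc")            # "<kernel> /sbin/init /etc/rc.d/rc"
    p = DomainPolicy()
    p.profile[d] = LEARNING
    p.check(d, "file read", "/etc/passwd")        # recorded into policy
    p.profile[d] = ENFORCING                      # after review, lock it down
    seen = p.check(d, "file read", "/etc/passwd")   # True: learned earlier
    unseen = p.check(d, "file read", "/etc/shadow")  # False: never learned
    return sorted(p.acl[d]), seen, unseen, p.log


if __name__ == "__main__":
    acl, seen, unseen, log = learn_then_enforce()
    print("learned ACL:", acl)
    for entry in log:
        print(entry)
```

The audit log is the part worth keeping in a real deployment: in permissive mode it shows exactly which requests would have been denied under enforcing, which is how you decide when a domain's policy is complete enough to switch.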

References

See also

  • AKARI documentation: http://akari.sourceforge.jp/index.html.en
  • TOMOYO Linux 1.8.x documentation: http://tomoyo.sourceforge.jp/1.8/index.html.en
  • TOMOYO Linux 2.5.x documentation: http://tomoyo.sourceforge.jp/2.5/index.html.en
  • TOMOYO Linux Security Goal: http://lwn.net/Articles/263179/
  • Policy sample: http://tomoyo.sourceforge.jp/cgi-bin/lxr/source/centos5.5/domain_policy.conf?v=policy-sample