TOMOYO Linux is a Mandatory Access Control (MAC) implementation for Linux that can be used to increase the security of a system, while also being useful purely as a system analysis tool. It was launched in March 2003 and had been sponsored by NTT DATA Corporation, Japan until March 2012.
TOMOYO Linux focuses on the behaviour of a system. Every process is created to achieve a purpose, and like an immigration officer, TOMOYO Linux allows each process to declare the behaviours and resources needed to achieve that purpose. When protection is enabled, TOMOYO Linux acts like an operation watchdog, restricting each process to only the behaviours and resources allowed by the administrator.
@ Change behavior of pathname pattern matching.
Until now, it was impossible to use patterns like "\*.txt"
because "\*" greedily matched every character up to the next '/'.
Now, "\*" matches zero or more characters.
Until now, it was impossible to use patterns like "\$00"
because "\$" greedily matched every digit up to the next
non-digit character.
Now, "\$" matches one or more digits.
Also, the new patterns "\x", "\X", "\a", "\A" and "\@" are added.
@ Add CONFIG_TOMOYO_NETWORK option.
Until now, only port numbers for TCP and UDP were controllable.
Now, the combination of IPv4/IPv6 address and port number
for TCP and UDP is controllable.
CONFIG_TOMOYO_NETWORKPORT is now obsolete.
@ Change matching rule for CheckFileACL().
Until now, only the first entry that matched the requested pathname
was used for permission checking. For example, if the two entries
"2 /tmp/file-\$.txt" and "4 /tmp/fil\?-0.txt" are given in this order
and the requested pathname is "/tmp/file-0.txt", "2 /tmp/file-\$.txt"
is used. But if the same two entries are given in the reverse order,
"4 /tmp/fil\?-0.txt" is used.
This may potentially cause trouble because the result of
permission checks depends on the order of entries.
Now, all entries that match the requested pathname
are used for permission checking, so that the result of
permission checks doesn't depend on the order of entries.
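As an added Python model (not TOMOYO's own code) of the pattern semantics described above and of this CheckFileACL() change. It assumes that "\*" does not cross '/', that the leading number of an entry is a permission bitmask (1 = execute, 2 = write, 4 = read), and that using all matching entries means OR-ing their bits; "\x", "\X", "\a", "\A" and "\@" are not modelled.

```python
import re

# Assumed TOMOYO 1.x permission bits: 1 = execute, 2 = write, 4 = read ("6" = read/write).
EXEC, WRITE, READ = 1, 2, 4

def pattern_to_regex(pattern):
    # Translate a pathname pattern into a regex. Modelled escapes: \* = zero or
    # more characters other than '/', \$ = one or more decimal digits,
    # \? = exactly one character other than '/'. Other escapes are literal.
    parts, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            meta = pattern[i + 1]
            parts.append({"*": "[^/]*", "$": "[0-9]+", "?": "[^/]"}.get(meta, re.escape(meta)))
            i += 2
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts))

def path_matches(pattern, path):
    # fullmatch anchors the pattern, so "\*.txt" can no longer swallow ".txt".
    return pattern_to_regex(pattern).fullmatch(path) is not None

def parse_acl(lines):
    # Each line is "<perm> <pattern>", the format used by the changelog examples.
    return [(int(perm), pat) for perm, pat in (ln.split(None, 1) for ln in lines)]

def first_match_perm(acl, path):
    # Old CheckFileACL(): only the first entry matching the pathname is used.
    for perm, pattern in acl:
        if path_matches(pattern, path):
            return perm
    return 0

def union_perm(acl, path):
    # New CheckFileACL(): every matching entry is used (assumed: bits OR-ed together).
    perm = 0
    for p, pattern in acl:
        if path_matches(pattern, path):
            perm |= p
    return perm

def allowed(perm, requested):
    return perm & requested == requested

# Constructed from the changelog: the same two entries in both orders, and its pathname.
ORDER_A = parse_acl(["2 /tmp/file-\\$.txt", "4 /tmp/fil\\?-0.txt"])
ORDER_B = list(reversed(ORDER_A))
PATH = "/tmp/file-0.txt"
```

Under the old rule a read check on /tmp/file-0.txt fails for order A and succeeds for order B; under the new rule it succeeds for both, which is the order independence the entry describes.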
@ Support RAW IPv4/IPv6 control.
Some programs such as 'ping' and 'traceroute' use raw IP sockets.
Now, the combination of IPv4/IPv6 address and protocol number
for IP is controllable.
@ Add filename and argv comparison check.
The domain transition was done based on the filename passed to do_execve(),
while the behavior was defined based on argv.
There is no problem if the file being executed is an argv-unaware application.
But if it is argv-aware, access control can be bypassed when the process
transits to a trusted domain but behaves as a different program.
For example, when the administrator marks the domain for /bin/ls as
trusted but both /bin/ls and /bin/cat are links to /sbin/busybox,
a cracker can run /bin/cat in the trusted domain if the cracker
succeeds in invoking do_execve() with filename = "/bin/ls" and
argv = "/bin/cat".
I introduced a keyword that permits a mismatch between the
basename of the filename and argv.
@ Support ID based condition checks.
It was impossible to use process IDs (uid, gid and so on) for
checking individual domain ACLs.
Now it is possible to use process IDs for checking individual
domain ACLs. For example,
"1 /bin/sh if task.euid!=0"
allows the domain to execute /bin/sh only when the process's euid
is not 0, and
"6 /home/\*/\* if task.uid=path1.uid"
allows the domain to read and write the user's home directory
only when the file's owner matches the process's uid.
@ Fix ROUNDUP() in fs/realpath.c.
Alignment using sizeof(int) may be inappropriate for 64-bit environments.
I changed it to use the larger of the sizes of 'void *' and 'long'
instead of 'int'.
For environments where sizeof(int) = sizeof(long) = sizeof(void *),
this change has no effect.
Version 1.2 2006/09/03 Functionality enhancement release.
@ Fix CheckFilePerm() in fs/tomoyo_file.c.
path_release() was called too early.