TOMOYO Linux is a Mandatory Access Control (MAC) implementation for Linux that can be used to increase the security of a system, while also being useful purely as a system analysis tool. It was launched in March 2003 and was sponsored by NTT DATA Corporation, Japan, until March 2012.
TOMOYO Linux focuses on the behaviour of a system. Every process is created to achieve a purpose, and, like an immigration officer, TOMOYO Linux lets each process declare the behaviours and resources it needs to achieve that purpose. When protection is enabled, TOMOYO Linux acts like an operation watchdog, restricting each process to only the behaviours and resources allowed by the administrator.
Fix 2006/12/10
@ Allow pathname grouping.
To reduce the labor of repeating '/\*' to allow access recursively,
I introduced a macro 'path_group' to group such pathnames.
For example, previously you had to give
4 /var/www/html/\*
4 /var/www/html/\*/\*
4 /var/www/html/\*/\*/\*
4 /var/www/html/\*/\*/\*/\*
but now, you can give just
4 @WEB-CONTENTS
if you give
path_group WEB-CONTENTS /var/www/html/\*
path_group WEB-CONTENTS /var/www/html/\*/\*
path_group WEB-CONTENTS /var/www/html/\*/\*/\*
path_group WEB-CONTENTS /var/www/html/\*/\*/\*/\*
in the exception policy.
This macro will be useful when grouping different directories.
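The reason four separate patterns are needed is that the '\*' wildcard does not cross a '/', so each pattern covers exactly one directory depth. The following is an added example, not code from the changelog or from the TOMOYO project: a small Python matcher for '\*' (assumed here to match zero or more characters other than '/'; the other backslash wildcards are not implemented) applied to the path_group lines from this entry and to a constructed domain policy for a hypothetical "<kernel> /usr/sbin/httpd" domain. The domain-policy layout and the numeric permission bits (4 = read, 2 = write, 1 = execute, so 6 = read and write) follow the 1.x format; the httpd domain and its second ACL are assumptions for the illustration.

```python
import re

# Constructed policy fragments for the illustration. The path_group lines are
# the ones from this changelog entry; the domain and its ACLs are hypothetical.
EXCEPTION_POLICY = r"""
path_group WEB-CONTENTS /var/www/html/\*
path_group WEB-CONTENTS /var/www/html/\*/\*
path_group WEB-CONTENTS /var/www/html/\*/\*/\*
path_group WEB-CONTENTS /var/www/html/\*/\*/\*/\*
"""

DOMAIN_POLICY = r"""
<kernel> /usr/sbin/httpd
4 @WEB-CONTENTS
6 /var/log/httpd/access_log
"""

READ, WRITE, EXECUTE = 4, 2, 1  # 1.x numeric permission bits (6 = read+write)


def pattern_to_regex(pattern):
    """Compile a TOMOYO-style pathname pattern.

    Assumed semantics: '\\*' matches zero or more characters other than '/'.
    Any other character, including a bare '*', is literal. Because '\\*'
    never crosses '/', one pattern covers exactly one directory depth.
    """
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("\\*", i):
            out.append("[^/]*")
            i += 2
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out))


def path_matches_pattern(path, pattern):
    return pattern_to_regex(pattern).fullmatch(path) is not None


def parse_path_groups(text):
    """Map group name -> list of patterns from 'path_group NAME PATTERN' lines."""
    groups = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "path_group":
            groups.setdefault(parts[1], []).append(parts[2])
    return groups


def parse_domain_policy(text, groups):
    """Map domainname -> list of (perm, pattern), expanding @GROUP references."""
    acls, domain = {}, None
    for line in text.splitlines():
        if line.startswith("<kernel>"):
            domain = line
            acls[domain] = []
        elif domain and line.strip():
            perm, target = line.split(None, 1)
            patterns = groups.get(target[1:], []) if target.startswith("@") else [target]
            acls[domain].extend((int(perm), p) for p in patterns)
    return acls


def is_allowed(acls, domain, perm, path):
    """True if some ACL of the domain grants every bit of `perm` on `path`."""
    return any((p & perm) == perm and path_matches_pattern(path, pat)
               for p, pat in acls.get(domain, []))


HTTPD = "<kernel> /usr/sbin/httpd"
ACLS = parse_domain_policy(DOMAIN_POLICY, parse_path_groups(EXCEPTION_POLICY))


def httpd_may(perm, path):
    """Access check for the hypothetical httpd domain against the policy above."""
    return is_allowed(ACLS, HTTPD, perm, path)
```

With the four-level group, a file five directories below /var/www/html is still denied; to go deeper you add another path_group line rather than touching every domain that references @WEB-CONTENTS.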
Fix 2006/12/15
@ Use structured pathnames instead of simple 'char *'.
To reduce the cost of strcmp(), I changed the return value of
SaveName() from 'const char *' to 'const struct path_info *'.
This change will speed up PathMatchesToPattern() comparison.
Fix 2006/12/19
@ Allow registering policy managers using domainnames.
It was difficult to restrict which programs may update policies
via the /proc/ccs/ interfaces by the pathnames of those programs,
because those programs could be invoked unintentionally.
Now it is possible to restrict which domains, as well as which
programs, may update policies via the /proc/ccs/ interfaces.
Restricting by domainname makes it easier to avoid unintended
invocation.
Fix 2006/12/22
@ Add initialize_domain, no_initialize_domain, no_keep_domain
To control domain transitions more strictly, the
initialize_domain, no_initialize_domain and no_keep_domain directives
were introduced.
"initialize_domain /some/program" means
jump to "<kernel> /some/program" domain if /some/program is
called from any domain.
This is equivalent to the conventional "initializer /some/program".
"initialize_domain /some/program from some_domain" means
jump to "<kernel> /some/program" domain only if /some/program is
called from "some_domain" domain.
"no_initialize_domain /some/program" means
don't jump to "<kernel> /some/program" domain even if
"initialize_domain /some/program" or
"initialize_domain /some/program from some_domain" are given
if /some/program is called from any domain.
"no_initialize_domain /some/program from some_domain" means
don't jump to "<kernel> /some/program" domain even if
"initialize_domain /some/program" or
"initialize_domain /some/program from some_domain" are given
if /some/program is called from "some_domain" domain.
"keep_domain some_domain" means don't jump to child domain
if any programs are called from "some_domain" domain.
"keep_domain /some/program from some_domain" means
don't jump to child domain only if /some/program is
called from "some_domain" domain.
"no_keep_domain some_domain" means
jump to child domain even if
"keep_domain /some/program" or
"keep_domain /some/program from some_domain" are given
if any programs are called from "some_domain" domain.
"no_keep_domain /some/program from some_domain" means
jump to child domain even if
"keep_domain /some/program" or
"keep_domain /some/program from some_domain" are given
if /some/program is called from "some_domain" domain.
"some_domain" can be just the last component of a domainname.
For example, giving "/bin/mail" as "some_domain" matches
all domains whose domainname ends with "/bin/mail".
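The rules above are easiest to check by resolving concrete transitions. The following is an added example, not the kernel's code or any TOMOYO tool: a Python resolver that parses the four directives in the forms described here and computes the domain a process lands in when it executes a program. Two points are assumptions of this model rather than statements of the entry: a "some_domain" that starts with "<kernel>" is taken as a full domainname (anything else is compared with the last component, as the entry says), and an applicable initialize_domain is checked before keep_domain, so it wins when both apply. The policy lines and domainnames are constructed for the illustration.

```python
# Directives in the forms described in this changelog entry. Each rule is kept
# as (directive, program, from_domain); program or from_domain may be None,
# meaning "any program" or "called from any domain".
DIRECTIVES = ("initialize_domain", "no_initialize_domain",
              "keep_domain", "no_keep_domain")


def parse_transition_rules(text):
    rules = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] not in DIRECTIVES:
            continue
        directive, rest = parts
        if " from " in rest:
            program, from_domain = rest.split(" from ", 1)
            rules.append((directive, program, from_domain))
        elif directive.endswith("initialize_domain"):
            rules.append((directive, rest, None))   # program, any caller domain
        else:
            rules.append((directive, None, rest))   # any program, this domain
    return rules


def domain_matches(domain, spec):
    """Assumption: a spec starting with '<kernel>' is a full domainname;
    otherwise it is compared with the last component of the domainname."""
    if spec.startswith("<kernel>"):
        return domain == spec
    return domain.split(" ")[-1] == spec


def rule_applies(rule, domain, program):
    _, prog, frm = rule
    return (prog is None or prog == program) and \
           (frm is None or domain_matches(domain, frm))


def next_domain(rules, domain, program):
    """Domain reached when a process in `domain` executes `program`."""
    def hit(name):
        return any(r[0] == name and rule_applies(r, domain, program) for r in rules)

    # Assumption: initialize_domain is consulted before keep_domain.
    if hit("initialize_domain") and not hit("no_initialize_domain"):
        return "<kernel> " + program
    if hit("keep_domain") and not hit("no_keep_domain"):
        return domain
    return domain + " " + program


# Constructed exception policy for the illustration.
POLICY = """
initialize_domain /usr/sbin/sendmail
no_initialize_domain /usr/sbin/sendmail from /bin/mail
keep_domain <kernel> /usr/sbin/sshd /bin/bash
no_keep_domain /usr/bin/sudo from <kernel> /usr/sbin/sshd /bin/bash
"""
RULES = parse_transition_rules(POLICY)


def resolve(domain, program):
    return next_domain(RULES, domain, program)
```

With this policy, sendmail normally gets its own "<kernel> /usr/sbin/sendmail" domain, except when launched by any "/bin/mail" domain, where it stays a child; the interactive sshd shell keeps its domain for everything it runs except sudo, which is forced into a child domain so it can carry its own, tighter ACLs.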
Fix 2007/01/19
@ Allow reuse of memory allocated for domain policy.
Domain policy, unlike other policies, didn't have an
"is_deleted" flag, so new memory was allocated
if deleted entries were given again.
To allow administrators to switch domain policy periodically,
I introduced an "is_deleted" flag.
Writing "some_domain" to /proc/ccs/policy/domain_policy
creates "some_domain" using new memory if it didn't exist.
Writing "select some_domain" doesn't create "some_domain"
if it didn't exist.
Writing "delete some_domain" deletes "some_domain"
but does not delete entries in "some_domain".
Writing "undelete some_domain" undeletes "some_domain"
if it was deleted by "delete some_domain".
Fix 2007/01/22
@ Allow getting already deleted pathnames.
To allow getting pathnames that have already been deleted,
I removed the (IS_ROOT(dentry) || !d_unhashed(dentry)) check.
Fix 2007/01/26
@ Limit string length to 4000.
I was using PAGE_SIZE (4096 in many environments)
as the max length of any string data.
But for environments that have a larger PAGE_SIZE,
doing memset(ptr, 0, PAGE_SIZE) every time is too wasteful.
Fix 2007/01/29
@ Add garbage collector for domain policy.
Writing "some_domain" to /proc/ccs/policy/domain_policy
now creates "some_domain" using new memory only if
some process is staying in that deleted domain.
If no process is staying in that deleted domain,
"some_domain" is undeleted with all its ACLs deleted.
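The 2007/01/19 and 2007/01/29 entries together define how the domain_policy interface behaves around deleted domains: "delete" keeps the ACLs, "undelete" brings them back, "select" never creates, and re-creating a deleted domain either reuses the entry with its ACLs cleared or, if a process is still staying in it, allocates a fresh one. The following is an added example, not kernel code: a Python model of those rules, with an allocation counter to make "new memory" versus "reused entry" observable. The enter/leave calls standing in for "a process is staying in that domain", the pid, and the domain and ACL lines are constructed for the illustration.

```python
class Domain:
    """One allocation of a domain entry; alloc_id distinguishes a reused entry
    from a fresh allocation."""

    def __init__(self, name, alloc_id):
        self.name = name
        self.alloc_id = alloc_id
        self.acls = []
        self.is_deleted = False


class DomainPolicyModel:
    """Model of writes to /proc/ccs/policy/domain_policy (not the kernel code)."""

    def __init__(self):
        self.domains = {}    # domainname -> entry that writes currently resolve to
        self.residents = {}  # pid -> Domain the process is staying in (assumption)
        self.current = None  # target of subsequent ACL lines
        self.allocated = 0

    def _allocate(self, name):
        self.allocated += 1
        self.domains[name] = Domain(name, self.allocated)
        return self.domains[name]

    def enter(self, pid, name):
        """A process starts staying in the domain (e.g. after exec)."""
        self.residents[pid] = self.domains[name]

    def leave(self, pid):
        self.residents.pop(pid)

    def write(self, line):
        """One line written to the domain_policy interface."""
        if line.startswith("select "):
            self.current = self.domains.get(line[len("select "):])  # never creates
        elif line.startswith("delete "):
            d = self.domains.get(line[len("delete "):])
            if d is not None:
                d.is_deleted = True               # entries (ACLs) are kept
        elif line.startswith("undelete "):
            d = self.domains.get(line[len("undelete "):])
            if d is not None and d.is_deleted:
                d.is_deleted = False
        elif line.startswith("<kernel>"):
            d = self.domains.get(line)
            if d is None:
                d = self._allocate(line)
            elif d.is_deleted:
                if any(r is d for r in self.residents.values()):
                    d = self._allocate(line)      # a process still lives in the old one
                else:
                    d.is_deleted = False          # reuse the entry, ACLs cleared
                    d.acls.clear()
            self.current = d
        elif self.current is not None:
            self.current.acls.append(line)


def scenario():
    """Walk the edge cases and return what an administrator would observe."""
    m = DomainPolicyModel()
    name = "<kernel> /usr/sbin/httpd"
    m.write(name)
    m.write("4 /etc/hosts")
    first = m.current
    m.enter(100, name)                 # constructed pid staying in the domain
    m.write("delete " + name)
    kept = (first.is_deleted, list(first.acls))
    m.write("undelete " + name)
    restored = (first.is_deleted, list(first.acls))
    m.write("delete " + name)
    m.write(name)                      # re-create while pid 100 still stays there
    second = m.current
    m.write("4 /var/www/html/index.html")
    m.leave(100)
    m.write("delete " + name)
    m.write(name)                      # nobody stays there: the entry is reused
    third = m.current
    m.write("select <kernel> /usr/sbin/nothing")
    return {
        "kept": kept, "restored": restored,
        "fresh": second is not first, "second_id": second.alloc_id,
        "reused": third is second, "third_acls": list(third.acls),
        "select_creates": "<kernel> /usr/sbin/nothing" in m.domains,
    }
```

The practical consequence for periodic policy switching is that a "delete" followed by re-writing the domain is only a cheap in-place reset when no process is left in the old domain; lingering processes keep the old entry, and its old ACLs, alive.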
Version 1.3.2 2007/02/14 Usability enhancement release.