A security module for analyzing and protecting systems

TOMOYO Linux is a mandatory access control (MAC) implementation for Linux. It is a tool that can be used not only to harden a system but also to analyze it. The project started in March 2003 and was sponsored by NTT DATA Corporation until March 2012.

TOMOYO Linux focuses on the behaviour of the system. A process is created to achieve some purpose. TOMOYO Linux can make each process report, like an immigration officer would, the behaviours and resources it needs to achieve that purpose. By enabling protection mode, it can also, like an operations monitor, permit only the behaviours and resource accesses that the system administrator has approved.
Fix 2006/01/04
@ Add CheckWritePermission() check in unix_bind().
I modified it to check write permission in unix_bind(), for
sys_mknod(S_IFSOCK) checks write permission.
@ Show hook version in proc_misc_init().
The hook part of this patch depends on the kernel's version,
while the rest of this patch doesn't.
I added the hook version so that the administrator can
know the last modified date of the hooks.
@ Move permission checks from filp_open() to open_namei().
I moved the location of checking MAC's permission
from filp_open() to open_namei().
@ Fix an error in filp_open(). (only 2.6.15-rc5)
This error was only in the patch 2.6.15-rc5 and
was fixed in the patch for 2.6.15.
Fix 2006/01/12
@ Add /proc/ccs/info/self_domain.
I added /proc/ccs/info/self_domain so that userland programs
can know the name of the domain they belong to, if necessary.
Fix 2006/01/13
@ Merge constants for CheckTaskCapability().
I merged *_INHERITABLE_* and *_LOCAL_* to avoid always
calling CheckTaskCapability() with both constants.
@ DropTaskCapability() returns -EAGAIN on success.
DropTaskCapability() must not return 0 on success, for
DropTaskCapability() is called from do_execve().
@ Fix an error for chroot() permission check.
The chroot() restriction was not working due to the following mistake.
CheckChRootPermission() || CheckTaskCapability() returns 0 or 1, while
CheckChRootPermission() | CheckTaskCapability() returns 0 or -EPERM.
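The `||` versus `|` mistake from the chroot() entry above, as an added example that is not part of the original changelog or of TOMOYO's code: the two check functions are constructed stand-ins that return 0 or -EPERM as the entry describes, and `looks_like_denial()` assumes the usual kernel convention that only a negative return value is an error code.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed stand-ins for the two TOMOYO checks, not the real kernel
 * functions: each returns 0 when permitted and -EPERM when denied, which is
 * the pair of values the changelog entry describes. */
static int CheckChRootPermission(int path_permitted)
{
    return path_permitted ? 0 : -EPERM;
}

static int CheckTaskCapability(int capability_permitted)
{
    return capability_permitted ? 0 : -EPERM;
}

/* The mistaken combination: logical OR yields only 0 or 1, so a denial
 * comes back as 1, which is not a negative errno value. */
int chroot_check_buggy(int path_permitted, int capability_permitted)
{
    return CheckChRootPermission(path_permitted) ||
           CheckTaskCapability(capability_permitted);
}

/* The fixed combination: bitwise OR keeps -EPERM, because 0 | -EPERM and
 * -EPERM | -EPERM are both -EPERM. This only works because both checks
 * return the same errno; OR-ing two different negative errno values would
 * produce a third, unrelated value. */
int chroot_check_fixed(int path_permitted, int capability_permitted)
{
    return CheckChRootPermission(path_permitted) |
           CheckTaskCapability(capability_permitted);
}

/* Assumed kernel-style reading of a return value: negative means an errno
 * to propagate, zero means success. A stray positive 1 is not a denial. */
int looks_like_denial(int rc)
{
    return rc < 0;
}

int main(void)
{
    /* Path denied, capability permitted: only the fixed form reports it. */
    printf("buggy: %d denial=%d\n", chroot_check_buggy(0, 1),
           looks_like_denial(chroot_check_buggy(0, 1)));
    printf("fixed: %d denial=%d\n", chroot_check_fixed(0, 1),
           looks_like_denial(chroot_check_fixed(0, 1)));
    return 0;
}
```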
Fix 2006/01/17
@ Suppress some of the debug messages in TOMOYO.
I added KERN_DEBUG to suppress some of the debug messages.
Fix 2006/01/19
@ Remove isRoot() checks in AddChrootACL() and AddMountACL().
I found a program that needs to chroot as non-root.
So, I stopped checking uid=euid=0 in these functions so that
"accept mode" can append ACLs.
isRoot() is still checked in AddChrootPolicy() and AddMountPolicy().
@ Map NULL device name to "<NULL>" in AddMountACL().
VMware mounts vmware-hgfs with NULL device name.
So I mapped the NULL device name to "<NULL>".
Fix 2006/01/20
@ Suppress some of the debug messages in SAKURA.
I added KERN_DEBUG to suppress some of the debug messages.
@ Call panic() if loading the given profile failed.
Call panic() if a profile index was given via the CCS= parameter
but the profile doesn't exist.
If the CCS= parameter is not given, the kernel attempts to load
profile 0, but it doesn't call panic() if profile 0 doesn't exist.
Fix 2006/01/24
@ Use full_name_hash() for IsGloballyReadableFile().
I modified it to use full_name_hash() for faster scanning.
@ Add signal checking condition in CheckSignalACL().
The documentation says "if the target domain's domainname
starts with the source domain's domainname, it is always granted"
but actually it isn't. I'll change the documentation instead of
changing the source code.
Also, checking for pid = -1 was missing. This error was fixed.
Fix 2006/02/09
@ Use mutex_lock()/mutex_unlock() instead of down()/up().
Kernel 2.6.16 changed members of "struct inode".
I modified the code to use mutex_lock()/mutex_unlock() for 2.6.16 and later
and down()/up() for kernels before 2.6.16.
Version 1.0.2 2006/02/14 Release with many bug fixes.