A security module for analysing and protecting systems. TOMOYO Linux is an implementation of Mandatory Access Control (MAC) for Linux: a tool that can be used not only to harden a system but also to analyse its behaviour. The project started in March 2003 and was sponsored by NTT DATA Corporation until March 2012.
TOMOYO Linux focuses on the behaviour of the system. Every process is created to achieve some purpose. Like an immigration officer, TOMOYO Linux can make each process report the behaviours and resources it needs in order to achieve that purpose. When protection mode is enabled it can also, like an operations monitor, permit only those behaviours and resource accesses that the system administrator has approved.
Fix 2006/07/14
@ Change behavior of pathname pattern matching.
Until now, patterns like "\*.txt" could not be used,
because "\*" consumed zero or more characters up to the next '/'.
Now, "\*" matches zero or more characters.
Until now, patterns like "\$00" could not be used,
because "\$" consumed one or more digits up to the next
non-digit character.
Now, "\$" matches one or more digits.
Also, the new patterns "\x", "\X", "\a", "\A" and "\@" are added.
Fix 2006/07/21
@ Add CONFIG_TOMOYO_NETWORK option.
Until now, only the port numbers for TCP and UDP were controllable.
Now, the combination of IPv4/IPv6 address and port number
for TCP and UDP is controllable.
CONFIG_TOMOYO_NETWORKPORT is now obsolete.
Fix 2006/07/25
@ Change matching rule for CheckFileACL().
Until now, only the first entry that matched the requested pathname
was used for permission checking. For example, if the two entries
"2 /tmp/file-\$.txt"
"4 /tmp/fil\?-0.txt"
are given in this order and the requested pathname is "/tmp/file-0.txt",
"2 /tmp/file-\$.txt" is used. But if the two entries
"4 /tmp/fil\?-0.txt"
"2 /tmp/file-\$.txt"
are given in this order, "4 /tmp/fil\?-0.txt" is used.
This can cause trouble because the result of a
permission check depends on the order of the entries.
Now, all entries that match the requested pathname
are used for permission checking, so the result of a
permission check no longer depends on the order of the entries.
Fix 2006/07/27
@ Support RAW IPv4/IPv6 control.
Some programs such as 'ping' and 'traceroute' use raw IP sockets.
Now, the combination of IPv4/IPv6 address and protocol numbers
for IP is controllable.
Fix 2006/08/04
@ Add filename and argv[0] comparison check.
The domain transition was done based on the filename passed to do_execve(),
while the program's behaviour was decided by argv[0].
There is no problem if the program is argv[0]-unaware.
But if it is argv[0]-aware, access control can be bypassed: the process
transits to a trusted domain but behaves as a different program.
For example, when the administrator specifies the domain for /bin/ls as
trusted but both /bin/ls and /bin/cat are links to /sbin/busybox ,
a cracker can run /bin/cat in the trusted domain if the cracker
succeeds in invoking do_execve() with filename = "/bin/ls" and
argv[0] = "/bin/cat".
I introduced a keyword that permits a mismatch between the
basename of the filename and argv[0].
Fix 2006/08/10
@ Support ID based condition checks.
It was impossible to use process IDs (uid, gid and so on) when
checking an individual domain ACL entry.
Now process IDs can be used when checking an individual
domain ACL entry. For example,
"1 /bin/sh if task.euid!=0"
allows the domain to execute /bin/sh only when the process's euid
is not 0, and
"6 /home/\*/\* if task.uid=path1.uid"
allows the domain to read and write the user's home directory
only when the file's owner matches the process's uid.
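The following Python is an added example, not TOMOYO's own implementation, of the ID-based conditions described above. It splits a domain ACL line into its permission, pathname and "if" condition, then evaluates the condition against the attributes of the requesting task and of the target file. The page shows only "=" and "!=" with the operands task.uid, task.euid and path1.uid; the assumption here is that several clauses may follow "if" separated by spaces and must all hold, and that task.gid/task.egid and path1.gid are resolved the same way. The Task and PathAttrs classes and the sample values are constructed for this example.

```python
from dataclasses import dataclass, fields


@dataclass
class Task:
    """Credentials of the requesting process (constructed stand-in)."""
    uid: int
    gid: int
    euid: int
    egid: int


@dataclass
class PathAttrs:
    """Ownership of the target file, referred to as path1 in the condition."""
    uid: int
    gid: int


def parse_acl_entry(line):
    """Split '6 /home/\\*/\\* if task.uid=path1.uid' into (perm, pathname, condition).

    The condition is None when the entry carries no 'if' part.  TOMOYO encodes
    spaces inside pathnames as \\040, so splitting on a bare space is safe.
    """
    head, _, cond = line.strip().partition(" if ")
    perm_str, _, pathname = head.partition(" ")
    if not perm_str.isdigit() or not pathname:
        raise ValueError(f"malformed ACL entry: {line!r}")
    return int(perm_str), pathname, (cond.strip() or None)


def _resolve(operand, task, path1):
    """Turn 'task.euid', 'path1.uid' or a decimal literal into an integer."""
    if operand.isdigit():
        return int(operand)
    obj, _, attr = operand.partition(".")
    scope = {"task": task, "path1": path1}.get(obj)
    # Only declared dataclass fields are addressable, so a condition cannot
    # reach arbitrary Python attributes of the objects.
    if scope is None or attr not in {f.name for f in fields(scope)}:
        raise ValueError(f"unknown operand: {operand!r}")
    return getattr(scope, attr)


def condition_holds(condition, task, path1=None):
    """Evaluate the text after 'if'; every space-separated clause must hold.

    Supported comparisons are '=' and '!='.  '!=' is tested first because
    it contains '='.
    """
    for clause in condition.split():
        if "!=" in clause:
            lhs, rhs = clause.split("!=", 1)
            if _resolve(lhs, task, path1) == _resolve(rhs, task, path1):
                return False
        elif "=" in clause:
            lhs, rhs = clause.split("=", 1)
            if _resolve(lhs, task, path1) != _resolve(rhs, task, path1):
                return False
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
    return True


def entry_applies(line, task, path1=None):
    """(perm, pathname) if the entry's condition holds for this task, else None."""
    perm, pathname, cond = parse_acl_entry(line)
    if cond is not None and not condition_holds(cond, task, path1):
        return None
    return perm, pathname


# Constructed sample credentials: an ordinary user and root.
USER = Task(uid=1000, gid=1000, euid=1000, egid=1000)
ROOT = Task(uid=0, gid=0, euid=0, egid=0)
OWN_FILE = PathAttrs(uid=1000, gid=1000)
OTHER_FILE = PathAttrs(uid=1001, gid=1001)

if __name__ == "__main__":
    shell = r"1 /bin/sh if task.euid!=0"
    home = r"6 /home/\*/\* if task.uid=path1.uid"
    print("user may exec sh:", entry_applies(shell, USER) is not None)
    print("root may exec sh:", entry_applies(shell, ROOT) is not None)
    print("user rw own file:", entry_applies(home, USER, OWN_FILE) is not None)
    print("user rw other's :", entry_applies(home, USER, OTHER_FILE) is not None)
```

Matching the pathname against the entry's pattern is a separate step that precedes the condition check; this block only decides whether the "if" part lets an already-matching entry count.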
Fix 2006/08/22
@ Fix ROUNDUP() in fs/realpath.c .
Alignment using sizeof(int) may be inappropriate for 64-bit environments.
I changed it to use the larger size of 'void *' and 'long'
instead of 'int'.
In environments where sizeof(int) = sizeof(long) = sizeof(void *),
this change has no effect.
Version 1.2 2006/09/03 Functionality enhancement release.
Fix 2006/09/30
@ Fix CheckFilePerm() in fs/tomoyo_file.c .
path_release() was called too early.