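Download List

Project Overview

A security module for analyzing and protecting systems. TOMOYO Linux is an implementation of mandatory access control (MAC) for Linux. It can be used to raise the security of a system, and it is also a tool for analyzing a system. The project started in March 2003 and was developed with NTT DATA Corporation as its sponsor until March 2012.

TOMOYO Linux focuses on the behavior of a system. Every process is created to achieve some purpose. Like an immigration officer, TOMOYO Linux can make each process report the behaviors and resources it needs to achieve that purpose. When protection mode is enabled, it can also act like an operation watchdog and permit only the behaviors and resource accesses approved by the system administrator.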

Release time: 2007-02-14 00:00
ccs-patch 1.3.2-20070214 (2 files)

Changelog

Fix 2006/12/10

@ Allow pathname grouping.

To reduce the labor of repeating '/\*' to allow access recursively,
I introduced a macro 'path_group' to group such pathnames.
For example, you had to give like

4 /var/www/html/\*
4 /var/www/html/\*/\*
4 /var/www/html/\*/\*/\*
4 /var/www/html/\*/\*/\*/\*

but now, you can give just

4 @WEB-CONTENTS

if you give

path_group WEB-CONTENTS /var/www/html/\*
path_group WEB-CONTENTS /var/www/html/\*/\*
path_group WEB-CONTENTS /var/www/html/\*/\*/\*
path_group WEB-CONTENTS /var/www/html/\*/\*/\*/\*

in the exception policy.
This macro will be useful when grouping different directories.
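
The expansion described in this entry, as an added example that is not part of the TOMOYO Linux code: it loads the path_group lines, expands "4 @WEB-CONTENTS" into its member patterns and checks paths against them. It assumes that '\*' matches any run of characters inside one path component; the function names are hypothetical.

```python
import re

# Constructed exception policy: the four path_group lines from the entry above.
EXCEPTION_POLICY = r"""
path_group WEB-CONTENTS /var/www/html/\*
path_group WEB-CONTENTS /var/www/html/\*/\*
path_group WEB-CONTENTS /var/www/html/\*/\*/\*
path_group WEB-CONTENTS /var/www/html/\*/\*/\*/\*
"""
# Constructed domain ACL: one line on the group instead of four pathname lines.
DOMAIN_ACL = ["4 @WEB-CONTENTS"]

def load_groups(policy):
    """Collect 'path_group NAME PATTERN' lines into {NAME: [PATTERN, ...]}."""
    groups = {}
    for line in policy.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "path_group":
            groups.setdefault(parts[1], []).append(parts[2])
    return groups

def pattern_to_regex(pattern):
    # Assumption: '\*' never crosses a '/' boundary.
    literal_parts = pattern.split(r"\*")
    return re.compile("[^/]*".join(re.escape(p) for p in literal_parts) + r"\Z")

def expand(acl, groups):
    """Replace each '@GROUP' entry by the group's member patterns."""
    expanded = []
    for entry in acl:
        perm, target = entry.split(None, 1)
        members = groups.get(target[1:], []) if target.startswith("@") else [target]
        expanded += [(perm, member) for member in members]
    return expanded

def allowed(path, acl, groups):
    """True if any expanded pattern matches the whole path."""
    return any(pattern_to_regex(p).match(path) for _, p in expand(acl, groups))

if __name__ == "__main__":
    groups = load_groups(EXCEPTION_POLICY)
    for path in ("/var/www/html/index.html", "/var/www/html/a/b/c/d/e.html"):
        print(path, allowed(path, DOMAIN_ACL, groups))
```

The group covers only the depths that were listed: a file five directories below /var/www/html is still denied until a fifth pattern is added to the group.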

Fix 2006/12/15

@ Use structured pathnames instead of simple 'char *'.

To reduce the cost of strcmp(), I changed the return value of
SaveName() from 'const char *' to 'const struct path_info *'.
This change will speed up PathMatchesToPattern() comparison.

Fix 2006/12/19

@ Allow registering policy managers using domainnames.

It was difficult to restrict programs that can update policies
via /proc/ccs/ interfaces using pathnames of these programs, for
these programs could be unintendedly invoked.
Now, it became possible to restrict domains that can update policies
via /proc/ccs/ interfaces as well as programs.
By restricting using domainnames, it becomes easier to avoid
unintended invocation.

Fix 2006/12/22

@ Add initialize_domain, no_initialize_domain, no_keep_domain.

To control domain transitions more strictly,
initialize_domain, no_initialize_domain, no_keep_domain directives
were introduced.

"initialize_domain /some/program" means
jump to "<kernel> /some/program" domain if /some/program is
called from any domain.
This is equivalent to conventional "initializer /some/program".

"initialize_domain /some/program from some_domain" means
jump to "<kernel> /some/program" domain only if /some/program is
called from "some_domain" domain.

"no_initialize_domain /some/program" means
don't jump to "<kernel> /some/program" domain even if
"initialize_domain /some/program" or
"initialize_domain /some/program from some_domain" are given
if /some/program is called from any domain.

"no_initialize_domain /some/program from some_domain" means
don't jump to "<kernel> /some/program" domain even if
"initialize_domain /some/program" or
"initialize_domain /some/program from some_domain" are given
if /some/program is called from "some_domain" domain.

"keep_domain some_domain" means don't jump to child domain
if any programs are called from "some_domain" domain.

"keep_domain /some/program from some_domain" means
don't jump to child domain only if /some/program is
called from "some_domain" domain.

"no_keep_domain some_domain" means
jump to child domain even if
"keep_domain /some/program" or
"keep_domain /some/program from some_domain" are given
if any programs are called from "some_domain" domain.

"no_keep_domain /some/program from some_domain" means
jump to child domain even if
"keep_domain /some/program" or
"keep_domain /some/program from some_domain" are given
if /some/program is called from "some_domain" domain.

"some_domain" can be just the last component of the domainname.
For example, giving "/bin/mail" as "some_domain" matches
all domains whose domainname ends with "/bin/mail".
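
The directive semantics listed in this entry, as an added example that is not the project's own code: it resolves the next domain for a program execution from a constructed rule set. Two points are assumptions not stated in the entry: initialize_domain is evaluated before keep_domain, and a child domain is named by appending the program path to the current domain name.

```python
KERNEL = "<kernel>"

def parse(lines):
    """Turn 'directive program [from domain]' / 'keep_domain domain' into tuples."""
    rules = []
    for line in lines:
        kw, rest = line.split(None, 1)
        if " from " in rest:
            program, domain = rest.split(" from ", 1)
        elif kw.endswith("initialize_domain"):
            program, domain = rest, None       # called from any domain
        else:
            program, domain = None, rest       # any program run from this domain
        rules.append((kw, program, domain))
    return rules

def domain_matches(rule_domain, current):
    if rule_domain is None:
        return True
    if rule_domain.startswith(KERNEL):
        return rule_domain == current          # full domainname given
    return current.split()[-1] == rule_domain  # last component only

def applies(rules, kw, program, current):
    return any(k == kw and p in (None, program) and domain_matches(d, current)
               for k, p, d in rules)

def next_domain(rules, current, program):
    # Assumption: initialize_domain is checked first, then keep_domain.
    if (applies(rules, "initialize_domain", program, current)
            and not applies(rules, "no_initialize_domain", program, current)):
        return f"{KERNEL} {program}"
    if (applies(rules, "keep_domain", program, current)
            and not applies(rules, "no_keep_domain", program, current)):
        return current
    return f"{current} {program}"              # assumed child-domain naming

# Constructed exception policy for illustration.
RULES = parse([
    "initialize_domain /usr/sbin/sshd",
    "no_initialize_domain /usr/sbin/sshd from /bin/mail",
    "keep_domain <kernel> /usr/sbin/sshd /bin/bash",
    "no_keep_domain /usr/bin/passwd from /bin/bash",
])

if __name__ == "__main__":
    shell = "<kernel> /usr/sbin/sshd /bin/bash"
    for cur, prog in [("<kernel> /sbin/init", "/usr/sbin/sshd"),
                      (shell, "/bin/ls"), (shell, "/usr/bin/passwd")]:
        print(f"{cur!r} runs {prog} -> {next_domain(RULES, cur, prog)!r}")
```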

Fix 2007/01/19

@ Allow reuse of memory allocated for domain policy.

Domain policy, unlike other policies, didn't have an
"is_deleted" flag, and new memory was allocated
if deleted entries were given again.
But to allow administrators to switch domain policy periodically,
I introduced an "is_deleted" flag.

Writing "some_domain" to /proc/ccs/policy/domain_policy
creates "some_domain" using new memory if it didn't exist.

Writing "select some_domain" doesn't create "some_domain"
if it didn't exist.

Writing "delete some_domain" deletes "some_domain"
but does not delete entries in "some_domain".

Writing "undelete some_domain" undeletes "some_domain"
if it was deleted by "delete some_domain".

Fix 2007/01/22

@ Allow getting already deleted pathnames.

To allow getting pathnames that are already deleted,
I removed (IS_ROOT(dentry) || !d_unhashed(dentry)) check.

Fix 2007/01/26

@ Limit string length to 4000.

I was using PAGE_SIZE (4096 in many environments)
as the max length of any string data.
But for environments that have larger PAGE_SIZE,
doing memset(ptr, 0, PAGE_SIZE) every time is too wasteful.

Fix 2007/01/29

@ Add garbage collector for domain policy.

Writing "some_domain" to /proc/ccs/policy/domain_policy
creates "some_domain" using new memory only if
some process is staying at that deleted domain.
If no process is staying at that deleted domain,
"some_domain" is undeleted with all ACLs deleted.

Version 1.3.2 2007/02/14 Usability enhancement release.