TOMOYO Linux

TOMOYO Linux is an extension for the Linux kernel to provide mandatory access control (MAC) functions. It is provided in the form of patches to the Linux vanilla kernel and utilities for policy management.

Supported Platforms:

# Fedora 11/12/13/14
# CentOS 3/4/5/6
# Debian Etch/Lenny/Squeeze
# OpenSUSE 11.0/11.1/11.2/11.3/11.4
# Asianux 2/3
# Ubuntu 6.06/8.04/8.10/9.04/9.10/10.04/10.10/11.04
# Vine Linux 4.2/5.2
# Gentoo
# Hardened Gentoo
# Nature's Linux 1.6
# Turbolinux
# MandrivaLinux
# Pax/GrSecurity
# Meego
# Android
# Armadillo-9
# CAT760

What is new in this release:

• Fix 2011/09/25
• @ Simplify garbage collector.
• It turned out that use of batched processing tends to choke garbage
• collector when certain pattern of entries are queued. Thus, I replaced it
• with sequential processing.
• Fix 2011/09/16
• @ Allow specifying domain transition preference.
• I got an opinion that it is difficult to use exception policy's domain
• transition control directives because they need to match the pathname
• specified to "file execute" directives. For example, if "file execute
• /bin/\*\-ls\-cat" is given, corresponding domain transition control
• directive needs to be like "no_keep_domain /bin/\*\-ls\-cat from any".
• To solve this difficulty, I introduced optional argument that supersedes
• exception policy's domain transition control directives.
• file execute /bin/ls keep exec.realpath="/bin/ls" exec.argv[0]="ls"
• file execute /bin/cat keep exec.realpath="/bin/cat" exec.argv[0]="cat"
• file execute /bin/\*\-ls\-cat child
• file execute /usr/sbin/httpd exec.realpath="/usr/sbin/httpd" exec.argv[0]="/usr/sbin/httpd"
• This argument allows transition to different domains based on conditions.
• /usr/sbin/sshd
• file execute /bin/bash /usr/sbin/sshd //batch-session exec.argc=2 exec.argv[1]="-c"
• file execute /bin/bash /usr/sbin/sshd //root-session task.uid=0
• file execute /bin/bash /usr/sbin/sshd //nonroot-session task.uid!=0

What is new in version 1.8.2:

• Remove unused "struct inode *" parameter from ccs-patch-\*.diff .
• Allow specifying trigger for activation.
• Add policy namespace support.
• Remove CONFIG_CCSECURITY_BUILTIN_INITIALIZERS option.

What is new in version 1.8.1:

• Several bugs were fixed.
• A new feature to protect the Android environment from privilege escalation was added.
• Support for packed policy format was added.
• The garbage collector was modified so as not to wait for /proc/ccs/ users.
• As a result, memory reclamation can start earlier.

What is new in version 1.8.0-p3:

• Fix infinite loop bug when reading /proc/ccs/audit or /proc/ccs/query .
• @ Use filesystem name for unnamed devices when vfsmount is missing.
• @ Split ccs_null_security into ccs_default_security and ccs_oom_security.
• @ Use same interface for audit logs.

What is new in version 1.8.0-20110207:

• Fix infinite loop bug when reading /proc/ccs/audit or /proc/ccs/query . In ccs_flush(), head->r.w[0] holds pointer to string data to be printed. But head->r.w[0] was updated only when the string data was partially printed (because head->r.w[0] will be updated by head->r.w[1] later if completely printed). However, regarding /proc/ccs/audit and /proc/ccs/query , an additional '\0' is printed after the string data was completely printed. But if free space for read buffer became 0 before printing the additional '\0', ccs_flush() was returning without updating head->r.w[0]. As a result, ccs_flush() forever reprints already printed string data.

What is new in version 1.6.7:

• A severe memory consumption problem was discovered in ccs-patch-1.6.5-20081111.tar.gz .
• http://lists.sourceforge.jp/mailman/archives/tomoyo-users-en/2008-December/000011.html
• Those who downloaded ccs-patch-1.6.5-20081111.tar.gz , please update to ccs-patch-1.6.6-20090202.tar.gz .

What is new in version 1.6.6:

• This release fixes 3 bugs that existed in versions 1.6.0 to 1.6.5.

What is new in version 1.6.5:

• This third anniversary release fixes many bugs and includes many enhancements.