2009-04-10 11:52:02

by Tetsuo Handa

Subject: [TOMOYO 1/2] tomoyo: add Documentation/tomoyo.txt

Signed-off-by: Kentaro Takeda <[email protected]>
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: Toshiharu Harada <[email protected]>
---
Documentation/tomoyo.txt | 52 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 52 insertions(+)

--- /dev/null
+++ linux-2.6.30-rc1/Documentation/tomoyo.txt
@@ -0,0 +1,52 @@
+--- What is TOMOYO? ---
+
+TOMOYO is a name-based MAC extension (LSM module) for the Linux kernel.
+
+LiveCD-based tutorials are available at
+http://tomoyo.sourceforge.jp/en/1.6.x/1st-step/ubuntu8.04-live/
+http://tomoyo.sourceforge.jp/en/1.6.x/1st-step/centos5-live/ .
+Though these tutorials use non-LSM version of TOMOYO, they are useful for you
+to know what TOMOYO is.
+
+--- How to enable TOMOYO? ---
+
+Build the kernel with CONFIG_SECURITY_TOMOYO=y and pass "security=tomoyo" to
+kernel's command line.
+
+Please see http://tomoyo.sourceforge.jp/en/2.2.x/ for details.
+
+--- Where are documentations? ---
+
+Materials we prepared for seminars and symposiums are available at
+http://sourceforge.jp/projects/tomoyo/docs/?category_id=532&language_id=1 .
+Below lists are chosen from three aspects.
+
+What is TOMOYO?
+ TOMOYO Linux Overview
+ http://sourceforge.jp/projects/tomoyo/docs/lca2009-takeda.pdf
+ TOMOYO Linux: pragmatic and manageable security for Linux
+ http://sourceforge.jp/projects/tomoyo/docs/freedomhectaipei-tomoyo.pdf
+ TOMOYO Linux: A Practical Method to Understand and Protect Your Own Linux Box
+ http://sourceforge.jp/projects/tomoyo/docs/PacSec2007-en-no-demo.pdf
+
+What can TOMOYO do?
+ Deep inside TOMOYO Linux
+ http://sourceforge.jp/projects/tomoyo/docs/lca2009-kumaneko.pdf
+ The role of "pathname based access control" in security.
+ http://sourceforge.jp/projects/tomoyo/docs/lfj2008-bof.pdf
+
+History of TOMOYO?
+ Realities of Mainlining
+ http://sourceforge.jp/projects/tomoyo/docs/lfj2008.pdf
+
+--- What is future plan? ---
+
+We believe that inode based security and name based security are complementary
+and both should be used together. But unfortunately, so far, we cannot enable
+multiple LSM modules at the same time. We feel sorry that you have to give up
+SELinux/SMACK/AppArmor etc. when you want to use TOMOYO.
+
+We hope that LSM becomes stackable in future. Meanwhile, you can use non-LSM
+version of TOMOYO, available at http://tomoyo.sourceforge.jp/en/1.6.x/ .
+LSM version of TOMOYO is a subset of non-LSM version of TOMOYO. We are planning
+to port non-LSM version's functionalities to LSM versions.
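
Review bot: In the "How to enable TOMOYO?" section, the instructions end at CONFIG_SECURITY_TOMOYO=y and "security=tomoyo" and leave everything after boot to the external 2.2.x URL, so a reader with only the kernel tree cannot tell what, if anything, must be set up before the module does something useful. Suggest adding a sentence or two in the file itself on what to do after booting with security=tomoyo, or stating explicitly that the linked page covers those steps. The same applies to "Where are documentations?", which lists only seminar and symposium material hosted outside the tree.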

--


2009-04-10 12:27:16

by Peter Dolding

Subject: Re: [TOMOYO 1/2] tomoyo: add Documentation/tomoyo.txt

> +
> +We believe that inode based security and name based security are complementary
> +and both should be used together. But unfortunately, so far, we cannot enable
> +multiple LSM modules at the same time. We feel sorry that you have to give up
> +SELinux/SMACK/AppArmor etc. when you want to use TOMOYO.
> +
> +We hope that LSM becomes stackable in future. Meanwhile, you can use non-LSM
> +version of TOMOYO, available at http://tomoyo.sourceforge.jp/en/1.6.x/ .
> +LSM version of TOMOYO is a subset of non-LSM version of TOMOYO. We are planning
> +to port non-LSM version's functionalities to LSM versions.
>
If you go back through the mailing list you will find stackable has
been debated at length many times.

AppArmor and Tomoyo are both name based. So unlikely you would want
both at the same time.

LSM exists mostly because designers of security systems could not
decide on the 1 default Linux should have.

For inode and name based security the question should be can Tomoyo
merge with the other LSM modules in a way that avoids stacking.

Smack and Selinux are sharing code in places with each other. Really
there are only 3 currently active developed LSM's: Smack, Selinux and
Tomoyo. Merge could basically get us down to 1 with 3 different
configure processing engines. I have not seen apparmor patches that
bring it up to using the secure way of doing name based security.
Could have missed it.

Smack and Selinux both have not contained name based because there was
no secure way to do it. Due to Tomoyo team's work that has changed. So
both Smack and Selinux really need to look at their position on
supporting name based. I agree it would be a gain if Smack and
Selinux supported name based.

Major reason for not allowing multiple LSM's is the risk that one
might interfere incorrectly with the others' operation. This is why
merging is fine. Since the new method would have to be integrated at
development time into 1 LSM so there could not be conflicts.

Peter Dolding

2009-04-10 17:07:47

by Pavel Machek

Subject: Re: [TOMOYO 1/2] tomoyo: add Documentation/tomoyo.txt

On Wed 2009-04-08 22:31:27, Tetsuo Handa wrote:
> Signed-off-by: Kentaro Takeda <[email protected]>
> Signed-off-by: Tetsuo Handa <[email protected]>
> Signed-off-by: Toshiharu Harada <[email protected]>

Could we get a user<->kernel interface documentation?

> +--- How to enable TOMOYO? ---
> +
> +Build the kernel with CONFIG_SECURITY_TOMOYO=y and pass "security=tomoyo" to
> +kernel's command line.

"on kernel's" ?

> +--- Where are documentations? ---

"Where is documentation?"

Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

2009-04-13 02:06:25

by Tetsuo Handa

Subject: Re: [TOMOYO 1/2] tomoyo: add Documentation/tomoyo.txt

Hello.

Pavel Machek wrote:
> Could we get a user<->kernel interface documentation?

It is at http://tomoyo.sourceforge.jp/en/2.2.x/policy-reference.html .

> > +--- How to enable TOMOYO? ---
> > +
> > +Build the kernel with CONFIG_SECURITY_TOMOYO=y and pass "security=tomoyo" to
> > +kernel's command line.
>
> "on kernel's" ?
>
> > +--- Where are documentations? ---
>
> "Where is documentation?"

Updated. Thanks.

James, please apply the below updated one and the one at http://lkml.org/lkml/2009/4/10/170 (Subject: [TOMOYO 2/2] tomoyo: version bump to 2.2.0.).
----------
Subject: tomoyo: add Documentation/tomoyo.txt

Signed-off-by: Kentaro Takeda <[email protected]>
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: Toshiharu Harada <[email protected]>
---
Documentation/tomoyo.txt | 55 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 55 insertions(+)

--- /dev/null
+++ linux-2.6.30-rc1/Documentation/tomoyo.txt
@@ -0,0 +1,55 @@
+--- What is TOMOYO? ---
+
+TOMOYO is a name-based MAC extension (LSM module) for the Linux kernel.
+
+LiveCD-based tutorials are available at
+http://tomoyo.sourceforge.jp/en/1.6.x/1st-step/ubuntu8.04-live/
+http://tomoyo.sourceforge.jp/en/1.6.x/1st-step/centos5-live/ .
+Though these tutorials use non-LSM version of TOMOYO, they are useful for you
+to know what TOMOYO is.
+
+--- How to enable TOMOYO? ---
+
+Build the kernel with CONFIG_SECURITY_TOMOYO=y and pass "security=tomoyo" on
+kernel's command line.
+
+Please see http://tomoyo.sourceforge.jp/en/2.2.x/ for details.
+
+--- Where is documentation? ---
+
+User <-> Kernel interface documentation is available at
+http://tomoyo.sourceforge.jp/en/2.2.x/policy-reference.html .
+
+Materials we prepared for seminars and symposiums are available at
+http://sourceforge.jp/projects/tomoyo/docs/?category_id=532&language_id=1 .
+Below lists are chosen from three aspects.
+
+What is TOMOYO?
+ TOMOYO Linux Overview
+ http://sourceforge.jp/projects/tomoyo/docs/lca2009-takeda.pdf
+ TOMOYO Linux: pragmatic and manageable security for Linux
+ http://sourceforge.jp/projects/tomoyo/docs/freedomhectaipei-tomoyo.pdf
+ TOMOYO Linux: A Practical Method to Understand and Protect Your Own Linux Box
+ http://sourceforge.jp/projects/tomoyo/docs/PacSec2007-en-no-demo.pdf
+
+What can TOMOYO do?
+ Deep inside TOMOYO Linux
+ http://sourceforge.jp/projects/tomoyo/docs/lca2009-kumaneko.pdf
+ The role of "pathname based access control" in security.
+ http://sourceforge.jp/projects/tomoyo/docs/lfj2008-bof.pdf
+
+History of TOMOYO?
+ Realities of Mainlining
+ http://sourceforge.jp/projects/tomoyo/docs/lfj2008.pdf
+
+--- What is future plan? ---
+
+We believe that inode based security and name based security are complementary
+and both should be used together. But unfortunately, so far, we cannot enable
+multiple LSM modules at the same time. We feel sorry that you have to give up
+SELinux/SMACK/AppArmor etc. when you want to use TOMOYO.
+
+We hope that LSM becomes stackable in future. Meanwhile, you can use non-LSM
+version of TOMOYO, available at http://tomoyo.sourceforge.jp/en/1.6.x/ .
+LSM version of TOMOYO is a subset of non-LSM version of TOMOYO. We are planning
+to port non-LSM version's functionalities to LSM versions.
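
Review bot: In "What is future plan?", the statement "LSM version of TOMOYO is a subset of non-LSM version of TOMOYO" does not say which functionality is missing, while the first section points readers at LiveCD tutorials that "use non-LSM version of TOMOYO". Someone who follows those tutorials and then boots this kernel cannot tell from the file which behaviour to expect to be absent. Suggest listing the differences here or linking to a page that does.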

2009-04-29 13:17:57

by Pavel Machek

Subject: Re: [TOMOYO 1/2] tomoyo: add Documentation/tomoyo.txt

On Mon 2009-04-13 11:04:19, Tetsuo Handa wrote:
> Hello.
>
> Pavel Machek wrote:
> > Could we get a user<->kernel interface documentation?
>
> It is at http://tomoyo.sourceforge.jp/en/2.2.x/policy-reference.html .

Ouch:

2.5 Memory Allocation Rules

In TOMOYO Linux, memory allocated for holding access permissions and
words are never freed. There is no way except rebooting the system
that can free unneeded memory.

But don't worry. The policy seldom changes after you start production
mode. By tuning policy before starting production mode, you can reduce
memory usage to (usually) less than 1 MB.

....does that mean that it leaks memory by design?
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html