TOMOYO Linux is a Mandatory Access Control (MAC) implementation for Linux that can be used to increase the security of a system, while also being useful purely as a system analysis tool. It was launched in March 2003 and had been sponsored by NTT DATA Corporation, Japan until March 2012.
TOMOYO Linux focuses on the behaviour of a system. Every process is created to achieve a purpose, and like an immigration officer, TOMOYO Linux allows each process to declare behaviours and resources needed to achieve their purpose. When protection is enabled, TOMOYO Linux acts like an operation watchdog, restricting each process to only the behaviours and resources allowed by the administrator.
Fix 2006/01/04
@ Add CheckWritePermission() check in unix_bind().
I modified the code to check write permission in unix_bind(), since
sys_mknod(S_IFSOCK) checks write permission.
@ Show hook version in proc_misc_init().
The hook part of this patch depends on the kernel's version,
while the rest of this patch doesn't.
I added the hook version so that the administrator can
know the last modified date of the hooks.
@ Move permission checks from filp_open() to open_namei().
I moved the location of checking MAC's permission
from filp_open() to open_namei().
@ Fix an error in filp_open(). (only 2.6.15-rc5)
This error was only in the patch 2.6.15-rc5 and
was fixed in the patch for 2.6.15.
Fix 2006/01/12
@ Add /proc/ccs/info/self_domain.
I added /proc/ccs/info/self_domain so that userland programs
can know the name of the domain they belong to if necessary.
Fix 2006/01/13
@ Merge constants for CheckTaskCapability().
I merged *_INHERITABLE_* and *_LOCAL_* to avoid always
calling CheckTaskCapability() with both constants.
@ DropTaskCapability() returns -EAGAIN on success.
DropTaskCapability() must not return 0 on success, for
DropTaskCapability() is called from do_execve().
@ Fix an error for chroot() permission check.
The chroot() restriction was not working due to the following mistake.
CheckChRootPermission() || CheckTaskCapability() returns 0 or 1, while
CheckChRootPermission() | CheckTaskCapability() returns 0 or -EPERM.
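The chroot mistake above is an operator bug worth seeing run: logical OR collapses a -EPERM denial into the value 1, which a caller that only treats negative values as errors then lets through. The block below is an added illustration, not TOMOYO code; check_chroot_permission() and check_task_capability() are constructed stand-ins that return 0 or -EPERM like the real checks, and the policy inputs are hypothetical flags.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed mocks of TOMOYO's two chroot checks (not the kernel functions).
 * Each returns 0 when the domain policy allows the operation, -EPERM when
 * it denies it. */
static int check_chroot_permission(int domain_allows_path)
{
	return domain_allows_path ? 0 : -EPERM;
}

static int check_task_capability(int domain_has_capability)
{
	return domain_has_capability ? 0 : -EPERM;
}

/* The broken combination from the changelog: `||` yields 0 or 1, so a
 * denial (-EPERM) from either check comes back as 1, not as an error code. */
int chroot_check_buggy(int allows_path, int has_cap)
{
	return check_chroot_permission(allows_path) || check_task_capability(has_cap);
}

/* The corrected combination: `|` keeps -EPERM (all bits set) from either
 * check, so the caller receives a proper negative error code. */
int chroot_check_fixed(int allows_path, int has_cap)
{
	return check_chroot_permission(allows_path) | check_task_capability(has_cap);
}

/* A caller in the usual kernel style: only a negative result is an error.
 * Returns 1 if chroot() would proceed, 0 if it is refused. */
int chroot_proceeds(int (*check)(int, int), int allows_path, int has_cap)
{
	int error = check(allows_path, has_cap);
	if (error < 0)
		return 0;	/* denied */
	return 1;		/* allowed */
}

int main(void)
{
	/* Policy denies the path: the buggy combination still lets chroot through. */
	printf("path denied -> buggy proceeds: %d, fixed proceeds: %d\n",
	       chroot_proceeds(chroot_check_buggy, 0, 1),
	       chroot_proceeds(chroot_check_fixed, 0, 1));
	return 0;
}
```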
Fix 2006/01/17
@ Suppress some of the debug messages in TOMOYO.
I added KERN_DEBUG to suppress some of the debug messages.
Fix 2006/01/19
@ Remove isRoot() checks in AddChrootACL() and AddMountACL().
I found a program that needs to chroot as non-root.
So, I stopped checking uid=euid=0 for these functions so that
"accept mode" can append ACLs.
The isRoot() is checked at AddChrootPolicy() and AddMountPolicy().
@ Map NULL device name to "<NULL>" in AddMountACL().
VMware mounts vmware-hgfs with NULL device name.
So I mapped the NULL device name to "<NULL>".
Fix 2006/01/20
@ Suppress some of the debug messages in SAKURA.
I added KERN_DEBUG to suppress some of the debug messages.
@ Call panic() if the given profile fails to load.
Call panic() if a profile index was given via the CCS= parameter
but the profile doesn't exist.
If the CCS= parameter is not given, the kernel attempts to load
profile 0, but it doesn't call panic() if profile 0 doesn't exist.
Fix 2006/01/24
@ Use full_name_hash() for IsGloballyReadableFile().
I modified the code to use full_name_hash() for a faster scan.
@ Add signal checking condition in CheckSignalACL().
The documentation says "if the target domain's domainname
starts with the source domain's domainname, it is always granted"
but actually it isn't. I'll change the documentation instead of
changing the source code.
Also, checking for pid = -1 was missing. This error was fixed.
Fix 2006/02/09
@ Use mutex_lock()/mutex_unlock() instead of down()/up().
Kernel 2.6.16 changed members of "struct inode".
I modified the code to use mutex_lock()/mutex_unlock() on kernels after 2.6.16
and down()/up() on kernels before 2.6.16.
Version 1.0.2 2006/02/14 Release with many bug fixes.