TOMOYO Linux is a Mandatory Access Control (MAC) implementation for Linux that can be used to increase the security of a system, while also being useful purely as a system analysis tool. It was launched in March 2003 and had been sponsored by NTT DATA Corporation, Japan until March 2012.
TOMOYO Linux focuses on the behaviour of a system. Every process is created to achieve a purpose, and like an immigration officer, TOMOYO Linux allows each process to declare behaviours and resources needed to achieve their purpose. When protection is enabled, TOMOYO Linux acts like an operation watchdog, restricting each process to only the behaviours and resources allowed by the administrator.
@ Use queue instead of fixed sized array for audit log.
WriteAuditLog() now uses queue to save statically allocated memory.
Administrators can give any size for audit logs at runtime.
@ Use kzalloc() instead of kmalloc() + memset().
kmalloc() + memset() were replaced with kzalloc().
@ Support "delayed enforcing" mode.
Until now, access request was immediately rejected
if policy doesn't allow that access and the system is
running in enforce mode.
Sometimes, especially after updating softwares,
some unexpected access requests arise from proper procedure.
Such access requests should be granted because
they are not caused by malicious attacks.
So I introduced a mechanism to allow administrator some grace
to decide to grant or reject such access requests.
This mechanism is implemented in the following manner.
"Don't return immediately if permission denied."
"Sleep for a while waiting administrator's decision."
"Return successfully if administrator tells to do so."
@ Fix handling of prefix in GetAbsolutePath().
Some objects doesn't have prefix "/".
Pipe has prefix "pipe:" and socket has prefix "socket:".
GetAbsolutePath() couldn't handle prefixes other than '/' properly.
@ Remove IsCorrectPath() checks for File Access Control functions.
File Access Control functions accepted only pathnames that start
with '/' because these functions assumed pathnames returned by
GetAbsolutePath() always start with '/'.
However, I found a program that opens an unnamed pipe via
(probably) /proc/PID/fd/ directory. (You can see entries like
"pipe:[number]" if you run "ls -l /proc/*/fd/".)
Now, File Access Control functions have to accept pathnames
that don't start with '/'. So, I stopped checking IsCorrectPath().
@ Fix handling of NULL nameidata in vfs_open().
In 2.6 kernels, NFS daemon and sys_mq_open() call
vfs_create() with NULL nameidata. In such cases,
CheckSingleWritePermission() must not be called.
Version 1.1.1 2006/05/15 Functionality enhancement release.