TOMOYO Linux is a Mandatory Access Control (MAC) implementation for Linux that can be used to increase the security of a system, while also being useful purely as a system analysis tool. It was launched in March 2003 and had been sponsored by NTT DATA Corporation, Japan until March 2012.
TOMOYO Linux focuses on the behaviour of a system. Every process is created to achieve a purpose, and like an immigration officer, TOMOYO Linux allows each process to declare the behaviours and resources needed to achieve that purpose. When protection is enabled, TOMOYO Linux acts like an operation watchdog, restricting each process to only the behaviours and resources allowed by the administrator.
@ Fix CheckFilePerm() in fs/tomoyo_file.c.
path_release() was being called too early.
@ Support per-domain profile.
It became possible to assign different profiles to different domains.
This will help administrators who use the building-up approach.
@ Change parameters for CheckFilePerm().
I was re-resolving pathnames inside CheckFilePerm() even though
the caller had already resolved them.
So I changed it to pass dentry and vfsmount instead of the pathname,
and removed the changes made on 2006/09/30.
@ Support deny_rewrite and allow_rewrite permission.
It became possible to make regular files append-only
using the "deny_rewrite" directive in exception policy and
to override it using the "allow_rewrite" directive in domain policy.
Regular files specified using the "deny_rewrite" directive
can't be open()ed with O_TRUNC or without O_APPEND,
can't be truncate()ed or ftruncate()ed,
and can't have the O_APPEND flag turned off using fcntl(F_SETFL)
unless specified using the "allow_rewrite" directive.
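The following is an added example, not TOMOYO's own code, that models the "deny_rewrite" decision described above in user space: it classifies an open() flag set, a truncate, or an fcntl(F_SETFL) transition as a rewrite or not, and applies the "allow_rewrite" override. Two things are assumptions not stated in this entry: that the open() test only matters for opens that can write (O_WRONLY/O_RDWR), since a read-only open cannot rewrite anything, and that the caller has already matched the path against the deny_rewrite and allow_rewrite entries.

```c
/* Added example: user-space model of the deny_rewrite / allow_rewrite
 * check. This is not code from the TOMOYO kernel patch. */
#include <fcntl.h>
#include <stdio.h>

/* Returns 1 if open() with these flags would rewrite existing data.
 * Assumption: read-only opens are never rewrites. */
int open_is_rewrite(int flags)
{
    int acc = flags & O_ACCMODE;
    if (acc != O_WRONLY && acc != O_RDWR)
        return 0;              /* read-only open: nothing can be overwritten */
    if (flags & O_TRUNC)
        return 1;              /* O_TRUNC discards existing contents */
    if (!(flags & O_APPEND))
        return 1;              /* non-append writes can land on existing bytes */
    return 0;                  /* O_APPEND without O_TRUNC only adds data */
}

/* Returns 1 if fcntl(fd, F_SETFL, new_flags) would clear O_APPEND on a
 * descriptor that currently has it set. */
int setfl_is_rewrite(int old_flags, int new_flags)
{
    return (old_flags & O_APPEND) && !(new_flags & O_APPEND);
}

enum rewrite_op { OP_OPEN, OP_TRUNCATE, OP_FCNTL_SETFL };

/* Decision for a file matched by deny_rewrite: returns 1 if the operation
 * must be rejected, 0 if it is permitted. For OP_OPEN, a = open flags;
 * for OP_FCNTL_SETFL, a = current flags, b = requested flags;
 * OP_TRUNCATE covers both truncate() and ftruncate().
 * allow_rewrite is 1 when the domain policy has an allow_rewrite entry. */
int deny_rewrite_check(enum rewrite_op op, int a, int b, int allow_rewrite)
{
    int rewrite;
    switch (op) {
    case OP_OPEN:       rewrite = open_is_rewrite(a);     break;
    case OP_TRUNCATE:   rewrite = 1;                      break;
    case OP_FCNTL_SETFL: rewrite = setfl_is_rewrite(a, b); break;
    default:            return 1;                         /* unknown op: deny */
    }
    return rewrite && !allow_rewrite;
}

int main(void)
{
    printf("open(O_WRONLY|O_APPEND)           -> %s\n",
           deny_rewrite_check(OP_OPEN, O_WRONLY | O_APPEND, 0, 0) ? "deny" : "allow");
    printf("open(O_WRONLY)                    -> %s\n",
           deny_rewrite_check(OP_OPEN, O_WRONLY, 0, 0) ? "deny" : "allow");
    printf("open(O_WRONLY|O_APPEND|O_TRUNC)   -> %s\n",
           deny_rewrite_check(OP_OPEN, O_WRONLY | O_APPEND | O_TRUNC, 0, 0) ? "deny" : "allow");
    printf("fcntl(F_SETFL) clearing O_APPEND  -> %s\n",
           deny_rewrite_check(OP_FCNTL_SETFL, O_APPEND, 0, 0) ? "deny" : "allow");
    printf("truncate() with allow_rewrite     -> %s\n",
           deny_rewrite_check(OP_TRUNCATE, 0, 0, 1) ? "deny" : "allow");
    return 0;
}
```

The point the model makes explicit is that O_APPEND alone is not enough: an append-mode open that also carries O_TRUNC is still a rewrite, and a later F_SETFL that drops O_APPEND must be caught separately because open-time checks cannot see it.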
@ Enable configuration options by default for kernel config.
CONFIG_SAKURA and CONFIG_TOMOYO are now 'y' by default
and CONFIG_SYAORAN is now 'm' by default.
@ Use external policy loader.
Until now, policies were loaded when /sbin/init started and
initial control levels were switched using the CCS= parameter.
But since some boxes have to fix kernel command line options
at compilation time, I think it will be more flexible
to run an external policy loader using the init= parameter so that
initial control levels can be specified before /sbin/init starts.
Call panic() if initial control levels are not specified.
@ Add missing parameter in FindNextDomain().
'struct file' was needed to allow 'if path1.*' checks.
@ Print error messages in CheckFlags().
Some users seem to have trouble picking up all the necessary
entries for the configuration file of the SYAORAN filesystem,
since makesyaoranconf can't pick up entries that are
nonexistent at the time.
I added error messages so that users can find missing entries.
@ Change /proc/ccs/info/self_domain.
I changed /proc/ccs/info/self_domain to return
the domain at open time rather than at first-read time.
This modification makes shell redirection
more convenient, since redirection opens the file
but doesn't read it at that time.
'cat < /proc/ccs/info/self_domain' will return
the domain of the shell, and
'cat /proc/ccs/info/self_domain' will return
the domain of cat.
@ Replace MAX_ENFORCE_GRACE with ALLOW_ENFORCE_GRACE.
Since it was inconvenient that requests waiting for
the supervisor's decision were rejected automatically when
MAX_ENFORCE_GRACE seconds had elapsed, I modified WriteAnswer() to
reset the timeout counter whenever a supervisor's decision is written,
and I modified ccs-queryd to write a dummy decision every second
so that the requests won't be rejected automatically as long as
ccs-queryd is running.
This change made MAX_ENFORCE_GRACE's meaning boolean.
So I fixed MAX_ENFORCE_GRACE at 10 seconds and removed
To allow administrators to selectively enable "delayed enforcing"
mode, I added the ALLOW_ENFORCE_GRACE parameter.
The behavior of "delayed enforcing" mode is defined
in the following order.
(1) The requests are rejected immediately if ALLOW_ENFORCE_GRACE=0.
(2) The requests are rejected immediately
if nobody has the /proc/ccs/policy/query interface open.
(3) The requests won't be rejected automatically
if ALLOW_ENFORCE_GRACE=1 and ccs-queryd is running.
(4) The requests will be rejected in 10 seconds
if somebody other than ccs-queryd (such as less(1)) has
the /proc/ccs/policy/query interface open, since
such a process doesn't write dummy decisions.
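The following is an added example, not code from the TOMOYO kernel patch or from ccs-queryd, that simulates the four rules above. It keeps the timeout counter that WriteAnswer() resets and advances a clock one second at a time, so the difference between rule (3) (ccs-queryd writes a dummy answer every second) and rule (4) (less(1) holds the interface open but writes nothing) falls out of the same timer. The 10-second value is the fixed MAX_ENFORCE_GRACE from the entry; the event timing and the names below are this example's own.

```c
/* Added example: simulation of "delayed enforcing" mode. Not TOMOYO code. */
#include <stdio.h>

#define ENFORCE_GRACE_SECONDS 10   /* MAX_ENFORCE_GRACE, fixed at 10 per the entry */

struct query_state {
    int  allow_enforce_grace;      /* ALLOW_ENFORCE_GRACE: 0 or 1 */
    int  query_readers;            /* processes holding /proc/ccs/policy/query open */
    long last_answer_time;         /* last WriteAnswer(), real or dummy */
};

/* Model of WriteAnswer(): any decision written, including ccs-queryd's
 * dummy one, resets the timeout counter. */
void write_answer(struct query_state *s, long now)
{
    s->last_answer_time = now;
}

/* Returns 1 if a pending request is rejected at time `now`, 0 if it may
 * keep waiting for the supervisor. Rules are applied in the order given
 * in the changelog entry. */
int request_rejected(const struct query_state *s, long now)
{
    if (!s->allow_enforce_grace)
        return 1;                                      /* rule (1) */
    if (s->query_readers == 0)
        return 1;                                      /* rule (2) */
    /* rules (3) and (4): only the reset-able timer decides from here */
    return (now - s->last_answer_time) >= ENFORCE_GRACE_SECONDS;
}

/* Run a request for up to `horizon` seconds with `readers` processes holding
 * the query interface open. `dummy_interval` is how often (in seconds) a
 * reader writes a dummy decision: 1 models ccs-queryd, 0 models a reader
 * such as less(1) that never writes. Returns the second at which the
 * request is rejected, or -1 if it is still waiting at the horizon. */
long simulate(int allow_enforce_grace, int readers, long dummy_interval, long horizon)
{
    struct query_state s = { allow_enforce_grace, readers, 0 };
    for (long t = 0; t <= horizon; t++) {
        if (dummy_interval > 0 && t > 0 && t % dummy_interval == 0)
            write_answer(&s, t);
        if (request_rejected(&s, t))
            return t;
    }
    return -1;
}

int main(void)
{
    printf("ALLOW_ENFORCE_GRACE=0, ccs-queryd running : rejected at %lds\n",
           simulate(0, 1, 1, 60));
    printf("ALLOW_ENFORCE_GRACE=1, nobody has query open: rejected at %lds\n",
           simulate(1, 0, 1, 60));
    printf("ALLOW_ENFORCE_GRACE=1, ccs-queryd running : rejected at %lds (-1 = never)\n",
           simulate(1, 1, 1, 60));
    printf("ALLOW_ENFORCE_GRACE=1, only less(1) open   : rejected at %lds\n",
           simulate(1, 1, 0, 60));
    return 0;
}
```

The simulation shows why rule (4) exists: the kernel cannot tell ccs-queryd from any other reader of the query interface, so a reader that opens the file but never writes a decision looks like a stalled supervisor and the 10-second timer expires.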
Version 1.3 2006/11/11 First anniversary release.