TOMOYO Linux is a Mandatory Access Control (MAC) implementation for Linux that can be used to increase the security of a system, while also being useful purely as a system analysis tool. It was launched in March 2003 and had been sponsored by NTT DATA Corporation, Japan until March 2012.
TOMOYO Linux focuses on the behaviour of a system. Every process is created to achieve a purpose, and like an immigration officer, TOMOYO Linux allows each process to declare behaviours and resources needed to achieve their purpose. When protection is enabled, TOMOYO Linux acts like an operation watchdog, restricting each process to only the behaviours and resources allowed by the administrator.
@ Allow address grouping.
To reduce the labor of repeating similar IPv4/IPv6 addresses,
I introduced a macro 'address_group' to make group such addresses.
For example, you had to give like
allow_network TCP accept 10.0.0.0-10.255.255.255 1024-65535
allow_network TCP accept 172.16.0.0-172.31.255.255 1024-65535
allow_network TCP accept 192.168.0.0-192.168.255.255 1024-65535
but now, you can give just
allow_network TCP accept @localnet 1024-65535
if you give
address_group localnet 10.0.0.0-10.255.255.255
address_group localnet 172.16.0.0-172.31.255.255
address_group localnet 192.168.0.0-192.168.255.255
in the exception policy.
@ Remove obsolete functions.
@ Add some hooks.
Read permission check is done if open_exec()
is called from search_binary_handler().
Read permission check is not done if open_exec()
is called from do_execve(), instead,
execute permission check is done at
I moved the location of calling CheckCapabilityACL()
and CheckMountPermission() from sys_mount() to do_mount().
@ Use 'unsigned int' for sscanf().
I compiled SYAORAN fs on x86_64 environment and found
the compiler showing warning messages about size of data types.
Since size of data types may mismatch for sscanf(),
I replaced some types with 'unsigned int'.
Version 1.4 2007/04/01 x86_64 support release.