<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.linux.tomoyo.user.english">
    <title>gmane.linux.tomoyo.user.english</title>
    <link>http://blog.gmane.org/gmane.linux.tomoyo.user.english</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.tomoyo.user.english/486"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.tomoyo.user.english/484"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.tomoyo.user.english/477"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.tomoyo.user.english/474"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.tomoyo.user.english/473"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.tomoyo.user.english/467"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.tomoyo.user.english/466"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.tomoyo.user.english/465"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.tomoyo.user.english/459"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.tomoyo.user.english/458"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.tomoyo.user.english/456"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.tomoyo.user.english/452"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.tomoyo.user.english/445"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.tomoyo.user.english/440"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.tomoyo.user.english/437"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.tomoyo.user.english/436"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.tomoyo.user.english/430"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.linux.tomoyo.user.english/428"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.linux.tomoyo.user.english/486">
    <title>[tomoyo-users-en   493]  about maintaining tomoyolinux</title>
    <link>http://comments.gmane.org/gmane.linux.tomoyo.user.english/486</link>
    <description>&lt;pre&gt;Thanks for quick reply.

Currently I am learning things up and new to the world of masters like you.
I am developing myself and I guess by the end of this year I would have
achieved some of my targets about web, linux, cisco and I want to provide
free articles, tutorials, documentations to the people who are new to
tomoyo linux but at this stage I am very new to it. I will be playing with
it. I am sorry my friends are users of Windows and I moved to linux a few
months back so currently I do not have enough capabilities or resources and
I have not maintained any repo ever.

With time I would be developing things up and will start writing articles
and videos on tomoyo linux and its uses, at the moment I am just playing
with it.


Thanks for your time and quick reply
Pawan




On Sat, May 12, 2012 at 11:00 PM, &amp;lt;
tomoyo-users-en-request-5NWGOfrQmneRv+LV9MX5uooqe+aC9MnS&amp;lt; at &amp;gt;public.gmane.org&amp;gt; wrote:

_______________________________________________
tomoyo-users-en mailing list
tomoyo-users-en-5NWGOfrQmneRv+LV9MX5uooqe+aC9MnS&amp;lt; at &amp;gt;public.gmane.org
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en
&lt;/pre&gt;</description>
    <dc:creator>Pawan Kumar</dc:creator>
    <dc:date>2012-05-14T09:49:52</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.tomoyo.user.english/484">
    <title>[tomoyo-users-en 491] tomoyo linux users request for 64 bit system</title>
    <link>http://comments.gmane.org/gmane.linux.tomoyo.user.english/484</link>
    <description>&lt;pre&gt;Hi,

Thanks for creating such a beautiful security system. I have seen tomoyo
linux live cd for ubuntu, thanks for making our life easier. My question
is, a big population of the world is using ubuntu and that too 64 bit, so
how tomoyo linux addresses porting tomoyo linux on 64 bit ubuntu. Sorry, I
am not aware of any manual way to do it for ubuntu 64 bit. If there is any
link that can help people like me using 64 bit ubuntu 12.04 to be able to
use tomoyo linux, it would be such a great help. It would be really great
for us if more videos are posted on youtube that can help new users of
linux start tomoyo linux with no problem at all. Things become much
easier when we see something visually than read any manual. It would be
great if you can explain different situations that can help even the vast
number of desktop users of the world to be able to make their system more
secure.

Thanks for giving your valuable time to make people's lives easier!
Appreciate all your work!

Is it available for 64 bit opensuse?

Thank you
&lt;/pre&gt;</description>
    <dc:creator>Pawan Kumar</dc:creator>
    <dc:date>2012-05-12T23:07:36</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.tomoyo.user.english/477">
    <title>[tomoyo-users-en   484]  Tomoyo Kernel Profiles have Disappeared</title>
    <link>http://comments.gmane.org/gmane.linux.tomoyo.user.english/477</link>
    <description>&lt;pre&gt;Hello,

I have been trying to find out why my tomoyo installation has broken itself.

It was running locking down just the apache service, I rebooted my server
for some maintenance and it failed to come back up. I logged into the
console and it was waiting at boot for a tomoyo profile, I typed "disable"
if I recall correctly and it booted. I then performed, tomoyo-editpolicy
and apache was back to profile 1, when I tried to adjust it to profile 3,
it just stayed on 1.

A bit of investigation shows that the kernel doesn't know about profiles 2
&amp;amp; 3.

How do I go about resolving this?

Thanks
Cam

INFO:

Linux www.cam.com 2.6.32-5-amd64 #1 SMP Thu Mar 22 17:26:33 UTC 2012 x86_64
GNU/Linux

root@www:~# cat /boot/grub/menu.lst
      ===== SNIP =====
kernel          /boot/vmlinuz-2.6.32-5-amd64 root=/dev/xvda1 ro
security=tomoyo
initrd          /boot/initrd.img-2.6.32-5-amd64
      ====== SNIP =====

root@www:~# cat /sys/kernel/security/tomoyo/manager
/usr/sbin/tomoyo-loadpolicy
/usr/sbin/tomoyo-editpolicy
/usr/sbin/tomoyo-setlevel
/usr/sbin/tomoyo-setprofile
/usr/sbin/tomoyo-ld-watch

root@www:~# cat  /sys/kernel/security/tomoyo/profile
0-COMMENT=disabled
0-MAC_FOR_FILE=disabled
0-MAX_ACCEPT_ENTRY=0
0-TOMOYO_VERBOSE=disabled
1-COMMENT=disabled
1-MAC_FOR_FILE=disabled
1-MAX_ACCEPT_ENTRY=0
1-TOMOYO_VERBOSE=disabled
2-COMMENT=
2-MAC_FOR_FILE=disabled
2-MAX_ACCEPT_ENTRY=2048
2-TOMOYO_VERBOSE=enabled

root@www:~# cat /etc/tomoyo/profile.conf
0-COMMENT=-----Disabled Mode-----
0-MAC_FOR_FILE=disabled
0-TOMOYO_VERBOSE=disabled
1-COMMENT=-----Learning Mode-----
1-MAC_FOR_FILE=learning
1-TOMOYO_VERBOSE=disabled
2-COMMENT=-----Permissive Mode-----
2-MAC_FOR_FILE=permissive
2-TOMOYO_VERBOSE=enabled
3-COMMENT=-----Enforcing Mode-----
3-MAC_FOR_FILE=enforcing
3-TOMOYO_VERBOSE=enabled

DMESG:
[    0.868188] Calling /sbin/tomoyo-init to load policy. Please wait.
[  240.032087] INFO: task run-init:1 blocked for more than 120 seconds.
[  240.032100] "echo 0 &amp;gt; /proc/sys/kernel/hung_task_timeout_secs" disables
this message.
[  240.032109] run-init      D 0000000000000000     0     1      0
0x00000000
[  240.032120]  ffffffff814891f0 0000000000000282 0000000000000000
ffffffff8100e252
[  240.032134]  0000001000000000 ffff880007c6d4c0 000000000000f9e0
ffff880007c5ffd8
[  240.032147]  0000000000015780 0000000000015780 ffff880007c68000
ffff880007c682f8
[  240.032166] Call Trace:
[  240.032173]  [&amp;lt;ffffffff8100e252&amp;gt;] ? check_events+0x12/0x20
      ========== SNIP ==========


root@www:~# aptitude show tomoyo-tools
Package: tomoyo-tools
State: installed
Automatically installed: no
Version: 2.2.0-20100225-1
Priority: extra
Section: admin
Maintainer: Hideki Yamane &amp;lt;henrich-8fiUuRrzOP0dnm+yROfE0A&amp;lt; at &amp;gt;public.gmane.org&amp;gt;
Uncompressed Size: 324 k
Depends: libc6 (&amp;gt;= 2.7), libncurses5 (&amp;gt;= 5.7+20100313)
Conflicts: tomoyo-ccstools, tomoyo-ccstools1.7
Replaces: tomoyo-ccstools, tomoyo-ccstools1.7
Description: Lightweight and easy-use Mandatory Access Control for Linux
      ========== SNIP ==========
&lt;/pre&gt;</description>
    <dc:creator>Cam McK</dc:creator>
    <dc:date>2012-05-10T07:20:05</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.tomoyo.user.english/474">
    <title>[tomoyo-users-en 481] kernel panic after installing tomoyo linux ccs tools on ubuntu 12.04 kernel 3.2.0-24-virtual</title>
    <link>http://comments.gmane.org/gmane.linux.tomoyo.user.english/474</link>
    <description>&lt;pre&gt;Hi guys,

I installed tomoyo linux on kubuntu 12.04 kernel 3.2.0-24-virtual
(yesterday, I had same problem on 3.2.0-24 generic kernel too).

I followed this exactly

Ubuntu 12.04 (generic-pae flavour)

# echo 'deb http://tomoyo.sourceforge.jp/repos-1.8/Ubuntu12.04/ ./' &amp;gt;&amp;gt;
/etc/apt/sources.list
# apt-get update
# apt-get install linux-generic-pae-ccs ccs-tools

From: http://tomoyo.sourceforge.jp/1.8/chapter-3.html.en but I had no
success and I got kernel panic error. Though I was able to boot into my
previous kernel and things were fine.

I want to use tomoyo linux on kubuntu. Any suggestions would be
appreciated. Am I doing anything wrong here or are there any extra steps
that I should take...? It's a recently installed kubuntu machine.

Thanks for any suggestions
pk
&lt;/pre&gt;</description>
    <dc:creator>Pawan Kumar</dc:creator>
    <dc:date>2012-05-07T23:30:21</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.tomoyo.user.english/473">
    <title>[tomoyo-users-en 480] ccs-patch-1.6.9p4/1.7.3p4/1.8.3p7 akari-1.0.27 caitsith-0.1p1 uploaded.</title>
    <link>http://comments.gmane.org/gmane.linux.tomoyo.user.english/473</link>
    <description>&lt;pre&gt;ccs-patch 1.8.3p7 fixes three bugs.

 (1) Regarding 2.6.0-2.6.11 kernels, TOMOYO needs to use
     spin_lock_bh()/spin_unlock_bh() rather than
     spin_lock_irq()/spin_unlock_irq() when a packet was dropped by TOMOYO.

 (2) Regarding RHEL 5.2-5.8 kernels, TOMOYO needs to protect
     skb_kill_datagram() call with lock_sock()/release_sock() when UDP packet
     was dropped by TOMOYO.

 (3) Regarding Ubuntu 12.04 kernel on Live CD, TOMOYO needs to accept manager
     programs which do not start with / because the pathname of
     /usr/sbin/ccs-editpolicy seen from Ubuntu 12.04 Live CD is
     squashfs:/usr/sbin/ccs-editpolicy rather than /usr/sbin/ccs-editpolicy .

Unless you are using one of kernel versions listed above, this update will not
be needed.



ccs-patch-1.7.3p4 and ccs-patch-1.6.9p4 fix the bugs (1) and (2).



Live CD for Ubuntu 12.04 + TOMOYO 1.8.3p7 is now available.
http://tomoyo.sourceforge.jp/1.8/ubuntu12.04-live.html

This Live CD can be also used as Ubuntu 12.04 + TOMOYO 2.5 by appending
"security=tomoyo ccsecurity=off" to the kernel boot options.

We are too late for putting tomoyo-tools-2.5 into repository for Ubuntu 12.04.
Please install tomoyo-tools-2.5 from source rather than trying to install
binary tomoyo-tools-2.5 package using apt-get, for the package installed by
apt-get is tomoyo-tools-2.4 and therefore causes kernel panic upon boot due to
profile version mismatch.

    TOMOYO: 2.5.0
    Profile version 20100903 is not supported.
    Userland tools for TOMOYO 2.5 must be installed and policy must be initialized.
    Please see http://tomoyo.sourceforge.jp/2.5/ for more information.
    Kernel panic - not syncing: STOP!



akari-1.0.27 fixes the bug (3) and supports any RHEL 4/5/6 kernels.
The bugs (1) and (2) do not affect AKARI, for AKARI cannot handle incoming
packets.



Please let me know if you found any problems.

ccs-patch-1.6.9-20120505.tar.gz     MD5: 3333f441b9e74b8fc6f9722c701e2e1d
ccs-patch-1.7.3-20120505.tar.gz     MD5: aaaa0b076d2ff853a7f7007c7521df8e
ccs-patch-1.8.3-20120505.tar.gz     MD5: 444498151f894b1985f1beb98679bcfe
akari-1.0.27-20120505.tar.gz        MD5: bbbbb12c4aee2e8e5ffc3b4075163bcc
caitsith-patch-0.1-20120505.tar.gz  MD5: 1111566e2503e5155771c4c4f80f96ff
caitsith-tools-0.1-20120505.tar.gz  MD5: aaaa08c1b97338647a2d240be6d6e430
&lt;/pre&gt;</description>
    <dc:creator>Tetsuo Handa</dc:creator>
    <dc:date>2012-05-05T13:50:03</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.tomoyo.user.english/467">
    <title>[tomoyo-users-en 474] Fwd: Looking for patch to add "Audit" Feature in Tomoyo 2.3</title>
    <link>http://comments.gmane.org/gmane.linux.tomoyo.user.english/467</link>
    <description>&lt;pre&gt;Hello,

I am a newbie in Tomoyo and looking for assistance. 
I am running linux-3.0.2 on my arm board which is having tomoyo 2.3 version.
Now my requirement is to run "audit" (Generate access granted logs/rejected logs) feature of tomoyo which is available in tomoyo 2.5 version (available with linux-3.2.2).

I am looking for any direct patch available for this.
If patch is available, please share that patch link to me.

Thanks
Nitin
&lt;/pre&gt;</description>
    <dc:creator>NITIN JHANWAR</dc:creator>
    <dc:date>2012-04-04T12:11:02</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.tomoyo.user.english/466">
    <title>[tomoyo-users-en 473] Looking for patch to add "Audit" Feature in Tomoyo 2.3</title>
    <link>http://comments.gmane.org/gmane.linux.tomoyo.user.english/466</link>
    <description>&lt;pre&gt;Hello,

I am a newbie in Tomoyo and looking for assistance. 
I am running linux-3.0.2 on my arm board which is having tomoyo 2.3 version.
Now my requirement is to run "audit" (Generate access granted logs/rejected logs) feature of tomoyo which is available in tomoyo 2.5 version (available with linux-3.2.2).

I am looking for any direct patch available for this.
If patch is available, please share that patch link to me.

Thanks
Nitin
&lt;/pre&gt;</description>
    <dc:creator>NITIN JHANWAR</dc:creator>
    <dc:date>2012-04-04T12:08:44</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.tomoyo.user.english/465">
    <title>[tomoyo-users-en   472]  CaitSith 0.1 released.</title>
    <link>http://comments.gmane.org/gmane.linux.tomoyo.user.english/465</link>
    <description>&lt;pre&gt;CaitSith is an access restriction module for Linux 2.6.27 and later kernels.
This module gives you ability to restrict access (e.g. opening files, executing
programs) at the kernel level. This module is designed for ease of use.

This module was derived from TOMOYO Linux 1.8.3, but usage of this module would
be too different to imagine that this module was derived from TOMOYO Linux.

Documentation http://caitsith.sourceforge.jp/ is under construction, sorry.



Also, I uploaded other tarballs. ccs-patch-1.8.3-20120401.tar.gz and
akari-1.0.26-20120401.tar.gz now support Linux 3.4-rc1 and Ubuntu 12.04.

MD5:                              Filename:
000003289b6f9213b0e8c7c51607136e  ccs-patch-1.6.9-20120401.tar.gz
77779ee24436324fdb45e232ca938063  ccs-patch-1.7.3-20120401.tar.gz
aaaaca0e7b06e4e37cfa5a879cfb4736  ccs-patch-1.8.3-20120401.tar.gz
222233ff6cfb39d5c2258d91646c88a7  akari-1.0.26-20120401.tar.gz
8888e7faede611f1d951d616636d4e27  caitsith-patch-0.1-20120401.tar.gz
eeeebbe3ff39cd369caf00807ee1d335  caitsith-tools-0.1-20120401.tar.gz



By the way, are there still users who are using TOMOYO 1.6.x?
Download statistics counter shows that there is almost no user.
If nobody uses, maybe it is time to discontinue TOMOYO 1.6.x branches.
&lt;/pre&gt;</description>
    <dc:creator>Tetsuo Handa</dc:creator>
    <dc:date>2012-04-01T14:07:17</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.tomoyo.user.english/459">
    <title>[tomoyo-users-en   466]  Next version of TOMOYO</title>
    <link>http://comments.gmane.org/gmane.linux.tomoyo.user.english/459</link>
    <description>&lt;pre&gt;Although there are several problems remaining, the next version of TOMOYO is
taking a concrete shape. It is designed for simplicity. For example, since some
people complain that "who can manage domains that exceed many hundreds?", I
changed TOMOYO's domain management from mandatory to optional. For another
example, since some people complain that "I want to use black listing because
white listing is too much burden for me", I changed from allow-only rules to
allow/deny rules which resembles network packet filtering rules.

Due to large changes, the version number cannot be determined yet.
It might be no longer TOMOYO.

Installation instructions and policy specification are available at
http://tomoyo.sourceforge.jp/testing/ .
If you can prepare a system for evaluation (e.g. virtual machine), please try
and give us feedback.
&lt;/pre&gt;</description>
    <dc:creator>Tetsuo Handa</dc:creator>
    <dc:date>2012-03-10T03:00:16</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.tomoyo.user.english/458">
    <title>[tomoyo-users-en 465] ccs-patch-1.6.9p2/1.7.3p2/1.8.3p5 and ccs-tools-1.6.9p1/1.7.3p1/1.8.3p2 uploaded.</title>
    <link>http://comments.gmane.org/gmane.linux.tomoyo.user.english/458</link>
    <description>&lt;pre&gt;While reading AppArmor's patch, I noticed that TOMOYO's mount permission check
becomes inaccurate when multiple mount flags are passed, for userspace can pass
in arbitrary combinations of MS_* flags to mount() request. Two examples:

  If both MS_BIND and one of MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE are
  passed, device name which should be checked for MS_BIND was not checked
  because MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE had higher priority than
  MS_BIND.

  If both one of MS_BIND/MS_MOVE and MS_REMOUNT are passed, device name which
  should not be checked for MS_REMOUNT was checked because MS_BIND/MS_MOVE had
  higher priority than MS_REMOUNT.

I fixed this bug by changing priority to MS_REMOUNT -&amp;gt; MS_BIND -&amp;gt;
MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE -&amp;gt; MS_MOVE as do_mount() does.
Also, I changed to unconditionally return -EINVAL if more than one of
MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE is passed so that TOMOYO will not
generate inaccurate audit logs, for commit 7a2e8a8f "VFS: Sanity check mount
flags passed to change_mnt_propagation()" clarified that these flags must be
exclusively passed.

TOMOYO 2.3 (Linux 2.6.36) and later has this bug.
Patch for TOMOYO 2.5 will be included in Linux 3.4.

Fixing this bug might require correction of policy if access control for mount
operation is enabled (though correction of policy will unlikely be required
because applications unlikely pass MS_* flags combination in a way TOMOYO hits
examples shown above).



Also, UMH_WAIT_PROC constant (currently 1) is scheduled for renumbering in
Linux 3.4. I changed to use UMH_WAIT_PROC constant instead of hardcoded
constant in case renumbering was backported.

Unfortunately, there is no means to detect this renumbering at runtime. If you
started to experience kernel panic upon execution of external policy loader
(i.e. /sbin/ccs-init) due to the kernel no longer waiting for completion of
external policy loader process, please check whether renumbering was backported
or not. (Same thing will happen to /sbin/tomoyo-init process if renumbering
patch was backported without changing TOMOYO 2.x code to use UMH_WAIT_PROC
constant. Please be careful if you are backporting TOMOYO 2.x.)



Regarding ccs-tools-1.7.3 package, I fixed two bugs and made two enhancements.

  /usr/sbin/ccs-checkpolicy
    Fix validation failure with number_group entries.

  /usr/sbin/ccs-editpolicy
    Allow optimization command ('o' key) to exception policy.
    Fix wrong copy to buffer command ('insert' key) from Process State Viewer mode.

  /usr/lib/ccs/init_policy
    Generate wildcarded allow_read entries.

Regarding ccs-tools-1.8.3 package, I made a small change to policy editor's
header line because Toshiharu told me that printing number of selected entries
makes it easier to confirm whether optimization command ('o' key) has selected
any lines or not.

  If no line is selected, the header line looks like below.

    &amp;lt;&amp;lt;&amp;lt; Exception Policy Editor &amp;gt;&amp;gt;&amp;gt;      109 entries    '?' for help

  If one or more lines are selected, the header line looks like below.

    &amp;lt;&amp;lt;&amp;lt; Exception Policy Editor &amp;gt;&amp;gt;&amp;gt;      109 entries (9 selected)   '?' for help



Please let me know if you found any problems.

ccs-patch-1.6.9-20120301.tar.gz  MD5: 111184bfdcc6342987af4f431895e382
ccs-patch-1.7.3-20120301.tar.gz  MD5: 1111d8fb724cae0c7b0dd8a3b294c55f
ccs-patch-1.8.3-20120301.tar.gz  MD5: bbbbc6a0872028ed17d623af720a73bd
ccs-tools-1.6.9-20120301.tar.gz  MD5: 9999b891210fb4d79da4e9ebefc92236
ccs-tools-1.7.3-20120301.tar.gz  MD5: 777796417338fff302597456bbf9e0b7
ccs-tools-1.8.3-20120301.tar.gz  MD5: dddd6ca49a2f73bef77590cd4d199a9f
akari-1.0.25-20120301.tar.gz     MD5: 6666311eece23c6250957dca91083b6e
&lt;/pre&gt;</description>
    <dc:creator>Tetsuo Handa</dc:creator>
    <dc:date>2012-03-03T13:38:40</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.tomoyo.user.english/456">
    <title>[tomoyo-users-en   463]  Tomoyo 1.8 on Android 2.6.35 kernel</title>
    <link>http://comments.gmane.org/gmane.linux.tomoyo.user.english/456</link>
    <description>&lt;pre&gt;Hello,

Is there a patch available for making an Android 2.6.35 kernel with TOMOYO
1.8 support? I gather that 2.6.35 patch exists for the mainline kernel but
the same patch does not work cleanly with the Android specific kernel.
Also, although 2.6.35 ships with a TOMOYO LSM, I'd prefer 1.8 because of a
superior feature set.

Any suggestions?

Regards,
Bhargava Shastry
&lt;/pre&gt;</description>
    <dc:creator>Bhargava Shastry</dc:creator>
    <dc:date>2012-02-17T15:07:26</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.tomoyo.user.english/452">
    <title>[tomoyo-users-en   459]  Delete policy line API</title>
    <link>http://comments.gmane.org/gmane.linux.tomoyo.user.english/452</link>
    <description>&lt;pre&gt;Hello,

I haven't come across an API for policy line deletion for TOMOYO 1.8. Is
there any way to delete portions of domain policy other than doing it
manually using ccs-editpolicy? I am thinking of using sed on the
domain_policy.conf with the specific string to be deleted.

Thanks,
Bhargava Shastry
&lt;/pre&gt;</description>
    <dc:creator>Bhargava Shastry</dc:creator>
    <dc:date>2012-02-12T15:03:47</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.tomoyo.user.english/445">
    <title>[tomoyo-users-en   452]  logging and execution tracing</title>
    <link>http://comments.gmane.org/gmane.linux.tomoyo.user.english/445</link>
    <description>&lt;pre&gt;I know that MAC isn't really the right place to do this, but I'm
investigating all possibilities.

Is it possible to have tomoyo log more information about binaries that
are exec'd? I know that it tracks the execution chain for all process
starting with init, but is it possible to attach more information to
the log tomoyo stores about each execve like the time and uid that
executed it? Actually, does tomoyo already log the uid? The other
question is would it be possible/easy to extract this information with
user-land tools?

Cheers,
peter
&lt;/pre&gt;</description>
    <dc:creator>Peter Moody</dc:creator>
    <dc:date>2012-01-26T19:16:40</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.tomoyo.user.english/440">
    <title>[tomoyo-users-en 447] Tomoyo 2.5 and sockets beginning with null characters</title>
    <link>http://comments.gmane.org/gmane.linux.tomoyo.user.english/440</link>
    <description>&lt;pre&gt;
In Tomoyo 2.5 (kernel 3.2.1) I am unable to add ACLs for sockets with
null characters as per:
http://tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en

Nothing happens when I add them through tomoyo-editpolicy. If I manually
add them to the domain policy, they are removed on load. Using \?
instead of \000 works. Policy violations involving \000 are correctly
logged.

The ACL in question:
network unix stream connect \000/tmp/.X11-unix/X\$

&lt;/pre&gt;</description>
    <dc:creator>Steven Allen</dc:creator>
    <dc:date>2012-01-14T18:38:18</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.tomoyo.user.english/437">
    <title>[tomoyo-users-en   444]  Tomoyo 1.8 connections on UDP 0</title>
    <link>http://comments.gmane.org/gmane.linux.tomoyo.user.english/437</link>
    <description>&lt;pre&gt;Hi guys,

I'm using Tomoyo 1.8.3 on linux 3.1, migrating from in-kernel Tomoyo
2.4, I have started using socket filtering which is pretty cool!

I have found that Tomoyo generates logs like this:
"network inet dgram send X.X.X.X 0"
connection attempts on UDP port 0, for every outbound inet TCP
connection the program makes.

Is sending to UDP 0 still how the OS finds a free port?

Even if I do not authorize these packets through in the policy,
everything seems to work fine.

Is this a known behaviour?
Would you recommend allowing this activity?
Could it not be misused to communicate externally on port 0?

Cheers &amp;amp; Best wishes!
Milton
&lt;/pre&gt;</description>
    <dc:creator>Milton Yates</dc:creator>
    <dc:date>2012-01-11T20:56:28</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.tomoyo.user.english/436">
    <title>[tomoyo-users-en   443]  restricting access on forked process</title>
    <link>http://comments.gmane.org/gmane.linux.tomoyo.user.english/436</link>
    <description>&lt;pre&gt;Dear All,

I am new to tomoyo linux. I have just gone through few pages in the
documentation of version 2.5.

I have one basic question.

My understanding:

Learning - through this mode i can develop policy for all domain in my
system.

Enforcing - through this mode i can enforce policy which i have developed
earlier with learning mode

Now My Use case below,

I want to use this tomoyo for an embedded device which includes rich set of
features like web browser..

In which End - User is allowed to install any game and play the same at any
time. (game includes features like save current and resume it on next power
cycle).

Now My question:

I want to restrict process read/write on File System for unknown processes.

At the time of developing policy i will not be knowing the forked process
which is created from my browser task.

With the above scenario in my how shall i use tomoyo linux in enforcing
mode?

My objective is i don't want to allow (malicious activities) any unknown
process which is forked from my Main task.

(Also consider that my system includes lot third party libraries)

Thanks in Advance..


Best Regards
Hari
&lt;/pre&gt;</description>
    <dc:creator>thiruhari</dc:creator>
    <dc:date>2012-01-11T15:44:13</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.tomoyo.user.english/430">
    <title>[tomoyo-users-en 437] How to Download Tomoyo Source Code at http://tomoyo.sourceforge.jp/cgi-bin/lxr/source?</title>
    <link>http://comments.gmane.org/gmane.linux.tomoyo.user.english/430</link>
    <description>&lt;pre&gt;Dear Tomoyo User,
1. Good day and Happy New Year 2012.
2. I am a Postgraduate Research Student working on implementation on Linux Security for Linux File-systems using Tomoyo Linux. I am attached to a research university in Malaysia.
3. I need to enable IMA in kernel 2.6.32-generic-ccs as part of my work.
4. Hence I need the entire Tomoyo kernel source to ensure that both IMA and Tomoyo in http://tomoyo.sourceforge.jp/cgi-bin/lxr/source/?v=linux-2.6.32.52-ccs-1.8.3 can be compiled into one single kernel.
5. I had tried downloading the codes from no. 4 above using git, svn and cvs but no success.
6. Highly appreciate if anyone can tell me on how to download all codes from http://tomoyo.sourceforge.jp/cgi-bin/lxr/source/?v=linux-2.6.32.52-ccs-1.8.3 ?

Thank you for your help.
rgds
jyteh.
&lt;/pre&gt;</description>
    <dc:creator>TEH JIA YEW</dc:creator>
    <dc:date>2012-01-05T08:18:06</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.tomoyo.user.english/428">
    <title>[tomoyo-users-en   435]  Useful scripts for version 2.3</title>
    <link>http://comments.gmane.org/gmane.linux.tomoyo.user.english/428</link>
    <description>&lt;pre&gt;I'm evaluating tomoyo 2.3 in debian wheezy. Here are two scripts that I've found useful. Because I'm not sure whether or how this list supports attachments, I'm also pasting the scripts in-line. I have no idea whether these will work for version 2.5, but they are basically awk scripts, and should be easy to modify, as you wish. Hope it's helpful.

1 _tomoyo-policy-sort
=====================

Helps identify what domains are in need of patternizing, and possibly be candidates for domain-transition.

Usage hints:
1] No admin privileges are required to run the script. It DOES require read-access to a domain_policy file, and defaults to /etc/tomoyo/domain_policy.conf.
2] Run the script with no parameters to see how many rules there are for each domain in /etc/tomoyo/domain_policy.conf, sorted by increasing number of rules. So, the most likely candidates for patternizing will display at the end of the output.
3] Run the script with the -d parameter to get the same output as above, but sorted by the last element of the domains and nicely columnated for display in a browser/editor WITHOUT wordwrap. Use this to easily see duplicate executables, which would be the first step to considering a domain for domain-transition.

2 _tomoyo-patternize-home
=========================
Since there are many configuration and other files in users' $HOME directory, and patternizing them manually is cumbersome, this script automates the process. It should be followed with a 'tomoyo-checkpolicy' invocation, of course.



==============================
BEGIN SCRIPT #1 -  _tomoyo-policy-sort
==============================
#!/bin/bash
SCRIPT_VERSION="1.0, written for tomoyo v2.3"
#
# Tomoyo Policy Count / Sort
#
# Usage: _tomoyo-policy-sort [ [-d|-n] [-r] [file] ] | -v | -h
# OPTIONS
# -d  sort by domain
# -n  sort by number of policies (default)
# -r  raw (no columnation, headers, separators)
# -v  version
# -h  usage information
# The default input file is /etc/tomoyo/domain_policy.conf

# This script reads a tomoyo domain.conf file,
# counts the number of rules of each policy, and
# sorts the output either numerically, by the
# number of rules per domain, or alphabetically,
# by the final element in the domain path (the
# executable).
#
# When sorting alphabetically by executable, the
# output is displayed in a nicely columnated
# format for viewing in a non-wordwrap browser
# or editor.
#
# Written by: Boruch Baum &amp;lt;boruch-baum-eF6LUNyCSZCkA/em5mhdO+TW4wlIGRCZ&amp;lt; at &amp;gt;public.gmane.org&amp;gt;
# No warranties ...
# Use at your own risk  ...
# License: OpenGPL2 ...
# Include author info when redistributing ...

function usage_message {
      echo -e "\n_tomoyo-policy-sort: count rules and sort a domain.conf file\nUSAGE: _tomoyo-policy-sort [ [-d|-n] [-r] [file] ] | -v | -h\nOPTIONS:\n -d  sort by domain\n -n  sort by number of policies (default)\n -r  raw (no columnation, headers, separators)\n -v  version\n -h  usage information\n The default input file is /etc/tomoyo/domain_policy.conf\nVERSION: $SCRIPT_VERSION\n"
   }


function error_message {
      echo "error: a parameter is invalid or file unreadable: $myparm"
      usage_message
   }

SORT_OPTION="number"
DECORATION="TRUE"
POLICY_FILENAME="/etc/tomoyo/domain_policy.conf"

for myparm in "$@" ;do case $myparm in
-h|--help   ) usage_message; exit;;
-v|--version) echo "version "$SCRIPT_VERSION; exit;;
-d          ) SORT_OPTION="domain";; 
-n          ) ;;
-r          ) DECORATION="FALSE";;
*           ) if [[ -r "$myparm" ]]; then
                 POLICY_FILENAME=$myparm
              else
                 error_message
                 exit
              fi
              ;;
esac; done



if [[ "$SORT_OPTION" == "domain" ]] ; then
awk ' BEGIN {DOMAIN = ""; DOMAIN_PATH = ""; FIRST=1}
      /^&amp;lt;/  {LAST = FNR ; TOTAL = LAST - FIRST
             if ( TOTAL &amp;gt; 3 ) print DOMAIN, TOTAL-3, DOMAIN_PATH
             DOMAIN=$NF; DOMAIN_PATH=$0; FIRST=FNR+1
            }
      END   {LAST = FNR ; TOTAL = LAST - FIRST + 1   # recount for the final domain
             if ( TOTAL &amp;gt; 3 ) print DOMAIN, TOTAL-3, DOMAIN_PATH
            }
    ' "$POLICY_FILENAME" | sort | \
awk -v decoration="$DECORATION" \
    ' BEGIN {if ( decoration == "TRUE" ) {
             UNDERLINE="------"
             printf "%6s  %s \\ %s\n", "Size", "Executable", "Domain Path" }}
      decoration == "TRUE" &amp;amp;&amp;amp; DOMAIN != $1 {
             printf "%6s  %s \\ %s\n", UNDERLINE, UNDERLINE, UNDERLINE}
      {DOMAIN=$1; printf "%6i  %s \\ %s\n", $2, $1, substr($0,index($0,"&amp;lt;"))} ' | \
column -s"\\" -t


else # Sort numerically by number of rules per domain
awk ' BEGIN {DOMAIN = ""; FIRST=1}
      /^&amp;lt;/  {LAST = FNR ; TOTAL = LAST - FIRST
             if ( TOTAL &amp;gt; 3 ) printf("%6i  %s\n",TOTAL-3,DOMAIN)
             DOMAIN=$0; FIRST=FNR+1
            }
      END   {LAST = FNR ; TOTAL = LAST - FIRST + 1   # recount for the final domain
             if ( TOTAL &amp;gt; 3 ) printf("%6i  %s\n",TOTAL-3,DOMAIN)
            }
    ' "$POLICY_FILENAME" | sort -n
fi

============================
END SCRIPT #1 -  _tomoyo-policy-sort
============================


================================
BEGIN SCRIPT #2 - _tomoyo-patternize-home
================================
#!/bin/bash
SCRIPT_VERSION="1.0, written for tomoyo v2.3"
#
# Tomoyo Policy Patternize $HOME
#
# USAGE: _tomoyo-patternize-home [ [-i|-a] [-c|-A] [file] | -v | -h ]
# OPTIONS
# -i  interactive (prompts for each action) (default)
# -a  automatic (no prompting)
# -c  configuration files only (default)
# -A  all files
# -v  version
# -h  usage information
# The default input file is /etc/tomoyo/domain_policy.conf
# The default output file is ./domain_policy.conf.new


# The idea is to offer a variant on patternizing to account for the special case of user home directories, in which what is desired is to globally or selectively patternize just the user directory name for many (or all) user directory configuration files. I know that last sentence may sound unclear; what I mean is to have a simple way to patternize "/home/\*/foo/bar", without having to tell the script what "foo/bar" is.

# Written by: Boruch Baum &amp;lt;boruch-baum-eF6LUNyCSZBnVtAGhAykeQ&amp;lt; at &amp;gt;public.gmane.orgrge.net&amp;gt;
# No warranties ...
# Use at your own risk  ...
# License: OpenGPL2 ...
# Include author info when redistributing ...

function usage_message {
      echo -e "\nTomoyo Policy Patternize \$HOME: patternize just the \$HOME directory\nUSAGE: _tomoyo-patternize-home [ [-i|-a] [-c|-A] [file] | -v | -h ]\nOPTIONS:\n -i  interactive (prompts for each action) (default)\n -a  automatic (no prompting)\n -c  configuration files only (default)\n -A  all files\n -v  version\n -h  usage information\n The default input file is /etc/tomoyo/domain_policy.conf\n The default output file is ./domain_policy.conf.new\nVERSION: $SCRIPT_VERSION\n"
   }

function error_message {
      echo "error: a parameter is invalid or file unreadable: $myparm"
      usage_message
   }


# Default input, as documented in the usage text; pass a file argument to work on a copy.
POLICY_FILENAME="/etc/tomoyo/domain_policy.conf"
OUTPUT_FILENAME="domain_policy.conf.new"
MODE="interactive"
FILESPEC="config-only"

for myparm in "$@" ;do case $myparm in
-h|--help   ) usage_message; exit;;
-v|--version) echo "version "$SCRIPT_VERSION; exit;;
-i          ) MODE="interactive";; 
-a          ) MODE="automatic";;
-c          ) FILESPEC="config-only";;
-A          ) FILESPEC="all-files";;
*           ) if [[ -r "$myparm" ]]; then
                 POLICY_FILENAME=$myparm
              else
                 error_message
                 exit
              fi
              ;;
esac; done

if [[ $MODE == "interactive" ]] ; then

exec 3&amp;lt;"$POLICY_FILENAME"      # open the policy read-only on fd 3
cat /dev/null &amp;gt; "$OUTPUT_FILENAME"
FINISHED=0
while [[ $FINISHED == 0 ]] ; do
   # -r keeps the backslash escapes used in policy patterns (e.g. \*) intact
   read -r &amp;lt;&amp;amp;3
   FINISHED=$?
   # at end of file, stop unless a final line without a newline was read
   [[ $FINISHED != 0 &amp;amp;&amp;amp; -z "$REPLY" ]] &amp;amp;&amp;amp; break
   if [[ "$REPLY" =~ (&amp;lt;.*) ]] ; then
      DOMAIN=$REPLY
      printf '%s\n' "$DOMAIN" &amp;gt;&amp;gt; "$OUTPUT_FILENAME"
   else
      RULE=$REPLY
      REPLY="-"
      if   [[ "$FILESPEC" == "all-files" ]] &amp;amp;&amp;amp; grep -q " /home/" &amp;lt;&amp;lt;&amp;lt;"$RULE" ; then
         while [[ $REPLY =~ ([^yn]) ]] ; do
            printf '\n\nDOMAIN: %s\nRULE: %s\n' "$DOMAIN" "$RULE"
            read -rs -n 1 -p "Do you want to patternize? y/n"
            done
         if [[ $REPLY == "y" ]] ; then
            RULE=$( sed 's/ \/home\/[^\/]*\// \/home\/\\\*\//g' &amp;lt;&amp;lt;&amp;lt;"$RULE" )
         fi
      elif [[ "$FILESPEC" == "config-only" ]] &amp;amp;&amp;amp; grep -q " /home/[^/]*/\." &amp;lt;&amp;lt;&amp;lt;"$RULE" ; then
         while [[ $REPLY =~ ([^yn]) ]] ; do
            printf '\n\nDOMAIN: %s\nRULE: %s\n' "$DOMAIN" "$RULE"
            read -rs -n 1 -p "Do you want to patternize? y/n"
            done
         if [[ $REPLY == "y" ]] ; then
            RULE=$( sed 's/ \/home\/[^\/]*\/\./ \/home\/\\\*\/\./g' &amp;lt;&amp;lt;&amp;lt;"$RULE" )
         fi
      fi
      # quoted so the \* pattern is written literally and never glob-expanded
      printf '%s\n' "$RULE" &amp;gt;&amp;gt; "$OUTPUT_FILENAME"
   fi
   done
exec 3&amp;lt;&amp;amp;-
exit

else # [[ $MODE == "automatic" ]]

# Rewrite fields 2 and 3 (the pathname arguments of a rule) and write the
# result to $OUTPUT_FILENAME, the documented output file.
awk -v file_spec="$FILESPEC" '
      /^&amp;lt;/ { print; next }
           {
              # config-only: only dot-files directly under /home/USER/
              re = (file_spec == "config-only") ? "^/home/[^/]*/\\." : "^/home/[^/]*/"
              for (i = 2; i &amp;lt;= 3; i++)
                 if ($i ~ re) sub("^/home/[^/]*/", "/home/\\\\*/", $i)
              print
           }
    ' "$POLICY_FILENAME" &amp;gt; "$OUTPUT_FILENAME"

fi
===============================
END SCRIPT #2 - _tomoyo-patternize-home
===============================
&lt;/pre&gt;</description>
    <dc:creator>Boruch Baum</dc:creator>
    <dc:date>2011-11-13T21:18:04</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.linux.tomoyo.user.english/426">
    <title>[tomoyo-users-en   433]  Can't set policy on Arch Linux</title>
    <link>http://comments.gmane.org/gmane.linux.tomoyo.user.english/426</link>
    <description>&lt;pre&gt;Hi,

I've just started with Tomoyo 2.4 on a fresh install on Arch Linux,
but I can't set a policy.
I've followed the instructions on the wiki: setting the grub command
line, executing /usr/lib/tomoyo/init_policy, and running
tomoyo-editpolicy; however, if I try to set a policy on any process
("s" and entering "1" where it asks for the new profile number), it
does not change, the profile number remains at 0.

I've tried saving the policy and loading it at reboot, yet it still
remains unchanged. I've also tried removing the program, deleting all
the files within /etc/tomoyo/, and retrying but to no avail.

Can any one shed some light on this please?

Thanks, JD.
&lt;/pre&gt;</description>
    <dc:creator>JD</dc:creator>
    <dc:date>2011-12-26T18:18:29</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.linux.tomoyo.user.english">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.linux.tomoyo.user.english</link>
  </textinput>
</rdf:RDF>

