linux/Documentation/admin-guide/LSM/tomoyo.rst

======
TOMOYO
======

What is TOMOYO?
===============

TOMOYO is a name-based MAC extension (LSM module) for the Linux kernel.

LiveCD-based tutorials are available at

http://tomoyo.sourceforge.jp/1.8/ubuntu12.04-live.html
http://tomoyo.sourceforge.jp/1.8/centos6-live.html

Though these tutorials use non-LSM version of TOMOYO, they are useful for you
to know what TOMOYO is.

How to enable TOMOYO?
=====================

Build the kernel with ``CONFIG_SECURITY_TOMOYO=y`` and pass ``security=tomoyo`` on
kernel's command line.

Please see http://tomoyo.osdn.jp/2.5/ for details.

Where is documentation?
=======================

User <-> Kernel interface documentation is available at
https://tomoyo.osdn.jp/2.5/policy-specification/index.html .

Materials we prepared for seminars and symposiums are available at
https://osdn.jp/projects/tomoyo/docs/?category_id=532&language_id=1 .
Below lists are chosen from three aspects.

What is TOMOYO?
  TOMOYO Linux Overview
    https://osdn.jp/projects/tomoyo/docs/lca2009-takeda.pdf
  TOMOYO Linux: pragmatic and manageable security for Linux
    https://osdn.jp/projects/tomoyo/docs/freedomhectaipei-tomoyo.pdf
  TOMOYO Linux: A Practical Method to Understand and Protect Your Own Linux Box
    https://osdn.jp/projects/tomoyo/docs/PacSec2007-en-no-demo.pdf

What can TOMOYO do?
  Deep inside TOMOYO Linux
    https://osdn.jp/projects/tomoyo/docs/lca2009-kumaneko.pdf
  The role of "pathname based access control" in security.
    https://osdn.jp/projects/tomoyo/docs/lfj2008-bof.pdf

History of TOMOYO?
  Realities of Mainlining
    https://osdn.jp/projects/tomoyo/docs/lfj2008.pdf

What is future plan?
====================

We believe that inode based security and name based security are complementary
and both should be used together. But unfortunately, so far, we cannot enable
multiple LSM modules at the same time. We feel sorry that you have to give up
SELinux/SMACK/AppArmor etc. when you want to use TOMOYO.

We hope that LSM becomes stackable in future. Meanwhile, you can use non-LSM
version of TOMOYO, available at http://tomoyo.osdn.jp/1.8/ .
LSM version of TOMOYO is a subset of non-LSM version of TOMOYO. We are planning
to port non-LSM version's functionalities to LSM versions.
doc: ReSTify tomoyo.txt Adjusts for ReST markup and moves under LSM admin guide. Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net> 2017-05-13 04:51:46 -07:00			`======`
			`TOMOYO`
			`======`

			`What is TOMOYO?`
			`===============`
tomoyo: add Documentation/tomoyo.txt Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp> Signed-off-by: James Morris <jmorris@namei.org> 2009-04-13 11:04:19 +09:00
			`TOMOYO is a name-based MAC extension (LSM module) for the Linux kernel.`

			`LiveCD-based tutorials are available at`
doc: ReSTify tomoyo.txt Adjusts for ReST markup and moves under LSM admin guide. Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net> 2017-05-13 04:51:46 -07:00
tomoyo: Update URLs in Documentation/admin-guide/LSM/tomoyo.rst Fix outdated links. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <james.l.morris@oracle.com> 2017-07-18 19:59:53 +09:00			`http://tomoyo.sourceforge.jp/1.8/ubuntu12.04-live.html`
			`http://tomoyo.sourceforge.jp/1.8/centos6-live.html`
doc: ReSTify tomoyo.txt Adjusts for ReST markup and moves under LSM admin guide. Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net> 2017-05-13 04:51:46 -07:00
tomoyo: add Documentation/tomoyo.txt Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp> Signed-off-by: James Morris <jmorris@namei.org> 2009-04-13 11:04:19 +09:00			`Though these tutorials use non-LSM version of TOMOYO, they are useful for you`
			`to know what TOMOYO is.`

doc: ReSTify tomoyo.txt Adjusts for ReST markup and moves under LSM admin guide. Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net> 2017-05-13 04:51:46 -07:00			`How to enable TOMOYO?`
			`=====================`
tomoyo: add Documentation/tomoyo.txt Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp> Signed-off-by: James Morris <jmorris@namei.org> 2009-04-13 11:04:19 +09:00
doc: ReSTify tomoyo.txt Adjusts for ReST markup and moves under LSM admin guide. Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net> 2017-05-13 04:51:46 -07:00			Build the kernel with ``CONFIG_SECURITY_TOMOYO=y`` and pass ``security=tomoyo`` on
tomoyo: add Documentation/tomoyo.txt Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp> Signed-off-by: James Morris <jmorris@namei.org> 2009-04-13 11:04:19 +09:00			`kernel's command line.`

tomoyo: Update URLs in Documentation/admin-guide/LSM/tomoyo.rst Fix outdated links. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <james.l.morris@oracle.com> 2017-07-18 19:59:53 +09:00			`Please see http://tomoyo.osdn.jp/2.5/ for details.`
tomoyo: add Documentation/tomoyo.txt Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp> Signed-off-by: James Morris <jmorris@namei.org> 2009-04-13 11:04:19 +09:00
doc: ReSTify tomoyo.txt Adjusts for ReST markup and moves under LSM admin guide. Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net> 2017-05-13 04:51:46 -07:00			`Where is documentation?`
			`=======================`
tomoyo: add Documentation/tomoyo.txt Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp> Signed-off-by: James Morris <jmorris@namei.org> 2009-04-13 11:04:19 +09:00
			`User <-> Kernel interface documentation is available at`
Replace HTTP links with HTTPS ones: documentation Rationale: Reduces attack surface on kernel devs opening the links for MITM as HTTPS traffic is much harder to manipulate. Deterministic algorithm: For each file: For each line: If doesn't contain `\bxmlns\b`: For each link, `\bhttp://[^# \t\r\n]*(?:\w\|/)`: If both the HTTP and HTTPS versions return 200 OK and serve the same content: Replace HTTP with HTTPS. Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de> Link: https://lore.kernel.org/r/20200526060544.25127-1-grandmaster@al2klimov.de Signed-off-by: Jonathan Corbet <corbet@lwn.net> 2020-05-26 08:05:44 +02:00			`https://tomoyo.osdn.jp/2.5/policy-specification/index.html .`
tomoyo: add Documentation/tomoyo.txt Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp> Signed-off-by: James Morris <jmorris@namei.org> 2009-04-13 11:04:19 +09:00
			`Materials we prepared for seminars and symposiums are available at`
Replace HTTP links with HTTPS ones: documentation Rationale: Reduces attack surface on kernel devs opening the links for MITM as HTTPS traffic is much harder to manipulate. Deterministic algorithm: For each file: For each line: If doesn't contain `\bxmlns\b`: For each link, `\bhttp://[^# \t\r\n]*(?:\w\|/)`: If both the HTTP and HTTPS versions return 200 OK and serve the same content: Replace HTTP with HTTPS. Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de> Link: https://lore.kernel.org/r/20200526060544.25127-1-grandmaster@al2klimov.de Signed-off-by: Jonathan Corbet <corbet@lwn.net> 2020-05-26 08:05:44 +02:00			`https://osdn.jp/projects/tomoyo/docs/?category_id=532&language_id=1 .`
tomoyo: add Documentation/tomoyo.txt Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp> Signed-off-by: James Morris <jmorris@namei.org> 2009-04-13 11:04:19 +09:00			`Below lists are chosen from three aspects.`

			`What is TOMOYO?`
			`TOMOYO Linux Overview`
Replace HTTP links with HTTPS ones: documentation Rationale: Reduces attack surface on kernel devs opening the links for MITM as HTTPS traffic is much harder to manipulate. Deterministic algorithm: For each file: For each line: If doesn't contain `\bxmlns\b`: For each link, `\bhttp://[^# \t\r\n]*(?:\w\|/)`: If both the HTTP and HTTPS versions return 200 OK and serve the same content: Replace HTTP with HTTPS. Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de> Link: https://lore.kernel.org/r/20200526060544.25127-1-grandmaster@al2klimov.de Signed-off-by: Jonathan Corbet <corbet@lwn.net> 2020-05-26 08:05:44 +02:00			`https://osdn.jp/projects/tomoyo/docs/lca2009-takeda.pdf`
tomoyo: add Documentation/tomoyo.txt Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp> Signed-off-by: James Morris <jmorris@namei.org> 2009-04-13 11:04:19 +09:00			`TOMOYO Linux: pragmatic and manageable security for Linux`
Replace HTTP links with HTTPS ones: documentation Rationale: Reduces attack surface on kernel devs opening the links for MITM as HTTPS traffic is much harder to manipulate. Deterministic algorithm: For each file: For each line: If doesn't contain `\bxmlns\b`: For each link, `\bhttp://[^# \t\r\n]*(?:\w\|/)`: If both the HTTP and HTTPS versions return 200 OK and serve the same content: Replace HTTP with HTTPS. Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de> Link: https://lore.kernel.org/r/20200526060544.25127-1-grandmaster@al2klimov.de Signed-off-by: Jonathan Corbet <corbet@lwn.net> 2020-05-26 08:05:44 +02:00			`https://osdn.jp/projects/tomoyo/docs/freedomhectaipei-tomoyo.pdf`
tomoyo: add Documentation/tomoyo.txt Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp> Signed-off-by: James Morris <jmorris@namei.org> 2009-04-13 11:04:19 +09:00			`TOMOYO Linux: A Practical Method to Understand and Protect Your Own Linux Box`
Replace HTTP links with HTTPS ones: documentation Rationale: Reduces attack surface on kernel devs opening the links for MITM as HTTPS traffic is much harder to manipulate. Deterministic algorithm: For each file: For each line: If doesn't contain `\bxmlns\b`: For each link, `\bhttp://[^# \t\r\n]*(?:\w\|/)`: If both the HTTP and HTTPS versions return 200 OK and serve the same content: Replace HTTP with HTTPS. Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de> Link: https://lore.kernel.org/r/20200526060544.25127-1-grandmaster@al2klimov.de Signed-off-by: Jonathan Corbet <corbet@lwn.net> 2020-05-26 08:05:44 +02:00			`https://osdn.jp/projects/tomoyo/docs/PacSec2007-en-no-demo.pdf`
tomoyo: add Documentation/tomoyo.txt Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp> Signed-off-by: James Morris <jmorris@namei.org> 2009-04-13 11:04:19 +09:00
			`What can TOMOYO do?`
			`Deep inside TOMOYO Linux`
Replace HTTP links with HTTPS ones: documentation Rationale: Reduces attack surface on kernel devs opening the links for MITM as HTTPS traffic is much harder to manipulate. Deterministic algorithm: For each file: For each line: If doesn't contain `\bxmlns\b`: For each link, `\bhttp://[^# \t\r\n]*(?:\w\|/)`: If both the HTTP and HTTPS versions return 200 OK and serve the same content: Replace HTTP with HTTPS. Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de> Link: https://lore.kernel.org/r/20200526060544.25127-1-grandmaster@al2klimov.de Signed-off-by: Jonathan Corbet <corbet@lwn.net> 2020-05-26 08:05:44 +02:00			`https://osdn.jp/projects/tomoyo/docs/lca2009-kumaneko.pdf`
tomoyo: add Documentation/tomoyo.txt Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp> Signed-off-by: James Morris <jmorris@namei.org> 2009-04-13 11:04:19 +09:00			`The role of "pathname based access control" in security.`
Replace HTTP links with HTTPS ones: documentation Rationale: Reduces attack surface on kernel devs opening the links for MITM as HTTPS traffic is much harder to manipulate. Deterministic algorithm: For each file: For each line: If doesn't contain `\bxmlns\b`: For each link, `\bhttp://[^# \t\r\n]*(?:\w\|/)`: If both the HTTP and HTTPS versions return 200 OK and serve the same content: Replace HTTP with HTTPS. Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de> Link: https://lore.kernel.org/r/20200526060544.25127-1-grandmaster@al2klimov.de Signed-off-by: Jonathan Corbet <corbet@lwn.net> 2020-05-26 08:05:44 +02:00			`https://osdn.jp/projects/tomoyo/docs/lfj2008-bof.pdf`
tomoyo: add Documentation/tomoyo.txt Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp> Signed-off-by: James Morris <jmorris@namei.org> 2009-04-13 11:04:19 +09:00
			`History of TOMOYO?`
			`Realities of Mainlining`
Replace HTTP links with HTTPS ones: documentation Rationale: Reduces attack surface on kernel devs opening the links for MITM as HTTPS traffic is much harder to manipulate. Deterministic algorithm: For each file: For each line: If doesn't contain `\bxmlns\b`: For each link, `\bhttp://[^# \t\r\n]*(?:\w\|/)`: If both the HTTP and HTTPS versions return 200 OK and serve the same content: Replace HTTP with HTTPS. Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de> Link: https://lore.kernel.org/r/20200526060544.25127-1-grandmaster@al2klimov.de Signed-off-by: Jonathan Corbet <corbet@lwn.net> 2020-05-26 08:05:44 +02:00			`https://osdn.jp/projects/tomoyo/docs/lfj2008.pdf`
tomoyo: add Documentation/tomoyo.txt Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp> Signed-off-by: James Morris <jmorris@namei.org> 2009-04-13 11:04:19 +09:00
doc: ReSTify tomoyo.txt Adjusts for ReST markup and moves under LSM admin guide. Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net> 2017-05-13 04:51:46 -07:00			`What is future plan?`
			`====================`
tomoyo: add Documentation/tomoyo.txt Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp> Signed-off-by: James Morris <jmorris@namei.org> 2009-04-13 11:04:19 +09:00
			`We believe that inode based security and name based security are complementary`
			`and both should be used together. But unfortunately, so far, we cannot enable`
			`multiple LSM modules at the same time. We feel sorry that you have to give up`
			`SELinux/SMACK/AppArmor etc. when you want to use TOMOYO.`

			`We hope that LSM becomes stackable in future. Meanwhile, you can use non-LSM`
tomoyo: Update URLs in Documentation/admin-guide/LSM/tomoyo.rst Fix outdated links. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <james.l.morris@oracle.com> 2017-07-18 19:59:53 +09:00			`version of TOMOYO, available at http://tomoyo.osdn.jp/1.8/ .`
tomoyo: add Documentation/tomoyo.txt Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp> Signed-off-by: James Morris <jmorris@namei.org> 2009-04-13 11:04:19 +09:00			`LSM version of TOMOYO is a subset of non-LSM version of TOMOYO. We are planning`
			`to port non-LSM version's functionalities to LSM versions.`