Ubuntu kernels with TOMOYO Linux extension

Tetsuo Handa penguin-kernel at I-love.SAKURA.ne.jp
Sun Aug 17 14:17:09 UTC 2008


Hello.

I'd like to propose TOMOYO Linux for Ubuntu kernels.

----- What is TOMOYO Linux? -----

TOMOYO Linux is a tool for reinforcing access control which is supposed to be
performed by the userland process.

Here are kickstart pages that demonstrate TOMOYO Linux for Ubuntu 8.04.
You can try it via Live CD on VMware Player.
 http://tomoyo.sourceforge.jp/en/1.6.x/1st-step/ubuntu8.04-live/
 http://tomoyo.sourceforge.jp/en/1.6.x/1st-step/ubuntu8.04/

----- Why TOMOYO Linux? -----

Because TOMOYO Linux is "Understandable" and "Manageable".
I consider it important for security to understand the access control rules
and manage them oneself when things don't go as he/she expected.
The "policy" (the access control rules, called "profile" in AppArmor) in TOMOYO
Linux is quite "Understandable" and "Manageable".

SELinux (a security enhancement mechanism which is already in the vanilla
kernels) provides ready-made policy, and users are using policy without
customizing/understanding. This approach is ideal if policy contains
permissions which are essential for their usage and contains no permissions
which lead to undesirable results. But it is bad if "policy lacks permissions
which is essential for their usage" or "redundant permissions in policy led to
undesirable results".

TOMOYO Linux tracks the whole system's behavior (i.e. from /sbin/init at the
boot stage to power failure at halt stage) and reports to users in an
understandable and manageable manner. So users can customize/optimize as he/she wants.

You will understand the policy shown in kickstart pages.
Users can master TOMOYO Linux as easily as AppArmor.

TOMOYO Linux doesn't provide ready-made policy but it provides a "Learning"
feature. This feature allows users to create policy from scratch so that the
created policy is perfectly optimized for their usage.

----- Problems which prevent TOMOYO Linux from merging into vanilla kernels. -----

While attempts to merge TOMOYO Linux into vanilla kernels are in progress, they
have not succeeded yet because of problems which both TOMOYO Linux and
AppArmor have.

(1) Pathname based access control is considered harmful.

Major opinion in the LSM (Linux Security Module, a framework which provides
hooks for security related functions) community is that access control should
not be performed based on pathnames.

But TOMOYO Linux (minor opinion) asserts that pathname based access control is
essential for security because

 It is the file's *attribute* that decides "whether the file is readable and/or
 writable and/or executable or not", but it is the file's *name* that decides
 "how the file's content is processed" and "how the system behaves".

I think this problem is almost solved, as I explained to Andrew Morton, James
Morris and Paul Moore, and they understood it. The material is available at
 http://sourceforge.jp/projects/tomoyo/document/lfj2008-bof.pdf

(2) Parameter for performing pathname based access control is missing.

To perform pathname based access control, parameters for calculating requested
pathnames are needed. They are "struct dentry" and "struct vfsmount".
However, "struct vfsmount" parameter is not passed to LSM hooks because VFS
helper functions (e.g. vfs_mkdir()) don't receive it.

AppArmor has developed patches which pass "struct vfsmount" parameter to VFS
helper functions and LSM functions, and the patches are merged into
distributor's kernels which support AppArmor.
But the patches are not merged yet into vanilla kernels since the VFS
maintainers consider that VFS helper functions should not access "struct
vfsmount" parameter.

This problem is not solved yet. And I don't know how many months/years are
needed to solve this problem.

----- Expected supported levels from developers if something breaks due to
upstream changes. -----

I'm maintaining TOMOYO Linux for kernels from 2.4.30 to 2.4.36 and from 2.6.11
to 2.6.27-rc3. As the wide range of applicable versions shows, TOMOYO Linux
touches only the surface of the kernel. So, I think we don't need to worry about
upstream changes. Suffice it to say that what may break TOMOYO Linux is the
same as for AppArmor (i.e. what you already have in Ubuntu kernels).


Regards.
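As an added illustration (not code from the post, nor from the TOMOYO Linux project), here is a small Python model of the two ideas the proposal rests on: the "Learning" feature, which records every access a domain makes and turns it into policy, and pathname based access control, where the decision hinges on the requested name rather than on the file's mode bits. Domain names (the process's execution history starting at "<kernel>") and the use_profile / allow_read / allow_write / allow_execute keywords are modeled on the TOMOYO 1.6.x domain policy syntax; the profile numbering, the sample boot-to-login access trace and the class names are assumptions constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Profile numbers follow the default TOMOYO 1.6.x profiles (an assumption;
# the learning -> enforcing mechanism is what the example demonstrates).
LEARNING, PERMISSIVE, ENFORCING = 1, 2, 3


@dataclass
class Domain:
    """One domain: a process identified by its execution history from <kernel>."""
    profile: int = LEARNING
    rules: set[tuple[str, str]] = field(default_factory=set)  # (keyword, pathname)


class PolicyManager:
    """Hypothetical in-memory stand-in for the kernel side of TOMOYO's policy."""

    def __init__(self) -> None:
        self.domains: dict[str, Domain] = {}
        self.violations: list[tuple[str, str, str]] = []

    def domain(self, name: str) -> Domain:
        return self.domains.setdefault(name, Domain())

    def check(self, domain_name: str, keyword: str, pathname: str) -> bool:
        """Decide one access by requesting domain and requested *pathname*,
        never by the file's attributes. Returns True if it may proceed."""
        d = self.domain(domain_name)
        if (keyword, pathname) in d.rules:
            return True
        if d.profile == LEARNING:
            d.rules.add((keyword, pathname))  # learning: record it and allow
            return True
        self.violations.append((domain_name, keyword, pathname))
        return d.profile == PERMISSIVE  # permissive logs only; enforcing denies

    def execute(self, domain_name: str, program: str) -> str | None:
        """allow_execute also transitions the new process into the child
        domain '<parent domain> <program>'; returns None when denied."""
        if not self.check(domain_name, "allow_execute", program):
            return None
        child = f"{domain_name} {program}"
        self.domain(child).profile = self.domain(domain_name).profile
        return child

    def set_profile(self, profile: int) -> None:
        for d in self.domains.values():
            d.profile = profile

    def dump(self) -> str:
        """Render the learned policy in the 1.6.x domain_policy.conf layout."""
        out: list[str] = []
        for name, d in self.domains.items():
            out.append(name)
            out.append(f"use_profile {d.profile}")
            out.extend(f"{kw} {path}" for kw, path in sorted(d.rules))
            out.append("")
        return "\n".join(out)


def learn_policy() -> PolicyManager:
    """Replay a constructed boot-to-login trace (not real log data) in learning mode."""
    pm = PolicyManager()
    init = "<kernel> /sbin/init"
    sshd = pm.execute(init, "/usr/sbin/sshd")
    pm.check(sshd, "allow_read", "/etc/ssh/sshd_config")
    pm.check(sshd, "allow_read", "/etc/passwd")
    pm.check(sshd, "allow_read", "/etc/shadow")  # sshd needs this; a login shell does not
    shell = pm.execute(sshd, "/bin/bash")
    pm.check(shell, "allow_read", "/etc/passwd")
    pm.check(shell, "allow_read", "/etc/motd")
    return pm


def enforce_after_learning() -> dict[str, bool]:
    """Switch every learned domain to enforcing and replay a few accesses.
    /etc/shadow stays readable by sshd but not by the shell it spawned, even
    though both files carry the same mode bits for root: the name decides."""
    pm = learn_policy()
    pm.set_profile(ENFORCING)
    sshd = "<kernel> /sbin/init /usr/sbin/sshd"
    shell = sshd + " /bin/bash"
    return {
        "sshd reads sshd_config": pm.check(sshd, "allow_read", "/etc/ssh/sshd_config"),
        "sshd reads shadow": pm.check(sshd, "allow_read", "/etc/shadow"),
        "shell reads shadow": pm.check(shell, "allow_read", "/etc/shadow"),
        "shell writes passwd": pm.check(shell, "allow_write", "/etc/passwd"),
        "init runs bash directly": pm.execute("<kernel> /sbin/init", "/bin/bash") is not None,
        "violations logged": len(pm.violations) == 3,
    }


if __name__ == "__main__":
    print(learn_policy().dump())
    for name, allowed in enforce_after_learning().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Running the block prints the learned domain policy (one block per domain, in execution-history order) followed by the enforcing-mode decisions. The point to take from it is the one the post makes about manageability: every rule is a readable pathname the operator can recognise, and a denial in enforcing mode names the exact domain and path, so a missing permission is something the operator can see and add rather than a hidden label mismatch.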



