Ubuntu kernels with TOMOYO Linux extension

Tim Gardner tim.gardner at canonical.com
Mon Aug 18 12:18:50 UTC 2008


Tetsuo Handa wrote:
> Hello.
> 
> I'd like to propose TOMOYO Linux for Ubuntu kernels.
> 
> ----- What is TOMOYO Linux? -----
> 
> TOMOYO Linux is a tool for reinforcing access control which is supposed to be
> performed by the userland process.
> 
> Here are kickstart pages that demonstrate TOMOYO Linux for Ubuntu 8.04.
> You can try it via Live CD on VMware Player.
>  http://tomoyo.sourceforge.jp/en/1.6.x/1st-step/ubuntu8.04-live/
>  http://tomoyo.sourceforge.jp/en/1.6.x/1st-step/ubuntu8.04/
> 
> ----- Why TOMOYO Linux? -----
> 
> Because TOMOYO Linux is "Understandable" and "Manageable".
> I consider it important for security to understand the access control rules
> and to manage them oneself when things don't go as expected.
> The "policy" (the access control rules, called a "profile" in AppArmor) in TOMOYO
> Linux is quite "Understandable" and "Manageable".
> 
> SELinux (a security enhancement mechanism which is already in the vanilla
> kernels) provides ready-made policy, and users are using policy without
> customizing/understanding. This approach is ideal if policy contains
> permissions which are essential for their usage and contains no permissions
> which lead to undesirable results. But it is bad if "the policy lacks permissions
> which are essential for their usage" or "redundant permissions in the policy lead to
> undesirable results".
> 
> TOMOYO Linux tracks the whole system's behavior (i.e. from /sbin/init at the
> boot stage to power failure at the halt stage) and reports it to users in an
> understandable and manageable manner. So users can customize/optimize as he/she wants.
> 
> You will understand the policy shown in kickstart pages.
> Users can master TOMOYO Linux as easily as AppArmor.
> 
> TOMOYO Linux doesn't provide a ready-made policy but it provides a "Learning"
> feature. This feature allows users to create a policy from scratch so that the
> created policy is perfectly optimized for their usage.
> 
> ----- Problems which prevent TOMOYO Linux from merging into vanilla kernels. -----
> 
> While attempts to merge TOMOYO Linux into vanilla kernels are in progress, they
> have not succeeded yet because of problems which both TOMOYO Linux and
> AppArmor have.
> 
> (1) Pathname based access control is considered harmful.
> 
> The majority opinion in the LSM (Linux Security Module, a framework which provides
> hooks for security related functions) community is that access control should
> not be performed based on pathnames.
> 
> But TOMOYO Linux (the minority opinion) asserts that pathname based access control is
> essential for security because
> 
>  It is the file's *attribute* that decides "whether the file is readable and/or
>  writable and/or executable or not", but it is the file's *name* that decides
>  "how the file's content is processed" and "how the system behaves".
> 
> I think this problem is almost solved, as I explained to Andrew Morton, James
> Morris and Paul Moore, and they understood it. The material is available at
>  http://sourceforge.jp/projects/tomoyo/document/lfj2008-bof.pdf
> 
> (2) Parameter for performing pathname based access control is missing.
> 
> To perform pathname based access control, parameters for calculating requested
> pathnames are needed. They are "struct dentry" and "struct vfsmount".
> However, "struct vfsmount" parameter is not passed to LSM hooks because VFS
> helper functions (e.g. vfs_mkdir()) don't receive it.
> 
> AppArmor has developed patches which pass "struct vfsmount" parameter to VFS
> helper functions and LSM functions, and the patches are merged into
> distributor's kernels which support AppArmor.
> But the patches are not merged yet into vanilla kernels since the VFS
> maintainers consider that VFS helper functions should not access "struct
> vfsmount" parameter.
> 
> This problem is not solved yet. And I don't know how many months/years are
> needed to solve this problem.
> 
> ----- Expected supported levels from developers if something breaks due to
> upstream changes. -----
> 
> I'm maintaining TOMOYO Linux for kernels from 2.4.30 to 2.4.36 and from 2.6.11
> to 2.6.27-rc3. As the wide range of applicable versions shows, TOMOYO Linux
> touches only the surface of the kernel. So, I think we don't need to worry about
> upstream changes. Suffice it to say that what may break TOMOYO Linux is the
> same as with AppArmor (i.e. what you already have in Ubuntu kernels).
> 
> 
> Regards.
> 

Our security expert has this opinion:

> I'm not very interested in supporting another out-of-mainline MAC
> system.  I'm additionally worried that since it doesn't use LSM, it's
> even less likely to make it into upstream.  At least AppArmor keeps
> seeing forward progress in the VFS changes they've been needing.

rtg
-- 
Tim Gardner tim.gardner at ubuntu.com
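As an added illustration (not code from the proposal, the TOMOYO project or the Ubuntu kernel team) of the pathname-based policy and the "Learning" feature the quoted proposal describes: a toy Python model in which a domain is the process's exec history, rules are `allow_<op> <pattern>` lines, unknown accesses are recorded as new rules in learning mode and refused in enforcing mode. The `mode` keyword, the single `\*` wildcard and the sample sshd rules are constructed assumptions, not TOMOYO's exact syntax.

```python
# Constructed toy model of a TOMOYO-style pathname MAC with a "learning"
# mode; it is not TOMOYO Linux code and simplifies its policy syntax.
import re
from collections import defaultdict

LEARNING, ENFORCING = "learning", "enforcing"

def pattern_to_regex(pattern):
    # Only the "\*" wildcard is modelled: any run of chars other than '/'.
    parts = pattern.split(r"\*")
    return re.compile("^" + "[^/]*".join(map(re.escape, parts)) + "$")

class Policy:
    def __init__(self):
        self.rules = defaultdict(list)              # domain -> [(op, pattern)]
        self.mode = defaultdict(lambda: ENFORCING)  # unknown domains: enforce

    def load(self, text):
        domain = None
        for line in text.splitlines():
            line = line.strip()
            if not line:
                continue
            if line.startswith("<kernel>"):  # domain = exec history of the process
                domain = line
            elif line.startswith("mode "):   # constructed keyword, not TOMOYO's
                self.mode[domain] = line.split()[1]
            else:                            # e.g. "allow_read /etc/passwd"
                op, pattern = line.split(None, 1)
                self.rules[domain].append((op, pattern))

    def check(self, domain, op, path):
        for rule_op, pattern in self.rules[domain]:
            if rule_op == op and pattern_to_regex(pattern).match(path):
                return "granted"
        if self.mode[domain] == LEARNING:
            # Learning mode: record the observed access as a literal rule so
            # the user can read, prune or generalize it before enforcing.
            self.rules[domain].append((op, path))
            return "learned"
        return "denied"

SSHD = "<kernel> /sbin/init /usr/sbin/sshd"
POLICY = rf"""
{SSHD}
mode enforcing
allow_read /etc/ssh/sshd_config
allow_read /etc/ssh/ssh_host_\*_key
"""
```

After a learning run, `p.rules[domain]` holds the accesses that were observed, which is the text an administrator reviews before switching that domain to enforcing.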
