#1 2011-02-24 15:04:18

jnguyen
Member
Registered: 2011-02-17
Posts: 139
Website

TOMOYO Linux Security Repository

Hi Archers.

A repository is now available for all TOMOYO Linux packages, and can be browsed here. It includes patched kernel26 and kernel26-lts, as well as userspace tools for both 1.8.x and 2.3.x branches.

Put this in "/etc/pacman.conf":

[tomoyo]
Server = http://repo.tomoyolinux.co.uk/archlinux/$arch

Run the following to see the packages in the repo:

pacman -Sl tomoyo

We redesigned our website recently, and are also working on rewriting the official documentation.

All pkgbuilds are available in the AUR.

Please do let me know if there are problems with the repository or packages. If you're not sure where to start, read the wiki page.

Last edited by jnguyen (2011-04-12 06:59:46)


TOMOYO Linux: Mandatory Access Control.
My AUR packages


#2 2011-02-24 16:21:48

trungpham
Member
Registered: 2010-10-21
Posts: 28

Re: TOMOYO Linux Security Repository

Cool man. I'm using it.

Time in tomoyo log is different from system time. How does tomoyo get timestamp?


#3 2011-02-24 16:27:53

brian
Member
Registered: 2009-08-03
Posts: 16

Re: TOMOYO Linux Security Repository

Thanks very much for working on this. I hope that packages will eventually include sensible TOMOYO profiles. Right now, it's hard for people who care about security to protect themselves, especially from client-side holes.


#4 2011-02-24 16:47:05

jnguyen
Member
Registered: 2011-02-17
Posts: 139
Website

Re: TOMOYO Linux Security Repository

trungpham wrote:

Cool man. I'm using it.

Time in tomoyo log is different from system time. How does tomoyo get timestamp?

What is your output of "date", and what are the TIMEZONE and HARDWARECLOCK from /etc/rc.conf? How much are the times out by in tomoyo logs? Are you using ccs-tools or tomoyo-tools?

brian wrote:

Thanks very much for working on this. I hope that packages will eventually include sensible TOMOYO profiles. Right now, it's hard for people who care about security to protect themselves, especially from client-side holes.

Do you mean shipping TOMOYO Linux with pre-built policy? This is the AppArmor approach in Ubuntu, and SELinux approach in Fedora. While this is great for the respective distros (and they are doing a great job with it), TOMOYO Linux encourages the use of the policy editor and getting familiar with the syntax from the start. The learning mode, simple syntax and extensive documentation aim to make life very easy. If you want, kernel26-ccs can actually be used alongside AppArmor or SELinux. Of course, the problem with pre-built policy is that it can't be too restrictive, otherwise users will complain when things break. And if it isn't restrictive enough then it isn't beneficial.

Even so, in the future (probably not until 2011 Q3) I may set up a help site with screencasts and policy examples for common applications :)

Last edited by jnguyen (2011-02-24 21:29:15)



#5 2011-02-24 23:08:01

jnguyen
Member
Registered: 2011-02-17
Posts: 139
Website

Re: TOMOYO Linux Security Repository

Just so everyone knows, I will try to push kernels within a reasonable time (<72h) after the Arch Linux counterpart hits [core]. I perform some rudimentary tests of all packages, which consists of booting the kernel (kernel26-ccs, kernel26-lts-ccs, or kernel26 with akari) and opening the policy editor (ccs-tools or tomoyo-tools). kernel26-ccs x86_64 is the kernel I predominantly use on my Arch Linux desktop, so this receives the most testing, but generally everything should work fine.

If you notice any bugs that are probably related to upstream, they can be reported in our mailing list.



#6 2011-02-25 09:08:37

jnguyen
Member
Registered: 2011-02-17
Posts: 139
Website

Re: TOMOYO Linux Security Repository

Is anyone interested in kernel26-ck patched with ccs-patch? I do use kernel26-ck occasionally, so I may provide a package if there is interest. Of course, users of kernel26-ck or any other custom kernel can just compile AKARI module, but there may be some who need the features that AKARI is missing (it's not missing many).

Last edited by jnguyen (2011-02-25 09:18:34)



#7 2011-02-25 16:18:53

trungpham
Member
Registered: 2010-10-21
Posts: 28

Re: TOMOYO Linux Security Repository

@jnguyen: your reply gives me a suggestion. My current timezone is GMT+7 and tomoyo log time + 7 = system time. Thanks!

jnguyen wrote:

Is anyone interested in kernel26-ck patched with ccs-patch? I do use kernel26-ck occasionally, so I may provide a package if there is interest. Of course, users of kernel26-ck or any other custom kernel can just compile AKARI module, but there may be some who need the features that AKARI is missing (it's not missing many).

I'm running kernel26 + ck2 + ccs + aufs. It'll be super cool if you integrate aufs too. I've used it to automount compressed /usr.


#8 2011-02-26 22:31:19

jnguyen
Member
Registered: 2011-02-17
Posts: 139
Website

Re: TOMOYO Linux Security Repository

trungpham wrote:

I'm running kernel26 + ck2 + ccs + aufs. It'll be super cool if you integrate aufs too. I've used it to automount compressed /usr.

Unfortunately I have no interest in aufs, and I originally removed aufs patches from the pkgbuild because applying ccs-patch broke and required some manual patching. I'm not sure what the situation is now. I also just have an aversion to the aufs patches generally because it seems to go against the Arch Way to have them in the default Arch kernel (not really sure how that happened). The Arch developers are allowed to do what they want obviously, and are doing a great job, but I will stand by my own principles and will thus probably not provide aufs patched kernels, especially since it breaks ccs-patch.

On the other hand, I may eventually start providing kernels patched with ck and ccs. I am due to have my home internet stripped from me some time soon for a short period (or long period depending on whether my ISP wishes to further infuriate me with their awful customer service) and will be relying on mobile broadband, so I may wait until after this until I consider providing kernel26-ck-ccs.

But anyway, I'm glad that your issue got resolved, and thanks for your interest in TOMOYO Linux :)



#9 2011-02-27 09:19:04

trungpham
Member
Registered: 2010-10-21
Posts: 28

Re: TOMOYO Linux Security Repository

Yep. KISS is cool. Then I'll patch it myself. Keep up the good work. Thanks!

PS: Are you Vietnamese? :)


#10 2011-03-01 16:23:04

jnguyen
Member
Registered: 2011-02-17
Posts: 139
Website

Re: TOMOYO Linux Security Repository

Some information for anyone who is interested in TOMOYO Linux development:

Before further functionality can be introduced into the 2.x branch of TOMOYO Linux, the integration of a couple of LSM hooks must occur (or more accurately, the reimplementation of a couple of hooks that had previously been removed). Once this is done, then more features can be ported into the 2.x branch.

As always, for anyone seeking the full functionality (protection of network, ipc signals, capabilities etc), the repository provides kernel26-ccs and kernel26-lts-ccs. For those using custom kernels, it is very easy to compile AKARI as a module instead of trying to combine ccs-patch with whatever other patches you are using.

trungpham wrote:

PS: Are you Vietnamese? :)

Yes, nice to meet a fellow Vietnamese archer :)



#11 2011-03-02 08:19:31

jnguyen
Member
Registered: 2011-02-17
Posts: 139
Website

Re: TOMOYO Linux Security Repository

TOMOYO Linux 2.x memory leak found in all kernels above 2.6.36.

See the mailing list and bug report for more information:

Mailing List
Bug #23098

edit: Now fixed in 2.6.37.5 and 2.6.38.1 :)

Last edited by jnguyen (2011-03-29 12:07:31)



#12 2011-03-10 15:24:33

jnguyen
Member
Registered: 2011-02-17
Posts: 139
Website

Re: TOMOYO Linux Security Repository

Just to let everyone know that I have no home internet for around 3 weeks, following various issues with my broadband provider. I will be relying on mobile broadband in the meantime, which unfortunately is not quite so reliable. I apologize if there are delays in uploading packages, but I will try my best to keep everything up to date.



#13 2011-04-02 10:06:54

jnguyen
Member
Registered: 2011-02-17
Posts: 139
Website

Re: TOMOYO Linux Security Repository

There will be some downtime today as I perform some server maintenance (probably not more than 1 hour), but when it comes back up there will be new packages for the latest release of ccs-patch (1.8.1). I will also be pushing the latest kernel (2.6.38.2) so please do let me know if there are any problems.

edit: maintenance is taking longer than expected, apologies for the downtime. It will be up within a couple hours.

Last edited by jnguyen (2011-04-02 17:44:29)



#14 2011-04-02 20:35:24

jnguyen
Member
Registered: 2011-02-17
Posts: 139
Website

Re: TOMOYO Linux Security Repository

Repository is back online :cool:

2.6.38.2 is now the latest kernel. Also, /dev/kmem has now been disabled in the Arch Linux kernel following a bug report that I opened. This was a change that I previously made in my own kernels due to the fact that RHEL/Fedora/Debian/Ubuntu all disable it by default, and it's used rarely except by rootkits. But now everyone can rest easy regardless of whether you use kernel26-ccs or not :)



#15 2011-04-12 18:17:48

jnguyen
Member
Registered: 2011-02-17
Posts: 139
Website

Re: TOMOYO Linux Security Repository

Hi Archers, you may have noticed that tomoyo-tools has just been pushed to [community], which is great :cool:

I apologise but I have thus chosen to temporarily take down the [tomoyo] repository for two reasons:
1. I do not have home internet at the moment due to ISP problems, and mobile internet is expensive and makes server maintenance rather hard
2. uptake of packages other than tomoyo-tools is currently rather low so I do not expect this to affect many users.

The good news is that I will continue to provide all packages on AUR, and once I get my internet back I will also be providing kernel26-ck-ccs binary packages alongside the others :)

Server is still running for now, but I will be taking it down during this week.

Also, the 1.8.x documentation has been completely rewritten and is available here.

Last edited by jnguyen (2011-04-12 19:32:11)



#16 2011-05-07 09:35:51

broken pipe
Member
Registered: 2010-12-10
Posts: 238

Re: TOMOYO Linux Security Repository

thx for providing those packages in arch!!! i didn't want to install the whole kernel so i installed akari and the ccs-tools instead. do i have to make any changes or edit configs afterwards? does the module know what is right and what is wrong by default?

i can see that it logs something but i don't know how to interpret those messages

#2011/05/07 11:31:53# profile=0 mode=disabled granted=no (global-pid=3761) task={ pid=3761 ppid=3758 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 type!=execute_handler }
<kernel> /sbin/init /usr/bin/kdm /usr/share/config/kdm/Xsession /usr/bin/startkde /usr/lib/kde4/libexec/start_kdeinit_wrapper /usr/lib/kde4/libexec/start_kdeinit /usr/bin/kdeinit4 /bin/bash /bin/su /bin/bash /bin/cat
use_group 0


#17 2011-05-08 15:09:19

jnguyen
Member
Registered: 2011-02-17
Posts: 139
Website

Re: TOMOYO Linux Security Repository

broken pipe wrote:

thx for providing those packages in arch!!! i didn't want to install the whole kernel so i installed akari and the ccs-tools instead. do i have to make any changes or edit configs afterwards? does the module know what is right and what is wrong by default?

i can see that it logs something but i don't know how to interpret those messages

#2011/05/07 11:31:53# profile=0 mode=disabled granted=no (global-pid=3761) task={ pid=3761 ppid=3758 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 type!=execute_handler }
<kernel> /sbin/init /usr/bin/kdm /usr/share/config/kdm/Xsession /usr/bin/startkde /usr/lib/kde4/libexec/start_kdeinit_wrapper /usr/lib/kde4/libexec/start_kdeinit /usr/bin/kdeinit4 /bin/bash /bin/su /bin/bash /bin/cat
use_group 0

Hi broken pipe. I recommend that you take a look at the AKARI documentation/tutorial. TOMOYO Linux does not know what is right and wrong by default; it is up to the user to let TOMOYO Linux know. The "Learning Mode" can be used to make this easy.

Since AKARI is based on the 1.x branch of TOMOYO Linux, you can also use the 1.8.x documentation. We have recently rewritten the 1.8.x documentation so it may be more informative, but there is information there that is not applicable to AKARI.

I would also recommend our Mailing List if you have any further questions.

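Added example (not part of the thread and not code from the TOMOYO Linux project): a small Python parser for the three-line log record quoted in post #16, splitting it into header fields, the domain (the chain of programs from <kernel> down to the current one) and the ACL line. It assumes the log timestamp is UTC, which is consistent with the "log time + 7 = system time" observation in post #7; the function names and the utc_offset_hours parameter are made up for this illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Sample input: the three-line record quoted in post #16 (header, domain, ACL line).
SAMPLE = """\
#2011/05/07 11:31:53# profile=0 mode=disabled granted=no (global-pid=3761) task={ pid=3761 ppid=3758 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 type!=execute_handler }
<kernel> /sbin/init /usr/bin/kdm /usr/share/config/kdm/Xsession /usr/bin/startkde /usr/lib/kde4/libexec/start_kdeinit_wrapper /usr/lib/kde4/libexec/start_kdeinit /usr/bin/kdeinit4 /bin/bash /bin/su /bin/bash /bin/cat
use_group 0
"""

HEADER = re.compile(r"^#(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)# (.*)$")
BLOCK = re.compile(r"(\w+)=\{ (.*?) \}")   # e.g. task={ pid=... }
PAIR = re.compile(r"([\w-]+)(!?=)(\S+)")    # key=value or key!=value

def parse_pairs(text):
    """Map each key to (operator, value), keeping '!=' distinct from '='."""
    return {key: (op, value) for key, op, value in PAIR.findall(text)}

def parse_record(record, utc_offset_hours=0):
    """Parse one record; utc_offset_hours is the reader's own timezone offset."""
    header, domain, acl = record.strip().split("\n")[:3]
    match = HEADER.match(header)
    if match is None:
        raise ValueError("not an audit log header: %r" % header)
    stamp, rest = match.groups()
    blocks = {name: parse_pairs(body) for name, body in BLOCK.findall(rest)}
    top = parse_pairs(re.sub(r"[()]", " ", BLOCK.sub("", rest)))
    # Assumption: the stamp is UTC, matching the "log time + 7" report in post #7.
    logged = datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)
    # Spaces inside pathnames are written as octal escapes (\040), so a plain
    # split on whitespace yields one element per program in the chain.
    chain = domain.split()
    return {
        "logged_utc": logged,
        "local": logged.astimezone(timezone(timedelta(hours=utc_offset_hours))),
        "profile": int(top["profile"][1]),
        "mode": top["mode"][1],
        "granted": top["granted"][1] == "yes",
        "global_pid": int(top["global-pid"][1]),
        "task": blocks.get("task", {}),
        "domain": chain,
        "acl": acl.strip(),
    }

if __name__ == "__main__":
    rec = parse_record(SAMPLE, utc_offset_hours=7)
    print(rec["local"].isoformat(), rec["mode"], "granted" if rec["granted"] else "not granted")
    print("current program:", rec["domain"][-1], "| started via:", " -> ".join(rec["domain"][-4:-1]))
```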
