======
TOMOYO
======

What is TOMOYO?
===============

TOMOYO is a name-based MAC extension (LSM module) for the Linux kernel.

LiveCD-based tutorials are available at

http://tomoyo.sourceforge.jp/1.8/ubuntu12.04-live.html
http://tomoyo.sourceforge.jp/1.8/centos6-live.html

Though these tutorials use the non-LSM version of TOMOYO, they are useful for
learning what TOMOYO is.

How to enable TOMOYO?
=====================

Build the kernel with ``CONFIG_SECURITY_TOMOYO=y`` and pass ``security=tomoyo`` on
the kernel's command line.

Please see http://tomoyo.osdn.jp/2.5/ for details.

Where is documentation?
=======================

User <-> Kernel interface documentation is available at
https://tomoyo.osdn.jp/2.5/policy-specification/index.html .

Materials we prepared for seminars and symposiums are available at
https://osdn.jp/projects/tomoyo/docs/?category_id=532&language_id=1 .
The lists below are chosen from three aspects.

What is TOMOYO?
  TOMOYO Linux Overview
    https://osdn.jp/projects/tomoyo/docs/lca2009-takeda.pdf
  TOMOYO Linux: pragmatic and manageable security for Linux
    https://osdn.jp/projects/tomoyo/docs/freedomhectaipei-tomoyo.pdf
  TOMOYO Linux: A Practical Method to Understand and Protect Your Own Linux Box
    https://osdn.jp/projects/tomoyo/docs/PacSec2007-en-no-demo.pdf

What can TOMOYO do?
  Deep inside TOMOYO Linux
    https://osdn.jp/projects/tomoyo/docs/lca2009-kumaneko.pdf
  The role of "pathname based access control" in security.
    https://osdn.jp/projects/tomoyo/docs/lfj2008-bof.pdf

History of TOMOYO?
  Realities of Mainlining
    https://osdn.jp/projects/tomoyo/docs/lfj2008.pdf

What is the future plan?
========================

We believe that inode based security and name based security are complementary
and both should be used together. But unfortunately, so far, we cannot enable
multiple LSM modules at the same time. We feel sorry that you have to give up
SELinux/SMACK/AppArmor etc. when you want to use TOMOYO.

We hope that LSM becomes stackable in the future. Meanwhile, you can use the non-LSM
version of TOMOYO, available at http://tomoyo.osdn.jp/1.8/ .
The LSM version of TOMOYO is a subset of the non-LSM version of TOMOYO. We are planning
to port the non-LSM version's functionalities to the LSM version.
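The two conditions given under "How to enable TOMOYO?" can be audited on a host with a short script. This is an added example, not part of the kernel documentation: the function name ``tomoyo_check``, its exit codes, the example file paths, the constructed sample inputs, and the assumption that the last ``security=`` parameter is the one that takes effect all belong to the example, and it checks nothing beyond those two conditions.

```shell
#!/bin/sh
# tomoyo_check CONFIG_FILE CMDLINE_FILE   (hypothetical helper, not a TOMOYO tool)
#   CONFIG_FILE  - kernel build config, e.g. /boot/config-$(uname -r) (path is an assumption)
#   CMDLINE_FILE - kernel command line, e.g. /proc/cmdline
# Exit status: 0 = built in and selected, 1 = built in but not selected,
#              2 = not built in, 3 = an input file is unreadable.
tomoyo_check() {
    cfg=$1
    cmd=$2
    [ -r "$cfg" ] && [ -r "$cmd" ] || { echo "unreadable input" >&2; return 3; }

    # Whole-line match, so "# CONFIG_SECURITY_TOMOYO is not set" does not count.
    if ! grep -qx 'CONFIG_SECURITY_TOMOYO=y' "$cfg"; then
        echo "kernel config lacks CONFIG_SECURITY_TOMOYO=y"
        return 2
    fi

    # One parameter per line, keep the value of the last security= seen.
    # Assumption: a later security= overrides an earlier one.
    selected=$(tr -s ' \t' '\n\n' < "$cmd" | sed -n 's/^security=//p' | tail -n 1)

    case $selected in
        tomoyo)
            echo "CONFIG_SECURITY_TOMOYO=y and security=tomoyo are both present"
            return 0 ;;
        '')
            echo "TOMOYO is built in, but no security= parameter was passed"
            return 1 ;;
        *)
            echo "TOMOYO is built in, but security=$selected was passed"
            return 1 ;;
    esac
}

# Constructed sample inputs (not taken from a real system).
tmp=$(mktemp -d)
printf '%s\n' 'CONFIG_SECURITY=y' 'CONFIG_SECURITY_TOMOYO=y' > "$tmp/config"
printf '%s\n' 'root=/dev/sda1 ro security=tomoyo quiet' > "$tmp/cmdline.ok"
printf '%s\n' 'root=/dev/sda1 ro security=tomoyo security=apparmor' > "$tmp/cmdline.other"
tomoyo_check "$tmp/config" "$tmp/cmdline.ok"    || echo "exit status $?"
tomoyo_check "$tmp/config" "$tmp/cmdline.other" || echo "exit status $?"
rm -rf "$tmp"
```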