
Comment: TOMOYO Linux (Score 1) 77

by toshiharu (#18382073) Attached to: SELinux by Example

Hi,

If you think SELinux is too much/heavy for you, you might be interested in TOMOYO Linux. I'm so sure that most of you have never heard of "TOMOYO Linux", so I'll explain briefly. "TOMOYO Linux is a project started and actively maintained by the Japanese SI company, NTT DATA CORPORATION to provide a Mandatory Access Controls mechanism in Linux."

In short, TOMOYO Linux is quite similar to AppArmor and has been available at SourceForge.jp under GPL license since Nov. 2005.

TOMOYO Linux Project

The project has plenty of documentation, but most of it is written in Japanese. I have some links.

If you happen to have a chance to attend CELF Embedded Linux Conference 2007 (April 17th-19th, San Jose), you'll be able to see the presentation and tutorial.

http://www.celinux.org/elc2007/sessions.html

Abstract:

Linux has been adopted more and more by embedded devices. But its poor access control model raises critical security problems. Unlike PCs, it is difficult to apply security patches to embedded devices. Thus, embedded devices should be designed with due consideration for imperative access control. Linux kernel 2.6 has been equipped with LSM (Linux Security Modules, OS level security framework) to provide MAC (Mandatory Access Control, imperative access control) ability. NSA's SELinux (Security-Enhanced Linux, LSM applicant security server) provides very fine-grained access control, but its requirements for embedded devices seem to be too excessive. LIDS (Linux Intrusion Detection System), on the other hand, is relatively compact and better suits embedded systems. However its access control granularity is rather sparse. There are many limitations which are specific to embedded devices. For example, slow CPU speed, storage capacity for OS and programs, filesystem that doesn't support xattr (extended attributes), hard-links and symbolic links used for busybox (multi-call binary to save space), files dynamically created on volatile filesystem. TOMOYO Linux (http://tomoyo.sourceforge.jp/index.html.en) is yet another way to provide a lightweight and manageable MAC ability. It is available under GPL and applicable to and suitable for both PCs and embedded devices. In this session, we will present an overview of TOMOYO Linux and explain why TOMOYO Linux is suitable for embedded devices. We will also show some demonstrations.
