Using tomoyo-tools for system security
Introduction
Tomoyo Linux is a Mandatory Access Control (MAC) implementation for Linux, used for system analysis as well as for restricting the system for increased security. It is not designed to offer protection “out of the box”, but instead requires time and an understanding of the concepts and tools involved.
Focusing on the behavior of the system, where every process has its defined purpose, Tomoyo allows each process to declare the characteristic behavior and the resources it needs to achieve said purpose. With the protection enabled, Tomoyo then restricts each process to that set of behaviors and resources allowed by the administrator.
The main features of TOMOYO Linux include:
- System analysis
- Increased security through Mandatory Access Control
- Tools to aid in policy generation
- Simple syntax
- Easy to use
- Very few dependencies
- Requires no modification of existing binaries
/etc/tomoyo/ is the storage location of all policy information.
Setup
Tomoyo, because of the way it works, needs to have some time spent on the system in a learning setup. The more time you allow Tomoyo to learn how and what programs you use, the less likely it is to log things that are just normal for the given app and scenario. Tomoyo is primarily CLI-based, but with a well-structured and easy to understand layout. It is not that hard to set up, since the KaOS kernel has Tomoyo support available by default. Tomoyo is part of a default KaOS install, but in case it was removed, install with:
Initializing Configuration
Before you can make use of TOMOYO Linux, an initialization procedure must take place. This prepares the files in which policy information will be stored.
Configure Bootloader
To enable Tomoyo, you need to add security=tomoyo to the kernel command line in either grub or systemd-boot.
For grub:
As always, after editing Grub’s configuration you need to run:
For systemd-boot:
and reboot.
Setting to Learning Mode
The Learning Mode profile is the feature of TOMOYO Linux that makes developing policy very easy. This mode will automatically generate a policy for any domain that has this profile selected. In order to set up the policy to learning mode, you have to open the Domain Transition Editor:
At this point, the only thing that should be listed is the kernel domain. Next we need to set Tomoyo to learning mode on the kernel.
The kernel should be highlighted in green (if not, use the arrow keys to select it). Once it is selected, press S and you will be asked to enter the profile number.
To set the kernel domain to learning, enter 1. The learning profile will also log all the boot time files and operations. There are four setup profiles to use within Tomoyo, but for now we only need to use profile number 1.
You will notice the empty kernel entry from when we set up is now populated and should have entries in profile 1, learning mode. Give yourself a pat on the back and go back to using the computer normally. For now you should just go about business as usual and allow Tomoyo to learn the apps you use in your daily routines.
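Before leaving learning mode it helps to know which domains are still on profile 1 and which already use another profile. The script below is an added example, not part of the KaOS wiki or tomoyo-tools; it assumes the domain_policy.conf layout used by TOMOYO 2.x (a domain line beginning with <kernel>, followed by use_profile and use_group lines) and runs against a constructed sample file rather than /etc/tomoyo/.

```sh
#!/bin/sh
# Added example: audit which TOMOYO domains use a given profile number by
# parsing a domain_policy.conf in tomoyo-tools' format. Assumed format:
#   <kernel> [/path/to/exe ...]   <- domain line
#   use_profile N
#   use_group N
# with domains separated by blank lines.

# domains_with_profile FILE PROFILE -> prints one matching domain per line
domains_with_profile() {
    awk -v want="$2" '
        /^<kernel>/     { domain = $0; next }      # remember current domain
        /^use_profile / { if ($2 == want) print domain }
    ' "$1"
}

# count_profiles FILE -> prints "profile count" pairs, lowest profile first
count_profiles() {
    awk '/^use_profile / { n[$2]++ } END { for (p in n) print p, n[p] }' "$1" \
        | sort -n
}

# Constructed sample policy (not taken from any real system).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
<kernel>
use_profile 1
use_group 0

<kernel> /usr/lib/systemd/systemd
use_profile 3
use_group 0

<kernel> /usr/lib/systemd/systemd /usr/bin/sshd
use_profile 1
use_group 0
EOF

echo "Domains still in learning mode (profile 1):"
domains_with_profile "$SAMPLE" 1
echo "Domains per profile:"
count_profiles "$SAMPLE"
```

Point the functions at /etc/tomoyo/domain_policy.conf on a real system (after saving the policy from the editor) to see which domains have not yet been moved out of learning mode.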
Disable Tomoyo Hardening
If you run into trouble with Tomoyo or just don’t want it running anymore, you can easily disable it by changing the kernel command line from security=tomoyo to security=none. If your system is no longer booting due to problems with Tomoyo, you can still fix this using the recovery boot option, which should not have Tomoyo enabled.
More Comprehensive Settings
This guide is here to explain how to get started with Tomoyo; once the system has gone through the learning phase, it is time to use the very complete official documentation: