Page 1 of 1

Linux kernel version 5.13.4 with TOMOYO support

Posted: Thu Nov 18, 2021 6:41 am
by Chrysolite Azalea

Hello everyone! I've compiled a kernel with TOMOYO 1.8 support (TOMOYO is a mandatory access control system) by patching the kernel sources before running menuconfig (Woof-CE Kernel kit asks which configuration software to use, kernel sources can be patched at this time).

vmlinuz file: https://mega.nz/file/GbJzwQzB#tis0p1GO0 ... DUVA4_5884
SHA512: b4db99c3d9be33e9090d4bbf7225634c205da9902db6a0b44dac6f7d04421509a870f888788a1b9b6afbc41ae597a952544724796ee3fc02f85190d7e70bf437

Kernel modules SFS: https://mega.nz/file/CLRVQK5S#7FjkMbcdD ... 6ba3w74yCU
SHA512: 29d1a832bbe2d09e05f80b38ddc7c0c0661008e987a300b1c50bb246b531c971892cc60303abcf952405ea7f9109c03d90c27f4f8658b74c242f2b6dc135353f

Also, I haven't enabled the "do not modify task_struct" option, so patches may break KABI (kernel application binary interface), so modules may have to be recompiled for such a kernel

TOMOYO userspace tools:

ccs-tools.sfs
(192 KiB) Downloaded 33 times

TOMOYO web-site: https://tomoyo.osdn.jp/

I haven't created policies yet, I'm considering creating them soon. I'm also considering compiling 32-bit TOMOYO-supporting kernel and kernels with task_struct unmodified to prevent kABI breakage.

Would be nice to see mandatory access control in Puppy Linux.


Re: Linux kernel version 5.13.4 with TOMOYO support

Posted: Thu Nov 18, 2021 4:42 pm
by mikeslr

For those wondering what TOMOYO is:
"Tomoyo Linux is a MAC implementation for Linux that can be used to increase the security of a system...Tomoyo Linux focuses on system behaviour. Tomoyo Linux allows each process to declare behaviours and resources needed to achieve their purpose. When protection is enabled, Tomoyo Linux restricts each process to the behaviours and resources allowed by the administrator...Tomoyo was merged in Linux Kernel mainline version 2.6.30 (2009, June 10)/[2]. It is currently one of four standard Linux Security Modules (LSM), along with SELinux, AppArmor and SMACK." https://en.wikipedia.org/wiki/Tomoyo_Linux

Seems like a worthwhile addition to Puppys' arsenal. Thanks, Chrysolite Azalea, :thumbup: for working on its development and implementation.


Re: Linux kernel version 5.13.4 with TOMOYO support

Posted: Sat Nov 20, 2021 6:32 pm
by Chrysolite Azalea

Got TOMOYO functioning today. What I'd like to note, to get TOMOYO working, you need to add ccs-tools to one of the SFS files loaded at boot time. I added them to adrv. To do so, you need to unpack one of the SFS files (adrv, fdrv, zdrv, puppy-sfs) with unsquashfs, add ccs-tools, repack the file using mksquashfs, and replace the original file.

To check whether TOMOYO is working, you can run the dmesg command. If it's working, there should be the "Mandatory Access Control is activated" line.