[linux-2.6-block.git] / Documentation / admin-guide / LSM / tomoyo.rst

======
TOMOYO
======

What is TOMOYO?
===============

TOMOYO is a name-based MAC extension (LSM module) for the Linux kernel.

LiveCD-based tutorials are available at

http://tomoyo.sourceforge.jp/1.8/ubuntu12.04-live.html
http://tomoyo.sourceforge.jp/1.8/centos6-live.html

Though these tutorials use non-LSM version of TOMOYO, they are useful for you
to know what TOMOYO is.

How to enable TOMOYO?
=====================

Build the kernel with ``CONFIG_SECURITY_TOMOYO=y`` and pass ``security=tomoyo`` on
kernel's command line.

Please see http://tomoyo.osdn.jp/2.5/ for details.

Where is documentation?
=======================

User <-> Kernel interface documentation is available at
http://tomoyo.osdn.jp/2.5/policy-specification/index.html .

Materials we prepared for seminars and symposiums are available at
http://osdn.jp/projects/tomoyo/docs/?category_id=532&language_id=1 .
Below lists are chosen from three aspects.

What is TOMOYO?
  TOMOYO Linux Overview
    http://osdn.jp/projects/tomoyo/docs/lca2009-takeda.pdf
  TOMOYO Linux: pragmatic and manageable security for Linux
    http://osdn.jp/projects/tomoyo/docs/freedomhectaipei-tomoyo.pdf
  TOMOYO Linux: A Practical Method to Understand and Protect Your Own Linux Box
    http://osdn.jp/projects/tomoyo/docs/PacSec2007-en-no-demo.pdf

What can TOMOYO do?
  Deep inside TOMOYO Linux
    http://osdn.jp/projects/tomoyo/docs/lca2009-kumaneko.pdf
  The role of "pathname based access control" in security.
    http://osdn.jp/projects/tomoyo/docs/lfj2008-bof.pdf

History of TOMOYO?
  Realities of Mainlining
    http://osdn.jp/projects/tomoyo/docs/lfj2008.pdf

What is future plan?
====================

We believe that inode based security and name based security are complementary
and both should be used together. But unfortunately, so far, we cannot enable
multiple LSM modules at the same time. We feel sorry that you have to give up
SELinux/SMACK/AppArmor etc. when you want to use TOMOYO.

We hope that LSM becomes stackable in future. Meanwhile, you can use non-LSM
version of TOMOYO, available at http://tomoyo.osdn.jp/1.8/ .
LSM version of TOMOYO is a subset of non-LSM version of TOMOYO. We are planning
to port non-LSM version's functionalities to LSM versions.
Commit	Line	Data
5ea672c7 KC	1	======
	2	TOMOYO
	3	======
	4
	5	What is TOMOYO?
	6	===============
17a7b7b3 TH	7
	8	TOMOYO is a name-based MAC extension (LSM module) for the Linux kernel.
	9
	10	LiveCD-based tutorials are available at
5ea672c7	11
31368ce8 TH	12	http://tomoyo.sourceforge.jp/1.8/ubuntu12.04-live.html
31368ce8 TH	13	http://tomoyo.sourceforge.jp/1.8/centos6-live.html
5ea672c7	14
17a7b7b3 TH	15	Though these tutorials use non-LSM version of TOMOYO, they are useful for you
	16	to know what TOMOYO is.
	17
5ea672c7 KC	18	How to enable TOMOYO?
5ea672c7 KC	19	=====================
17a7b7b3	20
5ea672c7	21	Build the kernel with ``CONFIG_SECURITY_TOMOYO=y`` and pass ``security=tomoyo`` on
17a7b7b3 TH	22	kernel's command line.
17a7b7b3 TH	23
31368ce8	24	Please see http://tomoyo.osdn.jp/2.5/ for details.
17a7b7b3	25
5ea672c7 KC	26	Where is documentation?
5ea672c7 KC	27	=======================
17a7b7b3 TH	28
17a7b7b3 TH	29	User <-> Kernel interface documentation is available at
31368ce8	30	http://tomoyo.osdn.jp/2.5/policy-specification/index.html .
17a7b7b3 TH	31
17a7b7b3 TH	32	Materials we prepared for seminars and symposiums are available at
31368ce8	33	http://osdn.jp/projects/tomoyo/docs/?category_id=532&language_id=1 .
17a7b7b3 TH	34	Below lists are chosen from three aspects.
	35
	36	What is TOMOYO?
	37	TOMOYO Linux Overview
31368ce8	38	http://osdn.jp/projects/tomoyo/docs/lca2009-takeda.pdf
17a7b7b3	39	TOMOYO Linux: pragmatic and manageable security for Linux
31368ce8	40	http://osdn.jp/projects/tomoyo/docs/freedomhectaipei-tomoyo.pdf
17a7b7b3	41	TOMOYO Linux: A Practical Method to Understand and Protect Your Own Linux Box
31368ce8	42	http://osdn.jp/projects/tomoyo/docs/PacSec2007-en-no-demo.pdf
17a7b7b3 TH	43
	44	What can TOMOYO do?
	45	Deep inside TOMOYO Linux
31368ce8	46	http://osdn.jp/projects/tomoyo/docs/lca2009-kumaneko.pdf
17a7b7b3	47	The role of "pathname based access control" in security.
31368ce8	48	http://osdn.jp/projects/tomoyo/docs/lfj2008-bof.pdf
17a7b7b3 TH	49
	50	History of TOMOYO?
	51	Realities of Mainlining
31368ce8	52	http://osdn.jp/projects/tomoyo/docs/lfj2008.pdf
17a7b7b3	53
5ea672c7 KC	54	What is future plan?
5ea672c7 KC	55	====================
17a7b7b3 TH	56
	57	We believe that inode based security and name based security are complementary
	58	and both should be used together. But unfortunately, so far, we cannot enable
	59	multiple LSM modules at the same time. We feel sorry that you have to give up
	60	SELinux/SMACK/AppArmor etc. when you want to use TOMOYO.
	61
	62	We hope that LSM becomes stackable in future. Meanwhile, you can use non-LSM
31368ce8	63	version of TOMOYO, available at http://tomoyo.osdn.jp/1.8/ .
17a7b7b3 TH	64	LSM version of TOMOYO is a subset of non-LSM version of TOMOYO. We are planning
17a7b7b3 TH	65	to port non-LSM version's functionalities to LSM versions.