Using tomoyo-tools for system security
- Introduction
- Setup
- Initializing Configuration
- Configure Bootloader
- Setting to Learning Mode
- Disable Tomoyo Hardening
- More Comprehensive Settings
Introduction
Tomoyo Linux is a Mandatory Access Control (MAC) implementation for Linux, used for system analysis as well as system restriction for increased security. It is not designed to offer protection “out of the box”, but instead requires time and an understanding of the concepts and tools involved.
Focusing on the behavior of the system, where every process has its defined purpose, Tomoyo allows each process to declare the characteristic behavior and the resources it needs to achieve said purpose. With the protection enabled, Tomoyo then restricts each process to that set of behaviors and resources allowed by the administrator.
The main features of TOMOYO Linux include:
- System analysis
- Increased security through Mandatory Access Control
- Tools to aid in policy generation
- Simple syntax
- Easy to use
- Very few dependencies
- Requires no modification of existing binaries
/etc/tomoyo/ is the storage location of all policy information.
Setup
Because of the way it works, Tomoyo needs to spend some time on the system in a ‘learning’ setup. The more time you allow Tomoyo to learn how and what programs you use, the less likely it is to log things that are just normal for the given app and scenario. Tomoyo is primarily CLI-based but has a well-structured and easy-to-understand layout. It’s not that hard to set up, since the KaOS kernel has Tomoyo support available by default. Tomoyo is part of a default KaOS install, but in case it was removed, install it with:
sudo pacman -Syu
sudo pacman -S tomoyo-tools
Initializing Configuration
Before you can make use of TOMOYO Linux, an initialization procedure must take place. This prepares the files in which policy information will be stored.
# /usr/lib/tomoyo/init_policy
Configure Bootloader
To enable Tomoyo, you need to add security=tomoyo to the kernel command line in either grub or systemd-boot.
For grub:
kate /etc/default/grub
[...]
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash security=tomoyo"
[...]
As always, after editing Grub’s configuration you need to run:
sudo grub-mkconfig -o /boot/grub/grub.cfg
For systemd-boot:
kate /boot/loader/entries/KaOS.conf
options root=UUID=XXXXXXX-XXXX-XXXX-XXXX-XXXXXX quiet resume=UUID=XXXX-XXXX-XXXX-XXXX-XXXXXX rw security=tomoyo
and reboot.
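To confirm after the reboot that the setting took effect, the following added example (not part of the original guide or of tomoyo-tools) classifies the boot state from the kernel command line and the list of active security modules. The function names and sample strings are constructed for illustration, and the live check assumes /proc/cmdline and /sys/kernel/security/lsm are readable.

```shell
#!/bin/sh
# Added example, not from the guide: check that security=tomoyo took effect.
# Function names and the sample strings below are constructed for illustration.

# Print the value of the last NAME= parameter found in a kernel command line.
cmdline_param() (
    set -f                      # no glob expansion while word-splitting
    val=""
    for tok in $1; do
        case "$tok" in
            "$2"=*) val=${tok#"$2"=} ;;
        esac
    done
    printf '%s\n' "$val"
)

# Succeed if a comma-separated LSM list (the format of
# /sys/kernel/security/lsm) contains tomoyo.
lsm_list_has_tomoyo() {
    case ",$1," in
        *,tomoyo,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify the boot state from a command line ($1) and an active-LSM list ($2).
tomoyo_boot_state() {
    if lsm_list_has_tomoyo "$2"; then
        echo active
    elif [ "$(cmdline_param "$1" security)" != tomoyo ]; then
        echo not-requested
    elif [ -n "$(cmdline_param "$1" lsm)" ]; then
        echo superseded-by-lsm  # the kernel ignores security= when lsm= is set
    else
        echo requested-but-inactive  # e.g. kernel built without TOMOYO
    fi
}

# Constructed sample: the systemd-boot options line from the guide, UUIDs elided.
sample='root=UUID=X quiet resume=UUID=X rw security=tomoyo'
echo "sample, tomoyo loaded:     $(tomoyo_boot_state "$sample" 'capability,tomoyo')"
echo "sample, tomoyo not loaded: $(tomoyo_boot_state "$sample" 'capability')"

# Live check, only where the kernel exposes both files.
if [ -r /proc/cmdline ] && [ -r /sys/kernel/security/lsm ]; then
    echo "this system: $(tomoyo_boot_state "$(cat /proc/cmdline)" \
        "$(cat /sys/kernel/security/lsm)")"
fi
```

A result of requested-but-inactive or superseded-by-lsm means the boot entry was edited correctly but Tomoyo is still not enforcing anything, so the learning step that follows would record nothing.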
Setting to Learning Mode
The “Learning Mode” profile is the feature of TOMOYO Linux that makes developing policy very easy. This mode will automatically generate a policy for any domain that has this profile selected. In order to set the policy to “learning mode”, you have to open the Domain Transition Editor:
# tomoyo-editpolicy
Now, the only thing that should be listed is the
To set the
You will notice the empty kernel entry from when we set up is now populated and should have the entries in profile ‘1’ learning mode. Give yourself a pat on the back and go back to using the computer normally. For now you should just go about business as usual and allow Tomoyo to learn the apps you use in your daily routines.
Disable Tomoyo Hardening
If you run into trouble with Tomoyo or just don’t want it running anymore, you can easily disable it by changing the boot line from “security=tomoyo” to “security=none”. If your system is no longer booting due to problems with Tomoyo, you can still fix this using the recovery boot option, which should not have Tomoyo enabled.
More Comprehensive Settings
This guide explains how to get started with Tomoyo. Once the system has gone through the “learning”, it is time to use the very complete official documentation: