Info: Version 1.7.x is available.

Access Analysis using TOMOYO Linux

Last modified: 2012-03-02 10:34:04 +0900 (Fri, 02 Mar 2012)

Because TOMOYO Linux policy is expressed in terms of pathnames, TOMOYO Linux can also be used to trace file accesses.
You can use it to find out how programs access files, or which program is creating files in a specific directory.

Preparation

Install the TOMOYO Linux kernel and tools

To compile the kernel, see TOMOYO Linux kernel compilation. To compile the tools, run the following commands.

wget -O ccs-tools-1.6.9-20120301.tar.gz 'http://sourceforge.jp/frs/redir.php?m=jaist&f=/tomoyo/30298/ccs-tools-1.6.9-20120301.tar.gz'
tar -zxf ccs-tools-1.6.9-20120301.tar.gz
make -C ccstools/ install

Create Policy

Create /etc/ccs/profile.conf with the following contents. MAC_FOR_FILE=learning puts file access control into learning mode, so every file access is recorded as a policy entry rather than checked or denied.

MAC_FOR_FILE=learning
MAX_ACCEPT_ENTRY=1048576
MAX_GRANT_LOG=0
MAX_REJECT_LOG=0
TOMOYO_VERBOSE=disabled

Run the following command.

/usr/lib/ccs/init_policy.sh

Analysis

Reboot into the TOMOYO Linux kernel.

Run applications you want to analyze.

You can see the list of programs executed so far by running /usr/sbin/ccs-editpolicy. Choose a program and press "Enter" to see the list of files accessed by that program. See How to use Policy Editor for usage of the policy editor.

You can save the list of all files accessed so far to /etc/ccs/domain_policy.conf by running /usr/sbin/ccs-savepolicy.
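The saved domain_policy.conf can be mined offline. As an added example (not part of the TOMOYO project's tools), the following Python script answers the question "which program is creating files in a given directory" by parsing a saved policy; it assumes the 1.6.x layout of a `<kernel> prog ...` header per domain followed by `allow_<op> <path>` rules, and it runs on a constructed sample policy embedded in the script rather than one captured from a real host.

```python
"""Mine a TOMOYO Linux 1.6 domain_policy.conf: which domains write under a directory."""
import re
# Operations that create, modify, rename or remove something under a directory.
WRITE_OPS = {"write", "read/write", "create", "unlink", "mkdir", "rmdir", "truncate",
             "symlink", "link", "rename", "rewrite", "mkfifo", "mksock", "mkblock", "mkchar"}

def parse_domain_policy(text):
    """Return {domain: [(op, [args...]), ...]}.  Assumes the 1.6.x layout: one
    '<kernel> prog ...' header line per domain followed by 'allow_<op> <path> ...'
    rules; 'use_profile N' and any other keyword lines are skipped."""
    policy, domain = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("<kernel>"):          # domain header = process ancestry
            domain = line
            policy.setdefault(domain, [])
        elif domain is not None:
            m = re.match(r"allow_(\S+)\s+(.*)", line)
            if m:
                policy[domain].append((m.group(1), m.group(2).split()))
    return policy

def writers_under(policy, directory):
    """Domains whose learned rules create/modify/remove names under 'directory'.
    Plain prefix match, so a wildcarded entry like /var/tmp/\\* still matches."""
    prefix = directory.rstrip("/") + "/"
    hits = {}
    for domain, rules in policy.items():
        for op, args in rules:
            for p in args:
                if op in WRITE_OPS and p.startswith(prefix):
                    hits.setdefault(domain, set()).add(f"allow_{op} {p}")
    return {d: sorted(v) for d, v in hits.items()}

# Constructed sample in the layout ccs-savepolicy writes (not captured from a real host).
SAMPLE_POLICY = """\
<kernel> /usr/sbin/cron
use_profile 1
allow_read /etc/crontab
allow_create /var/spool/cron/\\$

<kernel> /usr/sbin/cron /bin/sh /usr/local/bin/backup.sh
use_profile 1
allow_read/write /var/log/backup.log
allow_create /var/tmp/backup.\\*
allow_unlink /var/tmp/backup.\\*
"""
if __name__ == "__main__":
    for domain, rules in writers_under(parse_domain_policy(SAMPLE_POLICY), "/var/tmp").items():
        print(domain, rules)
```

Point the script at a real /etc/ccs/domain_policy.conf by reading the file into parse_domain_policy instead of SAMPLE_POLICY; the domain string it reports is the full execution history of the writing process, which is what distinguishes a script run from cron from the same script run interactively.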
