Info: Version 1.3 is available.
Last modified: $Date: 2013-03-04 22:48:51 +0900 (Mon, 04 Mar 2013) $
TOMOYO Linux provides a few binary kernel packages, but if your CPU architecture differs or you want to customize the kernel configuration, you need to compile the kernel yourself. The following packages are needed to compile the kernel.
TOMOYO Linux lets you enable its functions selectively. Choose "File systems" in menuconfig and scroll to the bottom; you will see the following options.
Refer to the descriptions below and choose the options you want to support.
Controlling read/write/execute for files. This function restricts the files and directories that programs can access. The granularity is defined as follows.
To enable this function, choose the following options.
This function is essential for restricting domain transitions in TOMOYO Linux. If you do not enable it, "TOMOYO (Domain-Based Mandatory Access Control) support" cannot work properly, because domain transitions cannot be restricted without it.
Controlling use of capabilities. This function restricts the capabilities allowed for programs. The capabilities used by standard Linux are called "POSIX capabilities". Because the number of POSIX capabilities is limited to 32 (in kernels of this era; 2.6.25 and later widened the set to 64 bits), some of them, CAP_SYS_ADMIN in particular, are used for many unrelated purposes, which makes fine-grained capability checking impossible. TOMOYO Linux therefore does not control POSIX capabilities; the capabilities it controls are defined by its own standard. The granularity is defined as follows.
To enable this function, choose the following options.
Controlling use of TCP/IP networking. This function restricts the IP addresses and port numbers that programs can use. You can use it, for example, to allow UDP communication only with the DNS server's IP address on port 53, or to restrict the range of client addresses an SSH server accepts. To enable this function, choose the following options.
Controlling use of network port numbers for TCP/IP networking. This function restricts the port numbers that programs can use, without regard to IP addresses. You can use it, for example, to allow a WWW server program to listen only on TCP ports 80 and 443, or to allow a WWW client program to connect only to TCP ports 80 and 443. To enable this function, choose the following options. Everything this function does is also covered by "Network Address Port Control support", so you do not need it if you enable "Network Address Port Control support".
Controlling use of signal numbers and destination domains. This function restricts the combinations of signal number and destination domain that programs can use. You can use it to prevent an attacker who has hijacked a process from sending arbitrary signals to arbitrary processes and terminating services at will. To enable this function, choose the following options.
Limiting the names passed on program execution. When a program is executed, its name and parameters are passed as an array of strings called argv[], and the first element, argv[0], conventionally contains the name of the program. Nothing forces argv[0] to match the file that was actually executed, so a caller can invoke a program under a different name. This function limits which names may be passed on program execution. To enable this function, choose the following options.
Controlling the combination of device files, mount points and filesystems, and forcing specific mount options. In Linux, a process with administrator privileges can mount any filesystem on any directory. If such a process is hijacked, tmpfs can be mounted on /bin/ to replace the normal programs with malicious ones, or on /var/www/ to shadow the WWW contents. TOMOYO Linux's capability control can restrict which domains may perform mount operations, but a domain that has been granted the capability can then mount anything anywhere, which is not desirable. This function restricts the allowed combinations of device file, mount point and filesystem. It also lets you force specific mount options: if you make the nodev option mandatory for the /tmp/ partition so that device files there cannot be used, the kernel mounts it with nodev even when the user requested dev. To enable this function, choose the following options.
Forbidding the unmounting of specific directories. In Linux, a process with administrator privileges can unmount any mount point. If such a process is hijacked, the proc filesystem mounted on /proc/ can be unmounted to make applications malfunction. TOMOYO Linux's capability control can restrict which domains may perform unmount operations, but a domain that has been granted the capability can then unmount anything, which is not desirable. This function lets you protect specific mount points from being unmounted. To enable this function, choose the following options.
Rejecting mount requests that would shadow existing mount points. In Linux, a process with administrator privileges can mount on a directory that is already a mount point. If such a process is hijacked, tmpfs can be mounted over the already-mounted /var/ partition to make applications malfunction. TOMOYO Linux's capability control can restrict which domains may perform mount operations, but a domain that has been granted the capability can then mount anything anywhere, which is not desirable. This function rejects mount requests that would shadow an existing mount point. To enable this function, choose the following options.
Restricting the directories that may be used as a chroot target. In Linux, a process with administrator privileges can chroot to any directory. If such a process is hijacked, the attacker can chroot to an inappropriate directory to make applications malfunction. TOMOYO Linux's capability control can restrict which domains may perform chroot operations, but a domain that has been granted the capability can then chroot anywhere, which is not desirable. This function restricts the directories that are allowed as chroot targets. To enable this function, choose the following options.
Forbidding use of pivot_root. Whereas chroot changes a process's view of the "/" directory, pivot_root exchanges the root filesystem itself. In most systems pivot_root is used exactly once, during boot, and is never needed afterwards. This function lets you disable pivot_root after boot. To enable this function, choose the following options.
Restricting the local port range used for automatic port assignment in TCP/IP networking. In Linux, when a process calls bind() with port number 0, or calls connect() without calling bind(), an unused local port within the range defined in /proc/sys/net/ipv4/ip_local_port_range is assigned. Only the minimum and maximum of that range can be set; there is no way to exclude specific values. For example, if you want to reserve local port 8080 for a proxy server but ip_local_port_range is "1024 65535", port 8080 may be handed to some other program by automatic assignment. The proxy then cannot start because the port is already in use, and clients that connect to port 8080 reach a program other than the proxy. This function lets you exclude specific local ports from automatic assignment, which is equivalent to being able to define multiple ranges in /proc/sys/net/ipv4/ip_local_port_range. (Mainline kernels from 2.6.35 onward provide the net.ipv4.ip_local_reserved_ports sysctl for the same purpose.) To enable this function, choose the following options.
A device filesystem that guarantees device attributes. There are many device files in the /dev/ directory, and it is essential for system security that each of them is always associated with the correct device. For example, if /dev/null existed as block device 8:0 (/dev/sda) instead of character device 1:3, everything written to /dev/null would overwrite the SCSI disk and destroy its contents at a blow; if /dev/null existed as a regular file, data written to it would be retained and could leak. By mounting the SYAORAN filesystem, which enforces the combination of filename and attributes, on /dev/, you can guarantee that, for example, /dev/null always exists as character device 1:3. To enable this function, choose the following options.
If you use udev, it automatically mounts tmpfs on /dev/, which shadows the SYAORAN filesystem mounted there earlier. To prevent that mount, also choose the following options if you use udev.
The 2.6 kernels have a configuration option named CONFIG_DEBUG_INFO. When it is enabled, the compiled objects become roughly 10 times larger: enabling it costs about 1 GB of extra disk space under /usr/src/ and about 300 MB under /lib/modules/.
To save disk space, disable the following option:
Kernel hacking ---> [ ] Compile the kernel with debug info
Choose the kernel version you want to use from the procedures below. Note that each procedure fetches the ccs-patch archive over plain HTTP; compare the downloaded file against a checksum obtained from a trusted source before applying it.
# Red Hat Linux 9 (Fedora Legacy kernel 2.4.20-46.9.legacy)
# Download and install kernel source.
wget http://ftp.riken.go.jp/Linux/fedoralegacy/redhat/9/updates/i386/kernel-source-2.4.20-46.9.legacy.i386.rpm
rpm -ivh kernel-source-2.4.20-46.9.legacy.i386.rpm
# Move to the source directory.
cd /usr/src/linux-2.4.20-46.9.legacy/
# Download and apply TOMOYO Linux patch.
wget -O ccs-patch-1.2-20070519.tar.gz 'http://sourceforge.jp/frs/redir.php?m=jaist&f=/tomoyo/21578/ccs-patch-1.2-20070519.tar.gz'
tar -zxf ccs-patch-1.2-20070519.tar.gz
patch -sp1 < ccs-patch-2.4.20-46.9.legacy.txt
# Remove all temporary files but the configuration file.
mv .config config
make -s distclean
mv config .config
# Enable options for TOMOYO Linux.
make -s menuconfig
# Compile as usual.
make -s dep modules modules_install install
# Fedora Core 3 (Fedora Legacy kernel 2.6.12-2.3.legacy_FC3)
# Download and install kernel source.
wget http://ftp.riken.go.jp/Linux/fedoralegacy/fedora/3/updates/SRPMS/kernel-2.6.12-2.3.legacy_FC3.src.rpm
rpm -ivh kernel-2.6.12-2.3.legacy_FC3.src.rpm
# Prepare for compilation.
rpmbuild -bp --target i586 /usr/src/redhat/SPECS/kernel-2.6.spec
mv /usr/src/redhat/BUILD/kernel-2.6.12/linux-2.6.12/ /usr/src/linux-2.6.12-2.3.legacy_FC3
# Move to the source directory.
cd /usr/src/linux-2.6.12-2.3.legacy_FC3/
# Modify version number.
sed -i 's/EXTRAVERSION = -prep/EXTRAVERSION = -2.3.legacy_FC3/' Makefile
# Download and apply TOMOYO Linux patch.
wget -O ccs-patch-1.2-20070519.tar.gz 'http://sourceforge.jp/frs/redir.php?m=jaist&f=/tomoyo/21578/ccs-patch-1.2-20070519.tar.gz'
tar -zxf ccs-patch-1.2-20070519.tar.gz
patch -sp1 < ccs-patch-2.6.12-2.3.legacy_FC3.txt
# Enable options for TOMOYO Linux.
make -s menuconfig
# Compile as usual.
make -s modules modules_install install
# Fedora Core 4 (kernel 2.6.17-1.2142_FC4)
# Download and install kernel source.
wget http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/SRPMS/kernel-2.6.17-1.2142_FC4.src.rpm
rpm -ivh kernel-2.6.17-1.2142_FC4.src.rpm
# Prepare for compilation.
rpmbuild -bp --target i586 /usr/src/redhat/SPECS/kernel-2.6.spec
mv /usr/src/redhat/BUILD/kernel-2.6.17/linux-2.6.17/ /usr/src/linux-2.6.17-1.2142_FC4
# Move to the source directory.
cd /usr/src/linux-2.6.17-1.2142_FC4/
# Modify version number.
sed -i 's/EXTRAVERSION = -prep/EXTRAVERSION = -1.2142_FC4/' Makefile
# Download and apply TOMOYO Linux patch.
wget -O ccs-patch-1.2-20070519.tar.gz 'http://sourceforge.jp/frs/redir.php?m=jaist&f=/tomoyo/21578/ccs-patch-1.2-20070519.tar.gz'
tar -zxf ccs-patch-1.2-20070519.tar.gz
patch -sp1 < ccs-patch-2.6.17-1.2142_FC4.txt
# Enable options for TOMOYO Linux.
make -s menuconfig
# Compile as usual.
make -s
make -s modules modules_install install
# Fedora Core 5 (kernel 2.6.18-1.2200.fc5)
# Download and install kernel source.
wget http://download.fedora.redhat.com/pub/fedora/linux/core/updates/5/SRPMS/kernel-2.6.18-1.2200.fc5.src.rpm
rpm -ivh kernel-2.6.18-1.2200.fc5.src.rpm
# Prepare for compilation.
rpmbuild -bp --target i586 /usr/src/redhat/SPECS/kernel-2.6.spec
mv /usr/src/redhat/BUILD/kernel-2.6.18/linux-2.6.18.i586/ /usr/src/linux-2.6.18-1.2200.fc5
# Move to the source directory.
cd /usr/src/linux-2.6.18-1.2200.fc5/
# Modify version number. EXTRAVERSION must match the package release
# (1.2200.fc5 here) so that the kernel and its /lib/modules/ directory agree.
sed -i 's/EXTRAVERSION = -prep/EXTRAVERSION = -1.2200.fc5/' Makefile
# Download and apply TOMOYO Linux patch.
wget -O ccs-patch-1.2-20070519.tar.gz 'http://sourceforge.jp/frs/redir.php?m=jaist&f=/tomoyo/21578/ccs-patch-1.2-20070519.tar.gz'
tar -zxf ccs-patch-1.2-20070519.tar.gz
patch -sp1 < ccs-patch-2.6.18-1.2200.fc5.txt
# Enable options for TOMOYO Linux.
make -s menuconfig
# Compile as usual.
make -s
make -s modules modules_install install
# Fedora Core 6 (kernel 2.6.18-1.2798.fc6)
# Download and install kernel source.
wget http://download.fedora.redhat.com/pub/fedora/linux/core/6/source/SRPMS/kernel-2.6.18-1.2798.fc6.src.rpm
rpm -ivh kernel-2.6.18-1.2798.fc6.src.rpm
# Prepare for compilation.
rpmbuild -bp --target i586 /usr/src/redhat/SPECS/kernel-2.6.spec
mv /usr/src/redhat/BUILD/kernel-2.6.18/linux-2.6.18.i586/ /usr/src/linux-2.6.18-1.2798.fc6
# Move to the source directory.
cd /usr/src/linux-2.6.18-1.2798.fc6/
# Modify version number.
sed -i 's/EXTRAVERSION = -prep/EXTRAVERSION = -1.2798.fc6/' Makefile
# Download and apply TOMOYO Linux patch.
wget -O ccs-patch-1.2-20070519.tar.gz 'http://sourceforge.jp/frs/redir.php?m=jaist&f=/tomoyo/21578/ccs-patch-1.2-20070519.tar.gz'
tar -zxf ccs-patch-1.2-20070519.tar.gz
patch -sp1 < ccs-patch-2.6.18-1.2798.fc6.txt
# Enable options for TOMOYO Linux.
make -s menuconfig
# Compile as usual.
make -s
make -s modules modules_install install
# CentOS 4.4 (kernel 2.6.9-42.0.3.EL)
# Download and install kernel source.
wget http://mirrors.kernel.org/centos/4.4/updates/SRPMS/kernel-2.6.9-42.0.3.EL.src.rpm
rpm -ivh kernel-2.6.9-42.0.3.EL.src.rpm
# Prepare for compilation.
rpmbuild -bp --target i586 /usr/src/redhat/SPECS/kernel-2.6.spec
mv /usr/src/redhat/BUILD/kernel-2.6.9/linux-2.6.9/ /usr/src/linux-2.6.9-42.0.3.EL
# Move to the source directory.
cd /usr/src/linux-2.6.9-42.0.3.EL/
# Modify version number.
sed -i 's/EXTRAVERSION = -prep/EXTRAVERSION = -42.0.3.EL/' Makefile
# Download and apply TOMOYO Linux patch.
wget -O ccs-patch-1.2-20070519.tar.gz 'http://sourceforge.jp/frs/redir.php?m=jaist&f=/tomoyo/21578/ccs-patch-1.2-20070519.tar.gz'
tar -zxf ccs-patch-1.2-20070519.tar.gz
patch -sp1 < ccs-patch-2.6.9-42.0.3.EL.txt
# Enable options for TOMOYO Linux.
make -s menuconfig
# Compile as usual.
make -s
make -s modules modules_install install
# Debian sarge (kernel-source-2.4.27, 2.4.27-10sarge4)
# Download and install kernel source.
apt-get install kernel-source-2.4.27
tar -jxf /usr/src/kernel-source-2.4.27.tar.bz2
# Move to the source directory.
cd kernel-source-2.4.27/
# Download and apply TOMOYO Linux patch.
wget -O ccs-patch-1.2-20070519.tar.gz 'http://sourceforge.jp/frs/redir.php?m=jaist&f=/tomoyo/21578/ccs-patch-1.2-20070519.tar.gz'
tar -zxf ccs-patch-1.2-20070519.tar.gz
patch -sp1 < ccs-patch-2.4.27-10sarge4.txt
# Enable options for TOMOYO Linux.
make -s menuconfig
# Compile as usual.
make -s dep install modules modules_install
# Create initrd.
mkinitrd -o /boot/initrd.img-2.4.27-10sarge4-ccs 2.4.27-10sarge4-ccs
# Debian sarge (kernel-source-2.6.8, 2.6.8-16sarge5)
# Download and install kernel source.
apt-get install kernel-source-2.6.8
tar -jxf /usr/src/kernel-source-2.6.8.tar.bz2
# Move to the source directory.
cd kernel-source-2.6.8/
# Download and apply TOMOYO Linux patch.
wget -O ccs-patch-1.2-20070519.tar.gz 'http://sourceforge.jp/frs/redir.php?m=jaist&f=/tomoyo/21578/ccs-patch-1.2-20070519.tar.gz'
tar -zxf ccs-patch-1.2-20070519.tar.gz
patch -sp1 < ccs-patch-2.6.8-16sarge5.txt
# Enable options for TOMOYO Linux.
make -s menuconfig
# Compile as usual.
make -s
make -s install modules modules_install
# Create initrd.
mkinitrd -o /boot/initrd.img-2.6.8-16sarge5-ccs 2.6.8-16sarge5-ccs
# SUSE Linux 10.1 (kernel-source-2.6.16.21-0.25)
# Download and install kernel source.
curl -o kernel-source-2.6.16.21-0.25.i586.rpm http://ftp.novell.co.jp/pub/suse/suse/update/10.1/rpm/i586/kernel-source-2.6.16.21-0.25.i586.rpm
rpm -ivh kernel-source-2.6.16.21-0.25.i586.rpm
# Move to the source directory.
cd /usr/src/linux-2.6.16.21-0.25/
# Download and apply TOMOYO Linux patch.
wget -O ccs-patch-1.2-20070519.tar.gz 'http://sourceforge.jp/frs/redir.php?m=jaist&f=/tomoyo/21578/ccs-patch-1.2-20070519.tar.gz'
tar -zxf ccs-patch-1.2-20070519.tar.gz
patch -sp1 < ccs-patch-2.6.16.21-0.25_SUSE.txt
# Move to the output directory.
cd /usr/src/linux-2.6.16.21-0.25-obj/i386/default/
# Enable options for TOMOYO Linux.
make -s menuconfig
# Compile as usual.
make -s
make -s modules modules_install install
# Debian etch (linux-source-2.6.17, 2.6.17-9etch)
# Download and install kernel source.
apt-get install linux-source-2.6.17
tar -jxf /usr/src/linux-source-2.6.17.tar.bz2
# Move to the source directory.
cd linux-source-2.6.17/
# Download and apply TOMOYO Linux patch.
wget -O ccs-patch-1.2-20070519.tar.gz 'http://sourceforge.jp/frs/redir.php?m=jaist&f=/tomoyo/21578/ccs-patch-1.2-20070519.tar.gz'
tar -zxf ccs-patch-1.2-20070519.tar.gz
patch -sp1 < ccs-patch-2.6.17-9etch.txt
# Enable options for TOMOYO Linux.
make -s menuconfig
# Compile as usual.
make -s
make -s install modules modules_install
# Create initrd.
mkinitrd -o /boot/initrd.img-2.6.17-ccs 2.6.17-ccs
Vanilla 2.6 kernels from 2.6.11 onward are supported. The following example uses version 2.6.18.
# Vanilla kernel 2.6.18
# Create the directory where the kernel modules are installed (installkernel
# expects it to exist).
mkdir -p /lib/modules/2.6.18-ccs
# Move to the source directory.
cd /usr/src/
# Download kernel source.
wget https://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.18.tar.bz2
# Extract.
tar -jxf linux-2.6.18.tar.bz2
# Move to the extracted directory.
cd linux-2.6.18
# Remove world-writable permissions from the source code.
find -print0 | xargs -0 chmod go-w --
# Download TOMOYO Linux's kernel patch.
wget -O ccs-patch-1.2-20070519.tar.gz 'http://sourceforge.jp/frs/redir.php?m=jaist&f=/tomoyo/21578/ccs-patch-1.2-20070519.tar.gz'
# Extract.
tar -zxf ccs-patch-1.2-20070519.tar.gz
# Apply the kernel patch.
patch -sp1 < ccs-patch-2.6.18.txt
# Enable options for TOMOYO Linux.
make -s menuconfig
# Compile as usual. Install the modules before running "install" so that the
# initrd built by installkernel already contains them.
make -s
make -s modules modules_install install
Vanilla 2.4 kernels from 2.4.30 onward are supported. The following example uses version 2.4.33.
# Vanilla kernel 2.4.33
# Create the directory where the kernel modules are installed.
mkdir -p /lib/modules/2.4.33-ccs
# Move to the source directory.
cd /usr/src/
# Download kernel source.
wget https://www.kernel.org/pub/linux/kernel/v2.4/linux-2.4.33.tar.bz2
# Extract.
tar -jxf linux-2.4.33.tar.bz2
# Move to the extracted directory.
cd linux-2.4.33
# Remove world-writable permissions from the source code.
find -print0 | xargs -0 chmod go-w --
# Download TOMOYO Linux's kernel patch.
wget -O ccs-patch-1.2-20070519.tar.gz 'http://sourceforge.jp/frs/redir.php?m=jaist&f=/tomoyo/21578/ccs-patch-1.2-20070519.tar.gz'
# Extract.
tar -zxf ccs-patch-1.2-20070519.tar.gz
# Apply the kernel patch.
patch -sp1 < ccs-patch-2.4.33.txt
# Enable options for TOMOYO Linux.
make -s menuconfig
# Compile as usual.
make -s dep
make -s
make -s modules modules_install install
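Every procedure above fetches the ccs-patch archive over plain HTTP and feeds it straight into "patch -sp1", so a corrupted or tampered download, or a patch file meant for a different kernel, is only noticed once the tree has already been partly modified. The shell function below is an added example, not code from the TOMOYO Linux project or from the original page: it checks the archive against a SHA-256 value obtained out of band (an assumed input; the page itself publishes no checksum), extracts it into a scratch directory, and runs patch in --dry-run mode before it touches the kernel tree. The function name and its argument order are this example's own.

```shell
#!/bin/sh
# Added example (not part of TOMOYO Linux): verify a downloaded patch
# archive before letting it touch a kernel source tree.
#
# Usage: verify_and_apply ARCHIVE EXPECTED_SHA256 PATCHFILE KERNEL_TREE
#   ARCHIVE          the downloaded ccs-patch-*.tar.gz
#   EXPECTED_SHA256  hex digest obtained from a trusted source (assumed input)
#   PATCHFILE        name of the patch inside the archive, e.g. ccs-patch-2.6.18.txt
#   KERNEL_TREE      directory containing the unpacked kernel source
# Returns 0 when the patch was applied, non-zero (with the tree untouched)
# on a hash mismatch, a missing patch file, or a dry run that would reject
# any hunk.
verify_and_apply() {
    archive=$1
    expected=$2
    patchfile=$3
    tree=$4

    # 1. Integrity: refuse an archive whose digest does not match.
    actual=$(sha256sum "$archive" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "hash mismatch for $archive: got $actual, want $expected" >&2
        return 1
    fi

    # 2. Unpack into a scratch directory, never into the kernel tree.
    scratch=$(mktemp -d) || return 1
    if ! tar -zxf "$archive" -C "$scratch"; then
        rm -rf "$scratch"
        return 1
    fi
    if [ ! -f "$scratch/$patchfile" ]; then
        echo "$patchfile not found in $archive" >&2
        rm -rf "$scratch"
        return 1
    fi

    # 3. Dry run with -N: a patch that is reversed, already applied, or
    #    meant for another kernel version makes us stop before any write.
    if ! patch -d "$tree" -p1 -N -s --dry-run < "$scratch/$patchfile"; then
        echo "$patchfile does not apply cleanly to $tree" >&2
        rm -rf "$scratch"
        return 1
    fi

    # 4. Only now modify the tree.
    patch -d "$tree" -p1 -N -s < "$scratch/$patchfile"
    rc=$?
    rm -rf "$scratch"
    return $rc
}
```

Use it in place of the "tar -zxf" and "patch -sp1" lines of a procedure, for example "verify_and_apply ccs-patch-1.2-20070519.tar.gz <sha256> ccs-patch-2.6.18.txt /usr/src/linux-2.6.18", and stop the build if it returns non-zero. The dry run matters more than it looks: patch applies hunks one file at a time, so without it a version mismatch leaves a half-patched tree that still compiles but silently lacks part of the MAC code.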