linux-kernel January 2008 archive
Main Archive Page > Month Archives  > linux-kernel archives
linux-kernel: [TOMOYO #6 retry 00/21] TOMOYO Linux - MAC based o

[TOMOYO #6 retry 00/21] TOMOYO Linux - MAC based on process invocation history.

From: Kentaro Takeda <takedakn_at_nospam>
Date: Wed Jan 09 2008 - 00:53:20 GMT

"TOMOYO Linux" is our work in the field of security enhancement for Linux. This is the 6th submission of TOMOYO Linux. (

Changes since previous (November 17th) submission:

  • Added security goal document. (Documentation/TOMOYO.txt) This document is intended to specify the security goal that TOMOYO Linux is trying to achieve. Thread URL:
  • Added environment variable name control functionality. Users can restrict the environment variable's names passed to execve() for each domain.
  • Refreshed patches for the latest -mm tree. Patches are for 2.6.24-rc6-mm1

The possibility of AB-BA deadlock has been pointed out and argued in .
We believe that LSM functions shouldn't access namespace_sem, so we chose to write a set of wrapper functions to pass "struct vfsmount" to LSM functions using "struct task_struct". This method is suggested at .

We wish Linux to merge either AppArmor's "Pass struct vfsmount to ..." patches or our patches marked as [02/21], [03/21], [04/21] into mainline kernel so that AppArmor and TOMOYO Linux can safely access "struct vfsmount" from LSM.

Patches consist of five types.

  • [TOMOYO 01/21]: Documentation.
  • [TOMOYO 02-05/21]: Essential modifications against -mm kernel.
  • [TOMOYO 06-19/21]: LSM implementation of TOMOYO Linux.
  • [TOMOYO 20/21]: Makefile and Kconfig.
  • [TOMOYO 21/21]: Optional modifications against -mm kernel.

We are trying to make a fair °»secure Linux°… comparison table, it should explain the differences between TOMOYO Linux and AppArmor. (

We would like TOMOYO Linux to be added into -mm tree so that more people can try. Any kind of feedbacks for the patches and the table would be appreciated. -- - To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to More majordomo info at