tomoyotitle.png

TOMOYO Linux functionality comparison table

TOMOYO Linux version1.71.82.22.32.42.52.6
Supported kernel version2.4.37
2.6.27-2.6.37
2.4.37
2.6.27-2.6.39
3.0-3.19
4.0-4.20
5.0-
2.6.30-2.6.322.6.332.6.342.6.352.6.36-2.6.39
3.0
3.13.2-3.19
4.0-4.20
5.0
5.1-
TypeFunction
Accuracy of pathnames
Restrict accessing information to only self process? (/proc/self/)YYYYY
Allow accessing deleted files?YYYYYY
Allow accessing pathnames longer than 4000 bytes?YYYYYY
Features for assisting specifying string values
Allow recursive directory matching? (/\{dir\}/)YYYYYYYYY
Allow grouping pathnames? (path_group)YYYYYYY
Features for assisting specifying numeric values
Allow grouping numbers? (number_group)YYYYYY
Allow grouping IP addresses? (address_group)YYYY
Features for reducing reboots
Memory reclaimed by garbage collection?YYYYYYYY
Features for supporting more fine grained domain transitions
Allow domain transitions without program execution?YYYY
Automatically perform domain transitions upon condition match?Y
Features for specifying more fine grained permissions
Restrict based on process's credentials (e.g. user ID)?YYYYY
Restrict based on file's credentials (e.g. owner ID)?YYYYY
Restrict access using process's state variables?Y(*2)
Allow including grouped permissions? (acl_group)YYYY
Allow using policy namespace?YYYY
Features for reducing damage by runaway
Sleep penaltyYY
execute handlerYY
Features for obtaining access logs
Notify of policy violation using mail?YYYYYY
Generate access granted logs/rejected logs?YYYYY
Features for assisting software updates
Handle policy violation interactively?YYYYYY
Access control for Files
Restrict opening files for reading? (read)YYYYYYYYYY
Restrict opening files for writing? (write)YYYYYYYYYY
    Tell opening files for appending from writing? (append)(*1)Y(*1)(*1)(*1)(*1)(*1)YYY
Restrict executing programs? (execute)YYYYYYYYYY
    Allow execution of programs with temporary names?YYYYYY
    Check dereferenced pathname when executing programs?YYYYY
    Check invocation name (argv[0]) when executing programs?YYYYY
    Check arguments (argv[]) and environment variables (envp[]) when executing programs?YYYYY
    Restrict permitted environment variables names?YYYY
    Restrict permitted binary loader (e.g. /lib/ld-linux.so.2) programs?YY
    Specify domain transition preference?YYY
Restrict creating files? (create)YYYYYYYYYY
    Check DAC's permission when creating files?YYYYYY
Restrict creating directories? (mkdir)YYYYYYYYYY
    Check DAC's permission when creating directories?YYYYYY
Restrict creating FIFOs? (mkfifo)YYYYYYYYYY
    Check DAC's permission when creating FIFOs?YYYYYY
Restrict creating Unix domain sockets? (mksock)YYYYYYYYYY
    Check DAC's permission when creating Unix domain sockets?YYYYYY
Restrict creating symbolic links? (symlink)YYYYYYYYYY
    Check symbolic link's target when creating symbolic links?YYYYY
Restrict creating device files? (mkblock/mkchar)YYYYYYYYYY
    Check device major/minor numbers and DAC's permission when creating device files?YYYYYY
Restrict use of IOCTL requests? (ioctl)YYYYYYYY
    Check IOCTL's command number?YYYYYY
Restrict change of owner (chown) / group (chgrp) / DAC's permissions (chmod)?YYYYYYYY
    Restrict owner ID / group ID / DAC's permissions?YYYYYY
Restrict deleting files? (unlink)YYYYYYYYYY
Restrict truncating files? (truncate)YYYYYYYYYY
Restrict overwriting files? (rewrite)Y(*1)YYYYY(*1)(*1)(*1)
Restrict renaming files? (rename)YYYYYYYYYY
Restrict creating hard links? (link)YYYYYYYYYY
Restrict deleting directories? (rmdir)YYYYYYYYYY
Restrict mounting filesystems? (mount)YYYYYYYY
    Check filesystem's type and mount options when mounting filesystems?YYYYYY
Restrict unmounting filesystems? (unmount)YYYYYYYY
Restrict change of root directories (chroot) / exchange of root directories (pivot_root)?YYYYYYYY
Access control for Networks
Restrict remote IP addresses and port numbers for outgoing connections?YYYY
Restrict remote IP addresses and port numbers for outgoing packets?YYYY
Restrict remote IP addresses and port numbers for incoming connections?YY
Restrict remote IP addresses and port numbers for incoming packets?YY
Restrict local IP addresses and port numbers?YYYY
Reserve specific local port numbers for applications that need them?YY
Restrict remote UNIX addresses for outgoing connections?YYY
Restrict remote UNIX addresses for outgoing packets?YYY
Restrict remote UNIX addresses for incoming connections?Y
Restrict remote UNIX addresses for incoming packets?Y
Restrict local UNIX addresses?YYY
Access control for Capabilities
Restrict original capabilities?YY
    Do not check capabilities that overwrap other permissions?Y
Access control for IPC
Restrict destination domains for signal transmission?YY
Misc
Allow enabling TOMOYO Linux with SELinux / AppArmor?YYY
Allow enabling functionalities the administrator wants to enable?YYYYYY
Quick initialization of configuration?YYYYYY