tomoyotitle.png

TOMOYO Linux functionality comparison table

TOMOYO Linux version1.71.82.22.32.42.5
Supported kernel version2.4.37
2.6.27-2.6.37
2.4.37
2.6.27-2.6.39
3.0-3.19
4.0-
2.6.30-2.6.322.6.332.6.342.6.352.6.36-2.6.39
3.0
3.13.2-3.19
4.0-
TypeFunction
Accuracy of pathnames
Restrict accessing information to only self process? (/proc/self/)YYYY
Allow accessing deleted files?YYYYY
Allow accessing pathnames longer than 4000 bytes?YYYYY
Features for assisting specifying string values
Allow recursive directory matching? (/\{dir\}/)YYYYYYYY
Allow grouping pathnames? (path_group)YYYYYY
Features for assisting specifying numeric values
Allow grouping numbers? (number_group)YYYYY
Allow grouping IP addresses? (address_group)YYY
Features for reducing reboots
Memory reclaimed by garbage collection?YYYYYYY
Features for supporting more fine grained domain transitions
Allow domain transitions without program execution?YYY
Automatically perform domain transitions upon condition match?Y
Features for specifying more fine grained permissions
Restrict based on process's credentials (e.g. user ID)?YYYY
Restrict based on file's credentials (e.g. owner ID)?YYYY
Restrict access using process's state variables?Y(*2)
Allow including grouped permissions? (acl_group)YYY
Allow using policy namespace?YYY
Features for reducing damage by runaway
Sleep penaltyYY
execute handlerYY
Features for obtaining access logs
Notify of policy violation using mail?YYYYY
Generate access granted logs/rejected logs?YYYY
Features for assisting software updates
Handle policy violation interactively?YYYYY
Access control for Files
Restrict opening files for reading? (read)YYYYYYYYY
Restrict opening files for writing? (write)YYYYYYYYY
    Tell opening files for appending from writing? (append)(*1)Y(*1)(*1)(*1)(*1)(*1)YY
Restrict executing programs? (execute)YYYYYYYYY
    Allow execution of programs with temporary names?YYYYY
    Check dereferenced pathname when executing programs?YYYY
    Check invocation name (argv[0]) when executing programs?YYYY
    Check arguments (argv[]) and environment variables (envp[]) when executing programs?YYYY
    Restrict permitted environment variables names?YYY
    Restrict permitted binary loader (e.g. /lib/ld-linux.so.2) programs?YY
    Specify domain transition preference?YY
Restrict creating files? (create)YYYYYYYYY
    Check DAC's permission when creating files?YYYYY
Restrict creating directories? (mkdir)YYYYYYYYY
    Check DAC's permission when creating directories?YYYYY
Restrict creating FIFOs? (mkfifo)YYYYYYYYY
    Check DAC's permission when creating FIFOs?YYYYY
Restrict creating Unix domain sockets? (mksock)YYYYYYYYY
    Check DAC's permission when creating Unix domain sockets?YYYYY
Restrict creating symbolic links? (symlink)YYYYYYYYY
    Check symbolic link's target when creating symbolic links?YYYY
Restrict creating device files? (mkblock/mkchar)YYYYYYYYY
    Check device major/minor numbers and DAC's permission when creating device files?YYYYY
Restrict use of IOCTL requests? (ioctl)YYYYYYY
    Check IOCTL's command number?YYYYY
Restrict change of owner (chown) / group (chgrp) / DAC's permissions (chmod)?YYYYYYY
    Restrict owner ID / group ID / DAC's permissions?YYYYY
Restrict deleting files? (unlink)YYYYYYYYY
Restrict truncating files? (truncate)YYYYYYYYY
Restrict overwriting files? (rewrite)Y(*1)YYYYY(*1)(*1)
Restrict renaming files? (rename)YYYYYYYYY
Restrict creating hard links? (link)YYYYYYYYY
Restrict deleting directories? (rmdir)YYYYYYYYY
Restrict mounting filesystems? (mount)YYYYYYY
    Check filesystem's type and mount options when mounting filesystems?YYYYY
Restrict unmounting filesystems? (unmount)YYYYYYY
Restrict change of root directories (chroot) / exchange of root directories (pivot_root)?YYYYYYY
Access control for Networks
Restrict remote IP addresses and port numbers for outgoing connections?YYY
Restrict remote IP addresses and port numbers for outgoing packets?YYY
Restrict remote IP addresses and port numbers for incoming connections?YY
Restrict remote IP addresses and port numbers for incoming packets?YY
Restrict local IP addresses and port numbers?YYY
Reserve specific local port numbers for applications that need them?YY
Restrict remote UNIX addresses for outgoing connections?YY
Restrict remote UNIX addresses for outgoing packets?YY
Restrict remote UNIX addresses for incoming connections?Y
Restrict remote UNIX addresses for incoming packets?Y
Restrict local UNIX addresses?YY
Access control for Capabilities
Restrict original capabilities?YY
    Do not check capabilities that overwrap other permissions?Y
Access control for IPC
Restrict destination domains for signal transmission?YY
Misc
Allow enabling TOMOYO Linux with SELinux / AppArmor?YY
Allow enabling functionalities the administrator wants to enable?YYYYY
Quick initialization of configuration?YYYYY