
AKARI/TOMOYO functionality comparison table

Since AKARI is based on TOMOYO Linux 1.8, AKARI provides functionality and syntax similar to what TOMOYO Linux 1.8 provides. This page describes the differences.

| | TOMOYO 1.8 | AKARI | TOMOYO 2.5 |
|---|---|---|---|
| Advantages | Complete functionality and syntax are supported. | No need to replace kernel package. | Included in upstream kernels. No need to replace kernel package if built into the kernel. |
| Disadvantages | Need to replace kernel package. | Supported functionality and syntax depend on kernel's version and kernel's configuration options. | Supported functionality and syntax depend on kernel's version. |
| Dependency | Requires patching against kernel's source and rebuilding from source. | Kernel package must be built with the following configuration options: CONFIG_SECURITY=y, CONFIG_KALLSYMS=y, CONFIG_PROC_FS=y, CONFIG_MODULES=y. For further functionality the kernel package should additionally be built with CONFIG_SECURITY_NETWORK=y and CONFIG_SECURITY_PATH=y. Currently known to work on x86_32, x86_64, SH and ARM; other architectures are not tested yet. | Kernel package must be built with the following configuration options: CONFIG_SECURITY=y, CONFIG_SECURITYFS=y, CONFIG_SECURITY_PATH=y, CONFIG_SECURITY_NETWORK=y, CONFIG_SECURITY_TOMOYO=y. Requires kernel 3.2. (Backport patch for Linux 2.6.33 to 3.1 is available.) |
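A check for the AKARI kernel configuration options listed above, as an added example (not part of the AKARI or TOMOYO projects): it reads a Kconfig-format file, reports the four required options and the two optional ones, and is run here against a constructed sample config rather than a real kernel's.

```shell
#!/bin/sh
# Added example (not part of AKARI or TOMOYO): check a kernel config file for the
# options the dependency table lists for AKARI. Required options are checked
# first; the two optional ones only widen the supported syntax (network/path hooks).

AKARI_REQUIRED="CONFIG_SECURITY CONFIG_KALLSYMS CONFIG_PROC_FS CONFIG_MODULES"
AKARI_OPTIONAL="CONFIG_SECURITY_NETWORK CONFIG_SECURITY_PATH"

# option_enabled FILE OPTION: succeeds if "OPTION=y" is set in FILE.
# Accepts a plain .config or a gzipped one such as /proc/config.gz.
option_enabled() {
    if [ "${1%.gz}" != "$1" ]; then
        gzip -dc "$1" | grep -q "^$2=y\$"
    else
        grep -q "^$2=y\$" "$1"
    fi
}

# akari_check FILE: prints the status of each option and returns 0 only when
# every required option is enabled (1 otherwise). Absent optional options are
# reported so the administrator knows which AKARI functionality will be missing.
akari_check() {
    rc=0
    for opt in $AKARI_REQUIRED; do
        if option_enabled "$1" "$opt"; then echo "ok       $opt"
        else echo "MISSING  $opt (required)"; rc=1; fi
    done
    for opt in $AKARI_OPTIONAL; do
        if option_enabled "$1" "$opt"; then echo "ok       $opt"
        else echo "absent   $opt (optional: reduced functionality)"; fi
    done
    return $rc
}

# Constructed sample config for the demonstration (not taken from a real kernel):
# all required options present, CONFIG_SECURITY_PATH on, CONFIG_SECURITY_NETWORK off.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_SECURITY=y
CONFIG_KALLSYMS=y
CONFIG_PROC_FS=y
CONFIG_MODULES=y
CONFIG_SECURITY_PATH=y
# CONFIG_SECURITY_NETWORK is not set
EOF

akari_check "$SAMPLE_CFG"
# Against the running kernel, use /proc/config.gz or /boot/config-$(uname -r).
```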

The table below describes the detailed functionality and syntax differences:

| Type / Function | TOMOYO 1.8 | AKARI | TOMOYO 2.5 |
|---|---|---|---|
| Supported kernel version | 2.4.37, 2.6.27-2.6.39, 3.0-3.19, 4.0- | 2.6.0-2.6.20, 2.6.21-2.6.23, 2.6.24-2.6.28, 2.6.29, 2.6.30-2.6.32, 2.6.33-2.6.39, 3.0-3.19, 4.0- | 3.2-3.19, 4.0- |
| Accuracy of pathnames | | | |
| Allow use of absolute pathnames for directory modification operations? | Y | Y (*1) | Y |
| Restrict accessing information to only self process? (proc:/self/) | Y | Y | Y |
| Allow accessing deleted files? | Y | Y | Y |
| Allow accessing pathnames longer than 4000 bytes? | Y | Y | Y |
| Features for assisting specifying string values | | | |
| Allow recursive directory matching? (/\{dir\}/) | Y | Y | Y |
| Allow grouping pathnames? (path_group) | Y | Y | Y |
| Features for assisting specifying numeric values | | | |
| Allow grouping numbers? (number_group) | Y | Y | Y |
| Allow grouping IP addresses? (address_group) | Y | Y | Y |
| Features for reducing reboots | | | |
| Memory reclaimed by garbage collection? | Y | Y | Y |
| Features for supporting more fine grained domain transitions | | | |
| Allow domain transitions without program execution? (task manual_domain_transition) | Y | Y | Y |
| Automatically perform domain transitions upon condition match? (task auto_domain_transition) | Y | Y | |
| Features for specifying more fine grained permissions | | | |
| Restrict based on process's credentials (e.g. user ID)? | Y | Y | Y |
| Restrict based on file's credentials (e.g. owner ID)? | Y | Y | Y |
| Allow including grouped permissions? (acl_group) | Y | Y | Y |
| Allow using policy namespace? | Y | Y | Y |
| Features for reducing damage by runaway | | | |
| Sleep penalty (enforcing_penalty) | Y | Y | |
| execute handler (task {auto_execute_handler,denied_execute_handler}) | Y | Y | |
| Features for obtaining access logs | | | |
| Notify of policy violation using mail? | Y | Y | Y |
| Generate access granted logs/rejected logs? | Y | Y | Y |
| Features for assisting software updates | | | |
| Handle policy violation interactively? | Y | Y | Y |
| Access control for Files | | | |
| Restrict opening files for reading? (file read) | Y | Y | Y |
| - Do not check read permission when files are not opened for reading? | Y | Y | Y |
| - Check read permission for sysctl? | Y | Y | Y |
| Restrict opening files for writing? (file {write,append}) | Y | Y | Y |
| - Do not check write permission when files are not opened for writing? | Y | Y | Y |
| - Check write permission for sysctl? | Y | Y | Y |
| Restrict executing programs? (file execute) | Y | Y | Y |
| - Allow execution of programs with temporary names? | Y | Y | Y |
| - Check dereferenced pathname when executing programs? | Y | Y | Y |
| - Check invocation name (argv[0]) when executing programs? | Y | Y | Y |
| - Check arguments (argv[]) and environment variables (envp[]) when executing programs? | Y | Y | Y |
| - Restrict permitted environment variable names? (misc env) | Y | Y | Y |
| - Restrict permitted binary loader (e.g. /lib/ld-linux.so.2) programs? | Y | Y | |
| - Specify domain transition preference? | Y | Y | Y |
| Restrict creating files? (file create) | Y | Y | Y |
| - Check DAC's permission when creating files? | Y | Y | Y |
| Restrict creating directories? (file mkdir) | Y | Y | Y |
| - Check DAC's permission when creating directories? | Y | Y | Y |
| Restrict creating FIFOs? (file mkfifo) | Y | Y | Y |
| - Check DAC's permission when creating FIFOs? | Y | Y | Y |
| Restrict creating Unix domain sockets? (file mksock) | Y | Y | Y |
| - Check DAC's permission when creating Unix domain sockets? | Y | Y | Y |
| Restrict creating symbolic links? (file symlink) | Y | Y | Y |
| - Check symbolic link's target when creating symbolic links? | Y | Y | Y |
| Restrict creating device files? (file {mkblock,mkchar}) | Y | Y | Y |
| - Check device major/minor numbers and DAC's permission when creating device files? | Y | Y | Y |
| Restrict use of IOCTL requests? (file ioctl) | Y | Y | Y |
| - Check IOCTL's command number? | Y | Y | Y |
| Restrict change of owner ID? (file chown) | Y | Y | Y |
| - Restrict owner ID when changing it? | Y | Y | Y |
| Restrict change of group ID? (file chgrp) | Y | Y | Y |
| - Restrict group ID when changing it? | Y | Y | Y |
| Restrict change of DAC's permissions? (file chmod) | Y | Y | Y |
| - Restrict DAC's permissions when changing them? | Y | Y | Y |
| Restrict deleting files? (file unlink) | Y | Y | Y |
| Restrict truncating files? (file truncate) | Y | Y | Y |
| Restrict renaming files? (file rename) | Y | Y | Y |
| Restrict creating hard links? (file link) | Y | Y | Y |
| Restrict deleting directories? (file rmdir) | Y | Y | Y |
| Restrict mounting filesystems? (file mount) | Y | Y | Y |
| - Check filesystem's type when mounting filesystems? | Y | Y | Y |
| - Check mount flags when mounting filesystems? | Y | Y (*2) | Y |
| Restrict unmounting filesystems? (file unmount) | Y | Y | Y |
| Restrict change of root directories? (file chroot) | Y | Y (*1) | Y |
| Restrict exchange of root directories? (file pivot_root) | Y | Y | Y |
| Access control for Networks | | | |
| Restrict remote IP addresses and port numbers for outgoing connections? (network inet stream connect) | Y | Y (*3) | Y |
| Restrict remote IP addresses and port numbers for outgoing packets? (network inet {dgram,raw} send) | Y | Y (*3) | Y |
| Restrict remote IP addresses and port numbers for incoming connections? (network inet stream accept) | Y | Y (*3) | (*4) |
| Restrict remote IP addresses and port numbers for incoming packets? (network inet {dgram,raw} recv) | Y | | |
| Restrict local IP addresses and port numbers? (network inet {stream,dgram,raw} bind / network inet stream listen) | Y | Y (*3) | Y |
| Reserve specific local port numbers for applications that need them? | Y | | |
| Restrict remote UNIX addresses for outgoing connections? (network unix {stream,seqpacket} connect) | Y | Y (*3) | Y |
| Restrict remote UNIX addresses for outgoing packets? (network unix dgram send) | Y | Y (*3) | Y |
| Restrict remote UNIX addresses for incoming connections? (network unix {stream,seqpacket} accept) | Y | Y (*3) | (*4) |
| Restrict remote UNIX addresses for incoming packets? (network unix dgram recv) | Y | | |
| Restrict local UNIX addresses? (network unix {stream,dgram,seqpacket} bind / network unix {stream,seqpacket} listen) | Y | Y (*3) | Y |
| Access control for Capabilities | | | |
| Restrict original capabilities? (capability) | Y | | |
| Access control for IPC | | | |
| Restrict destination domains for signal transmission? (ipc signal) | Y | | |
| Misc | | | |
| Allow using with SELinux / AppArmor? | Y | Y | |
| Allow enabling functionalities the administrator wants to enable? | Y | Y | Y |
| Quick initialization of configuration? | Y | Y | Y |