The /sys/kernel/security/tomoyo/ interface
/sys/kernel/security/tomoyo/domain_policy
This read/write interface contains the policy that is defined for each domain. Any line starting with "<kernel>" indicates the start of a new block of access permissions.
The associated configuration file is "/etc/tomoyo/domain_policy.conf".
This interface is used primarily by the userspace tools tomoyo-editpolicy, tomoyo-loadpolicy and tomoyo-savepolicy.
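As an added example (not part of the original page or of the TOMOYO userspace tools), the shell functions below compare the live contents of this interface with the saved configuration file and list the entries that differ, which shows policy that was changed in the kernel but never saved, or the reverse. It assumes both files use the same line format and treats everything except the "<kernel>" block header as opaque text; the function names and the constructed sample entries are illustrative.

```shell
#!/bin/sh
# Added example, not part of the TOMOYO tools. Entries are treated as opaque
# text; the only format rule used is that a "<kernel>" line opens a new block.

# Emit one sorted "domain<TAB>entry" line per entry of policy file $1.
tomoyo_flatten() {
    awk '
        /^<kernel>/         { dom = $0; print dom "\t"; next }  # block header
        dom != "" && NF > 0 { print dom "\t" $0 }               # entry in block
    ' "$1" | LC_ALL=C sort -u
}

# Print "+ ..." for entries only in live file $1 and "- ..." for entries only
# in saved file $2. Returns 0 if identical, 1 on drift, 2 on error.
tomoyo_policy_drift() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    live=$(mktemp) && saved=$(mktemp) || return 2
    tomoyo_flatten "$1" > "$live"
    tomoyo_flatten "$2" > "$saved"
    out=$(LC_ALL=C comm -23 "$live" "$saved" | sed 's/^/+ /'
          LC_ALL=C comm -13 "$live" "$saved" | sed 's/^/- /')
    rm -f "$live" "$saved"
    if [ -n "$out" ]; then printf '%s\n' "$out"; return 1; fi
    return 0
}

# Constructed sample (entry text is illustrative): the live policy has gained
# one entry in an existing domain and one whole new domain.
tomoyo_drift_demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '<kernel>' 'use_profile 1' '' \
        '<kernel> /usr/sbin/sshd' 'use_profile 3' 'allow_read /etc/passwd' > "$d/saved"
    { cat "$d/saved"
      printf '%s\n' 'allow_read /etc/shadow' '' \
          '<kernel> /usr/sbin/sshd /bin/bash' 'use_profile 3'; } > "$d/live"
    tomoyo_policy_drift "$d/live" "$d/saved" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}

# Run as root with --live to compare the kernel's policy with the saved file.
if [ "${1:-}" = "--live" ]; then
    tomoyo_policy_drift /sys/kernel/security/tomoyo/domain_policy \
                        /etc/tomoyo/domain_policy.conf
fi
```

A non-zero exit status with "+" lines means the running policy contains entries that would be lost on reboot unless saved; "-" lines mean the saved file holds entries the kernel is not currently enforcing.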
/sys/kernel/security/tomoyo/exception_policy
This read/write interface contains the exception policy. Each line is an individual entry.
The associated configuration file is "/etc/tomoyo/exception_policy.conf".
This interface is used primarily by the userspace tools tomoyo-editpolicy, tomoyo-loadpolicy and tomoyo-savepolicy.
/sys/kernel/security/tomoyo/manager
This read/write interface contains a list of either domains or full pathnames that have been given permission to write to the "/sys/kernel/security/tomoyo/" interface.
As an exception, all domains can write to the interfaces below for restricted purposes.
- /sys/kernel/security/tomoyo/.process_status for reading information about processes
- /sys/kernel/security/tomoyo/domain_policy for reading a specific domain's (or a specific process's) access permissions
- /sys/kernel/security/tomoyo/self_domain for changing the domain of the caller process
The associated configuration file is "/etc/tomoyo/manager.conf".
This interface is used primarily by the userspace tools tomoyo-editpolicy, tomoyo-loadpolicy and tomoyo-savepolicy.
# cat /sys/kernel/security/tomoyo/manager
/usr/sbin/tomoyo-loadpolicy
/usr/sbin/tomoyo-editpolicy
/usr/sbin/tomoyo-setlevel
/usr/sbin/tomoyo-setprofile
/usr/sbin/tomoyo-queryd
/sys/kernel/security/tomoyo/profile
This read/write interface contains the profile configuration.
The associated configuration file is "/etc/tomoyo/profile.conf".
This interface is used primarily by the userspace tools tomoyo-editpolicy, tomoyo-loadpolicy, tomoyo-savepolicy and tomoyo-setlevel.
/sys/kernel/security/tomoyo/query
This read/write interface is used to grant or reject individual access requests that occur within domains in "Enforcing Mode".
This interface is used primarily by the userspace tool tomoyo-queryd.
/sys/kernel/security/tomoyo/self_domain
This read-only interface shows the domain of the caller process.
/sys/kernel/security/tomoyo/meminfo
This read/write interface contains information about memory usage in bytes.
# cat /sys/kernel/security/tomoyo/meminfo
Policy: 1081504
Query lists: 0 (Quota: 1048576)
Total: 1081504
- Policy shows the memory used for holding access permissions.
- Query lists shows the memory used while waiting for the administrator's decision.
- Total shows the total memory used.
This interface allows the administrator to configure the memory quota.
The associated configuration file is "/etc/tomoyo/meminfo.conf".
This interface is used primarily by the userspace tools tomoyo-editpolicy, tomoyo-loadpolicy and tomoyo-savepolicy.
/sys/kernel/security/tomoyo/version
This read-only interface contains the currently running version of TOMOYO Linux.
/sys/kernel/security/tomoyo/.domain_status
This read/write interface contains a list of domain names and profile numbers currently defined in the domain policy.
This interface is used primarily by the userspace tool tomoyo-setprofile.
/sys/kernel/security/tomoyo/.process_status
This read/write interface contains a list of domain names and profile numbers that the currently running processes belong to.
This interface is used primarily by the userspace tool tomoyo-pstree.