AKARI/TOMOYO functionality comparison table

Since AKARI is based on TOMOYO Linux 1.8, AKARI provides similar functionality and syntax which TOMOYO Linux 1.8 provides. This page describes the difference.

	TOMOYO 1.8	AKARI	TOMOYO 2.6
Advantages	Complete functionality and syntax are supported.	No need to replace kernel package.	Included in upstream kernels. No need to replace kernel package if built into the kernel.
Disadvantages	Need to replace kernel package.	Supported functionality and syntax depend on kernel's version and kernel's configuration options.	Supported functionality and syntax depend on kernel's version.
Dependency	Requires patching against kernel's source and rebuilding from source.	Kernel package must be built with below configuration options. CONFIG_SECURITY=y CONFIG_KALLSYMS=y CONFIG_PROC_FS=y CONFIG_MODULES=y The kernel package should be built with below configuration options in addition to above configuration options for supporting further functionality. CONFIG_SECURITY_NETWORK=y CONFIG_SECURITY_PATH=y Currently known to work on x86_32 x86_64 SH and ARM. Other architectures are not tested yet.	Kernel package must be built with below configuration options. CONFIG_SECURITY=y CONFIG_SECURITYFS=y CONFIG_SECURITY_PATH=y CONFIG_SECURITY_NETWORK=y CONFIG_SECURITY_TOMOYO=y Requires kernel 5.1.

Below table describes detailed functionality and syntax difference:

		TOMOYO 1.8	AKARI						TOMOYO 2.6
	Supported kernel version	2.4.37 2.6.27-2.6.39 3.0-3.19 4.0-4.20 5.0-5.19 6.0-	2.6.0-2.6.20	2.6.21-2.6.23	2.6.24-2.6.28	2.6.29	2.6.30-2.6.32	2.6.33-2.6.39 3.0-3.19 4.0-4.20 5.0-5.19 6.0-6.11	5.1-5.19 6.0-
Type	Function
Accuracy of pathnames
	Allow use of absolute pathnames for directory modification operations?	Y				Y(*1)			Y
	Restrict accessing information to only self process? (proc:/self/)	Y	Y						Y
	Allow accessing deleted files?	Y	Y						Y
	Allow accessing pathnames longer than 4000 bytes?	Y	Y						Y
Features for assisting specifying string values
	Allow recursive directory matching? (/\{dir\}/)	Y	Y						Y
	Allow grouping pathnames? (path_group)	Y	Y						Y
Features for assisting specifying numeric values
	Allow grouping numbers? (number_group)	Y	Y						Y
	Allow grouping IP addresses? (address_group)	Y	Y						Y
Features for reducing reboots
	Memory reclaimed by garbage collection?	Y	Y						Y
Features for supporting more fine grained domain transitions
	Allow domain transitions without program execution? (task manual_domain_transition)	Y	Y						Y
	Automatically perform domain transitions upon condition match? (task auto_domain_transition)	Y	Y
Features for specifying more fine grained permissions
	Restrict based on process's credentials (e.g. user ID)?	Y	Y						Y
	Restrict based on file's credentials (e.g. owner ID)?	Y	Y						Y
	Allow including grouped permissions? (acl_group)	Y	Y						Y
	Allow using policy namespace?	Y	Y						Y
Features for reducing damage by runaway
	Sleep penalty (enforcing_penalty)	Y	Y
	execute handler (task {auto_execute_handler,denied_execute_handler})	Y	Y
Features for obtaining access logs
	Notify of policy violation using mail?	Y	Y						Y
	Generate access granted logs/rejected logs?	Y	Y						Y
Features for assisting software updates
	Handle policy violation interactively?	Y	Y						Y
Access control for Files
	Restrict opening files for reading? (file read)	Y	Y						Y
	Do not check read permission when files are not opened for reading?	Y					Y		Y
	Check read permission for sysctl?	Y		Y					Y
	Restrict opening files for writing? (file {write,append})	Y	Y						Y
	Do not check write permission when files are not opened for writing?	Y			Y				Y
	Check write permission for sysctl?	Y		Y					Y
	Restrict executing programs? (file execute)	Y	Y						Y
	Allow execution of programs with temporary names?	Y	Y						Y
	Check dereferenced pathname when executing programs?	Y	Y						Y
	Check invocation name (argv[0]) when executing programs?	Y	Y						Y
	Check arguments (argv[]) and environment variables (envp[]) when executing programs?	Y	Y						Y
	Restrict permitted environment variables names? (misc env)	Y	Y						Y
	Restrict permitted binary loader (e.g. /lib/ld-linux.so.2) programs?	Y	Y
	Specify domain transition preference?	Y	Y						Y
	Restrict creating files? (file create)	Y	Y						Y
	Check DAC's permission when creating files?	Y	Y						Y
	Restrict creating directories? (file mkdir)	Y	Y						Y
	Check DAC's permission when creating directories?	Y	Y						Y
	Restrict creating FIFOs? (file mkfifo)	Y	Y						Y
	Check DAC's permission when creating FIFOs?	Y	Y						Y
	Restrict creating Unix domain sockets? (file mksock)	Y	Y						Y
	Check DAC's permission when creating Unix domain sockets?	Y	Y						Y
	Restrict creating symbolic links? (file symlink)	Y	Y						Y
	Check symbolic link's target when creating symbolic links?	Y	Y						Y
	Restrict creating device files? (file {mkblock,mkchar})	Y	Y						Y
	Check device major/minor numbers and DAC's permission when creating device files?	Y	Y						Y
	Restrict use of IOCTL requests? (file ioctl)	Y	Y						Y
	Check IOCTL's command number?	Y	Y						Y
	Restrict change of owner ID? (file chown)	Y	Y						Y
	Restrict owner ID when changing it?	Y	Y						Y
	Restrict change of group ID? (file chgrp)	Y	Y						Y
	Restrict group ID when changing it?	Y	Y						Y
	Restrict change of DAC's permissions? (file chmod)	Y	Y						Y
	Restrict DAC's permissions when changing it?	Y	Y						Y
	Restrict deleting files? (file unlink)	Y	Y						Y
	Restrict truncating files? (file truncate)	Y	Y						Y
	Restrict renaming files? (file rename)	Y	Y						Y
	Restrict creating hard links? (file link)	Y	Y						Y
	Restrict deleting directories? (file rmdir)	Y	Y						Y
	Restrict mounting filesystems? (file mount)	Y	Y						Y
	Check filesystem's type when mounting filesystems?	Y	Y						Y
	Check mount flags when mounting filesystems?	Y	Y(*2)					Y	Y
	Restrict unmounting filesystems? (file unmount)	Y	Y						Y
	Restrict change of root directories? (file chroot)	Y						Y(*1)	Y
	Restrict exchange of root directories? (file pivot_root)	Y	Y						Y
Access control for Networks
	Restrict remote IP addresses and port numbers for outgoing connections? (network inet stream connect)	Y	Y(*3)						Y
	Restrict remote IP addresses and port numbers for outgoing packets? (network inet {dgram,raw} send)	Y	Y(*3)						Y
	Restrict remote IP addresses and port numbers for incoming connections? (network inet stream accept)	Y	Y(3) (4)
	Restrict remote IP addresses and port numbers for incoming packets? (network inet {dgram,raw} recv)	Y
	Restrict local IP addresses and port numbers? (network inet {stream,dgram,raw} bind / network inet stream listen)	Y	Y(*3)						Y
	Reserve specific local port numbers for applications that need them?	Y
	Restrict remote UNIX addresses for outgoing connections? (network unix {stream,seqpacket} connect)	Y	Y(*3)						Y
	Restrict remote UNIX addresses for outgoing packets? (network unix dgram send)	Y	Y(*3)						Y
	Restrict remote UNIX addresses for incoming connections? (network unix {stream,seqpacket} accept)	Y	Y(3) (4)
	Restrict remote UNIX addresses for incoming packets? (network unix dgram recv)	Y
	Restrict local UNIX addresses? (network unix {stream,dgram,seqpacket} bind / network unix {stream,seqpacket} listen)	Y	Y(*3)						Y
Access control for Capabilities
	Restrict original capabilities? (capability)	Y
Access control for IPC
	Restrict destination domains for signal transmission? (ipc signal)	Y
Misc
	Allow using with SELinux / AppArmor?	Y	Y						Y
	Allow enabling functionalities the administrator wants to enable?	Y	Y						Y
	Quick initialization of configuration?	Y	Y						Y

*1: Only when built with CONFIG_SECURITY_PATH=y.
*2: Some mount flags (e.g. nosuid,nodev,noexec) cannot be checked.
*3: Only when built with CONFIG_SECURITY_NETWORK=y.
*4: Timing to check is deferred until the accept()ed socket is used for the first time.