Application oriented firewall using Tomoyo Mandatory Access Control

Application oriented firewall using Tomoyo Mandatory Access Control

Application oriented firewall using Tomoyo Mandatory Access Control

 

 

Important notes

 

  • To work with this tutorial you first need to install a custom kernel from AUR, this inconvenience is due to Arch team removing every MAC except SELinux from their kernel sources
  • the following AUR packages must be installed first:
    https://aur.archlinux.org/packages/linux-lts-tomoyo/
    https://aur.archlinux.org/packages/tomoyo-tools/
  • To speed up the build process and make the kernel optimized for your local machine's cpu
    edit /etc/makepkg.conf
    and change your CFLAGS and CXXFLAGS to
    CFLAGS="-march=native -mtune=native -O2 -pipe -fstack-protector-strong"
    CXXFLAGS="-march=native -mtune=native -O2 -pipe -fstack-protector-strong"
    and MAKEFLAGS="-j<1.5x your physical core count>“
    so should you have an 8 core cpu, the syntax would go like MAKEFLAGS=”-j12"
  • In order to edit all the files described below and to execute any of the described commands you’ll need local root access rights.
  • The firewall setting works as a white list, when you’re done with this tutorial, any Internet access to or from any application on your computer will be blocked by default,
    you will need to enable it explicitly for selected application by using tomoyo-editpolicy and changing it’s profile from 0 to 1 as simple as that.
  • After you installed the kernel from the AUR follow the tutorial

if you already configured Tomoyo, goto step 6.

 

 

Configuration

Step 1


Edit /boot/grub/grub.cfg
You have to add security=tomoyo to your boot entry as shown below:
menuentry 'Antergos Linux TOMOYO LTS' --class antergos --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-a1387b32-d357-11e7-9296-cec278b6b50a' {
        load_video
        set gfxpayload=keep
        insmod gzio
        insmod part_gpt
        insmod ext2
        set root='hd3,gpt2'
        if [ x$feature_platform_search_hint = xy ]; then
          search --no-floppy --fs-uuid --set=root --hint-bios=hd3,gpt2 --hint-efi=hd3,gpt2 --hint-baremetal=ahci3,gpt2  a1387b32-d357-11e7-9296-cec278b6b50a
        else
          search --no-floppy --fs-uuid --set=root a1387b32-d357-11e7-9296-cec278b6b50a
        fi
        echo    'Loading  linux kernel ...'
        linux   /vmlinuz-linux-lts-tomoyo root=UUID=a1387b32-d357-11e7-9296-cec278b6b50a rw  quiet resume=UUID=a1387b32-d357-11e7-9296-cec278b6b50a security=tomoyo
        echo    'Loading initial ramdisk ...'
        initrd   /initramfs-linux-lts-tomoyo.img
}

Step 2:


Edit /etc/default/grub
add security=tomoyo to your boot entry as shown below:
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Antergos"
GRUB_CMDLINE_LINUX_DEFAULT="quiet resume=UUID=a1387b32-d357-11e7-9296-cec278b6b50a" security=tomoyo
GRUB_CMDLINE_LINUX=""

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"

# Uncomment to enable Hidden Menu, and optionally hide the timeout count
#GRUB_HIDDEN_TIMEOUT=5
#GRUB_HIDDEN_TIMEOUT_QUIET=true

# Uncomment to use basic console
GRUB_TERMINAL_INPUT=console

# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
GRUB_GFXMODE=auto

# Uncomment to allow the kernel use the same resolution used by grub
GRUB_GFXPAYLOAD_LINUX=keep

# Uncomment if you want GRUB to pass to the Linux kernel the old parameter
# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx"
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY=true

# Uncomment and set to the desired menu colors.  Used by normal and wallpaper
# modes only.  Entries specified as foreground/background.
#GRUB_COLOR_NORMAL="light-blue/black"
#GRUB_COLOR_HIGHLIGHT="light-cyan/blue"

# Uncomment one of them for the gfx desired, a image background or a gfxtheme
#GRUB_BACKGROUND="/path/to/wallpaper"
GRUB_THEME="/boot/grub/themes/Antergos-Default/theme.txt"

# Uncomment to get a beep at GRUB start
#GRUB_INIT_TUNE="480 440 1"

#GRUB_SAVEDEFAULT="true"

Step 3


Install tomoyo-tools
type in the terminal:
pacman -S tomoyo-tools

Step 4


Reboot your OS.
 

Step 5


Initialize tomoyo default configs and profiles
type in the terminal:
/usr/lib/tomoyo/init_policy

Step 6


edit /etc/tomoyo/policy/current/profile.conf, Import or override your entries with the following code:
PROFILE_VERSION=20110903 0-COMMENT=-----block network inet----- 0-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
 0-CONFIG={ mode=disabled grant_log=no reject_log=no }
 0-CONFIG::network::unix_stream_bind={ mode=disabled grant_log=no reject_log=no }
 0-CONFIG::network::unix_stream_listen={ mode=disabled grant_log=no reject_log=no }
 0-CONFIG::network::unix_stream_connect={ mode=disabled grant_log=no reject_log=no }
 0-CONFIG::network::unix_dgram_bind={ mode=disabled grant_log=no reject_log=no }
 0-CONFIG::network::unix_dgram_send={ mode=disabled grant_log=no reject_log=no }
 0-CONFIG::network::unix_seqpacket_bind={ mode=disabled grant_log=no reject_log=no }
 0-CONFIG::network::unix_seqpacket_listen={ mode=disabled grant_log=no reject_log=no }
 0-CONFIG::network::unix_seqpacket_connect={ mode=disabled grant_log=no reject_log=no }
 0-CONFIG::network={ mode=enforcing grant_log=no reject_log=yes }
 1-COMMENT=-----allow all----- 1-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
 1-CONFIG={ mode=disabled grant_log=no reject_log=no }
 2-COMMENT=-----Permissive Mode----- 2-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
 2-CONFIG={ mode=permissive grant_log=no reject_log=yes }
 3-COMMENT=-----Enforcing Mode----- 3-PREFERENCE={ max_audit_log=1024 max_learning_entry=2048 }
 3-CONFIG={ mode=enforcing grant_log=no reject_log=yes }

Step 7


Reboot your OS.
 

Usage


you can edit any rule by executing:
tomoyo-editpolicy

then, by pressing s you can change application’s profile 0=block all Internet access, 1=allow all Internet access
you can exit the policy editor by pressing q.

NOTE:
after any changes you made to the policy, you need to save it to the disk, to do so, just type in the terminal:

tomoyo-savepolicy

NOTE:
Before you can allow an application you have to run it at least once, that way tomoyo notes the application’s existence.

NOTE:
to find an application a bit quicker in the tomoyo’s policy editor, just press f while in policy editor, and then type the first few letters of the application, after that press enter,
press n to look for the next occurrence of the application in the domain policy list

In case you still don't know how to use tomoyo's policy editor
please consult the official tomoyo documentation:
http://tomoyo.sourceforge.jp/2.5/index.html.en

Contributors:

(Visited 68 times, 3 visits today)

Pin It on Pinterest

Share This