Difference between revisions of "Kernel Development"

From SELinux Wiki

Changes to the To Do List between the earlier revision and the revision of 12:44, 25 April 2008. Lines marked "-" appear only in the earlier revision, lines marked "+" only in the later one; unmarked lines are unchanged context, and "Line N: Line M:" gives each hunk's position in the two revisions.

Line 1: Line 1:
  == To Do List ==
- * Investigate possible further need for GFP_NOFS, per [http://marc.info/?t=120716967100004&r=1&w=2 discussion].
  * Investigate security policy for cgroups.
- * Make sure all printks have KERN_ prefixes.
- * Change error messages in hooks.c to have SELinux in the message in place of the __FUNCTION__ name, and/or to ensure that all such functions have a selinux prefix.
  * Labeling for loopback traffic (in progress HP).

Line 14: Line 8:
  * Add a 'map' check on mmap and mprotect so that we can distinguish memory mapped access (since it has different implications for revocation).
- * Add open perm to help with the fd redirection issue, so that r/w can be given out more liberally without allowing direct open, requiring access via fd use.  See http://marc.info/?l=selinux&m=120118041128655&w=2  (patch posted RH)
  * btrfs support
- * Possibly: eliminate security_file_permission altogether and switch to a revoke-based model if the revoke support in -mm goes upstream (i.e. don't revalidate on use, revoke upon file relabel or policy change).
  * Export current policy via selinuxfs so that it can be verified and analyzed.
- * cap_override class<sup>2</sup>  (in progress NSA)
+ * cap_override class<sup>2</sup>  (rfc patch posted, needs re-base and extension for 64-bit caps)
  * Compile out LSM hooks & allow SELinux to be linked directly.

Line 30: Line 20:
  * remove secondary module stacking code (eparis RH BZ#231890)
- * security_port_sid needs optimization (eparis RH BZ#234531, HP planning to do it for 2.6.26)
  * fine grained enforcement of sysfs objects (RH BZ#228902)
  * additional support of a security netfilter table for secmark/net forwarding (RH: RFC patch posted)
- * Normalize the SELinux in-kernel API.
  * Namespacing of SELinux global functions and variables.

Line 43: Line 29:
  * NFSv4 support (in progress)
- * Linux hv controls (in progress Tresys)
+ * Linux hv controls (in progress Tresys?)
  * Finer-grained proc checking (so that we don't require full ptrace permission just to read process state),

Line 53: Line 39:
  * Real device labeling and access control (i.e. bind a label to a device in the kernel irrespective of what device node is used to access it so that a process that can create any device nodes at all can't effectively bypass all device access controls just by creating an arbitrary node to any device in a type accessible to it),
- * Full APIs for getting and setting security contexts of sockets and IPC objects.
+ * Full APIs for getting and setting security contexts of sockets and IPC objects.  Ensure that socket context is kept consistent on socket inode and sock structures when changed.
  * Polyinstantiated ports

Line 61: Line 47:
  * CIFS support for single-context clients (also has xattrs & Karl says it's better than NFS).
- * Investigate integration with integrity & measurement
+ * Investigate integration with integrity measurement (in progress IBM and NSA)
  * Crypto policy for domains & object handling
  * Expand LTP as a full regression testuite for every permission & class
- * Convert sk_callback_lock to RCU
  * Redo performance testing & profiling
- * Support for kernel namespaces
+ * Support for kernel namespaces:  labeling and access controls on namespaces, per-namespace policy?
+ * Similar support for chroots to support build systems?
+ * Support for setting down unknown file contexts for package managers and filesystem restore (old patches posted, need re-base and resolution)
  * Better controls for posix message queues (?)

Revision as of 12:44, 25 April 2008

To Do List

  • Investigate security policy for cgroups.
  • Labeling for loopback traffic (in progress HP).
  • Reduce memory usage of selinux structs: pahole (eparis RH BZ#235284)
  • Add a 'map' check on mmap and mprotect so that we can distinguish memory mapped access (since it has different implications for revocation).
  • btrfs support
  • Export current policy via selinuxfs so that it can be verified and analyzed.
  • cap_override class [2] (rfc patch posted, needs re-base and extension for 64-bit caps)
  • Compile out LSM hooks & allow SELinux to be linked directly.
  • Automate checking for new syscalls in kernels (-mm, -rc etc).
  • remove secondary module stacking code (eparis RH BZ#231890)
  • fine grained enforcement of sysfs objects (RH BZ#228902)
  • additional support of a security netfilter table for secmark/net forwarding (RH: RFC patch posted)
  • Namespacing of SELinux global functions and variables.
  • NFSv4 support (in progress)
  • Linux hv controls (in progress Tresys?)
  • Finer-grained proc checking (so that we don't require full ptrace permission just to read process state),
  • Improve/fix ioctl checking (see prior discussions on selinux and linux-security-module list) [4]
  • Revoke memory-mapped file access upon policy change or setxattr.
  • Real device labeling and access control (i.e. bind a label to a device in the kernel irrespective of what device node is used to access it so that a process that can create any device nodes at all can't effectively bypass all device access controls just by creating an arbitrary node to any device in a type accessible to it),
  • Full APIs for getting and setting security contexts of sockets and IPC objects. Ensure that socket context is kept consistent on socket inode and sock structures when changed.
  • Polyinstantiated ports
  • Increased granularity for Generic Netlink
  • CIFS support for single-context clients (also has xattrs & Karl says it's better than NFS).
  • Investigate integration with integrity measurement (in progress IBM and NSA)
  • Crypto policy for domains & object handling
  • Expand LTP as a full regression test suite for every permission & class
  • Redo performance testing & profiling
  • Support for kernel namespaces: labeling and access controls on namespaces, per-namespace policy?
  • Similar support for chroots to support build systems?
  • Support for setting down unknown file contexts for package managers and filesystem restore (old patches posted, need re-base and resolution)
  • Better controls for posix message queues (?)
  • move *mem permissions to new memprotect class. Bump policy version.
  • discovery of class and permission offsets [3]

Notes:

[2] Allow SELinux to selectively grant capabilities authoritatively based on SELinux domain. Executables could be made privileged w/o needing to be setuid root, all via SELinux without needing yet another mechanism like file capabilities. Eliminate the need for filesystem capabilities support (which will be a nightmare to manage, as they are per-file bitmaps vs. per-type access vectors).

[3] Make the hooks/avc layer request class/perm offsets from security server so that static offsets are no longer necessary and obsolete kernel classes can be purged.

[4] "replacing the default case in selinux_file_ioctl with a simple test of _IOC_DIR(cmd) as in Smack, mapping to FILE__WRITE and/or FILE__READ accordingly."
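An added illustration of the _IOC_DIR() mapping described in note 4 (example code written for this page, not from the SELinux kernel tree): the _IOC_* layout is copied from Linux asm-generic/ioctl.h so it builds without kernel headers, and the FILE__READ/FILE__WRITE values are assumed stand-ins for the generated permission bits.

```c
/* Added example for note 4: derive the file permission an ioctl command
 * implies from its _IOC_DIR() encoding.  _IOC_* copies the Linux
 * asm-generic/ioctl.h layout; FILE__READ/FILE__WRITE are stand-in bits. */
#define _IOC_NRBITS    8
#define _IOC_TYPEBITS  8
#define _IOC_SIZEBITS  14
#define _IOC_TYPESHIFT (_IOC_NRBITS)
#define _IOC_SIZESHIFT (_IOC_TYPESHIFT + _IOC_TYPEBITS)
#define _IOC_DIRSHIFT  (_IOC_SIZESHIFT + _IOC_SIZEBITS)
#define _IOC_NONE      0U
#define _IOC_WRITE     1U
#define _IOC_READ      2U
#define _IOC(dir, type, nr, size) \
	(((dir) << _IOC_DIRSHIFT) | ((type) << _IOC_TYPESHIFT) | \
	 (nr) | ((size) << _IOC_SIZESHIFT))
#define _IOC_DIR(cmd)  (((cmd) >> _IOC_DIRSHIFT) & 3U)

#define FILE__READ   0x01U	/* stand-in bit values, not the generated ones */
#define FILE__WRITE  0x02U

/* _IOC_WRITE: userspace passes data into the kernel  -> FILE__WRITE.
 * _IOC_READ:  the kernel returns data to userspace    -> FILE__READ.
 * _IOC_NONE:  no data crosses, so no read/write requirement (as in Smack). */
unsigned int ioctl_dir_perms(unsigned int cmd)
{
	unsigned int dir = _IOC_DIR(cmd), perms = 0;

	if (dir & _IOC_WRITE)
		perms |= FILE__WRITE;
	if (dir & _IOC_READ)
		perms |= FILE__READ;
	return perms;
}

/* 1 when the permissions a domain already holds on the file cover what the
 * command demands, 0 when the replaced default case would have to deny. */
int ioctl_allowed(unsigned int allowed, unsigned int cmd)
{
	return (ioctl_dir_perms(cmd) & ~allowed) == 0;
}

int main(void)
{
	unsigned int get = _IOC(_IOC_READ, 'T', 1, 4);   /* an _IOR-style command */
	unsigned int set = _IOC(_IOC_WRITE, 'T', 2, 4);  /* an _IOW-style command */

	/* A domain holding only FILE__READ may issue GET but not SET. */
	return (ioctl_allowed(FILE__READ, get) && !ioctl_allowed(FILE__READ, set)) ? 0 : 1;
}
```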

Known Bugs

Done

  • Finalize NFS binary mount support: ensure new hooks are called.
  • Review Netlink link creation API code for security hook coverage.
  • Remove obsolete object backpointers.
  • Fix context_struct_compute_av latency issue raised by Ingo Molnar (lkml post)
  • Better support for sys_splice and related syscalls
  • change Kconfig to use select instead of depends (eparis RH BZ# 228899)
  • allow undefined classes and permissions in kernel (eparis RH BZ#235280)
  • explicitly set i_ino on all creations in selinuxfs (eparis RH BZ#235248)
  • Review sys_fallocate if/when it is merged
  • Labeling for forwarded traffic (done: HP)
  • security_file_permission callsite consolidation [1] (done: RH)
  • Add hook for filesystems with binary mount data per requests by fsdevel folk (done: RH)
  • add NFSv4 support for command line mount options. (done: RH)
  • Support for 64-bit capabilities (sds of the NSA)
  • Display LSM mount options in /proc/mounts (done: RH)
  • Permissive domains (done: RH).

[1] Provide a static inline helper for all FMODE_READ/FMODE_WRITE checks that also includes the corresponding security_file_permission() call to help ensure that they always happen together in the future. Possibly even rolling up rw_verify_area() checking as well into it.

Resources