Kernel Development

From SELinux Wiki

Revision as of 05:01, 27 November 2008 (edit)
JamesMorris (Talk | contribs)
(To Do List)
Revision as of 23:07, 1 December 2008 (edit) (undo)
JamesMorris (Talk | contribs)
(To Do List)
Line 1: Line 1:
== To Do List == == To Do List ==
 +
 +* Remove ae.used field.
* Audit for correctness when CONFIG_BUG=n. * Audit for correctness when CONFIG_BUG=n.
Line 29: Line 31:
* Add a 'map' check on mmap and mprotect so that we can distinguish memory mapped access (since it has different implications for revocation). * Add a 'map' check on mmap and mprotect so that we can distinguish memory mapped access (since it has different implications for revocation).
-* btrfs/crfs support+* btrfs support (fs needs to be wired up to xattr code)
 + 
 +* crfs ?
* cap_override class<sup>2</sup> (rfc patch posted, needs re-base and extension for 64-bit caps) * cap_override class<sup>2</sup> (rfc patch posted, needs re-base and extension for 64-bit caps)
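Review bot: splitting "btrfs/crfs support" into "btrfs support (fs needs to be wired up to xattr code)" and a bare "crfs ?" leaves the crfs item without a stated reason for the question mark; say whether crfs also needs xattr wiring or whether it is being dropped from the list, e.g. "crfs support (status unknown; check whether it exposes xattrs)".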

Revision as of 23:07, 1 December 2008

To Do List

  • Remove ae.used field.
  • Audit for correctness when CONFIG_BUG=n.
  • Add LTP tests for recent kernel changes.
  • Remove all unnecessary secondary_ops calls that have no corresponding capability hook (legacy of old attempts to support other security modules as secondary).
  • Possibly convert all security_ops calls to direct cap_ calls for greater efficiency and clarity. We would still retain secondary_ops so that we can reset security_ops in selinux_disable(), although technically that would be cleaner if handled by the framework rather than by direct manipulation from SELinux.
  • The message "inode_doinit_with_dentry: context_to_sid(blah:blah:bah) returned 22" is meaningless to all but 2 people in the world and isn't uncommon (maybe printk_ratelimit() it).
  • avc_init() calls kmem_cache_create(), but this cache is not freed if we call selinux_disable() from init.
  • Possibly add a permission to allow multi-threaded dynamic transitions. [5]
  • Reduce size of critical sections and use of GFP_ATOMIC.
  • Remove load_mutex mutex. [patch queued]
  • Open code POLICY_RDLOCK and friends (per suggestion from akpm) [patches queued]
  • Investigate security policy for cgroups.
  • Labeling for loopback traffic (in progress HP).
  • Reduce memory usage of selinux structs: pahole (eparis RH BZ#235284)
  • Add a 'map' check on mmap and mprotect so that we can distinguish memory mapped access (since it has different implications for revocation).
  • btrfs support (fs needs to be wired up to xattr code)
  • crfs ?
  • cap_override class [2] (rfc patch posted, needs re-base and extension for 64-bit caps)
  • Compile out LSM hooks & allow SELinux to be linked directly.
  • Automate checking for new syscalls in kernels (-mm, -rc etc).
  • remove secondary module stacking code (eparis RH BZ#231890)
  • fine grained enforcement of sysfs objects (RH BZ#228902)
  • ditto for usbfs and other pseudo filesystems of interest
  • additional support of a security netfilter table for secmark/net forwarding (RH: merged to nf repo)
  • Namespacing of SELinux global functions and variables. [4]
  • NFSv4 support (in progress)
  • Linux hv controls (in progress Tresys?)
  • Revoke memory-mapped file access upon policy change or setxattr.
  • Real device labeling and access control (i.e. bind a label to a device in the kernel irrespective of which device node is used to access it, so that a process that can create any device nodes at all can't effectively bypass all device access controls just by creating an arbitrary node to any device in a type accessible to it).
  • Full APIs for getting and setting security contexts of sockets and IPC objects. Ensure that socket context is kept consistent on socket inode and sock structures when changed.
  • Polyinstantiated ports
  • Increased granularity for Generic Netlink
  • CIFS support for single-context clients (also has xattrs & Karl says it's better than NFS).
  • Investigate integration with integrity measurement (in progress IBM and NSA)
  • Crypto policy for domains & object handling
  • Expand LTP into a full regression test suite for every permission & class
  • Redo performance testing & profiling
  • Better controls for posix message queues (?)
  • move *mem permissions to new memprotect class. Bump policy version.
  • discovery of class and permission offsets [3]
  • better support for FS whose labelling behaviour is not specified in policy. If nothing from policy just test for xattr support and use it if it is there.

Notes:

[2] Allow SELinux to selectively grant capabilities authoritatively based on SELinux domain. Executables could be made privileged w/o needing to be setuid root, all via SELinux without needing yet another mechanism like file capabilities. Eliminate the need for filesystem capabilities support (which will be a nightmare to manage, as they are per-file bitmaps vs. per-type access vectors).

[3] Make the hooks/avc layer request class/perm offsets from the security server so that static offsets are no longer necessary and obsolete kernel classes can be purged.

[4]

We have a lot of global functions and variables, some with no prefix at
all, some with prefixes that are not clearly scoped to selinux.

I'd at least:
- rename the security server functions from security_ to selinux_ to
avoid confusion/conflicts with LSM.
- rename ss_initialized to selinux_ss_initialized.
- rename the policydb and sidtab variables to selinux_policydb and
selinux_sidtab (and/or wrap them in a single container structure with a
single active policy pointer to it, with the intent of ultimately
refcounting it and introducing _get and _put functions).

Then you've got the generic data structures and their functions, like
hashtab_, symtab_, etc, which could either be taken to lib/ or given
selinux_ prefixes.

[5] We may wish to consider removing this restriction altogether, and/or making it subject to a permission check. Per-thread context can be useful for a multi-threaded server effectively acting as a userspace object manager but wanting to set the kernel context to avoid race conditions on file accesses, a la the samba file server case.

Known Bugs

Done

  • Finalize NFS binary mount support: ensure new hooks are called.
  • Review Netlink link creation API code for security hook coverage.
  • Remove obsolete object backpointers.
  • Fix context_struct_compute_av latency issue raised by Ingo Molnar (lkml post)
  • Better support for sys_splice and related syscalls
  • change Kconfig to use select instead of depends (eparis RH BZ#228899)
  • allow undefined classes and permissions in kernel (eparis RH BZ#235280)
  • explicitly set i_ino on all creations in selinuxfs (eparis RH BZ#235248)
  • Review sys_fallocate if/when it is merged
  • Labeling for forwarded traffic (done: HP)
  • security_file_permission callsite consolidation [1] (done: RH)
  • Add hook for filesystems with binary mount data per requests by fsdevel folk (done: RH)
  • add NFSv4 support for command line mount options. (done: RH)
  • Support for 64-bit capabilities (sds of the NSA)
  • Display LSM mount options in /proc/mounts (done: RH)
  • Permissive domains (done: RH).
  • printk prefixes and error message cleanup (done: RH)
  • open permission (done: RH)
  • security_port_sid optimization (done: HP, netport cache)
  • Normalize SELinux in-kernel API (obsolete: converted to LSM hooks)
  • Support for setting down unknown file contexts for package managers and filesystem restore (done: NSA, deferred mapping of contexts patch).
  • Finer-grained proc checking so that we don't require full ptrace permission just to read process state (done: NSA, split proc ptrace checking into read vs. attach).
  • Improve/fix ioctl checking (done: NSA, simplify ioctl checking).

[1] Provide a static inline helper for all FMODE_READ/FMODE_WRITE checks that also includes the corresponding security_file_permission() call, to help ensure that they always happen together in the future. Possibly even roll the rw_verify_area() checking into it as well.
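A userspace model of the helper described in note 1, added here as an example and not kernel or SELinux code: the open-mode check and the security hook are bundled in one function so a call site cannot perform one without the other. The struct file, the rule table, the labels and security_file_permission() are simplified stand-ins assumed for this example.

```c
/* Added example, not SELinux or kernel code: a userspace model of the
 * helper in note 1. struct file, labels and the hook are stand-ins. */
#include <errno.h>
#include <stddef.h>
#include <string.h>
#define FMODE_READ  0x1
#define FMODE_WRITE 0x2
#define MAY_WRITE   0x2
#define MAY_READ    0x4

struct file {                 /* stand-in for the kernel struct file */
    unsigned int f_mode;      /* how the file was opened */
    const char  *f_label;     /* hypothetical security label */
};

/* Hypothetical rule table standing in for the AVC lookup. */
static const struct { const char *label; int allowed; } policy[] = {
    { "etc_t",    MAY_READ },
    { "shadow_t", 0 },
    { "tmp_t",    MAY_READ | MAY_WRITE },
};
static int hook_calls;        /* counts hook invocations for the checks */

static int security_file_permission(const struct file *f, int mask)
{
    size_t i;
    hook_calls++;
    for (i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (strcmp(policy[i].label, f->f_label) == 0)
            return (policy[i].allowed & mask) == mask ? 0 : -EACCES;
    return -EACCES;           /* unknown label: deny */
}

/* The consolidated helper: FMODE check and security hook in one place,
 * so a call site cannot do the first and forget the second. */
static inline int file_check(const struct file *f, unsigned int fmode, int mask)
{
    if (!(f->f_mode & fmode))
        return -EBADF;        /* wrong open mode: fail before the hook */
    return security_file_permission(f, mask);
}

/* Runs one access attempt; returns 0 on success or a negative errno. */
static int try_access(const char *label, unsigned int mode, int want_write)
{
    struct file f = { mode, label };
    hook_calls = 0;
    return want_write ? file_check(&f, FMODE_WRITE, MAY_WRITE)
                      : file_check(&f, FMODE_READ, MAY_READ);
}
```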

Resources
