Kernel Development

From SELinux Wiki

Difference between revisions

Revision as of 01:44, 2 June 2008 by JamesMorris (edit summary: To Do List - security table)
Current revision as of 23:05, 20 April 2010 by JamesMorris (edit summary: To Do List)
(45 intermediate revisions not shown.)
Lines prefixed with "-" appear only in the 2 June 2008 revision, lines prefixed with "+" only in the current revision; unprefixed lines are unchanged context.

Line 1 (old) / Line 1 (new):
 == To Do List ==
-* Open code POLICY_RDLOCK and friends (per suggestion from akpm).
-* Investigate security policy for cgroups.
-* Labeling for loopback traffic (in progress HP).
-* Reduce memory usage of selinux structs: pahole (eparis RH BZ#235284)
-* Add a 'map' check on mmap and mprotect so that we can distinguish memory mapped access (since it has different implications for revocation).
-* btrfs support
-* Export current policy via selinuxfs so that it can be verified and analyzed.
-* cap_override class [2] (rfc patch posted, needs re-base and extension for 64-bit caps)
-* Compile out LSM hooks & allow SELinux to be linked directly.
-* Automate checking for new syscalls in kernels (-mm, -rc etc).
-* remove secondary module stacking code (eparis RH BZ#231890)
-* fine grained enforcement of sysfs objects (RH BZ#228902)
-* ditto for usbfs and other pseudo filesystems of interest
-* additional support of a security netfilter table for secmark/net forwarding (RH: merged to nf repo)
-* Namespacing of SELinux global functions and variables.
-* NFSv4 support (in progress)
-* Linux hv controls (in progress Tresys?)
-* Finer-grained proc checking so that we don't require full ptrace permission just to read process state (rfc patch posted).
-* Improve/fix ioctl checking (patch posted, being tested in Fedora) [4]
+* Fix error propagation for policydb_read to reflect actual errors rather than the default of -EINVAL.
+* Reduce SELinux memory footprint, both static and dynamic.
+* Improve scripts/selinux/mdp to generate a more useful minimal policy as a starting point. Also make it more flexible.
+* Dynamic discovery of initial SIDs, similar to dynamic discovery of classes/perms. Map kernel initial SIDs to policy initial SIDs by string name rather than requiring identical index values, handle unknown initial SIDs cleanly (map to unlabeled), and allow future extensibility without causing problems (start regular SIDs at some fixed offset, e.g. 100, or start from the highest legal value and decrement, so that policy reload that changes the number of initial SIDs won't affect them).
+* Distinguish access(2) from open(2) auditing (see https://bugzilla.redhat.com/show_bug.cgi?id=495211).
+* Audit hooks to ensure that we don't have any more cases where DAC can be weakened.
+* Fix the performance issue apparently related to syscall audit which Linus keeps whining about.
+* Add support for SCTP (see https://bugzilla.redhat.com/show_bug.cgi?id=517676).
+* Fix signal inheritance controls (possibly drop some or all, or only enforce in policy for certain domains).
+* UBIFS support.
+* Add LTP tests for recent kernel changes.
+* Eliminate the need for secondary_ops altogether by providing LSM support for reverting to the original (capability) security module.
+* Reduce size of critical sections and use of GFP_ATOMIC.
+* Investigate security policy for cgroups.
+* Add a 'map' check on mmap and mprotect so that we can distinguish memory mapped access (since it has different implications for revocation).
+* crfs ?
+* Automate checking for new syscalls in kernels (-mm, -rc etc).
+* fine-grained labeling for usbfs and other pseudo filesystems of interest
+* NFSv4 support (in progress)
 * Revoke memory-mapped file access upon policy change or setxattr.

Line 50 (old) / Line 51 (new):
 * CIFS support for single-context clients (also has xattrs & Karl says it's better than NFS).
-* Investigate integration with integrity measurement (in progress IBM and NSA)
 * Crypto policy for domains & object handling

Line 58 (old) / Line 57 (new):
 * Redo performance testing & profiling
-* Support for kernel namespaces: labeling and access controls on namespaces, per-namespace policy?
-* Similar support for chroots to support build systems?
 * Better controls for posix message queues (?)

Line 67 (old) / Line 62 (new):
 * move *mem permissions to new memprotect class. Bump policy version.
-* discovery of class and permission offsets [3]
-* better support for FS whose labelling behaviour is not specified in policy. If nothing from policy just test for xattr support and use it if it is there.
+* better support for FS whose labelling behaviour is not specified in policy. If nothing from policy just test for xattr support and use it if it is there (RH in progress, patch reverted due to fuse deadlocks).
+* memory leak detector pops on policy reload. probably due to {new,old}policydb being on stack and memcpy'd into the data section policydb (aka probably false positive)
+* better validation of classes/perms on policy reload. Warn if any permissions are defined in a kernel class in the policy that are not defined in the kernel's classmap.
 Notes:
-[2] Allow SELinux to selectively grant capabilities authoritatively based on SELinux domain. Executables could be made privileged w/o needing to be setuid root, all via SELinux without needing yet another mechanism like file capabilities. Eliminate the need for filesystem capabilities support (which will be a nightmare to manage, as they are per-file bitmaps vs. per-type access vectors).
-[3] Make the hooks/avc layer request class/perm offsets from security server so that static offsets are no longer necessary and obsolete kernel classes can be purged.
-[4] "replacing the default case in selinux_file_ioctl with a simple test of _IOC_DIR(cmd) as in Smack, mapping to FILE__WRITE and/or FILE__READ accordingly."
-
-== Known Bugs ==
-
-== Done ==
-* Finalize NFS binary mount support: ensure new hooks are called.
-* Review Netlink link creation API code for security hook coverage.
-* Remove obsolete object backpointers.
-* Fix context_struct_compute_av latency issue raised by Ingo Molnar (lkml post: http://marc.info/?l=linux-kernel&m=118095653422494&w=2)
-* Better support for sys_splice and related syscalls
-* change Kconfig to use select instead of depends (eparis RH BZ# 228899)
-* allow undefined classes and permissions in kernel (eparis RH BZ#235280)
-* explicitly set i_ino on all creations in selinuxfs (eparis RH BZ#235248)
-* Review sys_fallocate if/when it is merged
-* Labeling for forwarded traffic (done: HP)
-* security_file_permission callsite consolidation [1] (done: RH)
-* Add hook for filesystems with binary mount data per requests by fsdevel folk (done: RH)
-* add NFSv4 support for command line mount options. (done: RH)
-* Support for 64-bit capabilities (sds of the NSA)
-* Display LSM mount options in /proc/mounts (done: RH)
-* Permissive domains (done: RH).
-* printk prefixes and error message cleanup (done: RH)
-* open permission (done: RH)
-* security_port_sid optimization (done: HP, netport cache)
-* Normalize SELinux in-kernel API (obsolete: converted to LSM hooks)
-* Support for setting down unknown file contexts for package managers and filesystem restore (done: NSA, deferred mapping of contexts patch)
-[1] Provide a static inline helper for all FMODE_READ/FMODE_WRITE checks that also includes the corresponding security_file_permission() call to help ensure that they always happen together in the future. Possibly even rolling up rw_verify_area() checking as well into it.
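Note 4 in the diff above quotes the proposal to derive the permission for an otherwise unhandled ioctl from the direction bits of the command number. The following is an added user-space model of that rule, not code from the SELinux tree: the _IOC_* macros reproduce the layout of the kernel's asm-generic/ioctl.h, while the FILE__* bit values, the function name ioctl_required_av() and the sample command numbers are assumptions made for this illustration.

```c
/* Added example (user-space model, not SELinux kernel code): the ioctl
 * permission mapping quoted in note 4. The _IOC_* macros reproduce the
 * kernel's asm-generic/ioctl.h layout; the FILE__* bit values and the
 * function name are assumptions for illustration only. */
#include <stdio.h>

/* ioctl number layout (asm-generic/ioctl.h): dir:2 | size:14 | type:8 | nr:8 */
#define _IOC_NRSHIFT   0
#define _IOC_TYPESHIFT 8
#define _IOC_SIZESHIFT 16
#define _IOC_DIRSHIFT  30
#define _IOC_NONE  0U
#define _IOC_WRITE 1U
#define _IOC_READ  2U
#define _IOC(dir, type, nr, size) \
    (((unsigned int)(dir) << _IOC_DIRSHIFT) | ((unsigned int)(type) << _IOC_TYPESHIFT) | \
     ((unsigned int)(nr) << _IOC_NRSHIFT) | ((unsigned int)(size) << _IOC_SIZESHIFT))
#define _IO(type, nr)         _IOC(_IOC_NONE, (type), (nr), 0)
#define _IOR(type, nr, size)  _IOC(_IOC_READ, (type), (nr), (size))
#define _IOW(type, nr, size)  _IOC(_IOC_WRITE, (type), (nr), (size))
#define _IOWR(type, nr, size) _IOC(_IOC_READ | _IOC_WRITE, (type), (nr), (size))
#define _IOC_DIR(nr) (((nr) >> _IOC_DIRSHIFT) & 3U)

/* Assumed file-class access-vector bits. The real values are generated into
 * the kernel's permission tables and differ from these. */
#define FILE__READ  0x01U
#define FILE__WRITE 0x02U
#define FILE__IOCTL 0x04U

/* What note 4 proposes for the default case of selinux_file_ioctl():
 * _IOC_WRITE means the caller passes data in to the driver, so require
 * FILE__WRITE; _IOC_READ means the driver hands data back, so require
 * FILE__READ. A command whose number encodes no direction gives nothing to
 * infer from, so the generic FILE__IOCTL permission is kept for it. */
unsigned int ioctl_required_av(unsigned int cmd)
{
    unsigned int dir = _IOC_DIR(cmd);
    unsigned int av = 0;

    if (dir & _IOC_WRITE)
        av |= FILE__WRITE;
    if (dir & _IOC_READ)
        av |= FILE__READ;
    return av ? av : FILE__IOCTL;
}

int main(void)
{
    /* Constructed commands in a made-up ioctl type 'X', plus TIOCGWINSZ
     * (0x5413 on x86), a pre-_IOC tty number whose direction bits are zero. */
    unsigned int cmds[] = {
        _IOR('X', 1, 8), _IOW('X', 2, 4), _IOWR('X', 3, 4), _IO('X', 4), 0x5413U
    };
    size_t i;

    for (i = 0; i < sizeof cmds / sizeof cmds[0]; i++)
        printf("cmd 0x%08x dir %u -> av 0x%x\n",
               cmds[i], _IOC_DIR(cmds[i]), ioctl_required_av(cmds[i]));
    return 0;
}
```

The caveat a reviewer would raise is visible in the last sample: the direction bits are only as trustworthy as the driver that chose the number. Legacy numbers such as the tty set carry no direction at all, and plenty of drivers encode _IOC_NONE or the wrong direction, so the mapping collapses back to FILE__IOCTL exactly where a finer check would be most useful. The SELinux default case kept FILE__IOCTL; the later extended-permission mechanism restricts individual command numbers instead of inferring intent from their encoding.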

Current revision

To Do List

  • Fix error propagation for policydb_read to reflect actual errors rather than the default of -EINVAL.
  • Reduce SELinux memory footprint, both static and dynamic.
  • Improve scripts/selinux/mdp to generate a more useful minimal policy as a starting point. Also make it more flexible.
  • Dynamic discovery of initial SIDs, similar to dynamic discovery of classes/perms. Map kernel initial SIDs to policy initial SIDs by string name rather than requiring identical index values, handle unknown initial SIDs cleanly (map to unlabeled), and allow future extensibility without causing problems (start regular SIDs at some fixed offset, e.g. 100, or start from the highest legal value and decrement, so that policy reload that changes the number of initial SIDs won't affect them).
  • Distinguish access(2) from open(2) auditing (see https://bugzilla.redhat.com/show_bug.cgi?id=495211).

  • Audit hooks to ensure that we don't have any more cases where DAC can be weakened.
  • Fix the performance issue apparently related to syscall audit which Linus keeps whining about.
  • Add support for SCTP (see https://bugzilla.redhat.com/show_bug.cgi?id=517676).
  • Fix signal inheritance controls (possibly drop some or all, or only enforce in policy for certain domains).
  • UBIFS support.
  • Add LTP tests for recent kernel changes.
  • Eliminate the need for secondary_ops altogether by providing LSM support for reverting to the original (capability) security module.
  • Reduce size of critical sections and use of GFP_ATOMIC.
  • Investigate security policy for cgroups.
  • Add a 'map' check on mmap and mprotect so that we can distinguish memory mapped access (since it has different implications for revocation).
  • crfs ?
  • Automate checking for new syscalls in kernels (-mm, -rc etc).
  • fine-grained labeling for usbfs and other pseudo filesystems of interest
  • NFSv4 support (in progress)
  • Revoke memory-mapped file access upon policy change or setxattr.
  • Real device labeling and access control (i.e. bind a label to a device in the kernel irrespective of what device node is used to access it, so that a process that can create any device nodes at all can't effectively bypass all device access controls just by creating an arbitrary node to any device in a type accessible to it).
  • Full APIs for getting and setting security contexts of sockets and IPC objects. Ensure that socket context is kept consistent on socket inode and sock structures when changed.
  • Polyinstantiated ports
  • Increased granularity for Generic Netlink
  • CIFS support for single-context clients (also has xattrs & Karl says it's better than NFS).
  • Crypto policy for domains & object handling
  • Expand LTP into a full regression test suite for every permission & class
  • Redo performance testing & profiling
  • Better controls for posix message queues (?)
  • move *mem permissions to new memprotect class. Bump policy version.
  • better support for FS whose labelling behaviour is not specified in policy. If nothing from policy just test for xattr support and use it if it is there (RH in progress, patch reverted due to fuse deadlocks).
  • memory leak detector pops on policy reload. probably due to {new,old}policydb being on stack and memcpy'd into the data section policydb (aka probably false positive)
  • better validation of classes/perms on policy reload. Warn if any permissions are defined in a kernel class in the policy that are not defined in the kernel's classmap.
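The initial-SID item above describes mapping kernel initial SIDs to policy initial SIDs by name, sending unknown names to unlabeled, and starting regular SIDs at a fixed offset so that a reload cannot shift them. This added example models that scheme in user space; it is not SELinux kernel code. Both SID tables are constructed, and the 1-based SID numbering, SID_OFFSET and the function names map_initial_sids() and mapped_sid_for() are assumptions.

```c
/* Added example (user-space model, not SELinux kernel code): name-based
 * initial-SID mapping with a fixed offset for regular SIDs, as proposed in
 * the to-do list. Tables, numbering, SID_OFFSET and names are assumptions. */
#include <stdio.h>
#include <string.h>

/* Regular SIDs are handed out from here upward, so a policy reload that
 * declares more or fewer initial SIDs cannot collide with SIDs already in
 * use (assumes no policy declares anywhere near SID_OFFSET initial SIDs). */
#define SID_OFFSET 100u

/* The kernel's initial SIDs, in kernel order (constructed subset). */
static const char *const kernel_isids[] = { "kernel", "unlabeled", "file", "port", "netif" };
#define NUM_KERNEL_ISIDS (sizeof kernel_isids / sizeof kernel_isids[0])

/* The same SIDs as one policy declares them: different order, "netif"
 * missing, and one name ("legacy_isid") the running kernel has never seen. */
static const char *const policy_isids[] = { "unlabeled", "kernel", "port", "file", "legacy_isid" };
#define NUM_POLICY_ISIDS (sizeof policy_isids / sizeof policy_isids[0])

/* Index of name in table, or -1 when absent. */
static int lookup(const char *const *table, size_t n, const char *name)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (strcmp(table[i], name) == 0)
            return (int)i;
    return -1;
}

/* Fill map[i] with the SID the kernel must use for its initial SID i, where
 * the policy's initial SIDs are numbered 1..npolicy in declaration order
 * (SID 0 stays reserved). Names the policy lacks map to its unlabeled SID
 * instead of failing the load. Returns how many kernel SIDs fell back to
 * unlabeled, or -1 if the policy defines no unlabeled SID at all, which
 * makes it unusable. */
int map_initial_sids(const char *const *kernel, size_t nkernel,
                     const char *const *policy, size_t npolicy,
                     unsigned int map[])
{
    int unlabeled = lookup(policy, npolicy, "unlabeled");
    int fallbacks = 0;
    size_t i;

    if (unlabeled < 0)
        return -1;
    for (i = 0; i < nkernel; i++) {
        int idx = lookup(policy, npolicy, kernel[i]);
        if (idx < 0) {
            fprintf(stderr, "initial SID %s not in policy, using unlabeled\n", kernel[i]);
            idx = unlabeled;
            fallbacks++;
        }
        map[i] = (unsigned int)idx + 1;
    }
    return fallbacks;
}

/* The policy SID for the kernel initial SID called name, using the constructed
 * tables; 0 when name is not a kernel initial SID or the policy is unusable. */
unsigned int mapped_sid_for(const char *name)
{
    unsigned int map[NUM_KERNEL_ISIDS];
    int idx = lookup(kernel_isids, NUM_KERNEL_ISIDS, name);

    if (idx < 0 || map_initial_sids(kernel_isids, NUM_KERNEL_ISIDS,
                                    policy_isids, NUM_POLICY_ISIDS, map) < 0)
        return 0;
    return map[idx];
}

int main(void)
{
    size_t i;
    for (i = 0; i < NUM_KERNEL_ISIDS; i++)
        printf("%-10s -> policy SID %u\n", kernel_isids[i], mapped_sid_for(kernel_isids[i]));
    printf("regular SIDs start at %u\n", SID_OFFSET);
    return 0;
}
```

Mapping by name is what makes the extra "legacy_isid" harmless: the kernel never asks for it, so its position in the policy table changes nothing. The one hard failure is a policy with no unlabeled SID, since there is then nothing safe to fall back to.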
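The last item above asks for a warning when a policy defines, for a kernel class, a permission that the kernel's classmap does not know. This added example (not SELinux kernel code) runs that check over constructed tables: the classmap subset, the policy class definitions and the function name validate_policy_class() are assumptions, and the real map in security/selinux/include/classmap.h is far larger. Permissions the kernel knows but the policy omits are not flagged, following the item's wording.

```c
/* Added example (user-space model, not SELinux kernel code): warn about
 * policy permissions unknown to the kernel for a kernel-enforced class.
 * The classmap subset and policy definitions are constructed. */
#include <stdio.h>
#include <string.h>

#define MAX_PERMS 8

struct class_def {
    const char *name;
    const char *perms[MAX_PERMS + 1];   /* NULL-terminated */
};

/* Kernel classmap: permissions the kernel itself enforces per class
 * (constructed subset; a NULL name ends the table). */
static const struct class_def kernel_classmap[] = {
    { "file",   { "read", "write", "open", "ioctl", "getattr", NULL } },
    { "socket", { "bind", "connect", "listen", NULL } },
    { NULL,     { NULL } }
};

static const struct class_def *kernel_class(const char *name)
{
    const struct class_def *c;
    for (c = kernel_classmap; c->name; c++)
        if (strcmp(c->name, name) == 0)
            return c;
    return NULL;
}

static int has_perm(const struct class_def *c, const char *perm)
{
    size_t i;
    for (i = 0; c->perms[i]; i++)
        if (strcmp(c->perms[i], perm) == 0)
            return 1;
    return 0;
}

/* Validate one class as the policy defines it against the kernel classmap.
 * Returns the number of policy permissions the kernel does not know (each is
 * reported), or 0 for a userspace-only class the kernel never enforces, which
 * has nothing to validate. */
int validate_policy_class(const struct class_def *pol)
{
    const struct class_def *k = kernel_class(pol->name);
    int unknown = 0;
    size_t i;

    if (!k)
        return 0;
    for (i = 0; pol->perms[i]; i++) {
        if (!has_perm(k, pol->perms[i])) {
            fprintf(stderr, "SELinux: permission %s in class %s not defined in kernel\n",
                    pol->perms[i], pol->name);
            unknown++;
        }
    }
    return unknown;
}

/* Constructed policy classes: one clean, one carrying a stale permission the
 * kernel does not have, and one userspace class (dbus) the kernel never sees. */
static const struct class_def policy_file   = { "file",   { "read", "write", "open", NULL } };
static const struct class_def policy_socket = { "socket", { "bind", "connect", "swapon", NULL } };
static const struct class_def policy_dbus   = { "dbus",   { "acquire_svc", "send_msg", NULL } };

/* Total unknown permissions across the constructed policy. */
int check_constructed_policy(void)
{
    return validate_policy_class(&policy_file)
         + validate_policy_class(&policy_socket)
         + validate_policy_class(&policy_dbus);
}

int main(void)
{
    printf("unknown kernel-class permissions in policy: %d\n", check_constructed_policy());
    return 0;
}
```

A non-zero count is a warning, not a load failure: such a permission can never be checked by this kernel, so rules granting it are dead weight, but refusing the policy would turn a harmless mismatch into an unbootable system.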

Resources