Difference between revisions of "Kernel Development"

From SELinux Wiki
(Added new syscall checking)
(To Do List)
 
(113 intermediate revisions by 5 users not shown)
Line 1: Line 1:
 
== To Do List ==
 
== To Do List ==
  
* Add hook for filesystems with binary mount data (per requests by fsdevel folk)
+
* Fix error propagation for policydb_read to reflect actual errors rather than the default of -EINVAL.
+
* Fix performance issue with ephemeral port binding & high connection rate.  
+
  
* Compile out LSM hooks & allow SELinux to be linked directly.
+
* Reduce SELinux memory footprint, both static and dynamic.
  
* Automate checking for new syscalls in kernels (-mm, -rc etc).
+
* Improve scripts/selinux/mdp to generate a more useful minimal policy as a starting point.  Also make it more flexible.
  
* change Kconfig to use select instead of depends (eparis RH BZ# 228899)
+
* Dynamic discovery of initial SIDs, similar to dynamic discovery of classes/perms.  Map kernel initial SIDs to policy initial SIDs by string name rather than requiring identical index values, handle unknown initial SIDs cleanly (map to unlabeled), and allow future extensibility without causing problems (start regular SIDs at some fixed offset, e.g. 100, or start from the highest legal value and decrement, so that policy reload that changes the number of initial SIDs won't affect them).
  
* remove secondary module stacking code (eparis RH BZ#231890)
+
* Distinguish access(2) from open(2) auditing (see
 +
https://bugzilla.redhat.com/show_bug.cgi?id=495211).
  
* security_port_sid needs optimization (eparis RH BZ#234531)
+
* Audit hooks to ensure that we don't have any more cases where DAC can be weakened.
  
* explicitly set i_ino on all creations in selinuxfs (eparis RH BZ#235248)
+
* Fix the performance issue apparently related to syscall audit which Linus keeps whining about.
  
* allow undefined classes and permissions in kernel (eparis RH BZ#235280)
+
* Add support for SCTP (see https://bugzilla.redhat.com/show_bug.cgi?id=517676).
  
* Reduce memory usage of selinux structs (eparis RH BZ#235284)
+
* Fix signal inheritance controls (possibly drop some or all, or only enforce in policy for certain domains).
  
* fine grained enforcement of sysfs objects (RH BZ#228902)
+
* UBIFS support.
  
* labeled net needs better passing of labels over loopback
+
* Add LTP tests for recent kernel changes.
  
* additional support of a security netfilter table for secmark/net forwarding
+
* Eliminate the need for secondary_ops altogether by providing LSM support for reverting to the original (capability) security module.
  
* Normalize the SELinux in-kernel API.
+
* Reduce size of critical sections and use of GFP_ATOMIC.
  
* Namespacing of SELinux global functions and variables.
+
* Investigate security policy for cgroups.  
  
* NFSv4 support
+
* Add a 'map' check on mmap and mprotect so that we can distinguish memory mapped access (since it has different implications for revocation).
  
* KVM controls
+
* crfs ?
  
* Finer-grained proc checking (so that we don't require full ptrace permission just to read process state),
+
* Automate checking for new syscalls in kernels (-mm, -rc etc).
 +
 
 +
* fine-grained labeling for usbfs and other pseudo filesystems of interest
  
* Improve/fix ioctl checking (see prior discussions on selinux and linux-security-module list),
+
* NFSv4 support (in progress)
  
 
* Revoke memory-mapped file access upon policy change or setxattr.
 
* Revoke memory-mapped file access upon policy change or setxattr.
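Review bot: the added item "Distinguish access(2) from open(2) auditing (see" is cut off from its bugzilla URL by a paragraph break, so the URL renders as a separate paragraph outside the bullet (the rendered revision further down shows exactly that); keep the URL on the same line as the bullet, as the SCTP item does. Also note that "Automate checking for new syscalls in kernels (-mm, -rc etc)." appears on both sides of this hunk, so it was moved rather than added or resolved; since the edit summary says "Added new syscall checking", the item should either point at the check that was added or be dropped.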
Line 43: Line 44:
 
* Real device labeling and access control (i.e. bind a label to a device in the kernel irrespective of what device node is used to access it so that a process that can create any device nodes at all can't effectively bypass all device access controls just by creating an arbitrary node to any device in a type accessible to it),
 
* Real device labeling and access control (i.e. bind a label to a device in the kernel irrespective of what device node is used to access it so that a process that can create any device nodes at all can't effectively bypass all device access controls just by creating an arbitrary node to any device in a type accessible to it),
  
* Full APIs for getting and setting security contexts of sockets and IPC objects.
+
* Full APIs for getting and setting security contexts of sockets and IPC objects.  Ensure that socket context is kept consistent on socket inode and sock structures when changed.
  
 
* Polyinstantiated ports
 
* Polyinstantiated ports
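Review bot: the reworded "Full APIs for getting and setting security contexts of sockets and IPC objects" item now bundles a second requirement (keeping the socket inode and sock structures consistent on change); split that into its own bullet so the two can be tracked and closed independently. Minor: the unchanged "Real device labeling and access control" line still ends with a comma rather than a period.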
Line 49: Line 50:
 
* Increased granularity for Generic Netlink
 
* Increased granularity for Generic Netlink
  
* Better support for sys_splice and related syscalls
+
* CIFS support for single-context clients (also has xattrs & Karl says it's better than NFS).
  
* Review sys_fallocate if/when it is merged
+
* Crypto policy for domains & object handling
  
* CIFS support for single-context clients
+
* Expand LTP as a full regression testuite for every permission & class
  
* lhype controls (investigate & compare with KVM controls)
+
* Redo performance testing & profiling
  
* Investigate integration with integrity & measurement
+
* Better controls for posix message queues (?)
  
* Crypto policy for domains & object handling
+
* move *mem permissions to new memprotect class.  Bump policy version.
  
* Expand LTP as a full regression testuite for every permission & class
+
* better support for FS whose labelling behaviour is not specified in policy.  If nothing from policy just test for xattr support and use it if it is there (RH in progress, patch reverted due to fuse deadlocks).
  
* Convert sk_callback_lock to RCU
+
* memory leak detector pops on policy reload.  probably due to {new,old}policydb being on stack and memcpy'd into the data section policydb (aka probably false positive)
  
* Redo performance testing & profiling
+
* better validation of classes/perms on policy reload.  Warn if any permissions are defined in a kernel class in the policy that are not defined in the kernel's classmap.
  
* Support for kernel namespaces
+
''Notes:''
 
+
<p>
* Better controls for posix message queues (?)
+
</p>
  
== Known Bugs ==
+
== Resources ==
* exporting nfs with the nohide options causes problems on ia64 clients (struct nfs_mount_data corruption)
+
  
 +
* [[Adding New Permissions]] How to add a new permission to SELinux
  
== IRC Channel ==
+
* [http://www.kerneloops.org/searchfile.php?search=security%2Fselinux kerneloops.org] oopses relating to SELinux.
* irc.oftc.net  #selinux-kernel
+
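Review bot: the new ''Notes:'' section has no content (it only carries an empty <p></p> pair); either add the notes or leave the heading out until there is something to say. Dropping both the Known Bugs entry (nfs nohide on ia64 clients) and the IRC channel line leaves the page without a pointer to where bugs are tracked or where to ask; if the new Resources list is meant to replace them, a bug-tracker link belongs there next to kerneloops.org. The "testuite" typo in the "Expand LTP" item is carried over from the old side and should read "test suite".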

Latest revision as of 23:05, 20 April 2010

To Do List

  • Fix error propagation for policydb_read to reflect actual errors rather than the default of -EINVAL.
  • Reduce SELinux memory footprint, both static and dynamic.
  • Improve scripts/selinux/mdp to generate a more useful minimal policy as a starting point. Also make it more flexible.
  • Dynamic discovery of initial SIDs, similar to dynamic discovery of classes/perms. Map kernel initial SIDs to policy initial SIDs by string name rather than requiring identical index values, handle unknown initial SIDs cleanly (map to unlabeled), and allow future extensibility without causing problems (start regular SIDs at some fixed offset, e.g. 100, or start from the highest legal value and decrement, so that policy reload that changes the number of initial SIDs won't affect them).
  • Distinguish access(2) from open(2) auditing (see https://bugzilla.redhat.com/show_bug.cgi?id=495211).

  • Audit hooks to ensure that we don't have any more cases where DAC can be weakened.
  • Fix the performance issue apparently related to syscall audit which Linus keeps whining about.
  • Fix signal inheritance controls (possibly drop some or all, or only enforce in policy for certain domains).
  • UBIFS support.
  • Add LTP tests for recent kernel changes.
  • Eliminate the need for secondary_ops altogether by providing LSM support for reverting to the original (capability) security module.
  • Reduce size of critical sections and use of GFP_ATOMIC.
  • Investigate security policy for cgroups.
  • Add a 'map' check on mmap and mprotect so that we can distinguish memory mapped access (since it has different implications for revocation).
  • crfs ?
  • Automate checking for new syscalls in kernels (-mm, -rc etc).
  • fine-grained labeling for usbfs and other pseudo filesystems of interest
  • NFSv4 support (in progress)
  • Revoke memory-mapped file access upon policy change or setxattr.
  • Real device labeling and access control (i.e. bind a label to a device in the kernel irrespective of what device node is used to access it, so that a process that can create any device nodes at all can't effectively bypass all device access controls just by creating an arbitrary node to any device in a type accessible to it).
  • Full APIs for getting and setting security contexts of sockets and IPC objects. Ensure that socket context is kept consistent on socket inode and sock structures when changed.
  • Polyinstantiated ports
  • Increased granularity for Generic Netlink
  • CIFS support for single-context clients (also has xattrs & Karl says it's better than NFS).
  • Crypto policy for domains & object handling
  • Expand LTP as a full regression test suite for every permission & class
  • Redo performance testing & profiling
  • Better controls for posix message queues (?)
  • move *mem permissions to new memprotect class. Bump policy version.
  • better support for FS whose labelling behaviour is not specified in policy. If nothing from policy just test for xattr support and use it if it is there (RH in progress, patch reverted due to fuse deadlocks).
  • memory leak detector pops on policy reload. probably due to {new,old}policydb being on stack and memcpy'd into the data section policydb (aka probably false positive)
  • better validation of classes/perms on policy reload. Warn if any permissions are defined in a kernel class in the policy that are not defined in the kernel's classmap.
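Two of the items above describe policy-load behaviour concretely enough to model in code: resolving the kernel's initial SIDs by name (with unknown ones mapped to unlabeled and regular SIDs starting at a fixed offset), and warning on reload when the policy defines a permission on a kernel class that the kernel's classmap lacks. The C below is an added example written for this page, not code from the SELinux kernel tree; the SID tables, class tables, contexts, constants (KSID_UNLABELED, REGULAR_SID_BASE) and function names are all constructed assumptions that stand in for the kernel's real structures.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not kernel code: every table, name and context below is a
 * constructed sample, and the functions are stand-ins for the kernel's own. */
static const char *const kernel_isids[] = { "kernel", "unlabeled", "fs", "file", "netif" };
#define KERNEL_NUM_ISIDS (sizeof(kernel_isids) / sizeof(kernel_isids[0]))
#define KSID_UNLABELED   1U    /* index of "unlabeled" in the kernel's own order */
#define REGULAR_SID_BASE 100U  /* first non-initial SID, as the item suggests */

/* What the loaded policy declares, in the policy's order: "file"/"fs" are swapped
 * relative to the kernel, "any_socket" is unknown to it, "netif" is missing. */
struct policy_isid { const char *name; const char *context; };
static const struct policy_isid policy_isids[] = {
	{ "kernel",     "system_u:system_r:kernel_t" },
	{ "unlabeled",  "system_u:object_r:unlabeled_t" },
	{ "file",       "system_u:object_r:file_t" },
	{ "fs",         "system_u:object_r:fs_t" },
	{ "any_socket", "system_u:object_r:unconfined_t" },
};
#define POLICY_NUM_ISIDS (sizeof(policy_isids) / sizeof(policy_isids[0]))
static const char *isid_context[KERNEL_NUM_ISIDS]; /* kernel SID index -> context */

static const char *policy_lookup_isid(const char *name)
{
	for (size_t i = 0; i < POLICY_NUM_ISIDS; i++)
		if (strcmp(policy_isids[i].name, name) == 0)
			return policy_isids[i].context;
	return NULL;
}

/* Resolve each kernel initial SID by name, never by index.  Kernel SIDs the policy
 * does not name get the unlabeled context; policy SIDs the kernel does not know are
 * ignored.  Returns the fallback count, or -1 if the policy lacks "unlabeled". */
int map_initial_sids(void)
{
	const char *unlabeled = policy_lookup_isid(kernel_isids[KSID_UNLABELED]);
	int fallbacks = 0;
	if (!unlabeled)
		return -1;
	for (size_t i = 0; i < KERNEL_NUM_ISIDS; i++) {
		const char *ctx = policy_lookup_isid(kernel_isids[i]);
		if (!ctx) {
			printf("initial SID '%s' not in policy, using unlabeled\n", kernel_isids[i]);
			ctx = unlabeled;
			fallbacks++;
		}
		isid_context[i] = ctx;
	}
	return fallbacks;
}

/* Regular SIDs start at a fixed offset, so a reload that changes the number of
 * initial SIDs cannot collide with SIDs already handed out. */
unsigned int alloc_regular_sid(unsigned int *next)
{
	if (*next < REGULAR_SID_BASE)
		*next = REGULAR_SID_BASE;
	return (*next)++;
}

/* Reload-time class check: warn about every permission the policy defines on a
 * kernel class that the kernel's classmap lacks.  Userspace-only classes such as
 * "db_table" are skipped; a policy with fewer perms than the kernel is left alone. */
struct class_def { const char *name; const char *const *perms; size_t nperms; };
static const char *const k_file[] = { "read", "write", "open", "execute" };
static const char *const k_process[] = { "fork", "transition", "signal" };
static const struct class_def kernel_classmap[] = { { "file", k_file, 4 }, { "process", k_process, 3 } };
#define KERNEL_NUM_CLASSES (sizeof(kernel_classmap) / sizeof(kernel_classmap[0]))
static const char *const p_file[] = { "read", "write", "open", "execute", "mmap" };
static const char *const p_process[] = { "fork", "transition" };
static const char *const p_db[] = { "select", "insert" };
static const struct class_def policy_classes[] = {
	{ "file", p_file, 5 }, { "process", p_process, 2 }, { "db_table", p_db, 2 } };

static int class_has_perm(const struct class_def *c, const char *perm)
{
	for (size_t i = 0; i < c->nperms; i++)
		if (strcmp(c->perms[i], perm) == 0)
			return 1;
	return 0;
}

int validate_policy_classes(const struct class_def *pol, size_t npol)
{
	int warnings = 0;
	for (size_t i = 0; i < npol; i++)
		for (size_t k = 0; k < KERNEL_NUM_CLASSES; k++) {
			if (strcmp(kernel_classmap[k].name, pol[i].name) != 0)
				continue; /* not this kernel class, or not a kernel class at all */
			for (size_t p = 0; p < pol[i].nperms; p++)
				if (!class_has_perm(&kernel_classmap[k], pol[i].perms[p])) {
					printf("warning: policy defines %s:%s, unknown to this kernel\n",
					       pol[i].name, pol[i].perms[p]);
					warnings++;
				}
		}
	return warnings;
}
```

With the sample tables, map_initial_sids() binds "fs" and "file" correctly despite the differing order, maps "netif" to the unlabeled context (one fallback), and ignores "any_socket"; validate_policy_classes() raises exactly one warning, for file:mmap, while leaving the userspace db_table class and the policy's shorter process class alone. Because regular SIDs are allocated from REGULAR_SID_BASE rather than from the end of the initial-SID table, a later reload that adds or drops initial SIDs leaves already-issued SIDs untouched.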

Notes:

Resources