Difference between revisions of "Kernel Development"

From SELinux Wiki

Revision as of 15:03, 27 May 2009

To Do List

  • Add support for SCTP. [8]
  • Fix signal inheritance controls (possibly drop some or all, or only enforce in policy for certain domains).
  • UBIFS support.
  • Add LTP tests for recent kernel changes.
  • Eliminate the need for secondary_ops altogether by providing LSM support for reverting to the original (capability) security module.
  • avc_init() calls kmem_cache_create() but this is not freed if we call selinux_disable() from init.
  • Reduce size of critical sections and use of GFP_ATOMIC.
  • Investigate security policy for cgroups.
  • Add a 'map' check on mmap and mprotect so that we can distinguish memory mapped access (since it has different implications for revocation).
  • crfs ?
  • cap_override class [2] (rfc patch posted, needs re-base and extension for 64-bit caps)
  • Compile out LSM hooks & allow SELinux to be linked directly.
  • Automate checking for new syscalls in kernels (-mm, -rc etc).
  • Fine grained enforcement of sysfs objects (RH BZ#228902)
  • Ditto for usbfs and other pseudo filesystems of interest
  • Additional support of a security netfilter table for secmark/net forwarding (RH: merged to nf repo)
  • Namespacing of SELinux global functions and variables. [4]
  • NFSv4 support (in progress)
  • Revoke memory-mapped file access upon policy change or setxattr.
  • Real device labeling and access control (i.e. bind a label to a device in the kernel irrespective of what device node is used to access it, so that a process that can create any device nodes at all can't effectively bypass all device access controls just by creating an arbitrary node to any device in a type accessible to it).
  • Full APIs for getting and setting security contexts of sockets and IPC objects. Ensure that socket context is kept consistent on socket inode and sock structures when changed.
  • Polyinstantiated ports
  • Increased granularity for Generic Netlink
  • CIFS support for single-context clients (also has xattrs & Karl says it's better than NFS).
  • Investigate integration with integrity measurement (in progress: IBM and NSA)
  • Crypto policy for domains & object handling
  • Expand LTP as a full regression test suite for every permission & class
  • Redo performance testing & profiling
  • Better controls for posix message queues (?)
  • Move *mem permissions to new memprotect class. Bump policy version.
  • Discovery of class and permission offsets [3]
  • Better support for FS whose labelling behaviour is not specified in policy. If nothing from policy, just test for xattr support and use it if it is there (RH in progress, patch reverted due to ntfs deadlocks).
  • Memory leak detector pops on policy reload, probably due to {new,old}policydb being on stack and memcpy'd into the data section policydb (aka probably false positive).

Notes:

[2] Allow SELinux to selectively grant capabilities authoritatively based on SELinux domain. Executables could be made privileged w/o needing to be setuid root, all via SELinux without needing yet another mechanism like file capabilities. Eliminate the need for filesystem capabilities support (which will be a nightmare to manage, as they are per-file bitmaps vs. per-type access vectors).

[3] Make the hooks/avc layer request class/perm offsets from security server so that static offsets are no longer necessary and obsolete kernel classes can be purged.

[4] We have a lot of global functions and variables, some with no prefix at all, some with prefixes that are not clearly scoped to selinux.

I'd at least:
- rename the security server functions from security_ to selinux_ to avoid confusion/conflicts with LSM.
- rename ss_initialized to selinux_ss_initialized.
- rename the policydb and sidtab variables to selinux_policydb and selinux_sidtab (and/or wrap them in a single container structure with a single active policy pointer to it, with the intent of ultimately refcounting it and introducing _get and _put functions).

Then you've got the generic data structures and their functions, like hashtab_, symtab_, etc, which could either be taken to lib/ or given selinux_ prefixes.

[8] ml post

Done

  • Reduce memory usage of selinux structs: pahole (eparis RH BZ#235284)
  • Remove secondary module stacking code (eparis RH BZ#231890)
  • Labeling for loopback traffic [HP].
  • Remove load_mutex mutex. [RH]
  • Open code POLICY_RDLOCK and friends (per suggestion from akpm) [RH]
  • drop selinux_inode*killpriv, selinux_task*setuid and selinux_task_prctl since the hooks will default to the capability functions if SELinux doesn't define them. [RH]
  • Remove all unnecessary secondary_ops calls that have no corresponding capability hook (legacy of old attempts to support other security modules as secondary) [RH]
  • Finalize NFS binary mount support: ensure new hooks are called.
  • Review Netlink link creation API code for security hook coverage.
  • Remove obsolete object backpointers.
  • Fix context_struct_compute_av latency issue raised by Ingo Molnar (lkml post)
  • Better support for sys_splice and related syscalls
  • change Kconfig to use select instead of depends (eparis RH BZ# 228899)
  • allow undefined classes and permissions in kernel (eparis RH BZ#235280)
  • explicitly set i_ino on all creations in selinuxfs (eparis RH BZ#235248)
  • Review sys_fallocate if/when it is merged
  • Labeling for forwarded traffic (done: HP)
  • security_file_permission callsite consolidation [1] (done: RH)
  • Add hook for filesystems with binary mount data per requests by fsdevel folk (done: RH)
  • add NFSv4 support for command line mount options. (done: RH)
  • Support for 64-bit capabilities (sds of the NSA)
  • Display LSM mount options in /proc/mounts (done: RH)
  • Permissive domains (done: RH).
  • printk prefixes and error message cleanup (done: RH)
  • open permission (done: RH)
  • security_port_sid optimization (done: HP, netport cache)
  • Normalize SELinux in-kernel API (obsolete: converted to LSM hooks)
  • Support for setting down unknown file contexts for package managers and filesystem restore (done: NSA, deferred mapping of contexts patch).
  • Finer-grained proc checking so that we don't require full ptrace permission just to read process state (done: NSA, split proc ptrace checking into read vs. attach).
  • Improve/fix ioctl checking (done: NSA, simplify ioctl checking).
  • Handle setxattr() consistently on filesystems that do not support labeling (cd89596f0ccfa3ccb8a81ce47782231cf7ea7296). [6]
  • Remove ae.used field and address avc_has_perm* scalability (906d27d9d28fd50fb40026e56842d8f6806a7a04). [7]
  • Convert all security_ops calls to direct cap_ calls for greater efficiency and clarity (200ac532a4bc3134147ca06686c56a6420e66c46).
  • The error message "inode_doinit_with_dentry: context_to_sid(blah:blah:bah) returned 22" is meaningless to all but 2 people in the world and isn't uncommon (4ba0a8ad63e12a03ae01c039482967cc496b9174).
  • Add a permission to allow multi-threaded dynamic transitions (via boundary support, d9250dea3f89fe808a525f08888016b495240ed4). [5]


Notes:

[1] Provide a static inline helper for all FMODE_READ/FMODE_WRITE checks that also includes the corresponding security_file_permission() call to help ensure that they always happen together in the future. Possibly even rolling up rw_verify_area() checking as well into it.
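Note 1 describes a helper that bundles the f_mode check with the security_file_permission() call so that a read/write path cannot take one without the other. The stand-alone C model below is an added example, not kernel code or the RH patch the note refers to: struct file, the hook stub, the policy callback and try_access() are constructed stand-ins, and the offset check is a simplified stand-in for rw_verify_area().

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
/* Constructed model of note 1, not kernel code: mode bits and a minimal file. */
#define FMODE_READ  0x1u
#define FMODE_WRITE 0x2u
#define MAY_WRITE   0x2
#define MAY_READ    0x4
struct file { unsigned int f_mode; };  /* FMODE_* bits fixed at open() */

/* Stand-in for the LSM hook: a swappable policy plus a call counter, so a
 * caller can confirm the hook runs exactly when the f_mode check passes. */
static int (*lsm_policy)(const struct file *f, int mask);
static int lsm_calls;
static int security_file_permission(const struct file *f, int mask)
{
    lsm_calls++;
    return lsm_policy ? lsm_policy(f, mask) : 0;
}

/* The one helper every read/write path would call: f_mode check, then the
 * rw_verify_area()-style range check, then the security hook.  A call site
 * cannot take one of these checks without the others. */
static inline int file_rw_verify(const struct file *f, int mask,
                                 long long pos, size_t count)
{
    unsigned int need = (mask == MAY_READ) ? FMODE_READ : FMODE_WRITE;
    if (!(f->f_mode & need))
        return -EBADF;   /* file not opened for this direction */
    if (pos < 0 || count > (size_t)LLONG_MAX || pos > LLONG_MAX - (long long)count)
        return -EINVAL;  /* negative offset or offset+count overflow */
    return security_file_permission(f, mask);
}

/* Constructed policy: deny writes, allow reads. */
static int deny_writes(const struct file *f, int mask)
{
    (void)f;
    return mask == MAY_WRITE ? -EACCES : 0;
}

/* Runs one access through the helper with a fresh counter; returns its result. */
static int try_access(unsigned int f_mode, int mask, long long pos,
                      size_t count, int (*policy)(const struct file *, int))
{
    struct file f = { f_mode };
    lsm_policy = policy;
    lsm_calls = 0;
    return file_rw_verify(&f, mask, pos, count);
}
```

After each try_access() call, lsm_calls shows whether the hook ran: it is 0 whenever the f_mode or range check rejected the access first, and exactly 1 otherwise.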

[5] We may wish to consider removing this restriction altogether, and/or making it subject to a permission check. Per-thread context can be useful for a multi-threaded server effectively acting as a userspace object manager but wanting to set kernel context to avoid race conditions on file accesses, a la the samba file server case.

[6] Seems like we ought to handle setxattr() consistently on filesystems that do not support labeling. Mountpoint labeling triggers EOPNOTSUPP. Genfscon does not.

[7] lkml post (http://lkml.org/lkml/2008/11/17/351)


Resources