Difference between revisions of "Kernel Development"
From SELinux Wiki
Earlier revision summary: (First dump of list of kernel development which needs done)
Later revision by JamesMorris: m (added sys_splice)

Diff at line 21:
* Polyinstantiated ports
* Increased granularity for Generic Netlink
+ * Better support for sys_splice and related syscalls
Know Bugs:
exporting nfs with the nohide options causes problems on ia64 clients (struct nfs_mount_data corruption)
Revision as of 15:45, 11 May 2007
Enhancements:
- change Kconfig to use select instead of depends (eparis RH BZ#228899)
- remove secondary module stacking code (eparis RH BZ#231890)
- security_port_sid needs optimization (eparis RH BZ#234531)
- explicitly set i_ino on all creations in selinuxfs (eparis RH BZ#235248)
- allow undefined classes and permissions in kernel (eparis RH BZ#235280)
- Reduce memory usage of selinux structs (eparis RH BZ#235284)
- fine grained enforcement of sysfs objects (RH BZ#228902)
- labeled net needs better passing of labels over loopback
- additional support of a security netfilter table for secmark/net forwarding
- Normalize the SELinux in-kernel API.
- Namespacing of SELinux global functions and variables.
- NFSv4 support
- KVM controls
- Finer-grained proc checking (so that we don't require full ptrace permission just to read process state)
- Improve/fix ioctl checking (see prior discussions on the selinux and linux-security-module lists)
- Revoke memory-mapped file access upon policy change or setxattr.
- Real device labeling and access control (i.e. bind a label to a device in the kernel irrespective of which device node is used to access it, so that a process that can create device nodes at all cannot bypass all device access controls simply by creating an arbitrary node for any device in a type accessible to it)
- Full APIs for getting and setting security contexts of sockets and IPC objects.
- Polyinstantiated ports
- Increased granularity for Generic Netlink
- Better support for sys_splice and related syscalls
Known Bugs:
- exporting NFS with the nohide option causes problems on ia64 clients (struct nfs_mount_data corruption)