Difference between revisions of "Kernel Development"
JamesMorris (→To Do List)
Line 38 (old revision → new revision):
* Linux hv controls (in progress Tresys?)
− (four blank lines removed)
* Revoke memory-mapped file access upon policy change or setxattr.
Revision as of 14:59, 6 June 2008
To Do List
- Reduce size of critical sections and use of GFP_ATOMIC.
- Remove load_mutex mutex.
- Open code POLICY_RDLOCK and friends (per suggestion from akpm) [patches queued]
- Investigate security policy for cgroups.
- Labeling for loopback traffic (in progress HP).
- Reduce memory usage of selinux structs: pahole (eparis RH BZ#235284)
- Add a 'map' check on mmap and mprotect so that we can distinguish memory mapped access (since it has different implications for revocation).
- btrfs support
- Export current policy via selinuxfs so that it can be verified and analyzed.
- cap_override class [2] (rfc patch posted, needs re-base and extension for 64-bit caps)
- Compile out LSM hooks & allow SELinux to be linked directly.
- Automate checking for new syscalls in kernels (-mm, -rc etc).
- remove secondary module stacking code (eparis RH BZ#231890)
- fine grained enforcement of sysfs objects (RH BZ#228902)
- ditto for usbfs and other pseudo filesystems of interest
- additional support of a security netfilter table for secmark/net forwarding (RH: merged to nf repo)
- Namespacing of SELinux global functions and variables.
- NFSv4 support (in progress)
- Linux hv controls (in progress Tresys?)
- Revoke memory-mapped file access upon policy change or setxattr.
- Real device labeling and access control (i.e. bind a label to a device in the kernel irrespective of which device node is used to access it, so that a process that can create any device nodes at all can't bypass all device access controls just by creating an arbitrary node for any device in a type accessible to it).
- Full APIs for getting and setting security contexts of sockets and IPC objects. Ensure that socket context is kept consistent on socket inode and sock structures when changed.
- Polyinstantiated ports
- Increased granularity for Generic Netlink
- CIFS support for single-context clients (also has xattrs & Karl says it's better than NFS).
- Investigate integration with integrity measurement (in progress IBM and NSA)
- Crypto policy for domains & object handling
- Expand LTP as a full regression test suite for every permission & class
- Redo performance testing & profiling
- Support for kernel namespaces: labeling and access controls on namespaces, per-namespace policy?
- Similar support for chroots to support build systems?
- Better controls for posix message queues (?)
- move *mem permissions to new memprotect class. Bump policy version.
- discovery of class and permission offsets [3]
- better support for filesystems whose labelling behaviour is not specified in policy: if policy says nothing, just test for xattr support and use it if it is there.
Notes:
[2] Allow SELinux to selectively grant capabilities authoritatively based on SELinux domain. Executables could be made privileged without needing to be setuid root, all via SELinux without needing yet another mechanism like file capabilities. Eliminate the need for filesystem capabilities support (which will be a nightmare to manage, as they are per-file bitmaps vs. per-type access vectors).
[3] Make the hooks/avc layer request class/perm offsets from the security server so that static offsets are no longer necessary and obsolete kernel classes can be purged.
[4] "replacing the default case in selinux_file_ioctl with a simple test of _IOC_DIR(cmd) as in Smack, mapping to FILE__WRITE and/or FILE__READ accordingly."
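As an added illustration of note [4] (example code, not SELinux or Smack kernel code), a user-space model of deriving the file permissions to check from _IOC_DIR(cmd) alone: it reproduces the asm-generic ioctl bit layout, uses constructed stand-ins for the FILE__READ/FILE__WRITE bits, and shows the case a reviewer would want to check, a command encoded as a bare number with no direction bits.

```c
/* Added example, not SELinux or Smack kernel code: a user-space model of the
 * proposed selinux_file_ioctl default case. _IOC_* layout is asm-generic
 * (x86 and most arches; e.g. PowerPC/SPARC differ); DEMO_FILE__* values are
 * constructed stand-ins for the file class access vector bits. */
#include <stdio.h>

/* asm-generic/ioctl.h: dir in bits 30-31, size 16-29, type 8-15, nr 0-7 */
#define DEMO_IOC_TYPESHIFT 8
#define DEMO_IOC_SIZESHIFT 16
#define DEMO_IOC_DIRSHIFT  30
#define DEMO_IOC_NONE  0U
#define DEMO_IOC_WRITE 1U
#define DEMO_IOC_READ  2U
#define DEMO_IOC(dir, type, nr, size) \
    (((unsigned)(dir) << DEMO_IOC_DIRSHIFT) | ((unsigned)(type) << DEMO_IOC_TYPESHIFT) | \
     ((unsigned)(size) << DEMO_IOC_SIZESHIFT) | (unsigned)(nr))
#define DEMO_IOR(t, nr, sz)  DEMO_IOC(DEMO_IOC_READ, t, nr, sz)
#define DEMO_IOW(t, nr, sz)  DEMO_IOC(DEMO_IOC_WRITE, t, nr, sz)
#define DEMO_IOWR(t, nr, sz) DEMO_IOC(DEMO_IOC_READ | DEMO_IOC_WRITE, t, nr, sz)
#define DEMO_IOC_DIR(cmd)    (((cmd) >> DEMO_IOC_DIRSHIFT) & 3U)

#define DEMO_FILE__READ  0x2U   /* constructed */
#define DEMO_FILE__WRITE 0x4U   /* constructed */

/* The proposed rule: permissions to check follow from the direction bits
 * alone, with no per-command switch. Returns the access vector to check. */
unsigned int demo_ioctl_av(unsigned int cmd)
{
    unsigned int dir = DEMO_IOC_DIR(cmd);
    unsigned int av = 0;
    if (dir & DEMO_IOC_READ)
        av |= DEMO_FILE__READ;
    if (dir & DEMO_IOC_WRITE)
        av |= DEMO_FILE__WRITE;
    /* dir == DEMO_IOC_NONE yields 0: a command encoded as a bare number
     * (many old tty ioctls are) carries no direction, so this rule alone
     * checks nothing for it; a reviewer would want a fallback there. */
    return av;
}

int main(void)
{
    unsigned int cmds[] = { DEMO_IOR('f', 127, 4), DEMO_IOW('f', 126, 4),
                            DEMO_IOWR('d', 1, 8), 0x5401U /* bare number */ };
    for (unsigned i = 0; i < sizeof cmds / sizeof cmds[0]; i++)
        printf("cmd 0x%08x -> av 0x%x\n", cmds[i], demo_ioctl_av(cmds[i]));
    return 0;
}
```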
Known Bugs
Done
- Finalize NFS binary mount support: ensure new hooks are called.
- Review Netlink link creation API code for security hook coverage.
- Remove obsolete object backpointers.
- Fix context_struct_compute_av latency issue raised by Ingo Molnar (lkml post)
- Better support for sys_splice and related syscalls
- change Kconfig to use select instead of depends (eparis RH BZ#228899)
- allow undefined classes and permissions in kernel (eparis RH BZ#235280)
- explicitly set i_ino on all creations in selinuxfs (eparis RH BZ#235248)
- Review sys_fallocate if/when it is merged
- Labeling for forwarded traffic (done: HP)
- security_file_permission callsite consolidation [1] (done: RH)
- Add hook for filesystems with binary mount data per requests by fsdevel folk (done: RH)
- add NFSv4 support for command line mount options. (done: RH)
- Support for 64-bit capabilities (sds of the NSA)
- Display LSM mount options in /proc/mounts (done: RH)
- Permissive domains (done: RH).
- printk prefixes and error message cleanup (done: RH)
- open permission (done: RH)
- security_port_sid optimization (done: HP, netport cache)
- Normalize SELinux in-kernel API (obsolete: converted to LSM hooks)
- Support for setting down unknown file contexts for package managers and filesystem restore (done: NSA, deferred mapping of contexts patch)
[1] Provide a static inline helper for all FMODE_READ/FMODE_WRITE checks that also includes the corresponding security_file_permission() call to help ensure that they always happen together in the future. Possibly even rolling up rw_verify_area() checking as well into it.
Resources
- Adding New Permissions: how to add a new permission to SELinux
- kerneloops.org oopses relating to SELinux.