Bug 193994

Summary: Identify and implement missing controls in upstream kernel

Product: Fedora
Component: kernel
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: high
Priority: high
Keywords: SELinux
Doc Type: Bug Fix
Reporter: James Morris <jmorris>
Assignee: James Morris <jmorris>
QA Contact: Brian Brock <bbrock>
CC: dpquigl, eparis, redhat-bugzilla, sdsmall, wtogami
Bug Blocks: 193995
Last Closed: 2006-09-19 00:18:59 UTC

Attachments:
Brief Analysis of functions (flags: none)

Description James Morris 2006-06-04 06:14:39 UTC
Missing controls: identify and implement controls for core kernel
components which have been added or modified and currently lack any
mediation.  Stephen has identified the following:

mm/mempolicy.c:sys_migrate_pages()
mm/migrate.c:sys_move_pages()
kernel/futex.c:sys_get_robust_list()
kernel/futex.c:all callers of futex_find_get_task()
kernel/cpuset.c:all callers of attach_task()
kernel/sched.c:sched_setaffinity(), sched_getaffinity()
kernel/signal.c:kill_proc_info_as_uid() [problematic, as it apparently
needs credentials to be provided by the caller rather than using
current, so we need the interface itself to pass a SID]

May need further review of the syscall table, and we need to know if the
new cpu rate cap stuff is going in.

Current status: under investigation.
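Every function in the list above except kill_proc_info_as_uid() is reached from a syscall that names its target task by pid, which is why a missing hook matters: an unprivileged caller can reach another process's scheduler state, robust-futex list or page placement with only the kernel's own uid/ptrace checks in the way. The probe below is an added example, written for this page and not taken from the bug report, the kernel or its developers. It assumes Linux with glibc (sched_getaffinity/sched_setaffinity wrappers, SYS_get_robust_list, SYS_migrate_pages and SYS_move_pages in <sys/syscall.h>) and calls each of those syscalls against one pid with arguments chosen to be harmless, recording the errno the kernel returns. Run it against a process owned by another user: EPERM means the kernel's built-in credential or ptrace check refused the call, EACCES means an LSM hook did (SELinux returns -EACCES and writes a matching AVC record to the audit log), and ENOSYS means the syscall is not compiled into this kernel (the two page-migration calls need CONFIG_NUMA). The names probe_task, probe_result and reaped_child_pid are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Added example, not code from the bug report or the kernel: probe the
 * pid-targeted syscalls listed in the report against one task and record
 * what the kernel answered.  Every field is 0 on success, otherwise the errno.
 *   ESRCH  - no such task
 *   EPERM  - refused by the kernel's own uid/ptrace checks (or by seccomp)
 *   EACCES - refused by an LSM hook; SELinux returns -EACCES and logs an AVC
 *   ENOSYS - not built into this kernel (migrate_pages/move_pages need NUMA)
 * Arguments are chosen to be harmless: the affinity mask that was just read
 * is written back unchanged, migrate_pages is asked to move node 0 -> node 0,
 * and move_pages is asked about zero pages.
 */
struct probe_result {
    int getaffinity;
    int setaffinity;
    int get_robust_list;
    int migrate_pages;
    int move_pages;
};

static int errno_of(long rc)
{
    return rc == -1 ? errno : 0;
}

struct probe_result probe_task(pid_t target)
{
    struct probe_result r;
    cpu_set_t mask;
    void *robust_head = NULL;       /* receives a pointer into the target's address space */
    size_t robust_len = 0;
    unsigned long from_nodes = 1UL; /* bit 0 = NUMA node 0 */
    unsigned long to_nodes = 1UL;
    /* The kernel treats maxnode as "highest node bit + 1", so one word of bits needs 65. */
    unsigned long maxnode = 8 * sizeof(unsigned long) + 1;

    CPU_ZERO(&mask);
    r.getaffinity = errno_of(sched_getaffinity(target, sizeof mask, &mask));
    /* For a pid that does not exist the kernel answers ESRCH before it looks at
     * the (here empty) mask, so this stays informative even after a failed read. */
    r.setaffinity = errno_of(sched_setaffinity(target, sizeof mask, &mask));
    r.get_robust_list = errno_of(syscall(SYS_get_robust_list, target,
                                         &robust_head, &robust_len));
    r.migrate_pages = errno_of(syscall(SYS_migrate_pages, target, maxnode,
                                       &from_nodes, &to_nodes));
    r.move_pages = errno_of(syscall(SYS_move_pages, target, 0UL,
                                    (void **)NULL, (const int *)NULL,
                                    (int *)NULL, 0));
    return r;
}

/* Fork a child that exits immediately and reap it, so the returned pid names a
 * task that no longer exists: a control case where every probe should give ESRCH.
 * Returns -1 if fork fails, which the probes also report as ESRCH. */
pid_t reaped_child_pid(void)
{
    pid_t pid = fork();
    if (pid == 0)
        _exit(0);
    if (pid > 0)
        waitpid(pid, NULL, 0);
    return pid;
}

static void print_one(const char *name, int err)
{
    printf("  %-18s %s\n", name, err == 0 ? "ok" : strerror(err));
}

int main(int argc, char **argv)
{
    /* Default to probing ourselves; pass the pid of another user's process to
     * see which check (DAC: EPERM, LSM: EACCES) refuses the cross-task call. */
    pid_t target = argc > 1 ? (pid_t)atol(argv[1]) : getpid();
    struct probe_result r = probe_task(target);

    printf("probe of pid %ld:\n", (long)target);
    print_one("sched_getaffinity", r.getaffinity);
    print_one("sched_setaffinity", r.setaffinity);
    print_one("get_robust_list", r.get_robust_list);
    print_one("migrate_pages", r.migrate_pages);
    print_one("move_pages", r.move_pages);
    return 0;
}
```

Probing your own pid gives a baseline where every call that the kernel supports should succeed; probing a reaped child gives the ESRCH control case; the interesting run is against a pid you do not own, where the errno tells you whether DAC or the security module is doing the mediating. kill_proc_info_as_uid() is not covered because it is a kernel-internal helper rather than a syscall entry point, which is exactly the difficulty the report notes about it.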

Comment 1 James Morris 2006-06-06 06:19:51 UTC
I've audited all of the new *at syscalls and they're ok.

Also looks like we need to add a control to sys_mbind(), and more general
auditing is likely required.

Comment 2 David Quigley 2006-06-14 13:09:59 UTC
Created attachment 130840
Brief Analysis of functions

*Replaying posts from e-mails received*

Hello,
    My name is Dave Quigley and I'll be working on SELinux for the next few
months. Just before Stephen left he gave me this list so I spent most of last
week looking at it. After some comments from Stephen I have a revised version
of my analysis for these functions. I'll attach them to the bug, and please
feel free to give comments on them.