Red Hat Bugzilla – Bug 193994
Identify and implement missing controls in upstream kernel
Last modified: 2007-11-30 17:11:34 EST
Missing controls: identify and implement controls for core kernel
components which have been added or modified and currently lack any
mediation. Stephen has identified the following:
kernel/futex.c:all callers of futex_find_get_task()
kernel/cpuset.c:all callers of attach_task()
kernel/signal.c:kill_proc_info_as_uid() [problematic, as it apparently
needs credentials to be provided by the caller rather than using
current, so we need the interface itself to pass a SID]
May need further review of the syscall table, and we need to know if the
new cpu rate cap stuff is going in.
Current status: under investigation.
I've audited all of the new *at syscalls and they're ok.
Also looks like we need to add a control to sys_mbind(), and more general
auditing is likely required.
Created attachment 130840 [details]
Brief Analysis of functions
*Replaying posts from e-mails received*
My name is Dave Quigley and I'll be working on SELinux for the next few
months. Just before Stephen left he gave me this list so I spent most of last
week looking at it. After some comments from Stephen I have a revised version
of my analysis for these functions. I'll attach them to the bug, and please
feel free to give comments on then.