Missing controls: identify and implement controls for core kernel components which have been added or modified and currently lack any mediation.

Stephen has identified the following:

  mm/mempolicy.c:sys_migrate_pages()
  mm/migrate.c:sys_move_pages()
  kernel/futex.c:sys_get_robust_list()
  kernel/futex.c:all callers of futex_find_get_task()
  kernel/cpuset.c:all callers of attach_task()
  kernel/sched.c:sched_setaffinity(), sched_getaffinity()
  kernel/signal.c:kill_proc_info_as_uid() [problematic, as it apparently needs credentials to be provided by the caller rather than using current, so we need the interface itself to pass a SID]

May need further review of the syscall table, and we need to know if the new cpu rate cap stuff is going in.

Current status: under investigation.
I've audited all of the new *at syscalls and they're ok. Also looks like we need to add a control to sys_mbind(), and more general auditing is likely required.
Created attachment 130840
Brief Analysis of functions

*Replaying posts from e-mails received*

Hello,

My name is Dave Quigley and I'll be working on SELinux for the next few months. Just before Stephen left he gave me this list, so I spent most of last week looking at it. After some comments from Stephen I have a revised version of my analysis for these functions. I'll attach them to the bug, and please feel free to give comments on them.