Bug 193994 - Identify and implement missing controls in upstream kernel
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: kernel
Version: rawhide
Platform: All Linux
Priority: high
Severity: high
Assigned To: James Morris
QA Contact: Brian Brock
: SELinux
Blocks: FC6SELinuxKernel
Reported: 2006-06-04 02:14 EDT by James Morris
Modified: 2007-11-30 17:11 EST (History)
Last Closed: 2006-09-18 20:18:59 EDT
Attachments:
Brief Analysis of functions (4.15 KB, text/plain), 2006-06-14 09:09 EDT, David Quigley
Description James Morris 2006-06-04 02:14:39 EDT
Missing controls: identify and implement controls for core kernel
components which have been added or modified and currently lack any
mediation.  Stephen has identified the following:

mm/mempolicy.c:sys_migrate_pages()
mm/migrate.c:sys_move_pages()
kernel/futex.c:sys_get_robust_list()
kernel/futex.c:all callers of futex_find_get_task()
kernel/cpuset.c:all callers of attach_task()
kernel/sched.c:sched_setaffinity(), sched_getaffinity()
kernel/signal.c:kill_proc_info_as_uid() [problematic, as it apparently
needs credentials to be provided by the caller rather than using
current, so we need the interface itself to pass a SID]

May need further review of the syscall table, and we need to know if the
new cpu rate cap stuff is going in.

Current status: under investigation.
Comment 1 James Morris 2006-06-06 02:19:51 EDT
I've audited all of the new *at syscalls and they're ok.

Also looks like we need to add a control to sys_mbind(), and more general
auditing is likely required.
Comment 2 David Quigley 2006-06-14 09:09:59 EDT
Created attachment 130840 [details]
Brief Analysis of functions

*Replaying posts from e-mails received*

Hello,
    My name is Dave Quigley and I'll be working on SELinux for the next few
months. Just before Stephen left, he gave me this list, so I spent most of last
week looking at it. After some comments from Stephen I have a revised version
of my analysis for these functions. I'll attach them to the bug, and please
feel free to give comments on them.
