Bug 193994

Summary: Identify and implement missing controls in upstream kernel
Product: [Fedora] Fedora
Reporter: James Morris <jmorris>
Component: kernel
Assignee: James Morris <jmorris>
Status: CLOSED RAWHIDE
QA Contact: Brian Brock <bbrock>
Severity: high
Priority: high
Version: rawhide
CC: dpquigl, eparis, redhat-bugzilla, sdsmall, wtogami
Keywords: SELinux
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2006-09-19 00:18:59 UTC
Bug Blocks: 193995
Attachments: Brief Analysis of functions (flags: none)

Description James Morris 2006-06-04 06:14:39 UTC
Missing controls: identify and implement controls for core kernel
components which have been added or modified and currently lack any
mediation.  Stephen has identified the following:

mm/mempolicy.c:sys_migrate_pages()
mm/migrate.c:sys_move_pages()
kernel/futex.c:sys_get_robust_list()
kernel/futex.c:all callers of futex_find_get_task()
kernel/cpuset.c:all callers of attach_task()
kernel/sched.c:sched_setaffinity(), sched_getaffinity()
kernel/signal.c:kill_proc_info_as_uid() [problematic, as it apparently
needs credentials to be provided by the caller rather than using
current, so we need the interface itself to pass a SID]

May need further review of the syscall table, and we need to know if the
new cpu rate cap stuff is going in.

Current status: under investigation.
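
The kill_proc_info_as_uid() item above says the check cannot rely on current and needs a SID passed through the interface. A userspace C model of that point, added here as an illustration: it is not kernel code and not from this bug or its attachment, and the SID values, the toy policy and every function name are hypothetical.

```c
/* Userspace model only; SIDs, policy and names are constructed for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t sid_t;
enum { SID_KERNEL = 1, SID_USER_A = 2, SID_USER_B = 3 };

struct task { int pid; sid_t sid; };
/* A deferred signal request: the requester's SID is captured at submit time. */
struct async_req { int target_pid; sid_t requester_sid; };

/* Toy policy: kernel context may signal anyone, others only their own domain. */
static bool policy_allows_signal(sid_t src, sid_t tgt)
{
    return src == SID_KERNEL || src == tgt;
}

/* Mediation keyed on "current": judges whichever task happens to be running
 * when the deferred signal is delivered, not the task that asked for it. */
static bool check_using_current(const struct task *current, const struct task *target)
{
    return policy_allows_signal(current->sid, target->sid);
}

/* Mediation keyed on the SID passed through the interface by the caller. */
static bool check_using_passed_sid(const struct async_req *req, const struct task *target)
{
    return policy_allows_signal(req->requester_sid, target->sid);
}

/* Constructed sample tasks. */
static const struct task kthread  = { 10, SID_KERNEL };
static const struct task owner_a  = { 20, SID_USER_A };
static const struct task target_b = { 30, SID_USER_B };
static const struct task other_b  = { 31, SID_USER_B };

int main(void)
{
    struct async_req cross = { target_b.pid, SID_USER_A }; /* A asks to signal B */
    struct async_req own   = { owner_a.pid,  SID_USER_A }; /* A asks to signal A */

    printf("cross-domain, current=kthread: current=%d passed=%d\n",
           check_using_current(&kthread, &target_b), check_using_passed_sid(&cross, &target_b));
    printf("same-domain, current=other_b:  current=%d passed=%d\n",
           check_using_current(&other_b, &owner_a), check_using_passed_sid(&own, &owner_a));
    return 0;
}
```

In this model the current-based check is wrong in both directions: it permits the cross-domain signal when delivery runs in kernel context, and it denies the requester's own same-domain signal when an unrelated task happens to be running.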

Comment 1 James Morris 2006-06-06 06:19:51 UTC
I've audited all of the new *at syscalls and they're ok.

Also looks like we need to add a control to sys_mbind(), and more general
auditing is likely required.

Comment 2 David Quigley 2006-06-14 13:09:59 UTC
Created attachment 130840
Brief Analysis of functions

*Replaying posts from e-mails received*

Hello,
    My name is Dave Quigley and I'll be working on SELinux for the next few
months. Just before Stephen left he gave me this list so I spent most of last
week looking at it. After some comments from Stephen I have a revised version
of my analysis for these functions. I'll attach them to the bug, and please
feel free to give comments on them.