Here is a look at what needs to be done (in no particular order).

* find calls to cap_issubset (i.e. ptrace, PTRACE_ATTACH option) and figure out how to eliminate (this should be handled in capabilities module).
* move keep_capabilities from task_struct to security blob in task_struct
# look at mmap write (as brought up by Chris Evans).
# get game plan for socket (AF_INET, AF_UNIX, AF_INET6, etc.)
# ipc has been largely untouched.
* dummy_compute_creds doesn't allow setuid binaries to setuid (see below)
# consider pushing mount/umount to superblock ops.
# add ability to pass module name when registering as a secondary module
* review hooks (esp. capable() hooks) that are embedded in compound conditionals to allow each module its own policy.

Some suggestions from Stephen Smalley

* break compute_creds apart so the kernel manages the common part of setuid/setgid and the modules simply add their own $0.02.
* review MAY_EXEC check in load_elf_binary()
* mmap hook, esp. for files that are mmap'd with execute.
* review placement of file [alloc|free]_security to ensure it is consistent with creation/deletion of file objects. Consider a separate hook for initializing the blob (like attach_pathlabel).
# review dummy stubs and place superuser checks as appropriate.
* add append distinction on file permission check (and perhaps look at immutable, etc.)

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
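The last item on the list (an append distinction on the file permission check, and immutable/append-only attributes) is easiest to see with a small model. The following is an added example, not code from the message above or from the LSM project: a user-space C sketch in which the access mask carries a MAY_APPEND bit separate from MAY_WRITE, so that an append-only file (a log, say) can be opened with O_APPEND but not for in-place writing or truncation. The MAY_APPEND value, the ATTR_IMMUTABLE and ATTR_APPEND_ONLY bits, struct inode_model, and the sample inodes are all assumptions made for the illustration; the inode's mode is reduced to the caller's rwx triple.

```c
/* Added example (not LSM code): a user-space model of a file permission
 * check that distinguishes append from write and honours immutable /
 * append-only attributes. MAY_APPEND's value, the ATTR_* bits and
 * struct inode_model are assumptions made for this illustration. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>

#define MAY_EXEC   0x1
#define MAY_WRITE  0x2
#define MAY_READ   0x4
#define MAY_APPEND 0x8   /* assumed: append requested, distinct from write */

#define ATTR_IMMUTABLE   0x1   /* assumed: no modification at all */
#define ATTR_APPEND_ONLY 0x2   /* assumed: may grow, never rewritten or truncated */

/* Simplified inode: attribute bits plus the caller's effective rwx triple. */
struct inode_model {
    unsigned attrs;
    unsigned mode;   /* 4 = r, 2 = w, 1 = x for the calling class */
};

/* Derive the access mask from open(2) flags. O_APPEND turns a write request
 * into an append request, but O_TRUNC is always an in-place write. */
unsigned open_flags_to_mask(int flags)
{
    unsigned mask = 0;
    int acc = flags & O_ACCMODE;

    if (acc == O_RDONLY || acc == O_RDWR)
        mask |= MAY_READ;
    if (acc == O_WRONLY || acc == O_RDWR)
        mask |= (flags & O_APPEND) ? MAY_APPEND : MAY_WRITE;
    if (flags & O_TRUNC)
        mask |= MAY_WRITE;
    return mask;
}

/* Permission check with the append distinction. Returns 0 or -errno. */
int file_permission(const struct inode_model *ino, unsigned mask)
{
    unsigned want_modify = mask & (MAY_WRITE | MAY_APPEND);
    unsigned need = 0;

    /* Attribute policy first: immutable blocks any modification;
     * append-only blocks in-place writes and truncation but not appends. */
    if (want_modify && (ino->attrs & ATTR_IMMUTABLE))
        return -EPERM;
    if ((mask & MAY_WRITE) && (ino->attrs & ATTR_APPEND_ONLY))
        return -EPERM;

    /* Then ordinary mode bits: both write and append need w. */
    if (mask & MAY_READ)  need |= 4;
    if (want_modify)      need |= 2;
    if (mask & MAY_EXEC)  need |= 1;
    return (ino->mode & need) == need ? 0 : -EACCES;
}

/* The coarse check the TODO item is about: append folded into write, so an
 * append-only file cannot be opened for appending at all. */
int file_permission_coarse(const struct inode_model *ino, unsigned mask)
{
    if (mask & MAY_APPEND)
        mask = (mask & ~MAY_APPEND) | MAY_WRITE;
    return file_permission(ino, mask);
}

/* Constructed sample inodes (assumptions for the demonstration). */
const struct inode_model append_only_log = { ATTR_APPEND_ONLY, 6 };
const struct inode_model immutable_conf  = { ATTR_IMMUTABLE,   6 };
const struct inode_model plain_file      = { 0,                6 };
const struct inode_model read_only_file  = { 0,                4 };

int main(void)
{
    struct { const char *name; const struct inode_model *ino; int flags; } cases[] = {
        { "log   O_WRONLY|O_APPEND",         &append_only_log, O_WRONLY | O_APPEND },
        { "log   O_WRONLY",                  &append_only_log, O_WRONLY },
        { "log   O_WRONLY|O_APPEND|O_TRUNC", &append_only_log, O_WRONLY | O_APPEND | O_TRUNC },
        { "conf  O_WRONLY|O_APPEND",         &immutable_conf,  O_WRONLY | O_APPEND },
        { "conf  O_RDONLY",                  &immutable_conf,  O_RDONLY },
        { "plain O_WRONLY|O_APPEND",         &plain_file,      O_WRONLY | O_APPEND },
        { "ro    O_WRONLY",                  &read_only_file,  O_WRONLY },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        unsigned mask = open_flags_to_mask(cases[i].flags);
        printf("%-34s fine=%d coarse=%d\n", cases[i].name,
               file_permission(cases[i].ino, mask),
               file_permission_coarse(cases[i].ino, mask));
    }
    return 0;
}
```

The contrast to look at is the first case: with the append bit the append-only log accepts O_WRONLY|O_APPEND, while the coarse check, which can only say "write", has to refuse it (or, if it ignored the attribute, would also let O_TRUNC through). Immutable files reject every modifying mask regardless of mode bits, and the mode bits still apply after the attribute policy.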
This archive was generated by hypermail 2b30 : Thu May 31 2001 - 11:29:26 PDT