Sophie

Sophie

distrib > Mandriva > 2011.0 > x86_64 > by-pkgid > ec8cc6ad5e0f6fe064f830c1071569ae > files > 1440

kernel-rsbac-doc-3.0.41-1.noarch.rpm

Interceptions for access decisions (AEF) in RSBAC 1.2.5 for 2.4.30:
(ordered as in asm-i386/unistd.h)

Not necessary:
sys_waitpid, sys_time, sys_lseek, sys_getpid, sys_alarm, sys_pause,
sys_sync, sys_getuid, sys_alarm, sys_ftime, sys_dup, sys_times, sys_brk,
sys_getgid, sys_signal, sys_geteuid, sys_getegid, sys_olduname, sys_umask,
sys_ustat, sys_dup2, sys_getppid, sys_getpgrp, sys_setsid, sys_sigaction,
sys_sgetmask, sys_ssetmask, sys_sigsuspend, sys_sigpending, sys_getrlimit,
sys_getrusage, sys_gettimeofday, sys_getgroups, sys_select, sys_munmap,
sys_getpriority, sys_setitimer, sys_getitimer, sys_uname, sys_vhangup,
sys_vm86old, sys_wait4, sys_sysinfo, sys_fsync, sys_sigreturn, sys_newuname,
sys_modify_ldt, sys_sigprocmask, sys_get_kernel_syms(? - see discussion),
sys_sysfs, sys_personality, sys__llseek, sys_newselect, sys_flock,
sys_msync, sys_fdatasync, sys_mlock, sys_munlock, sys_mlockall,
sys_munlockall, sys_sched_getparam, sys_sched_getscheduler, sys_sched_yield,
sys_sched_get_priority_max, sys_sched_get_priority_min,
sys_sched_rr_get_interval, sys_nanosleep, sys_mremap, sys_getresuid,
sys_vm86, sys_poll, sys_getresgid, sys_prctl, sys_rt_sigreturn,
sys_rt_sigaction, sys_rt_sigprocmask, sys_rt_sigpending,
sys_rt_sigtimedwait, sys_rt_sigqueueinfo, sys_rt_sigsuspend, sys_getcwd,
sys_sigaltstack, sys_ugetrlimit, sys_getuid32, sys_getgid32, sys_geteuid32,
sys_getegid32, sys_getgroups32, sys_getresuid32, sys_getresgid32,
sys_mincore, sys_madvise, sys_gettid, sys_readahead, sys_setxattr,
sys_munlockl, sys_munlockall

Not implemented in this kernel:
sys_ftime, sys_break, sys_stty, sys_gtty, sys_prof, sys_lock, sys_mpx,
sys_ulimit, sys_profil, sys_idle, sys_afs_syscall, sys_getpmsg,
sys_putpmsg, sys_security (used by RSBAC where available)

Intercepted:
sys_exit, sys_fork, sys_read, sys_write, sys_open, sys_close, sys_creat,
sys_link, sys_unlink, sys_execve, sys_chdir, sys_mknod, sys_chmod,
sys_lchmod, sys_oldstat, sys_mount, sys_umount (= oldumount), sys_setuid,
sys_stime, sys_ptrace, sys_oldfstat, sys_utime, sys_access, sys_nice (if
priority is raised), sys_rename, sys_mkdir, sys_rmdir, sys_setgid, sys_acct
(APPEND_OPEN on file), sys_umount2 (= umount), sys_ioctl (socket_ioctl,
tty_ioctl (tiocsti)), sys_fcntl (except locking - see discussion),
sys_setpgid, sys_chroot, sys_setreuid, sys_setregid, sys_sethostname,
sys_setrlimit, sys_settimeofday, sys_setgroups, sys_symlink, sys_oldlstat,
sys_readlink, sys_uselib, sys_swapon, sys_reboot, sys_readdir,
sys_mmap (for MAP_EXEC), sys_truncate, sys_ftruncate, sys_fchmod,
sys_fchown, sys_setpriority, sys_statfs, sys_fstatfs, sys_ioperm,
sys_socketcall, sys_stat, sys_lstat, sys_fstat, sys_iopl, sys_swapoff,
sys_ipc, sys_clone, sys_setdomainname, sys_adjtimex, sys_mprotect, 
sys_create_module, sys_init_module, sys_delete_module, 
sys_getpgid, sys_fchdir, sys_setfsuid, sys_setfsgid, sys_vfsreaddir,
sys_readv, sys_writev, sys_getsid, sys_sysctl, sys_setresuid, 
sys_setresgid, sys_pread, sys_pwrite, sys_chown, sys_capget, sys_capset,
sys_vfork, sys_mmap2, sys_truncate64, sys_ftruncate64, sys_stat64,
sys_lstat64, sys_fstat64, sys_lchown32, sys_setreuid32, sys_setregid32,
sys_setgroups32, sys_fchown, sys_setresuid32, sys_setresgid32,
sys_chown32, sys_setuid32, sys_setgid32, sys_setfsuid32, sys_setfsgid32,
sys_pivot_root, sys_getdents64, sys_fcntl64, sys_tkill, sys_sendfile64,


Found missing in 1.2.4-bf5 and intercepted in 1.2.5-pre:
ptrace (on sparc and sparc64), ioctl: BRCTL* (bridging control),
sys_reboot: add reboot_cmd parameter to see command in log,
sys_mount: lookback mounts in do_loopback(),
sys_mount: move mounts in do_move_mounts(),
sys_socketcall (sys_socketpair, sys_setsockopt, sys_getsockopt,
sys_getsockname, sys_getpeername),
sys_getxattr, sys_lgetxattr, sys_fgetxattr, sys_setxattr, sys_lsetxattr,
sys_fsetxattr, sys_listxattr, sys_llistxattr, sys_flistxattr,
sys_removexattr, sys_lremovexattr, sys_fremovexattr,
sys_quotactl (new SCD quota), sys_bdflush, sys_sched_setparam,
sys_sched_setscheduler, sys_query_module, sys_nfsservctl, sys_sendfile,
NETLINK sockets (additional IP addresses, routing, firewall, tcpdiag, rules),
sys_ioctl: fs/ext[3]2/ioctl.c:ext[23]_ioctl(), sys_pipe,
sys_ioctl: drivers/ide/ide.c:ide_ioctl(),
sys_ioctl: tty_ioctl,
sys_fcntl: fs/fcntl.c:do_fcntl(): Control file locking,
sys_flock: fs/locks.c:sys_flock(): Control file advisory locking,
sys_get_kernel_syms: kernel/module.c: SCD ksyms, same for /proc/ksyms,
sys_mlock, sys_mlockall: SCD mlock,
sys_swapon: Also check access to the device as ADD_TO_KERNEL and
REMOVE_FROM_KERNEL

Not yet intercepted, for discussion:

- netlink-sockets: iptables_ULOG, decnet, ipv6

Other notes:
- Added SCD target sysctl, now used by sys_sysctl and /proc/sys instead of
  non-intuitive ST_other

- Added SCD target nfsd for kernel NFS server control

- Added IPC type anonpipe, used by anonymous T_FIFO (if inode on PIPEFS)

- Added requests GET_STATUS_DATA, GET_PERMISSIONS_DATA, MODIFY_PERMISSIONS_DATA,
  SEND for target type DEV

- JAIL module: generally deny read, write, GET_STATUS_DATA and MODIFY_SYSTEM_DATA
  accesses to devices, flags to allow

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional