Interceptions for access decisions (AEF) in RSBAC 1.2.5 for 2.4.30: (ordered as in asm-i386/unistd.h) Not necessary: sys_waitpid, sys_time, sys_lseek, sys_getpid, sys_alarm, sys_pause, sys_sync, sys_getuid, sys_alarm, sys_ftime, sys_dup, sys_times, sys_brk, sys_getgid, sys_signal, sys_geteuid, sys_getegid, sys_olduname, sys_umask, sys_ustat, sys_dup2, sys_getppid, sys_getpgrp, sys_setsid, sys_sigaction, sys_sgetmask, sys_ssetmask, sys_sigsuspend, sys_sigpending, sys_getrlimit, sys_getrusage, sys_gettimeofday, sys_getgroups, sys_select, sys_munmap, sys_getpriority, sys_setitimer, sys_getitimer, sys_uname, sys_vhangup, sys_vm86old, sys_wait4, sys_sysinfo, sys_fsync, sys_sigreturn, sys_newuname, sys_modify_ldt, sys_sigprocmask, sys_get_kernel_syms(? - see discussion), sys_sysfs, sys_personality, sys__llseek, sys_newselect, sys_flock, sys_msync, sys_fdatasync, sys_mlock, sys_munlock, sys_mlockall, sys_munlockall, sys_sched_getparam, sys_sched_getscheduler, sys_sched_yield, sys_sched_get_priority_max, sys_sched_get_priority_min, sys_sched_rr_get_interval, sys_nanosleep, sys_mremap, sys_getresuid, sys_vm86, sys_poll, sys_getresgid, sys_prctl, sys_rt_sigreturn, sys_rt_sigaction, sys_rt_sigprocmask, sys_rt_sigpending, sys_rt_sigtimedwait, sys_rt_sigqueueinfo, sys_rt_sigsuspend, sys_getcwd, sys_sigaltstack, sys_ugetrlimit, sys_getuid32, sys_getgid32, sys_geteuid32, sys_getegid32, sys_getgroups32, sys_getresuid32, sys_getresgid32, sys_mincore, sys_madvise, sys_gettid, sys_readahead, sys_setxattr, sys_munlockl, sys_munlockall Not implemented in this kernel: sys_ftime, sys_break, sys_stty, sys_gtty, sys_prof, sys_lock, sys_mpx, sys_ulimit, sys_profil, sys_idle, sys_afs_syscall, sys_getpmsg, sys_putpmsg, sys_security (used by RSBAC where available) Intercepted: sys_exit, sys_fork, sys_read, sys_write, sys_open, sys_close, sys_creat, sys_link, sys_unlink, sys_execve, sys_chdir, sys_mknod, sys_chmod, sys_lchmod, sys_oldstat, sys_mount, sys_umount (= oldumount), sys_setuid, sys_stime, sys_ptrace, sys_oldfstat, sys_utime, sys_access, sys_nice (if priority is raised), sys_rename, sys_mkdir, sys_rmdir, sys_setgid, sys_acct (APPEND_OPEN on file), sys_umount2 (= umount), sys_ioctl (socket_ioctl, tty_ioctl (tiocsti)), sys_fcntl (except locking - see discussion), sys_setpgid, sys_chroot, sys_setreuid, sys_setregid, sys_sethostname, sys_setrlimit, sys_settimeofday, sys_setgroups, sys_symlink, sys_oldlstat, sys_readlink, sys_uselib, sys_swapon, sys_reboot, sys_readdir, sys_mmap (for MAP_EXEC), sys_truncate, sys_ftruncate, sys_fchmod, sys_fchown, sys_setpriority, sys_statfs, sys_fstatfs, sys_ioperm, sys_socketcall, sys_stat, sys_lstat, sys_fstat, sys_iopl, sys_swapoff, sys_ipc, sys_clone, sys_setdomainname, sys_adjtimex, sys_mprotect, sys_create_module, sys_init_module, sys_delete_module, sys_getpgid, sys_fchdir, sys_setfsuid, sys_setfsgid, sys_vfsreaddir, sys_readv, sys_writev, sys_getsid, sys_sysctl, sys_setresuid, sys_setresgid, sys_pread, sys_pwrite, sys_chown, sys_capget, sys_capset, sys_vfork, sys_mmap2, sys_truncate64, sys_ftruncate64, sys_stat64, sys_lstat64, sys_fstat64, sys_lchown32, sys_setreuid32, sys_setregid32, sys_setgroups32, sys_fchown, sys_setresuid32, sys_setresgid32, sys_chown32, sys_setuid32, sys_setgid32, sys_setfsuid32, sys_setfsgid32, sys_pivot_root, sys_getdents64, sys_fcntl64, sys_tkill, sys_sendfile64, Found missing in 1.2.4-bf5 and intercepted in 1.2.5-pre: ptrace (on sparc and sparc64), ioctl: BRCTL* (bridging control), sys_reboot: add reboot_cmd parameter to see command in log, sys_mount: lookback mounts in do_loopback(), sys_mount: move mounts in do_move_mounts(), sys_socketcall (sys_socketpair, sys_setsockopt, sys_getsockopt, sys_getsockname, sys_getpeername), sys_getxattr, sys_lgetxattr, sys_fgetxattr, sys_setxattr, sys_lsetxattr, sys_fsetxattr, sys_listxattr, sys_llistxattr, sys_flistxattr, sys_removexattr, sys_lremovexattr, sys_fremovexattr, sys_quotactl (new SCD quota), sys_bdflush, sys_sched_setparam, sys_sched_setscheduler, sys_query_module, sys_nfsservctl, sys_sendfile, NETLINK sockets (additional IP addresses, routing, firewall, tcpdiag, rules), sys_ioctl: fs/ext[3]2/ioctl.c:ext[23]_ioctl(), sys_pipe, sys_ioctl: drivers/ide/ide.c:ide_ioctl(), sys_ioctl: tty_ioctl, sys_fcntl: fs/fcntl.c:do_fcntl(): Control file locking, sys_flock: fs/locks.c:sys_flock(): Control file advisory locking, sys_get_kernel_syms: kernel/module.c: SCD ksyms, same for /proc/ksyms, sys_mlock, sys_mlockall: SCD mlock, sys_swapon: Also check access to the device as ADD_TO_KERNEL and REMOVE_FROM_KERNEL Not yet intercepted, for discussion: - netlink-sockets: iptables_ULOG, decnet, ipv6 Other notes: - Added SCD target sysctl, now used by sys_sysctl and /proc/sys instead of non-intuitive ST_other - Added SCD target nfsd for kernel NFS server control - Added IPC type anonpipe, used by anonymous T_FIFO (if inode on PIPEFS) - Added requests GET_STATUS_DATA, GET_PERMISSIONS_DATA, MODIFY_PERMISSIONS_DATA, SEND for target type DEV - JAIL module: generally deny read, write, GET_STATUS_DATA and MODIFY_SYSTEM_DATA accesses to devices, flags to allow