• Jeff Vander Stoep's avatar
    selinux: extended permissions for ioctls · fa1aa143
    Jeff Vander Stoep authored
    Add extended permissions logic to selinux. Extended permissions
    provides additional permissions in 256 bit increments. Extend the
    generic ioctl permission check to use the extended permissions for
    per-command filtering. Source/target/class sets including the ioctl
    permission may additionally include a set of commands. Example:
    
    allowxperm <source> <target>:<class> ioctl unpriv_app_socket_cmds
    auditallowxperm <source> <target>:<class> ioctl priv_gpu_cmds
    
    Where unpriv_app_socket_cmds and priv_gpu_cmds are macros
    representing commonly granted sets of ioctl commands.
    
    When ioctl commands are omitted only the permissions are checked.
    This feature is intended to provide finer granularity for the ioctl
    permission that may be too imprecise. For example, the same driver
    may use ioctls to provide important and benign functionality such as
    driver version or socket type as well as dangerous capabilities such
    as debugging features, read/write/execute to physical memory or
    access to sensitive data. Per-command filtering provides a mechanism
    to reduce the attack surface of the kernel, and limit applications
    to the subset of commands required.
    
    The format of the policy binary has been modified to include ioctl
    commands, and the policy version number has been incremented to
    POLICYDB_VERSION_XPERMS_IOCTL=30 to account for the format
    change.
    
    The extended permissions logic is deliberately generic to allow
    components to be reused e.g. netlink filters
    Signed-off-by: default avatarJeff Vander Stoep <jeffv@google.com>
    Acked-by: default avatarNick Kralevich <nnk@google.com>
    Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
    fa1aa143
avc.c 30.4 KB