On 10/21/23 00:20, Casey Schaufler wrote:
On 10/20/2023 8:58 AM, Maxime Coquelin wrote:
This patch introduces LSM hooks for devices creation,
destruction and opening operations, checking the
application is allowed to perform these operations for
the Virtio device type.
Why do you think that there needs to be a special LSM check for virtio
devices? What can't existing device attributes be used?
Michael asked for a way for SELinux to allow/prevent the creation of
some types of devices [0].
A device is created using ioctl() on VDUSE control chardev. Its type is
specified via a field in the structure passed in argument.
I didn't see other way than adding dedicated LSM hooks to achieve this,
but it is possible that their is a better way to do it?
Thanks,
Maxime
[0]:
https://lore.kernel.org/all/20230829130430-mutt-send-email-mst@xxxxxxxxxx/
_______________________________________________
Virtualization mailing list
Virtualization@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/virtualization