On Thu, Apr 9, 2015 at 5:48 PM, Jeff Vander Stoep <jeffv@xxxxxxxxxx> wrote:
> ---- motivation ----
> Ioctls provide many of the operations necessary for device control. The typical
> driver supports a device specific set of operations accessible by the ioctl
> system call and specified by the command argument. SELinux provides per
> operation access control to many system operations e.g. chown, kill, setuid,
> ipc_lock, etc. Ioctls on the other hand are granted on a per file descriptor
> basis using the ioctl permission, meaning that the set of operations provided
> by the driver are granted on an all-or-nothing basis. In some cases this may be
> acceptable, but often the same driver provides a large and diverse set of
> operations such as benign and necessary functionality as well as dangerous
> capabilities, or access to system information that should be restricted.

I haven't had a chance to review your patches yet, but thank you for
posting them and responding to the early feedback. It may take me a
few weeks to review these patches, but they are in my review queue.

-Paul

--
paul moore
www.paul-moore.com