Thanks Paul. I wasn't anticipating much feedback until the userspace changes were submitted. Just got those in on Wednesday. Let me know if there is anything else I can provide.

On Thu, Apr 23, 2015 at 3:28 PM, Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> On Thu, Apr 9, 2015 at 5:48 PM, Jeff Vander Stoep <jeffv@xxxxxxxxxx> wrote:
>> ---- motivation ----
>> Ioctls provide many of the operations necessary for device control. The typical
>> driver supports a device-specific set of operations accessible by the ioctl
>> system call and specified by the command argument. SELinux provides per-operation
>> access control to many system operations, e.g. chown, kill, setuid,
>> ipc_lock, etc. Ioctls, on the other hand, are granted on a per-file-descriptor
>> basis using the ioctl permission, meaning that the set of operations provided
>> by the driver is granted on an all-or-nothing basis. In some cases this may be
>> acceptable, but often the same driver provides a large and diverse set of
>> operations, such as benign and necessary functionality as well as dangerous
>> capabilities or access to system information that should be restricted.
>
> I haven't had a chance to review your patches yet, but thank you for
> posting them and responding to the early feedback. It may take me a
> few weeks to review these patches, but they are in my review queue.
>
> -Paul
>
> --
> paul moore
> www.paul-moore.com

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
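The quoted motivation contrasts the coarse per-file-descriptor ioctl permission with per-command control. The following is an added example, not code from the posted patches or from the SELinux project: it decodes Linux ioctl command numbers into their direction, size, type and number fields and applies a per-command allowlist keyed on the (type, nr) pair, so that a benign command and a dangerous command on the same device node get different answers. The bit layout reproduces the asm-generic ioctl encoding so the file builds without kernel headers; the allowlist structure, the 'X' driver and its three commands are hypothetical, constructed for the illustration.

```c
/*
 * Added example (not the patches' code): per-command ioctl allowlisting
 * versus the all-or-nothing per-fd "ioctl" permission.  Field layout
 * follows the asm-generic _IOC encoding: dir:2 | size:14 | type:8 | nr:8.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IOC_NRSHIFT   0
#define IOC_TYPESHIFT 8
#define IOC_SIZESHIFT 16
#define IOC_DIRSHIFT  30

#define IOC_NONE  0U
#define IOC_WRITE 1U
#define IOC_READ  2U

/* Same arithmetic as the kernel's _IOC(dir, type, nr, size). */
#define IOC(dir, type, nr, size)                                           \
    (((uint32_t)(dir) << IOC_DIRSHIFT) | ((uint32_t)(size) << IOC_SIZESHIFT) | \
     ((uint32_t)(type) << IOC_TYPESHIFT) | ((uint32_t)(nr) << IOC_NRSHIFT))

unsigned ioc_dir(uint32_t cmd)  { return (cmd >> IOC_DIRSHIFT) & 0x3U; }
unsigned ioc_size(uint32_t cmd) { return (cmd >> IOC_SIZESHIFT) & 0x3fffU; }
unsigned ioc_type(uint32_t cmd) { return (cmd >> IOC_TYPESHIFT) & 0xffU; }
unsigned ioc_nr(uint32_t cmd)   { return (cmd >> IOC_NRSHIFT) & 0xffU; }

/* Hypothetical allowlist layout: one entry per driver "type" byte, each
 * holding a 256-bit map of permitted command numbers for that driver. */
struct ioctl_allowlist {
    uint8_t type;
    uint8_t nr_map[32];
};

struct ioctl_policy {
    const struct ioctl_allowlist *entries;
    size_t n;
};

static void allow_nr(struct ioctl_allowlist *e, unsigned nr)
{
    e->nr_map[nr / 8] |= (uint8_t)(1U << (nr % 8));
}

/*
 * Per-command check.  The caller is assumed to already hold the coarse
 * ioctl permission on the file descriptor; this narrows it to the listed
 * (type, nr) pairs.  Direction and size are deliberately ignored: both
 * are chosen by the caller and must not be able to widen the grant.
 * A driver type with no entry at all is denied.
 */
bool ioctl_permitted(const struct ioctl_policy *p, uint32_t cmd)
{
    unsigned type = ioc_type(cmd), nr = ioc_nr(cmd);
    for (size_t i = 0; i < p->n; i++) {
        if (p->entries[i].type != type)
            continue;
        return (p->entries[i].nr_map[nr / 8] >> (nr % 8)) & 1U;
    }
    return false;
}

/* Constructed driver 'X': nr 1 (read status) is benign and allowed;
 * nr 2 (reset device) and nr 3 (dump firmware) are not listed. */
#define DEMO_TYPE       'X'
#define DEMO_GET_STATUS IOC(IOC_READ, DEMO_TYPE, 1, 4)
#define DEMO_RESET      IOC(IOC_NONE, DEMO_TYPE, 2, 0)
#define DEMO_DUMP_FW    IOC(IOC_READ, DEMO_TYPE, 3, 4096)

const struct ioctl_policy *demo_policy(void)
{
    static struct ioctl_allowlist entry = { .type = DEMO_TYPE };
    static const struct ioctl_policy pol = { .entries = &entry, .n = 1 };
    allow_nr(&entry, 1);  /* idempotent, so repeated calls are safe */
    return &pol;
}

int main(void)
{
    const struct ioctl_policy *p = demo_policy();
    const uint32_t cmds[] = { DEMO_GET_STATUS, DEMO_RESET, DEMO_DUMP_FW };
    for (size_t i = 0; i < sizeof cmds / sizeof cmds[0]; i++)
        printf("cmd 0x%08x type '%c' nr %u dir %u size %u -> %s\n",
               cmds[i], ioc_type(cmds[i]), ioc_nr(cmds[i]),
               ioc_dir(cmds[i]), ioc_size(cmds[i]),
               ioctl_permitted(p, cmds[i]) ? "allowed" : "denied");
    return 0;
}
```

The check keys only on the type and number bytes because a caller who can pick the direction and size bits would otherwise be able to mint an unlisted variant of an allowed command; anything the policy does not mention is denied rather than inherited from the fd-level grant.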