On Fri, Jun 12, 2015 at 12:02 PM, Jeff Vander Stoep <jeffv@xxxxxxxxxx> wrote:
> Add extended permissions logic to selinux. Extended permissions
> provide additional permissions in 256-bit increments. Extend the
> generic ioctl permission check to use the extended permissions for
> per-command filtering. Source/target/class sets including the ioctl
> permission may additionally include a set of commands. Example:
>
> allowxperm <source> <target>:<class> ioctl unpriv_app_socket_cmds
> auditallowxperm <source> <target>:<class> ioctl priv_gpu_cmds
>
> Where unpriv_app_socket_cmds and priv_gpu_cmds are macros
> representing commonly granted sets of ioctl commands.
>
> When ioctl commands are omitted only the permissions are checked.
> This feature is intended to provide finer granularity for the ioctl
> permission that may be too imprecise. For example, the same driver
> may use ioctls to provide important and benign functionality such as
> driver version or socket type as well as dangerous capabilities such
> as debugging features, read/write/execute to physical memory or
> access to sensitive data. Per-command filtering provides a mechanism
> to reduce the attack surface of the kernel, and limit applications
> to the subset of commands required.
>
> The format of the policy binary has been modified to include ioctl
> commands, and the policy version number has been incremented to
> POLICYDB_VERSION_XPERMS_IOCTL=30 to account for the format
> change.
>
> The extended permissions logic is deliberately generic to allow
> components to be reused, e.g. netlink filters.
>
> Bug: 19416735
> Change-Id: Ibd462f12ba5748cf5dd91f28e5795764363121a2
> Signed-off-by: Jeff Vander Stoep <jeffv@xxxxxxxxxx>
> ---
> v6 adds omitted function comment header entries for avc_update_node
>
>  security/selinux/avc.c              | 415 ++++++++++++++++++++++++++++++++++--
>  security/selinux/hooks.c            |  42 +++-
>  security/selinux/include/avc.h      |   6 +
>  security/selinux/include/security.h |  32 ++-
>  security/selinux/ss/avtab.c         | 104 +++++++--
>  security/selinux/ss/avtab.h         |  33 ++-
>  security/selinux/ss/conditional.c   |  32 ++-
>  security/selinux/ss/conditional.h   |   6 +-
>  security/selinux/ss/policydb.c      |   5 +
>  security/selinux/ss/services.c      | 213 ++++++++++++++++--
>  security/selinux/ss/services.h      |   6 +
>  11 files changed, 834 insertions(+), 60 deletions(-)

Also applied to the SELinux next-queue, thank you.

However, can you explain the "Bug" and "Change-Id" headers in your patch description above? They are horribly generic and I'd like to remove them from the sign-off or at least provide a more descriptive name in order to limit the confusion. For example, could we provide a URL instead of a bug ID#? Could it be an Android-Change-Id (or similar)?

--
paul moore
www.paul-moore.com

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
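An added example, not code from the patch or from either participant in the thread: a small Python model of the semantics the commit message states, in which a rule's ioctl commands are held as 256-bit bitmaps and the access check passes only if the generic ioctl permission is granted and, when a command set was supplied, the specific command bit is set. The macro contents and the mapping of a command onto a chunk (low 8 bits select the bit, remaining bits select the chunk) are this example's own assumptions, not taken from the patch.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set, Tuple

# Constructed stand-ins for the macros named in the commit message; the real
# Android macro contents are not part of this thread.
MACROS: Dict[str, Set[int]] = {
    "unpriv_app_socket_cmds": {0x8901, 0x8902, 0x8904},
    "priv_gpu_cmds": {0x4601, 0x4602},
}

RULE_RE = re.compile(
    r"^(allowxperm|auditallowxperm)\s+(\S+)\s+(\S+):(\S+)\s+(\S+)\s+(\S+)$")


@dataclass
class ExtendedPerms:
    # chunk index -> 256-bit bitmap of granted commands within that chunk
    chunks: Dict[int, int] = field(default_factory=dict)

    @classmethod
    def from_commands(cls, cmds: Iterable[int]) -> "ExtendedPerms":
        xp = cls()
        for cmd in cmds:
            # assumption: the low 8 bits pick the bit, the remaining bits the chunk
            chunk, bit = cmd >> 8, cmd & 0xFF
            xp.chunks[chunk] = xp.chunks.get(chunk, 0) | (1 << bit)
        return xp

    def contains(self, cmd: int) -> bool:
        return bool((self.chunks.get(cmd >> 8, 0) >> (cmd & 0xFF)) & 1)


def parse_xperm_rule(line: str) -> Tuple[str, str, str, str, str, ExtendedPerms]:
    """Parse the statement form quoted above; returns
    (kind, source, target, class, perm, commands), resolving the macro."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an xperm rule: {line!r}")
    kind, src, tgt, tclass, perm, cmdset = m.groups()
    return kind, src, tgt, tclass, perm, ExtendedPerms.from_commands(MACROS[cmdset])


def ioctl_allowed(perms: Set[str], xperms: Optional[ExtendedPerms], cmd: int) -> bool:
    """Generic permission check first; per-command filter only if a set was given."""
    if "ioctl" not in perms:
        return False
    if xperms is None:
        return True  # commands omitted: only the permission is checked
    return xperms.contains(cmd)
```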