On Fri, Nov 06, 2015 at 09:51:08AM -0800, Jeffrey Vander Stoep wrote:
> > Applying ioctl whitelisting on GNU/Linux systems looks to me pretty hard
> > to do though. Many drivers, and their ioctls to support.
>
> Agreed.
>
> On Android we use ioctl whitelisting only in a targeted manner. I
> think the same approach could (should) be applied to GNU/Linux.
>
> The example that went out in the M release focused on restricting the
> leakage of privacy sensitive information from socket ioctls. Apps are
> blocked from using socket ioctls to access the wifi MAC address, wifi
> SSID and layer 2 encryption protocol. I could see a similar policy
> applied to the GNU/Linux browser. Ioctl policies on GPU access also
> seem practical albeit device specific.

Thanks. That prompted me to see what happened to the seandroid repository on bitbucket, because it has been stale for a while now.

Found https://android.googlesource.com/platform/external/sepolicy/+/master/ioctl_macros

That should be easy to implement on GNU/Linux indeed. Will try that soon.

> Constructing a comprehensive list of ioctls and the
> source/target/class sets that require access does not strike me as
> practical. In many cases these ioctls are already properly restricted
> via the ioctl permission.
>
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
-- 
02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
https://sks-keyservers.net/pks/lookup?op=get&search=0x314883A202DFF788
Dominick Grift
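A targeted ioctl whitelist for the GNU/Linux browser case the thread discusses, written in the allowxperm/neverallowxperm style Android's ioctl_macros file uses. This is an added illustration, not code from the thread, from Android's policy or from refpolicy: the domain name browser_t and both macro names are assumptions, the command numbers are the kernel's, and it assumes a kernel and checkpolicy with extended-permission (xperm) support.

```selinux
# Added illustration. Assumed names: browser_t (the confined GNU/Linux
# browser domain) and the two macro names below; Android's ioctl_macros
# uses its own names and sets. Command numbers are the kernel's, from
# <asm/ioctls.h>, <linux/sockios.h> and <linux/wireless.h>.

# 1. The classic ioctl permission. On its own it grants every ioctl
#    command number on the object, which is the gap the thread discusses.
allow browser_t self:{ tcp_socket udp_socket } { create getattr read write ioctl };

# 2. Extended permission. As soon as one allowxperm rule exists for a
#    source/target/class/ioctl tuple, only the listed command numbers
#    pass; every other command on that tuple is denied and audited.
define(`browser_sock_ioctls', `{
    # FIONBIO FIONREAD FIOCLEX FIONCLEX: non-blocking mode, readable
    # byte count, close-on-exec flag
    0x5421 0x541b 0x5451 0x5450
    # SIOCGIFNAME SIOCGIFCONF SIOCGIFFLAGS SIOCGIFINDEX: interface
    # name/index/flag lookups that leak nothing beyond what /sys exposes
    0x8910 0x8912 0x8913 0x8933
}')
allowxperm browser_t self:{ tcp_socket udp_socket } ioctl browser_sock_ioctls;

# 3. Pin down the privacy-sensitive commands named in the thread so no
#    later allowxperm rule can widen the set: checkpolicy rejects the
#    build if any rule in the policy grants one of them to browser_t.
define(`privacy_sock_ioctls', `{
    # SIOCGIFHWADDR: interface (wifi) MAC address
    0x8927
    # SIOCGIWESSID: wifi SSID
    0x8b1b
    # SIOCGIWENCODE: layer 2 encryption settings
    0x8b2b
}')
neverallowxperm browser_t domain:{ tcp_socket udp_socket } ioctl privacy_sock_ioctls;
```

When a command outside the whitelist is attempted, the AVC denial carries an ioctlcmd= field with the command number, which is what to look for when tuning the set for a real browser.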