Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> --- I *hope* the note number 4 is actually correct!? src/xperm_rules.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/xperm_rules.md b/src/xperm_rules.md index 7f8744b..1e1dfff 100644 --- a/src/xperm_rules.md +++ b/src/xperm_rules.md @@ -1,6 +1,6 @@ # Extended Access Vector Rules -There are three extended AV rules implemented from Policy version 30 +There are four extended AV rules implemented from Policy version 30 with the target platform 'selinux' that expand the permission sets from a fixed 32 bits to permission sets in 256 bit increments: *allowxperm*, *dontauditxperm*, *auditallowxperm* and *neverallowxperm*. @@ -127,6 +127,12 @@ Notes: class/permission is required. 3. To deny all ioctl requests for a specific source/target/class the *xperm_set* should be set to *0* or *0x0*. +4. From the 32-bit ioctl request parameter value only the least significant + 16 bits are used. Thus *0x8927*, *0x00008927* and *0xabcd8927* + are the same extended permission. +5. To decode a numeric ioctl request parameter into the corresponding + textual identifier see + <https://www.kernel.org/doc/html/latest/userspace-api/ioctl/ioctl-decoding.html> <!-- %CUTHERE% --> -- 2.28.0
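Review bot: Note 4 in the second hunk is correct and worth stating more precisely: the kernel's ioctl hook splits the request value into an 8-bit driver number (the request shifted right by 8 and truncated to a u8) and an 8-bit function number (the request masked with 0xff), so only the low 16 bits take part in the extended permission check and *0x8927*, *0x00008927* and *0xabcd8927* all resolve to driver 0x89, function 0x27. Suggest extending the note with one sentence along the lines of "Of these 16 bits the upper 8 select the driver and the lower 8 the function, which is how the driver/function ranges in *xperm_set* are matched." Note 5 also lacks a full stop after the link, unlike notes 1 to 4.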