On Fri, 2020-09-04 at 18:18 +0200, Christian Göttsche wrote: > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > --- > I *hope* the note number 4 is actually correct!? It is correct as noted in [1]. checkpolicy allows 0x1234ABCD and just uses ABCD whereas CIL only allows 0xABCD. [1] https://lore.kernel.org/selinux/1495656704.3489.4.camel@xxxxxxxxxxxxx/ > > src/xperm_rules.md | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > diff --git a/src/xperm_rules.md b/src/xperm_rules.md > index 7f8744b..1e1dfff 100644 > --- a/src/xperm_rules.md > +++ b/src/xperm_rules.md > @@ -1,6 +1,6 @@ > # Extended Access Vector Rules > > -There are three extended AV rules implemented from Policy version 30 > +There are four extended AV rules implemented from Policy version 30 Yes I think they all came under policy 30. It's just that neverallowxperm was added a few months later. > with the target platform 'selinux' that expand the permission sets > from > a fixed 32 bits to permission sets in 256 bit increments: > *allowxperm*, > *dontauditxperm*, *auditallowxperm* and *neverallowxperm*. > @@ -127,6 +127,12 @@ Notes: > class/permission is required. > 3. To deny all ioctl requests for a specific source/target/class > the > *xperm_set* should be set to *0* or *0x0*. > +4. From the 32-bit ioctl request parameter value only the least > significant > + 16 bits are used. Thus *0x8927*, *0x00008927* and *0xabcd8927* > + are the same extended permission. > +5. To decode a numeric ioctl request parameter into the > corresponding > + textual identifier see > + < > https://www.kernel.org/doc/html/latest/userspace-api/ioctl/ioctl-decoding.html > > > > <!-- %CUTHERE% --> >
