On Fri, Sep 4, 2020 at 12:18 PM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote: > > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > --- > I *hope* the note number 4 is actually correct!? > > src/xperm_rules.md | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) Hi Christian, I'm sorry for the delay but this fix is now merged. I did have to merge it by hand so please double check to make sure I didn't mess it up (it looked good to me in all three formats). > diff --git a/src/xperm_rules.md b/src/xperm_rules.md > index 7f8744b..1e1dfff 100644 > --- a/src/xperm_rules.md > +++ b/src/xperm_rules.md > @@ -1,6 +1,6 @@ > # Extended Access Vector Rules > > -There are three extended AV rules implemented from Policy version 30 > +There are four extended AV rules implemented from Policy version 30 > with the target platform 'selinux' that expand the permission sets from > a fixed 32 bits to permission sets in 256 bit increments: *allowxperm*, > *dontauditxperm*, *auditallowxperm* and *neverallowxperm*. > @@ -127,6 +127,12 @@ Notes: > class/permission is required. > 3. To deny all ioctl requests for a specific source/target/class the > *xperm_set* should be set to *0* or *0x0*. > +4. From the 32-bit ioctl request parameter value only the least significant > + 16 bits are used. Thus *0x8927*, *0x00008927* and *0xabcd8927* > + are the same extended permission. > +5. To decode a numeric ioctl request parameter into the corresponding > + textual identifier see > + <https://www.kernel.org/doc/html/latest/userspace-api/ioctl/ioctl-decoding.html> > > <!-- %CUTHERE% --> > > -- > 2.28.0 -- paul moore www.paul-moore.com
