From: Stephen Smalley <sds@tycho.nsa.gov>
To: Joshua Brindle <brindle@quarksecurity.com>,
William Roberts <bill.c.roberts@gmail.com>
Cc: james.l.morris@oracle.com, linux-security-module@vger.kernel.org,
"selinux@tycho.nsa.gov" <selinux@tycho.nsa.gov>
Subject: Re: [PATCH 0/2] selinux: add targeted whitelisting of ioctl commands.
Date: Thu, 21 May 2015 08:37:40 -0400 [thread overview]
Message-ID: <555DD194.3060702@tycho.nsa.gov> (raw)
In-Reply-To: <555D3E20.7050907@quarksecurity.com>
On 05/20/2015 10:08 PM, Joshua Brindle wrote:
> William Roberts wrote:
> <snip>
>>>> ---- Policy format ----
>>>> allow<source> <target>:<class> { 0x8910-0x8926 0x892A-0x8935 }
>>>> auditallow<source> <target>:<class> 0x892A
>>> I agree with only specifying the lower 16 bits (command,type) when
>>> specifying
>>> the individual ioctls, I even like the '-' shortcut, but I'm a little
>>> concerned about specifying a number directly in the permission field
>>> without
>>> any sort of qualifier. Specifically I'm worried that it hurts the
>>> readability
>>> of the policy and could pose problems with future work.
>>>
>>> I'd be much happier if we could add some sort of syntax which would
>>> qualify
>>> the numbers as ioctls, for example:
>>>
>>> allow<source> <target>:<class> { ioctl(0x8910-0x8926)
>>> ioctl(0x892A) }
>>>
>>>
>> If you want additional syntax couldn't we move that burden to m4 rather
>> then making it a part of the compiler core?
>>
>
> I haven't looked at the patches but the parser isn't going to be any
> more or less complex either way, so whatever looks better and is easier
> to generate is likely better.
>
> These raw values really bother me, though. They make policy impossible
> to interpret if you do not have an intimate understanding of the
> drivers. Are these really permissions? It seems closer to Xen's labeling
> of memory addresses and pci devices.
>
> For reference Xen policy labels various objects:
> pirqcon 33 system_u:object_r:nicP_t
> iomemcon 0xfebe0-0xfebff system_u:object_r:nicP_t
> iomemcon 0xfebd9 system_u:object_r:nicP_t
> ioportcon 0xecc0-0xecdf system_u:object_r:nicP_t
> pcidevicecon 0xc800 system_u:object_r:nicP_t
>
> And uses standard TE rules to allow access.
>
> Why not label ioctls and have an ioctl object class?
An early version of the patches tried that, but I advised against it.
ioctl commands are not objects/resources; they are actions and therefore
map to something like permissions. Further, the object in these checks
is the device node security context and class, which reflects the
underlying driver, e.g. the GPU driver, the binder driver, the block
driver for the /system partition, etc. IIRC, the early version of the
patch had two checks, the normal ioctl check against the device node
security context and a new check against the security context derived
from the ioctl command value, but the pairwise checking doesn't
necessarily give you the same control or expressiveness.
next prev parent reply other threads:[~2015-05-21 12:37 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-04-09 21:48 [PATCH 0/2] selinux: add targeted whitelisting of ioctl commands Jeff Vander Stoep
2015-04-09 23:03 ` Jeffrey Vander Stoep
2015-04-22 22:18 ` Jeffrey Vander Stoep
2015-04-23 22:28 ` Paul Moore
2015-04-24 15:02 ` Jeffrey Vander Stoep
2015-05-20 20:04 ` Paul Moore
2015-05-20 21:56 ` Jeffrey Vander Stoep
2015-05-21 0:39 ` William Roberts
2015-05-21 2:08 ` Joshua Brindle
2015-05-21 4:17 ` Jeffrey Vander Stoep
2015-05-21 11:21 ` Paul Moore
2015-05-21 13:35 ` Joshua Brindle
2015-05-21 14:10 ` Paul Moore
2015-05-21 14:16 ` Joshua Brindle
2015-05-21 14:19 ` Paul Moore
2015-05-21 14:23 ` Joshua Brindle
2015-05-21 14:37 ` Paul Moore
2015-05-21 14:41 ` Joshua Brindle
2015-05-21 14:44 ` William Roberts
2015-05-21 14:53 ` Joshua Brindle
2015-05-21 14:56 ` William Roberts
2015-05-21 14:57 ` Joshua Brindle
2015-05-21 15:09 ` Stephen Smalley
2015-05-21 15:27 ` Joshua Brindle
2015-05-21 18:05 ` Jeffrey Vander Stoep
2015-05-22 18:12 ` Paul Moore
2015-05-21 12:37 ` Stephen Smalley [this message]
2015-05-21 12:34 ` Stephen Smalley
2015-05-21 13:43 ` James Carter
2015-05-21 13:50 ` Stephen Smalley
2015-05-21 13:54 ` Stephen Smalley
2015-05-21 14:04 ` Paul Moore
2015-05-21 14:10 ` James Carter
2015-05-21 14:11 ` Stephen Smalley
2015-05-21 14:13 ` Paul Moore
2015-05-21 14:14 ` Joshua Brindle
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=555DD194.3060702@tycho.nsa.gov \
--to=sds@tycho.nsa.gov \
--cc=bill.c.roberts@gmail.com \
--cc=brindle@quarksecurity.com \
--cc=james.l.morris@oracle.com \
--cc=linux-security-module@vger.kernel.org \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.