From: Joshua Brindle <brindle@quarksecurity.com>
To: Paul Moore <paul@paul-moore.com>
Cc: James Morris <james.l.morris@oracle.com>,
linux-security-module@vger.kernel.org,
"selinux@tycho.nsa.gov" <selinux@tycho.nsa.gov>,
Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: [PATCH 0/2] selinux: add targeted whitelisting of ioctl commands.
Date: Thu, 21 May 2015 10:16:04 -0400 [thread overview]
Message-ID: <555DE8A4.2050000@quarksecurity.com> (raw)
In-Reply-To: <CAHC9VhSeZA_qKK_7L94C24LsctATj5etRK7bayO2W6TfmimwOg@mail.gmail.com>
Paul Moore wrote:
> On Thu, May 21, 2015 at 9:35 AM, Joshua Brindle
> <brindle@quarksecurity.com> wrote:
>> Paul Moore wrote:
>>> On Thu, May 21, 2015 at 12:17 AM, Jeffrey Vander Stoep wrote:
>>>> Thanks for all the feedback and suggestions. Agreed that raw numerical
>>>> values are confusing. I will fix up the commit message to set a better
>>>> precedent for intended use. I included them more to illustrate what is
>>>> happening under the hood. I like the idea of a qualifier for clarity.
>>>> The qualifier seems necessary for the suggested non-ioctl-specific
>>>> approach.
>>> Great, thank you.
>>>
>>>> Individual ioctl labels are only marginally better than raw numbers.
>>>> E.g. { TCSETSF TIOCGWINSZ TCGETA TCSETA TCSETAW TCSETAF TCSBRK TCXONC
>>>> TIOCMBIS }. More helpful...but not much.
>>>>
>>>> My plan was to group commonly used ioctl sets into macros.
>>>>
>>>> e.g. common_socket_ioc, priv_socket_ioc, tty_ioc, gpu_ioc, etc
>>>>
>>>> After monitoring ioctl use across five different devices I think this
>>>> is a good approach as just 10-20 macros would be adequate for a
>>>> targeted policy and would provide a clearer explanation of the
>>>> permissions given.
>>> Agreed. We can use m4 to provide both the ioctl names and sets if needed.
>> m4 is never the answer....
>
> Except for the policy interfaces, permission sets, etc. ;)
>
> See Stephen's comments on this, specifically the idea that ioctls are
> not objects. Further, the existing permission set shorthand is a very
> good precedence for this approach towards ioctl number handling; I see
> no reason *not* to use m4.
>
The reason *not* to use m4 is because we want some sort of meaningful
identifiers preserved in the kernel policy for analysis. I know that
isn't your use case but it is some of ours.
>> An attribute-like symbol that is maintained in the binary would make these
>> visible in the loaded policy and therefore more understandable/analyzable.
>
> I think the proposed approach is easily understood and/or analyzable.
>
>> It would also allow you to easily add them in specific devices in a more
>> readable way. For example, if the Android base policy allowed gpu_ioc to
>> surfaceflinger all a device specific variant would need to do is add its
>> ioctls to the attribute.
>
> Once again, I think the proposed approach ticks these boxes as well.
>
Not in the *kernel binary*
next prev parent reply other threads:[~2015-05-21 14:16 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-04-09 21:48 [PATCH 0/2] selinux: add targeted whitelisting of ioctl commands Jeff Vander Stoep
2015-04-09 23:03 ` Jeffrey Vander Stoep
2015-04-22 22:18 ` Jeffrey Vander Stoep
2015-04-23 22:28 ` Paul Moore
2015-04-24 15:02 ` Jeffrey Vander Stoep
2015-05-20 20:04 ` Paul Moore
2015-05-20 21:56 ` Jeffrey Vander Stoep
2015-05-21 0:39 ` William Roberts
2015-05-21 2:08 ` Joshua Brindle
2015-05-21 4:17 ` Jeffrey Vander Stoep
2015-05-21 11:21 ` Paul Moore
2015-05-21 13:35 ` Joshua Brindle
2015-05-21 14:10 ` Paul Moore
2015-05-21 14:16 ` Joshua Brindle [this message]
2015-05-21 14:19 ` Paul Moore
2015-05-21 14:23 ` Joshua Brindle
2015-05-21 14:37 ` Paul Moore
2015-05-21 14:41 ` Joshua Brindle
2015-05-21 14:44 ` William Roberts
2015-05-21 14:53 ` Joshua Brindle
2015-05-21 14:56 ` William Roberts
2015-05-21 14:57 ` Joshua Brindle
2015-05-21 15:09 ` Stephen Smalley
2015-05-21 15:27 ` Joshua Brindle
2015-05-21 18:05 ` Jeffrey Vander Stoep
2015-05-22 18:12 ` Paul Moore
2015-05-21 12:37 ` Stephen Smalley
2015-05-21 12:34 ` Stephen Smalley
2015-05-21 13:43 ` James Carter
2015-05-21 13:50 ` Stephen Smalley
2015-05-21 13:54 ` Stephen Smalley
2015-05-21 14:04 ` Paul Moore
2015-05-21 14:10 ` James Carter
2015-05-21 14:11 ` Stephen Smalley
2015-05-21 14:13 ` Paul Moore
2015-05-21 14:14 ` Joshua Brindle
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=555DE8A4.2050000@quarksecurity.com \
--to=brindle@quarksecurity.com \
--cc=james.l.morris@oracle.com \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.