From: Joshua Brindle <brindle@quarksecurity.com>
To: William Roberts <bill.c.roberts@gmail.com>
Cc: linux-security-module@vger.kernel.org,
Stephen Smalley <sds@tycho.nsa.gov>,
James Morris <james.l.morris@oracle.com>,
selinux@tycho.nsa.gov
Subject: Re: [PATCH 0/2] selinux: add targeted whitelisting of ioctl commands.
Date: Thu, 21 May 2015 10:57:18 -0400 [thread overview]
Message-ID: <555DF24E.1060000@quarksecurity.com> (raw)
In-Reply-To: <CAFftDdpayX=GqssXHxpfq8UTycJSfamGQdzqMWe9wYDfwwegvg@mail.gmail.com>
William Roberts wrote:
> On May 21, 2015 7:53 AM, "Joshua Brindle"<brindle@quarksecurity.com> wrote:
>> William Roberts wrote:
>>> On Wed, May 20, 2015 at 9:17 PM, Jeffrey Vander Stoep<jeffv@google.com>
>>> wrote:
>>>
>>>> Thanks for all the feedback and suggestions. Agreed that raw numerical
>>>> values are confusing. I will fix up the commit message to set a better
>>>> precedent for intended use. I included them more to illustrate what is
>>>> happening under the hood. I like the idea of a qualifier for clarity.
>>>> The qualifier seems necessary for the suggested non-ioctl-specific
>>>> approach.
>>>>
>>>> Individual ioctl labels are only marginally better than raw numbers.
>>>> E.g. { TCSETSF TIOCGWINSZ TCGETA TCSETA TCSETAW TCSETAF TCSBRK TCXONC
>>>> TIOCMBIS }. More helpful...but not much.
>>>>
>>>> My plan was to group commonly used ioctl sets into macros.
>>>>
>>>> e.g. common_socket_ioc, priv_socket_ioc, tty_ioc, gpu_ioc, etc
>>>>
>>> This is exactly what I had in mind, just use m4
>>>
>> Even outside of my analysis use case I think this is not a good idea.
>>
>> Consider the Android base policy defined gpu_op as a set of ioctls, and
> there were related rules for gpu users defined there. Then a device variant
> policy has additional gpu_op ioctl's. How does it add them? Does it have to
> re-add all of the related rules with the new ioctls?
>
> I could define a new macro my_device_GPU_ioctls and include the base macro
> in its expansion.
And repeat every related rule (and keep them in sync as the base policy
develops). How much easier is it just to add your ioctl to an ioctl
attribute and be done?
>
>> In the ioctl-attibute case the variant policy would just add its specific
> ioctls to gpu_op and everything would be taken care of.
>> Then we just need to preserve the symbols for looking at policies and
> we'll all be happy, right?
>>
>>>> After monitoring ioctl use across five different devices I think this
>>>> is a good approach as just 10-20 macros would be adequate for a
>>>> targeted policy and would provide a clearer explanation of the
>>>> permissions given.
>>>>
>>>
>>>
>
next prev parent reply other threads:[~2015-05-21 14:57 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-04-09 21:48 [PATCH 0/2] selinux: add targeted whitelisting of ioctl commands Jeff Vander Stoep
2015-04-09 23:03 ` Jeffrey Vander Stoep
2015-04-22 22:18 ` Jeffrey Vander Stoep
2015-04-23 22:28 ` Paul Moore
2015-04-24 15:02 ` Jeffrey Vander Stoep
2015-05-20 20:04 ` Paul Moore
2015-05-20 21:56 ` Jeffrey Vander Stoep
2015-05-21 0:39 ` William Roberts
2015-05-21 2:08 ` Joshua Brindle
2015-05-21 4:17 ` Jeffrey Vander Stoep
2015-05-21 11:21 ` Paul Moore
2015-05-21 13:35 ` Joshua Brindle
2015-05-21 14:10 ` Paul Moore
2015-05-21 14:16 ` Joshua Brindle
2015-05-21 14:19 ` Paul Moore
2015-05-21 14:23 ` Joshua Brindle
2015-05-21 14:37 ` Paul Moore
2015-05-21 14:41 ` Joshua Brindle
2015-05-21 14:44 ` William Roberts
2015-05-21 14:53 ` Joshua Brindle
2015-05-21 14:56 ` William Roberts
2015-05-21 14:57 ` Joshua Brindle [this message]
2015-05-21 15:09 ` Stephen Smalley
2015-05-21 15:27 ` Joshua Brindle
2015-05-21 18:05 ` Jeffrey Vander Stoep
2015-05-22 18:12 ` Paul Moore
2015-05-21 12:37 ` Stephen Smalley
2015-05-21 12:34 ` Stephen Smalley
2015-05-21 13:43 ` James Carter
2015-05-21 13:50 ` Stephen Smalley
2015-05-21 13:54 ` Stephen Smalley
2015-05-21 14:04 ` Paul Moore
2015-05-21 14:10 ` James Carter
2015-05-21 14:11 ` Stephen Smalley
2015-05-21 14:13 ` Paul Moore
2015-05-21 14:14 ` Joshua Brindle
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=555DF24E.1060000@quarksecurity.com \
--to=brindle@quarksecurity.com \
--cc=bill.c.roberts@gmail.com \
--cc=james.l.morris@oracle.com \
--cc=linux-security-module@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.