Re: [RFC] LSM generic ioctl permissions patch (1/1)

From: Stephen Smalley (sds@private)
Date: Thu Nov 10 2005 - 06:58:07 PST


On Thu, 2005-11-10 at 00:04 -0800, Chris Wright wrote:
> Interesting approach.  Here are a few issues I see:
> 
> 1) Ioctls are already a mess, it's not clear this helps that situation.
> For example, IOC_DIR is already enough to figure read/write, and adding
> a new table which could get the wrong dir when it's supposedly already
> encoded just seems to add to the mess.

Hmmm...so you'd suggest just having the existing selinux_file_ioctl()
hook function switch off of _IOC_DIR(cmd) and apply checking based on
that information?  That would be a very simple patch.

-- 
Stephen Smalley
National Security Agency
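The approach Stephen floats above, switching on _IOC_DIR(cmd) inside the file_ioctl hook, as an added user-space model written for this page; it is not the SELinux hook or any patch from this thread. The _IOC_* macros reproduce the generic Linux ioctl encoding (include/uapi/asm-generic/ioctl.h; a few architectures use different direction bit values) so the program builds without kernel headers. FILE__IOCTL, FILE__READ and FILE__WRITE are constructed permission bits, not SELinux's real access vector values, and the EXAMPLE_* numbers belong to a hypothetical device.

```c
/* Added example, not the SELinux patch from the thread: a user-space model of
 * an LSM file_ioctl hook that derives the needed permission from _IOC_DIR(cmd).
 * The _IOC_* macros copy the generic Linux encoding
 * (include/uapi/asm-generic/ioctl.h); some architectures use other values. */
#include <stdio.h>

#define _IOC_NRBITS    8
#define _IOC_TYPEBITS  8
#define _IOC_SIZEBITS  14
#define _IOC_DIRBITS   2

#define _IOC_NRSHIFT   0
#define _IOC_TYPESHIFT (_IOC_NRSHIFT + _IOC_NRBITS)
#define _IOC_SIZESHIFT (_IOC_TYPESHIFT + _IOC_TYPEBITS)
#define _IOC_DIRSHIFT  (_IOC_SIZESHIFT + _IOC_SIZEBITS)

#define _IOC_NONE  0U
#define _IOC_WRITE 1U
#define _IOC_READ  2U

#define _IOC(dir, type, nr, size) \
    (((dir) << _IOC_DIRSHIFT) | ((type) << _IOC_TYPESHIFT) | \
     ((nr) << _IOC_NRSHIFT) | ((size) << _IOC_SIZESHIFT))
#define _IO(type, nr)         _IOC(_IOC_NONE, (type), (nr), 0)
#define _IOR(type, nr, size)  _IOC(_IOC_READ, (type), (nr), sizeof(size))
#define _IOW(type, nr, size)  _IOC(_IOC_WRITE, (type), (nr), sizeof(size))
#define _IOWR(type, nr, size) _IOC(_IOC_READ | _IOC_WRITE, (type), (nr), sizeof(size))

#define _IOC_DIR(nr) (((nr) >> _IOC_DIRSHIFT) & ((1 << _IOC_DIRBITS) - 1))

/* Constructed permission bits standing in for the file-class permissions an
 * LSM policy would grant; not SELinux's real access vector values. */
#define FILE__IOCTL 0x1U
#define FILE__READ  0x2U
#define FILE__WRITE 0x4U

/* Map an ioctl request number to the permissions a caller must hold.
 * Every ioctl needs FILE__IOCTL; the direction bits add read and/or write.
 * Kernel naming: _IOC_READ means the driver copies data out to user memory
 * (the caller reads from the device), so it maps to FILE__READ; _IOC_WRITE
 * means the caller pushes data into the device, so it maps to FILE__WRITE. */
unsigned int required_perms(unsigned int cmd)
{
    unsigned int dir = _IOC_DIR(cmd);
    unsigned int perms = FILE__IOCTL;

    if (dir & _IOC_READ)
        perms |= FILE__READ;
    if (dir & _IOC_WRITE)
        perms |= FILE__WRITE;
    return perms;
}

/* Model of the hook decision: 0 (allow) when every required bit is granted,
 * otherwise -13, the value of -EACCES, as the real hook would return. */
int file_ioctl_check(unsigned int granted, unsigned int cmd)
{
    unsigned int need = required_perms(cmd);
    return (granted & need) == need ? 0 : -13;
}

/* Constructed ioctl numbers for a hypothetical device using magic 'E'. */
#define EXAMPLE_GET_STATE _IOR('E', 1, int)
#define EXAMPLE_SET_STATE _IOW('E', 2, int)
#define EXAMPLE_RESET     _IO('E', 3)
#define EXAMPLE_EXCHANGE  _IOWR('E', 4, int)

int main(void)
{
    unsigned int cmds[] = { EXAMPLE_GET_STATE, EXAMPLE_SET_STATE,
                            EXAMPLE_RESET, EXAMPLE_EXCHANGE };
    unsigned int granted = FILE__IOCTL | FILE__READ; /* a read-only caller */

    for (size_t i = 0; i < sizeof cmds / sizeof cmds[0]; i++)
        printf("cmd 0x%08x dir=%u need=0x%x -> %s\n",
               cmds[i], _IOC_DIR(cmds[i]), required_perms(cmds[i]),
               file_ioctl_check(granted, cmds[i]) == 0 ? "allow" : "deny");
    return 0;
}
```

The direction bits are only as trustworthy as the driver's own declaration: an ioctl defined with _IO that nonetheless passes a pointer gets nothing beyond FILE__IOCTL under this mapping, which is why a check keyed on _IOC_DIR(cmd) alone is a coarse one and a policy still needs to be able to deny FILE__IOCTL outright on sensitive objects.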



This archive was generated by hypermail 2.1.3 : Thu Nov 10 2005 - 07:03:03 PST