| Message ID | 20200904161834.7677-1-cgzones@googlemail.com (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to | Paul Moore |
| Series | [RFC] xperm_rules: add two notes |
On Fri, 2020-09-04 at 18:18 +0200, Christian Göttsche wrote:
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
> I *hope* the note number 4 is actually correct!?

It is correct as noted in [1]. checkpolicy allows 0x1234ABCD and just uses ABCD whereas CIL only allows 0xABCD.

[1] https://lore.kernel.org/selinux/1495656704.3489.4.camel@tycho.nsa.gov/

>
> src/xperm_rules.md | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/src/xperm_rules.md b/src/xperm_rules.md
> index 7f8744b..1e1dfff 100644
> --- a/src/xperm_rules.md
> +++ b/src/xperm_rules.md
> @@ -1,6 +1,6 @@
> # Extended Access Vector Rules
>
> -There are three extended AV rules implemented from Policy version 30
> +There are four extended AV rules implemented from Policy version 30

Yes I think they all came under policy 30. It's just that neverallowxperm was added a few months later.

> with the target platform 'selinux' that expand the permission sets
> from
> a fixed 32 bits to permission sets in 256 bit increments:
> *allowxperm*,
> *dontauditxperm*, *auditallowxperm* and *neverallowxperm*.
> @@ -127,6 +127,12 @@ Notes:
> class/permission is required.
> 3. To deny all ioctl requests for a specific source/target/class
> the
> *xperm_set* should be set to *0* or *0x0*.
> +4. From the 32-bit ioctl request parameter value only the least
> significant
> + 16 bits are used. Thus *0x8927*, *0x00008927* and *0xabcd8927*
> + are the same extended permission.
> +5. To decode a numeric ioctl request parameter into the
> corresponding
> + textual identifier see
> + <
> https://www.kernel.org/doc/html/latest/userspace-api/ioctl/ioctl-decoding.html
> >
>
> <!-- %CUTHERE% -->
>
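As an added example (not code from the patch, the SELinux notebook, checkpolicy or CIL), the C program below applies note 4 and the reply above: `decode_ioctl` splits a 32-bit ioctl request number into the direction, size, type and number fields defined in the kernel's asm-generic/ioctl.h, `ioctl_xperm` keeps the low 16 bits that SELinux matches, and `parse_xperm_literal` models the acceptance difference the reply states (checkpolicy truncates a wider literal, CIL rejects it). The validation function is an assumption that follows the reply's description only; the real tools' diagnostics are not reproduced.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Field layout of a Linux ioctl request number (asm-generic/ioctl.h). */
struct ioctl_fields {
    unsigned dir;   /* bits 31-30: 0 none, 1 write, 2 read, 3 read+write */
    unsigned size;  /* bits 29-16: argument size in bytes */
    unsigned type;  /* bits 15-8:  driver "magic" type */
    unsigned nr;    /* bits 7-0:   command number */
};

struct ioctl_fields decode_ioctl(uint32_t req)
{
    return (struct ioctl_fields){ (req >> 30) & 0x3, (req >> 16) & 0x3fff,
                                  (req >> 8) & 0xff, req & 0xff };
}

/* The SELinux extended permission keeps only type and nr (low 16 bits);
 * direction and size are dropped, so 0x8927 and 0xabcd8927 collide. */
uint16_t ioctl_xperm(uint32_t req)
{
    return (uint16_t)(req & 0xffff);
}

/* Parse a policy literal such as "0x8927" into an xperm. Returns the xperm
 * (0..0xffff) or -1 if rejected. strict=1 models CIL (more than 16 bits is
 * an error); strict=0 models checkpolicy (wider values are truncated).
 * Both behaviours follow the reply in the thread, not the tools' own code. */
int parse_xperm_literal(const char *lit, int strict)
{
    char *end;
    unsigned long long v = strtoull(lit, &end, 0);  /* base 0: 0x.. or decimal */
    if (end == lit || *end != '\0' || v > UINT32_MAX)
        return -1;                 /* not a number, or wider than 32 bits */
    if (strict && v > 0xffff)
        return -1;                 /* CIL rejects e.g. 0xabcd8927 */
    return ioctl_xperm((uint32_t)v);
}

int main(void)
{
    const char *lits[] = { "0x8927", "0x00008927", "0xabcd8927" };
    for (int i = 0; i < 3; i++)
        printf("%-10s checkpolicy xperm=0x%04x  CIL: %s\n", lits[i],
               (unsigned)parse_xperm_literal(lits[i], 0),
               parse_xperm_literal(lits[i], 1) < 0 ? "rejected" : "accepted");
    return 0;
}
```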
On Fri, Sep 4, 2020 at 12:18 PM Christian Göttsche <cgzones@googlemail.com> wrote:
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
> I *hope* the note number 4 is actually correct!?
>
> src/xperm_rules.md | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)

Hi Christian,

I'm sorry for the delay but this fix is now merged. I did have to merge it by hand so please double check to make sure I didn't mess it up (it looked good to me in all three formats).

> diff --git a/src/xperm_rules.md b/src/xperm_rules.md
> index 7f8744b..1e1dfff 100644
> --- a/src/xperm_rules.md
> +++ b/src/xperm_rules.md
> @@ -1,6 +1,6 @@
> # Extended Access Vector Rules
>
> -There are three extended AV rules implemented from Policy version 30
> +There are four extended AV rules implemented from Policy version 30
> with the target platform 'selinux' that expand the permission sets from
> a fixed 32 bits to permission sets in 256 bit increments: *allowxperm*,
> *dontauditxperm*, *auditallowxperm* and *neverallowxperm*.
> @@ -127,6 +127,12 @@ Notes:
> class/permission is required.
> 3. To deny all ioctl requests for a specific source/target/class the
> *xperm_set* should be set to *0* or *0x0*.
> +4. From the 32-bit ioctl request parameter value only the least significant
> + 16 bits are used. Thus *0x8927*, *0x00008927* and *0xabcd8927*
> + are the same extended permission.
> +5. To decode a numeric ioctl request parameter into the corresponding
> + textual identifier see
> + <https://www.kernel.org/doc/html/latest/userspace-api/ioctl/ioctl-decoding.html>
>
> <!-- %CUTHERE% -->
>
> --
> 2.28.0
diff --git a/src/xperm_rules.md b/src/xperm_rules.md index 7f8744b..1e1dfff 100644 --- a/src/xperm_rules.md +++ b/src/xperm_rules.md @@ -1,6 +1,6 @@ # Extended Access Vector Rules -There are three extended AV rules implemented from Policy version 30 +There are four extended AV rules implemented from Policy version 30 with the target platform 'selinux' that expand the permission sets from a fixed 32 bits to permission sets in 256 bit increments: *allowxperm*, *dontauditxperm*, *auditallowxperm* and *neverallowxperm*. @@ -127,6 +127,12 @@ Notes: class/permission is required. 3. To deny all ioctl requests for a specific source/target/class the *xperm_set* should be set to *0* or *0x0*. +4. From the 32-bit ioctl request parameter value only the least significant + 16 bits are used. Thus *0x8927*, *0x00008927* and *0xabcd8927* + are the same extended permission. +5. To decode a numeric ioctl request parameter into the corresponding + textual identifier see + <https://www.kernel.org/doc/html/latest/userspace-api/ioctl/ioctl-decoding.html> <!-- %CUTHERE% -->
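Review bot: in the second hunk, note 4 presents *0x8927*, *0x00008927* and *0xabcd8927* as interchangeable spellings of one extended permission, but the discussion in this thread shows the truncation is toolchain-specific: checkpolicy accepts a 32-bit literal and keeps only the low 16 bits, while CIL only accepts a 16-bit literal and rejects *0xabcd8927*. Suggest making that explicit in the note, for example "checkpolicy discards the upper 16 bits, so *0xabcd8927* is treated as *0x8927*; CIL rejects values wider than 16 bits", so that a policy author writing CIL is not led to expect all three forms to compile.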
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
I *hope* the note number 4 is actually correct!?

 src/xperm_rules.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)