* [RFC PATCH] xperm_rules: add two notes
@ 2020-09-04 16:18 Christian Göttsche
2020-09-06 13:59 ` Richard Haines
2020-09-18 14:28 ` Paul Moore
0 siblings, 2 replies; 3+ messages in thread
From: Christian Göttsche @ 2020-09-04 16:18 UTC (permalink / raw)
To: selinux
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
I *hope* the note number 4 is actually correct!?
src/xperm_rules.md | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/xperm_rules.md b/src/xperm_rules.md
index 7f8744b..1e1dfff 100644
--- a/src/xperm_rules.md
+++ b/src/xperm_rules.md
@@ -1,6 +1,6 @@
# Extended Access Vector Rules
-There are three extended AV rules implemented from Policy version 30
+There are four extended AV rules implemented from Policy version 30
with the target platform 'selinux' that expand the permission sets from
a fixed 32 bits to permission sets in 256 bit increments: *allowxperm*,
*dontauditxperm*, *auditallowxperm* and *neverallowxperm*.
@@ -127,6 +127,12 @@ Notes:
class/permission is required.
3. To deny all ioctl requests for a specific source/target/class the
*xperm_set* should be set to *0* or *0x0*.
+4. From the 32-bit ioctl request parameter value only the least significant
+ 16 bits are used. Thus *0x8927*, *0x00008927* and *0xabcd8927*
+ are the same extended permission.
+5. To decode a numeric ioctl request parameter into the corresponding
+ textual identifier see
+ <https://www.kernel.org/doc/html/latest/userspace-api/ioctl/ioctl-decoding.html>
<!-- %CUTHERE% -->
--
2.28.0
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [RFC PATCH] xperm_rules: add two notes
2020-09-04 16:18 [RFC PATCH] xperm_rules: add two notes Christian Göttsche
@ 2020-09-06 13:59 ` Richard Haines
2020-09-18 14:28 ` Paul Moore
1 sibling, 0 replies; 3+ messages in thread
From: Richard Haines @ 2020-09-06 13:59 UTC (permalink / raw)
To: Christian Göttsche, selinux
On Fri, 2020-09-04 at 18:18 +0200, Christian Göttsche wrote:
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
> I *hope* the note number 4 is actually correct!?
It is correct as noted in [1]. checkpolicy allows 0x1234ABCD and just
uses ABCD whereas CIL only allows 0xABCD.
[1]
https://lore.kernel.org/selinux/1495656704.3489.4.camel@tycho.nsa.gov/
>
> src/xperm_rules.md | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/src/xperm_rules.md b/src/xperm_rules.md
> index 7f8744b..1e1dfff 100644
> --- a/src/xperm_rules.md
> +++ b/src/xperm_rules.md
> @@ -1,6 +1,6 @@
> # Extended Access Vector Rules
>
> -There are three extended AV rules implemented from Policy version 30
> +There are four extended AV rules implemented from Policy version 30
Yes I think they all came under policy 30. It's just that
neverallowxperm was added a few months later.
> with the target platform 'selinux' that expand the permission sets
> from
> a fixed 32 bits to permission sets in 256 bit increments:
> *allowxperm*,
> *dontauditxperm*, *auditallowxperm* and *neverallowxperm*.
> @@ -127,6 +127,12 @@ Notes:
> class/permission is required.
> 3. To deny all ioctl requests for a specific source/target/class
> the
> *xperm_set* should be set to *0* or *0x0*.
> +4. From the 32-bit ioctl request parameter value only the least
> significant
> + 16 bits are used. Thus *0x8927*, *0x00008927* and *0xabcd8927*
> + are the same extended permission.
> +5. To decode a numeric ioctl request parameter into the
> corresponding
> + textual identifier see
> + <
> https://www.kernel.org/doc/html/latest/userspace-api/ioctl/ioctl-decoding.html
> >
>
> <!-- %CUTHERE% -->
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [RFC PATCH] xperm_rules: add two notes
2020-09-04 16:18 [RFC PATCH] xperm_rules: add two notes Christian Göttsche
2020-09-06 13:59 ` Richard Haines
@ 2020-09-18 14:28 ` Paul Moore
1 sibling, 0 replies; 3+ messages in thread
From: Paul Moore @ 2020-09-18 14:28 UTC (permalink / raw)
To: Christian Göttsche; +Cc: selinux
On Fri, Sep 4, 2020 at 12:18 PM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
> I *hope* the note number 4 is actually correct!?
>
> src/xperm_rules.md | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
Hi Christian, I'm sorry for the delay but this fix is now merged. I
did have to merge it by hand so please double check to make sure I
didn't mess it up (it looked good to me in all three formats).
> diff --git a/src/xperm_rules.md b/src/xperm_rules.md
> index 7f8744b..1e1dfff 100644
> --- a/src/xperm_rules.md
> +++ b/src/xperm_rules.md
> @@ -1,6 +1,6 @@
> # Extended Access Vector Rules
>
> -There are three extended AV rules implemented from Policy version 30
> +There are four extended AV rules implemented from Policy version 30
> with the target platform 'selinux' that expand the permission sets from
> a fixed 32 bits to permission sets in 256 bit increments: *allowxperm*,
> *dontauditxperm*, *auditallowxperm* and *neverallowxperm*.
> @@ -127,6 +127,12 @@ Notes:
> class/permission is required.
> 3. To deny all ioctl requests for a specific source/target/class the
> *xperm_set* should be set to *0* or *0x0*.
> +4. From the 32-bit ioctl request parameter value only the least significant
> + 16 bits are used. Thus *0x8927*, *0x00008927* and *0xabcd8927*
> + are the same extended permission.
> +5. To decode a numeric ioctl request parameter into the corresponding
> + textual identifier see
> + <https://www.kernel.org/doc/html/latest/userspace-api/ioctl/ioctl-decoding.html>
>
> <!-- %CUTHERE% -->
>
> --
> 2.28.0
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-09-18 14:28 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-09-04 16:18 [RFC PATCH] xperm_rules: add two notes Christian Göttsche
2020-09-06 13:59 ` Richard Haines
2020-09-18 14:28 ` Paul Moore
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.