Security modules and ioctl()
Posted Feb 21, 2011 13:21 UTC (Mon) by jthill
Parent article: Security modules and ioctl()
How does the 2005 patch force anything at all? The ioctl entrypoints drive all the checking themselves, no matter what it seems --
ioctl_perm() is just a linear search, you'd express it directly in C++ with plain find().
It looks like the mistake with the
DIR bits was made immediately when the earlier patch was proposed, and the resulting bad patch was just Smalley taking somebody's word for it on what those bits mean.
Aren't ioctl numbers part of the userland ABI, set permanently? If so, how is drift a concern here?
to post comments)