Comments (9)
from refpolicy.
@doverride Most programs have no reason to use any of these hardware-specific ioctls, so they should not be allowed by default. Programs that need to use them should be explicitly allowed to use them. Ioctls are a very large attack surface, so blanketly allowing them is a bad idea in my opinion.
Android whitelists ioctls, and I suspect its list is a good one.
from refpolicy.
from refpolicy.
Did you perform tests with a Linux system? Contrary to Android, many applications use tty ioctls (TCGETS
, TCSETSW
, TIOCGWINSZ
, etc.) with their stdout
file descriptor, many changes attributes to their network sockets, etc.
It is unclear to me how much work needs to be done in order to implement ioctl restrictions that make sense on a Linux system which is not an embedded one (such as Android). If the Android list seems to be good, could you please provide a link to it?
from refpolicy.
from refpolicy.
@fishilico @doverride First, many applications do not use very many ioctls, so per-application whitelists should be doable. It does take work, but no more than creating per-application policies.
A good starting point would be to remove ioctl
from some of the interfaces. My understanding is that most applications do not use filesystem ioctls, for example. In other cases, the list of ioctls is well-documented (such as TTYs) and we can whitelist a set of safe ones. In particular, TIOCSTI should not be on the whitelist, as it has been a source of numerous security problems and has few valid use cases. Another good use-case is network ioctls: while some generic ioctls should be allowed, most applications have no business calling device-specific ioctls. Since most vulnerabilities are in the latter, this significantly reduces attack surface. An even clearer case is ioctls that change network configuration: there is absolutely no reason for most applications to be calling them.
from refpolicy.
from refpolicy.
@doverride I think we can use whitelisting for some device nodes, such as PTYs. Also, I think we can just remove ioctl permissions from most filesystem interfaces. Most applications never use filesystem ioctls.
For network devices, I think we can afford to whitelist ioctls that are device-independent and non-privileged. Only certain applications should use device-dependent ioctls.
from refpolicy.
I'm open to patches that address this situation. I wouldn't mind improving things, but I'm highly skeptical, for the same reasons as already stated.
from refpolicy.
Related Issues (20)
- Fail to build with POLICY_TYPE MLS HOT 1
- Fail to build policy fapolicyd if DIRECT_INITRC=y HOT 3
- Q:java based application HOT 5
- Problem when building policy HOT 3
- libsepol.validate_user_datum: Invalid user datum HOT 4
- How to write modules for systemd user services? HOT 7
- libsepol.sepol_string_to_security_class: unrecognized class user_namespace HOT 4
- chrome->nacl_helper: user_namespace HOT 2
- 2 questions HOT 1
- Need help with transitions HOT 1
- Container issues in enforcing mode on Debian 12 HOT 13
- How to transfer the current process or its thread to another context? HOT 4
- Possible missing rule for ssh -> java HOT 2
- Debian 12.1 statd and mountd fail to start with fixed ports HOT 13
- Question: sudo HOT 5
- [Q] Permission cmd in class io_uring not defined in policy. HOT 3
- /root directory has no label specified HOT 4
- systemd v255 executor helper
- Information Disclosure vulnerability related to SSL Private Keys and CSR used by the HTTP daemon HOT 2
- Privileged container spc_t optional HOT 11
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from refpolicy.