On Sun, 28 May 2006, Evgeniy Polyakov wrote:

> Does SELinux have security handlers for each type of possible ioctl
> over the world? Each ioctl number is like each netlink type of message,
> but instead there is only one check per ioctl syscall, as with the LSM
> hook for the socket's send/recv syscall.
>
> It could be interesting and quite challenging to force all ioctl users
> to have the same structure under each ioctl number so SELinux could
> control, for example, disk geometry or time and date requests...

It has a generic control for ioctls, but also does some special handling for some ioctls.

> And, btw, what is the purpose of controlling netlink messages?
> Does it prevent a malicious userspace application from receiving events
> from a malicious kernel module?

It provides control over which types of applications can send and receive different types of Netlink messages. E.g. you can specify that Apache can read the routing table but not write to it.

- James

-- 
James Morris <[EMAIL PROTECTED]>
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
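The read/write split James describes is visible from userspace as a difference between two rtnetlink message types on the same socket. The following C program is an added example, not code from this thread or from the SELinux project: it issues an RTM_GETROUTE dump (a read, which SELinux gates with the nlmsg_read permission on the netlink_route_socket class) and then an RTM_NEWROUTE (a write, gated by nlmsg_write), and reports which of the two the kernel refused. The policy side of "Apache can read but not write the routing table" would be a rule of roughly the shape `allow httpd_t self:netlink_route_socket { create bind read write nlmsg_read };` with nlmsg_write deliberately left out; that rule and the exact permission set are assumptions for illustration, as is the GET-means-read / NEW-DEL-SET-means-write classification in rtnl_perm_for_type(), which mirrors the rule SELinux applies but covers only a handful of message types. The RTM_NEWROUTE request is intentionally empty (AF_UNSPEC, no attributes) so that even as root it changes nothing and only reports an error.

```c
/* Added example (not from the thread): probe the SELinux read/write split on
 * NETLINK_ROUTE. Build and run on Linux: cc -o rtnl_probe rtnl_probe.c */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

struct req {
    struct nlmsghdr nlh;
    struct rtmsg rtm;
};

/* Which netlink_route_socket permission SELinux demands for a message type.
 * Assumption for illustration: GET* types map to nlmsg_read, NEW/DEL/SET
 * types to nlmsg_write; only a subset of RTM_* types is covered here. */
const char *rtnl_perm_for_type(uint16_t type) {
    switch (type) {
    case RTM_GETLINK: case RTM_GETADDR: case RTM_GETROUTE: case RTM_GETNEIGH:
        return "nlmsg_read";
    case RTM_NEWLINK: case RTM_DELLINK: case RTM_SETLINK:
    case RTM_NEWADDR: case RTM_DELADDR:
    case RTM_NEWROUTE: case RTM_DELROUTE:
    case RTM_NEWNEIGH: case RTM_DELNEIGH:
        return "nlmsg_write";
    default:
        return NULL;
    }
}

/* Fill in a minimal rtnetlink request of the given type. AF_UNSPEC means a
 * dump covers every address family and a write carries nothing to apply.
 * Returns the total message length in bytes. */
size_t build_rtmsg(struct req *r, uint16_t type, uint16_t flags, uint32_t seq) {
    memset(r, 0, sizeof *r);
    r->nlh.nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
    r->nlh.nlmsg_type = type;
    r->nlh.nlmsg_flags = NLM_F_REQUEST | flags;
    r->nlh.nlmsg_seq = seq;
    r->rtm.rtm_family = AF_UNSPEC;
    return r->nlh.nlmsg_len;
}

/* Send one request on a fresh NETLINK_ROUTE socket and read the first reply.
 * Returns 0 on success, otherwise -errno: -EACCES when the LSM refuses the
 * message type at sendto(), or the error the kernel puts in its NLMSG_ERROR
 * reply (e.g. -EPERM for an unprivileged write). */
int try_rtnl_request(uint16_t type, uint16_t flags) {
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
    if (fd < 0) return -errno;
    struct sockaddr_nl sa = { .nl_family = AF_NETLINK }; /* pid 0 = kernel */
    struct req r;
    size_t len = build_rtmsg(&r, type, flags, 1);
    int rc = 0;
    char buf[8192];
    ssize_t n;
    if (sendto(fd, &r, len, 0, (struct sockaddr *)&sa, sizeof sa) < 0) {
        rc = -errno;            /* SELinux denials surface here */
        goto out;
    }
    n = recv(fd, buf, sizeof buf, 0);
    if (n < 0) { rc = -errno; goto out; }
    struct nlmsghdr *h = (struct nlmsghdr *)buf;
    if (NLMSG_OK(h, (int)n) && h->nlmsg_type == NLMSG_ERROR) {
        struct nlmsgerr *e = NLMSG_DATA(h);
        rc = e->error;          /* 0 is an ACK, negative is -errno */
    }
out:
    close(fd);
    return rc;
}

static void report(const char *what, uint16_t type, int rc) {
    printf("%-28s needs %-11s -> %s\n", what, rtnl_perm_for_type(type),
           rc == 0 ? "ok" : strerror(-rc));
}

int main(void) {
    /* Read: dump the routing table. Under a policy granting only nlmsg_read
     * this succeeds while the write below is refused with EACCES. */
    report("RTM_GETROUTE (dump)", RTM_GETROUTE,
           try_rtnl_request(RTM_GETROUTE, NLM_F_DUMP));
    /* Write: an empty RTM_NEWROUTE, which can never install a route. */
    report("RTM_NEWROUTE (empty)", RTM_NEWROUTE,
           try_rtnl_request(RTM_NEWROUTE, NLM_F_ACK));
    return 0;
}
```

Run it once unconfined and once from a domain that lacks nlmsg_write: the dump line stays "ok" in both runs, while the write line moves from a kernel-side error (EPERM without CAP_NET_ADMIN, or an argument error as root) to "Permission denied" raised at sendto(), which is the LSM hook rejecting the message type before the kernel ever parses it.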