Linux Security Summit 2015/Abstracts/Vander Stoep
Ioctl Command Whitelisting in SELinux
Jeffrey Vander Stoep, Google
Ioctls provide many of the capabilities necessary for device control, ranging from benign functionality to critical operations or access to sensitive information. Some system capabilities, e.g. chown, kill, setuid, ipc_lock, etc., are granted on a per-capability basis. Ioctls, on the other hand, are granted on a per-file-descriptor basis, meaning that the set of ioctl capabilities provided by a file descriptor is granted all-or-nothing, even when only a subset is needed. A single file descriptor may provide access to hundreds of capabilities. To restrict applications to the subset of capabilities they need, SELinux permissions have been extended to allow per-command whitelisting of ioctls. The discussion will include demonstration of attack surface reduction, bugs made unreachable, and improvements for user privacy. We will also share challenges and findings from deployment in Android M-preview.
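To make the all-or-nothing versus per-command distinction concrete, here is an added policy fragment in SELinux kernel policy language. It is not from the talk or from the Android policy tree; the domain name untrusted_app and type tty_device are used for illustration, and the command numbers are the standard Linux tty ioctls (TCGETS 0x5401, TCSETS 0x5402, TIOCSTI 0x5412).

```selinux
# Added example (not from the talk): narrowing a hypothetical app domain
# "untrusted_app" to a subset of ioctl commands on a tty device.

# Before: the classic rule grants the ioctl permission all-or-nothing. Once
# the domain may call ioctl() on the file, every command the driver
# implements is reachable through that file descriptor.
allow untrusted_app tty_device:chr_file { read write ioctl };

# After: keep the generic ioctl permission, then narrow it with an extended
# permission rule. Only the listed command numbers are permitted; every
# other command on this descriptor is denied and audited. The kernel matches
# on the low 16 bits of the command (type and number), so 0x5401 (TCGETS)
# and 0x5402 (TCSETS) are the values compared.
allowxperm untrusted_app tty_device:chr_file ioctl { 0x5401 0x5402 };

# Ranges are accepted too, which suits a driver whose commands share one
# 'type' byte (here 0x54, the tty group, numbers 0x01 through 0x0f):
allowxperm untrusted_app tty_device:chr_file ioctl { 0x5401-0x540f };

# neverallowxperm turns the whitelist into a build-time check: policy
# compilation fails if any rule grants the privilege-sensitive TIOCSTI
# command to this domain, even by a broad range elsewhere in the policy.
neverallowxperm untrusted_app tty_device:chr_file ioctl { 0x5412 };
```

An allowxperm rule only refines a permission that an allow rule already grants; without the plain `ioctl` permission the xperm rule has no effect. Extended permissions require policy version 30 and kernel support introduced in Linux 4.3 (or a backport, as Android used), and a denial of a non-whitelisted command is reported as an ordinary `ioctl` AVC denial that also records the offending command number, which is what makes the whitelist tunable from audit logs during deployment.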