Linux Security Summit 2015/Abstracts/Vander Stoep

From Linux Kernel Security Subsystem


Ioctl Command Whitelisting in SELinux


Jeffrey Vander Stoep, Google


Ioctls provide many of the capabilities necessary for device control, ranging from benign functionality to critical operations or access to sensitive information. Some system capabilities, e.g. chown, kill, setuid, ipc_lock, etc., are granted on a per-capability basis. Ioctls, on the other hand, are granted on a per-file-descriptor basis, meaning that the set of ioctl capabilities provided by a file descriptor is granted all-or-nothing, even when only a subset may be needed. A single file descriptor may provide access to hundreds of capabilities. To restrict applications to the subset of capabilities they need, SELinux permissions have been extended to allow per-command whitelisting of ioctls. The discussion will include demonstration of attack surface reduction, bugs made unreachable, and improvements for user privacy. We will also share challenges and findings from deployment in the Android M preview.
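The extension the abstract describes is the extended-permission rule family in SELinux policy (allowxperm, auditallowxperm, dontauditxperm, neverallowxperm), supported by the kernel since Linux 4.3 (policy version 30). The policy fragment below is an added illustration, not text from the abstract or from Android's own policy: the domain name example_app_t is hypothetical, and the command values are the standard Linux socket ioctl numbers from sockios.h. It contrasts the all-or-nothing grant the abstract criticises with a per-command whitelist for the same file descriptor type. Leaving SIOCGIFHWADDR off the list is my choice of example for the privacy angle (it returns the interface's hardware address), not a claim about what the talk covered.

```selinux
# Before: a blanket ioctl grant. Every ioctl the socket implements is
# reachable from example_app_t, whether or not the app needs it.
allow example_app_t self:tcp_socket { create ioctl read write };

# After: keep the 'ioctl' permission, but gate it on an explicit command list.
# Once any allowxperm rule exists for this (source, target, class) triple,
# ioctl commands not listed are denied (and audited) even though the
# plain 'ioctl' permission above is still granted.
allow example_app_t self:tcp_socket { create ioctl read write };
allowxperm example_app_t self:tcp_socket ioctl {
    0x8910   # SIOCGIFNAME
    0x8913   # SIOCGIFFLAGS
    0x8921   # SIOCGIFMTU
};

# Ranges are accepted too; the socket ioctls share the 0x89 driver byte.
# allowxperm example_app_t self:tcp_socket ioctl { 0x8910-0x8921 };

# Lock the decision in: neverallowxperm makes policy compilation fail if
# any rule anywhere in the policy would grant this command to the domain.
neverallowxperm example_app_t self:tcp_socket ioctl { 0x8927 };  # SIOCGIFHWADDR
```

Two details matter when writing such rules. The numbers are the low 16 bits of the ioctl request value (the type byte followed by the command number), not the full 32-bit value that encodes direction and size. And an allowxperm rule only refines an existing allow rule carrying the ioctl permission; on its own it grants nothing. When a command is blocked, the AVC denial for ioctl carries an ioctlcmd= field with the same 16-bit value, which is what you would audit and, if the access is legitimate, add to the list.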