enable ioctl filtering on other filesystem types

ebc3a1a3 enabled ioctl filtering on normal files and directories. However, no per-ioctl permissions were enforced for symbolic links, named pipes ("mkfifo"), or named sockets.

Start enforcing fine-grain ioctl restrictions for symbolic links, named pipes, and named sockets.

Motivation: Prevent FS_IOC_ENABLE_VERIFY and FS_IOC_MEASURE_VERITY from being usable on nonsensical filesystem objects and provide a layer of defense for kernel bugs.

Test: Device boots and no obvious problem.
Change-Id: Id81b496ab64f37a0918f3dfd8fa9aaa3227009cc