On 06/03/2014 09:38 PM, Ruowen Wang wrote: > Hi SEAndroid, > > I am wondering if there is a way to map specific system calls to > specific permissions in SEAndroid or previous SELinux. For instance, the > syscall "fork" requires a permission "fork" of class "process". Some of > the permission names are the same as syscalls. But others are not. For > example, syscall "stat" requires permissions "getattr". I am reading the > kernel code and selinux kernel module code but different syscalls are > implemented in different places in kernel. I don't know if there is an > easy way to collect them. Or maybe I should trace backwards from > security_operations? > > Thanks in advance!
We originally documented the mapping (for the original, Linux 2.2-based, pre-LSM implementation) in the technical report available from: http://www.nsa.gov/research/_files/selinux/papers/slinux-abs.shtml See the Control Requirements subsections under Process Management, File System, Networking, System V IPC for the mapping of system calls to permission checks; see the Permissions subsections for the definitions of the permissions. Then for the LSM-based implementation, we documented the mapping from LSM hooks to permission checks in the technical report available from: http://www.nsa.gov/research/_files/selinux/papers/module-abs.shtml Tresys Technology put together their own reference on the object classes and permissions at: http://selinuxproject.org/page/ObjectClassesPerms although that does not provide a mapping from system calls or hooks or show the subject/object of each check, unlike our reports. Of course nothing is as current or authoritative as the code itself, but the above documents may nonetheless be helpful as references. _______________________________________________ Seandroid-list mailing list [email protected] To unsubscribe, send email to [email protected]. To get help, send an email containing "help" to [email protected].
