adds a ttynodedev and TIOCLINUX filtering support

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>

1 files changed, 42 insertions, 0 deletions

diff --git a/src/dev/nodedev/ttynodedev.cil b/src/dev/nodedev/ttynodedev.cil
index 00ac2ca..265a070 100644
--- a/src/dev/nodedev/ttynodedev.cil
+++ b/src/dev/nodedev/ttynodedev.cil
@@ -5,6 +5,48 @@
 
   (filecon "/dev/tty" char nodedev_context)
 
+  (macro tioclinux_nodedev_chr_files ((type ARG1))
+	 (allowx ARG1 nodedev TIOCLINUX))
+
+  (macro tiocsti_nodedev_chr_files ((type ARG1))
+	 (allowx ARG1 nodedev TIOCSTI))
+
   (blockinherit .nodedev.template)
 
   (call .rbacsep.exempt.obj.type (nodedev)))
+
+;; TIOCLINUX, subcode=TIOCL_GETMOUSEREPORTING
+(in after tty.append_nodedev_chr_files
+    (allowx ARG1 nodedev IOCTLCONSOLE_NOT_TIOCLINUX)
+    (allowx ARG1 nodedev IOCTLTTY_NOT_TIOCSTI)
+    (allowx ARG1 nodedev IOCTLVT))
+
+(in after tty.appendinherited_nodedev_chr_files
+    (allowx ARG1 nodedev IOCTLCONSOLE_NOT_TIOCLINUX)
+    (allowx ARG1 nodedev IOCTLTTY_NOT_TIOCSTI)
+    (allowx ARG1 nodedev IOCTLVT))
+
+(in after tty.manage_nodedev_chr_files
+    (allowx ARG1 nodedev IOCTLCONSOLE_NOT_TIOCLINUX)
+    (allowx ARG1 nodedev IOCTLTTY_NOT_TIOCSTI)
+    (allowx ARG1 nodedev IOCTLVT))
+
+(in after tty.readwrite_nodedev_chr_files
+    (allowx ARG1 nodedev IOCTLCONSOLE_NOT_TIOCLINUX)
+    (allowx ARG1 nodedev IOCTLTTY_NOT_TIOCSTI)
+    (allowx ARG1 nodedev IOCTLVT))
+
+(in after tty.readwriteinherited_nodedev_chr_files
+    (allowx ARG1 nodedev IOCTLCONSOLE_NOT_TIOCLINUX)
+    (allowx ARG1 nodedev IOCTLTTY_NOT_TIOCSTI)
+    (allowx ARG1 nodedev IOCTLVT))
+
+(in after tty.write_nodedev_chr_files
+    (allowx ARG1 nodedev IOCTLCONSOLE_NOT_TIOCLINUX)
+    (allowx ARG1 nodedev IOCTLTTY_NOT_TIOCSTI)
+    (allowx ARG1 nodedev IOCTLVT))
+
+(in after tty.writeinherited_nodedev_chr_files
+    (allowx ARG1 nodedev IOCTLCONSOLE_NOT_TIOCLINUX)
+    (allowx ARG1 nodedev IOCTLTTY_NOT_TIOCSTI)
+    (allowx ARG1 nodedev IOCTLVT))