From 9da725c52e6a743a1c30257a85a9cf6ccc95042e Mon Sep 17 00:00:00 2001
From: Dominick Grift
Date: Thu, 25 Apr 2024 15:52:48 +0200
Subject: adds a ttynodedev and TIOCLINUX filtering support

Signed-off-by: Dominick Grift
---
src/dev/nodedev/ttynodedev.cil | 42 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)
(limited to 'src/dev/nodedev')
diff --git a/src/dev/nodedev/ttynodedev.cil b/src/dev/nodedev/ttynodedev.cil
index 00ac2ca..265a070 100644
--- a/src/dev/nodedev/ttynodedev.cil
+++ b/src/dev/nodedev/ttynodedev.cil
@@ -5,6 +5,48 @@ (filecon "/dev/tty" char nodedev_context) + (macro tioclinux_nodedev_chr_files ((type ARG1)) + (allowx ARG1 nodedev TIOCLINUX)) + + (macro tiocsti_nodedev_chr_files ((type ARG1)) + (allowx ARG1 nodedev TIOCSTI)) + (blockinherit .nodedev.template) (call .rbacsep.exempt.obj.type (nodedev))) + +;; TIOCLINUX, subcode=TIOCL_GETMOUSEREPORTING +(in after tty.append_nodedev_chr_files + (allowx ARG1 nodedev IOCTLCONSOLE_NOT_TIOCLINUX) + (allowx ARG1 nodedev IOCTLTTY_NOT_TIOCSTI) + (allowx ARG1 nodedev IOCTLVT)) + +(in after tty.appendinherited_nodedev_chr_files + (allowx ARG1 nodedev IOCTLCONSOLE_NOT_TIOCLINUX) + (allowx ARG1 nodedev IOCTLTTY_NOT_TIOCSTI) + (allowx ARG1 nodedev IOCTLVT)) + +(in after tty.manage_nodedev_chr_files + (allowx ARG1 nodedev IOCTLCONSOLE_NOT_TIOCLINUX) + (allowx ARG1 nodedev IOCTLTTY_NOT_TIOCSTI) + (allowx ARG1 nodedev IOCTLVT)) + +(in after tty.readwrite_nodedev_chr_files + (allowx ARG1 nodedev IOCTLCONSOLE_NOT_TIOCLINUX) + (allowx ARG1 nodedev IOCTLTTY_NOT_TIOCSTI) + (allowx ARG1 nodedev IOCTLVT)) + +(in after tty.readwriteinherited_nodedev_chr_files + (allowx ARG1 nodedev IOCTLCONSOLE_NOT_TIOCLINUX) + (allowx ARG1 nodedev IOCTLTTY_NOT_TIOCSTI) + (allowx ARG1 nodedev IOCTLVT)) + +(in after tty.write_nodedev_chr_files + (allowx ARG1 nodedev IOCTLCONSOLE_NOT_TIOCLINUX) + (allowx ARG1 nodedev IOCTLTTY_NOT_TIOCSTI) + (allowx ARG1 nodedev IOCTLVT)) + +(in after tty.writeinherited_nodedev_chr_files + (allowx ARG1 nodedev IOCTLCONSOLE_NOT_TIOCLINUX) + (allowx ARG1 nodedev IOCTLTTY_NOT_TIOCSTI) + (allowx ARG1 nodedev IOCTLVT)) -- cgit v1.2.3
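Review bot: The comment `;; TIOCLINUX, subcode=TIOCL_GETMOUSEREPORTING` sits directly above the `in after tty.append_nodedev_chr_files` block, which grants `IOCTLCONSOLE_NOT_TIOCLINUX`, so it reads as documentation for rules that (judging by the name) exclude TIOCLINUX. It belongs on the `tioclinux_nodedev_chr_files` macro, and should say that extended permissions match on the ioctl command number only, e.g. `;; allowx cannot filter TIOCLINUX subcodes: callers get all of them (selection set/paste included), not only TIOCL_GETMOUSEREPORTING`. That makes the macro a grant to review per caller, in the same way as `tiocsti_nodedev_chr_files`. The seven `in after` blocks repeat the same three `allowx` rules and could call one shared macro; the permissionx sets themselves are defined outside this hunk, so their contents cannot be checked here.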