Question

For the purpose of security-oriented source code review, I'm interested in finding (comprehensively) all ioctl commands that are registered in the Linux kernel. Also, I'd like to classify them as either accessible by administrators (e.g. root) or accessible by unprivileged users.

I'm not sure if it would be easier to read the kernel source code or if there is some way to query the list in user-space. If I need to look in the kernel, what functions would I need to look for to find the registration of ioctls?

Solution

ioctls don't actually get registered in the kernel; each type of file-like object has a different set of ioctls available.

Most of the time they are implemented using a switch statement.

So what you really need to do is:

  • Figure out what set of devices / file types are security-relevant - devices openable only by root presumably don't need to be checked for root exploits.
  • Work out what ioctls are available.

In practice finding out what ioctls are available is nontrivial. Many devices have a man page which lists them, but others don't, and the list may be incomplete.

Usually there is a function somewhere with a big switch-statement. However there is a kind of "inheritance" whereby a lot of devices have several different kinds of ioctl implemented at different levels.

The same "kind" of driver is usually implemented in several different types of hardware, and they often share quite a lot of code.

For example, serial ports have their own ioctls defined in http://lxr.linux.no/#linux+v2.6.35/drivers/serial/serial_core.c#L1107

Serial ports also potentially have ioctls defined on a per-driver basis, and, as they are ttys, they also respond to tty ioctls.

It's differently structured for each subsystem because they have different behaviour.

OTHER TIPS

man ioctl_list also gives the list of standard ioctl commands, each with a small note and the associated header file.

For character devices, you need to look at their file_operations structure. There is a function pointer in that structure called ioctl which is called when you call ioctl in that device.

So doing what you want will be hard, as each device has its own ioctl commands.
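
An added example, not part of the original answers: a small Python scanner for the review approach described above. It finds file_operations initializers, follows the ioctl hook (.ioctl in older kernels, .unlocked_ioctl and .compat_ioctl in current ones) to its handler, and lists the switch case labels together with whether a capable() call appears in each branch. The driver snippet and all demo_* / DEMO_* names are constructed for illustration.

```python
import re

# Constructed sample shaped like a character-device driver (not real kernel code).
SAMPLE = r"""
static long demo_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
{
    switch (cmd) {
    case DEMO_GET_INFO:
        return demo_info(f, arg);
    case DEMO_RESET:
        if (!capable(CAP_SYS_ADMIN))
            return -EPERM;
        return demo_reset(f);
    }
    return -ENOTTY;
}
static const struct file_operations demo_fops = {
    .unlocked_ioctl = demo_ioctl,
};
"""

FOPS_RE = re.compile(r"struct\s+file_operations\s+(\w+)\s*=\s*\{(.*?)\};", re.S)
HOOK_RE = re.compile(r"\.(ioctl|unlocked_ioctl|compat_ioctl)\s*=\s*(\w+)")

def function_body(src, name):
    """Return the brace-balanced body of function `name`, or '' if not found."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\([^;{]*\)\s*\{", src)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[start:i]
    return ""

def ioctl_inventory(src):
    """List (fops, hook, handler, {case label: capable() seen in that branch})."""
    out = []
    for fops, fields in FOPS_RE.findall(src):
        for hook, handler in HOOK_RE.findall(fields):
            cases = {}
            for chunk in re.split(r"\bcase\s+", function_body(src, handler))[1:]:
                label, _, rest = chunk.partition(":")
                cases[label.strip()] = "capable(" in rest
            out.append((fops, hook, handler, cases))
    return out

if __name__ == "__main__":
    print(ioctl_inventory(SAMPLE))
```

A False here only means no capable() call appears textually in that case branch; checks made before the switch, inside a called helper, through fall-through labels, or via the device node's permissions still need manual review.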

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow