views:

75

answers:

3

For the purpose of security-oriented source code review, I'm interested in finding (comprehensively) all ioctl commands that are registered in the Linux kernel. Also, I'd like to classify them as either accessible by administrators (e.g. root) or accessible by unprivileged users.

I'm not sure if it would be easier to read the kernel source code or if there is some way to query the list in user-space. If I need to look in the kernel, what functions would I need to look for for the registration of ioctls?

A: 

For character devices, you need to look at their file_operations structure. There is a function pointer in that structure called ioctl, which is called when you call ioctl on that device.

So doing what you want will be hard, as each device has its own ioctl commands.

Matias Valdenegro
There is a fairly comprehensive list of ioctl numbers in Documentation/ioctl/ioctl-number.txt inside the kernel source. However, it probably doesn't document everything out there, but you can use that as a starting point :)
Bandan
+1  A: 

man ioctl_list also gives the list of std ioctl commands with small note and associated header file.

Midson
+3  A: 

ioctls don't actually get registered in the kernel; each type of file-like object has a different set of ioctls available.

Most of the time they are implemented using a switch statement.

So what you really need to do is:

  • Figure out what set of devices / file types are security-relevant - those devices only openable by root presumably don't need to be checked for root-exploits.
  • Work out what ioctls are available.

In practice finding out what ioctls are available is nontrivial. Many devices have a man page which lists them, but others don't, and the list may be incomplete.

Usually there is a function somewhere with a big switch-statement. However, there is a kind of "inheritance" whereby a lot of devices have several different kinds of ioctl implemented at different levels.

The same "kind" of driver is usually implemented in several different types of hardware, and they often share quite a lot of code.

For example, serial ports have their own ioctls defined in http://lxr.linux.no/#linux+v2.6.35/drivers/serial/serial_core.c#L1107

But serial ports also potentially have ioctls defined on a per-driver basis, and as they are ttys, they also respond to tty ioctls.

It's differently structured for each subsystem because they have different behaviour.

MarkR
This pretty much confirms what I already feared. Thanks for the explanation.
Jeremy Powell
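As an added illustration of the procedure MarkR describes (not code from the thread or from the kernel): a rough, regex-based scan over C source that finds the handler named by a file_operations table's .unlocked_ioctl (or legacy .ioctl) member and lists the `case` labels in its switch. The driver fragment and all its names are constructed for the example; regexes cannot parse C, so the output is a starting point for manual review, not a complete inventory, and deciding which cases are root-only still means reading each case (e.g. for a capable() check).

```python
import re

# Constructed sample driver fragment with hypothetical names; it mimics the
# layout the answers describe (a file_operations table pointing at a handler
# that switches on the command number). Not taken from any real kernel file.
SAMPLE_DRIVER = r'''
static long demo_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
{
    switch (cmd) {
    case DEMO_GET_STATUS:
        return demo_status(filp, arg);
    case DEMO_SET_MODE:             /* privileged: note the capable() check */
        if (!capable(CAP_SYS_ADMIN))
            return -EPERM;
        return demo_set_mode(filp, arg);
    default:
        return -ENOTTY;
    }
}

static const struct file_operations demo_fops = {
    .unlocked_ioctl = demo_ioctl,
};
'''

# .unlocked_ioctl is the modern member; .ioctl is the legacy name the answer uses.
FOPS_RE = re.compile(r'\.(?:unlocked_ioctl|compat_ioctl|ioctl)\s*=\s*(\w+)')
CASE_RE = re.compile(r'^\s*case\s+([A-Za-z_]\w*)\s*:', re.M)

def handler_body(source, name):
    """Return the body of C function `name` by matching braces from its header."""
    m = re.search(r'\b' + re.escape(name) + r'\s*\([^;{]*\)\s*\{', source)
    if not m:
        return ''
    depth = 0
    for i in range(m.end() - 1, len(source)):
        depth += (source[i] == '{') - (source[i] == '}')
        if depth == 0:
            return source[m.end():i]
    return source[m.end():]  # unbalanced braces: return what we have

def ioctl_cases(source):
    """Map each handler named in a file_operations table to its case labels."""
    return {name: CASE_RE.findall(handler_body(source, name))
            for name in sorted(set(FOPS_RE.findall(source)))}

if __name__ == '__main__':
    for fn, cases in ioctl_cases(SAMPLE_DRIVER).items():
        print(fn, '->', ', '.join(cases) or '(no case labels found)')
```

Point it at a real driver file by reading the file into `source`; handlers that dispatch through tables or call into a subsystem-level ioctl (the tty "inheritance" MarkR mentions) will show few or no case labels and need to be followed by hand.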