1

I would like to protect my character device,from application operations. I would like that only specific application can do operation on the device.

How can I do it?

Thanks

omri-c
  • 81
  • 1
  • 7
  • How would you identify that your application is accessing it? – Levente Kurusa Dec 26 '13 at 18:55
  • This is what I am asking ... – omri-c Dec 26 '13 at 19:05
  • Basic security in *nix employs file permissions and ownership. Printer ports are owned by lpadmin to restrict access. In a similar manner, allow **rw** access to the char device node only to the same unique username & group that owns the app. But if you're looking for something that cannot be defeated, then you need to look for security dongles, i.e. a hardware solution. – sawdust Dec 26 '13 at 20:23
  • I am writing the char device, can I just define a specific unique application name, and deny all the others ? When the app is open the device file I will query the process name, if there is no match I will return -ENODEV – omri-c Dec 27 '13 at 06:15
  • You need to use SELinux. It is not possible to restrict access at the device level. No Linux device driver has any information about the application code that made the system call that performs a device operation. – Jonathan Ben-Avraham Dec 31 '13 at 08:35

1 Answers1

0

This may not be correct answer(Because I didn't test it). But I believe this will work.

I hope, you have idea about current field in task_struct which will give you the current PID of the process. Please refer this thread. how does current->pid work for linux?

so instead of pid, you can use comm field of task_struct.

http://lxr.free-electrons.com/source/include/linux/sched.h#L1180.

Keep an array of allowed application names in your driver. check comm field against allowed list during /dev/<yourchardriver> open() operation.

sample file operations structure.

struct file_operations fops = { /* these are the file operations provided by our driver */
    .owner = THIS_MODULE, /*prevents unloading when operations are in use*/
    .open = device_open,  /*to open the device*/
    .write = device_write, /*to write to the device*/
    .read = device_read, /*to read the device*/
    .release = device_close, /*to close the device*/
    .llseek = device_lseek
};

when you call open("/dev/sampledrv") in user space, device_open() will be called in your driver. so these validation can be done here.

Community
  • 1
  • 1
Jeyaram
  • 9,158
  • 7
  • 41
  • 63
  • This answer is a candidate for downvote because it is not clear how the device driver could get the task struct. – Jonathan Ben-Avraham Dec 31 '13 at 08:39
  • @JonathanBen-Avraham by referring http://stackoverflow.com/questions/11915728/getting-user-process-pid-when-writing-linux-kernel-module and few more threads, I just assumed. May be I will test and let you know. – Jeyaram Dec 31 '13 at 08:43
  • I think that this might work, but you need to add a snippet of code that gives an idea of how. Use an example UART driver, or trivial `misc` example driver's `open` function to show where and how you would add the proposed code. – Jonathan Ben-Avraham Dec 31 '13 at 10:39