Device driver programming summary

The following guidelines should be considered when implementing device drivers.

Note: New system calls have been added to support extended security for each read/write on Streams and FIFO devices. Two new library APIs, eread() and ewrite(), support this extended security attribute. On an MLS kernel, a security flag DEV_SEC_ERDWR is set on the device; similarly, for a FIFO, GNF_SEC_ERDWR is set on the device. These flags enable additional security checks on each read and write, rather than only at open time.

General design techniques

All security checks within the device driver should be written in a modular fashion and should be easily identifiable.

Checks within device drivers

It is always better to keep MIC, MAC, and DAC checks out of a device driver. Device drivers without such checks can be easily ported to or from untrusted systems or other types of trusted systems.

In a regular device driver implementation, the kernel performs MIC, MAC, and DAC checks and the driver performs any additional required privilege checks. In an irregular device driver implementation, all checks (MIC, MAC, DAC, and privilege checks) are performed in the device driver. The choice of whether to implement a regular or irregular device driver is a matter of design judgment.
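The following is an added illustration, not code from the original summary or from any particular kernel, of the regular driver model described above together with the per-read/write checks that the DEV_SEC_ERDWR-style flag in the note enables. The label layout, the dominance rule, the flag constant and every function name here are assumptions made for the example; the real refmon and MLS kernel interfaces are not shown. The point it demonstrates is that the driver entry points carry no policy at all, while the MAC check lives in one small, easily identifiable function that the kernel-side dispatch calls.

```c
/* Added example: modular MAC checks kept outside the driver body.
 * All names and the label encoding are assumptions for illustration. */
#include <stdint.h>
#include <stdbool.h>

#define SEC_ERDWR 0x1u   /* assumed stand-in for DEV_SEC_ERDWR */
#define MODE_READ 0x1u
#define MODE_WRITE 0x2u

typedef struct {
    unsigned level;      /* hierarchical sensitivity level */
    uint32_t categories; /* bitmask of compartments */
} sec_label_t;

/* a dominates b when its level is at least b's and its categories
 * form a superset of b's. This is the single MAC primitive. */
bool label_dominates(sec_label_t a, sec_label_t b) {
    return a.level >= b.level &&
           (a.categories & b.categories) == b.categories;
}

/* MAC read: the subject must dominate the object (no read up). */
bool mac_read_ok(sec_label_t subj, sec_label_t obj) {
    return label_dominates(subj, obj);
}
/* MAC write: the object must dominate the subject (no write down). */
bool mac_write_ok(sec_label_t subj, sec_label_t obj) {
    return label_dominates(obj, subj);
}

typedef struct {
    sec_label_t label;       /* label the device was installed with */
    unsigned flags;          /* SEC_ERDWR set => check every read/write */
    unsigned reads, writes;  /* counters standing in for real I/O */
} device_t;

/* Driver entry points: no MIC/MAC/DAC logic here at all. They rely on
 * the kernel having already enforced policy (the regular driver model). */
int drv_read(device_t *dev)  { dev->reads++;  return 0; }
int drv_write(device_t *dev) { dev->writes++; return 0; }

/* Kernel-side open: one MAC decision for the requested mode, made once.
 * Returns 0 on success, -1 for a denied open (EACCES stand-in). */
int kernel_open(device_t *dev, sec_label_t subj, unsigned mode) {
    if ((mode & MODE_READ)  && !mac_read_ok(subj, dev->label))  return -1;
    if ((mode & MODE_WRITE) && !mac_write_ok(subj, dev->label)) return -1;
    return 0;
}

/* Kernel-side read/write dispatch. Without SEC_ERDWR the open-time
 * decision stands; with it, the label is re-checked on every call,
 * which catches a subject whose label changed after the open. */
int kernel_read(device_t *dev, sec_label_t subj) {
    if ((dev->flags & SEC_ERDWR) && !mac_read_ok(subj, dev->label))
        return -1;
    return drv_read(dev);
}
int kernel_write(device_t *dev, sec_label_t subj) {
    if ((dev->flags & SEC_ERDWR) && !mac_write_ok(subj, dev->label))
        return -1;
    return drv_write(dev);
}
```

Because the only policy code is label_dominates and the two one-line wrappers around it, porting drv_read and drv_write to a system with a different (or no) MAC policy means replacing the kernel-side dispatch, not touching the driver.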

DAC

DAC is enforced for each device special file based on the filesystem entry point used to access the device.

Checking for correct installation

Any device driver that performs MAC checks should securely handle (within reasonable bounds) the possibility that the device was defined incorrectly.

Privileged access

It may be appropriate for a device driver to limit certain device operations to privileged processes. The following specific recommendations apply in these situations.

You can use the refmon kernel function to determine if you have the necessary privileges.