For the purpose of security-oriented source code review, I’m interested in finding (comprehensively) all ioctl commands that are registered in the Linux kernel. Also, I’d like to classify them as either accessible by administrators (e.g root), and which ones are accessible by unprivileged users.
I’m not sure if it would be easier to read the kernel source code or if there is some way to query the list in user-space. If I need to look in the kernel, what functions would I need to look for for registration of ioctls?
ioctls don’t actually get registered in the kernel, each type of file-like object has a different set of ioctls available.
Most of the time they are implemented using a switch statement.
So what you really need to do is:
In practice finding out what ioctls are available is nontrivial. Many devices have a man page which lists them, but others don’t, and the list may be incomplete.
Usually there is a function somewhere with a big switch-statement. However there is a kind of “inheritance” whereby a lot of devices have several different kinds of ioctl implemented at different levels.
The same “kind” of driver is usually implemented in several different types of hardware, and they often share quite a lot of code.
For example, serial ports have their own ioctls defined in http://lxr.linux.no/#linux+v2.6.35/drivers/serial/serial_core.c#L1107
But serial ports also potentially have ioctls defined on a per-driver basis, but as they are ttys, they also respond to tty ioctls.
It’s differently structured for each subsystem because they have different behaviour.