
ACL problem with 2.0pre3

PostPosted: Wed Apr 23, 2003 12:43 pm
by superbock
Hi!

I'm experimenting with roles, trying to create a restrictive environment for a regular user:

Here's the ACL I'm using for the moment:

role myuser u
role_transitions admin
subject / {
    # default object: no access to anything not listed below
    /

    /dev
    /dev/tty rw
    /dev/pts rw
    /dev/null rw
    /dev/grsec h
    /dev/mem h
    /dev/kmem h
    /dev/port h
    /proc rwx
    /proc/kcore h
    /proc/sys r
    /var/run/utmp rw

    /etc r
    /etc/profile.d rx
    /etc/grsec h

    /home
    /home/myuser rwx

    /bin rx

    /lib rx
    /lib/modules h

    /tmp rw

    /usr
    /usr/bin rx
    /usr/include r
    /usr/lib rx
    /usr/libexec rx
    /usr/man r
    /usr/share r

    /sbin/consoletype x
    /var/spool/mail/myuser rw

    # hide everything else in these trees; the more specific objects above take precedence
    /home/* h
    /usr/* h
    /* h

    # drop every capability
    -CAP_ALL
}

This works fine in general, except in /

$ ls
bin boot dev etc home lib proc tmp usr var

$ ls -l
ls: boot: No such file or directory
ls: var: No such file or directory
[...]

I use the same logic with / that I used in /home, so that the user can only list his homedir, but I don't get this kind of error there.
What might i be missing?

Thanks in advance.

PostPosted: Wed Apr 23, 2003 2:00 pm
by spender
/boot and /var must be partitions on your system. The partitions themselves can't be made hidden, since for each mountpoint there exist two sets of inode/device numbers, both referencing the same file. Another problem is that from userspace, we can't really tell one of these sets of numbers. It's only used when traversing down the filesystem path. So, there are two ways to look at the file: as a file on the partition it's mounted on, or as "/" on the partition itself. We can't really solve this, since some of the logic requires there being a 1-to-1 function from filenames to inodes (but the reverse is not true of course, because of hardlinks).

-Brad

PostPosted: Wed Apr 23, 2003 2:33 pm
by superbock
Thanks for the reply Brad.

My workaround:

/var
/var/* h
/boot
/boot/* h

Can't hide the mount point, but can hide everything inside. So be it.
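As an added check (example code written for this page, not part of the thread and not part of grsecurity's gradm), the following Python script scans a subject block for `h` objects that fall on mount points, which is exactly the situation Brad describes, and prints the replacement superbock arrived at: leave the mount point itself visible and hide everything under it. The mount-point test is the same device/inode comparison that os.path.ismount() makes (a directory whose st_dev differs from its parent's, or which is the root of the tree). The handling of wildcard objects is an assumption: a `/*` entry is taken to cover each direct child that has no more specific object of its own, which is how the posted policy relies on `/home/myuser rwx` overriding `/home/* h`, and glob.glob is used to approximate that expansion. SAMPLE_SUBJECT is a constructed, shortened copy of the posted policy.

```python
"""Report 'h' (hide) objects in a grsecurity RBAC subject block that land on
mount points, which the kernel cannot hide, and print the workaround from the
thread: keep the mount point itself visible and hide its contents."""
import glob
import os
import re
import stat
from typing import Callable, Dict, List, Tuple

# Constructed input: the subject block from the post, shortened to the objects
# relevant here. Sample data, not a complete policy.
SAMPLE_SUBJECT = """
subject / {
    /
    /dev
    /dev/grsec h
    /proc rwx
    /home
    /home/myuser rwx
    /usr/bin rx
    /home/* h
    /usr/* h
    /* h
    -CAP_ALL
}
"""

# One object line: an absolute path, optionally followed by mode letters.
OBJECT_RE = re.compile(r"^(/\S*)(?:\s+([A-Za-z]+))?$")
GLOB_CHARS = "*?["


def parse_objects(subject_text: str) -> List[Tuple[str, str]]:
    """Return (path, mode) pairs for the object lines of one subject block.
    The subject header, braces and capability lines (-CAP_ALL) are skipped.
    A bare path (no mode letters) is kept with an empty mode string."""
    objects = []
    for raw in subject_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = OBJECT_RE.match(line)
        if match:
            objects.append((match.group(1), match.group(2) or ""))
    return objects


def is_mount_point(path: str) -> bool:
    """The test os.path.ismount() applies, written out: a directory is a mount
    point when its device number differs from its parent's, or when it is the
    root of the tree (same inode as its parent). From userspace only the
    mounted filesystem's root inode is reachable, as Brad's reply explains."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    if stat.S_ISLNK(st.st_mode):
        return False
    try:
        parent = os.lstat(os.path.join(path, os.pardir))
    except OSError:
        return False
    return st.st_dev != parent.st_dev or st.st_ino == parent.st_ino


def unhideable(objects: List[Tuple[str, str]],
               is_mount: Callable[[str], bool] = is_mount_point,
               expand: Callable[[str], List[str]] = glob.glob) -> Dict[str, List[str]]:
    """Map every hidden path that is a mount point to the two object lines that
    replace it: the mount point itself (no access) and '<path>/* h'.

    Assumption: a wildcard object such as '/*' covers each direct child that
    has no more specific object of its own; glob.glob approximates that."""
    explicit = {p for p, _ in objects if not any(c in p for c in GLOB_CHARS)}
    fixes: Dict[str, List[str]] = {}
    for path, mode in objects:
        if "h" not in mode:
            continue
        if any(c in path for c in GLOB_CHARS):
            candidates = [p for p in sorted(expand(path)) if p not in explicit]
        else:
            candidates = [path]
        for p in candidates:
            if is_mount(p):
                fixes[p] = [p, p.rstrip("/") + "/* h"]
    return fixes


if __name__ == "__main__":
    # Against the live filesystem: reports whichever paths hidden by the
    # sample block are mount points on this machine.
    for path, lines in unhideable(parse_objects(SAMPLE_SUBJECT)).items():
        print(f"{path} is a mount point and cannot be hidden; use instead:")
        for line in lines:
            print("    " + line)
```

Run it on the box the policy is meant for; on a layout like superbock's, where /boot and /var are separate partitions, it reports those two paths and prints the `/boot` + `/boot/* h` and `/var` + `/var/* h` pairs from the workaround above. Paths that are hidden by name rather than by wildcard are checked the same way, so a `/mnt/data h` on a mounted volume is caught too.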