Does RBAC support recursive globbing wildcards?
Posted: Tue Aug 25, 2015 9:15 pmI love RBAC and find it very straightforward to configure (albeit time consuming). However the one problem which I keep running into and which causes my policies to be far less secure than they should be is the lack of recursive globbing. For example, if I need to allow a program to read to any file with a certain extension under a specific directory with RBAC regardless of the subdirectory it is in, I cannot do it like this like I could in zsh or apparmor:
If I wanted it to be recursive, I would have to do something like this:
Not only is that very sloppy and would make the policy incredibly long, but it would only work up to so many subdirectories, and I don't like relying on assumptions that an object I want to match is only so many subdirectories deep.
If globbing support doesn't exist, is there any chance it would be a feature that could be added in the future? I can't imagine it would be too difficult to implement in gradm itself, but my understanding of C is too limited to patch it.
If no one has the time to add the feature, I'd appreciate it if someone could at least point me in the right direction and tell me how such a thing would be implemented. The two possibilities I see are 1) add support in the kernel side of things, which would require paths to be resolved at each access (which might be fundamentally impossible with the RBAC architecture, I don't know), or 2) add support to gradm_analyze.c, so that when it encounters a **, it sends a series of commands to /dev/grsec to enable */, then */*/, then */*/*/, etc (basically having ** acting like an alias for the really long recursive globbing example above). I imagine #2 would be much easier?
- Code: Select all
/home/myname/**/*.png r
If I wanted it to be recursive, I would have to do something like this:
- Code: Select all
/home/myname/*.png r
/home/myname/*/*.png r
/home/myname/*/*/*.png r
/home/myname/*/*/*/*.png r
...
/home/myname/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*.png r
Not only is that very sloppy and would make the policy incredibly long, but it would only work up to so many subdirectories, and I don't like relying on assumptions that an object I want to match is only so many subdirectories deep.
If globbing support doesn't exist, is there any chance it would be a feature that could be added in the future? I can't imagine it would be too difficult to implement in gradm itself, but my understanding of C is too limited to patch it.
If no one has the time to add the feature, I'd appreciate it if someone could at least point me in the right direction and tell me how such a thing would be implemented. The two possibilities I see are 1) add support in the kernel side of things, which would require paths to be resolved at each access (which might be fundamentally impossible with the RBAC architecture, I don't know), or 2) add support to gradm_analyze.c, so that when it encounters a **, it sends a series of commands to /dev/grsec to enable */, then */*/, then */*/*/, etc (basically having ** acting like an alias for the really long recursive globbing example above). I imagine #2 would be much easier?