gradm error checking - "/dev h" vs "/dev/* h"
Posted: Mon Jul 27, 2009 11:21 pm
Some applications aren't happy when listing of /dev is forbidden, even if the files they need inside /dev are allowed to be accessed. For now, gradm does policy checks that prevent allowing safe listing of /dev in the following way within default subject boundaries:
subject /
.....
/dev r
/dev/null rw
/dev/* h
.....
... while it seems pretty safe and correct to me. Is it? I've come up with the following cute little patch for gradm in my local overlay:
--- gradm2/gradm_analyze.c 2009-04-11 08:27:16.000000000 +0800
+++ gradm2.new/gradm_analyze.c 2009-07-28 10:18:37.000000000 +0800
@@ -513,7 +513,8 @@
errs_found++;
}
- if (!check_permission(role, def_acl, "/dev", &chk)) {
+ if (!check_permission(role, def_acl, "/dev", &chk) &&
+ !check_permission(role, def_acl, "/dev/*", &chk)) {
fprintf(stderr,
"Writing access is allowed by role %s to /dev, the directory which "
"holds system devices.\n\n", role->rolename);
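Review bot: the added `&& !check_permission(role, def_acl, "/dev/*", &chk)` in this hunk widens the exemption beyond the listing case the post is about: a policy of `/dev rw` plus `/dev/* h` now passes the write check silently, even though the `/dev` object itself still grants write on the directory. If the goal is only to let `/dev r` coexist with `/dev/* h`, the `/dev/*` exemption belongs in the GR_READ check alone and this hunk can be dropped; if it is intentional, the message text ("Writing access is allowed by role %s to /dev") should say that hiding `/dev/*` suppresses it, so the rule is discoverable from the warning.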
@@ -601,7 +602,8 @@
chk.u_modes = GR_READ;
- if (!check_permission(role, def_acl, "/dev", &chk)) {
+ if (!check_permission(role, def_acl, "/dev", &chk) &&
+ !check_permission(role, def_acl, "/dev/*", &chk)) {
fprintf(stderr,
"Reading access is allowed by role %s to /dev, the directory which "
"holds system devices.\n\n", role->rolename);
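Review bot: `chk.u_modes = GR_READ;` is set once and `&chk` is then passed to both `check_permission` calls; that is only safe if `check_permission` never writes back into `chk`, so it is worth confirming against the function body rather than assuming it. Since the same two-call condition now appears in both hunks, a small helper such as a hypothetical `dev_denies(role, def_acl, &chk)` would keep the read and write checks from drifting apart the next time one of them changes.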
It's not a feature request; I post it just in case anyone is interested in less painful policy creation for desktop environments, as I am. It would be great if the official gradm suggested something similar, though.
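To make the effect of the patched check concrete, here is a small Python model of the analyzer logic, added here as an illustration and not gradm's own code. It assumes a simplified version of RBAC object matching (exact path wins, then the longest matching glob) and a `check_permission()` that returns true when the matched object does not grant the requested mode; the policy below is constructed from the one in the post.

```python
import fnmatch

# Constructed policy mirroring the post: directory listable, contents hidden,
# one device node explicitly allowed.
POLICY = {
    "/dev": "r",
    "/dev/null": "rw",
    "/dev/*": "h",
}


def matching_object(policy, path):
    """Return (pattern, modes) of the most specific object covering path.
    Assumption (simplified model of RBAC matching): an exact path beats a
    glob, and a longer glob beats a shorter one."""
    if path in policy:
        return path, policy[path]
    globs = [p for p in policy if fnmatch.fnmatchcase(path, p)]
    if not globs:
        return None, ""
    best = max(globs, key=len)
    return best, policy[best]


def denies(policy, path, mode):
    """Model of gradm's check_permission(): true when the object matching
    path does not grant mode. A hidden object ('h') grants nothing."""
    _, modes = matching_object(policy, path)
    return "h" in modes or mode not in modes


def dev_warning_old(policy, mode):
    """Unpatched analyzer: warn whenever /dev itself grants the mode."""
    return not denies(policy, "/dev", mode)


def dev_warning_patched(policy, mode):
    """Patched analyzer: warn only when neither /dev nor /dev/* denies it."""
    return (not denies(policy, "/dev", mode)
            and not denies(policy, "/dev/*", mode))


if __name__ == "__main__":
    for mode in ("r", "w"):
        print(mode, "old:", dev_warning_old(POLICY, mode),
              "patched:", dev_warning_patched(POLICY, mode))
    # Caveat: hiding /dev/* says nothing about more specific objects.
    print("/dev/null writable:", not denies(POLICY, "/dev/null", "w"))
```

Running it shows the read warning disappearing under the patched check while `/dev/null` stays writable through its own more specific object; swapping `/dev` to `rw` shows the write warning being silenced as well, which is the point to decide on before merging the first hunk.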