granular security acl

PostPosted: Tue Jan 11, 2005 2:14 am
by hmhansolo
I have a question about how to setup a particular acl.

files that exist:
/
/home
/home/user
/home/user/file1
/home/user/file2
/home/user/file...
/home/user/fileX
/home/user/dir1
/home/user/dir2
/home/user/.app1
/home/user/.app2
/home/user/.myapp
/home/user/.myapp_savedfiles

I want myapp to be able to see:
/
/home
/home/user
/home/user/.myapp
/home/user/.myapp_savedfiles

So I want it to be able to list /home/user, but only see .myapp and .myapp_savedfiles. However, I cannot individually hide all the other files/folders in /home/user because there are too many of varying names.

I tried:
/ /home /home/user /home/user/* h
/home/user/.myapp rwcdx
/home/user/.myapp_savedfiles rwcdx

but of course the above doesn't work.

Is there any way I can hide everything in a directory except for some few items?

--hmhansolo

Thank you beforehand.

Re: granular security acl

PostPosted: Tue Jan 11, 2005 9:41 am
by Hue-Bond
>so i want it to be able to list /home/user, but only see .myapp and
>.myapp_savedfiles. However, I cannot individually hide all the other
>files/folders in /home/user because there are too many of varying
>names.

According to the 1.9 MAC documentation (yes, I know that is outdated),
you have to specify the glob last:

/home/user r
/home/user/.myapp rwxcd
/home/user/.myapp_savedfiles rwxcd
/home/user/* h

Beware, though, that that kind of glob (at the end of the subject) only
works for files that already exist at 'gradm -E' time. So, if another process
creates some file in /home/user, it won't be hidden from myapp (or at
least, that is my understanding of the doc).
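To make the "explicit entries plus a hiding glob" idea concrete, here is an added Python model (not grsecurity's own code, and not from any poster) that resolves which object mode applies to a path and predicts what `ls` would show. It assumes a simplified matching rule (most specific object wins: exact entry over glob over ancestor directory) and a constructed snapshot of the thread's /home/user layout; `/` and `/home` are given `r` only so the walk down the tree works.

```python
import fnmatch
import os
from typing import Dict, List, Optional, Tuple

# Constructed snapshot of the /home/user layout from the thread (not a real fs).
FILES = [
    "/", "/home", "/home/user",
    "/home/user/file1", "/home/user/file2", "/home/user/dir1", "/home/user/dir2",
    "/home/user/.app1", "/home/user/.app2",
    "/home/user/.myapp", "/home/user/.myapp_savedfiles",
    "/home/user/.myapp_savedfiles/save1",
]

def resolve(policy: Dict[str, str], path: str) -> str:
    """Mode string that applies to `path` under `policy` (simplified model).

    Assumption: the most specific object wins, ranked by object length, with
    an exact entry beating a glob and a glob beating an ancestor directory.
    Globs use fnmatch semantics, so '*' also crosses '/' in this model.
    """
    best: Tuple[int, int] = (-1, -1)
    mode = ""
    for obj, obj_mode in policy.items():
        if obj == path:
            rank = (len(obj), 2)
        elif any(c in obj for c in "*?[") and fnmatch.fnmatchcase(path, obj):
            rank = (len(obj), 1)
        elif obj == "/" or path.startswith(obj.rstrip("/") + "/"):
            rank = (len(obj), 0)
        else:
            continue
        if rank > best:
            best, mode = rank, obj_mode
    return mode

def list_dir(policy: Dict[str, str], dirpath: str) -> Optional[List[str]]:
    """Names `ls dirpath` would show; None when the directory itself is hidden."""
    if "h" in resolve(policy, dirpath):
        return None
    return sorted(os.path.basename(p) for p in FILES
                  if p != dirpath and os.path.dirname(p) == dirpath
                  and "h" not in resolve(policy, p))

# The allow-list-plus-hiding-glob policy from the reply above; '/' and '/home'
# are assumed readable so the walk down to /home/user works.
POLICY = {"/": "r", "/home": "r", "/home/user": "r",
          "/home/user/.myapp": "rwxcd", "/home/user/.myapp_savedfiles": "rwxcd",
          "/home/user/*": "h"}

if __name__ == "__main__":
    for d in ("/", "/home", "/home/user", "/home/user/.myapp_savedfiles"):
        print(d, "->", list_dir(POLICY, d))
    print("/home/user hidden ->", list_dir({**POLICY, "/home/user": "h"}, "/home/user"))
```

Because the policy is a dict here, the order of the glob relative to the explicit entries has no effect in this model; whether that holds on a real system depends on the RBAC version, as the next reply notes.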

PostPosted: Tue Jan 11, 2005 2:34 pm
by spender
That's not true anymore with 2.x. Globbed objects apply to objects created before and after the RBAC system is enabled.

-Brad

What I am looking for

PostPosted: Tue Jan 11, 2005 8:03 pm
by hmhansolo
subject /bin/ls o {
...
/home
/home/user r
/home/user/temp arwcdx
/home/user/* h
...
}

Results in:
$ ls /home/user/
file1
file2
temp

$ ls /home/user/*
ls: /home/user/file1: No such file or directory
ls: /home/user/file2: No such file or directory
/home/user/temp:

$ ls /home/user/temp/


$ ls /home/user/temp/*
/home/user/temp/tempfile1
/home/user/temp/tempfile2

subject /bin/ls o {
...
/home
/home/user
/home/user/temp arwcdx
/home/user/* h
...
}

results in the same thing above

subject /bin/ls o {
...
/home
/home/user h
/home/user/temp arwcdx
/home/user/* h
...
}

Results in:
$ ls /home/user/
ls: /home/user/: No such file or folder

$ ls /home/user/*
ls: /home/user/file1: No such file or directory
ls: /home/user/file2: No such file or directory
/home/user/temp:

$ ls /home/user/temp/


$ ls /home/user/temp/*
/home/user/temp/tempfile1
/home/user/temp/tempfile2

subject /bin/ls o {
...
/home
/home/user h
/home/user/temp arwcdx
...
}

same as the last one.

What I want is this:

$ ls /home/user/
temp

$ ls /home/user/*
ls: /home/user/file1: No such file or directory
ls: /home/user/file2: No such file or directory
/home/user/temp:

$ ls /home/user/temp/
tempfile1
tempfile2

$ ls /home/user/temp/*
/home/user/temp/tempfile1
/home/user/temp/tempfile2

The globbing above is done by bash which has full access.

I should also add

PostPosted: Tue Jan 11, 2005 10:18 pm
by hmhansolo
I should also add that for setups like:
/home/user
/home/user/temp rwcdxa
/home/user/* h

all the files like file1 and file2 in /home/user show up when you do `ls /home/user`.
However, all folders and files alike show up as files, all with size 0. So technically you cannot access them in any way, shape or form, but there still is a data leak in the names of the files, plus it isn't that good that directories show up as files with size 0.

PostPosted: Wed Jan 12, 2005 1:14 am
by spender
The readdir problem has been solved in 2.1.1, a test release of which is available at http://grsecurity.net/~spender

-Brad