
Directories not fully hidden?

PostPosted: Thu Nov 03, 2005 4:12 am
by Xerxes
The Grsecurity log is filled up with entries of programs that try to browse the file system and request information on directories which should be hidden but are partially visible:
# / $ ls
bin boot dev home lib mnt opt proc root sbin usr
# / $ ls -al
ls: boot: No such file or directory
ls: proc: No such file or directory
total 40
drwxr-xr-x 18 root root 4096 Jun 14 12:59 .
drwxr-xr-x 18 root root 4096 Jun 14 12:59 ..
[...]

Is there any way to work around this issue?

I am using Grsecurity 2.1.6 on a 2.4.31 kernel.

PostPosted: Tue Nov 08, 2005 5:08 am
by Xerxes
Come on... someone must know...

PostPosted: Thu Nov 10, 2005 6:40 pm
by spender
Have you tried adding the following rules:

/boot* h
/proc* h

to fully hide those specific mountpoints.

Also, to suppress logging for specific objects, add the "s" flag to the object.

-Brad

PostPosted: Sat Nov 12, 2005 1:13 pm
by Xerxes
Adding a suffix of * solved the problem, thanks! I only wonder why this works; why is /boot different from /boot*?

PostPosted: Sat Nov 12, 2005 1:19 pm
by spender
It's been discussed previously on the forums: the inode-based lookups assume that for a given name, there can be only one inode/device pair. It so happens that for mountpoints, there is both an inode/device pair for the directory that holds the mount and one for the root of the filesystem mounted there, and both resolve to the same name. This causes readdir/getdents to still be able to see the mountpoint (which you can also see through /proc/self/maps, btw). Using /boot* turns the object into a globbed object, which means it matches based on filename, so it will take care of both inode/device pairs.

-Brad
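The two inode/device pairs behind one mountpoint name, which Brad describes above, can be observed from userspace without any grsecurity involvement. The script below is an added example written for this page; it is not code from the thread or from grsecurity. It assumes a Linux host where os.scandir() exposes the d_ino that readdir()/getdents() returns, and it compares that with what lstat() reports for the same name after crossing any mount. It also lists names that readdir returns but stat cannot resolve, which is the partially hidden state shown in the first post (that part only produces output on a host where something is actually hidden). The scratch directory used as the control case is constructed by the script.

```python
"""Show the two inode/device pairs behind one mountpoint name.

Added example, not from the forum thread or from grsecurity.  Assumes a
Linux host: os.scandir() exposes the d_ino that readdir()/getdents()
returns, and lstat() on the same name crosses a mount at the final
path component.
"""
from __future__ import annotations

import os
import stat as statmod
import tempfile
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class EntryIdentity:
    name: str
    dirent_ino: int          # d_ino from readdir/getdents: the entry in the parent filesystem
    parent_dev: int          # st_dev of the directory that holds the entry
    is_dir: bool             # directory according to lstat (False if lstat failed)
    stat_ino: Optional[int]  # st_ino after lstat() resolves the name (None if it failed)
    stat_dev: Optional[int]  # st_dev after lstat() resolves the name (None if it failed)

    @property
    def is_mountpoint(self) -> bool:
        # lstat() crossed into another filesystem: the name now resolves to the
        # root of the filesystem mounted there, a second inode/device pair for
        # the same name that readdir still reports under the parent's d_ino.
        return self.is_dir and self.stat_dev is not None and self.stat_dev != self.parent_dev

    @property
    def listed_but_unstatable(self) -> bool:
        # readdir returned the name, but stat on it failed (e.g. ENOENT): the
        # "ls: boot: No such file or directory" state from the first post.
        return self.stat_dev is None


def directory_identities(path: str) -> List[EntryIdentity]:
    """Collect both identities for every name readdir returns in `path`."""
    parent_dev = os.lstat(path).st_dev
    entries: List[EntryIdentity] = []
    with os.scandir(path) as it:
        for entry in it:
            try:
                st = entry.stat(follow_symlinks=False)  # lstat: crosses mounts, not symlinks
                entries.append(EntryIdentity(entry.name, entry.inode(), parent_dev,
                                             statmod.S_ISDIR(st.st_mode), st.st_ino, st.st_dev))
            except OSError:
                entries.append(EntryIdentity(entry.name, entry.inode(), parent_dev,
                                             False, None, None))
    return sorted(entries, key=lambda e: e.name)


def mountpoints(path: str) -> List[str]:
    """Directory names in `path` whose stat identity lives on another device."""
    return [e.name for e in directory_identities(path) if e.is_mountpoint]


def listed_but_unstatable(path: str) -> List[str]:
    """Names readdir returns in `path` that stat cannot resolve."""
    return [e.name for e in directory_identities(path) if e.listed_but_unstatable]


def agrees_with_ismount(path: str) -> bool:
    """Cross-check: our device comparison matches os.path.ismount for every statable directory."""
    for e in directory_identities(path):
        if e.is_dir and not e.listed_but_unstatable:
            if e.is_mountpoint != os.path.ismount(os.path.join(path, e.name)):
                return False
    return True


def demo_plain_directory() -> dict:
    """Constructed control case: a scratch tree with no mounts has one identity per name."""
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "sub"))
        with open(os.path.join(tmp, "file"), "w") as fh:
            fh.write("x")
        ids = directory_identities(tmp)
        return {
            "names": [e.name for e in ids],
            "mountpoints": [e.name for e in ids if e.is_mountpoint],
            "unstatable": [e.name for e in ids if e.listed_but_unstatable],
        }


if __name__ == "__main__":
    # Host-dependent listing of "/": mountpoints such as /proc show a d_ino from the
    # parent filesystem next to a st_dev/st_ino pair from the mounted filesystem.
    for e in directory_identities("/"):
        tag = "MOUNT" if e.is_mountpoint else ("NOSTAT" if e.listed_but_unstatable else "")
        print(f"{e.name:12} d_ino={e.dirent_ino:<12} st_dev={e.stat_dev} st_ino={e.stat_ino} {tag}")
```

Run it on a host with /boot or /proc mounted and the MOUNT rows are exactly the names where a rule keyed on a single inode/device pair covers only one of the two identities; a name-based (globbed) object such as /boot* does not have that gap, and an object that is hidden for one identity but not the other shows up as NOSTAT in the listing.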