grsecurity forums

Skip to content

deny application A to execute B

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.
Topic locked

deny application A to execute B

Postby Raf256 » Tue Nov 08, 2005 10:47 am

Simple example request, how can I dissallow
program A (like firefox) when runned by an user other then John(*)
to execute any other programs B, besides application C (in examplem totemplayer)?

Can I hide all user files (~/) besides ~/.mozilla and ~/downloads from application A?

(*) how to make it more iteresting like,
- when runned by any user that is NOT in given group
- when runned by any user that IS in given group
- when runned by any user that didnt identyfie self with grsecurity password thingy

What exacly and where should I add to have this result?
Raf256
 
Posts: 72
Joined: Mon Sep 19, 2005 8:38 pm
Top

Postby spender » Thu Nov 10, 2005 6:37 pm

In the default role, create a subject for firefox that disallows execution of everything but what you want it to execute. Create a role for John and a subject in that role for firefox that grants the access you wish it to have when run under that context. For hiding all user files but the ones you mentioned from firefox, try the following three rules in the firefox subject:
/home/* h
/home/*/.mozilla rwcd (you may want to be more fine-grained than this)
/home/*/downloads rwcd

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Top

Postby Raf256 » Fri Nov 11, 2005 3:40 pm

Hmm, btw - do we have yet a nice, step-by-step, detailed (with examples) howto? Explaining how to do the things You mentione above
Raf256
 
Posts: 72
Joined: Mon Sep 19, 2005 8:38 pm
Top
Topic locked

Return to grsecurity support

Powered by phpBB® Forum Software © phpBB Group
cron