grsecurity forums

I'm trying to make secure policy - config http://pastebin.com/6QWFLWL5

There are following lines:
dont-reduce-path /home
read-protected-path /home
high-protected-path /home

but policy is missing /home and many other directories in many subjects and /home remains accessible

# Role: root
subject /bin/cut o {
/ h
/bin/cut x
/dev h
/etc/ld.so.cache r
/lib64/ld-2.14.1.so x
/lib64/libc-2.14.1.so rx
/mnt h
/mnt/md3 h
/proc h
-CAP_ALL
bind disabled
connect disabled
}

I don't see anything wrong with that policy for /bin/cut (not /bin/cat btw). It has / h, which would match /home. This is why it doesn't need a separate, duplicate object.

-Brad

You are right. It works. I tested it again. It didn't work during my previous test for some reason.

I found something else. /dev and /etc are included in read/high-protected-path, but there are no modes.

# Role: root
subject /bin/cat o {
/ h
/bin h
/bin/cat x
/dev
/dev/grsec h
/dev/kmem h
/dev/log h
/dev/mem h
/dev/port h
/etc

That policy is fine also. read-protected-path does exactly what the documentation says: creates subjects for binaries that access a certain path for reading. In the policy you pasted, there's no read access to /dev, just 'find' access. 'find' access only allows the ability to see the file and stat it, but no reading/writing/executing/etc.

-Brad