granular security acl

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Postby hmhansolo » Tue Jan 11, 2005 2:14 am

I have a question about how to setup a particular acl.

files that exist:
/
/home
/home/user
/home/user/file1
/home/user/file2
/home/user/file...
/home/user/fileX
/home/user/dir1
/home/user/dir2
/home/user/.app1
/home/user/.app2
/home/user/.myapp
/home/user/.myapp_savedfiles

I want myapp to be able to see:
/
/home
/home/user
/home/user/.myapp
/home/user/.myapp_savedfiles

So I want it to be able to list /home/user, but only see .myapp and .myapp_savedfiles. However, I cannot individually hide all the other files/folders in /home/user because there are too many of varying names.

I tried:
/ /home /home/user /home/user/* h
/home/user/.myapp rwcdx
/home/user/.myapp_savedfiles rwcdx

but of course the above doesn't work.

Is there any way I can hide everything in a directory except for some few items?

--hmhansolo

Thank you beforehand.
hmhansolo
Posts: 32
Joined: Mon Jan 10, 2005 9:15 pm

Re: granular security acl

Postby Hue-Bond » Tue Jan 11, 2005 9:41 am

>so i want it to be able to list /home/user, but only see .myapp and
>.myapp_savedfiles. However, I cannot individually hide all the other
>files/folders in /home/user because there are too many of varying
>names.

According to the 1.9 MAC documentation (yes, I know that is outdated),
you have to specify the glob last:

/home/user r
/home/user/.myapp rwxcd
/home/user/.myapp_savedfiles rwxcd
/home/user/* h

Beware, though, that that kind of glob (at the end of the subject) only
works for files that already exist at 'gradm -E' time. So, if another process
creates some file in /home/user, it won't be hidden from myapp (or at
least, that is my understanding of the doc).
Hue-Bond
Posts: 34
Joined: Mon Dec 13, 2004 4:31 pm

Postby spender » Tue Jan 11, 2005 2:34 pm

That's not true anymore with 2.x. Globbed objects apply to objects created before and after the RBAC system is enabled.

-Brad
spender
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
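As an added illustration (not code from the thread, from grsecurity or from gradm), the Python below models how the policy in Hue-Bond's answer resolves objects for paths under /home/user: exact objects first, then globs in policy order, then the longest non-glob parent. The precedence rules and the SAMPLE_ENTRIES listing are assumptions made for the model, not grsecurity's actual matching code; because the model evaluates each path on demand, a file created after the policy is enabled resolves to the same glob, which is the 2.x behaviour spender describes.

```python
import re

# Hue-Bond's policy from the thread, as (object path, mode flags).
# The precedence rules below are an ASSUMPTION made for this model, not
# grsecurity's real implementation:
#   1. an exact (non-glob) object for the path,
#   2. globbed objects in policy order ('*' and '?' never cross '/'),
#   3. the longest non-glob parent directory object (inheritance).
POLICY = [
    ("/home/user", "r"),
    ("/home/user/.myapp", "rwxcd"),
    ("/home/user/.myapp_savedfiles", "rwxcd"),
    ("/home/user/*", "h"),
]

# Constructed directory listing for /home/user, based on the first post.
SAMPLE_ENTRIES = ["file1", "file2", "dir1", ".app1", ".myapp", ".myapp_savedfiles"]

def is_glob(obj):
    return "*" in obj or "?" in obj

def glob_to_regex(pattern):
    """Translate a policy glob to a regex in which '*' and '?' stop at '/'."""
    out = ""
    for ch in pattern:
        out += {"*": "[^/]*", "?": "[^/]"}.get(ch, re.escape(ch))
    return re.compile("^" + out + "$")

def resolve(policy, path):
    """Return the mode string the model applies to path, or None if no object matches."""
    for obj, mode in policy:                        # 1. exact object
        if not is_glob(obj) and obj == path:
            return mode
    for obj, mode in policy:                        # 2. globs, first match wins
        if is_glob(obj) and glob_to_regex(obj).match(path):
            return mode
    parents = [(obj, mode) for obj, mode in policy  # 3. inherit from parent
               if not is_glob(obj) and path.startswith(obj.rstrip("/") + "/")]
    if parents:
        return max(parents, key=lambda om: len(om[0]))[1]
    return None

def visible_entries(policy, directory, entries):
    """Directory entries that are not hidden ('h') under the model."""
    return [name for name in entries
            if "h" not in (resolve(policy, f"{directory}/{name}") or "")]

if __name__ == "__main__":
    print(visible_entries(POLICY, "/home/user", SAMPLE_ENTRIES))
    # a file that did not exist when the policy was enabled still matches the glob
    print(resolve(POLICY, "/home/user/created_later"))
```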

What I am looking for

Postby hmhansolo » Tue Jan 11, 2005 8:03 pm

subject /bin/ls o {
...
/home
/home/user r
/home/user/temp arwcdx
/home/user/* h
...
}

Results in:
$ ls /home/user/
file1
file2
temp

$ ls /home/user/*
ls: /home/user/file1: No such file or directory
ls: /home/user/file2: No such file or directory
/home/user/temp:

$ ls /home/user/temp/


$ ls /home/user/temp/*
/home/user/temp/tempfile1
/home/user/temp/tempfile2

subject /bin/ls o {
...
/home
/home/user
/home/user/temp arwcdx
/home/user/* h
...
}

Results in the same thing as above.

subject /bin/ls o {
...
/home
/home/user h
/home/user/temp arwcdx
/home/user/* h
...
}

Results in:
$ ls /home/user/
ls: /home/user/: No such file or folder

$ ls /home/user/*
ls: /home/user/file1: No such file or directory
ls: /home/user/file2: No such file or directory
/home/user/temp:

$ ls /home/user/temp/


$ ls /home/user/temp/*
/home/user/temp/tempfile1
/home/user/temp/tempfile2

subject /bin/ls o {
...
/home
/home/user h
/home/user/temp arwcdx
...
}

Same as the last one.

What I want is this:

$ ls /home/user/
temp

$ ls /home/user/*
ls: /home/user/file1: No such file or directory
ls: /home/user/file2: No such file or directory
/home/user/temp:

$ ls /home/user/temp/
tempfile1
tempfile2

$ ls /home/user/temp/*
/home/user/temp/tempfile1
/home/user/temp/tempfile2

The globbing above is done by bash, which has full access.
hmhansolo
Posts: 32
Joined: Mon Jan 10, 2005 9:15 pm

I should also add

Postby hmhansolo » Tue Jan 11, 2005 10:18 pm

I should also add that for setups like:
/home/user
/home/user/temp rwcdxa
/home/user/* h

all the files like file1 and file2 in /home/user show up when you do `ls /home/user`.
However, all folders and files alike show up as files, all with size 0. So technically you cannot access them in any way, shape or form, but there still is a data leak in the names of the files, plus it isn't that good that directories show up as files with size 0.
hmhansolo
Posts: 32
Joined: Mon Jan 10, 2005 9:15 pm

Postby spender » Wed Jan 12, 2005 1:14 am

The readdir problem has been solved in 2.1.1, a test release of which is available at http://grsecurity.net/~spender

-Brad
spender
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm