Directories not fully hidden?

Postby Xerxes » Thu Nov 03, 2005 4:12 am

The Grsecurity log is filled up with entries of programs that try to browse the file system and request information on directories which should be hidden but are partially visible:
# / $ ls
bin boot dev home lib mnt opt proc root sbin usr
# / $ ls -al
ls: boot: No such file or directory
ls: proc: No such file or directory
total 40
drwxr-xr-x 18 root root 4096 Jun 14 12:59 .
drwxr-xr-x 18 root root 4096 Jun 14 12:59 ..
[...]

Is there any way to work around this issue?

I am using Grsecurity 2.1.6 on a 2.4.31 kernel.
Xerxes
 
Posts: 5
Joined: Mon Jan 26, 2004 2:43 pm

Postby Xerxes » Tue Nov 08, 2005 5:08 am

Come on... someone must know...
Xerxes
 
Posts: 5
Joined: Mon Jan 26, 2004 2:43 pm

Postby spender » Thu Nov 10, 2005 6:40 pm

Have you tried adding the following rules:

/boot* h
/proc* h

to fully hide those specific mountpoints.

Also, to suppress logging for specific objects, add the "s" flag to the object.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby Xerxes » Sat Nov 12, 2005 1:13 pm

Adding a suffix of * solved the problem, thanks! I only wonder why this works; why is /boot different from /boot*?
Xerxes
 
Posts: 5
Joined: Mon Jan 26, 2004 2:43 pm

Postby spender » Sat Nov 12, 2005 1:19 pm

It's been discussed previously on the forums: the inode-based lookups assume that for a given name, there can be only one inode/device pair. It so happens that for mountpoints, there is both an inode/device pair for the directory that holds the mount and one for the root of the filesystem mounted there, and both resolve to the same name. This causes readdir/getdents to still be able to see the mountpoint (which you can also see through /proc/self/maps, btw). Using /boot* turns the object into a globbed object, which means it matches based on filename, so it will take care of both inode/device pairs.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
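The two-inode/device-pair situation Brad describes is the same thing `os.path.ismount()` keys on: the directory underneath a mount and the root of the filesystem mounted on top of it have different `st_dev` values. The script below is an added example, not code from the thread or from grsecurity itself; it reads object lines of the form `<path> <flags>` from a constructed subject body, flags every non-globbed `h` object that points at a mountpoint, and prints the globbed form suggested above. The policy text, the `parse_object_rules`/`audit_hidden_objects` helpers and the simplified `<path> <flags>` parsing are all assumptions made for the example, and the mountpoint check is only a userspace approximation of why the kernel's inode-based match misses the second pair.

```python
import os
from typing import Callable, List, Tuple

# Constructed sample: object lines from one RBAC subject body, not a policy
# taken from the thread. Comments and blank lines are skipped as gradm does.
SAMPLE_POLICY = """\
# constructed subject body for illustration
/boot h
/proc h
/proc/self/maps h
/etc/shadow h
/home rwcd
"""


def is_mountpoint(path: str) -> bool:
    # Same logic as os.path.ismount(): a directory whose st_dev differs from
    # its parent's (or that is its own parent, i.e. the root) sits on another
    # filesystem. That is the case from the thread: the underlying directory
    # and the mounted root are two inode/device pairs resolving to one name.
    try:
        st = os.lstat(path)
    except OSError:
        return False
    if os.path.islink(path):
        return False
    try:
        pst = os.lstat(os.path.join(path, os.pardir))
    except OSError:
        return False
    return st.st_dev != pst.st_dev or st.st_ino == pst.st_ino


def parse_object_rules(policy: str) -> List[Tuple[str, str]]:
    # Returns (path, flags) pairs; ignores comments, blanks and any line that
    # is not exactly '<path> <flags>' (role/subject headers are out of scope).
    rules = []
    for line in policy.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or not parts[0].startswith("/"):
            continue
        rules.append((parts[0], parts[1]))
    return rules


def audit_hidden_objects(
    rules: List[Tuple[str, str]],
    is_mount: Callable[[str], bool] = is_mountpoint,
) -> List[Tuple[str, str]]:
    # For every non-globbed 'h' object that names a mountpoint, suggest the
    # globbed form ('/boot* h') so the object is matched by filename and
    # covers both inode/device pairs. is_mount is injectable for testing.
    findings = []
    for path, flags in rules:
        if "h" not in flags or path.endswith("*"):
            continue
        if is_mount(path):
            findings.append((path, f"{path}* {flags}"))
    return findings


if __name__ == "__main__":
    for path, fix in audit_hidden_objects(parse_object_rules(SAMPLE_POLICY)):
        print(f"{path} is a mountpoint; consider: {fix}")
```

Run it on the live policy (with `is_mountpoint`, which checks the real filesystem) to list hide rules that need the glob form. A trailing `*` also matches sibling names that start with the same prefix (for example `/boot*` would match a `/bootstrap` directory), so check for such collisions before switching a rule.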
