On 8/29/2020 4:08 AM, Mikhail Novosyolov wrote: > Hello everyone, > > We have been thinking on such problem: read access to a file may be restricted with SELinux MCS/MLS, especially MLS/MCS. > If a file with restricted access is inside a directory without restricted access, its name is readable. > Name of the file may be used to store some "secret" information. > Some system directories, e.g. /var/tmp, are writable for multiple users, and they may use it to exchange secret information, > bypassing restrictions. > > Is there a way to restrict access to names of such files? TL;DR - No This is probably the oldest active question in the history of UNIX/Linux security. In the late 1980's it arose many times in the process of system security evaluations. Because the name of a file is data in the directory, and not an attribute of the file in UNIX/Linux filesystems, access to it is controlled by access to the directory. There was initially much crying and gnashing of teeth about this in the evaluation community. Especially with regard to /tmp. SELinux (and Smack, and B&L systems from the old days) have explicit policies controlling how files can be created in directories such that you can read the directory but not the file attributes. While this can't prevent creating a file named launch-the-missiles-at-noon, it provides accountability. > > What may theoretically be done: > > 1. Hide such files from directory listing. A bad idea, because most pieces of software (and people) > are not ready to deal with situations when a file does not exist but a file with such name cannot be > created because it already exists. > > 2. Change name of the file to "????". Even worse. > > 3. Do not show the name of the file at all. I do not know how it should be done, > something like showing that an "inode" exists. > > 4. Try to just restrict write access to directories without proper MLS labels: > separate /tmp for arch user, maybe separate /var/tmp for each user, chmod -x (maybe via ACL) for /run etc. > > Can and should it be done with SELinux? What about other LSM modules? > Is there a more generic approach to hide names of unreadable files? >
