Re: Hiding names of unreadable files

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 29.8.2020 14.08, Mikhail Novosyolov wrote:
Hello everyone,

We have been thinking on such problem: read access to a file may be restricted with SELinux MCS/MLS, especially MLS/MCS.
If a file with restricted access is inside a directory without restricted access, its name is readable.
Name of the file may be used to store some "secret" information.
Some system directories, e.g. /var/tmp, are writable for multiple users, and they may use it to exchange secret information,
bypassing restrictions.

Is there a way to restrict access to names of such files?

What may theoretically be done:

1. Hide such files from directory listing. A bad idea, because most pieces of software (and people)
are not ready to deal with situations when a file does not exist but a file with such name cannot be
created because it already exists.

2. Change name of the file to "????". Even worse.

3. Do not show the name of the file at all. I do not know how it should be done,
something like showing that an "inode" exists.

4. Try to just restrict write access to directories without proper MLS labels:
separate /tmp for arch user, maybe separate /var/tmp for each user, chmod -x (maybe via ACL) for /run etc.

Can and should it be done with SELinux? What about other LSM modules?
Is there a more generic approach to hide names of unreadable files?


PAM module pam_namespace sets up private directories in /tmp etc. and pam_tmpdir is probably similar.

-Topi



[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux