30.08.2020 00:26, Topi Miettinen writes:
> On 29.8.2020 14.08, Mikhail Novosyolov wrote:
>>
>> 4. Try to just restrict write access to directories without proper MLS labels:
>> separate /tmp for arch user, maybe separate /var/tmp for each user, chmod -x (maybe via ACL) for /run etc.
>
> PAM module pam_namespace sets up private directories in /tmp etc. and pam_tmpdir is probably similar.

Yes. But it causes problems in different places; by far not all software is ready to have different files in /tmp from different users. In general this does work. But for /tmp. What about /var/tmp, /run? In theory a similar polyinstantiation can be done for them, but new problems will be encountered.

/var/tmp is even more interesting because it is normally not a tmpfs; some software can store permanent data there, e.g. KDE4 stores cache files there. Per-user onion-mounting (overlayfs, aufs) or a simple `mount --bind` could be used there.
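A pam_namespace configuration for the per-user /tmp and /var/tmp polyinstantiation discussed in this exchange, added here as an illustration rather than taken from the thread; the instance directory names /tmp-inst and /var/tmp-inst and the choice of the login PAM service are assumptions. /var/tmp deliberately uses an on-disk instance directory instead of the tmpfs method, so the permanent cache files the reply mentions keep surviving reboots.

```conf
# /etc/security/namespace.conf -- assumed location, format per namespace.conf(5)
#
# polydir     instance_prefix     method   list_of_uids
#
# "user": each login gets its own instance named <instance_prefix><username>.
# The uid list is an exclusion list: root and adm keep the shared directory,
# which limits breakage for system services that expect a single /tmp.
/tmp          /tmp-inst/          user     root,adm

# /var/tmp stays on the real filesystem (not tmpfs), so per-user persistent
# data such as KDE4 caches behaves as it would in a shared /var/tmp.
/var/tmp      /var/tmp-inst/      user     root,adm

# Instance parents are created once by the administrator, root-owned, mode 000,
# so no unprivileged user can pre-create or inspect another user's instance:
#   mkdir -m 000 /tmp-inst /var/tmp-inst
#
# Activation line added to the PAM service that starts sessions (assumed:
# /etc/pam.d/login); without it namespace.conf is never read:
#   session   required   pam_namespace.so
#
# Check from a fresh session of an ordinary user that the bind mount exists:
#   findmnt /tmp /var/tmp
```

System services that share files through /tmp across users (X sockets, lock files) are the first thing to verify after enabling this, since they only see their own instance.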