[rsbac] Re: rsbac Digest, Vol 16, Issue 8

Michał Purzyński albeiro at polsl.gliwice.pl
Sun Apr 11 20:39:48 CEST 2004


>Date: Sat, 10 Apr 2004 10:29:41 +0200
>From: Amon Ott <ao at rsbac.org>
>Subject: Re: [rsbac] modules-off REG module
>To: RSBAC Discussion and Announcements <rsbac at rsbac.org>
>Message-ID: <200404101029.42086.ao at rsbac.org>
>Content-Type: text/plain;  charset="utf-8"
>
>On Friday, 9 April 2004 11:10, Michał Purzyński wrote:
>  
>
>>I'm currently writing some REG module, I will write more about it after
>>it is finished, but I have a simple question:
>>how to hide some file?
>>/proc/modules in this case would be hidden after loading some kernel
>>module (and add_to_kernel && remove_from_kernel denied, which is working
>>now).
>>I think that the requests get_status_data and search have to be denied for
>>/proc/modules, but how to `say` it? target_id is not very easy to use.
>>Some examples please?
>>    
>>
>
>There is currently no hiding of files in RSBAC, because it seemed like a 
>rather dirty hack when I looked at it. SEARCH is only valid for directories. 
>You could deny the lookup in /proc, which is probably not what you want.
>
>So you could only control read access to /proc/modules with the usual 
>FILE target request types. I can reconsider the file hiding feature if 
>you need it.
>
>Amon.
>  
>

Well, since a few (call it dirty, they are ;) modules have, among other
things, to hide files/dirs, it would be really nice if you could add
hiding to RSBAC. For now it looks like I have found some way of hiding
files (from a REG module).

In request_func (rest of it cut):

#include <linux/fs.h>
#include <linux/namei.h>   /* struct nameidata, path_lookup() on 2.6 */

struct nameidata nd;
struct inode *inode;

/* user_path_walk() copies its argument from user space with getname(),
 * so it cannot be handed a kernel string literal; look the path up
 * directly (path_lookup() on 2.6, path_init()/path_walk() on 2.4) and
 * give up quietly if the lookup fails. */
if (path_lookup("/proc/modules", LOOKUP_FOLLOW, &nd))
        return GRANTED;
inode = nd.dentry->d_inode;

and later:

/* Deny GET_STATUS_DATA on the file whose (device, inode) pair matches
 * /proc/modules. The path reference must be released on both branches.
 * Assumes tid.file.device is directly comparable with inode->i_sb->s_dev. */
if (request == R_GET_STATUS_DATA && target == T_FILE
    && tid.file.device == inode->i_sb->s_dev
    && tid.file.inode == inode->i_ino) {
        path_release(&nd);
        return NOT_GRANTED;
} else {
        path_release(&nd);
        return GRANTED;
}

which should deny get_status_data to the file /proc/modules (which hides it).
But it does not work :( Could you give some example of how to use
rsbac_target_id_t with files/dirs?

Albeiro


