From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
To: Casey Schaufler <casey@schaufler-ca.com>,
SElinux list <selinux@vger.kernel.org>
Cc: survolog@yandex.ru,
"Vladimir Potapov" <vladimir.potapov@rosalab.ru>,
"Михаил Мосолов" <m.mosolov@rosalinux.ru>
Subject: Re: Hiding names of unreadable files
Date: Sun, 30 Aug 2020 02:30:08 +0300 [thread overview]
Message-ID: <e8efae23-ac19-ce3d-4988-b3e304e4807b@rosalinux.ru> (raw)
In-Reply-To: <f2db2efd-1852-bcb9-c734-68d29b9f1880@schaufler-ca.com>
29.08.2020 19:42, Casey Schaufler пишет:
> On 8/29/2020 4:08 AM, Mikhail Novosyolov wrote:
>> Hello everyone,
>>
>> We have been thinking on such problem: read access to a file may be restricted with SELinux MCS/MLS, especially MLS/MCS.
>> If a file with restricted access is inside a directory without restricted access, its name is readable.
>> Name of the file may be used to store some "secret" information.
>> Some system directories, e.g. /var/tmp, are writable for multiple users, and they may use it to exchange secret information,
>> bypassing restrictions.
>>
>> Is there a way to restrict access to names of such files?
> TL;DR - No
>
> This is probably the oldest active question in the history
> of UNIX/Linux security. In the late 1980's it arose many times
> in the process of system security evaluations. Because the
> name of a file is data in the directory, and not an attribute
> of the file in UNIX/Linux filesystems, access to it is controlled
> by access to the directory.
>
> There was initially much crying and gnashing of teeth about this
> in the evaluation community. Especially with regard to /tmp.
> SELinux (and Smack, and B&L systems from the old days) have
> explicit policies controlling how files can be created in
> directories such that you can read the directory but not the
> file attributes. While this can't prevent creating a file named
> launch-the-missiles-at-noon, it provides accountability.
Very interesting, thanks.But are there technical restrictions to implement hiding names of files?
Let's assume that we will be OK with performance penalty of directory listing because of checking access rights to each file inside the directory.
Were there any attempts to implement this?
next prev parent reply other threads:[~2020-08-29 23:30 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-29 11:08 Hiding names of unreadable files Mikhail Novosyolov
2020-08-29 16:42 ` Casey Schaufler
2020-08-29 23:30 ` Mikhail Novosyolov [this message]
2020-08-30 15:55 ` Casey Schaufler
2020-08-31 14:09 ` Stephen Smalley
2020-08-29 21:26 ` Topi Miettinen
2020-08-29 23:25 ` Mikhail Novosyolov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e8efae23-ac19-ce3d-4988-b3e304e4807b@rosalinux.ru \
--to=m.novosyolov@rosalinux.ru \
--cc=casey@schaufler-ca.com \
--cc=m.mosolov@rosalinux.ru \
--cc=selinux@vger.kernel.org \
--cc=survolog@yandex.ru \
--cc=vladimir.potapov@rosalab.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.