Hello.

Radoslaw Szkodzinski wrote:
> >> > If DAC allows stat() syscall on some file or directory, TOMOYO will allow
> >> > stat() syscall on that file or directory.
> >>
> >> But it could get the syscall itself, any security_file_stat() in there?
> >
> > There is security_inode_getattr() which can reject stat() syscall, but TOMOYO
> > is not using security_inode_getattr().
> >
> >> > You don't need to specify "allow_stat" keyword for reading access flags,
> >> > xattrs, file size and so on because TOMOYO cannot prevent stat() syscall.
> >>
> >> And I would like it to. Could be used to hide some more information.
> >> Perhaps allow_read should also allow_stat to make it easier to use.
> >
> > Is hiding DAC's mode, filesize, owner/group etc. useful? I don't think so.
> >
>
> Hiding filesize can be in case of certain file-based encrypted
> filesystems... but why would another user even have such access at
> all?
>
> > If we restrict stat() operation for hiding some more information, we should
> > restrict readdir() operation as well.
>
> Hmm, yes, far less useful without that.
>
I added getattr() and open(O_DIRECTORY) checks (revision 4081). I feel that the
getattr() entries are noisy because files are likely fstat()ed after open()ed.
Please try. What do you think?

Regarding mprotect(), I don't include it in TOMOYO 1.8 because I have to freeze
specifications soon in order to release TOMOYO 1.8 on November 11th.
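An added example, not from this thread or from TOMOYO's own code, that shows the metadata the discussion is about: after DAC read access is removed, stat() still reports size and mode and readdir() on the parent directory still reports the name, which is why a stat() check alone would hide little without a readdir() check. The /tmp path and the file contents are constructed for the demonstration.

```c
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* What an observer learns from stat()/readdir() alone, with no read access. */
struct leaked_meta {
    off_t size;    /* file size, from stat() */
    mode_t mode;   /* permission bits, from stat() */
    int listed;    /* 1 if readdir() on the parent directory revealed the name */
};

/* Write content to path, then clear every permission bit so DAC denies
 * read() but stat() still answers. Returns 0 on success. */
int make_unreadable_file(const char *path, const char *content)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, content, strlen(content));
    close(fd);
    if (n != (ssize_t)strlen(content)) return -1;
    return chmod(path, 0);  /* mode 000 */
}
/* Record what stat() and readdir() expose about dir/name. Returns 0 on success. */
int probe_metadata(const char *dir, const char *name, struct leaked_meta *out)
{
    char path[4096];
    struct stat st;
    snprintf(path, sizeof path, "%s/%s", dir, name);
    if (stat(path, &st) != 0) return -1;  /* needs only search permission on dir */
    out->size = st.st_size;
    out->mode = st.st_mode & 0777;
    out->listed = 0;
    DIR *d = opendir(dir);                /* open(O_DIRECTORY) followed by readdir() */
    if (!d) return -1;
    for (struct dirent *e; (e = readdir(d)) != NULL; )
        if (strcmp(e->d_name, name) == 0) out->listed = 1;
    closedir(d);
    return 0;
}

int main(void)
{
    struct leaked_meta m;  /* constructed sample file under /tmp */
    if (make_unreadable_file("/tmp/tomoyo_meta_demo", "secret payload\n") != 0) return 1;
    if (probe_metadata("/tmp", "tomoyo_meta_demo", &m) != 0) return 1;
    printf("size=%lld mode=%03o listed=%d\n", (long long)m.size, (unsigned)m.mode, m.listed);
    return unlink("/tmp/tomoyo_meta_demo");
}
```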