Quoting Crispin Cowan (crispin@private):

> Serge E. Hallyn wrote:
> > Hmm, a question on behavior.
> >
> > Let's say hallyn_t is allowed to write /var (var_t), but not to do
> > getattr on /var/secret_process_is_running (secret_t). If hallyn_t
> > does ls /var/secret_process_is_running, he gets -ENOENT, but what
> > should he get if he does 'touch /var/secret_process_is_running'?
> > -EPERM obviously leaks information...
>
> If you create a file whose existence is supposed to be secret, and you
> put it in a public directory, then you have made a mistake, because the
> file's existence is always detectable.
>
> Suppose we create a file in /var/nothingtoseehere. The adversary can
> create any file they want, *except* for /var/nothingtoseehere, which
> will return some kind of error message (doesn't matter which error).
> From this, the attacker can infer the existence of the file, and its name.

Right.

Of course we could solve this with a custom polyinstantiated filesystem,
which might even be pretty simple to do as either a stackable fs around a
real one, or a userspace filesystem. It would simply create a new entry
for /var/nothingtoseehere with the creator's context, so that when a
process in that context did ls /var, it would see the new file.

I was wondering whether there are any other tricks we could play. Sounds
like no :)

And as you point out, if we don't solve this, there's no point returning
-ENOENT on ls /var.

thanks,
-serge
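The existence leak Crispin describes, and the polyinstantiated directory Serge sketches as the fix, as a toy model added here for illustration (not code from the thread or from any SELinux implementation; the policy table, the types hallyn_t/secret_t/var_t and the file names are constructed):

```python
import errno

# Constructed policy: (subject type, object type) -> permitted operations.
# hallyn_t may write /var (var_t) but has no getattr on secret_t files.
POLICY = {
    ("hallyn_t", "var_t"):    {"write", "getattr"},
    ("hallyn_t", "hallyn_t"): {"getattr"},
    ("secret_t", "var_t"):    {"write", "getattr"},
    ("secret_t", "secret_t"): {"getattr"},
}

def allowed(subject, obj_type, op):
    return op in POLICY.get((subject, obj_type), set())

class VarDir:
    """Toy /var (type var_t). With polyinstantiated=True every subject
    context gets its own instance of the directory, as in the stackable
    or userspace filesystem proposed in the thread."""
    def __init__(self, polyinstantiated=False):
        self.poly = polyinstantiated
        self.entries = {}            # (instance, name) -> object type

    def _instance(self, subject):
        return subject if self.poly else None

    def stat(self, subject, name):
        otype = self.entries.get((self._instance(subject), name))
        if otype is None or not allowed(subject, otype, "getattr"):
            return -errno.ENOENT     # absence and denial look identical
        return 0

    def create(self, subject, name):
        if not allowed(subject, "var_t", "write"):
            return -errno.EACCES
        key = (self._instance(subject), name)
        if key in self.entries:
            return -errno.EEXIST     # in a shared dir, this is the leak
        self.entries[key] = subject  # new file labelled with creator's type
        return 0

    def listdir(self, subject):
        inst = self._instance(subject)
        return sorted(n for (i, n), t in self.entries.items()
                      if i == inst and allowed(subject, t, "getattr"))

def existence_leaks(polyinstantiated):
    """True if hallyn_t can tell the secret name apart from a free one."""
    var = VarDir(polyinstantiated)
    assert var.create("secret_t", "nothingtoseehere") == 0
    # ls-style probes are already closed: both names return ENOENT.
    assert var.stat("hallyn_t", "nothingtoseehere") == var.stat("hallyn_t", "free_name")
    # touch-style probes: compare the result for the secret name with a free one.
    return var.create("hallyn_t", "nothingtoseehere") != var.create("hallyn_t", "free_name")
```

In the shared directory the create attempt fails only for the secret name, so `existence_leaks(False)` is True; with per-context instances both creates succeed and each context's `listdir` shows only its own file.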
This archive was generated by hypermail 2.1.3 : Thu Jan 05 2006 - 06:38:02 PST