From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id BF5051395E4 for ; Tue, 6 Dec 2016 12:26:40 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 0A48AE0BD5; Tue, 6 Dec 2016 12:26:40 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id DD8C0E0BD5 for ; Tue, 6 Dec 2016 12:26:39 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 1E5F93414D6 for ; Tue, 6 Dec 2016 12:26:39 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id B3FB524BD for ; Tue, 6 Dec 2016 12:26:37 +0000 (UTC) From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1480262699.413d913dee884ea80815487287919e16b7387039.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/system/userdomain.if X-VCS-Directories: policy/modules/system/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 413d913dee884ea80815487287919e16b7387039 X-VCS-Branch: master Date: Tue, 6 Dec 2016 12:26:37 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: ea8f773e-879c-43cd-9e27-43fe59f9c9ac X-Archives-Hash: 6ef244d97756b8903d63671a47ee5ace commit: 413d913dee884ea80815487287919e16b7387039 Author: Guido Trentalancia via refpolicy oss tresys com> AuthorDate: Sat Oct 29 16:08:18 2016 +0000 Commit: Jason Zaman gentoo org> CommitDate: Sun Nov 27 16:04:59 2016 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=413d913d Let unprivileged users list mounted filesystems Let unprivileged users list filesystems mounted on mount points such as /mnt (cdrom, FAT, NTFS and so on). This makes a great difference to the usability and effectiveness of graphical filesystem browsers such as Gnome Nautilus and currently comes at no security penalty because mounted filesystems can be listed with programs such as the "df" program from GNU coreutils or by simply reading /proc/mounts. Signed-off-by: Guido Trentalancia trentalancia.net> policy/modules/system/userdomain.if | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index e933890..6fb46be 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -552,8 +552,8 @@ template(`userdom_common_user_template',` files_exec_etc_files($1_t) files_search_locks($1_t) - # Check to see if cdrom is mounted - files_search_mnt($1_t) + # List mounted filesystems (cdrom, FAT, NTFS and so on) + files_list_mnt($1_t) # cjp: perhaps should cut back on file reads: files_read_var_files($1_t) files_read_var_symlinks($1_t)