commit: 413d913dee884ea80815487287919e16b7387039
Author: Guido Trentalancia via refpolicy <refpolicy <AT> oss <DOT> tresys <DOT> com>
AuthorDate: Sat Oct 29 16:08:18 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 27 16:04:59 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=413d913d
Let unprivileged users list mounted filesystems
Let unprivileged users list filesystems mounted on mount points such
as /mnt (cdrom, FAT, NTFS and so on).
This makes a great difference to the usability and effectiveness of
graphical filesystem browsers such as Gnome Nautilus and currently
comes at no security penalty because mounted filesystems can be
listed with programs such as the "df" program from GNU coreutils or
by simply reading /proc/mounts.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/system/userdomain.if | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/system/userdomain.if
b/policy/modules/system/userdomain.if
index e933890..6fb46be 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -552,8 +552,8 @@ template(`userdom_common_user_template',`
files_exec_etc_files($1_t)
files_search_locks($1_t)
- # Check to see if cdrom is mounted
- files_search_mnt($1_t)
+ # List mounted filesystems (cdrom, FAT, NTFS and so on)
+ files_list_mnt($1_t)
# cjp: perhaps should cut back on file reads:
files_read_var_files($1_t)
files_read_var_symlinks($1_t)
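Review bot: the new comment above files_list_mnt($1_t) states the intent ("List mounted filesystems (cdrom, FAT, NTFS and so on)") rather than the grant. Going by the interface names, the change moves the domain from searching to listing the mount-point directories, and because the line sits in userdom_common_user_template it applies to every $1_t built from that template, not to one selected user role. I would word the comment as what is granted, for example "List the contents of mount points such as /mnt". I would also record the commit message's rationale in it, that the same information is already available through df and /proc/mounts, so the line is revisited if that access is ever restricted. If the wider scope is intended, say so in the commit message, which only mentions unprivileged users.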