From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 30 Oct 2016 14:32:10 -0400
Subject: [refpolicy] [PATCH] Let unprivileged users list mounted filesystems
In-Reply-To: <1477757298.21169.7.camel@trentalancia.net>
References: <1477757298.21169.7.camel@trentalancia.net>
Message-ID: <4098477a-3bf7-fe28-dba8-cb5c11c1e62d@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/29/16 12:08, Guido Trentalancia via refpolicy wrote:
> Let unprivileged users list filesystems mounted on mount points such
> as /mnt (cdrom, FAT, NTFS and so on).
>
> This makes a great difference to the usability and effectiveness of
> graphical filesystem browsers such as Gnome Nautilus and currently
> comes at no security penalty because mounted filesystems can be
> listed with programs such as the "df" program from GNU coreutils or
> by simply reading /proc/mounts.
>
> Signed-off-by: Guido Trentalancia
> ---
>  policy/modules/system/userdomain.if | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff -pruN refpolicy-git-29102016-orig/policy/modules/system/userdomain.if refpolicy-git-29102016/policy/modules/system/userdomain.if
> --- refpolicy-git-29102016-orig/policy/modules/system/userdomain.if	2016-09-09 17:23:54.956287179 +0200
> +++ refpolicy-git-29102016/policy/modules/system/userdomain.if	2016-10-29 16:44:56.343046029 +0200
> @@ -530,8 +530,8 @@ template(`userdom_common_user_template',
>
>  	files_exec_etc_files($1_t)
>  	files_search_locks($1_t)
> -	# Check to see if cdrom is mounted
> -	files_search_mnt($1_t)
> +	# List mounted filesystems (cdrom, FAT, NTFS and so on)
> +	files_list_mnt($1_t)
>  	# cjp: perhaps should cut back on file reads:
>  	files_read_var_files($1_t)
>  	files_read_var_symlinks($1_t)

Merged.

-- 
Chris PeBenito
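Review bot: the new comment "# List mounted filesystems (cdrom, FAT, NTFS and so on)" in the userdom_common_user_template hunk overstates what the call beneath it does. As its name says, files_list_mnt($1_t) lets the user domain list the /mnt mount point directory (mnt_t) itself; whether the contents of a filesystem mounted there can be listed depends on that filesystem's own label, which this hunk does not touch. The "no security penalty" argument in the commit message (df, /proc/mounts) concerns the mount table, not the directory entries under /mnt, and it is the latter that this call newly exposes, so the comment should say what is actually granted, e.g. `# List /mnt (mount points for cdrom, FAT, NTFS and so on)`. Dropping files_search_mnt($1_t) is fine: in the refpolicy interfaces listing a directory implies searching it, so the previous access is not lost.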