// Virtual-space layout: the whole file system lives in virtual space 2
// (binary 10) ...
recursive for set "/" vs=0b10;
// ... except /tmp, which is moved into virtual space 1 (binary 01).
// The rule below relies on this split: a process confined to VS 2
// can no longer reach anything under /tmp.
recursive for set "/tmp" vs=0b01;

// Reaction to an attempt to delete /tmp/delme (the unlink operation).
for unlink "/tmp/delme" {
    // Log process info for this attempt. Because the answer below is
    // SKIP, this log entry is the only record that the delete was refused.
    log_proc;
    // Apply the following settings to the parent of this process (rm),
    // i.e. the shell that ran it ...
    apply = A_FOR_PARENT;
    // ... or to every process running under the same login id (uid).
    // NOTE(review): both `apply` assignments are kept in sequence here;
    // presumably the later one is the effective choice — confirm, and
    // keep only the scope actually intended.
    apply = A_FOR_LOGIN;
    // Move the selected process(es) into virtual space 2.
    vs=0b10;
    // They may see (vss) only the second virtual space, so /tmp (VS 1)
    // becomes invisible to them. The session transcript below shows the
    // effect: the shell is then refused `ls` and `cd /tmp` with
    // "Operation not permitted".
    vss=0b10;
    // Report success to the calling process (rm) but do not perform the
    // operation. The attacker sees a "successful" delete while the file
    // stays in place (containment by deception). To return an error to
    // the caller instead, use NO.
    answer = SKIP;
}
[robo@unicorn /tmp]$ ls -l delme
-rw-rw-r-- 1 robo robo 28 Jan 20 22:34 delme
[robo@unicorn /tmp]$ id
uid=500(robo) gid=500(robo) groups=500(robo)
[robo@unicorn /tmp]$ rm delme
Medusa: Security d ecap=00000000) delme (/tmp/delme)
Medusa: Security d ecap=00000000) delme (/tmp/delme)
[robo@unicorn /tmp]$ ls -l
ls: .: Operation not permitted
[robo@unicorn /tmp]$ cd ..
[robo@unicorn /]$ cd /tmp
bash: /tmp: Operation not permitted