grsecurity forums

[Kyoshiro]

I've enabled learning mode for a home made program, like this :

Code: Select all

subject /home/kyoshiro/projets/PW/src/wrapper-usage l {
       / h
       -CAP_ALL
       RES_FSIZE     0 0
       RES_DATA      0 0
       RES_RSS       0 0
       RES_NOFILE    0 0
       RES_MEMLOCK   0 0
       RES_STACK     0 0
       RES_AS        0 0
       RES_NPROC     0 0
       RES_LOCKS     0 0
       connect disabled
       bind disabled
}

Then I run :
gradm -L /etc/grsec/log -E
run /home/kyoshiro/projets/PW/src/wrapper-usage

- my program is frozen,
- I can't CTRL+C, I can't kill it (I tried all signals),
- ps hangs while reading /proc when it reaches the /proc/pid corresponding to my process. In fact, all programs trying to read /proc/pid/* for my learning mode program just hang.
- When not in root, I can list some files :

Code: Select all

-=( ~ )=- ls -l /proc/7152/
ls: cannot read symbolic link /proc/7152/cwd: Permission denied
ls: cannot read symbolic link /proc/7152/root: Permission denied
ls: cannot read symbolic link /proc/7152/exe: Permission denied
total 0
dr-xr-xr-x  2 root root 0 Aug 12 23:26 attr/
-r--------  1 root root 0 Aug 12 23:22 auxv
-r--r--r--  1 root root 0 Aug 12 23:22 cmdline
lrwxrwxrwx  1 root root 0 Aug 12 23:22 cwd
-r--------  1 root root 0 Aug 12 23:22 environ
lrwxrwxrwx  1 root root 0 Aug 12 23:22 exe
dr-x------  2 root root 0 Aug 12 23:26 fd/
-r--------  1 root root 0 Aug 12 23:22 ipaddr
-r--r--r--  1 root root 0 Aug 12 23:22 maps
-rw-------  1 root root 0 Aug 12 23:22 mem
-r--r--r--  1 root root 0 Aug 12 23:22 mounts
lrwxrwxrwx  1 root root 0 Aug 12 23:22 root
-r--r--r--  1 root root 0 Aug 12 23:19 stat
-r--r--r--  1 root root 0 Aug 12 23:22 statm
-r--r--r--  1 root root 0 Aug 12 23:22 status
dr-xr-xr-x  3 root root 0 Aug 12 23:26 task/

Learning log shows this (which was written just when I launched my program) :

Code: Select all

default 20      4026428564      8       <NULL>          7       3409485824              3       3223175879.3615299760.7.3

I can't do anything to that process when I disable RBAC (gradm -D), neither when going in admin role. I think it's not really normal :p...
I must say that my program is not a common one... It sets uid, gid, rlimits, capabilities and then it does its work.... I've set up some debug printf, and while grsec's RBAC is disabled, it works correctly. When I enable RBAC, nothing is printed out, even while I've put some printf at the very start of the program....

Any idea ?
Each time I test this, I must reboot since I can't kill the process I launch, and I can't even use ps. Maybe I should tell ps/ls/pstree developpers to make non-blocking reads :p.

Sorry Iforgot to tell my version :
grsec 2 with current patch for linux 2.6.7
latest gradm

[PaX Team]

I can't do anything to that process when I disable RBAC (gradm -D), neither when going in admin role. I think it's not really normal :p...
I must say that my program is not a common one... It sets uid, gid, rlimits, capabilities and then it does its work.... I've set up some debug printf, and while grsec's RBAC is disabled, it works correctly. When I enable RBAC, nothing is printed out, even while I've put some printf at the very start of the program....

if the program is not too secret, could you send us strace outputs for both cases (with and without grsec enabled)? btw, spender's on vacation till next week-end, so don't expect it resolved before that (if it's a simple locking problem as it seems to be, maybe i can help it myself).

[Kyoshiro]

I'll send you the straces this afternoon (France ), then in about 3 or 4 hours.

Thanks.

[spender]

Your policy is probably not what you want. You have only "l" in the subject mode, and it looks like you want to use "ol". The subject is inheriting rules from the default subject and is most likely the reason why you are getting unexpected results.

-Brad