I have one question about nested subjects: why must I explicitly list each executable that will get a nested subject as an object in the parent subject, even when it is already covered by an object for a parent directory? For example, the /usr/lib64/postfix/master subject has /usr/lib64 as rx, yet I get an error unless I also list each executable under /usr/lib64/postfix that will be nested.
# Common objects for the postfix worker processes. Most of the nested worker
# subjects on this page include this set through "$postfix | $bad_etc";
# $bad_etc is not defined on this page.
define postfix {
/dev/log rw
/dev/urandom r
# NOTE(review): this makes all of /etc readable to every subject that includes
# the set; presumably $bad_etc is what carves the sensitive files back out --
# confirm against its definition.
/etc r
/lib64 rx
/proc/sys/kernel/ngroups_max r
/proc/sys/kernel/version r
/usr/lib64 rx
/usr/share/zoneinfo/GB r
# The next two objects carry no mode letters, so no read/write/execute is
# granted on them here; the individual subjects add more specific objects
# below these paths where they need access.
/var/run
/var/spool/postfix
}
# The main daemon (all other postfix processes are children of this).
# Subject modes "dpo": d protects the process's /proc/<pid>/fd and
# /proc/<pid>/mem entries, p protects the process from being killed by
# processes outside this subject, o overrides ACL inheritance so that only
# the objects listed here apply.
subject /usr/lib64/postfix/master dpo {
# Default deny: hide the whole filesystem, then open specific paths below.
/ h
/dev/log rw
/lib64 rx
/usr/lib64 rx
# Every worker that has a nested subject of its own is listed with an explicit
# x object. Per the post, the /usr/lib64 rx object above is not accepted as a
# substitute and an error is reported without these lines.
/usr/lib64/postfix/anvil x
/usr/lib64/postfix/cleanup x
/usr/lib64/postfix/local x
/usr/lib64/postfix/pickup x
/usr/lib64/postfix/proxymap x
/usr/lib64/postfix/qmgr x
/usr/lib64/postfix/smtp x
/usr/lib64/postfix/smtpd x
/usr/lib64/postfix/tlsmgr x
/usr/lib64/postfix/trivial-rewrite x
/usr/share/zoneinfo/GB r
/var/spool/postfix/private rw
/var/spool/postfix/public/pickup w
/var/spool/postfix/public/qmgr w
# Drop every capability, then re-add only the five listed.
# NOTE(review): CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH bypass ordinary file
# permission checks, so the object list above is the effective file-access
# boundary for this process; keep it as narrow as it is.
-CAP_ALL
+CAP_DAC_OVERRIDE
+CAP_DAC_READ_SEARCH
+CAP_KILL
+CAP_SETGID
+CAP_SETUID
# No socket bind or connect rule is granted to this subject.
# NOTE(review): master is normally the process that opens postfix's listening
# sockets -- confirm that "bind disabled" is intended for the final policy.
bind disabled
connect disabled
}
# Nested subject: applies to anvil only when it is executed from the master
# subject. Mode o overrides ACL inheritance, so only the objects below apply.
subject /usr/lib64/postfix/master:/usr/lib64/postfix/anvil o {
# uid/gid changes are limited to root.
# NOTE(review): CAP_SETUID and CAP_SETGID are re-added below while root is the
# only permitted transition target; confirm this matches the account the
# worker is meant to end up running as.
user_transition_allow root
group_transition_allow root
# Default deny on the filesystem.
/ h
# Shared worker object set combined with $bad_etc (defined outside this page).
$postfix | $bad_etc
# Drop every capability, then re-add only the two id-changing ones.
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
# Datagram bind on 0.0.0.0, port 0.
# NOTE(review): presumably emitted by learning mode -- confirm it is needed.
bind 0.0.0.0/32:0 dgram ip
connect disabled
}
# Nested subject for cleanup when executed from master; mode o overrides
# ACL inheritance.
subject /usr/lib64/postfix/master:/usr/lib64/postfix/cleanup o {
# uid/gid changes are limited to root.
# NOTE(review): confirm root is the intended transition target, given that
# CAP_SETUID/CAP_SETGID are re-added below.
user_transition_allow root
group_transition_allow root
# Default deny on the filesystem.
/ h
# Read/write on the pid directory, on top of the shared set.
/var/spool/postfix/pid rw
# Shared worker object set combined with $bad_etc (defined outside this page).
$postfix | $bad_etc
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
# Datagram bind on 0.0.0.0, port 0; no connect rule.
# NOTE(review): presumably emitted by learning mode -- confirm it is needed.
bind 0.0.0.0/32:0 dgram ip
connect disabled
}
# Nested subject for the local delivery agent when executed from master;
# mode o overrides ACL inheritance.
subject /usr/lib64/postfix/master:/usr/lib64/postfix/local o {
# uid/gid changes are limited to root.
# NOTE(review): confirm root is the intended transition target, given that
# CAP_SETUID/CAP_SETGID are re-added below.
user_transition_allow root
group_transition_allow root
# Default deny on the filesystem.
/ h
# /proc is hidden as a whole; only /proc/stat is re-opened for reading.
/proc h
/proc/stat r
# Explicit x object for procmail, which has its own nested subject under
# this one on the page.
/usr/bin/procmail x
/var/spool/postfix/active rw
/var/spool/postfix/pid/unix.local rw
/var/spool/postfix/private/rewrite rw
# No mode letters: no read/write/execute is granted on /var/tmp itself.
/var/tmp
# Shared worker object set combined with $bad_etc (defined outside this page).
$postfix | $bad_etc
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
# Datagram bind on 0.0.0.0, port 0; no connect rule.
# NOTE(review): presumably emitted by learning mode -- confirm it is needed.
bind 0.0.0.0/32:0 dgram ip
connect disabled
}
# Three-level nested subject: applies to procmail only when it is executed by
# local, which was itself executed by master. Mode o overrides ACL inheritance.
# This subject does not include the $postfix set; every object is listed here.
# NOTE(review): there are no user_transition_allow/group_transition_allow lines
# in this subject while CAP_SETUID/CAP_SETGID are re-added below, so id changes
# are not narrowed here -- confirm that is intended.
subject /usr/lib64/postfix/master:/usr/lib64/postfix/local:/usr/bin/procmail o {
# Default deny on the filesystem.
/ h
/dev/null rw
/dev/urandom r
# Only the individual /etc files below are readable, not /etc as a whole.
/etc/group r
/etc/ld.so.cache r
/etc/nsswitch.conf r
/etc/passwd r
/etc/procmailrc r
# /home carries no mode letters; access below it is limited to each user's
# .procmailrc (read) and .maildir (write, create, delete, link -- no read).
/home
/home/*/.procmailrc r
/home/*/.maildir wcdl
/lib64 rx
/proc/sys/kernel/ngroups_max r
/var/run
# Drop every capability, then re-add the four listed.
# NOTE(review): CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH bypass ordinary file
# permission checks, so the object list above is the only thing limiting which
# files this process can reach.
-CAP_ALL
+CAP_DAC_OVERRIDE
+CAP_DAC_READ_SEARCH
+CAP_SETGID
+CAP_SETUID
bind disabled
# Single permitted connection: UDP to 127.0.0.1 port 512.
# NOTE(review): presumably the comsat/biff new-mail notification -- confirm,
# and drop the rule if that service is not in use.
connect 127.0.0.1/32:512 dgram udp
}
# Nested subject for pickup when executed from master; mode o overrides
# ACL inheritance.
subject /usr/lib64/postfix/master:/usr/lib64/postfix/pickup o {
# uid/gid changes are limited to root.
# NOTE(review): confirm root is the intended transition target, given that
# CAP_SETUID/CAP_SETGID are re-added below.
user_transition_allow root
group_transition_allow root
# Default deny on the filesystem.
/ h
# No mode letters: no read/write/execute is granted on the maildrop directory
# by this line.
# NOTE(review): confirm pickup can still do its work on the maildrop queue
# with this object as written.
/var/spool/postfix/maildrop
# Shared worker object set combined with $bad_etc (defined outside this page).
$postfix | $bad_etc
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
# Datagram bind on 0.0.0.0, port 0; no connect rule.
# NOTE(review): presumably emitted by learning mode -- confirm it is needed.
bind 0.0.0.0/32:0 dgram ip
connect disabled
}
# Nested subject for proxymap when executed from master; mode o overrides
# ACL inheritance.
subject /usr/lib64/postfix/master:/usr/lib64/postfix/proxymap o {
# uid/gid changes are limited to root.
# NOTE(review): confirm root is the intended transition target, given that
# CAP_SETUID/CAP_SETGID are re-added below.
user_transition_allow root
group_transition_allow root
# Default deny on the filesystem.
/ h
# Shared worker object set combined with $bad_etc (defined outside this page);
# this subject adds no objects of its own.
$postfix | $bad_etc
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
# Datagram bind on 0.0.0.0, port 0; no connect rule.
# NOTE(review): presumably emitted by learning mode -- confirm it is needed.
bind 0.0.0.0/32:0 dgram ip
connect disabled
}
# Nested subject for the queue manager when executed from master; mode o
# overrides ACL inheritance.
subject /usr/lib64/postfix/master:/usr/lib64/postfix/qmgr o {
# uid/gid changes are limited to root.
# NOTE(review): confirm root is the intended transition target, given that
# CAP_SETUID/CAP_SETGID are re-added below.
user_transition_allow root
group_transition_allow root
# Default deny on the filesystem.
/ h
# Shared worker object set combined with $bad_etc (defined outside this page);
# this subject adds no objects of its own.
$postfix | $bad_etc
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
# Datagram bind on 0.0.0.0, port 0; no connect rule.
# NOTE(review): presumably emitted by learning mode -- confirm it is needed.
bind 0.0.0.0/32:0 dgram ip
connect disabled
}
# Nested subject for the smtp binary when executed from master; mode o
# overrides ACL inheritance.
subject /usr/lib64/postfix/master:/usr/lib64/postfix/smtp o {
# uid/gid changes are limited to root.
# NOTE(review): confirm root is the intended transition target, given that
# CAP_SETUID/CAP_SETGID are re-added below.
user_transition_allow root
group_transition_allow root
# Default deny on the filesystem.
/ h
/var/spool/postfix/pid/unix.scan rw
/var/spool/postfix/pid/unix.smtp rw
# Shared worker object set combined with $bad_etc (defined outside this page).
$postfix | $bad_etc
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
# Datagram bind on 0.0.0.0, port 0.
# NOTE(review): presumably emitted by learning mode -- confirm it is needed.
bind 0.0.0.0/32:0 dgram ip
# NOTE(review): no connect rule is granted to this subject; confirm that
# outbound network delivery is not expected from it.
connect disabled
}
# Nested subject for smtpd when executed from master; mode o overrides
# ACL inheritance.
subject /usr/lib64/postfix/master:/usr/lib64/postfix/smtpd o {
# uid/gid changes are limited to root.
# NOTE(review): confirm root is the intended transition target, given that
# CAP_SETUID/CAP_SETGID are re-added below.
user_transition_allow root
group_transition_allow root
# Default deny on the filesystem.
/ h
/proc/stat r
/var/spool/postfix/pid rw
/var/spool/postfix/private/proxymap rw
/var/spool/postfix/private/tlsmgr rw
# Shared worker object set combined with $bad_etc (defined outside this page).
$postfix | $bad_etc
# Drop every capability, then re-add the three listed.
# NOTE(review): smtpd is the only worker on this page that also gets
# CAP_DAC_OVERRIDE, which bypasses ordinary file permission checks; confirm it
# is required, since the object list is then the only file-access limit.
-CAP_ALL
+CAP_DAC_OVERRIDE
+CAP_SETGID
+CAP_SETUID
# Datagram bind on 0.0.0.0, port 0; no connect rule.
# NOTE(review): presumably emitted by learning mode -- confirm it is needed.
bind 0.0.0.0/32:0 dgram ip
connect disabled
}
# Nested subject for tlsmgr when executed from master; mode o overrides
# ACL inheritance. This is the tightest subject on the page: it does not
# include the $postfix set, re-adds no capabilities and has no network rules.
subject /usr/lib64/postfix/master:/usr/lib64/postfix/tlsmgr o {
# uid/gid changes are limited to root; no CAP_SETUID/CAP_SETGID is re-added
# below, so these lines only matter if those capabilities are granted later.
user_transition_allow root
group_transition_allow root
# Default deny on the filesystem; /dev/urandom is the only readable object.
# NOTE(review): unlike the other workers there is no /lib64 or /usr/lib64 rx
# object here -- confirm the binary can start under this subject as written.
/ h
/dev/urandom r
-CAP_ALL
bind disabled
connect disabled
}
# Nested subject for trivial-rewrite when executed from master; mode o
# overrides ACL inheritance.
subject /usr/lib64/postfix/master:/usr/lib64/postfix/trivial-rewrite o {
# uid/gid changes are limited to root.
# NOTE(review): confirm root is the intended transition target, given that
# CAP_SETUID/CAP_SETGID are re-added below.
user_transition_allow root
group_transition_allow root
# Default deny on the filesystem.
/ h
# Shared worker object set combined with $bad_etc (defined outside this page);
# this subject adds no objects of its own.
$postfix | $bad_etc
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
# Datagram bind on 0.0.0.0, port 0; no connect rule.
# NOTE(review): presumably emitted by learning mode -- confirm it is needed.
bind 0.0.0.0/32:0 dgram ip
connect disabled
}