grsecurity2 does not allow block device reads (e.g. cdrom)


Postby in-grsecurity@baka.org » Sat Jul 31, 2004 1:54 am

With seemingly all of the necessary bits enabled, I am unable to have a listed subject process read a block device. I am probably missing something, but nothing comes to mind.

This is using the 2.6.7 patch specified in a recent forum post, and a slightly modified cvs-tip gradm2 (modified to allow the analysis to be suggestions, not requirements).

strace shows that the open is getting EPERM, which is as far as I can see (by scanning the source code since the extremely limited documentation I have doesn't mention anything) what is supposed to happen if CAP_SYS_RAWIO is not enabled.
However...it is enabled.

After disabling gradm, it works as expected.

-----------------------------
3163 stat64("/dev/cdrom", {st_mode=S_IFBLK|0600, st_rdev=makedev(11, 0), ...}) = 0
3163 open("/dev/cdrom", O_RDONLY|O_NONBLOCK) = -1 EPERM (Operation not permitted)
-----------------------------

Seemingly relevant config file section:
-----------------------------
subject /usr/bin/xmms o {
/
/dev
/dev/cdrom r
/dev/sound rw
/dev/urandom r
/etc/fstab r
/etc/hosts r
/etc/ld.so.cache r
/etc/mtab r
/etc/nsswitch.conf r
/etc/passwd r
/etc/resolv.conf r
/lib rxi
/misc r
/home r
/home/seth/.xmms rwcd
/proc/meminfo r
/proc/sys/kernel/version r
/tmp rwcd
/usr/X11R6/lib rxi
/usr/bin/xmms xit
/usr/lib rxi
/usr/share r
-CAP_ALL
+CAP_SYS_RAWIO

connect 0.0.0.0/0:80 stream tcp
connect 0.0.0.0/0:8000 stream tcp
connect 0.0.0.0/0:8080 stream tcp
connect 204.52.227.0/24:53 dgram udp
bind 0.0.0.0:0 dgram udp
bind 0.0.0.0:0 dgram ip
}
-----------------------------

Re: grsecurity2 does not allow block device reads (e.g. cdro

Postby hightower » Sat Jul 31, 2004 9:26 am

in-grsecurity@baka.org wrote:strace shows that the open is getting EPERM, which is as far as I can see (by scanning the source code since the extremely limited documentation I have doesn't mention anything) what is supposed to happen if CAP_SYS_RAWIO is not enabled.
However...it is enabled.

After disabling gradm, it works as expected.

-----------------------------
3163 stat64("/dev/cdrom", {st_mode=S_IFBLK|0600, st_rdev=makedev(11, 0), ...}) = 0
3163 open("/dev/cdrom", O_RDONLY|O_NONBLOCK) = -1 EPERM (Operation not permitted)
-----------------------------

Seemingly relevant config file section:
-----------------------------
subject /usr/bin/xmms o {
/
/dev
/dev/cdrom r

So what is /dev/cdrom linked to?

ciao, Marc

Postby in-grsecurity@baka.org » Sat Jul 31, 2004 12:28 pm

not xxxx> ls -l /dev/cdrom
lr-xr-xr-x 1 root root 13 Jul 31 04:26 /dev/cdrom -> cdroms/cdrom0
not xxxx> ls -l /dev/cdroms/cdrom0
lr-xr-xr-x 1 root root 34 Dec 31 1969 /dev/cdroms/cdrom0 -> ../scsi/host0/bus0/target0/lun0/cd
not xxxx> ls -l /dev/scsi/host0/bus0/target0/lun0/cd
brw------- 1 xxxx root 11, 0 Dec 31 1969 /dev/scsi/host0/bus0/target0/lun0/cd

In other words, surprise surprise, a block device.

Postby spender » Tue Aug 03, 2004 1:42 am

I had planned on adding a subject flag to override the CAP_SYS_RAWIO check for processes such as xmms or cdrecord that open specific block devices, since it can be done as non-root in many cases.

-Brad

Postby in-grsecurity@baka.org » Tue Aug 03, 2004 2:44 pm

spender wrote:I had planned on adding a subject flag to override the CAP_SYS_RAWIO check for processes such as xmms or cdrecord that open specific block devices, since it can be done as non-root in many cases.

But you think that CAP_SYS_RAWIO should work? I have been unable to get xmms to work even with CAP_SYS_RAWIO, or any other capability for that matter (I tried ALL). I cannot play my CD with grsecurity loaded.

Postby spender » Tue Aug 03, 2004 2:59 pm

It doesn't work because it requires CAP_SYS_RAWIO and doesn't care if you're root or non-root. Unless you're non-root and the child of a root process that has granted you CAP_SYS_RAWIO using capset and prctl, you won't have CAP_SYS_RAWIO raised for the process. Remember, grsecurity doesn't add capabilities, it only takes them away.

-Brad
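
The point in the last reply, that an RBAC capability line can only mask capabilities the process already holds, shown as an added example that is not part of the original thread and is not grsecurity code. It assumes a simplified model (effective set ANDed with the policy mask); the sample `CapEff` values are constructed and the helper names are hypothetical.

```c
/* Added example: simplified model of capability masking, not grsecurity code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_RAWIO_BIT 17                      /* from <linux/capability.h> */
#define POLICY_XMMS (1ULL << CAP_SYS_RAWIO_BIT)   /* -CAP_ALL +CAP_SYS_RAWIO */

/* Constructed samples of the CapEff line in /proc/<pid>/status. */
static const char SAMPLE_NONROOT[] = "Name:\txmms\nCapEff:\t0000000000000000\n";
static const char SAMPLE_ROOT[]    = "Name:\txmms\nCapEff:\t00000000fffffeff\n";

/* Extract the effective capability mask; returns 0 on success, -1 if absent. */
int parse_capeff(const char *status, uint64_t *out) {
    const char *p = strstr(status, "CapEff:");
    char *end;
    if (!p) return -1;
    p += strlen("CapEff:");
    *out = strtoull(p, &end, 16);
    return end == p ? -1 : 0;
}

/* Assumed model: policy can only mask what the process already holds. */
uint64_t apply_policy(uint64_t proc_eff, uint64_t policy_allowed) {
    return proc_eff & policy_allowed;
}

int has_rawio(uint64_t caps) { return (int)((caps >> CAP_SYS_RAWIO_BIT) & 1); }

static void report(const char *label, const char *status) {
    uint64_t eff;
    if (parse_capeff(status, &eff) != 0) { printf("%s: no CapEff line\n", label); return; }
    printf("%s: CapEff=%016llx after policy=%016llx CAP_SYS_RAWIO=%s\n", label,
           (unsigned long long)eff, (unsigned long long)apply_policy(eff, POLICY_XMMS),
           has_rawio(apply_policy(eff, POLICY_XMMS)) ? "yes" : "no");
}

int main(void) {
    static char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    report("constructed non-root", SAMPLE_NONROOT);
    report("constructed root", SAMPLE_ROOT);
    if (f) {                       /* live check of the current process */
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
        report("this process", buf);
    }
    return 0;
}
```

Run as the user who starts xmms, the live line shows whether CAP_SYS_RAWIO is in the effective set before any policy is applied.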

