grsecurity forums

by **Hue-Bond** » Tue Mar 07, 2006 7:15 pm

Simple script:

Code: Select all: #!/bin/bash while /bin/sleep 3; do /bin/echo abc done

ACL:

Code: Select all: subject /home/hue/bin/echoer hpdAo { user_transition_allow hue group_transition_allow hue / h /bin h /bin/bash x /bin/echo x /bin/sleep x /dev h /dev/tty rw /dev/urandom r /etc h /etc/ld.so.cache r /etc/mtab r /home h /home/hue /home/hue/bin/echoer rx /lib h /lib/ld-2.3.6.so x /lib/libc-2.3.6.so rx /lib/libdl-2.3.6.so rx /lib/libncurses.so.5.5 rx /proc h /proc/meminfo r /usr h /usr/lib/gconv/gconv-modules.cache r /usr/lib/locale /usr/lib/locale/en_US.utf8 r /usr/share/locale r -CAP_ALL bind disabled connect disabled } subject /home/hue/bin/echoer:/bin/sleep hpdAo { user_transition_allow hue group_transition_allow hue / h /dev h /dev/urandom r /etc h /etc/ld.so.cache r /lib h /lib/ld-2.3.6.so x /lib/libc-2.3.6.so rx /usr h /usr/lib/gconv/gconv-modules.cache r /usr/lib/locale /usr/lib/locale/en_US.utf8 r /usr/share/locale r -CAP_ALL bind disabled connect disabled } subject /home/hue/bin/echoer:/bin/echo hpdAo { user_transition_allow hue group_transition_allow hue / h /dev h /dev/urandom r /etc h /etc/ld.so.cache r /lib h /lib/ld-2.3.6.so x /lib/libc-2.3.6.so rx /usr h /usr/lib/gconv/gconv-modules.cache r /usr/lib/locale /usr/lib/locale/en_US.utf8 r /usr/share/locale r -CAP_ALL bind disabled connect disabled }

If I run the script and then reload gradm in another console, everything's ok:

Code: Select all: $ echoer abc abc abc abc abc ^C $ _

As expected. Now let's try prepending "/bin/bash:" to each subject (and commenting out '/home/hue/bin/echoer rx' from the echoer policy to avoid an error from gradm about duplicated objects, since there's a line like that in bash policy):

Code: Select all: $ echoer abc abc abc /home/hue/bin/echoer: line 3: /bin/echo: No such file or directory /home/hue/bin/echoer: line 2: /bin/sleep: No such file or directory

When I do 'gradm -R', the system forgets the nesting and starts placing processes in the default subject:

Code: Select all: (hue:U:/bin/bash) exec of /home/hue/bin/echoer (echoer ) by /bin/bash[...] (hue:U:/home/hue/bin/echoer) exec of /bin/sleep (/bin/sleep 3 ) by /home/hue/bin/echoer[...] (hue:U:/home/hue/bin/echoer) exec of /bin/echo (/bin/echo abc ) by /home/hue/bin/echoer[...] (hue:U:/home/hue/bin/echoer) exec of /bin/sleep (/bin/sleep 3 ) by /home/hue/bin/echoer[...] (hue:U:/home/hue/bin/echoer) exec of /bin/echo (/bin/echo abc ) by /home/hue/bin/echoer[...] (hue:U:/home/hue/bin/echoer) exec of /bin/sleep (/bin/sleep 3 ) by /home/hue/bin/echoer[...] (hue:U:/home/hue/bin/echoer) exec of /bin/echo (/bin/echo abc ) by /home/hue/bin/echoer[...] (hue:U:/home/hue/bin/echoer) exec of /bin/sleep (/bin/sleep 3 ) by /home/hue/bin/echoer[...] (admin:S:/) exec of /sbin/gradm (gradm -R ) by /bin/bash[...] (root:U:/sbin/gradm) grsecurity 2.1.8 RBAC system reloaded by /sbin/gradm[...] (hue:U:/) denied access to hidden file /bin/echo by /home/hue/bin/echoer[...] <repeated 2 more times> (hue:U:/) denied access to hidden file /usr/share/locale by /home/hue/bin/echoer[...] <repeated 5 more times> (hue:U:/) denied access to hidden file /bin/sleep by /home/hue/bin/echoer[...] more alerts, logging disabled for 1 seconds

I expect the same results as in the first case. Am I doing something wrong?

by **spender** » Sun Mar 12, 2006 4:12 pm

Can you show me the new policy? I don't want to make any assumptions by piecing together what you've said about the new policy.

-Brad

by **Hue-Bond** » Sun Mar 12, 2006 5:41 pm

spender wrote:Can you show me the new policy?

Yes, of course:

Code: Select all: subject /bin/bash:/home/hue/bin/echoer hpdAo { user_transition_allow hue group_transition_allow hue / h /bin h /bin/bash x /bin/echo x /bin/sleep x /dev h /dev/tty rw /dev/urandom r /etc h /etc/ld.so.cache r /etc/mtab r /home h /home/hue # /home/hue/bin/echoer rx /lib h /lib/ld-2.3.6.so x /lib/libc-2.3.6.so rx /lib/libdl-2.3.6.so rx /lib/libncurses.so.5.5 rx /proc h /proc/meminfo r /usr h /usr/lib/gconv/gconv-modules.cache r /usr/lib/locale /usr/lib/locale/en_US.utf8 r /usr/share/locale r -CAP_ALL bind disabled connect disabled } subject /bin/bash:/home/hue/bin/echoer:/bin/sleep hpdAo { user_transition_allow hue group_transition_allow hue / h /dev h /dev/urandom r /etc h /etc/ld.so.cache r /lib h /lib/ld-2.3.6.so x /lib/libc-2.3.6.so rx /usr h /usr/lib/gconv/gconv-modules.cache r /usr/lib/locale /usr/lib/locale/en_US.utf8 r /usr/share/locale r -CAP_ALL bind disabled connect disabled } subject /bin/bash:/home/hue/bin/echoer:/bin/echo hpdAo { user_transition_allow hue group_transition_allow hue / h /dev h /dev/urandom r /etc h /etc/ld.so.cache r /lib h /lib/ld-2.3.6.so x /lib/libc-2.3.6.so rx /usr h /usr/lib/gconv/gconv-modules.cache r /usr/lib/locale /usr/lib/locale/en_US.utf8 r /usr/share/locale r -CAP_ALL bind disabled connect disabled }

Code: Select all: $ diff -u pol1 pol2 --- pol1 2006-03-12 22:27:01.000000000 +0100 +++ pol2 2006-03-12 22:26:40.000000000 +0100 @@ -1,4 +1,4 @@ -subject /home/hue/bin/echoer hpdAo { +subject /bin/bash:/home/hue/bin/echoer hpdAo { user_transition_allow hue group_transition_allow hue @@ -15,7 +15,7 @@ /etc/mtab r /home h /home/hue - /home/hue/bin/echoer rx +# /home/hue/bin/echoer rx /lib h /lib/ld-2.3.6.so x /lib/libc-2.3.6.so rx @@ -33,7 +33,7 @@ connect disabled } -subject /home/hue/bin/echoer:/bin/sleep hpdAo { +subject /bin/bash:/home/hue/bin/echoer:/bin/sleep hpdAo { user_transition_allow hue group_transition_allow hue @@ -55,7 +55,7 @@ connect disabled } -subject /home/hue/bin/echoer:/bin/echo hpdAo { +subject /bin/bash:/home/hue/bin/echoer:/bin/echo hpdAo { user_transition_allow hue group_transition_allow hue

by **spender** » Mon Mar 13, 2006 7:20 pm

Ok, I see the problem more clearly now. It's not a bug, but simply a limitation of the system as it has to do with reloading. I'll give you an example to demonstrate why it's difficult to give expected behavior in these cases. What you want is for the program to work the same as it did before the reload, but to apply those nested rules, the RBAC system has to actually see the chain of execution. Without seeing that, we can't really determine at runtime who executed what, since programs can fork+exec+exit. Say you wanted to do a nested subject on a daemon, and for it to persist across reload (which is really just a disable+enable). The daemon wasn't started by init, but after its fork+exit, it is reparented to init. The RBAC system doesn't know about any of that unless it happened while it was enabled.

A possible solution for an atomic reload would be to save that state upon disable and use it on enable, but there is no solution I think for a disable/enable case.

-Brad

by **Hue-Bond** » Tue Mar 14, 2006 11:44 am

The daemon wasn't started by init, but after its fork+exit, it is reparented to init.

Maybe the system could build the tree on initialization by looking at the PPID of the processes. Yes, it is a workaround that would yield init as the parent of your example daemon but I think it would be better than nothing.

A possible solution for an atomic reload would be to save that state upon disable and use it on enable

Since RBAC shouldn't be normally turned off in a production environment, I see this solution rather acceptable. And certainly better than the PPID hack.

grsecurity forums

Nested subjects and RBAC reloading

Nested subjects and RBAC reloading