ioctl permissions


Postby nordom » Fri Jan 21, 2005 8:01 pm

Do you think it is possible to make ACLs with per-ioctl permissions? I want to stop my users from reading my interfaces' MAC addresses, but I don't know if it is possible to do this with grsecurity.

It seems like the MAC address can be retrieved by SIOCGIFHWADDR, and adding this feature would require some hooks in the ioctl handling functions (file_ioctl?). What do you think about it?

Maybe there's some other way of disabling HWaddr access, but I can't find it. Can anybody help me?
nordom
 
Posts: 3
Joined: Fri Jan 21, 2005 7:54 pm

Postby nordom » Sun Jan 23, 2005 1:46 pm

I've patched the kernel myself:
Code:
--- linux/net/core/dev.c        2005-01-22 20:37:57.000000000 +0000
+++ linux/net/core/dev_new.c    2005-01-23 12:36:38.121893856 +0000
@@ -2336,6 +2336,8 @@
                        return dev_set_mtu(dev, ifr->ifr_mtu);

                case SIOCGIFHWADDR:
+                       if(current->uid != 0) return -EPERM;
+
                        if (!dev->addr_len)
                                memset(ifr->ifr_hwaddr.sa_data, 0, sizeof ifr->ifr_hwaddr.sa_data);                        else
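Review bot: the added check tests `current->uid != 0`, i.e. the real uid, so it hard-codes root, denies a setuid-root helper that an ordinary user runs, and ignores capabilities entirely; the kernel's usual test for privileged network ioctls is `if (!capable(CAP_NET_ADMIN)) return -EPERM;`, which is what this `case` should use. Two smaller points: the file header diffs dev.c against dev_new.c, so `patch -p1` will not apply it to a tree as-is, and the final context line has `else` run onto the end of the memset line, which will make patch reject the hunk. Note also that this only closes the ioctl path; the kernel exposes the same address through other interfaces (sysfs, netlink), so on its own the hunk does not reach the goal stated in the first post.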


Now only uid 0 can see the MAC, from what I know. (At least the ifconfig doesn't display HWAddr now. ;))
nordom
 
Posts: 3
Joined: Fri Jan 21, 2005 7:54 pm

Postby fonya » Mon Jan 24, 2005 9:15 am

nordom wrote: I've patched the kernel myself:

Now only uid 0 can see the MAC, from what I know. (At least the ifconfig doesn't display HWAddr now. ;))


Why don't you use the CONFIG_GRKERNSEC_DMESG configure parameter:

Code:
--- linux/net/core/dev_old.c    2005-01-24 12:18:31.545819984 +0100
+++ linux/net/core/dev.c        2005-01-24 14:17:34.273454560 +0100
@@ -2336,6 +2336,10 @@
                        return dev_set_mtu(dev, ifr->ifr_mtu);

                case SIOCGIFHWADDR:
+#ifdef CONFIG_GRKERNSEC_DMESG
+                       if (!capable(CAP_SYS_ADMIN) && grsec_enable_dmesg)
+                               return -EPERM;
+#endif
                        if (!dev->addr_len)
                                memset(ifr->ifr_hwaddr.sa_data, 0, sizeof ifr->ifr_hwaddr.sa_data);
                        else
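Review bot: gating a hardware-address read on CONFIG_GRKERNSEC_DMESG and `grsec_enable_dmesg` ties two unrelated policies together: an admin who later relaxes the dmesg restriction through its sysctl silently re-exposes MAC addresses, and nothing in that option's name or help text suggests it does so. Give this its own config symbol and sysctl, or at least test `capable(CAP_NET_ADMIN)` rather than CAP_SYS_ADMIN, which is the capability the interface-configuration ioctls in this function are gated on. As the follow-up below notes, `grsec_enable_dmesg` is only declared once `<linux/grsecurity.h>` is included in this file, so the hunk does not build without that line.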



I forgot an include; in the includes near the beginning of the file, write by hand:

#include <linux/grsecurity.h>

Sorry
fonya
 
Posts: 36
Joined: Thu Mar 28, 2002 11:22 am

