grsecurity forums


https://forums.grsecurity.net./

2.6.18 - "Restrict /proc to user only" not working

https://forums.grsecurity.net./viewtopic.php?f=1&t=1559

Page 1 of 1

2.6.18 - "Restrict /proc to user only" not working

PostPosted: Tue Sep 26, 2006 10:11 pm
by perlionex
I'm running the latest patch in ~spender (grsecurity-2.1.9-2.6.18-200609261743.patch).

However, the "Restrict /proc to user only" feature does not seem to be working; my normal users can view all processes, unlike in the past when they could only view their own.

The most relevant .config entries are:

Code: Select all
#
# Security options
#

#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
# CONFIG_PAX_EI_PAX is not set
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
# CONFIG_PAX_PAGEEXEC is not set
CONFIG_PAX_SEGMEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_NOELFRELOCS=y
CONFIG_PAX_KERNEXEC=y

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y

#
# Miscellaneous hardening features
#
CONFIG_PAX_MEMORY_SANITIZE=y
# CONFIG_PAX_MEMORY_UDEREF is not set

#
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
CONFIG_GRKERNSEC_CUSTOM=y

#
# Address Space Protection
#
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_HIDESYM=y

#
# Role Based Access Control Options
#
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
# CONFIG_GRKERNSEC_PROC_IPADDR is not set
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set

#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_SHM=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_TPE is not set

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl support
#
# CONFIG_GRKERNSEC_SYSCTL is not set

#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
# CONFIG_KEYS is not set
# CONFIG_SECURITY is not set

PostPosted: Thu Sep 28, 2006 5:48 am
by perlionex
Still observed with grsecurity-2.1.9-2.6.18-200609271814.patch.

PostPosted: Thu Sep 28, 2006 6:38 pm
by Platyna
I have the same problem.

Regards.

PostPosted: Sat Sep 30, 2006 10:06 am
by spender
I'm working on a fix. They completely rewrote the procfs code and as a side-effect of their new, hack-filled code, it is making it very difficult to keep the same functionality as in previous grsec versions.

-Brad

PostPosted: Sat Sep 30, 2006 3:10 pm
by spender
The latest patch in ~spender should resolve all problems with the /proc restrictions, as well as all problems with hidden and fd/mem restricted subjects in the RBAC system.

-Brad

PostPosted: Sun Oct 01, 2006 10:52 am
by Platyna
Thank you.

Regards.

PostPosted: Mon Oct 02, 2006 2:31 am
by SergK
I've got compilation error with grsecurity-2.1.9-2.6.18-200609301554.patch and undefined CONFIG_GRKERNSEC_PROC_USERGROUP in kernel config:
Code: Select all
  CC      fs/proc/base.o
fs/proc/base.c: In function 'pid_revalidate':
fs/proc/base.c:1381: error: expected expression before ')' token
make[2]: *** [fs/proc/base.o] Error 1
make[1]: *** [fs/proc] Error 2
make: *** [fs] Error 2


I think there simply wrong place for '||' operator, so this:
Code: Select all
--- fs/proc/base.c.orig 2006-10-02 06:35:30.000000000 +0000
+++ fs/proc/base.c      2006-10-02 06:36:26.000000000 +0000
@@ -1374,9 +1374,9 @@
 
        if (task &&
 #if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-           (!tmp->uid || (tmp->uid == task->uid) ||
+           (!tmp->uid || (tmp->uid == task->uid)
 #ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-           in_group_p(CONFIG_GRKERNSEC_PROC_GID)
+           || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
 #endif
            ) &&
 #endif

resolve proble for me.
All times are UTC - 5 hours [ DST ]
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/