Ability to extend permissions for gradm_pam/grlearn
Posted: Wed Jul 16, 2014 8:12 am
On my system (ArchLinux) `/dev/log` is a symlink to to `/run/systemd/journal/dev-log`, which is a systemd-thing and causes warnings coming from gradm:
I haven't yet tried using gradm_pam at all but I'd assume that this warning also means that gradm_pam won't actually be able to acces /dev/log.
So I was wondering what the common solution for this would be?
Should the warning just be ignored, or should ArchLinux patch gradm_adm.c to include the appropriate permissions?
There currently seems to be no way to extend these permissions - please correct me if I'm wrong - as adding the subject manually causes a "Duplicate subject found" error, and gradm_adm.c shows they use the 'o' flag (which makes total sense).
Would it be an acceptable solution to introduce the option of adding extra permissions in special variables used for these programs?
Like this:
With this I can silence the warning by adding this to the top of my policy
- Code: Select all
Warning: permission for symlink /dev/log in role users, subject /usr/bin/gradm_pam does not match that of its matching target object /run. Symlink is specified on line 1587 of /etc/grsec/policy.
I haven't yet tried using gradm_pam at all but I'd assume that this warning also means that gradm_pam won't actually be able to acces /dev/log.
So I was wondering what the common solution for this would be?
Should the warning just be ignored, or should ArchLinux patch gradm_adm.c to include the appropriate permissions?
There currently seems to be no way to extend these permissions - please correct me if I'm wrong - as adding the subject manually causes a "Duplicate subject found" error, and gradm_adm.c shows they use the 'o' flag (which makes total sense).
Would it be an acceptable solution to introduce the option of adding extra permissions in special variables used for these programs?
Like this:
- Code: Select all
--- a/gradm_adm.c 2014-07-16 13:53:49.950469128 +0200
+++ b/gradm_adm.c 2014-07-16 13:53:27.820468833 +0200
@@ -168,6 +168,7 @@ add_gradm_pam_acl(struct role_acl *role)
struct ip_acl ip;
struct protoent *proto;
char *grpam_path;
+ struct var_object *extra_var;
if (bikeshedding_detected())
grpam_path = get_bikeshedded_path(GRPAM_PATH);
@@ -236,6 +237,10 @@ add_gradm_pam_acl(struct role_acl *role)
add_sock_family(current_subject, "netlink");
+ extra_var = sym_retrieve("grsec_gradm_pam_extra");
+ if (extra_var)
+ interpret_variable(extra_var);
+
return;
}
@@ -258,6 +263,7 @@ add_grlearn_acl(struct role_acl *role)
struct stat fstat;
struct ip_acl ip;
char *grlearn_path;
+ struct var_object *extra_var;
if (bikeshedding_detected())
grlearn_path = get_bikeshedded_path(GRLEARN_PATH);
@@ -280,6 +286,10 @@ add_grlearn_acl(struct role_acl *role)
add_cap_acl(current_subject, "-CAP_ALL", NULL);
+ extra_var = sym_retrieve("grsec_grlearn_extra");
+ if (extra_var)
+ interpret_variable(extra_var);
+
return;
}
With this I can silence the warning by adding this to the top of my policy
- Code: Select all
define grsec_gradm_pam_extra {
/run/systemd/journal/dev-log rw
}