2.6.39.3 and CONFIG_GRKERNSEC_PROC_USER=y

Postby HellFire » Fri Jul 22, 2011 8:21 am

I'm unable to read /proc correctly even though I'm in the group set in CONFIG_GRKERNSEC_PROC_GID.


Patch: 07/19/11

administrator:~$ grep GRKERNSEC_PROC /boot/config-$(uname -r)
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=27
# CONFIG_GRKERNSEC_PROC_ADD is not set
# CONFIG_GRKERNSEC_PROC_IPADDR is not set


administrator:~$ id
uid=1100(administrator) gid=1100(administrator) groups=1100(administrator),4(adm),7(lp),20(dialout),24(cdrom),27(sudo),30(dip),40(src),46(plugdev),109(lpadmin),110(sambashare),111(admin),1106(scanner)

administrator:~$ ls -ld /proc/net/
dr-xr-xr-x 2 administrator sudo 0 2011-07-22 01:27 /proc/net/
administrator:~$ ls -l /proc/net/
ls: reading directory /proc/net/: Invalid argument
HellFire
 
Posts: 8
Joined: Thu Jul 21, 2011 8:28 pm

Re: 2.6.39.3 and CONFIG_GRKERNSEC_PROC_USER=y

Postby spender » Fri Jul 22, 2011 9:18 am

It looks as though you tried to hack your configuration manually instead of using make menuconfig or some other standard method. It should not be possible via normal configuration to enable both GRKERNSEC_PROC_USER and GRKERNSEC_PROC_USERGROUP. I'll add a compiler error to prevent this from being possible in the future, but for now enable only GRKERNSEC_PROC_USERGROUP for the functionality you want.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
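
A check for the state described in the reply above, as an added example (not code from the thread or from grsecurity): it reads a kernel config and reports whether GRKERNSEC_PROC_USER and GRKERNSEC_PROC_USERGROUP are both enabled, and otherwise whether any supplied group ID matches CONFIG_GRKERNSEC_PROC_GID. The function names and verdict strings are hypothetical; the sample config is constructed from the lines posted earlier in the thread.

```shell
#!/bin/sh
# Added example; function names and verdict strings are hypothetical.

# Constructed sample: the GRKERNSEC_PROC lines posted earlier in the thread.
sample_config() {
    cat <<'EOF'
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=27
# CONFIG_GRKERNSEC_PROC_ADD is not set
EOF
}

# kconfig_enabled FILE SYMBOL: succeeds only on an exact "CONFIG_SYMBOL=y" line.
kconfig_enabled() { grep -q "^CONFIG_$2=y\$" "$1"; }

# kconfig_value FILE SYMBOL: prints the value assigned to CONFIG_SYMBOL.
kconfig_value() { sed -n "s/^CONFIG_$2=//p" "$1" | head -n 1; }

# check_grsec_proc FILE [GID...]: prints one verdict and returns non-zero
# for "conflict" (both options set) and "group-miss" (no GID matches).
check_grsec_proc() {
    cfg=$1; shift
    user=n; group=n
    if kconfig_enabled "$cfg" GRKERNSEC_PROC_USER; then user=y; fi
    if kconfig_enabled "$cfg" GRKERNSEC_PROC_USERGROUP; then group=y; fi
    case "$user$group" in
        yy) echo conflict; return 1 ;;
        yn) echo user-only; return 0 ;;
        nn) echo none; return 0 ;;
    esac
    want=$(kconfig_value "$cfg" GRKERNSEC_PROC_GID)
    for gid in "$@"; do
        if [ "$gid" = "$want" ]; then echo group-ok; return 0; fi
    done
    echo group-miss; return 1
}

# Demo on the constructed sample with numeric groups from the `id` output.
demo_cfg=$(mktemp)
sample_config > "$demo_cfg"
check_grsec_proc "$demo_cfg" 1100 4 27 || true   # prints "conflict"
rm -f "$demo_cfg"
```

On a live system the equivalent call is `check_grsec_proc /boot/config-$(uname -r) $(id -G)`.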

Re: 2.6.39.3 and CONFIG_GRKERNSEC_PROC_USER=y

Postby HellFire » Fri Jul 22, 2011 8:04 pm

I did actually use make menuconfig for it. I'll try rebuilding with it off and see what happens.

* Edit: Looks like if you set security level to medium/high, it still lets you turn it on and won't turn off usergroup.
Fixed it with:
config GRKERNSEC_PROC_USER
        bool "Restrict /proc to user only"
        depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USERGROUP

Re: 2.6.39.3 and CONFIG_GRKERNSEC_PROC_USER=y

Postby HellFire » Sat Jul 23, 2011 10:29 am

Yup, that fixed it. Thanks.

Re: 2.6.39.3 and CONFIG_GRKERNSEC_PROC_USER=y

Postby spender » Sat Jul 23, 2011 11:51 am

Using make menuconfig in that way (selecting high security then adding additional options) isn't a proper way to configure grsecurity. It used to be back in the 2.4 days, but with the Kconfig rewrite in 2.6 and the way 'select' works, there's not a way I know of to implement this.

-Brad