define's for bind/connect

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Postby moseleymark » Wed Jul 25, 2012 5:02 pm

A colleague pointed out to me (to my chagrin, after using grsec for years) the 'define' mechanism the other day. I'd never seen it before (nor can I find mention of it on the wiki), but it looks super, super useful. One thing I was curious about was why it's just limited to the file entries. Being able to use defines for the bind/connect sections of an ACL would make it even more useful. I've got bind/connect for every ACL entry and they are the most repetitive bits of my policies, almost invariably 'bind disabled' (for non-daemons) and the same initial connects (for DNS, LDAP, etc., plus "connect 0.0.0.0/32:0 dgram udp" to keep interface discovery from choking logs).
moseleymark
 
Posts: 53
Joined: Fri Sep 05, 2008 5:19 pm

Re: define's for bind/connect

Postby spender » Wed Jul 25, 2012 6:24 pm

Hi Mark,

I'll look into adding this for you -- thanks for the suggestion.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: define's for bind/connect

Postby spender » Wed Jul 25, 2012 8:56 pm

Hi Mark,

I added support for connect/bind rules and also capabilities. If you'd like to test the code it's in the git repo for gradm:

http://cvsweb.grsecurity.net/?p=gradm.g ... eb81d1bebe

Thanks!
-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
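To illustrate the feature requested above and implemented in Brad's gradm change, here is an added example of a policy fragment (not from this thread or from the gradm repository) that factors the repeated connect, bind and capability rules into defines. The define names, the subject paths, the role name and the 192.0.2.x addresses are assumptions chosen for illustration; the connect/bind and capability lines inside a define depend on the gradm change discussed in this thread.

```text
# Added example: shared network and capability rules factored into defines.
# Define names, subject paths, role name and 192.0.2.x addresses are assumed
# for illustration. Connect/bind and capability lines inside a define rely on
# the gradm change discussed in this thread.

# Outbound connections every confined program needs: DNS and LDAP on the
# assumed resolver/directory hosts, plus the dgram rule for interface discovery
# (the 0.0.0.0/32:0 rule from the original post).
define common_connect {
	connect 0.0.0.0/32:0 dgram udp
	connect 192.0.2.53/32:53 dgram udp
	connect 192.0.2.53/32:53 stream tcp
	connect 192.0.2.10/32:389 stream tcp
}

# Non-daemons never listen on a socket.
define no_bind {
	bind disabled
}

# Non-daemons run with no capabilities.
define drop_caps {
	-CAP_ALL
}

# Assumed user role; the root subject keeps the usual read-only baseline.
role ldapuser u
subject / {
	/			r
	$common_connect
	$no_bind
	$drop_caps
}

# Hypothetical LDAP client tool: the shared rules are referenced once each
# instead of being repeated in every subject.
subject /usr/local/bin/ldaptool o {
	/			h
	/usr/local/bin/ldaptool	x
	/lib			rx
	/etc/ldap		r
	$common_connect
	$no_bind
	$drop_caps
}
```

Running gradm -C makes gradm parse the policy and report errors before it is enabled, which is the quickest way to confirm the installed gradm accepts network rules inside a define.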

Re: define's for bind/connect

Postby moseleymark » Thu Jul 26, 2012 5:49 pm

Applied and testing. Looks good so far. I've also applied it to a 2.2.2 gradm and it seems to be working fine there too (any gotchas of using it with older versions of gradm I should be aware of?).

Thanks for the super quick turnaround! This is a feature I think could be pretty useful to everyone.
moseleymark
 
Posts: 53
Joined: Fri Sep 05, 2008 5:19 pm

Re: define's for bind/connect

Postby spender » Thu Jul 26, 2012 6:07 pm

Hi Mark,

If it applied cleanly there shouldn't be any issues. The patch doesn't affect any interaction with the kernel, just which objects get added to the policy (which is eventually transferred to the kernel).

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
