systemd vs CONFIG_GRKERNSEC_PROC


Re: systemd vs CONFIG_GRKERNSEC_PROC

Post by spender » Wed Oct 29, 2014 8:53 am

Hi,

Ignore the first set of "errors" -- that's normal.

For the second, just adding:
Code:
#include <linux/cred.h>
#include <linux/grsecurity.h>

to the top of that file (below the other headers) should fix it.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: systemd vs CONFIG_GRKERNSEC_PROC

Post by alan.d » Wed Oct 29, 2014 11:32 am

Thanks Brad, the missing headers resolved the issue.
Unfortunately it still does not solve the issue, see strace -f output: http://pastebin.com/xghFp3ar
Or did I misunderstand the part "For the /proc/1/root, there's no choice but to allow it to be viewed by all users", so this is needed to be done by me? It all comes down to that access and your patch did not change anything about /proc/1/root, right?
alan.d
 
Posts: 34
Joined: Mon Jul 07, 2014 8:20 am

Re: systemd vs CONFIG_GRKERNSEC_PROC

Post by spender » Wed Oct 29, 2014 7:37 pm

Hi Alan,

Your logs show systemctl calling stat() on /proc/1/root. This can't possibly work as an unprivileged user, even on a vanilla system. It will be able to perform an lstat(), but stat() implies following the /proc/1/root symlink. This will result in a proc_fd_access_allowed() check present since 2006 that will fail. So getting an EACCES on /proc/1/root isn't the issue, that's fine. The patch I gave you at least now allows a process to see the existence of /proc/1. The stat()s seem to be part of its completely broken chroot detection -- it's impossible for it to detect a chroot except as a root user. It seems it then tries to consult pkttyagent/libpolkit (perhaps to have it perform the access in a privileged process on behalf of your user, or have it send you a file descriptor). I imagine that's where it's going wrong. Can you show me what it displays to your screen when you try running it? What other systemd-related logs are produced as a result of the command?

-Brad
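
The lstat()/stat() difference on /proc/1/root described in the post above, as an added example that is not part of the original post and is not systemd's code. It assumes a chroot check that compares the device and inode of "/" with the target of /proc/1/root; `compare_roots` and the verdict names are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Outcome of comparing our own root with another process's root link. */
enum root_verdict {
    SAME_ROOT,           /* both stat() calls worked, dev/inode match   */
    DIFFERENT_ROOT,      /* both worked, roots differ: likely chrooted  */
    LINK_NOT_FOLLOWABLE, /* lstat() saw the link, a stat() call failed  */
    LINK_NOT_VISIBLE     /* even lstat() failed: entry hidden or absent */
};

/* own_root is normally "/", root_link is normally "/proc/1/root".
 * *err receives the errno of the failing call, or 0 on success. */
static enum root_verdict compare_roots(const char *own_root,
                                       const char *root_link, int *err)
{
    struct stat mine, theirs, link;

    *err = 0;
    /* lstat() inspects the symlink itself and never dereferences it. */
    if (lstat(root_link, &link) != 0) {
        *err = errno;
        return LINK_NOT_VISIBLE;
    }
    /* stat() follows the link; for /proc/<pid>/root of another user's
     * process this is where the kernel's access check refuses. */
    if (stat(root_link, &theirs) != 0 || stat(own_root, &mine) != 0) {
        *err = errno;
        return LINK_NOT_FOLLOWABLE;
    }
    return (mine.st_dev == theirs.st_dev && mine.st_ino == theirs.st_ino)
               ? SAME_ROOT : DIFFERENT_ROOT;
}

int main(void)
{
    static const char *names[] = { "same root", "different root",
        "visible but not followable", "not visible" };
    const char *links[] = { "/proc/self/root", "/proc/1/root" };
    int err;

    for (int i = 0; i < 2; i++) {
        enum root_verdict v = compare_roots("/", links[i], &err);
        printf("%-16s %s (%s)\n", links[i], names[v],
               err ? strerror(err) : "ok");
    }
    return 0;
}
```

Run as an unprivileged user, the /proc/1/root line is expected to report "visible but not followable" with EACCES, which says nothing about whether the caller is in a chroot; only a caller allowed to follow the link gets a real answer.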

Re: systemd vs CONFIG_GRKERNSEC_PROC

Post by alan.d » Thu Oct 30, 2014 5:48 am

[user@localhost ~]$ journalctl &> 1
[user@localhost ~]$ systemctl suspend
Failed to execute operation: Access denied
Failed to start suspend.target: Access denied
[user@localhost ~]$ journalctl &> 2
[user@localhost ~]$ diff -u 1 2
--- 1 2014-10-30 10:31:02.344933141 +0100
+++ 2 2014-10-30 10:31:12.760026873 +0100
@@ -1,4 +1,4 @@
--- Logs begin at Wed 2014-10-29 10:40:31 CET, end at Thu 2014-10-30 10:30:58 CET. --
+-- Logs begin at Wed 2014-10-29 10:40:31 CET, end at Thu 2014-10-30 10:31:08 CET. --
Oct 29 11:39:55 localhost systemd-journal[184]: Runtime journal is using 8.0M (max allowed 800.2M, trying to leave 1.1G free of 7.8G available → current limit 800.2M).
Oct 29 11:39:55 localhost systemd-journal[184]: Runtime journal is using 8.0M (max allowed 800.2M, trying to leave 1.1G free of 7.8G available → current limit 800.2M).
Oct 29 11:39:55 localhost kernel: CPU0 microcode updated early to revision 0x29, date = 2013-06-12
@@ -21305,3 +21305,6 @@
Oct 30 10:30:35 localhost.localdomain sudo[2739]: user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/bin/top
Oct 30 10:30:46 localhost.localdomain kernel: mce: [Hardware Error]: Machine check events logged
Oct 30 10:30:58 localhost.localdomain chronyd[639]: Selected source 81.223.20.2
+Oct 30 10:31:07 localhost.localdomain polkitd[732]: Registered Authentication Agent for unix-process:2772:32208 (system bus name :1.108 [<unknown>], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
+Oct 30 10:31:07 localhost.localdomain dbus[644]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.107" (uid=1000 pid=2772 comm="") interface="org.freedesktop.systemd1.Manager" member="StartUnit" error name="(unset)" requested_reply="0" destination="org.freedesktop.systemd1" (uid=0 pid=1 comm="")
+Oct 30 10:31:08 localhost.localdomain polkitd[732]: Unregistered Authentication Agent for unix-process:2772:32208 (system bus name :1.108, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)


The more precise take:

[user@localhost ~]$ sudo journalctl &> a
[user@localhost ~]$ strace -f systemctl suspend &> trace
[user@localhost ~]$ sudo journalctl &> b
[user@localhost ~]$ sudo diff -u a b
--- a 2014-10-30 10:44:51.455533356 +0100
+++ b 2014-10-30 10:45:05.431688872 +0100
@@ -1,4 +1,4 @@
--- Logs begin at Wed 2014-10-29 10:40:31 CET, end at Thu 2014-10-30 10:44:50 CET. --
+-- Logs begin at Wed 2014-10-29 10:40:31 CET, end at Thu 2014-10-30 10:45:04 CET. --
Oct 29 11:39:55 localhost systemd-journal[184]: Runtime journal is using 8.0M (max allowed 800.2M, trying to leave 1.1G free of 7.8G available → current limit 800.2M).
Oct 29 11:39:55 localhost systemd-journal[184]: Runtime journal is using 8.0M (max allowed 800.2M, trying to leave 1.1G free of 7.8G available → current limit 800.2M).
Oct 29 11:39:55 localhost kernel: CPU0 microcode updated early to revision 0x29, date = 2013-06-12
@@ -21413,3 +21413,7 @@
Oct 30 10:44:00 localhost.localdomain sudo[4091]: user : TTY=pts/3 ; PWD=/home/user ; USER=root ; COMMAND=/bin/diff -u a b
Oct 30 10:44:29 localhost.localdomain sudo[4109]: user : TTY=pts/3 ; PWD=/home/user ; USER=root ; COMMAND=/bin/rm -rf 1 11 12 13 14 2 a
Oct 30 10:44:50 localhost.localdomain sudo[4119]: user : TTY=pts/3 ; PWD=/home/user ; USER=root ; COMMAND=/bin/journalctl
+Oct 30 10:45:01 localhost.localdomain polkitd[732]: Registered Authentication Agent for unix-process:4130:115593 (system bus name :1.127 [<unknown>], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
+Oct 30 10:45:01 localhost.localdomain dbus[644]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.128" (uid=1000 pid=4130 comm="") interface="org.freedesktop.systemd1.Manager" member="StartUnit" error name="(unset)" requested_reply="0" destination="org.freedesktop.systemd1" (uid=0 pid=1 comm="")
+Oct 30 10:45:01 localhost.localdomain polkitd[732]: Unregistered Authentication Agent for unix-process:4130:115593 (system bus name :1.127, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
+Oct 30 10:45:04 localhost.localdomain sudo[4235]: user : TTY=pts/3 ; PWD=/home/user ; USER=root ; COMMAND=/bin/journalctl

The trace can be found here: http://pastebin.com/khU2Puzp

Re: systemd vs CONFIG_GRKERNSEC_PROC

Post by spender » Thu Oct 30, 2014 7:21 am

Can you mail me a trace when you are strace attached to polkitd while performing the systemctl operation?

-Brad

Re: systemd vs CONFIG_GRKERNSEC_PROC

Post by alan.d » Thu Oct 30, 2014 9:08 am

Polkit output of strace -f: https://drive.google.com/uc?export=down ... 29vOEgyeUk
strace -f of systemctl suspend at the same time: http://pastebin.com/ZR7jphHE
journald entries created at that time:
Oct 30 13:57:18 localhost.localdomain polkitd[766]: Registered Authentication Agent for unix-process:3524:119952 (system bus name :1.124 [<unknown>], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Oct 30 13:57:19 localhost.localdomain dbus[654]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.125" (uid=1000 pid=3524 comm="") interface="org.freedesktop.systemd1.Manager" member="StartUnit" error name="(unset)" requested_reply="0" destination="org.freedesktop.systemd1" (uid=0 pid=1 comm="")
Oct 30 13:57:20 localhost.localdomain polkitd[766]: Unregistered Authentication Agent for unix-process:3524:119952 (system bus name :1.124, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)

Re: systemd vs CONFIG_GRKERNSEC_PROC

Post by spender » Fri Oct 31, 2014 9:01 am

Hi Alan,

I think there's a separate issue here in that polkitd may need to run in the special group for GRKERNSEC_PROC_USERGROUP. Your trace shows it attempting and failing to find what is perhaps your process attempting to communicate with it. It then makes several attempts to open /etc/polkit-1/localauthority and /var/lib/polkit-1/localauthority, which appear to be the only things returning the EACCES that it eventually reports to you. I don't know the cause of this latter issue, perhaps resolving the first will resolve the second.

I would like to see though whether allowing polkitd to run with the special group enables others not in that group to essentially bypass GRKERNSEC_PROC restrictions (seeing the existence of processes of other users, etc).

-Brad

Re: systemd vs CONFIG_GRKERNSEC_PROC

Post by alan.d » Fri Oct 31, 2014 10:16 am

Thanks for your great support. What can I do now? I mean I already tested adding polkitd user to the "perm" group configured in the kernel config and it resolves this issue. How could it help other users to see processes of other users? The only way I can imagine is that a process running under the "perm" user leaks that info on request, however there is nothing we can do to resolve this, so I think we will have to live with the risk :-(.
Adding polkitd to that group resolves most issues here. Since I have not yet tested DEs other than GNOME, I can only report what still does not work: Mounting devices that need access permission. Normally a dialog asking for the password would appear, which does not happen on the grsec kernel, as something does not have the permission to create that dialog. Adding the primary user to the "perm" group too resolves that problem, however then we do not have our /proc restrictions. I mean graphically mounting devices is convenient, but I can also do it from the command line. Do you mind looking at the trace?
I am not sure yet what to trace though. The file manager returns the message that there could not be a password dialog created, so should I trace the file manager? I think I did so yesterday and saw it requesting some /proc/<pid>/cgroup.
alan.d
 
Posts: 34
Joined: Mon Jul 07, 2014 8:20 am

Previous

Return to grsecurity support