Your terminal is being sniffed.

PostPosted: Fri Jan 14, 2005 1:21 pm
by hmhansolo
With a 2.6.10 grsec kernel version grsecurity-2.1.1-2.6.10-200501121748.patch
and gradm version gradm-2.1.1-200501122225.tar.gz

I get the following message when I try to use gradm after I enable the system. I do gradm -E which works I guess. But when I try to do anything else with gradm.. gradm -D, gradm -a admin... etc... all result in the below..

Your terminal is being sniffed.

I tried this as the first thing I did when I boot up. I open a shell (not in X11, in a regular login prompt) as root. No su or anything. And I still get that statement above.

PostPosted: Fri Jan 14, 2005 1:24 pm
by hmhansolo
Code: Select all
        case GRADM_RELOAD:
        case GRADM_DISABLE:
        case GRADM_SPROLE:
        case GRADM_UNSPROLE:
        case GRADM_MODSEGV:
            /* retval is what the kernel returned for the write to /dev/grsec */
            if (retval == 2) {
                printf("The operation you requested cannot be performed "
                       "because the RBAC system is currently disabled.\n");
                ioctl(0, TIOCNXCL);
                exit(EXIT_FAILURE);
            } else if (retval == 3) {
                printf("AA3: Your terminal is being sniffed. Please logout and take whatever measures necessary.\n");
                ioctl(0, TIOCNXCL);
                exit(EXIT_FAILURE);
            }
            break;
        }

        return;
    }



it seems when trying to Disable, the above code is run... there are only two options.. either the system is already disabled.. or your terminal is being sniffed..


by the way, everything was working okay with the stable release version for 2.6.7

PostPosted: Fri Jan 14, 2005 1:30 pm
by hmhansolo
and it seems, the 3 is the return value from when writing to /dev/grsec... so i guess that is the kernel responding to what gradm writes to /dev/grsec... i guess.. so why is the kernel responding as such?

PostPosted: Fri Jan 14, 2005 1:55 pm
by hmhansolo
ok.. so it seems to happen in gracl.c in function gr_check_secure_terminal...

it is called from write_grsec_handler on line 2807
Code: Select all
            if (!gr_check_secure_terminal(current))
               error = 3;


gr_check_secure_terminal fails if

Code: Select all
         if (file && file->f_dentry->d_inode->i_rdev == our_file->f_dentry->d_inode->i_rdev) {


is true (among other conditions).



excuse the many posts.. this is the first time that I am actually even looking at kernel code..

PostPosted: Fri Jan 14, 2005 2:10 pm
by hmhansolo
it seems like it is going through each running thread and checking if any of the running processes have an open file that is the same file of the tty where that command was run...

i could be wrong.. i have never looked at kernel/grsec code ever before...

i guess the idea is, if another process has that tty file (terminal) open, then some other process can listen in...

but, there is no way to open up a terminal without some other process other than initd owning it... right?


lemme know if I am close... thanks...

i'll leave the real analysis to the professionals.. thanks Brad.
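The check hmhansolo describes above (walk every task, compare the device number of each open file against the device number of the caller's terminal) can be reproduced from userland by reading /proc/<pid>/fd. The script below is an added example written for this thread, not gradm or grsecurity code; the function names are its own, and the constructed fd table in the usage note stands in for a real /proc scan.

```python
"""
Added example (not gradm/grsecurity code): a userland version of the idea
described in the post above. It walks /proc/<pid>/fd, looks for character
devices whose device number (st_rdev) matches the terminal on this process's
stdin, and lists the other processes that hold that terminal open.
"""
import os
import stat
import sys


def controlling_tty_rdev(fd=0):
    """Return the device number of the character device on fd, or None if fd is not one."""
    st = os.fstat(fd)
    if not stat.S_ISCHR(st.st_mode):
        return None
    return st.st_rdev


def scan_proc_fds(proc_root="/proc"):
    """Build {pid: {st_rdev, ...}} from the character devices each process has open.

    Processes whose fd directory cannot be read (permission denied, or the
    process exited while we were looking) are skipped rather than reported.
    """
    table = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        rdevs = set()
        for fd in fds:
            try:
                st = os.stat(os.path.join(fd_dir, fd))  # follows the fd symlink
            except OSError:
                continue
            if stat.S_ISCHR(st.st_mode):
                rdevs.add(st.st_rdev)
        table[int(entry)] = rdevs
    return table


def tty_holders(tty_rdev, fd_table, own_pid):
    """Return sorted pids other than own_pid that have a char device with tty_rdev open.

    This is the comparison quoted from gr_check_secure_terminal, done per task:
    a match on the device number of the caller's terminal in any other task's
    open files counts as that task holding the terminal.
    """
    return sorted(pid for pid, rdevs in fd_table.items()
                  if pid != own_pid and tty_rdev in rdevs)


def main():
    rdev = controlling_tty_rdev(0)
    if rdev is None:
        print("stdin is not a character device")
        return 1
    holders = tty_holders(rdev, scan_proc_fds(), os.getpid())
    print("tty device %d:%d is held open by pids: %s"
          % (os.major(rdev), os.minor(rdev), holders or "none"))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

On a constructed table such as `{1234: {5, 259}, 4321: {259}, 999: {11}}`, `tty_holders(259, table, 1234)` returns `[4321]`. Run for real on a login tty, the list is never empty: the shell and the login process that spawned it hold the same device, which is exactly the point raised in the post above, so the kernel check can only be useful if its other conditions exclude the caller's own session.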

PostPosted: Fri Jan 14, 2005 10:08 pm
by spender
Grab the latest version of 2.1.1 and let me know if your problem still exists.

-Brad

kernel debugging?

PostPosted: Sat Jan 15, 2005 8:27 pm
by hmhansolo
my linux kernel is crashing... more like it is freezing dead... nothing goes into the logs... cause i assume there is no time for the kernel to output an oops before it dies.... is there any way i can debug the kernel enough to see where the kernel is dying.. i need to do this on a live kernel.. so using UML or doing it in bochs/qemu/vmware is not an option. Also, I only have my one computer, so I can't do remote debugging.

Anyways... can someone post a link to some howtos/manuals/documents about kernel debugging and how to find out why/when kernels crash..

thanks

--hmhansolo

PostPosted: Sun Jan 16, 2005 5:49 pm
by hmhansolo
nope.. still a problem... what type of terminal is supposed to be used to authenticate to gradm?


also, when you develop and test kernels, what do you use... do u use vmware or something like that to test the kernels... or do u have a separate machine where u test, that doesn't need to be stable...?? and how about debugging?

PostPosted: Sun Jan 16, 2005 8:05 pm
by spender
What was the filename of the terminal you were using to authenticate with gradm, and what appeared in your kernel logs when it told you your tty was being sniffed? Are you able to log into tty2 and authenticate?

What were you doing when the system froze? Were you running full learning?

-Brad