ping doesn't work in chroot

PostPosted: Tue Jan 29, 2008 1:04 pm
by cormander
2.6.23.14-grsec

/usr/jail/bin/ping is a hardlink to /bin/ping, a 4755 permissions root:root suid binary

Outside of a chroot, non-root users can ping hosts. Inside a chroot, however, not even root can run it:

root@falcon ~# ping google.com
PING google.com (72.14.207.99) 56(84) bytes of data.
64 bytes from eh-in-f99.google.com (72.14.207.99): icmp_seq=1 ttl=244 time=26.0 ms
root@falcon ~# chroot /usr/jail/
root@falcon /# ping google.com
ping: icmp open socket: Operation not permitted
root@falcon /# exit

I've even tried using ping without it being a hardlink: copied /bin/ping to /usr/jail/bin/pping, set the 4755 perms on it, still no luck.

strace reveals:

socket(PF_INET, SOCK_RAW, IPPROTO_ICMP) = -1 EPERM (Operation not permitted)

Same goes for mtr:

root@falcon ~# chroot /usr/jail/
root@falcon /# mtr google.com
mtr: unable to get raw sockets.

I've tried this with chroot restrictions both enabled and disabled in the kernel.

Haven't found anything on google or these forums... they all point to ping not having the suid bit, which it does. I don't have this problem with a non-grsec kernel.

Ideas anyone?

Re: ping doesn't work in chroot

PostPosted: Tue Jan 29, 2008 2:06 pm
by spender
It's expected behavior for ping to not work in a chroot as root, since it requires use of CAP_NET_RAW. The "capability restrictions in chroot" option handles this case. I'm suspicious of your claim that the problem occurs even with the chroot options disabled, since they're compiled to nothing if the options are disabled. The only case where I can see this happening is if the sysctl option was enabled, and the chroot options were disabled at runtime outside of the chroot, after the chroot had already been made by the shell that eventually executed ping. Could you paste the config you used that has the chroot options disabled but still experiences the problem?

-Brad
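
To make the explanation above concrete, here is an added diagnostic (my own code, not from the thread or from grsecurity) that performs the same raw-socket call the strace shows and then reports whether CAP_NET_RAW is in the process's effective capability set; run it natively and then inside the chroot to compare. It assumes a Linux /proc with the usual CapEff line in /proc/self/status.

```c
/* Added diagnostic (not from the thread): make the raw-socket call ping
 * makes, then check whether CAP_NET_RAW is in this process's effective
 * capability set by parsing CapEff from /proc/self/status. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#define CAP_NET_RAW_BIT 13 /* CAP_NET_RAW is capability number 13 */

/* Parse "CapEff:\t<hex>" out of /proc/self/status text; 1 on success. */
int parse_cap_eff(const char *status_text, unsigned long long *mask)
{
    const char *p = strstr(status_text, "CapEff:");
    if (!p) return 0;
    *mask = strtoull(p + 7, NULL, 16); /* strtoull skips the tab */
    return 1;
}

/* 1 if capability number cap_bit is set in mask, else 0. */
int has_cap(unsigned long long mask, int cap_bit)
{
    return (int)((mask >> cap_bit) & 1ULL);
}

/* The exact syscall from the strace in the post: 0 on success, else errno. */
int try_raw_icmp_socket(void)
{
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

int main(void)
{
    char buf[4096] = {0};
    unsigned long long eff = 0;
    int err = try_raw_icmp_socket();
    FILE *f = fopen("/proc/self/status", "r");
    if (f) { buf[fread(buf, 1, sizeof buf - 1, f)] = '\0'; fclose(f); }
    printf("socket(PF_INET, SOCK_RAW, IPPROTO_ICMP): %s\n", err ? strerror(err) : "ok");
    if (parse_cap_eff(buf, &eff))
        printf("CapEff=%016llx, CAP_NET_RAW %s\n", eff,
               has_cap(eff, CAP_NET_RAW_BIT) ? "present" : "missing");
    if (err == EPERM && !has_cap(eff, CAP_NET_RAW_BIT))
        puts("EPERM is consistent with CAP_NET_RAW having been dropped (e.g. chroot_caps)");
    return 0;
}
```

With chroot_caps enabled the second line should show CAP_NET_RAW missing inside the jail even for uid 0, which is exactly why the suid bit on ping makes no difference there.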

Re: ping doesn't work in chroot

PostPosted: Tue Jan 29, 2008 3:29 pm
by cormander
Without chroot:

# CONFIG_GRKERNSEC_CHROOT is not set
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y

Wow. Heh. I didn't notice that - I use "make menuconfig".

I have two servers running with grsecurity - one was with this option not set (it has sysctl), and the other one has this option set (but I disabled sysctl unfortunately).

On both systems I have the grsecurity set to "high", but CONFIG_GRKERNSEC_CHROOT itself isn't set on the one... I was under the impression that since it wasn't set (I used "make menuconfig") that all the sub-options wouldn't be enabled either. Guess I was wrong! (I'll set it to "custom" next time ;) )

Anyway, I did this:

echo 0 > /proc/sys/kernel/grsecurity/chroot_caps

And ping now works on the one box. I'll rebuild the kernel again on the 2nd server with sysctl support so I can turn this thing off at runtime :)

Thanks for your help!!! Your mention of CAP_NET_RAW led me to read about CONFIG_GRKERNSEC_CHROOT_CAPS, and seeing that it's enabled (even when chroot itself is off) causes the issue.