Page 1 of 1

Could not open /proc/sysy/kernel/grsecurity/acl

PostPosted: Mon Dec 16, 2002 4:27 am
by andutt
Running Rehat 7.3 with 2.4.9-kernel from kernel.org using last stable version of gradm and grsecurity 1.9.7. I have loaded gradm -E sucessfully but im failing to do gradm -a or gradm -D with following errormessage:

Could not open /proc/sysy/kernel/grsecurity/acl

Ivé tried to recompile my kernel and to recompile gradm without success. Any suggestions.

/Andutt

PostPosted: Mon Dec 16, 2002 12:24 pm
by spender
Was the error a permission denied error? If so, check the logs. It's most likely an incorrect password.

-Brad

PostPosted: Tue Dec 17, 2002 3:30 am
by andutt
Hello Brad

Ialso thought so in the beginning, but i have set new passwords, deleted /etc/grsec when i have booted on my original kernel an tried to remake gradm, without luck. The thing thats a little wierd is that i cant see anything under /proc/sys/kernel. Thats before i have executed gradm -E.

So i something loaded automaticly on boot?? I´m running on default acl:s under /etc/grsec and following config is compiled into the kernel:

#
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MID is not set
# CONFIG_GRKERNSEC_HI is not set
CONFIG_GRKERNSEC_CUSTOM=y

#
# Buffer Overflow Protection
#
# CONFIG_GRKERNSEC_PAX_NOEXEC is not set
# CONFIG_GRKERNSEC_PAX_ASLR is not set
# CONFIG_GRKERNSEC_KMEM is not set

#
# ACL options
#
CONFIG_GR_DEBUG=y
CONFIG_GR_SUPERDEBUG=y
CONFIG_GR_MAXTRIES=3
CONFIG_GR_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
# CONFIG_GRKERNSEC_PROC_USERGROUP is not set
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
# CONFIG_GRKERNSEC_CHROOT_CAPS is not set

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_AUDIT_IPC=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y

#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_TPE is not set

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDID=y
CONFIG_GRKERNSEC_RANDSRC=y
CONFIG_GRKERNSEC_RANDRPC=y
CONFIG_GRKERNSEC_RANDPING=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl support
#
CONFIG_GRKERNSEC_SYSCTL=y

#
# Miscellaneous Features
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4

/Andutt

PostPosted: Tue Dec 17, 2002 7:22 am
by andutt
Hi Again

When i compiled my kernel with the grsec-patch installed but grsecurity disabled in the kernel my proc-filesystem seems normal again.

So something must be wrong with my configuration of grsecurity..have someone any idea what??

/Andutt

Problem is real

PostPosted: Tue Dec 17, 2002 11:00 am
by cmouse
I have the same problem. Password works since it allows me to use gradm -E

After trying to disable the ACL -or- trying to become admin will not succeed:
desteem:/etc/grsec# gradm -a
Password:
Error writing to /proc/sys/kernel/grsecurity/acl
write: Operation not permitted

I have no idea why this happens

Dec 17 18:59:09 desteem kernel: grsec: admin auth failure for (gradm:340) UID(0) EUID(0), parent (bash:23794) UID(0) EUID(0)
Dec 17 18:59:19 desteem kernel: grsec: admin auth failure for (gradm:22240) UID(0) EUID(0), parent (bash:23794) UID(0) EUID(0)
Dec 17 18:59:35 desteem kernel: grsec: admin auth failure for (gradm:4058) UID(0) EUID(0), parent (bash:23794) UID(0) EUID(0)

I am 101% positive that my password is correct. As I triplechecked it.

PostPosted: Tue Dec 17, 2002 11:04 am
by spender
The password isn't needed to enable the ACL system. I'm not sure why you're not able to authenticate to the ACL system. The config you pasted looks fine. I don't really have much else to go on, though.

-Brad

PostPosted: Tue Dec 17, 2002 11:05 am
by cmouse
hmm, you must have confused me =) I am not the original poster

PostPosted: Tue Dec 17, 2002 11:26 am
by cmouse
..continued

I made a change to the gradm source code, basically I removed all content from add_gradm_acl().

Then I made my own ACL for gradm, and you know what? It worked.

PostPosted: Tue Dec 17, 2002 12:16 pm
by andutt
Hi again

Now i tried to compile a kernel whitout sysctl-support in grsecurity...and now it workes perfectly!!!!

My /proc/sys/kernel directory looks normal again...So thoose that have the same problem, try that....following kernelconfig:

#
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MID is not set
# CONFIG_GRKERNSEC_HI is not set
CONFIG_GRKERNSEC_CUSTOM=y

#
# Buffer Overflow Protection
#
CONFIG_GRKERNSEC_PAX_NOEXEC=y
CONFIG_GRKERNSEC_PAX_PAGEEXEC=y
CONFIG_GRKERNSEC_PAX_SEGMEXEC=y
CONFIG_GRKERNSEC_PAX_EMUTRAMP=y
CONFIG_GRKERNSEC_PAX_MPROTECT=y
CONFIG_GRKERNSEC_PAX_ASLR=y
CONFIG_GRKERNSEC_PAX_RANDKSTACK=y
CONFIG_GRKERNSEC_PAX_RANDUSTACK=y
CONFIG_GRKERNSEC_PAX_RANDMMAP=y
CONFIG_GRKERNSEC_PAX_RANDEXEC=y
CONFIG_GRKERNSEC_KMEM=y

#
# ACL options
#
CONFIG_GR_DEBUG=y
CONFIG_GR_SUPERDEBUG=y
CONFIG_GR_MAXTRIES=3
CONFIG_GR_TIMEOUT=30

#
# Filesystem Protections
#
# CONFIG_GRKERNSEC_PROC is not set
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
# CONFIG_GRKERNSEC_CHROOT_NICE is not set
# CONFIG_GRKERNSEC_CHROOT_CAPS is not set

#
# Kernel Auditing
#
CONFIG_GRKERNSEC_AUDIT_GROUP=y
CONFIG_GRKERNSEC_AUDIT_GID=1007
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_AUDIT_IPC=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y

#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_TPE is not set

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDID=y
CONFIG_GRKERNSEC_RANDSRC=y
CONFIG_GRKERNSEC_RANDRPC=y
CONFIG_GRKERNSEC_RANDPING=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl support
#
# CONFIG_GRKERNSEC_SYSCTL is not set

#
# Miscellaneous Features
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4

/Andutt

PostPosted: Tue Dec 17, 2002 2:44 pm
by spender
you shouldn't need your own ACL for gradm. Since gradm is compiled statically, it only needs the access specified in gradm_adm.c What changes did you make in your ACL for it?

-Brad

PostPosted: Tue Dec 17, 2002 2:51 pm
by spender
Also, have either of you tried 1.9.8-rc2 and gradm-1.6-rc2? I'd be interested in knowing if you have the same problems with that.

-Brad

PostPosted: Wed Dec 18, 2002 2:53 am
by cmouse
sorry to disappoint you, but I'd rather not test the 'unstable' version. :)

almost forgot...
this is the ACL I used after removing the static ACL...

/sbin/gradm {
/proc/sys/kernel/grsecurity/acl rw
/etc/grsec/ r
/etc/grsec/pw r
/etc/grsec/acl r
+CAP_ALL
}

This isn't most likely the sanest ACL to use, but it works. You might drop that +CAP_ALL there though...