ioperm(), CONFIG_GRKERNSEC_IO and more

Posted: Mon Jan 24, 2011 12:27 pm
by jfx
Hey guys,

I'm a bloody newbie in working with grsecurity. Indeed I read the Gentoo Grsecurity2 QuickStart Guide (since I'm using Hardened Gentoo), Grsecurity ACL docu, and Ch. 3 and 4 of the great Grsecurity Wikibook, but I have no practical experience so far.

I compiled the kernel with CONFIG_GRKERNSEC_HARDENED_SERVER=y and CONFIG_GRKERNSEC_IO=y and now I'm experiencing this problem: I have a sane-supported USB scanner on the system and it works pretty well if I execute scanimage directly.
Then I 'installed' scanbuttond, a little binary that executes an action if one of the scanner buttons is used. I use it as a service.

Now I'm totally confused about what happens:

scanbuttond: button 1 has been pressed.
kernel: grsec: From 192.168.1.51: denied use of ioperm() by /usr/bin/scanimage[scanimage:20422] uid/euid:0/0 gid/egid:0/0, parent /usr/local/bin/scanfile.sh[scanfile.sh:20421] uid/euid:0/0 gid/egid:0/0
kernel: grsec: From 192.168.1.51: denied use of ioperm() by /usr/bin/scanimage[scanimage:20422] uid/euid:0/0 gid/egid:0/0, parent /usr/local/bin/scanfile.sh[scanfile.sh:20421] uid/euid:0/0 gid/egid:0/0
kernel: grsec: From 192.168.1.51: denied open of /dev/port by /usr/bin/scanimage[scanimage:20422] uid/euid:0/0 gid/egid:0/0, parent /usr/local/bin/scanfile.sh[scanfile.sh:20421] uid/euid:0/0 gid/egid:0/0
scanbuttond: button 1 has been released.

Firstly: the system has the IP 192.168.1.2, my Windows client has the IP 192.168.1.51. I'm connected via SSH to the server but - as far as I understand - my Windows client has nothing to do with scanbuttond, scanimage or sane. Can you guys explain this "From 192.168.1.51" part to me?

Secondly: the ioperm() and /dev/port restrictions follow from CONFIG_GRKERNSEC_IO, right?
/usr/local/bin/scanfile.sh is a shell script I created to get a document scanned and then further processed. As far as I understand, it is started by /usr/local/etc/scanbuttond/buttonpressed.sh, which itself is started by the scanbuttond binary.
Can I change this behaviour with chpax or another rule-modifying tool, or do I have to relinquish the IO protection? Or may it be a trusted path problem?

Thanks for any advice

Re: ioperm(), CONFIG_GRKERNSEC_IO and more

Posted: Mon Jan 24, 2011 6:38 pm
by spender
Yes, if you want to use this scanimage software, you'll have to disable CONFIG_GRKERNSEC_IO.

As for the 192.168.1.51, that's part of grsecurity's tagging of IPs to processes. We try to tag the IP address most likely responsible for the creation of a process, or for the current state of a given service. In this case, perhaps you logged in via SSH and ran the command?

-Brad
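
Added example, not part of the original posts and not grsecurity code: a small parser for the "denied ..." audit lines quoted in the first post, which pulls out the tagged IP, the denied operation, and the process/parent pair so denials can be grouped by origin. The field layout is inferred from those three lines only; the `UNTAGGED` line is constructed and assumes the "From <ip>:" prefix is simply absent when no address is tagged.

```python
import re
from collections import Counter

# Log lines copied from the first post of this thread.
SAMPLE = """\
scanbuttond: button 1 has been pressed.
kernel: grsec: From 192.168.1.51: denied use of ioperm() by /usr/bin/scanimage[scanimage:20422] uid/euid:0/0 gid/egid:0/0, parent /usr/local/bin/scanfile.sh[scanfile.sh:20421] uid/euid:0/0 gid/egid:0/0
kernel: grsec: From 192.168.1.51: denied use of ioperm() by /usr/bin/scanimage[scanimage:20422] uid/euid:0/0 gid/egid:0/0, parent /usr/local/bin/scanfile.sh[scanfile.sh:20421] uid/euid:0/0 gid/egid:0/0
kernel: grsec: From 192.168.1.51: denied open of /dev/port by /usr/bin/scanimage[scanimage:20422] uid/euid:0/0 gid/egid:0/0, parent /usr/local/bin/scanfile.sh[scanfile.sh:20421] uid/euid:0/0 gid/egid:0/0
scanbuttond: button 1 has been released.
"""

# Constructed line (not from the thread); assumes the "From <ip>:" prefix
# is omitted when grsecurity has no address tagged to the process.
UNTAGGED = ("kernel: grsec: denied open of /dev/port by "
            "/usr/bin/scanimage[scanimage:301] uid/euid:0/0 gid/egid:0/0, "
            "parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0")

# One "path[comm:pid] uid/euid:U/E gid/egid:G/E" block; {p} prefixes group names.
_PROC = (r"(?P<{p}path>.+?)\[(?P<{p}comm>[^:\]]+):(?P<{p}pid>\d+)\] "
         r"uid/euid:(?P<{p}uid>\d+)/(?P<{p}euid>\d+) "
         r"gid/egid:(?P<{p}gid>\d+)/(?P<{p}egid>\d+)")
DENIED = re.compile(
    r"grsec: (?:From (?P<ip>\S+): )?denied (?P<action>.+?) by "
    + _PROC.format(p="") + ", parent " + _PROC.format(p="parent_"))


def parse_denial(line):
    """Return the fields of one grsec denial line, or None if it is not one."""
    m = DENIED.search(line)
    if m is None:
        return None
    # pid/uid/euid/gid/egid (and parent_*) become ints; ip may be None.
    return {k: int(v) if k.endswith("id") else v
            for k, v in m.groupdict().items()}


def summarize(lines):
    """Count denials per (tagged ip, action, binary, parent binary)."""
    counts = Counter()
    for line in lines:
        d = parse_denial(line)
        if d:
            counts[(d["ip"], d["action"], d["path"], d["parent_path"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE.splitlines() + [UNTAGGED]).items():
        print(n, key)
```

The tagged IP is the address most likely responsible for the process's creation, as described above, so it is worth keeping as its own column rather than reading it as the source of the denied call.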

Re: ioperm(), CONFIG_GRKERNSEC_IO and more

Posted: Tue Jan 25, 2011 7:08 pm
by jfx
spender wrote: Yes, if you want to use this scanimage software, you'll have to disable CONFIG_GRKERNSEC_IO.

To my surprise scanimage receives an image despite the grsecurity kernel messages :-)

Regarding the tagging of IPs to processes: how does grsecurity try to fit this? In my case the only purpose of the SSH session was to show me the logfile. The whole scan process was initiated by pressing the scanner button which is monitored by the scanbuttond. No real link to the network ;)

Re: ioperm(), CONFIG_GRKERNSEC_IO and more

Posted: Tue Jan 25, 2011 7:40 pm
by spender
You must have logged in at a previous time -- and perhaps restarted the scanbuttond service?

-Brad

Re: ioperm(), CONFIG_GRKERNSEC_IO and more

Posted: Wed Jan 26, 2011 12:36 pm
by jfx
spender wrote: You must have logged in at a previous time -- and perhaps restarted the scanbuttond service?

Yes, you're right: I started the scanlogd-initscript via ssh. Unbelievable that grsecurity goes that far - I'm fascinated :)