gradm 2.2.0 and sock_allow_family
Posted: Tue Mar 29, 2011 2:28 pm
I've got a lot of boxes that I've been procrastinating about upgrading kernels on due to the lock-step of having to modify the ACLs to use sock_allow_family wherever it's needed (and I've got over 100 different ACLs, so it's a non-trivial thing). But I can't backport the sock_allow_family stuff to pre-2.6.36.1 kernels or the ACL will refuse to load. So for anything still using gradm 2.2.0, I was thinking about a hack like this, so that I can at least add sock_allow_family stuff without causing the ACL loading to choke on the older kernel boxes.
Brad, do you see any glaring gotchas with this approach with 2.2.0? ACLs with sock_allow_family seem to load just fine on a pre-2.6.36.1 kernel and stuff still seems to be getting caught by the ACL system. In terms of placement, I don't know if where it gets put matters, but I just put it at the beginning of the regular-looking directives. I figured treating it as a comment (and thus not having to worry about stuff coming after it in the line) was the easiest/cleanest way to accomplish this. Please let me know what you think. The last thing I want to do is compromise the security on these boxes.
--- a/gradm.l 2010-06-19 20:58:41.000000000 -0400
+++ b/gradm.l 2011-03-29 14:10:25.000000000 -0400
@@ -259,6 +259,11 @@
gradmlval.string = gr_strdup(yytext);
return ID_NAME;
}
+"sock_allow_family" {
+ if (YYSTATE != COMMENT_STATE)
+ old_state2 = YYSTATE;
+ BEGIN(COMMENT_STATE);
+ }
"user_transition_allow" {
BEGIN(IDTRANS_STATE);
return USER_TRANS_ALLOW;
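Review bot: the new "sock_allow_family" rule turns the directive into a comment unconditionally, with no check of the running kernel's version or of whether the target kernel already understands the directive, so the same patched gradm used against a 2.6.36.1 or later kernel would silently discard every sock_allow_family line and load a policy looser than the one written. Consider at least printing a warning to stderr when the rule fires, or gating the rule on a kernel-version check, so a policy loaded with its socket-family restrictions dropped is visible to the operator rather than indistinguishable from a full load. Also, the rule saves the previous state in old_state2 but nothing in the hunk restores it; confirm that the existing COMMENT_STATE exit rule (on newline) restores old_state2, otherwise the lexer would stay in comment state past the end of the line.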
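As an added example that is not part of the post or of gradm itself: a small POSIX shell filter that gates the removal of sock_allow_family lines on the target kernel's release string rather than dropping them unconditionally, and reports each dropped directive on stderr so the relaxation is visible. The function names, the constructed sample subject block and the assumption that the policy arrives on stdin are all illustrative choices, not gradm behaviour.

```shell
#!/bin/sh
# Added example (not gradm code): strip sock_allow_family only for kernels that
# predate it, instead of lexing the directive away unconditionally.
# Assumed layout: policy text on stdin, kernel release string as $1.

# Exit 0 if the dotted release in $1 (suffix after the first '-' ignored, so
# "2.6.32-5-amd64" compares as 2.6.32) is older than 2.6.36.1, the first
# grsecurity kernel that understands sock_allow_family.
kernel_lt_2_6_36_1() {
    printf '%s\n' "${1%%-*}" | awk -F. '{
        split("2.6.36.1", want, ".")
        for (i = 1; i <= 4; i++) {
            have = $i + 0            # a missing component counts as 0
            if (have < want[i] + 0) exit 0
            if (have > want[i] + 0) exit 1
        }
        exit 1                       # equal: not older
    }'
}

# Copy stdin to stdout. On pre-2.6.36.1 kernels drop sock_allow_family lines,
# naming each one on stderr; on newer kernels pass the policy through untouched.
filter_policy() {
    if kernel_lt_2_6_36_1 "$1"; then
        awk '/^[[:space:]]*sock_allow_family([[:space:]]|$)/ {
                 print "warning: dropping unsupported directive on kernel " k ": " $0 > "/dev/stderr"
                 next
             }
             { print }' k="$1"
    else
        cat
    fi
}

# Constructed sample subject block (not a real site's policy).
SAMPLE_POLICY='subject /usr/sbin/sshd o {
	/		h
	sock_allow_family ipv4 ipv6 unix
	connect 0.0.0.0/0:22 stream tcp
}'

# Number of sock_allow_family lines that survive filtering for kernel release $1.
surviving_sock_lines() {
    printf '%s\n' "$SAMPLE_POLICY" | filter_policy "$1" 2>/dev/null \
        | awk '/^[[:space:]]*sock_allow_family/ { n++ } END { print n + 0 }'
}

# Number of lines in the filtered sample for kernel release $1.
filtered_line_count() {
    printf '%s\n' "$SAMPLE_POLICY" | filter_policy "$1" 2>/dev/null \
        | awk 'END { print NR }'
}

# Usage: sh filter_policy.sh "$(uname -r)" < policy > policy.filtered
if [ $# -eq 1 ]; then
    filter_policy "$1"
fi
```

Run against the real policy with the target box's `uname -r`; the stderr warnings are the audit trail that the lexer hack in the post does not leave behind.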