
Write-allowed ptrace for gdb?

PostPosted: Fri Oct 14, 2011 10:34 am
by Undine
RBAC is almost perfect, but there is another issue.
I read and understood all the kinds of object modes we have in RBAC, but there is only a read-only ptrace flag ('t'). So I can't run gdb on a program and modify its variables for debugging purposes. Is there a way to allow gdb to perform such tasks?

Re: Write-allowed ptrace for gdb?

PostPosted: Fri Oct 14, 2011 11:29 am
by spender
'r' subject mode: http://en.wikibooks.org/wiki/Grsecurity ... ject_Modes if you need to gdb attach, otherwise you can gdb your child process without any additional modes. The read-only ptrace flag is used as a restriction, not as some additional privilege.

-Brad

Re: Write-allowed ptrace for gdb?

PostPosted: Fri Oct 14, 2011 12:23 pm
by Undine
spender wrote: 'r' subject mode: http://en.wikibooks.org/wiki/Grsecurity ... ject_Modes if you need to gdb attach, otherwise you can gdb your child process without any additional modes. The read-only ptrace flag is used as a restriction, not as some additional privilege.

-Brad

Hm, that does not work for me. gdb refuses to run without rxt on /bin/bash, and /bin/bash refuses without rxt on the actually debugged program. It just puts this in the log:
grsec: (dev:S:/usr/bin/gdb) denied ptrace of /bin/bash by /bin/bash[gdb:31061] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gdb[gdb:31059] uid/euid:1000/1000 gid/egid:1000/1000

(Here I'm confused about "/bin/bash[gdb]")
which is avoidable only by setting this read-only ptrace restriction. But then gdb says that it can't modify registers (this restriction is in effect). How to solve this?

Re: Write-allowed ptrace for gdb?

PostPosted: Fri Oct 14, 2011 7:36 pm
by spender
Since you made a subject just for gdb and set the subject mode on that, you'll also need to add 't' to the subject mode.

-Brad

Re: Write-allowed ptrace for gdb?

PostPosted: Sat Oct 15, 2011 12:53 am
by Undine
spender wrote: Since you made a subject just for gdb and set the subject mode on that, you'll also need to add 't' to the subject mode.

-Brad

Thanks, it worked. Putting 't' on the gdb and bash subjects of that role.
(Unfortunately I can't trace the program - gdb reports an unusual EIO, but I'll try to fix that later with less complex programs)

Re: Write-allowed ptrace for gdb?

PostPosted: Sat Oct 15, 2011 1:51 pm
by Undine
Still can't run gdb properly :( Now I get EIO on ptrace and this gdb output:
Starting program: /tmp/hw.debug
Warning:
Cannot insert breakpoint 1.
Error accessing memory address 0x4004a8: Input/output error.
Cannot insert breakpoint -1.
Temporarily disabling shared library breakpoints:
breakpoint #-1

Logs are empty about this.
Can you help?

Re: Write-allowed ptrace for gdb?

PostPosted: Sat Oct 15, 2011 9:36 pm
by spender
You need to chpax -m the target binary.

-Brad

Re: Write-allowed ptrace for gdb?

PostPosted: Sun Oct 16, 2011 4:41 am
by Undine
spender wrote: You need to chpax -m the target binary.

-Brad

This did not solve the problem :(

Re: Write-allowed ptrace for gdb?

PostPosted: Sun Oct 16, 2011 5:24 am
by spender
Then you only have PT_PAX_FLAGS support and need to paxctl -C the binary, then paxctl -m it.

-Brad

Re: Write-allowed ptrace for gdb?

PostPosted: Sun Oct 16, 2011 6:00 am
by Undine
spender wrote: Then you only have PT_PAX_FLAGS support and need to paxctl -C the binary, then paxctl -m it.

-Brad

No, same effect.
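A constructed example, not from this thread or from the grsecurity project, that puts the pieces discussed above into one RBAC policy fragment: the role name, the two subjects and the paths come from the log line and the posts, while the role type and the object list are assumptions and will differ on a real system.

```text
# Constructed fragment of /etc/grsec/policy for the "dev" role seen in the log.
# Role type 's' (special role) is assumed from the 'S' in "(dev:S:/usr/bin/gdb)";
# keep whatever role line your policy already has.
role dev s

# gdb subject: 'r' as first suggested for the attach case, 't' so that the
# ptrace of its child is no longer read-only (the "can't modify registers" error).
subject /usr/bin/gdb rt
    /                h
    /usr/bin/gdb     x
    /bin/bash        rxt     # object 't' as used in the thread; subject 't' lifts the read-only limit
    /tmp/hw.debug    rxt
    /lib             rx      # assumed minimal object set for loading shared libraries
    /usr/lib         rx
    /etc/ld.so.cache r
    /dev/null        rw
    /dev/pts         rw
    /proc            r
    -CAP_ALL

# gdb starts the debuggee through /bin/bash, so, as the thread concludes,
# the shell's subject needs 't' as well or the exec'd program cannot be traced.
subject /bin/bash rt
    /                h
    /bin/bash        x
    /tmp/hw.debug    rxt
    /lib             rx
    /usr/lib         rx
    /etc/ld.so.cache r
    /dev/null        rw
    /dev/pts         rw
    -CAP_ALL
```

Reloading this with gradm -R only settles the ACL side; the EIO on "Cannot insert breakpoint" is PaX MPROTECT refusing the forced write gdb uses to plant the breakpoint in the text segment, so the debuggee itself must be marked with `paxctl -C /tmp/hw.debug && paxctl -m /tmp/hw.debug` (or `chpax -m` on a kernel that honours the legacy EI_PAX marking) and the result checked with `paxctl -v /tmp/hw.debug`.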