
System freezes under Linux 3.1.x (CAP_DAC_OVERRIDE)

Posted: Sat Dec 03, 2011 10:09 pm
by vs
My policy file contains these capability rules for /bin/login:
Code:
-CAP_ALL
+CAP_CHOWN
+CAP_DAC_OVERRIDE
+CAP_FOWNER
+CAP_FSETID
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_TTY_CONFIG

These rules worked fine for me in the past, but under Linux 3.1 my system freezes when (1) the RBAC system is enabled and (2) a non-root user tries to log in.

It looks like all policies that use -CAP_ALL and +CAP_DAC_OVERRIDE cause freezes in non-root contexts. The freezes no longer occur when +CAP_DAC_READ_SEARCH is added to the affected policies.

Tested versions:
  • Linux-2.6.32.49 + grsecurity-2.2.2-2.6.32.49-201111262001 => OK
  • Linux-3.0.8 + grsecurity-2.2.2-3.0.8-201110250925 => OK
  • Linux-3.1.3 + grsecurity-2.2.2-3.1.3-201111262001 => Freeze
  • Linux-3.1.4 + grsecurity-2.2.2-3.1.4-201112021740 => Freeze
All tests have been conducted with gradm-2.2.2-201111011031.

Since it works with previous kernel versions, a bug might have crept into the grsecurity patches for Linux 3.1.x. Any ideas?
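
Added example, not part of the original post and not grsecurity or gradm code: a Python check that scans a gradm-style policy for subjects matching the pattern reported above (-CAP_ALL plus +CAP_DAC_OVERRIDE without +CAP_DAC_READ_SEARCH). The sample policy, its role and the second subject path are constructed, and applying capability rules in file order is an assumption.

```python
import re

# Constructed sample policy: only the capability names and /bin/login come
# from the thread; the role and the second subject are made up.
SAMPLE_POLICY = """\
role default
subject /bin/login o {
	-CAP_ALL
	+CAP_CHOWN
	+CAP_DAC_OVERRIDE
}
subject /usr/bin/example o {
	-CAP_ALL
	+CAP_DAC_OVERRIDE
	+CAP_DAC_READ_SEARCH   # workaround reported in the thread
}
"""

HEADER = re.compile(r"^(role|subject)\s+(\S+)")
CAP = re.compile(r"^([+-])(CAP_[A-Z_]+)$")

def affected_subjects(policy_text):
    """Return (role, subject) pairs that drop CAP_ALL and re-add
    CAP_DAC_OVERRIDE without CAP_DAC_READ_SEARCH.
    Assumption: capability rules take effect in file order."""
    role = current = None
    state = {}  # (role, subject) -> [dropped_all, set of re-added caps]
    for raw in policy_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        head, cap = HEADER.match(line), CAP.match(line)
        if head and head.group(1) == "role":
            role, current = head.group(2), None
        elif head:
            current = (role, head.group(2))
            state[current] = [False, set()]
        elif cap and current:
            sign, name = cap.groups()
            if name == "CAP_ALL":
                state[current] = [sign == "-", set()]
            elif sign == "+":
                state[current][1].add(name)
            else:
                state[current][1].discard(name)
    return [key for key, (dropped, added) in state.items()
            if dropped and "CAP_DAC_OVERRIDE" in added
            and "CAP_DAC_READ_SEARCH" not in added]

if __name__ == "__main__":
    print(affected_subjects(SAMPLE_POLICY))
```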

Re: System freezes under Linux 3.1.x (CAP_DAC_OVERRIDE)

Posted: Sun Dec 04, 2011 12:47 am
by spender
Can you come up with a simpler reproducer? I've used your policy with both login and a custom app that used CAP_DAC_OVERRIDE when run as a nonzero uid. Neither exhibits any problems. Also, can you enable lockdep and other related debugging options (and netconsole to get the kernel logs at the time of the freeze)?

Update: I've been able to reproduce it. I'll try to have a fix today.

-Brad

Re: System freezes under Linux 3.1.x (CAP_DAC_OVERRIDE)

Posted: Sun Dec 04, 2011 7:03 pm
by MRovis
It's not a freeze that I am experiencing, but for the last week or so, I just can't get any of my 3.x.x (3.0.8 as well, not just the 3.1.1 and 3.1.3 versions) Gentoo hardened kernels to work like the older 2.6.39-hardened kernel.
Here is what I haven't budged away from at all:
http://forums.gentoo.org/viewtopic-t-903218-highlight-.html
  • # uname -r
    2.6.39-hardened-r8
    works
  • 3.0.8-hardened
    does not work or works poorly
  • 3.1.1-hardened-r1
    does not work or works poorly
  • 3.1.3-hardened
    does not work or works poorly
The problems that I experience range from failing to compile regular emerge to having no permissions for simple things (mounts, file reads) for plain ole programs.
E.g.
the firefox program itself has no permission to read the file places.sqlite. This file:
  • /home/me/.mozilla/firefox/saltname.default/places.sqlite
and that means, no bookmarks, no history etc.
And for a mounted (sometimes some of the 3.x.x do mount, sometimes they don't mount my USB stick with tor-port on it) USB stick partition, the file that is supposed to start the tor bundle:
Code:
/mnt/sdf2/tor-browser_en-US/start-tor-browser

and which executes faultlessly with the 2.6.39-hardened, gives the error, IIRC (I am back in the working old 2.6.39 kernel):
Code:
bash: bad interpreter

or something to that effect.
I have been trying to figure out what the issue is, and have been working and reading a lot on it, and searching the web, and this topic is the closest match that I found.
Thanks!

Re: System freezes under Linux 3.1.x (CAP_DAC_OVERRIDE)

Posted: Mon Dec 05, 2011 7:53 pm
by vs
I can confirm that the problem is resolved in grsecurity-2.2.2-3.1.4-201112041811.

Many thanks,
-vs

Re: System freezes under Linux 3.1.x (CAP_DAC_OVERRIDE)

Posted: Sat Dec 10, 2011 1:13 pm
by MRovis
Regarding what I posted above, please, gentle reader, whether you may be much further advanced, or more newbie-like in your understanding such as I am, do note that what I wrote in the previous post above probably isn't right.
Here you can read what I discovered, and with serious expenditure of time (it really took me time! dear Jesus! :oops: ... ):
http://forums.gentoo.org/viewtopic-t-90 ... ight-.html
Thanks!

Re: System freezes under Linux 3.1.x (CAP_DAC_OVERRIDE)

Posted: Fri Dec 30, 2011 11:46 am
by Wizarred
MRovis, thanks for providing this link - it saved me a lot of time and effort.