
defines for bind/connect

PostPosted: Wed Jul 25, 2012 5:02 pm
by moseleymark
A colleague pointed out to me (to my chagrin, after using grsec for years) the 'define' mechanism the other day. I'd never seen it before (nor can I find mention of it on the wiki) but it looks super, super useful. One thing I was curious about was why it's limited to the file entries. Being able to use defines for the bind/connect sections of an ACL would make it even more useful. I've got bind/connect for every ACL entry and they are the most repetitive bits of my policies, almost invariably 'bind disabled' (for non-daemons) and the same initial connects (for DNS, LDAP, etc., plus "connect 0.0.0.0/32:0 dgram udp" to keep interface discovery from choking the logs).

Re: defines for bind/connect

PostPosted: Wed Jul 25, 2012 6:24 pm
by spender
Hi Mark,

I'll look into adding this for you -- thanks for the suggestion.

-Brad

Re: defines for bind/connect

PostPosted: Wed Jul 25, 2012 8:56 pm
by spender
Hi Mark,

I added support for connect/bind rules and also capabilities. If you'd like to test the code it's in the git repo for gradm:

http://cvsweb.grsecurity.net/?p=gradm.g ... eb81d1bebe

Thanks!
-Brad
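To show what the thread is talking about, here is a policy fragment of the kind Mark describes, written as an added illustration; it is not taken from the thread, from the gradm commit, or from grsecurity's documentation. It assumes gradm's define syntax (a `define <name> { ... }` block that is expanded wherever `$<name>` appears inside a subject), and the addresses, ports and subject path are placeholders. The point is that, with the change Brad describes, the same define can carry the bind/connect rules and a capability line rather than only file objects:

```text
# Constructed example policy fragment (not from the thread or from gradm's docs).
# Assumes: "define <name> { ... }" declares a reusable block and "$<name>"
# inside a subject expands it in place.

define net_client {
	# non-daemon: never allowed to bind a listening socket
	bind	disabled
	# DNS and LDAP; placeholder addresses
	connect	192.0.2.53/32:53 dgram udp
	connect	192.0.2.53/32:53 stream tcp
	connect	192.0.2.10/32:389 stream tcp
	# interface discovery, so it does not fill the logs with denials
	connect	0.0.0.0/32:0 dgram udp
	# capability rules can live in the define too (per Brad's reply)
	-CAP_NET_BIND_SERVICE
}

subject /usr/bin/curl o {
	/			h
	/etc/resolv.conf	r
	/etc/hosts		r
	$net_client
}
```

Every subject that needs the client-only network profile then pulls in `$net_client` instead of repeating the same bind/connect lines. After editing, `gradm -C` checks the policy without loading it; a gradm built before this change would reject the non-file lines inside the define, which is why Mark asks about older gradm versions in the next post.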

Re: defines for bind/connect

PostPosted: Thu Jul 26, 2012 5:49 pm
by moseleymark
Applied and testing. Looks good so far. I've applied it to a 2.2.2 gradm as well and it seems to be working fine there too (any gotchas of using it with older gradms I should be aware of?).

Thanks for the super quick turnaround! This is a feature I think could be pretty useful to everyone.

Re: defines for bind/connect

PostPosted: Thu Jul 26, 2012 6:07 pm
by spender
Hi Mark,

If it applied cleanly there shouldn't be any issues. The patch doesn't affect any interaction with the kernel, just which objects get added to the policy (which is eventually transferred to the kernel).

-Brad