
kernel 3.9.4 grsec + cgroups

PostPosted: Fri Jun 21, 2013 9:54 am
by davy
Hi,

I'm new to grsec; the problem seems to be related to the grsec patch, but I'm not sure.

I have some issues with cgroup destination matching.

For the moment, i'm using linux-3.9.4 with one of the latest grsec patch, grsecurity-2.9.1-3.9.4-2013052510.
Without this patch, cgroups work well. (https://www.kernel.org/doc/Documentatio ... groups.txt)

/etc/cgrules.conf is used to set the destination cgroup.
#<user>     <controllers>     <destination>
www-data   memory      daemons/www


When I run something as www-data, I can see that the process is matched correctly (memory destination: daemons/www):

root@debian1:~# cat /proc/1629/cgroup
4:memory:/daemons/www
3:devices:/sysdefault
2:cpuacct:/sysdefault
1:cpu:/sysdefault


But when I'm on the grsec kernel, I cannot get it working: the process is always placed in the default destination, so I suppose something is wrong with the matching.

root@debian1:~# cat /proc/1993/cgroup
12:memory:/sysdefault
11:devices:/sysdefault
10:cpuacct:/sysdefault


Does someone know whether it's related to grsec or to a particular grsec option?

Here are my grsec kernel options:

root@amnesia:/usr/src/linux-3.9.4# grep GRKERN .config
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_CONFIG_AUTO is not set
CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
CONFIG_GRKERNSEC_SYMLINKOWN_GID=1006
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_KERN_LOCKOUT=y
# CONFIG_GRKERNSEC_NO_RBAC is not set
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_SYMLINKOWN=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
CONFIG_GRKERNSEC_ROFS=y
CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
CONFIG_GRKERNSEC_CHROOT_INITRD=y
CONFIG_GRKERNSEC_AUDIT_GROUP=y
CONFIG_GRKERNSEC_AUDIT_GID=1007
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_PTRACE=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_READEXEC=y
CONFIG_GRKERNSEC_SETXID=y
# CONFIG_GRKERNSEC_TPE is not set
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_BLACKHOLE=y
# CONFIG_GRKERNSEC_NO_SIMULT_CONNECT is not set
# CONFIG_GRKERNSEC_SOCKET is not set
CONFIG_GRKERNSEC_SYSCTL=y
# CONFIG_GRKERNSEC_SYSCTL_DISTRO is not set
CONFIG_GRKERNSEC_SYSCTL_ON=y
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=6


If you need more info, let me know.
Thank you for your help!

Re: kernel 3.9.4 grsec + cgroups

PostPosted: Fri Jun 21, 2013 6:09 pm
by spender
Is CONFIG_MEMCG enabled?

-Brad

Re: kernel 3.9.4 grsec + cgroups

PostPosted: Mon Jun 24, 2013 4:17 am
by davy
Hello Brad,

Yes it is.

root@debian1:~# grep CG /boot/config-3.9.4.-grsec
# CONFIG_TCG_ST33_I2C is not set
root@debian1:~# grep CG /boot/config-3.9.4.-grsec
CONFIG_CGROUPS=y
# CONFIG_CGROUP_DEBUG is not set
CONFIG_CGROUP_FREEZER=y
CONFIG_CGROUP_DEVICE=y
CONFIG_CGROUP_CPUACCT=y
CONFIG_MEMCG=y
CONFIG_MEMCG_SWAP=y
CONFIG_MEMCG_SWAP_ENABLED=y
CONFIG_MEMCG_KMEM=y
CONFIG_CGROUP_HUGETLB=y
CONFIG_CGROUP_PERF=y
CONFIG_CGROUP_SCHED=y
CONFIG_BLK_CGROUP=y
# CONFIG_DEBUG_BLK_CGROUP is not set
CONFIG_NET_CLS_CGROUP=y
# CONFIG_NETPRIO_CGROUP is not set
# CONFIG_MTD_DOCG3 is not set
# CONFIG_MTD_NAND_DOCG4 is not set
CONFIG_TCG_TPM=m
CONFIG_TCG_TIS=m
# CONFIG_TCG_TIS_I2C_INFINEON is not set
CONFIG_TCG_NSC=m
CONFIG_TCG_ATMEL=m
CONFIG_TCG_INFINEON=m
# CONFIG_TCG_ST33_I2C is not set

root@debian1:~# cat /proc/cgroups
#subsys_name   hierarchy   num_cgroups   enabled
cpuset   0   1   1
cpu   1   2   1
cpuacct   2   2   1
memory   4   4   1
devices   3   2   1
freezer   0   1   1
net_cls   0   1   1
blkio   0   1   1
perf_event   0   1   1
hugetlb   0   1   1


Thank you
Davy

Re: kernel 3.9.4 grsec + cgroups

PostPosted: Mon Jun 24, 2013 8:18 am
by davy
Hi,

I noticed that the kernel version reported when booting the "non-patched" kernel was not the same as the one reported by dpkg.
I must have made a mistake when I compiled and packaged the kernel (it seems I used the 3.8.4 non-patched kernel instead of 3.9.4).

Cgroups with 3.9.4 without the grsec patch are not working either, so I suppose the problem is not related to grsec but to the kernel itself or to the cgroup configuration.

Sorry for the trouble.
Davy