CAP_BLOCK_SUSPEND to be added to gradm
Posted: Fri Aug 29, 2014 9:23 am
Hi Brad,
I'm using linux-3.15.10-hardened-r2 along with gradm-3.0-201407222118.
I don't know how long this new capability CAP_BLOCK_SUSPEND has been around in the kernel (I see it in linux-3.15.9-hardened), but somehow it hasn't been triggered until lately. Maybe it's the new systemd-216, I didn't see that for systemd-215 on a previous kernel with the capability already present. So systemd-216 asks for it but works without it. Dovecot also claims this capability for some reason I don't really understand, but it also works without it.
In the meantime gradm's last capability is still CAP_WAKE_ALARM. If I add the capability to the policy, gradm therefore complains about the unknown capability. Adding the new capability is trivial and solves the situation.
diff -urN gradm-orig/gradm_cap.c gradm-dw/gradm_cap.c
--- gradm-orig/gradm_cap.c 2014-07-17 02:22:13.000000000 +0200
+++ gradm-dw/gradm_cap.c 2014-08-29 15:03:01.872462751 +0200
@@ -57,6 +57,7 @@
{"CAP_MAC_ADMIN", 33},
{"CAP_SYSLOG", 34},
{"CAP_WAKE_ALARM", 35},
+ {"CAP_BLOCK_SUSPEND", 36},
{"CAP_ALL", ~0}
};
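Review bot: The new entry's number 36 is the kernel's own value for CAP_BLOCK_SUSPEND (CAP_WAKE_ALARM is 35), so the table stays in step with the kernel numbering, but the table and CAP_MAX in gradm_defs.h are now two places that must be edited together by hand. Consider adding a check, at build time or when the table is first used, that the highest numbered entry before the `{"CAP_ALL", ~0}` terminator equals CAP_MAX, so that a future capability added to one file and not the other fails loudly instead of being silently rejected as "unknown".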
diff -urN gradm-orig/gradm_defs.h gradm-dw/gradm_defs.h
--- gradm-orig/gradm_defs.h 2014-07-17 02:22:13.000000000 +0200
+++ gradm-dw/gradm_defs.h 2014-08-29 15:03:31.760533829 +0200
@@ -40,8 +40,8 @@
#define PATH_MAX 4096
#define MAX_LINE_LEN 5000
-// CAP_WAKE_ALARM
-#define CAP_MAX 35
+// CAP_BLOCK_SUSPEND
+#define CAP_MAX 36
#define MAX_INCLUDE_DEPTH 20
#define MAX_NEST_DEPTH 8
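Review bot: CAP_MAX is an inclusive bound (CAP_WAKE_ALARM = 35 went with CAP_MAX 35), so 36 for CAP_BLOCK_SUSPEND is consistent with the first hunk and with the kernel's highest capability number in this release series. Before merging, grep for every use of CAP_MAX in gradm: a loop or bitmask written as `<= CAP_MAX` now covers the new bit, while one written as `< CAP_MAX` would stop at CAP_WAKE_ALARM and drop CAP_BLOCK_SUSPEND without any error. The updated comment naming the capability above the define is the right convention and should be kept for later bumps.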
Unfortunately it also means that an updated policy cannot be loaded with a prior gradm after the upgrade...
Regards: Dw.
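As an added example, and not code from gradm or from the post above: a small C model of the two things the patch touches, a name-to-number table terminated by CAP_ALL and an inclusive CAP_MAX bound, together with the behaviour the post describes (a policy naming CAP_BLOCK_SUSPEND loads with the patched table but is rejected by a loader whose bound is still 35). The table layout and the CAP_MAX convention mirror the patch; the capability numbers are the kernel's for Linux 3.15; cap_resolve(), check_policy_caps() and table_matches_cap_max() are hypothetical names, and the policy fragment is constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Inclusive bound on the capability numbers this loader knows, as in the
 * patched gradm_defs.h. The table below must end at exactly this number. */
#define CAP_MAX 36

struct cap_entry { const char *name; int number; };

/* Name/number table in the layout used by gradm_cap.c. Numbers are the
 * kernel's (include/uapi/linux/capability.h, Linux 3.15). */
static const struct cap_entry cap_table[] = {
    {"CAP_CHOWN", 0}, {"CAP_DAC_OVERRIDE", 1}, {"CAP_DAC_READ_SEARCH", 2},
    {"CAP_FOWNER", 3}, {"CAP_FSETID", 4}, {"CAP_KILL", 5},
    {"CAP_SETGID", 6}, {"CAP_SETUID", 7}, {"CAP_SETPCAP", 8},
    {"CAP_LINUX_IMMUTABLE", 9}, {"CAP_NET_BIND_SERVICE", 10},
    {"CAP_NET_BROADCAST", 11}, {"CAP_NET_ADMIN", 12}, {"CAP_NET_RAW", 13},
    {"CAP_IPC_LOCK", 14}, {"CAP_IPC_OWNER", 15}, {"CAP_SYS_MODULE", 16},
    {"CAP_SYS_RAWIO", 17}, {"CAP_SYS_CHROOT", 18}, {"CAP_SYS_PTRACE", 19},
    {"CAP_SYS_PACCT", 20}, {"CAP_SYS_ADMIN", 21}, {"CAP_SYS_BOOT", 22},
    {"CAP_SYS_NICE", 23}, {"CAP_SYS_RESOURCE", 24}, {"CAP_SYS_TIME", 25},
    {"CAP_SYS_TTY_CONFIG", 26}, {"CAP_MKNOD", 27}, {"CAP_LEASE", 28},
    {"CAP_AUDIT_WRITE", 29}, {"CAP_AUDIT_CONTROL", 30}, {"CAP_SETFCAP", 31},
    {"CAP_MAC_OVERRIDE", 32}, {"CAP_MAC_ADMIN", 33}, {"CAP_SYSLOG", 34},
    {"CAP_WAKE_ALARM", 35}, {"CAP_BLOCK_SUSPEND", 36},
    {"CAP_ALL", ~0}
};
#define CAP_TABLE_LEN (sizeof(cap_table) / sizeof(cap_table[0]))

/* Bitmask covering every numbered capability 0..cap_max. */
static uint64_t cap_all_mask(int cap_max)
{
    return (cap_max >= 63) ? UINT64_MAX : ((1ULL << (cap_max + 1)) - 1);
}

/* Resolve one name against the table, treating any entry numbered above
 * cap_max as unknown. Passing a smaller cap_max models an older loader
 * built before the entry existed (the compatibility problem in the post).
 * Returns 0 and ORs the bit(s) into *mask, or -1 if the name is rejected. */
int cap_resolve(const char *name, int cap_max, uint64_t *mask)
{
    for (size_t i = 0; i < CAP_TABLE_LEN; i++) {
        if (strcmp(cap_table[i].name, name) != 0)
            continue;
        if (cap_table[i].number == ~0) {        /* CAP_ALL */
            *mask |= cap_all_mask(cap_max);
            return 0;
        }
        if (cap_table[i].number > cap_max)
            return -1;
        *mask |= 1ULL << cap_table[i].number;
        return 0;
    }
    return -1;
}

/* Parse a whitespace-separated list of capability names and build the
 * mask. Returns how many names were rejected; the first rejected name is
 * copied into `unknown` so the caller can report it. */
int check_policy_caps(const char *line, int cap_max, uint64_t *mask,
                      char *unknown, size_t unknown_len)
{
    char buf[256];
    int rejected = 0;
    *mask = 0;
    if (unknown_len) unknown[0] = '\0';
    snprintf(buf, sizeof buf, "%s", line);
    for (char *tok = strtok(buf, " \t\n"); tok; tok = strtok(NULL, " \t\n")) {
        if (cap_resolve(tok, cap_max, mask) == 0)
            continue;
        if (rejected == 0 && unknown_len)
            snprintf(unknown, unknown_len, "%s", tok);
        rejected++;
    }
    return rejected;
}

/* Consistency check for the hand-maintained pair (table, CAP_MAX): the
 * numbered entries must be exactly 0..CAP_MAX, each appearing once. */
int table_matches_cap_max(void)
{
    uint64_t seen = 0;
    for (size_t i = 0; i < CAP_TABLE_LEN; i++) {
        int n = cap_table[i].number;
        if (n == ~0) continue;
        if (n < 0 || n > CAP_MAX || (seen & (1ULL << n)))
            return 0;
        seen |= 1ULL << n;
    }
    return seen == cap_all_mask(CAP_MAX);
}

int main(void)
{
    uint64_t mask; char bad[64];
    const char *policy = "CAP_WAKE_ALARM CAP_BLOCK_SUSPEND"; /* constructed */
    int r = check_policy_caps(policy, CAP_MAX, &mask, bad, sizeof bad);
    printf("patched loader: %d rejected, mask=%#llx\n", r, (unsigned long long)mask);
    r = check_policy_caps(policy, 35, &mask, bad, sizeof bad);
    printf("loader with CAP_MAX 35: %d rejected (%s)\n", r, bad);
    printf("table consistent with CAP_MAX: %d\n", table_matches_cap_max());
    return 0;
}
```

Running it shows the same policy line accepted by the patched table and rejected, naming CAP_BLOCK_SUSPEND, when the bound is left at 35; table_matches_cap_max() is the kind of check that would catch a table edited without the matching CAP_MAX bump.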