Subject Learning Not Learning Capabilities/Networks

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Subject Learning Not Learning Capabilities/Networks

Postby tjh » Sun Jan 04, 2015 6:51 pm

I encounter the odd problem where learning on a subject doesn't pick up any of the network/capability requirements of the process.

Case in point is ping.

Firstly I didn't have a specific subject for ping for my user, so it was failing:

grsec: From 192.168.0.107: (tim:U:/) use of CAP_NET_RAW denied for /bin/ping[ping:26198] uid/euid:1000/0 gid/egid:1000/1000, parent /usr/bin/tcsh[tcsh:26195] uid/euid:1000/1000 gid/egid:1000/1000
grsec: From 192.168.0.107: (tim:U:/) use of CAP_SETUID denied for /bin/ping[ping:26198] uid/euid:1000/0 gid/egid:1000/1000, parent /usr/bin/tcsh[tcsh:26195] uid/euid:1000/1000 gid/egid:1000/1000
grsec: From 192.168.0.107: (tim:U:/) use of CAP_NET_RAW denied for /bin/ping[ping:26200] uid/euid:1000/0 gid/egid:1000/1000, parent /usr/bin/tcsh[tcsh:26195] uid/euid:1000/1000 gid/egid:1000/1000
grsec: From 192.168.0.107: (tim:U:/) use of CAP_SETUID denied for /bin/ping[ping:26200] uid/euid:1000/0 gid/egid:1000/1000, parent /usr/bin/tcsh[tcsh:26195] uid/euid:1000/1000 gid/egid:1000/1000

No worries. So I added /bin/ping to Tim's role with:
subject /bin/ping ol {
   /
}

And then started gradm with "gradm -E -L /tmp/fixes.log"

I pinged a few things:

micro:~> ping muppetz.com
PING muppetz.com (103.247.152.88) 56(84) bytes of data.
64 bytes from muppetz.com (103.247.152.88): icmp_req=1 ttl=56 time=9.16 ms
^C
--- muppetz.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 9.163/9.163/9.163/0.000 ms
micro:~> ping slashdot.org
PING slashdot.org (216.34.181.45) 56(84) bytes of data.
^C64 bytes from slashdot.org (216.34.181.45): icmp_req=1 ttl=236 time=192 ms

--- slashdot.org ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 192.438/192.438/192.438/0.000 ms
micro:~> ping beer.com
PING beer.com (198.202.143.18) 56(84) bytes of data.
^C64 bytes from landings.lax.aftermarket.com (198.202.143.18): icmp_req=1 ttl=47 time=146 ms

--- beer.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 146.868/146.868/146.868/0.000 ms

The output of that session (from fixes.log) is below:

tim     1       1000    1000    /bin/ping       /bin/ping       1       1       /lib/i386-linux-gnu/ld-2.13.so  8       192.168.0.107
tim     1       1000    1000    /bin/ping       /bin/ping       1       1       /etc/ld.so.cache        17      192.168.0.107
tim     1       1000    1000    /bin/ping       /bin/ping       1       1       /lib/i386-linux-gnu/i686/cmov/libc-2.13.so      17      192.168.0.107
tim     1       1000    1000    /bin/ping       /bin/ping       1       1       /lib/i386-linux-gnu/i686/cmov/libc-2.13.so      8       192.168.0.107
tim     1       1000    1000    /bin/ping       /bin/ping       u       1000    1000    1000    192.168.0.107
tim     1       1000    1000    /bin/ping       /bin/ping       1       1       /run/resolvconf/resolv.conf     17      192.168.0.107
tim     1       1000    1000    /bin/ping       /bin/ping       1       1       /etc/nsswitch.conf      17      192.168.0.107
tim     1       1000    1000    /bin/ping       /bin/ping       1       1       /lib/i386-linux-gnu/i686/cmov/libnss_files-2.13.so      17      192.168.0.107
tim     1       1000    1000    /bin/ping       /bin/ping       1       1       /lib/i386-linux-gnu/i686/cmov/libnss_files-2.13.so      8       192.168.0.107
tim     1       1000    1000    /bin/ping       /bin/ping       1       1       /etc/host.conf  17      192.168.0.107
tim     1       1000    1000    /bin/ping       /bin/ping       1       1       /etc/hosts      17      192.168.0.107
tim     1       1000    1000    /bin/ping       /bin/ping       1       1       /lib/libnss_mdns4_minimal.so.2  17      192.168.0.107
tim     1       1000    1000    /bin/ping       /bin/ping       1       1       /lib/libnss_mdns4_minimal.so.2  8       192.168.0.107
tim     1       1000    1000    /bin/ping       /bin/ping       1       1       /lib/i386-linux-gnu/i686/cmov/libnss_dns-2.13.so        17      192.168.0.107
tim     1       1000    1000    /bin/ping       /bin/ping       1       1       /lib/i386-linux-gnu/i686/cmov/libnss_dns-2.13.so        8       192.168.0.107
tim     1       1000    1000    /bin/ping       /bin/ping       1       1       /lib/i386-linux-gnu/i686/cmov/libresolv-2.13.so 17      192.168.0.107
tim     1       1000    1000    /bin/ping       /bin/ping       1       1       /lib/i386-linux-gnu/i686/cmov/libresolv-2.13.so 8       192.168.0.107

I then ran gradm -F /tmp/fixes.log -O /tmp/fixes.conf

In fixes.conf I have:

###  THE BELOW SUBJECT(S) SHOULD BE ADDED TO THE USER ROLE "tim" ###
# Role: tim
subject /bin/ping o {
user_transition_allow tim

        /
        /bin                            h
        /bin/ping                       rx
        /boot                           h
        /dev/grsec                      h
        /dev/kmem                       h
        /dev/log                        h
        /dev/mem                        h
        /dev/port                       h
        /etc                            h
        /etc/host.conf                  r
        /etc/hosts                      r
        /etc/ld.so.cache                r
        /etc/nsswitch.conf              r
        /lib                            rx
        /lib/modules                    h
        /lib64/modules                  h
        /proc/bus                       h
        /proc/kallsyms                  h
        /proc/kcore                     h
        /proc/modules                   h
        /proc/slabinfo                  h
        /proc/sys                       h
        /run                            h
        /run/resolvconf/resolv.conf     r
        /sys                            h
        /usr/src                        h
        /var/backups                    h
        /var/log                        h
        -CAP_ALL
        bind    disabled
        connect disabled
        sock_allow_family all
}

There are still no capability or connect rules; trying to ping gives me:

grsec: From 192.168.0.107: (tim:U:/bin/ping) denied socket(inet,raw,icmp) by /bin/ping[ping:26848] uid/euid:1000/0 gid/egid:1000/1000, parent /usr/bin/tcsh[tcsh:26844] uid/euid:1000/1000 gid/egid:1000/1000
grsec: From 192.168.0.107: (tim:U:/bin/ping) use of CAP_SETUID denied for /bin/ping[ping:26848] uid/euid:1000/0 gid/egid:1000/1000, parent /usr/bin/tcsh[tcsh:26844] uid/euid:1000/1000 gid/egid:1000/1000
grsec: From 192.168.0.107: (tim:U:/bin/ping) denied socket(inet,dgram,ip) by /bin/ping[ping:26848] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/tcsh[tcsh:26844] uid/euid:1000/1000 gid/egid:1000/1000

I have enough knowledge to know how to fix that myself manually, but I'm curious why this didn't work. Am I doing something wrong? Is learning capabilities/network statements only supported with full learning, not subject learning?

Thanks!

Tim
tjh
 
Posts: 102
Joined: Sat Oct 16, 2004 8:19 pm

Re: Subject Learning Not Learning Capabilities/Networks

Postby spender » Sun Jan 04, 2015 10:09 pm

Hi Tim,

I'll look into this -- are you using the latest gradm?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Subject Learning Not Learning Capabilities/Networks

Postby tjh » Sun Jan 04, 2015 10:27 pm

I'm using the latest available at ~spender, not the latest available from your cvs/github repo.

If you think that's worth trying I'm happy to give it a go.

Tim
tjh
 
Posts: 102
Joined: Sat Oct 16, 2004 8:19 pm

Re: Subject Learning Not Learning Capabilities/Networks

Postby spender » Sun Jan 04, 2015 10:36 pm

That's fine, no need to use the git version.

I'll let you know what I find out.

Thanks,
-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Subject Learning Not Learning Capabilities/Networks

Postby spender » Mon Jan 05, 2015 8:59 am

Hi Tim,

Which kernel are you using?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Subject Learning Not Learning Capabilities/Networks

Postby tjh » Mon Jan 05, 2015 1:39 pm

I follow the development fairly closely, this is a 3.17.6-grsec kernel.

Happy to provide the .config as well if that'll help.
tjh
 
Posts: 102
Joined: Sat Oct 16, 2004 8:19 pm

Re: Subject Learning Not Learning Capabilities/Networks

Postby spender » Mon Jan 12, 2015 10:34 pm

Hi Tim,

I didn't spot it on my first read through of your report, but when I went to go reproduce your problem, I realized the issue. Your object list for learning on ping is incorrect. You used:

subject /bin/ping ol {
   /
}

when you should have used:

subject /bin/ping ol {
   / h
   -CAP_ALL
   connect disabled
   bind disabled
}


It's necessary to use the additional lines, as the absence of any capability rules for instance implies all capabilities are allowed, likewise if no network policy is used. With the object list I provided, all filesystem, capability, and network accesses will be learned.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
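A small policy lint, added here as an example (it is not part of gradm or of this thread), that flags learning subjects missing the three deny-all rules Brad describes; the sample policy text is constructed and the subject paths in it are illustrative.

```python
import re

# Constructed sample policy: the learning subject as posted in the thread
# (only "/" in its object list) next to a correctly written learning subject.
SAMPLE_POLICY = """\
role tim u
subject / {
        /       h
        -CAP_ALL
        connect disabled
        bind    disabled
}
subject /bin/ping ol {
        /
}
subject /usr/bin/dig ol {
        / h
        -CAP_ALL
        connect disabled
        bind disabled
}
"""

# "subject <path> <mode> {" ; mode is optional, 'o' = override, 'l' = learning
SUBJECT_RE = re.compile(r"^\s*subject\s+(\S+)\s+(\w*)\s*\{")


def parse_subjects(policy_text):
    """Return a list of (path, mode, [body lines]) for every subject block."""
    subjects, current = [], None
    for raw in policy_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = SUBJECT_RE.match(line)
        if m:
            current = (m.group(1), m.group(2), [])
            subjects.append(current)
        elif line == "}":
            current = None
        elif current is not None:
            current[2].append(line)
    return subjects


def learning_gaps(policy_text):
    """Map each learning subject ('l' in its mode) to the deny-all rules it lacks.

    Without -CAP_ALL every capability is implicitly allowed, and without
    'connect disabled' / 'bind disabled' all network access is allowed, so
    nothing is denied and gradm has nothing to learn for those accesses."""
    required = ("-CAP_ALL", "connect disabled", "bind disabled")
    gaps = {}
    for path, mode, body in parse_subjects(policy_text):
        if "l" not in mode:
            continue
        normalised = [" ".join(rule.split()) for rule in body]
        missing = [rule for rule in required if rule not in normalised]
        if missing:
            gaps[path] = missing
    return gaps
```

Run `learning_gaps` over a policy before starting `gradm -E -L` to catch a learning subject that will silently miss capability and socket rules.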

Re: Subject Learning Not Learning Capabilities/Networks

Postby tjh » Mon Jan 12, 2015 10:37 pm

Makes sense, thanks very much!
tjh
 
Posts: 102
Joined: Sat Oct 16, 2004 8:19 pm
