
Nested subject override flag?

Posted: Tue Mar 08, 2016 11:55 am
by salam
Hi,

I did not find any documentation regarding the override 'o' flag on nested subjects. It looks like this mode is not applied here. Example with gentoo-hardened 4.1.7-r1:

(root:U:/bin/bash) denied access to hidden file /proc/meminfo by /bin/bash[bash:10885] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/cron[cron:10884] uid/euid:0/0 gid/egid:0/0

Here the subject is /bin/bash, which is configured as:
Code:
subject /usr/sbin/cron:/bin/bash o {
/ h
...
...
-CAP_ALL
bind disabled
connect disabled
}


However, the 'o' flag is apparently ignored: when I grant access to /proc/meminfo to the parent 'cron' subject, bash gets access as well. Also, not specifying the default subject '/' with an 'o'-flagged subject does not report an error on gradm check/reload. What would be the best way to achieve a special ACL for bash run by the cron process while not granting it access to the same objects/CAPS as cron?

Re: Nested subject override flag?

Posted: Tue Mar 08, 2016 6:37 pm
by spender
Hi,

This seems like a bug in gradm. Can you apply the following patch to add override support for nested subjects?

Code:
diff --git a/gradm_nest.c b/gradm_nest.c
index 17e97a6..f67b4c9 100644
--- a/gradm_nest.c
+++ b/gradm_nest.c
@@ -91,7 +91,8 @@ add_proc_nested_acl(struct role_acl *role, const char *mainsubjname,
                        if (otmp->mode & GR_EXEC)
                                otmp->nested = current_subject;
        }
-       current_subject->parent_subject = stmp;
+       if (!(current_subject->mode & GR_OVERRIDE) && strcmp(current_subject->filename, "/"))
+               current_subject->parent_subject = stmp;

        if (!stat(nestednames[i - 1], &fstat) && S_ISREG(fstat.st_mode))
                add_proc_object_acl(current_subject, nestednames[i - 1], proc_object_mode_conv("rx"), GR_FLEARN);
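Review bot: the new condition drops the parent link for an override subject but adds no check that such a subject still has somewhere to resolve objects; once `current_subject->parent_subject` is left unset for a subject flagged `o`, any lookup that used to fall through to the parent has nothing to fall back on unless the subject defines its own default "/" object, so gradm should reject an override nested subject lacking one at policy-check time rather than letting the kernel discover it. Also, the `strcmp(current_subject->filename, "/")` clause skips the parent link for a nested subject whose name is exactly "/" regardless of its mode; if that is intended, a one-line comment saying why would help the next reader.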


Thanks,
-Brad

Re: Nested subject override flag?

Posted: Thu Mar 10, 2016 12:28 pm
by salam
What is the correct version of gradm to patch? The one I have (package gradm-3.1.201507041117) doesn't seem to be compatible with the patch code.
From the headers:
#define GR_VERSION "3.1"
#define GRADM_VERSION 0x3100

Re: Nested subject override flag?

Posted: Thu Mar 10, 2016 7:30 pm
by spender
What patch command did you use and what was the output? It should apply cleanly against that version.

-Brad

Re: Nested subject override flag?

Posted: Fri Mar 11, 2016 11:57 am
by salam
I used the following:

Code:
# patch -p1 < nest.patch
patching file gradm_nest.c
Hunk #1 FAILED at 91.
1 out of 1 hunk FAILED -- saving rejects to file gradm_nest.c.rej
#


Code:
# cat nest.patch
diff --git a/gradm_nest.c b/gradm_nest.c
index 17e97a6..f67b4c9 100644
--- a/gradm_nest.c
+++ b/gradm_nest.c
@@ -91,7 +91,8 @@ add_proc_nested_acl(struct role_acl *role, const char *mainsubjname,
                        if (otmp->mode & GR_EXEC)
                                otmp->nested = current_subject;
        }
-       current_subject->parent_subject = stmp;
+       if (!(current_subject->mode & GR_OVERRIDE) && strcmp(current_subject->filename, "/"))
+               current_subject->parent_subject = stmp;

        if (!stat(nestednames[i - 1], &fstat) && S_ISREG(fstat.st_mode))
                add_proc_object_acl(current_subject, nestednames[i - 1], proc_object_mode_conv("rx"), GR_FLEARN);
#
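Review bot: the hunk's seven old-side lines match lines 91-97 of the cat -n listing that follows token for token, so the "Hunk #1 FAILED at 91" rejection is most likely down to leading whitespace: the source is tab-indented C, while the patch as pasted from the forum post carries spaces. Try `patch -p1 -l < nest.patch` (-l makes patch ignore whitespace differences when matching context), or fetch the diff as a raw file instead of copying it out of the post.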


And the block the patch should apply to:

Code:
# cat -n gradm_nest.c | tail -n+80
    80                          exit(EXIT_FAILURE);
    81                  }
    82                  if (i != nestlen - 1)
    83                          stmp = otmp->nested;
    84          }
    85 
    86          add_proc_subject_acl(role, nestednames[i - 1], nestmode, GR_FFAKE);
    87 
    88          namelen = strlen(nestednames[i-1]);
    89          for_each_file_object(otmp, stmp) {
    90                  if (!strncmp(nestednames[i-1], otmp->filename, namelen) && (otmp->filename[namelen] == '/' || otmp->filename[namelen] == '\0'))
    91                          if (otmp->mode & GR_EXEC)
    92                                  otmp->nested = current_subject;
    93          }
    94          current_subject->parent_subject = stmp;
    95 
    96          if (!stat(nestednames[i - 1], &fstat) && S_ISREG(fstat.st_mode))
    97                  add_proc_object_acl(current_subject, nestednames[i - 1], proc_object_mode_conv("rx"), GR_FLEARN);
    98 
    99          return;
   100  }
#


Anyway, I tried to manually make the change on line 94 and recompile; however, it causes a system crash.
Triggering event: (/etc/crontab) 59 * * * * root rm -f /var/spool/cron/lastrun/cron.hourly
I have these rules for the affected part (I moved /bin/rm from the bash subject to cron for testing 'o'; the expected result here should be denied access):
Code:
subject /usr/sbin/cron opT {
user_transition_allow root
group_transition_allow root
/
/*                              h
/bin/bash                       x
/bin/rm                         x
/dev/log                        rw
/dev/null                       rw
/etc                            h
/etc/cron*                      r
/etc/group                      r
/etc/ld.so.cache                r
/etc/localtime                  r
/etc/login.defs                 r
/etc/pam.d                      r
/etc/passwd                     r
/etc/security                   r
/etc/shadow                     r
/lib64                          rx
/proc/meminfo                   r
/proc/sys/kernel/ngroups_max    r
/root
/root/*                         h
/run/cron.pid                   rwcd
/usr/lib64/gconv/gconv-modules.cache  r
/usr/sbin/cron                  rx
/usr/sbin/sendmail              x
/usr/share                      r
/var/spool/cron/crontabs        r
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
bind disabled
connect disabled
}

subject /usr/sbin/cron:/bin/bash o {
/dev/tty                        rw
/etc/shadow                     h
/usr/local/bin/flushspam        rx
/usr/local/sbin/run-crons_w     rx
-CAP_ALL
bind disabled
connect disabled
}



Re: Nested subject override flag?

Posted: Fri Mar 11, 2016 6:26 pm
by spender
This is because, as a non-inheriting subject, you have to supply a default "/" object. Replace the existing patch with the one from:
http://grsecurity.net/~spender/nested.diff
It will add the necessary checking to make sure a default object is supplied for these nested subjects.

-Brad
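
To make the failure mode concrete, here is an added C model of the lookup (not gradm's own code; the structs, function names and the sample policy are constructed for this illustration): an inheriting nested subject walks up to its parent and picks up cron's /proc/meminfo grant, while an override subject with no "/" object resolves to nothing, which is exactly what a policy-load check has to catch before the kernel ever sees the policy.

```c
/* Added illustration, not gradm's own code: how a nested subject's object lookup
 * falls through to its parent, and why an override ('o') nested subject needs its
 * own default "/" object. Structure and function names are hypothetical. */
#include <string.h>

struct object { const char *path; const char *mode; };
struct subject {
    int is_override;               /* the 'o' flag (gradm's GR_OVERRIDE) */
    const struct subject *parent;  /* NULL for top-level and override subjects */
    const struct object *objs;
    int nobjs;
};

/* Longest-prefix match on whole path components ("/" matches everything). */
static const struct object *match_own(const struct subject *s, const char *path)
{
    const struct object *best = NULL; size_t bestlen = 0;
    for (int i = 0; i < s->nobjs; i++) {
        const char *p = s->objs[i].path; size_t n = strlen(p);
        int hit = (n == 1 && p[0] == '/') ||
                  (strncmp(p, path, n) == 0 && (path[n] == '/' || path[n] == '\0'));
        if (hit && (best == NULL || n > bestlen)) { best = &s->objs[i]; bestlen = n; }
    }
    return best;
}

/* Effective mode for path, walking up the parent chain; NULL when nothing
 * matches, which is the hole an override subject without "/" falls into. */
const char *lookup_mode(const struct subject *s, const char *path)
{
    for (; s != NULL; s = s->parent) {
        const struct object *o = match_own(s, path);
        if (o != NULL) return o->mode;
    }
    return NULL;
}
/* Policy-check time validation in the spirit of check_nested_default_objects()
 * from the thread: an override nested subject must carry its own "/" object. */
int nested_subject_ok(const struct subject *s)
{
    return !s->is_override || match_own(s, "/") != NULL;
}
/* Constructed sample policy: cron grants /proc/meminfo r; bash is nested under it
 * once inheriting (parent set) and once as an override subject lacking "/". */
static const struct object cron_objs[] = { {"/", "h"}, {"/proc/meminfo", "r"} };
static const struct object bash_objs[] = { {"/dev/tty", "rw"}, {"/etc/shadow", "h"} };
const struct subject cron     = { 0, NULL,  cron_objs, 2 };
const struct subject bash_inh = { 0, &cron, bash_objs, 2 };
const struct subject bash_ovr = { 1, NULL,  bash_objs, 2 };
```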

Re: Nested subject override flag?

Posted: Tue Mar 15, 2016 3:31 pm
by salam
Looks OK now: the override flag is working for nested subjects, so it's OK to create different permissions for the same subject depending on its parent subject while giving it its own non-inherited ACL.

There was one small issue with compiling the patched code:
Code:
gradm_analyze.c:707:2: error: void value not ignored as it ought to be
  errs_found += check_nested_default_objects();


As a quick workaround I replaced this part of the patch:
Code:
@@ -681,6 +704,8 @@ analyze_acls(void)
 
    errs_found += check_role_transitions();
 
+   errs_found += check_nested_default_objects();
+
    for_each_role(role, current_role)
       if (role->roletype & GR_ROLE_DEFAULT)
          def_role_found = 1;
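Review bot: `errs_found += check_nested_default_objects();` assumes the function returns an error count, but the compiler error quoted above says it returns void, so this hunk cannot build as written. Either give check_nested_default_objects() an int return carrying the number of problems found, matching the `errs_found += check_role_transitions();` pattern two lines up, or call it as a bare statement and have it increment errs_found itself.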

with
Code:
@@ -721,6 +744,7 @@
                }
 
                check_default_objects(role);
+               check_nested_default_objects();
                check_subject_modes(role);
                check_socket_policies(role);
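Review bot: in this placement `check_nested_default_objects();` sits beside `check_default_objects(role);`, inside what looks like the per-role loop, so a check that takes no role argument runs once for every role and repeats whatever it reports; its result is also discarded here, so a missing "/" object no longer feeds into errs_found. If the function walks all roles itself, call it once outside the loop and record its result.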

Then the code compiled OK, and errors for a missing default subject work as well.