grsecurity2 does not allow block device reads (e.g. cdrom)
Posted: Sat Jul 31, 2004 1:54 am
With seemingly all of the necessary bits enabled, I am unable to have a listed subject process read a block device. I am probably missing something, but nothing comes to mind.
This is using the 2.6.7 patch specified in a recent forum post, and a slightly modified cvs-tip gradm2 (modified to allow the analysis to be suggestions, not requirements).
strace shows that the open is getting EPERM, which is as far as I can see (by scanning the source code, since the extremely limited documentation I have doesn't mention anything) what is supposed to happen if CAP_SYS_RAWIO is not enabled.
However...it is enabled.
After disabling gradm, it works as expected.
-----------------------------
3163 stat64("/dev/cdrom", {st_mode=S_IFBLK|0600, st_rdev=makedev(11, 0), ...}) = 0
3163 open("/dev/cdrom", O_RDONLY|O_NONBLOCK) = -1 EPERM (Operation not permitted)
-----------------------------
Seemingly relevant config file section:
-----------------------------
subject /usr/bin/xmms o {
/
/dev
/dev/cdrom r
/dev/sound rw
/dev/urandom r
/etc/fstab r
/etc/hosts r
/etc/ld.so.cache r
/etc/mtab r
/etc/nsswitch.conf r
/etc/passwd r
/etc/resolv.conf r
/lib rxi
/misc r
/home r
/home/seth/.xmms rwcd
/proc/meminfo r
/proc/sys/kernel/version r
/tmp rwcd
/usr/X11R6/lib rxi
/usr/bin/xmms xit
/usr/lib rxi
/usr/share r
-CAP_ALL
+CAP_SYS_RAWIO
connect 0.0.0.0/0:80 stream tcp
connect 0.0.0.0/0:8000 stream tcp
connect 0.0.0.0/0:8080 stream tcp
connect 204.52.227.0/24:53 dgram udp
bind 0.0.0.0:0 dgram udp
bind 0.0.0.0:0 dgram ip
}
-----------------------------
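As an added illustration (this is not code from the post or from gradm/grsecurity), the following Python script models how a subject block like the one above is read: object rules are matched by the most specific (longest) path prefix, an object with no mode letters denies everything under that subtree unless a more specific rule re-allows it, and capability lines are applied in order, so `-CAP_ALL` followed by `+CAP_SYS_RAWIO` leaves exactly that one capability. The policy text embedded below is a constructed, trimmed copy of the subject block; network rules are parsed but not evaluated, and the matching is a simplification of what the kernel does, used only to show what the policy itself grants.

```python
"""Toy checker for a grsecurity RBAC subject block (added example, not gradm code).

Simplified model: object rules match by longest path prefix, an object
listed without mode letters denies access to that subtree, and capability
lines are applied top to bottom (-CAP_ALL clears, +CAP_X re-adds).
"""
import posixpath

# Constructed, trimmed copy of the subject block from the post.
POLICY = """
subject /usr/bin/xmms o {
/
/dev
/dev/cdrom r
/dev/sound rw
/dev/urandom r
/lib rxi
/home r
/home/seth/.xmms rwcd
/tmp rwcd
/usr/bin/xmms xit
-CAP_ALL
+CAP_SYS_RAWIO
connect 0.0.0.0/0:80 stream tcp
bind 0.0.0.0:0 dgram udp
}
"""


def parse_subject(text):
    """Return (subject_path, objects, caps) for the first subject block.

    objects maps a normalised path to the set of mode letters granted;
    caps is the effective capability set after applying every +/- line.
    """
    objects = {}
    caps = set()
    subject = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "}":
            continue
        if line.startswith("subject "):
            subject = line.split()[1]
            continue
        if line.startswith(("connect ", "bind ")):
            continue  # network rules are not modelled here
        if line.startswith(("-CAP_", "+CAP_")):
            sign, cap = line[0], line[1:]
            if cap == "CAP_ALL":
                # -CAP_ALL clears everything; +CAP_ALL is kept as a wildcard
                caps = {"CAP_ALL"} if sign == "+" else set()
            elif sign == "+":
                caps.add(cap)
            else:
                caps.discard(cap)
            continue
        parts = line.split()
        path = posixpath.normpath(parts[0])
        objects[path] = set(parts[1]) if len(parts) > 1 else set()
    return subject, objects, caps


def matching_rule(objects, path):
    """Pick the most specific object rule covering path (longest prefix)."""
    path = posixpath.normpath(path)
    best = None
    for rule in objects:
        if rule == path or rule == "/" or path.startswith(rule + "/"):
            if best is None or len(rule) > len(best):
                best = rule
    return best


def is_allowed(objects, path, mode):
    """True if every requested mode letter is granted by the matching rule."""
    rule = matching_rule(objects, path)
    return rule is not None and all(m in objects[rule] for m in mode)


def has_cap(caps, cap):
    return cap in caps or "CAP_ALL" in caps


SUBJECT, OBJECTS, CAPS = parse_subject(POLICY)

if __name__ == "__main__":
    for p, m in [("/dev/cdrom", "r"), ("/dev/cdrom", "w"), ("/dev/hda", "r")]:
        print(p, m, "->", matching_rule(OBJECTS, p), is_allowed(OBJECTS, p, m))
    print("CAP_SYS_RAWIO:", has_cap(CAPS, "CAP_SYS_RAWIO"))
```

Run against the block in the post, the model reports that `/dev/cdrom r` is the rule selected for the device, that read is granted, and that `CAP_SYS_RAWIO` is the only capability left after `-CAP_ALL`; a sibling device such as `/dev/hda` falls through to the bare `/dev` entry and is denied. That is a useful first sanity check when a policy denies an access you believe you allowed: confirm the policy grants it on paper before looking elsewhere.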