Write-allowed ptrace for gdb?


Postby Undine » Fri Oct 14, 2011 10:34 am

RBAC is almost perfect, but there is another issue.
I read and understand all kinds of object modes we have in RBAC, but there is only a read-only ptrace flag ('t'). So I can't run gdb on a program and modify its variables for debugging purposes. Is there a way to allow gdb to perform such tasks?
Undine
 
Posts: 46
Joined: Thu Sep 08, 2011 7:08 am

Re: Write-allowed ptrace for gdb?

Postby spender » Fri Oct 14, 2011 11:29 am

'r' subject mode: http://en.wikibooks.org/wiki/Grsecurity ... ject_Modes if you need to gdb attach, otherwise you can gdb your child process without any additional modes. The read-only ptrace flag is used as a restriction, not as some additional privilege.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Write-allowed ptrace for gdb?

Postby Undine » Fri Oct 14, 2011 12:23 pm

spender wrote: 'r' subject mode: http://en.wikibooks.org/wiki/Grsecurity ... ject_Modes if you need to gdb attach, otherwise you can gdb your child process without any additional modes. The read-only ptrace flag is used as a restriction, not as some additional privilege.

-Brad

Hm, that does not work for me. gdb refuses to run without rxt on /bin/bash, and /bin/bash without rxt on the actually debugged program. It just puts this in the log:
grsec: (dev:S:/usr/bin/gdb) denied ptrace of /bin/bash by /bin/bash[gdb:31061] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gdb[gdb:31059] uid/euid:1000/1000 gid/egid:1000/1000

(Here I'm confused about "/bin/bash[gdb]")
which is avoidable only by setting this read-only ptrace restriction. But then gdb says that it can't modify registers (this restriction is in effect). How do I solve this?
Undine
 
Posts: 46
Joined: Thu Sep 08, 2011 7:08 am

Re: Write-allowed ptrace for gdb?

Postby spender » Fri Oct 14, 2011 7:36 pm

Since you made a subject just for gdb and set the subject mode on that, you'll also need to add 't' to the subject mode.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Write-allowed ptrace for gdb?

Postby Undine » Sat Oct 15, 2011 12:53 am

spender wrote: Since you made a subject just for gdb and set the subject mode on that, you'll also need to add 't' to the subject mode.

-Brad

Thanks, it worked. I put 't' on the gdb and bash subjects of that role.
(Unfortunately I can't trace the program - gdb reports an unusual EIO, but I'll try to fix that later with less complex programs)
Undine
 
Posts: 46
Joined: Thu Sep 08, 2011 7:08 am
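A policy fragment that puts the fix from this exchange in one place, written here as an added illustration and not taken from the thread or from the gradm documentation. The role name is assumed from the "(dev:S:/usr/bin/gdb)" prefix in the logged denial, /tmp/hw.debug is the binary debugged later in the thread, and the remaining object lines of each subject are omitted.

```text
# assumed: "dev" is the special role seen in the denial log "(dev:S:...)"
role dev s

# gdb gets 'r' (relax ptrace restrictions, only needed to attach to an
# already running process) and 't' (this subject may ptrace). Without 't'
# on the subject, the log shows
#   denied ptrace of /bin/bash by /bin/bash[gdb:...]
# because gdb first spawns a shell, which then execs the debuggee.
subject /usr/bin/gdb rt {
	/		h
	/bin/bash	x
	/tmp/hw.debug	rx
	# other object lines omitted
}

# the shell started by gdb is the process that actually ptraces the
# debuggee, so it needs 't' as a subject mode as well
subject /bin/bash rt {
	/tmp/hw.debug	rx
	# other object lines omitted
}

# what NOT to do: 't' as an OBJECT mode is the read-only ptrace restriction.
# This line would let gdb attach but produce "can't modify registers":
#	/tmp/hw.debug	rxt
```

The separate EIO at breakpoint insertion that follows in the thread is a PaX MPROTECT matter, not an RBAC one, and is handled on the binary (chpax -m, or paxctl -C followed by paxctl -m) rather than in the policy.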

Re: Write-allowed ptrace for gdb?

Postby Undine » Sat Oct 15, 2011 1:51 pm

Still can't run gdb properly :( Now I get EIO on ptrace and this gdb output:
Starting program: /tmp/hw.debug
Warning:
Cannot insert breakpoint 1.
Error accessing memory address 0x4004a8: Input/output error.
Cannot insert breakpoint -1.
Temporarily disabling shared library breakpoints:
breakpoint #-1

Logs are empty about this.
Can you help?
Undine
 
Posts: 46
Joined: Thu Sep 08, 2011 7:08 am

Re: Write-allowed ptrace for gdb?

Postby spender » Sat Oct 15, 2011 9:36 pm

You need to chpax -m the target binary.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Write-allowed ptrace for gdb?

Postby Undine » Sun Oct 16, 2011 4:41 am

spender wrote: You need to chpax -m the target binary.

-Brad

This did not solve the problem :(
Undine
 
Posts: 46
Joined: Thu Sep 08, 2011 7:08 am

Re: Write-allowed ptrace for gdb?

Postby spender » Sun Oct 16, 2011 5:24 am

Then you only have PT_PAX_FLAGS support and need to paxctl -C the binary, then paxctl -m it.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Write-allowed ptrace for gdb?

Postby Undine » Sun Oct 16, 2011 6:00 am

spender wrote: Then you only have PT_PAX_FLAGS support and need to paxctl -C the binary, then paxctl -m it.

-Brad

No, same effect.
Undine
 
Posts: 46
Joined: Thu Sep 08, 2011 7:08 am