grsecurity forums

[Blub]

On my system (ArchLinux) `/dev/log` is a symlink to to `/run/systemd/journal/dev-log`, which is a systemd-thing and causes warnings coming from gradm:

Code: Select all

Warning: permission for symlink /dev/log in role users, subject /usr/bin/gradm_pam does not match that of its matching target object /run.  Symlink is specified on line 1587 of /etc/grsec/policy.


I haven't yet tried using gradm_pam at all but I'd assume that this warning also means that gradm_pam won't actually be able to acces /dev/log.
So I was wondering what the common solution for this would be?
Should the warning just be ignored, or should ArchLinux patch gradm_adm.c to include the appropriate permissions?

There currently seems to be no way to extend these permissions - please correct me if I'm wrong - as adding the subject manually causes a "Duplicate subject found" error, and gradm_adm.c shows they use the 'o' flag (which makes total sense).

Would it be an acceptable solution to introduce the option of adding extra permissions in special variables used for these programs?
Like this:

Code: Select all

--- a/gradm_adm.c   2014-07-16 13:53:49.950469128 +0200
+++ b/gradm_adm.c   2014-07-16 13:53:27.820468833 +0200
@@ -168,6 +168,7 @@ add_gradm_pam_acl(struct role_acl *role)
    struct ip_acl ip;
    struct protoent *proto;
    char *grpam_path;
+   struct var_object *extra_var;
 
    if (bikeshedding_detected())
       grpam_path = get_bikeshedded_path(GRPAM_PATH);
@@ -236,6 +237,10 @@ add_gradm_pam_acl(struct role_acl *role)
 
    add_sock_family(current_subject, "netlink");
 
+   extra_var = sym_retrieve("grsec_gradm_pam_extra");
+   if (extra_var)
+      interpret_variable(extra_var);
+
    return;
 }
 
@@ -258,6 +263,7 @@ add_grlearn_acl(struct role_acl *role)
    struct stat fstat;
    struct ip_acl ip;
    char *grlearn_path;
+   struct var_object *extra_var;
 
    if (bikeshedding_detected())
       grlearn_path = get_bikeshedded_path(GRLEARN_PATH);
@@ -280,6 +286,10 @@ add_grlearn_acl(struct role_acl *role)
 
    add_cap_acl(current_subject, "-CAP_ALL", NULL);
 
+   extra_var = sym_retrieve("grsec_grlearn_extra");
+   if (extra_var)
+      interpret_variable(extra_var);
+
    return;
 }
 


With this I can silence the warning by adding this to the top of my policy

Code: Select all

define grsec_gradm_pam_extra {
   /run/systemd/journal/dev-log   rw
}


[spender]

Hi Wolfgang,

That's a neat trick -- I'll think about doing that in the future. For now I've just allowed gradm_pam to access that file if it exists by modifying the built-in policy in gradm_adm.c

Thanks,
-Brad

[Blub]

Thanks, works for me since it's the only warning I get