Allowing access to /proc/net/unix

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Allowing access to /proc/net/unix

Postby mutemule » Thu Aug 28, 2014 10:09 am

We have a service that creates Unix domain sockets on the local filesystem, but it appears that in order to do so, it needs to have full access to /proc. I could have sworn I'd seen something recently about allowing access to /proc/net/unix without also allowing access to /proc, but I'm failing to find any such thing. To work around it, we're now running the process in the GRKERNSEC_PROC_GID group, but that's somewhat less than ideal.

This is kernel 3.14.17 running grsecurity 201408140021. The pertinent kernel configuration options we have enabled are GRKERNSEC_PROC, GRKERNSEC_PROC_USERGROUP, and GRKERNSEC_PROC_ADD.

A sample failure and success:
# chpst -u service:service cat /proc/net/unix
cat: /proc/net/unix: Permission denied
# chpst -u service:service:procgid head -1 /proc/net/unix
Num       RefCount Protocol Flags    Type St Inode Path
#


Is it possible to allow access to /proc/net/unix only, or are we stuck allowing access to all of /proc for this service (and then further constraining via RBAC, or something)?
mutemule
 
Posts: 7
Joined: Thu Aug 28, 2014 8:58 am
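Added example, not code from this thread or from grsecurity: a small C program that does from inside the service what the chpst -u service:service:procgid workaround above does from the outside, and then reads /proc/net/unix. It assumes (the post does not say why the service needs /proc) that the service reads /proc/net/unix to check whether a socket path already has a live listener before unlinking it; the uid/gid values, the socket paths and the SAMPLE_TABLE contents are constructed for illustration. drop_privs_keep_gid() keeps only the GRKERNSEC_PROC_GID group as a supplementary group, so the process's primary group stays its own; unix_socket_listening() parses the Num/RefCount/Protocol/Flags/Type/St/Inode/Path columns that the post's head -1 output shows.

```c
/* proc_unix_check.c: added example, not from the grsecurity thread.
 * Build: cc -Wall -o proc_unix_check proc_unix_check.c
 * Run:   ./proc_unix_check /run/myservice.sock
 *        ./proc_unix_check -u 1001:1001:400 /run/myservice.sock   (as root;
 *        400 stands for the GRKERNSEC_PROC_GID group, a hypothetical value)
 */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define SO_ACCEPTCON_FLAG 0x00010000u  /* __SO_ACCEPTCON in the Flags column: listening */

/* Constructed sample of /proc/net/unix (not captured from a real host). */
const char SAMPLE_TABLE[] =
    "Num       RefCount Protocol Flags    Type St Inode Path\n"
    "0000000000000000: 00000002 00000000 00010000 0001 01 20001 /run/myservice.sock\n"
    "0000000000000000: 00000002 00000000 00000000 0002 01 20002\n"
    "0000000000000000: 00000003 00000000 00000000 0001 03 20003 /run/stale.sock\n"
    "0000000000000000: 00000002 00000000 00010000 0001 01 20004 @/tmp/.X11-unix/X0\n";

/* Scan a /proc/net/unix table for PATH with the listen flag set.
 * The Path column is optional, so a line yields 5 conversions only when
 * it has one; the header line fails the first conversion and is skipped.
 * Returns 1 if a listening socket bound to PATH is present, else 0. */
int unix_socket_listening(const char *table, const char *path)
{
    const char *line = table;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (len < sizeof buf) {
            unsigned flags, type, st;
            unsigned long inode;
            char p[256];
            memcpy(buf, line, len);
            buf[len] = '\0';
            if (sscanf(buf, "%*[^:]: %*x %*x %x %x %x %lu %255s",
                       &flags, &type, &st, &inode, p) == 5
                && (flags & SO_ACCEPTCON_FLAG) && strcmp(p, path) == 0)
                return 1;
        }
        if (!nl) break;
        line = nl + 1;
    }
    return 0;
}

/* Drop from root to uid:gid, keeping only KEEP as a supplementary group
 * (the equivalent of chpst -u user:group:keep). Order matters: the group
 * list and gid must be changed while still root, the uid last. Returns 0,
 * or -1 with errno set; also fails if root can be regained afterwards. */
int drop_privs_keep_gid(uid_t uid, gid_t gid, gid_t keep)
{
    gid_t extra[1] = { keep };
    if (setgroups(1, extra) < 0) return -1;
    if (setgid(gid) < 0) return -1;
    if (setuid(uid) < 0) return -1;
    if (uid != 0 && setuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

/* Read /proc/net/unix into a malloc'd string; NULL on failure (EACCES is
 * what GRKERNSEC_PROC_USERGROUP yields outside the proc group). */
static char *read_proc_net_unix(void)
{
    FILE *f = fopen("/proc/net/unix", "r");
    if (!f) return NULL;
    size_t cap = 65536, len = 0, n;
    char *buf = malloc(cap);
    if (!buf) { fclose(f); return NULL; }
    while ((n = fread(buf + len, 1, cap - len - 1, f)) > 0) {
        len += n;
        if (cap - len - 1 == 0) {
            char *nb = realloc(buf, cap *= 2);
            if (!nb) { free(buf); fclose(f); return NULL; }
            buf = nb;
        }
    }
    buf[len] = '\0';
    fclose(f);
    return buf;
}

int main(int argc, char **argv)
{
    int i = 1;
    if (argc >= 3 && strcmp(argv[1], "-u") == 0) {
        unsigned u, g, k;
        if (sscanf(argv[2], "%u:%u:%u", &u, &g, &k) != 3) {
            fprintf(stderr, "usage: %s [-u uid:gid:procgid] socket-path\n", argv[0]);
            return 2;
        }
        if (drop_privs_keep_gid(u, g, k) < 0) { perror("drop_privs_keep_gid"); return 2; }
        i = 3;
    }
    if (i >= argc) { fprintf(stderr, "usage: %s [-u uid:gid:procgid] socket-path\n", argv[0]); return 2; }
    char *table = read_proc_net_unix();
    if (!table) { perror("/proc/net/unix"); return 1; }  /* Permission denied outside the group */
    printf("%s: %s\n", argv[i],
           unix_socket_listening(table, argv[i]) ? "listening socket present" : "no listener");
    free(table);
    return 0;
}
```

Run without -u as the service user to reproduce the post's "Permission denied"; run as root with -u to confirm that the supplementary group alone is enough to read the table, without changing the primary group. Whether the service can avoid /proc/net/unix entirely (for example by probing the socket with connect() instead of consulting the table) depends on the service, and the post does not say what it does with the file.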

Re: Allowing access to /proc/net/unix

Postby spender » Thu Aug 28, 2014 7:38 pm

Hi,

It was /proc/net/dev that was given a special allowance. /proc/net/unix needs to be restricted, so you'll have to run it under the special group.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Allowing access to /proc/net/unix

Postby mutemule » Tue Sep 02, 2014 11:32 am

Ah. Yeah, that makes more sense. Thanks!
mutemule
 
Posts: 7
Joined: Thu Aug 28, 2014 8:58 am

