grsecurity forums

[Fuxino]

I have a problem with the policy for tor and I can't figure out what's wrong. When I try to enable tor service I get these errors:

Code: Select all

kernel: grsec: (tor:U:/usr/bin/tor) denied access to hidden file /dev/urandom by /usr/bin/tor[tor:11524] uid/euid:43/43 gid/egid:43/43, parent /usr/lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
kernel: grsec: (tor:U:/usr/bin/tor) denied access to hidden file /dev/random by /usr/bin/tor[tor:11524] uid/euid:43/43 gid/egid:43/43, parent /usr/lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0

repeated several times.

My policy for tor is like this:

Code: Select all

role tor u
role_allow_ip   0.0.0.0/32
# Role: tor
subject / o {
   /            h
   /usr/bin/tor         x
   -CAP_ALL
   bind   disabled
   connect   disabled
}

# Role: tor
subject /usr/bin/tor o {
   /            h
   /dev            h
   /dev/urandom         r
   /etc            h
   /etc/ld.so.cache      r
   /etc/tor/torrc         r
   /proc            h
   /proc/meminfo         r
   /proc/sys/kernel/random/uuid   r
   /run            h
   /run/systemd/journal/dev-log   rw
   /sys            h
   /sys/devices/system/cpu      
   /sys/devices/system/cpu/online   r
   /usr            h
   /usr/bin         h
   /usr/bin/tor         rx
   /usr/lib         rx
   /usr/lib/modules      h
   /usr/share         h
   /usr/share/tor/geoip      r
   /usr/share/tor/geoip6      r
   /usr/share/zoneinfo      r
   /var            h
   /var/lib/tor         rwcd
   -CAP_ALL
   bind 127.0.0.1/32:9050 stream icmp tcp
   connect 0.0.0.0/0:1024-65535 stream icmp tcp
   connect 0.0.0.0/0:443 stream icmp tcp
   connect 0.0.0.0/0:110 stream icmp tcp
   connect 0.0.0.0/0:80 stream icmp tcp
   connect 0.0.0.0/0:21 stream icmp tcp
   sock_allow_family netlink
}

so it appears to me that it should be able to read /dev/urandom. What am I missing?

[spender]

Can you give me the output of a stat command on /dev/urandom prior to RBAC being enabled and one after this message appears?

Thanks,
-Brad

[Fuxino]

Sure. This is before enabling the RBAC:

Code: Select all

  File: ‘/dev/urandom’
  Size: 0            Blocks: 0          IO Block: 4096   character special file
Device: 6h/6d  Inode: 1032        Links: 1     Device type: 1,9
Access: (0666/crw-rw-rw-)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2015-11-27 16:35:44.528630956 +0100
Modify: 2015-11-27 16:35:44.528630956 +0100
Change: 2015-11-27 16:35:44.528630956 +0100
Birth: -

And after the error message it looks exactly the same:

Code: Select all

  File: ‘/dev/urandom’
  Size: 0            Blocks: 0          IO Block: 4096   character special file
Device: 6h/6d   Inode: 1032        Links: 1     Device type: 1,9
Access: (0666/crw-rw-rw-)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2015-11-27 16:35:44.528630956 +0100
Modify: 2015-11-27 16:35:44.528630956 +0100
Change: 2015-11-27 16:35:44.528630956 +0100
 Birth: -

[spender]

Odd, could you give me an strace of tor with RBAC disabled showing only the accesses to /dev/urandom and /dev/random?

Thanks,
-Brad

[Fuxino]

Code: Select all

open("/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 3
open("/dev/urandom", O_RDONLY)          = 3
open("/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 3
open("/dev/urandom", O_RDONLY|O_CLOEXEC) = 9
open("/dev/urandom", O_RDONLY|O_CLOEXEC) = 9

[Fuxino]

Ok, the problem was the "PrivateDevices=yes" option in the sytemd service I use to run tor. At least, without that option the problem disappears. I'm not sure why...

[spender]

It would be because that option causes Tor to be run with a private mount namespace created on demand, so any inode associated with /dev/urandom inside that namespace isn't knowable from the point where RBAC is loaded. That option shouldn't be enabled with RBAC.

-Brad

[Fuxino]

Oh, ok. Thanks.