Grsecurity/PaX and source IP addresses of connect() sockets

Discuss and suggest new grsecurity features

Grsecurity/PaX and source IP addresses of connect() sockets

Postby Grach » Fri Feb 06, 2009 12:50 am

Though some significant level of isolation can be achieved today with Gresecurity's chroot restrictions and RBAC, it seems there's no simple, supported and stable way to restrict a group of chrooted processes to a sigle IP address as a source of outgoing packets. Do you plan to (ever) implement something to restrict the connect() sockets' source addresses?

There is LXC - the lightweight container implementation for Linux, similar to FreeBSD jails:
http://www.ibm.com/developerworks/linux ... ontainers/
It does restrict source addresses of outgoing connections, but I have no success to run it with Grsecurity and Gentoo's hardened sources 2.6.27-r7: patching and compiling are ok, but it panics the kernel early during boot. Any chances Grsecurity will ever work with something like that?
Grach
 
Posts: 66
Joined: Thu Feb 05, 2009 11:15 pm

Re: Grsecurity/PaX and source IP addresses of connect() sockets

Postby Grach » Fri Feb 06, 2009 7:00 pm

If anyone interested, here's another code to deal with connect() (I didn't try it yet):
https://lists.linux-foundation.org/pipe ... 15140.html
Grach
 
Posts: 66
Joined: Thu Feb 05, 2009 11:15 pm

Re: Grsecurity/PaX and source IP addresses of connect() sockets

Postby spender » Sun Feb 08, 2009 12:59 pm

If I add something like this, it would be within the RBAC system, since for grsecurity I like to keep the non-RBAC features simple enough to require no configuration.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Grsecurity/PaX and source IP addresses of connect() sockets

Postby Grach » Tue Feb 10, 2009 6:11 am

I understand it's not a priority at all. But still... When, approximately, do you plan (?) to implement something like this? Also, if such RBAC functionality should be funded, how much would it be worth and how long would it take to be implemented? My employers are poor startup company, but who knows... At least let us to be aware of the price, please. :)
Grach
 
Posts: 66
Joined: Thu Feb 05, 2009 11:15 pm

Re: Grsecurity/PaX and source IP addresses of connect() sockets

Postby spender » Thu Feb 19, 2009 8:31 pm

It shouldn't take too long to write; the second link has the basic idea. Would you need separate rules for bind and connect? Would it need to support more than one IP address?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Grsecurity/PaX and source IP addresses of connect() sockets

Postby Grach » Fri Feb 20, 2009 2:42 am

Would you need separate rules for bind and connect?

"Need" is not the word, but yes, that would be very useful.

Would it need to support more than one IP address?

Though one IP address is basically enough, multiple IP addresses would be just plain awesome.
Grach
 
Posts: 66
Joined: Thu Feb 05, 2009 11:15 pm

Re: Grsecurity/PaX and source IP addresses of connect() sockets

Postby spender » Sat Feb 21, 2009 4:26 pm

I've just finished writing up the code for gradm and both the 2.4 and 2.6 patches. I'm testing it now to make sure it works properly. Use of it is pretty simple, all it involves is the following line in your policy:

ip_override <IP Address>

This causes binds to INADDR_ANY or connects for the given subject without an associated bind to a local address to be bound to the IP address you specify. Through the bind rules already existing in the RBAC system, you've been able to choose which IPs a process can bind to for their connects, so this is strictly for the INADDR_ANY case.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Grsecurity/PaX and source IP addresses of connect() sockets

Postby spender » Sun Feb 22, 2009 10:11 pm

Code works, I uploaded a new gradm 2.1.13 tarball and the patches for 2.4.37 and 2.6.28.7.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Grsecurity/PaX and source IP addresses of connect() sockets

Postby Grach » Mon Feb 23, 2009 2:48 pm

This is the last major thing we were missing in Grsecurity/PaX kernels, and now we can finally replace FreeBSD with Hardened Gentoo. Thank you very much!
Grach
 
Posts: 66
Joined: Thu Feb 05, 2009 11:15 pm


Return to grsecurity development

cron