strange error on /dev/mem in grsecurity-1.9.8-rc2

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

strange error on /dev/mem in grsecurity-1.9.8-rc2

Postby piavka » Sun Dec 15, 2002 12:51 pm

When starting grsecurity-1.9.8-rc2 with 'gradm -E'(gradm version is 1.6)
i get the error:
Viewing access is allowed to /dev/mem. This would allow an attacker to modify the code of programs running on your system.

While in acl i have
/ {
...
/dev/mem h
...
}

if i comment the '/dev/mem h' i get the error printed twice.

Thanks
piavka
 
Posts: 20
Joined: Tue Jul 02, 2002 10:03 am

Postby spender » Sun Dec 15, 2002 7:30 pm

could you paste the whole ACL for /, and paste a session of you enabling the ACL system and the error?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby piavka » Mon Dec 16, 2002 7:32 am

/etc/grsec#gradm -E
Viewing access is allowed to /dev/mem. This would allow an attacker to modify the code of programs running on your system.

There were 1 holes found in your ACL configuration. These must be fixed before the ACL system will be allowed to be enabled.

The / acl:
/ l {
/ r
/opt r
/home rx
/mnt r
/tmp rw
/boot r
/root r

/usr r
/usr/share/locale rx

/etc r
/etc/grsec h

/var r
/var/tmp rw
/var/log rw

/dev w
/dev/mem h
/dev/kmem h

/proc rw
/proc/sys r
/proc/kcore h

/lib rx
/usr/lib rx
/usr/local/lib rx
/usr/X11R6/lib rx
/bin rx
/sbin rx
/usr/bin rx
/usr/sbin rx
/usr/local/bin rx
/usr/X11R6/bin rx

-CAP_LINUX_IMMUTABLE
-CAP_NET_RAW
-CAP_SYS_MODULE
-CAP_SYS_RAWIO
-CAP_MKNOD
}
piavka
 
Posts: 20
Joined: Tue Jul 02, 2002 10:03 am

Postby spender » Mon Dec 16, 2002 12:23 pm

Sorry, the problem was due to a typo on my part. The error should read "/dev/port", not "/dev/mem". Just add /dev/port h to your ACL and you'll be fine.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm


Return to grsecurity support