gradm feature request

Discuss and suggest new grsecurity features

Post by tjh » Wed Oct 12, 2011 7:32 pm

Could you make gradm -S also tell you if you're currently in a special role?

Sometimes I come back to a box with screen running and I'm not sure if I'm authenticated or not.

I know I can easily gradm -u, but being able to find out without deauthing would be nice.

Good/Bad idea?
tjh
 
Posts: 102
Joined: Sat Oct 16, 2004 8:19 pm

Re: gradm feature request

Post by spender » Wed Oct 12, 2011 8:25 pm

You can cat /proc/self/status ;) But I agree, this would be good to add to gradm.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: gradm feature request

Post by tjh » Sun Oct 16, 2011 1:56 pm

Another Feature Request

When creating a "Full Learning" policy (gradm -F -L /tmp/learn.logs -O /tmp/policy), would it be possible to add a comment before each subject, stating what role it's part of?

For Example:
subject /etc/cron.daily o {
user_transition_allow man
group_transition_allow man

        /                               r
        /bin                            rxi
        /boot                           r
        /boot/grub
        /dev


Would instead become:

# Role: root
subject /etc/cron.daily o {
user_transition_allow man
group_transition_allow man

        /                               r
        /bin                            rxi
        /boot                           r
        /boot/grub
        /dev


This makes it easy when you're editing a large file to remember where you are (or when searching/moving forward being sure where you are)

It's one thing I've realized would make things a little easier as a newbie.

Tim
tjh
 
Posts: 102
Joined: Sat Oct 16, 2004 8:19 pm
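
The comment placement requested in the post above can also be applied to an existing policy file after the fact. This is an added example, not part of the original thread and not gradm's own code; the function name `annotate_policy`, the assumption that each role opens with a `role <name> <flags>` line, and the sample policy are all constructed for illustration.

```python
import re

# Assumed policy layout: "role <name> [flags]" opens a role, and each
# "subject <path> [flags] {" that follows belongs to that role.
ROLE_RE = re.compile(r"^\s*role\s+(\S+)")
SUBJECT_RE = re.compile(r"^\s*subject\s+\S+")
ROLE_COMMENT_RE = re.compile(r"^\s*#\s*Role:")


def annotate_policy(text):
    """Return the policy text with '# Role: <name>' before each subject."""
    out = []
    current_role = None
    for line in text.splitlines():
        m = ROLE_RE.match(line)
        if m:
            current_role = m.group(1)
        elif SUBJECT_RE.match(line) and current_role is not None:
            # Skip subjects that already carry the comment, so running
            # the tool twice does not stack duplicate comments.
            if not (out and ROLE_COMMENT_RE.match(out[-1])):
                out.append("# Role: %s" % current_role)
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample policy, not taken from a real system.
SAMPLE = """\
role root uG
subject /etc/cron.daily o {
        /                               r
        /bin                            rxi
}

role man u
subject / {
        /                               h
}
"""

if __name__ == "__main__":
    print(annotate_policy(SAMPLE), end="")
```

Work on a copy of the policy and diff the result before loading it; the only lines added should be `#` comments.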

Re: gradm feature request

Post by spender » Sun Oct 16, 2011 11:19 pm

Good idea, I've just committed this change to CVS.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: gradm feature request

Post by Undine » Wed Dec 14, 2011 4:01 pm

spender wrote: You can cat /proc/self/status ;) But I agree, this would be good to add to gradm.

-Brad

Sorry for bumping, but I can't see any role name when doing "cat /proc/self/status". I see only PaX flags. I'm using Linux 3.1.5 with the latest patch. I'm sure I'm doing this under a special role.
Undine
 
Posts: 46
Joined: Thu Sep 08, 2011 7:08 am

Re: gradm feature request

Post by spender » Wed Dec 14, 2011 4:23 pm

Sorry about that. I checked the code again and noticed that it only allows admin-like roles to view the RBAC information in /proc/pid/status. I could add an exemption for the current task to inspect itself.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: gradm feature request

Post by Undine » Thu Dec 15, 2011 6:51 am

spender wrote: Sorry about that. I checked the code again and noticed that it only allows admin-like roles to view the RBAC information in /proc/pid/status. I could add an exemption for the current task to inspect itself.

-Brad

This will be great.
Undine
 
Posts: 46
Joined: Thu Sep 08, 2011 7:08 am

