
gradm feature request

Posted: Wed Oct 12, 2011 7:32 pm
by tjh
Could you make gradm -S also tell you if you're currently in a special role?

Sometimes I come back to a box with screen running and I'm not sure if I'm authenticated or not.

I know I can easily gradm -u, but being able to find out without deauthing would be nice.

Good/Bad idea?

Re: gradm feature request

Posted: Wed Oct 12, 2011 8:25 pm
by spender
You can cat /proc/self/status ;) But I agree, this would be good to add to gradm.

-Brad

Re: gradm feature request

Posted: Sun Oct 16, 2011 1:56 pm
by tjh
Another Feature Request

When creating a "Full Learning" policy (gradm -F -L /tmp/learn.logs -O /tmp/policy), would it be possible to add a comment before each subject, stating what role it's part of?

For example:
Code:

subject /etc/cron.daily o {
user_transition_allow man
group_transition_allow man

        /                               r
        /bin                            rxi
        /boot                           r
        /boot/grub
        /dev


Would instead become:

Code:

# Role: root
subject /etc/cron.daily o {
user_transition_allow man
group_transition_allow man

        /                               r
        /bin                            rxi
        /boot                           r
        /boot/grub
        /dev


This makes it easy when you're editing a large file to remember where you are (or, when searching/moving forward, to be sure where you are).

It's one thing I've realized would make things a little easier as a newbie.

Tim

Re: gradm feature request

Posted: Sun Oct 16, 2011 11:19 pm
by spender
Good idea, I've just committed this change to CVS.

-Brad

Re: gradm feature request

Posted: Wed Dec 14, 2011 4:01 pm
by Undine
spender wrote: You can cat /proc/self/status ;) But I agree, this would be good to add to gradm.

-Brad

Sorry for bumping, but I can't see any role name when doing "cat /proc/self/status". I see only PaX flags. I'm using Linux 3.1.5 with the latest patch. I'm sure I'm doing this under a special role.

Re: gradm feature request

Posted: Wed Dec 14, 2011 4:23 pm
by spender
Sorry about that. I checked the code again and noticed that it only allows admin-like roles to view the RBAC information in /proc/pid/status. I could add an exemption for the current task to inspect itself.

-Brad

Re: gradm feature request

Posted: Thu Dec 15, 2011 6:51 am
by Undine
spender wrote: Sorry about that. I checked the code again and noticed that it only allows admin-like roles to view the RBAC information in /proc/pid/status. I could add an exemption for the current task to inspect itself.

-Brad

This will be great.