Incompatibility of sysfs restriction with systemd-networkd

Postby rfnx » Sat Dec 20, 2014 8:19 am

Hello,

I'm a new user of the grsecurity patch and I thank all the developers for the awesome work. But I'm trying to use systemd-networkd to configure my network and it doesn't work with the sysfs restriction of grsecurity because it needs to access the network device.
Is it possible to add a whitelist to this feature (like the TPE group, or the /proc restriction group)?

Re: Incompatibility of sysfs restriction with systemd-networ

Postby spender » Sat Dec 20, 2014 8:46 am

Is it a server system? What path in /sys is it trying to access?

-Brad

Re: Incompatibility of sysfs restriction with systemd-networ

Postby rfnx » Sat Dec 20, 2014 9:17 am

Thanks for your quick reply!

Yes, it is a server system, running Arch Linux with kernel 3.17.7 with the grsec patch. I compiled it myself, adding some security features (such as the sysfs restriction). I don't know what path it is trying to access; the only log I have is:

systemd-networkd[277]: eno1            : could not find udev device: Permission denied
systemd-networkd[277]: lo            : could not find udev device: Permission denied


Then the network is not configured, of course. I could use another network manager (which runs as root), but networkd is native and nice to use. It ran as root previously, but it was changed to a normal user and now it doesn't work. So I wanted to add an exception to the sysfs restriction like with TPE. Is it possible? Maybe this is more a suggestion than a bug report, but I think there is a need for that (this issue has already been discussed: http://lists.freedesktop.org/archives/systemd-devel/2014-July/021661.html).

Re: Incompatibility of sysfs restriction with systemd-networ

Postby spender » Sat Dec 20, 2014 12:21 pm

I'd need to see the actual paths. Something like strace -f -e open systemd-networkd on a non-grsec system would give me the information I need.

-Brad

Re: Incompatibility of sysfs restriction with systemd-networ

Postby rfnx » Sat Dec 20, 2014 12:53 pm

Result of the strace:

open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib/librt.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib/libcap.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib/libattr.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/run/systemd/container", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/proc/1/environ", O_RDONLY|O_CLOEXEC) = 3
open("/proc/cmdline", O_RDONLY|O_CLOEXEC) = 3
open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
syscall_318(0x7f7a0012340, 0x10, 0x1, 0x38, 0, 0) = 0x10
open("/etc/udev/udev.conf", O_RDONLY|O_CLOEXEC) = 7
syscall_318(0x7f2ed156db00, 0x10, 0x1, 0x7f7de1256f9d0, 0x2, 0x7ffdd4a55130) = 0x10
open("/usr/lib/systemd/network/80-container-ve.network", O_RDONLY|O_CLOEXEC) = 9
open("/usr/lib/systemd/network/80-container-host0.network", O_RDONLY|O_CLOEXEC) = 9
open("/etc/systemd/network/50-eno1.network", O_RDONLY|O_CLOEXEC) = 9
open("/run/systemd/netif/.statebPK1Vs", O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, 0600) = 9
open("/run/systemd/netif/links/.2Jcbx0V", O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, 0600) = 9
open("/sys/devices/pci0000:00/0000:00:19.0/net/eno1/uevent", O_RDONLY|O_CLOEXEC) = 9
open("/run/udev/data/n2", O_RDONLY|O_CLOEXEC) = 9
open("/run/systemd/netif/.stateiUXf5o", O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, 0600) = 9
open("/run/systemd/netif/links/.1G2p29R", O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, 0600) = 9
open("/sys/devices/virtual/net/lo/uevent", O_RDONLY|O_CLOEXEC) = 9
open("/run/udev/data/n1", O_RDONLY|O_CLOEXEC) = 9
open("/run/systemd/netif/.stateXTh5el", O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, 0600) = 9
open("/run/systemd/netif/links/.2L8GbkO", O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, 0600) = 9
open("/run/systemd/netif/.stateChWlph", O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, 0600) = 9
open("/run/systemd/netif/links/.2PuiBuK", O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, 0600) = 9
open("/run/systemd/netif/.state1EUUzd", O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, 0600) = 9
open("/run/systemd/netif/links/.145MiFG", O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, 0600) = 9
open("/run/systemd/netif/.stateKGBKK9", O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, 0600) = 9
open("/run/systemd/netif/links/.2H23fQC", O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, 0600) = 9
open("/run/systemd/netif/.stateCKkQV5", O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, 0600) = 9
open("/run/systemd/netif/links/.1o93t1y", O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, 0600) = 9
open("/sys/devices/pci0000:00/0000:00:19.0/net/eno1/name_assign_type", O_RDONLY|O_CLOEXEC) = 9
open("/run/systemd/netif/.stateBdtg71", O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, 0600) = 9
open("/run/systemd/netif/links/.2Vrn6cv", O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, 0600) = 9
open("/run/systemd/netif/.stateXY70iY", O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, 0600) = 9
open("/run/systemd/netif/links/.2bpiZor", O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, 0600) = 9
open("/proc/xen/capabilities", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/sys/hypervisor/type", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/sys/class/dmi/id/sys_vendor", O_RDONLY|O_CLOEXEC) = 9
open("/sys/class/dmi/id/board_vendor", O_RDONLY|O_CLOEXEC) = 9
open("/sys/class/dmi/id/bios_vendor", O_RDONLY|O_CLOEXEC) = 9
open("/proc/cpuinfo", O_RDONLY|O_CLOEXEC) = 9
open("/run/systemd/netif/.stateHmXjvU", O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, 0600) = 9
open("/run/systemd/netif/links/.1zI0HBn", O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, 0600) = 9
open("/proc/sys/kernel/random/boot_id", O_RDONLY|O_NOCTTY|O_CLOEXEC) = 9
eno1            : link configured
open("/run/systemd/netif/.statefOOlIQ", O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, 0600) = 9
open("/run/systemd/netif/links/.2XfV2Oj", O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, 0600) = 9
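
The strace output above is long, and what the developer actually asked for is the list of /sys paths the daemon needs. The script below is an added example, not code from the thread or from grsecurity or systemd: it filters an `strace -f -e open` log down to the distinct sysfs paths that open() really returned a descriptor for (failed opens such as the ENOENT on /sys/hypervisor/type are dropped, since they say nothing about what the restriction must permit), groups them by top-level /sys subtree, and offers a small readability check that can be run as the daemon's user on the grsec kernel to reproduce the "Permission denied" without starting the daemon. The sample log lines are constructed here, modelled on the ones posted above; the function names are my own.

```shell
#!/bin/sh
# Added example for the grsecurity sysfs-restriction thread; not part of the
# original post, grsecurity, or systemd.  Works with plain POSIX sh.

# Constructed sample strace lines (shape taken from the thread's output).
sample_strace_log() {
    cat <<'EOF'
open("/etc/udev/udev.conf", O_RDONLY|O_CLOEXEC) = 7
open("/sys/devices/pci0000:00/0000:00:19.0/net/eno1/uevent", O_RDONLY|O_CLOEXEC) = 9
open("/run/udev/data/n2", O_RDONLY|O_CLOEXEC) = 9
open("/sys/devices/virtual/net/lo/uevent", O_RDONLY|O_CLOEXEC) = 9
open("/sys/devices/pci0000:00/0000:00:19.0/net/eno1/name_assign_type", O_RDONLY|O_CLOEXEC) = 9
open("/sys/hypervisor/type", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/sys/class/dmi/id/sys_vendor", O_RDONLY|O_CLOEXEC) = 9
open("/sys/devices/pci0000:00/0000:00:19.0/net/eno1/uevent", O_RDONLY|O_CLOEXEC) = 9
EOF
}

# Read an strace log on stdin; print each distinct /sys path whose open()
# succeeded (the call returned a non-negative descriptor).  Lines ending in
# "= -1 E..." do not match the trailing digit pattern and are skipped.
sysfs_paths_opened() {
    sed -n 's/^open("\(\/sys\/[^"]*\)".*) = [0-9][0-9]*$/\1/p' | LC_ALL=C sort -u
}

# Same input, collapsed to the first sysfs component (/sys/devices, /sys/class,
# ...), to see at a glance which subtrees the daemon depends on.
sysfs_subtrees_opened() {
    sysfs_paths_opened | cut -d/ -f1-3 | LC_ALL=C sort -u
}

# For each path on stdin, print "ok PATH" or "DENIED PATH" according to
# whether the current user can open it for reading.  Run this as the
# daemon's unprivileged user (for example via `runuser -u systemd-network --`)
# on the grsec kernel to confirm which of the paths the restriction blocks.
check_readable() {
    while IFS= read -r p; do
        if [ -r "$p" ]; then
            printf 'ok %s\n' "$p"
        else
            printf 'DENIED %s\n' "$p"
        fi
    done
}

# Stand-alone run over the constructed sample.
echo "--- sysfs paths opened successfully:"
sample_strace_log | sysfs_paths_opened
echo "--- sysfs subtrees involved:"
sample_strace_log | sysfs_subtrees_opened
echo "--- readable by $(id -un) on this host:"
sample_strace_log | sysfs_paths_opened | check_readable
```

To use it on a real trace, capture one on a non-grsec box as the developer suggested (`strace -f -e trace=open -o networkd.log systemd-networkd`) and pipe the file into `sysfs_paths_opened`; the `DENIED` lines from `check_readable`, run as the daemon's user on the restricted kernel, are the paths a whitelist would have to cover.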

Re: Incompatibility of sysfs restriction with systemd-networ

Postby rfnx » Thu Jan 01, 2015 10:23 am

After some research, I found this:

root@main ~ # find /sys/ -iname '*eno1*'
/sys/devices/pci0000:00/0000:00:19.0/net/eno1
/sys/class/net/eno1
root@main ~ # find /sys/ -iname 'lo'
/sys/devices/virtual/net/lo
/sys/class/net/lo


Is this what you wanted?

Re: Incompatibility of sysfs restriction with systemd-networ

Postby spender » Thu Jan 01, 2015 12:23 pm

Hi,

I'll see if I can work around this.

Thanks,
-Brad

Re: Incompatibility of sysfs restriction with systemd-networ

Postby rfnx » Thu Jan 01, 2015 12:34 pm

I was not expecting an answer today :p
Happy new year !

EDIT: I just saw this:
/sys/class/net/eno1 is a symlink to /sys/devices/pci0000:00/0000:00:19.0/net/eno1
and /sys/class/net/lo is a symlink to /sys/devices/virtual/net/lo

/sys/class/net seems to be the directory where symlinks to all interfaces are stored.