Okay, maybe I'm dumb, but I can't figure this out..

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Postby mute » Tue Jun 10, 2003 2:29 pm

Here's my problem. I've got my home router box running 2.4.20+1.99h or whatever the latest grsecurity is with the following settings/acls:

/ {
/ r
/home rwx
/mnt rw
/dev
/dev/urandom r
/dev/random r
/dev/zero rw
/dev/input rw
/dev/psaux rw
/dev/null rw
/dev/tty? rw
/dev/console rw
/dev/tty rw
/dev/ttyp? rw
/dev/pts rw
/dev/ptmx rw
/dev/dsp rw
/dev/mixer rw
/dev/fd0 r
/dev/cdrom r
/dev/mem h
/dev/kmem h
/dev/port h
/bin rx
/sbin rx
/lib rx
/usr rx
/etc rx
/proc rwx
/proc/kcore h
/proc/sys r
/root r
/tmp rw
/var rwx
/var/tmp rw
/var/log r
/boot h
/etc/grsec h

-CAP_SYS_TTY_CONFIG
-CAP_LINUX_IMMUTABLE
-CAP_NET_RAW
-CAP_MKNOD
-CAP_SYS_ADMIN
-CAP_SYS_RAWIO
-CAP_SYS_MODULE
-CAP_SYS_PTRACE
}

/sbin/init {
/dev/initctl rw
/var/log/wtmp rw
}

/sbin/syslogd Xo {
/ h
/etc/grsec h
/etc r

/var/run/utmp rw
/var/run/syslogd.pid rw
/var/run
/var/log rw
/usr/share/zoneinfo r
/usr/lib
/lib rx

/dev/ttyp? w
/dev/tty w
/dev/tty? w
/dev/tty?? w
/dev/log w
/dev

/sbin/syslogd x

-CAP_ALL
+CAP_DAC_OVERRIDE
connect {
0.0.0.0/0:53 dgram udp
0.0.0.0/0:514 dgram udp
192.168.2.10:1-65535 dgram udp
}
bind {
0.0.0.0:0 dgram ip
}
}

/bin/login {
/dev/log rw
}

/usr/libexec/pt_chown Xo {
/ h
/etc/grsec h
/usr/libexec/pt_chown x
/etc/group r
/etc/ld.so.cache r
/etc/ld.so.preload r
/etc/nsswitch.conf r
/lib rx
-CAP_ALL
+CAP_CHOWN
+CAP_FOWNER
+CAP_FSETID
connect {
disabled
}
bind {
disabled
}
}

/usr/bin/screen oX {
/ h

/usr/bin x
/root r
/home rw
/dev/null rw
/dev
/usr/bin/screen x
/bin/tcsh x
/bin/bash x
/dev/ptmx rw
/dev/pts rw
/dev/ptyp? rw
/dev/vc rw
/etc/grsec h
/etc r
/usr/lib rx
/lib rx
/proc r
/usr/share/terminfo r
/var/run/screen rw
/var/run/utmp rw
-CAP_ALL
+CAP_DAC_OVERRIDE
+CAP_FSETID
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_TTY_CONFIG
connect {
disabled
}
bind {
disabled
}
}

/usr/sbin/dhcpd oX {
/ h

/etc/grsec h

/var/state/dhcp rw
/var/run/dhcpd.pid rw
/var/run r

/lib/ rx

/etc r
/etc/dhcp/dhcpd.conf r

/dev/null rw
/dev/log rw

/usr/sbin/dhcpd x

-CAP_ALL
+CAP_DAC_OVERRIDE
+CAP_NET_BIND_SERVICE
+CAP_NET_RAW

connect {
0.0.0.0/0:53 dgram udp
0.0.0.0/0:68 dgram ip udp
0.0.0.0:0 raw_sock icmp
}

bind {
0.0.0.0:67 dgram udp
}

}

/usr/local/bin/sshd opX {
/ h

/var/run/utmp rw
/var/run/sshd.pid w
/var/run
/var/log/wtmp w
/var/log/lastlog rw
/var/log
/var/empty

/usr/local/etc/ r
/usr/lib/libz.so.1.1.3 rx
/usr/lib/libcrack.so.2.7 rx

/home r
/lib rx
/proc
/root
/tmp rw
/usr/local/libexec/sftp-server

/lib/security/pam_unix.so rx
/lib/security/pam_nologin.so rx
/lib/security/pam_deny.so rx
/lib/security/pam_cracklib.so rx
/lib/ld-2.3.1.so x

/etc r
/etc/grsec h
/etc/pam.d/sshd r
/etc/pam.d/other r

/dev/urandom r
/dev/tty rw
/dev/pts rw
/dev/ptmx rw
/dev/null rw
/dev/log rw

/bin/bash x
/usr/local/bin/sshd x

-CAP_ALL
+CAP_CHOWN
+CAP_KILL
+CAP_SETGID
+CAP_SETUID
+CAP_NET_BIND_SERVICE
+CAP_SYS_CHROOT

connect {
0.0.0.0/0:53 dgram ip udp
0.0.0.0/0:53 stream tcp
127.0.0.1/32:21 stream tcp
0.0.0.0:113 stream tcp
}

bind {
0.0.0.0:22 stream tcp
}
}

/bin/su Xo {
/etc/grsec h
/var/run/utmp rw
/usr/lib rx

/lib/security/ rx
/lib rx

/root
/proc/

/etc/pam.d/su r
/etc/pam.d/other r
/etc/pam.d
/etc r

/dev/log rw
/bin/bash x
/bin/tcsh x
/bin/su x
/ h

+CAP_ALL
}

/sbin/apcupsd o {
/var/run/apcupsd.pid w
/var/run
/var/log/apcupsd ra
/var/log
/var/lock/LCK..ttyS1 rw
/var/lock
/lib/libm-2.3.1.so rx
/lib/libc-2.3.1.so rx
/lib/ld-2.3.1.so x
/etc/localtime r
/etc/ld.so.cache r
/etc/apcupsd/apccontrol rx
/etc/apcupsd/changeme rx
/etc/apcupsd/commfailure rx
/etc/apcupsd/commok rx
/etc/apcupsd/mainsback rx
/etc/apcupsd/masterconnect rx
/etc/apcupsd/mastertimeout rx
/etc/apcupsd/onbattery rx
/etc/apcupsd/apcupsd.conf r
/dev/ttyS1 rw
/dev/log rw
/sbin/apcupsd x
/
-CAP_ALL
}

/usr/local/bin/iplog o {
/var/run/iplog.pid rw
/var/run
/var/log/iplog a
/var/log
/proc/sys/kernel/version r
/lib rx
/etc r
/dev/null w
/usr/local/bin/iplog x
/
-CAP_ALL
+CAP_KILL
+CAP_SETGID
+CAP_SETUID
+CAP_NET_RAW

connect {
0.0.0.0/0:53 dgram udp
0.0.0.0:0 raw_sock tcp
0.0.0.0:0 raw_sock raw_proto
}

bind {
0.0.0.0:0 dgram ip
}

}

/usr/local/samba/bin/smbd o {
/ r

/var/log/samba a

/usr/local/samba/var rw
/usr/local/samba/var/locks rw
/usr/local/samba/private rw
/usr/local/samba/lib/smb.conf r
/usr/local/samba/lib/codepages/unicode_map.ISO8859-1 r
/usr/local/samba/lib/codepages/unicode_map.850 r
/usr/local/samba/lib/codepages/codepage.850 r


/tmp r
/mnt/hdf rw
/mnt/hde rw

/usr/lib rx
/lib rx
/etc r

/dev/urandom r
/dev/null rw

/usr/local/samba/bin/smbd x

-CAP_ALL
+CAP_SETGID
+CAP_SETUID
+CAP_NET_BIND_SERVICE
+CAP_SYS_RESOURCE

connect {
disabled
}

bind {
127.0.0.1:0 dgram udp
192.168.2.1:139 stream tcp
0.0.0.0:0 dgram ip
}

}
/usr/local/samba/bin/nmbd o {
/ h
/usr/local/samba/var/log.nmbd a
/usr/local/samba/var/locks rw
/usr/local/samba/var

/usr/local/samba/lib/smb.conf r
/usr/local/samba/lib/codepages/unicode_map.ISO8859-1 r
/usr/local/samba/lib/codepages/unicode_map.850 r
/usr/local/samba/lib/codepages/codepage.850 r

/lib/ld-2.3.1.so x
/etc r

/dev/null rw

/usr/local/samba/bin/nmbd x

/usr/lib rx
/lib rx

-CAP_ALL
+CAP_NET_BIND_SERVICE

connect {
192.168.2.0/24:1-65535 dgram udp
192.168.2.0/24:1-65535 stream tcp
}

bind {
0.0.0.0:137 dgram udp
0.0.0.0:138 dgram udp
0.0.0.0:0 dgram ip
}

}

/usr/local/libexec/sftp-server o {
/ h
/usr/lib/libz.so.1.1.3 rx
/lib rx

/home

/etc r
/usr/local/libexec/sftp-server x

-CAP_ALL
+CAP_CHOWN
+CAP_KILL
+CAP_SETGID
+CAP_SETUID
}
/usr/local/bin/iptraf o {
/ h
/var/run/iptraf rw
/var/local/iptraf rw
/usr/share/terminfo/a/ansi r

/proc/net/dev r
/usr/lib rx
/lib rx

/etc/services r
/etc/nsswitch.conf r
/etc/ld.so.cache r

/usr/local/bin/rvnamed x
/usr/local/bin/iptraf x

/dev/log rw
+CAP_ALL
}

/sbin/klogd o {
/sbin/klogd x
/dev/log rw
/ h
+CAP_ALL
}

/usr/bin/crontab o {
/usr/bin/crontab x
/ h
-CAP_ALL
}

/usr/sbin/cron o {
/dev/log rw
/ h
+CAP_ALL
}

/usr/sbin/crond o {
/var/spool/cron r
/usr/sbin/sendmail x
/root
/etc r

/bin/bash x
/usr/sbin/crond x
/dev/log rw
/
+CAP_ALL
}
/usr/bin/ncftpd o {
/
/var/run/ncftpd.pid.sh w
/var/log/ncftpd rw
/var/run

/proc/meminfo r

/mnt/hdf rw
/mnt/hde rw
/home rw

/lib rx
/etc r

/dev/null rw
/dev/log rw

/usr/bin/ncftpd x

-CAP_ALL
+CAP_CHOWN
+CAP_DAC_OVERRIDE
+CAP_SETGID
+CAP_SETUID
+CAP_NET_BIND_SERVICE
+CAP_SYS_NICE

connect {
0.0.0.0/0:1-65535 stream tcp
0.0.0.0/0:113 stream ip tcp
0.0.0.0/0:53 dgram ip udp
}

bind {
0.0.0.0:0 dgram ip
0.0.0.0/0:20-24 stream ip tcp
0.0.0.0/0:0 stream ip tcp
}
}

/usr/sbin/makewhatis o {
/

/usr/man/whatis w
/usr/lib/perl5 r
/usr/man rw

/usr/local/man
/usr/kerberos/man r
/usr/X11R6/man
/usr
/tmp rw

/proc/meminfo r

/lib rx

/etc/mtab r
/etc/ld.so.cache r
/etc/cron.daily
/etc

/dev/tty rw

/bin x
/bin x
/usr/local/bin/find x
/usr/sbin/makewhatis rx
/usr/bin/uniq x
/usr/bin/tr x
/usr/bin/man x

-CAP_ALL
+CAP_DAC_OVERRIDE
}

/usr/sbin/logrotate o {
/ h
/etc r

/lib rx
/usr/lib rx
/var/log rw

/usr/sbin/logrotate x
-CAP_ALL
}

/usr/TSS/bin/tripwire o {
/
/usr/TSS rw
/etc r
/tmp rw

+CAP_ALL
}

/usr/sbin/pump o {
/home rxw
/mnt rw
/dev r
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log rxw

/bin rx
/sbin rx
/lib rx
/usr rx
/etc rx

/proc rxw
/proc/kcore h
/proc/sys r
/root r

/tmp rw
/var/tmp rw
/var/log rw
/boot h
/etc/grsec h
/ h
-CAP_ALL
}

/sbin/mingetty l {
/ h
}

*PHEW*, and now my actual grsec settings:

echo 1 > /proc/sys/kernel/grsecurity/chroot_deny_chmod
echo 1 > /proc/sys/kernel/grsecurity/chroot_deny_chroot
echo 1 > /proc/sys/kernel/grsecurity/chroot_deny_fchdir
echo 1 > /proc/sys/kernel/grsecurity/chroot_deny_mknod
echo 1 > /proc/sys/kernel/grsecurity/chroot_deny_mount
echo 1 > /proc/sys/kernel/grsecurity/chroot_deny_pivot
echo 1 > /proc/sys/kernel/grsecurity/chroot_deny_shmat
echo 1 > /proc/sys/kernel/grsecurity/chroot_deny_sysctl
echo 1 > /proc/sys/kernel/grsecurity/chroot_deny_unix
echo 1 > /proc/sys/kernel/grsecurity/chroot_enforce_chdir
echo 1 > /proc/sys/kernel/grsecurity/chroot_findtask
echo 1 > /proc/sys/kernel/grsecurity/execve_limiting
echo 1 > /proc/sys/kernel/grsecurity/fifo_restrictions
echo 1 > /proc/sys/kernel/grsecurity/forkfail_logging
echo 1 > /proc/sys/kernel/grsecurity/linking_restrictions
echo 1 > /proc/sys/kernel/grsecurity/rand_ip_ids
echo 1 > /proc/sys/kernel/grsecurity/rand_pids
echo 1 > /proc/sys/kernel/grsecurity/rand_rpc
echo 1 > /proc/sys/kernel/grsecurity/rand_tcp_src_ports
echo 1 > /proc/sys/kernel/grsecurity/signal_logging

Here's my problem. Box was up and running great for a few weeks, rebooted it once, it's up 5 days and going strong. Suddenly my cable modem goes down. I'm unable to ifconfig my exterior interface up, which means I am unable to grab an IP from my cable modem. I gradm -D, no dice. Reboot from 2.4.20+1.99i to 2.4.20+1.99h, no luck.

I manage to get it to grab an IP once, only to see like 80% packet loss. Replace the NIC and my ethernet cable, no luck.

Reboot to stock 2.4.20, runs fine.

There was nothing in my dmesg which would lead me to believe that the ACLs were preventing pump or anything else from grabbing an IP..

Anyone have any ideas?
mute
 
Posts: 4
Joined: Tue Jun 10, 2003 2:21 pm
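A policy this long is hard to review by eye, and the question of whether a subject (such as pump) has the capability or socket rule it needs, or conversely keeps far more than it needs, is exactly what one wants answered before chasing a kernel bug. The following is an added example, not code from the post or from gradm/grsecurity: a small parser for the subject/object/capability/connect/bind syntax used above, plus an audit pass that reports the patterns a reviewer would look at first. The embedded policy is a constructed excerpt in the same format as the posted one, and the three audit heuristics (every capability kept, a `/` object that grants r/w/x, connect or bind rules for any host on any port) are this example's own choices, not gradm semantics stated on the page.

```python
import re
from collections import OrderedDict

# Constructed excerpt in the gradm 1.9-era syntax used in the posted policy (not the full policy).
SAMPLE_ACL = """\
/ {
/ r
/etc/grsec h
-CAP_SYS_MODULE
}

/sbin/syslogd Xo {
/ h
/var/log rw
/sbin/syslogd x
-CAP_ALL
+CAP_DAC_OVERRIDE
connect {
0.0.0.0/0:53 dgram udp
192.168.2.10:1-65535 dgram udp
}
bind {
0.0.0.0:0 dgram ip
}
}

/sbin/klogd o {
/sbin/klogd x
/ h
+CAP_ALL
}

/usr/bin/ncftpd o {
/
/home rw
/usr/bin/ncftpd x
-CAP_ALL
+CAP_SETUID
connect {
0.0.0.0/0:1-65535 stream tcp
}
bind {
0.0.0.0/0:0 stream ip tcp
}
}
"""

# Subject header: "<path> [flags] {"
SUBJECT_RE = re.compile(r'^(\S+)(?:\s+([a-zA-Z]+))?\s*\{$')
# Socket rule for any address (0.0.0.0/0) on any port (0 or the full 1-65535 range).
WIDE_RE = re.compile(r'^0\.0\.0\.0/0:(0|1-65535)\b')


def parse_acl(text):
    """Parse subject blocks into {path: {flags, objects, caps, connect, bind}}."""
    subjects = OrderedDict()
    cur = None          # subject currently being filled
    net = None          # 'connect' or 'bind' while inside a nested socket block
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if cur is None:
            m = SUBJECT_RE.match(line)
            if not m:
                raise ValueError(f"expected a subject header, got {line!r}")
            cur = {'flags': m.group(2) or '', 'objects': OrderedDict(),
                   'caps': [], 'connect': [], 'bind': []}
            subjects[m.group(1)] = cur
        elif net is not None:
            if line == '}':
                net = None
            else:
                cur[net].append(line)
        elif line in ('connect {', 'bind {'):
            net = line.split()[0]
        elif line == '}':
            cur = None
        elif line[0] in '+-':
            cur['caps'].append(line)            # capability line, kept in order
        else:
            parts = line.split(None, 1)         # "<path> [mode]"; no mode -> ''
            cur['objects'][parts[0]] = parts[1] if len(parts) > 1 else ''
    return subjects


def effective_caps(cap_lines):
    """Fold ordered +/-CAP lines into ('all', denied_set) or ('some', granted_set)."""
    mode, caps = 'all', set()                   # default: everything kept, nothing denied
    for entry in cap_lines:
        sign, name = entry[0], entry[1:]
        if name == 'CAP_ALL':
            mode, caps = ('all' if sign == '+' else 'some'), set()
        elif mode == 'all':                     # caps = set of denied capabilities
            caps.add(name) if sign == '-' else caps.discard(name)
        else:                                   # caps = set of granted capabilities
            caps.add(name) if sign == '+' else caps.discard(name)
    return mode, caps


def audit(subjects):
    """Return (subject, message) pairs for the patterns a policy reviewer checks first."""
    findings = []
    for path, s in subjects.items():
        mode, caps = effective_caps(s['caps'])
        if mode == 'all' and not caps:
            findings.append((path, 'keeps every capability (+CAP_ALL, nothing removed)'))
        root = s['objects'].get('/')
        if root is None:
            findings.append((path, "has no '/' object"))
        elif set(root) & set('rwx'):
            findings.append((path, f"'/' object grants '{root}' to every path not listed"))
        for kind in ('connect', 'bind'):
            for rule in s[kind]:
                if WIDE_RE.match(rule):
                    findings.append((path, f'{kind} rule allows any host on any port: {rule}'))
    return findings


if __name__ == '__main__':
    for subject, msg in audit(parse_acl(SAMPLE_ACL)):
        print(f'{subject}: {msg}')
```

Run it as-is to see the excerpt's findings, or replace `SAMPLE_ACL` with a full policy file read from disk; the parser only handles the block forms shown above (subjects, objects, capability lines, connect/bind blocks), so a policy using other directives will need the grammar extended first.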

Postby mute » Thu Aug 07, 2003 2:32 pm

nobody eh? :(
mute
 
Posts: 4
Joined: Tue Jun 10, 2003 2:21 pm

Postby spender » Fri Aug 08, 2003 9:41 am

Did you try rebooting into the same kernel, except without enabling the ACL system?

I don't know much about the programs you're using, but there is a case that could apply here. rtnetlink (which may be used by your programs that are acquiring an IP) supports capabilities of sorts. The capabilities that are set on the socket are determined once in combination with the ACL system. Thus, if the ACL system is disabled, and the socket is still alive, checking against the capabilities on the socket won't take into account that the ACL system is disabled. If this is in fact your problem, I'll look into rewriting how it's handled.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby spender » Fri Aug 08, 2003 9:43 am

Try giving pump +CAP_NET_ADMIN as well.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby mute » Fri Aug 08, 2003 1:11 pm

Cool, thanks, I'll give it a shot and see what's up.
mute
 
Posts: 4
Joined: Tue Jun 10, 2003 2:21 pm

Postby mute » Tue Aug 19, 2003 8:46 pm

Gave pump +CAP_NET_ADMIN, compiled 2.4.21 + latest grsecurity.

Ran into the problem 5 minutes ago. Logged in, gradm -D'd

ifconfig'd eth0 down, tried to ifup eth0, hangs hangs hangs..

nothing in dmesg. Reboot the box, works fine.

4 days of uptime at the time it occurred.
mute
 
Posts: 4
Joined: Tue Jun 10, 2003 2:21 pm
