virt-install playing poorly with grsecurity-hardened

Postby timbgo » Thu Nov 10, 2016 1:09 pm

In the first place, for the less advanced, virt-install that I attempt to use below is part of an incomplete deployment of the virt-manager package on my Gentoo machine (incomplete because my system is a no-systemd and also no-dbus system, and some functionality, most notably the GUI, does not get installed).

The last attempt, complete stdout:
( Devuan_AndrewM_161110_1645_stdout )
Code:
$ kvm_Devuan_AndrewM.sh
virt-install --virt-type kvm --os-variant=debianwheezy    --name=devuan-by-andrewm    --cpu=host --vcpus=2 --memory 2048 --disk path=/Cmn/kvm/images/devuan-by-andrewm--disk0    --cdrom ~/devuan_jessie_1.0.0-beta_amd64_CD.iso    --graphics none --network bridge=br0   --boot kernel=/mnt/cdrom/install.amd/vmlinuz,initrd=/mnt/cdrom/install.amd/initrd.gz,kernel_args='console=ttyS0'
ERROR    Error: --network bridge=br0: [Errno 13] Permission denied: '/proc/net/route'
$

and syslog:
( Devuan_AndrewM_161110_1645_messages )
Code:
Nov 10 16:44:58 g0n kernel: [1223278.318467] grsec: exec of /usr/local/bin/kvm_Devuan_AndrewM.sh (kvm_Devuan_AndrewM.sh ) by /usr/local/bin/kvm_Devuan_AndrewM.sh[bash:9620] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:31749] uid/euid:1000/1000 gid/egid:1000/1000
Nov 10 16:44:58 g0n kernel: [1223278.319120] grsec: exec of /bin/bash (bash /usr/local/bin/kvm_Devuan_AndrewM.sh ) by /bin/bash[kvm_Devuan_Andr:9620] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:31749] uid/euid:1000/1000 gid/egid:1000/1000
Nov 10 16:44:58 g0n kernel: [1223278.321222] grsec: exec of /usr/bin/virt-install (virt-install --virt-type kvm --os-variant=debianwheezy --name=devuan-by-andrewm --cpu=host --vcpus=2 --memory 2048 --disk path=/) by /usr/bin/virt-install[bash:9621] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:9620] uid/euid:1000/1000 gid/egid:1000/1000
Nov 10 16:44:58 g0n kernel: [1223278.322623] grsec: exec of /usr/share/virt-manager/virt-install (/usr/share/virt-manager/virt-install --virt-type kvm --os-variant=debianwheezy --name=devuan-by-andrewm --cpu=host --vcpus=2 --m) by /usr/share/virt-manager/virt-install[virt-install:9621] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:9620] uid/euid:1000/1000 gid/egid:1000/1000
Nov 10 16:44:58 g0n kernel: [1223278.323272] grsec: exec of /usr/bin/python2.7 (python2.7 /usr/share/virt-manager/virt-install --virt-type kvm --os-variant=debianwheezy --name=devuan-by-andrewm --cpu=host --v) by /usr/bin/python2.7[virt-install:9621] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:9620] uid/euid:1000/1000 gid/egid:1000/1000
Nov 10 16:44:58 g0n kernel: [1223278.554195] grsec: exec of /bin/bash (sh -c LC_ALL=C LANG=C /sbin/ldconfig -p 2>/dev/null ) by /bin/bash[python2.7:9622] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/python2.7[python2.7:9621] uid/euid:1000/1000 gid/egid:1000/1000
Nov 10 16:44:58 g0n kernel: [1223278.556854] grsec: exec of /sbin/ldconfig (/sbin/ldconfig -p ) by /sbin/ldconfig[sh:9623] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[sh:9622] uid/euid:1000/1000 gid/egid:1000/1000
Nov 10 16:44:59 g0n kernel: [1223278.819222] grsec: chdir to / by /usr/bin/python2.7[python2.7:9624] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/python2.7[python2.7:9621] uid/euid:1000/1000 gid/egid:1000/1000
Nov 10 16:44:59 g0n kernel: [1223278.821065] grsec: exec of /usr/sbin/libvirtd (/usr/sbin/libvirtd --timeout=30 ) by /usr/sbin/libvirtd[python2.7:9625] uid/euid:1000/1000 gid/egid:1000/1000, parent /[python2.7:9624] uid/euid:1000/1000 gid/egid:1000/1000
Nov 10 16:44:59 g0n kernel: [1223278.838436] grsec: exec of /bin/kmod (/sbin/modprobe -q -- net-pf-16-proto-9 grsec_modharden_normal1000_ ) by /bin/kmod[kworker/u8:4:9641] uid/euid:0/0 gid/egid:0/0, parent /[kworker/u8:4:9133] uid/euid:0/0 gid/egid:0/0
Nov 10 16:44:59 g0n libvirtd: SQL engine 'mysql' not supported
Nov 10 16:44:59 g0n libvirtd: auxpropfunc error no mechanism available
Nov 10 16:44:59 g0n libvirtd: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Nov 10 16:44:59 g0n kernel: [1223278.842533] grsec: exec of /usr/sbin/dnsmasq (/usr/sbin/dnsmasq --version ) by /usr/sbin/dnsmasq[libvirtd:9643] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/sbin/libvirtd[libvirtd:9642] uid/euid:1000/1000 gid/egid:1000/1000
Nov 10 16:44:59 g0n kernel: [1223278.844900] grsec: exec of /usr/sbin/dnsmasq (/usr/sbin/dnsmasq --help ) by /usr/sbin/dnsmasq[libvirtd:9644] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/sbin/libvirtd[libvirtd:9642] uid/euid:1000/1000 gid/egid:1000/1000


I may also show later the attempt with GRADM enabled (it always ends in a Segmentation fault, for short). But this attempt is with GRADM disabled.

And there's no way to surpass the last hurdle, represented by the:
Code:
ERROR    Error: --network bridge=br0: [Errno 13] Permission denied: '/proc/net/route'

in the stdout above...

I do have:
Code:
# grep GRKERNSEC_PROC .config
CONFIG_GRKERNSEC_PROC_GID=10
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
#

in my:
Code:
# uname -r
4.4.8-hardened-r1-161027_11
#

( and I may try later with the latest kernel --why that old kernel can be read in this bug:
=sys-kernel/hardened-sources-4.7.6: Kernel panic when starting KVM guests
https://bugs.gentoo.org/show_bug.cgi?id=597554
)
So CONFIG_GRKERNSEC_PROC_GID=10 having been like this:
Code:
# cat /etc/group | grep -E '\<10\>'
wheel:x:10:root

and the stdout and the syslog above are both after I changed it to:
Code:
wheel:x:10:root,qemu,miro

( by issuing
Code:
# usermod -a -G wheel qemu
# usermod -a -G wheel miro

BTW also adding root to kvm group didn't help, with:
Code:
# usermod -a -G kvm root

)

I'm running virt-install command from terminal, actually I'm running this command from /usr/local/bin since I have the TPE on:
Code:
# cat /usr/local/bin/kvm_Devuan_AndrewM.sh
#!/usr/bin/env bash


# Script used to install VMs.
# You have to lvcreate the disk(s) first!
# lvcreate -L sizeG -n $name vg0

# dummy() is never called; its body only keeps the session notes below out
# of the way of the shell (bash still parses the function body, so the notes
# must stay free of unbalanced quotes).
dummy() {
###

# uname -a
Linux kvm-affinity-devuan-a 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u1 (2016-09-03) x86_64 GNU/Linux

# vgs
  VG   #PV #LV #SN Attr   VSize   VFree 
  vg0    1   2   0 wz--n- 232.48g 213.85g

# lvcreate -L 12G -n devuan-by-andrewm--disk0 vg0
  Logical volume "devuan-by-andrewm--disk0" created

# ls -lart /dev/mapper/vg0-devuan--by--andrewm----disk0
lrwxrwxrwx 1 root root 7 Sep 30 00:01 /dev/mapper/vg0-devuan--by--andrewm----disk0 -> ../dm-3


# lvdisplay /dev/mapper/vg0-devuan--by--andrewm----disk0
  --- Logical volume ---
  LV Path                /dev/vg0/devuan-by-andrewm--disk0
  LV Name                devuan-by-andrewm--disk0
  VG Name                vg0
  LV UUID                ffN5RP-YNZI-iSkz-PXb1-8o8A-CHh3-LlPIbq
  LV Write Access        read/write
  LV Creation host, time kvm-affinity-devuan-a, 2016-09-30 00:01:22 +1000
  LV Status              available
  # open                 0
  LV Size                12.00 GiB
  Current LE             3072
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:3


# ls -lart /Cmn/kvm/images/devuan-by-andrewm--disk0
lrwxrwxrwx 1 root root 53 Sep 29 16:56 /Cmn/kvm/images/devuan-by-andrewm--disk0 -> /dev/mapper/vg0-devuan--by--andrewm----disk0

# mkdir /mnt/cdrom && mount -o ro ~miro/devuan_jessie_1.0.0-beta_amd64_CD.iso /mnt/cdrom

# df -PTah /mnt/cdrom
Filesystem     Type     Size  Used Avail Use% Mounted on
/dev/loop0     iso9660  4.4G  4.4G     0 100% /cdrom

####
}

set -e

variant="--os-variant=debianwheezy"

name="--name=devuan-by-andrewm"

cpus="--cpu=host --vcpus=2"
memory="--memory 2048"
disk="--disk path=/Cmn/kvm/images/devuan-by-andrewm--disk0"

location="--cdrom ~/devuan_jessie_1.0.0-beta_amd64_CD.iso"

graphics="--graphics none"
network="--network bridge=br0"

boot="--boot kernel=/mnt/cdrom/install.amd/vmlinuz,initrd=/mnt/cdrom/install.amd/initrd.gz,kernel_args='console=ttyS0'"

# Assemble and echo the command line, then eval it so that the ~ in
# ${location} and the quotes in ${boot} are expanded as on a shell prompt.
CMD="virt-install --virt-type kvm ${variant}    ${name}    ${cpus} ${memory} ${disk}    ${location}    ${graphics} ${network}   ${boot}"
echo "${CMD}"
eval ${CMD}


which I follow from this thread on Devuan Forums:
Devuan KVM guest install using ISO, virt-install and text based installation
https://lists.dyne.org/lurker/thread/20 ... 7.ddc5e862
( maybe best read this email:
https://lists.dyne.org/lurker/message/2 ... 62.en.html
that's where the script that I used is from, it's Andrew McGlashan's script, only modified. )

And I set all the learning into my /etc/grsec/policy but it even asked for learning on the /usr/sbin/init...

So... So I'll first be reverting to my regular GRADM policy, which means abandoning these attempts, so I can go online, do some browsing and some posting, and replying to emails...

Have a look at how much learning was needed (grsec_161109_g5n_13 is my backup copy of /etc/grsec/policy):

Code:
# cat grsec_161109_g5n_13 | grep ' ol'
subject /sbin/init ol
subject /usr/sbin/libvirtd ol
subject /bin/env ol
subject /sbin/ldconfig ol
subject /usr/bin/glxgears ol
subject /usr/bin/glxinfo ol
subject /usr/bin/python2.7 ol
subject /usr/bin/virt-clone ol
subject /usr/bin/virt-convert ol
subject /usr/bin/virt-install ol
subject /usr/bin/virt-xml ol
subject /usr/share/virt-manager ol
#

All those needed to be set for learning to get to that step with the still unsuccessful virt-install command run...

Here are those for completeness (the glxgears and the glxinfo are not of the bunch, removing them; NOTE: I set those PAX_<...> lines out of desperation ;-) they're probably superfluous and useless if not wrong... Esp. since --I revised my understanding by re-reading the grsecurity kernel help-- there is no SEGMEXEC in AMD64 kernels... ):
Code:
cat grsec_161109_g5n_13 | grep -B1 -A5 ' ol' | grep -Ev 'glxgears|glxinfo'

# Role: root
subject /sbin/init ol
   /            h
   -CAP_ALL
   -PAX_SEGMEXEC
   -PAX_PAGEEXEC
   -PAX_MPROTECT
   bind   disabled
   connect   disabled
--
# Role: root
subject /usr/sbin/libvirtd ol
   /            h
   -CAP_ALL
   -PAX_SEGMEXEC
   -PAX_PAGEEXEC
   -PAX_MPROTECT
   bind   disabled
   connect   disabled
--
# Role: miro
subject /bin/env ol
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled

--
# Role: miro
subject /sbin/ldconfig ol
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled

--
# Role: miro
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled

# Role: miro
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled

--
# Role: miro
subject /usr/bin/python2.7 ol
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled

--
# Role: miro
subject /usr/bin/virt-clone ol
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled

# Role: miro
subject /usr/bin/virt-convert ol
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled

# Role: miro
subject /usr/bin/virt-install ol
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled

# Role: miro
subject /usr/bin/virt-xml ol
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled

--
# Role: miro
subject /usr/share/virt-manager ol
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled



I did search, but didn't find much on how to correctly deploy virt-manager (without GUI) and use virt-install to run VMs.

Maybe other grsecurity users have experience/advice to share on this?

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)
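As an added diagnostic (not from the post above, nor from grsecurity or virt-manager), the script below predicts from a copy of the kernel .config and a group file whether a given user can be expected to read a restricted /proc entry such as /proc/net/route. It assumes, per my reading of the grsecurity Kconfig, that GRKERNSEC_PROC_USER restricts such entries to root only while GRKERNSEC_PROC_USERGROUP admits members of GRKERNSEC_PROC_GID as well; the function names are mine, and only supplementary membership from the group file is checked (the primary gid from passwd is not).

```shell
#!/usr/bin/env bash
# Added example: offline check of grsecurity /proc restrictions against a
# user. Inputs are file paths, so copies of .config and /etc/group can be
# inspected on any machine. Assumption (my reading of the Kconfig, not text
# from the post): PROC_USER => root only; PROC_USERGROUP => PROC_GID members.

# Return 0 if user $3 is listed as a supplementary member of gid $2 in the
# group file $1 (primary gid from passwd is deliberately not consulted).
user_in_gid() {
    awk -F: -v gid="$2" -v u="$3" '
        $3 == gid {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Verdict for user $3 reading a restricted /proc entry, given .config $1 and
# group file $2:
#   open          - no GRKERNSEC_PROC restriction configured, or user is root
#   root-only     - GRKERNSEC_PROC_USER selected: group membership is not consulted
#   group-allowed - GRKERNSEC_PROC_USERGROUP selected and user is in PROC_GID
#   group-denied  - GRKERNSEC_PROC_USERGROUP selected but user is not in PROC_GID
proc_verdict() {
    local cfg="$1" grp="$2" user="$3" gid
    [ "$user" = root ] && { echo open; return; }
    grep -q '^CONFIG_GRKERNSEC_PROC=y' "$cfg" || { echo open; return; }
    if grep -q '^CONFIG_GRKERNSEC_PROC_USER=y' "$cfg"; then
        echo root-only
        return
    fi
    if grep -q '^CONFIG_GRKERNSEC_PROC_USERGROUP=y' "$cfg"; then
        gid=$(sed -n 's/^CONFIG_GRKERNSEC_PROC_GID=//p' "$cfg")
        if user_in_gid "$grp" "$gid" "$user"; then
            echo group-allowed
        else
            echo group-denied
        fi
        return
    fi
    echo open
}

# usage: proc_verdict /path/to/.config /etc/group miro
```

Fed the .config lines and the wheel line quoted in the post (constructed as input files), it reports root-only for miro, because under the assumption above PROC_USER takes the group membership out of the picture.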