Problem mounting encrypted drive

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Moderators: spender, PaX Team

Problem mounting encrypted drive

Postby snow » Mon Jan 23, 2017 3:19 pm

Hi!

If i try to mount a encrypted drive (dm-crypt with LUKS) in my filemanager i get the error: "Not authorized to perform operation". It's not promting me for the su password and just giving me this error.

Unfortunately my encrypted LVM mounts fine at boot, but i can't mount some harddrives with the grsec kernel. On the Stock kernel everything works fine.

Any ideas what causes this problem?

Best regards
snow
 
Posts: 5
Joined: Mon Jan 23, 2017 3:11 pm

Re: Problem mounting encrypted drive

Postby spender » Mon Jan 23, 2017 6:29 pm

I assume you're using udisks, if so then this is by design. We prevent unprivileged mounts via CONFIG_GRKERNSEC_MODHARDEN, including assisted unprivileged mounts via udisks.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Re: Problem mounting encrypted drive

Postby snow » Tue Jan 24, 2017 2:19 pm

Thanks for the quick response.

Is there a workaround for this without disabling the whole CONFIG_GRKERNSEC_MODHARDEN feature?
snow
 
Posts: 5
Joined: Mon Jan 23, 2017 3:11 pm

Re: Problem mounting encrypted drive

Postby spender » Tue Jan 24, 2017 6:12 pm

In the patch there's a comment saying "hack to workaround consolekit/udisks stupidity". The code there is within an ifdef, remove everything between the ifdef and the endif. Also I should clarify my comment from above: it has to do with the introduction of filesystem modules for which that filesystem module hasn't already been loaded, not the mount itself (so you could also manually modprobe the relevant module as root, and that should work around it as well). If that doesn't fix it, then there's something else going on and I'd need to see what logs are present in dmesg.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Re: Problem mounting encrypted drive

Postby snow » Wed Jan 25, 2017 1:23 pm

Unfortunately the patch doesn't work anymore after removing this section. I found the comment in the file. The section looks like this:
Code: Select all
@@ -152,6 +150,20 @@ int __request_module(bool wait, const char *fmt, ...)
    if (ret)
       return ret;
 
+#ifdef CONFIG_GRKERNSEC_MODHARDEN
+   if (uid_eq(current_uid(), GLOBAL_ROOT_UID)) {
+      /* hack to workaround consolekit/udisks stupidity */
+      read_lock(&tasklist_lock);
+      if (!strcmp(current->comm, "mount") &&
+          current->real_parent && !strncmp(current->real_parent->comm, "udisk", 5)) {
+         read_unlock(&tasklist_lock);
+         printk(KERN_ALERT "grsec: denied attempt to auto-load fs module %.64s by udisks\n", module_name);
+         return -EPERM;
+      }
+      read_unlock(&tasklist_lock);
+   }
+#endif
+
    /* If modprobe needs a service that is in a module, we get a recursive
     * loop.  Limit the number of running kmod threads to max_threads/2 or
     * MAX_KMOD_CONCURRENT, whichever is the smaller.  A cleaner method


I removed the part in the ifdef, so it looks like this:
Code: Select all
@@ -152,6 +150,20 @@ int __request_module(bool wait, const char *fmt, ...)
    if (ret)
       return ret;
 
+#ifdef CONFIG_GRKERNSEC_MODHARDEN
+#endif
+
    /* If modprobe needs a service that is in a module, we get a recursive
     * loop.  Limit the number of running kmod threads to max_threads/2 or
     * MAX_KMOD_CONCURRENT, whichever is the smaller.  A cleaner method


By applying the patch i get the following error:
Code: Select all
patch: **** malformed patch at line 145516: @@ -180,16 +192,61 @@ int __request_module(bool wait, const char *fmt, ...)

which is the section directly afterwards. Am I missing something? Wheres my error in the modified file?


(so you could also manually modprobe the relevant module as root, and that should work around it as well)

Which module(s) would I have to load with modprobe?
snow
 
Posts: 5
Joined: Mon Jan 23, 2017 3:11 pm

Re: Problem mounting encrypted drive

Postby spender » Wed Jan 25, 2017 11:48 pm

I meant to remove it from the patched kernel source. If that's the only change within that hunk of the patch, then feel free to just remove that hunk from the patch instead. As for what modules would be involved, I don't know (I would need more information than provided). You can determine this from a vanilla kernel with the same config, looking at lsmod output prior to mounting the drive and after mounting the drive.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Re: Problem mounting encrypted drive

Postby snow » Fri Jan 27, 2017 4:12 am

I tried to remove the whole hunk but it didn't compile anymore, but removing it from the kmod.c file worked. The problem is it still doesn't mount my drive and there are no useful logs with dmesg and in /var/log/syslog around the time i mount the drive (there are just rejected iptables packets ...).
Strange thing is: my encrypted USB flash drive mounts fine.
snow
 
Posts: 5
Joined: Mon Jan 23, 2017 3:11 pm

Re: Problem mounting encrypted drive

Postby spender » Fri Jan 27, 2017 8:03 am

Did you enable CONFIG_GRKERNSEC_SYSFS_RESTRICT?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Re: Problem mounting encrypted drive

Postby snow » Fri Jan 27, 2017 10:52 am

# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set

This means the setting is disabled i guess?

Sorry I should have written my config already in the first post.

Configuration Method: Automatic
Usage Type: Desktop
Virtualization Type: Host
Virtualization HW: EPT/RVI support
Virtualization SW: KVM
Required Priorities: Security

I didn't customize the settings further

Here's the full config:
http://pastebin.com/sPKrMyEq
snow
 
Posts: 5
Joined: Mon Jan 23, 2017 3:11 pm

Re: Problem mounting encrypted drive

Postby spender » Fri Jan 27, 2017 6:16 pm

That looks fine -- I'm not sure what the problem could be then, based on the information you provided. You could try stracing the process reporting the error, or doing a binary-search disabling of grsec features to find the compatibility culprit.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA


Return to grsecurity support

cron