grsecurity forums

[Kyoshiro]

I've noticed a problem with RES_* access controls. It seems to mess with other ACLs.

For example, I try to contact a ldap server in admin role. In each case ldapsearch works correctly in default mode and pam_ldap too. Then it's not a ldap config issue.I have this policy for admin role :

Code: Select all

role admin sA
subject / rk {
        / rwcdmxil
        +CAP_ALL
         RES_FILES unlimited unlimited
}

With these rules,in admin role :
- ldapsearch on a remote ldap server => unable to contact server. In fact I receive nothing on the ldap server and strace tells me that connect is in state -EINPROG, in progress. But the ldapsearch is doing a select on -1 fd, => -EINVAL. No grsecurity logs.
- telnet/nc remote ldap server make through it

When I add the learning mode to subject /, ldapsearch works fine and the learning log says someting like :

Code: Select all

admin   72      0       0       /usr/bin/ldapsearch     /       u       -1      0       0       xxx.xxx.xxx.xxx
admin   72      0       0       /usr/bin/ldapsearch     /       g       -1      0       0       xxx.xxx.xxx.xxx

If I remove the learning mode and any RES_*, ldapsearch is ok in admin role.

[Kyoshiro]

In fact it seems related to "unlimited" keywords...

[spender]

Is it only with RES_FILES or with any of the resource limits? Can you trigger the problem with any other application that you could give me an strace of?

-Brad

[Kyoshiro]

Sorry it was RES_NOFILE and not RES_FILES but I suppose you understood .

In fact the problem is related to "unlimited" keyword and I'm now sure of it. I put in the default subject of a role the object : RES_NPROC unlimited unlimited. The result was I couldn't even authenticate to that role. GrSec logs says :

special role test failure for /sbin/gradm[gradm:7499] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:28423] uid/euid:0/0 gid/egid:0/0

When I remove the RES_NPROC line, everything's Ok. (And I'm sure I put the correct password about 10 times :p). This makes me think grsec RBAC replaces unlimited with 0.

If you still need the strace of the ldapsearch process I can give it to you. If I use netcat to connect to the ldap server, it works fine. I suppose ldapsearch doesn't behave like netcat. What's strange is that sockets should be limited by RES_NOFILE then...

[spender]

I'm unable to reproduce your problem. I'm certain grsec doesn't set the resource limits to 0 if you specify unlimited in your config, but you can verify it by setting your RES_NOFILE limit with ulimit -n 30, and then enable your policy that has RES_NOFILE unlimited unlimited, and after gradm -E, run ulimit -n to check your current limit. It should say unlimited.

-Brad

[Kyoshiro]

Okay, I'll try that. Anyway, we'll install the beta version soon, and maybe the problem will no more exist . I hope