Nested subjects and RBAC reloading

Submit your RBAC policies or suggest policy improvements

Moderators: spender, PaX Team

Postby Hue-Bond » Tue Mar 07, 2006 7:15 pm

Simple script:

Code:
#!/bin/bash
while /bin/sleep 3; do 
        /bin/echo abc   
done


ACL:

Code:
subject /home/hue/bin/echoer hpdAo {
user_transition_allow hue
group_transition_allow hue

        /                               h
        /bin                            h
        /bin/bash                       x
        /bin/echo                       x
        /bin/sleep                      x
        /dev                            h
        /dev/tty                        rw
        /dev/urandom                    r
        /etc                            h
        /etc/ld.so.cache                r
        /etc/mtab                       r
        /home                           h
        /home/hue
        /home/hue/bin/echoer            rx
        /lib                            h
        /lib/ld-2.3.6.so                x
        /lib/libc-2.3.6.so              rx
        /lib/libdl-2.3.6.so             rx
        /lib/libncurses.so.5.5          rx
        /proc                           h
        /proc/meminfo                   r
        /usr                            h
        /usr/lib/gconv/gconv-modules.cache      r
        /usr/lib/locale
        /usr/lib/locale/en_US.utf8      r
        /usr/share/locale               r
        -CAP_ALL
        bind    disabled
        connect disabled
}

subject /home/hue/bin/echoer:/bin/sleep hpdAo {
user_transition_allow hue
group_transition_allow hue

        /                               h
        /dev                            h
        /dev/urandom                    r
        /etc                            h
        /etc/ld.so.cache                r
        /lib                            h
        /lib/ld-2.3.6.so                x
        /lib/libc-2.3.6.so              rx
        /usr                            h
        /usr/lib/gconv/gconv-modules.cache      r
        /usr/lib/locale
        /usr/lib/locale/en_US.utf8      r
        /usr/share/locale               r
        -CAP_ALL
        bind    disabled
        connect disabled
}

subject /home/hue/bin/echoer:/bin/echo hpdAo {
user_transition_allow hue
group_transition_allow hue

        /                               h
        /dev                            h
        /dev/urandom                    r
        /etc                            h
        /etc/ld.so.cache                r
        /lib                            h
        /lib/ld-2.3.6.so                x
        /lib/libc-2.3.6.so              rx
        /usr                            h
        /usr/lib/gconv/gconv-modules.cache      r
        /usr/lib/locale
        /usr/lib/locale/en_US.utf8      r
        /usr/share/locale               r
        -CAP_ALL
        bind    disabled
        connect disabled
}


If I run the script and then reload gradm in another console, everything's ok:

Code:
$ echoer
abc
abc
abc
abc
abc
^C
$ _


As expected. Now let's try prepending "/bin/bash:" to each subject (and commenting out '/home/hue/bin/echoer rx' from the echoer policy to avoid an error from gradm about duplicated objects, since there's a line like that in bash policy):

Code:
$ echoer
abc
abc
abc
/home/hue/bin/echoer: line 3: /bin/echo: No such file or directory
/home/hue/bin/echoer: line 2: /bin/sleep: No such file or directory


When I do 'gradm -R', the system forgets the nesting and starts placing processes in the default subject:

Code:
(hue:U:/bin/bash) exec of /home/hue/bin/echoer (echoer ) by /bin/bash[...]
(hue:U:/home/hue/bin/echoer) exec of /bin/sleep (/bin/sleep 3 ) by /home/hue/bin/echoer[...]
(hue:U:/home/hue/bin/echoer) exec of /bin/echo (/bin/echo abc ) by /home/hue/bin/echoer[...]
(hue:U:/home/hue/bin/echoer) exec of /bin/sleep (/bin/sleep 3 ) by /home/hue/bin/echoer[...]
(hue:U:/home/hue/bin/echoer) exec of /bin/echo (/bin/echo abc ) by /home/hue/bin/echoer[...]
(hue:U:/home/hue/bin/echoer) exec of /bin/sleep (/bin/sleep 3 ) by /home/hue/bin/echoer[...]
(hue:U:/home/hue/bin/echoer) exec of /bin/echo (/bin/echo abc ) by /home/hue/bin/echoer[...]
(hue:U:/home/hue/bin/echoer) exec of /bin/sleep (/bin/sleep 3 ) by /home/hue/bin/echoer[...]
(admin:S:/) exec of /sbin/gradm (gradm -R ) by /bin/bash[...]
(root:U:/sbin/gradm) grsecurity 2.1.8 RBAC system reloaded by /sbin/gradm[...]
(hue:U:/) denied access to hidden file /bin/echo by /home/hue/bin/echoer[...]
<repeated 2 more times>
(hue:U:/) denied access to hidden file /usr/share/locale by /home/hue/bin/echoer[...]
<repeated 5 more times>
(hue:U:/) denied access to hidden file /bin/sleep by /home/hue/bin/echoer[...]
more alerts, logging disabled for 1 seconds


I expect the same results as in the first case. Am I doing something wrong?
Hue-Bond
 
Posts: 34
Joined: Mon Dec 13, 2004 4:31 pm
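
The audit lines quoted above can be checked automatically for this failure mode. The following is an added example, not part of the original post or of gradm: it parses constructed log lines in the abbreviated form shown in the post, records which subject each executable ran under before the "RBAC system reloaded" event, and flags any later line where that same executable is now matched by the default subject "/".

```python
import re

# Constructed sample in the abbreviated form quoted in the post above; real
# grsecurity lines carry a "grsec:" prefix and full pid/uid details inside
# the brackets, which are elided here as [...].
SAMPLE_LOG = """\
(hue:U:/bin/bash) exec of /home/hue/bin/echoer (echoer ) by /bin/bash[...]
(hue:U:/home/hue/bin/echoer) exec of /bin/sleep (/bin/sleep 3 ) by /home/hue/bin/echoer[...]
(hue:U:/home/hue/bin/echoer) exec of /bin/echo (/bin/echo abc ) by /home/hue/bin/echoer[...]
(admin:S:/) exec of /sbin/gradm (gradm -R ) by /bin/bash[...]
(root:U:/sbin/gradm) grsecurity 2.1.8 RBAC system reloaded by /sbin/gradm[...]
(hue:U:/) denied access to hidden file /bin/echo by /home/hue/bin/echoer[...]
<repeated 2 more times>
(hue:U:/) denied access to hidden file /bin/sleep by /home/hue/bin/echoer[...]
"""

# (user:roletype:subject) message by /path/to/exe[...]
LINE_RE = re.compile(
    r"^\((?P<user>[^:]+):(?P<rtype>[A-Z]):(?P<subject>[^)]*)\) "
    r"(?P<msg>.+?) by (?P<exe>/\S+?)\["
)

def parse_line(line):
    """Return the fields of one RBAC audit line, or None for lines such as
    '<repeated N more times>' that carry no event of their own."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_subject_regressions(log_text):
    """Return (exe, subject_before_reload, message) for each post-reload line
    where an executable that earlier ran under a dedicated subject is now
    handled by the default subject '/'."""
    last_subject = {}   # exe -> dedicated subject it ran under before the reload
    reloaded = False
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if "RBAC system reloaded" in ev["msg"]:
            reloaded = True
        elif not reloaded:
            if ev["subject"] != "/":
                last_subject[ev["exe"]] = ev["subject"]
        elif ev["subject"] == "/" and ev["exe"] in last_subject:
            findings.append((ev["exe"], last_subject[ev["exe"]], ev["msg"]))
    return findings
```

Run over a real log, every hit is a process that was running across the reload and has silently dropped to the default subject, which is exactly the point at which the hidden-file denials above begin.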

Postby spender » Sun Mar 12, 2006 4:12 pm

Can you show me the new policy? I don't want to make any assumptions by piecing together what you've said about the new policy.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Postby Hue-Bond » Sun Mar 12, 2006 5:41 pm

spender wrote: Can you show me the new policy?

Yes, of course:

Code:
subject /bin/bash:/home/hue/bin/echoer hpdAo {
user_transition_allow hue
group_transition_allow hue

        /                               h
        /bin                            h
        /bin/bash                       x
        /bin/echo                       x
        /bin/sleep                      x
        /dev                            h
        /dev/tty                        rw
        /dev/urandom                    r
        /etc                            h
        /etc/ld.so.cache                r
        /etc/mtab                       r
        /home                           h
        /home/hue
#       /home/hue/bin/echoer            rx
        /lib                            h
        /lib/ld-2.3.6.so                x
        /lib/libc-2.3.6.so              rx
        /lib/libdl-2.3.6.so             rx
        /lib/libncurses.so.5.5          rx
        /proc                           h
        /proc/meminfo                   r
        /usr                            h
        /usr/lib/gconv/gconv-modules.cache      r
        /usr/lib/locale
        /usr/lib/locale/en_US.utf8      r
        /usr/share/locale               r
        -CAP_ALL
        bind    disabled
        connect disabled
}

subject /bin/bash:/home/hue/bin/echoer:/bin/sleep hpdAo {
user_transition_allow hue
group_transition_allow hue

        /                               h
        /dev                            h
        /dev/urandom                    r
        /etc                            h
        /etc/ld.so.cache                r
        /lib                            h
        /lib/ld-2.3.6.so                x
        /lib/libc-2.3.6.so              rx
        /usr                            h
        /usr/lib/gconv/gconv-modules.cache      r
        /usr/lib/locale
        /usr/lib/locale/en_US.utf8      r
        /usr/share/locale               r
        -CAP_ALL
        bind    disabled
        connect disabled
}

subject /bin/bash:/home/hue/bin/echoer:/bin/echo hpdAo {
user_transition_allow hue
group_transition_allow hue

        /                               h
        /dev                            h
        /dev/urandom                    r
        /etc                            h
        /etc/ld.so.cache                r
        /lib                            h
        /lib/ld-2.3.6.so                x
        /lib/libc-2.3.6.so              rx
        /usr                            h
        /usr/lib/gconv/gconv-modules.cache      r
        /usr/lib/locale
        /usr/lib/locale/en_US.utf8      r
        /usr/share/locale               r
        -CAP_ALL
        bind    disabled
        connect disabled
}

Code:
$ diff -u pol1 pol2
--- pol1        2006-03-12 22:27:01.000000000 +0100
+++ pol2        2006-03-12 22:26:40.000000000 +0100
@@ -1,4 +1,4 @@
-subject /home/hue/bin/echoer hpdAo {
+subject /bin/bash:/home/hue/bin/echoer hpdAo {
 user_transition_allow hue
 group_transition_allow hue

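Review bot: renaming the subject to /bin/bash:/home/hue/bin/echoer makes the rule conditional on the RBAC system having watched /bin/bash exec echoer, so a script already running when `gradm -R` is issued has no recorded exec chain and is matched by the default subject instead, which is the (hue:U:/) behaviour in the log. If the script must keep working across a reload, keep an un-nested `subject /home/hue/bin/echoer` alongside the nested one, or restart the script after reloading.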
@@ -15,7 +15,7 @@
         /etc/mtab                       r
         /home                           h
         /home/hue
-        /home/hue/bin/echoer            rx
+#       /home/hue/bin/echoer            rx
         /lib                            h
         /lib/ld-2.3.6.so                x
         /lib/libc-2.3.6.so              rx
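Review bot: commenting out `/home/hue/bin/echoer rx` means this subject now relies on the object it inherits from the /bin/bash subject, which the diff does not show; confirm that inherited object grants at least `r`, since bash keeps reading the script file while it runs it, and that its mode is not narrower than the `rx` being removed here.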
@@ -33,7 +33,7 @@
         connect disabled
 }

-subject /home/hue/bin/echoer:/bin/sleep hpdAo {
+subject /bin/bash:/home/hue/bin/echoer:/bin/sleep hpdAo {
 user_transition_allow hue
 group_transition_allow hue

@@ -55,7 +55,7 @@
         connect disabled
 }

-subject /home/hue/bin/echoer:/bin/echo hpdAo {
+subject /bin/bash:/home/hue/bin/echoer:/bin/echo hpdAo {
 user_transition_allow hue
 group_transition_allow hue
 
Hue-Bond
 
Posts: 34
Joined: Mon Dec 13, 2004 4:31 pm

Postby spender » Mon Mar 13, 2006 7:20 pm

Ok, I see the problem more clearly now. It's not a bug, but simply a limitation of the system as it has to do with reloading. I'll give you an example to demonstrate why it's difficult to give expected behavior in these cases. What you want is for the program to work the same as it did before the reload, but to apply those nested rules, the RBAC system has to actually see the chain of execution. Without seeing that, we can't really determine at runtime who executed what, since programs can fork+exec+exit. Say you wanted to do a nested subject on a daemon, and for it to persist across reload (which is really just a disable+enable). The daemon wasn't started by init, but after its fork+exit, it is reparented to init. The RBAC system doesn't know about any of that unless it happened while it was enabled.

A possible solution for an atomic reload would be to save that state upon disable and use it on enable, but there is no solution I think for a disable/enable case.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Postby Hue-Bond » Tue Mar 14, 2006 11:44 am

spender wrote: The daemon wasn't started by init, but after its fork+exit, it is reparented to init.

Maybe the system could build the tree on initialization by looking at the PPID of the processes. Yes, it is a workaround that would yield init as the parent of your example daemon but I think it would be better than nothing.

spender wrote: A possible solution for an atomic reload would be to save that state upon disable and use it on enable

Since RBAC shouldn't normally be turned off in a production environment, I find this solution rather acceptable, and certainly better than the PPID hack.
Hue-Bond
 
Posts: 34
Joined: Mon Dec 13, 2004 4:31 pm
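
Brad's fork+exec+exit example and the PPID workaround proposed in reply can be modelled. The toy below is added here and is not gradm's matching code: it assumes a nested subject is named by the chain of executables the RBAC system watched being exec'd, reconstructs that chain from a constructed process snapshot by walking PPIDs up to the nearest top-level subject (or init), and shows the reconstruction succeeding for the still-running bash, echoer, sleep chain but not for a daemon that has been reparented to init.

```python
INIT_PID = 1

def subject_from_ppid_walk(procs, pid, root_subjects):
    """Reconstruct a nested-subject name for `pid` from a process snapshot
    (list of (pid, ppid, exe) tuples) by walking PPIDs upward until a process
    whose executable has a top-level subject in the policy, or init, is hit.
    This is the PPID-based workaround, not what the RBAC system observes live."""
    by_pid = {p: (pp, exe) for p, pp, exe in procs}
    chain = []
    while pid in by_pid:
        ppid, exe = by_pid[pid]
        chain.append(exe)
        if exe in root_subjects or pid == INIT_PID:
            break
        pid = ppid
    return ":".join(reversed(chain))

def subjects_lost_on_reload(observed, procs, root_subjects):
    """Compare the subject each process was matched to while RBAC was enabled
    (`observed`: pid -> nested subject name) with what a PPID walk would
    reconstruct after a disable+enable; return the pids whose nested subject
    cannot be recovered and would therefore fall to the default subject."""
    return [pid for pid, name in observed.items()
            if subject_from_ppid_walk(procs, pid, root_subjects) != name]

# Constructed snapshot (hypothetical pids and daemon path): bash (pid 200) ran
# echoer, which is currently running sleep; bash also started mydaemon, which
# forked, exited and was reparented to init, so its PPID is now 1.
SNAPSHOT = [
    (1, 0, "/sbin/init"),
    (100, 1, "/bin/login"),
    (200, 100, "/bin/bash"),
    (300, 200, "/home/hue/bin/echoer"),
    (301, 300, "/bin/sleep"),
    (400, 1, "/usr/sbin/mydaemon"),
]
ROOT_SUBJECTS = {"/bin/bash"}   # top-level subjects defined in the policy

# Names the RBAC system derived at exec time, before the reload.
OBSERVED = {
    301: "/bin/bash:/home/hue/bin/echoer:/bin/sleep",
    400: "/bin/bash:/usr/sbin/mydaemon",
}
```

For pid 400 the walk yields /sbin/init:/usr/sbin/mydaemon rather than the /bin/bash:/usr/sbin/mydaemon the policy names, which is why saving the observed state across an atomic reload recovers more than a PPID walk can.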

