allow program to call /sbin/halt


Postby cross » Fri Nov 06, 2009 8:57 am

Hi!
I want to allow one of my programs to call /sbin/halt and shut down the system under grsec.
The program executes halt like:
execl("/sbin/halt", "/sbin/halt", (char *)NULL);

My rules for this application:
subject /opt/sbin/amd64/myprogram o {
    <skip some rules>
    /sbin/halt rxt
    -CAP_ALL
    +CAP_SETGID
    +CAP_SETUID
    +CAP_NET_BIND_SERVICE
    +CAP_FOWNER
    +CAP_FSETID
    +CAP_SYS_TIME
    +CAP_KILL
    +CAP_SYS_PTRACE
}
The rule for halt:
subject /sbin/halt o {
    /
    /etc h
    /etc/ld.so.cache r
    /lib rx
    /sbin h
    /sbin/halt x
    /sbin/shutdown x
    /var h
    /var/log w
    /var/run rw
    /dev/grsec h
    /proc r
    /proc/kcore h
    /proc/sys h
    /dev/mem h
    /dev/kmem h
    /dev/port h
    /dev/log h
    -CAP_ALL
    +CAP_SYS_BOOT
    +CAP_SYS_TTY_CONFIG
}

But still I have the message in the log. And the program can't call halt :(
Nov 6 15:44:17 kernel: [1216927.621573] grsec: From 192.168.68.172: (root:U:/opt/sbin/amd64/myprogram) denied ptrace of /sbin/halt by /sbin/halt[myprogram:11787] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

Any idea about what's wrong?
cross
 
Posts: 5
Joined: Fri Nov 06, 2009 8:43 am

Re: allow program to call /sbin/halt

Postby spender » Fri Nov 06, 2009 6:06 pm

/opt/sbin/amd64/myprogram needs "t" added to its subject mode:

http://en.wikibooks.org/wiki/Grsecurity ... ject_Modes

t Allow ptracing of any process (do not use unless necessary, allows ptrace to cross subject boundaries).


You should then add the "p" object flag to every object in the /opt/sbin/amd64/myprogram subject but /sbin/halt

http://en.wikibooks.org/wiki/Grsecurity ... ject_Modes
p Reject all ptraces to this object.


For the /sbin/halt *object* within the subject for /opt/sbin/amd64/myprogram, you should first try giving it the "t" object mode:

t This object can be ptraced, but cannot modify the running task. This is referred to as a 'read-only ptrace'.


But if that fails, just leave it off.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Re: allow program to call /sbin/halt

Postby cross » Mon Nov 09, 2009 10:36 am

Thanks for the answer, Brad.
But it still doesn't work :( I made all the changes mentioned above.
Now it looks like:

subject /opt/sbin/amd64/myprogram ot {
    <skip some rules>
    /sbin/halt rx
    -CAP_ALL
    +CAP_SETGID
    +CAP_SETUID
    +CAP_NET_BIND_SERVICE
    +CAP_FOWNER
    +CAP_FSETID
    +CAP_SYS_TIME
    +CAP_KILL
    +CAP_SYS_PTRACE
}
The rule for halt:
subject /sbin/halt o {
    /
    /etc h
    /etc/ld.so.cache r
    /lib rx
    /sbin h
    /sbin/halt x
    /sbin/shutdown x
    /var h
    /var/log w
    /var/run rw
    /dev/grsec h
    /proc r
    /proc/kcore h
    /proc/sys h
    /dev/mem h
    /dev/kmem h
    /dev/port h
    /dev/log h
    -CAP_ALL
    +CAP_SYS_BOOT
    +CAP_SYS_TTY_CONFIG
}
Still have:
Nov 9 17:31:41 kernel: [1482571.199187] grsec: From 192.168.68.172: (root:U:/opt/sbin/amd64/myprogram) denied ptrace of /sbin/halt by /sbin/halt[myprogram:29504] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
cross
 
Posts: 5
Joined: Fri Nov 06, 2009 8:43 am

Re: allow program to call /sbin/halt

Postby spender » Mon Nov 09, 2009 10:44 am

Ok, this seems to be related to a current known bug where execs with LSM_UNSAFE_SHARE are disallowed (and logged as ptraces instead of CLONE_FS attempts). Unlike with ptrace, these execs can't currently be given an exception under RBAC policy. It'll be fixed in the next patch.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Re: allow program to call /sbin/halt

Postby cross » Wed Nov 11, 2009 9:04 am

It is a stupid question, but I am not the only one who has that problem (see viewtopic.php?f=5&t=2214).
Any plans for when this patch will be released?
cross
 
Posts: 5
Joined: Fri Nov 06, 2009 8:43 am

Re: allow program to call /sbin/halt

Postby spender » Wed Nov 11, 2009 10:07 am

Yes, the patch I released last night fixes the problem. In your case, you should have t in the subject mode, and then add "p" to every object in that subject (since it doesn't need to ptrace anything, it just needs to use CLONE_FS).

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA
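
Added example (not part of the original thread, and not grsecurity's own tooling): a small Python check for the advice in the reply above, listing every object that lacks the "p" flag inside a subject whose mode includes "t". The sample policy is constructed, and the parser assumes one object per line starting with "/" and "#" comments; the function name is hypothetical.

```python
import re

# Constructed sample policy; the real rules are elided in the thread.
SAMPLE_POLICY = """\
subject /opt/sbin/amd64/myprogram ot {
    /               rp
    /lib            rxp
    /var/run        rw
    /sbin/halt      rx
    -CAP_ALL
    +CAP_SYS_PTRACE
}

subject /sbin/halt o {
    /
    /lib            rx
    /sbin/halt      x
    -CAP_ALL
    +CAP_SYS_BOOT
}
"""

# "subject <path> [<modes>] {" ; the mode letters are optional.
SUBJECT_RE = re.compile(r"^subject\s+(\S+)(?:\s+([A-Za-z]+))?\s*\{")

def objects_missing_p(policy_text):
    """Map each subject with mode 't' to its objects that lack the 'p' flag."""
    findings = {}
    current = None  # subject path while inside a 't'-mode block, else None
    for raw in policy_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not line:
            continue
        m = SUBJECT_RE.match(line)
        if m:
            current = m.group(1) if "t" in (m.group(2) or "") else None
            if current is not None:
                findings[current] = []
        elif line.startswith("}"):
            current = None
        elif current is not None and line.startswith("/"):
            fields = line.split()
            mode = fields[1] if len(fields) > 1 else ""  # bare path: no flags
            if "p" not in mode:
                findings[current].append(fields[0])
    return findings

if __name__ == "__main__":
    for subject, objs in objects_missing_p(SAMPLE_POLICY).items():
        print(subject, "->", ", ".join(objs) or "all objects carry p")
```

A subject without "t" in its mode, such as /sbin/halt in the sample, is not reported because it cannot ptrace across subject boundaries in the first place.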

Re: allow program to call /sbin/halt

Postby cross » Thu Nov 12, 2009 6:49 am

Thanks a lot.
cross
 
Posts: 5
Joined: Fri Nov 06, 2009 8:43 am

