Does the 'h' subject flag work properly?


Postby vinceh » Wed Aug 11, 2004 1:43 am

I'm currently trying to hide all processes in a special directory. I.e. /specialdir/hiddenproc should be hidden. So I added the following line to my policy:
subject /specialdir h

Then I started /specialdir/hiddenproc, checked out its PID (i.e. 12345) and enabled the RBAC system. As expected, the 12345 entry disappeared from the /proc directory listing. Then I tried to 'cat /proc/12345/cmdline' and quite unexpectedly, I could still view it. I could also view the dir listing of /proc/12345.
Even worse, after restarting /specialdir/hiddenproc, its PID even showed up in the /proc directory, making it visible to ps, pstree etc.


Am I doing something wrong or is this a problem with grsecurity?


I'm running grsec 2.0.1 on a kernel 2.6.7 and gradm 2.0.1.
Here is my complete policy (which is in no way intended to be secure yet):

role admin sA
subject / r {

        / rwcdmxi

        }

role default G
role_transitions admin

subject / {

        /               rwcdmxi
        /proc           rw
        /proc/kcore     h
        /proc/sys       r

        /etc            rx
        /etc/grsec      h

        /bin            rx
        /sbin           rx
        /usr/bin        rx
        /usr/sbin       rx
        /usr/local/bin  rx
        /usr/local/sbin rx

        /lib            rx
        /usr/lib        rx

        /boot           r
        /vmlinuz        r
        /vmlinuz.old    r

        /root           rx
        /root/.*        rwcdmxi

        /dev
        /dev/grsec      h
        /dev/urandom    r
        /dev/random     r
        /dev/zero       rw
        /dev/input      rw
        /dev/psaux      rw
        /dev/null       rw
        /dev/tty0       rw
        /dev/tty1       rw
        /dev/tty2       rw
        /dev/tty3       rw
        /dev/tty4       rw
        /dev/tty5       rw
        /dev/tty6       rw
        /dev/tty7       rw
        /dev/tty8       rw
        /dev/console    rw
        /dev/tty        rw
        /dev/pts        rw
        /dev/ptmx       rw
        /dev/dsp        rw
        /dev/mixer      rw
        /dev/initctl    rw
        /dev/fd0        r
        /dev/cdrom      r
        /dev/mem        h
        /dev/kmem       h
        /dev/port       h
        /dev/log        rw

        -CAP_SYS_MODULE
        -CAP_SYS_RAWIO
        -CAP_MKNOD
        -CAP_SYS_ADMIN
        -CAP_NET_ADMIN
        -CAP_NET_BIND_SERVICE
        -CAP_SYS_TTY_CONFIG

    }

subject /specialdir h

Postby spender » Wed Aug 11, 2004 7:58 am

I'm unable to duplicate this. Here's how I tested (on 2.0.1-2.6.7)

made a file /root/hide/test, that does a sleep(30);
added subject /root/hide h to my default role
/root/hide/test &
gradm -E
cat /proc/6149/environ
file not found
gradm -D
cat /proc/6149/environ
found

What did you do differently from this? Were you doing the cats in the admin role? If you think you followed these same steps, can you provide a log of it, including a gradm -S after your gradm -E?

-Brad

Postby vinceh » Wed Aug 11, 2004 2:59 pm

I just tried this again, and I seem to be one step closer now:

This time I used a simple "Hello World" program:

hidden.c
#include <stdio.h>
#include <unistd.h>   /* sleep() */

int main(void)
{
    printf("Hello World\n");
    sleep(90);
    return 0;
}


Result:
debian:/specialdir# gradm -S
The RBAC system is currently enabled.


On another console I started the process:
debian:/specialdir# ./hidden
Hello World


Back on the old console:

debian:/# ps aux | grep hidden
root     12673  0.0  0.0  1272  308 pts/6    S+   20:46   0:00 ./hidden
debian:/# cat /proc/12673/environ
cat: /proc/12673/environ: No such process
debian:/# ls /proc/12673/
auxv  cmdline  cwd  environ  exe  fd  ipaddr  maps  mem  mounts  root  stat  statm  status  task  wchan
debian:/# cat /proc/12673/cmdline
./hidden
debian:/#


Next thing I did was adding a simple '/specialdir rwx' line to the default subject of my default role.

Result:

debian:/specialdir# ./hidden &
Hello World
[1] 295
debian:/specialdir# ls /proc/295
ls: /proc/295: No such file or directory
debian:/specialdir# cat /proc/295/cmdline
cat: /proc/295/cmdline: No such file or directory
debian:/specialdir# cat /proc/295/environ
cat: /proc/295/environ: No such file or directory
debian:/specialdir# ps aux | grep hidden
debian:/specialdir#


So it seems like I need that "/specialdir rwx" line for the "subject /specialdir h" to work properly.

Postby spender » Wed Aug 11, 2004 3:46 pm

Oh, I see the problem. I didn't see it the first time. Your rules are wrong. You have / rwxcdmi -> the i means inherit, which means when you execute the binary it inherits the subject /, and doesn't get the subject with the hidden flag. Having a / rwxcdmi rule is really not a good idea *at all* ;p I think I'll have to add this to the things that get enforced in gradm.

-Brad
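As an added example (not code from the thread, from gradm, or from either poster), the script below turns Brad's explanation into a policy lint: for every subject that has object rules, it looks at each other subject in the same role and resolves that subject's path against the first subject's objects; if the winning object carries the 'i' (inherit) flag, executing that binary inherits the current subject instead of entering the other one, so flags such as 'h' on the other subject never take effect. It embeds a trimmed copy of the default role posted above together with a corrected variant that drops the 'i' from the catch-all '/' object. Assumptions: only the policy subset seen in this thread is parsed (role, subject, object and capability lines), and object resolution is simplified to longest-path-prefix with fnmatch-style wildcards, an approximation of gradm's own closest-match lookup.

```python
"""Flag gradm object rules whose 'i' (inherit) flag prevents a role's other
subjects from ever being entered through exec.

Added example for this thread, not code from gradm or from either poster.
Assumptions: only the policy subset seen in the thread is parsed (role,
subject, object and capability lines); object matching is simplified to
longest-path-prefix with fnmatch-style wildcards.
"""
import fnmatch

# Constructed from the default role posted above, trimmed to the lines that
# matter: the catch-all object '/ rwcdmxi' plus the hidden '/specialdir' subject.
POLICY_FROM_THREAD = """\
role admin sA
subject / r {
    / rwcdmxi
}

role default G
role_transitions admin
subject / {
    / rwcdmxi
    /proc rw
    /proc/kcore h
    /etc/grsec h
    -CAP_SYS_MODULE
}
subject /specialdir h
"""

# Corrected variant: drop 'i' from the catch-all object so that executing
# /specialdir/hidden from the default subject transitions to 'subject /specialdir h'.
POLICY_CORRECTED = POLICY_FROM_THREAD.replace("/ rwcdmxi", "/ rwcdmx")


def parse_policy(text):
    """Return {role: {subject_path: {'flags': str, 'objects': {path: mode}}}}."""
    roles, role, subject, in_body = {}, None, None, False
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        key = tokens[0]
        if key == "role":
            role = roles.setdefault(tokens[1], {})
            subject, in_body = None, False
        elif key == "subject":
            rest = tokens[2:]                       # optional flags, optional '{'
            in_body = bool(rest) and rest[-1] == "{"
            flags = rest[0] if rest and rest[0] != "{" else ""
            subject = role.setdefault(tokens[1], {"flags": flags, "objects": {}})
        elif key == "{":
            in_body = True
        elif key == "}":
            subject, in_body = None, False
        elif subject is not None and in_body:
            # Skip capability (+CAP_/-CAP_) and socket policy lines; the rest are objects.
            if key[0] in "+-" or key in ("connect", "bind"):
                continue
            subject["objects"][key] = tokens[1] if len(tokens) > 1 else ""
    return roles


def best_object(objects, path):
    """Most specific object rule covering `path`: the longest matching path wins
    (simplified stand-in for gradm's closest-match resolution)."""
    best = None
    for obj, mode in objects.items():
        if any(c in obj for c in "*?["):
            hit = fnmatch.fnmatchcase(path, obj)
        else:
            hit = path == obj or path.startswith(obj.rstrip("/") + "/")
        if hit and (best is None or len(obj) > len(best[0])):
            best = (obj, mode)
    return best


def find_inherit_shadowing(roles):
    """For each subject S with objects, report other subjects T in the same role
    whose path resolves in S to an object carrying 'i': exec'ing T's binary from
    S then inherits S instead of entering T, so T's flags (e.g. 'h') never apply."""
    findings = []
    for role_name, subjects in roles.items():
        for s_path, s in subjects.items():
            for t_path in subjects:
                if t_path == s_path or not s["objects"]:
                    continue
                hit = best_object(s["objects"], t_path)
                if hit and "i" in hit[1]:
                    findings.append((role_name, s_path, t_path, hit[0], hit[1]))
    return findings


def lint(policy_text):
    return find_inherit_shadowing(parse_policy(policy_text))


if __name__ == "__main__":
    for label, text in (("posted", POLICY_FROM_THREAD), ("corrected", POLICY_CORRECTED)):
        for role, s, t, obj, mode in lint(text):
            print(f"{label}: role {role}: subject {s} object '{obj} {mode}' "
                  f"inherits over subject {t}")
```

Run against the posted policy the lint reports that, in role default, subject / resolves /specialdir to the object '/ rwcdmxi', whose 'i' swallows the exec; the corrected policy produces no findings. The same resolution also explains the workaround from the previous post: adding a more specific '/specialdir rwx' object to the default subject wins the longest-match lookup, carries no 'i', and so lets the exec transition to the hidden subject, even though the catch-all 'i' is still there for everything else.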

Postby vinceh » Wed Aug 11, 2004 4:09 pm

Eek. You're right. Thanks.

