Learning mode messing with /proc

Submit your RBAC policies or suggest policy improvements

Moderators: spender, PaX Team

Learning mode messing with /proc

Postby Kyoshiro » Thu Aug 12, 2004 6:15 pm

I've enabled learning mode for a home made program, like this :
Code: Select all
subject /home/kyoshiro/projets/PW/src/wrapper-usage l {
       / h
       -CAP_ALL
       RES_FSIZE     0 0
       RES_DATA      0 0
       RES_RSS       0 0
       RES_NOFILE    0 0
       RES_MEMLOCK   0 0
       RES_STACK     0 0
       RES_AS        0 0
       RES_NPROC     0 0
       RES_LOCKS     0 0
       connect disabled
       bind disabled
}


Then I run :
gradm -L /etc/grsec/log -E
run /home/kyoshiro/projets/PW/src/wrapper-usage

- my program is frozen,
- I can't CTRL+C, I can't kill it (I tried all signals),
- ps hangs while reading /proc when it reaches the /proc/pid corresponding to my process. In fact, all programs trying to read /proc/pid/* for my learning mode program just hang.
- When not in root, I can list some files :
Code: Select all
-=( ~ )=- ls -l /proc/7152/
ls: cannot read symbolic link /proc/7152/cwd: Permission denied
ls: cannot read symbolic link /proc/7152/root: Permission denied
ls: cannot read symbolic link /proc/7152/exe: Permission denied
total 0
dr-xr-xr-x  2 root root 0 Aug 12 23:26 attr/
-r--------  1 root root 0 Aug 12 23:22 auxv
-r--r--r--  1 root root 0 Aug 12 23:22 cmdline
lrwxrwxrwx  1 root root 0 Aug 12 23:22 cwd
-r--------  1 root root 0 Aug 12 23:22 environ
lrwxrwxrwx  1 root root 0 Aug 12 23:22 exe
dr-x------  2 root root 0 Aug 12 23:26 fd/
-r--------  1 root root 0 Aug 12 23:22 ipaddr
-r--r--r--  1 root root 0 Aug 12 23:22 maps
-rw-------  1 root root 0 Aug 12 23:22 mem
-r--r--r--  1 root root 0 Aug 12 23:22 mounts
lrwxrwxrwx  1 root root 0 Aug 12 23:22 root
-r--r--r--  1 root root 0 Aug 12 23:19 stat
-r--r--r--  1 root root 0 Aug 12 23:22 statm
-r--r--r--  1 root root 0 Aug 12 23:22 status
dr-xr-xr-x  3 root root 0 Aug 12 23:26 task/


Learning log shows this (which was written just when I launched my program) :

Code: Select all
default 20      4026428564      8       <NULL>          7       3409485824              3       3223175879.3615299760.7.3


I can't do anything to that process when I disable RBAC (gradm -D), neither when going in admin role. I think it's not really normal :p...
I must say that my program is not a common one... It sets uid, gid, rlimits, capabilities and then it does its work.... I've set up some debug printf, and while grsec's RBAC is disabled, it works correctly. When I enable RBAC, nothing is printed out, even while I've put some printf at the very start of the program....

Any idea ? :)
Each time I test this, I must reboot since I can't kill the process I launch, and I can't even use ps. Maybe I should tell ps/ls/pstree developpers to make non-blocking reads :p.

Sorry Iforgot to tell my version :
grsec 2 with current patch for linux 2.6.7
latest gradm
Kyoshiro
 
Posts: 20
Joined: Thu Aug 12, 2004 5:45 pm

Re: Learning mode messing with /proc

Postby PaX Team » Fri Aug 13, 2004 3:40 am

Kyoshiro wrote:I can't do anything to that process when I disable RBAC (gradm -D), neither when going in admin role. I think it's not really normal :p...
I must say that my program is not a common one... It sets uid, gid, rlimits, capabilities and then it does its work.... I've set up some debug printf, and while grsec's RBAC is disabled, it works correctly. When I enable RBAC, nothing is printed out, even while I've put some printf at the very start of the program....
if the program is not too secret, could you send us strace outputs for both cases (with and without grsec enabled)? btw, spender's on vacation till next week-end, so don't expect it resolved before that (if it's a simple locking problem as it seems to be, maybe i can help it myself).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby Kyoshiro » Fri Aug 13, 2004 5:17 am

I'll send you the straces this afternoon (France :)), then in about 3 or 4 hours.

Thanks.
Kyoshiro
 
Posts: 20
Joined: Thu Aug 12, 2004 5:45 pm

Postby spender » Fri Aug 20, 2004 10:09 am

Your policy is probably not what you want. You have only "l" in the subject mode, and it looks like you want to use "ol". The subject is inheriting rules from the default subject and is most likely the reason why you are getting unexpected results.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA


Return to RBAC policy development

cron