grsecurity forums

by **skylearner** » Wed Jun 01, 2011 3:25 am

Hi,

I am trying to enable the RBAC on my system.

When I do gradm -E i am getting the following error.

Code: Select all: Reading access is allowed by role root to /lib/modules, the directory which holds kernel kernel modules. The ability to read these images provides an attacker with very useful information for launching "ret-to-libc" style attacks against the kernel. Reading access is allowed by role root to /proc/kallsyms, a pseudo-file that holds a mapping between kernel addresses and symbols. This information is very useful to an attacker in sophisticated kernel exploits. There were 2 holes found in your RBAC configuration. These must be fixed before the RBAC system will be allowed to be enabled.

How do I fix this problem.

In my /etc/grsec/policy file the policy specification for the root is like the following

Code: Select all: role root uG role_transitions admin role_allow_ip 0.0.0.0/32 subject / { / /bin x /dev h /dev/.udev /dev/.udev/queue.bin wd /dev/sr0 r /etc r /etc/grsec h /etc/ssh h /etc/shadow h /etc/shadow- h /etc/gshadow h /etc/gshadow- h /etc/ppp/chap-secrets h /etc/ppp/pap-secrets h /etc/samba/smbpasswd h /var h /var/lib/apt /var/lib/dpkg/status /var/run /var/run/gdm/auth-for-root-9gNbjw/database r /var/run/usplash.pid r /var/spool/cron/crontabs /lib rx /proc r /proc/kcore h /proc/sys h /proc/bus h /proc/slabinfo h /proc/modules h /root /root/.local /root/.recently-used.xbel r /tmp rwcd /usr /usr/local h /usr/local/lib/python2.6/dist-packages /usr/local/share /usr/local/share/icons /usr/share r /usr/bin x /usr/lib rx /usr/src h /sys h /boot h -CAP_ALL bind disabled connect disabled } subject /bin/bash o { / h /bin h /bin/ls x /sbin h /sbin/reboot x /boot /lib /lib/modules h /root /root/.bash_history ra /usr /usr/bin x /usr/lib /usr/src h -CAP_ALL bind disabled connect disabled } subject /bin/dash o { / h /bin h /bin/cat x /bin/dash x /etc h /etc/default/rcS r /etc/init.d/rc x /etc/ld.so.cache r /lib h /lib/ld-2.10.1.so x /lib/tls/i686/cmov/libc-2.10.1.so rx /sbin h /sbin/hwclock x /sbin/usplash x /usr h /usr/bin/tput x /var h /var/run /var/run/sendsigs.omit a /dev /dev/tty8 w /dev/grsec h /dev/mem h /dev/kmem h /dev/port h /dev/log h /proc /proc/kcore h /proc/sys h /proc/bus h /proc/slabinfo h /proc/modules h -CAP_ALL bind disabled connect disabled } subject /bin/rm o { / h /bin h /bin/rm x /etc h /etc/ld.so.cache r /lib h /lib/ld-2.10.1.so x /lib/tls/i686/cmov/libc-2.10.1.so rx /var h /var/run/console /var/run/console/root wd -CAP_ALL bind disabled connect disabled } subject /bin/sed o { / h /bin h /bin/sed x /etc h /etc/ld.so.cache r /lib rx /lib/modules h /proc h /proc/filesystems r /var h /var/run/console /var/run/console/root rwcd /var/run/console/sedA7fRKV rwcd /selinux -CAP_ALL bind disabled connect disabled } subject /bin/umount o { / h /bin h /bin/umount x /lib rx /lib/modules h /usr h /usr/lib r /etc /etc/ld.so.cache r /etc/locale.alias r /etc/mtab rwcd /etc/mtab.tmp rwcd /etc/mtab~ wcdl /etc/mtab~4752 wcd /etc/grsec h /etc/ssh h /etc/passwd h /etc/shadow h /etc/shadow- h /etc/gshadow h /etc/gshadow- h /etc/ppp/chap-secrets h /etc/ppp/pap-secrets h /etc/samba/smbpasswd h /root -CAP_ALL +CAP_SYS_ADMIN bind disabled connect disabled } subject /etc/init.d o { / /bin rxi /etc rxi /etc/grsec h /etc/ssh h /etc/shadow h /etc/shadow- h /etc/gshadow h /etc/gshadow- h /etc/ppp/chap-secrets h /etc/ppp/pap-secrets h /etc/samba/smbpasswd h /lib rxi /lib/modules h /root h /root/.local /sbin xi /var h /var/lib/alsa /var/lib/alsa/asound.state rw /var/run /var/run/kerneloops.pid rwd /dev /dev/.initramfs /dev/.initramfs/usplash_fifo w /dev/null w /dev/snd/controlC0 rw /dev/tty8 rw /dev/grsec h /dev/mem h /dev/kmem h /dev/port h /dev/log h /proc r /proc/kcore h /proc/sys h /proc/bus h /proc/slabinfo h /proc/modules h /usr /usr/lib rxi /usr/local h /usr/local/lib/python2.6/dist-packages /usr/sbin h /usr/sbin/kerneloops /usr/sbin/laptop_mode /usr/bin xi /usr/share r /usr/src h /sys h /boot h -CAP_ALL +CAP_DAC_OVERRIDE +CAP_SYS_TTY_CONFIG bind disabled connect disabled } subject /sbin/hwclock o { / h /dev h /dev/rtc0 r /etc h /etc/ld.so.cache r /etc/localtime r /lib h /lib/ld-2.10.1.so x /lib/tls/i686/cmov/libc-2.10.1.so rx /sbin h /sbin/hwclock x -CAP_ALL +CAP_SYS_TIME bind disabled connect disabled } subject /sbin/init o { / /bin h /bin/dash x /dev h /dev/console w /dev/log rw /dev/null rw /proc /proc/kcore h /proc/sys h /proc/bus h /proc/slabinfo h /proc/modules h /etc/grsec h /etc/ssh h /etc/passwd h /etc/shadow h /var/backups h /etc/shadow- h /etc/gshadow h /etc/gshadow- h /var/log h /sys h /etc/ppp/chap-secrets h /etc/ppp/pap-secrets h /etc/samba/smbpasswd h /boot h /lib/modules h /usr/src h -CAP_ALL +CAP_KILL +CAP_SYS_TTY_CONFIG bind disabled connect disabled } subject /sbin/reboot o { user_transition_allow root / h /etc h /etc/ld.so.cache r /etc/locale.alias r /lib rx /lib/modules h /sbin h /sbin/reboot x /sbin/shutdown x /usr h /usr/lib r /usr/share h /usr/share/locale /usr/share/locale-langpack /var h /var/run/utmp r -CAP_ALL +CAP_SETUID bind disabled connect disabled } subject /sbin/shutdown o { user_transition_allow root / /dev h /dev/pts w /dev/tty7 w /lib rx /lib/tls h /lib/tls/i686/cmov/libc-2.10.1.so rx /lib/tls/i686/cmov/libpthread-2.10.1.so rx /lib/tls/i686/cmov/librt-2.10.1.so rx /lib/modules h /sbin h /sbin/shutdown x /usr h /usr/lib r /usr/share h /usr/share/locale /usr/share/locale-langpack /var h /var/log/wtmp w /var/run /var/run/utmp rw /etc /etc/ld.so.cache r /etc/locale.alias r /etc/localtime r /etc/grsec h /etc/ssh h /etc/passwd h /etc/shadow h /etc/shadow- h /etc/gshadow h /etc/gshadow- h /etc/ppp/chap-secrets h /etc/ppp/pap-secrets h /etc/samba/smbpasswd h /proc /proc/kcore h /proc/sys h /proc/bus h /proc/slabinfo h /proc/modules h /sys h /boot h -CAP_ALL +CAP_SETUID +CAP_SYS_TTY_CONFIG bind disabled connect disabled } subject /sbin/usplash o { / h /dev h /dev/.initramfs /dev/.initramfs/usplash_fifo rw /dev/console rw /dev/fb0 rw /dev/tty0 rw /dev/tty1 rw /dev/tty8 rw /etc h /etc/ld.so.cache r /lib rx /lib/tls h /lib/tls/i686/cmov/libc-2.10.1.so rx /lib/tls/i686/cmov/libdl-2.10.1.so rx /lib/modules h /proc h /proc/cmdline r /sbin h /sbin/usplash x /sys h /sys/devices/pci0000:00/0000:00:02.0 /sys/devices/pci0000:00/0000:00:02.0/graphics/fb0/virtual_size r /usr h /usr/lib/usplash/usplash-theme-ubuntu.so rx /var h /var/run /var/run/usplash.pid wc -CAP_ALL +CAP_SYS_TTY_CONFIG bind disabled connect disabled } subject /usr/bin/Xorg o { / h /dev/tty0 w /dev/tty7 w /tmp wd /var/run/gdm/auth-for-gdm-8zWy3u/database -CAP_ALL +CAP_CHOWN +CAP_SYS_ADMIN bind disabled connect disabled } subject /usr/bin/gedit o { / /etc h /etc/ld.so.cache r /etc/locale.alias r /etc/nsswitch.conf r /etc/passwd r /lib rx /lib/modules h /proc h /proc/filesystems r /var h /var/run /var/run/gdm/auth-for-root-9gNbjw/database r /home /home/karthik /home/karthik/tutorial /home/karthik/tutorial/applicationspecificsettings6 rw /home/karthik/tutorial/gradm r /root rwcd /root/.local h /root/.local/share /root/.config /root/.themes /tmp rw /usr /usr/bin h /usr/bin/gedit x /usr/lib rx /usr/local h /usr/local/share /usr/local/share/icons /usr/share r /usr/src h /dev/grsec h /dev/mem h /dev/kmem h /dev/port h /dev/log h /sys h /boot h -CAP_ALL bind disabled connect disabled } subject /usr/bin/nautilus o { / h /dev h /dev/null r /etc h /etc/gnome/defaults.list /etc/localtime /home h /home/karthik/tutorial/applicationspecificsettings6 /usr h /usr/bin h /usr/bin/gedit x /usr/local h /usr/local/share /usr/local/share/applications /usr/local/share/icons /usr/share r /proc /proc/kcore h /proc/sys h /proc/bus h /proc/slabinfo h /proc/modules h /root rwcd -CAP_ALL bind disabled connect disabled } subject /usr/bin/seahorse-daemon o { / h /dev/log rw /tmp rwd /usr/share/locale /usr/share/locale-langpack -CAP_ALL bind disabled connect disabled } subject /usr/bin/vim.tiny o { / h /boot h /boot/grub /boot/grub/.grub.cfg.swp rwcd /boot/grub/.grub.cfg.swx rwcd /boot/grub/grub.cfg rw /boot/grub/grub.cfz~ wcd /etc rwcd /etc/ssh h /etc/shadow h /etc/shadow- h /etc/gshadow h /etc/gshadow- h /etc/ppp/chap-secrets h /etc/ppp/pap-secrets h /etc/samba/smbpasswd h /lib rx /lib/modules h /proc h /proc/filesystems r /usr h /usr/bin/vim.tiny x /usr/lib r /usr/share/vim /var h /var/run /root r /selinux -CAP_ALL bind disabled connect disabled } subject /usr/lib/bonobo-activation/bonobo-activation-server o { / /dev h /dev/log rw /dev/null rw /dev/urandom r /etc r /etc/bonobo-activation h /etc/bonobo-activation/bonobo-activation-config.xml r /etc/grsec h /etc/ssh h /etc/shadow h /etc/shadow- h /etc/gshadow h /etc/gshadow- h /etc/ppp/chap-secrets h /etc/ppp/pap-secrets h /etc/samba/smbpasswd h /lib rx /lib/modules h /usr h /usr/lib rx /usr/share h /usr/share/locale /usr/share/locale-langpack /var h /var/run /tmp rwcd /proc/kcore h /proc/sys h /proc/bus h /proc/slabinfo h /proc/modules h /sys h /boot h -CAP_ALL bind disabled connect disabled } subject /usr/lib/gdm/gdm-simple-slave o { / h /tmp /var/log/wtmp w -CAP_ALL bind disabled connect disabled } subject /usr/lib/gvfs/gvfs-fuse-daemon o { user_transition_allow root / h /bin/umount x /etc/ld.so.cache r /etc/mtab /lib/libgcc_s.so.1 rx -CAP_ALL +CAP_SETUID bind disabled connect disabled } subject /usr/lib/libgconf2-4/gconfd-2 o { / h /root /root/.gconfd /root/.gconfd/saved_state rwcd /root/.gconfd/saved_state.orig rwcd /root/.gconfd/saved_state.tmp rwcd /tmp wd -CAP_ALL bind disabled connect disabled } subject /usr/lib/libvte9/gnome-pty-helper o { / h /var/log/wtmp w /var/run/utmp rw -CAP_ALL bind disabled connect disabled } subject /usr/sbin/NetworkManager o { / h /dev/log rw /var/run /var/run/NetworkManager.pid wd -CAP_ALL bind disabled connect disabled } subject /usr/sbin/acpid o { / h /dev/console w /dev/log rw -CAP_ALL +CAP_SYS_TTY_CONFIG bind disabled connect disabled } subject /usr/sbin/console-kit-daemon o { / h /dev h /dev/log rw /dev/null r /etc h /etc/ConsoleKit/run-session.d /lib h /lib/udev/udev-acl x /usr h /usr/lib/ConsoleKit/run-session.d /usr/lib/ConsoleKit/run-session.d/pam-foreground-compat.ck x /proc /proc/kcore h /proc/sys h /proc/bus h /proc/slabinfo h /proc/modules h -CAP_ALL bind disabled connect disabled } subject /usr/sbin/gdm-binary o { / h /var/run wd /var/run/gdm /var/run/gdm/auth-for-gdm-8zWy3u wd /var/run/gdm/auth-for-root-9gNbjw wd -CAP_ALL +CAP_FOWNER bind disabled connect disabled } subject /usr/sbin/modem-manager o { / h /dev/console w /dev/log rw -CAP_ALL +CAP_SYS_TTY_CONFIG bind disabled connect disabled }

by **spender** » Wed Jun 01, 2011 10:26 am

It looks as though you were performing administrative tasks while in the root role. These should only be done within the admin role. I'd advise you to restart the learning, as otherwise an attacker than gains uid 0 will be able to modify items in /boot/grub as is allowed by your current policy. To fix the errors on policy enabling, you need to add:

/lib/modules h
/proc/kallsyms h

below the "subject / {" line for the root role. If you could do me a favor as well, could you grep your learning log file for "/lib/modules" and "/proc/kallsyms" and paste the results here? You can remove any IP addresses that exist.

-Brad

by **spender** » Tue Jun 07, 2011 8:15 pm

As a followup, the version of gradm uploaded today includes a new directive, "read-protected-path", for learn_config. This directive tells the learning process to create subjects for processes that access certain sensitive information. I've filled up learn_config with a good set of default values for this that you should adopt into your own config. Using it will ensure you won't get similar error messages as you received previously. Thanks for reporting this!

-Brad

grsecurity forums

Problem enabling RBAC

Problem enabling RBAC

Re: Problem enabling RBAC

Re: Problem enabling RBAC