grsecurity forums

[Grach]

Though some significant level of isolation can be achieved today with Gresecurity's chroot restrictions and RBAC, it seems there's no simple, supported and stable way to restrict a group of chrooted processes to a sigle IP address as a source of outgoing packets. Do you plan to (ever) implement something to restrict the connect() sockets' source addresses?

There is LXC - the lightweight container implementation for Linux, similar to FreeBSD jails:
http://www.ibm.com/developerworks/linux ... ontainers/
It does restrict source addresses of outgoing connections, but I have no success to run it with Grsecurity and Gentoo's hardened sources 2.6.27-r7: patching and compiling are ok, but it panics the kernel early during boot. Any chances Grsecurity will ever work with something like that?

[Grach]

If anyone interested, here's another code to deal with connect() (I didn't try it yet):
https://lists.linux-foundation.org/pipe ... 15140.html

[spender]

If I add something like this, it would be within the RBAC system, since for grsecurity I like to keep the non-RBAC features simple enough to require no configuration.

-Brad

[Grach]

I understand it's not a priority at all. But still... When, approximately, do you plan (?) to implement something like this? Also, if such RBAC functionality should be funded, how much would it be worth and how long would it take to be implemented? My employers are poor startup company, but who knows... At least let us to be aware of the price, please.

[spender]

It shouldn't take too long to write; the second link has the basic idea. Would you need separate rules for bind and connect? Would it need to support more than one IP address?

-Brad

[Grach]

Would you need separate rules for bind and connect?

"Need" is not the word, but yes, that would be very useful.

Would it need to support more than one IP address?

Though one IP address is basically enough, multiple IP addresses would be just plain awesome.

[spender]

I've just finished writing up the code for gradm and both the 2.4 and 2.6 patches. I'm testing it now to make sure it works properly. Use of it is pretty simple, all it involves is the following line in your policy:

ip_override <IP Address>

This causes binds to INADDR_ANY or connects for the given subject without an associated bind to a local address to be bound to the IP address you specify. Through the bind rules already existing in the RBAC system, you've been able to choose which IPs a process can bind to for their connects, so this is strictly for the INADDR_ANY case.

-Brad

[spender]

Code works, I uploaded a new gradm 2.1.13 tarball and the patches for 2.4.37 and 2.6.28.7.

-Brad

[Grach]

This is the last major thing we were missing in Grsecurity/PaX kernels, and now we can finally replace FreeBSD with Hardened Gentoo. Thank you very much!