Ability to extend permissions for gradm_pam/grlearn

Postby Blub » Wed Jul 16, 2014 8:12 am

On my system (ArchLinux) `/dev/log` is a symlink to `/run/systemd/journal/dev-log`, which is a systemd thing and causes warnings coming from gradm:
```
Warning: permission for symlink /dev/log in role users, subject /usr/bin/gradm_pam does not match that of its matching target object /run.  Symlink is specified on line 1587 of /etc/grsec/policy.
```

I haven't yet tried using gradm_pam at all but I'd assume that this warning also means that gradm_pam won't actually be able to access /dev/log.
So I was wondering what the common solution for this would be?
Should the warning just be ignored, or should ArchLinux patch gradm_adm.c to include the appropriate permissions?

There currently seems to be no way to extend these permissions - please correct me if I'm wrong - as adding the subject manually causes a "Duplicate subject found" error, and gradm_adm.c shows they use the 'o' flag (which makes total sense).

Would it be an acceptable solution to introduce the option of adding extra permissions in special variables used for these programs?
Like this:
--- a/gradm_adm.c   2014-07-16 13:53:49.950469128 +0200
+++ b/gradm_adm.c   2014-07-16 13:53:27.820468833 +0200
@@ -168,6 +168,7 @@ add_gradm_pam_acl(struct role_acl *role)
    struct ip_acl ip;
    struct protoent *proto;
    char *grpam_path;
+   struct var_object *extra_var;
 
    if (bikeshedding_detected())
       grpam_path = get_bikeshedded_path(GRPAM_PATH);
@@ -236,6 +237,10 @@ add_gradm_pam_acl(struct role_acl *role)
 
    add_sock_family(current_subject, "netlink");
 
+   extra_var = sym_retrieve("grsec_gradm_pam_extra");
+   if (extra_var)
+      interpret_variable(extra_var);
+
    return;
 }
 
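Review bot: The name "grsec_gradm_pam_extra" passed to sym_retrieve() just before the return in add_gradm_pam_acl() is a bare string literal, so nothing marks it as reserved and a policy author has no way to discover it. I would give it a named constant, the way the path uses GRPAM_PATH, and mention the variable in the gradm documentation. Because the call sits after the built-in entries (it follows add_sock_family(current_subject, "netlink")), it would also help to state what happens when the variable lists a path the built-in subject has already added.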
@@ -258,6 +263,7 @@ add_grlearn_acl(struct role_acl *role)
    struct stat fstat;
    struct ip_acl ip;
    char *grlearn_path;
+   struct var_object *extra_var;
 
    if (bikeshedding_detected())
       grlearn_path = get_bikeshedded_path(GRLEARN_PATH);
@@ -280,6 +286,10 @@ add_grlearn_acl(struct role_acl *role)
 
    add_cap_acl(current_subject, "-CAP_ALL", NULL);
 
+   extra_var = sym_retrieve("grsec_grlearn_extra");
+   if (extra_var)
+      interpret_variable(extra_var);
+
    return;
 }
 
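Review bot: The three lines added before the return in add_grlearn_acl() repeat the block added to add_gradm_pam_acl() with only the variable name changed; a small helper that takes the name would keep the two call sites in step. Also, when sym_retrieve() returns NULL the code silently does nothing, so a misspelled define in the policy (for example grsec_grlearn_extras) is never applied and never reported. A note in the documentation listing the exact names, or a warning for near-miss names, would make that failure visible.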


With this I can silence the warning by adding this to the top of my policy
```
define grsec_gradm_pam_extra {
   /run/systemd/journal/dev-log   rw
}
```

Blub
 
Posts: 9
Joined: Tue Jul 15, 2014 4:38 am

Re: Ability to extend permissions for gradm_pam/grlearn

Postby spender » Wed Jul 16, 2014 9:57 pm

Hi Wolfgang,

That's a neat trick -- I'll think about doing that in the future. For now I've just allowed gradm_pam to access that file if it exists by modifying the built-in policy in gradm_adm.c.

Thanks,
-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Re: Ability to extend permissions for gradm_pam/grlearn

Postby Blub » Thu Jul 17, 2014 2:42 am

Thanks, works for me since it's the only warning I get :)
Blub
 
Posts: 9
Joined: Tue Jul 15, 2014 4:38 am

