
Ability to extend permissions for gradm_pam/grlearn

PostPosted: Wed Jul 16, 2014 8:12 am
by Blub
On my system (ArchLinux) `/dev/log` is a symlink to `/run/systemd/journal/dev-log`, which is a systemd-thing and causes warnings coming from gradm:
Code:
Warning: permission for symlink /dev/log in role users, subject /usr/bin/gradm_pam does not match that of its matching target object /run.  Symlink is specified on line 1587 of /etc/grsec/policy.


I haven't yet tried using gradm_pam at all but I'd assume that this warning also means that gradm_pam won't actually be able to access /dev/log.
So I was wondering what the common solution for this would be?
Should the warning just be ignored, or should ArchLinux patch gradm_adm.c to include the appropriate permissions?

There currently seems to be no way to extend these permissions - please correct me if I'm wrong - as adding the subject manually causes a "Duplicate subject found" error, and gradm_adm.c shows they use the 'o' flag (which makes total sense).

Would it be an acceptable solution to introduce the option of adding extra permissions in special variables used for these programs?
Like this:
Code:
--- a/gradm_adm.c   2014-07-16 13:53:49.950469128 +0200
+++ b/gradm_adm.c   2014-07-16 13:53:27.820468833 +0200
@@ -168,6 +168,7 @@ add_gradm_pam_acl(struct role_acl *role)
    struct ip_acl ip;
    struct protoent *proto;
    char *grpam_path;
+   struct var_object *extra_var;
 
    if (bikeshedding_detected())
       grpam_path = get_bikeshedded_path(GRPAM_PATH);
@@ -236,6 +237,10 @@ add_gradm_pam_acl(struct role_acl *role)
 
    add_sock_family(current_subject, "netlink");
 
+   extra_var = sym_retrieve("grsec_gradm_pam_extra");
+   if (extra_var)
+      interpret_variable(extra_var);
+
    return;
 }
 
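Review bot: interpret_variable(extra_var) runs while current_subject is still the gradm_pam subject, so whatever grsec_gradm_pam_extra expands to is merged into a subject that the built-in policy otherwise controls completely. The hunk does not show what happens when the variable repeats an object add_gradm_pam_acl already added (for example /dev/log), so either state that duplicates are rejected or handle them here, and add a comment naming the variable so policy authors can find where it is consumed.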
@@ -258,6 +263,7 @@ add_grlearn_acl(struct role_acl *role)
    struct stat fstat;
    struct ip_acl ip;
    char *grlearn_path;
+   struct var_object *extra_var;
 
    if (bikeshedding_detected())
       grlearn_path = get_bikeshedded_path(GRLEARN_PATH);
@@ -280,6 +286,10 @@ add_grlearn_acl(struct role_acl *role)
 
    add_cap_acl(current_subject, "-CAP_ALL", NULL);
 
+   extra_var = sym_retrieve("grsec_grlearn_extra");
+   if (extra_var)
+      interpret_variable(extra_var);
+
    return;
 }
 
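Review bot: the lookup sits after add_cap_acl(current_subject, "-CAP_ALL", NULL), so a grsec_grlearn_extra variable that contains capability lines would re-grant capabilities to grlearn after the built-in policy has dropped them all. If the variable is only meant to add file objects like the /run/systemd/journal/dev-log entry, either say so in the policy documentation or reject non-object entries at this point.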


With this I can silence the warning by adding this to the top of my policy
Code:
define grsec_gradm_pam_extra {
   /run/systemd/journal/dev-log   rw
}
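
The check behind the warning quoted above, as an added example that is not gradm's code and not part of the original post: each symlink object in a subject is resolved and compared against the longest-prefix object covering its target, which is why the built-in `/run` object gets reported and why adding an explicit `rw` object for the target silences it. The object lists and the symlink map are constructed here to mirror the Arch layout, so nothing is read from the real filesystem or policy.

```python
# Added example: re-implements the symlink/target consistency check that
# produces gradm's "permission for symlink ... does not match" warning.
# Not gradm's code; object sets and symlink map are constructed for the demo.

# Constructed symlink map (instead of os.readlink) so the check runs offline.
SYMLINKS = {"/dev/log": "/run/systemd/journal/dev-log"}

# Constructed stand-in for the built-in gradm_pam objects: {path: mode}.
BUILTIN = {"/": "h", "/run": "r", "/dev/log": "rw"}

# Same subject after the grsec_gradm_pam_extra variable from the post is applied.
FIXED = dict(BUILTIN, **{"/run/systemd/journal/dev-log": "rw"})


def matching_object(objects, path):
    """Longest-prefix object that covers path (walking up the directory tree)."""
    best = None
    for obj in objects:
        prefix = obj.rstrip("/") + "/"
        if path == obj or path.startswith(prefix):
            if best is None or len(obj) > len(best):
                best = obj
    return best


def symlink_mismatches(objects, symlinks=SYMLINKS):
    """Return (symlink, target_object) pairs whose modes differ.

    A symlink object that grants more (or different) access than the object
    covering its target is exactly the case the gradm warning reports.
    """
    problems = []
    for link, target in symlinks.items():
        if link not in objects:
            continue  # subject never mentions the symlink; nothing to compare
        tgt_obj = matching_object(objects, target)
        if tgt_obj is None or objects[tgt_obj] != objects[link]:
            problems.append((link, tgt_obj))
    return problems


if __name__ == "__main__":
    print("built-in:", symlink_mismatches(BUILTIN))  # [('/dev/log', '/run')]
    print("with extra object:", symlink_mismatches(FIXED))  # []
```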

Re: Ability to extend permissions for gradm_pam/grlearn

PostPosted: Wed Jul 16, 2014 9:57 pm
by spender
Hi Wolfgang,

That's a neat trick -- I'll think about doing that in the future. For now I've just allowed gradm_pam to access that file if it exists by modifying the built-in policy in gradm_adm.c

Thanks,
-Brad

Re: Ability to extend permissions for gradm_pam/grlearn

PostPosted: Thu Jul 17, 2014 2:42 am
by Blub
Thanks, works for me since it's the only warning I get :)