
Attempt to mmap problem

PostPosted: Fri Mar 29, 2002 12:40 pm
by sig
Hi!

I'm experiencing weird problems with ntpdate and iptables (probably others too, haven't yet tried out).

I've set -CAP_NET_ADMIN in the startup script and given iptables +CAP_NET_ADMIN in proc.acl. Whenever I try to run iptables, I get these errors:

kernel: attempt to mmap 97292 2065 executableby (iptables:874) UID(0) EUID(0), parent (bash:7130) UID(0) EUID(0)
kernel: attempt to mmap 32498 2065 executableby (iptables:874) UID(0) EUID(0), parent (bash:7130) UID(0) EUID(0)
kernel: signal 11 sent to (iptables:874) UID(0) EUID(0), parent (bash:7130) UID(0) EUID(0)
Segmentation fault

Actually it doesn't make any difference what I put in proc.acl for iptables. I've tried just blank /sbin/iptables { } and with +CAP_NET_ADMIN, always the same errors.

I'm not running PaX, but the Openwall protection is on. I also tried to compile the kernel without it, didn't help.

The same thing happens with ntpdate, when I set -CAP_SYS_TIME. The problem occurs on two boxes!

Both programs work fine when I set their capabilities to +.

Oh, and I'm running grsec-1.9.4 and kernel 2.4.18.

Found out one way to solve it

PostPosted: Fri Mar 29, 2002 1:00 pm
by sig
Hmm, got it working by adding this to proc.acl for iptables:

/sbin/iptables {
/ rwx
+CAP_NET_ADMIN
}

The same thing worked for ntpdate.

yes..

PostPosted: Sat Mar 30, 2002 1:50 am
by spender
You always need to give execute access to the program you're executing in your process acl. If you don't put anything inside the {} of your process acl, your program cannot access anything, and I'm almost certain you don't want that. Take a look at some of the examples in the acl development section of the forum.
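As an added illustration of spender's point (this is example code written for this thread, not code from the thread, from grsecurity, or from any of its tools), the following Python script audits process ACL entries for the exact mistake that produced the "attempt to mmap" errors above: a subject block with no object rules, or one whose object rules give the program no execute access to its own binary. The parser is an assumption: it understands only the syntax visible in this thread (a subject line `/path {`, object lines `path modes`, capability lines `+CAP_X` / `-CAP_X`, and a closing `}`), not the full grsecurity ACL language. The choice of the most specific (longest) matching object path as the governing rule is likewise an assumption about how object rules are resolved. The three ACL texts are constructed samples.

```python
import re
from dataclasses import dataclass, field

# Only the syntax shown in the thread is recognised (assumption: real
# grsecurity ACL files carry more syntax than this).
SUBJECT_RE = re.compile(r'^(/\S*)\s*\{$')           # /sbin/iptables {
CAP_RE = re.compile(r'^([+-])(CAP_[A-Z_]+)$')       # +CAP_NET_ADMIN / -CAP_SYS_TIME
OBJECT_RE = re.compile(r'^(/\S*)\s+([a-z]+)$')      # / rwx


@dataclass
class Subject:
    path: str
    objects: dict = field(default_factory=dict)  # object path -> mode string
    caps: dict = field(default_factory=dict)     # CAP_* name -> '+' or '-'


def parse_acl(text):
    """Parse the subset of proc.acl syntax used in the thread into Subject records."""
    subjects, current = [], None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if current is None:
            m = SUBJECT_RE.match(line)
            if not m:
                raise ValueError(f"expected a subject line, got {line!r}")
            current = Subject(path=m.group(1))
            continue
        if line == '}':
            subjects.append(current)
            current = None
            continue
        m = CAP_RE.match(line)
        if m:
            current.caps[m.group(2)] = m.group(1)
            continue
        m = OBJECT_RE.match(line)
        if m:
            current.objects[m.group(1)] = m.group(2)
            continue
        raise ValueError(f"unrecognised line inside {current.path}: {line!r}")
    if current is not None:
        raise ValueError(f"unterminated subject block for {current.path}")
    return subjects


def governing_object(subject, path):
    """Return the most specific object rule covering `path` (assumed resolution order)."""
    best = None
    for obj in subject.objects:
        covers = obj == '/' or path == obj or path.startswith(obj.rstrip('/') + '/')
        if covers and (best is None or len(obj) > len(best)):
            best = obj
    return best


def check_subject(subject):
    """List the problems that would stop the subject's own binary from being mapped."""
    if not subject.objects:
        return ["empty subject block: the process can access nothing, not even its own binary"]
    obj = governing_object(subject, subject.path)
    if obj is None:
        return [f"no object rule covers {subject.path}"]
    if 'x' not in subject.objects[obj]:
        return [f"object rule {obj!r} ({subject.objects[obj]}) gives no execute access to {subject.path}"]
    return []


def audit(text):
    """Map each subject path to its list of problems (empty list means the entry is fine)."""
    return {s.path: check_subject(s) for s in parse_acl(text)}


# Constructed samples: the first is the form that segfaulted in the thread,
# the second is the working entry from the follow-up post.
BROKEN_ACL = "/sbin/iptables {\n+CAP_NET_ADMIN\n}\n"
FIXED_ACL = "/sbin/iptables {\n/ rwx\n+CAP_NET_ADMIN\n}\n"
READ_ONLY_ACL = "/usr/sbin/ntpdate {\n/ r\n-CAP_SYS_TIME\n}\n"

if __name__ == "__main__":
    for name, acl in [("broken", BROKEN_ACL), ("fixed", FIXED_ACL), ("read-only", READ_ONLY_ACL)]:
        for path, problems in audit(acl).items():
            print(name, path, "OK" if not problems else problems)
```

Run it over a proc.acl-style file (adjusting the parser if your version uses syntax beyond what the thread shows) before restarting the kernel ACL system; every subject it reports should receive an object rule with execute access covering the program's own path, as in the `/ rwx` fix above.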