gradm with musl libc continued

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Moderators: spender, PaX Team

gradm with musl libc continued

Postby Wizzup » Mon May 23, 2016 10:54 am

Hi,

Some time ago (is it a year already :() I posted this thread, where basic support for musl was put in place: viewtopic.php?f=3&t=4152

While I did test that "gradm -S" worked, as well as "gradm -D", I did not try to actually load a policy. Now that I finally made some time to play around with policies again, I cannot get the musl system to load a policy. Right now I just want to load the default policy that ships with Gentoo Hardened. I get the following error:

Code: Select all
root@lostmemory ~ # gradm -C
root@lostmemory ~ # gradm -V -E
Policy statistics:
-------------------------------------------------------
Role summary:
        0 user roles
        0 group roles
        2 special roles with authentication
        0 special roles without authentication
        2 admin roles
        3 total roles

Subject summary:
        0 nested subjects
        29 subjects can be killed by outside processes
        31 subjects have unprotected shared memory
        22 subjects with unrestricted sockets
        31 total subjects

Object summary:
        0 objects in non-admin roles allow chmod +s
        273 total objects
Error copying structures to the kernel.


The following appears in dmesg:

Code: Select all
[1227858.043715] grsec: From 192.168.178.57: unable to load grsecurity 3.1 for /sbin/gradm[gradm:16845] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:15578] uid/euid:0/0 gid/egid:0/0


Same for enabling learning mode, it seems:

Code: Select all
# gradm -F -L /etc/grsec/learning.log
Error opening /dev/grsec:
Resource busy
^C
root@lostmemory ~ #


I am using the following version:

Code: Select all
root@lostmemory ~ # eix -Ic gradm
[I] sys-apps/gradm (3.1.201603152148@05/23/16): Administrative interface for the grsecurity Role Based Access Control system


Kernel:

Code: Select all
root@lostmemory ~ # uname -a
Linux lostmemory 4.5.3-hardenedlostmemory #1 SMP Mon May 9 03:46:18 CEST 2016 armv7l Allwinner sun4i/sun5i Families GNU/Linux


I hope that my reluctance to test actually loading in a policy in the last thread won't lead to another ABI bump. Please let me know how I can help to further debug/test. Or flame me if this looks like PEBCAK. ;)
Wizzup
 
Posts: 14
Joined: Sat Feb 21, 2015 5:34 pm

Re: gradm with musl libc continued

Postby Wizzup » Sat May 28, 2016 8:49 am

I have tested gradm on alpine amd64 (has musl-libc), and it seems to work there, but that is amd64. I have not been able to test gradm on alpine with arm.
Wizzup
 
Posts: 14
Joined: Sat Feb 21, 2015 5:34 pm

Re: gradm with musl libc continued

Postby Wizzup » Sat Aug 13, 2016 9:28 am

This issue is fixed in the latest gradm - https://cvsweb.grsecurity.net/?p=gradm. ... cb59c5413d

Thanks! grlearn is now running and I haven't run into any other issues.
Wizzup
 
Posts: 14
Joined: Sat Feb 21, 2015 5:34 pm


Return to grsecurity support

cron