Page 1 of 1

gradm with musl libc continued

PostPosted: Mon May 23, 2016 10:54 am
by Wizzup

Some time ago (is it a year already :() I posted this thread, where basic support for musl was put in place: viewtopic.php?f=3&t=4152

While I did test that "gradm -S" worked, as well as "gradm -D", I did not try to actually load a policy. Now that I finally made some time to play around with policies again, I cannot get the musl system to load a policy. Right now I just want to load the default policy that ships with Gentoo Hardened. I get the following error:

Code: Select all
root@lostmemory ~ # gradm -C
root@lostmemory ~ # gradm -V -E
Policy statistics:
Role summary:
        0 user roles
        0 group roles
        2 special roles with authentication
        0 special roles without authentication
        2 admin roles
        3 total roles

Subject summary:
        0 nested subjects
        29 subjects can be killed by outside processes
        31 subjects have unprotected shared memory
        22 subjects with unrestricted sockets
        31 total subjects

Object summary:
        0 objects in non-admin roles allow chmod +s
        273 total objects
Error copying structures to the kernel.

The following appears in dmesg:

Code: Select all
[1227858.043715] grsec: From unable to load grsecurity 3.1 for /sbin/gradm[gradm:16845] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:15578] uid/euid:0/0 gid/egid:0/0

Same for enabling learning mode, it seems:

Code: Select all
# gradm -F -L /etc/grsec/learning.log
Error opening /dev/grsec:
Resource busy
root@lostmemory ~ #

I am using the following version:

Code: Select all
root@lostmemory ~ # eix -Ic gradm
[I] sys-apps/gradm (3.1.201603152148@05/23/16): Administrative interface for the grsecurity Role Based Access Control system


Code: Select all
root@lostmemory ~ # uname -a
Linux lostmemory 4.5.3-hardenedlostmemory #1 SMP Mon May 9 03:46:18 CEST 2016 armv7l Allwinner sun4i/sun5i Families GNU/Linux

I hope that my reluctance to test actually loading in a policy in the last thread won't lead to another ABI bump. Please let me know how I can help to further debug/test. Or flame me if this looks like PEBCAK. ;)

Re: gradm with musl libc continued

PostPosted: Sat May 28, 2016 8:49 am
by Wizzup
I have tested gradm on alpine amd64 (has musl-libc), and it seems to work there, but that is amd64. I have not been able to test gradm on alpine with arm.

Re: gradm with musl libc continued

PostPosted: Sat Aug 13, 2016 9:28 am
by Wizzup
This issue is fixed in the latest gradm - ... cb59c5413d

Thanks! grlearn is now running and I haven't run into any other issues.