GRKERNSEC_SYSFS_RESTRICT breaks udev and systemd networking
Posted: Sat Dec 24, 2016 2:51 am
Linux: 4.8.15 w/ Grsecurity 3.1-4.8.15-201612151923
Platform: ARM64 -- Amlogic Meson GXBB (Hardkernel ODROID-C2 SBC)
systemd:
Dec 23 23:59:18 bastion systemd[2350]: Failed to enumerate devices: Permission denied
Dec 23 23:59:18 bastion systemd[2350]: Failed to get udev device from devnum 179:1: Permission denied
systemd-networkd:
Dec 23 23:59:06 bastion systemd-networkd[2340]: eth0: Could not find udev device: No such device
Dec 23 23:59:06 bastion systemd-networkd[2340]: eth0: Failed
systemd-udevd:
Dec 23 23:59:06 bastion systemd-udevd[2266]: link_config: could not get ethtool features for eth0
Dec 23 23:59:06 bastion systemd-udevd[2266]: Could not set offload features of eth0: Device or resource busy
# ethtool eth0
Settings for eth0:
Cannot get device settings: Device or resource busy
Cannot get wake-on-lan settings: Device or resource busy
Cannot get message level: Device or resource busy
Cannot get link status: Device or resource busy
No data available
# strace -f ethtool eth0
execve("/usr/bin/ethtool", ["ethtool", "eth0"], [/* 13 vars */]) = 0
brk(NULL) = 0xe68e000
faccessat(AT_FDCWD, "/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=38252, ...}) = 0
mmap(NULL, 38252, PROT_READ, MAP_PRIVATE, 3, 0) = 0xffffaf582000
close(3) = 0
openat(AT_FDCWD, "/usr/lib/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0000T\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=674672, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xffffaf580000
mmap(NULL, 737912, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xffffaf4ac000
mprotect(0xffffaf550000, 61440, PROT_NONE) = 0
mmap(0xffffaf55f000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xa3000) = 0xffffaf55f000
close(3) = 0
openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0\270\364\1\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1723248, ...}) = 0
mmap(NULL, 1446512, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xffffaf34a000
mprotect(0xffffaf493000, 61440, PROT_NONE) = 0
mmap(0xffffaf4a2000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x148000) = 0xffffaf4a2000
mmap(0xffffaf4a8000, 12912, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xffffaf4a8000
close(3) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xffffaf348000
mprotect(0xffffaf4a2000, 16384, PROT_READ) = 0
mprotect(0xffffaf55f000, 4096, PROT_READ) = 0
mprotect(0x452000, 4096, PROT_READ) = 0
mprotect(0xffffaf58e000, 4096, PROT_READ) = 0
munmap(0xffffaf582000, 38252) = 0
socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(247, 0), ...}) = 0
ioctl(1, TCGETS, {B115200 opost isig icanon echo ...}) = 0
brk(NULL) = 0xe68e000
brk(0xe6b0000) = 0xe6b0000
write(1, "Settings for eth0:\n", 19Settings for eth0:
) = 19
ioctl(3, SIOCETHTOOL, 0xfffffcf01a00) = -1 EBUSY (Device or resource busy)
ioctl(3, SIOCETHTOOL, 0xfffffcf01a00) = -1 EBUSY (Device or resource busy)
dup(2) = 4
fcntl(4, F_GETFL) = 0x20002 (flags O_RDWR|0x20000)
fstat(4, {st_mode=S_IFCHR|0600, st_rdev=makedev(247, 0), ...}) = 0
ioctl(4, TCGETS, {B115200 opost isig icanon echo ...}) = 0
write(4, "Cannot get device settings: Devi"..., 52Cannot get device settings: Device or resource busy
) = 52
close(4) = 0
ioctl(3, SIOCETHTOOL, 0xfffffcf01a00) = -1 EBUSY (Device or resource busy)
dup(2) = 4
fcntl(4, F_GETFL) = 0x20002 (flags O_RDWR|0x20000)
fstat(4, {st_mode=S_IFCHR|0600, st_rdev=makedev(247, 0), ...}) = 0
ioctl(4, TCGETS, {B115200 opost isig icanon echo ...}) = 0
write(4, "Cannot get wake-on-lan settings:"..., 57Cannot get wake-on-lan settings: Device or resource busy
) = 57
close(4) = 0
ioctl(3, SIOCETHTOOL, 0xfffffcf01a00) = -1 EBUSY (Device or resource busy)
dup(2) = 4
fcntl(4, F_GETFL) = 0x20002 (flags O_RDWR|0x20000)
fstat(4, {st_mode=S_IFCHR|0600, st_rdev=makedev(247, 0), ...}) = 0
ioctl(4, TCGETS, {B115200 opost isig icanon echo ...}) = 0
write(4, "Cannot get message level: Device"..., 50Cannot get message level: Device or resource busy
) = 50
close(4) = 0
ioctl(3, SIOCETHTOOL, 0xfffffcf01a00) = -1 EBUSY (Device or resource busy)
dup(2) = 4
fcntl(4, F_GETFL) = 0x20002 (flags O_RDWR|0x20000)
fstat(4, {st_mode=S_IFCHR|0600, st_rdev=makedev(247, 0), ...}) = 0
ioctl(4, TCGETS, {B115200 opost isig icanon echo ...}) = 0
write(4, "Cannot get link status: Device o"..., 48Cannot get link status: Device or resource busy
) = 48
close(4) = 0
write(1, "No data available\n", 18No data available
) = 18
exit_group(75) = ?
+++ exited with 75 +++
As we can see, the SIOCETHTOOL ioctl fails with EBUSY, which, according to the Linux source, occurs when the interface is down.
Manually bringing the interface up using ifconfig or "ip link set ..." works...
# ifconfig eth0 up
[ 2335.908378] meson8b-dwmac c9410000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx
# ethtool eth0
Settings for eth0:
        Supported ports: [ TP MII ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Supported pause frame use: No
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Advertised pause frame use: No
        Advertised auto-negotiation: Yes
        Link partner advertised link modes:  10baseT/Half 10baseT/Full
                                             100baseT/Half 100baseT/Full
                                             1000baseT/Full
        Link partner advertised pause frame use: Symmetric
        Link partner advertised auto-negotiation: Yes
        Speed: 1000Mb/s
        Duplex: Full
        Port: MII
        PHYAD: 0
        Transceiver: external
        Auto-negotiation: on
        Supports Wake-on: ug
        Wake-on: d
        Current message level: 0x0000003f (63)
                               drv probe link timer ifdown ifup
        Link detected: yes
...but does not result in systemd reconfiguring via DHCP or anything, leaving networking in a half-broken state.
The host machine is a server and I would therefore prefer to keep sysfs restrictions enabled, so is there a textbook way to restore systemd's ability to configure my network interface, without loosening permissions across the entire sysfs? Thanks in advance for any insight!
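The logs above actually show two separate failures: systemd and udev cannot enumerate devices at all (Permission denied, the sysfs restriction), and udev's link_config step then hits EBUSY from SIOCETHTOOL because the interface is still down when it runs. The following diagnostic is an added example, not code from the post or from grsecurity/systemd. It assumes Linux with Python 3, the ioctl numbers from <linux/sockios.h> and <linux/ethtool.h>, and takes the interface name on the command line; the journal lines from the post are embedded as constructed sample input, and the cause strings and function names are the example's own.

```python
"""Separate the sysfs-permission failure from the ethtool EBUSY failure.

Added example; assumes Linux, Python 3 and the ioctl constants below.
"""
import ctypes
import errno
import fcntl
import os
import re
import socket
import sys

SIOCETHTOOL = 0x8946   # <linux/sockios.h>
ETHTOOL_GLINK = 0x0a   # <linux/ethtool.h>: struct ethtool_value, link status
IFNAMSIZ = 16

# Constructed sample input: the journald lines quoted in the post.
SAMPLE_LOG = """\
Dec 23 23:59:18 bastion systemd[2350]: Failed to enumerate devices: Permission denied
Dec 23 23:59:18 bastion systemd[2350]: Failed to get udev device from devnum 179:1: Permission denied
Dec 23 23:59:06 bastion systemd-networkd[2340]: eth0: Could not find udev device: No such device
Dec 23 23:59:06 bastion systemd-networkd[2340]: eth0: Failed
Dec 23 23:59:06 bastion systemd-udevd[2266]: link_config: could not get ethtool features for eth0
Dec 23 23:59:06 bastion systemd-udevd[2266]: Could not set offload features of eth0: Device or resource busy
"""

LINE_RE = re.compile(
    r"^\S+ +\d+ [\d:]+ \S+ (?P<unit>[\w.-]+)\[\d+\]: (?P<msg>.*)$")

# Trailing strerror() text -> what it points at in this scenario (example's own wording).
CAUSES = {
    "Permission denied":
        "sysfs not readable by this unit (sysfs restriction); device enumeration fails",
    "Device or resource busy":
        "SIOCETHTOOL returned EBUSY: the interface is still down when udev configures it",
    "No such device":
        "networkd never saw the udev device; a consequence of the enumeration failure",
}


def triage(log_text):
    """Return (unit, error_text, probable_cause) for every line whose message
    ends in a known errno string; unrelated lines are ignored."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        err = m.group("msg").rsplit(": ", 1)[-1]
        if err in CAUSES:
            findings.append((m.group("unit"), err, CAUSES[err]))
    return findings


def explain_ioctl_errno(err):
    """Map the errno from SIOCETHTOOL to the next thing to check."""
    if err == 0:
        return "ok"
    if err == errno.EBUSY:
        return "interface down: bring it up (ip link set <if> up) and retry"
    if err in (errno.EPERM, errno.EACCES):
        return "blocked: caller lacks CAP_NET_ADMIN or is denied by kernel policy"
    if err == errno.ENODEV:
        return "no such interface"
    if err == errno.EOPNOTSUPP:
        return "driver does not implement this ethtool command"
    return os.strerror(err)


class EthtoolValue(ctypes.Structure):
    _fields_ = [("cmd", ctypes.c_uint32), ("data", ctypes.c_uint32)]


class Ifreq(ctypes.Structure):
    # Only the members SIOCETHTOOL uses, padded to the kernel's 40-byte struct ifreq (64-bit).
    _fields_ = [("ifr_name", ctypes.c_char * IFNAMSIZ),
                ("ifr_data", ctypes.c_void_p),
                ("_pad", ctypes.c_ubyte * 16)]


def ethtool_link(ifname):
    """Issue the same SIOCETHTOOL ioctl ethtool(8) uses, restricted to ETHTOOL_GLINK.
    Returns (link_up or None, errno)."""
    ev = EthtoolValue(ETHTOOL_GLINK, 0)
    ifr = Ifreq(ifname.encode(), ctypes.addressof(ev))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            fcntl.ioctl(s.fileno(), SIOCETHTOOL, ifr)
        except OSError as e:
            return None, e.errno
    return bool(ev.data), 0


def sysfs_visible(ifname):
    """True if this process can see the interface the way udev does, via sysfs."""
    path = f"/sys/class/net/{ifname}"
    return os.access(path, os.R_OK | os.X_OK) and os.access(f"{path}/operstate", os.R_OK)


if __name__ == "__main__":
    ifname = sys.argv[1] if len(sys.argv) > 1 else "eth0"
    for unit, err, cause in triage(SAMPLE_LOG):
        print(f"{unit}: {err} -> {cause}")
    print(f"{ifname}: sysfs visible = {sysfs_visible(ifname)}")
    up, err = ethtool_link(ifname)
    print(f"{ifname}: ETHTOOL_GLINK -> link_up={up}, {explain_ioctl_errno(err)}")
```

Run it once as root and once under the uid/gid of the networkd unit: if sysfs_visible is False only for the unprivileged run, the enumeration failure is the sysfs restriction, while an EBUSY from ethtool_link on a down interface reproduces the udev link_config error independently of any grsecurity setting.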