Page 1 of 1

GRKERNSEC_SYSFS_RESTRICT breaks udev and systemd networking

PostPosted: Sat Dec 24, 2016 2:51 am
by adrolter
Linux: 4.8.15 w/ Grsecurity 3.1-4.8.15-201612151923
Platform: ARM64 -- Amlogic Meson GXBB (Hardkernel ODROID-C2 SBC)

Code: Select all
Dec 23 23:59:18 bastion systemd[2350]: Failed to enumerate devices: Permission denied
Dec 23 23:59:18 bastion systemd[2350]: Failed to get udev device from devnum 179:1: Permission denied


systemd-networkd:
Code: Select all
Dec 23 23:59:06 bastion systemd-networkd[2340]: eth0: Could not find udev device: No such device
Dec 23 23:59:06 bastion systemd-networkd[2340]: eth0: Failed


systemd-udevd:
Code: Select all
Dec 23 23:59:06 bastion systemd-udevd[2266]: link_config: could not get ethtool features for eth0
Dec 23 23:59:06 bastion systemd-udevd[2266]: Could not set offload features of eth0: Device or resource busy


# ethtool eth0
Code: Select all
Settings for eth0:
Cannot get device settings: Device or resource busy
Cannot get wake-on-lan settings: Device or resource busy
Cannot get message level: Device or resource busy
Cannot get link status: Device or resource busy
No data available


# strace -f ethtool eth0
Code: Select all
execve("/usr/bin/ethtool", ["ethtool", "eth0"], [/* 13 vars */]) = 0
brk(NULL)                               = 0xe68e000
faccessat(AT_FDCWD, "/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=38252, ...}) = 0
mmap(NULL, 38252, PROT_READ, MAP_PRIVATE, 3, 0) = 0xffffaf582000
close(3)                                = 0
openat(AT_FDCWD, "/usr/lib/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0000T\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=674672, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xffffaf580000
mmap(NULL, 737912, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xffffaf4ac000
mprotect(0xffffaf550000, 61440, PROT_NONE) = 0
mmap(0xffffaf55f000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xa3000) = 0xffffaf55f000
close(3)                                = 0
openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0\270\364\1\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1723248, ...}) = 0
mmap(NULL, 1446512, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xffffaf34a000
mprotect(0xffffaf493000, 61440, PROT_NONE) = 0
mmap(0xffffaf4a2000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x148000) = 0xffffaf4a2000
mmap(0xffffaf4a8000, 12912, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xffffaf4a8000
close(3)                                = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xffffaf348000
mprotect(0xffffaf4a2000, 16384, PROT_READ) = 0
mprotect(0xffffaf55f000, 4096, PROT_READ) = 0
mprotect(0x452000, 4096, PROT_READ)     = 0
mprotect(0xffffaf58e000, 4096, PROT_READ) = 0
munmap(0xffffaf582000, 38252)           = 0
socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(247, 0), ...}) = 0
ioctl(1, TCGETS, {B115200 opost isig icanon echo ...}) = 0
brk(NULL)                               = 0xe68e000
brk(0xe6b0000)                          = 0xe6b0000
write(1, "Settings for eth0:\n", 19Settings for eth0:
)    = 19
ioctl(3, SIOCETHTOOL, 0xfffffcf01a00)   = -1 EBUSY (Device or resource busy)
ioctl(3, SIOCETHTOOL, 0xfffffcf01a00)   = -1 EBUSY (Device or resource busy)
dup(2)                                  = 4
fcntl(4, F_GETFL)                       = 0x20002 (flags O_RDWR|0x20000)
fstat(4, {st_mode=S_IFCHR|0600, st_rdev=makedev(247, 0), ...}) = 0
ioctl(4, TCGETS, {B115200 opost isig icanon echo ...}) = 0
write(4, "Cannot get device settings: Devi"..., 52Cannot get device settings: Device or resource busy
) = 52
close(4)                                = 0
ioctl(3, SIOCETHTOOL, 0xfffffcf01a00)   = -1 EBUSY (Device or resource busy)
dup(2)                                  = 4
fcntl(4, F_GETFL)                       = 0x20002 (flags O_RDWR|0x20000)
fstat(4, {st_mode=S_IFCHR|0600, st_rdev=makedev(247, 0), ...}) = 0
ioctl(4, TCGETS, {B115200 opost isig icanon echo ...}) = 0
write(4, "Cannot get wake-on-lan settings:"..., 57Cannot get wake-on-lan settings: Device or resource busy
) = 57
close(4)                                = 0
ioctl(3, SIOCETHTOOL, 0xfffffcf01a00)   = -1 EBUSY (Device or resource busy)
dup(2)                                  = 4
fcntl(4, F_GETFL)                       = 0x20002 (flags O_RDWR|0x20000)
fstat(4, {st_mode=S_IFCHR|0600, st_rdev=makedev(247, 0), ...}) = 0
ioctl(4, TCGETS, {B115200 opost isig icanon echo ...}) = 0
write(4, "Cannot get message level: Device"..., 50Cannot get message level: Device or resource busy
) = 50
close(4)                                = 0
ioctl(3, SIOCETHTOOL, 0xfffffcf01a00)   = -1 EBUSY (Device or resource busy)
dup(2)                                  = 4
fcntl(4, F_GETFL)                       = 0x20002 (flags O_RDWR|0x20000)
fstat(4, {st_mode=S_IFCHR|0600, st_rdev=makedev(247, 0), ...}) = 0
ioctl(4, TCGETS, {B115200 opost isig icanon echo ...}) = 0
write(4, "Cannot get link status: Device o"..., 48Cannot get link status: Device or resource busy
) = 48
close(4)                                = 0
write(1, "No data available\n", 18No data available
)     = 18
exit_group(75)                          = ?
+++ exited with 75 +++


As we can see the SIOCETHTOOL ioctl fails with EBUSY, which according to Linux source occurs when the interface is down.

Manually bringing the interface up using ifconfig or "ip link set ..." works...

# ifconfig eth0 up
Code: Select all
[ 2335.908378] meson8b-dwmac c9410000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx


# ethtool eth0
Code: Select all
Settings for eth0:
        Supported ports: [ TP MII ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Supported pause frame use: No
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Advertised pause frame use: No
        Advertised auto-negotiation: Yes
        Link partner advertised link modes:  10baseT/Half 10baseT/Full
                                             100baseT/Half 100baseT/Full
                                             1000baseT/Full
        Link partner advertised pause frame use: Symmetric
        Link partner advertised auto-negotiation: Yes
        Speed: 1000Mb/s
        Duplex: Full
        Port: MII
        PHYAD: 0
        Transceiver: external
        Auto-negotiation: on
        Supports Wake-on: ug
        Wake-on: d
        Current message level: 0x0000003f (63)
                               drv probe link timer ifdown ifup
        Link detected: yes


...but does not result in systemd reconfiguring via DHCP or anything, leaving networking in a half-broken state.

The host machine is a server and I would therefore prefer to keep sysfs restrictions enabled, so is there a textbook way to restore systemd's ability to configure my network interface, without loosening permissions across the entire sysfs? Thanks in advance for any insight!

Re: GRKERNSEC_SYSFS_RESTRICT breaks udev and systemd networking

PostPosted: Mon Dec 26, 2016 8:40 am
by spender
You'll have to disable SYSFS_RESTRICT unfortunately, as long as systemd is pointlessly trying to perform these operations as an unprivileged user.

-Brad

Re: GRKERNSEC_SYSFS_RESTRICT breaks udev and systemd networking

PostPosted: Mon Dec 26, 2016 7:00 pm
by adrolter
It's a total (and probably inadvisable) hack, but I solved this by changing the systemd-network user's UID and GID both to 0 in /etc/passwd, essentially making the systemd-network user an alias of root. Imperfect solution for an imperfect world, I guess. Thanks for confirming!

Re: GRKERNSEC_SYSFS_RESTRICT breaks udev and systemd networking

PostPosted: Tue Dec 27, 2016 9:21 am
by spender
Probably inadvisable indeed, you would need to know what else that service is doing. While it's pointless for it to be performing some of these tasks as an unprivileged user, given that this is systemd we're talking about, not only is it guaranteed there's other functionality that really should be separated out, but you'd constantly have to be on the watch for feature creep into that service.

-Brad