When /proc restrictions in grsecurity are enabled, access to the /proc tree is prohibited at first, but allowed after a few tries (being the root user).

Reproducible: Always

Steps to Reproduce:
1. try to access /proc/anything at bootup
2. access is denied, dirs are readonly
3. try a few times, with "ls /proc/sys/<tab>" or with using the full path
4. magically, the kernel allows access

Actual Results:

# ls -la /proc/sys
-r--r--r--   11 root root 0 May 31 17:00 /proc/sys

and one second later...

# ls -la /proc/sys
total 0
dr-xr-xr-x   11 root root 0 May 31 17:00 .
dr-xr-xr-x  128 root root 0 May 31  2003 ..
dr-xr-xr-x    2 root root 0 May 31 17:00 abi
dr-xr-xr-x    2 root root 0 May 31 17:00 debug
dr-xr-xr-x    5 root root 0 May 31 17:00 dev
dr-xr-xr-x    3 root root 0 May 31 17:00 fs
dr-xr-xr-x    4 root root 0 May 31 17:00 kernel
dr-xr-xr-x    7 root root 0 May 31 17:00 net
dr-xr-xr-x    2 root root 0 May 31 17:00 proc
dr-xr-xr-x    2 root root 0 May 31 17:00 sched
dr-xr-xr-x    2 root root 0 May 31 17:00 vm

Expected Results:
allow access in the first place.

I enabled /proc restrictions; my .config contains

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
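The report above shows /proc/sys first appearing as a read-only regular file and, a moment later, as a searchable directory. The following POSIX shell helper is an added example, not part of the bug report or of grsecurity: it classifies a single `ls -ld` line into the two states the reporter saw, polls a /proc path once a second and logs every transition so the intermittent window can be timed, and lists the CONFIG_GRKERNSEC_PROC* options from a kernel .config so the observed behaviour can be matched against the configured restriction mode. The function names and the polling interval are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report): observe how a /proc entry presents
# itself over time and which grsecurity /proc restriction options are built in.

# classify_proc_entry LINE
# LINE is one line of `ls -ld <path>` output. Prints:
#   restricted  - entry shown as a regular file (the report's initial state)
#   accessible  - entry shown as a directory with the search bit set
#   unknown     - anything else, including an empty line when ls failed
classify_proc_entry() {
    case "$1" in
        d??x*) echo accessible ;;
        -*)    echo restricted ;;
        *)     echo unknown ;;
    esac
}

# poll_proc_entry PATH [MAX_SECS]
# Re-checks PATH once a second (interval is an assumption) and prints a
# timestamped line on every state change, so the "denied at first, allowed a
# bit later" window from the report can be measured rather than guessed.
poll_proc_entry() {
    path=$1
    limit=${2:-30}
    prev=""
    i=0
    while [ "$i" -lt "$limit" ]; do
        line=$(ls -ld "$path" 2>/dev/null) || line=""
        state=$(classify_proc_entry "$line")
        if [ "$state" != "$prev" ]; then
            echo "$(date +%T) $path: $state"
            prev=$state
        fi
        i=$((i + 1))
        sleep 1
    done
}

# list_proc_restriction_options CONFIG_FILE
# Prints the CONFIG_GRKERNSEC_PROC* lines from a kernel .config, e.g. the
# CONFIG_GRKERNSEC_PROC=y / CONFIG_GRKERNSEC_PROC_USER=y pair from the report.
list_proc_restriction_options() {
    grep '^CONFIG_GRKERNSEC_PROC' "$1" 2>/dev/null
}

# Stand-alone use: ./proc_poll.sh /proc/sys 60 [/usr/src/linux/.config]
if [ "$#" -gt 0 ]; then
    [ -n "$3" ] && list_proc_restriction_options "$3"
    poll_proc_entry "$1" "${2:-30}"
fi
```

Run it as root right after boot against /proc/sys; a log that flips from "restricted" to "accessible" without any configuration change is the symptom described in the report.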
I've just run into this bug myself when using the ACL features of grsecurity. /proc/mounts was hidden per my ACL setup: /etc/fstab hidden, /etc/mtab hidden. I typed mount and noticed I was able to see my mounts when they should be hidden. I then ran "strace -eopen mount" and saw the open("/proc/mounts", ...) call succeed. Tested gentoo-hardened-r2 (grsecurity-1.9.9g) and my files were hidden as expected. This is a serious security flaw and should be fixed right away. Tests not performed: vanilla kernel with grsecurity-1.9.9h. Note: There was a recent security fix for grsecurity ASLR leakage. (I think this is what we are encountering.)
This bug seems to be present in grsecurity out of the box. Downloaded linux-2.4.20.tar.gz and grsecurity-1.9.9h.patch (no other patches at all), recompiled and tested. Got the same results, so I am emailing spender (grsecurity author) explaining this.
spender's mail server is broken or rejecting mail. Will try again later.
This should be fixed in gentoo-sources-2.4.20-r6. Also note we have grsec-sources now in portage, which will try to keep current with Brad's code upstream.
Tried with gentoo-sources-r7, still the same problem: /proc/sys is not accessible. After a while (sorry, can't define the time) it is accessible.
/proc/sys is not accessible to root? Best thing I can say here is give grsec-sources a try. If the problem still exists then we have a grsec problem vs. a gentoo one. If the problem goes away then the best I can do here is to make a fuss with our current gentoo-sources maintainers.
Please use updated sources.
Can anybody confirm whether this is happening with vanilla grsec-sources, or is/was this happening only in gentoo-sources?
changing resolution to WORKSFORSOME