Trusted TPE GID appears garbled. If set to, for example, 1234 in kernel:

# grep TPE .config
CONFIG_GRKERNSEC_TPE=y
# CONFIG_GRKERNSEC_TPE_ALL is not set
CONFIG_GRKERNSEC_TPE_INVERT=y
CONFIG_GRKERNSEC_TPE_GID=1234

It still appears as 1 to sysctl:

# sysctl -a | grep tpe
kernel.grsecurity.tpe = 1
kernel.grsecurity.tpe_gid = 1
kernel.grsecurity.tpe_invert = 1

Consequently, TPE acts as if all the users in the trusted group are untrusted.

Reproducible: Always
Created attachment 268271 [details] emerge --info
Reassigning to @hardened, which I think will be more help here.
Would you mind providing the hardened-sources version giving the issue? It sounds like 2.6.36-hardened-r9, but just to be sure. As a note, I can't reproduce this on .37-r7 with CONFIG_GRKERNSEC_TPE_ALL enabled. And when writing the tpe doc (which was on a .36 series kernel) I didn't hit it either, though I also had CONFIG_GRKERNSEC_TPE_ALL enabled.
I can't reproduce this on 2.6.38 with CONFIG_GRKERNSEC_TPE_ALL enabled.
Hi guys:

1) Please (re)assign hardened kernel bugs to hardened-kernel@ or to me.

2) I am not able to reproduce this on 2.6.36-hardened-r9 x86_64.

redsprite grsecurity # uname -a
Linux redsprite 2.6.36-hardened-r9 #1 SMP Mon Apr 4 07:54:24 EDT 2011 x86_64 Intel(R) Core(TM)2 Quad CPU Q8400 @ 2.66GHz GenuineIntel GNU/Linux
redsprite grsecurity # pwd
/proc/sys/kernel/grsecurity
redsprite grsecurity # cat tpe*
1
9995
1
redsprite grsecurity # sysctl -a | grep tpe
kernel.grsecurity.tpe = 1
kernel.grsecurity.tpe_gid = 9995
kernel.grsecurity.tpe_invert = 1
redsprite grsecurity # zcat /proc/config.gz | grep TPE
CONFIG_GRKERNSEC_TPE=y
# CONFIG_GRKERNSEC_TPE_ALL is not set
CONFIG_GRKERNSEC_TPE_INVERT=y
CONFIG_GRKERNSEC_TPE_GID=9995

3) If the reporter has CONFIG_IKCONFIG_PROC=y then please post your zcat /proc/config.gz | grep TPE. Your .config file may not match the running kernel's config.
Well, this behavior is still there:

# uname -a
Linux Falcon 2.6.36-hardened-r9 #2 SMP Sun Jan 23 00:17:22 EST 2011 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 3800+ AuthenticAMD GNU/Linux
# ls -l /usr/src
total 52
lrwxrwxrwx 1 root root 24 Jan 20 21:40 linux -> linux-2.6.36-hardened-r9
# grep TPE /usr/src/linux/.config
CONFIG_GRKERNSEC_TPE=y
# CONFIG_GRKERNSEC_TPE_ALL is not set
CONFIG_GRKERNSEC_TPE_INVERT=y
CONFIG_GRKERNSEC_TPE_GID=1234
# zcat /proc/config.gz | grep TPE
gzip: /proc/config.gz: No such file or directory
# cat /proc/sys/kernel/grsecurity/tpe*
1
1
1
# sysctl -a | grep tpe
error: permission denied on key 'net.ipv4.route.flush'
kernel.grsecurity.tpe = 1
kernel.grsecurity.tpe_gid = 1
kernel.grsecurity.tpe_invert = 1

Could there be another configuration setting that makes a difference? Or the range for the group ID itself? Any diagnostics I could run?
# grep CONFIG_IKCONFIG_PROC 2011-01-23.config

(not set).

I have restarted the server to make certain the config I am looking at matches the running kernel. Still the same behavior.
(In reply to comment #7)
> # grep CONFIG_IKCONFIG_PROC 2011-01-23.config
>
> (not set).
>
> I have restarted the server to make certain the config I am looking at matches
> the running kernel. Still the same behavior.

Please post your config file. I need to reproduce this to see.

Out of curiosity, does sysctl -w kernel.grsecurity.tpe_gid=9995 allow you to change your tpe gid?
Created attachment 268549 [details] .config
Yes, TPE GID can be changed via sysctl:

# sysctl -w kernel.grsecurity.tpe_gid=9995
# sysctl -a | grep tpe
error: permission denied on key 'net.ipv4.route.flush'
kernel.grsecurity.tpe = 1
kernel.grsecurity.tpe_gid = 9995
kernel.grsecurity.tpe_invert = 1

Posting .config.
I used your config file and still can't reproduce this. I simply don't know how you are hitting it. As soon as the system came up, I checked and got kernel.grsecurity.tpe_gid=1234.

I did change a few options in order to get the hard drive recognized. Here's the diff between my config and the one you gave me.

hard-sixtyfour src # diff -U0 config-361735 config-new
--- config-361735 2011-04-05 23:32:54.000000000 +0000
+++ config-new 2011-04-06 23:49:31.000000000 +0000
@@ -4 +4 @@
-# Sat Jan 22 23:59:43 2011
+# Wed Apr 6 23:49:31 2011
@@ -754,2 +754,2 @@
-# CONFIG_SATA_INIC162X is not set
-# CONFIG_SATA_SIL24 is not set
+CONFIG_SATA_INIC162X=y
+CONFIG_SATA_SIL24=y
@@ -761,3 +761,3 @@
-# CONFIG_PDC_ADMA is not set
-# CONFIG_SATA_QSTOR is not set
-# CONFIG_SATA_SX4 is not set
+CONFIG_PDC_ADMA=y
+CONFIG_SATA_QSTOR=y
+CONFIG_SATA_SX4=y
@@ -769 +769 @@
-# CONFIG_ATA_PIIX is not set
+CONFIG_ATA_PIIX=y
@@ -778 +778 @@
-# CONFIG_SATA_VITESSE is not set
+CONFIG_SATA_VITESSE=y
@@ -786 +786 @@
-CONFIG_PATA_ATIIXP=y
+# CONFIG_PATA_ATIIXP is not set
@@ -824 +824 @@
-# CONFIG_PATA_MPIIX is not set
+CONFIG_PATA_MPIIX=y

At this point I just don't know what else to try or suggest. Can anyone else reproduce this?
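Review bot: none of these hunks touch a CONFIG_GRKERNSEC_* option; apart from the header timestamp they only flip SATA/PATA driver options (CONFIG_SATA_*, CONFIG_PDC_ADMA, CONFIG_ATA_PIIX, CONFIG_PATA_*), so the config diff cannot explain a different tpe_gid. With the build-time value ruled out, the remaining candidate is a runtime write to kernel.grsecurity.tpe_gid after boot (a sysctl.conf entry or a startup script), which the reporter's earlier sysctl -w test already showed is accepted.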
I have found the problem. Sorry for the wasted time!

/etc/sysctl.conf contains:

kernel.grsecurity.tpe_gid = 1

Not sure if sysctl.conf comes with this setting by default or if some script sets it there. The one thing I know is that I did not put it there. Incidentally, it contains a lot of other grsecurity settings:

kernel.grsecurity.resource_logging = 1
#kernel.grsecurity.destroy_unused_shm = 1
kernel.grsecurity.chroot_findtask = 1
kernel.grsecurity.dmesg = 1
#kernel.grsecurity.rand_pids = 1
kernel.grsecurity.tpe_gid = 1
kernel.grsecurity.tpe = 1
kernel.grsecurity.chroot_deny_sysctl = 1
kernel.grsecurity.chroot_caps = 1
kernel.grsecurity.chroot_restrict_nice = 1
kernel.grsecurity.chroot_deny_mknod = 1
kernel.grsecurity.chroot_deny_chmod = 1
kernel.grsecurity.chroot_enforce_chdir = 1
kernel.grsecurity.chroot_deny_pivot = 1
kernel.grsecurity.chroot_deny_chroot = 1
kernel.grsecurity.chroot_deny_fchdir = 1
kernel.grsecurity.chroot_deny_mount = 1
kernel.grsecurity.chroot_deny_unix = 1
kernel.grsecurity.chroot_deny_shmat = 1
kernel.grsecurity.timechange_logging = 1
kernel.grsecurity.forkfail_logging = 1
kernel.grsecurity.execve_limiting = 1
kernel.grsecurity.fifo_restrictions = 1
kernel.grsecurity.linking_restrictions = 1

Thank you for helping find this.
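The root cause found above (an /etc/sysctl.conf entry silently replacing the kernel-built-in TPE GID at boot) is easy to check for mechanically. The following shell script is an added example written for this page; it is not part of the bug report, of Gentoo, or of grsecurity. It parses a kernel .config and a sysctl.conf-style text and reports whether the configured kernel.grsecurity.tpe_gid agrees with CONFIG_GRKERNSEC_TPE_GID. The .config and sysctl.conf contents it runs on are constructed samples modelled on the thread, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the bug report): detect a sysctl.conf override of the
# kernel-built-in grsecurity TPE GID. Only POSIX sh, awk and sed are used.

# Print the last uncommented value assigned to key $1 in sysctl.conf text read
# from stdin. sysctl(8) accepts "a.b.c" and "a/b/c" key spellings and applies
# entries in file order, so the last assignment wins.
sysctl_conf_value() {
    awk -v want="$1" '
        BEGIN { gsub("/", ".", want) }
        /^[[:space:]]*(#|;|$)/ { next }          # comment or blank line
        {
            n = index($0, "=")
            if (n == 0) next                     # not an assignment
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            gsub("/", ".", key)
            if (key == want) last = val
        }
        END { if (last != "") print last }'
}

# Print the built-in TPE GID from kernel .config text on stdin (empty if unset).
kconfig_tpe_gid() {
    sed -n 's/^CONFIG_GRKERNSEC_TPE_GID=\([0-9][0-9]*\)$/\1/p' | tail -n 1
}

# $1: kernel .config text, $2: sysctl.conf text.
# Prints "ok" (values agree), "unset" (sysctl.conf does not touch tpe_gid)
# or "overridden:<value>" (sysctl.conf will change the GID at boot).
tpe_gid_drift() {
    built_in=$(printf '%s\n' "$1" | kconfig_tpe_gid)
    conf=$(printf '%s\n' "$2" | sysctl_conf_value kernel.grsecurity.tpe_gid)
    if [ -z "$conf" ]; then
        echo unset
    elif [ "$conf" = "$built_in" ]; then
        echo ok
    else
        echo "overridden:$conf"
    fi
}

# Constructed sample inputs (hypothetical, modelled on the thread).
SAMPLE_KCONFIG='CONFIG_GRKERNSEC_TPE=y
# CONFIG_GRKERNSEC_TPE_ALL is not set
CONFIG_GRKERNSEC_TPE_INVERT=y
CONFIG_GRKERNSEC_TPE_GID=1234'

# The reporter'"'"'s situation: tpe_gid forced to 1 by sysctl.conf.
SAMPLE_SYSCTL_CONF='kernel.grsecurity.tpe = 1
#kernel.grsecurity.rand_pids = 1
kernel.grsecurity.tpe_gid = 1
kernel.grsecurity.chroot_deny_mount = 1'

# A consistent file, using the slash key spelling sysctl also accepts.
SAMPLE_SYSCTL_OK='kernel/grsecurity/tpe_gid=1234'

echo "sample (reporter): $(tpe_gid_drift "$SAMPLE_KCONFIG" "$SAMPLE_SYSCTL_CONF")"
echo "sample (consistent): $(tpe_gid_drift "$SAMPLE_KCONFIG" "$SAMPLE_SYSCTL_OK")"

# Live check on a host with CONFIG_IKCONFIG_PROC=y and a readable sysctl.conf.
if [ -r /etc/sysctl.conf ] && [ -r /proc/config.gz ]; then
    echo "live: $(tpe_gid_drift "$(zcat /proc/config.gz)" "$(cat /etc/sysctl.conf)")"
fi
```

On a real host, /etc/sysctl.d/*.conf is applied as well, so a complete audit would feed each of those files through sysctl_conf_value in the same order sysctl reads them; the script above deliberately checks only the file named in the thread.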
(In reply to comment #12)
> I have found the problem. Sorry for the wasted time!
>
> /etc/sysctl.conf contains:
>
> kernel.grsecurity.tpe_gid = 1
>

It happens. However, in the future, please do not mark a bug critical if it is not. Read the following:

http://www.gentoo.org/doc/en/bugzilla-howto.xml

There we read:

Critical - The program has loss of data or severe memory leaks during runtime. Again, an important program like say net-tools failing to compile could be labelled critical. It won't prevent the system from starting up, but is quite essential for day to day stuff.