
Bug 457812

Summary: GRKERNSEC_DEVICE_SIDECHANNEL causes logspam in avc.log
Product: Gentoo Linux Reporter: Mira Ressel <aranea>
Component: Hardened    Assignee: The Gentoo Linux Hardened Kernel Team (OBSOLETE) <hardened-kernel+disabled>
Status: RESOLVED FIXED    
Severity: normal CC: hardened, pageexec, selinux, spender
Priority: Normal Keywords: PATCH
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: Patch for linux-3.7.5-hardened/kernel/capability.c
Patch for linux-3.7.5-hardened/kernel/capability.c

Description Mira Ressel 2013-02-16 11:25:52 UTC
Created attachment 339042 [details, diff]
Patch for linux-3.7.5-hardened/kernel/capability.c

GRKERNSEC_DEVICE_SIDECHANNEL, which was introduced with hardened-sources-3.7.5, causes some SELinux denial messages, because it checks for CAP_MKNOD.

The implementation of this feature actually uses capable_nolog(CAP_MKNOD) (fs/stat.c), but its helper function ns_capable_nolog (kernel/capability.c) incorrectly calls security_capable instead of security_capable_noaudit.

A patch is attached. (Remark: The _nolog functions are not part of the mainline kernel, but were introduced by grsecurity.)
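A triage check for the symptom in this report, added here as an example and not part of the bug, the attached patch, or grsecurity: it parses AVC denial records and counts CAP_MKNOD denials per reporting command. The sample avc.log below is constructed for the example (it is not the reporter's log); the record layout follows the SELinux AVC audit format and CAP_MKNOD is capability number 27. Because the check is issued from fs/stat.c, the denials this bug produces are attributed to processes that merely stat() files (an ls listing, a shell), which is what to look for when deciding whether the noise is this audit bug rather than a genuine policy problem.

```python
import re
from collections import Counter

# CAP_MKNOD as numbered in include/uapi/linux/capability.h.
CAP_MKNOD = 27

# Constructed sample of an avc.log for this example; these lines are not taken
# from the bug report. Field layout follows the SELinux AVC audit record format.
SAMPLE_AVC_LOG = """\
type=AVC msg=audit(1360994752.101:201): avc:  denied  { mknod } for  pid=4521 comm="ls" capability=27  scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:staff_t tclass=capability
type=AVC msg=audit(1360994752.105:202): avc:  denied  { mknod } for  pid=4522 comm="bash" capability=27  scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:staff_t tclass=capability
type=AVC msg=audit(1360994753.210:203): avc:  denied  { read } for  pid=4530 comm="cat" name="shadow" dev="sda2" ino=1234 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:shadow_t tclass=file
type=AVC msg=audit(1360994754.300:204): avc:  denied  { mknod } for  pid=4540 comm="mknod" capability=27  scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:staff_t tclass=capability
type=AVC msg=audit(1360994754.400:205): avc:  denied  { sys_admin } for  pid=4541 comm="mount" capability=21  scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:staff_t tclass=capability
"""

# "avc:  denied  { perm ... } for  key=value key="quoted value" ..."
_AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for any other line."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in _KV_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def cap_mknod_denials(log_text):
    """Return the denial records that are CAP_MKNOD checks on the capability class.

    Records for other object classes (file, dir, ...) and other capabilities
    are left out so that unrelated denials do not inflate the count.
    """
    out = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get("tclass") != "capability":
            continue
        if "mknod" in rec["perms"] or rec.get("capability") == str(CAP_MKNOD):
            out.append(rec)
    return out


def mknod_denials_by_comm(log_text):
    """Count CAP_MKNOD denials per reporting command name (the comm= field)."""
    return Counter(rec.get("comm", "?") for rec in cap_mknod_denials(log_text))


if __name__ == "__main__":
    # Commands that never call mknod(2) yet show CAP_MKNOD denials point at the
    # stat() path; a real mknod caller is a policy question, not this bug.
    for comm, n in mknod_denials_by_comm(SAMPLE_AVC_LOG).most_common():
        print(f"{n:5d}  {comm}")
```

Run it against a real log with `mknod_denials_by_comm(open("/var/log/avc.log").read())`; after the fixed patchset is installed the stat()-triggered entries should stop appearing, while any remaining { mknod } capability denials come from processes that actually attempted a mknod.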
Comment 1 Mira Ressel 2013-02-16 11:27:45 UTC
Created attachment 339044 [details, diff]
Patch for linux-3.7.5-hardened/kernel/capability.c
Comment 2 Anthony Basile gentoo-dev 2013-02-16 17:08:56 UTC
This looks sane.  I'll pass it to upstream for them to consider including into the next grsec/pax patchset.
Comment 3 PaX Team 2013-02-17 03:16:35 UTC
thanks, it's fixed in the latest grsec. for faster turnaround it's better to directly email us ;).
Comment 4 Mira Ressel 2013-02-17 17:26:07 UTC
Thanks for fixing. From https://grsecurity.net I got the impression that the preferred way for reporting bugs were the forums, and I didn't want to create Yet Another Account (TM). Next time I'll contact you directly via mail...
Comment 5 Anthony Basile gentoo-dev 2013-02-17 22:48:55 UTC
(In reply to comment #4)
> Thanks for fixing. From https://grsecurity.net I got the impression that the
> preferred way for reporting bugs were the forums, and I didn't want to
> create Yet Another Account (TM). Next time I'll contact you directly via
> mail...

Bugs here are Gentoo-specific.  It does sometimes happen that a bug in the hardened-sources is my responsibility.  But since 99% of the hardened-sources patchset is grsec/pax, if you go directly to pipacs it saves the time for me to cc them.