Bug 121250 - Deactivating disable_modules in grsecurity renders other options immutable
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: High normal
Assignee: solar (RETIRED)
Whiteboard: upstream
Keywords: Bug
Reported: 2006-02-01 20:16 UTC by kfm
Modified: 2006-12-12 11:08 UTC
Attachments
grsec-2.1.8-disable_modules-fix.patch (588 bytes, patch)
2006-02-05 20:44 UTC, kfm
Description kfm 2006-02-01 20:16:42 UTC
As reported by Alex Efros at the tail end of bug 118188:

---
I've just upgraded from -r3 to -r5. One new option was added in -r5:
GRKERNSEC_MODSTOP. I've enabled it and found a small bug: disabling module
(un)loading also automatically disables changing other grsec options.

I have these two lines at the bottom of /etc/sysctl.conf:
kernel.grsecurity.disable_modules = 1
kernel.grsecurity.grsec_lock = 1
and after executing the first line, sysctl is unable to execute the second line.

Here is what I see in console:
home /proc/sys/kernel/grsecurity # cat disable_modules 
1
home /proc/sys/kernel/grsecurity # cat grsec_lock 
0
home /proc/sys/kernel/grsecurity # echo 0 > disable_modules 
home /proc/sys/kernel/grsecurity # cat disable_modules 
1
home /proc/sys/kernel/grsecurity # echo 1 > grsec_lock 
home /proc/sys/kernel/grsecurity # cat grsec_lock 
0

And here is what was added to the log file while I ran these commands:
2006-02-02_02:49:04.79450 kern.alert: grsec: denied modification of grsecurity
sysctl value : disable_modules by /bin/bash[bash:29081] uid/euid:0/0
gid/egid:0/0, parent /bin/su[su:13200] uid/euid:0/0 gid/egid:0/0
2006-02-02_02:49:16.37100 kern.alert: grsec: denied modification of grsecurity
sysctl value : grsec_lock by /bin/bash[bash:29081] uid/euid:0/0 gid/egid:0/0,
parent /bin/su[su:13200] uid/euid:0/0 gid/egid:0/0
---

According to Alex and solar, both hardened-sources-2.6.14-r5 and hardened-sources-2.4.32-r2 are affected. As I understand it, we are currently waiting on upstream for further developments.
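
A post-boot check for the failure reported above, where a later kernel.grsecurity line in /etc/sysctl.conf is silently not applied: it compares each requested kernel.grsecurity.* value with what the kernel reports. This is an added example, not part of the original report or of grsecurity; the function name grsec_sysctl_drift and its optional second argument (an alternate /proc/sys root, used here for the constructed sample) are assumptions.

```shell
#!/bin/sh
# Added example: report kernel.grsecurity.* settings whose live value
# differs from the value requested in a sysctl.conf file.
# Usage: grsec_sysctl_drift [conf] [proc_sys_root]   (names are hypothetical)
grsec_sysctl_drift() {
    conf=${1:-/etc/sysctl.conf}
    root=${2:-/proc/sys}
    drift=0
    while IFS= read -r line; do
        line=${line%%[#;]*}                 # drop comments
        case $line in
            *kernel.grsecurity.*=*) ;;      # only grsecurity keys
            *) continue ;;
        esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        want=$(printf '%s' "${line#*=}" | tr -d ' \t')
        path=$root/$(printf '%s' "$key" | tr . /)
        if [ -r "$path" ]; then
            have=$(tr -d ' \t\n' < "$path")
        else
            have=unreadable
        fi
        if [ "$have" != "$want" ]; then
            echo "DRIFT $key wanted=$want actual=$have"
            drift=$((drift + 1))
        fi
    done < "$conf"
    [ "$drift" -eq 0 ]                      # non-zero status if anything drifted
}

# Constructed sample reproducing the console state shown in this report:
# disable_modules reads 1, grsec_lock still reads 0.
demo=$(mktemp -d)
mkdir -p "$demo/sys/kernel/grsecurity"
printf '%s\n' 'kernel.grsecurity.disable_modules = 1' \
              'kernel.grsecurity.grsec_lock = 1' > "$demo/sysctl.conf"
echo 1 > "$demo/sys/kernel/grsecurity/disable_modules"
echo 0 > "$demo/sys/kernel/grsecurity/grsec_lock"
grsec_sysctl_drift "$demo/sysctl.conf" "$demo/sys" || echo "grsecurity sysctls not fully applied"
rm -rf "$demo"
```

Run with no arguments on a live system, it reads /etc/sysctl.conf and /proc/sys; a non-zero exit status means at least one requested value did not take effect.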
Comment 1 kfm 2006-02-05 20:44:03 UTC
spender has a new patch (grsecurity-2.1.8-2.6.14.7-200602052251) which should address two things over the prior release:

1) Hopefully this bug (for which I shall attach an incremental patch here)
2) bug 99413

Alex, can you give this patch a try please?
Comment 2 kfm 2006-02-05 20:44:29 UTC
Created attachment 79004
grsec-2.1.8-disable_modules-fix.patch
Comment 3 Alex Efros 2006-02-05 21:47:29 UTC
I've tested both patches (this and for bug 99413).

This patch fixes the bug.

The patch for bug 99413 probably fixes that bug too. Probably, because I don't hit the problem described in bug 99413 on every reboot, so a couple of reboots without this issue don't make me 100% sure that bug 99413 is fixed too.
Comment 4 kfm 2006-02-05 21:51:10 UTC
(In reply to comment #3)
> I've tested both patches (this and for bug 99413).
> 
> This patch fixes the bug.

Good, thanks for testing :) As for #99413, please make any observations within the context of the bug itself.
Comment 5 kfm 2006-03-16 04:39:12 UTC
Fixed in hardened-sources-2.6.14-r6 (bug 121925) - closing.
Comment 6 kfm 2006-03-16 04:47:09 UTC
Hmm, actually that was a bit hasty - as far as I know this still affects 2.4. Re-opening and assigning to solar to determine the bug's fate.
Comment 7 solar (RETIRED) gentoo-dev 2006-03-17 02:51:10 UTC
Unless somebody is asking for a fix, I'm more likely to wait for 2.1.9.
Comment 8 solar (RETIRED) gentoo-dev 2006-12-12 11:08:49 UTC
This should be fixed now. If not, please report it to the grsec mailing list.