Bug 457812 - GRKERNSEC_DEVICE_SIDECHANNEL causes logspam in avc.log
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: The Gentoo Linux Hardened Kernel Team (OBSOLETE)
Reported: 2013-02-16 11:25 UTC by Mira Ressel
Modified: 2013-02-17 22:48 UTC (History)
Attachments
Patch for linux-3.7.5-hardened/kernel/capability.c (ns_capable_nolog.patch,442 bytes, patch)
2013-02-16 11:25 UTC, Mira Ressel
Patch for linux-3.7.5-hardened/kernel/capability.c (ns_capable_nolog.patch,440 bytes, patch)
2013-02-16 11:27 UTC, Mira Ressel
Description Mira Ressel 2013-02-16 11:25:52 UTC
Created attachment 339042
Patch for linux-3.7.5-hardened/kernel/capability.c

GRKERNSEC_DEVICE_SIDECHANNEL, which was introduced with hardened-sources-3.7.5, causes some SELinux denial messages, because it checks for CAP_MKNOD.

The implementation of this feature actually uses capable_nolog(CAP_MKNOD) (fs/stat.c), but its helper function ns_capable_nolog (kernel/capability.c) incorrectly calls security_capable instead of security_capable_noaudit.

A patch is attached. (Remark: The _nolog functions are not part of the mainline kernel, but were introduced by grsecurity.)
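The mechanism behind the logspam, as an added stand-alone model that is not the reporter's patch nor kernel code: the audited LSM hook writes an AVC denial line every time the check fails, the `_noaudit` hook does not, so a `_nolog` helper that routes through the audited hook turns every stat() call on a device node into an avc.log entry. The hook functions, their signatures, the `policy_allows` stub and the counter are simplified assumptions for this example; only the names and the value of CAP_MKNOD (27 in the kernel's uapi capability.h) are taken from the kernel.

```c
#include <stdio.h>
#include <stdbool.h>

/* Constructed model of the two LSM hooks. The real kernel functions take
   more arguments; the signatures here are simplified for the example. */

#define CAP_MKNOD 27            /* value from include/uapi/linux/capability.h */

static int avc_log_entries = 0;  /* simulated number of lines written to avc.log */

/* Policy stub: an unprivileged caller is never granted CAP_MKNOD. */
static bool policy_allows(int cap)
{
    (void)cap;
    return false;
}

/* Audited variant: a denial is recorded (an "avc: denied" line). */
static int security_capable(int cap)
{
    if (policy_allows(cap))
        return 0;
    avc_log_entries++;
    return -1;                  /* stands in for -EPERM */
}

/* Non-audited variant: same decision, nothing is logged. */
static int security_capable_noaudit(int cap)
{
    return policy_allows(cap) ? 0 : -1;
}

/* Buggy helper as described in the report: _nolog goes through the audited hook. */
static bool ns_capable_nolog_buggy(int cap)
{
    return security_capable(cap) == 0;
}

/* Fixed helper: _nolog goes through the _noaudit hook. */
static bool ns_capable_nolog_fixed(int cap)
{
    return security_capable_noaudit(cap) == 0;
}

/* Simulate `calls` stat() requests that hit the side-channel check and
   return how many avc.log lines the chosen helper produced. */
static int avc_lines_for(bool (*nolog)(int), int calls)
{
    avc_log_entries = 0;
    for (int i = 0; i < calls; i++)
        (void)nolog(CAP_MKNOD);
    return avc_log_entries;
}

int avc_lines_buggy(int calls) { return avc_lines_for(ns_capable_nolog_buggy, calls); }
int avc_lines_fixed(int calls) { return avc_lines_for(ns_capable_nolog_fixed, calls); }

int main(void)
{
    printf("buggy helper: %d avc.log lines for 1000 stat() calls\n", avc_lines_buggy(1000));
    printf("fixed helper: %d avc.log lines for 1000 stat() calls\n", avc_lines_fixed(1000));
    return 0;
}
```

The access decision is identical in both variants; only the audit side effect differs, which is why the fix is a one-line change of the hook being called rather than a policy change.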
Comment 1 Mira Ressel 2013-02-16 11:27:45 UTC
Created attachment 339044
Patch for linux-3.7.5-hardened/kernel/capability.c
Comment 2 Anthony Basile gentoo-dev 2013-02-16 17:08:56 UTC
This looks sane. I'll pass it to upstream for them to consider including into the next grsec/pax patchset.
Comment 3 PaX Team 2013-02-17 03:16:35 UTC
thanks, it's fixed in the latest grsec. for faster turnaround it's better to directly email us ;).
Comment 4 Mira Ressel 2013-02-17 17:26:07 UTC
Thanks for fixing. From https://grsecurity.net I got the impression that the preferred way for reporting bugs was the forums, and I didn't want to create Yet Another Account (TM). Next time I'll contact you directly via mail...
Comment 5 Anthony Basile gentoo-dev 2013-02-17 22:48:55 UTC
(In reply to comment #4)
> Thanks for fixing. From https://grsecurity.net I got the impression that the
> preferred way for reporting bugs were the forums, and I didn't want to
> create Yet Another Account (TM). Next time I'll contact you directly via
> mail...

Bugs here are Gentoo-specific. It does sometimes happen that a bug in the hardened-sources is my responsibility. But since 99% of the hardened-sources patchset is grsec/pax, if you go directly to pipacs it saves me the time of cc'ing them.