Re: Пара вопросов о grsecurity
В Срд, 04.06.2003, в 16:04, Dmitry Baryshkov пишет:
> Hello,
> Решил поэкспериментировать с grsecurity. Выглядит действительно
> серьёзно. Правда возникло несколько вопросов:
> 1) Куда логичнее всего вставить вызов gradm -E?
> 2) Какие CAP_* нужно дать X'ам (используется nvidia драйвер).
> А то они без +CAP_ALL не могут инициализировать kernel-module.
> Заранее спасибо.
Этого хватает :-)
--
---------------------------------------------------------
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sb20293A2058554E494Csnlbxq'|dc
Best Regards mailto:srg@csu.ac.ru
Mokeev Sergey http://sux.csu.ac.ru/
ICQ UIN:168860082
#sample default process acl for grsecurity
# Role flags:
# A -> This role is a "god" role, thus it has special privilege normal
# roles do not have. In particular, this role bypasses the
# additional ptrace restrictions
# N -> Don't require authentication for this role. To access
# the role, use gradm -n <rolename>
# s -> This role is a special role, meaning it does not belong to a
# user or group, and does not fall under ACL enforcement
# u -> This role is a user role
# g -> This role is a group role
# G -> This role can use gradm to authenticate to the kernel
# An ACL for gradm will automatically be added to the role
#
# a role can only be one of user, group, or special
#
# role_allow_ip IP/optional netmask
# eg: role_allow_ip 192.168.1.0/24
# You can have as many of these per role as you want
# They restrict the use of a role to a list of IPs. If a user who
# would normally get the role is logged in from an IP that is not
# in those lists, the system falls back to its normal method of
# determining a role for the user
#
# Role hierarchy
# user -> group -> default
# First a user role attempts to match, if one is not found,
# a group role attempts to match, if one is not found,
# the default role is used.
#
# role_transitions <special role 1> <special role 2> ... <special role n>
# eg: role_transitions www_admin dns_admin
#
# role transitions specify which special roles a given role is allowed
# to authenticate to. This applies to special roles that do not
# require password authentication as well. If a user tries to
# authenticate to a role that is not within his transition table, he
# will receive a permission denied error
#
# Nested subjects
# subject /bin/su:/bin/bash:/bin/cat
# / rwx
# +CAP_ALL
# grant privilege to specific processes if they are executed
# within a trusted path. In this case, privilege is
# granted if /bin/cat is executed from /bin/bash, which is
# executed from /bin/su.
#
# Configuration inheritance on nested subjects
# nested subjects inherit rules from their parents. In the
# example above, the nested subject would inherit rules
# from the nested subject for /bin/su:/bin/bash,
# and the subject /bin/su
# View the 1.9.x documentation for more information on
# configuration inheritance
# "admin": a special (s) "god" (A) role, see the role flags above. It is
# reached by authenticating with gradm (role_transitions of the other
# roles below name it) and is NOT a no-auth (N) role.
role admin sA
# One catch-all subject for every process in the role.
subject /
# Whole tree readable/writable/executable; "i" on the object makes binaries
# executed from here keep this subject's ACL.
/ rwxi
# Every capability granted: nothing in this role is constrained by RBAC.
+CAP_ALL
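# Group role for the web server (the objects below point at Apache:
# /etc/httpd, /var/log/httpd, /home/apache).
role www g
# Processes in this role may authenticate to "admin" only.
role_transitions admin
# "o": this subject does not inherit from a less specific subject, so the
# braces hold the complete policy for the role.
subject / o {
# Default-deny: the filesystem is hidden unless an object below opens it.
/ h
/etc/group r
/etc/hosts r
/etc/httpd r
/etc/ld.so.cache r
/etc/passwd r
/home/apache rwx
/home r
/home/*/http r
/lib rx
/usr/lib rx
/var/log/httpd rw
/var/run rw
/var/www r
# Capability lines are applied in file order (confirm against the gradm
# version in use; the grsecurity examples always drop first, then add).
# The original order (+CAP_KILL, +CAP_SETGID, -CAP_ALL) had the trailing
# -CAP_ALL remove the two capabilities just granted, leaving the subject
# with none. Drop everything first, then add back only what is needed.
-CAP_ALL
+CAP_KILL
+CAP_SETGID
# Socket policy. An HTTP server listens with "stream tcp" only; the
# "dgram udp" halves of the two bind lines are kept as the original had
# them and can be removed if nothing in the role needs UDP listeners.
bind 0.0.0.0:80 stream dgram tcp udp
bind 0.0.0.0:443 stream dgram tcp udp
# Outbound DNS (udp for normal lookups, tcp for large answers).
connect 0.0.0.0:53 stream dgram tcp udp
}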
# User role for the account "srg2". It hides the entire filesystem and
# drops every capability with no objects opened: processes in this role
# can do nothing except transition to "admin".
role srg2 u
role_transitions admin
# "o": complete policy, nothing inherited.
subject / o {
/ h
-CAP_ALL
}
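# Fallback role: used when neither a user nor a group role matches (see the
# role hierarchy above). "G": may use gradm to authenticate to the kernel.
role default G
role_transitions admin
# "o": this subject does not inherit from anything. Every subject further
# down that lacks "o" inherits the objects and capability lines listed here
# (configuration inheritance, see the header), so this is the baseline for
# the whole role.
subject / o
# The entire tree is readable by default; everything below narrows or
# widens that.
/ r
/opt rx
/home rwx
/mnt rw
# /dev carries no mode: the entry is listed but grants no access, so only
# the device nodes named below are usable (confirm the exact "no mode"
# semantics against the gradm documentation in use).
/dev
/dev/grsec h
/dev/loop/ rw
/dev/urandom r
/dev/random r
/dev/zero rw
/dev/input rw
/dev/misc/psaux rw
/dev/null rw
/dev/vc/ rw
/dev/vc/0 rw
/dev/tty0 rw
/dev/console rw
/dev/tty rw
/dev/pts rw
/dev/ptmx rw
/dev/sound/dsp rw
/dev/sound/mixer rw
/dev/initctl rw
/dev/floppy/0 r
/dev/cdroms/cdrom0 r
# Raw physical/kernel memory and I/O ports stay hidden from the default
# subject; the subjects that really need them (X11, vmware) open them
# individually below.
/dev/mem h
/dev/kmem h
/dev/port h
/bin rx
/sbin rx
/lib rx
/usr rx
# NOTE(review): "/etc rx" together with +CAP_DAC_OVERRIDE below lets any
# process in this role without a narrower subject read /etc/shadow.
# /usr/bin/passwd is given /etc/shadow explicitly further down; before
# adding "/etc/shadow h" here, check which other subjects (login/PAM)
# inherit this object and need it.
/etc rx
/etc/rc.d rxi
# Write access to all of /proc is wide; only kcore is hidden and /proc/sys
# is read-only.
/proc rwx
/proc/kcore h
/proc/sys r
/root r
/root/bin rx
/home/*/bin rwx
# /tmp rw
/var rwx
/var/tmp rw
/var/log rw
/boot/* h
/etc/grsec h
/usr/local/src rwx
# Capability lines. There is no -CAP_ALL in this subject, so the "+" lines
# only make those capabilities explicit and the "-" lines are the actual
# restrictions (RBAC only constrains capabilities that are dropped —
# confirm against the gradm version in use).
+CAP_DAC_OVERRIDE
+CAP_SYS_RESOURCE
+CAP_SYS_NICE
+CAP_DAC_READ_SEARCH
# The original granted +CAP_SYS_RAWIO here and dropped it again two lines
# later; the grant is removed so the intent (raw I/O denied by default,
# granted only to the X11 subject) is stated once.
-CAP_SYS_MODULE
-CAP_SYS_RAWIO
-CAP_MKNOD
# Address-space limit (soft hard) for processes in this subject.
RES_AS 100M 100M
# No bind/connect line is active, so this subject carries no socket
# policy; whether that means unrestricted networking depends on the gradm
# version — confirm before relying on it.
# connect 192.168.1.0/24:22 stream tcp
# bind 0.0.0.0 stream dgram tcp udp
/var/tmp/boot_cd rwx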
# Everything under /bin that has no more specific subject below. No "o"
# flag, so the objects of "subject /" are inherited and this only adds to
# them.
subject /bin/
/dev/log rw
# Grants only: there is no -CAP_ALL in this subject, so nothing is dropped
# here.
+CAP_SETGID
+CAP_CHOWN
+CAP_SETUID
+CAP_FSETID
+CAP_FOWNER
+CAP_SYS_TTY_CONFIG
+CAP_DAC_OVERRIDE
+CAP_DAC_READ_SEARCH
# mount/umount: CAP_SYS_ADMIN plus the block-device trees they operate on.
subject /bin/mount
+CAP_SYS_ADMIN
/dev/ide rw
/dev/floppy rw
/dev/loop rw
# rm needs to remove the boot-time fsck marker.
subject /bin/rm
/.autofsck rw
subject /bin/umount
+CAP_SYS_ADMIN
/dev/floppy rw
/dev/ide rw
/dev/loop rw
subject /bin/login
+CAP_KILL
subject /etc/X11/prefdm
+CAP_SYS_TTY_CONFIG
# Everything under /sbin without a narrower subject. Like /bin/ this
# inherits from "subject /"; note CAP_SYS_MODULE and CAP_NET_ADMIN are
# granted to the whole directory.
subject /sbin/
/dev/log rw
+CAP_SETGID
+CAP_SETUID
+CAP_CHOWN
+CAP_SYS_TTY_CONFIG
+CAP_SYS_ADMIN
+CAP_DAC_OVERRIDE
+CAP_SYS_MODULE
+CAP_NET_ADMIN
+CAP_KILL
# NOTE(review): the next line has no "subject" keyword, so it is not a
# nested-subject definition (compare the "subject a:b:c" form in the
# header); as written it looks like an object line with an extra field —
# confirm gradm accepts it, or it may be a paste error.
/sbin/syslogd:/sbin/initlog /dev/vc/1? a
# halt: full tree access with inheritance ("i") and CAP_SYS_BOOT. The
# subject flags "vrwx" are taken as given — check them against the subject
# mode list of the gradm version in use.
subject /sbin/halt vrwx
/ rwxi
+CAP_SYS_BOOT
# init runs unconfined: whole tree, inherited by what it executes, all caps.
subject /sbin/init
/ rwxi
+CAP_ALL
subject /sbin/killall5
+CAP_KILL
subject /sbin/losetup
+CAP_IPC_LOCK
subject /sbin/sysctl
/proc rw
# Whole of /usr/bin: CAP_NET_RAW and CAP_SYS_ADMIN for every binary there
# that has no narrower subject below.
subject /usr/bin
/dev/log rw
+CAP_SETGID
+CAP_SETUID
+CAP_NET_RAW
+CAP_SYS_TTY_CONFIG
+CAP_SYS_ADMIN
subject /usr/bin/cdrecord
/dev/scsi/host0/bus0/target0/lun0/generic rw
+CAP_IPC_LOCK
+CAP_SYS_NICE
# gdm: subject flag "i" (children executed from it keep this ACL — confirm
# against the subject mode list).
subject /usr/bin/gdm-binary i
/dev/log rw
+CAP_KILL
+CAP_SETUID
+CAP_SETGID
subject /usr/bin/smbmnt i
/etc/mtab~ rw
/etc/mtab rw
subject /etc/X11/gdm/ i
/dev/log rw
+CAP_KILL
+CAP_SETUID
+CAP_SETGID
subject /usr/bin/rdate
/dev/log rw
+CAP_SYS_TIME
subject /usr/bin/gconf-sanity-check-1
/etc/gconf/ rw
subject /usr/bin/oafd
/dev/log rw
# passwd: hides the tree and opens only the files it needs, but then grants
# every capability.
subject /usr/bin/passwd
# /etc/passwd r
/etc/shadow rw
/etc/nshadow rw
/etc/.pwd.lock rw
/usr/lib rx
/lib rx
/ h
+CAP_ALL
subject /usr/bin/vlock
/dev/log rw
subject /usr/libexec/gconf-sanity-check-2
/etc/gconf rw
subject /usr/libexec/gconfd-2
/etc/gconf rw
/dev/log rw
subject /usr/libexec/mysqld
+CAP_FSETID
# Java tree: the address-space limit is commented out, so only
# CAP_SYS_RESOURCE applies here.
subject /usr/java
# RLIMIT_AS 268435456 268435456
+CAP_SYS_RESOURCE
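# The JVM binary may bind privileged ports. The original listed
# +CAP_NET_BIND_SERVICE twice; once is enough.
subject /usr/java/j2sdk1.4.1_01/bin/java
+CAP_NET_BIND_SERVICE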
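# Whole of /usr/sbin without a narrower subject (sshd, gpm, userhelper
# have their own below). The original listed +CAP_SETUID twice; the
# duplicate is removed.
subject /usr/sbin
/dev/log rw
+CAP_DAC_OVERRIDE
+CAP_DAC_READ_SEARCH
+CAP_SETUID
+CAP_SETGID
+CAP_NET_RAW
+CAP_KILL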
# gpm: the serial mouse device and its control socket.
subject /usr/sbin/gpm
/dev/tts/0 rw
/dev/gpmctl rw
+CAP_SYS_TTY_CONFIG
+CAP_SYS_ADMIN
# sshd: chroot for privilege separation, port 22, ownership changes on ptys.
subject /usr/sbin/sshd
+CAP_CHOWN
+CAP_SYS_CHROOT
+CAP_NET_BIND_SERVICE
subject /usr/sbin/userhelper
/etc/security/console.apps/* rw
+CAP_SETGID
+CAP_SETUID
# vmware: direct read/write/exec on physical memory via /dev/mem. Any
# process under this subject can effectively bypass the rest of the policy,
# so treat it as fully trusted.
subject /usr/lib/vmware
/dev/misc/vmmon rwx
/dev/mem rwx
/var/tmp/ rwx
subject /usr/local/bin/mplayer
/usr/local/share/mplayer/config rw
subject /usr/local/bin/licq
/usr/lib/qt-3.1/etc/settings/.qtrc.lock rw
# "a": append-only on the history files.
/home/*/.licq/history/* ar
# X server (the answer to question 2 in the thread): with the nvidia
# driver it needs physical memory, MTRR control and the nvidia device
# nodes, plus CAP_SYS_RAWIO, which the default subject drops. Note that
# /dev/mem rw together with CAP_SYS_RAWIO lets this subject reach kernel
# memory, so the whole of /usr/X11R6/bin is effectively trusted.
subject /usr/X11R6/bin
/dev/mem rw
/dev/cpu/mtrr w
/dev/log rw
/dev/nvidiactl rw
/dev/nvidia0 rw
/dev/tts/0 rw
+CAP_SYS_TTY_CONFIG
+CAP_SYS_RAWIO
+CAP_SETGID
+CAP_SETUID
+CAP_CHOWN
+CAP_DAC_OVERRIDE
+CAP_DAC_READ_SEARCH
+CAP_KILL
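# The rc runner is unconfined: whole tree with inheritance ("i") and every
# capability. The original additionally listed +CAP_SYS_TTY_CONFIG and
# +CAP_KILL after +CAP_ALL; both are already covered and are dropped.
subject /etc/rc.d/rc
/ rwxi
+CAP_ALL
# Individual init scripts: only the two capabilities below are granted on
# top of what this subject inherits from "subject /".
subject /etc/rc.d/init.d/
+CAP_SYS_TTY_CONFIG
+CAP_KILL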