From tazok.id0 at gmail.com Sat Oct 8 00:36:00 2011
From: tazok.id0 at gmail.com (Javier Juan Martínez Cabezón)
Date: Sat, 8 Oct 2011 00:36:00 +0200
Subject: [rsbac] PROT_EXEC PROT_WRITE
Message-ID:

Hi,

I think it would be a good idea to split the MAP_EXEC request into two requests: MAP_EXEC for exec-only mappings and MAP_WRITE for write-only mappings. With this I think we could get the W or X or mprotect PaX facility implemented in RC or ACL as fully integrated requests. In case both are required, everyone could grant both (Java and a few more..., nothing important though).

I think every PROT_EXEC right should be granted only to T_FILE targets, and PROT_WRITE to T_NONE. I think the changes wouldn't be so heavy, don't you think?

From mprotect.c: MAP_EXEC||MAP_WRITE

/* Excerpt from inside the per-vma loop of sys_mprotect(): the RSBAC hook
 * asks the ADF before a mapping gains PROT_EXEC. */
#ifdef CONFIG_RSBAC
        if ((prot & PROT_EXEC) && !(vma->vm_flags & PROT_EXEC)) {
            rsbac_pr_debug(aef, "calling ADF\n");
            /* File-backed mapping: the target is the backing file;
             * anonymous mapping: no target. */
            if (vma->vm_file) {
                rsbac_target = T_FILE;
                rsbac_target_id.file.device = vma->vm_file->f_dentry->d_inode->i_sb->s_dev;
                rsbac_target_id.file.inode = vma->vm_file->f_dentry->d_inode->i_ino;
                rsbac_target_id.file.dentry_p = vma->vm_file->f_dentry;
            } else {
                rsbac_target = T_NONE;
                rsbac_target_id.dummy = 0;
            }
            rsbac_attribute_value.prot_bits = prot;
            if (!rsbac_adf_request(R_MAP_EXEC,
                                   task_pid(current),
                                   rsbac_target,
                                   rsbac_target_id,
                                   A_prot_bits,
                                   rsbac_attribute_value))
            {
                rsbac_pr_debug(aef, "request NOT_GRANTED\n");
                error = -EPERM;
                goto out;
            } else
                need_notify = TRUE;
        }
#endif

        tmp = vma->vm_end;
        if (tmp > end)
            tmp = end;
        error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
        if (error)
            goto out;
        nstart = tmp;

        if (nstart < prev->vm_end)
            nstart = prev->vm_end;
        if (nstart >= end)
            goto out;

        vma = prev->vm_next;
        if (!vma || vma->vm_start != nstart) {
            error = -ENOMEM;
            goto out;
        }
    }
out:
    up_write(&current->mm->mmap_sem);

    /* RSBAC: notify ADF of mapped segment */
#ifdef CONFIG_RSBAC
    if (need_notify && !error) {
        union rsbac_target_id_t rsbac_new_target_id;

        rsbac_pr_debug(aef, "calling ADF_set_attr\n");
        rsbac_new_target_id.dummy = 0;
        if (rsbac_adf_set_attr(R_MAP_EXEC,
                               task_pid(current),
                               rsbac_target,
                               rsbac_target_id,
                               T_NONE,
                               rsbac_new_target_id,
                               A_none,
                               rsbac_attribute_value))
        {
            rsbac_printk(KERN_WARNING
                         "sys_mprotect: rsbac_adf_set_attr() returned error\n");
        }
    }
#endif

    return error;

Amon, Kang, Michal, is it hard to implement some functionality of PaX, like the one above, as requests and under complete control of RSBAC?

From jens at kasten-edv.de Sat Oct 8 15:12:16 2011
From: jens at kasten-edv.de (Jens Kasten)
Date: Sat, 08 Oct 2011 15:12:16 +0200
Subject: [rsbac] jail
Message-ID: <1318079536.2700.7.camel@malo.jaschtschik.local>

Hi list,

I have a problem with the jail. Maybe it's a bug, I am not sure.

For example:

Sat Oct 8 14:56:38 2011 :<6>0000001846|rsbac_adf_request(): request WRITE_OPEN, pid 32427, ppid 1, prog_name licq, prog_file /usr/bin/licq, uid 1000, target_type DEV, tid char 01:03, attr open_flag, value 32770, result NOT_GRANTED by JAIL

Now I add this jail flag and start licq again. Then the system free. Similar behavior I got on openoffice.

I am not sure, maybe it could also be a PaX issue.

Regards
Jens

From tazok.id0 at gmail.com Sat Oct 8 15:41:23 2011
From: tazok.id0 at gmail.com (Javier Juan Martínez Cabezón)
Date: Sat, 8 Oct 2011 15:41:23 +0200
Subject: [rsbac] jail
In-Reply-To: <1318079536.2700.7.camel@malo.jaschtschik.local>
References: <1318079536.2700.7.camel@malo.jaschtschik.local>
Message-ID:

Your app is trying to write to /dev/null and it can't. Have you thought of creating the node inside the jail? (Maybe you could create it on a loop device with mknod and mount it using --bind into the jails that require it.)
2011/10/8 Jens Kasten

> Hi list,
>
> I have a problem with the jail.
> Maybe it's a bug, I am not sure.
>
> For example:
> Sat Oct 8 14:56:38 2011 :<6>0000001846|rsbac_adf_request(): request
> WRITE_OPEN, pid 32427, ppid 1, prog_name licq, prog_file /usr/bin/licq,
> uid 1000, target_type DEV, tid char 01:03, attr open_flag, value 32770, result
> NOT_GRANTED by JAIL
>
> Now I add this jail flag and start licq again.
> Then the system free.
> Similar behavior I got on openoffice.
>
> I am not sure, maybe it could also be a PaX issue.
>
> Regards
> Jens
>
> _______________________________________________
> rsbac mailing list
> rsbac at rsbac.org
> http://www.rsbac.org/mailman/listinfo/rsbac

From tazok.id0 at gmail.com Sat Oct 8 15:49:42 2011
From: tazok.id0 at gmail.com (Javier Juan Martínez Cabezón)
Date: Sat, 8 Oct 2011 15:49:42 +0200
Subject: [rsbac] jail
In-Reply-To:
References: <1318079536.2700.7.camel@malo.jaschtschik.local>
Message-ID:

Did you use the "-t" flag?

On 8 October 2011 15:41, Javier Juan Martínez Cabezón <tazok.id0 at gmail.com> wrote:

> Your app is trying to write to /dev/null and it can't. Have you thought of
> creating the node inside the jail? (Maybe you could create it on a loop device
> with mknod and mount it using --bind into the jails that require it.)
>
>
> 2011/10/8 Jens Kasten
>
>> Hi list,
>>
>> I have a problem with the jail.
>> Maybe it's a bug, I am not sure.
>>
>> For example:
>> Sat Oct 8 14:56:38 2011 :<6>0000001846|rsbac_adf_request(): request
>> WRITE_OPEN, pid 32427, ppid 1, prog_name licq, prog_file /usr/bin/licq,
>> uid 1000, target_type DEV, tid char 01:03, attr open_flag, value 32770, result
>> NOT_GRANTED by JAIL
>>
>> Now I add this jail flag and start licq again.
>> Then the system free.
>> Similar behavior I got on openoffice.
>>
>> I am not sure, maybe it could also be a PaX issue.
>>
>> Regards
>> Jens

From tazok.id0 at gmail.com Sat Oct 8 15:52:41 2011
From: tazok.id0 at gmail.com (Javier Juan Martínez Cabezón)
Date: Sat, 8 Oct 2011 15:52:41 +0200
Subject: [rsbac] jail
In-Reply-To:
References: <1318079536.2700.7.camel@malo.jaschtschik.local>
Message-ID:

Try jail_flag "D"

On 8 October 2011 15:49, Javier Juan Martínez Cabezón <tazok.id0 at gmail.com> wrote:

> Did you use the "-t" flag?
>
> On 8 October 2011 15:41, Javier Juan Martínez Cabezón <tazok.id0 at gmail.com> wrote:
>
>> Your app is trying to write to /dev/null and it can't. Have you thought of
>> creating the node inside the jail? (Maybe you could create it on a loop device
>> with mknod and mount it using --bind into the jails that require it.)
>>
>>
>> 2011/10/8 Jens Kasten
>>
>>> Hi list,
>>>
>>> I have a problem with the jail.
>>> Maybe it's a bug, I am not sure.
>>>
>>> For example:
>>> Sat Oct 8 14:56:38 2011 :<6>0000001846|rsbac_adf_request(): request
>>> WRITE_OPEN, pid 32427, ppid 1, prog_name licq, prog_file /usr/bin/licq,
>>> uid 1000, target_type DEV, tid char 01:03, attr open_flag, value 32770, result
>>> NOT_GRANTED by JAIL
>>>
>>> Now I add this jail flag and start licq again.
>>> Then the system free.
>>> Similar behavior I got on openoffice.
>>>
>>> I am not sure, maybe it could also be a PaX issue.
>>>
>>> Regards
>>> Jens

From jens at kasten-edv.de Sat Oct 8 16:27:04 2011
From: jens at kasten-edv.de (Jens Kasten)
Date: Sat, 08 Oct 2011 16:27:04 +0200
Subject: [rsbac] jail
In-Reply-To:
References: <1318079536.2700.7.camel@malo.jaschtschik.local>
Message-ID: <1318084024.2700.16.camel@malo.jaschtschik.local>

Yes, I use this flag, -D

On Saturday, 08.10.2011, 15:52 +0200, Javier Juan Martínez Cabezón wrote:

> Try jail_flag "D"
>
> On 8 October 2011 15:49, Javier Juan Martínez Cabezón <tazok.id0 at gmail.com> wrote:
>
> > Did you use the "-t" flag?
> >
> > On 8 October 2011 15:41, Javier Juan Martínez Cabezón <tazok.id0 at gmail.com> wrote:
> >
> >> Your app is trying to write to /dev/null and it can't. Have you thought of
> >> creating the node inside the jail? (Maybe you could create it on a loop device
> >> with mknod and mount it using --bind into the jails that require it.)
> >>
> >>
> >> 2011/10/8 Jens Kasten
> >>
> >>> Hi list,
> >>>
> >>> I have a problem with the jail.
> >>> Maybe it's a bug, I am not sure.
> >>>
> >>> For example:
> >>> Sat Oct 8 14:56:38 2011 :<6>0000001846|rsbac_adf_request(): request
> >>> WRITE_OPEN, pid 32427, ppid 1, prog_name licq, prog_file /usr/bin/licq,
> >>> uid 1000, target_type DEV, tid char 01:03, attr open_flag, value 32770, result
> >>> NOT_GRANTED by JAIL
> >>>
> >>> Now I add this jail flag and start licq again.
> >>> Then the system free.
> >>> Similar behavior I got on openoffice.
> >>>
> >>> I am not sure, maybe it could also be a PaX issue.
> >>>
> >>> Regards
> >>> Jens
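The first message in this thread proposes splitting RSBAC's single MAP_EXEC request into MAP_EXEC (a mapping gains PROT_EXEC) and MAP_WRITE (a mapping gains PROT_WRITE), with exec granted only on T_FILE targets and write only on T_NONE targets. The following is an added user-space model of that hook and policy; it is not RSBAC, PaX or kernel code, and nobody on the list wrote it. The enum names mirror RSBAC's but are defined locally, the policy in policy_decide() is the one the message sketches (a real RC or ACL policy could grant both rights to a JIT such as Java), and mprotect_hook() and struct hook_result are hypothetical stand-ins for the kernel hook and its outcome. It goes a little beyond the quoted kernel excerpt, which only raises a request when PROT_EXEC is gained, by applying the same "only when the right is gained" rule to PROT_WRITE and walking through several transitions so the resulting writable-xor-executable behaviour is visible per case.

```c
/* Added example: user-space model of the proposed MAP_EXEC / MAP_WRITE
 * split. Not RSBAC, PaX or kernel code; names mirror RSBAC's, the
 * policy, mprotect_hook() and struct hook_result are hypothetical. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/mman.h>        /* PROT_READ, PROT_WRITE, PROT_EXEC */

enum request  { R_MAP_EXEC, R_MAP_WRITE };
enum target   { T_FILE, T_NONE };           /* file-backed vs anonymous mapping */
enum decision { NOT_GRANTED = 0, GRANTED = 1 };

/* Model policy from the proposal: exec only on file-backed mappings,
 * write only on anonymous ones. No target satisfies both, which is how
 * W xor X falls out; a real RC/ACL policy could still grant both. */
static enum decision policy_decide(enum request req, enum target tgt)
{
    switch (req) {
    case R_MAP_EXEC:  return tgt == T_FILE ? GRANTED : NOT_GRANTED;
    case R_MAP_WRITE: return tgt == T_NONE ? GRANTED : NOT_GRANTED;
    }
    return NOT_GRANTED;
}

/* What the hook did for one mprotect()-style transition. */
struct hook_result {
    int issued_exec;    /* R_MAP_EXEC was sent to the policy */
    int issued_write;   /* R_MAP_WRITE was sent to the policy */
    int error;          /* 0, or -EPERM like the kernel hook */
};

/* Stand-in for the hook inside the sys_mprotect loop. old_flags is the
 * mapping's current protection, prot the requested one. As in the quoted
 * kernel code, a request is raised only for a right the mapping does not
 * already hold; rights kept or dropped need no decision. The first
 * NOT_GRANTED aborts with -EPERM, so any later request is not issued. */
struct hook_result mprotect_hook(int old_flags, int prot, bool file_backed)
{
    struct hook_result r = { 0, 0, 0 };
    enum target tgt = file_backed ? T_FILE : T_NONE;

    if ((prot & PROT_EXEC) && !(old_flags & PROT_EXEC)) {
        r.issued_exec = 1;
        if (policy_decide(R_MAP_EXEC, tgt) == NOT_GRANTED) {
            r.error = -EPERM;
            return r;
        }
    }
    if ((prot & PROT_WRITE) && !(old_flags & PROT_WRITE)) {
        r.issued_write = 1;
        if (policy_decide(R_MAP_WRITE, tgt) == NOT_GRANTED) {
            r.error = -EPERM;
            return r;
        }
    }
    return r;
}

/* "rwx"-style rendering of protection bits for the demo output. */
static const char *prot_str(int prot)
{
    static char buf[4];
    buf[0] = (prot & PROT_READ)  ? 'r' : '-';
    buf[1] = (prot & PROT_WRITE) ? 'w' : '-';
    buf[2] = (prot & PROT_EXEC)  ? 'x' : '-';
    buf[3] = '\0';
    return buf;
}

int main(void)
{
    /* Constructed transitions: {old protection, requested, file-backed}. */
    struct { int old, prot; bool file; } cases[] = {
        { PROT_READ,              PROT_READ | PROT_EXEC,              true  }, /* text page +x: ok */
        { PROT_READ,              PROT_READ | PROT_EXEC,              false }, /* anon +x: denied */
        { PROT_READ,              PROT_READ | PROT_WRITE,             false }, /* anon +w: ok */
        { PROT_READ | PROT_WRITE, PROT_READ | PROT_WRITE | PROT_EXEC, false }, /* anon rw -> rwx: denied */
        { PROT_READ,              PROT_READ | PROT_WRITE | PROT_EXEC, true  }, /* file +wx: write denied */
        { PROT_READ | PROT_EXEC,  PROT_READ,                          true  }, /* dropping x: no request */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct hook_result r = mprotect_hook(cases[i].old, cases[i].prot, cases[i].file);
        printf("%-4s -> ", prot_str(cases[i].old));
        printf("%-4s %-5s exec_req=%d write_req=%d -> %s\n", prot_str(cases[i].prot),
               cases[i].file ? "file" : "anon", r.issued_exec, r.issued_write,
               r.error ? "NOT_GRANTED (-EPERM)" : "GRANTED");
    }
    return 0;
}
```

Run as-is it prints one line per transition. The two cases worth noting are the anonymous rw to rwx change, which is refused at the R_MAP_EXEC request before R_MAP_WRITE is ever raised, and the file-backed read to rwx change, where R_MAP_EXEC is granted but the R_MAP_WRITE that follows is not; under the modelled policy both end in -EPERM for different reasons, which is exactly the information a split into two requests gives an administrator that the single MAP_EXEC request cannot.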