From: aranea@aixah.de (Luis Ressel)
Date: Mon, 28 Nov 2016 22:48:59 +0100
Subject: [refpolicy] [PATCH 2/2] system/modutils: Allow kmod to use the sys_admin cap
In-Reply-To: <1480352576.14631.5.camel@trentalancia.net>
References: <20161127164146.3773-1-aranea@aixah.de>
	<20161127164146.3773-2-aranea@aixah.de>
	<1480278785.620.4.camel@trentalancia.net>
	<20161127222218.1ae86825@gentp.lnet>
	<1480285881.620.14.camel@trentalancia.net>
	<20161127235012.78adccd6@gentp.lnet>
	<1480352576.14631.5.camel@trentalancia.net>
Message-ID: <20161128224859.013ce4ab@gentp.lnet>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 28 Nov 2016 18:02:56 +0100
Guido Trentalancia via refpolicy wrote:

> On Sun, 27/11/2016 at 23.50 +0100, Luis Ressel wrote:
> > On Sun, 27 Nov 2016 23:31:21 +0100
> > Guido Trentalancia via refpolicy wrote:
> > [...]
> > > We've
> > added grsec-specific permissions to the refpolicy before, though
> > (for example "getty_t self:capability cap_sys_admin" earlier this
> > year).
>
> Thanks for pointing that out ! I have now removed the sys_admin
> capability locally from the getty module.
>
> It is not needed. And, there must be something wrong if the patch you
> mention forces permissions that are normally unneeded... It seems like
> it is forcing the users to weaken the policy, which is not what we
> want.

Well, actually the intent behind this is to *improve* security. The
grsec folks check the kernel for APIs which allow potentially dangerous
actions without requiring any elevated permissions, and try to secure
those APIs -- for example by adding a capable() check. One such case
is the TIOCSTI ioctl() on tty devices, which has been used as an
avenue for attacks on 'su' sessions (according to the grsec
documentation). Of course, there are always a few programs which
legitimately use those APIs and thus require additional capabilities
on grsec kernels.

That's usually not a problem because most of those programs run as
root and hence have those capabilities -- unless SELinux gets in the
way. In the TIOCSTI case I mentioned above, agetty is one of the few
programs out there to use this ioctl (due to a bad design decision
that'd be patchable in the source code with moderate effort, I might
add).

Regards,
Luis
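An added example, not part of this thread or of refpolicy: once a grsec kernel adds capable() checks, the practical way to find which domains now need a capability is to read the resulting AVC denials and turn them into the narrowest possible `self:capability` rules per domain, rather than granting broadly. The audit lines below are constructed to look like denials for kmod_t and getty_t; the parser only accepts `tclass=capability` denials where source and target context match, and ignores everything else.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials (not real logs), shaped like what a grsec
# kernel produces once an API that used to need no privilege gains a
# capable(CAP_SYS_ADMIN) check. kmod and agetty are the thread's examples.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1480352576.001:101): avc:  denied  { sys_admin } for  pid=312 comm="kmod" capability=21  scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:system_r:kmod_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1480352576.002:102): avc:  denied  { sys_admin } for  pid=455 comm="agetty" capability=21  scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1480352576.003:103): avc:  denied  { sys_admin } for  pid=455 comm="agetty" capability=21  scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1480352576.004:104): avc:  denied  { read } for  pid=600 comm="kmod" name="modules.dep" scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=0
"""

# Pull the denied permission set and the three fields that identify the rule.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def domain_of(context):
    # "system_u:system_r:kmod_t:s0" -> "kmod_t"
    return context.split(':')[2]


def capability_denials(audit_text):
    """Return {domain: {perm, ...}} for self:capability denials only."""
    found = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m['tclass'] != 'capability':
            continue  # file/dir/etc. denials are a different problem
        if m['scontext'] != m['tcontext']:
            continue  # capability checks are against the process itself
        found[domain_of(m['scontext'])].update(m['perms'].split())
    return dict(found)


def allow_rules(denials):
    """One minimal refpolicy-style rule per domain; no broad grants."""
    return sorted(
        f"allow {dom} self:capability {{ {' '.join(sorted(perms))} }};"
        for dom, perms in denials.items()
    )


if __name__ == '__main__':
    for rule in allow_rules(capability_denials(SAMPLE_AUDIT)):
        print(rule)
```

Duplicate denials collapse into one rule per domain, and the unrelated file denial is left out so it is reviewed separately rather than folded into a capability grant.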