From: guido@trentalancia.net (Guido Trentalancia) Date: Mon, 28 Nov 2016 23:24:10 +0100 Subject: [refpolicy] [PATCH 2/2] system/modutils: Allow kmod to use the sys_admin cap In-Reply-To: <20161128231432.22c0b1bc@gentp.lnet> References: <20161127164146.3773-1-aranea@aixah.de> <20161127164146.3773-2-aranea@aixah.de> <1480278785.620.4.camel@trentalancia.net> <20161127222218.1ae86825@gentp.lnet> <1480285881.620.14.camel@trentalancia.net> <20161127235012.78adccd6@gentp.lnet> <1480352576.14631.5.camel@trentalancia.net> <20161128224859.013ce4ab@gentp.lnet> <1480370260.14631.12.camel@trentalancia.net> <20161128231432.22c0b1bc@gentp.lnet> Message-ID: <1480371850.14631.21.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Sun, 28/11/2016 at 23.14 +0100, Luis Ressel wrote: > On Mon, 28 Nov 2016 22:57:40 +0100 > Guido Trentalancia via refpolicy wrote: > > > > > That's really?counterproductive when combined with SELinux ! > > > > At the moment, if a malicious version of getty gets into the > > system, > > it is granted sys_admin capability permissions (which includes > > privileged and administrative operations). > > > > On the other hand, a normal, tight policy (which does not grant the > > unneeded sys_admin permission) would prevent a malicious getty from > > carrying out privileged and administrative operations which can > > damage > > the system and/or disrupt its normal operation. > > Well, a malicious binary tagged getty_t and running with root > privileges could easily wreak enough havoc that the availability or > non-availability of CAP_SYS_ADMIN access is somewhat irrelevant. > > Anyway, I've just revisited the discussion about agetty's > cap_sys_admin > permission we've had in March. Looks like it may be required on some > non-grsec systems, too. (Grep the ML history for the subject "Allow > getty the sys_admin capability"). It's very easy !... You can create a patch that reverts commit?7216d000d94342dc347a976a7a6a65f40a2f41cb and then adds an "ifdef grsecurity" for such sys_admin permission (for getty and/or kmod). That way, it won't unnecessarily weaken other systems. Regards, Guido