[Cooker] Re: -16mdksecure - strange grsecurity logging
Borsenkow Andrej [EMAIL PROTECTED] writes: Obviously grsecurity does not like what happens during initrd stage: VFS: Mounted root (ext2 filesystem). grsec: mount . to / by (swapper:9) UID(0) EUID(0), parent (swapper:1) UID(0) EUID(0) grsec: denied attempt to mount (/proc) as /proc from chroot jail (01:00:2) of 0.0 by (linuxrc:9) UID(0) EUID(0), parent (swapper:1) UID(0) EUID(0) grsec: more denied mounts in chroot, logging disabled for 30 seconds fuck grsec!! i need those mounts. grsec: signal 11 sent to (linuxrc:9) UID(0) EUID(0), parent (swapper:1) Not very surprising, I probably don't check return values of all syscalls correctly. UID(0) EUID(0) grsec: mount .. to . by (swapper:1) UID(0) EUID(0), parent (swapper:0) UID(0) EUID(0) I must say I do _NOT_ like signal 11 to linuxrc. -andrej -- Guillaume Cottenceau - http://people.mandrakesoft.com/~gc/
[Cooker] Re: -16mdksecure - strange grsecurity logging
On 14 May 2002, Guillaume Cottenceau wrote: Borsenkow Andrej [EMAIL PROTECTED] writes: Obviously grsecurity does not like what happens during initrd stage: VFS: Mounted root (ext2 filesystem). grsec: mount . to / by (swapper:9) UID(0) EUID(0), parent (swapper:1) UID(0) EUID(0) grsec: denied attempt to mount (/proc) as /proc from chroot jail (01:00:2) of 0.0 by (linuxrc:9) UID(0) EUID(0), parent (swapper:1) UID(0) EUID(0) grsec: more denied mounts in chroot, logging disabled for 30 seconds fuck grsec!! i need those mounts. Juan, what happened to GRKERNSEC_SYSCTL??? [root@gw grsecurity]# grep GRKERNSEC_SYSCTL /boot/config [root@gw grsecurity]# bor@cooker:/usr/src/linux-2.4.18-13mdk/grsecurity% grep SYSCTL * if [ $CONFIG_SYSCTL != n ]; then bool 'Sysctl support' CONFIG_GRKERNSEC_SYSCTL gc, with this option you can temporarily sysctl -w kernel.grsecurity.chroot_deny_mount=0 before chrooting and then revert it back (of course you can use proper syscall). Unless chroot happens before entering linuxrc :( In any case I want this option back. -andrej
[Cooker] Re: -16mdksecure - strange grsecurity logging
Borsenkow Andrej [EMAIL PROTECTED] writes: On 14 May 2002, Guillaume Cottenceau wrote: Borsenkow Andrej [EMAIL PROTECTED] writes: Obviously grsecurity does not like what happens during initrd stage: VFS: Mounted root (ext2 filesystem). grsec: mount . to / by (swapper:9) UID(0) EUID(0), parent (swapper:1) UID(0) EUID(0) grsec: denied attempt to mount (/proc) as /proc from chroot jail (01:00:2) of 0.0 by (linuxrc:9) UID(0) EUID(0), parent (swapper:1) UID(0) EUID(0) grsec: more denied mounts in chroot, logging disabled for 30 seconds fuck grsec!! i need those mounts. Juan, what happened to GRKERNSEC_SYSCTL??? [root@gw grsecurity]# grep GRKERNSEC_SYSCTL /boot/config [root@gw grsecurity]# bor@cooker:/usr/src/linux-2.4.18-13mdk/grsecurity% grep SYSCTL * if [ $CONFIG_SYSCTL != n ]; then bool 'Sysctl support' CONFIG_GRKERNSEC_SYSCTL gc, with this option you can temporarily sysctl -w kernel.grsecurity.chroot_deny_mount=0 before chrooting and then revert it back (of course you can use proper syscall). Unless chroot happens before entering linuxrc :( AFAIK there is no explicit chroot in linuxrc/initrd. Can it be when the kernel mounts and runs the initrd, it uses an implicit chroot for that? -- Guillaume Cottenceau - http://people.mandrakesoft.com/~gc/
[Cooker] RE: -16mdksecure - strange grsecurity logging
Borsenkow Andrej [EMAIL PROTECTED] writes:
On 14 May 2002, Guillaume Cottenceau wrote:
Borsenkow Andrej [EMAIL PROTECTED] writes:
Obviously grsecurity does not like what happens during initrd
stage:
VFS: Mounted root (ext2 filesystem).
grsec: mount . to / by (swapper:9) UID(0) EUID(0), parent
(swapper:1)
UID(0) EUID(0)
grsec: denied attempt to mount (/proc) as /proc from chroot jail
(01:00:2)
of 0.0 by (linuxrc:9) UID(0) EUID(0), parent (swapper:1) UID(0)
EUID(0)
grsec: more denied mounts in chroot, logging disabled for 30
seconds
fuck grsec!! i need those mounts.
Juan, what happened to GRKERNSEC_SYSCTL???
[root@gw grsecurity]# grep GRKERNSEC_SYSCTL /boot/config
[root@gw grsecurity]#
bor@cooker:/usr/src/linux-2.4.18-13mdk/grsecurity% grep SYSCTL *
if [ $CONFIG_SYSCTL != n ]; then
bool 'Sysctl support' CONFIG_GRKERNSEC_SYSCTL
gc, with this option you can temporarily sysctl -w
kernel.grsecurity.chroot_deny_mount=0 before chrooting and then
revert it
back (of course you can use proper syscall). Unless chroot happens
before
entering linuxrc :(
AFAIK there is no explicit chroot in linuxrc/initrd. Can it be
when the kernel mounts and runs the initrd, it uses an implicit
chroot for that?
It does not matter. You still must be able to enable mount in chroot
before doing first explicit mount.
Because there is no way to tell if kernel is compiled with grsecurity or
not and if this particular option is enabled and if we do not have some
other options that behave funny I suggest general implementation in
nash, like
sysctl set name value
sysctl restore name
sysctl set saves old value (if available) and sets new. It must be
careful to not overwrite saved value if it is called second time (for
whatever reason) which amounts to (in pigin-C)
save = find_value (name)
if (!save) {
if (oldvalue = get_value(name)) {
save = save_value(name, oldvalue)
}
}
if (save)
set_value(name, value)
and for restore just
if (oldvalue = find_value(name))
set_value(name, oldvalue)
Nice and clean and just needs GRKERNSEC_SYSCTL support :-)
-andrej
P.S. Of course it should be reported to grsec. But I am almost sure the
answer will be secure kernel must not have modules and I completely
agree with them :-)
