[Cooker] Re: -16mdksecure - strange grsecurity logging
Borsenkow Andrej [EMAIL PROTECTED] writes: Obviously grsecurity does not like what happens during initrd stage: VFS: Mounted root (ext2 filesystem). grsec: mount . to / by (swapper:9) UID(0) EUID(0), parent (swapper:1) UID(0) EUID(0) grsec: denied attempt to mount (/proc) as /proc from chroot jail (01:00:2) of 0.0 by (linuxrc:9) UID(0) EUID(0), parent (swapper:1) UID(0) EUID(0) grsec: more denied mounts in chroot, logging disabled for 30 seconds fuck grsec!! i need those mounts. grsec: signal 11 sent to (linuxrc:9) UID(0) EUID(0), parent (swapper:1) Not very surprising, I probably don't check return values of all syscalls correctly. UID(0) EUID(0) grsec: mount .. to . by (swapper:1) UID(0) EUID(0), parent (swapper:0) UID(0) EUID(0) I must say I do _NOT_ like signal 11 to linuxrc. -andrej -- Guillaume Cottenceau - http://people.mandrakesoft.com/~gc/
[Cooker] Re: -16mdksecure - strange grsecurity logging
On 14 May 2002, Guillaume Cottenceau wrote: Borsenkow Andrej [EMAIL PROTECTED] writes: Obviously grsecurity does not like what happens during initrd stage: VFS: Mounted root (ext2 filesystem). grsec: mount . to / by (swapper:9) UID(0) EUID(0), parent (swapper:1) UID(0) EUID(0) grsec: denied attempt to mount (/proc) as /proc from chroot jail (01:00:2) of 0.0 by (linuxrc:9) UID(0) EUID(0), parent (swapper:1) UID(0) EUID(0) grsec: more denied mounts in chroot, logging disabled for 30 seconds fuck grsec!! i need those mounts. Juan, what happened to GRKERNSEC_SYSCTL??? [root@gw grsecurity]# grep GRKERNSEC_SYSCTL /boot/config [root@gw grsecurity]# bor@cooker:/usr/src/linux-2.4.18-13mdk/grsecurity% grep SYSCTL * if [ $CONFIG_SYSCTL != n ]; then bool 'Sysctl support' CONFIG_GRKERNSEC_SYSCTL gc, with this option you can temporarily sysctl -w kernel.grsecurity.chroot_deny_mount=0 before chrooting and then revert it back (of course you can use proper syscall). Unless chroot happens before entering linuxrc :( In any case I want this option back. -andrej
[Cooker] Re: -16mdksecure - strange grsecurity logging
Borsenkow Andrej [EMAIL PROTECTED] writes: On 14 May 2002, Guillaume Cottenceau wrote: Borsenkow Andrej [EMAIL PROTECTED] writes: Obviously grsecurity does not like what happens during initrd stage: VFS: Mounted root (ext2 filesystem). grsec: mount . to / by (swapper:9) UID(0) EUID(0), parent (swapper:1) UID(0) EUID(0) grsec: denied attempt to mount (/proc) as /proc from chroot jail (01:00:2) of 0.0 by (linuxrc:9) UID(0) EUID(0), parent (swapper:1) UID(0) EUID(0) grsec: more denied mounts in chroot, logging disabled for 30 seconds fuck grsec!! i need those mounts. Juan, what happened to GRKERNSEC_SYSCTL??? [root@gw grsecurity]# grep GRKERNSEC_SYSCTL /boot/config [root@gw grsecurity]# bor@cooker:/usr/src/linux-2.4.18-13mdk/grsecurity% grep SYSCTL * if [ $CONFIG_SYSCTL != n ]; then bool 'Sysctl support' CONFIG_GRKERNSEC_SYSCTL gc, with this option you can temporarily sysctl -w kernel.grsecurity.chroot_deny_mount=0 before chrooting and then revert it back (of course you can use proper syscall). Unless chroot happens before entering linuxrc :( AFAIK there is no explicit chroot in linuxrc/initrd. Can it be when the kernel mounts and runs the initrd, it uses an implicit chroot for that? -- Guillaume Cottenceau - http://people.mandrakesoft.com/~gc/
[Cooker] RE: -16mdksecure - strange grsecurity logging
Borsenkow Andrej [EMAIL PROTECTED] writes: On 14 May 2002, Guillaume Cottenceau wrote: Borsenkow Andrej [EMAIL PROTECTED] writes: Obviously grsecurity does not like what happens during initrd stage: VFS: Mounted root (ext2 filesystem). grsec: mount . to / by (swapper:9) UID(0) EUID(0), parent (swapper:1) UID(0) EUID(0) grsec: denied attempt to mount (/proc) as /proc from chroot jail (01:00:2) of 0.0 by (linuxrc:9) UID(0) EUID(0), parent (swapper:1) UID(0) EUID(0) grsec: more denied mounts in chroot, logging disabled for 30 seconds fuck grsec!! i need those mounts. Juan, what happened to GRKERNSEC_SYSCTL??? [root@gw grsecurity]# grep GRKERNSEC_SYSCTL /boot/config [root@gw grsecurity]# bor@cooker:/usr/src/linux-2.4.18-13mdk/grsecurity% grep SYSCTL * if [ $CONFIG_SYSCTL != n ]; then bool 'Sysctl support' CONFIG_GRKERNSEC_SYSCTL gc, with this option you can temporarily sysctl -w kernel.grsecurity.chroot_deny_mount=0 before chrooting and then revert it back (of course you can use proper syscall). Unless chroot happens before entering linuxrc :( AFAIK there is no explicit chroot in linuxrc/initrd. Can it be when the kernel mounts and runs the initrd, it uses an implicit chroot for that? It does not matter. You still must be able to enable mount in chroot before doing first explicit mount. Because there is no way to tell if kernel is compiled with grsecurity or not and if this particular option is enabled and if we do not have some other options that behave funny I suggest general implementation in nash, like sysctl set name value sysctl restore name sysctl set saves old value (if available) and sets new. It must be careful to not overwrite saved value if it is called second time (for whatever reason) which amounts to (in pigin-C) save = find_value (name) if (!save) { if (oldvalue = get_value(name)) { save = save_value(name, oldvalue) } } if (save) set_value(name, value) and for restore just if (oldvalue = find_value(name)) set_value(name, oldvalue) Nice and clean and just needs GRKERNSEC_SYSCTL support :-) -andrej P.S. Of course it should be reported to grsec. But I am almost sure the answer will be secure kernel must not have modules and I completely agree with them :-)