[grsec] gradm2 2.0.1 and grsec 2.0.1 bug with enabling RBAC

Marek Habersack grendel at caudium.net
Fri Oct 29 17:05:31 EDT 2004


On Fri, Oct 29, 2004 at 04:08:04PM -0400, spender at grsecurity.net scribbled:
> > if (write(fd, buf, sizeof(struct gr_arg_wrapper)) != sizeof(struct gr_arg_wrapper)) {
> > 
> > in transmit_to_kernel, while the kernel code in write_grsec_handler for the
> > STATUS mode does the following:
> > 
> > switch (gr_usermode->mode) {
> >         case STATUS:
> >                         if (gr_status & GR_READY)
> >                                 error = 1;
> >                         else
> >                                 error = 2;
> >                         goto out;
> 
> But transmit_to_kernel isn't called when we're checking status, 
This is odd then, for take a look:

# gradm2 -E
grsecurity version check: No such file or directory
You are using incompatible versions of gradm and grsecurity.
Please update both versions to the ones available on the website.

The perror call is inserted in transmit_to_kernel above, and the above 'you
are using...' message is printed only from transmit_to_kernel - I was misled
by that and didn't look for other writes to the device. From
looking at the strace output, an earlier call is indeed returning 2 from
write.

> check_acl_status is called; so this can't be the problem.  What grsec 
> log do you get when you see the error?  Can you have gradm print the 
> return value?
Yep, here's the output of printks in the write routine:

grsec: gracl.c:2666: error == 12
grsec: gracl.c:2729: status request
grsec: gracl.c:2734: status returning 2
grsec: gracl.c:2907: returning 2
grsec: gracl.c:2666: error == 12
grsec: gracl.c:2729: status request
grsec: gracl.c:2734: status returning 2
grsec: gracl.c:2907: returning 2
grsec: gracl.c:2666: error == 12
grsec: gracl.c:2755: ENABLE request
grsec: From 192.168.24.68: Fatal: Unable to find ACL for (init:1)
grsec: From 192.168.24.68: Unable to load grsecurity 2.0.1 for
/sbin/gradm2[gradm2:5393] uid/euid:0/0 gid/egid:0/0, parent  /bin/bash[bash:23036] uid/euid:0/0 gid/egid:0/0 RBAC system may already be enabled.
grsec: gracl.c:2907: returning 1

regards,

marek
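
Added example, not part of the original message and not grsecurity or gradm code: a small user-space model of the two return-value conventions discussed in this thread, showing why a STATUS reply can never satisfy the length check quoted from transmit_to_kernel. The GR_READY value, the struct layout, the function names and the behaviour of non-STATUS modes are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-ins; the real definitions live in the grsecurity/gradm sources. */
#define GR_READY 0x01                          /* placeholder bit value */
enum gr_mode { STATUS, ENABLE };               /* only the two modes seen in the log */
struct gr_arg_wrapper {                        /* placeholder layout */
    void *arg;
    unsigned int version;
    unsigned int size;
};

/* Model of the quoted STATUS branch: the value handed back through write()
 * is a status code (1 = GR_READY set, 2 = not set), not a byte count. */
static long model_write_handler(enum gr_mode mode, unsigned int gr_status, size_t count)
{
    if (mode == STATUS)
        return (gr_status & GR_READY) ? 1 : 2;
    return (long)count;  /* assumption: other modes report the full length on success */
}

/* The check quoted from transmit_to_kernel: only a full-length write passes. */
static int length_check_ok(long ret)
{
    return ret == (long)sizeof(struct gr_arg_wrapper);
}

/* A caller that knows it sent a STATUS request decodes the code instead. */
static const char *decode_status(long ret)
{
    switch (ret) {
    case 1:  return "ready";
    case 2:  return "not ready";
    default: return "unexpected";
    }
}

int main(void)
{
    size_t n = sizeof(struct gr_arg_wrapper);
    long st = model_write_handler(STATUS, 0, n);       /* RBAC not enabled yet */
    long en = model_write_handler(ENABLE, 0, n);

    printf("STATUS -> %ld (%s), passes length check: %d\n",
           st, decode_status(st), length_check_ok(st));
    printf("ENABLE -> %ld, passes length check: %d\n", en, length_check_ok(en));
    return 0;
}
```
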

