[grsec] feature request / question / discussion / etc

jnf jnf at nosec.net
Thu Sep 22 02:04:47 EDT 2005


Hi all,

while my current position doesn't have me playing with grsec/rbac as much
as I was previously, I still use it on home systems and something I noted
a while back when I was trying to split a system into well defined roles
where no one role had 'super user' access, but rather one role controlled
tty's, another syslog, etc, in other words 'total' compartmentalization of
duties across many segmented roles.

The biggest problems I faced were:

a) having to modify the kernel source myself as I learned that at least
previously (I haven't checked in a while), that the capabilities system in
Linux is shipped in a disabled state - meaning that (this is going from
memory of stuff done almost a year ago) that initd didn't have
CAP_SETPCAP, and thus couldn't hand out capabilities, and as a result no
process could give its children capabilities. Again, as I stated I'm going
from my memory of trying to get this fully working a year ago and getting
my work cut short by tyrannical employers with bigger aspirations than
brains (hi jake). This wasn't an incredibly hard thing to fix, at least at
base level as it just required flipping a couple statements in the kernel,
but after reading many things like [1] I've wondered if that's even a wise
choice.

and

b) very few userspace applications actively request capabilities, I'd
blame this mostly on (a) and problems like (a), which I realize this is
beyond the scope of any kernel development (to fix an entire userland),
but perhaps it would be possible to check rbac policies, and see if an
operation a process is trying to execute requires CAP_X, and if they are
allowed to have CAP_X, let the operation succeed even though they didn't
truly have the capability.

Really, I just want to hear everyone's thoughts on the subject, I mean
capabilities add such a nice dimension of security and to see them
crippled so somewhat saddens me.

cheers,

jnf



--

There are only two choices in life. You either conform the truth to your desire,
or you conform your desire to the truth. Which choice are you making?
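
A way to check the state point (a) describes, as an added example that is not part of the original post: it parses the capability masks from `/proc/<pid>/status` text and tests the CAP_SETPCAP bit. The status text is a constructed sample with that bit cleared, and the helper names `cap_field` and `has_cap` are hypothetical.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SETPCAP 8   /* bit number from <linux/capability.h> */

/* Constructed sample of /proc/1/status capability lines: all of the low
 * 32 bits set except bit 8 (CAP_SETPCAP), nothing inheritable. */
static const char SAMPLE_STATUS[] =
    "Name:\tinit\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000fffffeff\n"
    "CapEff:\t00000000fffffeff\n";

/* Find "<field>:" at the start of a line and parse its hex mask.
 * Returns 0 on success, -1 if the field is missing or malformed. */
int cap_field(const char *status, const char *field, uint64_t *mask)
{
    size_t n = strlen(field);
    for (const char *p = status; p && *p; ) {
        if (strncmp(p, field, n) == 0 && p[n] == ':') {
            char *end;
            const char *v = p + n + 1;
            *mask = strtoull(v, &end, 16);  /* skips the leading tab */
            return (end == v) ? -1 : 0;
        }
        p = strchr(p, '\n');                /* advance to the next line */
        if (p) p++;
    }
    return -1;
}

/* 1 if capability number `cap` is present in `mask`, else 0. */
int has_cap(uint64_t mask, int cap) { return (int)((mask >> cap) & 1u); }

int main(void)
{
    static const char *sets[] = { "CapInh", "CapPrm", "CapEff" };
    for (size_t i = 0; i < 3; i++) {
        uint64_t m;
        if (cap_field(SAMPLE_STATUS, sets[i], &m) == 0)
            printf("%s %016" PRIx64 " CAP_SETPCAP=%s\n", sets[i], m,
                   has_cap(m, CAP_SETPCAP) ? "yes" : "no");
    }
    return 0;
}
```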


