[grsec] proc restrictions + /proc/net/if_inet6

Wolfram Schlich lists at wolfram.schlich.org
Thu May 10 13:21:49 EDT 2007


* Christian Schmidt <lkml at digadd.de> [2007-05-10 14:44]:
> Wolfram Schlich schrieb:
> > Hi,
> > 
> > with activated proc restrictions, IPv6 enabled services/daemons
> > (like apache, bind, postfix) are prevented from functioning
> > properly, as they rely on information they read from
> > /proc/net/if_inet6.
> > 
> > See this: http://forums.grsecurity.net/viewtopic.php?p=6575
> 
> One could say: design error.
> This broken IPV6 support is basically the same reason you need to mount
> /proc in a chroot() environment for bind.
> Modifying the source to use the netlink interface makes it go away. I'm
> atm working on a patch for bind at least to remove dependency on /proc.

Ah, interesting. As I said, that also applies to apache and postfix.
When your patch is ready, it might be a good idea to show it to the
apache and postfix developer(s) as well so they get a clue on
how to fix it in their own programs.

> > Adding those daemon users to the grsec_proc/1001 group is
> > unreasonable, as those users would have far more permissions
> > than needed.
> > 
> > Currently, I can do a "chmod a+rx /proc/net", but I don't
> > like it having to put a line like the above into some sort
> > of init script.
> >
> > I'd rather prefer grsecurity to take care of this, either
> > as a user definable option through .config (for example
> > CONFIG_GRKERNSEC_PROC_NET) or as a "new default" setting.
> 
> Your workaround more or less looks like turning grsecurity /proc/net
> restriction off.

Yes, that's true.
It might be better to do it this way:

	chmod -R o= /proc/net
	chmod a+r /proc/net/if_inet6
	chmod a+rx /proc/net

Then, only /proc/net/if_inet6 can be read by everyone,
the other files/directories are still protected except for
members of the grsec_proc/1001 group.

Optionally, one could add another dedicated group to control
access to /proc/net/if_inet6 alone.
-- 
Wolfram Schlich
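The permission scheme from the reply above, as an added example that is not part of the original thread: a POSIX sh helper that applies the three chmod steps to a directory (default /proc/net) and a check that afterwards only the directory itself is world-searchable and only if_inet6 is world-readable. The function names (restrict_proc_net, check_proc_net, make_sample_tree) are assumptions, and make_sample_tree builds a constructed stand-in tree so the helpers can be tried offline instead of on a live /proc.

```shell
#!/bin/sh
# Added example, not from the original thread. Helper names
# (restrict_proc_net, check_proc_net, make_sample_tree) are assumed.
# Mirrors the chmod sequence from the reply: close the tree to "other",
# then re-open only the directory (traversal) and if_inet6 (read).

restrict_proc_net() {
    dir=${1:-/proc/net}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    chmod -R o= "$dir" &&
    chmod a+r "$dir/if_inet6" &&
    chmod a+rx "$dir"
}

# Returns 0 only if the intended state holds:
#   - $dir is world-searchable (so if_inet6 can be opened by path),
#   - $dir/if_inet6 is world-readable,
#   - nothing else below $dir is world-readable.
check_proc_net() {
    dir=${1:-/proc/net}
    # in `ls -l` output column 8 is the "other" read bit, column 10 the execute bit
    [ "$(ls -ld "$dir" | cut -c10)" = x ] || return 1
    [ "$(ls -l "$dir/if_inet6" | cut -c8)" = r ] || return 1
    # -H follows $dir if it is a symlink; list anything else still readable by others
    leaks=$(find -H "$dir" -perm -o=r ! -path "$dir" ! -path "$dir/if_inet6")
    [ -z "$leaks" ]
}

# Constructed stand-in for /proc/net so the helpers can be exercised
# offline; the names copy the real layout but the files are empty.
make_sample_tree() {
    root=$1
    mkdir -p "$root/net/stat"
    : > "$root/net/if_inet6"
    : > "$root/net/tcp"
    : > "$root/net/stat/rt_cache"
    chmod -R a+rX "$root/net"   # start fully world-readable, as without restrictions
}

# Usage on a live system (as root): restrict_proc_net && check_proc_net
```

Run check_proc_net after every boot-time application of the scheme; it is the quickest way to notice when something (a package script, a remount) has reopened files other than if_inet6 to everyone.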

