[grsec] proc restrictions + /proc/net/if_inet6

Wolfram Schlich lists at wolfram.schlich.org
Thu May 10 07:51:16 EDT 2007


Hi,

With activated proc restrictions, IPv6-enabled services/daemons
(like apache, bind, postfix) are prevented from functioning
properly, as they rely on information they read from
/proc/net/if_inet6.

See this: http://forums.grsecurity.net/viewtopic.php?p=6575

Adding those daemon users to the grsec_proc/1001 group is
unreasonable, as those users would have far more permissions
than needed.

Currently, I can do a "chmod a+rx /proc/net", but I don't
like having to put a line like the above into some sort
of init script.

I'd rather prefer grsecurity to take care of this, either
as a user-definable option through .config (for example
CONFIG_GRKERNSEC_PROC_NET) or as a "new default" setting.

Comments, please :)
-- 
Regards,
Wolfram Schlich <wschlich at gentoo.org>
Gentoo Linux * http://dev.gentoo.org/~wschlich/
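As an added illustration (not part of the post above, and not grsecurity code) of what such daemons actually read and how an admin can verify the failure from the daemon user's point of view, the following POSIX sh script parses the /proc/net/if_inet6 line format (address as 32 hex digits, interface index, prefix length in hex, scope, flags, interface name) and checks whether a path is readable by the invoking user. The sample text is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: decode /proc/net/if_inet6 and check that the current
# user can read it. Line format: <32 hex addr> <ifindex> <prefixlen hex>
# <scope> <flags> <ifname>.

# Constructed sample in the if_inet6 format (not from a real machine).
SAMPLE_IF_INET6='00000000000000000000000000000001 01 80 10 80       lo
fe800000000000000250560000000001 02 40 20 80     eth0'

# Expand a 32-hex-digit address into colon-separated 16-bit groups.
expand_addr() {
    printf '%s\n' "$1" | sed 's/\(....\)/\1:/g; s/:$//'
}

# Read if_inet6-formatted text on stdin and print one
# "<ifname> <addr>/<prefixlen>" line per address (prefixlen in decimal).
parse_if_inet6() {
    while read -r addr ifindex plen scope flags ifname; do
        [ -n "$addr" ] || continue
        printf '%s %s/%d\n' "$ifname" "$(expand_addr "$addr")" "$((0x$plen))"
    done
}

# Return 0 if the running user can read the given path, 1 otherwise.
# Under grsecurity proc restrictions an unprivileged daemon user gets 1
# for /proc/net/if_inet6, which is the breakage described in the post.
readable_by_me() {
    [ -r "$1" ]
}

# Run as the daemon user (e.g. via su/runuser) to see what it would see.
report() {
    path="${1:-/proc/net/if_inet6}"
    if readable_by_me "$path"; then
        parse_if_inet6 < "$path"
    else
        echo "cannot read $path as uid $(id -u)" >&2
        return 1
    fi
}
# Usage: report   (or: report /some/other/path)
```

Running `report` as root succeeds even when a daemon user is blocked, so the check is only meaningful when run under that user's uid.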

