Пример #1
0
void
add_grlearn_acl(struct role_acl *role)
{
	struct stat fstat;
	struct ip_acl ip;
	char *grlearn_path;

	if (bikeshedding_detected())
		grlearn_path = get_bikeshedded_path(GRLEARN_PATH);
	else
		grlearn_path = GRLEARN_PATH;

	if (stat(grlearn_path, &fstat)) {
		fprintf(stderr, "%s does not exist.  Please reinstall gradm.\n", grlearn_path);
		exit(EXIT_FAILURE);
	}

	add_proc_subject_acl(role, grlearn_path, proc_subject_mode_conv("hpado"), 0);

	memset(&ip, 0, sizeof (ip));
	add_ip_acl(current_subject, GR_IP_CONNECT, &ip);
	add_ip_acl(current_subject, GR_IP_BIND, &ip);

	ADD_OBJ("/", "h");
	ADD_OBJ(grlearn_path, "x");

	add_cap_acl(current_subject, "-CAP_ALL", NULL);

	return;
}
Пример #2
0
void add_fulllearn_acl(void)
{
	struct ip_acl ip;

	add_kernel_acl();
	add_fulllearn_admin_acl();
	add_fulllearn_shutdown_acl();

	add_role_acl(&current_role, gr_strdup("default"), role_mode_conv("A"), 0);
	add_role_transition(current_role, "admin");
	add_role_transition(current_role, "shutdown");
	add_proc_subject_acl(current_role, "/", proc_subject_mode_conv("ol"), 0);

	ADD_OBJ("/", "h");

	add_cap_acl(current_subject, "-CAP_ALL", NULL);

	memset(&ip, 0, sizeof (ip));
	add_ip_acl(current_subject, GR_IP_CONNECT, &ip);
	add_ip_acl(current_subject, GR_IP_BIND, &ip);

	add_gradm_acl(current_role);

	parse_learn_config();

	expand_acls();
	return;
}
Пример #3
0
static void add_fulllearn_admin_acl(void)
{
	add_role_acl(&current_role, gr_strdup("admin"), role_mode_conv("sA"), 0);
	add_proc_subject_acl(current_role, "/", proc_subject_mode_conv("aorvk"), 0);
	ADD_OBJ("/", "rwcdmlxi");

	return;
}
Пример #4
0
void
add_kernel_acl(void)
{
	add_role_acl(&current_role, gr_strdup(":::kernel:::"), role_mode_conv("sN"), 1);

	add_proc_subject_acl(current_role, "/", proc_subject_mode_conv("kvo"), 0);

	ADD_OBJ("/", "rwxcdl");
	ADD_OBJ(GRSEC_DIR, "h");

	return;
}
Пример #5
0
void add_rolelearn_acl(void)
{
	struct ip_acl ip;

	add_proc_subject_acl(current_role, "/", proc_subject_mode_conv("ol"), 0);

	ADD_OBJ("/", "h");

	add_cap_acl(current_subject, "-CAP_ALL", NULL);

	memset(&ip, 0, sizeof (ip));
	add_ip_acl(current_subject, GR_IP_CONNECT, &ip);
	add_ip_acl(current_subject, GR_IP_BIND, &ip);

	return;
}
Пример #6
0
static void add_fulllearn_shutdown_acl(void)
{
	struct ip_acl ip;

	add_role_acl(&current_role, gr_strdup("shutdown"), role_mode_conv("sARG"), 0);
	add_proc_subject_acl(current_role, "/", proc_subject_mode_conv("rvkao"), 0);

	ADD_OBJ("/", "");
	ADD_OBJ("/dev", "");
	ADD_OBJ("/dev/urandom", "r");
	ADD_OBJ("/dev/random", "r");
	ADD_OBJ("/etc", "r");
	ADD_OBJ("/bin", "rx");
	ADD_OBJ("/sbin", "rx");
	ADD_OBJ("/lib", "rx");
	ADD_OBJ("/lib32", "rx");
	ADD_OBJ("/lib64", "rx");
	ADD_OBJ("/usr", "rx");
	ADD_OBJ("/proc", "r");
	ADD_OBJ("/boot", "h");
	ADD_OBJ("/dev/grsec", "h");
	ADD_OBJ("/dev/kmem", "h");
	ADD_OBJ("/dev/mem", "h");
	ADD_OBJ("/dev/port", "h");
	ADD_OBJ("/etc/grsec", "h");
	ADD_OBJ("/proc/kcore", "h");
	ADD_OBJ("/proc/slabinfo", "h");
	ADD_OBJ("/proc/modules", "h");
	ADD_OBJ("/proc/kallsyms", "h");
	ADD_OBJ("/lib/modules", "hs");
	ADD_OBJ("/lib32/modules", "hs");
	ADD_OBJ("/lib64/modules", "hs");
	ADD_OBJ("/etc/ssh", "h");
	add_cap_acl(current_subject, "-CAP_ALL", NULL);

	memset(&ip, 0, sizeof (ip));
	add_ip_acl(current_subject, GR_IP_CONNECT, &ip);
	add_ip_acl(current_subject, GR_IP_BIND, &ip);

	return;
}
Пример #7
0
void
add_gradm_acl(struct role_acl *role)
{
	struct stat fstat;
	char gradm_realpath[PATH_MAX] = { 0 };
	char *gradm_name;
	struct ip_acl ip;
	struct protoent *proto;
	char *gradm_path;
	char *grpam_path;

	find_gradm_path(gradm_realpath);

	gradm_name = gr_strdup(gradm_realpath);

	if (bikeshedding_detected()) {
		gradm_path = get_bikeshedded_path(GRADM_PATH);
		grpam_path = get_bikeshedded_path(GRPAM_PATH);
	} else {
		gradm_path = GRADM_PATH;
		grpam_path = GRPAM_PATH;
	}

	if (gr_enable && strcmp(gradm_name, gradm_path)) {
		printf("You are attempting to use a gradm binary other "
		       "than the installed version.  Depending on your "
		       "policy, you could be locking yourself out of "
		       "your machine by enabling the RBAC system with "
		       "this binary.  Press \'y\' if you wish to ignore "
		       "this warning, or any other key to cancel.\n>");
		if (getchar() != 'y')
			exit(EXIT_FAILURE);
	}

	add_proc_subject_acl(role, gradm_name, proc_subject_mode_conv("ado"), 0);

	if (!stat(GRDEV_PATH, &fstat)) {
		ADD_OBJ(GRDEV_PATH, "w");
	} else {
		fprintf(stderr, "%s does not "
			"exist.  Please recompile your kernel with "
			"grsecurity and install a newer version of gradm.\n",
			GRDEV_PATH);
		exit(EXIT_FAILURE);
	}

	/* for NFS */
	proto = gr_getprotobyname("udp");
	memset(&ip, 0, sizeof (ip));
	ip.low = 2049;
	ip.high = 2049;
	ip.type = (1U << SOCK_DGRAM);
	ip.proto[IPPROTO_IP / 32] |= (1U << (IPPROTO_IP % 32));
	ip.proto[proto->p_proto / 32] |= (1U << (proto->p_proto % 32));
	add_ip_acl(current_subject, GR_IP_CONNECT, &ip);
	memset(&ip, 0, sizeof (ip));
	add_ip_acl(current_subject, GR_IP_BIND, &ip);

	ADD_OBJ("/", "h");
	ADD_OBJ("/etc/ld.so.cache", "r");
	ADD_OBJ("/etc/ld.so.preload", "r");
	ADD_OBJ("/etc/ld.so.nohwcap", "r");
	ADD_OBJ("/etc/protocols", "r");
	ADD_OBJ("/dev/urandom", "r");
	ADD_OBJ("/lib", "rx");
	ADD_OBJ("/usr/lib", "rx");
	ADD_OBJ("/lib32", "rx");
	ADD_OBJ("/libx32", "rx");
	ADD_OBJ("/usr/lib32", "rx");
	ADD_OBJ("/usr/libx32", "rx");
	ADD_OBJ("/lib64", "rx");
	ADD_OBJ("/usr/lib64", "rx");
	ADD_OBJ(gradm_name, "x");
	ADD_OBJ(grpam_path, "x");

	add_cap_acl(current_subject, "-CAP_ALL", NULL);
	add_cap_acl(current_subject, "+CAP_IPC_LOCK", NULL);

	return;
}
Пример #8
0
void
add_gradm_pam_acl(struct role_acl *role)
{
	struct ip_acl ip;
	struct protoent *proto;
	char *grpam_path;

	if (bikeshedding_detected())
		grpam_path = get_bikeshedded_path(GRPAM_PATH);
	else
		grpam_path = GRPAM_PATH;

	add_proc_subject_acl(role, grpam_path, proc_subject_mode_conv("ado"), 0);

	ADD_OBJ(GRDEV_PATH, "w");

	/* for NFS */
	proto = gr_getprotobyname("udp");
	memset(&ip, 0, sizeof (ip));
	ip.low = 2049;
	ip.high = 2049;
	ip.type = (1U << SOCK_DGRAM);
	ip.proto[IPPROTO_IP / 32] |= (1U << (IPPROTO_IP % 32));
	ip.proto[proto->p_proto / 32] |= (1U << (proto->p_proto % 32));
	add_ip_acl(current_subject, GR_IP_CONNECT, &ip);

	/* for TCP/UDP LDAP */
	proto = gr_getprotobyname("tcp");
	memset(&ip, 0, sizeof (ip));
	ip.low = 389;
	ip.high = 389;
	ip.type = (1U << SOCK_STREAM);
	ip.proto[IPPROTO_IP / 32] |= (1U << (IPPROTO_IP % 32));
	ip.proto[proto->p_proto / 32] |= (1U << (proto->p_proto % 32));
	add_ip_acl(current_subject, GR_IP_CONNECT, &ip);

	proto = gr_getprotobyname("udp");
	memset(&ip, 0, sizeof (ip));
	ip.low = 389;
	ip.high = 389;
	ip.type = (1U << SOCK_DGRAM);
	ip.proto[IPPROTO_IP / 32] |= (1U << (IPPROTO_IP % 32));
	ip.proto[proto->p_proto / 32] |= (1U << (proto->p_proto % 32));
	add_ip_acl(current_subject, GR_IP_CONNECT, &ip);

	/* for TCP SSL LDAP */
	proto = gr_getprotobyname("tcp");
	memset(&ip, 0, sizeof (ip));
	ip.low = 636;
	ip.high = 636;
	ip.type = (1U << SOCK_STREAM);
	ip.proto[IPPROTO_IP / 32] |= (1U << (IPPROTO_IP % 32));
	ip.proto[proto->p_proto / 32] |= (1U << (proto->p_proto % 32));
	add_ip_acl(current_subject, GR_IP_CONNECT, &ip);

	/* no binding allowed */
	memset(&ip, 0, sizeof (ip));
	add_ip_acl(current_subject, GR_IP_BIND, &ip);

	ADD_OBJ("/", "h");
	ADD_OBJ("/etc/default/passwd", "r");
	ADD_OBJ("/etc/ld.so.cache", "r");
	ADD_OBJ("/etc/ld.so.preload", "r");
	ADD_OBJ("/etc/ld.so.nohwcap", "r");
	ADD_OBJ("/etc/localtime", "r");
	ADD_OBJ("/etc/login.defs", "r");
	ADD_OBJ("/etc/protocols", "r");
	ADD_OBJ("/etc/passwd", "r");
	ADD_OBJ("/etc/shadow", "r");
	ADD_OBJ("/etc/pam.d", "r");
	ADD_OBJ("/etc/pam.conf", "r");
	ADD_OBJ("/etc/security", "r");
	ADD_OBJ("/usr/share/zoneinfo", "r");
	ADD_OBJ("/etc/nsswitch.conf", "r");
	ADD_OBJ("/etc/ldap.conf", "r");
	ADD_OBJ("/etc/ldap/ldap.conf", "r");
	ADD_OBJ("/dev/urandom", "r");
	ADD_OBJ("/proc", "");
	ADD_OBJ("/proc/filesystems", "r");
	ADD_OBJ("/selinux", "r");
	ADD_OBJ("/dev", "");
	ADD_OBJ("/dev/tty", "rw");
	ADD_OBJ("/dev/tty?", "rw");
	ADD_OBJ("/dev/pts", "rw");
	ADD_OBJ("/var/run", "");
	ADD_OBJ("/run", "");
	ADD_OBJ("/run/resolvconf/resolv.conf", "r");
	ADD_OBJ("/run/nscd/socket", "rw");
	ADD_OBJ("/var/run/utmp", "rw");
	ADD_OBJ("/var/run/utmpx", "rw");
	ADD_OBJ("/var/log/faillog", "rw");
	ADD_OBJ("/dev/log", "rw");
	ADD_OBJ("/run/systemd/journal/dev-log", "rw");
	ADD_OBJ("/dev/null", "rw");
	ADD_OBJ("/lib", "rx");
	ADD_OBJ("/usr/lib", "rx");
	ADD_OBJ("/lib32", "rx");
	ADD_OBJ("/usr/lib32", "rx");
	ADD_OBJ("/lib64", "rx");
	ADD_OBJ("/usr/lib64", "rx");
	ADD_OBJ(grpam_path, "x");

	add_cap_acl(current_subject, "-CAP_ALL", NULL);
	add_cap_acl(current_subject, "+CAP_IPC_LOCK", NULL);
	add_cap_acl(current_subject, "+CAP_AUDIT_WRITE", NULL);

	add_sock_family(current_subject, "netlink");

	return;
}
Пример #9
0
void
add_proc_nested_acl(struct role_acl *role, char *mainsubjname,
		    char **nestednames, int nestlen, u_int32_t nestmode)
{
	int i;
	char *nestname;
	unsigned int namelen = 0;
	struct proc_acl *stmp;
	struct file_acl *otmp = NULL;
	struct stat fstat;

	if (nestmode & GR_LEARN) {
		fprintf(stderr, "Error on line %lu of %s:\n", lineno,
			current_acl_file);
		fprintf(stderr,
			"Learning is not yet implemented for nested subjects.\n");
		exit(EXIT_FAILURE);
	}

	namelen += strlen(mainsubjname);
	for (i = 0; i < nestlen; i++)
		namelen += strlen(nestednames[i]) + 1;

	nestname = malloc(namelen + 1);

	if (!nestname) {
		fprintf(stderr, "Out of memory.\n");
		exit(EXIT_FAILURE);
	}

	strcpy(nestname, mainsubjname);
	for (i = 0; i < nestlen; i++)
		sprintf(nestname + strlen(nestname), ":%s", nestednames[i]);

	stmp = lookup_acl_subject_by_name(role, mainsubjname);
	if (stmp == NULL) {
		fprintf(stderr,
			"No subject %s found for nested subject %s specified on line %lu of %s.\n",
			mainsubjname, nestname, lineno, current_acl_file);
		exit(EXIT_FAILURE);
	}

	for (i = 0; i < nestlen; i++) {
		otmp = lookup_acl_object_by_name(stmp, nestednames[i]);
		if (otmp == NULL) {
			fprintf(stderr,
				"No object %s found for nested subject %s "
				"specified on line %lu of %s.\n",
				nestednames[i], nestname, lineno,
				current_acl_file);
			exit(EXIT_FAILURE);
		} else if (!otmp->nested && (i != nestlen - 1)) {
			fprintf(stderr,
				"No nested subject %s found for nested "
				"subject %s specified on line %lu of %s.\n",
				nestednames[i], nestname, lineno,
				current_acl_file);
			exit(EXIT_FAILURE);
		} else if (otmp->nested && (i == nestlen - 1)) {
			fprintf(stderr,
				"Duplicate nested subject %s found on line "
				"%lu of %s.\n",
				nestname, lineno, current_acl_file);
			exit(EXIT_FAILURE);
		}
		if (i != nestlen - 1)
			stmp = otmp->nested;
	}

	add_proc_subject_acl(role, nestednames[i - 1], nestmode, GR_FFAKE);

	namelen = strlen(nestednames[i-1]);
	for_each_object(otmp, stmp) {
		if (!strncmp(nestednames[i-1], otmp->filename, namelen) && (otmp->filename[namelen] == '/' || otmp->filename[namelen] == '\0'))
			if (otmp->mode & GR_EXEC)
				otmp->nested = current_subject;
	}
	current_subject->parent_subject = stmp;
	current_subject->mode |= GR_NESTED;

	if (!stat(nestednames[i - 1], &fstat) && S_ISREG(fstat.st_mode))
		add_proc_object_acl(current_subject, nestednames[i - 1], proc_object_mode_conv("rx"), GR_FLEARN);

	return;
}