| 1 |
Hi Alex, |
| 2 |
|
| 3 |
>sorry to interrupt your thoughts, but gcc trampolines are not used for |
| 4 |
>such things :-( |
| 5 |
|
| 6 |
I'll take your word for it :-) |
| 7 |
|
| 8 |
>> Is there any way of running an executable with modified |
| 9 |
>> grsecurity options |
| 10 |
>> without changing the on-disk file with chpax? |
| 11 |
>yes, there is |
| 12 |
>with an enabled grsec system, you have to put grsecurity acl PaX flags |
| 13 |
>for the kaspersky binary: |
| 14 |
|
| 15 |
Thanks for the pointer; turns out it's good and bad news: |
| 16 |
|
| 17 |
The good news: Yep, in a system with active grsec acls that works as |
| 18 |
expected. |
| 19 |
|
| 20 |
The bad news: setting up the system so it works with active grsec acl is NOT |
| 21 |
a trivial task :-) Still trying to get basic system functionality working |
| 22 |
without error messages, not succeeded yet. |
| 23 |
|
| 24 |
Currently I'm trying to understand these log entries: |
| 25 |
|
| 26 |
Sep 17 22:13:13 firewall kernel: |
| 27 |
grsec: From 10.192.14.130: denied access to hidden file /dev/urandom |
| 28 |
by |
| 29 |
(gradm:27705) UID(0) EUID(0), parent (bash:17833) UID(0) EUID(0) |
| 30 |
|
| 31 |
Sep 17 22:00:22 firewall kernel: |
| 32 |
grsec: From 10.192.14.130: denied open of /dev/urandom for reading by |
| 33 |
|
| 34 |
(sshd:29575) UID(0) EUID(0), parent (sshd:25465) UID(0S |
| 35 |
|
| 36 |
Which I get when using the default acls from grsecurity-base-policy-20030614; |
| 37 |
these specify (excerpt) |
| 38 |
|
| 39 |
/ { |
| 40 |
/ |
| 41 |
/dev |
| 42 |
/dev/random r |
| 43 |
/dev/urandom r |
| 44 |
} |
| 45 |
|
| 46 |
Which I'd have expected to enable read access for /dev/urandom for all |
| 47 |
processess. So where do these come from? |
| 48 |
|
| 49 |
Oh, well I guess this is going to take some more time :-) |
| 50 |
|
| 51 |
Bye, Martin |
| 52 |
|
| 53 |
-- |
| 54 |
gentoo-hardened@g.o mailing list |
Archives