On Sun, Feb 09, 2014 at 02:10:47PM +0100, Luis Ressel wrote:
> > Isn't there any mount option that you can pass so that all members of
> > a certain group can still access sysfs? Perhaps "gid="?
> 
> I guess that would be a safer approach. But I'd prefer a standardized
> approach for this - surely there are more non-root applications which
> need extended /sys access. I think not every hardened user should have
> to figure this out himself.

It needs to be staged a bit before we should consider optimizations in our
current setup.

> The best way I can imagine to solve this would be a new eclass. It
> would be called in an ebuild (unconditionally) with a user name, would
> then check if a certain USE flag (either "hardened" or something more
> specific) was set and then add the user in question to a certain group,
> perhaps "sysfs". Before doing this for the first time, it would create
> that group and ask the user to add an appropriate mount option.
> 
> What do you think about this? Is it just overcomplicated or a good way
> to go? Also, do you know of other programs which have problems with
> GRKERNSEC_SYSFS_RESTRICT? I'd be willing to write the eclass if you
> like the idea.

There are others (I googled a bit and found a few), but not that many. If
the solution (group access) works and is sufficient, I don't know if there
is a need for creating an eclass.

After all, it might be as simple as:

#v+
use hardened && egroupadd sysfs <username>
#v-

if egroupadd existed, that is. I haven't looked in detail at the
user.eclass, but that would be all that is needed.

But again, I think this needs to stage a bit - document it on the wiki, test
it out. See if applications still work if they are a member of said group
without that group being the primary group, etc.

Wkr,
Sven Vermeulen
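The "test it out" step Sven asks for, as an added example that is not part of the thread and not Gentoo's or grsecurity's own code. Whether a given kernel honours a gid= option on sysfs is exactly the open question above; these POSIX sh helpers do not answer it by assumption, they only report what the running kernel exposes in /proc/self/mounts, whether a user is already a supplementary member of a candidate group in /etc/group, and (as root) whether that user can actually read a sysfs file. The function names, the group name "sysfs", and the `--report` flag are this example's own choices, and `probe_as_user` assumes a `su` that accepts `-s` and `-c` (shadow or util-linux).

```shell
#!/bin/sh
# Added example, not code from the thread: helpers to gather the facts the
# discussion turns on before settling on a group-based workaround for
# GRKERNSEC_SYSFS_RESTRICT. Names below are this example's own.

# Print the option string of the sysfs mount at MOUNTPOINT (default /sys),
# read from the mount table MTAB (default /proc/self/mounts). Prints nothing
# if no sysfs mount exists there. /proc/self/mounts shows what the kernel
# accepted, not what fstab asked for, so a silently ignored option is absent.
sysfs_mount_opts() {
    mountpoint=${1:-/sys}
    mtab=${2:-/proc/self/mounts}
    awk -v mp="$mountpoint" '$2 == mp && $3 == "sysfs" { print $4; exit }' "$mtab"
}

# Return 0 if OPT (e.g. "gid" or "nosuid") appears in a comma-separated
# mount option string, with or without a "=value" part.
mount_opt_present() {
    printf '%s\n' "$1" | tr ',' '\n' |
        awk -F= -v o="$2" '$1 == o { found = 1 } END { exit found ? 0 : 1 }'
}

# Print the value of OPT (e.g. "gid") from a comma-separated mount option
# string; prints nothing if the option is absent or has no value.
mount_opt_value() {
    printf '%s\n' "$1" | tr ',' '\n' |
        awk -F= -v o="$2" '$1 == o { print $2; exit }'
}

# Return 0 if USER is a supplementary member of GROUP in GROUPFILE (default
# /etc/group). Primary membership lives in /etc/passwd and is deliberately
# not consulted: the thread's question is whether supplementary membership
# alone is enough.
user_in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit found ? 0 : 1 }' "${3:-/etc/group}"
}

# Try to read PATH as USER (needs root). The exit status answers "can this
# user read sysfs at all with its current group set?". PATH must not
# contain single quotes.
probe_as_user() {
    su -s /bin/sh -c "cat -- '$2' >/dev/null" "$1"
}

# Report on the live system: ./sysfs-check.sh --report [user]
if [ "${1:-}" = "--report" ]; then
    opts=$(sysfs_mount_opts)
    echo "sysfs at /sys mounted with: ${opts:-<not mounted>}"
    if mount_opt_present "$opts" gid; then
        echo "gid option present on the sysfs mount: gid=$(mount_opt_value "$opts" gid)"
    else
        echo "no gid option present on the sysfs mount"
    fi
    if [ -n "${2:-}" ]; then
        if user_in_group "$2" sysfs; then
            echo "$2 is a supplementary member of group sysfs"
        else
            echo "$2 is not a member of group sysfs"
        fi
        if [ "$(id -u)" -eq 0 ]; then
            if probe_as_user "$2" /sys/kernel/uevent_seqnum; then
                echo "$2 can read /sys/kernel/uevent_seqnum"
            else
                echo "$2 cannot read /sys/kernel/uevent_seqnum"
            fi
        fi
    fi
fi
```

Run it once before and once after adding the user to the group (and re-logging in, since supplementary groups are only picked up at login) to see whether the read probe changes; if it does not, the group-based approach is not sufficient on that kernel regardless of what an eclass would automate.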