| 1 |
On Sun, Feb 09, 2014 at 02:10:47PM +0100, Luis Ressel wrote: |
| 2 |
> > Isn't there any mount option that you can pass so that all members of |
| 3 |
> > a certain group can still access sysfs? Perhaps "gid="? |
| 4 |
> |
| 5 |
> I guess that would be a safer approach. But I'd prefer a standardized |
| 6 |
> approach for this - surely there are more non-root applications which |
| 7 |
> need extended /sys access. I think not every hardened user should have |
| 8 |
> to figure this out himself. |
| 9 |
|
| 10 |
It needs to be staged a bit before we should consider optimizations in our |
| 11 |
current setup. |
| 12 |
|
| 13 |
> The best way I can imagine to solve this would be a new eclass. It |
| 14 |
> would be called in an ebuild (unconditionally) with an user name, would |
| 15 |
> then check if a certain USE flag (either "hardened" or something more |
| 16 |
> specific) was set and then add the user in question to a certain group, |
| 17 |
> perhaps "sysfs". Before doing this for the first time, it would create |
| 18 |
> that group and ask the user to add an appropriate mount option. |
| 19 |
> |
| 20 |
> What do you think about this? Is it just overcomplicated or a good way |
| 21 |
> to go? Also, do you know of other programs which have problems with |
| 22 |
> GRKERNSEC_SYSFS_RESTRICT? I'd be willing to write the eclass if you |
| 23 |
> like the idea. |
| 24 |
|
| 25 |
There are others (I google'd a bit and found a few), but not that much. If |
| 26 |
the solution (group access) works and is sufficient, I don't know if there |
| 27 |
is a need for creating an eclass. |
| 28 |
|
| 29 |
After all, it might be as simple as: |
| 30 |
|
| 31 |
#v+ |
| 32 |
use hardened && egroupadd sysfs <username> |
| 33 |
#v- |
| 34 |
|
| 35 |
if egroupadd would exist, that is. I haven't looked in detail at the |
| 36 |
user.eclass, but that would be all that is needed. |
| 37 |
|
| 38 |
But again, I think this needs to stage a bit - document it on the wiki, test |
| 39 |
it out. See if applications still work if they are member of said group |
| 40 |
without that group being the primary group, etc. |
| 41 |
|
| 42 |
Wkr, |
| 43 |
Sven Vermeulen |
Archives