>
> Borsenkow Andrej <[EMAIL PROTECTED]> writes:
>
> > On 14 May 2002, Guillaume Cottenceau wrote:
> >
> > > Borsenkow Andrej <[EMAIL PROTECTED]> writes:
> > >
> > > > Obviously grsecurity does not like what happens during initrd
stage:
> > > >
> > > > VFS: Mounted root (ext2 filesystem).
> > > > grsec: mount . to / by (swapper:9) UID(0) EUID(0), parent
(swapper:1)
> > > > UID(0) EUID(0)
> > > > grsec: denied attempt to mount (/proc) as /proc from chroot jail
> (01:00:2)
> > > > of 0.0 by (linuxrc:9) UID(0) EUID(0), parent (swapper:1) UID(0)
> EUID(0)
> > > > grsec: more denied mounts in chroot, logging disabled for 30
seconds
> > >
> > > ???? fuck grsec!! i need those mounts.
> > >
> >
> > Juan, what happened to GRKERNSEC_SYSCTL???
> >
> > [root@gw grsecurity]# grep GRKERNSEC_SYSCTL /boot/config
> > [root@gw grsecurity]#
> > bor@cooker:/usr/src/linux-2.4.18-13mdk/grsecurity%> grep SYSCTL *
> > if [ "$CONFIG_SYSCTL" != "n" ]; then
> > bool 'Sysctl support' CONFIG_GRKERNSEC_SYSCTL
> >
> > gc, with this option you can temporarily sysctl -w
> > kernel.grsecurity.chroot_deny_mount=0 before chrooting and then
revert it
> > back (of course you can use proper syscall). Unless chroot happens
before
> > entering linuxrc :(
>
> AFAIK there is no explicit chroot in linuxrc/initrd. Can it be
> when the kernel mounts and runs the initrd, it uses an implicit
> chroot for that?
>
It does not matter. You still must be able to enable "mount in chroot"
before doing first explicit mount.
Because there is no way to tell if kernel is compiled with grsecurity or
not and if this particular option is enabled and if we do not have some
other options that behave funny I suggest general implementation in
nash, like
sysctl set <name> <value>
sysctl restore <name>
sysctl set saves old value (if available) and sets new. It must be
careful to not overwrite saved value if it is called second time (for
whatever reason) which amounts to (in pigin-C)
save = find_value (name)
if (!save) {
if (oldvalue = get_value(name)) {
save = save_value(name, oldvalue)
}
}
if (save)
set_value(name, value)
and for restore just
if (oldvalue = find_value(name))
set_value(name, oldvalue)
Nice and clean and just needs GRKERNSEC_SYSCTL support :-)
-andrej
P.S. Of course it should be reported to grsec. But I am almost sure the
answer will be "secure kernel must not have modules" and I completely
agree with them :-)
