Restrict Applications with grsecurity

Use Linux capabilities and grsecurity’s ACLs to restrict applications on your system.

Now that you have installed the grsecurity patches, you’ll probably want to make use of its flexible ACL system to further restrict the privileged applications on your system, beyond what grsecurity’s kernel security features provide. If you’re just joining us and are not familiar with grsecurity, read [Hack #13] first.

To restrict specific applications, you will need to make use of the gradm utility, which can be downloaded from the main grsecurity site (http://www.grsecurity.net). You can compile and install it in the usual way: unpack the source distribution, change into the directory that it creates, and then run make && make install. This will install gradm in /sbin, create the /etc/grsec directory containing a default ACL, and install the manpage.

After gradm has been installed, the first thing you’ll want to do is create a password that gradm will use to authenticate itself to the kernel. You can do this by running gradm with the -P option:

# gradm -P
Setting up grsecurity ACL password
Password: 
Re-enter Password: 
Password written to /etc/grsec/pw.

To enable grsecurity’s ACL system, use this command:

# /sbin/gradm -E

Once you’re finished setting up your ACLs, you’ll probably want to add that command to the end of your system startup. You can do this by adding it to the end of /etc/rc.local or a similar script that is designated for customizing your system startup.

The default ACL installed in /etc/grsec/acl is quite restrictive, so you’ll want to create ACLs for the services and system binaries you want to use. For example, after the ACL system has been enabled, ifconfig will no longer be able to change interface characteristics, even when run as root:

# /sbin/ifconfig eth0:1 192.168.0.59 up
SIOCSIFADDR: Permission denied
SIOCSIFFLAGS: Permission denied
SIOCSIFFLAGS: Permission denied

The easiest way to set up an ACL for a particular command is to specify that you want to use grsecurity’s learning mode, rather than specifying each ACL manually. If you’ve enabled ACLs, you’ll need to temporarily disable them for your shell by running gradm -a. You’ll then be able to access files within /etc/grsec; otherwise, the directory will be hidden to you.

Add an entry like this to /etc/grsec/acl:

/sbin/ifconfig lo {
        /               h
        /etc/grsec      h
        -CAP_ALL
}

This is about the most restrictive ACL possible because it hides the root directory from the process and removes any privileges that it may need. The lo next to the binary to which the ACL applies says to use learning mode and to override the default ACL. After you’re done editing the ACLs, you’ll need to tell grsecurity to reload them by running gradm -R.

Now try to run the ifconfig command again:

# /sbin/ifconfig eth0:1 192.168.0.59 up
# /sbin/ifconfig eth0:1
eth0:1    Link encap:Ethernet  HWaddr 00:0C:29:E2:2B:C1  
          inet addr:192.168.0.59  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:10 Base address:0x10e0

In addition to the command succeeding, grsecurity will create learning log entries. You can then use gradm to generate an ACL for the program based on these logs:

# gradm -a
Password:
# gradm -L -O stdout
/sbin/ifconfig o {
        /usr/share/locale/locale.alias r
        /usr/lib/locale/locale-archive r
        /usr/lib/gconv/gconv-modules.cache r
        /proc/net/unix r
        /proc/net/dev r
        /proc/net r
        /lib/ld-2.3.2.so x
        /lib/i686/libc-2.3.2.so rx
        /etc/ld.so.cache r
        /sbin/ifconfig x
        /etc/grsec h
        / h
        -CAP_ALL
        +CAP_NET_ADMIN
}

Now you can replace the learning ACL for /sbin/ifconfig in /etc/grsec/acl with this one, and ifconfig should work. You can then follow this process for each program that needs special permissions to function. Just make sure to try out anything you will want to do with those programs, to ensure that grsecurity’s learning mode will detect that it needs to perform a particular system call or open a specific file.

Using grsecurity to lock down applications can seem like tedious work at first, but it will ultimately create a system that gives each process only the permissions it needs to do its job—no more, no less. When you need to build a highly secured platform, grsecurity can provide very finely grained control over just about everything the system can possibly do.

Get Network Security Hacks now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.