[refpolicy] sshd capability net_admin

[refpolicy] sshd capability net_admin

[Russell Coker]

/* Allow interface configuration */
/* Allow administration of IP firewall, masquerading and accounting */
/* Allow setting debug option on sockets */
/* Allow modification of routing tables */
/* Allow setting arbitrary process / process group ownership on
   sockets */
/* Allow binding to any address for transparent proxying (also via NET_RAW) */
/* Allow setting TOS (type of service) */
/* Allow setting promiscuous mode */
/* Allow clearing driver statistics */
/* Allow multicasting */
/* Allow read/write of device-specific registers */
/* Allow activation of ATM control sockets */

Above is the CAP_NET_ADMIN description from /usr/include/linux/capability.h.

type=AVC msg=audit(1490092328.100:101): avc:  denied  { net_admin } for  
pid=666 comm="sshd" capability=12  scontext=system_u:system_r:sshd_t:s0-
s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=capability 
permissive=0
type=SYSCALL msg=audit(1490092328.100:101): arch=c000003e syscall=54 
success=no exit=-1 a0=5 a1=1 a2=20 a3=7ffc7051bd00 items=0 ppid=1 pid=666 
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" 
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

Above are the audit.log entries from sshd requesting net_admin access.  From 
the strace source it seems that syscall 54 on AMD64 is setsockopt(), a0 would 
be the socket handle, a1 is the level and /usr/include/asm-generic/socket.h 
defines SOL_SOCKET as 1, and SO_RCVTIMEO as 20.

But a grep of the sshd source doesn't show it using SO_RCVTIMEO as the optname 
for setsockopt().  Am I making a mistake in reading the audit.log?

We probably want a dontaudit rule, but I'm trying to work out exactly what 
sshd is trying to do first.  Any suggestions?

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

[refpolicy] sshd capability net_admin

[cgzones]

I like to use the -i flag of ausearch to interpret the syscalls for me.
Are you sure with the value of 20? I think it's hexadecimal, which
translates to 32 SO_SNDBUFFORCE, which might get used via libpam-systemd in
systems libraries.

On 21 Mar 2017 12:00 pm, "Russell Coker via refpolicy" <
refpolicy@oss.tresys.com> wrote:

/* Allow interface configuration */
/* Allow administration of IP firewall, masquerading and accounting */
/* Allow setting debug option on sockets */
/* Allow modification of routing tables */
/* Allow setting arbitrary process / process group ownership on
   sockets */
/* Allow binding to any address for transparent proxying (also via NET_RAW)
*/
/* Allow setting TOS (type of service) */
/* Allow setting promiscuous mode */
/* Allow clearing driver statistics */
/* Allow multicasting */
/* Allow read/write of device-specific registers */
/* Allow activation of ATM control sockets */

Above is the CAP_NET_ADMIN description from /usr/include/linux/capability.h.

type=AVC msg=audit(1490092328.100:101): avc:  denied  { net_admin } for
pid=666 comm="sshd" capability=12  scontext=system_u:system_r:sshd_t:s0-
s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tclass=capability
permissive=0
type=SYSCALL msg=audit(1490092328.100:101): arch=c000003e syscall=54
success=no exit=-1 a0=5 a1=1 a2=20 a3=7ffc7051bd00 items=0 ppid=1 pid=666
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd"
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

Above are the audit.log entries from sshd requesting net_admin access.  From
the strace source it seems that syscall 54 on AMD64 is setsockopt(), a0
would
be the socket handle, a1 is the level and /usr/include/asm-generic/socket.h
defines SOL_SOCKET as 1, and SO_RCVTIMEO as 20.

But a grep of the sshd source doesn't show it using SO_RCVTIMEO as the
optname
for setsockopt().  Am I making a mistake in reading the audit.log?

We probably want a dontaudit rule, but I'm trying to work out exactly what
sshd is trying to do first.  Any suggestions?

--
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

_______________________________________________
refpolicy mailing list
refpolicy at oss.tresys.com
http://oss.tresys.com/mailman/listinfo/refpolicy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20170321/8cb18065/attachment.html 

[refpolicy] sshd capability net_admin

[Russell Coker]

OK, ausearch says that it's SO_SNDBUFFORCE.  Thanks for the pointer about 
ausearch, I obviously need to spend some time investigating tools that were 
invented after I developed my work practices.

      SO_SNDBUFFORCE (since Linux 2.6.14)
              Using this socket option, a privileged  (CAP_NET_ADMIN)  process
              can  perform  the same task as SO_SNDBUF, but the wmem_max limit
              can be overridden.

socket(7) has the above, so it seems that dontaudit will do.

On Tuesday, 21 March 2017 3:03:35 PM AEDT cgzones wrote:
> I like to use the -i flag of ausearch to interpret the syscalls for me.
> Are you sure with the value of 20? I think it's hexadecimal, which
> translates to 32 SO_SNDBUFFORCE, which might get used via libpam-systemd in
> systems libraries.
> 
> On 21 Mar 2017 12:00 pm, "Russell Coker via refpolicy" <
> refpolicy at oss.tresys.com> wrote:
> 
> /* Allow interface configuration */
> /* Allow administration of IP firewall, masquerading and accounting */
> /* Allow setting debug option on sockets */
> /* Allow modification of routing tables */
> /* Allow setting arbitrary process / process group ownership on
>    sockets */
> /* Allow binding to any address for transparent proxying (also via NET_RAW)
> */
> /* Allow setting TOS (type of service) */
> /* Allow setting promiscuous mode */
> /* Allow clearing driver statistics */
> /* Allow multicasting */
> /* Allow read/write of device-specific registers */
> /* Allow activation of ATM control sockets */
> 
> Above is the CAP_NET_ADMIN description from /usr/include/linux/capability.h.
> 
> type=AVC msg=audit(1490092328.100:101): avc:  denied  { net_admin } for
> pid=666 comm="sshd" capability=12  scontext=system_u:system_r:sshd_t:s0-
> s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> tclass=capability
> permissive=0
> type=SYSCALL msg=audit(1490092328.100:101): arch=c000003e syscall=54
> success=no exit=-1 a0=5 a1=1 a2=20 a3=7ffc7051bd00 items=0 ppid=1 pid=666
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd"
> subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
> 
> Above are the audit.log entries from sshd requesting net_admin access.  From
> the strace source it seems that syscall 54 on AMD64 is setsockopt(), a0
> would
> be the socket handle, a1 is the level and /usr/include/asm-generic/socket.h
> defines SOL_SOCKET as 1, and SO_RCVTIMEO as 20.
> 
> But a grep of the sshd source doesn't show it using SO_RCVTIMEO as the
> optname
> for setsockopt().  Am I making a mistake in reading the audit.log?
> 
> We probably want a dontaudit rule, but I'm trying to work out exactly what
> sshd is trying to do first.  Any suggestions?
> 
> --
> My Main Blog         http://etbe.coker.com.au/
> My Documents Blog    http://doc.coker.com.au/
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/