Restrict Applications with grsecurity

Use Linux capabilities and grsecurity's ACLs to restrict applications on your system.

Now that you have installed the grsecurity patch [Hack #13], you'll probably want to make use of its flexible Role-Based Access Controls (RBAC) system to further restrict the privileged applications on your system, beyond what grsecurity's kernel security features provide.

If you're just joining us and are not familiar with grsecurity, read "Lock Down Your Kernel with grsecurity" [Hack #13] first.

To restrict specific applications, you will need to make use of the gradm utility, which can be downloaded from the main grsecurity site. You can compile and install it in the usual way: unpack the source distribution, change into the directory that it creates, and then run make && make install. This command installs gradm in /sbin, creates the /etc/grsec directory containing a default policy, and installs the manual page.

As part of running make install, you'll be prompted to set a password that will be used for gradm to authenticate itself with the kernel. You can change the password later by running gradm with the -P option:

# gradm -P
Setting up grsecurity RBAC password
Re-enter Password: 
Password written to /etc/grsec/pw.

You'll also need to set a password for the admin role:

# gradm -P admin
Setting up password for role admin
Re-enter Password: 
Password written to /etc/grsec/pw.

Then, use this command to enable grsecurity's RBAC system:

# /sbin/gradm -E

Once you're finished setting up your policy, you'll probably want to run that command at every boot. Add it to the end of /etc/rc.local or a similar script that is designated for customizing your system startup.

The default policy installed in /etc/grsec/policy is quite restrictive, so you'll want to create a policy for the services and system binaries that you want to use. For example, after the RBAC system has been enabled, ifconfig will no longer be able to change interface characteristics, even when run as root:

# /sbin/ifconfig eth0:1 up
SIOCSIFADDR: Permission denied
SIOCSIFFLAGS: Permission denied
SIOCSIFFLAGS: Permission denied

The easiest way to set up a policy for a particular command is to use grsecurity's learning mode, rather than specifying each permission manually. If you've already enabled RBAC, you'll need to temporarily drop into the admin role for your shell by running gradm -a admin. You'll then be able to access files within /etc/grsec; otherwise, the directory will be hidden from you.

Add an entry like this to /etc/grsec/policy:

subject /sbin/ifconfig  l
        /               h
        /etc/grsec      h

This is about the most restrictive policy possible, because it hides the root directory from the process and removes any privileges that it may need. The l next to the binary that the policy applies to says to use learning mode.

After you're done editing the policy, you'll need to disable RBAC and then re-enable it with learning mode:

# gradm -a admin
# gradm -D
# gradm -L /etc/grsec/learning.logs -E

Now, try to run the ifconfig command again:

# /sbin/ifconfig eth0:1 up
# /sbin/ifconfig eth0:1
eth0:1    Link encap:Ethernet  HWaddr 08:00:46:0C:AA:DF  
          inet addr:  Bcast:  Mask:

When the command succeeds, grsecurity will create learning log entries. You can then use gradm to generate an ACL for the program based on these logs:

# gradm -a admin
# gradm -L /etc/grsec/learning.logs -O stdout
Beginning full learning object reduction for subject /sbin/ifconfig...done.
subject /sbin/ifconfig {
user_transition_allow root
group_transition_allow root

        /                               h
        /sbin/ifconfig                  rx

Now, you can replace the learning policy for /sbin/ifconfig in /etc/grsec/policy with this one, and ifconfig should work. You can then follow this process for each program that needs special permissions to function. Just make sure to try out anything you will want to do with those programs, to ensure that grsecurity's learning mode will detect that it needs to perform a particular system call or open a specific file.
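The learning stanza above and the ACL that gradm generates from the learning logs are the two forms a subject takes in /etc/grsec/policy. The following Python script is an added example, not code from the book or from the grsecurity project: it parses both stanza forms (the brace-less learning entry and the brace-delimited generated block), answers "what mode governs this path for this subject" using the most specific object match, swaps the learning stanza for the generated one, and audits a policy for subjects still left in learning mode or not hiding /. The policy text is constructed from the stanzas shown on this page (the generated block is closed with its `}`), and the names parse_policy, replace_subject, render, audit and upgrade_policy are my own, as is the choice to interpret only the mode letters the page uses (h, r, w, x).

```python
"""Parse grsecurity RBAC policy stanzas, audit them, and swap a learning-mode
stanza for the ACL that gradm generated.  Added example, not from the book or
the grsecurity project; policy text below is constructed from this page."""
import re
from dataclasses import dataclass, field

# "subject <path> [modes] [{]" -- covers both the brace-less and the brace form.
SUBJECT_RE = re.compile(r"^subject\s+(\S+)(?:\s+(\w+))?\s*(\{)?\s*$")


@dataclass
class Subject:
    path: str
    modes: str = ""                               # subject modes, e.g. "l" = learning mode
    objects: dict = field(default_factory=dict)   # object path -> mode letters (h, r, w, x, ...)
    settings: list = field(default_factory=list)  # other lines: transitions, capabilities

    @property
    def learning(self) -> bool:
        return "l" in self.modes

    def access(self, path: str) -> str:
        """Mode letters governing `path`: the most specific object (longest prefix) wins."""
        def governs(obj: str) -> bool:
            return obj == "/" or path == obj or path.startswith(obj.rstrip("/") + "/")
        matches = [o for o in self.objects if governs(o)]
        return self.objects[max(matches, key=len)] if matches else ""


def parse_policy(text: str) -> list:
    """Turn policy text into Subject records; comments and blank lines are ignored."""
    subjects, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SUBJECT_RE.match(line)
        if m:
            cur = Subject(m.group(1), m.group(2) or "")
            subjects.append(cur)
        elif line == "}":
            cur = None                             # end of a brace-delimited subject
        elif cur is not None and line.startswith("/"):
            parts = line.split()                   # "<object path> <modes>"
            cur.objects[parts[0]] = parts[1] if len(parts) > 1 else ""
        elif cur is not None:
            cur.settings.append(line)              # user_transition_allow, +CAP_..., etc.
    return subjects


def render(subjects: list) -> str:
    """Write subjects back out in the brace form that gradm -O prints."""
    out = []
    for s in subjects:
        out.append(f"subject {s.path}" + (f" {s.modes}" if s.modes else "") + " {")
        out.extend(f"\t{line}" for line in s.settings)
        out.extend(f"\t{p:<24}{m}" for p, m in s.objects.items())
        out.append("}")
    return "\n".join(out) + "\n"


def replace_subject(subjects: list, new: Subject) -> list:
    """Return the list with the stanza for new.path replaced (appended if absent)."""
    return [s for s in subjects if s.path != new.path] + [new]


def audit(subjects: list) -> list:
    """Findings to clear before enabling the policy with gradm -E for real."""
    findings = []
    for s in subjects:
        if s.learning:
            findings.append(f"{s.path}: still in learning mode (l); replace with a generated ACL")
        if s.access("/") != "h":
            findings.append(f"{s.path}: does not hide /; the subject can see the whole tree")
        if "h" not in s.access("/etc/grsec"):
            findings.append(f"{s.path}: /etc/grsec is visible to this subject")
    return findings


# Constructed sample: the learning stanza from this page.
LEARNING_POLICY = """\
subject /sbin/ifconfig  l
        /               h
        /etc/grsec      h
"""

# Constructed sample: the ACL gradm -O stdout printed, with its closing brace.
GENERATED_ACL = """\
subject /sbin/ifconfig {
user_transition_allow root
group_transition_allow root

        /                               h
        /sbin/ifconfig                  rx
}
"""


def upgrade_policy(policy_text: str, generated_text: str) -> str:
    """Replace the learning stanza with the generated ACL and return the new policy text."""
    new = parse_policy(generated_text)[0]
    return render(replace_subject(parse_policy(policy_text), new))


if __name__ == "__main__":
    print("before:", audit(parse_policy(LEARNING_POLICY)))
    upgraded = upgrade_policy(LEARNING_POLICY, GENERATED_ACL)
    print(upgraded)
    print("after:", audit(parse_policy(upgraded)))
```

Running the script prints one finding for the learning stanza and none for the upgraded policy; the same audit run over a real /etc/grsec/policy (from the admin role, since the file is hidden otherwise) lists every subject that was never moved out of learning mode, which is the mistake the learning workflow makes easiest to leave behind.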

Using grsecurity to lock down applications can seem like tedious work at first, but it will ultimately create a system that gives each process only the permissions it needs to do its job: no more, no less. When you need to build a highly secured platform, grsecurity can provide finely grained control over just about everything the system can possibly do.
