
Feature requests (two)

PostPosted: Sun Dec 29, 2002 2:58 am
by heilpern
I am interested in two features that grsecurity does not seem to have currently. I am very happy with this tool overall.

1) For learning mode, it seems that the ACL that is created is a copy of the default ACL verbatim, followed by a few changes here and there. I feel it would be useful to see comments in the generated ACL to indicate where something was added beyond the default.

2) I would like to see the ability to have ACLs according to IP address. For example, let's assume my local network is 10.0.0.x. I would like to do something like:
/ {
   /                            r
   ...
   IP{0.0.0.0/32}   /sbin/gradm h
   IP{10.0.0.0/24}  /sbin/gradm rx
   IP{127.0.0.1/32} /sbin/gradm rx
}

This example would hide gradm from anyone on a network other than 10.0.0.x and 127.0.0.1.

Thoughts?
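An added example, not part of this thread or of grsecurity, showing how the per-IP file ACL syntax proposed in the post above could be evaluated: rules are matched by object path (most specific path wins), and among IP-qualified rules the one with the longest matching network prefix takes precedence over an unqualified rule for the same path. The policy text is constructed for the example; its catch-all is written as 0.0.0.0/0, which is the CIDR form that matches every source address.

```python
import ipaddress
import re

# Constructed sample policy in the IP{...} syntax proposed in the post.
# 0.0.0.0/0 is used as the catch-all network (it matches every address).
SAMPLE_ACL = """
/ {
   /                 r
   IP{0.0.0.0/0}     /sbin/gradm h
   IP{10.0.0.0/24}   /sbin/gradm rx
   IP{127.0.0.1/32}  /sbin/gradm rx
}
"""

# Optional IP{net} prefix, then object path, then mode letters.
RULE_RE = re.compile(r"^\s*(?:IP\{([^}]+)\}\s+)?(\S+)\s+(\S+)\s*$")


def parse_acl(text):
    """Return a list of (network or None, object_path, mode) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith("{") or line == "}":
            continue  # skip the subject header and closing brace
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable ACL line: {line!r}")
        net, path, mode = m.groups()
        network = ipaddress.ip_network(net, strict=True) if net else None
        rules.append((network, path, mode))
    return rules


def effective_mode(rules, path, src_ip):
    """Mode granted on `path` for a process reached from `src_ip`.

    Ordering: longest matching object path first, then an IP-qualified
    rule beats an unqualified one, then the longest network prefix wins.
    Returns None when no rule covers the path at all.
    """
    addr = ipaddress.ip_address(src_ip)
    best = None  # ((path_len, is_ip_rule, prefixlen), mode)
    for network, rule_path, mode in rules:
        covers = (rule_path == "/" or path == rule_path
                  or path.startswith(rule_path.rstrip("/") + "/"))
        if not covers:
            continue
        if network is None:
            key = (len(rule_path), 0, 0)
        elif addr in network:
            key = (len(rule_path), 1, network.prefixlen)
        else:
            continue  # IP rule for this path, but from another network
        if best is None or key > best[0]:
            best = (key, mode)
    return best[1] if best else None
```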

PostPosted: Mon Dec 30, 2002 9:24 pm
by spender
As for the learning issue. The most likely reason why it looks a lot like the default ACL is because you haven't specified "o" in the subject mode, so that ACL is inheriting the default ACL. It may be possible for me to modify the learning mode so that the ACLs that are generated preserve the ACL inheritance, but as that's a prettiness feature more than anything else, it won't have a high priority right now.

As for the IP ACLs for files, any implementation of it would result in bad performance. What I do plan on doing though is having IP ACLs for roles, as setuid() is hardly a bottleneck for any system.

-Brad