grsecurity forums

[snow]

Hi!

If i try to mount a encrypted drive (dm-crypt with LUKS) in my filemanager i get the error: "Not authorized to perform operation". It's not promting me for the su password and just giving me this error.

Unfortunately my encrypted LVM mounts fine at boot, but i can't mount some harddrives with the grsec kernel. On the Stock kernel everything works fine.

Any ideas what causes this problem?

Best regards

[spender]

I assume you're using udisks, if so then this is by design. We prevent unprivileged mounts via CONFIG_GRKERNSEC_MODHARDEN, including assisted unprivileged mounts via udisks.

-Brad

[snow]

Thanks for the quick response.

Is there a workaround for this without disabling the whole CONFIG_GRKERNSEC_MODHARDEN feature?

[spender]

In the patch there's a comment saying "hack to workaround consolekit/udisks stupidity". The code there is within an ifdef, remove everything between the ifdef and the endif. Also I should clarify my comment from above: it has to do with the introduction of filesystem modules for which that filesystem module hasn't already been loaded, not the mount itself (so you could also manually modprobe the relevant module as root, and that should work around it as well). If that doesn't fix it, then there's something else going on and I'd need to see what logs are present in dmesg.

-Brad

[snow]

Unfortunately the patch doesn't work anymore after removing this section. I found the comment in the file. The section looks like this:

Code: Select all

@@ -152,6 +150,20 @@ int __request_module(bool wait, const char *fmt, ...)
    if (ret)
       return ret;
 
+#ifdef CONFIG_GRKERNSEC_MODHARDEN
+   if (uid_eq(current_uid(), GLOBAL_ROOT_UID)) {
+      /* hack to workaround consolekit/udisks stupidity */
+      read_lock(&tasklist_lock);
+      if (!strcmp(current->comm, "mount") &&
+          current->real_parent && !strncmp(current->real_parent->comm, "udisk", 5)) {
+         read_unlock(&tasklist_lock);
+         printk(KERN_ALERT "grsec: denied attempt to auto-load fs module %.64s by udisks\n", module_name);
+         return -EPERM;
+      }
+      read_unlock(&tasklist_lock);
+   }
+#endif
+
    /* If modprobe needs a service that is in a module, we get a recursive
     * loop.  Limit the number of running kmod threads to max_threads/2 or
     * MAX_KMOD_CONCURRENT, whichever is the smaller.  A cleaner method


I removed the part in the ifdef, so it looks like this:

Code: Select all

@@ -152,6 +150,20 @@ int __request_module(bool wait, const char *fmt, ...)
    if (ret)
       return ret;
 
+#ifdef CONFIG_GRKERNSEC_MODHARDEN
+#endif
+
    /* If modprobe needs a service that is in a module, we get a recursive
     * loop.  Limit the number of running kmod threads to max_threads/2 or
     * MAX_KMOD_CONCURRENT, whichever is the smaller.  A cleaner method


By applying the patch i get the following error:

Code: Select all

patch: **** malformed patch at line 145516: @@ -180,16 +192,61 @@ int __request_module(bool wait, const char *fmt, ...)


which is the section directly afterwards. Am I missing something? Wheres my error in the modified file?

(so you could also manually modprobe the relevant module as root, and that should work around it as well)

Which module(s) would I have to load with modprobe?

[spender]

I meant to remove it from the patched kernel source. If that's the only change within that hunk of the patch, then feel free to just remove that hunk from the patch instead. As for what modules would be involved, I don't know (I would need more information than provided). You can determine this from a vanilla kernel with the same config, looking at lsmod output prior to mounting the drive and after mounting the drive.

-Brad

[snow]

I tried to remove the whole hunk but it didn't compile anymore, but removing it from the kmod.c file worked. The problem is it still doesn't mount my drive and there are no useful logs with dmesg and in /var/log/syslog around the time i mount the drive (there are just rejected iptables packets ...).
Strange thing is: my encrypted USB flash drive mounts fine.

[spender]

Did you enable CONFIG_GRKERNSEC_SYSFS_RESTRICT?

-Brad

[snow]

# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set

This means the setting is disabled i guess?

Sorry I should have written my config already in the first post.

Configuration Method: Automatic
Usage Type: Desktop
Virtualization Type: Host
Virtualization HW: EPT/RVI support
Virtualization SW: KVM
Required Priorities: Security

I didn't customize the settings further

Here's the full config:
http://pastebin.com/sPKrMyEq

[spender]

That looks fine -- I'm not sure what the problem could be then, based on the information you provided. You could try stracing the process reporting the error, or doing a binary-search disabling of grsec features to find the compatibility culprit.

-Brad