
FS#44568 - [linux-grsec] grsec: denied exec of usermode helper binary ... located outside of /sbin

Attached to Project: Community Packages
Opened by nixscripter (nixscripter) - Monday, 13 April 2015, 04:43 GMT
Last edited by Daniel Micay (thestinger) - Wednesday, 15 April 2015, 14:42 GMT
Task Type: Feature Request
Category: Packages
Status: Closed
Assigned To: Daniel Micay (thestinger)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:
The exact instance of the issue I have encountered is caused by a package that is not officially supported. However, I feel the need to open something because it is caused by an Arch-specific FHS decision, and I see it as just a matter of time before someone else hits this problem in the future.

One of the features of grsecurity is to require that all kernel helper binaries be in a couple of directories such as /sbin. But on Arch Linux, /sbin is a symlink to /usr/bin. This means that anything installed in /sbin with intent to follow the rules will fail the grsecurity check, because it will determine (correctly) it is actually in /usr/bin, which is not in the list.

In my case, this is particularly bad, because the binary which fails is part of the Tomoyo Mandatory Access Control System, which causes a kernel panic. I'm using linux-grsec because the Tomoyo extension was removed from the mainline some months back, but this package kept it in (thankfully). Since I'm trying to have a community supported kernel without having to recompile it myself for every upgrade, I'd really like this package to provide me with one. This is the only stumbling block I have left.

A patch has already been written to address this issue. I would request that it be considered for addition to the package:
https://github.com/fishilico/shared/raw/master/archlinux-seckernel/usr-bin-usermode-helper.patch

For reference, the version of linux-grsec which displays this behavior is 3.19.3.201504021826-1.
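The mechanism the report describes, as an added example in user-space C (not grsecurity's, the kernel's or the Arch package's code): a prefix allowlist of the kind applied to usermode helpers, a constructed table of the merged-/usr symlinks so that a helper requested as /sbin/modprobe is checked as /usr/bin/modprobe, and the same check run against two lists, one without and one with "/usr/bin/", which is the prefix the upstream fix quoted later in this thread adds. The symlink table, the before/after lists, the exact-path entry and the sample paths are assumptions made for the example; the kernel's own check works on the path it is handed, not on a lookup table.

```c
/* Added example, not code from grsecurity, the Linux kernel or the Arch
 * package: a user-space model of a usermode-helper path allowlist.  The
 * symlink table and the sample paths are constructed for the example. */
#include <stdio.h>
#include <string.h>

enum { HELPER_PATH_MAX = 4096 };

/* Directory prefixes accepted before the change: no "/usr/bin/". */
static const char *const allowed_before[] = {
    "/sbin/", "/usr/lib/", "/lib/", "/lib64/", "/usr/libexec/", NULL
};

/* Prefixes accepted once "/usr/bin/" is added, as in the upstream fix. */
static const char *const allowed_after[] = {
    "/sbin/", "/usr/lib/", "/lib/", "/lib64/", "/usr/libexec/", "/usr/bin/", NULL
};

/* Single files allowed by exact path rather than by directory. */
static const char *const allowed_exact[] = { "/usr/share/apport/apport", NULL };

/* Merged-/usr layout: on Arch /sbin, /bin and /usr/sbin are symlinks to
 * /usr/bin, and /lib and /lib64 to /usr/lib.  Constructed lookup table;
 * the kernel would instead walk the real dentry path. */
struct dir_link { const char *from; const char *to; };
static const struct dir_link merged_usr[] = {
    { "/sbin/", "/usr/bin/" }, { "/bin/", "/usr/bin/" }, { "/usr/sbin/", "/usr/bin/" },
    { "/lib64/", "/usr/lib/" }, { "/lib/", "/usr/lib/" },
};

/* 1 if PATH is absolute, free of ".." and inside an allowed prefix or an
 * exact entry; 0 otherwise.  Same shape as the kernel-side condition. */
int helper_allowed(const char *path, const char *const *prefixes)
{
    if (path[0] != '/' || strstr(path, ".."))
        return 0;
    for (; *prefixes; prefixes++)
        if (strncmp(path, *prefixes, strlen(*prefixes)) == 0)
            return 1;
    for (const char *const *e = allowed_exact; *e; e++)
        if (strcmp(path, *e) == 0)
            return 1;
    return 0;
}

/* Rewrite the leading directory the way a merged-/usr filesystem resolves it,
 * e.g. "/sbin/modprobe" -> "/usr/bin/modprobe".  Writes into OUT. */
const char *resolve_merged_usr(const char *path, char *out, size_t outsz)
{
    for (size_t i = 0; i < sizeof merged_usr / sizeof merged_usr[0]; i++) {
        size_t n = strlen(merged_usr[i].from);
        if (strncmp(path, merged_usr[i].from, n) == 0) {
            snprintf(out, outsz, "%s%s", merged_usr[i].to, path + n);
            return out;
        }
    }
    snprintf(out, outsz, "%s", path);
    return out;
}

/* The check as it plays out on a merged-/usr system: resolve, then test.
 * This is why a helper installed as /sbin/foo fails the "before" list. */
int helper_allowed_resolved(const char *path, const char *const *prefixes)
{
    char resolved[HELPER_PATH_MAX];
    return helper_allowed(resolve_merged_usr(path, resolved, sizeof resolved), prefixes);
}

int main(void)
{
    /* Constructed sample requests: a classic kernel helper path, a library
     * helper, a traversal attempt, a path outside every allowed directory
     * and the exact-match entry. */
    static const char *const samples[] = {
        "/sbin/modprobe", "/lib/udev/helper", "/usr/bin/../../tmp/evil",
        "/tmp/evil", "/usr/share/apport/apport",
    };
    printf("%-28s %-28s before after\n", "requested", "resolved");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char resolved[HELPER_PATH_MAX];
        resolve_merged_usr(samples[i], resolved, sizeof resolved);
        printf("%-28s %-28s %-6s %s\n", samples[i], resolved,
               helper_allowed_resolved(samples[i], allowed_before) ? "allow" : "deny",
               helper_allowed_resolved(samples[i], allowed_after) ? "allow" : "deny");
    }
    return 0;
}
```

Run as written, the table shows /sbin/modprobe denied by the first list and allowed by the second purely because its resolved form starts with /usr/bin/, while the ".." case and /tmp stay denied under both; that is the whole difference the report is asking for, and also the reason the widened list admits every binary in /usr/bin, not just former /sbin contents.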

Closed by: Daniel Micay (thestinger)
Wednesday, 15 April 2015, 14:42 GMT
Reason for closing: Fixed
Additional comments about closing: 3.19.4.201504142300
Comment by Daniel Micay (thestinger) - Tuesday, 14 April 2015, 17:08 GMT
I'm fine with making this change, but it seems like it could just be done upstream. Can you try asking on the grsecurity forums? The separation between sbin and bin was always quite arbitrary and varied per distribution. Lots of tools that tended to go in sbin worked as a regular user anyway.
Comment by Daniel Micay (thestinger) - Wednesday, 15 April 2015, 13:33 GMT
This is now fixed upstream:

+ if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/usr/lib/", 9) &&
+ strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) &&
+ strncmp(sub_info->path, "/usr/libexec/", 13) && strncmp(sub_info->path, "/usr/bin/", 9) &&
+ strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) {
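Review bot: adding "/usr/bin/" to the accepted prefixes on the third line widens the allowlist from a handful of system directories to every executable in /usr/bin, which on a merged-/usr layout (where, as the report notes, /sbin is a symlink to /usr/bin) is every installed binary, so from here on the condition restricts helpers only through the strstr(sub_info->path, "..") traversal rejection and the exclusion of paths outside the listed prefixes; that trade-off deserves a comment beside the condition so the next reader does not take the list for a tight allowlist. A smaller point: the hand-counted lengths (6, 9, 5, 7, 13, 9) have to be kept in sync with the literals by eye; an array of prefixes compared with strncmp(sub_info->path, p, strlen(p)), or sizeof("/usr/bin/") - 1 in place of the numbers, removes that maintenance hazard and makes the next prefix addition a one-line change.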