Skip to content
pyllyukko edited this page Dec 16, 2016 · 17 revisions

Strategy

  • Start off with the example policy provided with gradm
  • Decide what is sensitive and put that into $grsec_denied
  • First create the basic role layout
    • Create a domain for all regular users
    • Configure the default role with / h, -CAP_ALL, connect disabled & bind disabled
  • Create a sane (somewhat permissive) default subject for all interactive user roles, so that all the basic command line tools etc. work without having a separate subject
  • For system/service roles, try to utilize full system learning generated policies, as they (should) have quite limited and predefined functionality and behavior. These should also have very restrictive default subject.
  • Use policy inheritance as much as possible to keep the policy file small and manageable
  • Restrict all capabilities by default
  • Start fixing the policy by functionality, e.g. fix login, Xorg, audio, networking, cron, suspend, bluetooth, etc...
  • Double-check policy tweaks from a separate reference policy created with full system learning
  • Use inheritance for those problematic subjects that call stuff from everywhere (/usr/lib64/pm-utils/bin/pm-action is one example)

inherit-learn

  • /usr/sbin/tigercron
  • /usr/bin/rkhunter
  • /usr/lib64/pm-utils/bin/pm-action
  • /usr/lib64/sa/sa2

Details

rx

For most users the following should be enough:

        /bin            rx
        /usr/bin        rx
        /usr/lib        rx
        /usr/lib64      rx
        /usr/libexec    rx
        /usr/share      rx
        /lib            rx
        /lib64          rx

/lib*

Remove stuff like /lib32, /libx32 & /lib64/modules, as they don't exist in Slackware system.

NTP

NTP settles for so little <3

# Role: root
subject /usr/sbin/ntpd o {
        /                               h
        /etc/ntp/drift                  rwcd
        /etc/ntp/drift.TEMP             rwcd
        -CAP_ALL
        +CAP_SYS_TIME
}

/sbin/init

# Role: root
subject /sbin/init o {
}

/bin/login

# Role: root
subject /bin/login

# Role: users
subject /bin/login
        /dev/log                        rw
        bind    disabled
        connect disabled

/sbin/agetty

# Role: root
subject /sbin/agetty
        -CAP_ALL
        +CAP_CHOWN
        +CAP_FSETID
        +CAP_SYS_ADMIN
        +CAP_SYS_TTY_CONFIG
        bind    disabled
        connect disabled

/usr/bin/sudo

+CAP_SYS_ADMIN for users?

# Role: root
subject /usr/bin/sudo
        /dev/log                        rw
        /var/log/sudo.log               a
        -CAP_ALL
        +CAP_SETGID
        +CAP_SETUID
        +CAP_SYS_RESOURCE
        bind    disabled
        connect disabled

# Role: users
subject /usr/bin/sudo
        -CAP_ALL
        +CAP_SETGID
        +CAP_SETUID
        +CAP_SYS_RESOURCE
        bind    disabled
        connect disabled
        sock_allow_family netlink

users

  • /dev/dri/card0 is for Xorg
domain users u pyllyukko
subject /
        /                               r
        /bin                            rx
        /dev                            
        /dev/dri                        h
        /dev/dri/card0                  rw
        /dev/fuse                       rw
        /dev/null                       rw
        /dev/zero                       rw
        /dev/ptmx                       rw
        /dev/pts                        rw
        /dev/shm                        rwcd
        /dev/tty                        rw
        /dev/tty?                       rw
        /dev/urandom                    r
        /dev/random                     r
        /tmp                            rwcd
        /var/tmp                        rwcd
        $grsec_denied
Clone this wiki locally