Re: fping & systrace
From: Steffen Schuetz (st.sch at gmx.net)
Date: Sat Sep 02 2006 - 15:47:12 CDT
On Saturday 02 September 2006 12:14, Julien TOUCHE wrote:
[cut]
>
> i don't get it ???
>
> "native-getuid: permit as root" doesn't work in a systrace policy
You should try "true then permit as root"
> $ sudo /bin/systrace -a -c 556:556 /usr/local/sbin/fping localhost
> syntax error
> /etc/systrace/usr_local_sbin_fping:24: syntax error.
> Segmentation fault
>
> and same for adding a return code to permit.
>
> nobody with systrace privilege evelation and fping ?
The following policy works for me:
Policy: /usr/local/sbin/fping, Emulation: native
native-geteuid: true then permit as root
native-getuid: true then permit as root
native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_RAW" then permit as root
native-issetugid: permit
native-mprotect: prot eq "PROT_READ" then permit
native-mmap: prot eq "PROT_READ|PROT_WRITE" then permit
native-fsread: filename eq "/var/run/ld.so.hints" then permit
native-fstat: permit
native-mmap: prot eq "PROT_READ" then permit
native-close: permit
native-fsread: filename eq "/usr/lib/libc.so.39.2" then permit
native-read: permit
native-mmap: prot eq "PROT_NONE" then permit
native-mmap: prot eq "PROT_READ|PROT_EXEC" then permit
native-mprotect: prot eq "PROT_READ|PROT_WRITE" then permit
native-mprotect: prot eq "PROT_READ|PROT_WRITE|PROT_EXEC" then permit
native-mprotect: prot eq "PROT_READ|PROT_EXEC" then permit
native-munmap: permit
native-sigprocmask: permit
native-__sysctl: permit
native-fsread: filename eq "/etc/protocols" then permit
native-fsread: filename eq "/etc/malloc.conf" then permit
native-seteuid: uid eq "0" and uname eq "root" then permit
native-setuid: uid eq "0" and uname eq "root" then permit
native-getpid: permit
native-sigaction: permit
native-gettimeofday: permit
native-sendto: sockaddr match "inet-*:0" then permit
native-select: permit
native-recvfrom: permit
native-ioctl: permit
native-write: permit
native-exit: permit
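The rule that trips the original poster and the working form in the reply above differ only in whether an explicit predicate precedes the action. The following added example (not from this thread and not systrace's own parser) is a small policy linter that encodes that distinction: a bare action such as "permit" is accepted as the shorthand form, an "as <user>" clause is accepted only after "<predicate> then", and every rule that hands a system call to another user is listed so a reviewer can see at a glance which calls fping gets to run as root. The grammar is an approximation reconstructed from the rules quoted in the post and the systrace(1) policy syntax; the operator and action names it accepts, and the sample policy text, are assumptions chosen to match the lines shown on this page.

```python
"""Lint systrace policy lines: check the rule syntax and list the rules
that run a system call as another user.

Added example, not code from the thread. The grammar is an approximation
of systrace's  emulation-syscall: predicate then action [as user]  form,
reconstructed from the rules quoted in the post; it is a hypothetical
linter, not the real parser.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

ACTIONS = ("permit", "deny", "ask")
# Operators assumed from the post ("eq", "match") plus common systrace ones.
OPERATORS = {"eq", "neq", "match", "sub", "nsub", "inpath", "re"}

RULE_RE = re.compile(r"^(?P<emu>[a-z]+)-(?P<call>[A-Za-z0-9_]+):\s*(?P<body>.+?)\s*$")
COND_RE = re.compile(r'^([A-Za-z0-9_]+)\s+([a-z]+)\s+"([^"]*)"$')
ACTION_RE = re.compile(r"^(permit|deny|ask)(?:\s+as\s+([A-Za-z0-9_-]+))?(?:\s+log)?$")


class Rule(NamedTuple):
    syscall: str
    predicate: str
    action: str
    as_user: Optional[str]


def _check_predicate(text: str) -> bool:
    """'true' or one or more  arg op "value"  terms joined by and/or."""
    if text == "true":
        return True
    for term in re.split(r"\s+(?:and|or)\s+", text):
        m = COND_RE.match(term)
        if m is None or m.group(2) not in OPERATORS:
            return False
    return True


def parse_rule(line: str) -> Rule:
    """Parse one rule line; raise SyntaxError on anything the grammar rejects."""
    m = RULE_RE.match(line)
    if not m:
        raise SyntaxError(f"not a policy rule: {line!r}")
    body = m.group("body")
    if body in ACTIONS:
        # Shorthand such as 'native-close: permit': no predicate, no 'as' clause.
        return Rule(m.group("call"), "true", body, None)
    pred, sep, act = body.partition(" then ")
    if not sep:
        # 'permit as root' with no predicate: the form the poster saw rejected.
        # The 'as' clause is only accepted after an explicit '<predicate> then'.
        raise SyntaxError(f"expected '<predicate> then <action>': {line!r}")
    if not _check_predicate(pred):
        raise SyntaxError(f"bad predicate {pred!r}: {line!r}")
    am = ACTION_RE.match(act)
    if not am:
        raise SyntaxError(f"bad action {act!r}: {line!r}")
    return Rule(m.group("call"), pred, am.group(1), am.group(2))


def lint_policy(text: str) -> Tuple[List[str], List[Rule]]:
    """Return (syntax errors tagged with line numbers, rules with an 'as' user)."""
    errors: List[str] = []
    elevated: List[Rule] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Policy:"):
            continue  # blank line, comment, or the policy header
        try:
            rule = parse_rule(line)
        except SyntaxError as exc:
            errors.append(f"{n}: {exc}")
            continue
        if rule.as_user is not None:
            elevated.append(rule)
    return errors, elevated


# Constructed sample: a subset of the working policy from the reply above.
WORKING_POLICY = """
Policy: /usr/local/sbin/fping, Emulation: native
native-geteuid: true then permit as root
native-getuid: true then permit as root
native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_RAW" then permit as root
native-issetugid: permit
native-fsread: filename eq "/etc/protocols" then permit
native-seteuid: uid eq "0" and uname eq "root" then permit
native-sendto: sockaddr match "inet-*:0" then permit
native-exit: permit
"""

# The form from the original question, which the reply says does not parse.
BROKEN_LINE = 'native-getuid: permit as root'

if __name__ == "__main__":
    errs, elev = lint_policy(WORKING_POLICY + BROKEN_LINE + "\n")
    for e in errs:
        print("error", e)
    for r in elev:
        print(f"{r.syscall} runs as {r.as_user} when {r.predicate}")
```

Running the block reports exactly one syntax error (the appended "permit as root" line) and lists geteuid, getuid and socket as the three calls permitted as root, which is the minimal set fping needs for its raw ICMP socket. Keeping that list short is the point of the policy: any additional "as root" rule that a lint like this surfaces deserves a second look.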