[rsbac] rsbac-1.2.3-pre2 on kernel 2.6.0 on SuSE 9.0

Fabian Kiendl rsbac at gmx.net
Thu Jan 1 16:52:35 CET 2004


A Happy New Year 2004! As part of my resolution not to procrastinate on
security matters, here's a brief report on my experiment of installing
rsbac-1.2.3-pre2 on top of kernel 2.6.0 on top of SuSE 9.0:

1) patching the kernel: 1 reject in mm/mmap.c, which was not inserted
automatically because the code lines after the RSBAC insert had changed in the
original. No problem inserting it manually.

2) compiling the kernel: do_mounts complained about an undeclared
real_root_dev, quick and dirty solution: turn initrd support OFF in kernel config

3) compilation of admin tools: like in an earlier post on this list, there
was an undefined reference to errno so "#include <errno.h>" had to be added to
<kerneldir>/include/rsbac/syscalls.h

after first boot, check syslog for NOT_GRANTED messages and dish out
permissions accordingly. There were a lot less adjustments to make than with
previous RSBAC versions, notably there were no kmem GET_STATUS_DATA complaints from
system services because there is an ACL entry for USER_0 (root) by default.

What I still keep getting since RSBAC installation is "bad: scheduling while
atomic!" kernel traces, but without any obvious discomfort so far.

What puzzles me is that I can do "echo abcdefgh > /dev/kmem" as root which
causes an oops and ends my root shell without RSBAC intervening.

Surprisingly positive experience so far, given that I'm using a development
version of RSBAC that isn't even meant to be installed on top of my kernel.
But I need kernel 2.6.0 for some pieces of hardware to work and I need to run
some services on the machine, so I'm desperate for RSBAC protection. Even if
the machine should freeze, I'd prefer that to being 0wn3d.

All the best for the development of the next stable version

Fabian



More information about the rsbac mailing list