[rsbac] Fwd: rsbac_init goes RSBAC_EINVALIDREQUEST with devicemapper
Palon Setin
palons at danwin1210.me
Thu Dec 6 11:36:00 CET 2018
(Hi again!)
Ah, I had replied to myself...
Pls. see below. This issue is old, found in the ML archives, and solved.
( In the meantime, I see the kind dev Jens Kasten replied. I'll reply,
to the list, after I send this email. )
-------- Forwarded Message --------
Subject: Re: [rsbac] rsbac_init goes RSBAC_EINVALIDREQUEST with devicemapper
Date: Wed, 05 Dec 2018 15:56:00 +0000
From: Palon Setin <palons at tt3j2x4k5ycaa5zt.onion>
To: Palon Setin <palons at tt3j2x4k5ycaa5zt.onion>
Palon Setin wrote:
[...]
> # rsbac_init /dev/dm-0
> Error: RSBAC_EINVALIDREQUEST
[...]
I was here, the solution:
https://www.rsbac.org/pipermail/rsbac/2010-March/002512.html
more precisely here:
https://www.rsbac.org/pipermail/rsbac/2010-March/002513.html
(as in previous post, some data redacted a little)
.config - Linux/x86 4.19.6 Kernel Configuration
Security options > Rule Set Based Access Control (RSBAC) > General RSBAC options --
+----------------------------- Delayed init for initial ramdisk ----+
| CONFIG_RSBAC_INIT_DELAY: |
| |
| This option allows to delay RSBAC initialization until the first |
| mount of a real disk partition (major number > 1). It is intended |
| to be used with initial ramdisks, which mount the final root |
| partition during boot. |
| |
| You can trigger initialization at a specific partition mount with |
| the kernel parameter rsbac_delayed_root=major:minor. If the given |
| partition is not mounted and thus RSBAC not initialized, you can |
| also call the rsbac_init() system call at any time, e.g. with the |
| rsbac_init utility. |
| |
| To disable delayed init, you have to use the kernel parameter |
| rsbac_no_delay_init. This will force the standard initialization |
| after the first root mount. If this is your initrd, the RSBAC |
| setup in there will be used instead of the configuration on your |
| real root device. |
| |
| WARNING: The delayed init option requires the RSBAC init code to |
| be kept in memory all the time, which increases your |
| kernel memory usage by a few 10s of KB. It should only |
| be used in combination with an initial ramdisk. |
| Symbol: RSBAC_INIT_DELAY [=y] |
| Type : bool |
| Prompt: Delayed init for initial ramdisk |
| Location: |
| -> Security options |
| -> Rule Set Based Access Control (RSBAC) (RSBAC [=y]) |
| -> General RSBAC options |
| Defined at rsbac/Kconfig:330 |
| Depends on: RSBAC [=y] |
|------------------------------------------------------------(99%)--|
| < Exit > |
+-------------------------------------------------------------------+
root at gdOv:/home/palon# diff /boot/config-4.19.6-rsbac /home/palon/linux-4.19.6/.config
4707c4707
< # CONFIG_RSBAC_INIT_DELAY is not set
---
> CONFIG_RSBAC_INIT_DELAY=y
root at gdOv:/home/palon#
I just removed "quiet" which is the default in the Grub "linux ..." line
(in Debian and derivatives), and I got more info.
( BTW, I also recompiled the kernel and set: CONFIG_RSBAC_INIT_DELAY=y
which previously was "n", as can be seen in the diff above.)
[[ This is manual copying literal lines :( , "x" instead of not too
important decimal digits, also anything I suspect is unimportant glossed
over more quickly... ]]
[ 2.4xxxxx] input: HDA ...
[ 2.4xxxxx] input: HDA ...
[ 2.4xxxxx] Write protecting the kernel readonly data: 26624k
[ 2.4xxxxx] Freeing unused kernel image memory: 2024k
[ 2.4xxxxx] Freeing unused kernel image memory: 524k
[ 2.4xxxxx] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[ 2.4xxxxx] rodata_test: all tests were successful
[ 2.4xxxxx] Run /init as init process
[ 2.4xxxxx] mkdir (175) used greatest stack depth: 13680 bytes left
[ 2.4xxxxx] 0000000016|rsbac_mount(): RSBAC not initialized while mounting DEV 00:17, fs-type sysfs, delaying
[ 2.4xxxxx] 0000000017|rsbac_mount(): RSBAC not initialized while mounting DEV 00:04, fs-type proc, delaying
[ 2.4xxxxx] cat (181) used greatest stack depth: 13648 bytes left
Loading, please wait...
[ 2.4xxxxx] 0000000018|rsbac_mount(): RSBAC not initialized while mounting DEV 00:06, fs-type devtmpfs, delaying
[ 2.4xxxxx] 0000000019|rsbac_mount(): RSBAC not initialized while mounting DEV 00:18, fs-type devpts, delaying
[ 2.4xxxxx] 0000000020|rsbac_mount(): RSBAC not initialized while mounting DEV 00:19, fs-type tmpfs, delaying
[ 2.4xxxxx] all_generic_ide (188) used greatest stack depth: 13592 bytes left
[ 2.4xxxxx] udevd[196]: starting version 3.2.7
[ 2.4xxxxx] random: udevd: uninitialized urandom read (16 bytes read)
[ 2.4xxxxx] random: udevd: uninitialized urandom read (16 bytes read)
[ 2.4xxxxx] udevd[197]: starting eudev-3.2.7
[ 2.4xxxxx] udevd[199]: could not open builtin file '/lib/modules/4.19.6-rsbac/modules.builtin.bin'
[ 2.4xxxxx] (more of the above line)
[ 2.4xxxxx] (more of the above line)
[ 2.4xxxxx] ...
[ 2.4xxxxx] ...
[ 2.4xxxxx] [[ more lines about mostly random/ness things ]]
[ 2.4xxxxx] ...
[ 2.4xxxxx] ...
[ 2.4xxxxx] ...
[ 2.4xxxxx] ...
[ 2.4xxxxx] ...
[ 2.4xxxxx] ...
Begin: Loading essential dirvers ... done.
Begin: Running /scripts/init-premount ... done.
Begin: Mounting root file system ... Begin: Running /scripts/local-top
... Please unlock disk g9_dev:
Entered the phrase, unlocked, and (after a screenful or two past too
quickly to perceive) then:
[...]
[ 1063.xxxxxx] 0000000135|read_list(): list fd_cap on device 251:00 not found trying numbered lists 0 to 31 with old name base 'fd_cap.'
[ 1063.xxxxxx] 0000000136|read_list(): list fd_res on device 251:00 not found trying numbered lists 0 to 31 with old name base 'fd_res.'
[ 1063.xxxxxx] 0000000137|read lol_list(): list authfd on device 251:00 not found trying numbered lists 0 to 31 with old name base 'authfd.'
[ 1063.xxxxxx] 0000000138|read_list(): list aclfs on device 251:00 not found trying numbered lists 0 to 31 with old name base 'aclfd.'
[ 1064.xxxxxx] 0000000139|rsbac_mount: repeated mount 1 of device 00:04
[ 1064.xxxxxx] 0000000140|rsbac_mount_auth: repeated mount 1 of device 00:04
[ 1064.xxxxxx] 0000000141|rsbac_mount_acl: repeated mount 1 of device 00:04
[ 1064.xxxxxx] 0000000142|rsbac_mount: repeated mount 1 of device 00:04
[ 1064.xxxxxx] 0000000143|rsbac_mount_auth: repeated mount 1 of device 00:04
[ 1064.xxxxxx] 0000000144|rsbac_mount_acl: repeated mount 1 of device 00:04
INIT: version bootin
[[ nothing more on current screen with rsbac in it ]]
[...]
Next was just a number of lines about fd_ff, fd_rc, fd_auth, fd_cap,
fd_res ... not found...
( by this time, I guess the reader will guess that I had remembered and
used "Scroll Lock" to lock the screen for some of the later lines copied
above )
It does seem to be working though! I got lines like this:
[...]
[ 1604.5xxxxx] 0000000164|rsbac_adf_request(): request CHANGE_OWNER, pid 2188, ppid 2184, prog_name apache2, prog_file /usr/sbin/apache2, uid 0, target_type PROCESS, tid 2187(apache2,parent=2184(apache2)), attr owner, value 33, result NOT_GRANTED (Softmode) by AUTH
[...]
Once booted fully, I get:
# rsbac_check
rsbac_check (RSBAC 1.5.3)
***
Use: rsbac_check correct check_inode
correct = 0: do not correct errors
correct = 1: correct errors
correct = 2: correct more
check_inode = 0: do not check inode numbers
check_inode = 1: also check inode numbers (only ext2/3 on 2.4 kernels)
#
And:
# rsbac_check 0 0
gets me a lot of logging in the syslog...
I think I will like this program (once I learn to use it, it's not a
low-hanging fruit by any means...)!
Thanks!
Palon
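An added helper script, not from the post above nor an RSBAC tool, for the two checks the Kconfig text and the diff imply: whether the running kernel's config has CONFIG_RSBAC_INIT_DELAY=y, and what the rsbac_delayed_root=major:minor parameter should be for a device-mapper root. It assumes GNU stat (which prints major:minor in hex) and uses 0xfb:0 as the constructed input, matching the "device 251:00" that RSBAC logged for the root in the boot output; function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original post): helpers around RSBAC's
# delayed init for an initramfs + device-mapper root. Function names are
# hypothetical; only the kernel parameter and config symbol come from RSBAC.
set -eu

# GNU `stat -c '%t:%T'` prints major:minor in HEX (e.g. "fb:0" for a dm
# device with major 251). rsbac_delayed_root= takes DECIMAL major:minor,
# the same numbering RSBAC prints in its own log lines ("device 251:00").
hex_devno_to_param() {
    maj=$((0x${1%%:*}))
    min=$((0x${1##*:}))
    printf 'rsbac_delayed_root=%d:%d\n' "$maj" "$min"
}

# Same conversion for a live device node (needs GNU stat and the node).
dm_root_param() {
    hex_devno_to_param "$(stat -c '%t:%T' "$1")"
}

# Returns 0 when the given kernel config enables delayed init, 1 when it
# is absent or "# CONFIG_RSBAC_INIT_DELAY is not set" (the state the post
# started from, per the diff against /boot/config-4.19.6-rsbac).
config_has_delay() {
    grep -q '^CONFIG_RSBAC_INIT_DELAY=y$' "$1"
}

# Demo on constructed input so it runs without an RSBAC kernel or /dev/dm-0.
demo() {
    tmp=$(mktemp)
    printf '# CONFIG_RSBAC_INIT_DELAY is not set\n' > "$tmp"
    if config_has_delay "$tmp"; then
        echo "delayed init: enabled"
    else
        echo "delayed init: disabled (rsbac_init on a dm root will fail)"
    fi
    rm -f "$tmp"
    hex_devno_to_param fb:0    # constructed: dm-0 with major 251, minor 0
}

demo
```

On a real box, `dm_root_param /dev/dm-0` gives the value to append to the GRUB "linux ..." line once the kernel is built with CONFIG_RSBAC_INIT_DELAY=y.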