
Setting tpe.extras.hide_uname=1 doesn't work. #30

Closed
morfikov opened this issue Feb 23, 2019 · 3 comments

Comments

morfikov commented Feb 23, 2019

Most of the tpe.extras.* options work well, but tpe.extras.hide_uname doesn't.

When I set it to "0", I get:

# sysctl -w tpe.extras.hide_uname=0
tpe.extras.hide_uname = 0

$ uname -a
Linux morfikownia 4.20.12-amd64-morficzny+ #3 SMP PREEMPT Sat Feb 23 18:43:09 CET 2019 x86_64 GNU/Linux

When I change it to "1", I get:

# sysctl -w tpe.extras.hide_uname=1
tpe.extras.hide_uname = 1
$ uname -a
Linux morfikownia 4.20.12-amd64-morficzny+ #3 SMP PREEMPT Sat Feb 23 18:43:09 CET 2019 x86_64 GNU/Linux

Also when I try to check the sysctl value using:

# sysctl -a | grep tpe.extras.hide_uname

I get the following log and the sysctl command hangs:

tpe: Denied untrusted uname of /sbin/sysctl (uid:0) by /sbin/sysctl (uid:0), parents: /bin/zsh (uid:0), /bin/su (uid:1000), /bin/zsh (uid:1000), /usr/bin/tmux (uid:1000), /lib/systemd/systemd (uid:0). Deny reason: tpe_extras
kernel: tpe: If this uname was legitimate and you cannot correct the behavior, an exception can be made to allow this by running; setfattr -n security.tpe -v "soften_uname" /sbin/sysctl. To silence this message, run; sysctl tpe.log_verbose = 0

Here are my current TPE settings:

# sysctl -a | grep tpe
tpe.admin_gid = 0
tpe.check_file = 1
tpe.dmz_gid = 0
tpe.extras.harden_ptrace = 1
tpe.extras.hide_uname = 0
tpe.extras.ignore_softmode = 0
tpe.extras.log = 1
tpe.extras.lsmod = 1
tpe.extras.proc_kallsyms = 1
tpe.extras.ps = 0
tpe.extras.ps_gid = 0
tpe.extras.restrict_setuid = 0
tpe.group_writable = 1
tpe.hardcoded_path =
tpe.kill = 0
tpe.lock = 0
tpe.log = 1
tpe.log_floodburst = 5
tpe.log_floodtime = 5
tpe.log_max = 50
tpe.log_verbose = 1
tpe.paranoid = 0
tpe.softmode = 0
tpe.strict = 1
tpe.trusted_apps = "/usr/local/bin/docker-entrypoint.sh"
tpe.trusted_gid = 0
tpe.trusted_invert = 0
tpe.xattr_soften = 1
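As an added defender-side example (not part of this issue or of the TPE project), here is a small parser for the "tpe: Denied ..." line quoted above. It pulls out the denied operation, the target, the deny reason and the parent uid chain so such lines can be triaged from syslog; the field names (trust, op, target, actor, parents, reason) are my own labels, and the sample log is constructed from the lines in the report.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample input: the two kernel lines quoted in the issue above.
SAMPLE_LOG = """\
tpe: Denied untrusted uname of /sbin/sysctl (uid:0) by /sbin/sysctl (uid:0), parents: /bin/zsh (uid:0), /bin/su (uid:1000), /bin/zsh (uid:1000), /usr/bin/tmux (uid:1000), /lib/systemd/systemd (uid:0). Deny reason: tpe_extras
kernel: tpe: If this uname was legitimate and you cannot correct the behavior, an exception can be made to allow this by running; setfattr -n security.tpe -v "soften_uname" /sbin/sysctl. To silence this message, run; sysctl tpe.log_verbose = 0
"""

# Group names below are my own labels for the pieces of the "tpe: Denied" line;
# TPE itself does not name them.
DENY_RE = re.compile(
    r"tpe: Denied (?P<trust>trusted|untrusted) (?P<op>\w+) of (?P<target>\S+) "
    r"\(uid:(?P<target_uid>\d+)\) by (?P<actor>\S+) \(uid:(?P<actor_uid>\d+)\)"
    r"(?:, parents: (?P<parents>.*?))?\. Deny reason: (?P<reason>\w+)"
)
PROC_RE = re.compile(r"(\S+) \(uid:(\d+)\)")  # one "/path (uid:N)" entry


@dataclass
class TpeDenial:
    trust: str
    op: str            # e.g. "uname" for the tpe.extras.hide_uname check
    target: str
    target_uid: int
    actor: str
    actor_uid: int
    parents: List[Tuple[str, int]]  # nearest parent first, as TPE prints them
    reason: str


def parse_tpe_log(text: str) -> List[TpeDenial]:
    """Return one record per 'tpe: Denied' line; hint and other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = DENY_RE.search(line)  # search(): tolerate "kernel: " or syslog prefixes
        if not m:
            continue
        parents = [(p, int(u)) for p, u in PROC_RE.findall(m["parents"] or "")]
        out.append(TpeDenial(m["trust"], m["op"], m["target"], int(m["target_uid"]),
                             m["actor"], int(m["actor_uid"]), parents, m["reason"]))
    return out


def uid_transitions(d: TpeDenial) -> List[Tuple[int, int]]:
    """uid changes walking from the root ancestor down to the denied process.
    For the line in the issue this shows the 1000 -> 0 hop made by /bin/su."""
    chain = [u for _, u in reversed(d.parents)] + [d.actor_uid]
    return [(a, b) for a, b in zip(chain, chain[1:]) if a != b]
```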

@cormander (Owner)

The kernel undergoes a ton of changes every release cycle, so on newer versions, some features of this module break and need to be re-implemented. Can you provide me the link to the .iso file you used to install the system you encountered this on? I'm generally pretty behind on kernel versions on my own systems because I mainly use/maintain enterprise systems. Thanks,

@morfikov (Author)

Actually it's a Debian system with a custom kernel (the newest stable).

@cormander (Owner)

Should be fixed in 2.0.4
