After update to 0.2 version some rules fail to load #9

Closed
Mdyrl7777777 opened this issue Jun 5, 2018 · 6 comments

Mdyrl7777777 (Contributor) commented Jun 5, 2018

I have the following rules which cause the SARA: WXP: failed to load rules. error message when I invoke the saractl load command.

# imagemagick
/usr/bin/animate none
/usr/bin/compare none
/usr/bin/composite none
/usr/bin/conjure none
/usr/bin/convert none
/usr/bin/display none
/usr/bin/identify none
/usr/bin/import none
/usr/bin/mogrify none
/usr/bin/montage none

After downgrading to version 0.1 they work: SARA: WXP: new rules loaded.

I have the global flag set to /* MPROTECT,VERBOSE.

# main.conf
sara_enabled=1				# enable S.A.R.A. LSM

sara_locked=0				# lock S.A.R.A. config
					# after it has been loaded

wxprot_enabled=1			# enable WX Protections

wxprot_emutramp_missing_default=none	# default option to use
					# when emutramp is not
					# supported.
					# It can be set to "none"
					# or "mprotect".

wxprot_xattr_enabled=0			# enable security XATTRs
					# support

wxprot_xattr_user_allowed=0		# enable user XATTRs support

cat /proc/config.gz |zgrep SARA
CONFIG_SECURITY_SARA=y
# CONFIG_SECURITY_SARA_DEFAULT_DISABLED is not set
CONFIG_SECURITY_SARA_WXPROT=y
# CONFIG_SECURITY_SARA_WXPROT_DEFAULT_FLAGS_ALL_COMPLAIN_VERBOSE is not set
# CONFIG_SECURITY_SARA_WXPROT_DEFAULT_FLAGS_ALL_ENFORCE_VERBOSE is not set
# CONFIG_SECURITY_SARA_WXPROT_DEFAULT_FLAGS_ALL_ENFORCE is not set
CONFIG_SECURITY_SARA_WXPROT_DEFAULT_FLAGS_NONE=y
# CONFIG_SECURITY_SARA_WXPROT_EMUTRAMP is not set
# CONFIG_SECURITY_SARA_WXPROT_XATTRS_ENABLED is not set
# CONFIG_SECURITY_SARA_WXPROT_DISABLED is not set
CONFIG_SECURITY_SARA_WXPROT_DEFAULT_FLAGS=0

Side note: it would be nice if SARA logged which rules caused the failure. I have several hundred rules (migrated from PaX) and it wasn't easy to find the relevant ones.

Side note 2: When I exec saractl -vvv test it errors with:

Traceback (most recent call last):
  File "/usr/bin/saractl", line 11, in <module>
    load_entry_point('saractl==0.2', 'console_scripts', 'saractl')()
  File "/usr/lib/python3.6/site-packages/sara/main.py", line 33, in main
    return _main(argv)
  File "/usr/lib/python3.6/site-packages/sara/main.py", line 30, in _main
    return cli.do_cmd()
  File "/usr/lib/python3.6/site-packages/sara/CLI.py", line 132, in do_cmd
    return int(not self._safe_call(self.sara.test))
  File "/usr/lib/python3.6/site-packages/sara/CLI.py", line 67, in _safe_call
    return fname(*args, **kwargs)
  File "/usr/lib/python3.6/site-packages/sara/Sara.py", line 56, in test
    if not self.__sml.test_config():
  File "/usr/lib/python3.6/site-packages/sara/SubModLoader.py", line 198, in test_config
    self.__load_config_objects_binary()
  File "/usr/lib/python3.6/site-packages/sara/SubModLoader.py", line 299, in __load_config_objects_binary
    extra_files=exf)
  File "/usr/lib/python3.6/site-packages/sara/submodules/wxprot.py", line 109, in __init__
    extra_files=extra_files)
  File "/usr/lib/python3.6/site-packages/sara/submodules/BaseConfig.py", line 80, in __init__
    self.build_dicts_from_binary()
  File "/usr/lib/python3.6/site-packages/sara/submodules/wxprot.py", line 348, in build_dicts_from_binary
    raise WXPBinaryException('wrong magic number')
sara.submodules.wxprot.WXPBinaryException: WX protection binary error: wrong magic number.

Mdyrl7777777 (Contributor Author) commented

Below is the output from: saractl config_to_file -F c

sara-v0.1.txt
sara-v0.2.txt

@smeso smeso self-assigned this Jun 10, 2018
@smeso smeso added the bug label Jun 10, 2018
smeso (Owner) commented Jun 10, 2018

Are you using the latest kernel patch?
If that is the case, which kernel version are you running?

Mdyrl7777777 (Contributor Author) commented

It's on Linux 4.17 with the latest SARA patch: https://github.com/smeso/sara/releases/download/SARAv5/sara-4.17.y.patch

smeso (Owner) commented Jun 11, 2018

I'm not able to reproduce this issue. Can you please send me your full kernel config and /etc/sara/ dir contents?

Thank you for your help!

Mdyrl7777777 (Contributor Author) commented

I think I have found something: all the files below are symlinks to /usr/bin/magick. If I comment out all except one of them, rule loading succeeds. If I uncomment two or more of them, rule loading fails.

/usr/bin/animate none
/usr/bin/compare none
/usr/bin/composite none
/usr/bin/conjure none
/usr/bin/convert none
/usr/bin/display none
/usr/bin/identify none
/usr/bin/import none
/usr/bin/mogrify none
/usr/bin/montage none

It seems SARA rule loading fails when two or more symlinks point to the same file.

I checked a duplicate line like the one below and it works, so it's the symlink which causes this issue.

/usr/bin/magick none
/usr/bin/magick none

It also fails when I use the real file and at least one symlink to it:

/usr/bin/magick none
/usr/bin/animate none

I created symlinks to other binaries and the behavior was the same as with /usr/bin/magick.
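
For readers with a large rule set (the first side note above mentions several hundred rules migrated from PaX), here is an added example that is not part of this thread and not code from saractl: a small Python script that parses a wxprot rule file in the "PATH FLAGS" format shown above and reports rule paths that resolve, after following symlinks, to the same file, which is exactly the trigger the reporter isolated (two symlinks to one binary, or the real file plus a symlink; identical duplicate lines are deliberately not reported, since the thread shows those load fine). It assumes that "#" starts a comment, including a trailing comment as in main.conf, and it builds its own temporary directory of constructed sample files; the file names and paths in the demo are hypothetical.

```python
"""Find SARA WX-protection rules whose paths resolve to the same file.

Added example (not part of the issue thread or of saractl). Assumes the rule
file format visible in the thread: one "PATH FLAGS" rule per line, '#' starts
a comment (trailing comments are assumed to be allowed as in main.conf).
"""
import os
import shutil
import tempfile
from collections import defaultdict


def parse_wxprot_rules(text):
    """Return [(lineno, path, flags)] for every rule line in `text`."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments (assumed syntax)
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'PATH FLAGS', got {raw!r}")
        rules.append((lineno, parts[0], parts[1]))
    return rules


def find_colliding_rules(rules):
    """Group rules by the file their path reaches after resolving symlinks.

    Only targets reached through two or more *distinct* rule paths are
    reported: the thread shows identical duplicate lines loading fine, while a
    real file plus a symlink to it (or two symlinks) made saractl 0.2 fail.
    """
    by_target = defaultdict(list)
    for rule in rules:
        by_target[os.path.realpath(rule[1])].append(rule)
    return {target: hits for target, hits in by_target.items()
            if len({hit[1] for hit in hits}) > 1}


def format_report(collisions):
    """Human-readable list of the offending rule lines, one group per target."""
    out = []
    for target, hits in sorted(collisions.items()):
        out.append(f"{target} is reached by {len(hits)} rules:")
        out.extend(f"  line {lineno}: {path} {flags}" for lineno, path, flags in hits)
    return "\n".join(out)


def build_demo_tree():
    """Constructed sample (hypothetical paths): a temp dir with one real
    'magick' script, three symlinks to it and one unrelated real file, plus a
    rule file covering all of them, mirroring the ImageMagick layout reported."""
    d = tempfile.mkdtemp(prefix="sara-wxp-demo-")
    magick = os.path.join(d, "magick")
    other = os.path.join(d, "other")
    for p in (magick, other):
        with open(p, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
    links = ["convert", "identify", "mogrify"]
    for name in links:
        os.symlink(magick, os.path.join(d, name))
    rule_text = "\n".join(
        ["# imagemagick"] + [f"{magick} none"]
        + [f"{os.path.join(d, name)} none" for name in links]
        + [f"{other} none  # unrelated real file"])
    return d, rule_text


def remove_demo_tree(d):
    """Delete the directory created by build_demo_tree()."""
    shutil.rmtree(d)


if __name__ == "__main__":
    demo_dir, text = build_demo_tree()
    try:
        print(format_report(find_colliding_rules(parse_wxprot_rules(text))))
    finally:
        remove_demo_tree(demo_dir)
```

Run it against a real rule file by replacing the demo text with the contents of the wxprot rule file; every group it prints is a set of lines that, on saractl 0.2 as described in this thread, would have to be reduced to a single path before the rules load.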

@smeso smeso closed this as completed in f6a4e25 Jun 12, 2018
smeso (Owner) commented Jun 12, 2018

Yeah! Symlinks were the problem!
Thank you!
