grsecurity: no data - no errors

[cgzones]

When using a grsecurity enhanced kernel and running vnstatd with the user vnstat, no data is collected.
Due to proc restrictions by grsec, the vnstat user must be a member of the grsec-proc group.

When this is not the case, vnstatd collects no data and produces no error or warning log messages.
Please add one for this case.

Maybe at

vnstat/src/ifinfo.c

Line 68 in 4e1b097

if ((fp=fopen(PROCNETDEV, "r"))!=NULL) {

and

vnstat/src/ifinfo.c

Line 22 in 4e1b097

if (readproc(inface)!=1) {

?

[vergoh]

I have access to one server using a grsecurity enhanced kernel. Looking at the content of /proc/net/dev, I really can't see any way to identify if the lack of traffic is caused by the interface actually having seen no traffic or by some masking by kernel related changes. Therefore, producing any warnings based on that data could result in false warnings.

Possibly a note to the non-root install instructions and the RESTRICTIONS section of the man page would be the correct place to include documentation related to this use scenario.

[cgzones]

I misunderstood the problem at first, so the previous suggestions are void.

A note on the man page sounds good.

What about this patch

diff --git a/src/vnstatd.c b/src/vnstatd.c
index f42f562..4ef1440 100644
--- a/src/vnstatd.c
+++ b/src/vnstatd.c
@@ -162,6 +162,32 @@ int main(int argc, char *argv[])
        snprintf(errorstring, 512, "vnStat daemon %s started. (pid:%d uid:%d gid:%d)", getversion(), (int)getpid(), (int)getuid(), (int)getgid());
        printe(PT_Info);

+#if defined(__linux__)
+       /* grsecurity check, regarding /proc access */
+       {
+               const uid_t curr_euid = geteuid();
+               const struct group *grsec_grp = getgrnam("grsec-proc");
+
+               if (curr_euid != 0 && grsec_grp != NULL) {
+                       gid_t list[8];
+                       const int group_count = getgroups(8, list);
+                       if (group_count > 0) {
+                               int match = 0;
+                               for (int i = 0; i < group_count; ++i) {
+                                       if (list[i] == grsec_grp->gr_gid) {
+                                               match = 1;
+                                               break;
+                                       }
+                               }
+                               if (!match) {
+                                       snprintf(errorstring, 512, "grsecurity might block data collection, see man:vnstatd(1)");
+                                       printe(PT_Info);
+                               }
+                       }
+               }
+       }
+#endif
+
        /* main loop */
        while (s.running) {

[vergoh]

I'd prefer to have some way of detecting when a grsecurity enhanced kernel is being used. That way, the logic could be to check if the user is something else than root, then check for grsecurity and if found and traffic equals zero, show the warning.

The problem is, even after reading the grsecurity documentation, I haven't seen a way of detecting when grsecurity is enabled. The grsec-proc group at most indicates that the system may have had grsecurity enabled at some point. That group name may also be Debian specific as I didn't see such group name suggested by the grsecurity documentation directly.

[cgzones]

Maybe for now an addition to the man page is sufficient, as adding detection for a running grsecurity enhanced kernel is not (meant to be?) simple and might invoke too extensive access (e.g. when using an LSM, like SELinux).
Also with the latest grsecurity announcement I do not know if and how grsecurity is shipped by distros in the future.