Closed
Bug 834886
Opened 13 years ago
Closed 13 years ago
RSBAC policy change review request for train-2013.01.18
Categories
(Security Assurance :: General, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: gene, Assigned: kang)
References
Details
Attachments
(2 files, 3 obsolete files)
|
13.94 KB,
patch
|
kang
:
review+
|
Details | Diff | Splinter Review |
|
19.58 KB,
patch
|
Details | Diff | Splinter Review |
Guillaume,
New functionality in the browserid app have caused a mismatch with the existing RSBAC policy. Please take a look at the attached policy patch and review it.
Here are the debug lines that I used to create the patch :
<7>0003161399|check_comp_rc(): pid 23228 (node), owner 450, rc_role 50005, FILE rc_type 50001, request MAP_EXEC -> NOT_GRANTED!
<6>0003161400|rsbac_adf_request(): request MAP_EXEC, pid 23228, ppid 7730, prog_name node, uid 450, target_type FILE, tid Device 08:03 Inode 8407900 Path /opt/browserid/node_modules/toobusy/build/Release/toobusy.node, attr prot_bits, value 5, result NOT_GRANTED (Softmode) by RC
<7>0003161401|check_comp_rc(): pid 23228 (node), owner 450, rc_role 50005, FILE rc_type 50001, request MAP_EXEC -> NOT_GRANTED!
<6>0003161402|rsbac_adf_request(): request MAP_EXEC, pid 23228, ppid 7730, prog_name node, uid 450, target_type FILE, tid Device 08:03 Inode 8407900 Path /opt/browserid/node_modules/toobusy/build/Release/toobusy.node, attr prot_bits, value 7, result NOT_GRANTED (Softmode) by RC
|
Reporter | |
Comment 1•13 years ago
|
||
Attachment #706586 -
Flags: review?(gdestuynder)
|
|
Reporter | |
Comment 2•13 years ago
|
||
Talked with Guillaume and one of these will look better :
If this is a rare instance of a c library in node_module then :
attr_set_file_dir -V 66565 FD "//opt/browserid/node_modules/toobusy/build/Release/toobusy.node" rc_type_fd 50003
if we're going to be doing this more generally then this :
attr_set_file_dir -V 66565 FD "//opt/browserid/node_modules" rc_type_fd 50003
|
|
Reporter | |
Comment 3•13 years ago
|
||
I'll talk to the developer to find out if this is a one off or if we expect to see more of these to know which of the above policy changes we should implement.
Status: NEW → ASSIGNED
|
|
Reporter | |
Updated•13 years ago
|
Assignee: nobody → gene
|
|
Reporter | |
Comment 4•13 years ago
|
||
This patch ignores the fact that previously "/opt/browserid/node_modules/jwcrypto/node_modules/bigint/build/Release/bigint.node" had enjoyed the permissions of being a "sys-libs" file and now it's only a "BrowserID-lib" file. I'm guessing that the BrowserID-lib permissions will satisfy but I'll have to look when the app is running.
Attachment #707211 -
Flags: review?(gdestuynder)
|
Assignee | |
Comment 5•13 years ago
|
||
Comment on attachment 707211 [details] [diff] [review]
New patch which recategorizes node_modules as BrowserID-lib
Looks good to me. There's an additional thing that you wanna do, it's to reset the FD type of files that don't need it anymore, otherwise, RSBAC doesn't know (it stops applying it, but it wont remove anything previously set)
That's ok for access requests because you actually rewrite them.
I use the "fixups.policy" file in puppet for this, for example here what you want in fixups.policy is:
attr_set_file_dir -v 66565 FD "//opt/browserid/node_modules/jwcrypto/node_modules/bigint/build/Release/bigint.node" rc_type_fd 4294967294
(that's "inherit")
Attachment #707211 -
Flags: review?(gdestuynder) → review+
|
|
Reporter | |
Comment 6•13 years ago
|
||
Attachment #707211 -
Attachment is obsolete: true
|
|
Reporter | |
Comment 7•13 years ago
|
||
Cool, I'll plan to deploy this today at 2pm to stage, test it out and then move it onto prod.
|
|
Reporter | |
Comment 8•13 years ago
|
||
Attachment #706586 -
Attachment is obsolete: true
Attachment #707251 -
Attachment is obsolete: true
Attachment #706586 -
Flags: review?(gdestuynder)
Attachment #707322 -
Flags: review?(gdestuynder)
|
|
Assignee | |
Updated•13 years ago
|
Attachment #707322 -
Flags: review?(gdestuynder) → review+
|
|
Reporter | |
Comment 9•13 years ago
|
||
I've run out of time for my prod rsbac change. I will roll back the staging change, disable rsbac in stage (so as to not break staging) and redeploy to stage and prod tomorrow.
|
|
Reporter | |
Comment 10•13 years ago
|
||
Side note : I've seen this error which probably isn't a show stopper and can be ignored but I thought I'd drop it here so I could look at it tomorrow :
<7>0000046070|check_comp_rc(): pid 6766 (nginx), owner 0, rc_role 10010, DIR rc_type 201, request SEARCH -> NOT_GRANTED!
<6>0000046071|rsbac_adf_request(): request SEARCH, pid 6766, ppid 6765, prog_name nginx, prog_file /bin/bash, uid 0, target_type DIR, tid Device 08:03 Inode 6435073 Path /sbin, attr none, value none, result NOT_GRANTED by RC
|
|
||
Comment 11•13 years ago
|
||
(In reply to Gene Wood [:gene] from comment #9)
> I've run out of time for my prod rsbac change. I will roll back the staging
> change, disable rsbac in stage (so as to not break staging) and redeploy to
> stage and prod tomorrow.
So,actually the sweb{1,2,3} appear to have rsbac still enabled (the dbwriter log/main/current is showing a "failed to map segment from shared object: Operation not permitted" startup crash, and the daemon is just flapping.
|
|
Assignee | |
Comment 12•13 years ago
|
||
@comment 10 you can add SEARCH GET_STATUS_DATA CLOSE CHDIR for this (201=sys-exec)
@comment 11 rsbac generally stays enabled on stage, but rules are probably not back to default (?)
|
|
Reporter | |
Comment 13•13 years ago
|
||
I've deployed the changes (the patch not the ones you metion in Comment 12) along with a handful of additional changes which I'll detail tomorrow.
|
|
Reporter | |
Comment 14•13 years ago
|
||
Guillaume, here are the final set of changes that I implemented and deployed. Let me know if it's not clear from the patch what was changed and why.
Attachment #708215 -
Flags: review?(gdestuynder)
|
|
Reporter | |
Updated•13 years ago
|
Assignee: gene → gdestuynder
|
|
Assignee | |
Comment 15•13 years ago
|
||
I would also add:
+rc_set_item -V 66565 ROLE 300 admin_roles 50007 1
+rc_set_item -V 66565 ROLE 300 admin_roles 50008 1
+rc_set_item -V 66565 ROLE 300 admin_roles 50009 1
rc_set_item -V 66565 ROLE 300 assign_roles 50000 1
rc_set_item -V 66565 ROLE 300 assign_roles 50001 1
rc_set_item -V 66565 ROLE 300 assign_roles 50002 1
@@ -15,6 +18,9 @@
rc_set_item -V 66565 ROLE 300 assign_roles 50004 1
rc_set_item -V 66565 ROLE 300 assign_roles 50005 1
rc_set_item -V 66565 ROLE 300 assign_roles 50006 1
+rc_set_item -V 66565 ROLE 300 assign_roles 50007 1
+rc_set_item -V 66565 ROLE 300 assign_roles 50008 1
+rc_set_item -V 66565 ROLE 300 assign_roles 50009 1
To ROLE 1 (security), so that we can interactively make those changes as well (300 being puppet)
|
|
Reporter | |
Comment 16•13 years ago
|
||
done and comitted
|
|
Reporter | |
Updated•13 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
|
|
Assignee | |
Updated•13 years ago
|
Attachment #708215 -
Flags: review?(gdestuynder)
|
||
Updated•10 years ago
|
Component: Operations Security (OpSec): General → General
Product: mozilla.org → Enterprise Information Security
You need to log in
before you can comment on or make changes to this bug.
Description
•