On Sun, Feb 09, 2014 at 02:10:47PM +0100, Luis Ressel wrote:
> > Isn't there any mount option that you can pass so that all members of
> > a certain group can still access sysfs? Perhaps "gid="?
>
> I guess that would be a safer approach. But I'd prefer a standardized
> approach for this - surely there are more non-root applications which
> need extended /sys access. I think not every hardened user should have
> to figure this out himself.

It needs to be staged a bit before we should consider optimizations in our
current setup.

> The best way I can imagine to solve this would be a new eclass. It
> would be called in an ebuild (unconditionally) with a user name, would
> then check if a certain USE flag (either "hardened" or something more
> specific) was set and then add the user in question to a certain group,
> perhaps "sysfs". Before doing this for the first time, it would create
> that group and ask the user to add an appropriate mount option.
>
> What do you think about this? Is it just overcomplicated or a good way
> to go? Also, do you know of other programs which have problems with
> GRKERNSEC_SYSFS_RESTRICT? I'd be willing to write the eclass if you
> like the idea.

There are others (I googled a bit and found a few), but not that many. If
the solution (group access) works and is sufficient, I don't know if there
is a need for creating an eclass.

After all, it might be as simple as:
#v+
use hardened && egroupadd sysfs <username>
#v-
if egroupadd existed, that is. I haven't looked in detail at the
user.eclass, but that would be all that is needed.

But again, I think this needs to stage a bit - document it on the wiki, test
it out. See if applications still work if they are members of said group
without that group being the primary group, etc.

Wkr,
Sven Vermeulen