cormander / tpe-lkm

Trusted Path Execution (TPE) Linux Kernel Module

extras disabled by softmode in 2.0 #19

Closed rfxn closed 7 years ago

rfxn commented 7 years ago

I am not currently able to get tpe.extra features to work on el7 with the latest kernel (3.10.0-514.16.1.el7.x86_64) running tpe-lkm 2.0.1. I am using the elrepo kmod-tpe package and also tried the in-testing 2.0.2 version with no difference built by @pjperry a few days ago.

I even went as far as to rebuild the rpm manually against latest commit from the elrepo spec file and it made no difference. I am not sure if this is an issue with the spec and how elrepo rpm is built (@pjperry ) or if its a tpe-lkm issue directly (@cormander).

Testing has been conducted on two separate el7 systems, one KVM based and one bare metal, with the same results.

All extra features are not working, that is to say all processes are visible for non-root users, lsmod can be run without issue, kallsyms can be cat'd and hide_uname makes no difference (when enabled).

Find below current sysctl values for TPE.

tpe.admin_gid = 0
tpe.check_file = 0
tpe.dmz_gid = 0
tpe.extras.harden_ptrace = 1
tpe.extras.hide_uname = 0
tpe.extras.lsmod = 1
tpe.extras.proc_kallsyms = 1
tpe.extras.ps = 1
tpe.extras.ps_gid = 0
tpe.extras.restrict_setuid = 0
tpe.group_writable = 1
tpe.hardcoded_path =
tpe.kill = 0
tpe.lock = 0
tpe.log = 0
tpe.log_floodburst = 5
tpe.log_floodtime = 5
tpe.log_max = 50
tpe.log_verbose = 1
tpe.paranoid = 0
tpe.softmode = 1
tpe.strict = 0
tpe.trusted_apps =
tpe.trusted_gid = 0
tpe.trusted_invert = 0
tpe.xattr_soften = 1

cormander commented 7 years ago

Did you load the tpe module after install? The rpm sets it to load at boot, but it doesn't look like it loads at install time. Run this:

sudo modprobe tpe

The modprobe command should read in the config - if not, run this and then retry testing your features:

sudo sysctl -p /etc/sysctl.d/tpe.conf

If still not working, run the test suite (from the git repository) and let me know the output:

make clean test

The test assumes you have sudo permissions. It also unloads the module after it finishes.

cormander commented 7 years ago

Also I just noticed you have:

tpe.softmode = 1

The softmode makes all features permissible. Check your dmesg or look in /var/log/messages to see the denial of access to /proc/kallsyms. It won't log on the ps denials.

rfxn commented 7 years ago

After further poking it appears as though the behavior of tpe.softmode has changed. In 1.1.0 when softmode = 1 the 'extras' features still operate as intended. However, in 2.x when softmode = 1, they do not.

I verified this on multiple el6 systems I have running 1.0.3 and 1.1.0 where softmode = 1 w/ extras also enabled, and all work as intended (e.g. create test user, can't cat kallsyms, list kmods or list unowned processes).

When testing the same against 2.x, softmode = 1 is causing all 'extras' to not operate. Is this an intentional change?

cormander commented 7 years ago

Yes that was an intended change. Softmode was meant to not deny anything at all - so the extras working in softmode was a bug that was fixed in 2.0. Do you run this module just for the extras, and not tpe itself?

rfxn commented 7 years ago

On shared systems I run it for just the extras, on more tightly controlled internal systems and/or PCI compliant ones, I more broadly leverage all TPE features.

It is a nice-to-have on high user count shared systems, where the extras make a lot of sense.

rfxn commented 7 years ago

How practical would it be to separate softmode into two sysctl knobs?

Such as:

tpe.softmode
tpe.extras.softmode

Or, an alternative approach:

tpe.extras.softmode.ignore

Thoughts?

cormander commented 7 years ago

I can do a tpe.extras.ignore_softmode. I just pushed a commit to branch feature/ignore_softmode that is, for now, a hard-coded ignore softmode. I'll merge it back to master after it's properly tidied up.

rfxn commented 7 years ago

Awesome, thank you. That will be super helpful to have as a mainline feature!

cormander commented 7 years ago

Feature added in db556100167b9f325d59cdb8892f378d75c5ff06

cormander commented 7 years ago

Also added tpe.extras.log in 8ced8135d0b37a566e51aa40bc38d79037199955 so you can still log denied extras when normal tpe.log is off.
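As an added example (not code from tpe-lkm or from anyone in this thread), the script below reads sysctl-style `tpe.*` output and reports which extras are actually enforced under the 2.x semantics cormander describes above: `tpe.softmode = 1` turns off every extra unless `tpe.extras.ignore_softmode = 1`. The sample config is constructed from the values the reporter posted, and the assumption that a missing `tpe.extras.ignore_softmode` behaves as 0 is the script's own, not something the thread states.

```bash
#!/bin/sh
# Constructed sample of `sysctl -a | grep '^tpe\.'` output, modelled on the
# values posted in this issue plus the knob added by the fix.
SAMPLE_TPE_CONF='tpe.softmode = 1
tpe.extras.ignore_softmode = 0
tpe.extras.harden_ptrace = 1
tpe.extras.hide_uname = 0
tpe.extras.lsmod = 1
tpe.extras.proc_kallsyms = 1
tpe.extras.ps = 1
tpe.extras.restrict_setuid = 0'

# tpe_get KEY CONF: print the value of KEY from sysctl-style text.
# Assumption: a key that is absent (e.g. ignore_softmode on a build that
# predates the fix) is treated as 0.
tpe_get() {
    printf '%s\n' "$2" | awk -v k="$1" \
        '$1 == k { print $3; found = 1 } END { if (!found) print 0 }'
}

# tpe_effective_extras CONF: print, one per line, the boolean extras that are
# enforced. In 2.x, softmode=1 disables all of them unless ignore_softmode=1.
tpe_effective_extras() {
    conf="$1"
    softmode=$(tpe_get tpe.softmode "$conf")
    ignore=$(tpe_get tpe.extras.ignore_softmode "$conf")
    if [ "$softmode" = 1 ] && [ "$ignore" != 1 ]; then
        return 0   # nothing enforced: the state the reporter observed
    fi
    # ignore_softmode, log and ps_gid are not themselves enforcement toggles
    printf '%s\n' "$conf" | awk '
        $1 ~ /^tpe\.extras\./ && $1 != "tpe.extras.ignore_softmode" &&
        $1 != "tpe.extras.log" && $1 != "tpe.extras.ps_gid" && $3 == 1 { print $1 }'
}

# tpe_check_live: use the running kernel's values when the module is loaded,
# otherwise fall back to the constructed sample so the script runs offline.
tpe_check_live() {
    if conf=$(sysctl -a 2>/dev/null | grep '^tpe\.'); then
        tpe_effective_extras "$conf"
    else
        tpe_effective_extras "$SAMPLE_TPE_CONF"
    fi
}
```

An empty result with extras set to 1 in the config is exactly the "nothing is restricted" symptom from the opening report; flipping `tpe.extras.ignore_softmode` to 1 (or `tpe.softmode` to 0) makes them appear.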