Grsecurity/Appendix/Subject Attributes

From Wikibooks, open books for an open world


user/group transitions

You may specify which users and groups a given subject can transition to, either inclusively (an allow list) or exclusively (a deny list). Omitting these rules allows a subject with the proper privilege granted by capabilities to transition to any user/group.

Usage:

  user_transition_allow <user 1> <user 2> ... <user n>
  user_transition_deny <protected user 1> <protected user 2> ... <protected user n>

  group_transition_allow <group 1> <group 2> ... <group n>
  group_transition_deny <protected group 1> <protected group 2> ... <protected group n>

Example:

  role person u
  subject /bin/su
  user_transition_allow root spender
  group_transition_allow root spender
  ...

  role person u
  subject /bin/su
  user_transition_deny specialuser
  group_transition_deny specialgroup
  ...

ip_override

It is possible to force a given subject to bind to a particular IP address on the machine. This can be useful for some sandboxed environments, to ensure the source IP used from the sandbox is one determined by RBAC policy. To restrict what other source IP addresses a subject can bind to, use the normal IP ACL support of the RBAC system. This option is solely used to override an application's use of INADDR_ANY when connecting out or binding to a local port.

Usage:

  ip_override <IP>

Example:

  role person u
  subject /
  ip_override 192.168.0.1
  ...
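As an added example (not from this page and not gradm's own parser), the following Python checker reads the transition and ip_override attributes from a policy fragment and evaluates them with the semantics described above: an allow list is inclusive, a deny list is exclusive, and a subject with neither may transition to anything its capabilities permit. The policy text and subject paths are constructed for the example, and the IP check assumes IPv4 as in the example above.

```python
import ipaddress

# Constructed sample policy fragment using the directives documented above.
# "..." lines stand in for the rest of a real subject block and are ignored.
POLICY = """\
role person u
subject /bin/su o
user_transition_allow root spender
group_transition_allow root spender
...
subject /usr/bin/sandbox o
user_transition_deny specialuser
group_transition_deny specialgroup
ip_override 192.168.0.1
...
"""

TRANSITION_KEYS = {"user_transition_allow", "user_transition_deny",
                   "group_transition_allow", "group_transition_deny"}


def parse_subjects(text):
    """Return {subject_path: {directive: value}} for the attributes covered here."""
    subjects, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        if key == "subject":
            current = rest.split()[0]          # path; the subject mode is ignored
            subjects[current] = {}
        elif current and key in TRANSITION_KEYS:
            subjects[current].setdefault(key, set()).update(rest.split())
        elif current and key == "ip_override":
            # ValueError here means the policy carries a malformed address.
            subjects[current]["ip_override"] = str(ipaddress.IPv4Address(rest.strip()))
    return subjects


def transition_allowed(rules, kind, name):
    """kind is 'user' or 'group'; absent rules leave the decision to capabilities."""
    allow = rules.get(f"{kind}_transition_allow")
    deny = rules.get(f"{kind}_transition_deny")
    if allow is not None:
        return name in allow        # inclusive: only listed names
    if deny is not None:
        return name not in deny     # exclusive: everything but listed names
    return True
```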
