xorl %eax, %eax

GRKERNSEC_EXECVE Process Spawning Limit

leave a comment »

This is a nice kernel-side way to limit the number of processes a user is allowed to spawn. Here is the description:

	bool "Enforce RLIMIT_NPROC on execs"
	  If you say Y here, users with a resource limit on processes will
	  have the value checked during execve() calls.  The current system
	  only checks the system limit during fork() calls.  If the sysctl option
	  is enabled, a sysctl option with name "execve_limiting" is created.

The code is a simple routine available at grsecurity/grsec_exec.c

	const struct cred *cred = current_cred();
	if (grsec_enable_execve && cred->user &&
	    (atomic_read(&cred->user->processes) > rlimit(RLIMIT_NPROC)) &&
	    !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
		gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
		return -EAGAIN;
	return 0;

This checks that ‘grsec_enable_execve’ is non-zero, ‘cred’ structure for the current task exists, its processes do not exceed the ‘RLIMIT_NPROC’ limit and the task has neither ‘CAP_SYS_ADMIN’ (System Administrator) nor ‘CAP_SYS_RESOURCE’ (Resources) POSIX capabilities set. If all these are true, it will print a message to the kernel’s log and return with ‘-EAGAIN’ (Error Try Again).
The ‘grsec_enable_execve’ integer is declared and initiallized at grsecurity/grsec_init.c…

int grsec_enable_execve;
	grsec_enable_execve = 1;

and it can be easily manipulated through ‘execve_limiting’ sysctl entry as we can read at grsecurity/grsec_sysctl.c file.

struct ctl_table grsecurity_table[] = {
		.procname	= "execve_limiting",
		.data		= &grsec_enable_execve,
		.maxlen		= sizeof(int),
		.mode		= 0600,
		.proc_handler	= &proc_dointvec,
	{ }

So, the name is ‘execve_limiting’ and it uses Linux kernel’s proc_dointvec() to store the user-space derived integer to ‘grsec_enable_execve’.

Written by xorl

November 9, 2010 at 05:17

Posted in grsecurity, linux, security

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s