Comments (10)
cormander
commented on August 22, 2024
Did you load the tpe module after install? The rpm set it to load at boot, but doesn't look like it loads at install time. Run this:
sudo modprobe tpe
The modprobe command should read in the config - if not, run this and then retry testing your features:
sudo sysctl -p /etc/sysctl.d/tpe.conf
If still not working, run the test suite (from the git repository) and let me know the output:
make clean test
The test assumes you have sudo permissions. It also unloads the module after it finishes.
from tpe-lkm.
cormander
commented on August 22, 2024
Also I just noticed you have:
tpe.softmode = 1
The softmode makes all features permissable. Check your dmesg or look in /var/log/messages to see the denial of access to /proc/kallsyms. It won't log on the ps denials.
from tpe-lkm.
rfxn
commented on August 22, 2024
After further poking it appears as though the behavior of tpe.softmode has changed. In 1.1.0 when softmode = 1 the 'extras' features still operate as intended. However, in 2.x when softmode = 1, they do not.
I verified this on multiple el6 systems I have running 1.0.3 and 1.1.0 where softmode = 1 w/ extras also enabled and all work as intended (e.g: create test user, cant cat kallsysm, list kmods or list unowned processes).
When testing the same against 2.x, softmode = 1 is causing all 'extras' to not operate. Is this an intentional change?
from tpe-lkm.
cormander
commented on August 22, 2024
Yes that was an intended change. Softmode was meant to not deny anything at all - so the extras working in softmode was a bug that was fixed in 2.0. Do you run this module just for the extras, and not tpe itself?
from tpe-lkm.
rfxn
commented on August 22, 2024
On shared systems I run it for just the extras, on more tightly controlled internal systems and/or PCI compliant ones, I more broadly leverage all TPE features.
It is a nice to have in high user count shared systems where the extra's make allot of sense.
from tpe-lkm.
rfxn
commented on August 22, 2024
How practical would it be to separate softmode into two sysctl knobs?
Such as:
tpe.softmode
tpe.extras.softmode
Or, an alternative approach:
tpe.extras.softmode.ignore
Thoughts?
from tpe-lkm.
cormander
commented on August 22, 2024
I can do a tpe.extras.ignore_softmode. I just pushed a commit to branch feature/ignore_softmode that is, for now, a hard-coded ignore softmode. I'll merge it back to master after it's properly tiedied up.
from tpe-lkm.
rfxn
commented on August 22, 2024
Awesome, thank you. That will be super helpful to have as a mainline feature!
from tpe-lkm.
cormander
commented on August 22, 2024
Feature added in db55610
from tpe-lkm.
cormander
commented on August 22, 2024
Also added tpe.extras.log in 8ced813 so you can still log denied extras when normal tpe.log is off.
from tpe-lkm.
Related Issues (20)
- Feature request - multiple values for trusted_gid HOT 6
- Possibility for 4.x kernels ? HOT 2
- Build failed on linux-4.11 HOT 3
- Unable to insert module, ftrace is not enabled HOT 13
- Compile failed with kernel 4.9 HOT 3
- In-tree build HOT 2
- [info] Attempt to upstream TPE HOT 13
- Can't compile on Debian/Devuan 8 HOT 6
- Random kernel panics on boot HOT 2
- Setting tpe.extras.hide_uname=1 doesn't work. HOT 3
- Lack of documentation on some TPE parameters HOT 2
- Can TPE work with Docker containers? HOT 2
- kernel: tpe: warning: cred->security was not remapped; the soften_mmap flag won't persist to child processes. HOT 1
- tpe.trusted_apps doesn't work HOT 1
- How to define trusted gid ? HOT 1
- #error "Arch not currently supported.
- user-space programs can not get the correct errno
- Harden_symlinks not available via package? HOT 1
- Project dead? HOT 9
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from tpe-lkm.