Solaris 11.3 扩展权限配置文件 execve return EOVERFLOW
Solaris 11.3 Extended Privilege Profile execve return EOVERFLOW
当 运行ning java 的配置文件包含一长串 file_read 扩展属性时,我收到以下错误:
# pfexec /usr/jdk/instances/jdk1.8.0/bin/java -cp /vagrant HelloWorld
/usr/jdk/instances/jdk1.8.0/bin/java: Value too large for defined data type
当我 运行 它与 truss 我看到执行错误消息是:
execve("/usr/jdk/instances/jdk1.8.0/bin/java", 0xFCEA4B60, 0xFCEA4B74) Err#79 EOVERFLOW
execve 的手册页未将 EOVERFLOW 列为可能的 return。
这似乎与我在配置文件中放置的 file_read 扩展属性的数量有关。以下是重现问题的方法。 HelloWorld.java 来源很简单,但有助于确保从 ppriv -v pid
正确分配权限
public class HelloWorld {
public static void main( String[] args ) {
System.out.println("Sleeping");
try {
Thread.sleep(50000);
} catch( Exception e ) {
}
System.out.println("Hello World");
}
}
profiles 命令中似乎存在错误,而且 profiles 命令不愿意生成足够大的 file_read 列表
贡品。为了创建配置文件,您必须按如下方式编辑生成的 /etc/security/exec_attr:
# profiles -p test 'set desc=testing; add cmd=/usr/jdk/instances/jdk1.8.0/bin/java; set privs=basic; end; commit'
# usermod -P+test root
手动编辑 /etc/security/exec_attr 并使用以下内容为 java 设置最小权限以在没有任何权限错误的情况下执行(添加反斜杠是为了便于阅读,并且允许在 exec_attr 文件中使用) :
test:solaris:cmd:::/usr/jdk/instances/jdk1.8.0/bin/java:privs=\
{file_read}\:/lib/amd64/libc.so.1,\
{file_read}\:/lib/amd64/libcryptoutil.so.1,\
{file_read}\:/lib/amd64/libdl.so.1,\
{file_read}\:/lib/amd64/libdoor.so.1,\
{file_read}\:/lib/amd64/libelf.so.1,\
{file_read}\:/lib/amd64/libgen.so.1,\
{file_read}\:/lib/amd64/libkstat.so.1,\
{file_read}\:/lib/amd64/libm.so.1,\
{file_read}\:/lib/amd64/libm.so.2,\
{file_read}\:/lib/amd64/libmp.so.2,\
{file_read}\:/lib/amd64/libnsl.so.1,\
{file_read}\:/lib/amd64/libnvpair.so.1,\
{file_read}\:/lib/amd64/libscf.so.1,\
{file_read}\:/lib/amd64/libsocket.so.1,\
{file_read}\:/lib/amd64/libthread.so.1,\
{file_read}\:/lib/amd64/libucrypto.so.1,\
{file_read}\:/lib/amd64/libuutil.so.1,\
{file_read}\:/lib/amd64/libz.so.1,\
{file_read}\:/proc/*,\
{file_read}\:/system/volatile/name_service_door,\
{file_read}\:/system/volatile/tzsync,\
{file_read}\:/tmp,\
{file_read}\:/tmp/hsperfdata_root,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/bin/java,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/jre/lib/amd64/jvm.cfg,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/jre/lib/amd64/libjava.so,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/jre/lib/amd64/libverify.so,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/jre/lib/amd64/libzip.so,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/jre/lib/amd64/server/libjvm.so,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/jre/lib/ext,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/jre/lib/ext/meta-index,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/jre/lib/meta-index,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/jre/lib/resources.jar,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/jre/lib/rt.jar,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/lib/amd64/jli/libjli.so,\
{file_read}\:/usr/lib/amd64/libCrun.so.1,\
{file_read}\:/usr/lib/amd64/libdemangle.so.1,\
{file_read}\:/usr/lib/amd64/libsched.so.1,\
{file_read}\:/usr/lib/amd64/libsmbios.so.1,\
{file_read}\:/usr/share/lib/zoneinfo/US/Eastern,\
{file_read}\:/vagrant/HelloWorld.class;limitprivs=file_read
为了产生错误,我添加了 {file_read}\:/absolute/path 条目,直到产生错误。我使用了通过调用 find /usr/lib -name '*.jar' 生成的预先存在的文件并添加它们直到失败 EOVERFLOW
就我而言,以下文件列表就足够了。删除其中任何一个都足以让它再次工作。
{file_read}\:/usr/lib/rad/java/authentication.jar,\
{file_read}\:/usr/lib/rad/java/authentication_1.jar,\
{file_read}\:/usr/lib/rad/java/config.jar,\
{file_read}\:/usr/lib/rad/java/config_1.jar,\
{file_read}\:/usr/lib/rad/java/container.jar,\
{file_read}\:/usr/lib/rad/java/container_1.jar,\
{file_read}\:/usr/lib/rad/java/control.jar,\
{file_read}\:/usr/lib/rad/java/control_1.jar,\
{file_read}\:/usr/lib/rad/java/dlmgr.jar,\
{file_read}\:/usr/lib/rad/java/dlmgr_1.jar,\
{file_read}\:/usr/lib/rad/java/errors.jar,\
{file_read}\:/usr/lib/rad/java/errors_1.jar,\
{file_read}\:/usr/lib/rad/java/evscntl.jar,\
{file_read}\:/usr/lib/rad/java/evscntl_1.jar,\
{file_read}\:/usr/lib/rad/java/files.jar,\
{file_read}\:/usr/lib/rad/java/files_1.jar,\
{file_read}\:/usr/lib/rad/java/kstat.jar,\
{file_read}\:/usr/lib/rad/java/kstat_1.jar,\
{file_read}\:/usr/lib/rad/java/modules.jar,\
{file_read}\:/usr/lib/rad/java/modules_1.jar,\
{file_read}\:/usr/lib/rad/java/network.jar,\
{file_read}\:/usr/lib/rad/java/network_1.jar,\
{file_read}\:/usr/lib/rad/java/pam.jar,\
{file_read}\:/usr/lib/rad/java/pam_1.jar,\
{file_read}\:/usr/lib/rad/java/panels.jar,\
{file_read}\:/usr/lib/rad/java/panels_1.jar,\
{file_read}\:/usr/lib/rad/java/rad.jar,\
{file_read}\:/usr/lib/rad/java/smf.jar,\
{file_read}\:/usr/lib/rad/java/smf_1.jar,\
{file_read}\:/usr/lib/rad/java/smf_old.jar,\
{file_read}\:/usr/lib/rad/java/smf_old_1.jar,\
{file_read}\:/usr/lib/rad/java/time.jar,\
{file_read}\:/usr/lib/rad/java/time_1.jar,\
{file_read}\:/usr/lib/rad/java/usermgr.jar,\
{file_read}\:/usr/lib/rad/java/usermgr_1.jar,\
{file_read}\:/usr/lib/rad/java/zfsmgr.jar,\
{file_read}\:/usr/lib/rad/java/zfsmgr_1.jar,\
{file_read}\:/usr/lib/rad/java/zonemgr.jar,\
{file_read}\:/usr/lib/rad/java/zonemgr_1.jar,\
{file_read}\:/usr/lib/rad/java/zonesbridge.jar,\
{file_read}\:/usr/lib/rad/java/zonesbridge_1.jar,\
{file_read}\:/usr/lib/ocm/ccr/inventory/engines.jar,\
{file_read}\:/usr/lib/ocm/ccr/inventory/metricdata.jar,\
{file_read}\:/usr/lib/ocm/ccr/inventory/core.jar,\
{file_read}\:/usr/lib/ocm/ccr/inventory/scripts.jar,\
{file_read}\:/usr/lib/ocm/ccr/inventory/ocmcert.jar,\
{file_read}\:/usr/lib/ocm/ccr/oui/jlib/OraPrereq.jar,\
{file_read}\:/usr/lib/ocm/ccr/oui/jlib/OraCheckPoint.jar,\
{file_read}\:/usr/lib/ocm/ccr/oui/jlib/OraInstallerNet.jar,\
{file_read}\:/usr/lib/ocm/ccr/oui/jlib/OraInstaller.jar,\
{file_read}\:/usr/lib/ocm/ccr/oui/jlib/share.jar,\
{file_read}\:/usr/lib/ocm/ccr/oui/jlib/xmlparserv2.jar,\
{file_read}\:/usr/lib/ocm/ccr/lib/OCMRFCreator.jar,\
{file_read}\:/usr/lib/ocm/ccr/lib/OpsCenterHarvester.jar,\
{file_read}\:/usr/lib/ocm/ccr/lib/emCCR.jar,\
{file_read}\:/usr/lib/ocm/ccr/lib/emgcharvester.jar,\
{file_read}\:/usr/lib/ocm/ccr/lib/emocmclnt-14.jar,\
{file_read}\:/usr/lib/ocm/ccr/lib/emocmclnt.jar,\
{file_read}\:/usr/lib/ocm/ccr/lib/emocmcommon.jar,\
{file_read}\:/usr/lib/ocm/ccr/lib/emocmdsf.jar
通过执行 profiles -l
确保您的个人资料更改得到反映
这只是 Solaris 11.3 下的两个错误吗?一个在 profiles 命令中(可以解决),另一个在内核中? (这不容易解决)
首先,为什么不用像{file_read}\:/usr/lib/rad/java/*这样的通配符呢?
这将限制条目的数量。此外,当我们谈论 {file_read} 时,拥有这么多文件将非常昂贵。
规则数量有限,但有一个(未记录的)可调参数:
xpol_rules_max 您可以在 /etc/system 中设置,方法是添加以下行:set xpol_rules_max=100 或使用 mdb -wk 即时设置,如下所示:
# mdb -wk
Loading modules: [ unix genunix specfs dtrace mac cpu.generic uppc pcplusmp zvpsm scsi_vhci zfs sata sd ip hook neti arp usba kssl sockfs lofs random idm cpc crypto fcip fctl nfs ufs logindmux ptm sppp ]
> xpol_rules_max/x
xpol_rules_max:
xpol_rules_max: 64
> xpol_rules_max/w 100
xpol_rules_max: 0x64 = 0x100
当 运行ning java 的配置文件包含一长串 file_read 扩展属性时,我收到以下错误:
# pfexec /usr/jdk/instances/jdk1.8.0/bin/java -cp /vagrant HelloWorld
/usr/jdk/instances/jdk1.8.0/bin/java: Value too large for defined data type
当我 运行 它与 truss 我看到执行错误消息是:
execve("/usr/jdk/instances/jdk1.8.0/bin/java", 0xFCEA4B60, 0xFCEA4B74) Err#79 EOVERFLOW
execve 的手册页未将 EOVERFLOW 列为可能的 return。
这似乎与我在配置文件中放置的 file_read 扩展属性的数量有关。以下是重现问题的方法。 HelloWorld.java 来源很简单,但有助于确保从 ppriv -v pid
public class HelloWorld {
public static void main( String[] args ) {
System.out.println("Sleeping");
try {
Thread.sleep(50000);
} catch( Exception e ) {
}
System.out.println("Hello World");
}
}
profiles 命令中似乎存在错误,而且 profiles 命令不愿意生成足够大的 file_read 列表
贡品。为了创建配置文件,您必须按如下方式编辑生成的 /etc/security/exec_attr:
# profiles -p test 'set desc=testing; add cmd=/usr/jdk/instances/jdk1.8.0/bin/java; set privs=basic; end; commit'
# usermod -P+test root
手动编辑 /etc/security/exec_attr 并使用以下内容为 java 设置最小权限以在没有任何权限错误的情况下执行(添加反斜杠是为了便于阅读,并且允许在 exec_attr 文件中使用) :
test:solaris:cmd:::/usr/jdk/instances/jdk1.8.0/bin/java:privs=\
{file_read}\:/lib/amd64/libc.so.1,\
{file_read}\:/lib/amd64/libcryptoutil.so.1,\
{file_read}\:/lib/amd64/libdl.so.1,\
{file_read}\:/lib/amd64/libdoor.so.1,\
{file_read}\:/lib/amd64/libelf.so.1,\
{file_read}\:/lib/amd64/libgen.so.1,\
{file_read}\:/lib/amd64/libkstat.so.1,\
{file_read}\:/lib/amd64/libm.so.1,\
{file_read}\:/lib/amd64/libm.so.2,\
{file_read}\:/lib/amd64/libmp.so.2,\
{file_read}\:/lib/amd64/libnsl.so.1,\
{file_read}\:/lib/amd64/libnvpair.so.1,\
{file_read}\:/lib/amd64/libscf.so.1,\
{file_read}\:/lib/amd64/libsocket.so.1,\
{file_read}\:/lib/amd64/libthread.so.1,\
{file_read}\:/lib/amd64/libucrypto.so.1,\
{file_read}\:/lib/amd64/libuutil.so.1,\
{file_read}\:/lib/amd64/libz.so.1,\
{file_read}\:/proc/*,\
{file_read}\:/system/volatile/name_service_door,\
{file_read}\:/system/volatile/tzsync,\
{file_read}\:/tmp,\
{file_read}\:/tmp/hsperfdata_root,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/bin/java,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/jre/lib/amd64/jvm.cfg,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/jre/lib/amd64/libjava.so,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/jre/lib/amd64/libverify.so,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/jre/lib/amd64/libzip.so,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/jre/lib/amd64/server/libjvm.so,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/jre/lib/ext,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/jre/lib/ext/meta-index,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/jre/lib/meta-index,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/jre/lib/resources.jar,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/jre/lib/rt.jar,\
{file_read}\:/usr/jdk/instances/jdk1.8.0/lib/amd64/jli/libjli.so,\
{file_read}\:/usr/lib/amd64/libCrun.so.1,\
{file_read}\:/usr/lib/amd64/libdemangle.so.1,\
{file_read}\:/usr/lib/amd64/libsched.so.1,\
{file_read}\:/usr/lib/amd64/libsmbios.so.1,\
{file_read}\:/usr/share/lib/zoneinfo/US/Eastern,\
{file_read}\:/vagrant/HelloWorld.class;limitprivs=file_read
为了产生错误,我添加了 {file_read}\:/absolute/path 条目,直到产生错误。我使用了通过调用 find /usr/lib -name '*.jar' 生成的预先存在的文件并添加它们直到失败 EOVERFLOW
就我而言,以下文件列表就足够了。删除其中任何一个都足以让它再次工作。
{file_read}\:/usr/lib/rad/java/authentication.jar,\
{file_read}\:/usr/lib/rad/java/authentication_1.jar,\
{file_read}\:/usr/lib/rad/java/config.jar,\
{file_read}\:/usr/lib/rad/java/config_1.jar,\
{file_read}\:/usr/lib/rad/java/container.jar,\
{file_read}\:/usr/lib/rad/java/container_1.jar,\
{file_read}\:/usr/lib/rad/java/control.jar,\
{file_read}\:/usr/lib/rad/java/control_1.jar,\
{file_read}\:/usr/lib/rad/java/dlmgr.jar,\
{file_read}\:/usr/lib/rad/java/dlmgr_1.jar,\
{file_read}\:/usr/lib/rad/java/errors.jar,\
{file_read}\:/usr/lib/rad/java/errors_1.jar,\
{file_read}\:/usr/lib/rad/java/evscntl.jar,\
{file_read}\:/usr/lib/rad/java/evscntl_1.jar,\
{file_read}\:/usr/lib/rad/java/files.jar,\
{file_read}\:/usr/lib/rad/java/files_1.jar,\
{file_read}\:/usr/lib/rad/java/kstat.jar,\
{file_read}\:/usr/lib/rad/java/kstat_1.jar,\
{file_read}\:/usr/lib/rad/java/modules.jar,\
{file_read}\:/usr/lib/rad/java/modules_1.jar,\
{file_read}\:/usr/lib/rad/java/network.jar,\
{file_read}\:/usr/lib/rad/java/network_1.jar,\
{file_read}\:/usr/lib/rad/java/pam.jar,\
{file_read}\:/usr/lib/rad/java/pam_1.jar,\
{file_read}\:/usr/lib/rad/java/panels.jar,\
{file_read}\:/usr/lib/rad/java/panels_1.jar,\
{file_read}\:/usr/lib/rad/java/rad.jar,\
{file_read}\:/usr/lib/rad/java/smf.jar,\
{file_read}\:/usr/lib/rad/java/smf_1.jar,\
{file_read}\:/usr/lib/rad/java/smf_old.jar,\
{file_read}\:/usr/lib/rad/java/smf_old_1.jar,\
{file_read}\:/usr/lib/rad/java/time.jar,\
{file_read}\:/usr/lib/rad/java/time_1.jar,\
{file_read}\:/usr/lib/rad/java/usermgr.jar,\
{file_read}\:/usr/lib/rad/java/usermgr_1.jar,\
{file_read}\:/usr/lib/rad/java/zfsmgr.jar,\
{file_read}\:/usr/lib/rad/java/zfsmgr_1.jar,\
{file_read}\:/usr/lib/rad/java/zonemgr.jar,\
{file_read}\:/usr/lib/rad/java/zonemgr_1.jar,\
{file_read}\:/usr/lib/rad/java/zonesbridge.jar,\
{file_read}\:/usr/lib/rad/java/zonesbridge_1.jar,\
{file_read}\:/usr/lib/ocm/ccr/inventory/engines.jar,\
{file_read}\:/usr/lib/ocm/ccr/inventory/metricdata.jar,\
{file_read}\:/usr/lib/ocm/ccr/inventory/core.jar,\
{file_read}\:/usr/lib/ocm/ccr/inventory/scripts.jar,\
{file_read}\:/usr/lib/ocm/ccr/inventory/ocmcert.jar,\
{file_read}\:/usr/lib/ocm/ccr/oui/jlib/OraPrereq.jar,\
{file_read}\:/usr/lib/ocm/ccr/oui/jlib/OraCheckPoint.jar,\
{file_read}\:/usr/lib/ocm/ccr/oui/jlib/OraInstallerNet.jar,\
{file_read}\:/usr/lib/ocm/ccr/oui/jlib/OraInstaller.jar,\
{file_read}\:/usr/lib/ocm/ccr/oui/jlib/share.jar,\
{file_read}\:/usr/lib/ocm/ccr/oui/jlib/xmlparserv2.jar,\
{file_read}\:/usr/lib/ocm/ccr/lib/OCMRFCreator.jar,\
{file_read}\:/usr/lib/ocm/ccr/lib/OpsCenterHarvester.jar,\
{file_read}\:/usr/lib/ocm/ccr/lib/emCCR.jar,\
{file_read}\:/usr/lib/ocm/ccr/lib/emgcharvester.jar,\
{file_read}\:/usr/lib/ocm/ccr/lib/emocmclnt-14.jar,\
{file_read}\:/usr/lib/ocm/ccr/lib/emocmclnt.jar,\
{file_read}\:/usr/lib/ocm/ccr/lib/emocmcommon.jar,\
{file_read}\:/usr/lib/ocm/ccr/lib/emocmdsf.jar
通过执行 profiles -l
这只是 Solaris 11.3 下的两个错误吗?一个在 profiles 命令中(可以解决),另一个在内核中? (这不容易解决)
首先,为什么不用像{file_read}\:/usr/lib/rad/java/*这样的通配符呢?
这将限制条目的数量。此外,当我们谈论 {file_read} 时,拥有这么多文件将非常昂贵。
规则数量有限,但有一个(未记录的)可调参数:
xpol_rules_max 您可以在 /etc/system 中设置,方法是添加以下行:set xpol_rules_max=100 或使用 mdb -wk 即时设置,如下所示:
# mdb -wk
Loading modules: [ unix genunix specfs dtrace mac cpu.generic uppc pcplusmp zvpsm scsi_vhci zfs sata sd ip hook neti arp usba kssl sockfs lofs random idm cpc crypto fcip fctl nfs ufs logindmux ptm sppp ]
> xpol_rules_max/x
xpol_rules_max:
xpol_rules_max: 64
> xpol_rules_max/w 100
xpol_rules_max: 0x64 = 0x100