Grsecurity/Appendix/Subject Attributes

user/group transitions
You may specify what users and groups a given subject can transition to. This can be done on an inclusive or exclusive basis. Omitting these rules allows a subject with proper privilege granted by capabilities to transition to any user/group.

Usage: user_transition_allow ...   user_transition_deny  ...

group_transition_allow ...   group_transition_deny  ...

Example: role person u subject /bin/su user_transition_allow root spender group_transition_allow root spender ...

role person u subject /bin/su user_transition_deny specialuser user_transition_deny specialgroup ...

ip_override
It is possible to force a given subject to bind to a particular IP address on the machine. This can be useful for some sandboxed environments, to ensure the source IP used from the sandbox is one determined by RBAC policy. To restrict what other source IP addresses a subject can bind to, use the normal IP ACL support of the RBAC system. This option is solely used to override an application's use of INADDR_ANY when connecting out or binding to a local port.

Usage: ip_override 

Example: role person u subject / ip_override 192.168.0.1 ...

Socket policy (bind/connect/sock_allow_family)
bind/connect are described under The RBAC System.

When connect/bind rules are used, additional rules will be required to unlock the use of additional socket families (outside of the common unix family). Multiple families can be specified per line.

To enable use of IPv6, add the line: sock_allow_family ipv6 To enable use of netlink, add the line: sock_allow_family netlink To enable all other families, add the line: sock_allow_family all