hello Martin,

sorry to interrupt your thoughts, but gcc trampolines are not used for
such things :-(

let's answer your questions:

On Wed, 2003-09-17 at 20:01, Martin Bene wrote:
> Hi,
>
> I'm trying to get kaspersky AV (4.0.3.1) to run on a gentoo box with active
> grsecurity Segmentation based exec protection.
that is good when grsecurity is active
>
> Problem:
> * The kaspersky scanner / scanner daemon processes trigger the pax
> protection
> * The executables are statically linked
no problem

> * The executables check for modification, i.e. after modifying with
> chpax they no longer run.
halflife counterstrike servers do that too

>
> I expect that the triggering code would be a gcc trampoline, so compiling
> with trampoline + automatic detection turned on might work - but it's not a
> very good solution since it affects all executables on the system.
>
> Is there any way of running an executable with modified grsecurity options
> without changing the on-disk file with chpax?
yes, there is
with an enabled grsec system, you have to put grsecurity acl PaX flags
for the kaspersky binary:

from grsecurity.net acl doc:

· P DISABLES the PAGEEXEC feature of PaX on this subject

· S DISABLES the SEGMEXEC feature of PaX on this subject

· M DISABLES the MPROTECT feature of PaX on this subject

· R DISABLES the RANDMMAP feature of PaX on this subject

· G ENABLES the EMUTRAMP feature of PaX on this subject

· X ENABLES the RANDEXEC feature of PaX on this subject

read the gracl doc on the grsecurity.net website and the forums, then go
to the section F:

F. PaX flags and caveats

there you find more and more docs about setting the appropriate PaX
flags in the grsec acl.

you NEED to remember that this only prevents the binary from dying when
grsec is actually ACTIVE and RUNNING.
otherwise the local file chpax flags INSIDE the binary will trigger.
and the kaspersky scanner does not like it for a reason we all know:
tampering protection :-)

>
> Thanks, Martin

yo, keep on rolling!

bye,

Alex

>
> --
> gentoo-hardened@g.o mailing list
>
>

--
gentoo-hardened@g.o mailing list