Gentoo Archives: gentoo-hardened

From: Krzysztof Nowicki <krissn@××.pl>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] "grsec: denied RWX mprotect" doesn't kill app anymore
Date: Sat, 08 Nov 2014 22:51:32
Message-Id: 545E9E6D.5040405@op.pl
In Reply to: [gentoo-hardened] "grsec: denied RWX mprotect" doesn't kill app anymore by Alex Efros
On 01.11.2014 11:08, Alex Efros wrote:
> Hi!
>
> I wonder if something was changed in handling "grsec: denied RWX mprotect"?
> Previously, when I saw this in the kernel log it usually resulted in the app
> being killed (and I had to run `paxctl-ng -m /that/app`), but now it looks
> like this doesn't happen anymore. For example:
>
> # eselect opengl list
> Available OpenGL implementations:
> [1] nvidia *
> [2] xorg-x11
> # grep PAX /etc/portage/make.conf
> PAX_MARKINGS="XT"
> # paxctl-ng -v /usr/bin/glxgears
> /usr/bin/glxgears:
> PT_PAX : -e---
> XATTR_PAX : not found
> # /usr/bin/glxgears
> Running synchronized to the vertical refresh. The framerate should be
> approximately the same as the monitor refresh rate.
> 302 frames in 5.0 seconds = 60.336 FPS
> 300 frames in 5.0 seconds = 59.960 FPS
> (so, as you see, it works!)
>
> and here is the kernel log:
>
> 2014-11-01_10:00:19.58867 kern.alert: grsec: denied RWX mprotect of /usr/lib64/opengl/nvidia/lib/libGL.so.343.22 by /usr/bin/glxgears[glxgears:12208] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:8601] uid/euid:0/0 gid/egid:0/0
Since nvidia-drivers-340.17 NVIDIA has implemented some fallbacks for
systems where writing to executable memory is not allowed:

2014-06-09 version 340.17

[...]

* Improved support for running the NVIDIA driver in configurations where
  writing to executable memory is disallowed. Driver optimizations that
  require writing to executable memory can be forcefully disabled using the
  new __GL_WRITE_TEXT_SECTION environment variable. See the README for more
  details.

I haven't tested this myself yet, but it seems this should finally allow
running the NVIDIA binary driver on PaX-enabled systems.

>
> At the same time paxtest works ok (all killed).
>
>
> My kernel config:
>
> # zgrep PAX /proc/config.gz
>
> CONFIG_PAX_USERCOPY_SLABS=y
> CONFIG_PAX=y
> # CONFIG_PAX_SOFTMODE is not set
> # CONFIG_PAX_PT_PAX_FLAGS is not set
> CONFIG_PAX_XATTR_PAX_FLAGS=y
> CONFIG_PAX_NO_ACL_FLAGS=y
> # CONFIG_PAX_HAVE_ACL_FLAGS is not set
> # CONFIG_PAX_HOOK_ACL_FLAGS is not set
> CONFIG_PAX_NOEXEC=y
> CONFIG_PAX_PAGEEXEC=y
> CONFIG_PAX_EMUTRAMP=y
> CONFIG_PAX_MPROTECT=y
> # CONFIG_PAX_MPROTECT_COMPAT is not set
> # CONFIG_PAX_ELFRELOCS is not set
> # CONFIG_PAX_KERNEXEC is not set
> CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""
> CONFIG_PAX_ASLR=y
> # CONFIG_PAX_RANDKSTACK is not set
> CONFIG_PAX_RANDUSTACK=y
> CONFIG_PAX_RANDMMAP=y
> # CONFIG_PAX_MEMORY_SANITIZE is not set
> # CONFIG_PAX_MEMORY_STACKLEAK is not set
> CONFIG_PAX_MEMORY_STRUCTLEAK=y
> # CONFIG_PAX_MEMORY_UDEREF is not set
> CONFIG_PAX_REFCOUNT=y
> CONFIG_PAX_USERCOPY=y
> # CONFIG_PAX_USERCOPY_DEBUG is not set
> # CONFIG_PAX_SIZE_OVERFLOW is not set
> # CONFIG_PAX_LATENT_ENTROPY is not set
>
> # zgrep GRKERNSEC /proc/config.gz
>
> CONFIG_GRKERNSEC=y
> # CONFIG_GRKERNSEC_CONFIG_AUTO is not set
> CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
> CONFIG_GRKERNSEC_PROC_GID=1000
> CONFIG_GRKERNSEC_KMEM=y
> # CONFIG_GRKERNSEC_IO is not set
> CONFIG_GRKERNSEC_PERF_HARDEN=y
> CONFIG_GRKERNSEC_RAND_THREADSTACK=y
> CONFIG_GRKERNSEC_PROC_MEMMAP=y
> # CONFIG_GRKERNSEC_KSTACKOVERFLOW is not set
> # CONFIG_GRKERNSEC_BRUTE is not set
> CONFIG_GRKERNSEC_MODHARDEN=y
> CONFIG_GRKERNSEC_HIDESYM=y
> # CONFIG_GRKERNSEC_RANDSTRUCT is not set
> # CONFIG_GRKERNSEC_KERN_LOCKOUT is not set
> CONFIG_GRKERNSEC_NO_RBAC=y
> CONFIG_GRKERNSEC_ACL_HIDEKERN=y
> CONFIG_GRKERNSEC_ACL_MAXTRIES=3
> CONFIG_GRKERNSEC_ACL_TIMEOUT=30
> CONFIG_GRKERNSEC_PROC=y
> # CONFIG_GRKERNSEC_PROC_USER is not set
> CONFIG_GRKERNSEC_PROC_USERGROUP=y
> CONFIG_GRKERNSEC_PROC_ADD=y
> CONFIG_GRKERNSEC_LINK=y
> # CONFIG_GRKERNSEC_SYMLINKOWN is not set
> CONFIG_GRKERNSEC_FIFO=y
> # CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
> # CONFIG_GRKERNSEC_ROFS is not set
> CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
> CONFIG_GRKERNSEC_CHROOT=y
> CONFIG_GRKERNSEC_CHROOT_MOUNT=y
> CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
> CONFIG_GRKERNSEC_CHROOT_PIVOT=y
> CONFIG_GRKERNSEC_CHROOT_CHDIR=y
> CONFIG_GRKERNSEC_CHROOT_CHMOD=y
> CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
> CONFIG_GRKERNSEC_CHROOT_MKNOD=y
> CONFIG_GRKERNSEC_CHROOT_SHMAT=y
> CONFIG_GRKERNSEC_CHROOT_UNIX=y
> CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
> CONFIG_GRKERNSEC_CHROOT_NICE=y
> CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
> CONFIG_GRKERNSEC_CHROOT_CAPS=y
> # CONFIG_GRKERNSEC_AUDIT_GROUP is not set
> # CONFIG_GRKERNSEC_EXECLOG is not set
> CONFIG_GRKERNSEC_RESLOG=y
> # CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
> CONFIG_GRKERNSEC_AUDIT_PTRACE=y
> # CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
> # CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
> CONFIG_GRKERNSEC_SIGNAL=y
> CONFIG_GRKERNSEC_FORKFAIL=y
> # CONFIG_GRKERNSEC_TIME is not set
> CONFIG_GRKERNSEC_PROC_IPADDR=y
> CONFIG_GRKERNSEC_RWXMAP_LOG=y
> CONFIG_GRKERNSEC_DMESG=y
> CONFIG_GRKERNSEC_HARDEN_PTRACE=y
> CONFIG_GRKERNSEC_PTRACE_READEXEC=y
> CONFIG_GRKERNSEC_SETXID=y
> CONFIG_GRKERNSEC_HARDEN_IPC=y
> # CONFIG_GRKERNSEC_TPE is not set
> CONFIG_GRKERNSEC_RANDNET=y
> CONFIG_GRKERNSEC_BLACKHOLE=y
> CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
> # CONFIG_GRKERNSEC_SOCKET is not set
> # CONFIG_GRKERNSEC_DENYUSB is not set
> CONFIG_GRKERNSEC_SYSCTL=y
> CONFIG_GRKERNSEC_SYSCTL_ON=y
> CONFIG_GRKERNSEC_FLOODTIME=10
> CONFIG_GRKERNSEC_FLOODBURST=4
>
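The thread's practical point is that, once the driver can fall back instead of writing to executable memory, a "grsec: denied RWX mprotect" line no longer tells you by itself whether the application was killed, so the log needs to be read per binary before deciding whether a `paxctl-ng -m` marking is actually warranted. The following is an added example, not code from this thread or from grsecurity or NVIDIA: a small Python parser for that audit line (the format is taken from the line quoted above), which groups denials by executable and library and flags those that occurred in a root process. The function names, the field names and all sample log lines are this example's own; the first sample line copies the one from the thread, the others are constructed in the same format.

```python
import re
from collections import Counter, defaultdict

# Pattern for the grsecurity "denied RWX mprotect" audit line, modelled on the
# line quoted in this thread. The named groups are this example's own choice.
RWX_DENIAL = re.compile(
    r"grsec: denied RWX mprotect of (?P<lib>\S+) "
    r"by (?P<exe>\S+)\[(?P<comm>[^\]:]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<pexe>\S+)\[(?P<pcomm>[^\]:]+):(?P<ppid>\d+)\]"
)

# Constructed sample log: the first entry is the line quoted in the thread, the
# others are made up in the same format, plus one unrelated kernel message.
SAMPLE_LOG = [
    "2014-11-01_10:00:19.58867 kern.alert: grsec: denied RWX mprotect of "
    "/usr/lib64/opengl/nvidia/lib/libGL.so.343.22 by /usr/bin/glxgears[glxgears:12208] "
    "uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:8601] uid/euid:0/0 gid/egid:0/0",
    "2014-11-01_10:00:19.58901 kern.alert: grsec: denied RWX mprotect of "
    "/usr/lib64/opengl/nvidia/lib/libGL.so.343.22 by /usr/bin/glxgears[glxgears:12208] "
    "uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:8601] uid/euid:0/0 gid/egid:0/0",
    "2014-11-01_10:02:03.11203 kern.info: usb 1-1: new high-speed USB device number 4",
    "2014-11-01_10:05:44.77110 kern.alert: grsec: denied RWX mprotect of "
    "/usr/lib64/opengl/nvidia/lib/libGL.so.343.22 by /usr/bin/glxinfo[glxinfo:12990] "
    "uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:12950] "
    "uid/euid:1000/1000 gid/egid:1000/1000",
]


def parse_denial(line):
    """Return the fields of one RWX mprotect denial, or None for other lines."""
    m = RWX_DENIAL.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("pid", "uid", "euid", "gid", "egid", "ppid"):
        fields[key] = int(fields[key])
    return fields


def summarize(lines):
    """Count denials per (executable, library) pair."""
    counts = Counter()
    for line in lines:
        fields = parse_denial(line)
        if fields is not None:
            counts[(fields["exe"], fields["lib"])] += 1
    return counts


def review_candidates(lines):
    """Group denials by executable.

    Returns {exe: {"libs": [...], "count": n, "as_root": bool}} so an admin can
    decide per binary whether a PaX marking (the thread's `paxctl-ng -m`) is
    needed or whether the driver's own fallback already keeps the program
    running. Denials inside root processes are flagged because relaxing
    MPROTECT there gives up the most protection.
    """
    groups = defaultdict(lambda: {"libs": set(), "count": 0, "as_root": False})
    for line in lines:
        fields = parse_denial(line)
        if fields is None:
            continue
        g = groups[fields["exe"]]
        g["libs"].add(fields["lib"])
        g["count"] += 1
        if fields["euid"] == 0:
            g["as_root"] = True
    return {
        exe: {"libs": sorted(g["libs"]), "count": g["count"], "as_root": g["as_root"]}
        for exe, g in groups.items()
    }


if __name__ == "__main__":
    for exe, info in sorted(review_candidates(SAMPLE_LOG).items()):
        root = " (ran as root)" if info["as_root"] else ""
        print(f"{exe}: {info['count']} RWX denial(s){root}, libs: {', '.join(info['libs'])}")
```

On a live system the input would be the output of `dmesg` or the kernel log file instead of `SAMPLE_LOG`; the regex is anchored on the message text only, so the syslog timestamp prefix used above does not matter. Pairing the per-binary counts with a `paxctl-ng -v` check of the same binary, as in the thread, shows whether the denial is being logged for an unmarked program that nevertheless keeps running.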