| 1 |
Hi! |
| 2 |
|
| 3 |
I wonder is something was changed in handling "grsec: denied RWX mprotect"? |
| 4 |
Previously when I see this in kernel log it usually result in killing app |
| 5 |
(and I've to run `paxctl-ng -m /that/app`), but now it looks like this |
| 6 |
doesn't happens anymore. For example: |
| 7 |
|
| 8 |
# eselect opengl list |
| 9 |
Available OpenGL implementations: |
| 10 |
[1] nvidia * |
| 11 |
[2] xorg-x11 |
| 12 |
# grep PAX /etc/portage/make.conf |
| 13 |
PAX_MARKINGS="XT" |
| 14 |
# paxctl-ng -v /usr/bin/glxgears |
| 15 |
/usr/bin/glxgears: |
| 16 |
PT_PAX : -e--- |
| 17 |
XATTR_PAX : not found |
| 18 |
# /usr/bin/glxgears |
| 19 |
Running synchronized to the vertical refresh. The framerate should be |
| 20 |
approximately the same as the monitor refresh rate. |
| 21 |
302 frames in 5.0 seconds = 60.336 FPS |
| 22 |
300 frames in 5.0 seconds = 59.960 FPS |
| 23 |
(so, as you see, it works!) |
| 24 |
|
| 25 |
and here is kernel log: |
| 26 |
|
| 27 |
2014-11-01_10:00:19.58867 kern.alert: grsec: denied RWX mprotect of /usr/lib64/opengl/nvidia/lib/libGL.so.343.22 by /usr/bin/glxgears[glxgears:12208] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:8601] uid/euid:0/0 gid/egid:0/0 |
| 28 |
|
| 29 |
At same time paxtest works ok (all killed). |
| 30 |
|
| 31 |
|
| 32 |
My kernel config: |
| 33 |
|
| 34 |
# zgrep PAX /proc/config.gz |
| 35 |
|
| 36 |
CONFIG_PAX_USERCOPY_SLABS=y |
| 37 |
CONFIG_PAX=y |
| 38 |
# CONFIG_PAX_SOFTMODE is not set |
| 39 |
# CONFIG_PAX_PT_PAX_FLAGS is not set |
| 40 |
CONFIG_PAX_XATTR_PAX_FLAGS=y |
| 41 |
CONFIG_PAX_NO_ACL_FLAGS=y |
| 42 |
# CONFIG_PAX_HAVE_ACL_FLAGS is not set |
| 43 |
# CONFIG_PAX_HOOK_ACL_FLAGS is not set |
| 44 |
CONFIG_PAX_NOEXEC=y |
| 45 |
CONFIG_PAX_PAGEEXEC=y |
| 46 |
CONFIG_PAX_EMUTRAMP=y |
| 47 |
CONFIG_PAX_MPROTECT=y |
| 48 |
# CONFIG_PAX_MPROTECT_COMPAT is not set |
| 49 |
# CONFIG_PAX_ELFRELOCS is not set |
| 50 |
# CONFIG_PAX_KERNEXEC is not set |
| 51 |
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="" |
| 52 |
CONFIG_PAX_ASLR=y |
| 53 |
# CONFIG_PAX_RANDKSTACK is not set |
| 54 |
CONFIG_PAX_RANDUSTACK=y |
| 55 |
CONFIG_PAX_RANDMMAP=y |
| 56 |
# CONFIG_PAX_MEMORY_SANITIZE is not set |
| 57 |
# CONFIG_PAX_MEMORY_STACKLEAK is not set |
| 58 |
CONFIG_PAX_MEMORY_STRUCTLEAK=y |
| 59 |
# CONFIG_PAX_MEMORY_UDEREF is not set |
| 60 |
CONFIG_PAX_REFCOUNT=y |
| 61 |
CONFIG_PAX_USERCOPY=y |
| 62 |
# CONFIG_PAX_USERCOPY_DEBUG is not set |
| 63 |
# CONFIG_PAX_SIZE_OVERFLOW is not set |
| 64 |
# CONFIG_PAX_LATENT_ENTROPY is not set |
| 65 |
|
| 66 |
# zgrep GRKERNSEC /proc/config.gz |
| 67 |
|
| 68 |
CONFIG_GRKERNSEC=y |
| 69 |
# CONFIG_GRKERNSEC_CONFIG_AUTO is not set |
| 70 |
CONFIG_GRKERNSEC_CONFIG_CUSTOM=y |
| 71 |
CONFIG_GRKERNSEC_PROC_GID=1000 |
| 72 |
CONFIG_GRKERNSEC_KMEM=y |
| 73 |
# CONFIG_GRKERNSEC_IO is not set |
| 74 |
CONFIG_GRKERNSEC_PERF_HARDEN=y |
| 75 |
CONFIG_GRKERNSEC_RAND_THREADSTACK=y |
| 76 |
CONFIG_GRKERNSEC_PROC_MEMMAP=y |
| 77 |
# CONFIG_GRKERNSEC_KSTACKOVERFLOW is not set |
| 78 |
# CONFIG_GRKERNSEC_BRUTE is not set |
| 79 |
CONFIG_GRKERNSEC_MODHARDEN=y |
| 80 |
CONFIG_GRKERNSEC_HIDESYM=y |
| 81 |
# CONFIG_GRKERNSEC_RANDSTRUCT is not set |
| 82 |
# CONFIG_GRKERNSEC_KERN_LOCKOUT is not set |
| 83 |
CONFIG_GRKERNSEC_NO_RBAC=y |
| 84 |
CONFIG_GRKERNSEC_ACL_HIDEKERN=y |
| 85 |
CONFIG_GRKERNSEC_ACL_MAXTRIES=3 |
| 86 |
CONFIG_GRKERNSEC_ACL_TIMEOUT=30 |
| 87 |
CONFIG_GRKERNSEC_PROC=y |
| 88 |
# CONFIG_GRKERNSEC_PROC_USER is not set |
| 89 |
CONFIG_GRKERNSEC_PROC_USERGROUP=y |
| 90 |
CONFIG_GRKERNSEC_PROC_ADD=y |
| 91 |
CONFIG_GRKERNSEC_LINK=y |
| 92 |
# CONFIG_GRKERNSEC_SYMLINKOWN is not set |
| 93 |
CONFIG_GRKERNSEC_FIFO=y |
| 94 |
# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set |
| 95 |
# CONFIG_GRKERNSEC_ROFS is not set |
| 96 |
CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y |
| 97 |
CONFIG_GRKERNSEC_CHROOT=y |
| 98 |
CONFIG_GRKERNSEC_CHROOT_MOUNT=y |
| 99 |
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y |
| 100 |
CONFIG_GRKERNSEC_CHROOT_PIVOT=y |
| 101 |
CONFIG_GRKERNSEC_CHROOT_CHDIR=y |
| 102 |
CONFIG_GRKERNSEC_CHROOT_CHMOD=y |
| 103 |
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y |
| 104 |
CONFIG_GRKERNSEC_CHROOT_MKNOD=y |
| 105 |
CONFIG_GRKERNSEC_CHROOT_SHMAT=y |
| 106 |
CONFIG_GRKERNSEC_CHROOT_UNIX=y |
| 107 |
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y |
| 108 |
CONFIG_GRKERNSEC_CHROOT_NICE=y |
| 109 |
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y |
| 110 |
CONFIG_GRKERNSEC_CHROOT_CAPS=y |
| 111 |
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set |
| 112 |
# CONFIG_GRKERNSEC_EXECLOG is not set |
| 113 |
CONFIG_GRKERNSEC_RESLOG=y |
| 114 |
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set |
| 115 |
CONFIG_GRKERNSEC_AUDIT_PTRACE=y |
| 116 |
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set |
| 117 |
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set |
| 118 |
CONFIG_GRKERNSEC_SIGNAL=y |
| 119 |
CONFIG_GRKERNSEC_FORKFAIL=y |
| 120 |
# CONFIG_GRKERNSEC_TIME is not set |
| 121 |
CONFIG_GRKERNSEC_PROC_IPADDR=y |
| 122 |
CONFIG_GRKERNSEC_RWXMAP_LOG=y |
| 123 |
CONFIG_GRKERNSEC_DMESG=y |
| 124 |
CONFIG_GRKERNSEC_HARDEN_PTRACE=y |
| 125 |
CONFIG_GRKERNSEC_PTRACE_READEXEC=y |
| 126 |
CONFIG_GRKERNSEC_SETXID=y |
| 127 |
CONFIG_GRKERNSEC_HARDEN_IPC=y |
| 128 |
# CONFIG_GRKERNSEC_TPE is not set |
| 129 |
CONFIG_GRKERNSEC_RANDNET=y |
| 130 |
CONFIG_GRKERNSEC_BLACKHOLE=y |
| 131 |
CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y |
| 132 |
# CONFIG_GRKERNSEC_SOCKET is not set |
| 133 |
# CONFIG_GRKERNSEC_DENYUSB is not set |
| 134 |
CONFIG_GRKERNSEC_SYSCTL=y |
| 135 |
CONFIG_GRKERNSEC_SYSCTL_ON=y |
| 136 |
CONFIG_GRKERNSEC_FLOODTIME=10 |
| 137 |
CONFIG_GRKERNSEC_FLOODBURST=4 |
| 138 |
|
| 139 |
-- |
| 140 |
WBR, Alex. |
Archives