Re: [gentoo-hardened] XATTR_PAX, paxmark.sh, elog, icedtea, and maybe more - gentoo-hardened

From:	"Tóth Attila" <atoth@××××××××××.hu>
To:	gentoo-hardened@l.g.o
Subject:	Re: [gentoo-hardened] XATTR_PAX, paxmark.sh, elog, icedtea, and maybe more
Date:	Sun, 14 Dec 2014 03:18:44
Message-Id:	`036cdd6973d0aefe96d2f6858cf90ec3.squirrel@atoth.sote.hu`
In Reply to:	[gentoo-hardened] XATTR_PAX, paxmark.sh, elog, icedtea, and maybe more by Karl-Johan Karlsson

1

I've made an observation long before, that although PT_PAX flags are

2

properly handled on my systems, the installed binaries and libraries lack

3

XATTR_PAX markings. This has been the situation for a long time now. I've

4

made a script scanning the system for inconsistent markings and issuing

5

paxctl-ng -F for those files, where it's necessary.

6

I have both PT and XT present in my make.conf for markings. I was told

7

before, that I should rather opt for only one of the two possibilities -

8

kernel-option wise and make.conf-marking-selection wise. Kinda both PT and

9

XT are not supported at the same time using the current utilities.

10

Moreover: there is the question if PT marking is present and XATTR is

11

missing at the same time: which one takes precedence? I suspect the system

12

tries to interpret the missing XATTR, falling back to apply the default

13

flags, while paying no attention to the PT flags present. Additionally, I

14

haven't mentioned any policy defined PAX flags.

15

Elfutils, paxutils and all other relevant packages are keyworded on my

16

systems.

17

So ordinary executables are installed with an inconsistent marking by

18

default. The new install mechanism is working on my systems. Strangely

19

enough, I see how html files are processed during install. Ordinary

20

binaries somehow slip through the mechanism.

21

22

It would be so good to see consistent markings on a system having both PT

23

and XT enabled. The kernel could also behave a bit differently. These

24

possibilities can potentially confuse some users, while I'm still fine

25

with my scripts and have some understanding of the background.

26

27

In the mean time I see some progress as well! Compile time markings

28

definitely seem to work fine on my systems for awhile. Emerging icedtea

29

goes flawlessly, since markings are performed in a proper fashion - even

30

for PT & XT combo setup. I understand that compile time marking in an

31

ebuild is a separate mechanism compared to normal ebuild file install, but

32

I still see some room for improvements. And possibly fix this scenario.

33

Not for me, because I think I understand the situation and I believe I

34

know what I'm doing (just like when trying to change the multcount value

35

for a hard drive in smartctl). But n00bs or newcomers might have a benefit

36

from.

37

38

Thanks:

39

Dw.

40

--

41

dr Tóth Attila, Radiológus, 06-20-825-8057

42

Attila Toth MD, Radiologist, +36-20-825-8057

43

44

2014.December 14.(V) 00:52 időpontban Karl-Johan Karlsson ezt írta:

45

> Hi list,

46

>

47

> I seem to have at least three problems related to PaX markings

48

> simultaneously,

49

> and since it's after midnight here and I need to write down some notes

50

> anyway

51

> so I know how to continue tomorrow, I might as well send them out to the

52

> world

53

> and see if someone else solves my problems for me while I'm asleep.

54

>

55

> It all started when I couldn't upgrade from my existing dev-

56

> java/icedtea-7.2.4.5. Building dev-java/icedtea-7.2.5.3 failed, with the

57

> following messages at the bottom of the log:

58

>

59

>

60

> if [ -x /usr/sbin/paxmark.sh ] ; then \

61

>   if [ -w /export/portage/portage/dev-

62

> java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/bin/java ] ;

63

> then \

64

>     /usr/sbin/paxmark.sh -m /export/portage/portage/dev-

65

> java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/bin/java ; \

66

>   fi ; \

67

> fi

68

> /usr/sbin/paxmark.sh: line 82: elog: command not found

69

> Makefile:124: recipe for target '/export/portage/portage/dev-

70

> java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-

71

> boot/classes/javax/management/

72

> remote/rmi/RMIConnectionImpl_Stub.class' failed

73

>

74

>

75

> That's problem number one: paxmark.sh (from sys-apps/elfix-0.9.0) tries to

76

> call elog and fails.

77

>

78

> That code was introduced in 0.9.0 (actually, commit 41a91c04), but I've

79

> obviously managed to build icedtea before, so let's downgrade to 0.8.4 and

80

> try

81

> again. The build dies in the same location, but without the line

82

> complaining

83

> about elog. So paxmark.sh from 0.8.4 still fails, it's just silent about

84

> it:

85

>

86

>

87

> # /usr/sbin/paxmark.sh -m /export/portage/portage/dev-

88

> java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/bin/java

89

>

90

> # echo $?

91

> 1

92

>

93

> # paxctl-ng -v /export/portage/portage/dev-

94

> java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/bin/java

95

> /export/portage/portage/dev-

96

> java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/bin/java:

97

>         PT_PAX    : -em--

98

>         XATTR_PAX : not found

99

>

100

>

101

> So it's managed to set PT_PAX flags, but not XATTR_PAX. Looking at the

102

> code,

103

> paxmark.sh first tries to set PT_PAX, then XATTR_PAX, and if either fails,

104

> the

105

> entire thing returns failure. Unless PAX_MARKINGS is set, in which case

106

> that

107

> controls which type of markings is used. It isn't set on this machine.

108

>

109

> Problem number two: that's not what the docs say should happen. Acording

110

> to

111

> https://wiki.gentoo.org/wiki/Hardened/PaX_Quickstart:

112

>

113

> "If you decide on PaX marking method, you should adjust PAX_MARKINGS

114

> variable

115

> in your /etc/portage/make.conf with either XT (for extended attributes) or

116

> PT

117

> (for program header marking). You can set both XT PT if you wish. Default

118

> is

119

> PT."

120

>

121

> But why isn't XATTR_PAX working? I thought I completed that transition

122

> ages

123

> ago.

124

>

125

>

126

> # paxctl-ng -v /bin/ls

127

> /bin/ls:

128

>         PT_PAX    : -e---

129

>         XATTR_PAX : not found

130

>

131

>

132

> Obviously not. Maybe I forgot this machine. Would it work?

133

>

134

>

135

> # paxctl-ng -F /bin/ls

136

>

137

> # paxctl-ng -v /bin/ls

138

> /bin/ls:

139

>         PT_PAX    : -e---

140

>         XATTR_PAX : -e---

141

>

142

>

143

> Yes. So why couldn't paxmark.sh set XATTR_PAX?

144

>

145

>

146

> # paxctl-ng -d /bin/ls

147

>

148

> # paxctl-ng -v /bin/ls

149

> /bin/ls:

150

>         PT_PAX    : -e---

151

>         XATTR_PAX : not found

152

>

153

> # cp /bin/ls $PORTAGE_TMPDIR

154

>

155

> # paxctl-ng -v $PORTAGE_TMPDIR/ls

156

> /export/portage/ls:

157

>         PT_PAX    : -e---

158

>         XATTR_PAX : not found

159

>

160

> # paxctl-ng -F $PORTAGE_TMPDIR/ls

161

>

162

> # echo $?

163

> 1

164

>

165

> # paxctl-ng -v $PORTAGE_TMPDIR/ls

166

> /export/portage/ls:

167

>         PT_PAX    : -e---

168

>         XATTR_PAX : not found

169

>

170

> # strace paxctl-ng -F $PORTAGE_TMPDIR/ls 2>&1 | grep user.pax

171

> fsetxattr(3, "user.pax.flags", "e", 1, 0) = -1 EOPNOTSUPP (Operation not

172

> supported)

173

>

174

>

175

> OK, so XATTR_PAX works in /bin, but gets EOPNOTSUPP in $PORTAGE_TMPDIR.

176

> They're on different mounts, so that's not unreasonable. But where do they

177

> differ?

178

>

179

>

180

> # di -h /bin

181

> Filesystem         Mount               Size     Used    Avail %Used  fs

182

> Type

183

> /dev/root          /                  75,0G    56,7G    14,5G   81%  ext4

184

>

185

> # di -h $PORTAGE_TMPDIR

186

> Filesystem         Mount               Size     Used    Avail %Used  fs

187

> Type

188

> /dev/mapper/crypt- /export             2,5T     2,2T   258,8G   90%  ext3

189

>

190

> # grep -E ' (/|/export) ' /proc/mounts

191

> rootfs / rootfs rw 0 0

192

> /dev/root / ext4 rw,relatime,data=ordered 0 0

193

> /dev/mapper/crypt-export /export ext3

194

> rw,noatime,errors=continue,barrier=1,data=ordered 0 0

195

>

196

> # tune2fs -l /dev/root | grep ext_attr

197

> Filesystem features:      has_journal ext_attr resize_inode dir_index

198

> filetype

199

> needs_recovery extent sparse_super large_file uninit_bg

200

>

201

> # tune2fs -l /dev/mapper/crypt-export | grep ext_attr

202

> Filesystem features:      has_journal ext_attr resize_inode dir_index

203

> filetype

204

> needs_recovery sparse_super large_file

205

>

206

>

207

> So it works on ext4, but not ext3, even though both have the ext_attr flag

208

> on

209

> disk. Any difference in kernel support?

210

>

211

>

212

> # uname -r

213

> 3.16.5-hardened

214

>

215

> # gunzip -c /proc/config.gz | grep XATTR

216

> CONFIG_EXT3_FS_XATTR=y

217

> CONFIG_TMPFS_XATTR=y

218

> CONFIG_PAX_XATTR_PAX_FLAGS=y

219

>

220

> # gunzip -c /proc/config.gz | grep EXT[34]

221

> CONFIG_EXT3_FS=y

222

> CONFIG_EXT3_DEFAULTS_TO_ORDERED=y

223

> CONFIG_EXT3_FS_XATTR=y

224

> # CONFIG_EXT3_FS_POSIX_ACL is not set

225

> CONFIG_EXT3_FS_SECURITY=y

226

> CONFIG_EXT4_FS=y

227

> CONFIG_EXT4_USE_FOR_EXT23=y

228

> # CONFIG_EXT4_FS_POSIX_ACL is not set

229

> CONFIG_EXT4_FS_SECURITY=y

230

> # CONFIG_EXT4_DEBUG is not set

231

>

232

>

233

> Not that I can see, especially with CONFIG_EXT4_USE_FOR_EXT23=y. And it

234

> should

235

> be an automatic dependency anyway, since PAX_XATTR_PAX_FLAGS is set.

236

>

237

> Which brings us to problem number three: why aren't xattrs working in

238

> $PORTAGE_TMPDIR on ext3 when they are in /bin on ext4?

239

>

240

> Problems one and two are clearly bugs, one in sys-apps/elfix and two in

241

> sys-

242

> apps/elfix or the documentation. Should I file them in Bugzilla, or is

243

> this

244

> mail enough?

245

>

246

> Problem three seems to be unique to this machine. Does anyone know what's

247

> going on?

248

>

249

> --

250

> Karl-Johan Karlsson

Gentoo Archives: gentoo-hardened

Replies

1	I've made an observation long before, that although PT_PAX flags are
2	properly handled on my systems, the installed binaries and libraries lack
3	XATTR_PAX markings. This has been the situation for a long time now. I've
4	made a script scanning the system for inconsistent markings and issuing
5	paxctl-ng -F for those files, where it's necessary.
6	I have both PT and XT present in my make.conf for markings. I was told
7	before, that I should rather opt for only one of the two possibilities -
8	kernel-option wise and make.conf-marking-selection wise. Kinda both PT and
9	XT are not supported at the same time using the current utilities.
10	Moreover: there is the question if PT marking is present and XATTR is
11	missing at the same time: which one takes precedence? I suspect the system
12	tries to interpret the missing XATTR, falling back to apply the default
13	flags, while paying no attention to the PT flags present. Additionally, I
14	haven't mentioned any policy defined PAX flags.
15	Elfutils, paxutils and all other relevant packages are keyworded on my
16	systems.
17	So ordinary executables are installed with an inconsistent marking by
18	default. The new install mechanism is working on my systems. Strangely
19	enough, I see how html files are processed during install. Ordinary
20	binaries somehow slip through the mechanism.
21
22	It would be so good to see consistent markings on a system having both PT
23	and XT enabled. The kernel could also behave a bit differently. These
24	possibilities can potentially confuse some users, while I'm still fine
25	with my scripts and have some understanding of the background.
26
27	In the mean time I see some progress as well! Compile time markings
28	definitely seem to work fine on my systems for awhile. Emerging icedtea
29	goes flawlessly, since markings are performed in a proper fashion - even
30	for PT & XT combo setup. I understand that compile time marking in an
31	ebuild is a separate mechanism compared to normal ebuild file install, but
32	I still see some room for improvements. And possibly fix this scenario.
33	Not for me, because I think I understand the situation and I believe I
34	know what I'm doing (just like when trying to change the multcount value
35	for a hard drive in smartctl). But n00bs or newcomers might have a benefit
36	from.
37
38	Thanks:
39	Dw.
40	--
41	dr Tóth Attila, Radiológus, 06-20-825-8057
42	Attila Toth MD, Radiologist, +36-20-825-8057
43
44	2014.December 14.(V) 00:52 időpontban Karl-Johan Karlsson ezt írta:
45	> Hi list,
46	>
47	> I seem to have at least three problems related to PaX markings
48	> simultaneously,
49	> and since it's after midnight here and I need to write down some notes
50	> anyway
51	> so I know how to continue tomorrow, I might as well send them out to the
52	> world
53	> and see if someone else solves my problems for me while I'm asleep.
54	>
55	> It all started when I couldn't upgrade from my existing dev-
56	> java/icedtea-7.2.4.5. Building dev-java/icedtea-7.2.5.3 failed, with the
57	> following messages at the bottom of the log:
58	>
59	>
60	> if [ -x /usr/sbin/paxmark.sh ] ; then \
61	> if [ -w /export/portage/portage/dev-
62	> java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/bin/java ] ;
63	> then \
64	> /usr/sbin/paxmark.sh -m /export/portage/portage/dev-
65	> java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/bin/java ; \
66	> fi ; \
67	> fi
68	> /usr/sbin/paxmark.sh: line 82: elog: command not found
69	> Makefile:124: recipe for target '/export/portage/portage/dev-
70	> java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-
71	> boot/classes/javax/management/
72	> remote/rmi/RMIConnectionImpl_Stub.class' failed
73	>
74	>
75	> That's problem number one: paxmark.sh (from sys-apps/elfix-0.9.0) tries to
76	> call elog and fails.
77	>
78	> That code was introduced in 0.9.0 (actually, commit 41a91c04), but I've
79	> obviously managed to build icedtea before, so let's downgrade to 0.8.4 and
80	> try
81	> again. The build dies in the same location, but without the line
82	> complaining
83	> about elog. So paxmark.sh from 0.8.4 still fails, it's just silent about
84	> it:
85	>
86	>
87	> # /usr/sbin/paxmark.sh -m /export/portage/portage/dev-
88	> java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/bin/java
89	>
90	> # echo $?
91	> 1
92	>
93	> # paxctl-ng -v /export/portage/portage/dev-
94	> java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/bin/java
95	> /export/portage/portage/dev-
96	> java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/bin/java:
97	> PT_PAX : -em--
98	> XATTR_PAX : not found
99	>
100	>
101	> So it's managed to set PT_PAX flags, but not XATTR_PAX. Looking at the
102	> code,
103	> paxmark.sh first tries to set PT_PAX, then XATTR_PAX, and if either fails,
104	> the
105	> entire thing returns failure. Unless PAX_MARKINGS is set, in which case
106	> that
107	> controls which type of markings is used. It isn't set on this machine.
108	>
109	> Problem number two: that's not what the docs say should happen. Acording
110	> to
111	> https://wiki.gentoo.org/wiki/Hardened/PaX_Quickstart:
112	>
113	> "If you decide on PaX marking method, you should adjust PAX_MARKINGS
114	> variable
115	> in your /etc/portage/make.conf with either XT (for extended attributes) or
116	> PT
117	> (for program header marking). You can set both XT PT if you wish. Default
118	> is
119	> PT."
120	>
121	> But why isn't XATTR_PAX working? I thought I completed that transition
122	> ages
123	> ago.
124	>
125	>
126	> # paxctl-ng -v /bin/ls
127	> /bin/ls:
128	> PT_PAX : -e---
129	> XATTR_PAX : not found
130	>
131	>
132	> Obviously not. Maybe I forgot this machine. Would it work?
133	>
134	>
135	> # paxctl-ng -F /bin/ls
136	>
137	> # paxctl-ng -v /bin/ls
138	> /bin/ls:
139	> PT_PAX : -e---
140	> XATTR_PAX : -e---
141	>
142	>
143	> Yes. So why couldn't paxmark.sh set XATTR_PAX?
144	>
145	>
146	> # paxctl-ng -d /bin/ls
147	>
148	> # paxctl-ng -v /bin/ls
149	> /bin/ls:
150	> PT_PAX : -e---
151	> XATTR_PAX : not found
152	>
153	> # cp /bin/ls $PORTAGE_TMPDIR
154	>
155	> # paxctl-ng -v $PORTAGE_TMPDIR/ls
156	> /export/portage/ls:
157	> PT_PAX : -e---
158	> XATTR_PAX : not found
159	>
160	> # paxctl-ng -F $PORTAGE_TMPDIR/ls
161	>
162	> # echo $?
163	> 1
164	>
165	> # paxctl-ng -v $PORTAGE_TMPDIR/ls
166	> /export/portage/ls:
167	> PT_PAX : -e---
168	> XATTR_PAX : not found
169	>
170	> # strace paxctl-ng -F $PORTAGE_TMPDIR/ls 2>&1 \| grep user.pax
171	> fsetxattr(3, "user.pax.flags", "e", 1, 0) = -1 EOPNOTSUPP (Operation not
172	> supported)
173	>
174	>
175	> OK, so XATTR_PAX works in /bin, but gets EOPNOTSUPP in $PORTAGE_TMPDIR.
176	> They're on different mounts, so that's not unreasonable. But where do they
177	> differ?
178	>
179	>
180	> # di -h /bin
181	> Filesystem Mount Size Used Avail %Used fs
182	> Type
183	> /dev/root / 75,0G 56,7G 14,5G 81% ext4
184	>
185	> # di -h $PORTAGE_TMPDIR
186	> Filesystem Mount Size Used Avail %Used fs
187	> Type
188	> /dev/mapper/crypt- /export 2,5T 2,2T 258,8G 90% ext3
189	>
190	> # grep -E ' (/\|/export) ' /proc/mounts
191	> rootfs / rootfs rw 0 0
192	> /dev/root / ext4 rw,relatime,data=ordered 0 0
193	> /dev/mapper/crypt-export /export ext3
194	> rw,noatime,errors=continue,barrier=1,data=ordered 0 0
195	>
196	> # tune2fs -l /dev/root \| grep ext_attr
197	> Filesystem features: has_journal ext_attr resize_inode dir_index
198	> filetype
199	> needs_recovery extent sparse_super large_file uninit_bg
200	>
201	> # tune2fs -l /dev/mapper/crypt-export \| grep ext_attr
202	> Filesystem features: has_journal ext_attr resize_inode dir_index
203	> filetype
204	> needs_recovery sparse_super large_file
205	>
206	>
207	> So it works on ext4, but not ext3, even though both have the ext_attr flag
208	> on
209	> disk. Any difference in kernel support?
210	>
211	>
212	> # uname -r
213	> 3.16.5-hardened
214	>
215	> # gunzip -c /proc/config.gz \| grep XATTR
216	> CONFIG_EXT3_FS_XATTR=y
217	> CONFIG_TMPFS_XATTR=y
218	> CONFIG_PAX_XATTR_PAX_FLAGS=y
219	>
220	> # gunzip -c /proc/config.gz \| grep EXT[34]
221	> CONFIG_EXT3_FS=y
222	> CONFIG_EXT3_DEFAULTS_TO_ORDERED=y
223	> CONFIG_EXT3_FS_XATTR=y
224	> # CONFIG_EXT3_FS_POSIX_ACL is not set
225	> CONFIG_EXT3_FS_SECURITY=y
226	> CONFIG_EXT4_FS=y
227	> CONFIG_EXT4_USE_FOR_EXT23=y
228	> # CONFIG_EXT4_FS_POSIX_ACL is not set
229	> CONFIG_EXT4_FS_SECURITY=y
230	> # CONFIG_EXT4_DEBUG is not set
231	>
232	>
233	> Not that I can see, especially with CONFIG_EXT4_USE_FOR_EXT23=y. And it
234	> should
235	> be an automatic dependency anyway, since PAX_XATTR_PAX_FLAGS is set.
236	>
237	> Which brings us to problem number three: why aren't xattrs working in
238	> $PORTAGE_TMPDIR on ext3 when they are in /bin on ext4?
239	>
240	> Problems one and two are clearly bugs, one in sys-apps/elfix and two in
241	> sys-
242	> apps/elfix or the documentation. Should I file them in Bugzilla, or is
243	> this
244	> mail enough?
245	>
246	> Problem three seems to be unique to this machine. Does anyone know what's
247	> going on?
248	>
249	> --
250	> Karl-Johan Karlsson