There have been changes in the toolchain: |
https://sourceware.org/bugzilla/show_bug.cgi?id=12492 |
|
Applications also handle these situations nowadays and survive the denial (the mprotect() call simply fails) |
instead of crashing. |
For example, the clamav developers made their software aware of such a situation: |
https://bugs.gentoo.org/show_bug.cgi?id=326199 |
|
BR: Dw. |
-- |
dr Tóth Attila, Radiológus, 06-20-825-8057 |
Attila Toth MD, Radiologist, +36-20-825-8057 |
|
2014.November 1.(Szo) 11:08 időpontban Alex Efros ezt írta: |
> Hi! |
> |
> I wonder if something was changed in the handling of "grsec: denied RWX |
> mprotect"? |
> Previously, when I saw this in the kernel log it usually resulted in the app being killed |
> (and I had to run `paxctl-ng -m /that/app`), but now it looks like this |
> doesn't happen anymore. For example: |
> |
> # eselect opengl list |
> Available OpenGL implementations: |
> [1] nvidia * |
> [2] xorg-x11 |
> # grep PAX /etc/portage/make.conf |
> PAX_MARKINGS="XT" |
> # paxctl-ng -v /usr/bin/glxgears |
> /usr/bin/glxgears: |
> PT_PAX : -e--- |
> XATTR_PAX : not found |
> # /usr/bin/glxgears |
> Running synchronized to the vertical refresh. The framerate should be |
> approximately the same as the monitor refresh rate. |
> 302 frames in 5.0 seconds = 60.336 FPS |
> 300 frames in 5.0 seconds = 59.960 FPS |
> (so, as you can see, it still works!) |
> |
> and here is kernel log: |
> |
> 2014-11-01_10:00:19.58867 kern.alert: grsec: denied RWX mprotect of |
> /usr/lib64/opengl/nvidia/lib/libGL.so.343.22 by |
> /usr/bin/glxgears[glxgears:12208] uid/euid:0/0 gid/egid:0/0, parent |
> /bin/bash[bash:8601] uid/euid:0/0 gid/egid:0/0 |
> |
> At the same time paxtest works fine (all of its tests get killed). |
> |
> |
> My kernel config: |
> |
> # zgrep PAX /proc/config.gz |
> |
> CONFIG_PAX_USERCOPY_SLABS=y |
> CONFIG_PAX=y |
> # CONFIG_PAX_SOFTMODE is not set |
> # CONFIG_PAX_PT_PAX_FLAGS is not set |
> CONFIG_PAX_XATTR_PAX_FLAGS=y |
> CONFIG_PAX_NO_ACL_FLAGS=y |
> # CONFIG_PAX_HAVE_ACL_FLAGS is not set |
> # CONFIG_PAX_HOOK_ACL_FLAGS is not set |
> CONFIG_PAX_NOEXEC=y |
> CONFIG_PAX_PAGEEXEC=y |
> CONFIG_PAX_EMUTRAMP=y |
> CONFIG_PAX_MPROTECT=y |
> # CONFIG_PAX_MPROTECT_COMPAT is not set |
> # CONFIG_PAX_ELFRELOCS is not set |
> # CONFIG_PAX_KERNEXEC is not set |
> CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="" |
> CONFIG_PAX_ASLR=y |
> # CONFIG_PAX_RANDKSTACK is not set |
> CONFIG_PAX_RANDUSTACK=y |
> CONFIG_PAX_RANDMMAP=y |
> # CONFIG_PAX_MEMORY_SANITIZE is not set |
> # CONFIG_PAX_MEMORY_STACKLEAK is not set |
> CONFIG_PAX_MEMORY_STRUCTLEAK=y |
> # CONFIG_PAX_MEMORY_UDEREF is not set |
> CONFIG_PAX_REFCOUNT=y |
> CONFIG_PAX_USERCOPY=y |
> # CONFIG_PAX_USERCOPY_DEBUG is not set |
> # CONFIG_PAX_SIZE_OVERFLOW is not set |
> # CONFIG_PAX_LATENT_ENTROPY is not set |
> |
> # zgrep GRKERNSEC /proc/config.gz |
> |
> CONFIG_GRKERNSEC=y |
> # CONFIG_GRKERNSEC_CONFIG_AUTO is not set |
> CONFIG_GRKERNSEC_CONFIG_CUSTOM=y |
> CONFIG_GRKERNSEC_PROC_GID=1000 |
> CONFIG_GRKERNSEC_KMEM=y |
> # CONFIG_GRKERNSEC_IO is not set |
> CONFIG_GRKERNSEC_PERF_HARDEN=y |
> CONFIG_GRKERNSEC_RAND_THREADSTACK=y |
> CONFIG_GRKERNSEC_PROC_MEMMAP=y |
> # CONFIG_GRKERNSEC_KSTACKOVERFLOW is not set |
> # CONFIG_GRKERNSEC_BRUTE is not set |
> CONFIG_GRKERNSEC_MODHARDEN=y |
> CONFIG_GRKERNSEC_HIDESYM=y |
> # CONFIG_GRKERNSEC_RANDSTRUCT is not set |
> # CONFIG_GRKERNSEC_KERN_LOCKOUT is not set |
> CONFIG_GRKERNSEC_NO_RBAC=y |
> CONFIG_GRKERNSEC_ACL_HIDEKERN=y |
> CONFIG_GRKERNSEC_ACL_MAXTRIES=3 |
> CONFIG_GRKERNSEC_ACL_TIMEOUT=30 |
> CONFIG_GRKERNSEC_PROC=y |
> # CONFIG_GRKERNSEC_PROC_USER is not set |
> CONFIG_GRKERNSEC_PROC_USERGROUP=y |
> CONFIG_GRKERNSEC_PROC_ADD=y |
> CONFIG_GRKERNSEC_LINK=y |
> # CONFIG_GRKERNSEC_SYMLINKOWN is not set |
> CONFIG_GRKERNSEC_FIFO=y |
> # CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set |
> # CONFIG_GRKERNSEC_ROFS is not set |
> CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y |
> CONFIG_GRKERNSEC_CHROOT=y |
> CONFIG_GRKERNSEC_CHROOT_MOUNT=y |
> CONFIG_GRKERNSEC_CHROOT_DOUBLE=y |
> CONFIG_GRKERNSEC_CHROOT_PIVOT=y |
> CONFIG_GRKERNSEC_CHROOT_CHDIR=y |
> CONFIG_GRKERNSEC_CHROOT_CHMOD=y |
> CONFIG_GRKERNSEC_CHROOT_FCHDIR=y |
> CONFIG_GRKERNSEC_CHROOT_MKNOD=y |
> CONFIG_GRKERNSEC_CHROOT_SHMAT=y |
> CONFIG_GRKERNSEC_CHROOT_UNIX=y |
> CONFIG_GRKERNSEC_CHROOT_FINDTASK=y |
> CONFIG_GRKERNSEC_CHROOT_NICE=y |
> CONFIG_GRKERNSEC_CHROOT_SYSCTL=y |
> CONFIG_GRKERNSEC_CHROOT_CAPS=y |
> # CONFIG_GRKERNSEC_AUDIT_GROUP is not set |
> # CONFIG_GRKERNSEC_EXECLOG is not set |
> CONFIG_GRKERNSEC_RESLOG=y |
> # CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set |
> CONFIG_GRKERNSEC_AUDIT_PTRACE=y |
> # CONFIG_GRKERNSEC_AUDIT_CHDIR is not set |
> # CONFIG_GRKERNSEC_AUDIT_MOUNT is not set |
> CONFIG_GRKERNSEC_SIGNAL=y |
> CONFIG_GRKERNSEC_FORKFAIL=y |
> # CONFIG_GRKERNSEC_TIME is not set |
> CONFIG_GRKERNSEC_PROC_IPADDR=y |
> CONFIG_GRKERNSEC_RWXMAP_LOG=y |
> CONFIG_GRKERNSEC_DMESG=y |
> CONFIG_GRKERNSEC_HARDEN_PTRACE=y |
> CONFIG_GRKERNSEC_PTRACE_READEXEC=y |
> CONFIG_GRKERNSEC_SETXID=y |
> CONFIG_GRKERNSEC_HARDEN_IPC=y |
> # CONFIG_GRKERNSEC_TPE is not set |
> CONFIG_GRKERNSEC_RANDNET=y |
> CONFIG_GRKERNSEC_BLACKHOLE=y |
> CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y |
> # CONFIG_GRKERNSEC_SOCKET is not set |
> # CONFIG_GRKERNSEC_DENYUSB is not set |
> CONFIG_GRKERNSEC_SYSCTL=y |
> CONFIG_GRKERNSEC_SYSCTL_ON=y |
> CONFIG_GRKERNSEC_FLOODTIME=10 |
> CONFIG_GRKERNSEC_FLOODBURST=4 |
> |
> -- |
> WBR, Alex. |
> |