Gentoo Archives: gentoo-hardened

From: "Tóth Attila" <atoth@××××××××××.hu>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] "grsec: denied RWX mprotect" doesn't kill app anymore
Date: Sat, 01 Nov 2014 12:09:44
Message-Id: 9bbbd99030ae9c4d1e0b58304bec9b36.squirrel@atoth.sote.hu
In Reply to: [gentoo-hardened] "grsec: denied RWX mprotect" doesn't kill app anymore by Alex Efros
There have been changes in the toolchain:
https://sourceware.org/bugzilla/show_bug.cgi?id=12492

Applications also handle these situations nowadays and survive the denial
instead of crashing.
For example, the clamav developers made the software aware of such a situation:
https://bugs.gentoo.org/show_bug.cgi?id=326199

BR: Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 2014 November 1 (Sat) 11:08, Alex Efros wrote:
> Hi!
>
> I wonder if something was changed in handling "grsec: denied RWX
> mprotect"?
> Previously, when I saw this in the kernel log it usually resulted in the app
> being killed (and I had to run `paxctl-ng -m /that/app`), but now it looks
> like this doesn't happen anymore. For example:
>
> # eselect opengl list
> Available OpenGL implementations:
> [1] nvidia *
> [2] xorg-x11
> # grep PAX /etc/portage/make.conf
> PAX_MARKINGS="XT"
> # paxctl-ng -v /usr/bin/glxgears
> /usr/bin/glxgears:
> PT_PAX : -e---
> XATTR_PAX : not found
> # /usr/bin/glxgears
> Running synchronized to the vertical refresh. The framerate should be
> approximately the same as the monitor refresh rate.
> 302 frames in 5.0 seconds = 60.336 FPS
> 300 frames in 5.0 seconds = 59.960 FPS
> (so, as you see, it works!)
>
> and here is kernel log:
>
> 2014-11-01_10:00:19.58867 kern.alert: grsec: denied RWX mprotect of
> /usr/lib64/opengl/nvidia/lib/libGL.so.343.22 by
> /usr/bin/glxgears[glxgears:12208] uid/euid:0/0 gid/egid:0/0, parent
> /bin/bash[bash:8601] uid/euid:0/0 gid/egid:0/0
>
> At the same time paxtest works OK (all killed).
>
>
> My kernel config:
>
> # zgrep PAX /proc/config.gz
>
> CONFIG_PAX_USERCOPY_SLABS=y
> CONFIG_PAX=y
> # CONFIG_PAX_SOFTMODE is not set
> # CONFIG_PAX_PT_PAX_FLAGS is not set
> CONFIG_PAX_XATTR_PAX_FLAGS=y
> CONFIG_PAX_NO_ACL_FLAGS=y
> # CONFIG_PAX_HAVE_ACL_FLAGS is not set
> # CONFIG_PAX_HOOK_ACL_FLAGS is not set
> CONFIG_PAX_NOEXEC=y
> CONFIG_PAX_PAGEEXEC=y
> CONFIG_PAX_EMUTRAMP=y
> CONFIG_PAX_MPROTECT=y
> # CONFIG_PAX_MPROTECT_COMPAT is not set
> # CONFIG_PAX_ELFRELOCS is not set
> # CONFIG_PAX_KERNEXEC is not set
> CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""
> CONFIG_PAX_ASLR=y
> # CONFIG_PAX_RANDKSTACK is not set
> CONFIG_PAX_RANDUSTACK=y
> CONFIG_PAX_RANDMMAP=y
> # CONFIG_PAX_MEMORY_SANITIZE is not set
> # CONFIG_PAX_MEMORY_STACKLEAK is not set
> CONFIG_PAX_MEMORY_STRUCTLEAK=y
> # CONFIG_PAX_MEMORY_UDEREF is not set
> CONFIG_PAX_REFCOUNT=y
> CONFIG_PAX_USERCOPY=y
> # CONFIG_PAX_USERCOPY_DEBUG is not set
> # CONFIG_PAX_SIZE_OVERFLOW is not set
> # CONFIG_PAX_LATENT_ENTROPY is not set
>
> # zgrep GRKERNSEC /proc/config.gz
>
> CONFIG_GRKERNSEC=y
> # CONFIG_GRKERNSEC_CONFIG_AUTO is not set
> CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
> CONFIG_GRKERNSEC_PROC_GID=1000
> CONFIG_GRKERNSEC_KMEM=y
> # CONFIG_GRKERNSEC_IO is not set
> CONFIG_GRKERNSEC_PERF_HARDEN=y
> CONFIG_GRKERNSEC_RAND_THREADSTACK=y
> CONFIG_GRKERNSEC_PROC_MEMMAP=y
> # CONFIG_GRKERNSEC_KSTACKOVERFLOW is not set
> # CONFIG_GRKERNSEC_BRUTE is not set
> CONFIG_GRKERNSEC_MODHARDEN=y
> CONFIG_GRKERNSEC_HIDESYM=y
> # CONFIG_GRKERNSEC_RANDSTRUCT is not set
> # CONFIG_GRKERNSEC_KERN_LOCKOUT is not set
> CONFIG_GRKERNSEC_NO_RBAC=y
> CONFIG_GRKERNSEC_ACL_HIDEKERN=y
> CONFIG_GRKERNSEC_ACL_MAXTRIES=3
> CONFIG_GRKERNSEC_ACL_TIMEOUT=30
> CONFIG_GRKERNSEC_PROC=y
> # CONFIG_GRKERNSEC_PROC_USER is not set
> CONFIG_GRKERNSEC_PROC_USERGROUP=y
> CONFIG_GRKERNSEC_PROC_ADD=y
> CONFIG_GRKERNSEC_LINK=y
> # CONFIG_GRKERNSEC_SYMLINKOWN is not set
> CONFIG_GRKERNSEC_FIFO=y
> # CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
> # CONFIG_GRKERNSEC_ROFS is not set
> CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
> CONFIG_GRKERNSEC_CHROOT=y
> CONFIG_GRKERNSEC_CHROOT_MOUNT=y
> CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
> CONFIG_GRKERNSEC_CHROOT_PIVOT=y
> CONFIG_GRKERNSEC_CHROOT_CHDIR=y
> CONFIG_GRKERNSEC_CHROOT_CHMOD=y
> CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
> CONFIG_GRKERNSEC_CHROOT_MKNOD=y
> CONFIG_GRKERNSEC_CHROOT_SHMAT=y
> CONFIG_GRKERNSEC_CHROOT_UNIX=y
> CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
> CONFIG_GRKERNSEC_CHROOT_NICE=y
> CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
> CONFIG_GRKERNSEC_CHROOT_CAPS=y
> # CONFIG_GRKERNSEC_AUDIT_GROUP is not set
> # CONFIG_GRKERNSEC_EXECLOG is not set
> CONFIG_GRKERNSEC_RESLOG=y
> # CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
> CONFIG_GRKERNSEC_AUDIT_PTRACE=y
> # CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
> # CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
> CONFIG_GRKERNSEC_SIGNAL=y
> CONFIG_GRKERNSEC_FORKFAIL=y
> # CONFIG_GRKERNSEC_TIME is not set
> CONFIG_GRKERNSEC_PROC_IPADDR=y
> CONFIG_GRKERNSEC_RWXMAP_LOG=y
> CONFIG_GRKERNSEC_DMESG=y
> CONFIG_GRKERNSEC_HARDEN_PTRACE=y
> CONFIG_GRKERNSEC_PTRACE_READEXEC=y
> CONFIG_GRKERNSEC_SETXID=y
> CONFIG_GRKERNSEC_HARDEN_IPC=y
> # CONFIG_GRKERNSEC_TPE is not set
> CONFIG_GRKERNSEC_RANDNET=y
> CONFIG_GRKERNSEC_BLACKHOLE=y
> CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
> # CONFIG_GRKERNSEC_SOCKET is not set
> # CONFIG_GRKERNSEC_DENYUSB is not set
> CONFIG_GRKERNSEC_SYSCTL=y
> CONFIG_GRKERNSEC_SYSCTL_ON=y
> CONFIG_GRKERNSEC_FLOODTIME=10
> CONFIG_GRKERNSEC_FLOODBURST=4
>
> --
> WBR, Alex.
>
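An added example (written for this page; it is not code from the thread, from clamav or from glibc) of the pattern the reply describes: an application that wants a writable+executable page probes for it, treats the PaX denial (EACCES or EPERM from mmap or mprotect, the request that produces the "denied RWX mprotect" log line) as a recoverable condition, and keeps running in a fallback mode instead of aborting. The probe_rwx and choose_mode names and the "jit"/"interpreter" modes are assumptions for illustration. Note that PaX MPROTECT also refuses to turn a non-executable anonymous mapping executable, so a write-then-flip-to-RX JIT hits the same denial; the fallback has to be one that needs no executable mapping at all.

```c
/* Added example, not from the gentoo-hardened thread, clamav or glibc:
 * probe for a writable+executable page and survive a PaX MPROTECT denial. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20 /* Linux value; not exposed by strict POSIX headers */
#endif

enum rwx_status { RWX_ALLOWED = 1, RWX_DENIED = 0, RWX_ERROR = -1 };

/* Try to obtain a page that is both writable and executable: first by
 * mapping it RWX directly, then by mapping it RW and upgrading it with
 * mprotect() (the transition PaX logs as "denied RWX mprotect").
 * Returns RWX_ALLOWED if either path works, RWX_DENIED if the kernel
 * refused with EACCES or EPERM, RWX_ERROR for any other failure.
 * The function never aborts; the caller decides what to do. */
enum rwx_status probe_rwx(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);

    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p != MAP_FAILED) {
        munmap(p, len);
        return RWX_ALLOWED;
    }
    if (errno != EACCES && errno != EPERM)
        return RWX_ERROR;

    /* Direct RWX mapping denied: try the RW -> RWX upgrade path. */
    p = mmap(NULL, len, PROT_READ | PROT_WRITE,
             MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return RWX_ERROR;
    int rc = mprotect(p, len, PROT_READ | PROT_WRITE | PROT_EXEC);
    int err = errno;            /* save before munmap() can clobber it */
    munmap(p, len);
    if (rc == 0)
        return RWX_ALLOWED;
    return (err == EACCES || err == EPERM) ? RWX_DENIED : RWX_ERROR;
}

/* Choose an execution mode from the probe result. The mode names are
 * hypothetical; the point is that a denial selects a mode that needs no
 * executable mapping at all, rather than terminating the process. */
const char *choose_mode(enum rwx_status s)
{
    switch (s) {
    case RWX_ALLOWED: return "jit";
    case RWX_DENIED:  return "interpreter";
    default:          return "interpreter"; /* unknown failure: stay safe */
    }
}

int main(void)
{
    enum rwx_status s = probe_rwx();
    printf("RWX probe: %d, running in %s mode\n", (int)s, choose_mode(s));
    return 0;
}
```

On a kernel without PaX the probe simply succeeds; under PaX with MPROTECT enforced for the binary it returns RWX_DENIED and the process carries on, which is the behaviour the reply attributes to the newer toolchain and to clamav. A paxctl-ng -m marking would make the probe succeed again by disabling MPROTECT for that one executable.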