These things usually happen when changes are put into the CFLAGS-CXXFLAGS
directly in make.conf instead of using the specs (profile). Without
mprotect, PaX does nothing, ASLR is not functional since a return into libc
is not needed to get an exploit working.... since PAGEEXEC/SEGMEXEC is
not useful because mappings can be done EXECUTABLE/WRITEABLE at the same
time on the fly without mprotect.

2011/7/14 Anthony G. Basile <blueness@g.o>

> Hi Markus,
>
> It looks like you missed something in the process. The steps to
> converting are (skipping details):
>
> 1) switch profile
> 2) recompile the toolchain: emerge glibc gcc binutils
> 3) recompile system: emerge -e system
> 4) recompile world: emerge -e world
>
> If you didn't do these, it's possible you have some binaries left that
> will trigger PaX violations.
>
> One way to quickly check if you got hardened binaries is to use a script
> called checksec.sh [1] and run it on /bin or /sbin. You should see that
> all your binaries have FULL RELRO, STACK CANARY, NX, PIE and ASLR.
>
>
> Ref:
>
> [1] http://tk-blog.blogspot.com/2009/02/checksec.html
>
>
>
> On 07/14/2011 05:54 AM, Markus Oehme wrote:
> > Hi,
> >
> > I successfully switched to hardened profile during the last week and it was
> > quite painless. I think I can hand out some praise for the great work done
> > on Gentoo Hardened. :)
> >
> > Just one thing puzzles me a bit. I activated PaX in hardened sources and
> > this resulted in quite some segfaulting processes due to mprotect. I found
> > lines like the following in the logs.
> >
> > Jul 13 17:09:41 localhost kernel: [ 286.180994] grsec: denied RWX mprotect of /lib64/ld-2.13.so by /usr/bin/python2.7[decibel-audio-p:6393] uid/euid:1000/1000 gid/egid:1005/1005, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
> >
> > I remedied this with paxctl -m /usr/bin/python2.7 and similar, but the list
> > [1] of binaries where I had to do this includes some stuff where mprotect
> > would be quite useful (sudo, polkitd, etc.). Also I didn't see a note in the
> > docs (which otherwise are really helpful :) about what to expect for
> > exceptions from mprotect. Is this expected behaviour or have I made some
> > mistake in my configuration?
> >
> >
> > Markus
> >
> > [1]
> > /usr/lib64/courier/courier-authlib/authdaemond
> > /usr/sbin/console-kit-daemon
> > /usr/libexec/polkitd
> > /usr/bin/xfconf-query
> > /usr/lib64/xfce4/xfconf/xfconfd
> > /usr/bin/xscreensaver
> > /usr/bin/xfce4-session
> > /usr/bin/gkrellm
> > /usr/bin/Xorg
> > /usr/bin/xfdesktop
> > /usr/bin/xfce4-panel
> > /usr/bin/Terminal
> > /usr/libexec/udisks-daemon
> > /usr/bin/xfce4-session-logout
> > /usr/bin/emacs-23
> > /usr/bin/sudo
> > /usr/bin/perl
> > /usr/libexec/xfce4/panel-plugins/xfce4-mixer-plugin
> > /usr/bin/xfce4-mixer
> > /usr/bin/python2.7
> > /usr/libexec/git-core/git
> > /usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1
> >
> >
> > --
> > Aoccdrnig to a threoy, it deosn't mttaer in waht oredr the ltteers in a wrod
> > are, the olny iprmoatnt tihng is taht the frist and lsat ltteer are in the
> > rghit pclae. The rset can be a taotl mses and you can sitll raed it in msot
> > csaes. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef,
> > but the wrod as a wlohe. And I awlyas thought slpeling was ipmorantt.
>
>
> --
> Anthony G. Basile, Ph.D.
> Gentoo Linux Developer [Hardened]
> E-Mail : blueness@g.o
> GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
> GnuPG ID : D0455535
>
>
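A small triage script for kernel log lines of the shape Markus quoted, added here as an illustration; it is not part of the thread and not code from the grsecurity/PaX project. It assumes the message layout of the one line in the thread (`grsec: denied RWX mprotect of <mapping> by <exe>[<comm>:<pid>] uid/euid:... , parent ...`), groups the denials per executable, and separates programs that ran as root or changed privileges (sudo, polkitd, where Markus notes mprotect "would be quite useful") from ordinary user programs, so that `paxctl -m` exceptions on the privileged ones are reviewed rather than applied wholesale. The first sample line is the one from the thread; the other lines and the function names `parse_denial` and `triage` are constructed for the example.

```python
"""Triage grsecurity/PaX mprotect denials from a kernel log.

Added example, not from the mailing-list thread or from grsecurity/PaX.
Only the first SAMPLE_LOG line is taken from the thread; the rest are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Layout of the denial message as quoted in the thread (assumed to be stable):
#   grsec: denied RWX mprotect of <mapping> by <exe>[<comm>:<pid>]
#   uid/euid:U/EU gid/egid:G/EG, parent <pexe>[<pcomm>:<ppid>] uid/euid:... gid/egid:...
DENIAL_RE = re.compile(
    r"grsec: denied (?P<what>.+?) of (?P<mapping>\S+) "
    r"by (?P<exe>\S+?)\[(?P<comm>[^\]:]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<pexe>\S+?)\[(?P<pcomm>[^\]:]+):(?P<ppid>\d+)\]"
)


@dataclass(frozen=True)
class Denial:
    what: str      # e.g. "RWX mprotect"
    mapping: str   # file whose mapping was being made writable+executable
    exe: str       # executable that issued the mprotect call
    comm: str      # process name; differs from exe for interpreters (python scripts)
    pid: int
    uid: int
    euid: int
    parent: str    # parent executable


def parse_denial(line):
    """Return a Denial for a grsec denial line, or None for unrelated log lines."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    return Denial(
        what=m["what"], mapping=m["mapping"], exe=m["exe"], comm=m["comm"],
        pid=int(m["pid"]), uid=int(m["uid"]), euid=int(m["euid"]),
        parent=m["pexe"],
    )


def parse_log(lines):
    """Parse every line, silently skipping lines that are not grsec denials."""
    return [d for d in (parse_denial(line) for line in lines) if d is not None]


def triage(denials):
    """Group denials per executable and flag the ones that deserve review.

    A program counts as privileged if any denial shows it with euid 0 or with
    euid != uid (a set-uid program such as sudo). An mprotect exception on such
    a program re-enables RWX mappings exactly where an attacker gains the most,
    so it should be reviewed (or the program rebuilt so it no longer needs RWX)
    instead of being granted blindly.
    """
    by_exe = defaultdict(list)
    for d in denials:
        by_exe[d.exe].append(d)
    report = {}
    for exe, items in by_exe.items():
        privileged = any(d.euid == 0 or d.euid != d.uid for d in items)
        report[exe] = {
            "count": len(items),
            "privileged": privileged,
            "mappings": sorted({d.mapping for d in items}),
            "comms": sorted({d.comm for d in items}),
            "action": ("review before granting exception" if privileged
                       else "candidate for paxctl -m exception"),
        }
    return report


# Constructed sample log: line 1 is the one quoted in the thread; lines 2-3 are
# made up to show a set-uid program and a root daemon hitting the same denial;
# line 4 is an unrelated kernel message that the parser must ignore.
SAMPLE_LOG = [
    "Jul 13 17:09:41 localhost kernel: [ 286.180994] grsec: denied RWX mprotect of "
    "/lib64/ld-2.13.so by /usr/bin/python2.7[decibel-audio-p:6393] "
    "uid/euid:1000/1000 gid/egid:1005/1005, parent /sbin/init[init:1] "
    "uid/euid:0/0 gid/egid:0/0",
    "Jul 13 17:10:02 localhost kernel: [ 307.001122] grsec: denied RWX mprotect of "
    "/lib64/ld-2.13.so by /usr/bin/sudo[sudo:6410] "
    "uid/euid:1000/0 gid/egid:1005/1005, parent /usr/bin/Terminal[Terminal:6400] "
    "uid/euid:1000/1000 gid/egid:1005/1005",
    "Jul 13 17:10:05 localhost kernel: [ 310.445566] grsec: denied RWX mprotect of "
    "/lib64/ld-2.13.so by /usr/libexec/polkitd[polkitd:2201] "
    "uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
    "Jul 13 17:10:09 localhost kernel: [ 314.000000] usb 1-1: new high-speed USB device",
]

if __name__ == "__main__":
    for exe, info in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{exe}: {info['count']} denial(s), privileged={info['privileged']}"
              f" -> {info['action']}")
```

Run against a real system, the same functions would take the output of `dmesg` or the kernel log; the split into "privileged" and "unprivileged" is only a first cut, since a user-owned program can still be a worthwhile target, but it catches the cases Markus singled out (sudo and polkitd) where a `paxctl -m` exception weakens the protection where it matters most.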