| 1 |
This things usually happen when changes are put into the CFLAGS-CXXFLAGS |
| 2 |
directly in make.conf instead of using the specs (profile), without |
| 3 |
mprotect, pax does nothing, ASLR is not functional since is not needed an |
| 4 |
return into libc to get an exploit working.... since PAGEEXEC/SEGMEXEC is |
| 5 |
not useful because mappings can be done EXECUTABLE/WRITEABLE at the same |
| 6 |
time on the fly without mprotect. |
| 7 |
|
| 8 |
2011/7/14 Anthony G. Basile <blueness@g.o> |
| 9 |
|
| 10 |
> Hi Markus, |
| 11 |
> |
| 12 |
> It looks like you missed something in the process. The steps to |
| 13 |
> converting are (skipping details): |
| 14 |
> |
| 15 |
> 1) switch profile |
| 16 |
> 2) recompile the toolchain: emerge glibc gcc binutils |
| 17 |
> 3) recompile system: emerge -e system |
| 18 |
> 4) recompile world: emerge -e world |
| 19 |
> |
| 20 |
> If you didn't do these, its possible you have some binaries left that |
| 21 |
> will trigger pax violations. |
| 22 |
> |
| 23 |
> One way to quickly check if you got hardened binaries is to use a script |
| 24 |
> called checksec.sh [1] and run it on /bin or /sbin. You should see that |
| 25 |
> all your binaries have FULL RELRO, STACK CANARY, NX, PIE and ASLR. |
| 26 |
> |
| 27 |
> |
| 28 |
> Ref: |
| 29 |
> |
| 30 |
> [1] http://tk-blog.blogspot.com/2009/02/checksec.html |
| 31 |
> |
| 32 |
> |
| 33 |
> |
| 34 |
> On 07/14/2011 05:54 AM, Markus Oehme wrote: |
| 35 |
> > Hi, |
| 36 |
> > |
| 37 |
> > I successfully switched to hardened profile during the last week and it |
| 38 |
> was |
| 39 |
> > quite painless. I think I can hand out some praise for the great work |
| 40 |
> done |
| 41 |
> > on Gentoo Hardened. :) |
| 42 |
> > |
| 43 |
> > Just one thing puzzles me a bit. I activated pax in hardened sources and |
| 44 |
> > this resulted in quite some segfaulting processes due to mprotect. I |
| 45 |
> found |
| 46 |
> > lines like the following in the logs. |
| 47 |
> > |
| 48 |
> > Jul 13 17:09:41 localhost kernel: [ 286.180994] grsec: denied RWX |
| 49 |
> mprotect of /lib64/ld-2.13.so by /usr/bin/python2.7[decibel-audio-p:6393] |
| 50 |
> uid/euid:1000/1000 gid/egid:1005/1005, parent /sbin/init[init:1] |
| 51 |
> uid/euid:0/0 gid/egid:0/0 |
| 52 |
> > |
| 53 |
> > I remedied this with paxctl -m /usr/bin/python2.7 and similar, but the |
| 54 |
> list |
| 55 |
> > [1] of binaries where I had to do this includes some stuff, where |
| 56 |
> mprotect |
| 57 |
> > would be quite useful (sudo, polkitd, etc.). Also I didn't see a note in |
| 58 |
> the |
| 59 |
> > docs (which otherwise are really helpful :) about what to expect for |
| 60 |
> > excpetions from mprotect. Is this expected behaviour or have I made some |
| 61 |
> > mistake in my configuration? |
| 62 |
> > |
| 63 |
> > |
| 64 |
> > Markus |
| 65 |
> > |
| 66 |
> > [1] |
| 67 |
> > /usr/lib64/courier/courier-authlib/authdaemond |
| 68 |
> > /usr/sbin/console-kit-daemon |
| 69 |
> > /usr/libexec/polkitd |
| 70 |
> > /usr/bin/xfconf-query |
| 71 |
> > /usr/lib64/xfce4/xfconf/xfconfd |
| 72 |
> > /usr/bin/xscreensaver |
| 73 |
> > /usr/bin/xfce4-session |
| 74 |
> > /usr/bin/gkrellm |
| 75 |
> > /usr/bin/Xorg |
| 76 |
> > /usr/bin/xfdesktop |
| 77 |
> > /usr/bin/xfce4-panel |
| 78 |
> > /usr/bin/Terminal |
| 79 |
> > /usr/libexec/udisks-daemon |
| 80 |
> > /usr/bin/xfce4-session-logout |
| 81 |
> > /usr/bin/emacs-23 |
| 82 |
> > /usr/bin/sudo |
| 83 |
> > /usr/bin/perl |
| 84 |
> > /usr/libexec/xfce4/panel-plugins/xfce4-mixer-plugin |
| 85 |
> > /usr/bin/xfce4-mixer |
| 86 |
> > /usr/bin/python2.7 |
| 87 |
> > /usr/libexec/git-core/git |
| 88 |
> > /usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1 |
| 89 |
> > |
| 90 |
> > |
| 91 |
> > -- |
| 92 |
> > Aoccdrnig to a threoy, it deosn't mttaer in waht oredr the ltteers in a |
| 93 |
> wrod |
| 94 |
> > are, the olny iprmoatnt tihng is taht the frist and lsat ltteer are in |
| 95 |
> the |
| 96 |
> > rghit pclae. The rset can be a taotl mses and you can sitll raed it in |
| 97 |
> msot |
| 98 |
> > csaes. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by |
| 99 |
> istlef, |
| 100 |
> > but the wrod as a wlohe. And I awlyas thought slpeling was ipmorantt. |
| 101 |
> |
| 102 |
> |
| 103 |
> -- |
| 104 |
> Anthony G. Basile, Ph.D. |
| 105 |
> Gentoo Linux Developer [Hardened] |
| 106 |
> E-Mail : blueness@g.o |
| 107 |
> GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535 |
| 108 |
> GnuPG ID : D0455535 |
| 109 |
> |
| 110 |
> |
Archives