From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Thu, 22 Jul 2010 19:27:20 +0300
From: Török Edwin
To: gentoo-hardened@lists.gentoo.org
Cc: p.labushev@gmail.com, Kyle Bader
Subject: Re: [gentoo-hardened] FYI: Clamav bytecode feature isn't compatible with PaX
Message-ID: <20100722192720.3c598d42@debian>
In-Reply-To: <4C4862D6.5070107@gmail.com>
References: <135383e85ff4aae9a95200f2b7e53354.squirrel@atoth.sote.hu> <4C4862D6.5070107@gmail.com>
X-Mailer: Claws Mail 3.7.6 (GTK+ 2.20.1; x86_64-pc-linux-gnu)

On Thu, 22 Jul 2010 23:25:10 +0800 Pavel Labushev wrote:
> 22.07.2010 19:52, "Tóth Attila" writes:
> 
> > 1. What is the neat way of detecting PaX running on a system?
> 
> To check /proc/self/status for "PaX:". That's what host-is-pax from
> pax-utils.eclass does.
> 

On Thu, 22 Jul 2010 07:08:30 -0700 Kyle Bader wrote:
> > https://wwws.clamav.net/bugzilla/show_bug.cgi?id=2092
> > http://bugs.gentoo.org/show_bug.cgi?id=326199
> >
> > https://wwws.clamav.net/bugzilla/show_bug.cgi?id=2092#c39
> > It raises two questions:
> > 1. What is the neat way of detecting PaX running on a system?
> 
> http://tk-blog.blogspot.com/2009/02/checksec.html
> 
> > 2. Edwin Török says PaX allows RWX mapping and kills the program
> > after that.
> 
> http://pax.grsecurity.net/docs/pageexec.txt
> 

Thanks. I have implemented PaX detection, see attached patch. I'll commit it shortly to the ClamAV repository.
Best regards,
--Edwin

Attachment: pax.patch (text/x-patch)

diff --git a/libclamav/c++/bytecode2llvm.cpp b/libclamav/c++/bytecode2llvm.cpp index 22b5413..de01f4c 100644 --- a/libclamav/c++/bytecode2llvm.cpp +++ b/libclamav/c++/bytecode2llvm.cpp @@ -1914,6 +1914,7 @@ int cli_bytecode_init_jit(struct cli_all_bc *bcs, unsigned dconfmask) bcs->engine = 0; DEBUG(errs() << "i[34]86 detected, falling back to interpreter (JIT needs pentium or better\n"); /* i386 and i486 has to fallback to interpreter */ + have_clamjit=0; return 0; } std::string ErrMsg; @@ -1921,12 +1922,35 @@ int cli_bytecode_init_jit(struct cli_all_bc *bcs, unsigned dconfmask) if (B.base() == 0) { errs() << MODULE << ErrMsg << "\n"; #ifdef __linux__ - errs() << MODULE << "SELinux is preventing 'execmem' access. Run 'setsebool -P clamd_use_jit on' to allow access\n"; + errs() << MODULE << "SELinux or PaX is preventing 'execmem' access." + << "Run 'setsebool -P clamd_use_jit on' or 'paxctl -m ' to allow access\n"; #endif errs() << MODULE << "falling back to interpreter mode\n"; + have_clamjit=0; return 0; } else { sys::Memory::ReleaseRWX(B); +#ifdef __linux__ + FILE *f = fopen("/proc/self/status", "r"); + if (f) { + char line[128]; + while (fgets(line, sizeof(line), f)) { + if (!memcmp(line, "PaX:", 4)) { + if (cli_debug_flag) { + errs() << "bytecode JIT: PaX found: " << line; + } + if (!strchr(line,'m')) { + errs() << MODULE << "PaX is preventing MPROTECT, use 'paxctl -m ' to allow\n"; + errs() << MODULE << "falling back to interpreter mode\n"; + fclose(f); + have_clamjit=0; + return 0; + } + } + } + fclose(f); + } +#endif } bcs->engine = new(std::nothrow) cli_bcengine;
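Review bot: in the first hunk (@@ -1914,6 +1914,7 @@), the added "have_clamjit=0;" in the i[34]86 fallback is written without the spaces around "=" that the surrounding code uses ("bcs->engine = 0;"); match the file style with "have_clamjit = 0;". This is also the first of three separate early-return paths in the patch that each have to remember to clear the flag; a single fallback label or a small helper that clears have_clamjit and returns would keep a future fallback from missing it.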
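Review bot: in the second hunk (@@ -1921,12 +1922,35 @@), the rewritten SELinux message joins two string literals with no separator, so the output reads "...'execmem' access.Run 'setsebool -P clamd_use_jit on'..."; add a space or newline after "access.". The new PaX hint "use 'paxctl -m ' to allow" appears twice and ends without naming the executable the flag must be applied to; state which binary (the clamd or clamscan process hosting libclamav) so the operator can act on it. The /proc/self/status scan uses fopen, fgets, memcmp and strchr but the hunk adds no include, so confirm <cstdio> and <cstring> are already pulled in by bytecode2llvm.cpp, and prefer strncmp(line, "PaX:", 4) over memcmp so a line shorter than four bytes is compared only up to its terminator. The flag semantics are right: PaX prints a disabled feature in lowercase, so a "PaX:" line without an 'm' means MPROTECT is enforced and falling back to the interpreter is the correct decision.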
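An added example, not ClamAV's code or the attached patch: a small C check that classifies the PaX MPROTECT state from the "PaX:" line of /proc/self/status, the detection Pavel's reply describes, returning a tri-state (enforced, disabled, no PaX) rather than the patch's single strchr test so a caller can tell a non-PaX kernel from a PaX kernel with MPROTECT switched off. The five-letter "PEMRS" layout with uppercase meaning enforced is assumed from PaX's /proc output, and the function names are mine.

```c
/* Added example (not ClamAV code): classify PaX flags from the "PaX:" line
 * of /proc/<pid>/status.  Assumed format (PaX's /proc output):
 * "PaX:\tPEMRS" with an uppercase letter meaning the feature is enforced,
 * lowercase meaning disabled, and "-----" printed for kernel threads. */
#include <stdio.h>
#include <string.h>

enum pax_state { PAX_ABSENT = -1, PAX_OFF = 0, PAX_ON = 1 };

/* Return the state of flag 'letter' (e.g. 'M' for MPROTECT) in the given
 * status text, which may be the whole file or a single line. */
enum pax_state pax_flag_state(const char *status, char letter)
{
    const char *p = status;
    char upper = letter, lower = (char)(letter | 0x20);   /* 'M' -> 'm' */
    while (p && *p) {
        if (strncmp(p, "PaX:", 4) == 0) {
            const char *eol = strchr(p, '\n');
            size_t len = eol ? (size_t)(eol - p) : strlen(p);
            if (memchr(p + 4, upper, len - 4)) return PAX_ON;
            if (memchr(p + 4, lower, len - 4)) return PAX_OFF;
            return PAX_ABSENT;          /* "-----" or an unknown layout */
        }
        p = strchr(p, '\n');            /* advance to the next line */
        if (p) p++;
    }
    return PAX_ABSENT;                  /* no PaX line: kernel without PaX */
}

/* The decision the patch makes: JIT is only safe when MPROTECT is not enforced. */
int jit_allowed_under_pax(const char *status)
{
    return pax_flag_state(status, 'M') != PAX_ON;
}

/* Read the running process's own status; PAX_ABSENT when /proc is unavailable. */
enum pax_state self_mprotect_state(void)
{
    char buf[4096];
    size_t n;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return PAX_ABSENT;
    n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return pax_flag_state(buf, 'M');
}
```

Call self_mprotect_state() from the process that will host the JIT, since PaX flags are per executable and a wrapper or test binary may carry different markings.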