public inbox for gentoo-hardened@lists.gentoo.org
From: "Amadeusz Sławiński" <amade@asmblr.net>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] "grsec: denied RWX mprotect" doesn't kill app anymore
Date: Sat, 1 Nov 2014 11:21:51 +0100	[thread overview]
Message-ID: <20141101112151.5b6d7a07@maelstrom.zone> (raw)
In-Reply-To: <20141101100823.GA22195@home.power>

On Sat, 1 Nov 2014 12:08:23 +0200
Alex Efros <powerman@powerman.name> wrote:

> Hi!
> 
> I wonder if something was changed in the handling of "grsec: denied RWX
> mprotect"? Previously, when I saw this in the kernel log it usually resulted
> in the app being killed (and I had to run `paxctl-ng -m /that/app`), but now it
> looks like this doesn't happen anymore. For example:
> 

https://bugs.freedesktop.org/show_bug.cgi?id=73473

OpenGL apps fall back to software rendering if they can't mmap
executable memory.

> # eselect opengl list
> Available OpenGL implementations:
>   [1]   nvidia *
>   [2]   xorg-x11
> # grep PAX /etc/portage/make.conf 
> PAX_MARKINGS="XT"
> # paxctl-ng -v /usr/bin/glxgears
> /usr/bin/glxgears:
> 	PT_PAX    : -e---
> 	XATTR_PAX : not found
> # /usr/bin/glxgears 
> Running synchronized to the vertical refresh.  The framerate should be
> approximately the same as the monitor refresh rate.
> 302 frames in 5.0 seconds = 60.336 FPS
> 300 frames in 5.0 seconds = 59.960 FPS
> (so, as you see, it works!)
> 
> and here is kernel log:
> 
> 2014-11-01_10:00:19.58867 kern.alert: grsec: denied RWX mprotect
> of /usr/lib64/opengl/nvidia/lib/libGL.so.343.22
> by /usr/bin/glxgears[glxgears:12208] uid/euid:0/0 gid/egid:0/0,
> parent /bin/bash[bash:8601] uid/euid:0/0 gid/egid:0/0
> 
> At the same time paxtest works OK (all killed).
> 
> 
> My kernel config:
> 
> # zgrep PAX /proc/config.gz 
> 
> CONFIG_PAX_USERCOPY_SLABS=y
> CONFIG_PAX=y
> # CONFIG_PAX_SOFTMODE is not set
> # CONFIG_PAX_PT_PAX_FLAGS is not set
> CONFIG_PAX_XATTR_PAX_FLAGS=y
> CONFIG_PAX_NO_ACL_FLAGS=y
> # CONFIG_PAX_HAVE_ACL_FLAGS is not set
> # CONFIG_PAX_HOOK_ACL_FLAGS is not set
> CONFIG_PAX_NOEXEC=y
> CONFIG_PAX_PAGEEXEC=y
> CONFIG_PAX_EMUTRAMP=y
> CONFIG_PAX_MPROTECT=y
> # CONFIG_PAX_MPROTECT_COMPAT is not set
> # CONFIG_PAX_ELFRELOCS is not set
> # CONFIG_PAX_KERNEXEC is not set
> CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""
> CONFIG_PAX_ASLR=y
> # CONFIG_PAX_RANDKSTACK is not set
> CONFIG_PAX_RANDUSTACK=y
> CONFIG_PAX_RANDMMAP=y
> # CONFIG_PAX_MEMORY_SANITIZE is not set
> # CONFIG_PAX_MEMORY_STACKLEAK is not set
> CONFIG_PAX_MEMORY_STRUCTLEAK=y
> # CONFIG_PAX_MEMORY_UDEREF is not set
> CONFIG_PAX_REFCOUNT=y
> CONFIG_PAX_USERCOPY=y
> # CONFIG_PAX_USERCOPY_DEBUG is not set
> # CONFIG_PAX_SIZE_OVERFLOW is not set
> # CONFIG_PAX_LATENT_ENTROPY is not set
> 
> # zgrep GRKERNSEC /proc/config.gz 
> 
> CONFIG_GRKERNSEC=y
> # CONFIG_GRKERNSEC_CONFIG_AUTO is not set
> CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
> CONFIG_GRKERNSEC_PROC_GID=1000
> CONFIG_GRKERNSEC_KMEM=y
> # CONFIG_GRKERNSEC_IO is not set
> CONFIG_GRKERNSEC_PERF_HARDEN=y
> CONFIG_GRKERNSEC_RAND_THREADSTACK=y
> CONFIG_GRKERNSEC_PROC_MEMMAP=y
> # CONFIG_GRKERNSEC_KSTACKOVERFLOW is not set
> # CONFIG_GRKERNSEC_BRUTE is not set
> CONFIG_GRKERNSEC_MODHARDEN=y
> CONFIG_GRKERNSEC_HIDESYM=y
> # CONFIG_GRKERNSEC_RANDSTRUCT is not set
> # CONFIG_GRKERNSEC_KERN_LOCKOUT is not set
> CONFIG_GRKERNSEC_NO_RBAC=y
> CONFIG_GRKERNSEC_ACL_HIDEKERN=y
> CONFIG_GRKERNSEC_ACL_MAXTRIES=3
> CONFIG_GRKERNSEC_ACL_TIMEOUT=30
> CONFIG_GRKERNSEC_PROC=y
> # CONFIG_GRKERNSEC_PROC_USER is not set
> CONFIG_GRKERNSEC_PROC_USERGROUP=y
> CONFIG_GRKERNSEC_PROC_ADD=y
> CONFIG_GRKERNSEC_LINK=y
> # CONFIG_GRKERNSEC_SYMLINKOWN is not set
> CONFIG_GRKERNSEC_FIFO=y
> # CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
> # CONFIG_GRKERNSEC_ROFS is not set
> CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
> CONFIG_GRKERNSEC_CHROOT=y
> CONFIG_GRKERNSEC_CHROOT_MOUNT=y
> CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
> CONFIG_GRKERNSEC_CHROOT_PIVOT=y
> CONFIG_GRKERNSEC_CHROOT_CHDIR=y
> CONFIG_GRKERNSEC_CHROOT_CHMOD=y
> CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
> CONFIG_GRKERNSEC_CHROOT_MKNOD=y
> CONFIG_GRKERNSEC_CHROOT_SHMAT=y
> CONFIG_GRKERNSEC_CHROOT_UNIX=y
> CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
> CONFIG_GRKERNSEC_CHROOT_NICE=y
> CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
> CONFIG_GRKERNSEC_CHROOT_CAPS=y
> # CONFIG_GRKERNSEC_AUDIT_GROUP is not set
> # CONFIG_GRKERNSEC_EXECLOG is not set
> CONFIG_GRKERNSEC_RESLOG=y
> # CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
> CONFIG_GRKERNSEC_AUDIT_PTRACE=y
> # CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
> # CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
> CONFIG_GRKERNSEC_SIGNAL=y
> CONFIG_GRKERNSEC_FORKFAIL=y
> # CONFIG_GRKERNSEC_TIME is not set
> CONFIG_GRKERNSEC_PROC_IPADDR=y
> CONFIG_GRKERNSEC_RWXMAP_LOG=y
> CONFIG_GRKERNSEC_DMESG=y
> CONFIG_GRKERNSEC_HARDEN_PTRACE=y
> CONFIG_GRKERNSEC_PTRACE_READEXEC=y
> CONFIG_GRKERNSEC_SETXID=y
> CONFIG_GRKERNSEC_HARDEN_IPC=y
> # CONFIG_GRKERNSEC_TPE is not set
> CONFIG_GRKERNSEC_RANDNET=y
> CONFIG_GRKERNSEC_BLACKHOLE=y
> CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
> # CONFIG_GRKERNSEC_SOCKET is not set
> # CONFIG_GRKERNSEC_DENYUSB is not set
> CONFIG_GRKERNSEC_SYSCTL=y
> CONFIG_GRKERNSEC_SYSCTL_ON=y
> CONFIG_GRKERNSEC_FLOODTIME=10
> CONFIG_GRKERNSEC_FLOODBURST=4
> 
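The fallback the reply describes, as an added example that is not code from this thread, from the nvidia driver or from Mesa: a small C program that asks for RWX memory the way a JIT would (anonymous RW mapping, then mprotect() to RWX), checks the return value instead of assuming success, and computes the result in plain C when the kernel refuses. On a PaX kernel with CONFIG_PAX_MPROTECT=y and no MPROTECT exemption marked on the binary, the mprotect() call fails and the "grsec: denied RWX mprotect" line is logged, but the process is not killed; it only dies later if it ignores the error and jumps into the buffer. The x86-64 stub bytes and the helper names (get_rwx_buffer, add_two_ints, get_last_mode, get_last_errno) are mine; the errno value is not asserted because it depends on which policy refused the mapping (PaX MPROTECT, SELinux execmem and similar W^X enforcement all surface as a failed mprotect()). The log line in the question is for a file-backed mapping of libGL itself; the example uses an anonymous mapping, but the check-and-degrade pattern is the same.

```c
/* Added example, not from the thread: request RWX memory like a JIT,
 * and degrade gracefully when the kernel (PaX MPROTECT or any other
 * W^X policy) refuses it instead of crashing later.                  */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

enum exec_mode { MODE_UNKNOWN = 0, MODE_JIT, MODE_FALLBACK };

static enum exec_mode last_mode = MODE_UNKNOWN;
static int last_errno = 0;   /* errno from the failed mprotect(), 0 if it succeeded or was not tried */

enum exec_mode get_last_mode(void) { return last_mode; }
int get_last_errno(void) { return last_errno; }

/* Map an anonymous RW region and try to turn it RWX with mprotect().
 * Returns the region, or NULL when the kernel refuses (on a PaX kernel
 * with MPROTECT enforced this is the call that produces the
 * "grsec: denied RWX mprotect" log line; the process keeps running). */
void *get_rwx_buffer(size_t len)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    if (mprotect(p, len, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) {
        last_errno = errno;      /* assumption: exact value depends on the refusing policy */
        munmap(p, len);
        return NULL;
    }
    return p;
}

typedef int (*add_fn)(int, int);

/* Compute a + b. If RWX memory is granted and we are on x86-64, emit a
 * four-byte stub and run it (the "JIT" path); otherwise compute it in C
 * (the "fallback" path, analogous to libGL dropping to software
 * rendering). The result is identical either way. */
int add_two_ints(int a, int b)
{
    const size_t len = 4096;
    last_errno = 0;
    void *code = get_rwx_buffer(len);
    if (code != NULL) {
#if defined(__x86_64__)
        /* lea eax, [rdi + rsi] ; ret   (SysV ABI: a in edi, b in esi) */
        static const unsigned char stub[] = { 0x8d, 0x04, 0x37, 0xc3 };
        add_fn fn;
        memcpy(code, stub, sizeof stub);
        memcpy(&fn, &code, sizeof fn);   /* data-to-function pointer without a cast warning */
        int r = fn(a, b);
        munmap(code, len);
        last_mode = MODE_JIT;
        return r;
#else
        munmap(code, len);   /* RWX was granted, but no stub for this arch: use the fallback */
#endif
    }
    last_mode = MODE_FALLBACK;
    return a + b;
}

int main(void)
{
    int r = add_two_ints(3, 4);
    printf("3 + 4 = %d via %s", r,
           last_mode == MODE_JIT ? "JIT (RWX granted)" : "fallback (RWX refused or unsupported)");
    if (last_mode == MODE_FALLBACK && last_errno != 0)
        printf(", mprotect: %s", strerror(last_errno));
    printf("\n");
    return 0;
}
```

To see both outcomes on one machine, build it, run it once unmarked, then apply the mark from the question (`paxctl-ng -m ./a.out`) and run again: the first run reports the fallback and the kernel logs the denial, the second reports the JIT path. Check `paxctl-ng -v` afterwards, because with the kernel config in the question (CONFIG_PAX_XATTR_PAX_FLAGS=y, CONFIG_PAX_PT_PAX_FLAGS unset) only the XATTR_PAX marking is honoured, and the glxgears output above shows it as "not found".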




Thread overview: 5+ messages
2014-11-01 10:08 [gentoo-hardened] "grsec: denied RWX mprotect" doesn't kill app anymore Alex Efros
2014-11-01 10:21 ` Amadeusz Sławiński [this message]
2014-11-01 22:04   ` Alexander Tsoy
2014-11-01 12:09 ` "Tóth Attila"
2014-11-08 22:51 ` Krzysztof Nowicki
