Date: Sat, 1 Nov 2014 11:21:51 +0100
From: Amadeusz Sławiński
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] "grsec: denied RWX mprotect" doesn't kill app anymore
Message-ID: <20141101112151.5b6d7a07@maelstrom.zone>
In-Reply-To: <20141101100823.GA22195@home.power>
References: <20141101100823.GA22195@home.power>
X-Mailer: Claws Mail 3.10.1 (GTK+ 2.24.25; x86_64-pc-linux-gnu)
List-Id: Gentoo Linux mail
On Sat, 1 Nov 2014 12:08:23 +0200 Alex Efros wrote:

> Hi!
>
> I wonder if something was changed in handling "grsec: denied RWX
> mprotect"? Previously when I saw this in the kernel log it usually
> resulted in the app being killed (and I had to run
> `paxctl-ng -m /that/app`), but now it looks like this doesn't happen
> anymore. For example:
> https://bugs.freedesktop.org/show_bug.cgi?id=73473

OpenGL apps fall back to software rendering if they can't mmap executable memory.

> # eselect opengl list
> Available OpenGL implementations:
>   [1]   nvidia *
>   [2]   xorg-x11
> # grep PAX /etc/portage/make.conf
> PAX_MARKINGS="XT"
> # paxctl-ng -v /usr/bin/glxgears
> /usr/bin/glxgears:
>         PT_PAX    : -e---
>         XATTR_PAX : not found
> # /usr/bin/glxgears
> Running synchronized to the vertical refresh.  The framerate should be
> approximately the same as the monitor refresh rate.
> 302 frames in 5.0 seconds = 60.336 FPS
> 300 frames in 5.0 seconds = 59.960 FPS
> (so, as you see, it works!)
>
> and here is the kernel log:
>
> 2014-11-01_10:00:19.58867 kern.alert: grsec: denied RWX mprotect
> of /usr/lib64/opengl/nvidia/lib/libGL.so.343.22
> by /usr/bin/glxgears[glxgears:12208] uid/euid:0/0 gid/egid:0/0,
> parent /bin/bash[bash:8601] uid/euid:0/0 gid/egid:0/0
>
> At the same time paxtest works ok (all killed).
>
>
> My kernel config:
>
> # zgrep PAX /proc/config.gz
>
> CONFIG_PAX_USERCOPY_SLABS=y
> CONFIG_PAX=y
> # CONFIG_PAX_SOFTMODE is not set
> # CONFIG_PAX_PT_PAX_FLAGS is not set
> CONFIG_PAX_XATTR_PAX_FLAGS=y
> CONFIG_PAX_NO_ACL_FLAGS=y
> # CONFIG_PAX_HAVE_ACL_FLAGS is not set
> # CONFIG_PAX_HOOK_ACL_FLAGS is not set
> CONFIG_PAX_NOEXEC=y
> CONFIG_PAX_PAGEEXEC=y
> CONFIG_PAX_EMUTRAMP=y
> CONFIG_PAX_MPROTECT=y
> # CONFIG_PAX_MPROTECT_COMPAT is not set
> # CONFIG_PAX_ELFRELOCS is not set
> # CONFIG_PAX_KERNEXEC is not set
> CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""
> CONFIG_PAX_ASLR=y
> # CONFIG_PAX_RANDKSTACK is not set
> CONFIG_PAX_RANDUSTACK=y
> CONFIG_PAX_RANDMMAP=y
> # CONFIG_PAX_MEMORY_SANITIZE is not set
> # CONFIG_PAX_MEMORY_STACKLEAK is not set
> CONFIG_PAX_MEMORY_STRUCTLEAK=y
> # CONFIG_PAX_MEMORY_UDEREF is not set
> CONFIG_PAX_REFCOUNT=y
> CONFIG_PAX_USERCOPY=y
> # CONFIG_PAX_USERCOPY_DEBUG is not set
> # CONFIG_PAX_SIZE_OVERFLOW is not set
> # CONFIG_PAX_LATENT_ENTROPY is not set
>
> # zgrep GRKERNSEC /proc/config.gz
>
> CONFIG_GRKERNSEC=y
> # CONFIG_GRKERNSEC_CONFIG_AUTO is not set
> CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
> CONFIG_GRKERNSEC_PROC_GID=1000
> CONFIG_GRKERNSEC_KMEM=y
> # CONFIG_GRKERNSEC_IO is not set
> CONFIG_GRKERNSEC_PERF_HARDEN=y
> CONFIG_GRKERNSEC_RAND_THREADSTACK=y
> CONFIG_GRKERNSEC_PROC_MEMMAP=y
> # CONFIG_GRKERNSEC_KSTACKOVERFLOW is not set
> # CONFIG_GRKERNSEC_BRUTE is not set
> CONFIG_GRKERNSEC_MODHARDEN=y
> CONFIG_GRKERNSEC_HIDESYM=y
> # CONFIG_GRKERNSEC_RANDSTRUCT is not set
> # CONFIG_GRKERNSEC_KERN_LOCKOUT is not set
> CONFIG_GRKERNSEC_NO_RBAC=y
> CONFIG_GRKERNSEC_ACL_HIDEKERN=y
> CONFIG_GRKERNSEC_ACL_MAXTRIES=3
> CONFIG_GRKERNSEC_ACL_TIMEOUT=30
> CONFIG_GRKERNSEC_PROC=y
> # CONFIG_GRKERNSEC_PROC_USER is not set
> CONFIG_GRKERNSEC_PROC_USERGROUP=y
> CONFIG_GRKERNSEC_PROC_ADD=y
> CONFIG_GRKERNSEC_LINK=y
> # CONFIG_GRKERNSEC_SYMLINKOWN is not set
> CONFIG_GRKERNSEC_FIFO=y
> # CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
> # CONFIG_GRKERNSEC_ROFS is not set
> CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
> CONFIG_GRKERNSEC_CHROOT=y
> CONFIG_GRKERNSEC_CHROOT_MOUNT=y
> CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
> CONFIG_GRKERNSEC_CHROOT_PIVOT=y
> CONFIG_GRKERNSEC_CHROOT_CHDIR=y
> CONFIG_GRKERNSEC_CHROOT_CHMOD=y
> CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
> CONFIG_GRKERNSEC_CHROOT_MKNOD=y
> CONFIG_GRKERNSEC_CHROOT_SHMAT=y
> CONFIG_GRKERNSEC_CHROOT_UNIX=y
> CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
> CONFIG_GRKERNSEC_CHROOT_NICE=y
> CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
> CONFIG_GRKERNSEC_CHROOT_CAPS=y
> # CONFIG_GRKERNSEC_AUDIT_GROUP is not set
> # CONFIG_GRKERNSEC_EXECLOG is not set
> CONFIG_GRKERNSEC_RESLOG=y
> # CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
> CONFIG_GRKERNSEC_AUDIT_PTRACE=y
> # CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
> # CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
> CONFIG_GRKERNSEC_SIGNAL=y
> CONFIG_GRKERNSEC_FORKFAIL=y
> # CONFIG_GRKERNSEC_TIME is not set
> CONFIG_GRKERNSEC_PROC_IPADDR=y
> CONFIG_GRKERNSEC_RWXMAP_LOG=y
> CONFIG_GRKERNSEC_DMESG=y
> CONFIG_GRKERNSEC_HARDEN_PTRACE=y
> CONFIG_GRKERNSEC_PTRACE_READEXEC=y
> CONFIG_GRKERNSEC_SETXID=y
> CONFIG_GRKERNSEC_HARDEN_IPC=y
> # CONFIG_GRKERNSEC_TPE is not set
> CONFIG_GRKERNSEC_RANDNET=y
> CONFIG_GRKERNSEC_BLACKHOLE=y
> CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
> # CONFIG_GRKERNSEC_SOCKET is not set
> # CONFIG_GRKERNSEC_DENYUSB is not set
> CONFIG_GRKERNSEC_SYSCTL=y
> CONFIG_GRKERNSEC_SYSCTL_ON=y
> CONFIG_GRKERNSEC_FLOODTIME=10
> CONFIG_GRKERNSEC_FLOODBURST=4
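The behaviour the two messages above are circling, shown as an added example that is not part of the thread and not code from glxgears, the nvidia driver or paxtest: a program asks for RWX memory the way a JIT or a driver's shader compiler does, notices the refusal instead of blindly jumping into the page, and takes a software fallback. The "denied RWX mprotect" line is logged when mprotect() is refused; whether the process then dies depends entirely on what it does next. Assumptions: x86-64 Linux for the generated-code path; that the PaX MPROTECT refusal surfaces as EACCES or EPERM from mprotect() (the example treats both as the policy refusal); and an anonymous mapping rather than the file-backed libGL segment seen in the posted log. On a kernel without CONFIG_PAX_MPROTECT the mprotect() succeeds and the generated code runs.

```c
/* Added example (not from the thread): how a "denied RWX mprotect" looks
 * from user space, and why it need not kill the program.
 * Assumes x86-64 Linux for the native path. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef int (*add_fn)(int, int);

/* Which path add_via_jit() actually took. */
enum add_path { PATH_NONE = 0, PATH_NATIVE = 1, PATH_FALLBACK = 2 };

/* The "software rendering" stand-in: plain C, no executable memory needed. */
static int add_fallback(int a, int b) { return a + b; }

/*
 * Request an RWX page the way a JIT or a shader compiler does: anonymous
 * RW mapping, then mprotect() to add PROT_EXEC.
 *
 * Under CONFIG_PAX_MPROTECT, with no "m" marking on the binary, the
 * mprotect() call is refused; that refusal is when the kernel logs
 * "grsec: denied RWX mprotect of ... by ...". Nothing is killed here,
 * because nothing has executed yet. This example treats EACCES and EPERM
 * as the policy refusal (assumption) and any other errno as a real error.
 *
 * Returns the mapping, or NULL with *err set.
 */
static void *get_rwx_page(size_t len, int *err)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) {
        *err = errno;
        return NULL;
    }
    if (mprotect(p, len, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) {
        *err = errno;
        munmap(p, len);
        return NULL;
    }
    *err = 0;
    return p;
}

/*
 * Add two ints, preferring a tiny generated x86-64 routine and falling
 * back to C when executable memory is refused. A program that ignored the
 * mprotect() result and jumped into the still-RW page would instead die
 * with SIGSEGV from PAGEEXEC: that is the "killed app" of the past.
 */
int add_via_jit(int a, int b, enum add_path *path)
{
#if defined(__x86_64__)
    /* mov eax, edi ; add eax, esi ; ret   (System V x86-64 calling convention) */
    static const uint8_t code[] = { 0x89, 0xF8, 0x01, 0xF0, 0xC3 };
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    int err = 0;
    void *mem = get_rwx_page(len, &err);

    if (mem != NULL) {
        add_fn fn;
        memcpy(mem, code, sizeof code);
        memcpy(&fn, &mem, sizeof fn);   /* object pointer -> function pointer without a UB cast */
        int r = fn(a, b);
        munmap(mem, len);
        *path = PATH_NATIVE;
        return r;
    }
    if (err == EACCES || err == EPERM) {
        fprintf(stderr, "RWX refused (%s): check the kernel log and "
                        "paxctl-ng -v on this binary; using fallback\n",
                strerror(err));
    } else {
        fprintf(stderr, "mmap/mprotect failed: %s; using fallback\n",
                strerror(err));
    }
#endif
    *path = PATH_FALLBACK;
    return add_fallback(a, b);
}

int main(void)
{
    enum add_path path = PATH_NONE;
    int r = add_via_jit(40, 2, &path);
    printf("40 + 2 = %d via %s\n", r,
           path == PATH_NATIVE ? "generated code in an RWX page" : "C fallback");
    return r == 42 ? 0 : 1;
}
```

Build with `cc -O2 -o rwxdemo rwxdemo.c`. On a kernel with the posted config the run prints the "RWX refused" line, the kernel log shows the "denied RWX mprotect" entry at the same moment, and the process exits 0 anyway, which is exactly the glxgears picture above. Marking the binary with `paxctl-ng -m` as in the original post would make the generated-code path succeed again; note that the posted kernel has CONFIG_PAX_PT_PAX_FLAGS unset and CONFIG_PAX_XATTR_PAX_FLAGS=y, so only an XATTR_PAX marking counts for it, and the `paxctl-ng -v` output above shows none present on glxgears.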