* [gentoo-hardened] "grsec: denied RWX mprotect" doesn't kill app anymore
@ 2014-11-01 10:08 Alex Efros
2014-11-01 10:21 ` Amadeusz Sławiński
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Alex Efros @ 2014-11-01 10:08 UTC (permalink / raw
To: gentoo-hardened
Hi!
I wonder is something was changed in handling "grsec: denied RWX mprotect"?
Previously when I see this in kernel log it usually result in killing app
(and I've to run `paxctl-ng -m /that/app`), but now it looks like this
doesn't happens anymore. For example:
# eselect opengl list
Available OpenGL implementations:
[1] nvidia *
[2] xorg-x11
# grep PAX /etc/portage/make.conf
PAX_MARKINGS="XT"
# paxctl-ng -v /usr/bin/glxgears
/usr/bin/glxgears:
PT_PAX : -e---
XATTR_PAX : not found
# /usr/bin/glxgears
Running synchronized to the vertical refresh. The framerate should be
approximately the same as the monitor refresh rate.
302 frames in 5.0 seconds = 60.336 FPS
300 frames in 5.0 seconds = 59.960 FPS
(so, as you see, it works!)
and here is kernel log:
2014-11-01_10:00:19.58867 kern.alert: grsec: denied RWX mprotect of /usr/lib64/opengl/nvidia/lib/libGL.so.343.22 by /usr/bin/glxgears[glxgears:12208] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:8601] uid/euid:0/0 gid/egid:0/0
At same time paxtest works ok (all killed).
My kernel config:
# zgrep PAX /proc/config.gz
CONFIG_PAX_USERCOPY_SLABS=y
CONFIG_PAX=y
# CONFIG_PAX_SOFTMODE is not set
# CONFIG_PAX_PT_PAX_FLAGS is not set
CONFIG_PAX_XATTR_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_MPROTECT_COMPAT is not set
# CONFIG_PAX_ELFRELOCS is not set
# CONFIG_PAX_KERNEXEC is not set
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""
CONFIG_PAX_ASLR=y
# CONFIG_PAX_RANDKSTACK is not set
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_MEMORY_SANITIZE is not set
# CONFIG_PAX_MEMORY_STACKLEAK is not set
CONFIG_PAX_MEMORY_STRUCTLEAK=y
# CONFIG_PAX_MEMORY_UDEREF is not set
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_USERCOPY=y
# CONFIG_PAX_USERCOPY_DEBUG is not set
# CONFIG_PAX_SIZE_OVERFLOW is not set
# CONFIG_PAX_LATENT_ENTROPY is not set
# zgrep GRKERNSEC /proc/config.gz
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_CONFIG_AUTO is not set
CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
CONFIG_GRKERNSEC_PROC_GID=1000
CONFIG_GRKERNSEC_KMEM=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PERF_HARDEN=y
CONFIG_GRKERNSEC_RAND_THREADSTACK=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
# CONFIG_GRKERNSEC_KSTACKOVERFLOW is not set
# CONFIG_GRKERNSEC_BRUTE is not set
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_HIDESYM=y
# CONFIG_GRKERNSEC_RANDSTRUCT is not set
# CONFIG_GRKERNSEC_KERN_LOCKOUT is not set
CONFIG_GRKERNSEC_NO_RBAC=y
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
# CONFIG_GRKERNSEC_SYMLINKOWN is not set
CONFIG_GRKERNSEC_FIFO=y
# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
# CONFIG_GRKERNSEC_ROFS is not set
CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
CONFIG_GRKERNSEC_AUDIT_PTRACE=y
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
# CONFIG_GRKERNSEC_TIME is not set
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_RWXMAP_LOG=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_READEXEC=y
CONFIG_GRKERNSEC_SETXID=y
CONFIG_GRKERNSEC_HARDEN_IPC=y
# CONFIG_GRKERNSEC_TPE is not set
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_BLACKHOLE=y
CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
# CONFIG_GRKERNSEC_SOCKET is not set
# CONFIG_GRKERNSEC_DENYUSB is not set
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
--
WBR, Alex.
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [gentoo-hardened] "grsec: denied RWX mprotect" doesn't kill app anymore
2014-11-01 10:08 [gentoo-hardened] "grsec: denied RWX mprotect" doesn't kill app anymore Alex Efros
@ 2014-11-01 10:21 ` Amadeusz Sławiński
2014-11-01 22:04 ` Alexander Tsoy
2014-11-01 12:09 ` "Tóth Attila"
2014-11-08 22:51 ` Krzysztof Nowicki
2 siblings, 1 reply; 5+ messages in thread
From: Amadeusz Sławiński @ 2014-11-01 10:21 UTC (permalink / raw
To: gentoo-hardened
On Sat, 1 Nov 2014 12:08:23 +0200
Alex Efros <powerman@powerman.name> wrote:
> Hi!
>
> I wonder is something was changed in handling "grsec: denied RWX
> mprotect"? Previously when I see this in kernel log it usually result
> in killing app (and I've to run `paxctl-ng -m /that/app`), but now it
> looks like this doesn't happens anymore. For example:
>
https://bugs.freedesktop.org/show_bug.cgi?id=73473
OpenGL apps fallback to software rendering if they can't mmap
executable memory.
> # eselect opengl list
> Available OpenGL implementations:
> [1] nvidia *
> [2] xorg-x11
> # grep PAX /etc/portage/make.conf
> PAX_MARKINGS="XT"
> # paxctl-ng -v /usr/bin/glxgears
> /usr/bin/glxgears:
> PT_PAX : -e---
> XATTR_PAX : not found
> # /usr/bin/glxgears
> Running synchronized to the vertical refresh. The framerate should be
> approximately the same as the monitor refresh rate.
> 302 frames in 5.0 seconds = 60.336 FPS
> 300 frames in 5.0 seconds = 59.960 FPS
> (so, as you see, it works!)
>
> and here is kernel log:
>
> 2014-11-01_10:00:19.58867 kern.alert: grsec: denied RWX mprotect
> of /usr/lib64/opengl/nvidia/lib/libGL.so.343.22
> by /usr/bin/glxgears[glxgears:12208] uid/euid:0/0 gid/egid:0/0,
> parent /bin/bash[bash:8601] uid/euid:0/0 gid/egid:0/0
>
> At same time paxtest works ok (all killed).
>
>
> My kernel config:
>
> # zgrep PAX /proc/config.gz
>
> CONFIG_PAX_USERCOPY_SLABS=y
> CONFIG_PAX=y
> # CONFIG_PAX_SOFTMODE is not set
> # CONFIG_PAX_PT_PAX_FLAGS is not set
> CONFIG_PAX_XATTR_PAX_FLAGS=y
> CONFIG_PAX_NO_ACL_FLAGS=y
> # CONFIG_PAX_HAVE_ACL_FLAGS is not set
> # CONFIG_PAX_HOOK_ACL_FLAGS is not set
> CONFIG_PAX_NOEXEC=y
> CONFIG_PAX_PAGEEXEC=y
> CONFIG_PAX_EMUTRAMP=y
> CONFIG_PAX_MPROTECT=y
> # CONFIG_PAX_MPROTECT_COMPAT is not set
> # CONFIG_PAX_ELFRELOCS is not set
> # CONFIG_PAX_KERNEXEC is not set
> CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""
> CONFIG_PAX_ASLR=y
> # CONFIG_PAX_RANDKSTACK is not set
> CONFIG_PAX_RANDUSTACK=y
> CONFIG_PAX_RANDMMAP=y
> # CONFIG_PAX_MEMORY_SANITIZE is not set
> # CONFIG_PAX_MEMORY_STACKLEAK is not set
> CONFIG_PAX_MEMORY_STRUCTLEAK=y
> # CONFIG_PAX_MEMORY_UDEREF is not set
> CONFIG_PAX_REFCOUNT=y
> CONFIG_PAX_USERCOPY=y
> # CONFIG_PAX_USERCOPY_DEBUG is not set
> # CONFIG_PAX_SIZE_OVERFLOW is not set
> # CONFIG_PAX_LATENT_ENTROPY is not set
>
> # zgrep GRKERNSEC /proc/config.gz
>
> CONFIG_GRKERNSEC=y
> # CONFIG_GRKERNSEC_CONFIG_AUTO is not set
> CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
> CONFIG_GRKERNSEC_PROC_GID=1000
> CONFIG_GRKERNSEC_KMEM=y
> # CONFIG_GRKERNSEC_IO is not set
> CONFIG_GRKERNSEC_PERF_HARDEN=y
> CONFIG_GRKERNSEC_RAND_THREADSTACK=y
> CONFIG_GRKERNSEC_PROC_MEMMAP=y
> # CONFIG_GRKERNSEC_KSTACKOVERFLOW is not set
> # CONFIG_GRKERNSEC_BRUTE is not set
> CONFIG_GRKERNSEC_MODHARDEN=y
> CONFIG_GRKERNSEC_HIDESYM=y
> # CONFIG_GRKERNSEC_RANDSTRUCT is not set
> # CONFIG_GRKERNSEC_KERN_LOCKOUT is not set
> CONFIG_GRKERNSEC_NO_RBAC=y
> CONFIG_GRKERNSEC_ACL_HIDEKERN=y
> CONFIG_GRKERNSEC_ACL_MAXTRIES=3
> CONFIG_GRKERNSEC_ACL_TIMEOUT=30
> CONFIG_GRKERNSEC_PROC=y
> # CONFIG_GRKERNSEC_PROC_USER is not set
> CONFIG_GRKERNSEC_PROC_USERGROUP=y
> CONFIG_GRKERNSEC_PROC_ADD=y
> CONFIG_GRKERNSEC_LINK=y
> # CONFIG_GRKERNSEC_SYMLINKOWN is not set
> CONFIG_GRKERNSEC_FIFO=y
> # CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
> # CONFIG_GRKERNSEC_ROFS is not set
> CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
> CONFIG_GRKERNSEC_CHROOT=y
> CONFIG_GRKERNSEC_CHROOT_MOUNT=y
> CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
> CONFIG_GRKERNSEC_CHROOT_PIVOT=y
> CONFIG_GRKERNSEC_CHROOT_CHDIR=y
> CONFIG_GRKERNSEC_CHROOT_CHMOD=y
> CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
> CONFIG_GRKERNSEC_CHROOT_MKNOD=y
> CONFIG_GRKERNSEC_CHROOT_SHMAT=y
> CONFIG_GRKERNSEC_CHROOT_UNIX=y
> CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
> CONFIG_GRKERNSEC_CHROOT_NICE=y
> CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
> CONFIG_GRKERNSEC_CHROOT_CAPS=y
> # CONFIG_GRKERNSEC_AUDIT_GROUP is not set
> # CONFIG_GRKERNSEC_EXECLOG is not set
> CONFIG_GRKERNSEC_RESLOG=y
> # CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
> CONFIG_GRKERNSEC_AUDIT_PTRACE=y
> # CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
> # CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
> CONFIG_GRKERNSEC_SIGNAL=y
> CONFIG_GRKERNSEC_FORKFAIL=y
> # CONFIG_GRKERNSEC_TIME is not set
> CONFIG_GRKERNSEC_PROC_IPADDR=y
> CONFIG_GRKERNSEC_RWXMAP_LOG=y
> CONFIG_GRKERNSEC_DMESG=y
> CONFIG_GRKERNSEC_HARDEN_PTRACE=y
> CONFIG_GRKERNSEC_PTRACE_READEXEC=y
> CONFIG_GRKERNSEC_SETXID=y
> CONFIG_GRKERNSEC_HARDEN_IPC=y
> # CONFIG_GRKERNSEC_TPE is not set
> CONFIG_GRKERNSEC_RANDNET=y
> CONFIG_GRKERNSEC_BLACKHOLE=y
> CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
> # CONFIG_GRKERNSEC_SOCKET is not set
> # CONFIG_GRKERNSEC_DENYUSB is not set
> CONFIG_GRKERNSEC_SYSCTL=y
> CONFIG_GRKERNSEC_SYSCTL_ON=y
> CONFIG_GRKERNSEC_FLOODTIME=10
> CONFIG_GRKERNSEC_FLOODBURST=4
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [gentoo-hardened] "grsec: denied RWX mprotect" doesn't kill app anymore
2014-11-01 10:21 ` Amadeusz Sławiński
@ 2014-11-01 22:04 ` Alexander Tsoy
0 siblings, 0 replies; 5+ messages in thread
From: Alexander Tsoy @ 2014-11-01 22:04 UTC (permalink / raw
To: gentoo-hardened
В Sat, 1 Nov 2014 11:21:51 +0100
Amadeusz Sławiński <amade@asmblr.net> пишет:
> On Sat, 1 Nov 2014 12:08:23 +0200
> Alex Efros <powerman@powerman.name> wrote:
>
> > Hi!
> >
> > I wonder is something was changed in handling "grsec: denied RWX
> > mprotect"? Previously when I see this in kernel log it usually
> > result in killing app (and I've to run `paxctl-ng -m /that/app`),
> > but now it looks like this doesn't happens anymore. For example:
> >
>
> https://bugs.freedesktop.org/show_bug.cgi?id=73473
>
> OpenGL apps fallback to software rendering if they can't mmap
> executable memory.
Alex uses nvidia blob, so fdo bug is unrelated here:
> > # eselect opengl list
> > Available OpenGL implementations:
> > [1] nvidia *
> > [2] xorg-x11
--
Alexander Tsoy
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [gentoo-hardened] "grsec: denied RWX mprotect" doesn't kill app anymore
2014-11-01 10:08 [gentoo-hardened] "grsec: denied RWX mprotect" doesn't kill app anymore Alex Efros
2014-11-01 10:21 ` Amadeusz Sławiński
@ 2014-11-01 12:09 ` "Tóth Attila"
2014-11-08 22:51 ` Krzysztof Nowicki
2 siblings, 0 replies; 5+ messages in thread
From: "Tóth Attila" @ 2014-11-01 12:09 UTC (permalink / raw
To: gentoo-hardened
There have been changes in the toolchain:
https://sourceware.org/bugzilla/show_bug.cgi?id=12492
Application also handle these situations nowdays and survive the denial
instead of crashing.
Like clamav developers made the software aware of such a situation:
https://bugs.gentoo.org/show_bug.cgi?id=326199
BR: Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057
2014.November 1.(Szo) 11:08 időpontban Alex Efros ezt írta:
> Hi!
>
> I wonder is something was changed in handling "grsec: denied RWX
> mprotect"?
> Previously when I see this in kernel log it usually result in killing app
> (and I've to run `paxctl-ng -m /that/app`), but now it looks like this
> doesn't happens anymore. For example:
>
> # eselect opengl list
> Available OpenGL implementations:
> [1] nvidia *
> [2] xorg-x11
> # grep PAX /etc/portage/make.conf
> PAX_MARKINGS="XT"
> # paxctl-ng -v /usr/bin/glxgears
> /usr/bin/glxgears:
> PT_PAX : -e---
> XATTR_PAX : not found
> # /usr/bin/glxgears
> Running synchronized to the vertical refresh. The framerate should be
> approximately the same as the monitor refresh rate.
> 302 frames in 5.0 seconds = 60.336 FPS
> 300 frames in 5.0 seconds = 59.960 FPS
> (so, as you see, it works!)
>
> and here is kernel log:
>
> 2014-11-01_10:00:19.58867 kern.alert: grsec: denied RWX mprotect of
> /usr/lib64/opengl/nvidia/lib/libGL.so.343.22 by
> /usr/bin/glxgears[glxgears:12208] uid/euid:0/0 gid/egid:0/0, parent
> /bin/bash[bash:8601] uid/euid:0/0 gid/egid:0/0
>
> At same time paxtest works ok (all killed).
>
>
> My kernel config:
>
> # zgrep PAX /proc/config.gz
>
> CONFIG_PAX_USERCOPY_SLABS=y
> CONFIG_PAX=y
> # CONFIG_PAX_SOFTMODE is not set
> # CONFIG_PAX_PT_PAX_FLAGS is not set
> CONFIG_PAX_XATTR_PAX_FLAGS=y
> CONFIG_PAX_NO_ACL_FLAGS=y
> # CONFIG_PAX_HAVE_ACL_FLAGS is not set
> # CONFIG_PAX_HOOK_ACL_FLAGS is not set
> CONFIG_PAX_NOEXEC=y
> CONFIG_PAX_PAGEEXEC=y
> CONFIG_PAX_EMUTRAMP=y
> CONFIG_PAX_MPROTECT=y
> # CONFIG_PAX_MPROTECT_COMPAT is not set
> # CONFIG_PAX_ELFRELOCS is not set
> # CONFIG_PAX_KERNEXEC is not set
> CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""
> CONFIG_PAX_ASLR=y
> # CONFIG_PAX_RANDKSTACK is not set
> CONFIG_PAX_RANDUSTACK=y
> CONFIG_PAX_RANDMMAP=y
> # CONFIG_PAX_MEMORY_SANITIZE is not set
> # CONFIG_PAX_MEMORY_STACKLEAK is not set
> CONFIG_PAX_MEMORY_STRUCTLEAK=y
> # CONFIG_PAX_MEMORY_UDEREF is not set
> CONFIG_PAX_REFCOUNT=y
> CONFIG_PAX_USERCOPY=y
> # CONFIG_PAX_USERCOPY_DEBUG is not set
> # CONFIG_PAX_SIZE_OVERFLOW is not set
> # CONFIG_PAX_LATENT_ENTROPY is not set
>
> # zgrep GRKERNSEC /proc/config.gz
>
> CONFIG_GRKERNSEC=y
> # CONFIG_GRKERNSEC_CONFIG_AUTO is not set
> CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
> CONFIG_GRKERNSEC_PROC_GID=1000
> CONFIG_GRKERNSEC_KMEM=y
> # CONFIG_GRKERNSEC_IO is not set
> CONFIG_GRKERNSEC_PERF_HARDEN=y
> CONFIG_GRKERNSEC_RAND_THREADSTACK=y
> CONFIG_GRKERNSEC_PROC_MEMMAP=y
> # CONFIG_GRKERNSEC_KSTACKOVERFLOW is not set
> # CONFIG_GRKERNSEC_BRUTE is not set
> CONFIG_GRKERNSEC_MODHARDEN=y
> CONFIG_GRKERNSEC_HIDESYM=y
> # CONFIG_GRKERNSEC_RANDSTRUCT is not set
> # CONFIG_GRKERNSEC_KERN_LOCKOUT is not set
> CONFIG_GRKERNSEC_NO_RBAC=y
> CONFIG_GRKERNSEC_ACL_HIDEKERN=y
> CONFIG_GRKERNSEC_ACL_MAXTRIES=3
> CONFIG_GRKERNSEC_ACL_TIMEOUT=30
> CONFIG_GRKERNSEC_PROC=y
> # CONFIG_GRKERNSEC_PROC_USER is not set
> CONFIG_GRKERNSEC_PROC_USERGROUP=y
> CONFIG_GRKERNSEC_PROC_ADD=y
> CONFIG_GRKERNSEC_LINK=y
> # CONFIG_GRKERNSEC_SYMLINKOWN is not set
> CONFIG_GRKERNSEC_FIFO=y
> # CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
> # CONFIG_GRKERNSEC_ROFS is not set
> CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
> CONFIG_GRKERNSEC_CHROOT=y
> CONFIG_GRKERNSEC_CHROOT_MOUNT=y
> CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
> CONFIG_GRKERNSEC_CHROOT_PIVOT=y
> CONFIG_GRKERNSEC_CHROOT_CHDIR=y
> CONFIG_GRKERNSEC_CHROOT_CHMOD=y
> CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
> CONFIG_GRKERNSEC_CHROOT_MKNOD=y
> CONFIG_GRKERNSEC_CHROOT_SHMAT=y
> CONFIG_GRKERNSEC_CHROOT_UNIX=y
> CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
> CONFIG_GRKERNSEC_CHROOT_NICE=y
> CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
> CONFIG_GRKERNSEC_CHROOT_CAPS=y
> # CONFIG_GRKERNSEC_AUDIT_GROUP is not set
> # CONFIG_GRKERNSEC_EXECLOG is not set
> CONFIG_GRKERNSEC_RESLOG=y
> # CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
> CONFIG_GRKERNSEC_AUDIT_PTRACE=y
> # CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
> # CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
> CONFIG_GRKERNSEC_SIGNAL=y
> CONFIG_GRKERNSEC_FORKFAIL=y
> # CONFIG_GRKERNSEC_TIME is not set
> CONFIG_GRKERNSEC_PROC_IPADDR=y
> CONFIG_GRKERNSEC_RWXMAP_LOG=y
> CONFIG_GRKERNSEC_DMESG=y
> CONFIG_GRKERNSEC_HARDEN_PTRACE=y
> CONFIG_GRKERNSEC_PTRACE_READEXEC=y
> CONFIG_GRKERNSEC_SETXID=y
> CONFIG_GRKERNSEC_HARDEN_IPC=y
> # CONFIG_GRKERNSEC_TPE is not set
> CONFIG_GRKERNSEC_RANDNET=y
> CONFIG_GRKERNSEC_BLACKHOLE=y
> CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
> # CONFIG_GRKERNSEC_SOCKET is not set
> # CONFIG_GRKERNSEC_DENYUSB is not set
> CONFIG_GRKERNSEC_SYSCTL=y
> CONFIG_GRKERNSEC_SYSCTL_ON=y
> CONFIG_GRKERNSEC_FLOODTIME=10
> CONFIG_GRKERNSEC_FLOODBURST=4
>
> --
> WBR, Alex.
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [gentoo-hardened] "grsec: denied RWX mprotect" doesn't kill app anymore
2014-11-01 10:08 [gentoo-hardened] "grsec: denied RWX mprotect" doesn't kill app anymore Alex Efros
2014-11-01 10:21 ` Amadeusz Sławiński
2014-11-01 12:09 ` "Tóth Attila"
@ 2014-11-08 22:51 ` Krzysztof Nowicki
2 siblings, 0 replies; 5+ messages in thread
From: Krzysztof Nowicki @ 2014-11-08 22:51 UTC (permalink / raw
To: gentoo-hardened
On 01.11.2014 11:08, Alex Efros wrote:
> Hi!
>
> I wonder is something was changed in handling "grsec: denied RWX mprotect"?
> Previously when I see this in kernel log it usually result in killing app
> (and I've to run `paxctl-ng -m /that/app`), but now it looks like this
> doesn't happens anymore. For example:
>
> # eselect opengl list
> Available OpenGL implementations:
> [1] nvidia *
> [2] xorg-x11
> # grep PAX /etc/portage/make.conf
> PAX_MARKINGS="XT"
> # paxctl-ng -v /usr/bin/glxgears
> /usr/bin/glxgears:
> PT_PAX : -e---
> XATTR_PAX : not found
> # /usr/bin/glxgears
> Running synchronized to the vertical refresh. The framerate should be
> approximately the same as the monitor refresh rate.
> 302 frames in 5.0 seconds = 60.336 FPS
> 300 frames in 5.0 seconds = 59.960 FPS
> (so, as you see, it works!)
>
> and here is kernel log:
>
> 2014-11-01_10:00:19.58867 kern.alert: grsec: denied RWX mprotect of /usr/lib64/opengl/nvidia/lib/libGL.so.343.22 by /usr/bin/glxgears[glxgears:12208] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:8601] uid/euid:0/0 gid/egid:0/0
Since nvidia-drivers-340.17 NVIDIA implemented some fallbacks for
systems where writing to executable memory is not allowed:
2014-06-09 version 340.17
[...]
* Improved support for running the NVIDIA driver in configurations
where
writing to executable memory is disallowed. Driver optimizations
that
require writing to executable memory can be forcefully disabled
using the
new __GL_WRITE_TEXT_SECTION environment variable. See the README
for more
details.
I haven't tested this myself yet, but it seems this should finally allow
running NVIDIA binary driver on PaX-enabled systems.
>
> At same time paxtest works ok (all killed).
>
>
> My kernel config:
>
> # zgrep PAX /proc/config.gz
>
> CONFIG_PAX_USERCOPY_SLABS=y
> CONFIG_PAX=y
> # CONFIG_PAX_SOFTMODE is not set
> # CONFIG_PAX_PT_PAX_FLAGS is not set
> CONFIG_PAX_XATTR_PAX_FLAGS=y
> CONFIG_PAX_NO_ACL_FLAGS=y
> # CONFIG_PAX_HAVE_ACL_FLAGS is not set
> # CONFIG_PAX_HOOK_ACL_FLAGS is not set
> CONFIG_PAX_NOEXEC=y
> CONFIG_PAX_PAGEEXEC=y
> CONFIG_PAX_EMUTRAMP=y
> CONFIG_PAX_MPROTECT=y
> # CONFIG_PAX_MPROTECT_COMPAT is not set
> # CONFIG_PAX_ELFRELOCS is not set
> # CONFIG_PAX_KERNEXEC is not set
> CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""
> CONFIG_PAX_ASLR=y
> # CONFIG_PAX_RANDKSTACK is not set
> CONFIG_PAX_RANDUSTACK=y
> CONFIG_PAX_RANDMMAP=y
> # CONFIG_PAX_MEMORY_SANITIZE is not set
> # CONFIG_PAX_MEMORY_STACKLEAK is not set
> CONFIG_PAX_MEMORY_STRUCTLEAK=y
> # CONFIG_PAX_MEMORY_UDEREF is not set
> CONFIG_PAX_REFCOUNT=y
> CONFIG_PAX_USERCOPY=y
> # CONFIG_PAX_USERCOPY_DEBUG is not set
> # CONFIG_PAX_SIZE_OVERFLOW is not set
> # CONFIG_PAX_LATENT_ENTROPY is not set
>
> # zgrep GRKERNSEC /proc/config.gz
>
> CONFIG_GRKERNSEC=y
> # CONFIG_GRKERNSEC_CONFIG_AUTO is not set
> CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
> CONFIG_GRKERNSEC_PROC_GID=1000
> CONFIG_GRKERNSEC_KMEM=y
> # CONFIG_GRKERNSEC_IO is not set
> CONFIG_GRKERNSEC_PERF_HARDEN=y
> CONFIG_GRKERNSEC_RAND_THREADSTACK=y
> CONFIG_GRKERNSEC_PROC_MEMMAP=y
> # CONFIG_GRKERNSEC_KSTACKOVERFLOW is not set
> # CONFIG_GRKERNSEC_BRUTE is not set
> CONFIG_GRKERNSEC_MODHARDEN=y
> CONFIG_GRKERNSEC_HIDESYM=y
> # CONFIG_GRKERNSEC_RANDSTRUCT is not set
> # CONFIG_GRKERNSEC_KERN_LOCKOUT is not set
> CONFIG_GRKERNSEC_NO_RBAC=y
> CONFIG_GRKERNSEC_ACL_HIDEKERN=y
> CONFIG_GRKERNSEC_ACL_MAXTRIES=3
> CONFIG_GRKERNSEC_ACL_TIMEOUT=30
> CONFIG_GRKERNSEC_PROC=y
> # CONFIG_GRKERNSEC_PROC_USER is not set
> CONFIG_GRKERNSEC_PROC_USERGROUP=y
> CONFIG_GRKERNSEC_PROC_ADD=y
> CONFIG_GRKERNSEC_LINK=y
> # CONFIG_GRKERNSEC_SYMLINKOWN is not set
> CONFIG_GRKERNSEC_FIFO=y
> # CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
> # CONFIG_GRKERNSEC_ROFS is not set
> CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
> CONFIG_GRKERNSEC_CHROOT=y
> CONFIG_GRKERNSEC_CHROOT_MOUNT=y
> CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
> CONFIG_GRKERNSEC_CHROOT_PIVOT=y
> CONFIG_GRKERNSEC_CHROOT_CHDIR=y
> CONFIG_GRKERNSEC_CHROOT_CHMOD=y
> CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
> CONFIG_GRKERNSEC_CHROOT_MKNOD=y
> CONFIG_GRKERNSEC_CHROOT_SHMAT=y
> CONFIG_GRKERNSEC_CHROOT_UNIX=y
> CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
> CONFIG_GRKERNSEC_CHROOT_NICE=y
> CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
> CONFIG_GRKERNSEC_CHROOT_CAPS=y
> # CONFIG_GRKERNSEC_AUDIT_GROUP is not set
> # CONFIG_GRKERNSEC_EXECLOG is not set
> CONFIG_GRKERNSEC_RESLOG=y
> # CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
> CONFIG_GRKERNSEC_AUDIT_PTRACE=y
> # CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
> # CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
> CONFIG_GRKERNSEC_SIGNAL=y
> CONFIG_GRKERNSEC_FORKFAIL=y
> # CONFIG_GRKERNSEC_TIME is not set
> CONFIG_GRKERNSEC_PROC_IPADDR=y
> CONFIG_GRKERNSEC_RWXMAP_LOG=y
> CONFIG_GRKERNSEC_DMESG=y
> CONFIG_GRKERNSEC_HARDEN_PTRACE=y
> CONFIG_GRKERNSEC_PTRACE_READEXEC=y
> CONFIG_GRKERNSEC_SETXID=y
> CONFIG_GRKERNSEC_HARDEN_IPC=y
> # CONFIG_GRKERNSEC_TPE is not set
> CONFIG_GRKERNSEC_RANDNET=y
> CONFIG_GRKERNSEC_BLACKHOLE=y
> CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
> # CONFIG_GRKERNSEC_SOCKET is not set
> # CONFIG_GRKERNSEC_DENYUSB is not set
> CONFIG_GRKERNSEC_SYSCTL=y
> CONFIG_GRKERNSEC_SYSCTL_ON=y
> CONFIG_GRKERNSEC_FLOODTIME=10
> CONFIG_GRKERNSEC_FLOODBURST=4
>
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2014-11-08 22:51 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-11-01 10:08 [gentoo-hardened] "grsec: denied RWX mprotect" doesn't kill app anymore Alex Efros
2014-11-01 10:21 ` Amadeusz Sławiński
2014-11-01 22:04 ` Alexander Tsoy
2014-11-01 12:09 ` "Tóth Attila"
2014-11-08 22:51 ` Krzysztof Nowicki
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox