public inbox for gentoo-hardened@lists.gentoo.org
* [gentoo-hardened] Which hardened kernel feature disables wine?
@ 2009-01-13 19:00 Grant
  2009-01-13 19:42 ` Javier J. Martínez Cabezón
  2009-01-13 20:09 ` Ned Ludd
  0 siblings, 2 replies; 12+ messages in thread
From: Grant @ 2009-01-13 19:00 UTC
  To: gentoo-hardened

I'm using the grsecurity "Gentoo (workstation)" setting in my hardened
kernel, but trying to use wine I get this:

err:heap:HEAP_GetPtr Invalid heap (nil)!
err:heap:HEAP_GetPtr Invalid heap (nil)!
err:module:attach_process_dlls "KERNEL32.dll" failed to initialize, aborting
err:module:LdrInitializeThunk Main exe initialization for
L"C:\\windows\\system32\\wineboot.exe" failed, status c0000005

If I remove grsecurity from the kernel, wine works fine.  Does anyone
know how to fix this or which grsecurity option I can disable to
enable wine?

- Grant



^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [gentoo-hardened] Which hardened kernel feature disables wine?
  2009-01-13 19:00 [gentoo-hardened] Which hardened kernel feature disables wine? Grant
@ 2009-01-13 19:42 ` Javier J. Martínez Cabezón
  2009-01-13 20:09 ` Ned Ludd
  1 sibling, 0 replies; 12+ messages in thread
From: Javier J. Martínez Cabezón @ 2009-01-13 19:42 UTC
  To: gentoo-hardened

PaX tells you something?

2009/1/13 Grant <emailgrant@gmail.com>:
> I'm using the grsecurity "Gentoo (workstation)" setting in my hardened
> kernel, but trying to use wine I get this:
>
> err:heap:HEAP_GetPtr Invalid heap (nil)!
> err:heap:HEAP_GetPtr Invalid heap (nil)!
> err:module:attach_process_dlls "KERNEL32.dll" failed to initialize, aborting
> err:module:LdrInitializeThunk Main exe initialization for
> L"C:\\windows\\system32\\wineboot.exe" failed, status c0000005
>
> If I remove grsecurity from the kernel, wine works fine.  Does anyone
> know how to fix this or which grsecurity option I can disable to
> enable wine?
>
> - Grant
>
>




* Re: [gentoo-hardened] Which hardened kernel feature disables wine?
  2009-01-13 19:00 [gentoo-hardened] Which hardened kernel feature disables wine? Grant
  2009-01-13 19:42 ` Javier J. Martínez Cabezón
@ 2009-01-13 20:09 ` Ned Ludd
  2009-01-13 20:16   ` Javier J. Martínez Cabezón
  2009-01-13 20:27   ` Thomas Sachau
  1 sibling, 2 replies; 12+ messages in thread
From: Ned Ludd @ 2009-01-13 20:09 UTC
  To: gentoo-hardened

On Tue, 2009-01-13 at 11:00 -0800, Grant wrote:
> I'm using the grsecurity "Gentoo (workstation)" setting in my hardened
> kernel, but trying to use wine I get this:
> 
> err:heap:HEAP_GetPtr Invalid heap (nil)!
> err:heap:HEAP_GetPtr Invalid heap (nil)!
> err:module:attach_process_dlls "KERNEL32.dll" failed to initialize, aborting
> err:module:LdrInitializeThunk Main exe initialization for
> L"C:\\windows\\system32\\wineboot.exe" failed, status c0000005
> 
> If I remove grsecurity from the kernel, wine works fine.  Does anyone
> know how to fix this or which grsecurity option I can disable to
> enable wine?


You don't want to go into the kernel and start disabling features as
that would be the wrong fix. No reason to downgrade system wide security
for one app. You want to use paxctl -flags /path/to/wine-loader

Personally I'm lazy and would just do. 
paxctl -permsx $(qlist -oe wine)



-- 
Ned Ludd <solar@gentoo.org>
Gentoo Linux





* Re: [gentoo-hardened] Which hardened kernel feature disables wine?
  2009-01-13 20:09 ` Ned Ludd
@ 2009-01-13 20:16   ` Javier J. Martínez Cabezón
  2009-01-13 20:27   ` Thomas Sachau
  1 sibling, 0 replies; 12+ messages in thread
From: Javier J. Martínez Cabezón @ 2009-01-13 20:16 UTC
  To: gentoo-hardened

I would remove first mprotect and segmexec and test.

2009/1/13 Ned Ludd <solar@gentoo.org>:
> On Tue, 2009-01-13 at 11:00 -0800, Grant wrote:
>> I'm using the grsecurity "Gentoo (workstation)" setting in my hardened
>> kernel, but trying to use wine I get this:
>>
>> err:heap:HEAP_GetPtr Invalid heap (nil)!
>> err:heap:HEAP_GetPtr Invalid heap (nil)!
>> err:module:attach_process_dlls "KERNEL32.dll" failed to initialize, aborting
>> err:module:LdrInitializeThunk Main exe initialization for
>> L"C:\\windows\\system32\\wineboot.exe" failed, status c0000005
>>
>> If I remove grsecurity from the kernel, wine works fine.  Does anyone
>> know how to fix this or which grsecurity option I can disable to
>> enable wine?
>
>
> You don't want to go into the kernel and start disabling features as
> that would be the wrong fix. No reason to downgrade system wide security
> for one app. You want to use paxctl -flags /path/to/wine-loader
>
> Personally I'm lazy and would just do.
> paxctl -permsx $(qlist -oe wine)
>
>
>
> --
> Ned Ludd <solar@gentoo.org>
> Gentoo Linux
>
>
>




* Re: [gentoo-hardened] Which hardened kernel feature disables wine?
  2009-01-13 20:09 ` Ned Ludd
  2009-01-13 20:16   ` Javier J. Martínez Cabezón
@ 2009-01-13 20:27   ` Thomas Sachau
  2009-01-13 21:06     ` Grant
  1 sibling, 1 reply; 12+ messages in thread
From: Thomas Sachau @ 2009-01-13 20:27 UTC
  To: gentoo-hardened


Ned Ludd wrote:
> On Tue, 2009-01-13 at 11:00 -0800, Grant wrote:
>> I'm using the grsecurity "Gentoo (workstation)" setting in my hardened
>> kernel, but trying to use wine I get this:
>>
>> err:heap:HEAP_GetPtr Invalid heap (nil)!
>> err:heap:HEAP_GetPtr Invalid heap (nil)!
>> err:module:attach_process_dlls "KERNEL32.dll" failed to initialize, aborting
>> err:module:LdrInitializeThunk Main exe initialization for
>> L"C:\\windows\\system32\\wineboot.exe" failed, status c0000005
>>
>> If I remove grsecurity from the kernel, wine works fine.  Does anyone
>> know how to fix this or which grsecurity option I can disable to
>> enable wine?
> 
> 
> You don't want to go into the kernel and start disabling features as
> that would be the wrong fix. No reason to downgrade system wide security
> for one app. You want to use paxctl -flags /path/to/wine-loader
> 
> Personally I'm lazy and would just do. 
> paxctl -permsx $(qlist -oe wine)
> 
> 
> 

This one should do the trick:

paxctl -m /usr/bin/wine-preloader

-- 
Thomas Sachau

Gentoo Linux Developer




* Re: [gentoo-hardened] Which hardened kernel feature disables wine?
  2009-01-13 20:27   ` Thomas Sachau
@ 2009-01-13 21:06     ` Grant
  2009-01-13 21:30       ` Ned Ludd
  0 siblings, 1 reply; 12+ messages in thread
From: Grant @ 2009-01-13 21:06 UTC
  To: gentoo-hardened

>>> I'm using the grsecurity "Gentoo (workstation)" setting in my hardened
>>> kernel, but trying to use wine I get this:
>>>
>>> err:heap:HEAP_GetPtr Invalid heap (nil)!
>>> err:heap:HEAP_GetPtr Invalid heap (nil)!
>>> err:module:attach_process_dlls "KERNEL32.dll" failed to initialize, aborting
>>> err:module:LdrInitializeThunk Main exe initialization for
>>> L"C:\\windows\\system32\\wineboot.exe" failed, status c0000005
>>>
>>> If I remove grsecurity from the kernel, wine works fine.  Does anyone
>>> know how to fix this or which grsecurity option I can disable to
>>> enable wine?
>>
>>
>> You don't want to go into the kernel and start disabling features as
>> that would be the wrong fix. No reason to downgrade system wide security
>> for one app. You want to use paxctl -flags /path/to/wine-loader
>>
>> Personally I'm lazy and would just do.
>> paxctl -permsx $(qlist -oe wine)
>>
>>
>>
>
> This one should do the trick:
>
> paxctl -m /usr/bin/wine-preloader

Thanks everyone, that worked great.  Is there a way to get a list of
files which have been operated on by paxctl?  I didn't see anything in
man paxctl.

- Grant




* Re: [gentoo-hardened] Which hardened kernel feature disables wine?
  2009-01-13 21:06     ` Grant
@ 2009-01-13 21:30       ` Ned Ludd
  2009-01-14  3:19         ` Grant
  0 siblings, 1 reply; 12+ messages in thread
From: Ned Ludd @ 2009-01-13 21:30 UTC
  To: gentoo-hardened

On Tue, 2009-01-13 at 13:06 -0800, Grant wrote:
..

> Thanks everyone, that worked great.  Is there a way to get a list of
> files which have been operated on by paxctl?  I didn't see anything in
> man paxctl.


qlist -ao | scanelf -f - -q -x



-- 
Ned Ludd <solar@gentoo.org>
Gentoo Linux





* Re: [gentoo-hardened] Which hardened kernel feature disables wine?
  2009-01-13 21:30       ` Ned Ludd
@ 2009-01-14  3:19         ` Grant
  2009-01-14  3:55           ` Ned Ludd
  0 siblings, 1 reply; 12+ messages in thread
From: Grant @ 2009-01-14  3:19 UTC
  To: gentoo-hardened

>> Thanks everyone, that worked great.  Is there a way to get a list of
>> files which have been operated on by paxctl?  I didn't see anything in
>> man paxctl.
>
>
> qlist -ao | scanelf -f - -q -x

Thanks Ned.  I get the following but I've only ever issued paxctl
referencing /usr/bin/wine-preloader.  Can you tell me why the other
files might be listed?

# qlist -ao | scanelf -f - -q -x
--mxe-  /opt/emul-linux-x86-java-1.6.0.11/bin/java
--mxe-  /opt/emul-linux-x86-java-1.6.0.11/bin/keytool
--mxe-  /opt/emul-linux-x86-java-1.6.0.11/bin/policytool
--mxe-  /opt/emul-linux-x86-java-1.6.0.11/bin/rmiregistry
--mxe-  /opt/emul-linux-x86-java-1.6.0.11/bin/rmid
--mxe-  /opt/emul-linux-x86-java-1.6.0.11/bin/tnameserv
--mxe-  /opt/emul-linux-x86-java-1.6.0.11/bin/orbd
--mxe-  /opt/emul-linux-x86-java-1.6.0.11/bin/servertool
--mxe-  /opt/emul-linux-x86-java-1.6.0.11/bin/unpack200
--mxe-  /opt/emul-linux-x86-java-1.6.0.11/bin/pack200
--mxe-  /opt/emul-linux-x86-java-1.6.0.11/bin/java_vm
--mxe-  /opt/emul-linux-x86-java-1.6.0.11/bin/javaws
--mxe-  /opt/VirtualBox/VBoxHeadless
--mxe-  /opt/VirtualBox/VBoxManage
--mxe-  /opt/VirtualBox/VBoxSDL
--mxe-  /opt/VirtualBox/VBoxSVC
--mxe-  /opt/VirtualBox/VBoxTunctl
--mxe-  /opt/VirtualBox/VBoxXPCOMIPCD
--mxe-  /opt/VirtualBox/VirtualBox
--mxe-  /usr/bin/wine-preloader
--mxe-  /opt/sun-jdk-1.6.0.11/bin/apt
--mxe-  /opt/sun-jdk-1.6.0.11/bin/jar
--mxe-  /opt/sun-jdk-1.6.0.11/bin/jdb
--mxe-  /opt/sun-jdk-1.6.0.11/bin/jps
--mxe-  /opt/sun-jdk-1.6.0.11/bin/xjc
--mxe-  /opt/sun-jdk-1.6.0.11/bin/idlj
--mxe-  /opt/sun-jdk-1.6.0.11/bin/java
--mxe-  /opt/sun-jdk-1.6.0.11/bin/jhat
--mxe-  /opt/sun-jdk-1.6.0.11/bin/jmap
--mxe-  /opt/sun-jdk-1.6.0.11/bin/orbd
--mxe-  /opt/sun-jdk-1.6.0.11/bin/rmic
--mxe-  /opt/sun-jdk-1.6.0.11/bin/rmid
--mxe-  /opt/sun-jdk-1.6.0.11/bin/wsimport
--mxe-  /opt/sun-jdk-1.6.0.11/bin/serialver
--mxe-  /opt/sun-jdk-1.6.0.11/bin/extcheck
--mxe-  /opt/sun-jdk-1.6.0.11/bin/keytool
--mxe-  /opt/sun-jdk-1.6.0.11/bin/javac
--mxe-  /opt/sun-jdk-1.6.0.11/bin/javah
--mxe-  /opt/sun-jdk-1.6.0.11/bin/javap
--mxe-  /opt/sun-jdk-1.6.0.11/bin/jinfo
--mxe-  /opt/sun-jdk-1.6.0.11/bin/jstat
--mxe-  /opt/sun-jdk-1.6.0.11/bin/wsgen
--mxe-  /opt/sun-jdk-1.6.0.11/bin/unpack200
--mxe-  /opt/sun-jdk-1.6.0.11/bin/native2ascii
--mxe-  /opt/sun-jdk-1.6.0.11/bin/appletviewer
--mxe-  /opt/sun-jdk-1.6.0.11/bin/schemagen
--mxe-  /opt/sun-jdk-1.6.0.11/bin/jrunscript
--mxe-  /opt/sun-jdk-1.6.0.11/bin/jstack
--mxe-  /opt/sun-jdk-1.6.0.11/bin/jstatd
--mxe-  /opt/sun-jdk-1.6.0.11/bin/tnameserv
--mxe-  /opt/sun-jdk-1.6.0.11/bin/servertool
--mxe-  /opt/sun-jdk-1.6.0.11/bin/jarsigner
--mxe-  /opt/sun-jdk-1.6.0.11/bin/pack200
--mxe-  /opt/sun-jdk-1.6.0.11/bin/jsadebugd
--mxe-  /opt/sun-jdk-1.6.0.11/bin/javadoc
--mxe-  /opt/sun-jdk-1.6.0.11/bin/rmiregistry
--mxe-  /opt/sun-jdk-1.6.0.11/bin/policytool
--mxe-  /opt/sun-jdk-1.6.0.11/bin/jconsole
--mxe-  /opt/sun-jdk-1.6.0.11/jre/bin/java
--mxe-  /opt/sun-jdk-1.6.0.11/jre/bin/orbd
--mxe-  /opt/sun-jdk-1.6.0.11/jre/bin/rmid
--mxe-  /opt/sun-jdk-1.6.0.11/jre/bin/keytool
--mxe-  /opt/sun-jdk-1.6.0.11/jre/bin/unpack200
--mxe-  /opt/sun-jdk-1.6.0.11/jre/bin/tnameserv
--mxe-  /opt/sun-jdk-1.6.0.11/jre/bin/servertool
--mxe-  /opt/sun-jdk-1.6.0.11/jre/bin/pack200
--mxe-  /opt/sun-jdk-1.6.0.11/jre/bin/rmiregistry
--mxe-  /opt/sun-jdk-1.6.0.11/jre/bin/policytool

- Grant




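An added worked example, not code from this thread and not paxctl's or scanelf's own source, showing what `paxctl -m` actually changes in a binary and how to read the `--mxe-` column in the listing above: the marking lives in the p_flags word of a PT_PAX_FLAGS program header, one enable/disable bit pair per protection (PAGEEXEC, SEGMEXEC, MPROTECT, RANDEXEC, EMUTRAMP, RANDMMAP). The PT_PAX_FLAGS and PF_* values are the ones defined by PaX; the six-letter short form below assumes scanelf's column order is P S M X E R, which is consistent with the listing but should be checked against your scanelf version. The sample ELF64 image is constructed inline so the decoder runs without touching real binaries.

```python
"""Decode PaX markings from an ELF binary's PT_PAX_FLAGS program header.

Added example for the gentoo-hardened thread; not paxctl/scanelf code.
Lowercase letter = protection explicitly disabled (what `paxctl -m` does
for MPROTECT), uppercase = explicitly enabled, '-' = kernel default.
"""
import struct

PT_PAX_FLAGS = 0x65041580  # PT_LOOS + 0x5041580, as defined by PaX

# (enable bit, disable bit, letter, name). Bit values are PaX's PF_* constants.
PAX_BITS = (
    (1 << 4,  1 << 5,  "P", "PAGEEXEC"),
    (1 << 6,  1 << 7,  "S", "SEGMEXEC"),
    (1 << 8,  1 << 9,  "M", "MPROTECT"),
    (1 << 10, 1 << 11, "X", "RANDEXEC"),
    (1 << 12, 1 << 13, "E", "EMUTRAMP"),
    (1 << 14, 1 << 15, "R", "RANDMMAP"),
)


def short_flags(p_flags):
    """Render p_flags as a scanelf-style string such as '--mxe-' (column order assumed)."""
    out = []
    for on, off, letter, _name in PAX_BITS:
        out.append(letter if p_flags & on else letter.lower() if p_flags & off else "-")
    return "".join(out)


def disabled_protections(short):
    """Names of protections a short string turns off, e.g. '--mxe-' -> MPROTECT, RANDEXEC, EMUTRAMP."""
    return [name for (_on, _off, _letter, name), ch in zip(PAX_BITS, short) if ch.islower()]


def pax_flags_of(elf_bytes):
    """Return p_flags of the PT_PAX_FLAGS header, or None if the file carries no marking."""
    if elf_bytes[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = elf_bytes[4], elf_bytes[5]
    end = "<" if ei_data == 1 else ">"  # ELFDATA2LSB vs ELFDATA2MSB
    if ei_class == 2:  # ELF64: e_phoff @32, e_phentsize @54, e_phnum @56; p_flags @4 in Phdr
        (e_phoff,) = struct.unpack_from(end + "Q", elf_bytes, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf_bytes, 54)
        flags_off = 4
    elif ei_class == 1:  # ELF32: e_phoff @28, e_phentsize @42, e_phnum @44; p_flags @24 in Phdr
        (e_phoff,) = struct.unpack_from(end + "I", elf_bytes, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf_bytes, 42)
        flags_off = 24
    else:
        raise ValueError("unknown ELF class")
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", elf_bytes, off)
        if p_type == PT_PAX_FLAGS:
            (p_flags,) = struct.unpack_from(end + "I", elf_bytes, off + flags_off)
            return p_flags
    return None


def make_sample_elf64(pax_p_flags):
    """Constructed minimal little-endian x86-64 ELF image (headers only, not loadable):
    one PT_LOAD header plus, unless pax_p_flags is None, a PT_PAX_FLAGS header."""
    phdrs = [struct.pack("<IIQQQQQQ", 1, 5, 0, 0x400000, 0x400000, 0, 0, 0x1000)]
    if pax_p_flags is not None:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, pax_p_flags, 0, 0, 0, 0, 0, 8))
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, little-endian, version 1
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH",
                                 2, 62, 1, 0x400000, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(phdrs)


def scan_files(paths):
    """scanelf-like inventory: (short flags, path) per file; '------' when unmarked."""
    rows = []
    for path in paths:
        with open(path, "rb") as fh:
            data = fh.read()  # whole file; fine for an audit of a few binaries
        flags = pax_flags_of(data)
        rows.append((short_flags(flags) if flags is not None else "------", path))
    return rows


if __name__ == "__main__":
    import sys
    for short, path in scan_files(sys.argv[1:]):
        print(short, path, ";".join(disabled_protections(short)))
```

Run as `python paxflags.py /usr/bin/wine-preloader` (file name assumed) to get a report like the scanelf listing above, with the weakened protections spelled out. The point for an auditor is that `--mxe-` is a per-binary exception, which is why the marking is preferable to dropping MPROTECT or SEGMEXEC kernel-wide: only the marked loader loses those protections, and `scanelf -x` (or this script) over the package-owned files shows exactly which binaries have been granted such exceptions. Note that later Hardened Gentoo also stores markings in the user.pax.flags extended attribute, which this header-only decoder does not read.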
* Re: [gentoo-hardened] Which hardened kernel feature disables wine?
  2009-01-14  3:19         ` Grant
@ 2009-01-14  3:55           ` Ned Ludd
  2009-01-14 17:49             ` Grant
  0 siblings, 1 reply; 12+ messages in thread
From: Ned Ludd @ 2009-01-14  3:55 UTC
  To: gentoo-hardened

On Tue, 2009-01-13 at 19:19 -0800, Grant wrote:
> >> Thanks everyone, that worked great.  Is there a way to get a list of
> >> files which have been operated on by paxctl?  I didn't see anything in
> >> man paxctl.
> >
> >
> > qlist -ao | scanelf -f - -q -x
> 
> Thanks Ned.  I get the following but I've only ever issued paxctl
> referencing /usr/bin/wine-preloader.  Can you tell me why the other
> files might be listed?
> 
> # qlist -ao | scanelf -f - -q -x
> --mxe-  /opt/emul-linux-x86-java-1.6.0.11/bin/java
..

Portage and/or the toolchain handles them.
Packages with known problems such as wine should be pax-marked.

See /usr/portage/eclass/pax-utils.eclass for more details.

Finding pkgs that use these functions can be done like this.

qgrep -Hvv 'pax-mark'







* Re: [gentoo-hardened] Which hardened kernel feature disables wine?
  2009-01-14 17:49             ` Grant
@ 2009-01-14 17:07               ` pageexec
  2009-01-15 16:13                 ` Grant
  0 siblings, 1 reply; 12+ messages in thread
From: pageexec @ 2009-01-14 17:07 UTC
  To: gentoo-hardened

On 14 Jan 2009 at 9:49, Grant wrote:

> >> Thanks Ned.  I get the following but I've only ever issued paxctl
> >> referencing /usr/bin/wine-preloader.  Can you tell me why the other
> >> files might be listed?
> >>
> >> # qlist -ao | scanelf -f - -q -x
> >> --mxe-  /opt/emul-linux-x86-java-1.6.0.11/bin/java
> > ..
> >
> > portage and or the toolchain handles them.
> > Packages with known problems such as wine should be pax-marked
> 
> If I'm understanding correctly, emul-linux-x86-java, VirtualBox, and
> sun-jdk have known problems with pax so portage pax-marks them.
> Shouldn't portage pax-mark wine too instead of me doing it manually?

yes and ditto for valgrind. bugs.gentoo.org is probably a better place
to ask though ;).





* Re: [gentoo-hardened] Which hardened kernel feature disables wine?
  2009-01-14  3:55           ` Ned Ludd
@ 2009-01-14 17:49             ` Grant
  2009-01-14 17:07               ` pageexec
  0 siblings, 1 reply; 12+ messages in thread
From: Grant @ 2009-01-14 17:49 UTC
  To: gentoo-hardened

>> >> Thanks everyone, that worked great.  Is there a way to get a list of
>> >> files which have been operated on by paxctl?  I didn't see anything in
>> >> man paxctl.
>> >
>> >
>> > qlist -ao | scanelf -f - -q -x
>>
>> Thanks Ned.  I get the following but I've only ever issued paxctl
>> referencing /usr/bin/wine-preloader.  Can you tell me why the other
>> files might be listed?
>>
>> # qlist -ao | scanelf -f - -q -x
>> --mxe-  /opt/emul-linux-x86-java-1.6.0.11/bin/java
> ..
>
> portage and or the toolchain handles them.
> Packages with known problems such as wine should be pax-marked

If I'm understanding correctly, emul-linux-x86-java, VirtualBox, and
sun-jdk have known problems with pax so portage pax-marks them.
Shouldn't portage pax-mark wine too instead of me doing it manually?

- Grant

> See /usr/portage/eclass/pax-utils.eclass for more details.
>
> Finding pkgs that use these functions can be done like this.
>
> qgrep -Hvv 'pax-mark'




* Re: [gentoo-hardened] Which hardened kernel feature disables wine?
  2009-01-14 17:07               ` pageexec
@ 2009-01-15 16:13                 ` Grant
  0 siblings, 0 replies; 12+ messages in thread
From: Grant @ 2009-01-15 16:13 UTC
  To: gentoo-hardened

>> >> Thanks Ned.  I get the following but I've only ever issued paxctl
>> >> referencing /usr/bin/wine-preloader.  Can you tell me why the other
>> >> files might be listed?
>> >>
>> >> # qlist -ao | scanelf -f - -q -x
>> >> --mxe-  /opt/emul-linux-x86-java-1.6.0.11/bin/java
>> > ..
>> >
>> > portage and or the toolchain handles them.
>> > Packages with known problems such as wine should be pax-marked
>>
>> If I'm understanding correctly, emul-linux-x86-java, VirtualBox, and
>> sun-jdk have known problems with pax so portage pax-marks them.
>> Shouldn't portage pax-mark wine too instead of me doing it manually?
>
> yes and ditto for valgrind. bugs.gentoo.org is probably a better place
> to ask though ;).

I'll file a bug, thanks everyone.

- Grant





Thread overview: 12+ messages
2009-01-13 19:00 [gentoo-hardened] Which hardened kernel feature disables wine? Grant
2009-01-13 19:42 ` Javier J. Martínez Cabezón
2009-01-13 20:09 ` Ned Ludd
2009-01-13 20:16   ` Javier J. Martínez Cabezón
2009-01-13 20:27   ` Thomas Sachau
2009-01-13 21:06     ` Grant
2009-01-13 21:30       ` Ned Ludd
2009-01-14  3:19         ` Grant
2009-01-14  3:55           ` Ned Ludd
2009-01-14 17:49             ` Grant
2009-01-14 17:07               ` pageexec
2009-01-15 16:13                 ` Grant
