From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <9bbbd99030ae9c4d1e0b58304bec9b36.squirrel@atoth.sote.hu>
In-Reply-To: <20141101100823.GA22195@home.power>
References: <20141101100823.GA22195@home.power>
Date: Sat, 1 Nov 2014 13:09:36 +0100
Subject: Re: [gentoo-hardened] "grsec: denied RWX mprotect" doesn't kill app anymore
From: "Tóth Attila"
To: gentoo-hardened@lists.gentoo.org
User-Agent: SquirrelMail/1.4.23 [SVN]
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-hardened@lists.gentoo.org
Reply-to: gentoo-hardened@lists.gentoo.org
MIME-Version: 1.0
Content-Type: text/plain;charset=utf-8

There have been changes in the toolchain:
https://sourceware.org/bugzilla/show_bug.cgi?id=12492

Applications also handle these situations nowadays and survive the denial
instead of crashing. For example, the clamav developers made the software
aware of such a situation:
https://bugs.gentoo.org/show_bug.cgi?id=326199

BR:
Dw.
--
Dr Tóth Attila, Radiologist, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 2014 November 1 (Sat) 11:08, Alex Efros wrote:
> Hi!
>
> I wonder if something was changed in handling "grsec: denied RWX
> mprotect"?
> Previously when I saw this in the kernel log it usually resulted in killing
> the app (and I had to run `paxctl-ng -m /that/app`), but now it looks like
> this doesn't happen anymore. For example:
>
> # eselect opengl list
> Available OpenGL implementations:
>   [1]   nvidia *
>   [2]   xorg-x11
> # grep PAX /etc/portage/make.conf
> PAX_MARKINGS="XT"
> # paxctl-ng -v /usr/bin/glxgears
> /usr/bin/glxgears:
>         PT_PAX   : -e---
>         XATTR_PAX: not found
> # /usr/bin/glxgears
> Running synchronized to the vertical refresh.  The framerate should be
> approximately the same as the monitor refresh rate.
> 302 frames in 5.0 seconds = 60.336 FPS
> 300 frames in 5.0 seconds = 59.960 FPS
> (so, as you see, it works!)
>
> and here is the kernel log:
>
> 2014-11-01_10:00:19.58867 kern.alert: grsec: denied RWX mprotect of
> /usr/lib64/opengl/nvidia/lib/libGL.so.343.22 by
> /usr/bin/glxgears[glxgears:12208] uid/euid:0/0 gid/egid:0/0, parent
> /bin/bash[bash:8601] uid/euid:0/0 gid/egid:0/0
>
> At the same time paxtest works OK (all killed).
>
>
> My kernel config:
>
> # zgrep PAX /proc/config.gz
>
> CONFIG_PAX_USERCOPY_SLABS=y
> CONFIG_PAX=y
> # CONFIG_PAX_SOFTMODE is not set
> # CONFIG_PAX_PT_PAX_FLAGS is not set
> CONFIG_PAX_XATTR_PAX_FLAGS=y
> CONFIG_PAX_NO_ACL_FLAGS=y
> # CONFIG_PAX_HAVE_ACL_FLAGS is not set
> # CONFIG_PAX_HOOK_ACL_FLAGS is not set
> CONFIG_PAX_NOEXEC=y
> CONFIG_PAX_PAGEEXEC=y
> CONFIG_PAX_EMUTRAMP=y
> CONFIG_PAX_MPROTECT=y
> # CONFIG_PAX_MPROTECT_COMPAT is not set
> # CONFIG_PAX_ELFRELOCS is not set
> # CONFIG_PAX_KERNEXEC is not set
> CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""
> CONFIG_PAX_ASLR=y
> # CONFIG_PAX_RANDKSTACK is not set
> CONFIG_PAX_RANDUSTACK=y
> CONFIG_PAX_RANDMMAP=y
> # CONFIG_PAX_MEMORY_SANITIZE is not set
> # CONFIG_PAX_MEMORY_STACKLEAK is not set
> CONFIG_PAX_MEMORY_STRUCTLEAK=y
> # CONFIG_PAX_MEMORY_UDEREF is not set
> CONFIG_PAX_REFCOUNT=y
> CONFIG_PAX_USERCOPY=y
> # CONFIG_PAX_USERCOPY_DEBUG is not set
> # CONFIG_PAX_SIZE_OVERFLOW is not set
> # CONFIG_PAX_LATENT_ENTROPY is not set
>
> # zgrep GRKERNSEC /proc/config.gz
>
> CONFIG_GRKERNSEC=y
> # CONFIG_GRKERNSEC_CONFIG_AUTO is not set
> CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
> CONFIG_GRKERNSEC_PROC_GID=1000
> CONFIG_GRKERNSEC_KMEM=y
> # CONFIG_GRKERNSEC_IO is not set
> CONFIG_GRKERNSEC_PERF_HARDEN=y
> CONFIG_GRKERNSEC_RAND_THREADSTACK=y
> CONFIG_GRKERNSEC_PROC_MEMMAP=y
> # CONFIG_GRKERNSEC_KSTACKOVERFLOW is not set
> # CONFIG_GRKERNSEC_BRUTE is not set
> CONFIG_GRKERNSEC_MODHARDEN=y
> CONFIG_GRKERNSEC_HIDESYM=y
> # CONFIG_GRKERNSEC_RANDSTRUCT is not set
> # CONFIG_GRKERNSEC_KERN_LOCKOUT is not set
> CONFIG_GRKERNSEC_NO_RBAC=y
> CONFIG_GRKERNSEC_ACL_HIDEKERN=y
> CONFIG_GRKERNSEC_ACL_MAXTRIES=3
> CONFIG_GRKERNSEC_ACL_TIMEOUT=30
> CONFIG_GRKERNSEC_PROC=y
> # CONFIG_GRKERNSEC_PROC_USER is not set
> CONFIG_GRKERNSEC_PROC_USERGROUP=y
> CONFIG_GRKERNSEC_PROC_ADD=y
> CONFIG_GRKERNSEC_LINK=y
> # CONFIG_GRKERNSEC_SYMLINKOWN is not set
> CONFIG_GRKERNSEC_FIFO=y
> # CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
> # CONFIG_GRKERNSEC_ROFS is not set
> CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
> CONFIG_GRKERNSEC_CHROOT=y
> CONFIG_GRKERNSEC_CHROOT_MOUNT=y
> CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
> CONFIG_GRKERNSEC_CHROOT_PIVOT=y
> CONFIG_GRKERNSEC_CHROOT_CHDIR=y
> CONFIG_GRKERNSEC_CHROOT_CHMOD=y
> CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
> CONFIG_GRKERNSEC_CHROOT_MKNOD=y
> CONFIG_GRKERNSEC_CHROOT_SHMAT=y
> CONFIG_GRKERNSEC_CHROOT_UNIX=y
> CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
> CONFIG_GRKERNSEC_CHROOT_NICE=y
> CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
> CONFIG_GRKERNSEC_CHROOT_CAPS=y
> # CONFIG_GRKERNSEC_AUDIT_GROUP is not set
> # CONFIG_GRKERNSEC_EXECLOG is not set
> CONFIG_GRKERNSEC_RESLOG=y
> # CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
> CONFIG_GRKERNSEC_AUDIT_PTRACE=y
> # CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
> # CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
> CONFIG_GRKERNSEC_SIGNAL=y
> CONFIG_GRKERNSEC_FORKFAIL=y
> # CONFIG_GRKERNSEC_TIME is not set
> CONFIG_GRKERNSEC_PROC_IPADDR=y
> CONFIG_GRKERNSEC_RWXMAP_LOG=y
> CONFIG_GRKERNSEC_DMESG=y
> CONFIG_GRKERNSEC_HARDEN_PTRACE=y
> CONFIG_GRKERNSEC_PTRACE_READEXEC=y
> CONFIG_GRKERNSEC_SETXID=y
> CONFIG_GRKERNSEC_HARDEN_IPC=y
> # CONFIG_GRKERNSEC_TPE is not set
> CONFIG_GRKERNSEC_RANDNET=y
> CONFIG_GRKERNSEC_BLACKHOLE=y
> CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
> # CONFIG_GRKERNSEC_SOCKET is not set
> # CONFIG_GRKERNSEC_DENYUSB is not set
> CONFIG_GRKERNSEC_SYSCTL=y
> CONFIG_GRKERNSEC_SYSCTL_ON=y
> CONFIG_GRKERNSEC_FLOODTIME=10
> CONFIG_GRKERNSEC_FLOODBURST=4
>
> --
> WBR, Alex.
>
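The reply above says that a denied RWX mprotect no longer has to kill a program because the program can notice the failure and carry on. The following C program is an added illustration of that, not code from this thread, from glibc or from clamav. It does two things: it asks for exactly the RWX transition that produces "grsec: denied RWX mprotect" and treats a refusal as a recoverable condition, and it shows the double-mapping technique a JIT-style program can use under PaX MPROTECT (one memfd mapped twice, RW and RX, so no mapping is ever both writable and executable and no W to X transition is ever requested). Assumptions: Linux on x86-64 or AArch64, a glibc with the memfd_create syscall number defined, and that PaX reports the denial to userspace as EACCES (EPERM is accepted too, as SELinux execmem denials use it); on a stock kernel the RWX request simply succeeds. The "return 42" machine code and the memfd name "jit" are constructed for the example.

```c
/* Added example: surviving a PaX MPROTECT denial, and running generated code
 * without ever holding an RWX mapping. Not from the thread, glibc or clamav. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/syscall.h>

#ifndef MFD_CLOEXEC
#define MFD_CLOEXEC 1U   /* value from the kernel ABI, in case the libc header lacks it */
#endif

enum rwx_result { RWX_ALLOWED = 0, RWX_DENIED = 1, RWX_ERROR = 2 };

/* Map an anonymous RW page and ask to make it RWX: the request that shows
 * up as "grsec: denied RWX mprotect" in the kernel log. A well-behaved
 * program treats the refusal as "fall back", not as fatal. */
enum rwx_result try_rwx_mprotect(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, (size_t)pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return RWX_ERROR;
    enum rwx_result r;
    if (mprotect(p, (size_t)pg, PROT_READ | PROT_WRITE | PROT_EXEC) == 0)
        r = RWX_ALLOWED;          /* stock kernel, or binary marked with paxctl-ng -m */
    else if (errno == EACCES || errno == EPERM)
        r = RWX_DENIED;           /* assumed PaX MPROTECT (EACCES) or execmem (EPERM) */
    else
        r = RWX_ERROR;
    munmap(p, (size_t)pg);
    return r;
}

/* Constructed machine code for "return 42" on the two CPUs covered here. */
static const uint8_t  code_x86_64[]  = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 }; /* mov eax,42; ret */
static const uint32_t code_aarch64[] = { 0x52800540, 0xd65f03c0 };             /* mov w0,#42; ret */

/* Double mapping: the same memfd page mapped once RW (to write code into)
 * and once RX (to execute it). Neither view is writable and executable at
 * the same time, so PaX MPROTECT has nothing to deny. Returns what the
 * generated code returns (42), or -1 on failure or an unsupported CPU. */
int dual_map_exec(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    int fd = (int)syscall(SYS_memfd_create, "jit", MFD_CLOEXEC);
    if (fd < 0)
        return -1;
    if (ftruncate(fd, (off_t)pg) != 0) {
        close(fd);
        return -1;
    }
    uint8_t *rw = mmap(NULL, (size_t)pg, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    uint8_t *rx = mmap(NULL, (size_t)pg, PROT_READ | PROT_EXEC,  MAP_SHARED, fd, 0);
    close(fd);
    if (rw == MAP_FAILED || rx == MAP_FAILED) {
        if (rw != MAP_FAILED) munmap(rw, (size_t)pg);
        if (rx != MAP_FAILED) munmap(rx, (size_t)pg);
        return -1;
    }
    int ret = -1;
#if defined(__x86_64__)
    memcpy(rw, code_x86_64, sizeof code_x86_64);                 /* write via RW view */
    __builtin___clear_cache((char *)rx, (char *)rx + sizeof code_x86_64);
    ret = ((int (*)(void))rx)();                                 /* run via RX view */
#elif defined(__aarch64__)
    memcpy(rw, code_aarch64, sizeof code_aarch64);
    __builtin___clear_cache((char *)rx, (char *)rx + sizeof code_aarch64);  /* I-cache sync */
    ret = ((int (*)(void))rx)();
#endif
    munmap(rw, (size_t)pg);
    munmap(rx, (size_t)pg);
    return ret;
}

int main(void)
{
    enum rwx_result r = try_rwx_mprotect();
    printf("RWX mprotect: %s\n",
           r == RWX_ALLOWED ? "allowed" :
           r == RWX_DENIED  ? "denied, continuing without it" : "error");
    printf("double-mapped code returned %d\n", dual_map_exec());
    return 0;
}
```

On the reporter's kernel (CONFIG_PAX_MPROTECT=y, glxgears with only PAGEEXEC disabled) the first call would log a denial and return RWX_DENIED, and the process keeps running, which is the behaviour the thread describes; the second call works on PaX and stock kernels alike. Note that PaX MPROTECT also refuses an RW to RX mprotect on an anonymous mapping, which is why the example uses two file-backed views rather than a single mapping flipped between protections.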