public inbox for gentoo-hardened@lists.gentoo.org
* [gentoo-hardened] mprotect question
@ 2011-07-14  9:54 Markus Oehme
  2011-07-14 13:41 ` Anthony G. Basile
  2011-07-15 11:02 ` [solved] " Markus Oehme
  0 siblings, 2 replies; 10+ messages in thread
From: Markus Oehme @ 2011-07-14  9:54 UTC (permalink / raw
  To: gentoo-hardened

Hi,

I successfully switched to hardened profile during the last week and it was
quite painless. I think I can hand out some praise for the great work done
on Gentoo Hardened. :)

Just one thing puzzles me a bit. I activated pax in hardened sources and
this resulted in quite some segfaulting processes due to mprotect. I found
lines like the following in the logs.

Jul 13 17:09:41 localhost kernel: [  286.180994] grsec: denied RWX mprotect of /lib64/ld-2.13.so by /usr/bin/python2.7[decibel-audio-p:6393] uid/euid:1000/1000 gid/egid:1005/1005, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

I remedied this with paxctl -m /usr/bin/python2.7 and similar, but the list
[1] of binaries where I had to do this includes some stuff, where mprotect
would be quite useful (sudo, polkitd, etc.). Also I didn't see a note in the
docs (which otherwise are really helpful :) about what to expect for
exceptions from mprotect. Is this expected behaviour or have I made some
mistake in my configuration?


	   Markus

[1]
/usr/lib64/courier/courier-authlib/authdaemond
/usr/sbin/console-kit-daemon
/usr/libexec/polkitd
/usr/bin/xfconf-query
/usr/lib64/xfce4/xfconf/xfconfd
/usr/bin/xscreensaver
/usr/bin/xfce4-session
/usr/bin/gkrellm
/usr/bin/Xorg
/usr/bin/xfdesktop
/usr/bin/xfce4-panel
/usr/bin/Terminal
/usr/libexec/udisks-daemon
/usr/bin/xfce4-session-logout
/usr/bin/emacs-23
/usr/bin/sudo
/usr/bin/perl
/usr/libexec/xfce4/panel-plugins/xfce4-mixer-plugin
/usr/bin/xfce4-mixer
/usr/bin/python2.7
/usr/libexec/git-core/git
/usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1


--
Aoccdrnig to a threoy, it deosn't mttaer in waht oredr the ltteers in a wrod
are, the olny iprmoatnt tihng is taht the frist and lsat ltteer are in the
rghit pclae. The rset can be a taotl mses and you can sitll raed it in msot
csaes. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef,
but the wrod as a wlohe. And I awlyas thought slpeling was ipmorantt.



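A small triage script for log lines like the one above, added here as an example (not part of Markus's mail): it parses the grsec MPROTECT denial format, groups denials per binary and marks the ones that ran with euid 0, so programs such as sudo get reviewed individually rather than blanket-exempted with paxctl -m. Only the first sample line is the one from the mail; the others, including the library names for sudo and Xorg, are constructed.

```python
"""Triage grsec 'denied RWX mprotect' kernel log lines.

Parses the PaX/grsecurity denial message, groups denials per offending
binary and marks the ones that ran with an effective uid of 0, so the
decision to relax MPROTECT with 'paxctl -m' is reviewed per program.
"""
import re
import sys
from collections import defaultdict

# Field layout of the grsec MPROTECT denial as it appears in the kernel log.
DENIAL_RE = re.compile(
    r"grsec: denied RWX mprotect of (?P<object>\S+) "
    r"by (?P<binary>[^\s\[]+)\[(?P<comm>[^\]]*?):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<parent>[^\s\[]+)\[(?P<pcomm>[^\]]*?):(?P<ppid>\d+)\] "
    r"uid/euid:(?P<puid>\d+)/(?P<peuid>\d+)"
)

# Constructed sample log; only the first line is the one quoted in the thread.
SAMPLE_LOG = [
    "Jul 13 17:09:41 localhost kernel: [  286.180994] grsec: denied RWX mprotect of "
    "/lib64/ld-2.13.so by /usr/bin/python2.7[decibel-audio-p:6393] uid/euid:1000/1000 "
    "gid/egid:1005/1005, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
    "Jul 13 17:10:02 localhost kernel: [  307.001122] grsec: denied RWX mprotect of "
    "/lib64/ld-2.13.so by /usr/bin/python2.7[python2.7:6410] uid/euid:1000/1000 "
    "gid/egid:1005/1005, parent /bin/bash[bash:6001] uid/euid:1000/1000 gid/egid:1005/1005",
    "Jul 13 17:11:15 localhost kernel: [  380.554433] grsec: denied RWX mprotect of "
    "/usr/lib64/libpam.so.0 by /usr/bin/sudo[sudo:6520] uid/euid:1000/0 "
    "gid/egid:1005/1005, parent /bin/bash[bash:6001] uid/euid:1000/1000 gid/egid:1005/1005",
    "Jul 13 17:11:16 localhost kernel: [  381.000000] grsec: denied RWX mprotect of "
    "/usr/lib64/libGL.so.1 by /usr/bin/Xorg[Xorg:2201] uid/euid:0/0 gid/egid:0/0, "
    "parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
    "Jul 13 17:12:00 localhost kernel: [  425.123456] usb 1-1: new high-speed USB device",
]


def parse_denial(line):
    """Return the denial's fields as a dict, or None for any other log line."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pid", "uid", "euid", "gid", "egid", "ppid", "puid", "peuid"):
        rec[key] = int(rec[key])
    return rec


def summarize(lines):
    """Group denials by binary: count, distinct objects, and whether any run had euid 0."""
    summary = defaultdict(lambda: {"count": 0, "objects": set(), "privileged": False})
    for line in lines:
        rec = parse_denial(line)
        if rec is None:
            continue
        entry = summary[rec["binary"]]
        entry["count"] += 1
        entry["objects"].add(rec["object"])
        if rec["euid"] == 0:
            entry["privileged"] = True
    return dict(summary)


def exemption_candidates(summary):
    """Binaries that would need 'paxctl -m'; the ones that ran as root are listed first."""
    return sorted(summary, key=lambda b: (not summary[b]["privileged"], b))


def report(summary):
    """Human-readable lines, one per binary, privileged ones first."""
    lines = []
    for binary in exemption_candidates(summary):
        e = summary[binary]
        tag = "REVIEW (ran with euid 0)" if e["privileged"] else "candidate for paxctl -m"
        lines.append("%-30s %3d denial(s) on %s: %s"
                     % (binary, e["count"], ", ".join(sorted(e["objects"])), tag))
    return lines


if __name__ == "__main__":
    # Pipe 'dmesg' or the syslog file in; with no input the constructed sample is used.
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    print("\n".join(report(summarize(source))))
```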

* Re: [gentoo-hardened] mprotect question
  2011-07-14  9:54 [gentoo-hardened] mprotect question Markus Oehme
@ 2011-07-14 13:41 ` Anthony G. Basile
  2011-07-14 14:39   ` Javier Juan Martínez Cabezón
                     ` (2 more replies)
  2011-07-15 11:02 ` [solved] " Markus Oehme
  1 sibling, 3 replies; 10+ messages in thread
From: Anthony G. Basile @ 2011-07-14 13:41 UTC (permalink / raw
  To: gentoo-hardened

Hi Markus,

It looks like you missed something in the process.  The steps to
converting are (skipping details):

1) switch profile
2) recompile the toolchain: emerge glibc gcc binutils
3) recompile system: emerge -e system
4) recompile world: emerge -e world

If you didn't do these, it's possible you have some binaries left that
will trigger pax violations.

One way to quickly check if you got hardened binaries is to use a script
called checksec.sh [1] and run it on /bin or /sbin.  You should see that
all your binaries have FULL RELRO, STACK CANARY, NX, PIE and ASLR.


Ref:

[1] http://tk-blog.blogspot.com/2009/02/checksec.html



On 07/14/2011 05:54 AM, Markus Oehme wrote:
> Hi,
> 
> I successfully switched to hardened profile during the last week and it was
> quite painless. I think I can hand out some praise for the great work done
> on Gentoo Hardened. :)
> 
> Just one thing puzzles me a bit. I activated pax in hardened sources and
> this resulted in quite some segfaulting processes due to mprotect. I found
> lines like the following in the logs.
> 
> Jul 13 17:09:41 localhost kernel: [  286.180994] grsec: denied RWX mprotect of /lib64/ld-2.13.so by /usr/bin/python2.7[decibel-audio-p:6393] uid/euid:1000/1000 gid/egid:1005/1005, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
> 
> I remedied this with paxctl -m /usr/bin/python2.7 and similar, but the list
> [1] of binaries where I had to do this includes some stuff, where mprotect
> would be quite useful (sudo, polkitd, etc.). Also I didn't see a note in the
> docs (which otherwise are really helpful :) about what to expect for
> exceptions from mprotect. Is this expected behaviour or have I made some
> mistake in my configuration?
> 
> 
> 	   Markus
> 
> [1]
> /usr/lib64/courier/courier-authlib/authdaemond
> /usr/sbin/console-kit-daemon
> /usr/libexec/polkitd
> /usr/bin/xfconf-query
> /usr/lib64/xfce4/xfconf/xfconfd
> /usr/bin/xscreensaver
> /usr/bin/xfce4-session
> /usr/bin/gkrellm
> /usr/bin/Xorg
> /usr/bin/xfdesktop
> /usr/bin/xfce4-panel
> /usr/bin/Terminal
> /usr/libexec/udisks-daemon
> /usr/bin/xfce4-session-logout
> /usr/bin/emacs-23
> /usr/bin/sudo
> /usr/bin/perl
> /usr/libexec/xfce4/panel-plugins/xfce4-mixer-plugin
> /usr/bin/xfce4-mixer
> /usr/bin/python2.7
> /usr/libexec/git-core/git
> /usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1
> 
> 
> --
> Aoccdrnig to a threoy, it deosn't mttaer in waht oredr the ltteers in a wrod
> are, the olny iprmoatnt tihng is taht the frist and lsat ltteer are in the
> rghit pclae. The rset can be a taotl mses and you can sitll raed it in msot
> csaes. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef,
> but the wrod as a wlohe. And I awlyas thought slpeling was ipmorantt.


-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@gentoo.org
GnuPG FP  : 8040 5A4D 8709 21B1 1A88  33CE 979C AF40 D045 5535
GnuPG ID  : D0455535



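To show what checksec.sh's RELRO, STACK CANARY, NX and PIE columns are read from, here is an added example (not the checksec.sh script and not from Anthony's mail) that inspects ELF64 headers directly and prints rows in the same layout; ASLR is a kernel-side property rather than something stored in the file, so it is not reported. The build_test_elf helper and its header-only images are constructed for offline testing and are not loadable binaries.

```python
"""checksec-style inspection of ELF64 headers (RELRO, stack canary, NX, PIE).

Reads only the ELF header, the program headers and the dynamic section,
which is where checksec.sh gets its RELRO/NX/PIE columns from; the canary
column approximates checksec's 'readelf -s | grep __stack_chk_fail' check.
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR_FMT, PHDR_FMT, DYN_FMT = "<HHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"


def _bind_now(data, off, size):
    """True if the dynamic section asks the loader to resolve all symbols up front."""
    for pos in range(off, off + size, 16):
        tag, val = struct.unpack_from(DYN_FMT, data, pos)
        if tag == DT_NULL:
            break
        if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                or (tag == DT_FLAGS_1 and val & DF_1_NOW):
            return True
    return False


def inspect_elf(data):
    """Return {'relro': 'Full'|'Partial'|'No', 'canary': bool, 'nx': bool, 'pie': bool}."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    e_type, _m, _v, _e, phoff, _s, _f, _eh, phentsize, phnum = \
        struct.unpack_from(EHDR_FMT, data, 16)[:10]
    nx = False  # no PT_GNU_STACK header at all means the kernel gives an executable stack
    relro_seg = bind_now = False
    for i in range(phnum):
        p_type, p_flags, p_off, _va, _pa, p_filesz = \
            struct.unpack_from("<IIQQQQ", data, phoff + i * phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)          # stack marked non-executable
        elif p_type == PT_GNU_RELRO:
            relro_seg = True                   # GOT/relocations made read-only after load
        elif p_type == PT_DYNAMIC:
            bind_now = _bind_now(data, p_off, p_filesz)
    # Full RELRO needs both: the read-only segment and BIND_NOW so the GOT is final.
    relro = "Full" if relro_seg and bind_now else "Partial" if relro_seg else "No"
    return {"relro": relro, "canary": b"__stack_chk_fail\x00" in data,
            "nx": nx, "pie": e_type == ET_DYN}


def checksec_line(data, path):
    """One row in the column layout checksec.sh prints."""
    r = inspect_elf(data)
    return "%-15s %-17s %-13s %-23s %s" % (
        r["relro"] + " RELRO",
        "Canary found" if r["canary"] else "No canary found",
        "NX enabled" if r["nx"] else "NX disabled",
        "PIE enabled" if r["pie"] else "No PIE", path)


def build_test_elf(pie=True, nx=True, relro=True, bind_now=True, canary=True):
    """Constructed header-only ELF64 image for offline testing (not a loadable binary)."""
    phdrs = [(PT_GNU_STACK, 0 if nx else PF_X, 0, 0)]   # (type, flags, offset, filesz)
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, 0, 0))
    dyn = (struct.pack(DYN_FMT, DT_FLAGS, DF_BIND_NOW) if bind_now else b"") \
        + struct.pack(DYN_FMT, DT_NULL, 0)
    phnum = len(phdrs) + 1
    phdrs.append((PT_DYNAMIC, 6, 64 + 56 * phnum, len(dyn)))  # dynamic section follows phdrs
    ehdr = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + struct.pack(
        EHDR_FMT, ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    body = b"".join(struct.pack(PHDR_FMT, t, f, o, 0, 0, s, s, 8) for t, f, o, s in phdrs)
    return ehdr + body + dyn + (b"__stack_chk_fail\x00" if canary else b"")


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # e.g. python3 elfcheck.py /bin/*
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(checksec_line(fh.read(), path))
    else:                                      # no paths given: show the constructed images
        print(checksec_line(build_test_elf(), "<hardened-sample>"))
        print(checksec_line(build_test_elf(nx=False, canary=False, bind_now=False),
                            "<weak-sample>"))
```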

* Re: [gentoo-hardened] mprotect question
  2011-07-14 13:41 ` Anthony G. Basile
@ 2011-07-14 14:39   ` Javier Juan Martínez Cabezón
  2011-07-14 15:29   ` Markus Oehme
  2011-07-14 21:49   ` Matthew Summers
  2 siblings, 0 replies; 10+ messages in thread
From: Javier Juan Martínez Cabezón @ 2011-07-14 14:39 UTC (permalink / raw
  To: gentoo-hardened


These things usually happen when changes are put into the CFLAGS/CXXFLAGS
directly in make.conf instead of using the specs (profile). Without
mprotect, pax does nothing: ASLR is not functional since a return into libc
is not needed to get an exploit working, because PAGEEXEC/SEGMEXEC is not
useful when mappings can be made EXECUTABLE/WRITEABLE at the same time on
the fly without mprotect.

2011/7/14 Anthony G. Basile <blueness@gentoo.org>

> Hi Markus,
>
> It looks like you missed something in the process.  The steps to
> converting are (skipping details):
>
> 1) switch profile
> 2) recompile the toolchain: emerge glibc gcc binutils
> 3) recompile system: emerge -e system
> 4) recompile world: emerge -e world
>
> If you didn't do these, it's possible you have some binaries left that
> will trigger pax violations.
>
> One way to quickly check if you got hardened binaries is to use a script
> called checksec.sh [1] and run it on /bin or /sbin.  You should see that
> all your binaries have FULL RELRO, STACK CANARY, NX, PIE and ASLR.
>
>
> Ref:
>
> [1] http://tk-blog.blogspot.com/2009/02/checksec.html
>
>
>
> On 07/14/2011 05:54 AM, Markus Oehme wrote:
> > Hi,
> >
> > I successfully switched to hardened profile during the last week and it was
> > quite painless. I think I can hand out some praise for the great work done
> > on Gentoo Hardened. :)
> >
> > Just one thing puzzles me a bit. I activated pax in hardened sources and
> > this resulted in quite some segfaulting processes due to mprotect. I found
> > lines like the following in the logs.
> >
> > Jul 13 17:09:41 localhost kernel: [  286.180994] grsec: denied RWX mprotect of /lib64/ld-2.13.so by /usr/bin/python2.7[decibel-audio-p:6393] uid/euid:1000/1000 gid/egid:1005/1005, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
> >
> > I remedied this with paxctl -m /usr/bin/python2.7 and similar, but the list
> > [1] of binaries where I had to do this includes some stuff, where mprotect
> > would be quite useful (sudo, polkitd, etc.). Also I didn't see a note in the
> > docs (which otherwise are really helpful :) about what to expect for
> > exceptions from mprotect. Is this expected behaviour or have I made some
> > mistake in my configuration?
> >
> >
> >          Markus
> >
> > [1]
> > /usr/lib64/courier/courier-authlib/authdaemond
> > /usr/sbin/console-kit-daemon
> > /usr/libexec/polkitd
> > /usr/bin/xfconf-query
> > /usr/lib64/xfce4/xfconf/xfconfd
> > /usr/bin/xscreensaver
> > /usr/bin/xfce4-session
> > /usr/bin/gkrellm
> > /usr/bin/Xorg
> > /usr/bin/xfdesktop
> > /usr/bin/xfce4-panel
> > /usr/bin/Terminal
> > /usr/libexec/udisks-daemon
> > /usr/bin/xfce4-session-logout
> > /usr/bin/emacs-23
> > /usr/bin/sudo
> > /usr/bin/perl
> > /usr/libexec/xfce4/panel-plugins/xfce4-mixer-plugin
> > /usr/bin/xfce4-mixer
> > /usr/bin/python2.7
> > /usr/libexec/git-core/git
> > /usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1
> >
> >
> > --
> > Aoccdrnig to a threoy, it deosn't mttaer in waht oredr the ltteers in a wrod
> > are, the olny iprmoatnt tihng is taht the frist and lsat ltteer are in the
> > rghit pclae. The rset can be a taotl mses and you can sitll raed it in msot
> > csaes. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef,
> > but the wrod as a wlohe. And I awlyas thought slpeling was ipmorantt.
>
>
> --
> Anthony G. Basile, Ph.D.
> Gentoo Linux Developer [Hardened]
> E-Mail    : blueness@gentoo.org
> GnuPG FP  : 8040 5A4D 8709 21B1 1A88  33CE 979C AF40 D045 5535
> GnuPG ID  : D0455535
>
>


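Added example (not from Javier's mail) that checks the two behaviours described above at runtime: whether the process may create a mapping that is writable and executable at once, and whether a mapping that was writable may later be made executable. It probes the process it runs in, so on a python interpreter that has been given paxctl -m it will report both as allowed; the ctypes binding of libc's mprotect and the verdict strings are this example's own choices.

```python
"""Runtime probe of the PaX MPROTECT policy applied to the current process.

MPROTECT forbids two things a process without it may do freely: creating a
mapping that is writable and executable at the same time, and turning a
mapping that was once writable into an executable one. The probe reports
whether each is denied for the process running it, so the protection can be
verified (for this binary, with its current PaX flags) instead of assumed.
"""
import ctypes
import errno
import mmap

PAGE = mmap.PAGESIZE
PROT_RW = mmap.PROT_READ | mmap.PROT_WRITE
PROT_RX = mmap.PROT_READ | mmap.PROT_EXEC
PROT_RWX = PROT_RW | mmap.PROT_EXEC
ANON = mmap.MAP_PRIVATE | mmap.MAP_ANONYMOUS


def _verdict(err):
    """Map an errno to the probe's verdict; EACCES/EPERM is what a PaX kernel returns."""
    if err in (errno.EACCES, errno.EPERM):
        return "denied"
    return "error:%s" % errno.errorcode.get(err, err)


def probe_rwx_mapping():
    """Anonymous mapping requested as RWX in a single mmap() call."""
    try:
        m = mmap.mmap(-1, PAGE, flags=ANON, prot=PROT_RWX)
    except OSError as exc:
        return _verdict(exc.errno)
    m.close()
    return "allowed"


def probe_w_to_x_transition():
    """RW anonymous mapping later flipped to RX with mprotect(2) through libc."""
    libc = ctypes.CDLL(None, use_errno=True)
    libc.mprotect.argtypes = (ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int)
    libc.mprotect.restype = ctypes.c_int
    m = mmap.mmap(-1, PAGE, flags=ANON, prot=PROT_RW)
    buf = ctypes.c_char.from_buffer(m)          # borrow the mapping's start address
    addr = ctypes.addressof(buf)
    rc = libc.mprotect(addr, PAGE, PROT_RX)     # W -> X transition on the same pages
    err = ctypes.get_errno()
    del buf                                     # release the buffer export before close
    try:
        m.close()
    except BufferError:
        pass                                    # mapping is torn down at exit anyway
    return "allowed" if rc == 0 else _verdict(err)


def probe_mprotect_policy():
    """Both probes as a dict; two 'allowed' verdicts mean MPROTECT is not in effect here."""
    return {"rwx_mmap": probe_rwx_mapping(), "w_then_x": probe_w_to_x_transition()}


if __name__ == "__main__":
    result = probe_mprotect_policy()
    for name, verdict in result.items():
        print("%-10s %s" % (name, verdict))
    if all(v == "allowed" for v in result.values()):
        print("MPROTECT is not enforced for this process (check paxctl -v on the interpreter)")
```

Run it under the hardened interpreter before and after `paxctl -m` to see the verdicts flip; the "error:" verdicts cover kernels or sandboxes that refuse the call for some other reason.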

* Re: [gentoo-hardened] mprotect question
  2011-07-14 13:41 ` Anthony G. Basile
  2011-07-14 14:39   ` Javier Juan Martínez Cabezón
@ 2011-07-14 15:29   ` Markus Oehme
  2011-07-14 21:46     ` Matthew Summers
       [not found]     ` <4E1F208F.8020801@gentoo.org>
  2011-07-14 21:49   ` Matthew Summers
  2 siblings, 2 replies; 10+ messages in thread
From: Markus Oehme @ 2011-07-14 15:29 UTC (permalink / raw
  To: gentoo-hardened; +Cc: Anthony G. Basile

Hi Anthony,

At Thu, 14 Jul 2011 09:41:48 -0400,
Anthony G. Basile wrote:
> It looks like you missed something in the process.  The steps to
> converting are (skipping details):
> 
> 1) switch profile
> 2) recompile the toolchain: emerge glibc gcc binutils
> 3) recompile system: emerge -e system
> 4) recompile world: emerge -e world

I did execute all steps in this order and rebuilt all packages. Just now I
did some tries and recompiled some of the packages which fail. However this
changed nothing.

One thing that should possibly be said: I'm using gcc-4.6.1. I was using gcc
4.6.0 for quite some time on ~amd64 ere I switched to hardened last week.  I
didn't encounter any special problems during the transition.

> If you didn't do these, it's possible you have some binaries left that
> will trigger pax violations.
> 
> One way to quickly check if you got hardened binaries is to use a script
> called checksec.sh [1] and run it on /bin or /sbin.  You should see that
> all your binaries have FULL RELRO, STACK CANARY, NX, PIE and ASLR.

I just executed the script for /bin and the result [1] was very mixed. Nearly all
binaries have FULL RELRO and PIE, but most have no STACK CANARY and NX. I
checked whether this could be changed and rebuilt coreutils twice, but the
output was the same every time.

However this seems not to be a big problem since the system is currently
running normally (Xfce desktop session) with my current list [2] of exceptions
to mprotect which contains only binaries under /usr.


Thanks for the advice.

   	    Markus

[1]

RELRO           STACK CANARY      NX            PIE                     FILE
Full RELRO      Canary found      NX enabled    PIE enabled             /bin/attr
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/basename
Full RELRO      Canary found      NX enabled    PIE enabled             /bin/bash
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/bsdcpio
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/bsdtar
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/btrfs-debug-tree
Partial RELRO   No canary found   NX disabled   No PIE                  /bin/busybox
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/bzip2
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/cat
Full RELRO      Canary found      NX enabled    PIE enabled             /bin/chacl
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/chgrp
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/chmod
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/chown
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/chroot
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/cp
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/cpio
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/cut
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/date
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/dd
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/df
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/dir
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/dirname
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/dmesg
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/du
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/echo
Full RELRO      Canary found      NX enabled    PIE enabled             /bin/ed
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/egrep
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/env
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/expr
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/false
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/fgrep
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/findmnt
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/fuser
Full RELRO      Canary found      NX enabled    PIE enabled             /bin/gawk
Full RELRO      Canary found      NX enabled    PIE enabled             /bin/getfacl
Full RELRO      Canary found      NX enabled    PIE enabled             /bin/getfattr
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/grep
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/groups
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/gzip
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/head
Full RELRO      Canary found      NX enabled    PIE enabled             /bin/hostname
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/kill
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/ln
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/login
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/ls
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/lsblk
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/lsmod
Full RELRO      Canary found      NX enabled    PIE enabled             /bin/mail
Full RELRO      Canary found      NX enabled    PIE enabled             /bin/mbchk
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/mkdir
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/mkfifo
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/mknod
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/mktemp
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/more
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/mount
Full RELRO      Canary found      NX enabled    PIE enabled             /bin/mountpoint
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/mv
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/nano
Full RELRO      Canary found      NX enabled    PIE enabled             /bin/netstat
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/passwd
Full RELRO      Canary found      NX enabled    PIE enabled             /bin/ping
Full RELRO      Canary found      NX enabled    PIE enabled             /bin/ping6
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/ps
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/pwd
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/readlink
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/rm
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/rmdir
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/run-parts
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/sed
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/seq
Full RELRO      Canary found      NX enabled    PIE enabled             /bin/setfacl
Full RELRO      Canary found      NX enabled    PIE enabled             /bin/setfattr
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/sleep
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/sort
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/stty
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/su
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/sync
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/tail
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/tar
Full RELRO      Canary found      NX enabled    PIE enabled             /bin/tcsh
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/tempfile
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/touch
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/tr
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/true
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/tty
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/umount
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/uname
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/vdir
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/wc
Full RELRO      No canary found   NX disabled   PIE enabled             /bin/yes
Full RELRO      Canary found      NX enabled    PIE enabled             /bin/zsh
Full RELRO      Canary found      NX enabled    PIE enabled             /bin/zsh-4.3.12



[2]

/usr/bin/emacs-23
/usr/bin/gkrellm
/usr/bin/perl
/usr/bin/python2.7
/usr/bin/spamc
/usr/bin/ssh
/usr/bin/sudo
/usr/bin/Terminal
/usr/bin/xchat
/usr/bin/xfce4-mixer
/usr/bin/xfce4-panel
/usr/bin/xfce4-session
/usr/bin/xfce4-session-logout
/usr/bin/xfconf-query
/usr/bin/xfdesktop
/usr/bin/Xorg
/usr/bin/xscreensaver
/usr/games/bin/enigma
/usr/lib64/courier/courier-authlib/authdaemond
/usr/lib64/xfce4/xfconf/xfconfd
/usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1
/usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1plus
/usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/lto1
/usr/libexec/git-core/git
/usr/libexec/polkitd
/usr/libexec/udisks-daemon
/usr/libexec/xfce4/panel-plugins/xfce4-mixer-plugin
/usr/sbin/collectd
/usr/sbin/console-kit-daemon


--
Aoccdrnig to a threoy, it deosn't mttaer in waht oredr the ltteers in a wrod
are, the olny iprmoatnt tihng is taht the frist and lsat ltteer are in the
rghit pclae. The rset can be a taotl mses and you can sitll raed it in msot
csaes. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef,
but the wrod as a wlohe. And I awlyas thought slpeling was ipmorantt.




* Re: [gentoo-hardened] mprotect question
  2011-07-14 15:29   ` Markus Oehme
@ 2011-07-14 21:46     ` Matthew Summers
       [not found]     ` <4E1F208F.8020801@gentoo.org>
  1 sibling, 0 replies; 10+ messages in thread
From: Matthew Summers @ 2011-07-14 21:46 UTC (permalink / raw
  To: gentoo-hardened

On Thu, Jul 14, 2011 at 10:29 AM, Markus Oehme <oehme.markus@gmx.de> wrote:
> Hi Anthony,
>
> At Thu, 14 Jul 2011 09:41:48 -0400,
> Anthony G. Basile wrote:
>> It looks like you missed something in the process.  The steps to
>> converting are (skipping details):
>>
>> 1) switch profile
>> 2) recompile the toolchain: emerge glibc gcc binutils
>> 3) recompile system: emerge -e system
>> 4) recompile world: emerge -e world
>
> I did execute all steps in this order and rebuilt all packages. Just now I
> did some tries and recompiled some of the packages which fail. However this
> changed nothing.
>
> One thing that should possibly be said: I'm using gcc-4.6.1. I was using gcc
> 4.6.0 for quite some time on ~amd64 ere I switched to hardened last week.  I
> didn't encounter any special problems during the transition.
>
>> If you didn't do these, it's possible you have some binaries left that
>> will trigger pax violations.
>>
>> One way to quickly check if you got hardened binaries is to use a script
>> called checksec.sh [1] and run it on /bin or /sbin.  You should see that
>> all your binaries have FULL RELRO, STACK CANARY, NX, PIE and ASLR.
>
> I just executed the script for /bin and the result [1] was very mixed. Nearly all
> binaries have FULL RELRO and PIE, but most have no STACK CANARY and NX. I
> checked whether this could be changed and rebuilt coreutils twice, but the
> output was the same every time.
>
> However this seems not to be a big problem since the system is currently
> running normally (Xfce desktop session) with my current list [2] of exceptions
> to mprotect which contains only binaries under /usr.
>
>
> Thanks for the advice.
>
>            Markus
>
> [1]
>
> RELRO           STACK CANARY      NX            PIE                     FILE
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/attr
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/basename
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/bash
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/bsdcpio
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/bsdtar
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/btrfs-debug-tree
> Partial RELRO   No canary found   NX disabled   No PIE                  /bin/busybox
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/bzip2
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/cat
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/chacl
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/chgrp
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/chmod
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/chown
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/chroot
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/cp
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/cpio
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/cut
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/date
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/dd
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/df
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/dir
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/dirname
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/dmesg
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/du
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/echo
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/ed
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/egrep
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/env
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/expr
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/false
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/fgrep
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/findmnt
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/fuser
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/gawk
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/getfacl
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/getfattr
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/grep
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/groups
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/gzip
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/head
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/hostname
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/kill
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/ln
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/login
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/ls
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/lsblk
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/lsmod
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/mail
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/mbchk
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/mkdir
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/mkfifo
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/mknod
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/mktemp
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/more
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/mount
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/mountpoint
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/mv
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/nano
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/netstat
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/passwd
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/ping
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/ping6
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/ps
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/pwd
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/readlink
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/rm
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/rmdir
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/run-parts
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/sed
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/seq
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/setfacl
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/setfattr
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/sleep
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/sort
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/stty
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/su
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/sync
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/tail
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/tar
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/tcsh
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/tempfile
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/touch
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/tr
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/true
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/tty
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/umount
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/uname
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/vdir
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/wc
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/yes
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/zsh
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/zsh-4.3.12
>
>
>
> [2]
>
> /usr/bin/emacs-23
> /usr/bin/gkrellm
> /usr/bin/perl
> /usr/bin/python2.7
> /usr/bin/spamc
> /usr/bin/ssh
> /usr/bin/sudo
> /usr/bin/Terminal
> /usr/bin/xchat
> /usr/bin/xfce4-mixer
> /usr/bin/xfce4-panel
> /usr/bin/xfce4-session
> /usr/bin/xfce4-session-logout
> /usr/bin/xfconf-query
> /usr/bin/xfdesktop
> /usr/bin/Xorg
> /usr/bin/xscreensaver
> /usr/games/bin/enigma
> /usr/lib64/courier/courier-authlib/authdaemond
> /usr/lib64/xfce4/xfconf/xfconfd
> /usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1
> /usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1plus
> /usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/lto1
> /usr/libexec/git-core/git
> /usr/libexec/polkitd
> /usr/libexec/udisks-daemon
> /usr/libexec/xfce4/panel-plugins/xfce4-mixer-plugin
> /usr/sbin/collectd
> /usr/sbin/console-kit-daemon
>
>
> --
> Aoccdrnig to a threoy, it deosn't mttaer in waht oredr the ltteers in a wrod
> are, the olny iprmoatnt tihng is taht the frist and lsat ltteer are in the
> rghit pclae. The rset can be a taotl mses and you can sitll raed it in msot
> csaes. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef,
> but the wrod as a wlohe. And I awlyas thought slpeling was ipmorantt.
>
>

Hi there,

What is the output of gcc-config -l? You should see something like the
following (versions will be different).
 [1] x86_64-pc-linux-gnu-4.4.5 *
 [2] x86_64-pc-linux-gnu-4.4.5-hardenednopie
 [3] x86_64-pc-linux-gnu-4.4.5-hardenednopiessp
 [4] x86_64-pc-linux-gnu-4.4.5-hardenednossp
 [5] x86_64-pc-linux-gnu-4.4.5-vanilla

The asterisk will be next to the one you have selected, which in this
case is the first in the list (it is hardened).

Cheers
-- 
M. Summers

"...there are no rules here -- we're trying to accomplish something."
  - Thomas A. Edison



^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [gentoo-hardened] mprotect question
  2011-07-14 13:41 ` Anthony G. Basile
  2011-07-14 14:39   ` Javier Juan Martínez Cabezón
  2011-07-14 15:29   ` Markus Oehme
@ 2011-07-14 21:49   ` Matthew Summers
  2 siblings, 0 replies; 10+ messages in thread
From: Matthew Summers @ 2011-07-14 21:49 UTC (permalink / raw
  To: gentoo-hardened

On Thu, Jul 14, 2011 at 8:41 AM, Anthony G. Basile <blueness@gentoo.org> wrote:
> Hi Markus,
>
> It looks like you missed something in the process.  The steps to
> converting are (skipping details):
>
> 1) switch profile
> 2) recompile the toolchain: emerge glibc gcc binutils
> 3) recompile system: emerge -e system
> 4) recompile world: emerge -e world
>
> If you didn't do these, it's possible you have some binaries left that
> will trigger pax violations.

 <snip>

> --
> Anthony G. Basile, Ph.D.
> Gentoo Linux Developer [Hardened]
> E-Mail    : blueness@gentoo.org
> GnuPG FP  : 8040 5A4D 8709 21B1 1A88  33CE 979C AF40 D045 5535
> GnuPG ID  : D0455535

I might add a step in there after #2, let's call it step "2+to-be-sure":
check the output of gcc-config -l and select the hardened gcc if it's
not been selected already. It's been a long time since I did a non- to
a hardened system conversion, so I am uncertain whether this is in
fact necessary. In any case it cannot hurt anything to simply check
the situation out.

-- 
M. Summers

"...there are no rules here -- we're trying to accomplish something."
  - Thomas A. Edison




* Re: [gentoo-hardened] mprotect question
       [not found]       ` <87bowwylhl.wl%veelai@jonglieren-jena.de>
@ 2011-07-15 10:22         ` Anthony G. Basile
       [not found]           ` <87aacfzu8f.wl%veelai@jonglieren-jena.de>
  0 siblings, 1 reply; 10+ messages in thread
From: Anthony G. Basile @ 2011-07-15 10:22 UTC (permalink / raw
  To: Markus Oehme; +Cc: gentoo-hardened

On 07/15/2011 04:52 AM, Markus Oehme wrote:
> Hi Anthony,
>
> At Thu, 14 Jul 2011 12:59:59 -0400,
> Anthony G. Basile wrote:
>>> One thing that should possibly be said: I'm using gcc-4.6.1. I was using gcc
>>> 4.6.0 for quite some time on ~amd64 ere I switched to hardened last week.  I
>>> didn't encounter any special problems during the transition.
>>>
>> Time for a bug report.  If reproducible, it's a show stopper for
>> hardened gcc-4.6.1
>>
>>>> If you didn't do these, it's possible you have some binaries left that
>>>> will trigger pax violations.
>>>>
>>>> One way to quickly check if you got hardened binaries is to use a script
>>>> called checksec.sh [1] and run it on /bin or /sbin.  You should see that
>>>> all your binaries have FULL RELRO, STACK CANARY, NX, PIE and ASLR.
>>> I just executed the script for /bin and the result [1] was very mixed. Nearly all
>>> binaries have FULL RELRO and PIE, but most have no STACK CANARY and NX. I
>>> checked whether this could be changed and rebuilt coreutils twice, but the
>>> output was the same every time.
>>>
>>> However this seems not to be a big problem since the system is currently
>>> running normal (Xfce desktop session) with my current list [2] of exceptions
>>> to mprotect which contains only binaries under /usr.
>>>
>> That's not right.  Can you compile the following, run checksec.sh on it
>> and see if you get all the hardening features:
>>
>> int main()
>> {
>>     ;
>>     return 0;
>> }
> I think I've found the issue. I had some rather aggressive CFLAGS
> enabled. Dropping them seems to correct the issue. The evil guy seems to be
> link time optimization. This is reproducible with your minimal example, if
> compiled with 'gcc' it turns out correctly. 'gcc -flto' gives the behaviour
> I've seen (no stack canary and no nx).
>
> I'm currently in the process of remerging @world, but hopefully everything
> will be ok afterwards.
>
>
>      	Markus
>
> --
> For instance, on the planet Earth, man had always assumed that he was more
> intelligent than dolphins because he had achieved so much---the wheel, New
> York, wars and so on---while all the dolphins had ever done was muck about
> in the water having a good time. But conversely, the dolphins had always
> believed that they were far more intelligent than man---for precisely the
> same reasons. (Douglas Adams, The Hitchhikers Guide to the Galaxy.)

Markus,

Thanks for discovering this, I was not aware. However, when I try to
compile with -flto, I get an error:

   cc1: error: LTO support has not been enabled in this configuration

I'm going to have to investigate.

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@gentoo.org
GnuPG FP  : 8040 5A4D 8709 21B1 1A88  33CE 979C AF40 D045 5535
GnuPG ID  : D0455535





* [solved] Re: [gentoo-hardened] mprotect question
  2011-07-14  9:54 [gentoo-hardened] mprotect question Markus Oehme
  2011-07-14 13:41 ` Anthony G. Basile
@ 2011-07-15 11:02 ` Markus Oehme
  2011-07-15 15:50   ` Fredric Johansson
  1 sibling, 1 reply; 10+ messages in thread
From: Markus Oehme @ 2011-07-15 11:02 UTC (permalink / raw
  To: gentoo-hardened

Hi,

I seem to have messed up my mail accounts and this list seems only to accept
submissions from members, so here is what I wrote to Anthony before.

The cause is using link time optimization (-flto) as optimization with
gcc. With it, the pattern is as I described, without it, everything works
fine.


		Markus

--
Aoccdrnig to a threoy, it deosn't mttaer in waht oredr the ltteers in a wrod
are, the olny iprmoatnt tihng is taht the frist and lsat ltteer are in the
rghit pclae. The rset can be a taotl mses and you can sitll raed it in msot
csaes. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef,
but the wrod as a wlohe. And I awlyas thought slpeling was ipmorantt.




* Re: [gentoo-hardened] mprotect question
       [not found]           ` <87aacfzu8f.wl%veelai@jonglieren-jena.de>
@ 2011-07-15 11:07             ` Anthony G. Basile
  0 siblings, 0 replies; 10+ messages in thread
From: Anthony G. Basile @ 2011-07-15 11:07 UTC (permalink / raw
  To: Markus Oehme; +Cc: gentoo-hardened

On 07/15/2011 06:57 AM, Markus Oehme wrote:
> Hi Anthony,
>
> At Fri, 15 Jul 2011 06:22:24 -0400,
> Anthony G. Basile wrote:
>> On 07/15/2011 04:52 AM, Markus Oehme wrote:
>> Thanks for discovering this, I was not aware. However, when I try to
>> compile with -flto, I get an error:
>>
>>    cc1: error: LTO support has not been enabled in this configuration
>>
>> I'm going to have to investigate.
> If you use gcc-4.5.* you have to enable the use flag 'lto' for gcc to get
> support for link time optimization. With gcc-4.6.* this seems not to be
> necessary.
>
Yep, time to mask that on the hardened profiles.

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@gentoo.org
GnuPG FP  : 8040 5A4D 8709 21B1 1A88  33CE 979C AF40 D045 5535
GnuPG ID  : D0455535





* Re: [solved] Re: [gentoo-hardened] mprotect question
  2011-07-15 11:02 ` [solved] " Markus Oehme
@ 2011-07-15 15:50   ` Fredric Johansson
  0 siblings, 0 replies; 10+ messages in thread
From: Fredric Johansson @ 2011-07-15 15:50 UTC (permalink / raw
  To: gentoo-hardened

On Fri, Jul 15, 2011 at 1:02 PM, Markus Oehme <oehme.markus@gmx.de> wrote:
> Hi,
>
> I seem to have messed up my mail accounts and this list seems only to accept
> submissions from members, so here what I wrote to Anthony before.
>
> The cause is using link time optimization (-flto) as optimization with
> gcc. With it, the pattern is as I described, without it, everything works
> fine.

I have experienced that lto sometimes adds text relocations when using
it. As an example in zlib-1.2.3 (but not in 1.2.5), so that's another
reason not to use lto on hardened.
Note that -flto -fstack-protector-all re-enables the stack canaries,
but I haven't checked whether or not that disables lto.

//Fredric

>
>                Markus
>



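A way to run the checks discussed in this thread yourself: the block below is an added example, not code from the thread or from the checksec.sh script Anthony refers to. It reproduces the four checksec.sh columns (RELRO, stack canary, NX, PIE) with readelf, adds a column for text relocations (the DT_TEXTREL dynamic tag behind the relocations Fredric mentions), and then builds Anthony's empty main() three times, plain, with -flto, and with -flto -fstack-protector-all, so the differences Markus and Fredric describe can be seen side by side. It assumes gcc and binutils' readelf are on PATH; the column wording follows checksec.sh.

```shell
#!/bin/sh
# Added example (not from the thread): a checksec.sh-style hardening report built
# on readelf, plus a driver that compiles an empty main() with several CFLAGS.
# Assumes gcc, readelf (binutils) and mktemp are available.

hardening_report() {
    bin="$1"
    phdrs=$(readelf -W -l "$bin" 2>/dev/null) || { echo "not an ELF file: $bin"; return 1; }
    dyn=$(readelf -W -d "$bin" 2>/dev/null || true)
    syms=$(readelf -W -s "$bin" 2>/dev/null || true)
    ehdr=$(readelf -W -h "$bin" 2>/dev/null || true)

    # RELRO: a PT_GNU_RELRO segment gives partial RELRO; BIND_NOW in the
    # dynamic section (so the GOT is resolved before it is made read-only) gives full.
    relro="No RELRO"
    if printf '%s\n' "$phdrs" | grep -q GNU_RELRO; then
        relro="Partial RELRO"
        printf '%s\n' "$dyn" | grep -q BIND_NOW && relro="Full RELRO"
    fi

    # Stack canary: the binary references __stack_chk_fail only if at least one
    # function was instrumented by -fstack-protector*.
    canary="No canary found"
    printf '%s\n' "$syms" | grep -q __stack_chk_fail && canary="Canary found"

    # NX: an RWE PT_GNU_STACK asks the kernel for an executable stack; a missing
    # PT_GNU_STACK header is treated as executable as well (checksec.sh only
    # looks for RWE, so this is slightly stricter).
    stack=$(printf '%s\n' "$phdrs" | grep GNU_STACK || true)
    nx="NX enabled"
    case "$stack" in
        "")    nx="NX disabled" ;;
        *RWE*) nx="NX disabled" ;;
    esac

    # PIE: an ET_DYN executable; readelf prints the type as DYN.
    pie="No PIE"
    printf '%s\n' "$ehdr" | grep -q 'Type:.*DYN' && pie="PIE enabled"

    # Text relocations: DT_TEXTREL means the loader must write into .text at load
    # time, which is exactly the kind of thing PaX MPROTECT refuses.
    textrel="No TEXTREL"
    printf '%s\n' "$dyn" | grep -q TEXTREL && textrel="TEXTREL"

    printf '%-14s %-17s %-12s %-12s %-11s %s\n' \
        "$relro" "$canary" "$nx" "$pie" "$textrel" "$bin"
}

compare_flags() {
    for tool in gcc readelf mktemp; do
        command -v "$tool" >/dev/null 2>&1 || { echo "$tool not found, skipping"; return 0; }
    done
    work=$(mktemp -d)
    # the minimal program from the thread
    printf 'int main(void)\n{\n    return 0;\n}\n' > "$work/main.c"
    # plain build, LTO build, and LTO with the canary forced back on
    for flags in "" "-flto" "-flto -fstack-protector-all"; do
        printf 'CFLAGS=%-28s ' "'$flags'"
        if gcc $flags -o "$work/a.out" "$work/main.c" 2>/dev/null; then   # $flags split on purpose
            hardening_report "$work/a.out"
        else
            echo "[build failed]"
        fi
    done
    rm -rf "$work"
}

compare_flags
```

One caveat when reading the output: the empty main() has no local arrays, so a gcc that enables only -fstack-protector or -fstack-protector-strong by default will show "No canary found" on the first two builds regardless of -flto; only a toolchain that protects every function by default (as the hardened specs do) is expected to show a canary on the plain build. The third build is the control for that, which is why it uses -fstack-protector-all as in Fredric's note. `hardening_report` can also be pointed at any installed binary, e.g. the entries of the mprotect exception list above, to see which of them lack NX or PIE.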
