
"grsec: denied RWX mprotect" doesn't kill app anymore
Hi!

I wonder whether something has changed in the handling of "grsec: denied RWX mprotect"?
Previously, when I saw this in the kernel log it usually resulted in the app being
killed (and I had to run `paxctl-ng -m /that/app`), but now it looks like this
doesn't happen anymore. For example:

# eselect opengl list
Available OpenGL implementations:
[1] nvidia *
[2] xorg-x11
# grep PAX /etc/portage/make.conf
PAX_MARKINGS="XT"
# paxctl-ng -v /usr/bin/glxgears
/usr/bin/glxgears:
PT_PAX : -e---
XATTR_PAX : not found
# /usr/bin/glxgears
Running synchronized to the vertical refresh. The framerate should be
approximately the same as the monitor refresh rate.
302 frames in 5.0 seconds = 60.336 FPS
300 frames in 5.0 seconds = 59.960 FPS
(so, as you see, it works!)

and here is the kernel log:

2014-11-01_10:00:19.58867 kern.alert: grsec: denied RWX mprotect of /usr/lib64/opengl/nvidia/lib/libGL.so.343.22 by /usr/bin/glxgears[glxgears:12208] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:8601] uid/euid:0/0 gid/egid:0/0

At the same time, paxtest works OK (all of its tests are killed).


My kernel config:

# zgrep PAX /proc/config.gz

CONFIG_PAX_USERCOPY_SLABS=y
CONFIG_PAX=y
# CONFIG_PAX_SOFTMODE is not set
# CONFIG_PAX_PT_PAX_FLAGS is not set
CONFIG_PAX_XATTR_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_MPROTECT_COMPAT is not set
# CONFIG_PAX_ELFRELOCS is not set
# CONFIG_PAX_KERNEXEC is not set
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""
CONFIG_PAX_ASLR=y
# CONFIG_PAX_RANDKSTACK is not set
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_MEMORY_SANITIZE is not set
# CONFIG_PAX_MEMORY_STACKLEAK is not set
CONFIG_PAX_MEMORY_STRUCTLEAK=y
# CONFIG_PAX_MEMORY_UDEREF is not set
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_USERCOPY=y
# CONFIG_PAX_USERCOPY_DEBUG is not set
# CONFIG_PAX_SIZE_OVERFLOW is not set
# CONFIG_PAX_LATENT_ENTROPY is not set

# zgrep GRKERNSEC /proc/config.gz

CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_CONFIG_AUTO is not set
CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
CONFIG_GRKERNSEC_PROC_GID=1000
CONFIG_GRKERNSEC_KMEM=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PERF_HARDEN=y
CONFIG_GRKERNSEC_RAND_THREADSTACK=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
# CONFIG_GRKERNSEC_KSTACKOVERFLOW is not set
# CONFIG_GRKERNSEC_BRUTE is not set
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_HIDESYM=y
# CONFIG_GRKERNSEC_RANDSTRUCT is not set
# CONFIG_GRKERNSEC_KERN_LOCKOUT is not set
CONFIG_GRKERNSEC_NO_RBAC=y
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
# CONFIG_GRKERNSEC_SYMLINKOWN is not set
CONFIG_GRKERNSEC_FIFO=y
# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
# CONFIG_GRKERNSEC_ROFS is not set
CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
CONFIG_GRKERNSEC_AUDIT_PTRACE=y
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
# CONFIG_GRKERNSEC_TIME is not set
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_RWXMAP_LOG=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_READEXEC=y
CONFIG_GRKERNSEC_SETXID=y
CONFIG_GRKERNSEC_HARDEN_IPC=y
# CONFIG_GRKERNSEC_TPE is not set
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_BLACKHOLE=y
CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
# CONFIG_GRKERNSEC_SOCKET is not set
# CONFIG_GRKERNSEC_DENYUSB is not set
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4

--
WBR, Alex.
Re: "grsec: denied RWX mprotect" doesn't kill app anymore [ In reply to ]
On Sat, 1 Nov 2014 12:08:23 +0200
Alex Efros <powerman@powerman.name> wrote:

> Hi!
>
> I wonder is something was changed in handling "grsec: denied RWX
> mprotect"? Previously when I see this in kernel log it usually result
> in killing app (and I've to run `paxctl-ng -m /that/app`), but now it
> looks like this doesn't happens anymore. For example:
>

https://bugs.freedesktop.org/show_bug.cgi?id=73473

OpenGL apps fall back to software rendering if they can't mmap
executable memory.

> # eselect opengl list
> Available OpenGL implementations:
> [1] nvidia *
> [2] xorg-x11
> # grep PAX /etc/portage/make.conf
> PAX_MARKINGS="XT"
> # paxctl-ng -v /usr/bin/glxgears
> /usr/bin/glxgears:
> PT_PAX : -e---
> XATTR_PAX : not found
> # /usr/bin/glxgears
> Running synchronized to the vertical refresh. The framerate should be
> approximately the same as the monitor refresh rate.
> 302 frames in 5.0 seconds = 60.336 FPS
> 300 frames in 5.0 seconds = 59.960 FPS
> (so, as you see, it works!)
>
> and here is kernel log:
>
> 2014-11-01_10:00:19.58867 kern.alert: grsec: denied RWX mprotect
> of /usr/lib64/opengl/nvidia/lib/libGL.so.343.22
> by /usr/bin/glxgears[glxgears:12208] uid/euid:0/0 gid/egid:0/0,
> parent /bin/bash[bash:8601] uid/euid:0/0 gid/egid:0/0
>
> At same time paxtest works ok (all killed).
>
>
> My kernel config:
>
> # zgrep PAX /proc/config.gz
>
> CONFIG_PAX_USERCOPY_SLABS=y
> CONFIG_PAX=y
> # CONFIG_PAX_SOFTMODE is not set
> # CONFIG_PAX_PT_PAX_FLAGS is not set
> CONFIG_PAX_XATTR_PAX_FLAGS=y
> CONFIG_PAX_NO_ACL_FLAGS=y
> # CONFIG_PAX_HAVE_ACL_FLAGS is not set
> # CONFIG_PAX_HOOK_ACL_FLAGS is not set
> CONFIG_PAX_NOEXEC=y
> CONFIG_PAX_PAGEEXEC=y
> CONFIG_PAX_EMUTRAMP=y
> CONFIG_PAX_MPROTECT=y
> # CONFIG_PAX_MPROTECT_COMPAT is not set
> # CONFIG_PAX_ELFRELOCS is not set
> # CONFIG_PAX_KERNEXEC is not set
> CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""
> CONFIG_PAX_ASLR=y
> # CONFIG_PAX_RANDKSTACK is not set
> CONFIG_PAX_RANDUSTACK=y
> CONFIG_PAX_RANDMMAP=y
> # CONFIG_PAX_MEMORY_SANITIZE is not set
> # CONFIG_PAX_MEMORY_STACKLEAK is not set
> CONFIG_PAX_MEMORY_STRUCTLEAK=y
> # CONFIG_PAX_MEMORY_UDEREF is not set
> CONFIG_PAX_REFCOUNT=y
> CONFIG_PAX_USERCOPY=y
> # CONFIG_PAX_USERCOPY_DEBUG is not set
> # CONFIG_PAX_SIZE_OVERFLOW is not set
> # CONFIG_PAX_LATENT_ENTROPY is not set
>
> # zgrep GRKERNSEC /proc/config.gz
>
> CONFIG_GRKERNSEC=y
> # CONFIG_GRKERNSEC_CONFIG_AUTO is not set
> CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
> CONFIG_GRKERNSEC_PROC_GID=1000
> CONFIG_GRKERNSEC_KMEM=y
> # CONFIG_GRKERNSEC_IO is not set
> CONFIG_GRKERNSEC_PERF_HARDEN=y
> CONFIG_GRKERNSEC_RAND_THREADSTACK=y
> CONFIG_GRKERNSEC_PROC_MEMMAP=y
> # CONFIG_GRKERNSEC_KSTACKOVERFLOW is not set
> # CONFIG_GRKERNSEC_BRUTE is not set
> CONFIG_GRKERNSEC_MODHARDEN=y
> CONFIG_GRKERNSEC_HIDESYM=y
> # CONFIG_GRKERNSEC_RANDSTRUCT is not set
> # CONFIG_GRKERNSEC_KERN_LOCKOUT is not set
> CONFIG_GRKERNSEC_NO_RBAC=y
> CONFIG_GRKERNSEC_ACL_HIDEKERN=y
> CONFIG_GRKERNSEC_ACL_MAXTRIES=3
> CONFIG_GRKERNSEC_ACL_TIMEOUT=30
> CONFIG_GRKERNSEC_PROC=y
> # CONFIG_GRKERNSEC_PROC_USER is not set
> CONFIG_GRKERNSEC_PROC_USERGROUP=y
> CONFIG_GRKERNSEC_PROC_ADD=y
> CONFIG_GRKERNSEC_LINK=y
> # CONFIG_GRKERNSEC_SYMLINKOWN is not set
> CONFIG_GRKERNSEC_FIFO=y
> # CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
> # CONFIG_GRKERNSEC_ROFS is not set
> CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
> CONFIG_GRKERNSEC_CHROOT=y
> CONFIG_GRKERNSEC_CHROOT_MOUNT=y
> CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
> CONFIG_GRKERNSEC_CHROOT_PIVOT=y
> CONFIG_GRKERNSEC_CHROOT_CHDIR=y
> CONFIG_GRKERNSEC_CHROOT_CHMOD=y
> CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
> CONFIG_GRKERNSEC_CHROOT_MKNOD=y
> CONFIG_GRKERNSEC_CHROOT_SHMAT=y
> CONFIG_GRKERNSEC_CHROOT_UNIX=y
> CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
> CONFIG_GRKERNSEC_CHROOT_NICE=y
> CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
> CONFIG_GRKERNSEC_CHROOT_CAPS=y
> # CONFIG_GRKERNSEC_AUDIT_GROUP is not set
> # CONFIG_GRKERNSEC_EXECLOG is not set
> CONFIG_GRKERNSEC_RESLOG=y
> # CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
> CONFIG_GRKERNSEC_AUDIT_PTRACE=y
> # CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
> # CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
> CONFIG_GRKERNSEC_SIGNAL=y
> CONFIG_GRKERNSEC_FORKFAIL=y
> # CONFIG_GRKERNSEC_TIME is not set
> CONFIG_GRKERNSEC_PROC_IPADDR=y
> CONFIG_GRKERNSEC_RWXMAP_LOG=y
> CONFIG_GRKERNSEC_DMESG=y
> CONFIG_GRKERNSEC_HARDEN_PTRACE=y
> CONFIG_GRKERNSEC_PTRACE_READEXEC=y
> CONFIG_GRKERNSEC_SETXID=y
> CONFIG_GRKERNSEC_HARDEN_IPC=y
> # CONFIG_GRKERNSEC_TPE is not set
> CONFIG_GRKERNSEC_RANDNET=y
> CONFIG_GRKERNSEC_BLACKHOLE=y
> CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
> # CONFIG_GRKERNSEC_SOCKET is not set
> # CONFIG_GRKERNSEC_DENYUSB is not set
> CONFIG_GRKERNSEC_SYSCTL=y
> CONFIG_GRKERNSEC_SYSCTL_ON=y
> CONFIG_GRKERNSEC_FLOODTIME=10
> CONFIG_GRKERNSEC_FLOODBURST=4
>
Re: "grsec: denied RWX mprotect" doesn't kill app anymore [ In reply to ]
There have been changes in the toolchain:
https://sourceware.org/bugzilla/show_bug.cgi?id=12492

Applications also handle these situations nowadays and survive the denial
instead of crashing: the kernel log line shows the RWX mprotect is still being
denied, so what changed is the userspace reaction to the failed mprotect(), not
the enforcement.
For example, the clamav developers made the software aware of such a situation:
https://bugs.gentoo.org/show_bug.cgi?id=326199

BR: Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

2014.November 1.(Szo) 11:08 időpontban Alex Efros ezt írta:
> Hi!
>
> I wonder is something was changed in handling "grsec: denied RWX
> mprotect"?
> Previously when I see this in kernel log it usually result in killing app
> (and I've to run `paxctl-ng -m /that/app`), but now it looks like this
> doesn't happens anymore. For example:
>
> # eselect opengl list
> Available OpenGL implementations:
> [1] nvidia *
> [2] xorg-x11
> # grep PAX /etc/portage/make.conf
> PAX_MARKINGS="XT"
> # paxctl-ng -v /usr/bin/glxgears
> /usr/bin/glxgears:
> PT_PAX : -e---
> XATTR_PAX : not found
> # /usr/bin/glxgears
> Running synchronized to the vertical refresh. The framerate should be
> approximately the same as the monitor refresh rate.
> 302 frames in 5.0 seconds = 60.336 FPS
> 300 frames in 5.0 seconds = 59.960 FPS
> (so, as you see, it works!)
>
> and here is kernel log:
>
> 2014-11-01_10:00:19.58867 kern.alert: grsec: denied RWX mprotect of
> /usr/lib64/opengl/nvidia/lib/libGL.so.343.22 by
> /usr/bin/glxgears[glxgears:12208] uid/euid:0/0 gid/egid:0/0, parent
> /bin/bash[bash:8601] uid/euid:0/0 gid/egid:0/0
>
> At same time paxtest works ok (all killed).
>
>
> My kernel config:
>
> # zgrep PAX /proc/config.gz
>
> CONFIG_PAX_USERCOPY_SLABS=y
> CONFIG_PAX=y
> # CONFIG_PAX_SOFTMODE is not set
> # CONFIG_PAX_PT_PAX_FLAGS is not set
> CONFIG_PAX_XATTR_PAX_FLAGS=y
> CONFIG_PAX_NO_ACL_FLAGS=y
> # CONFIG_PAX_HAVE_ACL_FLAGS is not set
> # CONFIG_PAX_HOOK_ACL_FLAGS is not set
> CONFIG_PAX_NOEXEC=y
> CONFIG_PAX_PAGEEXEC=y
> CONFIG_PAX_EMUTRAMP=y
> CONFIG_PAX_MPROTECT=y
> # CONFIG_PAX_MPROTECT_COMPAT is not set
> # CONFIG_PAX_ELFRELOCS is not set
> # CONFIG_PAX_KERNEXEC is not set
> CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""
> CONFIG_PAX_ASLR=y
> # CONFIG_PAX_RANDKSTACK is not set
> CONFIG_PAX_RANDUSTACK=y
> CONFIG_PAX_RANDMMAP=y
> # CONFIG_PAX_MEMORY_SANITIZE is not set
> # CONFIG_PAX_MEMORY_STACKLEAK is not set
> CONFIG_PAX_MEMORY_STRUCTLEAK=y
> # CONFIG_PAX_MEMORY_UDEREF is not set
> CONFIG_PAX_REFCOUNT=y
> CONFIG_PAX_USERCOPY=y
> # CONFIG_PAX_USERCOPY_DEBUG is not set
> # CONFIG_PAX_SIZE_OVERFLOW is not set
> # CONFIG_PAX_LATENT_ENTROPY is not set
>
> # zgrep GRKERNSEC /proc/config.gz
>
> CONFIG_GRKERNSEC=y
> # CONFIG_GRKERNSEC_CONFIG_AUTO is not set
> CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
> CONFIG_GRKERNSEC_PROC_GID=1000
> CONFIG_GRKERNSEC_KMEM=y
> # CONFIG_GRKERNSEC_IO is not set
> CONFIG_GRKERNSEC_PERF_HARDEN=y
> CONFIG_GRKERNSEC_RAND_THREADSTACK=y
> CONFIG_GRKERNSEC_PROC_MEMMAP=y
> # CONFIG_GRKERNSEC_KSTACKOVERFLOW is not set
> # CONFIG_GRKERNSEC_BRUTE is not set
> CONFIG_GRKERNSEC_MODHARDEN=y
> CONFIG_GRKERNSEC_HIDESYM=y
> # CONFIG_GRKERNSEC_RANDSTRUCT is not set
> # CONFIG_GRKERNSEC_KERN_LOCKOUT is not set
> CONFIG_GRKERNSEC_NO_RBAC=y
> CONFIG_GRKERNSEC_ACL_HIDEKERN=y
> CONFIG_GRKERNSEC_ACL_MAXTRIES=3
> CONFIG_GRKERNSEC_ACL_TIMEOUT=30
> CONFIG_GRKERNSEC_PROC=y
> # CONFIG_GRKERNSEC_PROC_USER is not set
> CONFIG_GRKERNSEC_PROC_USERGROUP=y
> CONFIG_GRKERNSEC_PROC_ADD=y
> CONFIG_GRKERNSEC_LINK=y
> # CONFIG_GRKERNSEC_SYMLINKOWN is not set
> CONFIG_GRKERNSEC_FIFO=y
> # CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
> # CONFIG_GRKERNSEC_ROFS is not set
> CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
> CONFIG_GRKERNSEC_CHROOT=y
> CONFIG_GRKERNSEC_CHROOT_MOUNT=y
> CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
> CONFIG_GRKERNSEC_CHROOT_PIVOT=y
> CONFIG_GRKERNSEC_CHROOT_CHDIR=y
> CONFIG_GRKERNSEC_CHROOT_CHMOD=y
> CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
> CONFIG_GRKERNSEC_CHROOT_MKNOD=y
> CONFIG_GRKERNSEC_CHROOT_SHMAT=y
> CONFIG_GRKERNSEC_CHROOT_UNIX=y
> CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
> CONFIG_GRKERNSEC_CHROOT_NICE=y
> CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
> CONFIG_GRKERNSEC_CHROOT_CAPS=y
> # CONFIG_GRKERNSEC_AUDIT_GROUP is not set
> # CONFIG_GRKERNSEC_EXECLOG is not set
> CONFIG_GRKERNSEC_RESLOG=y
> # CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
> CONFIG_GRKERNSEC_AUDIT_PTRACE=y
> # CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
> # CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
> CONFIG_GRKERNSEC_SIGNAL=y
> CONFIG_GRKERNSEC_FORKFAIL=y
> # CONFIG_GRKERNSEC_TIME is not set
> CONFIG_GRKERNSEC_PROC_IPADDR=y
> CONFIG_GRKERNSEC_RWXMAP_LOG=y
> CONFIG_GRKERNSEC_DMESG=y
> CONFIG_GRKERNSEC_HARDEN_PTRACE=y
> CONFIG_GRKERNSEC_PTRACE_READEXEC=y
> CONFIG_GRKERNSEC_SETXID=y
> CONFIG_GRKERNSEC_HARDEN_IPC=y
> # CONFIG_GRKERNSEC_TPE is not set
> CONFIG_GRKERNSEC_RANDNET=y
> CONFIG_GRKERNSEC_BLACKHOLE=y
> CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
> # CONFIG_GRKERNSEC_SOCKET is not set
> # CONFIG_GRKERNSEC_DENYUSB is not set
> CONFIG_GRKERNSEC_SYSCTL=y
> CONFIG_GRKERNSEC_SYSCTL_ON=y
> CONFIG_GRKERNSEC_FLOODTIME=10
> CONFIG_GRKERNSEC_FLOODBURST=4
>
> --
> WBR, Alex.
>
Re: "grsec: denied RWX mprotect" doesn't kill app anymore [ In reply to ]
В Sat, 1 Nov 2014 11:21:51 +0100
Amadeusz Sławiński <amade@asmblr.net> пишет:

> On Sat, 1 Nov 2014 12:08:23 +0200
> Alex Efros <powerman@powerman.name> wrote:
>
> > Hi!
> >
> > I wonder is something was changed in handling "grsec: denied RWX
> > mprotect"? Previously when I see this in kernel log it usually
> > result in killing app (and I've to run `paxctl-ng -m /that/app`),
> > but now it looks like this doesn't happens anymore. For example:
> >
>
> https://bugs.freedesktop.org/show_bug.cgi?id=73473
>
> OpenGL apps fallback to software rendering if they can't mmap
> executable memory.

Alex uses the nvidia blob, so the fdo bug is unrelated here:

> > # eselect opengl list
> > Available OpenGL implementations:
> > [1] nvidia *
> > [2] xorg-x11

--
Alexander Tsoy
Re: "grsec: denied RWX mprotect" doesn't kill app anymore [ In reply to ]
On 01.11.2014 11:08, Alex Efros wrote:
> Hi!
>
> I wonder is something was changed in handling "grsec: denied RWX mprotect"?
> Previously when I see this in kernel log it usually result in killing app
> (and I've to run `paxctl-ng -m /that/app`), but now it looks like this
> doesn't happens anymore. For example:
>
> # eselect opengl list
> Available OpenGL implementations:
> [1] nvidia *
> [2] xorg-x11
> # grep PAX /etc/portage/make.conf
> PAX_MARKINGS="XT"
> # paxctl-ng -v /usr/bin/glxgears
> /usr/bin/glxgears:
> PT_PAX : -e---
> XATTR_PAX : not found
> # /usr/bin/glxgears
> Running synchronized to the vertical refresh. The framerate should be
> approximately the same as the monitor refresh rate.
> 302 frames in 5.0 seconds = 60.336 FPS
> 300 frames in 5.0 seconds = 59.960 FPS
> (so, as you see, it works!)
>
> and here is kernel log:
>
> 2014-11-01_10:00:19.58867 kern.alert: grsec: denied RWX mprotect of /usr/lib64/opengl/nvidia/lib/libGL.so.343.22 by /usr/bin/glxgears[glxgears:12208] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:8601] uid/euid:0/0 gid/egid:0/0
Since nvidia-drivers-340.17, NVIDIA has implemented some fallbacks for
systems where writing to executable memory is not allowed:

2014-06-09 version 340.17

[...]

* Improved support for running the NVIDIA driver in configurations where
  writing to executable memory is disallowed. Driver optimizations that
  require writing to executable memory can be forcefully disabled using the
  new __GL_WRITE_TEXT_SECTION environment variable. See the README for more
  details.

I haven't tested this myself yet, but it seems this should finally allow
running the NVIDIA binary driver on PaX-enabled systems.

>
> At same time paxtest works ok (all killed).
>
>
> My kernel config:
>
> # zgrep PAX /proc/config.gz
>
> CONFIG_PAX_USERCOPY_SLABS=y
> CONFIG_PAX=y
> # CONFIG_PAX_SOFTMODE is not set
> # CONFIG_PAX_PT_PAX_FLAGS is not set
> CONFIG_PAX_XATTR_PAX_FLAGS=y
> CONFIG_PAX_NO_ACL_FLAGS=y
> # CONFIG_PAX_HAVE_ACL_FLAGS is not set
> # CONFIG_PAX_HOOK_ACL_FLAGS is not set
> CONFIG_PAX_NOEXEC=y
> CONFIG_PAX_PAGEEXEC=y
> CONFIG_PAX_EMUTRAMP=y
> CONFIG_PAX_MPROTECT=y
> # CONFIG_PAX_MPROTECT_COMPAT is not set
> # CONFIG_PAX_ELFRELOCS is not set
> # CONFIG_PAX_KERNEXEC is not set
> CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""
> CONFIG_PAX_ASLR=y
> # CONFIG_PAX_RANDKSTACK is not set
> CONFIG_PAX_RANDUSTACK=y
> CONFIG_PAX_RANDMMAP=y
> # CONFIG_PAX_MEMORY_SANITIZE is not set
> # CONFIG_PAX_MEMORY_STACKLEAK is not set
> CONFIG_PAX_MEMORY_STRUCTLEAK=y
> # CONFIG_PAX_MEMORY_UDEREF is not set
> CONFIG_PAX_REFCOUNT=y
> CONFIG_PAX_USERCOPY=y
> # CONFIG_PAX_USERCOPY_DEBUG is not set
> # CONFIG_PAX_SIZE_OVERFLOW is not set
> # CONFIG_PAX_LATENT_ENTROPY is not set
>
> # zgrep GRKERNSEC /proc/config.gz
>
> CONFIG_GRKERNSEC=y
> # CONFIG_GRKERNSEC_CONFIG_AUTO is not set
> CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
> CONFIG_GRKERNSEC_PROC_GID=1000
> CONFIG_GRKERNSEC_KMEM=y
> # CONFIG_GRKERNSEC_IO is not set
> CONFIG_GRKERNSEC_PERF_HARDEN=y
> CONFIG_GRKERNSEC_RAND_THREADSTACK=y
> CONFIG_GRKERNSEC_PROC_MEMMAP=y
> # CONFIG_GRKERNSEC_KSTACKOVERFLOW is not set
> # CONFIG_GRKERNSEC_BRUTE is not set
> CONFIG_GRKERNSEC_MODHARDEN=y
> CONFIG_GRKERNSEC_HIDESYM=y
> # CONFIG_GRKERNSEC_RANDSTRUCT is not set
> # CONFIG_GRKERNSEC_KERN_LOCKOUT is not set
> CONFIG_GRKERNSEC_NO_RBAC=y
> CONFIG_GRKERNSEC_ACL_HIDEKERN=y
> CONFIG_GRKERNSEC_ACL_MAXTRIES=3
> CONFIG_GRKERNSEC_ACL_TIMEOUT=30
> CONFIG_GRKERNSEC_PROC=y
> # CONFIG_GRKERNSEC_PROC_USER is not set
> CONFIG_GRKERNSEC_PROC_USERGROUP=y
> CONFIG_GRKERNSEC_PROC_ADD=y
> CONFIG_GRKERNSEC_LINK=y
> # CONFIG_GRKERNSEC_SYMLINKOWN is not set
> CONFIG_GRKERNSEC_FIFO=y
> # CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
> # CONFIG_GRKERNSEC_ROFS is not set
> CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
> CONFIG_GRKERNSEC_CHROOT=y
> CONFIG_GRKERNSEC_CHROOT_MOUNT=y
> CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
> CONFIG_GRKERNSEC_CHROOT_PIVOT=y
> CONFIG_GRKERNSEC_CHROOT_CHDIR=y
> CONFIG_GRKERNSEC_CHROOT_CHMOD=y
> CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
> CONFIG_GRKERNSEC_CHROOT_MKNOD=y
> CONFIG_GRKERNSEC_CHROOT_SHMAT=y
> CONFIG_GRKERNSEC_CHROOT_UNIX=y
> CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
> CONFIG_GRKERNSEC_CHROOT_NICE=y
> CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
> CONFIG_GRKERNSEC_CHROOT_CAPS=y
> # CONFIG_GRKERNSEC_AUDIT_GROUP is not set
> # CONFIG_GRKERNSEC_EXECLOG is not set
> CONFIG_GRKERNSEC_RESLOG=y
> # CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
> CONFIG_GRKERNSEC_AUDIT_PTRACE=y
> # CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
> # CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
> CONFIG_GRKERNSEC_SIGNAL=y
> CONFIG_GRKERNSEC_FORKFAIL=y
> # CONFIG_GRKERNSEC_TIME is not set
> CONFIG_GRKERNSEC_PROC_IPADDR=y
> CONFIG_GRKERNSEC_RWXMAP_LOG=y
> CONFIG_GRKERNSEC_DMESG=y
> CONFIG_GRKERNSEC_HARDEN_PTRACE=y
> CONFIG_GRKERNSEC_PTRACE_READEXEC=y
> CONFIG_GRKERNSEC_SETXID=y
> CONFIG_GRKERNSEC_HARDEN_IPC=y
> # CONFIG_GRKERNSEC_TPE is not set
> CONFIG_GRKERNSEC_RANDNET=y
> CONFIG_GRKERNSEC_BLACKHOLE=y
> CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
> # CONFIG_GRKERNSEC_SOCKET is not set
> # CONFIG_GRKERNSEC_DENYUSB is not set
> CONFIG_GRKERNSEC_SYSCTL=y
> CONFIG_GRKERNSEC_SYSCTL_ON=y
> CONFIG_GRKERNSEC_FLOODTIME=10
> CONFIG_GRKERNSEC_FLOODBURST=4
>