[grsec] UML strange problem...

Massimo Cetra mcetra at navynet.it
Wed Jun 1 09:32:03 EDT 2005


> On 1 Jun 2005 at 1:55, Massimo Cetra wrote:
> 
> > Host Kernel has been patched with grsec and ck patchset.
> > Pax is enabled but not used...
> 
> i'm wondering what you did for 'not used' because this:
> 
> > intserver:~/UML/usr/bin# ./linux
> > Killed
> > intserver:~/UML/usr/bin# strace ./linux
> > execve("./linux", ["./linux"], [/* 20 vars */]) = 0
> > +++ killed by SIGKILL +++
> 
> means that most likely the pax flags on 'linux' are in an 
> inconsistent state. what pax control scheme are you using and 
> what are the corresponding pax flags on 'linux'?

Well, pax is compiled in, even softmode.
To tell the truth I have never fully understood how to play with pax but I
have never had problems... Documentation is not very clear to me...
However ...

----[ chpax 0.7 : Current flags for linux (PeMRxS) ]----

 * Paging based PAGE_EXEC       : enabled (overridden)
 * Trampolines                  : not emulated
 * mprotect()                   : restricted
 * mmap() base                  : randomized
 * ET_EXEC base                 : not randomized
 * Segmentation based PAGE_EXEC : enabled

And it doesn't work.

Following Peter's suggestion: chpax -spm ./linux

----[ chpax 0.7 : Current flags for linux (pemRxs) ]----

 * Paging based PAGE_EXEC       : disabled
 * Trampolines                  : not emulated
 * mprotect()                   : not restricted
 * mmap() base                  : randomized
 * ET_EXEC base                 : not randomized
 * Segmentation based PAGE_EXEC : disabled

And it works...
Ok, problems solved.

Could you explain why everything works except the UML kernel?
Were the flags in an inconsistent state?

To Igmar: 
intserver:~# zcat /proc/config.gz  |grep CONFIG_PAX
CONFIG_PAX=y
CONFIG_PAX_SOFTMODE=y
CONFIG_PAX_EI_PAX=y
# CONFIG_PAX_PT_PAX_FLAGS is not set
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_SEGMEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_NOELFRELOCS is not set
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_NOVSYSCALL=y
intserver:~#


------------------------------

I find that the approach to pax is difficult because the documentation does
not point out how to do the whole work... There are lots of tech docs but
IMHO they are too long and do not cover basic tasks. I have tried to turn
(by hand) my debian into hardened debian but I did not manage to do it... I
have read all the docs online (gentoo howto on hardening a system is the best
one for me).
Please note that this is only my opinion and that I appreciate all your
work... 

Thanks guys!

Max
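
Added example, not part of the original message and not chpax or PaX code: a small Python parser that decodes the chpax 0.7 listings quoted above, checks that the flag letters agree with the descriptive lines, and reports which protections the `chpax -spm` change cleared on the UML binary. The function names are hypothetical, and the letter-to-label mapping is inferred from the two listings in the message.

```python
import re

# chpax 0.7 flag letters in print order and the label used for each; the
# mapping is read off the two listings in the message above (an assumption).
LABELS = ["Paging based PAGE_EXEC", "Trampolines", "mprotect()", "mmap() base",
          "ET_EXEC base", "Segmentation based PAGE_EXEC"]
FLAGS = list(zip("PEMRXS", LABELS))
HEADER = re.compile(r"Current flags for (\S+) \(([A-Za-z]{6})\)")
LINE = re.compile(r"^[ \t]*\*[ \t]+(.+?)[ \t]*:[ \t]+(.+?)[ \t]*$", re.M)

def parse_chpax(text):
    """Return (file, {label: enabled}); reject letters that contradict the lines."""
    m = HEADER.search(text)
    if not m:
        raise ValueError("no chpax header line found")
    name, letters = m.groups()
    body = dict(LINE.findall(text))
    state = {}
    for (letter, label), got in zip(FLAGS, letters):
        if got.upper() != letter:
            raise ValueError(f"unexpected flag letter {got!r} for {label}")
        desc = body.get(label)
        # "disabled" / "not ..." mean off; anything else, including
        # "enabled (overridden)", means the flag is set on the file.
        if desc is not None and got.isupper() == desc.startswith(("not ", "disabled")):
            raise ValueError(f"{label}: {got!r} disagrees with {desc!r}")
        state[label] = got.isupper()
    return name, state

def turned_off(before, after):
    """Labels of protections set in `before` but cleared in `after`."""
    b, a = parse_chpax(before)[1], parse_chpax(after)[1]
    return [label for label in LABELS if b[label] and not a[label]]

# The two listings quoted in the message (before and after `chpax -spm`).
BEFORE = """----[ chpax 0.7 : Current flags for linux (PeMRxS) ]----
 * Paging based PAGE_EXEC       : enabled (overridden)
 * Trampolines                  : not emulated
 * mprotect()                   : restricted
 * mmap() base                  : randomized
 * ET_EXEC base                 : not randomized
 * Segmentation based PAGE_EXEC : enabled"""
AFTER = """----[ chpax 0.7 : Current flags for linux (pemRxs) ]----
 * Paging based PAGE_EXEC       : disabled
 * Trampolines                  : not emulated
 * mprotect()                   : not restricted
 * mmap() base                  : randomized
 * ET_EXEC base                 : not randomized
 * Segmentation based PAGE_EXEC : disabled"""
```

Calling `turned_off(BEFORE, AFTER)` lists the three protections the binary gave up to run, which is the record to keep when exempting a file from PaX.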





