[grsec] problems with latest 38.3 patch

Carlos Carvalho carlos at fisica.ufpr.br
Sat Apr 23 18:19:20 EDT 2011


Brad Spengler (spender at grsecurity.net) wrote on 21 April 2011 17:43:
 >You're seeing these messages now because up until now you didn't read 
 >the configuration help ;)  See this post:
 >http://forums.grsecurity.net/viewtopic.php?f=3&t=2603

I've been looking at it for eons. Understanding a word of it is
another story :-( Besides, some of your quotes in that post don't
match the current patch...

So it seems that PaX is now turned on. And it strongly recommends
PT_PAX_FLAGS, which seems to be possible only with a patched binutils
like gentoo does, right?

Since it seems only a few apps need fiddling with, I tried to use
PAX_PT_PAX_FLAGS but not PAX_EI_PAX. My problem right now is that
firefox and chromium-browser don't run. java may also be a problem,
I didn't try it yet. Starting with chromium, I get

/usr/lib/chromium-browser/chromium-browser: error while loading shared libraries: libGL.so.1: failed to map segment from shared object: Operation not permitted

 >You may also need to run execstack -c (from the prelink package) on the 
 >libraries that cause errors when loading.

I used strace -eopen and checked all libs called. execstack -q shows
none of them require an executable stack. In fact no lib in /usr/lib
or /lib needs it. Then I tried to use paxctl:

# paxctl -c /usr/lib/chromium/chromium 
file /usr/lib/chromium/chromium had a PT_GNU_STACK program header, converted
# paxctl -p /usr/lib/chromium/chromium 

Now I just get

lcpad%~[ 7:11]  chromium-browser 
zsh: killed     chromium-browser

the last lines of strace are

execve("/usr/lib/chromium/chromium", ["/usr/lib/chromium/chromium"], [/* 35 vars */] <unfinished ...>
+++ killed by SIGKILL +++

Turning to firefox,

 >The firefox issue is a known
 >upstream bug:
 >https://secure.wikimedia.org/wikibooks/en/wiki/Grsecurity/Application-specific_Settings#Firefox_.28or_Iceweasel_with_Debian.29
 >"Firefox >= 3.5 may need RANDMMAP to be disabled, if not it will enter 
 >in an infinite loop during startup. To disable, execute paxctl -r 
 >/firefox_binary. Usually the binary is somewhere in 
 >/usr/lib64/*firefox*. See http://bugs.gentoo.org/show_bug.cgi?id=278698 
 >for more details."

So I did

# paxctl -c /usr/lib/xulrunner-1.9.1/xulrunner-stub 
file /usr/lib/xulrunner-1.9.1/xulrunner-stub had a PT_GNU_STACK program header, converted
lcpad#/lib[ 2:04]  paxctl -r /usr/lib/xulrunner-1.9.1/xulrunner-stub 

And now it just exits with launching. The last lines of the strace are

read(3, 0x3d778a87074, 4096)            = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=4, events=POLLIN}, {fd=3, events=POLLIN}, {fd=7, events=POLLIN}], 3, 0) = 0 (Timeout)
gettimeofday({1303588769, 636531}, NULL) = 0
read(3, 0x3d778a87074, 4096)            = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=4, events=POLLIN}, {fd=3, events=POLLIN}, {fd=7, events=POLLIN}], 3, 0) = 0 (Timeout)
gettimeofday({1303588769, 636531}, NULL) = 0
mmap(NULL, 1048576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x3d76d7f1000
munmap(0x3d76d7f1000, 1048576)          = 0
mmap(0x3d76d800000, 1048576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x3d76d7f1000
munmap(0x3d76d7f1000, 1048576)          = 0
mmap(NULL, 2097152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x3d76d6f1000
munmap(0x3d76d6f1000, 2097152)          = 0
mmap(0x3d76d700000, 1048576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x3d76d700000
close(7)                                = 0
close(8)                                = 0
unlink("/path/to/lock") = 0
exit_group(1)

This is all with 38.4-201104221954.
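To make visible what the paxctl -c, -p and -r commands above actually change in a binary, here is an added Python example (not from this thread and not paxctl's own code) that parses ELF64 program headers, reports the PT_GNU_STACK exec bit (what execstack -q checks) and the PT_PAX_FLAGS bits, and rewrites those bits the way the commands do. The header type and flag bit values are the ones paxctl's elf.h defines; that a converted PT_GNU_STACK header starts with zeroed flags is an assumption, and build_sample_elf only constructs test images.

```python
import struct
# Program header types and PaX flag bits as defined in paxctl's elf.h
PT_GNU_STACK, PT_PAX_FLAGS, PF_X = 0x6474E551, 0x65041580, 0x1
PAX_BITS = {  # (enable bit, disable bit) pairs carried in p_flags of a PT_PAX_FLAGS header
    "PAGEEXEC": (1 << 4, 1 << 5), "SEGMEXEC": (1 << 6, 1 << 7),
    "MPROTECT": (1 << 8, 1 << 9), "RANDEXEC": (1 << 10, 1 << 11),
    "EMUTRAMP": (1 << 12, 1 << 13), "RANDMMAP": (1 << 14, 1 << 15),
}

def _phdr_offsets(elf):
    """File offset of every program header of an ELF64 little-endian image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled")
    e_phoff = struct.unpack_from("<Q", elf, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    return [e_phoff + i * e_phentsize for i in range(e_phnum)]

def pax_report(elf):
    """What the loader sees: GNU_STACK exec bit (execstack -q) and explicit PaX flags (paxctl -v)."""
    rep = {"exec_stack": None, "pax": None}
    for off in _phdr_offsets(elf):
        p_type, p_flags = struct.unpack_from("<II", elf, off)
        if p_type == PT_GNU_STACK:
            rep["exec_stack"] = bool(p_flags & PF_X)
        elif p_type == PT_PAX_FLAGS:
            rep["pax"] = {n: "off" if p_flags & d else "on" if p_flags & e else "default"
                          for n, (e, d) in PAX_BITS.items()}
    return rep

def set_pax(elf, feature, enable):
    """Force one PaX feature on or off in the PT_PAX_FLAGS header (what paxctl -p / -r do)."""
    buf = bytearray(elf)
    hdrs = [(off, *struct.unpack_from("<II", buf, off)) for off in _phdr_offsets(buf)]
    target = next((h for h in hdrs if h[1] == PT_PAX_FLAGS), None)
    if target is None:  # none yet: retype PT_GNU_STACK as paxctl -c does (assumption: flags start at 0)
        gnu = next((h for h in hdrs if h[1] == PT_GNU_STACK), None)
        if gnu is None:
            raise ValueError("no PT_PAX_FLAGS or PT_GNU_STACK header to rewrite")
        target = (gnu[0], PT_PAX_FLAGS, 0)
    on, off_bit = PAX_BITS[feature]
    p_flags = (target[2] & ~(on | off_bit)) | (on if enable else off_bit)
    struct.pack_into("<II", buf, target[0], PT_PAX_FLAGS, p_flags)
    return bytes(buf)

def build_sample_elf(phdrs):
    """Constructed ELF64 image (test data, not a real binary) with the given (p_type, p_flags) headers."""
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 8) for t, f in phdrs)
```

Running pax_report over a real binary (open(path, "rb").read()) shows the same facts the -c and -p steps above operate on: a non-executable PT_GNU_STACK that execstack -q passes, and afterwards a PT_PAX_FLAGS header with only the bits paxctl was told to set.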


More information about the grsecurity mailing list