[grsec] Nvidia libGL.so Problem
sqmishra at o2.ie
Mon Sep 6 18:06:11 EDT 2004
OK I tried chpax/paxctl -m again, and I was able to get glxgears & glxinfo working. Not sure how/what the problem was the last time - needs investigating.
Problem is, instead of my usual ~2600 FPS, I'm now getting ~70 FPS with glxgears.
I'm adding the stuff you asked for below. This is from before I had glx{gears,info} working.
It's late, and I'll try and repeat all this again tomorrow after a clean reboot. If there's anything more I can provide you with, please do let me know.
Thanks.
------------------------------
PAX features -
------------------------------
CONFIG_PAX=y
CONFIG_PAX_SOFTMODE=y
# CONFIG_PAX_EI_PAX is not set
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_SEGMEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_NOELFRELOCS is not set
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_RANDEXEC is not set
CONFIG_PAX_NOVSYSCALL=y
------------------------------
GRSEC features (in case it's useful) -
------------------------------
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
CONFIG_GRKERNSEC_CUSTOM=y
CONFIG_GRKERNSEC_KMEM=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
CONFIG_GRKERNSEC_AUDIT_GROUP=y
CONFIG_GRKERNSEC_AUDIT_GID=9007
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_AUDIT_IPC=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
CONFIG_GRKERNSEC_TPE_GID=9005
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDISN=y
CONFIG_GRKERNSEC_RANDID=y
CONFIG_GRKERNSEC_RANDSRC=y
CONFIG_GRKERNSEC_RANDRPC=y
CONFIG_GRKERNSEC_SOCKET=y
CONFIG_GRKERNSEC_SOCKET_ALL=y
CONFIG_GRKERNSEC_SOCKET_ALL_GID=9004
CONFIG_GRKERNSEC_SOCKET_CLIENT=y
CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=9003
CONFIG_GRKERNSEC_SOCKET_SERVER=y
CONFIG_GRKERNSEC_SOCKET_SERVER_GID=9002
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
------------------------------
readelf -e glxinfo
------------------------------
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: Intel 80386
Version: 0x1
Entry point address: 0x8048d50
Start of program headers: 52 (bytes into file)
Start of section headers: 14532 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 8
Size of section headers: 40 (bytes)
Number of section headers: 25
Section header string table index: 24
Section Headers:
[Nr] Name Type Addr Off Size ES Flg Lk Inf Al
[ 0] NULL 00000000 000000 000000 00 0 0 0
[ 1] .interp PROGBITS 08048134 000134 000013 00 A 0 0 1
[ 2] .note.ABI-tag NOTE 08048148 000148 000020 00 A 0 0 4
[ 3] .hash HASH 08048168 000168 00016c 04 A 4 0 4
[ 4] .dynsym DYNSYM 080482d4 0002d4 000340 10 A 5 1 4
[ 5] .dynstr STRTAB 08048614 000614 0002c2 00 A 0 0 1
[ 6] .gnu.version VERSYM 080488d6 0008d6 000068 02 A 4 0 2
[ 7] .gnu.version_r VERNEED 08048940 000940 000040 00 A 5 1 4
[ 8] .rel.dyn REL 08048980 000980 000040 08 A 4 0 4
[ 9] .rel.plt REL 080489c0 0009c0 000120 08 A 4 b 4
[10] .init PROGBITS 08048ae0 000ae0 000017 00 AX 0 0 4
[11] .plt PROGBITS 08048af8 000af8 000250 04 AX 0 0 4
[12] .text PROGBITS 08048d50 000d50 001818 00 AX 0 0 16
[13] .fini PROGBITS 0804a568 002568 00001b 00 AX 0 0 4
[14] .rodata PROGBITS 0804a5a0 0025a0 000dd6 00 A 0 0 32
[15] .eh_frame PROGBITS 0804b378 003378 000004 00 A 0 0 4
[16] .data PROGBITS 0804c380 003380 000074 00 WA 0 0 32
[17] .dynamic DYNAMIC 0804c3f4 0033f4 000100 08 WA 5 0 4
[18] .ctors PROGBITS 0804c4f4 0034f4 000008 00 WA 0 0 4
[19] .dtors PROGBITS 0804c4fc 0034fc 000008 00 WA 0 0 4
[20] .jcr PROGBITS 0804c504 003504 000004 00 WA 0 0 4
[21] .got PROGBITS 0804c508 003508 0000b8 04 WA 0 0 4
[22] .bss NOBITS 0804c5c0 0035c0 000008 00 WA 0 0 4
[23] .comment PROGBITS 00000000 0035c0 000244 00 0 0 1
[24] .shstrtab STRTAB 00000000 003804 0000be 00 0 0 1
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings)
I (info), L (link order), G (group), x (unknown)
O (extra OS processing required) o (OS specific), p (processor specific)
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
PHDR 0x000034 0x08048034 0x08048034 0x00100 0x00100 R E 0x4
INTERP 0x000134 0x08048134 0x08048134 0x00013 0x00013 R 0x1
[Requesting program interpreter: /lib/ld-linux.so.2]
LOAD 0x000000 0x08048000 0x08048000 0x0337c 0x0337c R E 0x1000
LOAD 0x003380 0x0804c380 0x0804c380 0x00240 0x00248 RW 0x1000
DYNAMIC 0x0033f4 0x0804c3f4 0x0804c3f4 0x00100 0x00100 RW 0x4
NOTE 0x000148 0x08048148 0x08048148 0x00020 0x00020 R 0x4
STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x4
PAX_FLAGS 0x000000 0x00000000 0x00000000 0x00000 0x00000 0x4
Section to Segment mapping:
Segment Sections...
00
01 .interp
02 .interp .note.ABI-tag .hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .eh_frame
03 .data .dynamic .ctors .dtors .jcr .got .bss
04 .dynamic
05 .note.ABI-tag
06
07
------------------------------
chpax -v glxinfo
------------------------------
----[ chpax 0.7 : Current flags for /usr/X11R6/bin/glxinfo (PeMRxS) ]----
* Paging based PAGE_EXEC : enabled (overridden)
* Trampolines : not emulated
* mprotect() : restricted
* mmap() base : randomized
* ET_EXEC base : not randomized
* Segmentation based PAGE_EXEC : enabled
------------------------------
paxctl -v glxinfo
------------------------------
PaX control v0.2
Copyright 2004 PaX Team <pageexec at freemail.hu>
- PaX flags: -------x-e-- [/usr/X11R6/bin/glxinfo]
RANDEXEC is disabled
EMUTRAMP is disabled
On Tuesday 07 September 2004 01:24, pageexec at freemail.hu wrote:
| > Again, thanks very much. Someone (Tim, from mailing list) provided me with an
| > account to upload the file to (see below)
|
| so, i've taken a look at all this, and it seems that we have a fundamental
| problem with the nvidia libGL as its data segment contains a section called
| .writetext, which is what it says, a writable/executable section, apparently
| meant for runtime code generation. so unless nvidia redesigns their code
| (if it can be done at all in their case, that is), it won't ever work with
| full PaX enabled on apps that use this library. what i don't understand
| however is why paxctl/chpax -m didn't help, can you tell me what PaX features
| you have in your kernel .config (and in particular, which executable marking
| support you're using)? also a 'readelf -e', 'chpax -v' and 'paxctl -vQ' on
| any of the failed apps would be helpful.
|
| ps: i'm cc'ing the list again, in case someone else runs into this in
| the future.
|
|
|
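An added example, not part of the original thread: a minimal scan for sections flagged both writable and executable, the property the quoted reply attributes to libGL's .writetext section. It handles little-endian ELF32 only; `wx_sections` and `build_sample` are names made up for this example, and the sample image is constructed rather than taken from any real library.

```python
import struct

SHF_WRITE, SHF_EXECINSTR = 0x1, 0x4   # standard ELF section flag bits

def wx_sections(elf: bytes) -> list:
    """Names of sections flagged both W and X in a little-endian ELF32 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:
        raise ValueError("not a little-endian ELF32 image")
    (e_shoff,) = struct.unpack_from("<I", elf, 0x20)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", elf, 0x2E)
    if e_shoff == 0 or e_shnum == 0:
        return []                      # section headers stripped: nothing to scan

    def shdr(i):                       # Elf32_Shdr is ten 32-bit words
        return struct.unpack_from("<10I", elf, e_shoff + i * e_shentsize)

    stroff = shdr(e_shstrndx)[4]       # sh_offset of the section-name string table
    hits = []
    for i in range(e_shnum):
        sh_name, _sh_type, sh_flags = shdr(i)[:3]
        if sh_flags & SHF_WRITE and sh_flags & SHF_EXECINSTR:
            start = stroff + sh_name
            hits.append(elf[start:elf.index(b"\0", start)].decode())
    return hits

def build_sample(with_writetext: bool = True) -> bytes:
    """Constructed test image (header, name table, section headers); not a real library."""
    strtab = b"\0.text\0.data\0.writetext\0.shstrtab\0"
    secs = [(b"", 0, 0x0), (b".text", 1, 0x6), (b".data", 1, 0x3)]
    if with_writetext:
        secs.append((b".writetext", 1, 0x7))   # W|A|X, as the reply describes
    secs.append((b".shstrtab", 3, 0x0))
    shoff = 52 + len(strtab)
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01", 3, 3, 1, 0, 0,
                       shoff, 0, 52, 32, 0, 40, len(secs), len(secs) - 1)
    shdrs = b"".join(
        struct.pack("<10I", strtab.index(n + b"\0") if n else 0, t, f,
                    0, 52, len(strtab), 0, 0, 1, 0)
        for n, t, f in secs)
    return ehdr + strtab + shdrs

if __name__ == "__main__":
    print(wx_sections(build_sample()))
```

To check a file on disk, read it with `open(path, "rb").read()` and pass the bytes to `wx_sections`.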