[grsec] problems with latest 38.3 patch
Carlos Carvalho
carlos at fisica.ufpr.br
Sat Apr 23 18:19:20 EDT 2011
Brad Spengler (spender at grsecurity.net) wrote on 21 April 2011 17:43:
>You're seeing these messages now because up until now you didn't read
>the configuration help ;) See this post:
>http://forums.grsecurity.net/viewtopic.php?f=3&t=2603
I've been looking at it for eons. Understanding a word of it is
another story :-( Besides, some of your quotes in that post don't
match the current patch...

So it seems that PaX is now turned on. And it strongly recommends
PT_PAX_FLAGS, which seems to be possible only with a patched binutils
like Gentoo does, right?

Since it seems only a few apps need fiddling with, I tried to use
PAX_PT_PAX_FLAGS but not PAX_EI_PAX. My problem right now is that
firefox and chromium-browser don't run. java may also be a problem,
didn't try it yet. Starting with chromium, I get

/usr/lib/chromium-browser/chromium-browser: error while loading shared libraries: libGL.so.1: failed to map segment from shared object: Operation not permitted

>You may also need to run execstack -c (from the prelink package) on the
>libraries that cause errors when loading.
I used strace -eopen and checked all libs called. execstack -q shows
none of them require an executable stack. In fact no lib in /usr/lib
and /lib needs it. Then I tried to use paxctl:
# paxctl -c /usr/lib/chromium/chromium
file /usr/lib/chromium/chromium had a PT_GNU_STACK program header, converted
# paxctl -p /usr/lib/chromium/chromium
Now I just get
lcpad%~[ 7:11] chromium-browser
zsh: killed chromium-browser
the last lines of strace are
execve("/usr/lib/chromium/chromium", ["/usr/lib/chromium/chromium"], [/* 35 vars */] <unfinished ...>
+++ killed by SIGKILL +++
Turning to firefox,
>The firefox issue is a known
>upstream bug:
>https://secure.wikimedia.org/wikibooks/en/wiki/Grsecurity/Application-specific_Settings#Firefox_.28or_Iceweasel_with_Debian.29
>"Firefox >= 3.5 may need RANDMMAP to be disabled, if not it will enter
>in an infinite loop during startup. To disable, execute paxctl -r
>/firefox_binary. Usually the binary is somewhere in
>/usr/lib64/*firefox*. See http://bugs.gentoo.org/show_bug.cgi?id=278698
>for more details."
So I did
# paxctl -c /usr/lib/xulrunner-1.9.1/xulrunner-stub
file /usr/lib/xulrunner-1.9.1/xulrunner-stub had a PT_GNU_STACK program header, converted
lcpad#/lib[ 2:04] paxctl -r /usr/lib/xulrunner-1.9.1/xulrunner-stub
And now it just exits with launching. The last lines of the strace are
read(3, 0x3d778a87074, 4096) = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=4, events=POLLIN}, {fd=3, events=POLLIN}, {fd=7, events=POLLIN}], 3, 0) = 0 (Timeout)
gettimeofday({1303588769, 636531}, NULL) = 0
read(3, 0x3d778a87074, 4096) = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=4, events=POLLIN}, {fd=3, events=POLLIN}, {fd=7, events=POLLIN}], 3, 0) = 0 (Timeout)
gettimeofday({1303588769, 636531}, NULL) = 0
mmap(NULL, 1048576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x3d76d7f1000
munmap(0x3d76d7f1000, 1048576) = 0
mmap(0x3d76d800000, 1048576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x3d76d7f1000
munmap(0x3d76d7f1000, 1048576) = 0
mmap(NULL, 2097152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x3d76d6f1000
munmap(0x3d76d6f1000, 2097152) = 0
mmap(0x3d76d700000, 1048576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x3d76d700000
close(7) = 0
close(8) = 0
unlink("/path/to/lock") = 0
exit_group(1)
This is all with 38.4-201104221954.
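
Added example (not part of the original message, and not grsecurity or PaX code): a Python check that reads the two ELF program headers the post inspects with execstack -q and paxctl, PT_GNU_STACK and PT_PAX_FLAGS, directly from an ELF64 file. The function names and the sample images are constructed for illustration; the PT_PAX_FLAGS value and bit positions are the ones defined by the PaX patch.

```python
import struct, sys

PT_GNU_STACK = 0x6474E551
PT_PAX_FLAGS = 0x65041580   # PT_LOOS + 0x5041580, as defined by the PaX patch
PF_X = 0x1
# Enable bits in a PT_PAX_FLAGS p_flags word; the matching disable bit is enable << 1.
PAX_BITS = {"PAGEEXEC": 1 << 4, "SEGMEXEC": 1 << 6, "MPROTECT": 1 << 8,
            "EMUTRAMP": 1 << 12, "RANDMMAP": 1 << 14}

def decode_pax(p_flags):
    """Map each PaX feature to 'on', 'off' or 'default' (neither bit set)."""
    state = {}
    for name, bit in PAX_BITS.items():
        state[name] = "on" if p_flags & bit else "off" if p_flags & (bit << 1) else "default"
    return state

def inspect_elf64(data):
    """Report the PT_GNU_STACK and PT_PAX_FLAGS markings of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    report = {"gnu_stack": None, "pax": None}   # None means the header is absent
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            report["gnu_stack"] = "exec" if p_flags & PF_X else "noexec"
        elif p_type == PT_PAX_FLAGS:
            report["pax"] = decode_pax(p_flags)
    return report

def sample_elf(p_type, p_flags):
    """Constructed image: ELF64 header plus one program header, no real code."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    return ehdr + struct.pack("<IIQQQQQQ", p_type, p_flags, 0, 0, 0, 0, 0, 16)

if __name__ == "__main__":
    if len(sys.argv) > 1:                       # inspect real binaries given as arguments
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, inspect_elf64(fh.read()))
    else:                                       # constructed before/after samples
        print(inspect_elf64(sample_elf(PT_GNU_STACK, 0x6)))        # PF_R|PF_W stack
        print(inspect_elf64(sample_elf(PT_PAX_FLAGS, 1 << 15)))    # NORANDMMAP only
```

A result of "pax": None means the file carries no PT_PAX_FLAGS header at all, which is the state paxctl -c changes when it prints "had a PT_GNU_STACK program header, converted".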