I've been trying to get grsecurity working on linux 3.11.6 ARM vexpress (cortexa15). I should point out that I am trying all this on qemu so that could be the reason why I'm getting this issue.
When I build the kernel without applying the grsecurity patch, it boots fine and I am able to use an initramfs with busybox in it. However when I apply the grsecurity patch (grsecurity-2.9.1-3.11.6-201311021635.patch), booting fails.
I tried two different configs but none worked although one of them seemed to have gotten me further.
Here is the diff of the config-without-grsec the default config when I enable grsec:
- Code: Select all
$ diff config_good config_grsec1
108a109
> # CONFIG_CHECKPOINT_RESTORE is not set
159c160
< # CONFIG_COMPAT_BRK is not set
---
> CONFIG_COMPAT_BRK=y
363a365
> CONFIG_KUSER_HELPERS=y
441c443
< CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
---
> CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
447a450
> # CONFIG_UACCESS_WITH_MEMCPY is not set
1049c1052
< # CONFIG_DEVKMEM is not set
---
> CONFIG_DEVKMEM=y
1648a1652
> CONFIG_PROC_PAGE_MONITOR=y
1824a1829,1832
> # CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set
> # CONFIG_DEBUG_LOCK_ALLOC is not set
> # CONFIG_PROVE_LOCKING is not set
> # CONFIG_LOCK_STAT is not set
1906,2037d1913
<
< #
< # Grsecurity
< #
< CONFIG_GRKERNSEC=y
< # CONFIG_GRKERNSEC_CONFIG_AUTO is not set
< CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
<
< #
< # Customize Configuration
< #
<
< #
< # PaX
< #
< CONFIG_PAX=y
<
< #
< # PaX Control
< #
< # CONFIG_PAX_SOFTMODE is not set
< # CONFIG_PAX_EI_PAX is not set
< # CONFIG_PAX_PT_PAX_FLAGS is not set
< # CONFIG_PAX_XATTR_PAX_FLAGS is not set
< # CONFIG_PAX_NO_ACL_FLAGS is not set
< CONFIG_PAX_HAVE_ACL_FLAGS=y
< # CONFIG_PAX_HOOK_ACL_FLAGS is not set
<
< #
< # Non-executable pages
< #
< # CONFIG_PAX_NOEXEC is not set
< CONFIG_PAX_KERNEXEC=y
< CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""
<
< #
< # Address Space Layout Randomization
< #
< CONFIG_PAX_ASLR=y
< CONFIG_PAX_RANDUSTACK=y
< CONFIG_PAX_RANDMMAP=y
<
< #
< # Miscellaneous hardening features
< #
< # CONFIG_PAX_MEMORY_SANITIZE is not set
< # CONFIG_PAX_MEMORY_STRUCTLEAK is not set
< CONFIG_PAX_MEMORY_UDEREF=y
< # CONFIG_PAX_REFCOUNT is not set
< CONFIG_PAX_CONSTIFY_PLUGIN=y
< # CONFIG_PAX_USERCOPY is not set
< # CONFIG_PAX_LATENT_ENTROPY is not set
<
< #
< # Memory Protections
< #
< # CONFIG_GRKERNSEC_KMEM is not set
< # CONFIG_GRKERNSEC_PERF_HARDEN is not set
< # CONFIG_GRKERNSEC_RAND_THREADSTACK is not set
< CONFIG_GRKERNSEC_PROC_MEMMAP=y
< # CONFIG_GRKERNSEC_BRUTE is not set
< # CONFIG_GRKERNSEC_MODHARDEN is not set
< # CONFIG_GRKERNSEC_HIDESYM is not set
< # CONFIG_GRKERNSEC_KERN_LOCKOUT is not set
<
< #
< # Role Based Access Control Options
< #
< # CONFIG_GRKERNSEC_NO_RBAC is not set
< # CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
< CONFIG_GRKERNSEC_ACL_MAXTRIES=3
< CONFIG_GRKERNSEC_ACL_TIMEOUT=30
<
< #
< # Filesystem Protections
< #
< # CONFIG_GRKERNSEC_PROC is not set
< # CONFIG_GRKERNSEC_LINK is not set
< # CONFIG_GRKERNSEC_SYMLINKOWN is not set
< # CONFIG_GRKERNSEC_FIFO is not set
< # CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
< # CONFIG_GRKERNSEC_ROFS is not set
< # CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL is not set
< # CONFIG_GRKERNSEC_CHROOT is not set
<
< #
< # Kernel Auditing
< #
< # CONFIG_GRKERNSEC_AUDIT_GROUP is not set
< # CONFIG_GRKERNSEC_EXECLOG is not set
< # CONFIG_GRKERNSEC_RESLOG is not set
< # CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
< # CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
< # CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
< # CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
< # CONFIG_GRKERNSEC_SIGNAL is not set
< # CONFIG_GRKERNSEC_FORKFAIL is not set
< # CONFIG_GRKERNSEC_TIME is not set
< # CONFIG_GRKERNSEC_PROC_IPADDR is not set
<
< #
< # Executable Protections
< #
< # CONFIG_GRKERNSEC_DMESG is not set
< # CONFIG_GRKERNSEC_HARDEN_PTRACE is not set
< # CONFIG_GRKERNSEC_PTRACE_READEXEC is not set
< # CONFIG_GRKERNSEC_SETXID is not set
< # CONFIG_GRKERNSEC_TPE is not set
<
< #
< # Network Protections
< #
< # CONFIG_GRKERNSEC_RANDNET is not set
< # CONFIG_GRKERNSEC_BLACKHOLE is not set
< # CONFIG_GRKERNSEC_NO_SIMULT_CONNECT is not set
< # CONFIG_GRKERNSEC_SOCKET is not set
<
< #
< # Physical Protections
< #
< # CONFIG_GRKERNSEC_DENYUSB is not set
<
< #
< # Sysctl Support
< #
< # CONFIG_GRKERNSEC_SYSCTL is not set
<
< #
< # Logging Options
< #
< CONFIG_GRKERNSEC_FLOODTIME=10
< CONFIG_GRKERNSEC_FLOODBURST=6
2051,2052d1926
< CONFIG_CRYPTO_HASH=y
< CONFIG_CRYPTO_HASH2=y
2104c1978
< CONFIG_CRYPTO_SHA256=y
---
> # CONFIG_CRYPTO_SHA256 is not set
And this is the error I get:
- Code: Select all
Freeing unused kernel memory: 192K (80600000 - 80630000)
Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
CPU: 0 PID: 1 Comm: init Not tainted 3.11.6-grsec #8
[<80110f30>] (unwind_backtrace+0x0/0xf8) from [<8010c280>] (show_stack+0x14/0x20)
[<8010c280>] (show_stack+0x14/0x20) from [<804d9f6c>] (dump_stack+0x80/0x90)
[<804d9f6c>] (dump_stack+0x80/0x90) from [<804d6a28>] (panic+0xa4/0x1e8)
[<804d6a28>] (panic+0xa4/0x1e8) from [<8011f820>] (do_exit+0x868/0x924)
[<8011f820>] (do_exit+0x868/0x924) from [<80120e28>] (do_group_exit+0x4c/0xd0)
[<80120e28>] (do_group_exit+0x4c/0xd0) from [<8012e50c>] (get_signal_to_deliver+0x1e4/0x600)
[<8012e50c>] (get_signal_to_deliver+0x1e4/0x600) from [<8010b818>] (do_signal+0x118/0x568)
[<8010b818>] (do_signal+0x118/0x568) from [<8010be04>] (do_work_pending+0x80/0xb8)
[<8010be04>] (do_work_pending+0x80/0xb8) from [<80106d34>] (work_pending+0xc/0x20)
The second .config I tried is the same as the grsecurity .config I used earlier but I modified a few things. It seemed like when the grsecurity patch is applied, some CONFIG_ flags that aren't under the Grsecurity / PaX sections are enabled so I just compared it to the .config of the build without the grsecurity patch and disabled the ones that weren't under the Grsecurity / PaX sections. (Although I wasn't sure whether grsecurity purposedly turned those on, because it might need them. Just didn't know what else to try...)
The error I get then is:
- Code: Select all
PAX: execution attempt in: (null), 00000000-00000000 00000000
PAX: terminating task: /bin/busybox(init):1, uid/euid: 0/0, PC: ffff0fc0, SP: 74afa5c8
PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
PAX: bytes at SP-4: 00000000 00000014 001f5c20 74afa618 00114ef8 001f60c0 00000014 00000002 74afa618 00000014 00000000 000eed64 001152d4 001152bc 00113eec 00000001 00000003 00000002 74afa618 001f5560 00182344
Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009
CPU: 0 PID: 1 Comm: init Not tainted 3.11.6-grsec #7
[<800161e0>] (unwind_backtrace+0x0/0xf8) from [<8001244c>] (show_stack+0x14/0x20)
[<8001244c>] (show_stack+0x14/0x20) from [<803ccdc0>] (dump_stack+0x80/0x90)
[<803ccdc0>] (dump_stack+0x80/0x90) from [<803c99d8>] (panic+0xa4/0x1e8)
[<803c99d8>] (panic+0xa4/0x1e8) from [<800240f0>] (do_exit+0x87c/0x938)
[<800240f0>] (do_exit+0x87c/0x938) from [<8002504c>] (do_group_exit+0x4c/0xd0)
[<8002504c>] (do_group_exit+0x4c/0xd0) from [<8001b068>] (do_page_fault+0x0/0x3b8)
[<8001b068>] (do_page_fault+0x0/0x3b8) from [<9f861fb0>] (0x9f861fb0)
Even when I disabled UDEREF, I still got that error.
Not sure what else to try here...
The .config for the working machine I generated with
- Code: Select all
make ARCH=arm CROSS_COMPILE=arm-cortex_a15-linux-gnueabi- vexpress_defconfig
And after applying the patch I used menuconfig to enable grsecurity.
I am just trying to get a kernel with UDEREF and KERNEXEC enabled that works under qemu.
Sorry for the lengthy description but I thought the more details I gave the more it would help you.
Thanks