Kernel 2.6.10 + GRSecurity + wine-2005 / VMWare
Posted: Wed Feb 16, 2005 11:16 am
I recently upgraded to kernel 2.6.10 (Gentoo hardened release), and decided to also tighten security a bit. I enabled KMEM restrictions (GRKERNSEC_KMEM) and found out that Xorg and VMWare still work as they should. The only thing that seems to b0rk out is Wine (specifically, wine-preloader).
Here's "strace wine":
"paxctl -v /usr/bin/wine-preloader":
What I see in syslog:
Wine has been built with hardened gcc 3.4.3 with "-O3 -pipe -fno-inline-functions -fomit-frame-pointer -march=athlon-xp".
Am I to assume that Wine does not like KMEM restrictions? Is there any way to make Wine work with GRKERNSEC_KMEM or is that a lost cause?
Also, I sometimes see grsec messages in syslog saying that signal 11 was sent to some application, but the application concerned does not quit and keeps running happily afterwards. vmware-vmx in particular does that, but the virtual machines still work as usual. Should I do something about that?
Here's "strace wine":
execve("/usr/bin/wine", ["wine"], [/* 85 vars */]) = 0
uname({sys="Linux", node="sql", ...}) = 0
brk(0) = 0x178d4a90
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=150553, ...}) = 0
mmap2(NULL, 150553, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb5b51000
close(3) = 0
open("/usr/lib/libwine.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0\33\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=30912, ...}) = 0
mmap2(NULL, 107616, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x424a2000
mmap2(0x424a9000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6) = 0x424a9000
mmap2(0x424ab000, 70752, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x424ab000
close(3) = 0
open("/lib/tls/libpthread.so.0", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\360H\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=124728, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb5b50000
mmap2(NULL, 73968, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x424bd000
mprotect(0x424cb000, 16624, PROT_NONE) = 0
mmap2(0x424cc000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xe) = 0x424cc000
mmap2(0x424ce000, 4336, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x424ce000
close(3) = 0
open("/lib/tls/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340P\1"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1230720, ...}) = 0
mmap2(NULL, 1133772, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x424d0000
mprotect(0x425de000, 27852, PROT_NONE) = 0
mmap2(0x425df000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x10e) = 0x425df000
mmap2(0x425e3000, 7372, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x425e3000
close(3) = 0
open("/lib/libdl.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340\v\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=10932, ...}) = 0
mmap2(NULL, 12332, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x425e5000
mmap2(0x425e7000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0x425e7000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb5b4f000
mprotect(0x425df000, 4096, PROT_READ) = 0
mprotect(0x424cc000, 4096, PROT_READ) = 0
mprotect(0x178c2000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0x178c2000, 4096, PROT_READ|PROT_EXEC) = 0
set_thread_area({entry_number:-1 -> 6, base_addr:0xb5b4f6c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0,useable:1}) = 0
munmap(0xb5b51000, 150553) = 0
set_tid_address(0xb5b4f708) = 14754
rt_sigaction(SIGRTMIN, {0x424c1440, [], SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {0x424c14c0, [], SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN], NULL, 8) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0
_sysctl({{CTL_KERN, KERN_VERSION}, 2, 0xb05feb18, 35, (nil), 0}) = 0
open("/dev/urandom", O_RDONLY) = 3
read(3, ">\23o}", 4) = 4
close(3) = 0
mmap2(NULL, 8392704, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb534e000
brk(0) = 0x178d4a90
brk(0x178f5a90) = 0x178f5a90
brk(0x178f6000) = 0x178f6000
mprotect(0xb534e000, 4096, PROT_NONE) = 0
clone(child_stack=0xb5b4e4c8, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0xb5b4ebf8, {entry_number:6, base_addr:0xb5b4ebb0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}, child_tidptr=0xb5b4ebf8) = 19951
futex(0xb5b4ebf8, FUTEX_WAIT, 19951, NULL) = 0
execve("/usr/bin/wine-preloader", ["/usr/bin/wine-preloader", "/usr/bin/wine-pthread"], [/* 85 vars */]) = 0
old_mmap(NULL, 1114112, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0
old_mmap(0x80000000, 16777216, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = -1 E??? (errno -2147483648)
old_mmap(0x110000, 267321344, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x110000
open("/usr/bin/wine-pthread", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0%\0\3\0\3\0\1\0\0\0\220\17\360"..., 2048) = 2048
old_mmap(0x77f00000, 12468, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x45f3d000
mprotect(0x45f3f000, 4276, PROT_NONE) = 0
old_mmap(0x45f3f000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x1000) = 0x45f3f000
close(3) = 0
open("/lib/ld-linux.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0\10\0"..., 2048) = 2048
old_mmap(NULL, 95472, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x45f41000
mprotect(0x45f57000, 5360, PROT_NONE) = 0
old_mmap(0x45f57000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x15000) = 0x45f57000
close(3) = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
"paxctl -v /usr/bin/wine-preloader":
- PaX flags: -p-s-m-x-e-- [/usr/bin/wine-preloader]
PAGEEXEC is disabled
SEGMEXEC is disabled
MPROTECT is disabled
RANDEXEC is disabled
EMUTRAMP is disabled
What I see in syslog:
grsec: signal 11 sent to /usr/bin/wine-preloader[wine-preloader:14754] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/strace[strace:31499] uid/euid:0/0 gid/egid:0/0
Wine has been built with hardened gcc 3.4.3 with "-O3 -pipe -fno-inline-functions -fomit-frame-pointer -march=athlon-xp".
Am I to assume that Wine does not like KMEM restrictions? Is there any way to make Wine work with GRKERNSEC_KMEM or is that a lost cause?
Also, I sometimes see grsec messages in syslog saying that signal 11 was sent to some application, but the application concerned does not quit and keeps running happily afterwards. vmware-vmx in particular does that, but the virtual machines still work as usual. Should I do something about that?