PAX not enabled?

PostPosted: Thu Mar 31, 2005 6:53 pm
by rs
Hi,

I'm running Debian Sid with custom kernel 2.4.29+grsec2. I've attached my grsec config. The problem is that paxtest is reporting all PAX protections as disabled, while all exec protections in my config are enabled.

debian:~# paxtest blackhat
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Mode: blackhat
Linux debian 2.4.29-grsec-vfs #1 Sat Mar 5 19:54:49 CET 2005 i686 GNU/Linux

Executable anonymous mapping : Vulnerable
Executable bss : Vulnerable
Executable data : Vulnerable
Executable heap : Vulnerable
Executable stack : Vulnerable
Executable anonymous mapping (mprotect) : Vulnerable
Executable bss (mprotect) : Vulnerable
Executable data (mprotect) : Vulnerable
Executable heap (mprotect) : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect) : Vulnerable
Anonymous mapping randomisation test : No randomisation
Heap randomisation test (ET_EXEC) : No randomisation
Heap randomisation test (ET_DYN) : No randomisation
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (ET_DYN) : No randomisation
Shared library randomisation test : No randomisation
Stack randomisation test (SEGMEXEC) : No randomisation
Stack randomisation test (PAGEEXEC) : No randomisation
Return to function (strcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : Vulnerable
Return to function (memcpy) : Vulnerable
Return to function (memcpy, RANDEXEC) : Vulnerable
Executable shared library bss : Vulnerable
Executable shared library data : Vulnerable
Writable text segments : Vulnerable


Why?

This is my config:

#
# Grsecurity
#
CONFIG_GRKERNSEC=y
CONFIG_CRYPTO=y
CONFIG_CRYPTO_SHA256=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MID is not set
# CONFIG_GRKERNSEC_HI is not set
CONFIG_GRKERNSEC_CUSTOM=y

#
# PaX Control
#
# CONFIG_GRKERNSEC_PAX_SOFTMODE is not set
# CONFIG_GRKERNSEC_PAX_EI_PAX is not set
# CONFIG_GRKERNSEC_PAX_PT_PAX_FLAGS is not set
CONFIG_GRKERNSEC_PAX_NO_ACL_FLAGS=y
# CONFIG_GRKERNSEC_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_GRKERNSEC_PAX_HOOK_ACL_FLAGS is not set

#
# Address Space Protection
#
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_RTC=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_HIDESYM=y

#
# Role Based Access Control Options
#
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=110
# CONFIG_GRKERNSEC_PROC_ADD is not set
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
# CONFIG_GRKERNSEC_CHROOT_FINDTASK is not set
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
# CONFIG_GRKERNSEC_CHROOT_CAPS is not set

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set

#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_SHM=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_TPE is not set

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDSRC=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl support
#
# CONFIG_GRKERNSEC_SYSCTL is not set

#
# Logging options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4

Any help/hint will be appreciated.

-rs

PostPosted: Thu Mar 31, 2005 9:37 pm
by spender
# CONFIG_GRKERNSEC_PAX_EI_PAX is not set
# CONFIG_GRKERNSEC_PAX_PT_PAX_FLAGS is not set

PaX is not enabled in your configuration. One (or both) of these options needs to be enabled so that you can enable the various PaX features. Read the configuration help for more information.

-Brad

Still not working

PostPosted: Fri Apr 01, 2005 5:51 am
by rs
Thanks for your answer, Brad, but it is still not working.

I reconfigured & recompiled the kernel like so:

debian:/usr/src/linux# grep CONFIG_GRKERNSEC_PAX_PT_PAX_FLAGS .config
CONFIG_GRKERNSEC_PAX_PT_PAX_FLAGS=y

But paxtest is still reporting all protections as "vulnerable".

I read all the help dialogs while (re)configuring the kernel (indeed I had done this task even before my 1st post to this forum). According to the docs:

- CONFIG_GRKERNSEC_PAX_PT_PAX_FLAGS is used to manage PAX via paxctl. This is good (for instance to deactivate PAX for certain executables).
- CONFIG_GRKERNSEC_PAX_EI_PAX is used to manage PAX via chpax, which could be good too.

But what I want is to enable PAX _by default_. Management via chpax / paxctl should be optional but not mandatory. Perhaps there should be a switch clearly stating: "Enable PAX", apart from the other options.

What am I missing? How could I get a "default-PAX-on" kernel? Perhaps activating "CONFIG_GRKERNSEC_PAX_EI_PAX" too? (if that's the solution, I think the help dialogs are not clear).

Thanks again.
-rs

PostPosted: Fri Apr 01, 2005 11:00 am
by spender
Once you enable those options, in the Address Space Protections section you will be able to enable the various PaX features.

-Brad

PostPosted: Fri Apr 01, 2005 12:21 pm
by rs
Hello,

I already had PAX options enabled. In particular:

[*] Enforce Non-executable pages
[*] Paging based non-executable pages
[*] Segmentation based non-executable pages
[ ] Emulate trampolines
[*] Restrict mprotect()
[ ] Disallow ELF text relocations (DANGEROUS)
[*] Address Space Layout Randomization
[ ] Randomize kernel stack base
[*] Randomize user stack base
[*] Randomize mmap() base
[*] Deny writing to /dev/kmem, /dev/mem, and /dev/port
[*] Disable privileged I/O
[*] Remove addresses from /proc/pid/[maps|stat]
[*] Deter exploit bruteforcing
[*] Hide kernel symbols

With the above options and CONFIG_GRKERNSEC_PAX_PT_PAX_FLAGS enabled, PAX protections were DISABLED by default!!!!

Now I've recompiled keeping the PT_PAX_FLAGS but I've also added:
CONFIG_GRKERNSEC_PAX_EI_PAX=y

Now PAX is working by default. So it seems that:
CONFIG_GRKERNSEC_PAX_EI_PAX ~= ENABLE_PAX_BY_DEFAULT

which is not intuitive at all. The help says:
"Enabling this option will allow you to control PaX features on a per executable basis via the 'chpax' utility". Somebody (like me) reading this will think that this option is for enabling chpax util usage, not for enabling default-PAX-protection.

Moreover, the same help says that this option is deprecated by PT_PAX_FLAGS, which seems quite similar, except that the util used is paxctl. So at least we could expect a PAX enabling by default when only this last choice is enabled (which is my previous test, and it didn't work).

So my problem is fixed by now, but I think there should be some clarification in the help documentation, stating how to get default PAX protection without using paxctl or chpax, and differentiating between the default enabling and the chpax/paxctl use enabling. Only that.

Cheers,
-rs

PostPosted: Fri Apr 01, 2005 5:47 pm
by PaX Team
rs wrote:
Now PAX is working by default. So it seems that:
CONFIG_GRKERNSEC_PAX_EI_PAX ~= ENABLE_PAX_BY_DEFAULT

which is not intuitive at all. The help says:
"Enabling this option will allow you to control PaX features on a per executable basis via the 'chpax' utility". Somebody (like me) reading this will think that this option is for enabling chpax util usage, not for enabling default-PAX-protection.
and what would somebody like you think when reading this from the same config help:
CONFIG_GRKERNSEC_PAX_EI_PAX

If you have applications not marked by the PT_PAX_FLAGS ELF
program header then you MUST enable this option otherwise they
will not get any protection.

or was this an April's fool?
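The two posts above describe the failure mode precisely: with neither marking reader built in, no PaX feature can be applied, and with only PT_PAX_FLAGS built in, binaries that carry no PT_PAX_FLAGS program header get no protection. The following is an added audit helper written for this thread (not code from grsecurity, PaX or any poster): it reads a kernel .config, reports those two situations plus soft mode, and lists which paxtest entries still fail. Option names are the ones quoted in the thread; the config and paxtest samples are constructed.

```python
import re

# Readers of per-binary PaX markings quoted in the thread (grsecurity 2.x / 2.4).
MARKING_READERS = ("CONFIG_GRKERNSEC_PAX_EI_PAX", "CONFIG_GRKERNSEC_PAX_PT_PAX_FLAGS")


def parse_kconfig(text):
    """Map CONFIG_* names to values; '# X is not set' lines map to 'n'."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"^(CONFIG_\w+)=(\S+)$", line)
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def pax_config_findings(opts):
    """Explain why unmarked binaries may run without any PaX protection."""
    ei = opts.get("CONFIG_GRKERNSEC_PAX_EI_PAX") == "y"
    pt = opts.get("CONFIG_GRKERNSEC_PAX_PT_PAX_FLAGS") == "y"
    findings = []
    if not ei and not pt:      # the first post: no marking reader at all
        findings.append("no PaX marking reader enabled: PaX features cannot be selected")
    elif pt and not ei:        # the second attempt: Debian binaries carry no PT_PAX_FLAGS
        findings.append("only PT_PAX_FLAGS: binaries without that ELF program header get no protection")
    if opts.get("CONFIG_GRKERNSEC_PAX_SOFTMODE") == "y":
        findings.append("soft mode: PaX is off for binaries that are not explicitly marked")
    return findings


def paxtest_failures(text):
    """Names of paxtest entries reporting 'Vulnerable' or 'No randomisation'."""
    bad = []
    for line in text.splitlines():
        name, sep, result = line.rpartition(":")
        if sep and result.strip() in ("Vulnerable", "No randomisation"):
            bad.append(name.strip())
    return bad


# Constructed samples: the PaX Control block of the first post, then rs's second attempt.
FIRST_CONFIG = """# CONFIG_GRKERNSEC_PAX_SOFTMODE is not set
# CONFIG_GRKERNSEC_PAX_EI_PAX is not set
# CONFIG_GRKERNSEC_PAX_PT_PAX_FLAGS is not set
CONFIG_GRKERNSEC_PAX_NO_ACL_FLAGS=y
"""
SECOND_CONFIG = FIRST_CONFIG.replace("# CONFIG_GRKERNSEC_PAX_PT_PAX_FLAGS is not set",
                                     "CONFIG_GRKERNSEC_PAX_PT_PAX_FLAGS=y")
PAXTEST_OUT = """Mode: blackhat
Executable stack : Vulnerable
Executable shared library data (mprotect): Vulnerable
Stack randomisation test (SEGMEXEC) : No randomisation
Return to function (strcpy) : Killed
"""

if __name__ == "__main__":
    for label, cfg in (("first", FIRST_CONFIG), ("second", SECOND_CONFIG)):
        print(label, pax_config_findings(parse_kconfig(cfg)))
    print(paxtest_failures(PAXTEST_OUT))
```

On a real box, feed it `/usr/src/linux/.config` and the `paxtest.log` that paxtest writes; an empty findings list together with an empty failure list is the expected state once EI_PAX (or fully paxctl-marked binaries with PT_PAX_FLAGS) is in place.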

PostPosted: Mon Apr 04, 2005 3:19 am
by rs
I'd think that the referred-to "warning" is not concordant with the main definition of the flag, which is:

"CONFIG_GRKERNSEC_PAX_EI_PAX:
Enabling this option will allow you to control PaX features on
a per executable basis via the 'chpax' utility"

I'd also think that the behaviour is not coherent with:

"CONFIG_GRKERNSEC_PAX_PT_PAX_FLAGS:
Enabling this option will allow you to control PaX features on
a per executable basis via the 'paxctl' utility"

Both choices seem similar (except that they apply to different control utils), but:
- in any case it is said what the default PAX status for _any_ executable will be
- moreover, one is "enabling by default" and the other is not.

Sorry, but no, it was not an April's fool joke. It was a constructive criticism from someone who read the documentation and found some incoherences (IMHO). Please, take it as a suggestion, it's not a flame. I think PAX/grsec are both a nice work.

Regards,
-rs