Page 1 of 1

Does not work " New PaX flag format ".

PostPosted: Tue Jan 17, 2006 5:37 am
by Kurodo
I have the maked kernel 2.4.32 and grsecurity 2.1.8 with a grsecurity configuration:
Code: Select all
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_CUSTOM=y
CONFIG_GRKERNSEC_PAX_SOFTMODE=y
CONFIG_GRKERNSEC_PAX_PT_PAX_FLAGS=y
CONFIG_GRKERNSEC_PAX_NO_ACL_FLAGS=y
CONFIG_GRKERNSEC_PAX_NOEXEC=y
CONFIG_GRKERNSEC_PAX_PAGEEXEC=y
CONFIG_GRKERNSEC_PAX_SEGMEXEC=y
CONFIG_GRKERNSEC_PAX_EMUTRAMP=y
CONFIG_GRKERNSEC_PAX_MPROTECT=y
CONFIG_GRKERNSEC_PAX_ASLR=y
CONFIG_GRKERNSEC_PAX_RANDKSTACK=y
CONFIG_GRKERNSEC_PAX_RANDUSTACK=y
CONFIG_GRKERNSEC_PAX_RANDMMAP=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODSTOP=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_AUDIT_IPC=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_SHM=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDSRC=y
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y


Soft mode it is activated at booting - "pax_softmode=1"

paxtest-0.9.5 installed in a /opt/paxtest/ and the following ACL:
Code: Select all
...
# fragment for paxtest only
subject /opt/paxtest/paxtest
        /opt/paxtest
        /opt/paxtest/*                      rxi
        -CAP_ALL
        +PAX_MPROTECT
        +PAX_RANDMMAP
        +PAX_SEGMEXEC
        +PAX_PAGEEXEC
...


Grsecurity RBAC system enabled and worked:
Code: Select all
...grsecurity 2.1.8 RBAC system loaded by ...


Run /opt/paxtest/paxtest shows that "New Pax flags" do not allowed PaX:
Code: Select all
# ./paxtest
PaXtest - Copyright(c) 2003 by Peter Busser <peter@adamantix.org>
...
Test results:
...
Executable anonymous mapping   : Vulnerable
Executable bss                           : Vulnerable
Executable data                          : Vulnerable
Executable heap                          : Vulnerable
Executable stack                         : Vulnerable
Executable anonymous mapping (mprotect)  : Vulnerable
Executable bss (mprotect)                : Vulnerable
Executable data (mprotect)               : Vulnerable
Executable heap (mprotect)               : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect)              : Vulnerable
Anonymous mapping randomisation test     : No randomisation
Heap randomisation test (ET_EXEC)        : No randomisation
Heap randomisation test (ET_DYN)         : No randomisation
Main executable randomisation (ET_EXEC)  : No randomisation
Main executable randomisation (ET_DYN)   : No randomisation
Shared library randomisation test        : No randomisation
Stack randomisation test (SEGMEXEC)      : 9 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 9 bits (guessed)
Executable shared library bss            : Vulnerable
Executable shared library data           : Vulnerable
Writable text segments                   : Vulnerable


Modified PaX flags on a per-binary basis
(# chpax -qPMRS /opt/paxtest/*) allow PaX normally:
Code: Select all
# ./paxtest
PaXtest - Copyright(c) 2003 by Peter Busser <peter@adamantix.org>
...
Test results:
...
Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Executable stack (mprotect)              : Killed
Anonymous mapping randomisation test     : 16 bits (guessed)
Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
Heap randomisation test (ET_DYN)         : 25 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Main executable randomisation (ET_DYN)   : 17 bits (guessed)
Shared library randomisation test        : 16 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 23 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 23 bits (guessed)
Executable shared library bss            : Killed
Executable shared library data           : Killed
Writable text segments                   : Killed


In what a problem with "New PaX flag format" ?

PostPosted: Wed Jan 18, 2006 1:23 am
by spender
Your subject is on /opt/paxtest/paxtest, not on the directory /opt/paxtest, in which the various pax test binaries reside. You still won't get the same results with this setup though, since paxtest automatically chpax's some of its binaries, so you'd have to make the same kind of changes to your policy.

-Brad

change conditions - similar result.

PostPosted: Wed Jan 18, 2006 5:51 am
by Kurodo
I so have changed entry conditions:

Files:
[root@kurodo]# mkdir /root/bin
[root@kurodo]# cd /paxtestpath
[root@kurodo]# cp execstack /root/bin/
[root@kurodo]# paxctl -z /root/bin/execstack
[root@kurodo]# paxctl -v /root/bin/execstack
PaX control v0.2
Copyright 2004 PaX Team <pageexec@freemail.hu>

- PaX flags: ------------ [/root/bin/execstack]


grsec policy:
Code: Select all
#role root
....
#
subject /root/bin/execstack
        /root/bin/execstack     xX
        -CAP_ALL
        +PAX_SEGMEXEC


[root@kurodo]#gradm -R
...kurodo kernel: grsec: (root:U:/sbin/gradm) grsecurity 2.1.8 RBAC system reloaded by...

Run tests:
[root@kurodo /]# /root/bin/execstack
Executable stack : Vulnerable
kurodo kernel: grsec: (root:U:/root/bin/execstack) successful executable mmap of /root/bin/execstack by /root/bin/execstack[execstack:11836] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:14904] uid/euid:0/0 gid/egid:0/0


Let's check:
[root@kurodo]# paxctl -S /root/bin/execstack
[root@kurodo]# paxctl -v /root/bin/execstack
PaX control v0.2
Copyright 2004 PaX Team <pageexec@freemail.hu>

- PaX flags: --S--------- [/root/bin/execstack]
SEGMEXEC is enabled


[root@kurodo /]# /root/bin/execstack
Executable stack : Killed
kurodo kernel: grsec: (root:U:/root/bin/execstack) successful executable mmap of /root/bin/execstack by /root/bin/execstack[execstack:20019] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:14904] uid/euid:0/0 gid/egid:0/0
kurodo kernel: grsec: (root:U:/root/bin/execstack) successful executable mmap of /root/bin/execstack by /root/bin/execstack[execstack:20019] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:14904] uid/euid:0/0 gid/egid:0/0
kurodo kernel: PAX: execution attempt in: <anonymous mapping>,
...


What again I incorrectly do?
Why the system does not understand flag +PAX_SEGMEXEC established by ACLs for subject /root/bin/execstack?

Re: Does not work " New PaX flag format ".

PostPosted: Wed Jan 18, 2006 7:43 am
by PaX Team
Kurodo wrote:I have the maked kernel 2.4.32 and grsecurity 2.1.8 with a grsecurity configuration:
Code: Select all
CONFIG_GRKERNSEC_PAX_SOFTMODE=y
CONFIG_GRKERNSEC_PAX_PT_PAX_FLAGS=y
CONFIG_GRKERNSEC_PAX_NO_ACL_FLAGS=y

[...]
Run /opt/paxtest/paxtest shows that "New Pax flags" do not allowed PaX:
[...]
Modified PaX flags on a per-binary basis
(# chpax -qPMRS /opt/paxtest/*) allow PaX normally:
[...]
In what a problem with "New PaX flag format" ?
i think there's some confusion here. first, you set NO_ACL_FLAGS so grsecurity's ACL system won't be consulted in setting the PaX flags at all (it has to be HAVE_ACL_FLAGS). second, you didn't enable EI_PAX support either, so chpax again has no effect on the PaX flags. what would explain your second paxtest result is that if you have a patched binutils (which seems to be the case based on your second post) then the paxtest binaries have the PT_PAX_FLAGS marking and since the defaults are 'secure', paxtest succeeds. on a sidenote, if you want to restore the default flags, use -zex (pun intended so that male users can remember it easily), not -z alone.

PostPosted: Wed Jan 18, 2006 9:26 am
by Kurodo
Has replaced on CONFIG_GRKERNSEC_PAX_HAVE_ACL_FLAGS=y
All works now.

:lol:

Thanks!