
IPMIView Text Console issues while booting into grsec kernel

Posted: Wed Aug 13, 2008 10:28 am
by fed.linuxgossip
Hello,

We are unable to use IPMI View Text Console at all when the server was booted into its grsec kernel. Upon booting the server into the newest stock kernel, we are able to interact with your server normally via IPMI View Text Console as well as KVM console. When booting the server back into the grsec kernel, Text Console functionality was lost but KVM Console functionality remained.


root@server [~]# uname -a | awk {'print $3}'
2.6.25.9-grsec
root@server [~]# cat /etc/redhat-release
Red Hat Enterprise Linux ES release 4 (Nahant Update 7)
root@server [~]#


I was advised by DC to check the settings used to compile the grsec kernel and make the necessary changes. Is anyone aware of this issue?


Please advise.

More details
==============
#
# Security options
#

#
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
CONFIG_GRKERNSEC_CUSTOM=y

#
# Address Space Protection
#
CONFIG_GRKERNSEC_KMEM=y
# CONFIG_GRKERNSEC_IO is not set
# CONFIG_GRKERNSEC_PROC_MEMMAP is not set
CONFIG_GRKERNSEC_BRUTE=y
# CONFIG_GRKERNSEC_MODSTOP is not set
# CONFIG_GRKERNSEC_HIDESYM is not set

#
# Role Based Access Control Options
#
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
# CONFIG_GRKERNSEC_CHROOT_CAPS is not set

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
# CONFIG_GRKERNSEC_RESLOG is not set
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y

#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_DMESG=y
# CONFIG_GRKERNSEC_TPE is not set

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl support
#
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y

#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4

#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
CONFIG_PAX_SOFTMODE=y
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
# CONFIG_PAX_NOEXEC is not set

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y

#
# Miscellaneous hardening features
#
# CONFIG_PAX_MEMORY_SANITIZE is not set
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_KEYS=y
CONFIG_KEYS_DEBUG_PROC_KEYS=y
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_NETWORK_XFRM is not set
CONFIG_SECURITY_CAPABILITIES=y
# CONFIG_SECURITY_FILE_CAPABILITIES is not set
# CONFIG_SECURITY_ROOTPLUG is not set
CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR=0

Thanks

Re: IPMIView Text Console issues while booting into grsec kernel

Posted: Wed Aug 13, 2008 11:43 am
by cormander
I'm not familiar with IPMI View Text Console, so a few questions:

1) are you seeing anything dumped to your syslog that grsec or PaX is denying access to? ( /dev/kmem or otherwise )
2) does the IPMI require a specific kernel driver to work?
3) also might want to check dmesg after you boot up with the grsec kernel

I'm also assuming the kernel that it's working for you on is the 2.6.25.9 vanilla (same version as your grsec kernel).

Re: IPMIView Text Console issues while booting into grsec kernel

Posted: Thu Aug 14, 2008 7:02 am
by fed.linuxgossip
1) and 3)

root@server [/var/spool/cron]# cat /var/log/messages | grep grsec

Aug 10 12:57:19 server kernel: grsec: From 98.204.235.48: signal 11 sent to /usr/local/cpanel/whostmgr/bin/dnsadmin-ssl[dnsadmin-ssl:27419] uid/euid:0/0 gid/egid:0/0, parent /usr/local/cpanel/whostmgr/bin/dnsadmin-ssl[dnsadmin-ssl:27417] uid/euid:0/0 gid/egid:0/0
Aug 12 00:10:38 server kernel: grsec: From 75.120.224.165: signal 11 sent to /usr/local/cpanel/3rdparty/bin/php-cgi[php-cgi:13626] uid/euid:32049/32049 gid/egid:32051/32051, parent /usr/local/cpanel/cpsrvd-ssl[cpsrvd-ssl:13422] uid/euid:32049/32049 gid/egid:32051/32051
Aug 12 05:10:02 server kernel: grsec: From IP-kept-secret: time set by /usr/bin/rdate[rdate:30205] uid/euid:0/0 gid/egid:0/0, parent /scripts/upcp[upcp:30188] uid/euid:0/0 gid/egid:0/0
Aug 12 05:25:17 server kernel: grsec: From IP-kept-secret: time set by /usr/sbin/ntpd[ntpd:9069] uid/euid:38/38 gid/egid:38/38, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Aug 12 07:32:44 server kernel: Linux version 2.6.25.9-grsec (root@server.name.tld) (gcc version 3.4.6 20060404 (Red Hat 3.4.6-9)) #1 SMP Sat Jun 28 02:43:29 CDT 2008
Aug 12 07:32:46 server kernel: grsec: time set by /sbin/hwclock[hwclock:923] uid/euid:0/0 gid/egid:0/0, parent /etc/rc.d/rc.sysinit[rc.sysinit:633] uid/euid:0/0 gid/egid:0/0
Aug 12 07:33:18 server kernel: grsec: time set by /usr/bin/rdate[rdate:5931] uid/euid:0/0 gid/egid:0/0, parent /etc/rc.d/rc.local[S99local:5927] uid/euid:0/0 gid/egid:0/0
Aug 12 07:40:50 server kernel: Linux version 2.6.25.9-grsec (root@server.name.tld) (gcc version 3.4.6 20060404 (Red Hat 3.4.6-9)) #1 SMP Sat Jun 28 02:43:29 CDT 2008
Aug 12 07:40:52 server kernel: grsec: time set by /sbin/hwclock[hwclock:928] uid/euid:0/0 gid/egid:0/0, parent /etc/rc.d/rc.sysinit[rc.sysinit:633] uid/euid:0/0 gid/egid:0/0
Aug 12 07:41:21 server kernel: grsec: time set by /usr/bin/rdate[rdate:5698] uid/euid:0/0 gid/egid:0/0, parent /etc/rc.d/rc.local[S99local:5694] uid/euid:0/0 gid/egid:0/0
Aug 12 08:02:26 server kernel: grsec: time set by /usr/sbin/ntpd[ntpd:3776] uid/euid:38/38 gid/egid:38/38, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Aug 12 10:37:33 server kernel: grsec: time set by /usr/sbin/ntpd[ntpd:3776] uid/euid:38/38 gid/egid:38/38, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Aug 13 02:27:51 server kernel: Linux version 2.6.25.9-grsec (root@server.name.tld) (gcc version 3.4.6 20060404 (Red Hat 3.4.6-9)) #1 SMP Sat Jun 28 02:43:29 CDT 2008
Aug 13 02:27:53 server kernel: grsec: time set by /sbin/hwclock[hwclock:925] uid/euid:0/0 gid/egid:0/0, parent /etc/rc.d/rc.sysinit[rc.sysinit:640] uid/euid:0/0 gid/egid:0/0
Aug 13 02:28:22 server kernel: grsec: time set by /usr/bin/rdate[rdate:5476] uid/euid:0/0 gid/egid:0/0, parent /etc/rc.d/rc.local[S99local:5472] uid/euid:0/0 gid/egid:0/0
Aug 13 02:37:00 server kernel: Linux version 2.6.25.9-grsec (root@server.name.tld) (gcc version 3.4.6 20060404 (Red Hat 3.4.6-9)) #1 SMP Sat Jun 28 02:43:29 CDT 2008
Aug 13 02:37:01 server kernel: grsec: time set by /sbin/hwclock[hwclock:930] uid/euid:0/0 gid/egid:0/0, parent /etc/rc.d/rc.sysinit[rc.sysinit:640] uid/euid:0/0 gid/egid:0/0
Aug 13 02:37:31 server kernel: grsec: time set by /usr/bin/rdate[rdate:5566] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Aug 13 02:56:31 server kernel: grsec: time set by /usr/sbin/ntpd[ntpd:3706] uid/euid:38/38 gid/egid:38/38, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
root@server [/var/spool/cron]#

root@server [/var/spool/cron]# dmesg | grep grsec
Linux version 2.6.25.9-grsec (root@server.name.tld) (gcc version 3.4.6 20060404 (Red Hat 3.4.6-9)) #1 SMP Sat Jun 28 02:43:29 CDT 2008
grsec: time set by /sbin/hwclock[hwclock:930] uid/euid:0/0 gid/egid:0/0, parent /etc/rc.d/rc.sysinit[rc.sysinit:640] uid/euid:0/0 gid/egid:0/0
grsec: time set by /usr/bin/rdate[rdate:5566] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
grsec: time set by /usr/sbin/ntpd[ntpd:3706] uid/euid:38/38 gid/egid:38/38, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
grsec: time set by /usr/bin/rdate[rdate:7259] uid/euid:0/0 gid/egid:0/0, parent /scripts/upcp[upcp:7243] uid/euid:0/0 gid/egid:0/0
grsec: time set by /usr/bin/rdate[rdate:29022] uid/euid:0/0 gid/egid:0/0, parent /scripts/upcp[upcp:29004] uid/euid:0/0 gid/egid:0/0
grsec: time set by /usr/sbin/ntpd[ntpd:3706] uid/euid:38/38 gid/egid:38/38, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
root@server [/var/spool/cron]#
root@server [/var/spool/cron]#


root@server [/var/spool/cron]# dmesg | grep /dev
Adding 2096440k swap on /dev/sda7. Priority:0 extents:1 across:2096440k
root@server [/var/spool/cron]#

---------------------------------------------------------------------------------------------------------------------------------------------------
2) does the IPMI require a specific kernel driver to work?
I will contact DC and seek their advice and will update here.

The default kernel that came with this server is Red Hat Enterprise Linux ES (2.6.9-67.0.15.ELsmp) where IPMI Text Console works, but not while booting in the 2.6.25.9-grsec kernel.

Thanks
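
An added example, not part of the original posts: every grsec line quoted above is an audit record of the kind produced by CONFIG_GRKERNSEC_TIME and CONFIG_GRKERNSEC_SIGNAL, both enabled in the posted config. The sketch below groups grsec lines by event type and binary and marks anything other than those two types for manual review; the sample log is constructed, and treating only those two types as routine is an assumption.

```shell
#!/bin/sh
# Constructed sample in the format of the log lines quoted in the post above.
# The address, the paths and the last event are made up for illustration;
# "some other event" is a placeholder, not a real grsec message.
sample_log() {
cat <<'EOF'
Aug 12 00:10:38 server kernel: grsec: From 192.0.2.10: signal 11 sent to /usr/bin/php-cgi[php-cgi:13626] uid/euid:32049/32049 gid/egid:32051/32051, parent /usr/sbin/httpd[httpd:13422] uid/euid:32049/32049 gid/egid:32051/32051
Aug 12 05:25:17 server kernel: grsec: time set by /usr/sbin/ntpd[ntpd:9069] uid/euid:38/38 gid/egid:38/38, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Aug 12 07:32:44 server kernel: Linux version 2.6.25.9-grsec (root@server.name.tld) #1 SMP
Aug 12 07:32:46 server kernel: grsec: time set by /sbin/hwclock[hwclock:923] uid/euid:0/0 gid/egid:0/0, parent /etc/rc.d/rc.sysinit[rc.sysinit:633] uid/euid:0/0 gid/egid:0/0
Aug 12 08:02:26 server kernel: grsec: time set by /usr/sbin/ntpd[ntpd:9069] uid/euid:38/38 gid/egid:38/38, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Aug 12 09:00:00 server kernel: grsec: some other event by /bin/example[example:42] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
EOF
}

# Reads syslog text on stdin and prints "<class> <binary> <count>" lines.
grsec_triage() {
  awk '
    {
      i = index($0, "grsec: ")
      if (i == 0) next                        # skips e.g. the "Linux version ...-grsec" banner
      msg = substr($0, i + 7)
      sub(/^From [^ ]+: /, "", msg)           # optional "From <ip>: " prefix
      if (msg ~ /^time set by /)                class = "time_set"
      else if (msg ~ /^signal [0-9]+ sent to /) class = "signal"
      else                                      class = "review"   # anything not seen on this page
      bin = "?"
      n = split(msg, w, " ")
      for (k = 1; k <= n; k++)                # first absolute path is the acting binary
        if (substr(w[k], 1, 1) == "/") { bin = w[k]; break }
      sub(/\[.*/, "", bin)                    # drop the "[comm:pid]" suffix
      count[class " " bin]++
    }
    END { for (key in count) print key, count[key] }
  ' | sort
}

sample_log | grsec_triage
```

On a live system the same function can be fed with `grsec_triage < /var/log/messages`; an empty `review` class means the log holds only routine audit entries.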

Re: IPMIView Text Console issues while booting into grsec kernel

Posted: Thu Aug 14, 2008 10:26 am
by cormander
I'm also assuming the kernel that it's working for you on is the 2.6.25.9 vanilla (same version as your grsec kernel).


So since you're running a RHEL4 kernel, my assumption was false. I got the kernel and it looks like it has a patch for the openipmi driver in there. The most likely thing that is happening is support in the linux kernel for your IPMIView Text Console hasn't been accepted by the mainstream kernel as of 2.6.25, but redhat backported the support for it to their kernels (this kind of thing happens a lot).

I did happen to find what looks like a patch to add openipmi support to the 2.6.25 kernel:

http://internap.dl.sourceforge.net/sour ... v39.2.diff

NOTE: you'll likely have to add some options for IPMI in your kernel .config after you apply the patch.

Hope this helps.

Re: IPMIView Text Console issues while booting into grsec kernel

Posted: Thu Aug 14, 2008 12:02 pm
by fed.linuxgossip
Old config was run on 2.6.25.9 when it was compiled, so all features in 2.6.9-67 were likely included in the grsec patched 2.6.25.9 kernel.

root@server [/usr/src/kernels]# grep -i ipmi 2.6.9-67.EL-i686/.config
# IPMI
CONFIG_IPMI_HANDLER=m
# CONFIG_IPMI_PANIC_EVENT is not set
CONFIG_IPMI_DEVICE_INTERFACE=m
CONFIG_IPMI_SI=m
CONFIG_IPMI_WATCHDOG=m
CONFIG_IPMI_POWEROFF=m
root@server [/usr/src/kernels]#

root@server [/usr/src/kernels]# grep -i ipmi linux-2.6.25.9/.config
CONFIG_IPMI_HANDLER=m
# CONFIG_IPMI_PANIC_EVENT is not set
CONFIG_IPMI_DEVICE_INTERFACE=m
CONFIG_IPMI_SI=m
CONFIG_IPMI_WATCHDOG=m
CONFIG_IPMI_POWEROFF=m
root@server [/usr/src/kernels]#
root@server [/usr/src/kernels]#


---------------------
I was unable to apply the diff properly. I got an error like

can't find file to patch at input line 5
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:


Please advise.

Thanks

Re: IPMIView Text Console issues while booting into grsec kernel

Posted: Thu Aug 14, 2008 12:17 pm
by cormander
Patch works for me:

wget http://kernel.org/pub/linux/kernel/v2.6/linux-2.6.25.9.tar.gz
tar zxf linux-2.6.25.9.tar.gz
cd linux-2.6.25.9
wget http://internap.dl.sourceforge.net/sourceforge/openipmi/linux-i2c-2.6.25-v39.2.diff
patch -p1 --dry-run -i linux-i2c-2.6.25-v39.2.diff


patching file drivers/i2c/busses/i2c-i801.c
patching file drivers/i2c/busses/i2c-piix4.c
Hunk #4 succeeded at 231 (offset 28 lines).
Hunk #6 succeeded at 375 (offset 28 lines).
patching file drivers/i2c/i2c-core.c
patching file include/linux/i2c.h


Turns out there is more than one patch, though. Have a look here:

http://sourceforge.net/project/showfile ... _id=110139

Re: IPMIView Text Console issues while booting into grsec kernel

Posted: Thu Aug 14, 2008 1:48 pm
by PaX Team
before digging too deep into grsec, can you verify that vanilla 2.6.25.x works (even better would be 2.6.26.x because that's where we are at the moment)? if it doesn't, then i'm afraid we won't be able to support this feature, otherwise we'll have to figure out what this feature is, how it works, at which step it fails, etc.

Re: IPMIView Text Console issues while booting into grsec kernel

Posted: Fri Aug 15, 2008 12:00 am
by fed.linuxgossip
Thanks, I am testing this. I will update you with the results soon. As the servers that have IPMI view to work remotely are highly production servers, I have scheduled a time to test it.

Re: IPMIView Text Console issues while booting into grsec kernel

Posted: Sat Aug 16, 2008 10:41 am
by fed.linuxgossip
PaxTeam,

I confirm this is not a grsec issue. Kernel 2.6.19 onwards (also not sure if 2.6.18 or less supports it) seems to cause problems for IPMIView Text console functionality. As suggested by cormander, redhat seems to have backported the support for it to their kernels.

root@server [~]# uname -a
Linux server-name 2.6.26.2 #1 SMP Fri Aug 15 01:42:57 CDT 2008 i686 i686 i386 GNU/Linux
root@server [~]#


cormander, thanks for your help.

I am not sure, what exact patch might help overcome this. Any idea on this is appreciated.


The following patch, ipmi-run-to-completion-fixes.patch, was already applied.

root@server [/usr/src/kernels/linux-2.6.26.2]# patch -p1 --dry-run -i ../ipmi-run-to-completion-fixes.patch
patching file drivers/char/ipmi/ipmi_msghandler.c
Reversed (or previously applied) patch detected! Assume -R? [n] n
Apply anyway? [n] n
Skipping patch.
2 out of 2 hunks ignored -- saving rejects to file drivers/char/ipmi/ipmi_msghandler.c.rej
patching file drivers/char/ipmi/ipmi_poweroff.c
Hunk #1 FAILED at 99.
Hunk #2 FAILED at 155.
Hunk #3 FAILED at 545.
3 out of 3 hunks FAILED -- saving rejects to file drivers/char/ipmi/ipmi_poweroff.c.rej
patching file drivers/char/ipmi/ipmi_si_intf.c
Hunk #1 FAILED at 809.
Hunk #2 FAILED at 867.
2 out of 2 hunks FAILED -- saving rejects to file drivers/char/ipmi/ipmi_si_intf.c.rej
patching file include/linux/ipmi.h
Reversed (or previously applied) patch detected! Assume -R? [n] n
Apply anyway? [n] n
Skipping patch.
2 out of 2 hunks ignored -- saving rejects to file include/linux/ipmi.h.rej
root@server [/usr/src/kernels/linux-2.6.26.2]#

Thanks again.

Re: IPMIView Text Console issues while booting into grsec kernel

Posted: Sat Aug 16, 2008 3:17 pm
by PaX Team
fed.linuxgossip wrote: I am not sure, what exact patch might help overcome this. Any idea on this is appreciated.
the usual approach is to use git bisect to find the patch that broke support but that takes quite a few recompiles/reboots.

Re: IPMIView Text Console issues while booting into grsec kernel

Posted: Sat Aug 16, 2008 3:34 pm
by fed.linuxgossip
CONFIG_IPMI_HANDLER:

This enables the central IPMI message handler, required for IPMI
to work.

IPMI is a standard for managing sensors (temperature,
voltage, etc.) in a system.

See <file:Documentation/IPMI.txt> for more details on the driver.

If unsure, say N.

Symbol: IPMI_HANDLER [=m]
Prompt: IPMI top-level message handler
  Defined at drivers/char/ipmi/Kconfig:5
  Depends on: HAS_IOMEM
  Location:
    -> Device Drivers
      -> Character devices

--- IPMI top-level message handler
[ ] Generate a panic event to all BMCs on a panic
<M> Device interface for IPMI
<M> IPMI System Interface handler
<M> IPMI Watchdog Timer
<M> IPMI Poweroff

IPMI support is already enabled in the kernel, kernel/drivers/char/ipmi; it seems it is missing some patch only.

There is also a good one about this in http://www.hollenback.net/index.php/Lin ... gementIpmi