grsecurity forums

My goal is to run multiple guest Debian grsec/PaX UMLs inside of a Debian grsec/PaX host. As a quick test, in a non-grsec/PaX kernel (2.6.18-6-amd64 from the Debian install), I downloaded the Debian 4.0 AMD64 filesystem from http://uml.nagafix.co.uk/ and compiled a guest 2.6.26.5 (non-grsec/PaX) UML kernel with the following commands:

Code: Select all

sudo make ARCH=um oldconfig
sudo make ARCH=um

The guest UML compiled fine and was fired off with:

Code: Select all

./linux ubd0=/path/to/Debian-4.0-AMD64-root_fs

When I boot into my 2.6.26-grsec kernel and attempt the same command (./linux ubd0=...), the process is killed by PaX. Here are the lines from dmesg:

Code: Select all

PAX: From 192.168.1.147: execution attempt in: /usr/src/linux-2.6.26.5/linux, 60000000-6026c000 00000000
PAX: terminating task: /usr/src/linux-2.6.26.5/linux(linux):2287, uid/euid: 1000/1000, PC: 0000000060010450, SP: 00007ce4079003b0
PAX: bytes at PC: 31 ed 49 89 d1 5e 48 89 e2 48 83 e4 f0 50 54 49 c7 c0 30 7d
PAX: bytes at SP-8:

/usr/src/linux-2.6.26/.config (snipped):

Code: Select all

#
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
CONFIG_GRKERNSEC_CUSTOM=y

#
# Address Space Protection
#
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODSTOP=y
CONFIG_GRKERNSEC_HIDESYM=y

#
# Role Based Access Control Options
#
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
# CONFIG_GRKERNSEC_RESLOG is not set
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
# CONFIG_GRKERNSEC_SIGNAL is not set
# CONFIG_GRKERNSEC_FORKFAIL is not set
# CONFIG_GRKERNSEC_TIME is not set
# CONFIG_GRKERNSEC_PROC_IPADDR is not set
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set

#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_DMESG=y
# CONFIG_GRKERNSEC_TPE is not set

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl support
#
# CONFIG_GRKERNSEC_SYSCTL is not set

#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4

#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_NOELFRELOCS is not set
CONFIG_PAX_KERNEXEC=y

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y

#
# Miscellaneous hardening features
#
CONFIG_PAX_MEMORY_SANITIZE=y
# CONFIG_KEYS is not set
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_CAPABILITIES=y
# CONFIG_SECURITY_FILE_CAPABILITIES is not set
# CONFIG_SECURITY_ROOTPLUG is not set
CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR=0
CONFIG_CRYPTO=y

$ uname -a

Code: Select all

Linux hostname 2.6.26-grsec #2 SMP Mon Aug 4 03:12:51 PDT 2008 x86_64 GNU/Linux

$ gcc --version

Code: Select all

gcc (Debian 4.3.2-1) 4.3.2

$ gdb --version

Code: Select all

GNU gdb 6.8-debian

I have also tried loading the linux binary in gdb and breaking on main, but it dies right when I run it.

Code: Select all

$ gdb -q /usr/src/linux-2.6.26.5/linux
(gdb) break main
Breakpoint 1 at 0x60002ecb: file arch/um/os-Linux/main.c, line 28.
(gdb) set args ubd0=/path/to/Debian-4.0-AMD64-root_fs
(gdb) run
Starting program: /usr/src/linux-2.6.26.5/linux udb0=/path/to/Debian-4.0-AMD64-root_fs

Program terminated with signal SIGKILL, Killed.
The program no longer exists.
(gdb)

Any thoughts on the root cause(s) of this issue? This is the non-grsec/PaX guest running inside the grsec/PaX host, so not exactly my end goal. Though it brings up another set of questions, possibly off topic:

a) If the host is grsec/PaX, are the guests also protected via grsec/PaX even if the grsec/PaX protections are not turned in their config? I am guessing that both the host and guest would need to have grsec/PaX enabled to protect everything.
b) Is it even possible to run grsec/PaX guest UMLs inside of a grsec/PaX host?

Unfortunately I know very little about how the protections from grsecurity and PaX actually work.

If you would like me to post any additional information, command output, etc from the system; please request it and I will post it ASAP. Thanks!

int80 wrote:My goal is to run multiple guest Debian grsec/PaX UMLs inside of a Debian grsec/PaX host.

first of all, note that we made no effort so far to support UML kernels, so it's normal that things break left and right. e.g., the i386 version didn't even compile for me, let alone run without further tweaks. as for using grsec (or PaX at least) in the guest kernel, that's another can of worms that i'll explain below.

When I boot into my 2.6.26-grsec kernel and attempt the same command (./linux ubd0=...), the process is killed by PaX. Here are the lines from dmesg:

Code: Select all

PAX: From 192.168.1.147: execution attempt in: /usr/src/linux-2.6.26.5/linux, 60000000-6026c000 00000000
PAX: terminating task: /usr/src/linux-2.6.26.5/linux(linux):2287, uid/euid: 1000/1000, PC: 0000000060010450, SP: 00007ce4079003b0
PAX: bytes at PC: 31 ed 49 89 d1 5e 48 89 e2 48 83 e4 f0 50 54 49 c7 c0 30 7d
PAX: bytes at SP-8:

this just means that the UML kernel ran afoul of the runtime code generation restrictions of PaX, paxctl/chpax -m should fix it. note that the UML kernel image is not exactly a PaX friendly ELF file, it has one big RWE PT_LOAD segment (not to mention the RWE GNU_STACK segment), that will die right away there and fixing it in the UML kernel linker script and the kernel makefiles so far seems to be an uphill battle (why on earth do they generate empty built-in.o files for one...).

a) If the host is grsec/PaX, are the guests also protected via grsec/PaX even if the grsec/PaX protections are not turned in their config? I am guessing that both the host and guest would need to have grsec/PaX enabled to protect everything.

since UML kernels run as normal userland processes, they will get whatever protections you enable on them, but as i indicated above, there're limits as to how much you can enforce (no MPROTECT for now). what protections userland processes run by the UML kernel get depends on how UML runs them, if they also appear as host processes, then they get the same protection as any other host userland process would (i.e., subject to their PT_PAX_FLAGS/etc markings) and not even the UML kernel process will be able to circumvent them, but if the host kernel doesn't see them as individual host processes (or only sees them as fork'ed copies of the UML kernel process), then it's up to the UML kernel to enforce protections.

b) Is it even possible to run grsec/PaX guest UMLs inside of a grsec/PaX host?

depends on the guest kernel's config, i think most grsec features should work but certain PaX features will never work (e.g., the old PAGEEXEC method but i'm also not sure about UDEREF for example, depends on how well UML could handle the descriptor table changes required by certain PaX features) and in any case, PaX would need a proper port to the um architecture, right now you can't enable much beyond SANITIZE.