
[solved] Xorg 1.8 problem

Posted: Mon Aug 09, 2010 6:36 am
by franz
[edited, see bottom of this post] Hi,

not able to start Xorg after upgrade to "xorg-server 1.8.99.904" (from xorg-server-1.7.6 which was working as expected using grsec/pax/rbac)
It runs fine with grsec rbac disabled.

From shell that starts Xorg:
#---
X.Org X Server 1.8.1.902 (1.8.2 RC 2)
Release Date: 2010-06-21
X Protocol Version 11, Revision 0
Build Operating System: Linux 2.6.34-ARCH x86_64
Current Operating System: Linux spunk 2.6.34.1-grsec #1 SMP PREEMPT Fri Aug 6 15:09:36 CEST 2010 x86_64
Kernel command line: root=/dev/sda3 ro
Build Date: 21 June 2010 12:01:49PM

Current version of pixman: 0.18.2
Before reporting problems, check http://wiki.x.org
to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
(++) from command line, (!!) notice, (II) informational,
(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: "/var/log/Xorg.0.log", Time: Mon Aug 9 12:15:02 2010
(==) Using config file: "/etc/X11/xorg.conf"
(==) Using config directory: "/etc/X11/xorg.conf.d"
intel_bufmgr_gem.c:962: Error mapping buffer 8 (gen4 SF state): Permission denied .

Backtrace:
0: /usr/bin/X (xorg_backtrace+0x28) [0x498588]
1: /usr/bin/X (0x400000+0x672d9) [0x4672d9]
2: /lib/libpthread.so.0 (0x39f6c525000+0xf1c0) [0x39f6c5341c0]
3: /usr/lib/xorg/modules/drivers/intel_drv.so (0x39f698d5000+0x22528) [0x39f698f7528]
4: /usr/lib/xorg/modules/drivers/intel_drv.so (0x39f698d5000+0x24e6a) [0x39f698f9e6a]
5: /usr/lib/xorg/modules/drivers/intel_drv.so (0x39f698d5000+0x11d78) [0x39f698e6d78]
6: /usr/bin/X (AddScreen+0x19d) [0x42846d]
7: /usr/bin/X (InitOutput+0x217) [0x46f757]
8: /usr/bin/X (0x400000+0x21595) [0x421595]
9: /lib/libc.so.6 (__libc_start_main+0xfd) [0x39f6b4b8c4d]
10: /usr/bin/X (0x400000+0x212f9) [0x4212f9]
Segmentation fault at address (nil)

Fatal server error:
Caught signal 11 (Segmentation fault). Server aborting


Please consult the The X.Org Foundation support
at http://wiki.x.org
for help.
Please also check the log file at "/var/log/Xorg.0.log" for additional information.
#---


from dmesg:
grsec: (myuser:U:/usr/bin/Xorg) denied load of writable library /drm mm object by /usr/bin/Xorg[X:23799] uid/euid:666/0 gid/egid:100/100, parent /usr/bin/xinit[xinit:23798] uid/euid:666/666 gid/egid:100/100
grsec: (myuser:U:/usr/bin/Xorg) Segmentation fault occurred at (null) in /usr/bin/Xorg[X:23799] uid/euid:666/0 gid/egid:100/100, parent /usr/bin/xinit[xinit:23798] uid/euid:666/666 gid/egid:100/100


Not sure where /drm should be read/written/loaded (seems like a memory mapping?)



Policy for myuser

subject /usr/bin/Xorg o {
user_transition_allow root myuser
group_transition_allow users

/ h
/bin h
/bin/bash x
/etc h
/etc/X11/xorg.conf r
/etc/X11/xorg.conf.d r
/etc/ld.so.cache rx
/etc/localtime r
/lib rx
/lib/modules rx
/lib/modules/2.4.6.34.1-grsec r
/lib/modules/2.4.6.34.1-grseci/modules.dep.bin rx
/lib/modules/2.6.34.1-grsec/modules.dep r
/proc h
/proc/cmdline r
/proc/meminfo r
/proc/mtrr w
/proc/sys/kernel/modprobe r
/sys r
/usr h
/usr/bin h
/usr/bin/xinit rx
/usr/bin/Xorg rx
/usr/lib rx
/usr/lib/xorg/modules rx
/usr/share r
/var h
/var/lib/xkb
/var/log
/var/log/Xorg.0.log rwcd
/var/log/Xorg.0.log.old rwcd
/var/run/dbus/system_bus_socket rw
/sbin/modprobe rx
/dev
/dev/input rw
/dev/dri
/dev/dri/card0 rw
/dev/tty0 w
/dev/tty7 rw
/dev/vga_arbiter rw
/dev/grsec h
/dev/mem h
/dev/kmem h
/dev/port h
/dev/log h
/tmp rwcdl
-CAP_ALL
+CAP_CHOWN
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_RAWIO
+CAP_SYS_ADMIN
+CAP_SYS_TTY_CONFIG
-PAX_SEGMEXEC
-PAX_PAGEEXEC
-PAX_MPROTECT
bind disabled
connect disabled
}




Pax settings on the binary:

$ paxctl -v /usr/bin/Xorg
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>

- PaX flags: -p-s-m-x-e-r [/usr/bin/Xorg]
PAGEEXEC is disabled
SEGMEXEC is disabled
MPROTECT is disabled
RANDEXEC is disabled
EMUTRAMP is disabled
RANDMMAP is disabled

$


Any suggestions?


Running latest test patch available "grsecurity-2.2.0-2.6.34.1-201007162107.patch"

Best Regards,
franz

Keep up the good work!!

[edited]
Maybe my mistake!
CONFIG_GRKERNSEC_KMEM=y
in kernel config.
I will recompile the kernel
/franz

Re: Xorg 1.8 problem

Posted: Tue Aug 10, 2010 9:03 pm
by spender
Hi, sorry for the delay. I was in Boston yesterday presenting at the Linux Security Summit.

based on the log:
grsec: (myuser:U:/usr/bin/Xorg) denied load of writable library /drm mm object by /usr/bin/Xorg[X:23799] uid/euid:666/0 gid/egid:100/100, parent /usr/bin/xinit[xinit:23798] uid/euid:666/666 gid/egid:100/100

adding a "/drm mm object" h object to the / subject for the myuser role and the default role
(make sure you use the quotes around the path, as the spaces are part of the filename)
should solve the problem. the RBAC system prevents privileged subjects from being able to mmap executable any file which is writable by the default subject for that role or for the default role.

You also should be able to re-enable PaX on Xorg (with the possible exception of mprotect).

Let me know if the above doesn't resolve the issue.

-Brad
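
Added example (not part of the original thread and not grsecurity code): a small Python parser for the "denied load of writable library" alert quoted above, which has to cope with object names that contain spaces and renders them in the quoted form the reply asks for. The sample lines are constructed in the alert format shown in this thread; `parse_alert`, `policy_object` and `summarize` are names chosen here.

```python
import re
from collections import Counter

# Constructed sample in the alert format quoted in this thread. The /tmp path is
# made up to exercise an object name that itself contains " by ".
SAMPLE = """\
grsec: (myuser:U:/usr/bin/Xorg) denied load of writable library /drm mm object by /usr/bin/Xorg[X:23799] uid/euid:666/0 gid/egid:100/100, parent /usr/bin/xinit[xinit:23798] uid/euid:666/666 gid/egid:100/100
[ 4211.093] grsec: (default:D:/) denied load of writable library /drm mm object by /usr/bin/Xorg[X:4892] uid/euid:666/0 gid/egid:100/100
[ 4211.094] grsec: (default:D:/) denied load of writable library /drm mm object by /usr/bin/Xorg[X:4892] uid/euid:666/0 gid/egid:100/100
grsec: (default:D:/) denied load of writable library /tmp/built by hand.so by /usr/bin/demo[demo:100] uid/euid:1000/1000 gid/egid:100/100
grsec: more alerts, logging disabled for 10 seconds
"""

# The object name may contain spaces, so it is matched lazily and the match is
# anchored on the fixed "exe[comm:pid] uid/euid:" structure that follows " by ".
ALERT = re.compile(
    r"grsec: \((?P<role>[^:]+):(?P<rtype>[A-Z]):(?P<subject>[^)]+)\) "
    r"denied load of writable library (?P<path>.+?) by "
    r"(?P<exe>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+)"
)

def parse_alert(line):
    """Return the alert's fields as a dict, or None for any other log line."""
    m = ALERT.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("pid", "uid", "euid"):
        fields[key] = int(fields[key])
    return fields

def policy_object(path, mode="h"):
    """Render a policy object line, quoting names that contain whitespace."""
    return f'"{path}" {mode}' if re.search(r"\s", path) else f"{path} {mode}"

def summarize(text):
    """Count denials per (role, role type, subject, object name)."""
    counts = Counter()
    for line in text.splitlines():
        a = parse_alert(line)
        if a:
            counts[(a["role"], a["rtype"], a["subject"], a["path"])] += 1
    return counts

if __name__ == "__main__":
    for (role, rtype, subject, path), n in summarize(SAMPLE).items():
        print(f"{n}x role={role}({rtype}) subject={subject} -> {policy_object(path)}")
```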

Re: Xorg 1.8 problem

Posted: Wed Aug 11, 2010 4:05 am
by franz
Hi,

"adding a "/drm mm object" h object to the / subject for the myuser role and the default role"

Should it be set like this then?:

role default
subject / {
/ h
"/drm mm object" h
-CAP_ALL
connect disabled
bind disabled
}
subject /usr/bin/Xorg o {
user_transition_allow root myuser
group_transition_allow users

/ h
"/drm mm object" h
/bin h
......

Found out that a new "full system learning" to set up a new policy prevents the Xorg execution as well; this probably means that my policy is not causing this problem, but it's just my guess.

This is what I get when running a full system learn (if Xorg is not started already)

grsec: more alerts, logging disabled for 10 seconds
grsec: (default:D:/) denied load of writable library /drm mm object by /usr/bin/Xorg[X:4892] uid/euid:666/0 gid/egid:100/100, parent /usr/bin/xinit[xinit:4891] uid/euid:666/666 gid/egid:100/100
grsec: (default:D:/) denied load of writable library /drm mm object by /usr/bin/Xorg[X:4892] uid/euid:666/0 gid/egid:100/100, parent /usr/bin/xinit[xinit:4891] uid/euid:666/666 gid/egid:100/100


Xorg is not terminated if it's already running but the shell where it's started is complaining about this:
intel_bufmgr_gem.c:962: Error mapping buffer 606 (surface_state): Permission denied .
intel_bufmgr_gem.c:962: Error mapping buffer 606 (surface_state): Permission denied .
intel_bufmgr_gem.c:962: Error mapping buffer 610 (surface_state): Permission denied .
intel_bufmgr_gem.c:962: Error mapping buffer 610 (surface_state): Permission denied .
intel_bufmgr_gem.c:962: Error mapping buffer 605 (surface_state): Permission denied .
intel_bufmgr_gem.c:962: Error mapping buffer 605 (surface_state): Permission denied .
intel_bufmgr_gem.c:962: Error mapping buffer 613 (surface_state): Permission denied .
intel_bufmgr_gem.c:962: Error mapping buffer 613 (surface_state): Permission denied




A new kernel compile using the "LOW" option gave the same result.
my current kernel config:
zcat /proc/config.gz | egrep 'PAX|GRKERN|PREEM'

# CONFIG_TREE_PREEMPT_RCU is not set
CONFIG_PREEMPT_NOTIFIERS=y
CONFIG_PREEMPT_NONE=y
# CONFIG_PREEMPT_VOLUNTARY is not set
# CONFIG_PREEMPT is not set
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_LOW=y
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
# CONFIG_GRKERNSEC_CUSTOM is not set
CONFIG_GRKERNSEC_KMEM=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_HIDESYM=y
# CONFIG_GRKERNSEC_NO_RBAC is not set
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_ROFS=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
CONFIG_GRKERNSEC_AUDIT_GROUP=y
CONFIG_GRKERNSEC_AUDIT_GID=1007
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_PTRACE=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
# CONFIG_GRKERNSEC_TPE is not set
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_BLACKHOLE=y
CONFIG_GRKERNSEC_SOCKET=y
CONFIG_GRKERNSEC_SOCKET_ALL=y
CONFIG_GRKERNSEC_SOCKET_ALL_GID=1004
CONFIG_GRKERNSEC_SOCKET_CLIENT=y
CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=1003
CONFIG_GRKERNSEC_SOCKET_SERVER=y
CONFIG_GRKERNSEC_SOCKET_SERVER_GID=1002
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
CONFIG_PAX_PER_CPU_PGD=y
CONFIG_PAX=y
CONFIG_PAX_SOFTMODE=y
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=n
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_NOELFRELOCS=y
CONFIG_PAX_KERNEXEC is not set
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_MEMORY_SANITIZE=y
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_USERCOPY=y

/franz

Re: Xorg 1.8 problem

Posted: Wed Aug 11, 2010 9:06 am
by spender
Ok, I see the problem. I have to ignore policy on certain pseudo-filesystems like shmfs, which involves returning a fake object with the ability to read/write/exec. Since the writable mmap check was done in this case on such an object, the RBAC system was reporting that the file was permitted write access and thus the mmap for execute from shmfs was denied. I'll update the writable mmap check in the next patch so that it ignores it for shmfs.

If you want to test the fix beforehand, change the following lines in grsecurity/gracl.c:is_writable_mmap():
Code:
        if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
            !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode)) {


to:

Code:
        if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
            !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode) && filp->f_path.mnt != shm_mnt) {


-Brad

Re: Xorg 1.8 problem

Posted: Wed Aug 11, 2010 1:56 pm
by franz
Thanks Brad!

I did start a new kernel compile with your fix included before I went home.
Will try the new kernel tomorrow
/franz

Re: Xorg 1.8 problem

Posted: Thu Aug 12, 2010 3:21 am
by franz
Hi,

Xorg is now working after your fix.
New version released, fix included I suppose :-)

Thanks for the excellent support!

Regards,
franz

Re: [solved] Xorg 1.8 problem

Posted: Thu Aug 12, 2010 8:05 am
by spender
Yes, the fix is included in the new patches released yesterday.

Thanks again for the report!

-Brad