PaX patch + AppArmor - shouldn't this work?

Posted: Sat Jul 02, 2011 8:30 pm
by Lox
2.6.39.2

patches:

http://www.kernel.org/pub/linux/securit ... 2.6.39.tgz
pax-linux-2.6.39.1-test16.patch

Result: PaX doesn't work, Kernel (and AA) work fine.

# pspax
USER     PID    PAX    MAPS ETYPE      NAME             CAPS ATTR 
root     1      pemrs  w^x  ET_DYN     init             =ep cap_setpcap-e unconfined 
root     93     pemrs  w^x  ET_DYN     udevd            =ep  unconfined 


CONFIG_PAX=y
# CONFIG_PAX_SOFTMODE is not set
# CONFIG_PAX_EI_PAX is not set
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_SEGMEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_ELFRELOCS is not set
# CONFIG_PAX_KERNEXEC is not set
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_MEMORY_SANITIZE is not set
# CONFIG_PAX_MEMORY_STACKLEAK is not set
CONFIG_PAX_MEMORY_UDEREF=y
# CONFIG_PAX_REFCOUNT is not set
CONFIG_PAX_USERCOPY=y


Re: PaX patch + AppArmor - shouldn't this work?

Posted: Sun Jul 03, 2011 4:43 pm
by specs
Why should it work? :wink:

https://wiki.ubuntu.com/AppArmor
"AppArmor is a Mandatory Access Control (MAC) system which is a kernel (LSM) enhancement to confine programs to a limited set of resources. ..."

If you look up LSM on the GrSecurity site, you find under "Papers" a link to "Official grsecurity statement regarding LSM". Since its first introduction in the 2.6 kernels, LSM has been kicked out of the kernel, since no open source project used it. Lately it seems to have been reintroduced (2.6.38 if I'm correct). I have seen no new statement regarding LSM from GrSecurity, so I'd guess it still is incompatible.
http://grsecurity.net/lsm.php

Re: PaX patch + AppArmor - shouldn't this work?

Posted: Sun Jul 03, 2011 5:49 pm
by PaX Team
Lox wrote:
# CONFIG_PAX_EI_PAX is not set
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
Did you read the related config help and make sure your userland binaries are properly marked?

Re: PaX patch + AppArmor - shouldn't this work?

Posted: Sun Jul 03, 2011 10:46 pm
by Lox
Ha, thanks for catching that. I did the config in a hurry, sorry for wasting your time. Seems to work fine for now; switched to PAX_EI_PAX.

Re: PaX patch + AppArmor - shouldn't this work?

Posted: Mon Jul 04, 2011 7:51 am
by spender
BTW if you used the grsec patch instead, that wouldn't have been a problem ;) I use default-on for PT_PAX_FLAGS now that paxctl has the -C option.

-Brad
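
The two posts above turn on the same check: a kernel built with CONFIG_PAX_PT_PAX_FLAGS and without CONFIG_PAX_EI_PAX reads its per-binary marking only from a PT_PAX_FLAGS program header, so a binary that never had one created (with `paxctl -C`, or `-c` to convert PT_GNU_STACK) carries no marking for it to read. The following is an added example, not code from the thread, PaX or paxctl: it parses the ELF program headers directly, reports whether a PT_PAX_FLAGS header is present and decodes its enable/disable bits the way `paxctl -v` shows them, and lists which of a set of binaries are still unmarked. The sample ELF images are constructed in the block (a minimal little-endian ELF64 that is not a runnable program); the p_type value 0x65041580 and the p_flags bit positions are the ones from the PaX ELF definitions, and the EI_PAX byte at e_ident[14] is only reported raw, since this page does not spell out how the kernel interprets its bits.

```python
"""Inspect the PaX marking of ELF files: the PT_PAX_FLAGS program header
(what `paxctl -C` creates and `paxctl -v` displays) and the raw legacy
EI_PAX byte in e_ident (what CONFIG_PAX_EI_PAX reads)."""
import struct

PT_PAX_FLAGS = 0x65041580   # p_type of the PaX program header
EI_PAX = 14                 # e_ident index of the legacy marking byte

# PT_PAX_FLAGS p_flags: one explicit "enable" and one "disable" bit per feature.
PT_PAX_BITS = {
    "PAGEEXEC": (1 << 4, 1 << 5),
    "SEGMEXEC": (1 << 6, 1 << 7),
    "MPROTECT": (1 << 8, 1 << 9),
    "RANDEXEC": (1 << 10, 1 << 11),
    "EMUTRAMP": (1 << 12, 1 << 13),
    "RANDMMAP": (1 << 14, 1 << 15),
}


def decode_pt_pax_flags(p_flags):
    """Map p_flags to {feature: 'on' | 'off' | 'default'}.
    Setting both the enable and the disable bit of one feature is invalid."""
    out = {}
    for name, (on, off) in PT_PAX_BITS.items():
        if p_flags & on and p_flags & off:
            raise ValueError("conflicting %s bits in PT_PAX_FLAGS" % name)
        out[name] = "on" if p_flags & on else "off" if p_flags & off else "default"
    return out


def parse_pax_marking(data):
    """Return the PaX-relevant facts about an ELF image held in memory."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    elf_class, endian = data[4], ("<" if data[5] == 1 else ">")
    if elf_class == 2:    # ELF64: 8-byte offsets, p_flags is the 2nd phdr field
        ehdr = struct.unpack_from(endian + "HHIQQQIHHHHHH", data, 16)
        phdr_fmt, flags_idx = endian + "IIQQQQQQ", 1
    elif elf_class == 1:  # ELF32: 4-byte offsets, p_flags is the 7th phdr field
        ehdr = struct.unpack_from(endian + "HHIIIIIHHHHHH", data, 16)
        phdr_fmt, flags_idx = endian + "IIIIIIII", 6
    else:
        raise ValueError("unknown ELF class %d" % elf_class)
    e_phoff, e_phentsize, e_phnum = ehdr[4], ehdr[8], ehdr[9]
    if e_phentsize != struct.calcsize(phdr_fmt):
        raise ValueError("unexpected e_phentsize %d" % e_phentsize)

    result = {
        "ei_pax": data[EI_PAX],   # raw byte; 0 on a stock, never-marked binary
        "pt_pax_flags": None,     # None = no PT_PAX_FLAGS header at all
    }
    for i in range(e_phnum):
        phdr = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if phdr[0] == PT_PAX_FLAGS:
            result["pt_pax_flags"] = decode_pt_pax_flags(phdr[flags_idx])
            break
    return result


def unmarked(files):
    """Paths in {path: bytes} whose image has no PT_PAX_FLAGS header.
    A kernel with only CONFIG_PAX_PT_PAX_FLAGS has no per-file marking to
    read for these; they are the ones to run `paxctl -C` (or -c) on."""
    return sorted(p for p, d in files.items()
                  if parse_pax_marking(d)["pt_pax_flags"] is None)


def build_elf64(pt_pax_p_flags=None, ei_pax=0):
    """Constructed sample for testing: a minimal little-endian x86-64 ELF with
    one PT_LOAD and, optionally, a PT_PAX_FLAGS header. Not a runnable program."""
    phdrs = [(1, 5, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)]  # PT_LOAD, R+X
    if pt_pax_p_flags is not None:
        phdrs.append((PT_PAX_FLAGS, pt_pax_p_flags, 0, 0, 0, 0, 0, 8))
    # e_ident: magic, class=2 (64-bit), data=1 (LE), version=1, pad, EI_PAX byte
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0, 0, 0, 0, 0, 0, ei_pax, 0])
    ehdr = struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400000, 64, 0, 0,
                       64, 56, len(phdrs), 64, 0, 0)
    return ident + ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)


if __name__ == "__main__":
    # Replace the constructed images with open(path, "rb").read() on a real system.
    stock = build_elf64()
    marked = build_elf64(PT_PAX_BITS["MPROTECT"][1] | PT_PAX_BITS["RANDMMAP"][0])
    print(parse_pax_marking(marked))
    print("unmarked:", unmarked({"/sbin/init": stock, "/sbin/udevd": marked}))
```

On a real host, feed `parse_pax_marking` the bytes of each binary on the PATH and in /lib before rebooting into a PT_PAX_FLAGS-only kernel; anything `unmarked` lists is what the thread's `pspax` output was showing as fully disabled. The `readelf -l` program header listing shows the same header as `PAX_FLAGS` if you want to cross-check one file by hand.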

Re: PaX patch + AppArmor - shouldn't this work?

Posted: Sun Jul 10, 2011 2:53 pm
by Lox
spender wrote:BTW if you used the grsec patch instead, that wouldn't have been a problem ;) I use default-on for PT_PAX_FLAGS now that paxctl has the -C option.

-Brad


Didn't know this worked too. Tried it out with 2.6.39.3 and it seems to work fine with AA. Disabled TPE and the RBAC, enabled a good chunk of the -gr options for testing. Are there any caveats I need to be aware of when doing this instead of going the PaX+AA only route?

Re: PaX patch + AppArmor - shouldn't this work?

Posted: Sun Jul 10, 2011 4:12 pm
by spender
grsecurity can be used in addition to SELinux or Apparmor or anything else. Since it doesn't use LSM it doesn't conflict with any of them.

-Brad