grsecurity forums

Hi.

I'm getting following errors with grsecurity-2.9-2.6.32.59-201204272005.patch and gradm-2.9-201202232055 (i386):

Code: Select all

May  5 13:59:03 host kernel: : grsec: (skype:U:/usr/bin/skype) denied executable mmap of /SYSV00000000 by /usr/bin/skype[skype:6996] uid/euid:1009/1009 gid/egid:1009/1009, parent /usr/lib/kde4/libexec/kdesu_stub[kdesu_stub:6993] uid/euid:1009/1009 gid/egid:1009/1009


despite having following rule in RBAC policy:

Code: Select all

...
role skype u
...
subject /usr/bin/skype oO {
...
   /SYSV00000000  rxi
}


Similar problem was mentioned in old 2005 thread: viewtopic.php?f=3&t=1120

It seems now /SYSV... is correctly recognized in gradm2 as special and globbed mode is used for it, but I'm still getting denied errors.

Any suggestions?

no object for /SYS* should be required anymore. The problem seems to be that you're missing the 'x' subject flag that was added some time ago. From the gradm policy:

Code: Select all

# x -> allows executable anonymous shared memory for this subject


You will also need to disable MPROTECT on the subject, which you can do with:

Code: Select all

-PAX_MPROTECT


-Brad

spender wrote:no object for /SYS* should be required anymore. The problem seems to be that you're missing the 'x' subject flag that was added some time ago. From the gradm policy:

Code: Select all

# x -> allows executable anonymous shared memory for this subject


You're right, I must've missed that new mode. Works like a charm after adding it to the subject.

spender wrote:You will also need to disable MPROTECT on the subject, which you can do with:

Code: Select all

-PAX_MPROTECT


Yep, already got that.

Thanks for your help!