I have grsec patched kernels running on different hardware platforms.
All of the hardware platforms below share the following setup:
The kernel version is 3.2.39-grsec SMP x86_64.
The OS is Debian Squeeze 6.0.3 32-bit.
All of the kernels have the CONFIG_GRKERNSEC_KMEM option enabled.
When I run dmidecode to check various system information on a SuperMicro X7DVL motherboard with an Intel Xeon E5345,
everything works fine:
open("/dev/mem", O_RDONLY) = 3
mmap2(NULL, 65536, PROT_READ, MAP_SHARED, 3, 0xf0) = 0xea0c6000
munmap(0xea0c6000, 65536) = 0
close(3) = 0
open("/dev/mem", O_RDONLY) = 3
mmap2(NULL, 1674, PROT_READ, MAP_SHARED, 3, 0xcff6a) = 0xea223000
munmap(0xea223000, 1674) = 0
close(3) = 0
write(1, "# dmidecode 2.9\nSMBIOS 2.4 prese"..., 4096# dmidecode 2.9
SMBIOS 2.4 present.
45 structures occupying 1674 bytes.
Table at 0xCFF6A000.
On X9DR3 and Xeon E5-2630 everything is OK too.
open("/dev/mem", O_RDONLY) = 3
mmap2(NULL, 65536, PROT_READ, MAP_SHARED, 3, 0xf0) = 0xe5002000
munmap(0xe5002000, 65536) = 0
close(3) = 0
open("/dev/mem", O_RDONLY) = 3
mmap2(NULL, 6662, PROT_READ, MAP_SHARED, 3, 0xeb) = 0xe5162000
munmap(0xe5162000, 6662) = 0
close(3) = 0
write(1, "# dmidecode 2.9\nSMBIOS 2.7 prese"..., 4096# dmidecode 2.9
SMBIOS 2.7 present.
135 structures occupying 5910 bytes.
Table at 0x000EB2F0.
Handle 0x0000, DMI type 0, 24 bytes
When I try to run dmidecode on the same OS, kernel and grsec config, but on a SuperMicro X8DTL motherboard with an Intel Xeon E5620,
grsec denies dmidecode access to /dev/mem:
open("/dev/mem", O_RDONLY) = 3
mmap2(NULL, 5923, PROT_READ, MAP_SHARED, 3, 0x99) = -1 EPERM (Operation not permitted)
lseek(3, 629760, SEEK_SET) = 629760
read(3, 0x3cae320, 2851) = -1 EPERM (Operation not permitted)
close(3) = 0
dup(2) = 3
fcntl64(3, F_GETFL) = 0x8002 (flags O_RDWR|O_LARGEFILE)
fstat64(3, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xde6c3000
_llseek(3, 0, 0xf640f738, SEEK_CUR) = -1 ESPIPE (Illegal seek)
write(3, "/dev/mem: Operation not permitte"..., 34/dev/mem: Operation not permitted
) = 34
close(3) = 0
munmap(0xde6c3000, 4096) = 0
write(2, "Table is unreachable, sorry.\n", 29Table is unreachable, sorry.
) = 29
exit_group(0) = ?
This error message is shown in dmesg:
denied access of range 9a000 -> 9a723 in /dev/mem by /usr/sbin/dmidecode[dmidecode:29086] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:29071] uid/euid:0/0 gid/egid:0/0
I checked the grsec patch code and I saw that some /dev/mem address ranges are allowed.
Is it possible to make dmidecode work on my Xeon 5620 platform without disabling CONFIG_GRKERNSEC_KMEM?
Thank you!
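
Added example, not part of the original post and not dmidecode or grsecurity code: a Python helper that reconstructs the physical byte ranges dmidecode requested from the strace lines above and matches them to the dmesg denial. The function names are hypothetical; the only fact it relies on is that mmap2 takes its offset in 4096-byte units.

```python
import re

PAGE = 4096  # mmap2(2) takes its file offset in 4096-byte units, not bytes

# Sample input: lines copied from the failing X8DTL trace and dmesg line in the post.
STRACE = """\
open("/dev/mem", O_RDONLY) = 3
mmap2(NULL, 5923, PROT_READ, MAP_SHARED, 3, 0x99) = -1 EPERM (Operation not permitted)
lseek(3, 629760, SEEK_SET) = 629760
read(3, 0x3cae320, 2851) = -1 EPERM (Operation not permitted)
close(3) = 0
dup(2) = 3
"""
DMESG = ("denied access of range 9a000 -> 9a723 in /dev/mem by "
         "/usr/sbin/dmidecode[dmidecode:29086] uid/euid:0/0 gid/egid:0/0")

def devmem_accesses(strace_text):
    """List (syscall, start, end, ok) for /dev/mem mmap2/read calls; end is exclusive."""
    pos, out = {}, []          # pos: open /dev/mem fd -> current file offset
    for line in strace_text.splitlines():
        ok = "= -1 " not in line
        if m := re.match(r'open\("/dev/mem", [^)]*\) = (\d+)', line):
            pos[int(m[1])] = 0
        elif m := re.match(r'close\((\d+)\)', line):
            pos.pop(int(m[1]), None)   # fd numbers get reused (dup(2) = 3 above)
        elif m := re.match(r'lseek\((\d+), (\d+), SEEK_SET\)', line):
            if int(m[1]) in pos:
                pos[int(m[1])] = int(m[2])
        elif m := re.match(r'mmap2\(\w+, (\d+), [^,]+, [^,]+, (-?\d+), (\w+)\)', line):
            if int(m[2]) in pos:
                start = int(m[3], 0) * PAGE      # page offset -> physical byte address
                out.append(("mmap2", start, start + int(m[1]), ok))
        elif m := re.match(r'read\((\d+), [^,]+, (\d+)\)', line):
            fd, n = int(m[1]), int(m[2])
            if fd in pos:
                out.append(("read", pos[fd], pos[fd] + n, ok))
                pos[fd] += n if ok else 0
    return out

def parse_denial(dmesg_line):
    """Extract (start, end, binary) from a grsec /dev/mem denial line."""
    m = re.search(r'denied access of range ([0-9a-f]+) -> ([0-9a-f]+) in /dev/mem by (\S+?)\[', dmesg_line)
    return (int(m[1], 16), int(m[2], 16), m[3]) if m else None

def explain(strace_text, dmesg_line):
    """Return the failed accesses whose byte range overlaps the denied range."""
    lo, hi, _ = parse_denial(dmesg_line)
    return [a for a in devmem_accesses(strace_text) if not a[3] and a[1] < hi and lo < a[2]]
```

For the trace above, `explain(STRACE, DMESG)` returns both failed calls: the mmap2 covers 0x99000 to 0x9a723 and the fallback read covers 0x99c00 to 0x9a723, so each one extends into the page at 0x9a000 named in the denial.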