
grsec: denied use of iopl() by /sbin/hwclock[hwclock:241]

Posted: Sat Aug 17, 2013 7:13 pm
by x14sg1
Hello,

I enabled GRKERNSEC_IO in my last kernel build (3.10.7-201308171249) after
reading the comments about hwclock below. I have verified that the 3 RTC_*
config options below are set. However, I get the error in the subject line. Shouldn't
hwclock work? I can email you my config if you want it. Comcast will not let me upload it at the moment.

Thanks,

Tim

+config GRKERNSEC_IO
+ bool "Disable privileged I/O"
+ default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER)
+ depends on X86
+ select RTC_CLASS
+ select RTC_INTF_DEV
+ select RTC_DRV_CMOS
+
+ help
+ If you say Y here, all ioperm and iopl calls will return an error.
+ Ioperm and iopl can be used to modify the running kernel.
+ Unfortunately, some programs need this access to operate properly,
+ the most notable of which are XFree86 and hwclock. hwclock can be
+ remedied by having RTC support in the kernel, so real-time
+ clock support is enabled if this option is enabled, to ensure
+ that hwclock operates correctly. XFree86 still will not
+ operate correctly with this option enabled, so DO NOT CHOOSE Y
+ IF YOU USE XFree86. If you use XFree86 and you still want to
+ protect your kernel against modification, use the RBAC system.
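Review bot: the help text's promise that RTC support is selected "to ensure that hwclock operates correctly" only holds when hwclock reads the clock through the RTC device. The three select lines build the driver, but a hwclock invocation that forces direct ISA access (--directisa) still calls iopl() and is denied. Suggest adding a sentence to the help saying that hwclock must be left to use /dev/rtc and that any init script passing --directisa needs that flag removed.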

Re: grsec: denied use of iopl() by /sbin/hwclock[hwclock:241

Posted: Sat Aug 17, 2013 7:18 pm
by x14sg1

Re: grsec: denied use of iopl() by /sbin/hwclock[hwclock:241

Posted: Sun Aug 18, 2013 8:00 pm
by tigusoft2
x14sg1 wrote: My config file:

https://home.comcast.net/~x14sg1/config


Is this the correct file? Where are the "GRKERNSEC" options?

Re: grsec: denied use of iopl() by /sbin/hwclock[hwclock:241

Posted: Sun Aug 18, 2013 9:22 pm
by x14sg1
Sorry, I uploaded the wrong kernel. I compile a non-grsec kernel for the host I run VirtualBox on, as I haven't had a chance to investigate what I need to turn off to run VirtualBox with a grsec kernel (probably one or both of KERNEXEC and UDEREF, probably others).

The correct .config was uploaded (and the problem happens with the latest patch -
grsecurity-2.9.1-3.10.7-201308181813.patch)

https://home.comcast.net/~x14sg1/config

Re: grsec: denied use of iopl() by /sbin/hwclock[hwclock:241

Posted: Tue Aug 20, 2013 1:08 am
by x14sg1
Hello,

The behavior is the same with the grsecurity-2.9.1-3.10.7-201308192211.patch.

Can anyone run hwclock with GRKERNSEC_IO enabled without getting the "denied use of iopl()" message in the subject line?

Re: grsec: denied use of iopl() by /sbin/hwclock[hwclock:241

Posted: Tue Aug 20, 2013 7:02 am
by spender
Can you give me an strace of hwclock with the same arguments used during startup?

-Brad

Re: grsec: denied use of iopl() by /sbin/hwclock[hwclock:241

Posted: Tue Aug 20, 2013 2:30 pm
by x14sg1

Re: grsec: denied use of iopl() by /sbin/hwclock[hwclock:241

Posted: Tue Aug 20, 2013 5:14 pm
by spender
Hi,

This is because you're using the --directisa argument to hwclock. Remove it from whatever init script is forcing it, and then hwclock will attempt to use /dev/rtc instead of immediately going the iopl route.

-Brad
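
The diagnosis above, turned into a check, as an added example that is not part of the thread or of grsecurity: it pulls the denied program out of grsec log lines in the format shown in the thread title, then lists the init-script lines that carry --directisa. The directory layout, script names and script contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. All sample data is constructed.

# Read kernel log text on stdin; print each program grsec denied iopl() to.
iopl_denied_programs() {
    sed -n 's/.*grsec: denied use of iopl() by \([^[]*\)\[.*/\1/p' | sort -u
}

# Print file:line:text for every non-comment line under directory $1 that
# carries --directisa. Scripts often pass the flag through a variable, so
# match the flag itself rather than a literal hwclock command line.
find_directisa() {
    grep -rn -e '--directisa' "$1" 2>/dev/null |
        grep -v -E '^[^:]*:[0-9]+:[[:space:]]*#' || true
}

# Report the offending init lines only when hwclock was actually denied.
# $1 = kernel log file, $2 = init script directory
report() {
    if iopl_denied_programs < "$1" | grep -q '/hwclock$'; then
        find_directisa "$2"
    fi
}

# Build a constructed log and init tree (hypothetical names); print its path.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/init"
    printf '%s\n' \
        'grsec: denied use of iopl() by /sbin/hwclock[hwclock:241]' \
        '[   12.3] grsec: denied use of iopl() by /sbin/hwclock[hwclock:977]' \
        > "$d/kern.log"
    printf '%s\n' \
        '# --directisa was once needed on this board' \
        'CLOCK_OPT="--directisa"' \
        '/sbin/hwclock $CLOCK_OPT --hctosys' > "$d/init/rc.clock"
    printf '%s\n' '/sbin/hwclock --systohc' > "$d/init/rc.shutdown"
    printf '%s\n' "$d"
}

sample=$(make_sample)
report "$sample/kern.log" "$sample/init"
rm -rf "$sample"
```

On a real system, pass the kernel log and the distribution's init script directory to report; the line it prints is the one to edit so that hwclock falls back to /dev/rtc.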

Re: grsec: denied use of iopl() by /sbin/hwclock[hwclock:241

Posted: Tue Aug 20, 2013 8:33 pm
by x14sg1
Thanks - verified it works

I realized after I posted it and left for work I should have tried that.