
grsec-3.0* + Linux 2.12.6 vs. Grub and Java

Posted: Thu Dec 26, 2013 3:51 pm
by Silke
Hello all,

I've run into a strange problem with the grsecurity-3.0-3.12.6-201312251834 and grsecurity-3.0-3.12.6-201312221037 patches and kernel 2.12.6. The running system seems to ignore execution flags set with paxctl, even though the same binary works under a grsecurity-2.9.1-3.11.1-201309181826-based kernel (w/3.11.1, obviously). In both cases, this is a vanilla kernel with no other patches but grsec.

Observe:

Code:
root@storage:~# uname -a
Linux storage 3.11.1-el1-grs-grsec #2 SMP Sat Sep 21 21:02:24 CEST 2013 x86_64 x86_64 x86_64 GNU/Linux
root@storage:~# grub-probe
No path or device is specified.
Usage: grub-probe [OPTION...] [OPTION]... [PATH|DEVICE]
Try `grub-probe --help' or `grub-probe --usage' for more information.
root@storage:~# java -version
java version "1.7.0_25"
OpenJDK Runtime Environment (IcedTea 2.3.10) (7u25-2.3.10-1ubuntu0.13.04.2)
OpenJDK 64-Bit Server VM (build 23.7-b01, mixed mode)


versus:

Code:
root@storage:~# uname -a
Linux storage 3.12.6-el2-grs-grsec #2 SMP Sat Dec 26 11:02:24 CEST 2013 x86_64 x86_64 x86_64 GNU/Linux
root@storage:/usr/lib/jvm/java-7-openjdk-amd64/jre/bin# java -version
Killed
root@storage:/usr/lib/jvm/java-7-openjdk-amd64/jre/bin# grub-probe
Killed

There is *no* output in dmesg following the above.

Binaries, obviously, are the same in both cases, as are their pax flags:
Code:
root@storage:~# paxctl -v /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -p-s-m-x-e-r [/usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java]
        PAGEEXEC is disabled
        SEGMEXEC is disabled
        MPROTECT is disabled
        RANDEXEC is disabled
        EMUTRAMP is disabled
        RANDMMAP is disabled
root@storage:~# paxctl -v /usr/sbin/grub-probe
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -p-s-m-x-e-- [/usr/sbin/grub-probe]
        PAGEEXEC is disabled
        SEGMEXEC is disabled
        MPROTECT is disabled
        RANDEXEC is disabled
        EMUTRAMP is disabled


RBAC is disabled.

The configuration of both kernels is virtually identical, with the following grsecurity options:
Code:
silke@builder-raring:~/src/linux/linux-3.12.6$ grep GRKERNSEC .config
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_CONFIG_AUTO=y
# CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set
CONFIG_GRKERNSEC_CONFIG_SERVER=y
# CONFIG_GRKERNSEC_CONFIG_DESKTOP is not set
CONFIG_GRKERNSEC_CONFIG_VIRT_NONE=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_HOST is not set
CONFIG_GRKERNSEC_CONFIG_PRIORITY_PERF=y
# CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY is not set
CONFIG_GRKERNSEC_PROC_GID=50
CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=53
CONFIG_GRKERNSEC_SYMLINKOWN_GID=51
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_JIT_HARDEN=y
CONFIG_GRKERNSEC_PERF_HARDEN=y
CONFIG_GRKERNSEC_RAND_THREADSTACK=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_KERN_LOCKOUT=y
# CONFIG_GRKERNSEC_NO_RBAC is not set
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_SYMLINKOWN=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
# CONFIG_GRKERNSEC_ROFS is not set
CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
CONFIG_GRKERNSEC_CHROOT_INITRD=y
CONFIG_GRKERNSEC_AUDIT_GROUP=y
CONFIG_GRKERNSEC_AUDIT_GID=52
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
CONFIG_GRKERNSEC_SIGNAL=y
# CONFIG_GRKERNSEC_FORKFAIL is not set
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_RWXMAP_LOG=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_READEXEC=y
CONFIG_GRKERNSEC_SETXID=y
CONFIG_GRKERNSEC_HARDEN_IPC=y
CONFIG_GRKERNSEC_TPE=y
# CONFIG_GRKERNSEC_TPE_ALL is not set
# CONFIG_GRKERNSEC_TPE_INVERT is not set
CONFIG_GRKERNSEC_TPE_GID=53
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_BLACKHOLE=y
CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
# CONFIG_GRKERNSEC_SOCKET is not set
CONFIG_GRKERNSEC_DENYUSB=y
# CONFIG_GRKERNSEC_DENYUSB_FORCE is not set
CONFIG_GRKERNSEC_SYSCTL=y
# CONFIG_GRKERNSEC_SYSCTL_DISTRO is not set
CONFIG_GRKERNSEC_SYSCTL_ON=y
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=6


Can somebody suggest what's going on?

Re: grsec-3.0* + Linux 2.12.6 vs. Grub and Java

Posted: Thu Dec 26, 2013 5:20 pm
by PaX Team
my guess would be that you have CONFIG_PAX_XATTR_PAX_FLAGS enabled but don't have the corresponding user.pax.flags set up as well despite what the config help says ;).
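
One way to check for the mismatch described in the reply above, as an added example that is not part of any post in this thread: the script reads `paxctl -v` output on stdin and, if the given kernel `.config` enables `CONFIG_PAX_XATTR_PAX_FLAGS`, prints the `setfattr` command that would carry each binary's header marking over to `user.pax.flags`. The function names are hypothetical, and the xattr letter set (`PpEeMmRrSs`, with no RANDEXEC letter) is an assumption stated in the comments.

```shell
#!/bin/sh
# Added example (constructed; not from the thread).
# Usage: paxctl -v /usr/sbin/grub-probe | sh this-script /path/to/.config

# True if the kernel .config at $1 enables xattr-based PaX markings.
xattr_marking_enabled() {
    grep -q '^CONFIG_PAX_XATTR_PAX_FLAGS=y' "$1"
}

# "-p-s-m-x-e-r" -> "psmer": drop unset slots ("-") and RANDEXEC (x/X).
# Assumption: user.pax.flags accepts only the letters PpEeMmRrSs.
pt_to_xattr() {
    printf '%s' "$1" | tr -d 'xX-'
}

# For every "- PaX flags: FLAGS [PATH]" line on stdin, print the setfattr
# command that would store the same marking in user.pax.flags.
suggest_xattrs() {
    config=$1
    if ! xattr_marking_enabled "$config"; then
        echo "# CONFIG_PAX_XATTR_PAX_FLAGS not enabled in $config"
        return 0
    fi
    sed -n 's/^- PaX flags: \([^ ]*\) \[\(.*\)\]$/\1 \2/p' |
    while read -r flags path; do
        value=$(pt_to_xattr "$flags")
        if [ -z "$value" ]; then
            # Nothing set in the ELF header, so there is nothing to copy.
            echo "# $path: no flags set in PT_PAX_FLAGS, no xattr suggested"
        else
            printf "setfattr -n user.pax.flags -v %s '%s'\n" "$value" "$path"
        fi
    done
}

# Run only when a .config path is passed on the command line.
if [ "$#" -ge 1 ]; then
    suggest_xattrs "$1"
fi
```

The script only prints commands; the current xattr on a file can be inspected with `getfattr -n user.pax.flags <file>` before applying any of them.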

Re: grsec-3.0* + Linux 2.12.6 vs. Grub and Java

Posted: Thu Dec 26, 2013 6:50 pm
by Silke
Does that mean that "3.0" in patch version means "Three different ways" to label binaries? :)

I'm somewhat confused, though. As I said, I haven't changed grsec's configuration, so why the difference in behaviour?

Additionally, *which* label system is recommended now? What about paxctl? Is it deprecated or not?

And finally, why are there no errors logged under the new kernel?

I'll try without CONFIG_PAX_XATTR_PAX_FLAGS in a bit and report.

Re: grsec-3.0* + Linux 2.12.6 vs. Grub and Java

Posted: Thu Dec 26, 2013 9:31 pm
by spender
The latest test patch reverts the recent change in behavior in PaX markings. We'll be making a more comprehensive revamp to it soon that won't break existing setups.

-Brad