
PaX Quickstart Demystified

PostPosted: Fri Apr 29, 2016 12:38 pm
by timbgo

The title reflects what has only started happening for me.

However, having read the PaX Quickstart, currently at this Gentoo Wiki page:

Hardened/PaX Quickstart
https://wiki.gentoo.org/wiki/Hardened/PaX_Quickstart

a few times over the span of many months, a proper understanding of that tutorial has always eluded me.

I think I'll finally be getting a grip on it, but slowly; as I'm an older man and a late adopter of FOSS *nix knowledge, I don't go fast.

And I don't promise nor pretend to do a good job, but I'd like to try. I have had some success in the past in presenting the very basics of compiling a grsecurity-hardened kernel in Debian:

Grsecurity/Pax installation on Debian GNU/Linux
http://forums.debian.net/viewtopic.php?f=16&t=108616

but that is generally for newcomers to grsecurity, and presenting it was, for me, an easy start. This leg of my quest is harder.

And having made a tiny breakthrough today, I thought I'd post my understanding of it, which is (hopefully) finally beginning to arrive, for other users with similar difficulty in understanding these matters.

Before I post my notes: read the man pages when the need arises (such as for mmap, mprotect, sysconf, capabilities, and others).

Also read some tutorials on C. I found really great and pretty easy-to-grasp tutorials at:
CodingUnit C Tutorials
https://www.codingunit.com/category/c-tutorials

I am creating this as an aid to understanding that Gentoo Wiki page (linked at the start). It is very far from a substitute! E.g. in this first post I only try to help demystify what has been an insurmountable hurdle during my repeated readings of that Wiki page over, let me correct my previous statement above (as I begin to recollect more clearly during final proofreading), not just numerous months, but maybe two or three years!

And I've gone back to reading it because I've recently been having trouble figuring out how to resolve:

Building Cinelerra and stack exec and mprotect issues
viewtopic.php?f=3&t=4453

and I decided to give myself a refresher on PaX.

For stubborn newbies, I hope my notes might help a little, so I'm posting them.

From:

Hardened/PaX Quickstart
https://wiki.gentoo.org/wiki/Hardened/PaX_Quickstart

mmap-rwx.c Violate MPROTECT with RWX mmap

Code:
/*
 * mmap-rwx.c (from the Gentoo Hardened/PaX Quickstart)
 *
 * Contrast compiling with:
 *   gcc -UBAD -o mmap-rw mmap-rwx.c    (RW anonymous mapping: allowed)
 *   gcc -DBAD -o mmap-rwx mmap-rwx.c   (RWX anonymous mapping: the MPROTECT violation)
 */

#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <errno.h>
#include <string.h>

int main(void) {
   size_t *m;

#ifdef BAD
   /* writable and executable at once: the mapping MPROTECT forbids */
   m = mmap( NULL, 1024, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0 );
#else
   /* read/write only: harmless, so it must succeed even with MPROTECT on */
   m = mmap( NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0 );
#endif

   if( m == MAP_FAILED )
      printf("mmap failed: %s\n", strerror(errno));   /* errno says why the kernel refused */
   else
      printf("mmap succeeded: %p\n", (void *)m);

   return 0;
}


And I ran it (entire output here):

Code:
$ gcc -UBAD -o mmap-rw mmap-rwx.c
gcc: internal compiler error: Segmentation fault (program collect2)
Please submit a full bug report,
with preprocessed source if appropriate.
See <https://bugs.gentoo.org/> for instructions.
$


The logs:

Code:
Apr 29 13:43:13 g0n kernel: [1110168.637144] grsec: (miro:U:/) exec of /usr/bin/gcc (gcc -UBAD -o mmap-rw mmap-rwx.c ) by /usr/bin/gcc[bash:6535] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:14260] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 13:43:13 g0n kernel: [1110168.639369] grsec: (miro:U:/) exec of /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc (/usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/gcc -UBAD -o mmap-rw mmap-rwx.c ) by /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6535] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:14260] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 13:43:13 g0n kernel: [1110168.700768] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) exec of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1 (/usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1 -quiet -U BAD mmap-rwx.c -fno-strict-overflow -quiet -dumpbase mmap-rwx.c -mtune=) by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1[gcc:6536] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6535] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 13:43:15 g0n kernel: [1110170.164953] grsec: (miro:U:/) exec of /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/as (/usr/lib/gcc/x86_64-pc-linux-gnu/5.3.0/../../../../x86_64-pc-linux-gnu/bin/as --64 -o /tmp/ccUDNLqe.o /tmp/cc0iXSUy.s ) by /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/as[gcc:6537] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6535] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 13:43:15 g0n kernel: [1110170.424845] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) exec of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 (/usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 -plugin /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/liblto_plugin.so -plugin-) by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[gcc:6538] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6535] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 13:43:15 g0n kernel: [1110170.424996] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) denied executable mmap of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:6538] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6535] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 13:43:15 g0n kernel: [1110170.425036] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) Segmentation fault occurred at            (nil) in /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:6538] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6535] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 13:43:15 g0n kernel: [1110170.425081] grsec: (miro:U:/) bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds.  Please investigate the crash report for /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[collect2:6538] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6535] uid/euid:1000/1000 gid/egid:1000/1000


Trying the alternative given in the comments of the script:

Code:
$ gcc -DBAD -o mmap-rwx mmap-rwx.c
gcc: internal compiler error: Segmentation fault (program collect2)
Please submit a full bug report,
with preprocessed source if appropriate.
See <https://bugs.gentoo.org/> for instructions.
miro@g0n ~ $


Logs:

Code:
Apr 29 13:51:53 g0n kernel: [1110688.208636] grsec: (miro:U:/) exec of /usr/bin/gcc (gcc -DBAD -o mmap-rwx mmap-rwx.c ) by /usr/bin/gcc[bash:6594] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:14260] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 13:51:53 g0n kernel: [1110688.209468] grsec: (miro:U:/) exec of /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc (/usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/gcc -DBAD -o mmap-rwx mmap-rwx.c ) by /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6594] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:14260] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 13:51:53 g0n kernel: [1110688.211259] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) exec of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1 (/usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1 -quiet -D BAD mmap-rwx.c -fno-strict-overflow -quiet -dumpbase mmap-rwx.c -mtune=) by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1[gcc:6597] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6594] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 13:51:53 g0n kernel: [1110688.245002] grsec: (miro:U:/) exec of /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/as (/usr/lib/gcc/x86_64-pc-linux-gnu/5.3.0/../../../../x86_64-pc-linux-gnu/bin/as --64 -o /tmp/cc5I1EAF.o /tmp/ccGVI7b3.s ) by /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/as[gcc:6598] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6594] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 13:51:53 g0n kernel: [1110688.261310] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) exec of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 (/usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 -plugin /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/liblto_plugin.so -plugin-) by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[gcc:6599] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6594] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 13:51:53 g0n kernel: [1110688.261360] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) denied executable mmap of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:6599] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6594] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 13:51:53 g0n kernel: [1110688.261371] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) Segmentation fault occurred at            (nil) in /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:6599] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6594] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 13:51:53 g0n kernel: [1110688.261384] grsec: (miro:U:/) bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds.  Please investigate the crash report for /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[collect2:6599] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6594] uid/euid:1000/1000 gid/egid:1000/1000


Maybe because 30 minutes haven't passed?


Or is it because MPROTECT is enabled in the kernel's PaX configuration... See:

Code:
$ gcc -DBAD -o mmap-rwx mmap-rwx.c
gcc: internal compiler error: Segmentation fault (program collect2)
Please submit a full bug report,
with preprocessed source if appropriate.
See <https://bugs.gentoo.org/> for instructions.
$


Code:
Apr 29 15:44:27 g0n kernel: [1117442.385660] grsec: (miro:U:/) exec of /usr/bin/gcc (gcc -DBAD -o mmap-rwx mmap-rwx.c ) by /usr/bin/gcc[bash:6942] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:14260] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 15:44:27 g0n kernel: [1117442.387768] grsec: (miro:U:/) exec of /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc (/usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/gcc -DBAD -o mmap-rwx mmap-rwx.c ) by /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6942] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:14260] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 15:44:27 g0n kernel: [1117442.389546] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) exec of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1 (/usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1 -quiet -D BAD mmap-rwx.c -fno-strict-overflow -quiet -dumpbase mmap-rwx.c -mtune=) by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1[gcc:6945] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6942] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 15:44:27 g0n kernel: [1117442.421877] grsec: (miro:U:/) exec of /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/as (/usr/lib/gcc/x86_64-pc-linux-gnu/5.3.0/../../../../x86_64-pc-linux-gnu/bin/as --64 -o /tmp/ccKKgCVv.o /tmp/ccFgXM4t.s ) by /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/as[gcc:6946] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6942] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 15:44:27 g0n kernel: [1117442.430869] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) exec of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 (/usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 -plugin /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/liblto_plugin.so -plugin-) by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[gcc:6947] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6942] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 15:44:27 g0n kernel: [1117442.431023] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) denied executable mmap of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:6947] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6942] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 15:44:27 g0n kernel: [1117442.431063] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) Segmentation fault occurred at            (nil) in /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:6947] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6942] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 15:44:27 g0n kernel: [1117442.431128] grsec: (miro:U:/) bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds.  Please investigate the crash report for /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[collect2:6947] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6942] uid/euid:1000/1000 gid/egid:1000/1000


NOTE: You need to look at the new subject
/usr/libexec/gcc/x86_64-pc-linux-gnu
in the article with my (old) policy:

A no-poetterware desktop RBAC policy
viewtopic.php?f=5&t=4153&p=16248#p16248

And you'll figure out why it has changed today to:
< same title >
viewtopic.php?f=5&t=4153&p=16248#p16249

when you reach the bottom of this first post.

Added:

Code:
subject /usr/libexec/gcc/x86_64-pc-linux-gnu o {
...
   +CAP_IPC_LOCK
...


From 'man capabilities' :

Code:
       CAP_IPC_LOCK
         Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)).

Waiting a few minutes, just in case, to get past the 30 minutes: 2016-04-29 16:09+02:00

Still:

Code:
$ gcc -DBAD -o mmap-rwx mmap-rwx.c
gcc: internal compiler error: Segmentation fault (program collect2)
Please submit a full bug report,
with preprocessed source if appropriate.
See <https://bugs.gentoo.org/> for instructions.
$




Maybe try:

Code:
       CAP_SYS_RAWIO
         * Perform I/O port operations (iopl(2) and ioperm(2));
         * access /proc/kcore;
         * employ the FIBMAP ioctl(2) operation;
         * open devices for accessing x86 model-specific registers (MSRs, see msr(4))
         * update /proc/sys/vm/mmap_min_addr;
         * create memory mappings at addresses below the value specified by
           /proc/sys/vm/mmap_min_addr;
         * map files in /proc/bus/pci;
         * open /dev/mem and /dev/kmem;
         * perform various SCSI device commands;
         * perform certain operations on hpsa(4) and cciss(4) devices;
         * perform a range of device-specific operations on other devices.


Code:
subject /usr/libexec/gcc/x86_64-pc-linux-gnu o {
...
   +CAP_IPC_LOCK
   +CAP_SYS_RAWIO
...


Code:
Apr 29 16:22:59 g0n kernel: [1119754.501723] grsec: (miro:U:/) exec of /usr/bin/gcc (gcc -DBAD -o mmap-rwx mmap-rwx.c ) by /usr/bin/gcc[bash:7476] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:14260] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:22:59 g0n kernel: [1119754.503796] grsec: (miro:U:/) exec of /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc (/usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/gcc -DBAD -o mmap-rwx mmap-rwx.c ) by /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7476] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:14260] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:22:59 g0n kernel: [1119754.508281] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) exec of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1 (/usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1 -quiet -D BAD mmap-rwx.c -fno-strict-overflow -quiet -dumpbase mmap-rwx.c -mtune=) by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1[gcc:7477] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7476] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:22:59 g0n kernel: [1119754.541827] grsec: (miro:U:/) exec of /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/as (/usr/lib/gcc/x86_64-pc-linux-gnu/5.3.0/../../../../x86_64-pc-linux-gnu/bin/as --64 -o /tmp/ccmmoE9L.o /tmp/ccWmHNgE.s ) by /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/as[gcc:7478] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7476] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:22:59 g0n kernel: [1119754.550379] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) exec of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 (/usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 -plugin /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/liblto_plugin.so -plugin-) by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[gcc:7479] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7476] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:22:59 g0n kernel: [1119754.550521] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) denied executable mmap of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:7479] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7476] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:22:59 g0n kernel: [1119754.550561] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) Segmentation fault occurred at            (nil) in /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:7479] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7476] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:22:59 g0n kernel: [1119754.550605] grsec: (miro:U:/) bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds.  Please investigate the crash report for /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[collect2:7479] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7476] uid/euid:1000/1000 gid/egid:1000/1000


After:

Code:
subject /usr/libexec/gcc/x86_64-pc-linux-gnu o {
...
    /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2   x
...
   +CAP_IPC_LOCK
   +CAP_SYS_RAWIO
...


Code:
$ gcc -DBAD -o mmap-rw mmap-rwx.c
collect2: error trying to exec
'/usr/lib/gcc/x86_64-pc-linux-gnu/5.3.0/../../../../x86_64-pc-linux-gnu/bin/ld':
execvp: Permission denied
collect2: error: ld returned 255 exit status
collect2: error trying to exec
'/usr/lib/gcc/x86_64-pc-linux-gnu/5.3.0/../../../../x86_64-pc-linux-gnu/bin/ld':
execvp: Permission denied
$


And that is a whole load of a difference... Finally this mystery is starting to crack and slowly open up to my mind. Still vaguely, but before now it was less than vaguely...

Let's see the logs:


Code:
Apr 29 16:33:13 g0n kernel: [1120368.511438] grsec: (miro:U:/) exec of /usr/bin/gcc (gcc -DBAD -o mmap-rw mmap-rwx.c ) by /usr/bin/gcc[bash:7816] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:14260] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:33:13 g0n kernel: [1120368.513604] grsec: (miro:U:/) exec of /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc (/usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/gcc -DBAD -o mmap-rw mmap-rwx.c ) by /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7816] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:14260] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:33:13 g0n kernel: [1120368.517526] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) exec of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1 (/usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1 -quiet -D BAD mmap-rwx.c -fno-strict-overflow -quiet -dumpbase mmap-rwx.c -mtune=) by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1[gcc:7817] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7816] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:33:13 g0n kernel: [1120368.553790] grsec: (miro:U:/) exec of /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/as (/usr/lib/gcc/x86_64-pc-linux-gnu/5.3.0/../../../../x86_64-pc-linux-gnu/bin/as --64 -o /tmp/ccDxz1E4.o /tmp/ccZ2Vs1g.s ) by /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/as[gcc:7818] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7816] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:33:13 g0n kernel: [1120368.562191] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) exec of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 (/usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 -plugin /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/liblto_plugin.so -plugin-) by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[gcc:7819] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7816] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:33:13 g0n kernel: [1120368.591854] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) denied execution of /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/ld by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:7820] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:7819] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:33:13 g0n kernel: [1120368.592428] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) denied unlink of /tmp/ccKukuH0.ld by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:7819] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7816] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:33:13 g0n kernel: [1120368.592730] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) denied unlink of /tmp/ccDDaQtO.le by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:7819] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7816] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:33:13 g0n kernel: [1120368.592796] grsec: more alerts, logging disabled for 10 seconds


Trying again after adding:

Code:
subject /usr/libexec/gcc/x86_64-pc-linux-gnu o {
...
   /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2   x
   /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/ld      x
...
   +CAP_IPC_LOCK
   +CAP_SYS_RAWIO
...


Code:
$ gcc -DBAD -o mmap-rw mmap-rwx.c
$


Compiled!

Code:
$ ls -ltr
...
-rwxr-xr-x  1 miro miro     8032 2016-04-29 16:56 mmap-rw
miro@g0n ~ $ file mmap-rw
mmap-rw: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, not stripped
$


Logs:

Code:
Apr 29 16:56:20 g0n kernel: [1121755.904933] grsec: (miro:U:/) exec of /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc (/usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/gcc -DBAD -o mmap-rw mmap-rwx.c ) by /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7902] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:14260] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:56:20 g0n kernel: [1121755.909516] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) exec of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1 (/usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1 -quiet -D BAD mmap-rwx.c -fno-strict-overflow -quiet -dumpbase mmap-rwx.c -mtune=) by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1[gcc:7903] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7902] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:56:20 g0n kernel: [1121755.945310] grsec: (miro:U:/) exec of /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/as (/usr/lib/gcc/x86_64-pc-linux-gnu/5.3.0/../../../../x86_64-pc-linux-gnu/bin/as --64 -o /tmp/ccg7xAbe.o /tmp/ccUuVXSy.s ) by /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/as[gcc:7904] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7902] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:56:20 g0n kernel: [1121755.953609] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) exec of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 (/usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 -plugin /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/liblto_plugin.so -plugin-) by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[gcc:7905] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7902] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:56:20 g0n kernel: [1121755.969700] grsec: (miro:U:/) exec of /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/ld (/usr/lib/gcc/x86_64-pc-linux-gnu/5.3.0/../../../../x86_64-pc-linux-gnu/bin/ld -plugin /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0) by /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/ld[collect2:7906] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:7905] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:56:20 g0n kernel: [1121756.126296] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) denied unlink of /tmp/ccytliGY.ld by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:7905] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7902] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:56:20 g0n kernel: [1121756.126398] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) denied unlink of /tmp/ccJltc1D.le by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:7905] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7902] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:56:20 g0n kernel: [1121756.126441] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) denied unlink of /tmp/ccLUTu0D.c by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:7905] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7902] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:56:20 g0n kernel: [1121756.126464] grsec: more alerts, logging disabled for 10 seconds


The last one is (I guess) because that subject in question had:

Code:
   /tmp            rwc


We'll change that too. All changes so far on that subject:

Code:
subject /usr/libexec/gcc/x86_64-pc-linux-gnu o {
...
   /tmp            rwcdl
...
    /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2   x
   /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/ld      x
...
   +CAP_IPC_LOCK
   +CAP_SYS_RAWIO
...


Correct thinking! See:

Code:
$ rm mmap-rw
$ gcc -DBAD -o mmap-rw mmap-rwx.c
$ ls -l mmap-rw
-rwxr-xr-x 1 miro miro 8032 2016-04-29 17:03 mmap-rw
$


Logs:

Code:
Apr 29 17:03:52 g0n kernel: [1122207.651869] grsec: (miro:U:/) exec of /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc (/usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/gcc -DBAD -o mmap-rw mmap-rwx.c ) by /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7957] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:14260] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 17:03:52 g0n kernel: [1122207.656187] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) exec of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1 (/usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1 -quiet -D BAD mmap-rwx.c -fno-strict-overflow -quiet -dumpbase mmap-rwx.c -mtune=) by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1[gcc:7958] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7957] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 17:03:52 g0n kernel: [1122207.688934] grsec: (miro:U:/) exec of /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/as (/usr/lib/gcc/x86_64-pc-linux-gnu/5.3.0/../../../../x86_64-pc-linux-gnu/bin/as --64 -o /tmp/ccSSq8bS.o /tmp/ccKuds2d.s ) by /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/as[gcc:7959] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7957] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 17:03:52 g0n kernel: [1122207.702865] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) exec of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 (/usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 -plugin /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/liblto_plugin.so -plugin-) by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[gcc:7960] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7957] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 17:03:52 g0n kernel: [1122207.704347] grsec: (miro:U:/) exec of /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/ld (/usr/lib/gcc/x86_64-pc-linux-gnu/5.3.0/../../../../x86_64-pc-linux-gnu/bin/ld -plugin /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0) by /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/ld[collect2:7961] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:7960] uid/euid:1000/1000 gid/egid:1000/1000


Nothing is denied there anymore.

Finally the beginning of Hardened/PaX Quickstart has been demystified.

I want to share this for other newbies like I used to be ;-). What are you laughing at? I didn't say I was an expert! ;-)))

I hope I'll make more progress and be able to post more as I study the PaX Quickstart Gentoo Wiki page with more understanding than before. In slow time.

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)
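Added example, not from the Gentoo wiki or from the post above: the wiki's mmap-rwx.c exercises only one of the transitions PaX MPROTECT refuses. The program below, written for this page, probes the RWX anonymous mapping and the RW-to-RX mprotect() change that JIT-style code (the "stack exec and mprotect issues" the post mentions) runs into, next to two transitions any kernel must allow, and folds the four results into a verdict so that "MPROTECT is working" can be told apart from "something else is broken". Whether MPROTECT applies to a given binary also depends on that binary's PaX flags (paxctl -v shows them on Gentoo); that is an assumption about the reader's setup, not something the post confirms. Note that the "denied executable mmap of .../collect2" and "denied execution of .../ld" lines in the post are RBAC denials, which the post's own fix (adding x for collect2 and ld to the subject) confirms; a PaX MPROTECT denial of an anonymous mapping, which is what this probe triggers, is a different event.

```c
/*
 * pax_probe.c: probe the memory-permission transitions that PaX MPROTECT is
 * meant to refuse (an RWX anonymous mapping; mprotect() turning an RW mapping
 * into RX) next to two it must allow (an RW mapping; mprotect() dropping RW
 * to R).  Each probe returns 0 on success or the errno of the failing call,
 * so the result can be lined up with the kernel log.
 * Added example for this page; not code from the Gentoo wiki or the post.
 *
 *   gcc -Wall -Wextra -o pax_probe pax_probe.c && ./pax_probe
 */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Map one page with `first`; if `change` is set, mprotect() it to `second`.
 * Returns 0 if every call succeeded, otherwise the errno of the first failure. */
static int probe(int first, int second, int change)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *m = mmap(NULL, len, first, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED)
        return errno;                 /* the kernel refused the mapping outright */
    int rc = 0;
    if (change && mprotect(m, len, second) != 0)
        rc = errno;                   /* the kernel refused the permission change */
    munmap(m, len);
    return rc;
}

int probe_rw_mapping(void)  { return probe(PROT_READ | PROT_WRITE, 0, 0); }
int probe_rwx_mapping(void) { return probe(PROT_READ | PROT_WRITE | PROT_EXEC, 0, 0); }
int probe_rw_to_rx(void)    { return probe(PROT_READ | PROT_WRITE, PROT_READ | PROT_EXEC, 1); }
int probe_rw_to_r(void)     { return probe(PROT_READ | PROT_WRITE, PROT_READ, 1); }

/* Combine the four probe results:
 *   1  both forbidden transitions were refused and both benign ones allowed
 *      (MPROTECT is enforced for this binary),
 *   0  at least one forbidden transition went through (no MPROTECT, or the
 *      binary's PaX flags disable it),
 *  -1  a benign probe failed, so something other than MPROTECT (RBAC policy,
 *      rlimits, a bad kernel config) is interfering and the other results
 *      mean nothing until that is fixed. */
int mprotect_verdict(int rw, int rwx, int rw_rx, int rw_r)
{
    if (rw != 0 || rw_r != 0)
        return -1;
    if (rwx != 0 && rw_rx != 0)
        return 1;
    return 0;
}

static void report(const char *what, int rc)
{
    printf("%-22s %s\n", what, rc == 0 ? "succeeded" : strerror(rc));
}

int main(void)
{
    int rw = probe_rw_mapping(), rwx = probe_rwx_mapping();
    int rw_rx = probe_rw_to_rx(), rw_r = probe_rw_to_r();
    report("RW anonymous mmap:", rw);
    report("RWX anonymous mmap:", rwx);
    report("mprotect RW -> RX:", rw_rx);
    report("mprotect RW -> R:", rw_r);
    printf("verdict: %d\n", mprotect_verdict(rw, rwx, rw_rx, rw_r));
    return 0;
}
```

On a PaX kernel with MPROTECT enforced for the test binary, the RWX mapping and the RW to RX change both fail and the verdict is 1; on a stock kernel both succeed and the verdict is 0. Verdict -1 means the RW mapping or the RW to R downgrade failed, which MPROTECT never causes, so look at the RBAC policy or resource limits first. The errno is printed with strerror(); match the run's timestamp against the kernel log rather than guessing the cause from the errno alone.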
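A second added example, mine and not from the post: the post reaches its working policy by reading each grsec denial and hand-editing the subject. The helper below automates that reading for the three denial kinds that appear in the logs above, parsing the subject out of the "(user:role:/subject)" prefix and emitting the object line to add. The verb-to-mode mapping (x for "denied execution" and "denied executable mmap", d on the containing directory for "denied unlink") is taken from what the post did and is an assumption, not a complete table of RBAC object modes; the sample lines are copied from the post and trimmed after the "by" field. Anything the helper does not recognise (PaX denials, bruteforce-prevention notices, plain exec audit lines) comes back as NULL and must be read by hand. For more than a handful of lines, gradm's learning mode (gradm -F -L /etc/grsec/learning.logs, then the same with -O to write a policy) is the supported way to do this.

```c
/*
 * grsec_triage.c: turn grsecurity RBAC denial lines into the object line the
 * denied subject appears to be missing.  Added example for this page, not code
 * from the post; the three rules below follow what the post did and are an
 * assumption, not a complete table of RBAC object modes.
 *
 *   gcc -Wall -Wextra -o grsec_triage grsec_triage.c && ./grsec_triage
 */
#include <stdio.h>
#include <string.h>

/* Copy the text between `p` and the first occurrence of `stop` into `out`. */
static int take_until(const char *p, const char *stop, char *out, size_t n)
{
    const char *e = strstr(p, stop);
    if (e == NULL || e == p || (size_t)(e - p) >= n)
        return 0;
    memcpy(out, p, (size_t)(e - p));
    out[e - p] = '\0';
    return 1;
}

/* Pull "/subject/path" out of "grsec: (user:role:/subject/path) ...". */
static int subject_of(const char *line, char *out, size_t n)
{
    const char *p = strstr(line, "grsec: (");
    if (p == NULL)
        return 0;
    p += strlen("grsec: (");
    for (int i = 0; i < 2; i++) {         /* skip "user:" and "role:" */
        p = strchr(p, ':');
        if (p == NULL)
            return 0;
        p++;
    }
    return take_until(p, ")", out, n);
}

/* Returns "subject <s>: <path> <mode>" in a static buffer (not reentrant), or
 * NULL when the line is not a denial this helper knows how to fix. */
const char *grsec_suggest(const char *line)
{
    static const struct { const char *verb; const char *mode; int use_dir; } rules[] = {
        { "denied executable mmap of ", "x", 0 },
        { "denied execution of ",       "x", 0 },
        { "denied unlink of ",          "d", 1 },   /* delete needs d on the directory */
    };
    static char out[1024];
    char subj[256], path[512];

    if (!subject_of(line, subj, sizeof subj))
        return NULL;
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const char *p = strstr(line, rules[i].verb);
        if (p == NULL)
            continue;
        if (!take_until(p + strlen(rules[i].verb), " by ", path, sizeof path))
            return NULL;
        if (rules[i].use_dir) {
            char *slash = strrchr(path, '/');
            if (slash != NULL)
                slash[slash == path ? 1 : 0] = '\0';   /* "/tmp/x" -> "/tmp", "/x" -> "/" */
        }
        snprintf(out, sizeof out, "subject %s: %s %s", subj, path, rules[i].mode);
        return out;
    }
    return NULL;
}

/* Constructed sample input: denial lines from the post above, trimmed after the
 * "by" field, plus one non-denial line to show that it is skipped. */
static const char *const sample[] = {
    "Apr 29 13:43:15 g0n kernel: [1110170.424996] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) denied executable mmap of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:6538] uid/euid:1000/1000",
    "Apr 29 16:33:13 g0n kernel: [1120368.591854] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) denied execution of /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/ld by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:7820] uid/euid:1000/1000",
    "Apr 29 16:33:13 g0n kernel: [1120368.592428] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) denied unlink of /tmp/ccKukuH0.ld by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:7819] uid/euid:1000/1000",
    "Apr 29 13:43:15 g0n kernel: [1110170.425081] grsec: (miro:U:/) bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds.",
};

int main(void)
{
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++) {
        const char *s = grsec_suggest(sample[i]);
        printf("%s\n", s ? s : "(no RBAC object line derived; read the line by hand)");
    }
    return 0;
}
```

The three suggestions it prints for the sample lines are exactly the object lines the post ended up adding to the /usr/libexec/gcc/x86_64-pc-linux-gnu subject: collect2 with x, ld with x, and d on /tmp. Treat the output as a starting point for a human edit, not as policy to apply blindly: the helper does not know whether the denied path is one the subject should ever touch, and granting x or d to the wrong object is precisely what the RBAC policy exists to prevent.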