PaX Quickstart Demystified
Posted: Fri Apr 29, 2016 12:38 pm
---
The title reflects what has only started happening for me.
However, having read the PaX Quickstart, currently at this Gentoo Wiki page:
Hardened/PaX Quickstart
https://wiki.gentoo.org/wiki/Hardened/PaX_Quickstart
for a few times in the span of many months, proper understanding of that tutorial has always eluded me.
I think I'll finally be getting a grip on it, but in slow time, as I'm an older man, late adopter of FOSS *nix knowledge, I don't go fast.
And I don't promise nor pretend to do a good job, but I'd like to try. I have had some success in the past in presenting the very basics of compiling a grsecurity-hardened kernel in Debian:
Grsecurity/Pax installation on Debian GNU/Linux
http://forums.debian.net/viewtopic.php?f=16&t=108616
but that is generally for newcomers to grsecurity, and has been for my presenting of it, an easy start. This leg of my quest is harder.
And having today made a tiny breakthrough, I thought I'd post my understanding of it that is (hopefully) beginning to finally start arriving, for other users with similar difficulty in understanding these matters.
Before I post my notes: read the man pages when the need arises (such as for mmap, mprotect, sysconf, capabilities, and others).
And also read some tutorial on C. I found there are really great and pretty easy to grasp tutorials at:
CodingUnit C Tutorials
https://www.codingunit.com/category/c-tutorials
This I create as an aid to understanding that Gentoo Wiki page (linked at the start). Very far from a substitute! E.g. in this first post I only try to help in demystifying what has been an insurmountable hurdle during my repeated reading of that Wiki page in, let me correct my previous statement above (as I begin to recollect more clearly during final proofreading), not just numerous months, but maybe two or three years!
And I've been back to reading it because I'm recently having trouble figuring out how to resolve:
Building Cinelerra and stack exec and mprotect issues
viewtopic.php?f=3&t=4453
and I decided to give myself a refresher on PaX.
For stubborn newbies, I hope my notes might help a little, so I'm posting them.
From:
Hardened/PaX Quickstart
https://wiki.gentoo.org/wiki/Hardened/PaX_Quickstart
mmap-rwx.c Violate MPROTECT with RWX mmap
```c
/*
 * Contrast compiling with:
 * gcc -UBAD -o mmap-rw mmap-rwx.c
 * gcc -DBAD -o mmap-rwx mmap-rwx.c
 */
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <errno.h>
#include <string.h>

int main(void) {
    size_t *m;
#ifdef BAD
    /* Anonymous mapping that is writable AND executable: PaX MPROTECT refuses this. */
    m = mmap(NULL, 1024, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
#else
    /* Read/write-only anonymous mapping: allowed under MPROTECT. */
    m = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
#endif
    if (m == MAP_FAILED)
        printf("mmap failed: %s\n", strerror(errno));
    else
        printf("mmap succeeded: %p\n", (void *)m);
    return 0;
}
```
And I ran it (entire output here):
```
$ gcc -UBAD -o mmap-rw mmap-rwx.c
gcc: internal compiler error: Segmentation fault (program collect2)
Please submit a full bug report,
with preprocessed source if appropriate.
See <https://bugs.gentoo.org/> for instructions.
$
```
The logs:
```
Apr 29 13:43:13 g0n kernel: [1110168.637144] grsec: (miro:U:/) exec of /usr/bin/gcc (gcc -UBAD -o mmap-rw mmap-rwx.c ) by /usr/bin/gcc[bash:6535] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:14260] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 13:43:13 g0n kernel: [1110168.639369] grsec: (miro:U:/) exec of /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc (/usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/gcc -UBAD -o mmap-rw mmap-rwx.c ) by /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6535] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:14260] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 13:43:13 g0n kernel: [1110168.700768] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) exec of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1 (/usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1 -quiet -U BAD mmap-rwx.c -fno-strict-overflow -quiet -dumpbase mmap-rwx.c -mtune=) by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1[gcc:6536] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6535] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 13:43:15 g0n kernel: [1110170.164953] grsec: (miro:U:/) exec of /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/as (/usr/lib/gcc/x86_64-pc-linux-gnu/5.3.0/../../../../x86_64-pc-linux-gnu/bin/as --64 -o /tmp/ccUDNLqe.o /tmp/cc0iXSUy.s ) by /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/as[gcc:6537] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6535] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 13:43:15 g0n kernel: [1110170.424845] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) exec of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 (/usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 -plugin /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/liblto_plugin.so -plugin-) by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[gcc:6538] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6535] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 13:43:15 g0n kernel: [1110170.424996] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) denied executable mmap of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:6538] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6535] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 13:43:15 g0n kernel: [1110170.425036] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) Segmentation fault occurred at (nil) in /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:6538] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6535] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 13:43:15 g0n kernel: [1110170.425081] grsec: (miro:U:/) bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[collect2:6538] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6535] uid/euid:1000/1000 gid/egid:1000/1000
```
Trying the alternative given in the comments of the script:
```
$ gcc -DBAD -o mmap-rwx mmap-rwx.c
gcc: internal compiler error: Segmentation fault (program collect2)
Please submit a full bug report,
with preprocessed source if appropriate.
See <https://bugs.gentoo.org/> for instructions.
miro@g0n ~ $
```
Logs:
```
Apr 29 13:51:53 g0n kernel: [1110688.208636] grsec: (miro:U:/) exec of /usr/bin/gcc (gcc -DBAD -o mmap-rwx mmap-rwx.c ) by /usr/bin/gcc[bash:6594] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:14260] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 13:51:53 g0n kernel: [1110688.209468] grsec: (miro:U:/) exec of /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc (/usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/gcc -DBAD -o mmap-rwx mmap-rwx.c ) by /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6594] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:14260] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 13:51:53 g0n kernel: [1110688.211259] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) exec of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1 (/usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1 -quiet -D BAD mmap-rwx.c -fno-strict-overflow -quiet -dumpbase mmap-rwx.c -mtune=) by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1[gcc:6597] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6594] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 13:51:53 g0n kernel: [1110688.245002] grsec: (miro:U:/) exec of /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/as (/usr/lib/gcc/x86_64-pc-linux-gnu/5.3.0/../../../../x86_64-pc-linux-gnu/bin/as --64 -o /tmp/cc5I1EAF.o /tmp/ccGVI7b3.s ) by /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/as[gcc:6598] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6594] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 13:51:53 g0n kernel: [1110688.261310] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) exec of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 (/usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 -plugin /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/liblto_plugin.so -plugin-) by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[gcc:6599] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6594] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 13:51:53 g0n kernel: [1110688.261360] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) denied executable mmap of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:6599] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6594] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 13:51:53 g0n kernel: [1110688.261371] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) Segmentation fault occurred at (nil) in /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:6599] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6594] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 13:51:53 g0n kernel: [1110688.261384] grsec: (miro:U:/) bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[collect2:6599] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6594] uid/euid:1000/1000 gid/egid:1000/1000
```
Maybe because 30 minutes haven't passed?
Or is it because MPROTECT is enabled in the PaX configuration of the kernel... See:
```
$ gcc -DBAD -o mmap-rwx mmap-rwx.c
gcc: internal compiler error: Segmentation fault (program collect2)
Please submit a full bug report,
with preprocessed source if appropriate.
See <https://bugs.gentoo.org/> for instructions.
$
```
```
Apr 29 15:44:27 g0n kernel: [1117442.385660] grsec: (miro:U:/) exec of /usr/bin/gcc (gcc -DBAD -o mmap-rwx mmap-rwx.c ) by /usr/bin/gcc[bash:6942] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:14260] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 15:44:27 g0n kernel: [1117442.387768] grsec: (miro:U:/) exec of /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc (/usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/gcc -DBAD -o mmap-rwx mmap-rwx.c ) by /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6942] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:14260] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 15:44:27 g0n kernel: [1117442.389546] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) exec of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1 (/usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1 -quiet -D BAD mmap-rwx.c -fno-strict-overflow -quiet -dumpbase mmap-rwx.c -mtune=) by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1[gcc:6945] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6942] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 15:44:27 g0n kernel: [1117442.421877] grsec: (miro:U:/) exec of /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/as (/usr/lib/gcc/x86_64-pc-linux-gnu/5.3.0/../../../../x86_64-pc-linux-gnu/bin/as --64 -o /tmp/ccKKgCVv.o /tmp/ccFgXM4t.s ) by /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/as[gcc:6946] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6942] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 15:44:27 g0n kernel: [1117442.430869] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) exec of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 (/usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 -plugin /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/liblto_plugin.so -plugin-) by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[gcc:6947] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6942] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 15:44:27 g0n kernel: [1117442.431023] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) denied executable mmap of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:6947] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6942] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 15:44:27 g0n kernel: [1117442.431063] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) Segmentation fault occurred at (nil) in /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:6947] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6942] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 15:44:27 g0n kernel: [1117442.431128] grsec: (miro:U:/) bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[collect2:6947] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:6942] uid/euid:1000/1000 gid/egid:1000/1000
```
NOTE: You need to look at the new subject
/usr/libexec/gcc/x86_64-pc-linux-gnu
in the article with my (old) policy:
A no-poetterware desktop RBAC policy
viewtopic.php?f=5&t=4153&p=16248#p16248
And you'll figure out why today it has changed to:
< same title >
viewtopic.php?f=5&t=4153&p=16248#p16249
when you reach the bottom of this first post.
Added:
```
subject /usr/libexec/gcc/x86_64-pc-linux-gnu o {
...
+CAP_IPC_LOCK
...
```
From 'man capabilities' :
```
CAP_IPC_LOCK
Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)).
```
Waiting just in case a few minutes to get past 30 minutes later: 2016-04-29 16:09+02:00
Still:
```
$ gcc -DBAD -o mmap-rwx mmap-rwx.c
gcc: internal compiler error: Segmentation fault (program collect2)
Please submit a full bug report,
with preprocessed source if appropriate.
See <https://bugs.gentoo.org/> for instructions.
$
```
Maybe try:
```
CAP_SYS_RAWIO
* Perform I/O port operations (iopl(2) and ioperm(2));
* access /proc/kcore;
* employ the FIBMAP ioctl(2) operation;
* open devices for accessing x86 model-specific registers (MSRs, see msr(4))
* update /proc/sys/vm/mmap_min_addr;
* create memory mappings at addresses below the value specified by
/proc/sys/vm/mmap_min_addr;
* map files in /proc/bus/pci;
* open /dev/mem and /dev/kmem;
* perform various SCSI device commands;
* perform certain operations on hpsa(4) and cciss(4) devices;
* perform a range of device-specific operations on other devices.
```
```
subject /usr/libexec/gcc/x86_64-pc-linux-gnu o {
...
+CAP_IPC_LOCK
+CAP_SYS_RAWIO
...
```
```
Apr 29 16:22:59 g0n kernel: [1119754.501723] grsec: (miro:U:/) exec of /usr/bin/gcc (gcc -DBAD -o mmap-rwx mmap-rwx.c ) by /usr/bin/gcc[bash:7476] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:14260] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:22:59 g0n kernel: [1119754.503796] grsec: (miro:U:/) exec of /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc (/usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/gcc -DBAD -o mmap-rwx mmap-rwx.c ) by /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7476] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:14260] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:22:59 g0n kernel: [1119754.508281] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) exec of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1 (/usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1 -quiet -D BAD mmap-rwx.c -fno-strict-overflow -quiet -dumpbase mmap-rwx.c -mtune=) by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1[gcc:7477] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7476] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:22:59 g0n kernel: [1119754.541827] grsec: (miro:U:/) exec of /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/as (/usr/lib/gcc/x86_64-pc-linux-gnu/5.3.0/../../../../x86_64-pc-linux-gnu/bin/as --64 -o /tmp/ccmmoE9L.o /tmp/ccWmHNgE.s ) by /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/as[gcc:7478] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7476] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:22:59 g0n kernel: [1119754.550379] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) exec of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 (/usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 -plugin /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/liblto_plugin.so -plugin-) by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[gcc:7479] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7476] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:22:59 g0n kernel: [1119754.550521] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) denied executable mmap of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:7479] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7476] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:22:59 g0n kernel: [1119754.550561] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) Segmentation fault occurred at (nil) in /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:7479] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7476] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:22:59 g0n kernel: [1119754.550605] grsec: (miro:U:/) bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[collect2:7479] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7476] uid/euid:1000/1000 gid/egid:1000/1000
```
After:
```
subject /usr/libexec/gcc/x86_64-pc-linux-gnu o {
...
/usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 x
...
+CAP_IPC_LOCK
+CAP_SYS_RAWIO
...
```
```
$ gcc -DBAD -o mmap-rw mmap-rwx.c
collect2: error trying to exec
'/usr/lib/gcc/x86_64-pc-linux-gnu/5.3.0/../../../../x86_64-pc-linux-gnu/bin/ld':
execvp: Permission denied
collect2: error: ld returned 255 exit status
collect2: error trying to exec
'/usr/lib/gcc/x86_64-pc-linux-gnu/5.3.0/../../../../x86_64-pc-linux-gnu/bin/ld':
execvp: Permission denied
$
```
And that is a whole load of a difference... Finally this mystery is starting to crack up and slowly open to my mind. Still vaguely, but it was less than vaguely before now...
Let's see the logs:
```
Apr 29 16:33:13 g0n kernel: [1120368.511438] grsec: (miro:U:/) exec of /usr/bin/gcc (gcc -DBAD -o mmap-rw mmap-rwx.c ) by /usr/bin/gcc[bash:7816] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:14260] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:33:13 g0n kernel: [1120368.513604] grsec: (miro:U:/) exec of /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc (/usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/gcc -DBAD -o mmap-rw mmap-rwx.c ) by /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7816] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:14260] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:33:13 g0n kernel: [1120368.517526] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) exec of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1 (/usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1 -quiet -D BAD mmap-rwx.c -fno-strict-overflow -quiet -dumpbase mmap-rwx.c -mtune=) by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1[gcc:7817] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7816] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:33:13 g0n kernel: [1120368.553790] grsec: (miro:U:/) exec of /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/as (/usr/lib/gcc/x86_64-pc-linux-gnu/5.3.0/../../../../x86_64-pc-linux-gnu/bin/as --64 -o /tmp/ccDxz1E4.o /tmp/ccZ2Vs1g.s ) by /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/as[gcc:7818] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7816] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:33:13 g0n kernel: [1120368.562191] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) exec of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 (/usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 -plugin /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/liblto_plugin.so -plugin-) by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[gcc:7819] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7816] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:33:13 g0n kernel: [1120368.591854] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) denied execution of /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/ld by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:7820] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:7819] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:33:13 g0n kernel: [1120368.592428] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) denied unlink of /tmp/ccKukuH0.ld by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:7819] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7816] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:33:13 g0n kernel: [1120368.592730] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) denied unlink of /tmp/ccDDaQtO.le by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:7819] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7816] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:33:13 g0n kernel: [1120368.592796] grsec: more alerts, logging disabled for 10 seconds
```
Trying to add:
```
subject /usr/libexec/gcc/x86_64-pc-linux-gnu o {
...
/usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 x
/usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/ld x
...
+CAP_IPC_LOCK
+CAP_SYS_RAWIO
...
```
```
$ gcc -DBAD -o mmap-rw mmap-rwx.c
$
```
Compiled!
```
$ ls -ltr
...
-rwxr-xr-x 1 miro miro 8032 2016-04-29 16:56 mmap-rw
miro@g0n ~ $ file mmap-rw
mmap-rw: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, not stripped
$
```
Logs:
```
Apr 29 16:56:20 g0n kernel: [1121755.904933] grsec: (miro:U:/) exec of /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc (/usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/gcc -DBAD -o mmap-rw mmap-rwx.c ) by /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7902] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:14260] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:56:20 g0n kernel: [1121755.909516] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) exec of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1 (/usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1 -quiet -D BAD mmap-rwx.c -fno-strict-overflow -quiet -dumpbase mmap-rwx.c -mtune=) by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1[gcc:7903] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7902] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:56:20 g0n kernel: [1121755.945310] grsec: (miro:U:/) exec of /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/as (/usr/lib/gcc/x86_64-pc-linux-gnu/5.3.0/../../../../x86_64-pc-linux-gnu/bin/as --64 -o /tmp/ccg7xAbe.o /tmp/ccUuVXSy.s ) by /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/as[gcc:7904] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7902] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:56:20 g0n kernel: [1121755.953609] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) exec of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 (/usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 -plugin /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/liblto_plugin.so -plugin-) by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[gcc:7905] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7902] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:56:20 g0n kernel: [1121755.969700] grsec: (miro:U:/) exec of /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/ld (/usr/lib/gcc/x86_64-pc-linux-gnu/5.3.0/../../../../x86_64-pc-linux-gnu/bin/ld -plugin /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0) by /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/ld[collect2:7906] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:7905] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:56:20 g0n kernel: [1121756.126296] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) denied unlink of /tmp/ccytliGY.ld by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:7905] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7902] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:56:20 g0n kernel: [1121756.126398] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) denied unlink of /tmp/ccJltc1D.le by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:7905] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7902] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:56:20 g0n kernel: [1121756.126441] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) denied unlink of /tmp/ccLUTu0D.c by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:7905] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7902] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:56:20 g0n kernel: [1121756.126464] grsec: more alerts, logging disabled for 10 seconds
```
The last one is (I guess) because that subject in question had:
```
/tmp rwc
```
We'll change that too. All changes so far on that subject:
```
subject /usr/libexec/gcc/x86_64-pc-linux-gnu o {
...
/tmp rwcdl
...
/usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 x
/usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/ld x
...
+CAP_IPC_LOCK
+CAP_SYS_RAWIO
...
```
Correct thinking! See:
```
$ rm mmap-rw
$ gcc -DBAD -o mmap-rw mmap-rwx.c
$ ls -l mmap-rw
-rwxr-xr-x 1 miro miro 8032 2016-04-29 17:03 mmap-rw
$
```
Logs:
```
Apr 29 17:03:52 g0n kernel: [1122207.651869] grsec: (miro:U:/) exec of /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc (/usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/gcc -DBAD -o mmap-rw mmap-rwx.c ) by /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7957] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:14260] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 17:03:52 g0n kernel: [1122207.656187] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) exec of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1 (/usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1 -quiet -D BAD mmap-rwx.c -fno-strict-overflow -quiet -dumpbase mmap-rwx.c -mtune=) by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/cc1[gcc:7958] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7957] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 17:03:52 g0n kernel: [1122207.688934] grsec: (miro:U:/) exec of /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/as (/usr/lib/gcc/x86_64-pc-linux-gnu/5.3.0/../../../../x86_64-pc-linux-gnu/bin/as --64 -o /tmp/ccSSq8bS.o /tmp/ccKuds2d.s ) by /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/as[gcc:7959] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7957] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 17:03:52 g0n kernel: [1122207.702865] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) exec of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 (/usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 -plugin /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/liblto_plugin.so -plugin-) by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[gcc:7960] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[gcc:7957] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 17:03:52 g0n kernel: [1122207.704347] grsec: (miro:U:/) exec of /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/ld (/usr/lib/gcc/x86_64-pc-linux-gnu/5.3.0/../../../../x86_64-pc-linux-gnu/bin/ld -plugin /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0) by /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/ld[collect2:7961] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:7960] uid/euid:1000/1000 gid/egid:1000/1000
```
Nothing is denied there anymore.
Finally the beginning of Hardened/PaX Quickstart has been demystified.
I want to share this for other newbies like I formerly used to be. What are you laughing at? I didn't say I was an expert! )).
I hope I'll make more progress and be able to post more as I study the PaX Quickstart Gentoo Wiki page with more understanding than before. In slow time.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)
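As an added example (my own, not code from the post, the grsecurity project or the Gentoo wiki), the script below does the log reading the post does by hand: it parses the grsec denial lines, records the bruteforce-prevention and "logging disabled" events, and maps each denial to the object mode the post's own fixes ended up needing (collect2 x, ld x, and d on /tmp from the rwc to rwcdl change). The log-line shape, the denial-to-mode table and the shortened sample lines are assumptions taken from the post's logs; compare the output with the subject's existing object lines before appending anything.

```python
import os
import re
from collections import defaultdict

# Shape of the RBAC denial lines in the post's logs (assumption: taken from those lines):
#   grsec: (user:role:subject) denied <action> of <object> by <binary>[comm:pid] uid/euid:...
DENIAL_RE = re.compile(
    r"grsec: \((?P<user>[^:]+):(?P<role>[^:]+):(?P<subject>[^)]+)\) "
    r"denied (?P<action>.+?) of (?P<object>\S+) by (?P<binary>\S+?)"
    r"\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]"
)
# "bruteforce prevention initiated for the next 30 minutes ..., stalling each fork 30 seconds"
# explains why every later fork crawls; it is an event to report, not a denial to fix.
BRUTEFORCE_RE = re.compile(
    r"bruteforce prevention initiated for the next (?P<minutes>\d+) minutes"
    r".*?stalling each fork (?P<stall>\d+) seconds"
)
# "grsec: more alerts, logging disabled for 10 seconds": denials in that window were dropped.
SUPPRESSED_RE = re.compile(r"grsec: more alerts, logging disabled for (?P<seconds>\d+) seconds")

# Denial kind -> (object mode flag, apply it to the containing directory?), as the post's
# fixes show: "denied executable mmap of collect2" -> collect2 x; "denied execution of ld"
# -> ld x; "denied unlink of /tmp/cc*.ld" -> /tmp gets d (the post's rwc -> rwcdl change).
ACTION_TO_MODE = {
    "executable mmap": ("x", False),
    "execution": ("x", False),
    "unlink": ("d", True),
}


def parse_grsec_log(text):
    """Split a syslog excerpt into RBAC denials, bruteforce-prevention events and
    logging-suppression notices. Plain 'exec of' audit lines are ignored."""
    denials, bruteforce, suppressed = [], [], []
    for line in text.splitlines():
        m = DENIAL_RE.search(line)
        if m:
            denials.append(m.groupdict())
            continue
        m = BRUTEFORCE_RE.search(line)
        if m:
            bruteforce.append((int(m["minutes"]), int(m["stall"])))
            continue
        m = SUPPRESSED_RE.search(line)
        if m:
            suppressed.append(int(m["seconds"]))
    return denials, bruteforce, suppressed


def suggest_object_modes(denials):
    """Map each denial to the object path and mode flag from ACTION_TO_MODE.
    Returns ({subject: {object_path: set(flags)}}, [denials of unknown kind])
    so that kinds the table does not cover are reported rather than dropped."""
    suggestions = defaultdict(lambda: defaultdict(set))
    unknown = []
    for d in denials:
        rule = ACTION_TO_MODE.get(d["action"])
        if rule is None:
            unknown.append(d)
            continue
        flag, use_parent_dir = rule
        target = os.path.dirname(d["object"]) if use_parent_dir else d["object"]
        suggestions[d["subject"]][target].add(flag)
    return {s: dict(objs) for s, objs in suggestions.items()}, unknown


def render_suggestions(suggestions):
    """Render the suggestions as 'object mode' lines grouped per subject, the form
    used inside a grsec subject block; the flags are additions to any existing mode."""
    out = []
    for subject in sorted(suggestions):
        out.append(f"# subject {subject}")
        for obj in sorted(suggestions[subject]):
            out.append(f"{obj} {''.join(sorted(suggestions[subject][obj]))}")
    return out


# Constructed sample: lines from the post's logs, shortened after the uid/gid fields.
SAMPLE_LOG = """\
Apr 29 13:43:15 g0n kernel: [1110170.424996] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) denied executable mmap of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:6538] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 13:43:15 g0n kernel: [1110170.425081] grsec: (miro:U:/) bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for /usr/x86_64-pc-linux-gnu/gcc-bin/5.3.0/x86_64-pc-linux-gnu-gcc[collect2:6538] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:33:13 g0n kernel: [1120368.562191] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) exec of /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 (/usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2 -plugin) by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[gcc:7819] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:33:13 g0n kernel: [1120368.591854] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) denied execution of /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/ld by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:7820] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:33:13 g0n kernel: [1120368.592428] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) denied unlink of /tmp/ccKukuH0.ld by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:7819] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:33:13 g0n kernel: [1120368.592730] grsec: (miro:U:/usr/libexec/gcc/x86_64-pc-linux-gnu) denied unlink of /tmp/ccDDaQtO.le by /usr/libexec/gcc/x86_64-pc-linux-gnu/5.3.0/collect2[collect2:7819] uid/euid:1000/1000 gid/egid:1000/1000
Apr 29 16:33:13 g0n kernel: [1120368.592796] grsec: more alerts, logging disabled for 10 seconds
"""

if __name__ == "__main__":
    denials, bruteforce, suppressed = parse_grsec_log(SAMPLE_LOG)
    suggestions, unknown = suggest_object_modes(denials)
    for minutes, stall in bruteforce:
        print(f"bruteforce prevention active for {minutes} min, each fork stalled {stall} s")
    for seconds in suppressed:
        print(f"logging was disabled for {seconds} s: the denial list below is incomplete")
    print("\n".join(render_suggestions(suggestions)))
    for d in unknown:
        print(f"unhandled denial kind '{d['action']}' on {d['object']} in subject {d['subject']}")
```

A "logging disabled" notice means denials after it were never written, so re-run the build after each policy change instead of trusting one pass of the log.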