
GDB problems

Posted: Thu Sep 25, 2003 2:40 am
by wolfpaw
Hi all :)

I get the following error when users run GDB (or I do it in admin mode):

GNU gdb 5.3
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(gdb) run 3000
Starting program: /home/mud/lots/lotscode/dist/src/swreality 3000
Warning:
Cannot insert breakpoint -2.
Error accessing memory address 0x2b7f4120: Input/output error.
The same program may be running in another process.
(gdb)

I checked the forum, and the documentation which claimed that I could do something like this:

/home PSMR {

}

to allow debugging of applications, but it doesn't work. ChPAX won't work for us, because this is a mud service (shells, etc), and the binaries get recompiled all the time.

If anyone can shed some light, I'd be grateful :)

Regards,
Dale.

My config for GRSec is:

#
# Grsecurity
#
CONFIG_GRKERNSEC=y
CONFIG_CRYPTO=y
CONFIG_CRYPTO_SHA256=y
CONFIG_GRKERNSEC_CUSTOM=y

#
# Address Space Protection
#
CONFIG_GRKERNSEC_PAX_NOEXEC=y
# CONFIG_GRKERNSEC_PAX_PAGEEXEC is not set
CONFIG_GRKERNSEC_PAX_SEGMEXEC=y
# CONFIG_GRKERNSEC_PAX_EMUTRAMP is not set
CONFIG_GRKERNSEC_PAX_MPROTECT=y
# CONFIG_GRKERNSEC_PAX_NOELFRELOCS is not set
CONFIG_GRKERNSEC_PAX_KERNEXEC=y
CONFIG_GRKERNSEC_PAX_ASLR=y
# CONFIG_GRKERNSEC_PAX_RANDKSTACK is not set
CONFIG_GRKERNSEC_PAX_RANDUSTACK=y
CONFIG_GRKERNSEC_PAX_RANDMMAP=y
CONFIG_GRKERNSEC_PAX_RANDEXEC=y
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_RTC=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_HIDESYM=y

#
# ACL options
#
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=3600

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=1001
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y

#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
CONFIG_GRKERNSEC_TPE=y
# CONFIG_GRKERNSEC_TPE_ALL is not set
CONFIG_GRKERNSEC_TPE_GID=1005

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDISN=y
CONFIG_GRKERNSEC_RANDID=y
CONFIG_GRKERNSEC_RANDSRC=y
CONFIG_GRKERNSEC_RANDRPC=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl support
#
CONFIG_GRKERNSEC_SYSCTL=y

#
# Logging options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4

Running grsec 1.9.12 on Linux 2.4.22
(with reiserfs patches for quota and data logging applied, if this
matters at all)

If you need to see ACLs, please let me know - Thanks :)

Posted: Sun Sep 28, 2003 7:15 am
by Julien TINNES
With 'software breakpoints', gdb needs to modify executable code, which is exactly what the NOEXEC/MPROTECT features from PaX are preventing.

You can use hardware breakpoints, or use software breakpoints and: disable SEGMEXEC in the kernel, or use chpax on the executable (to disable SEGMEXEC), or use the ACL system (to disable SEGMEXEC).
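
The restriction described in this reply can be observed with a small probe, added here as an example and not part of the thread: it forks a child, traces it the way a debugger does, and tries to write an x86 `int3` byte into the child's code with `PTRACE_POKETEXT`, the kind of write a software breakpoint needs. The names `probe_target` and `try_software_breakpoint` are made up for this example; Linux with glibc is assumed.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

static void probe_target(void) { }   /* code address the probe patches */

/* Returns 0 if the trap byte could be written into the child's code,
 * the errno from PTRACE_POKETEXT if the kernel refused the write, and
 * -1 if the probe itself could not run (fork or ptrace unavailable). */
int try_software_breakpoint(void)
{
    int status, rc = -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                   /* child: become the debuggee */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) != 0)
            _exit(1);
        raise(SIGSTOP);               /* stop so the parent can inspect us */
        _exit(0);
    }
    if (waitpid(pid, &status, 0) != pid || !WIFSTOPPED(status))
        return -1;
    errno = 0;
    long word = ptrace(PTRACE_PEEKTEXT, pid, (void *)probe_target, NULL);
    if (errno == 0) {
        long patched = (word & ~0xffL) | 0xcc;    /* 0xcc = x86 int3 */
        if (ptrace(PTRACE_POKETEXT, pid, (void *)probe_target,
                   (void *)patched) == 0) {
            /* write allowed: put the original bytes back */
            ptrace(PTRACE_POKETEXT, pid, (void *)probe_target, (void *)word);
            rc = 0;
        } else {
            rc = errno;               /* write refused by the kernel */
        }
    }
    kill(pid, SIGKILL);               /* the child never resumes */
    waitpid(pid, &status, 0);
    return rc;
}

int main(void)
{
    int rc = try_software_breakpoint();
    if (rc == 0) puts("software breakpoint write allowed");
    else if (rc > 0) printf("write refused: %s\n", strerror(rc));
    else puts("probe could not run");
    return 0;
}
```

A positive return value is an errno; printing it with `strerror()` gives the same style of message gdb shows in the session at the top of the thread.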

Posted: Sun Sep 28, 2003 10:51 am
by darko
Hi, you could create a wrapper for gdb (the wrapper would disable pax protections on the binary, using chpax), or even a wrapper for gcc...

I made a simple wrapper for gcc; until now everyone seems to be happy with it. You just have to rename the original gcc binary.

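Code:

#!/usr/bin/env python2
# Simple gcc wrapper: run the real compiler (renamed to gcc.bin), then
# change the PaX flags on the resulting binary so it can be debugged.

from sys import argv, exit
from os import spawnvp, spawnlp, P_WAIT, access, F_OK

### vars ###
ARG = '-o'
DEFAULT = 'a.out'
OFILE = '.o'

### functions ###
def changeBinary(path):
    # Run /usr/bin/bf on the output file, once with -s and once with -m
    spawnlp(P_WAIT, '/usr/bin/bf', 'bf', '-s', path)
    spawnlp(P_WAIT, '/usr/bin/bf', 'bf', '-m', path)

def spawnGcc(args):
    # Returns the exit status of the real gcc
    return spawnvp(P_WAIT, 'gcc.bin', args)

### main ###
status = spawnGcc(argv)

# Only touch the output if the compile succeeded
if status == 0:
    if ARG in argv and argv.count(ARG) == 1:
        output = argv[argv.index(ARG) + 1]
        # Skip object files; endswith() avoids matching names like 'a.out'
        if not output.endswith(OFILE):
            changeBinary(output)
    elif access(DEFAULT, F_OK):
        changeBinary(DEFAULT)

# Pass gcc's status on to the caller (make, configure scripts, ...)
exit(status)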


Use it, modify it, as you see fit. I hope it helps....

Regards,
João

Posted: Tue Sep 30, 2003 2:36 pm
by wolfpaw
Works wonderfully, thank you very much :)

Now to get 2.0 working with my old ACLs.. bleh.

Regards,
Dale.