
maximum PaX options for working X-server (desktop system)

PostPosted: Sun Jun 13, 2004 11:54 am
by ray
Hi all,
I've been using grsec & PaX for some 3-4 months, but wish to activate it to the limit.
My system is Gentoo-2.6.5-hardened (~x86 - unstable).
There are known problems with X-server & PaX (doesn't work always). I'm using xorg-X11-6.7.0 (already compiled xorg-X11-6.7.0-r1).
Followed quickstart.pdf from the site but it breaks my X, so at last my questions:
1. What are the optimal or maximal PaX settings for a working X?
2. Are there any problems with grsecurity and X?
TIA.
Rumen.

Re: maximum PaX options for working X-server (desktop system)

PostPosted: Sun Jun 13, 2004 4:52 pm
by PaX Team
ray wrote: My system is Gentoo-2.6.5-hardened (~x86 - unstable).
There are known problems with X-server & PaX (doesn't work always). I'm using xorg-X11-6.7.0 (already compiled xorg-X11-6.7.0-r1).
Followed quickstart.pdf from the site but it breaks my X, so at last my questions:
1. What are the optimal or maximal PaX settings for a working X?
it depends on how your X server is configured/patched. the hardened gentoo effort is a work in progress, as far as the desktop is concerned, so getting a modular X server to run with full PaX on is not all automated yet (but it's possible, i've been running it for 1.5+ years myself). the biggest problem with X is its own home grown module loader that does some silly things on ELF platforms (equivalent of runtime code generation vs. normal file mappings). this is being fixed in the main X tree but it will take a while to sort out all the module dependencies: http://bugs.gentoo.org/show_bug.cgi?id=49038 and http://freedesktop.org/bugzilla/show_bug.cgi?id=400. there's also a problem with text relocations although gentoo already has the patches for 4.3, i'll update them for 4.4 once the dlloader works fine. ssp also brings some problems but i think that's a gentoo specific toolchain issue. so what does that leave you with today? the static server (USE=static) should be ok as it doesn't use the module loader nor will it have text relocations (i don't know about ssp but i think it will fine too).
2. Are there any problems with grsecurity and X?
beyond the PaX related issues there's the /dev/mem and I/O restrictions that can't be used with X right now (these features need a finer grained control, which is on our todo list).

PostPosted: Tue Jun 15, 2004 12:57 pm
by ray
Hi all,
Followed the quickstart-guide setup, quite good (many things are ON) and it's working, even with X-server, compiled (USE="static -hardened") of course. Small drawback - nvidia's binary driver isn't working, even after nvidia-kernel-5336-r4 ver. install, but i can live w/o it for now (using NV).
paxtest-0.9.5 gives the following:
Test results:
PaXtest - Copyright(c) 2003 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Executable stack (mprotect) : Killed
Anonymous mapping randomisation test : 16 bits (guessed)
Heap randomisation test (ET_EXEC) : 25 bits (guessed)
Heap randomisation test (ET_DYN) : 25 bits (guessed)
Main executable randomisation (ET_EXEC) : 17 bits (guessed)
Main executable randomisation (ET_DYN) : 17 bits (guessed)
Shared library randomisation test : 16 bits (guessed)
Stack randomisation test (SEGMEXEC) : 23 bits (guessed)
Stack randomisation test (PAGEEXEC) : 23 bits (guessed)
Return to function (strcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : Vulnerable
Return to function (memcpy) : Vulnerable
Return to function (memcpy, RANDEXEC) : Vulnerable
Executable shared library bss : Killed
Executable shared library data : Killed
Writable text segments : Killed
...END CUT ...
There are still 4 marked 'Vulnerable'.
Could something be done about them?
TIA.
Rumen.

PostPosted: Tue Jun 15, 2004 1:05 pm
by ray
Hi again,
Forgot to say. Tried to compile paxtest-0.9.6 and the protection (or other) has prevented me from doing so.
...BEGIN CUT...
make -f Makefile.Gentoo
make[1]: Entering directory `/home/gentoo/src/paxtest-0.9.6'
gcc -specs=dumpspecs -O2 -DRUNDIR=\"/usr/lib/paxtest\" -fno-stack-protector -fPIC -DPIC -o shlibtest.o -c shlibtest.c
gcc -specs=dumpspecs -shared -o shlibtest.so shlibtest.o
gcc -specs=dumpspecs -O2 -DRUNDIR=\"/usr/lib/paxtest\" -fno-stack-protector -fPIC -DPIC -o shlibtest2.o -c shlibtest2.c
gcc -specs=dumpspecs -shared -o shlibtest2.so shlibtest2.o
gcc -specs=dumpspecs -O2 -DRUNDIR=\"/usr/lib/paxtest\" -fno-stack-protector -o body.o -c body.c
gcc -specs=dumpspecs -O2 -DRUNDIR=\"/usr/lib/paxtest\" -fno-stack-protector -o anonmap.o -c anonmap.c
gcc -specs=dumpspecs -o anonmap body.o anonmap.o
body.o(.text+0x131): In function `main':
: undefined reference to `pthread_create'
body.o(.text+0x14a): In function `main':
: undefined reference to `pthread_kill'
collect2: ld returned 1 exit status
make[1]: *** [anonmap] Error 1
rm shlibtest.o shlibtest2.o
make[1]: Leaving directory `/home/gentoo/src/paxtest-0.9.6'
make: *** [gentoo] Error 2
...END CUT...
May have some issues because of recent rebuild of glibc w/o NPTL and removal of linux-headers-2.6.x.
TIA again.
Rumen.

PostPosted: Fri Jun 18, 2004 5:37 am
by PaX Team
ray wrote: nvidia's binary driver isn't working, even after nvidia-kernel-5336-r4 ver. install, but i can live w/o it for now (using NV).
afaik, the static server won't load modules, you'd have to compile that driver into the X server itself.
There are still 4 marked 'Vulnerable'.
Could something be done about them?
yes, searching the board would have led you to http://forums.grsecurity.net/viewtopic.php?t=719. as for paxtest 0.9.6, it's a known problem and i've had patches for fixing this and other things, just no time to make my own release yet.

PostPosted: Fri Jun 18, 2004 3:06 pm
by ray
Thanks,
First for the nvidia thing. As the nvidia.ko (kernel) module is loaded with the kernel i think it's OK. Is this the binary part of the driver or it's the glx part or both?
So i'll have to (eventually) recompile xorg-X11 (static) with nvidia-glx included in order to have it included and working?
Any known issues with use of USE="static" xorg-x11-r1 (hardened is ON by default)?
Thanks to solar (gentoo-dev) compiled paxtest-0.9.6 (edited LDFLAGS=-lpthread in makefile).
TIA.
Rumen.