grsecurity forums

input data:
`'`'`'`'`'``'
gentoo distribution
kernel 2.6.7 with grsecurity applied ( from /~spender
sun jdk 1.4.2.04 (also tested blackdown 1.4.1 and 1.4.2_rc1)
paxctl 0.2
chpax 0.6.1 (also tested 0.7)
browser with java plugin affected: all (opera,konqueror, mozilla)

results:
`'`'``'`
1. chpax modification of correct (?) jdk .so files results in flags being properly written (chpax -v shows changes)
2. but java segfaults
3. due to fact (look below for .config) that I enabled CONFIG_PAX_PT_PAX_FLAGS=y i think that paxctl usage is critical, but paxctl -v BINARY shows nothing
4. browser/java still segfaults

any ideas ??


questions unanswered:
`'`'`'`'`'`'``'`'`'`'`'`'`'
1. will java compiled from scratch with patched binutils work ? /it is compiling now, so we will see in few hours /
2. which one should i use chpax/paxctl for:
a. binaries built with patched binutils
b. binaries built without patched binutils
3. ekhmm maybe i chpax'ed/paxctl'ed wrong files ???



my kernel .config related to pax:
`'``'`'`'`'``'`'`'`'`'`'`'`'`'``'`'`'
#
# PaX Control
#
CONFIG_PAX_SOFTMODE=y
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
# CONFIG_PAX_PAGEEXEC is not set
CONFIG_PAX_SEGMEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_NOELFRELOCS is not set

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_RANDEXEC is not set
CONFIG_PAX_NOVSYSCALL=y
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_CAPABILITIES=y
CONFIG_SECURITY_ROOTPLUG=m
CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# CONFIG_SECURITY_SELINUX_DEVELOP is not set
# CONFIG_SECURITY_SELINUX_MLS is not set

paxctl only works for binaries with the pax flag fields in the binary. Other binaries must be dealth with chpax.

By the way, you have enabled softmode. This means, if I don't remember entirely wrong, that pax is enabled only for certain binaries. Not for all. So your java binaries shouldn't even be affected in the first place, unless you enable the protection with chpax.

afaik softmode is enabled only if specified on kernel boot param. i didnt do it, so its not enable. correct me if im wrong.

chpax on java binaries has no effect on this system (marked but sitll core dumps). (A)

paxctl has effect on X on this system (with success), while chpax on X was not enough!!! (B)

paxctl on old binaries (non java, no new binutils), shows correctly its state. But on java binaries it shows just version info and exits (C)

A+B+C leads me to conclusion that there is some bug/problem ???

oh, normal binaries are enabled per default with chpax. you have to explicit mark them to disable protection. i think its a default behabiour.


unfortunatly, java from sources segfaults on build so i can not test it as i wrote in my last post. still no solution to my problem :/

radek wrote:afaik softmode is enabled only if specified on kernel boot param. i didnt do it, so its not enable. correct me if im wrong.

correct, softmode must be explicitly activated, that can be the boot option or a sysctl later. and you can always change the source code of course .

chpax on java binaries has no effect on this system (marked but sitll core dumps). (A)
paxctl has effect on X on this system (with success), while chpax on X was not enough!!! (B)

if your java binaries carry the PT_PAX_FLAGS marking then chpax has zero effect in your case as PT_PAX_FLAGS kernel support takes precedence over EI_PAX (the configure help says so too).

paxctl on old binaries (non java, no new binutils), shows correctly its state. But on java binaries it shows just version info and exits (C)

binaries created with a non-patched binutils don't have PT_PAX_FLAGS therefore paxctl can't possibly print it (let alone change the flags there). on the other hand your java binaries are apparently not marked by PT_PAX_FLAGS therefore you have to use chpax on them (and only on executables, marking libraries achieves nothing). from my own experience, you have to disable not only the non-exec feature but also randomization to get java to work, have you done that?