Page 1 of 1

RBAC and java

PostPosted: Tue Feb 26, 2008 2:12 pm
by bsxx
I cannot run java in grsec kernel.
I tried apply settings like:
Code: Select all
subject /home/knoppix/jre1.6.0_03/bin/java {
        /             h
   /home/knoppix/jre1.6.0_03   rx
   /home/knoppix/azureus      rwxcd
   /home/knoppix/.azureus      rwcdl
   "/home/knoppix/angielski pobieranie" rwcdl
   -CAP_ALL
   -PAX_SEGMEXEC
   -PAX_PAGEEXEC
   -PAX_MPROTECT
   -PAX_RANDMMAP
   -PAX_EMUTRAMP
   bind 127.0.0.1/32 stream tcp
   bind 0.0.0.0/32:1024-65535 stream dgram ip tcp udp
   bind 0.0.0.0/32:0 stream dgram ip tcp udp
   connect 192.168.1.1/32 stream dgram tcp udp
   connect 192.168.1.1/32 stream dgram tcp udp
   connect 0.0.0.0/0:1024-65535 stream dgram tcp udp
   connect 0.0.0.0/0:53 stream dgram tcp udp
   connect 0.0.0.0/0:80 stream dgram tcp udp
   connect 0.0.0.0/0:31 stream dgram tcp udp
}


and I have got messages:
Code: Select all
Feb 26 18:56:41 localhost kernel: PAX: execution attempt in: <anonymous mapping>, 52bd9000-52c01000 52bd9000
Feb 26 18:56:41 localhost kernel: PAX: terminating task: /home/knoppix/jre1.6.0_03/bin/java(java):5901, uid/euid: 500/500, PC: 52bd9040, SP: 54c97f7c
Feb 26 18:56:41 localhost kernel: PAX: bytes at PC: 55 8b 6c 24 08 53 56 9c 58 50 8b c8 81 f0 00 00 04 00 50 9d
Feb 26 18:56:41 localhost kernel: PAX: bytes at SP-4: 00000002 5508484e 550ec660 00000000 555767f1 00000003 00000000 00000005 00000002 52bd9040 00000006 ffffffff ffffffff 0000000c 550e75a8 00000000 00000000 00000010 00000002 08062938 00000000
Feb 26 18:56:41 localhost kernel: grsec: (knoppix:U:/) denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /home/knoppix/jre1.6.0_03/bin/java[java:5901] uid/euid:500/500 gid/egid:500/500, parent /home/knoppix/azureus/azureus[azureus:5896] uid/euid:500/500 gid/egid:500/500
Feb 26 18:56:42 localhost kernel: PAX: execution attempt in: <anonymous mapping>, 50187000-501af000 50187000
Feb 26 18:56:42 localhost kernel: PAX: terminating task: /home/knoppix/jre1.6.0_03/bin/java(java):5905, uid/euid: 500/500, PC: 50187040, SP: 52245f7c
Feb 26 18:56:42 localhost kernel: PAX: bytes at PC: 55 8b 6c 24 08 53 56 9c 58 50 8b c8 81 f0 00 00 04 00 50 9d
Feb 26 18:56:42 localhost kernel: PAX: bytes at SP-4: 00000002 5263284e 5269a660 00000000 52b247f1 00000003 00000000 00000005 00000002 50187040 00000006 ffffffff ffffffff 0000000c 526955a8 00000000 00000000 00000010 00000002 0805f020 00000000
Feb 26 18:56:42 localhost kernel: grsec: (knoppix:U:/) denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /home/knoppix/jre1.6.0_03/bin/java[java:5905] uid/euid:500/500 gid/egid:500/500, parent /home/knoppix/azureus/azureus[azureus:5896] uid/euid:500/500 gid/egid:500/500
Feb 26 18:56:42 localhost kernel: PAX: execution attempt in: <anonymous mapping>, 4e3f8000-4e420000 4e3f8000
Feb 26 18:56:42 localhost kernel: PAX: terminating task: /home/knoppix/jre1.6.0_03/bin/java(java):5907, uid/euid: 500/500, PC: 4e3f8040, SP: 504b6f7c
Feb 26 18:56:42 localhost kernel: PAX: bytes at PC: 55 8b 6c 24 08 53 56 9c 58 50 8b c8 81 f0 00 00 04 00 50 9d
Feb 26 18:56:42 localhost kernel: PAX: bytes at SP-4: 00000002 508a384e 5090b660 00000000 50d957f1 00000003 00000000 00000005 00000002 4e3f8040 00000006 ffffffff ffffffff 0000000c 509065a8 00000000 00000000 00000010 00000002 08063258 00000000


Could anyone help me with this settings?

Re: RBAC and java

PostPosted: Tue Feb 26, 2008 8:35 pm
by PaX Team
bsxx wrote:I cannot run java in grsec kernel.
I tried apply settings like:
Code: Select all
subject /home/knoppix/jre1.6.0_03/bin/java {
   -PAX_SEGMEXEC
   -PAX_PAGEEXEC
   -PAX_MPROTECT
   -PAX_RANDMMAP
   -PAX_EMUTRAMP
}
are you sure you set grsecurity/RBAC to control the PaX flags (PAX_HAVE_ACL_FLAGS)? also java can run with MPROTECT disabled only.

Re: RBAC and java

PostPosted: Fri Feb 29, 2008 1:24 pm
by bsxx
I have set PAX_HAVE_ACL_FLAG, but when I disable kernel CONFIG_PAX_MPROTECT java works.

Re: RBAC and java

PostPosted: Sun Mar 02, 2008 4:52 am
by PaX Team
bsxx wrote:I have set PAX_HAVE_ACL_FLAG, but when I disable kernel CONFIG_PAX_MPROTECT java works.
ok, so it looks like some RBAC problem as seemingly MPROTECT doesn't get disabled when you use it to control MPROTECT et al. you should not disable MPROTECT in .config however as it'll disable it for all apps then, better bug spender to look into it (email him your policy and other info).