Problems with rbac and paxctl

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Postby Undine » Thu Sep 08, 2011 7:25 am

Hello, everyone!
I am really excited about grsecurity's RBAC system; it is really cool and secure. But one thing sometimes spoils its usage.
The modern Quake 3 engine called ioquake3 uses executable memory pages and calls mprotect with PROT_EXEC. On a system without RBAC I can easily allow it to call mprotect with this flag by using paxctl, but not with RBAC enabled. RBAC refuses the mprotect call even with the NOMPROTECT flag stored in the executable. The following message is printed:
kernel: grsec: (undine:U:/games/quake3/ioquake3.x86_64) denied executable mprotect of /dev/zero by /games/quake3/ioquake3.x86_64[ioquake3.x86_64:18001] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:18000] uid/euid:1000/1000 gid/egid:1000/1000

RBAC points to /dev/zero, but /dev/zero is never opened by the program.
I tried to add /dev/zero with 'rx' object flags, without any luck.
How can I resolve this issue without patching ioquake3?
Undine
 
Posts: 46
Joined: Thu Sep 08, 2011 7:08 am

Re: Problems with rbac and paxctl

Postby spender » Thu Sep 08, 2011 11:25 am

What kernel are you using? This should have been fixed already, as the RBAC special handling for mmap/mprotect of writable "libraries" should now only apply to regular (not block/fifo/etc) files.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Problems with rbac and paxctl

Postby Undine » Thu Sep 08, 2011 11:55 am

I use 2.6.32.41 with the identical patch applied (2.6.32.41-201106132135). I recently rebuilt this stable kernel with RBAC enabled.
Undine
 
Posts: 46
Joined: Thu Sep 08, 2011 7:08 am

Re: Problems with rbac and paxctl

Postby spender » Thu Sep 08, 2011 12:07 pm

First, try adding "x" to the subject mode to allow for writable and executable shared memory. If that does not solve the issue, remove the "x" and paste the subject here, as I don't know of any other reason why it wouldn't work if configured correctly.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Problems with rbac and paxctl

Postby Undine » Thu Sep 08, 2011 1:33 pm

spender wrote:First, try adding "x" to the subject mode to allow for writable and executable shared memory.
-Brad

gradm reports an invalid mode:
"x" caused a invalid character on line 3504 of /etc/grsec/policy

This is the whole subject:
subject /games/quake3/ioquake3.x86_64 ox {
        /                               h
        /dev                            h
        /dev/dri
        /dev/dri/card0                  rw
        /dev/snd/controlC0              rw
        /dev/snd/pcmC0D0p               ra
        /dev/snd/timer                  r
        /etc                            r
        /etc/grsec                      h
        /etc/gshadow                    h
        /etc/gshadow-                   h
        /etc/ppp                        h
        /etc/samba/smbpasswd            h
        /etc/shadow                     h
        /etc/shadow-                    h
        /etc/ssh                        h
        /lib64                          rx
        /games
        /games/quake3                   r
        /games/q3data                   rwac
        /games/quake3/ioquake3.x86_64      x
        /proc
        /proc/bus                       h
        /proc/cpuinfo                   r
        /proc/kallsyms                  h
        /proc/kcore                     h
        /proc/meminfo                   r
        /proc/modules                   h
        /proc/slabinfo                  h
        /proc/sys                       h
        /usr                            h
# Also includes X11 libs
        /usr/lib64                      rx
        /home                           h
        /home/undine
        /home/undine/.q3a               r
        /home/undine/.Xauthority        r
        /home/undine/.alsaequal.bin     rw
        /home/undine/.asoundrc          r
        /usr/share                      r
        /var                            h
        /var/run
        -CAP_ALL
        bind 0.0.0.0/32:27960 dgram udp
        connect disabled
}
Undine
 
Posts: 46
Joined: Thu Sep 08, 2011 7:08 am

Re: Problems with rbac and paxctl

Postby spender » Thu Sep 08, 2011 7:40 pm

The "x" mode should be supported if you downloaded the latest gradm at the time that you downloaded the stable patch. They were both updated 2 days before the patch you downloaded.

Can you show me the log when you add /dev/zero rwx to the subject?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Problems with rbac and paxctl

Postby Undine » Fri Sep 09, 2011 7:11 am

Hm, I am using gradm-2.2.2-201106072007 now.
rwx did not help: same message and nothing more. I tried adding 'rwx' to /dev/zero in the root subject, with no success either (the kernel once killed the program when I removed 'x' from the game directory in the '/' subject in the policy).
I wrote a simple hello world which checks whether we can use mprotect with that flag or not, and it successfully passed the test with paxctl. So maybe the problem is in ioquake3?
One more thing: I spent much time debugging this before the mprotect issue was raised, because the whole of /games is a network mount point from another host.
Undine
 
Posts: 46
Joined: Thu Sep 08, 2011 7:08 am

Re: Problems with rbac and paxctl

Postby spender » Fri Sep 09, 2011 9:46 am

Is the subject you pasted me from the undine role, or from another role?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Problems with rbac and paxctl

Postby Undine » Fri Sep 09, 2011 9:55 am

spender wrote:Is the subject you pasted me from the undine role, or from another role?

-Brad

From the undine user role.
Undine
 
Posts: 46
Joined: Thu Sep 08, 2011 7:08 am

Re: Problems with rbac and paxctl

Postby Undine » Fri Sep 23, 2011 2:31 pm

I'm so sorry for misleading you in that way, spender. Thanks a lot for your help; I just got lost in gradm2 versions. I just now got this (the newer version already contains GR_SHMEXEC, which my kernel already supports). Problem solved.
Undine
 
Posts: 46
Joined: Thu Sep 08, 2011 7:08 am
