grsecurity forums

[x14sg1]

Hello,

I enabled GRKERNSEC_IO in my last kernel build (3.10.7-201308171249) after
reading the comments about hwclock below. I have verified that the 3 RTC_*
config options below are set. However, I get the error in the subject line. Shouldn't
hwclock work? I can email you my config if you want it. Comcast will not let me upload it at the moment.

Thanks,

Tim

+config GRKERNSEC_IO
+ bool "Disable privileged I/O"
+ default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER)
+ depends on X86
+ select RTC_CLASS
+ select RTC_INTF_DEV
+ select RTC_DRV_CMOS
+
+ help
+ If you say Y here, all ioperm and iopl calls will return an error.
+ Ioperm and iopl can be used to modify the running kernel.
+ Unfortunately, some programs need this access to operate properly,
+ the most notable of which are XFree86 and hwclock. hwclock can be
+ remedied by having RTC support in the kernel, so real-time
+ clock support is enabled if this option is enabled, to ensure
+ that hwclock operates correctly. XFree86 still will not
+ operate correctly with this option enabled, so DO NOT CHOOSE Y
+ IF YOU USE XFree86. If you use XFree86 and you still want to
+ protect your kernel against modification, use the RBAC system.

[x14sg1]

My config file:

https://home.comcast.net/~x14sg1/config

[tigusoft2]

My config file:

https://home.comcast.net/~x14sg1/config

Is this the correct file, where are the "GRKERNSEC" options?

[x14sg1]

Sorry, I uploaded the wrong kernel. I compile a non-grsec kernel for the host I run Virtualbox on, as I haven't had a chance to investigate what I need to turn off to run Virtualbox with a grsec kernel (probably one or both of KERNEXEC and UDEREF, probably others).

The correct .config was uploaded (and the problem happens with the latest patch -
grsecurity-2.9.1-3.10.7-201308181813.patch)

https://home.comcast.net/~x14sg1/config

[x14sg1]

Hello,

The behavior is the same with the grsecurity-2.9.1-3.10.7-201308192211.patch.

Can anyone run hwclock with GRKERNSEC_IO enabled without getting the "denied use of iopl()" message in the subject line?

[spender]

Can you give me an strace of hwclock with the same arguments used during startup?

-Brad

[x14sg1]

from hwclock on shutdown

https://home.comcast.net/~x14sg1/hwclock.strace

from hwclock on startup

https://home.comcast.net/~x14sg1/hwclock.strace.2

[spender]

Hi,

This is because you're using the --directisa argument to hwclock. Remove it from whatever init script is forcing it, and then hwclock will attempt to use /dev/rtc instead of immediately going the iopl route.

-Brad

[x14sg1]

Thanks - verified it works

I realized after I posted it and left for work I should have tried that.