For quite some time prior to grsecurity-3.0-3.12.6-201401021726.patch I was able to successfully run Firefox 26 with the PaX flags PSmXEr and Python 2.7.6 with PSmXER flags. I missed a couple versions there before 3.0-3.12.6-201401021726, so the problem may've been introduced before then.
With grsecurity-3.0-3.12.7-201401120824.patch (Linux localhost.localdomain 3.12.7-2-grsec #1 SMP PREEMPT Mon Jan 13 20:21:45 UTC 2014 x86_64 GNU/Linux) when I launch Firefox or Python 2.7 they are immediately killed. Strangely, I see no log entry in dmesg about the killing of the process as I am accustomed.
A strace of Firefox under this kernel shows only:
- Code: Select all
execve("/usr/bin/firefox", ["firefox"], [/* 16 vars */] <unfinished ...>
+++ killed by SIGKILL +++
Killed
Python shows the same.
I tried setting psmxer on both binaries with paxctl, but this didn't change the situation.
I spent some time tweaking with GRKERNSEC/PaX features in the config this weekend and never found a successful formula on either hardware or virtualized systems.
When I got in to the office this morning, I took a look to see how things worked with the patch from January 2nd (which I had running on a couple test systems, it's uname-a: Linux localhost.localdomain 3.12.6-4-grsec #1 SMP PREEMPT Tue Jan 7 02:45:29 UTC 2014 x86_64 GNU/Linux). I was still unable to run Firefox, but got more from the strace this time, here are the last couple lines:
- Code: Select all
mmap(NULL, 1048576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x6dfb1c700000
mmap(NULL, 2097152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x6dfb1c400000
munmap(0x6dfb1c500000, 1048576) = 0
mmap(NULL, 65536, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = -1 EPERM (Operation not permitted)
+++ killed by SIGKILL (core dumped) +++
This version also provided the log messages I've come to expect:
- Code: Select all
[ 182.258525] grsec: denied RWX mmap of <anonymous mapping> by /usr/lib/firefox/firefox[firefox:367] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/bash[bash:366] uid/euid:1000/1000 gid/egid:1000/1000
[ 182.258558] PAX: execution attempt in: (null), 00000000-00000000 00000000
[ 182.258562] PAX: terminating task: /usr/lib/firefox/firefox(firefox):367, uid/euid: 1000/1000, PC: (nil), SP: 00007c172aa1c768
[ 182.258565] PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
[ 182.258588] PAX: bytes at SP-8: 00006e4097a68d00 00006e40964e1ea1 0000000000000009 00007c172aa1c7b0 00007c172aa1cc70 00006e40964f837f 00006e4084a94448 0000000000000000 00006e408508c580 00006e40851dac00 00006e4000000000
[ 182.266617] grsec: denied resource overstep by requesting 64 for RLIMIT_CORE against limit 0 for /usr/lib/firefox/firefox[firefox:367] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/bash[bash:366] uid/euid:1000/1000 gid/egid:1000/1000
[ 182.266633] grsec: denied resource overstep by requesting 120 for RLIMIT_CORE against limit 0 for /usr/lib/firefox/firefox[firefox:367] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/bash[bash:366] uid/euid:1000/1000 gid/egid:1000/1000
[ 182.266643] grsec: denied resource overstep by requesting 176 for RLIMIT_CORE against limit 0 for /usr/lib/firefox/firefox[firefox:367] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/bash[bash:366] uid/euid:1000/1000 gid/egid:1000/1000
[ 182.266652] grsec: denied resource overstep by requesting 232 for RLIMIT_CORE against limit 0 for /usr/lib/firefox/firefox[firefox:367] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/bash[bash:366] uid/euid:1000/1000 gid/egid:1000/1000
[ 182.266661] grsec: denied resource overstep by requesting 288 for RLIMIT_CORE against limit 0 for /usr/lib/firefox/firefox[firefox:367] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/bash[bash:366] uid/euid:1000/1000 gid/egid:1000/1000
[ 182.266671] grsec: denied resource overstep by requesting 344 for RLIMIT_CORE against limit 0 for /usr/lib/firefox/firefox[firefox:367] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/bash[bash:366] uid/euid:1000/1000 gid/egid:1000/1000
[ 182.266673] grsec: more alerts, logging disabled for 10 seconds
[ 454.971453] grsec: process /usr/bin/strace(strace:418) attached to via ptrace by /usr/bin/strace[strace:416] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/bash[bash:366] uid/euid:1000/1000 gid/egid:1000/1000
[ 454.971767] grsec: process /usr/bin/strace(strace:419) attached to via ptrace by /usr/bin/strace[strace:416] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/bash[bash:366] uid/euid:1000/1000 gid/egid:1000/1000
[ 455.902450] grsec: denied RWX mmap of <anonymous mapping> by /usr/lib/firefox/firefox[firefox:419] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/strace[strace:416] uid/euid:1000/1000 gid/egid:1000/1000
[ 455.902890] PAX: execution attempt in: (null), 00000000-00000000 00000000
[ 455.902895] PAX: terminating task: /usr/lib/firefox/firefox(firefox):419, uid/euid: 1000/1000, PC: (nil), SP: 0000750380584288
[ 455.902897] PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
[ 455.902926] PAX: bytes at SP-8: 00006996e0968d00 00006996df3e1ea1 0000000000000009 00006996da87baf4 00006996d00c1be0 00006996d00c1be0 00006996e05754b0 00006996de76213d 00007503805847e0 0000750380584400 00006996e0968d00
[ 455.903165] grsec: denied resource overstep by requesting 64 for RLIMIT_CORE against limit 0 for /usr/lib/firefox/firefox[firefox:419] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/strace[strace:416] uid/euid:1000/1000 gid/egid:1000/1000
[ 455.903175] grsec: denied resource overstep by requesting 120 for RLIMIT_CORE against limit 0 for /usr/lib/firefox/firefox[firefox:419] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/strace[strace:416] uid/euid:1000/1000 gid/egid:1000/1000
[ 455.903181] grsec: denied resource overstep by requesting 176 for RLIMIT_CORE against limit 0 for /usr/lib/firefox/firefox[firefox:419] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/strace[strace:416] uid/euid:1000/1000 gid/egid:1000/1000
[ 455.903188] grsec: denied resource overstep by requesting 232 for RLIMIT_CORE against limit 0 for /usr/lib/firefox/firefox[firefox:419] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/strace[strace:416] uid/euid:1000/1000 gid/egid:1000/1000
[ 455.903194] grsec: denied resource overstep by requesting 288 for RLIMIT_CORE against limit 0 for /usr/lib/firefox/firefox[firefox:419] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/strace[strace:416] uid/euid:1000/1000 gid/egid:1000/1000
[ 455.903200] grsec: denied resource overstep by requesting 344 for RLIMIT_CORE against limit 0 for /usr/lib/firefox/firefox[firefox:419] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/strace[strace:416] uid/euid:1000/1000 gid/egid:1000/1000
[ 455.903202] grsec: more alerts, logging disabled for 10 seconds
For both, I used this config...
zgrep GRKERN /proc/config.gz:
- Code: Select all
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_CONFIG_AUTO is not set
CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
CONFIG_GRKERNSEC_PROC_GID=9998
CONFIG_GRKERNSEC_TPE_TRUSTED_GID=9999
CONFIG_GRKERNSEC_SYMLINKOWN_GID=33
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_JIT_HARDEN=y
CONFIG_GRKERNSEC_PERF_HARDEN=y
CONFIG_GRKERNSEC_RAND_THREADSTACK=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_KERN_LOCKOUT=y
# CONFIG_GRKERNSEC_NO_RBAC is not set
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_SYMLINKOWN=y
CONFIG_GRKERNSEC_FIFO=y
# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
CONFIG_GRKERNSEC_ROFS=y
CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
CONFIG_GRKERNSEC_CHROOT_INITRD=y
CONFIG_GRKERNSEC_AUDIT_GROUP=y
CONFIG_GRKERNSEC_AUDIT_GID=9994
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_PTRACE=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_RWXMAP_LOG=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_READEXEC=y
CONFIG_GRKERNSEC_SETXID=y
CONFIG_GRKERNSEC_HARDEN_IPC=y
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
CONFIG_GRKERNSEC_TPE_INVERT=y
CONFIG_GRKERNSEC_TPE_GID=9999
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_BLACKHOLE=y
CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
CONFIG_GRKERNSEC_SOCKET=y
I believe the Arch user Ahmad24 was/is likely experiencing similar problems (at least with grsecurity-3.0-3.12.6-201401021726), based on their post in the AUR comments for the linux-grsec PKGBUILD.
Please let me know if I can provide any additional details, re-try something or otherwise make it easier to help with this issue.