GDB problems

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

GDB problems

Postby wolfpaw » Thu Sep 25, 2003 2:40 am

Hi all :)

I get the following error when users run GDB (or I do it in admin mode):

GNU gdb 5.3
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(gdb) run 3000
Starting program: /home/mud/lots/lotscode/dist/src/swreality 3000
Warning:
Cannot insert breakpoint -2.
Error accessing memory address 0x2b7f4120: Input/output error.
The same program may be running in another process.
(gdb)

I checked the forum, and the documentation which claimed that I could do something like this:

/home PSMR {

}

to allow debugging of applications, but it doesn't work. ChPAX won't work for us, because this is a mud service (shells, etc), and the binaries get recompiled all the time.

If anyone can shed some light, Id be grateful :)

Regards,
Dale.

My config for GRSec is:

#
# Grsecurity
#
CONFIG_GRKERNSEC=y
CONFIG_CRYPTO=y
CONFIG_CRYPTO_SHA256=y
CONFIG_GRKERNSEC_CUSTOM=y

#
# Address Space Protection
#
CONFIG_GRKERNSEC_PAX_NOEXEC=y
# CONFIG_GRKERNSEC_PAX_PAGEEXEC is not set
CONFIG_GRKERNSEC_PAX_SEGMEXEC=y
# CONFIG_GRKERNSEC_PAX_EMUTRAMP is not set
CONFIG_GRKERNSEC_PAX_MPROTECT=y
# CONFIG_GRKERNSEC_PAX_NOELFRELOCS is not set
CONFIG_GRKERNSEC_PAX_KERNEXEC=y
CONFIG_GRKERNSEC_PAX_ASLR=y
# CONFIG_GRKERNSEC_PAX_RANDKSTACK is not set
CONFIG_GRKERNSEC_PAX_RANDUSTACK=y
CONFIG_GRKERNSEC_PAX_RANDMMAP=y
CONFIG_GRKERNSEC_PAX_RANDEXEC=y
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_RTC=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_HIDESYM=y

#
# ACL options
#
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=3600

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=1001
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y

#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
CONFIG_GRKERNSEC_TPE=y
# CONFIG_GRKERNSEC_TPE_ALL is not set
CONFIG_GRKERNSEC_TPE_GID=1005

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDISN=y
CONFIG_GRKERNSEC_RANDID=y
CONFIG_GRKERNSEC_RANDSRC=y
CONFIG_GRKERNSEC_RANDRPC=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl support
#
CONFIG_GRKERNSEC_SYSCTL=y

#
# Logging options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4

Running grsec 1.9.12 on linux 2.4.22
(with reisferfs patches for quota and data logging applied if this
matters at all)

If you need to see ACL's please let me know - Thanks :)
wolfpaw
 
Posts: 9
Joined: Mon Sep 22, 2003 10:46 am

Postby Julien TINNES » Sun Sep 28, 2003 7:15 am

With 'Software breakpoints', gdb needs to modify executable code, which is exactly what NOEXEC/MPROTECT features from PaX are preventing.

You can use hardware breakpoints, or
Use software breakpoints and: Disable SEGMEXEC in kernel, or use chpax on the executable (to disable SEGMEXEC), or use the ACL system (to disable SEGMEXEC)
Julien TINNES
 
Posts: 4
Joined: Tue Sep 09, 2003 7:47 pm

Postby darko » Sun Sep 28, 2003 10:51 am

Hi, you could create a wrapper for gdb (the wrapper would disable pax protections on the binary, using chpax), or even a wrapper for gcc...

I made a simple wrapper for gcc, until now everyone seems to be happy with it, you just have to rename the original gcc binary.

Code: Select all

#!/usr/bin/env python2
# Simple gcc wrapper
                                                                               
from sys import argv
from os import spawnvp,P_WAIT,spawnlp,access,F_OK
from string import find

### vars ###                                                                               
ARG = '-o'
DEFAULT = 'a.out'
OFILE = '.o'
                                                                               
### functions ###                                                                               
def changeBinary(path):
    spawnlp(P_WAIT, '/usr/bin/bf', 'bf', '-s', path);
    spawnlp(P_WAIT, '/usr/bin/bf', 'bf', '-m', path);
                                                                               
def spawnGcc(args):
    spawnvp(P_WAIT, 'gcc.bin', args)

### main ###                                                                               
spawnGcc(argv)
                                                                               
if(argv.__contains__(ARG) and argv.count(ARG) == 1):
    output = argv[argv.index(ARG)+1]
    if(find(output, OFILE) == -1):
        changeBinary(output)
else:
    if(access(DEFAULT, F_OK)):
        changeBinary(DEFAULT)


Use it, modify it, as you seem fit. I hope it helps....

Regards,
João
darko
 
Posts: 9
Joined: Thu Jun 12, 2003 8:22 am

Postby wolfpaw » Tue Sep 30, 2003 2:36 pm

Works wonderfully, thank you very much :)

Now to get 2.0 working with my old acl's.. bleh.

Regards,
Dale.
wolfpaw
 
Posts: 9
Joined: Mon Sep 22, 2003 10:46 am


Return to grsecurity support