Grsecurity for 2.4.23 vs i855 centrino laptop

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Postby siti » Sun Jan 11, 2004 3:58 am

You want to grab "chpax" from pax.grsecurity.net (or if debian includes a package for it?).

Then on the programs that have problems you can do a "chpax -s PROGRAM" to stop enforcing no exec pages on it so then the offending program will work but not have the protection unfornotly. Also to see all the options with chpax you can run "chpax -h". Although there is not point disabling options that are not included in your kernel :)
siti
 
Posts: 18
Joined: Fri Aug 08, 2003 6:30 pm

Re: Grsecurity for 2.4.23 vs i855 centrino laptop

Postby PaX Team » Sun Jan 11, 2004 6:52 am

mikeeusa wrote:I aquired my new laptop, installed debian, installed X 4.3, worked great, had a wholy insecure kernel, needed to be hardened... So i put 2.4.24 on tha down-low and then kicked up my server's kernel config into the machiene, disabled the diablining of privledged IO and disabled enforcing non-executable stacks....
[...]
still no go, X complains of some symbols in its files... and then tells me it cant find any screens.
can you please post your .config and the XFree86 logs (and maybe any relevant kernel logs from grsec/PaX)?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: Kern COnfig and X log files:

Postby PaX Team » Sun Jan 11, 2004 8:11 pm

mikeeusa wrote:https://cat2.ath.cx/cat2/kernconfig.txt
https://cat2.ath.cx/cat2/xerrors.txt
https://cat2.ath.cx/cat2/kernlog.txt
for a start, disable CONFIG_GRKERNSEC_KMEM and it will hopefully work. but before you do that, could you run a strace -e trace=open,close,old_mmap,mmap2,munmap,mprotect on your server binary directly? it seems that your server wants to map the video BIOS in some unexpected way, would be nice to see the exact numbers.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby PaX Team » Mon Jan 12, 2004 6:09 am

mikeeusa wrote::) Here's the strace output (on xinit)
thanks but i really need it on the server binary itself, /etc/X11/X is normally a symlink to it or try /usr/X11/bin/XFree86 (or try strace -f on xinit). you will know you got the right one when you'll see a failed old_mmap request towards the end of the trace (that would be the video BIOS mapping attempt).
can i chpax X to something to make it work (what would i have to chpax it to, which binaries do you think? just xinit?)
no, this is really the /dev/mem restrictions that you ran into, your X server wanted to mmap the physical memory range of the video BIOS for writing - that's a no-no at least until we know what that range is exactly and can grant an explicit exception, hence my need for the strace output ;-).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: Strace Output on /etc/X11/X as requested

Postby PaX Team » Sun Jan 18, 2004 10:36 am

mikeeusa wrote:[...]
open("/etc/libsafe.exclude", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/X11/Xwrapper.config", O_RDONLY) = 3
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x495b2000
close(3) = 0
munmap(0x495b2000, 4096) = 0
is this the full trace? it doesn't look like it ever got to mapping any of the X drivers or the failed mmap() of the video BIOS...
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby PaX Team » Thu Jan 22, 2004 11:32 am

mikeeusa wrote:OOo, does it need to be run withou the -pm flags?
I did it in an X term so it didnt have perm to open fully.
Should i get a trace regular, or without the protections disabled via chpax?
chpax flags don't matter as long as X doesn't get killed which is your case i think. so just exit from X and do the strace then.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm


Return to grsecurity support

cron