grsecurity forums

[ray]

Hi all,
I'm using grsec&PaX for some 3-4 months, but wish to activate it to the limit.
My system is Gentoo-2.6.5-hardened (~x86 - unstable).
There are known problems with X-server & PaX (doesn't work always). I'm using xorg-X11-6.7.0 (already compiled xorg-X11-6.7.0-r1).
Followed quickstart.pdf from the site but it breaks my X, so at last my questions:
1.What are the optimal or maximal PaX settings for an working X?
2.Are there any problems with grsecurity and X?
TIA.
Rumen.

[PaX Team]

My system is Gentoo-2.6.5-hardened (~x86 - unstable).
There are known problems with X-server & PaX (doesn't work always). I'm using xorg-X11-6.7.0 (already compiled xorg-X11-6.7.0-r1).
Followed quickstart.pdf from the site but it breaks my X, so at last my questions:
1.What are the optimal or maximal PaX settings for an working X?

it depends on how your X server is configured/patched. the hardened gentoo effort is a work in progress, as far as the desktop is concerned, so getting a modular X server to run with full PaX on is not all automated yet (but it's possible, i've been running it for 1.5+ years myself). the biggest problem with X is its own home grown module loader that does some silly things on ELF platforms (equivalent of runtime code generation vs. normal file mappings). this is being fixed in the main X tree but it will take a while to sort out all the module dependencies: http://bugs.gentoo.org/show_bug.cgi?id=49038 and http://freedesktop.org/bugzilla/show_bug.cgi?id=400. there's also a problem with text relocations although gentoo already has the patches for 4.3, i'll update them for 4.4 once the dlloader works fine. ssp also brings some problems but i think that's a gentoo specific toolchain issue. so what does that leave you with today? the static server (USE=static) should be ok as it doesn't use the module loader nor will it have text relocations (i don't know about ssp but i think it will fine too).

2.Are there any problems with grsecurity and X?

beyond the PaX related issues there's the /dev/mem and I/O restrictions that can't be used with X right now (these features need a finer grained control, which is on our todo list).

[ray]

Hi all,
Followed the quickstart-guide setup, quite good (many things are ON) and it's working, even with X-server, compiled (USE="static -hardened") of course. Small drawback - nvidia's binary driver isn't working, even after nvidia-kernel-5336-r4 ver. isntall, but i can live w/o it for now (using NV).
paxtest-0.9.5 give the following:
Test results:
PaXtest - Copyright(c) 2003 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Executable stack (mprotect) : Killed
Anonymous mapping randomisation test : 16 bits (guessed)
Heap randomisation test (ET_EXEC) : 25 bits (guessed)
Heap randomisation test (ET_DYN) : 25 bits (guessed)
Main executable randomisation (ET_EXEC) : 17 bits (guessed)
Main executable randomisation (ET_DYN) : 17 bits (guessed)
Shared library randomisation test : 16 bits (guessed)
Stack randomisation test (SEGMEXEC) : 23 bits (guessed)
Stack randomisation test (PAGEEXEC) : 23 bits (guessed)
Return to function (strcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : Vulnerable
Return to function (memcpy) : Vulnerable
Return to function (memcpy, RANDEXEC) : Vulnerable
Executable shared library bss : Killed
Executable shared library data : Killed
Writable text segments : Killed
...END CUT ...
There are still 4 marked 'Vulnerable'.
Could something be done about them?
TIA.Rumen.

[ray]

Hi again,
Forgot to say. Tried to compile paxtest-0.9.6 and the protection (or other) has prevented me from doing so.
...BEGIN CUT...
make -f Makefile.Gentoo
make[1]: Entering directory `/home/gentoo/src/paxtest-0.9.6'
gcc -specs=dumpspecs -O2 -DRUNDIR=\"/usr/lib/paxtest\" -fno-stack-protector -fPIC -DPIC -o shlibtest.o -c shlibtest.c
gcc -specs=dumpspecs -shared -o shlibtest.so shlibtest.o
gcc -specs=dumpspecs -O2 -DRUNDIR=\"/usr/lib/paxtest\" -fno-stack-protector -fPIC -DPIC -o shlibtest2.o -c shlibtest2.c
gcc -specs=dumpspecs -shared -o shlibtest2.so shlibtest2.o
gcc -specs=dumpspecs -O2 -DRUNDIR=\"/usr/lib/paxtest\" -fno-stack-protector -o body.o -c body.c
gcc -specs=dumpspecs -O2 -DRUNDIR=\"/usr/lib/paxtest\" -fno-stack-protector -o anonmap.o -c anonmap.c
gcc -specs=dumpspecs -o anonmap body.o anonmap.o
body.o(.text+0x131): In function `main':
: undefined reference to `pthread_create'
body.o(.text+0x14a): In function `main':
: undefined reference to `pthread_kill'
collect2: ld returned 1 exit status
make[1]: *** [anonmap] Error 1
rm shlibtest.o shlibtest2.o
make[1]: Leaving directory `/home/gentoo/src/paxtest-0.9.6'
make: *** [gentoo] Error 2
...END CUT...
May have some issues because of recent rebuild of glibc w/o NPTL and removal of linux-headers-2.6.x.
TIA again.
Rumen.

[PaX Team]

nvidia's binary driver isn't working, even after nvidia-kernel-5336-r4 ver. isntall, but i can live w/o it for now (using NV).

afaik, the static server won't load modules, you'd have compile that driver into the X server itself.

There are still 4 marked 'Vulnerable'.
Could something be done about them?

yes, searching the board would have led you to http://forums.grsecurity.net/viewtopic.php?t=719. as for paxtest 0.9.6, it's a known problem and i've had patches for fixing this and other things, just no time to make my own release yet.

[ray]

Thanks,
First for the nvidia thing. As the nvidia.ko (kernel) module is loaded with the kernel i think it's OK. Is this the binary part of the driver or it's the glx part or both?
So i'll have to (eventually) recompile xorg-X11 (static) with nvidia-glx included in order to have it included and working?
Any known issues with use of USE="static" xorg-x11-r1 (hardened is ON by default)?
Thanks to solar (gentoo-dev) compiled paxtest-.0.9.6 (edited LDFLAGS=-lpthread in makefile).
TIA.
Rumen.
[/quote]