grsecurity forums

[DaviXX]

Hi,

I have a _problem_ with PAX, i d'on't understand why it KILL my kavscanner : /opt/kav/bin/kavscanner -i0 -xp -j2 /home/nav/

So i have an entry in /var/log/kernel/current :
Mar 2 16:38:37 [kernel] PAX: terminating task: /opt/kav/bin/kavscanner(kavscanner):3586, uid/euid: 1028/1028, PC: 0819d070, SP: 5cad4fbc

What i have to do if i want to let kavscanner to run ?

thanks (i'm french, sorry if i don't speak very well english).

thanks.

---

#
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
CONFIG_GRKERNSEC_CUSTOM=y

#
# Address Space Protection
#
CONFIG_GRKERNSEC_KMEM=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PROC_MEMMAP=y
# CONFIG_GRKERNSEC_BRUTE is not set
# CONFIG_GRKERNSEC_HIDESYM is not set

#
# Role Based Access Control Options
#
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=1001
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
# CONFIG_GRKERNSEC_PROC_IPADDR is not set
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set

#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
# CONFIG_GRKERNSEC_SHM is not set
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_TPE is not set

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDISN=y
CONFIG_GRKERNSEC_RANDID=y
CONFIG_GRKERNSEC_RANDSRC=y
CONFIG_GRKERNSEC_RANDRPC=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl support
#
# CONFIG_GRKERNSEC_SYSCTL is not set

#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4


#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_SEGMEXEC=y
# CONFIG_PAX_DEFAULT_PAGEEXEC is not set
CONFIG_PAX_DEFAULT_SEGMEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_NOELFRELOCS is not set

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_RANDEXEC=y
CONFIG_PAX_NOVSYSCALL=y
# CONFIG_KEYS is not set
# CONFIG_SECURITY is not set

[PaX Team]

I have a _problem_ with PAX, i d'on't understand why it KILL my kavscanner : /opt/kav/bin/kavscanner -i0 -xp -j2 /home/nav/

as i recall, kav decrypts itself at runtime, that's a form of runtime code generation and is not compatible with PaX.

What i have to do if i want to let kavscanner to run ?

chpax -sprm /opt/kav/bin/kavscanner

[DaviXX]

as i recall, kav decrypts itself at runtime, that's a form of runtime code generation and is not compatible with PaX.

Thanks for the information.

chpax -sprm /opt/kav/bin/kavscanner

i supposed that chpax is a part of gradm package. it's that ?

have i to make all my commands whith "chpax -sprm" before, or after this command all runs of kavscanner should run without problem

thanks a lot

[PaX Team]

i supposed that chpax is a part of gradm package. it's that ?

it's separate, look at the PaX homepage.

have i to make all my commands whith "chpax -sprm" before, or after this command all runs of kavscanner should run without problem

before as it modifies the file itself which the kernel will interpret accordingly.

[DaviXX]

Sorry to ask you again, but i don't understand something :

- In the PaX homepage, which package i have to choise if i have linux-2.6.10 with the last grsecurity patch :

- paxctl v0.2
- chpax v0.7
- chpax.sh

So for the rest, i i understand well, each times i use kavscanner i have to precede it with "chpax -sprm'.

Thanks.

[DaviXX]

- In the PaX homepage, which package i have to choise if i have linux-2.6.10 with the last grsecurity patch :

- paxctl v0.2
- chpax v0.7
- chpax.sh

So i'm answering myself chpax v0.7.
make && make install

so if i realy understand, i think that i have to use this commande one time only, next time i use kavscanner normally :

chpax -sprm /opt/kav/bin/kavscanner

[...] later...

/opt/kav/bin/kavscanner -i0 -xp -j2 /home/nav/
/opt/kav/bin/kavscanner -i0 -xp -j2 /home/otheruser/