grsecurity forums

[tobij]

Hi there,

with a rule like

Code: Select all

role admin sA
subject / rvka
        / rwcdmlxi
        /sbin rxi

after switching to the admin role, everything in /sbin segfaults (including gradm.) Adding the w flag to /sbin helps -- is this intended behaviour?

Thanks,
tobij

[PaX Team]

after switching to the admin role, everything in /sbin segfaults (including gradm.) Adding the w flag to /sbin helps -- is this intended behaviour?

no, that doesn't look correct. what grsec/distro is this? can you debug the segfaults(gdb/strace)? you could also see on a working setup (with the 'w' flag) what the /sbin apps are trying to do in there (strace).

[tobij]

what grsec/distro is this? can you debug the segfaults(gdb/strace)? you could also see on a working setup (with the 'w' flag) what the /sbin apps are trying to do in there (strace).

It's gentoo with the shipped sys-kernel/hardened-sources-2.6.23-r4, unfortunately, I can find the grsec version neither in the ebuild's ChangeLog nor in /usr/src/kernel.
gradm v2.1.11, sys-apps/gradm-2.1.11.200708011700

Code: Select all

gentoo-vm ~ # cat /sbin/helloworld.c
#include <stdio.h>

int main() {
        printf("Hello, world!\n");

        return 0;
}
gentoo-vm ~ # gcc -ggdb -o /sbin/helloworld /sbin/helloworld.c
gentoo-vm ~ # gradm -E
gentoo-vm ~ # gradm -a admin
Password:
gentoo-vm ~ # /sbin/helloworld
Segmentation fault (core dumped)
gentoo-vm ~ # strace /sbin/helloworld
execve("/sbin/helloworld", ["/sbin/helloworld"], [/* 24 vars */]) = -1 EACCES (Permission denied)
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV (core dumped) +++
gentoo-vm ~ # cp /sbin/helloworld /bin
gentoo-vm ~ # strace /bin/helloworld > /dev/null
execve("/bin/helloworld", ["/bin/helloworld"], [/* 24 vars */]) = 0
brk(0)                                  = 0x804a01c
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=12418, ...}) = 0
mmap2(NULL, 12418, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f79000
close(3)                                = 0
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@a\1\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1237276, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f78000
mmap2(NULL, 1242576, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7e48000
mmap2(0xb7f72000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x12a) = 0xb7f72000
mmap2(0xb7f75000, 9680, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7f75000
close(3)                                = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7e47000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7e476c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
mprotect(0xb7f72000, 8192, PROT_READ)   = 0
mprotect(0x8049000, 4096, PROT_READ)    = 0
mprotect(0xb7f97000, 4096, PROT_READ)   = 0
munmap(0xb7f79000, 12418)               = 0
fstat64(1, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 3), ...}) = 0
ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbfca14d4) = -1 ENOTTY (Inappropriate ioctl for device)
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f7c000
write(1, "Hello, world!\n", 14)         = 14
exit_group(0)                           = ?

Inspecting the core:

Code: Select all

Core was generated by `/sbin/helloworld MANPATH=/usr/local/share/man:/usr/share/man:/usr/share/binutil'.
Program terminated with signal 11, Segmentation fault.
#0  0xffffe410 in ?? ()

[spender]

That's definitely not proper behavior, though I'm unable to replicate your problem here. Would it be possible to use the grsec patch and gradm from the test page against a vanilla kernel and see if the problem still occurs? I don't know what all is done to the gentoo kernel.

-Brad

[tobij]

Would it be possible to use the grsec patch and gradm from the test page against a vanilla kernel and see if the problem still occurs?

I did that (with grsecurity-2.1.11-2.6.23.14-200801231800.patch), and it did still occur.

For completeness, a full policy which causes the error:

Code: Select all

#sample default policy for grsecurity
#
# Role flags:
# A -> This role is an administrative role, thus it has special privilege normal
#      roles do not have.  In particular, this role bypasses the
#      additional ptrace restrictions
# N -> Don't require authentication for this role.  To access
#      the role, use gradm -n <rolename>
# s -> This role is a special role, meaning it does not belong to a
#      user or group, and does not require an enforced secure policy
#      base to be included in the ruleset
# u -> This role is a user role
# g -> This role is a group role
# G -> This role can use gradm to authenticate to the kernel
#      A policy for gradm will automatically be added to the role
# T -> Enable TPE for this role
# l -> Enable learning for this role
# P -> Use PAM authentication for this role.
#
# a role can only be one of user, group, or special
#
# role_allow_ip IP/optional netmask
# eg: role_allow_ip 192.168.1.0/24
# You can have as many of these per role as you want
# They restrict the use of a role to a list of IPs.  If a user
# is on the system that would normally get the role does not
# belong to those lists of IPs, the system falls back through
# its method of determining a role for the user
#
# Role hierarchy
# user -> group -> default
# First a user role attempts to match, if one is not found,
# a group role attempts to match, if one is not found,
# the default role is used.
#
# role_transitions <special role 1> <special role 2> ... <special role n>
# eg: role_transitions www_admin dns_admin
#
# role transitions specify which special roles a given role is allowed
# to authenticate to.  This applies to special roles that do not
# require password authentication as well.  If a user tries to
# authenticate to a role that is not within his transition table, he
# will receive a permission denied error
#
# Nested subjects
# subject /bin/su:/bin/bash:/bin/cat
#     / rwx
#     +CAP_ALL
# grant privilege to specific processes if they are executed
# within a trusted path.  In this case, privilege is
# granted if /bin/cat is executed from /bin/bash, which is
# executed from /bin/su.
#
# Configuration inheritance on nested subjects
# nested subjects inherit rules from their parents.  In the
# example above, the nested subject would inherit rules
# from the nested subject for /bin/su:/bin/bash,
# and the subject /bin/su
# View the 1.9.x documentation for more information on
# configuration inheritance
#
# new object modes:
# m -> allow creation of setuid/setgid files/directories
#      and modification of files/directories to be setuid/setgid
# M -> audit the setuid/setgid creation/modification
# c -> allow creation of the file/directory
# C -> audit the creation
# d -> allow deletion of the file/directory
# D -> audit the deletion
# p -> reject all ptraces to this object
# l -> allow a hardlink at this path
#   (hardlinking requires at a minimum c and l modes, and the target
#    link cannot have any greater permission than the source file)
# L -> audit link creation
# new subject modes:
# O -> disable "writable library" restrictions for this task
# t -> allow this process to ptrace any process (use with caution)
# r -> relax ptrace restrictions (allows process to ptrace processes
#      other than its own descendants)
# i -> enable inheritance-based learning for this subject, causing
#      all accesses of this subject and anything it executes to be placed
#      in this subject, and inheritance flags added to executable objects
#      in this subject
# a -> allow this process to talk to the /dev/grsec device
#
# user/group transitions:
# You may now specify what users and groups a given subject can
# transition to.  This can be done on an inclusive or exclusive basis.
# Omitting these rules allows a process with proper privilege granted by
# capabilities to transition to any user/group.
#
# Examples:
# subject /bin/su
# user_transition_allow root spender
# group_transition_allow root spender
# subject /bin/su
# user_transition_deny evilhacker
# subject /bin/su
# group_transition_deny evilhacker1 evilhacker2
#
# Domains:
# With domains you can combine users that don't share a common
# GID as well as groups so that they share a single policy
# Domains work just like roles, with the only exception being that
# the line starting with "role" is replaced with one of the following:
# domain somedomainname u user1 user2 user3 user4 ... usern
# domain somedomainname g group1 group2 group3 group4 ... groupn
#
# Inverted socket policies:
# Rules such as
# connect ! www.google.com:80 stream tcp
# are now allowed, which allows you to specify that a process can connect to anything
# except to port 80 of www.google.com with a stream tcp socket
# the inverted socket matching also works on bind rules
#
# Per-interface socket policies:
# Rules such as
# bind eth1:80 stream tcp
# bind eth0#1:22 stream tcp
# are now allowed, giving you the ability to tie specific socket rules
# to a single interface (or by using the inverted rules, all but one
# interface).  Virtual interfaces are specified by the <ifname>#<vindex>
# syntax.  If an interface is specified, no IP/netmask or host may be
# specified for the rule.
#
# New learning system:
# To learn on a given subject: add l (the letter l, not the number 1)
# to the subject mode
# To learn on a given role, add l to the role mode
# For both of these, to enable learning, enable the system like:
# gradm -L /etc/grsec/learning.logs -E
# and then generate the rules after disabling the system after the
# learning phase with:
# gradm -L /etc/grsec/learning.logs -O /etc/grsec/policy
# To use full system learning, enable the system like:
# gradm -F -L /etc/grsec/learning.logs
# and then generate the rules after disabling the system after the
# learning phase with:
# gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/policy
#
# New PaX flag format (replaces PaX subject flags):
# PaX flags can be forced on or off, regardless of the flags on the
# binary, by using + or - before the following PaX flag names:
# PAX_SEGMEXEC
# PAX_PAGEEXEC
# PAX_MPROTECT
# PAX_RANDMMAP
# PAX_EMUTRAMP

role admin sA
subject / rvka
   / rwcdmlxi
   /sbin rx

role default G
role_transitions admin
subject /
   /      r
   /opt      rx
   /home      rwxcd
   /mnt      rw
   /dev
   /dev/grsec   h
   /dev/urandom   r
   /dev/random   r
   /dev/zero   rw
   /dev/input   rw
   /dev/psaux   rw
   /dev/null   rw
   /dev/tty?   rw
   /dev/console   rw
   /dev/tty   rw
   /dev/pts   rw
   /dev/ptmx   rw
   /dev/dsp   rw
   /dev/mixer   rw
   /dev/initctl   rw
   /dev/fd0   r
   /dev/cdrom   r
   /dev/mem   h
   /dev/kmem   h
   /dev/port   h
   /bin      rx
   /sbin      rx
   /lib      rx
   /usr      rx
# compilation of kernel code should be done within the admin role   
   /usr/src   h
   /etc      rx
   /proc      rwx
   /proc/kcore   h
   /proc/sys   r
   /root      r
   /tmp      rwcd
   /var      rwxcd
   /var/tmp   rwcd
   /var/log   r
# hide the kernel images
   /boot      h
   /etc/grsec   h
   /etc/ssh   h

# if sshd needs to be restarted, it can be done through the admin role
   /usr/sbin/sshd
   
   -CAP_KILL
   -CAP_SYS_TTY_CONFIG
   -CAP_LINUX_IMMUTABLE
   -CAP_NET_RAW
   -CAP_MKNOD
   -CAP_SYS_ADMIN
   -CAP_SYS_RAWIO
   -CAP_SYS_MODULE
   -CAP_SYS_PTRACE
   -CAP_NET_ADMIN
   -CAP_NET_BIND_SERVICE
   -CAP_NET_RAW
   -CAP_SYS_CHROOT
   -CAP_SYS_BOOT

#   RES_AS 100M 100M

#   connect 192.168.1.0/24:22 stream tcp
#   bind   0.0.0.0 stream dgram tcp udp

# the d flag protects /proc fd and mem entries for sshd
# all daemons should have 'p' in their subject mode to prevent
# an attacker from killing the service (and restarting it with trojaned
# config file or taking the port it reserved to run a trojaned service)

subject /usr/sbin/sshd dpo
   /      h
   /bin/bash   x
   /dev      h
   /dev/log   rw
   /dev/random   r
   /dev/urandom   r
   /dev/null   rw
   /dev/ptmx   rw
   /dev/pts   rw
   /dev/tty   rw
   /dev/tty?   rw
   /etc      r
   /etc/grsec   h
   /home
   /lib      rx
   /root
   /proc      r
   /proc/kcore   h
   /proc/sys   h
   /usr/lib   rx
   /usr/share/zoneinfo r
   /var/log
   /var/mail
   /var/log/lastlog   rw
   /var/log/wtmp      w
   /var/run/sshd
   /var/run/utmp      rw

   -CAP_ALL
   +CAP_CHOWN
   +CAP_SETGID
   +CAP_SETUID
   +CAP_SYS_CHROOT
   +CAP_SYS_RESOURCE
   +CAP_SYS_TTY_CONFIG

subject /usr/X11R6/bin/XFree86
   /dev/mem   rw

   +CAP_SYS_ADMIN
   +CAP_SYS_TTY_CONFIG
   +CAP_SYS_RAWIO

   -PAX_SEGMEXEC
   -PAX_PAGEEXEC
   -PAX_MPROTECT

subject /usr/bin/ssh
   /etc/ssh/ssh_config r

subject /sbin/klogd
   +CAP_SYS_ADMIN

subject /sbin/syslog-ng
   +CAP_SYS_ADMIN

subject /usr/sbin/cron
   /dev/log rw

subject /bin/login
   /dev/log rw
   /var/log/wtmp w
   /var/log/faillog rwcd

subject /sbin/getty
   /var/log/wtmp w

subject /sbin/init
   /var/log/wtmp w


If you'd like to have it, I can give you the vmware-image the problem occurs in.

[PaX Team]

Code: Select all

Core was generated by `/sbin/helloworld MANPATH=/usr/local/share/man:/usr/share/man:/usr/share/binutil'.
Program terminated with signal 11, Segmentation fault.
#0  0xffffe410 in ?? ()

that address is in the compat vdso area, is there any reason why you enabled it? (it also disables some non-exec options in PaX...)

[tobij]

that address is in the compat vdso area, is there any reason why you enabled it?

No, no specific reason. I disabled Compat VDSO, the problem still occurs but with

Code: Select all

Core was generated by `gradm MANPATH=/usr/local/share/man:/usr/share/man:/usr/share/binutils-data/i686'.
Program terminated with signal 11, Segmentation fault.
#0  0xb7ee7410 in ?? ()

[PaX Team]

Code: Select all

Core was generated by `gradm MANPATH=/usr/local/share/man:/usr/share/man:/usr/share/binutils-data/i686'.
Program terminated with signal 11, Segmentation fault.
#0  0xb7ee7410 in ?? ()

can you post more info like 'x/8i $pc' and 'info reg' and 'x/8x $sp' and 'bt'?

[tobij]

can you post more info like 'x/8i $pc' and 'info reg' and 'x/8x $sp' and 'bt'?

Code: Select all

# gdb --core core
GNU gdb 6.7.1
Copyright (C) 2007 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu".
Core was generated by `gradm MANPATH=/usr/local/share/man:/usr/share/man:/usr/share/binutils-data/i686'.
Program terminated with signal 11, Segmentation fault.
#0  0xb7f9d410 in ?? ()
(gdb) x/8i $pc
0xb7f9d410:     Cannot access memory at address 0xb7f9d410
(gdb) info reg
eax            0xfffffff3       -13
ecx            0x8122548        135406920
edx            0x8121928        135403816
ebx            0x81224a0        135406752
esp            0xbfaeda64       0xbfaeda64
ebp            0xbfaedb58       0xbfaedb58
esi            0x81224a0        135406752
edi            0xb7f49ff4       -1208705036
eip            0xb7f9d410       0xb7f9d410
eflags         0x292    [ AF SF IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x0      0
(gdb) x/8x $sp
0xbfaeda64:     Cannot access memory at address 0xbfaeda64
(gdb) bt
#0  0xb7f9d410 in ?? ()
(gdb)