Pax shared library stack protection only working

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Post by Ovencleaner » Sat Jul 12, 2008 9:58 am

Hi, I just downloaded and built kernel 2.6.24.5 and patched it with the according grsecurity patch. I am running archlinux if it makes any difference.

I at first tested softmode, but then disabled it. /proc/sys/pax/softmode is 0.

For some reason, whenever I run paxtest I get this:
Code:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Mode: kiddie
Linux st00ner-desktop 2.6.24.5-grsec-ARCH #1 SMP PREEMPT Fri Jul 11 09:40:55 CDT 2008 i686 AMD Athlon(tm) 64 X2 Dual Core Processor 3800+ AuthenticAMD GNU/Linux

Executable anonymous mapping             : Vulnerable
Executable bss                           : Vulnerable
Executable data                          : Vulnerable
Executable heap                          : Vulnerable
Executable stack                         : Vulnerable
Executable anonymous mapping (mprotect)  : Vulnerable
Executable bss (mprotect)                : Vulnerable
Executable data (mprotect)               : Vulnerable
Executable heap (mprotect)               : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect)              : Vulnerable
Anonymous mapping randomisation test     : 9 bits (guessed)
Heap randomisation test (ET_EXEC)        : No randomisation
Heap randomisation test (ET_DYN)         : No randomisation
Main executable randomisation (ET_EXEC)  : 10 bits (guessed)
Main executable randomisation (ET_DYN)   : 10 bits (guessed)
Shared library randomisation test        : 10 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 19 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 19 bits (guessed)
Return to function (strcpy)              : Vulnerable
Return to function (strcpy, RANDEXEC)    : Vulnerable
Return to function (memcpy)              : Vulnerable
Return to function (memcpy, RANDEXEC)    : Vulnerable
Executable shared library bss            : Vulnerable
Executable shared library data           : Killed
Writable text segments                   : Vulnerable


It seems the only thing pax is doing is protecting shared libraries.... This just creates a hassle for me and gives me no protection otherwise! I have made sure to set -PEMRX (when running pageexec) and -EMRXS (when running segmexec) just in case. Take a look at my kernel configuration.

I have tried both SEGMEXEC and PAGEEXEC to no avail.

Code:
#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
CONFIG_PAX_SOFTMODE=y
# CONFIG_PAX_EI_PAX is not set
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
# CONFIG_PAX_SEGMEXEC is not set
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_NOELFRELOCS is not set

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y


Grub Configuration:
Code:
title Arch Linux PaX
root (hd0,0)
kernel /vmlinuz-2.6.24-pax root=/dev/sda6 ro
initrd /kernel26-pax.img


I have used grsecurity and pax once before on hardened gentoo. Is there something I am doing wrong :-?


EDIT:

I got it working with paxctl now, but for some reason it seems like the system by default has protection DISABLED on all programs unless I remark them? Softmode is not even enabled in my new kernel! What gives?
Ovencleaner
 
Posts: 4
Joined: Sat Jul 12, 2008 9:51 am

Re: Pax shared library stack protection only working

Post by PaX Team » Mon Jul 14, 2008 2:22 pm

Ovencleaner wrote: I am running archlinux if it makes any difference.
it does if you rely on PT_PAX_FLAGS markings which you seem to do based on your posted .config excerpt. in particular, are you using a patched binutils to build your userland? otherwise you'll have to use paxctl -C to add the PT_PAX_FLAGS program header else nothing will get protected (did you read the config help?).

Ovencleaner wrote: It seems the only thing pax is doing is protecting shared libraries....
what you're seeing is the vanilla kernel's own randomization, not that of PaX.

Ovencleaner wrote: I have made sure to set -PEMRX (when running pageexec) and -EMRXS (when running segmexec) just in case.
set where? besides, enabling all features doesn't equal best security ;), better read up on what each option does (for one, RANDEXEC no longer exists).

Ovencleaner wrote: I got it working with paxctl now, but for some reason it seems like the system by default has protection DISABLED on all programs unless I remark them? Softmode is not even enabled in my new kernel! What gives?
see my first question, do your binaries have a PT_PAX_FLAGS header already?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: Pax shared library stack protection only working

Post by Ovencleaner » Tue Jul 15, 2008 11:27 am

so if a program does not have a PAX header, there is no kind of default protection that will be enabled on it? That is what I am trying to do. I thought softmode disabled protection unless a program had a header that specified otherwise...

I am not using any patched tools, just paxctl and a modified update script that converts binaries and enables protection after every update.

If I disable PT_PAX_FLAGS, would I be able to even change protections on any programs?

I am trying to do one of the two:

Enable all pax protections by default, disable with PT_PAX_FLAGS using paxctl on a per application basis (Some programs I use need an executable stack)

Disable all protections besides on marked applications (I thought softmode did this but still programs that need an executable stack are killed because of the executable shared library protection which I am not sure how to disable)

I have with all of my kernel recompiling only succeeded in getting somewhere in the middle of these two...
Ovencleaner
 
Posts: 4
Joined: Sat Jul 12, 2008 9:51 am

Re: Pax shared library stack protection only working

Post by PaX Team » Thu Jul 17, 2008 5:08 am

Ovencleaner wrote: so if a program does not have a PAX header, there is no kind of default protection that will be enabled on it?
(assuming you meant PT_PAX_FLAGS by 'PAX header') if you don't have EI_PAX support as a fallback, then no, there is no protection, this is very clearly described in the config help.

Ovencleaner wrote: That is what I am trying to do. I thought softmode disabled protection unless a program had a header that specified otherwise...
softmode simply makes use of a 2nd set of control bits from the PT_PAX_FLAGS header.

Ovencleaner wrote: If I disable PT_PAX_FLAGS, would I be able to even change protections on any programs?
sure, the old and obsolete method of EI_PAX markings still works if you enable it in .config (those markings come from an always present part of the ELF header).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
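
Added example (not part of the thread and not PaX or paxctl code): a small ELF reader that answers the question asked above, whether a binary carries a PT_PAX_FLAGS program header, and shows the two sets of control bits in it plus the raw legacy EI_PAX byte. The constants follow the PaX patch's elf.h definitions; the function names `pax_markings` and `sample_elf` and the sample images are constructed for illustration.

```python
import struct

PT_PAX_FLAGS = 0x65041580   # PT_LOOS + 0x5041580, the header type paxctl -C adds
EI_PAX = 14                 # e_ident index of the legacy EI_PAX marking
# Each feature has an enable bit at position b and a disable bit at b + 1.
# Softmode consults the enable bits; otherwise the disable bits are consulted.
PF_BITS = [(4, "PAGEEXEC"), (6, "SEGMEXEC"), (8, "MPROTECT"),
           (12, "EMUTRAMP"), (14, "RANDMMAP")]

def pax_markings(elf: bytes) -> dict:
    """Report which PaX markings an ELF image carries (32/64-bit, either endianness)."""
    if len(elf) < 52 or elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    end = "<" if elf[5] == 1 else ">"          # EI_DATA: 1 = little endian
    if elf[4] == 2:                            # EI_CLASS: 2 = ELF64
        phoff, = struct.unpack_from(end + "Q", elf, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 54)
        flags_at = 4                           # p_flags offset in Elf64_Phdr
    else:
        phoff, = struct.unpack_from(end + "I", elf, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 42)
        flags_at = 24                          # p_flags offset in Elf32_Phdr
    out = {"ei_pax_byte": elf[EI_PAX], "pt_pax_flags": False,
           "enable": [], "disable": []}
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type, = struct.unpack_from(end + "I", elf, base)
        if p_type != PT_PAX_FLAGS:
            continue
        p_flags, = struct.unpack_from(end + "I", elf, base + flags_at)
        out["pt_pax_flags"] = True
        out["enable"] = [n for b, n in PF_BITS if p_flags >> b & 1]
        out["disable"] = [n for b, n in PF_BITS if p_flags >> (b + 1) & 1]
    return out

def sample_elf(pax_flags=None) -> bytes:
    """Constructed 32-bit little-endian ELF header + program headers, not a real binary."""
    phdrs = [struct.pack("<8I", 1, 0, 0, 0, 0, 0, 5, 0x1000)]      # PT_LOAD, r-x
    if pax_flags is not None:
        phdrs.append(struct.pack("<8I", PT_PAX_FLAGS, 0, 0, 0, 0, 0, pax_flags, 4))
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9)                       # e_ident, EI_PAX = 0
    ehdr += struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0,
                        52, 32, len(phdrs), 40, 0, 0)
    return ehdr + b"".join(phdrs)

if __name__ == "__main__":
    print("unmarked:", pax_markings(sample_elf()))
    print("marked:  ", pax_markings(sample_elf(1 << 9 | 1 << 12)))
```

On a real system, pass the bytes of a binary (for example `open(path, "rb").read()`) to `pax_markings`; a result with `pt_pax_flags` false is the case the reply above describes, where a kernel without the EI_PAX fallback applies no protection.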

Re: Pax shared library stack protection only working

Post by Ovencleaner » Thu Jul 24, 2008 9:57 am

All right, this is my new configuration; however, I can no longer disable any protection on marked apps (using paxctl to disable all protections) BUT default protection is working. Does enabling CONFIG_PAX_EI_PAX=y mean I cannot use paxctl to disable protections even if I also have CONFIG_PAX_PT_PAX_FLAGS=y?

I have resorted to setting softmode to 1 when I need to disable any protection...


Code:
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
CONFIG_PAX_SOFTMODE=y
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
# CONFIG_PAX_PAGEEXEC is not set
CONFIG_PAX_SEGMEXEC=y
CONFIG_PAX_EMUTRAMP=y
# CONFIG_PAX_MPROTECT is not set

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y

#
# Miscellaneous hardening features
#
# CONFIG_PAX_MEMORY_SANITIZE is not set
# CONFIG_PAX_MEMORY_UDEREF is not set
CONFIG_KEYS=y
# CONFIG_KEYS_DEBUG_PROC_KEYS is not set
CONFIG_SECURITY=y
Ovencleaner
 
Posts: 4
Joined: Sat Jul 12, 2008 9:51 am

Re: Pax shared library stack protection only working

Post by PaX Team » Thu Jul 24, 2008 9:40 pm

Ovencleaner wrote: All right, this is my new configuration; however, I can no longer disable any protection on marked apps (using paxctl to disable all protections) BUT default protection is working. Does enabling CONFIG_PAX_EI_PAX=y mean I cannot use paxctl to disable protections even if I also have CONFIG_PAX_PT_PAX_FLAGS=y?
it means that you're welcome to read the config help about EI_PAX and learn that it's not paxctl that controls those flags ;).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: Pax shared library stack protection only working

Post by Ovencleaner » Fri Jul 25, 2008 12:33 pm

So EI_PAX + chpax was the solution all along for a non pax userland....

I did not understand that paxctl only supported PT_PAX, and would not work on EI_PAX until you gave me that last nudge...

Thanks for the help, everything is working great now :D
Ovencleaner
 
Posts: 4
Joined: Sat Jul 12, 2008 9:51 am

