PAX_NOELFRELOCS survey

Postby spender » Sat Jul 24, 2010 8:16 pm

The PaX Team and I are discussing making PAX_NOELFRELOCS a default-on feature of PAX_MPROTECT in combination with the new PAX_MPROTECT behavior that denies RWX mappings instead of silently demoting them to RW (so that apps like clamav can know that RWX mappings aren't allowed and implement a fallback mechanism, instead of requiring a chpax -m). We'll then combine the old PAX_MPROTECT behavior and perhaps !PAX_NOELFRELOCS and turn this into a PAX_COMPAT option, disabled by default.

So I'd like to do a little survey of those who are currently using PAX_NOELFRELOCS or have attempted to use it. If you're currently using it, could you report the distro and version it's worked for? If you've tried it and found some application incompatibilities, can you report the distro, version, and application? If there exist any current incompatibilities we can work together to resolve these upstream. If you want, you can also submit your responses to me privately at spender@grsecurity.net.

I'll start: Debian Lenny running X and sshd all works fine with PAX_NOELFRELOCS enabled.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: PAX_NOELFRELOCS survey

Postby blueness » Sat Jul 24, 2010 9:59 pm

In developing Tin Hat, which is really just Hardened Gentoo plus some extra crypto on a Gnome Desktop, I have always selected PAX_NOELFRELOCS. I have never had problems. Here's a list of the packages included on amd64 and i686 systems:

http://opensource.dyc.edu/sites/default ... .amd64.txt

http://opensource.dyc.edu/sites/default ... a.i686.txt
blueness
 
Posts: 5
Joined: Sun Jul 04, 2010 7:30 am

Re: PAX_NOELFRELOCS survey

Postby prometheanfire » Sat Jul 24, 2010 10:02 pm

Gentoo Linux x86_64

postgres
lighttpd
asterisk
dovecot
postfix
munin
openldap
puppet (testing, dunno if it can run bash code right now)

All of these work fine.
Here are my use flags
caps acpi mmx sse sse2 sse3 sse4 alsa gnutls ncurses bashlogger lvm network parted pam tcpd sni ssl bash-completion clamav crypt cracklib ipv6 syslog php xml posix zip unicode gd truetype spell calendar curl curlwrappers hash hashlib imap ldap ldap-sasl mhash snmp soap threads xmlreader xmlrpc xpm fastcgi cgi sasl svg symlink vim-syntax uuid postgres postfix encode faac faad mp3 vorbis ogg aac wma flac lame xvid dbi -ssmtp -cups -X -mesa -opengl -xscreensaver -xv
prometheanfire
 
Posts: 1
Joined: Sat Jul 24, 2010 9:57 pm

Re: PAX_NOELFRELOCS survey

Postby linkfanel » Sun Aug 01, 2010 9:50 pm

I tried using PAX_NOELFRELOCS long ago on Debian unstable, but I ran into weird quirks (some vlc modules not working, sshd breaking on upgrade...) so I gave up on it.
linkfanel
 
Posts: 39
Joined: Fri Jul 14, 2006 8:26 pm

Re: PAX_NOELFRELOCS survey

Postby Hugo Mildenberger » Wed Aug 04, 2010 7:36 pm

I'm using it on hardened Gentoo X86/X86_64 and have never seen a problem I could attribute to this feature being enabled.

edit: Sorry, this statement is capable of being misunderstood: CONFIG_PAX_EMUTRAMP is not set and CONFIG_PAX_NOELFRELOCS is enabled in kernel config. So emulation of trampoline code is disabled while ELF relocations are forbidden, and I never saw a problem I could relate to these conditions, for both ~x86 and ~amd64.
Hugo Mildenberger
 
Posts: 12
Joined: Sun Dec 13, 2009 6:14 pm

Re: PAX_NOELFRELOCS survey

Postby cmouse » Tue Sep 21, 2010 12:11 pm

It's worrying that most replies here are for Gentoo, where this kind of support is easy to arrange. It would be really nice to hear if there are debian/redhat/centos/ubuntu etc. users that run NOELFRELOCS as well. I can try it on one ubuntu host but that is hardly conclusive. Defaulting this feature can break lots of things for people that do not spend days to compile their operating system and its binaries. =)
cmouse
 
Posts: 98
Joined: Tue Dec 17, 2002 10:58 am

Re: PAX_NOELFRELOCS survey

Postby specs » Wed Sep 22, 2010 2:05 am

When this discussion started I looked what my settings were.
I started disabling the ELFRELOCS somewhere during the old 2.6.32-patches (desktop, Debian i386, unstable).
I never saw problems from that configuration change.

On another pc NOELFRELOCS have been enabled for more than a year (Debian i386, stable).

However when I look at it I think the security settings in Debian are not nearly as complete as the settings in Gentoo (relro and such).
specs
 
Posts: 190
Joined: Sun Mar 26, 2006 7:00 am

Re: PAX_NOELFRELOCS survey

Postby tjh » Mon Sep 27, 2010 5:04 pm

I am, potentially, going insane here:

micro:/tmp# grep -i PAX_NOELFRELOC grsecurity-2.2.0-2.6.35.6-201009262116.patch

Returns nothing. The option doesn't exist.

Are we talking about having PAX_ELFRELOC unselected?

If so, I have it unselected on a Debian5 system with no ill effects, but I don't run X on this machine, it's a server only.

Or am I missing something?
tjh
 
Posts: 102
Joined: Sat Oct 16, 2004 8:19 pm

Re: PAX_NOELFRELOCS survey

Postby spender » Mon Sep 27, 2010 5:13 pm

The survey isn't needed anymore. We inverted the NOELFRELOCS logic so everyone has it by default. Judging from the lack of angry posts, it seems to have been the right decision ;)

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: PAX_NOELFRELOCS survey

Postby amdfanatyk » Fri Nov 12, 2010 4:46 pm

There were so many things written in this topic that I don't understand anything apart from the first post. I've just built 2.6.36-grsec and I would like to know if the NVIDIA driver and kdeinit will work with MPROTECT enabled or will not work, because I'm not a stupid village idiot to still run new kernels, build new NVIDIA modules and then revert to 2.6.32.11-grsec. Thanks!
amdfanatyk
 
Posts: 50
Joined: Tue Oct 18, 2005 3:52 pm

Re: PAX_NOELFRELOCS survey

Postby amdfanatyk » Sat Nov 13, 2010 12:53 pm

After turning off MPROTECT for kdeinit I managed to run KDE on 2.6.32.25-grsec but it turned out that kdeinit is not the only piece of software that needs turning off MPROTECT, another example is Polish IM called Kadu. To be honest I no longer see any reason for using GrSecurity patch.
amdfanatyk
 
Posts: 50
Joined: Tue Oct 18, 2005 3:52 pm

Re: PAX_NOELFRELOCS survey

Postby linkfanel » Tue Feb 15, 2011 11:25 am

FFmpeg libraries on Debian i386 still contain text relocations. So that sucks for multimedia.
linkfanel
 
Posts: 39
Joined: Fri Jul 14, 2006 8:26 pm
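As an added example (not code from this thread or from the grsecurity/PaX project), a small Python checker that reports whether an ELF object carries DT_TEXTREL or a DF_TEXTREL flag in its dynamic section, which is the condition PAX_NOELFRELOCS refuses; it lets you audit libraries such as the FFmpeg ones mentioned above before enabling the option. The `build_sample_elf64` helper constructs minimal ELF64 test images so the check runs offline; the constant values are taken from the ELF specification.

```python
import struct

PT_DYNAMIC, DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 2, 0, 22, 30, 0x4

def has_text_relocations(elf: bytes) -> bool:
    """True if the image has DT_TEXTREL or DF_TEXTREL, i.e. the dynamic
    loader would have to write into code pages at load time."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = elf[4] == 2                 # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"  # EI_DATA: 1 = little, 2 = big endian
    if is64:
        phoff, = struct.unpack_from(end + "Q", elf, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 54)
        phdr_fmt, dyn_fmt = end + "IIQQQQQQ", end + "qQ"
    else:
        phoff, = struct.unpack_from(end + "I", elf, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 42)
        phdr_fmt, dyn_fmt = end + "IIIIIIII", end + "iI"
    for i in range(phnum):
        fields = struct.unpack_from(phdr_fmt, elf, phoff + i * phentsize)
        if is64:   # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
            p_type, _, p_offset, _, _, p_filesz = fields[:6]
        else:      # p_type, p_offset, p_vaddr, p_paddr, p_filesz
            p_type, p_offset, _, _, p_filesz = fields[:5]
        if p_type != PT_DYNAMIC:
            continue
        pos, dyn_size = p_offset, struct.calcsize(dyn_fmt)
        while pos + dyn_size <= p_offset + p_filesz:
            tag, val = struct.unpack_from(dyn_fmt, elf, pos)
            if tag == DT_NULL:
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                return True
            pos += dyn_size
    return False

def build_sample_elf64(dyn_entries):
    """Constructed test data: a minimal little-endian ELF64 image whose only
    program header is a PT_DYNAMIC segment holding dyn_entries."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    ehdr_size, phdr_size = 64, 56
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # ELF64, LE, version 1
    # e_type=ET_DYN, e_machine=x86-64, e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, ehdr_size, 0, 0,
                               ehdr_size, phdr_size, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, ehdr_size + phdr_size,
                       0, 0, len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn
```

To audit a real library, call `has_text_relocations(open(path, "rb").read())`; a True result means the object will fail to load with PAX_NOELFRELOCS enabled until it is rebuilt as PIC.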

Re: PAX_NOELFRELOCS survey

Postby spender » Tue Feb 15, 2011 11:34 am

The latest patches have a compat mode for MPROTECT.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
