at Apprentice
Joined: 20 Aug 2006 Posts: 185
|
Posted: Sat Sep 30, 2006 3:01 pm Post subject: PAX and nvidia-settings [solved] |
|
|
I am unsuccessfully trying to use nvidia-settings on 2.6.17-hardened-r1 kernel (AMD64).
nvidia-settings is killed with the following error in /var/log/pax.log:
Code: | Sep 30 10:59:16 localhost PAX: execution attempt in: /usr/lib64/opengl/nvidia/lib/libGLcore.so.1.0.9625, 37e65f41c000-37e65f546000 006fc000
Sep 30 10:59:16 localhost PAX: terminating task: /usr/bin/nvidia-settings(nvidia-settings):1642, uid/euid: 0/0, PC: 000037e65f49df70, SP: 0000729de5701358
Sep 30 10:59:16 localhost PAX: bytes at PC: 64 48 8b 04 25 90 ff ff ff ff a0 10 08 00 00 cc cc cc cc cc
Sep 30 10:59:16 localhost PAX: bytes at SP-8: 0000000000b73c20 000037e65ef9c1d9 0000000002800002 000000004002e058 0000000000b72e90 0000000000b3a2a0 0000000040002000 0000000000b3a2a0 000000000068c310 0000000000b463d0 0000000000b72e90 |
I have relaxed settings on /usr/bin/nvidia-settings and /usr/lib64/opengl/nvidia/lib/libGLcore.so.1.0.9625:
Code: | # chpax -v /usr/bin/nvidia-settings
----[ chpax 0.7 : Current flags for /usr/bin/nvidia-settings (pemrxs) ]----
* Paging based PAGE_EXEC : disabled
* Trampolines : not emulated
* mprotect() : not restricted
* mmap() base : not randomized
* ET_EXEC base : not randomized
* Segmentation based PAGE_EXEC : disabled
# chpax -v /usr/lib64/opengl/nvidia/lib/libGLcore.so.1.0.9625
----[ chpax 0.7 : Current flags for /usr/lib64/opengl/nvidia/lib/libGLcore.so.1.0.9625 (pemrxs) ]----
* Paging based PAGE_EXEC : disabled
* Trampolines : not emulated
* mprotect() : not restricted
* mmap() base : not randomized
* ET_EXEC base : not randomized
* Segmentation based PAGE_EXEC : disabled |
But still the same problem.
Last edited by at on Wed Oct 11, 2006 12:17 am; edited 1 time in total |
|
|
|
tuxmin l33t
Joined: 24 Apr 2004 Posts: 838 Location: Heidelberg
|
Posted: Sat Sep 30, 2006 7:36 pm Post subject: |
|
|
Try the same for
/usr/lib64/opengl/nvidia/lib/libGLcore
Hth, Alex!!! _________________ ALT-F4 |
|
|
|
at Apprentice
Joined: 20 Aug 2006 Posts: 185
|
Posted: Sat Sep 30, 2006 9:22 pm Post subject: |
|
|
I don't think I have this file:
Code: | # chpax -pemrxs /usr/lib64/opengl/nvidia/lib/libGLcore
/usr/lib64/opengl/nvidia/lib/libGLcore: No such file or directory |
So I tried:
Code: | chpax -pemrxs /usr/lib64/opengl/nvidia/lib/libGLcore.so |
But the same result:
Code: | #dmesg
...
nvidia-settings[30750]: segfault at 000037545cfb7f70 rip 000037545cfb7f70 rsp 000076f45a5df838 error 15
PAX: execution attempt in: /usr/lib64/opengl/nvidia/lib/libGLcore.so.1.0.9625, 37545cf36000-37545d060000 006fc000
PAX: terminating task: /usr/bin/nvidia-settings(nvidia-settings):30750, uid/euid: 0/0, PC: 000037545cfb7f70, SP: 000076f45a5df838
PAX: bytes at PC: 64 48 8b 04 25 90 ff ff ff ff a0 10 08 00 00 cc cc cc cc cc
PAX: bytes at SP-8: 0000000000b75330 000037545cab61d9 0000000002c00002 000000004002e058 0000000000b745a0 0000000000b3bed0 0000000040002000 0000000000b3bed0 0000000000699390 0000000000b475b0 0000000000b745a0
grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/bin/nvidia-settings[nvidia-settings:30750] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:15567] uid/euid:0/0 gid/egid:0/0 |
|
|
|
|
tuxmin l33t
Joined: 24 Apr 2004 Posts: 838 Location: Heidelberg
|
Posted: Sun Oct 01, 2006 6:05 am Post subject: |
|
|
Can you please post the grsec part of your kernel .config? I remember this being a problem
with a certain grsec option. I think I can identify it by looking over the variables...
Alex!!! _________________ ALT-F4 |
|
|
|
at Apprentice
Joined: 20 Aug 2006 Posts: 185
|
Posted: Sun Oct 01, 2006 4:34 pm Post subject: |
|
|
Code: | #
# Security options
#
#
# PaX
#
CONFIG_PAX=y
#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_NOELFRELOCS=y
#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
#
# Miscellaneous hardening features
#
CONFIG_PAX_MEMORY_SANITIZE=y
#
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
CONFIG_GRKERNSEC_CUSTOM=y
#
# Address Space Protection
#
# CONFIG_GRKERNSEC_KMEM is not set
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
# CONFIG_GRKERNSEC_MODSTOP is not set
CONFIG_GRKERNSEC_HIDESYM=y
#
# Role Based Access Control Options
#
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=533
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
# CONFIG_GRKERNSEC_SIGNAL is not set
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set
#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_SHM=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
CONFIG_GRKERNSEC_TPE=y
# CONFIG_GRKERNSEC_TPE_ALL is not set
CONFIG_GRKERNSEC_TPE_INVERT=y
CONFIG_GRKERNSEC_TPE_GID=448
#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
# CONFIG_GRKERNSEC_SOCKET is not set
#
# Sysctl support
#
CONFIG_GRKERNSEC_SYSCTL=y
# CONFIG_GRKERNSEC_SYSCTL_ON is not set
#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
# CONFIG_KEYS is not set
CONFIG_SECURITY=y
# CONFIG_SECURITY_NETWORK is not set
CONFIG_SECURITY_CAPABILITIES=y
# CONFIG_SECURITY_ROOTPLUG is not set
# CONFIG_SECURITY_SECLVL is not set |
Thank you |
|
|
|
tuxmin l33t
Joined: 24 Apr 2004 Posts: 838 Location: Heidelberg
|
Posted: Sun Oct 01, 2006 6:07 pm Post subject: |
|
|
Once I had a lot of trouble with this one
Code: |
CONFIG_GRKERNSEC_EXECVE
|
See if it helps, when you disable it...
Hth, Alex!!! _________________ ALT-F4 |
|
|
|
at Apprentice
Joined: 20 Aug 2006 Posts: 185
|
Posted: Sun Oct 01, 2006 11:07 pm Post subject: |
|
|
Thank you, Alex.
Rebuilt the kernel with CONFIG_GRKERNSEC_EXECVE disabled. No effect.
Disabled (presumably, but obviously not true) all grsecurity in the kernel:
Code: | # sysctl -a | grep grsecurity
error: "Operation not permitted" reading key "net.ipv4.route.flush"
kernel.grsecurity.grsec_lock = 0
kernel.grsecurity.resource_logging = 0
kernel.grsecurity.destroy_unused_shm = 0
kernel.grsecurity.chroot_findtask = 0
kernel.grsecurity.dmesg = 0
kernel.grsecurity.rand_pids = 0
kernel.grsecurity.tpe_gid = 0
kernel.grsecurity.tpe = 0
kernel.grsecurity.chroot_deny_sysctl = 0
kernel.grsecurity.chroot_caps = 0
kernel.grsecurity.chroot_restrict_nice = 0
kernel.grsecurity.chroot_deny_mknod = 0
kernel.grsecurity.chroot_deny_chmod = 0
kernel.grsecurity.chroot_enforce_chdir = 0
kernel.grsecurity.chroot_deny_pivot = 0
kernel.grsecurity.chroot_deny_chroot = 0
kernel.grsecurity.chroot_deny_fchdir = 0
kernel.grsecurity.chroot_deny_mount = 0
kernel.grsecurity.chroot_deny_unix = 0
kernel.grsecurity.chroot_deny_shmat = 0
kernel.grsecurity.timechange_logging = 0
kernel.grsecurity.forkfail_logging = 0
kernel.grsecurity.fifo_restrictions = 0
kernel.grsecurity.linking_restrictions = 0
error: "Invalid argument" reading key "fs.binfmt_misc.register" |
No effect.
Disabled PAX on the executable:
Code: | # chpax -pemrxs /usr/lib64/opengl/nvidia/lib/libGLcore.so.1.0.9625
# chpax -pemrxs /usr/bin/nvidia-settings
# chpax -v /usr/bin/nvidia-settings
----[ chpax 0.7 : Current flags for /usr/bin/nvidia-settings (pemrxs) ]----
* Paging based PAGE_EXEC : disabled
* Trampolines : not emulated
* mprotect() : not restricted
* mmap() base : not randomized
* ET_EXEC base : not randomized
* Segmentation based PAGE_EXEC : disabled |
Still getting an error:
Code: | # tail /var/log/pax.log
Oct 1 19:06:04 localhost PAX: execution attempt in: /usr/lib64/opengl/nvidia/lib/libGLcore.so.1.0.9625, 39ed6e047000-39ed6e171000 006fc000
Oct 1 19:06:04 localhost PAX: terminating task: /usr/bin/nvidia-settings(nvidia-settings):28841, uid/euid: 0/0, PC: 000039ed6e0c8f70, SP: 0000735bf2743058
Oct 1 19:06:04 localhost PAX: bytes at PC: 64 48 8b 04 25 90 ff ff ff ff a0 10 08 00 00 cc cc cc cc cc
Oct 1 19:06:04 localhost PAX: bytes at SP-8: 0000000000bddee0 000039ed6dbc71d9 0000000002a00002 000000004002e058 0000000000bdd150 0000000000b93bb0 0000000040002000 0000000000b93bb0 000000000069a280 0000000000bafbd0 0000000000bdd150 |
Code: | # dmesg
PAX: execution attempt in: /usr/lib64/opengl/nvidia/lib/libGLcore.so.1.0.9625, 38bd3e773000-38bd3e89d000 006fc000
PAX: terminating task: /usr/bin/nvidia-settings(nvidia-settings):28826, uid/euid: 0/0, PC: 000038bd3e7f4f70, SP: 00007eb570dcc468
PAX: bytes at PC: 64 48 8b 04 25 90 ff ff ff ff a0 10 08 00 00 cc cc cc cc cc
PAX: bytes at SP-8: 0000000000bd5750 000038bd3e2f31d9 0000000002a00002 000000004002e058 0000000000bd49a0 0000000000bd5730 0000000040002000 0000000000bd5730 0000000000691f90 0000000000ba7050 0000000000bd49a0
nvidia-settings[28841]: segfault at 000039ed6e0c8f70 rip 000039ed6e0c8f70 rsp 0000735bf2743058 error 15
PAX: execution attempt in: /usr/lib64/opengl/nvidia/lib/libGLcore.so.1.0.9625, 39ed6e047000-39ed6e171000 006fc000
PAX: terminating task: /usr/bin/nvidia-settings(nvidia-settings):28841, uid/euid: 0/0, PC: 000039ed6e0c8f70, SP: 0000735bf2743058
PAX: bytes at PC: 64 48 8b 04 25 90 ff ff ff ff a0 10 08 00 00 cc cc cc cc cc
PAX: bytes at SP-8: 0000000000bddee0 000039ed6dbc71d9 0000000002a00002 000000004002e058 0000000000bdd150 0000000000b93bb0 0000000040002000 0000000000b93bb0 000000000069a280 0000000000bafbd0 0000000000bdd150 |
|
|
|
|
tuxmin l33t
Joined: 24 Apr 2004 Posts: 838 Location: Heidelberg
|
Posted: Mon Oct 02, 2006 6:51 am Post subject: |
|
|
There used to be an issue with broken dependencies in the grsec part of the kernel config. I.e. even after disabling the grsec part it would still be built, at least parts of it -- even after a "make mrproper" (which is obviously the case for you...). Please delete the kernel tree and re-emerge and try again. _________________ ALT-F4 |
|
|
|
at Apprentice
Joined: 20 Aug 2006 Posts: 185
|
Posted: Mon Oct 02, 2006 11:52 pm Post subject: |
|
|
I reinstalled kernel source, did 'make clean' and rebuilt the kernel using my .config from previous builds (with CONFIG_GRKERNSEC_EXECVE not set).
No effect.
Then I set everything mentioning grsecurity in /etc/sysctl.conf to 0:
Code: | # sysctl -p /etc/sysctl.conf
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
kernel.panic = 3
kernel.grsecurity.resource_logging = 0
kernel.grsecurity.destroy_unused_shm = 0
kernel.grsecurity.chroot_findtask = 0
kernel.grsecurity.dmesg = 0
kernel.grsecurity.rand_pids = 0
kernel.grsecurity.tpe_gid = 0
kernel.grsecurity.tpe = 0
kernel.grsecurity.chroot_deny_sysctl = 0
kernel.grsecurity.chroot_caps = 0
kernel.grsecurity.chroot_restrict_nice = 0
kernel.grsecurity.chroot_deny_mknod = 0
kernel.grsecurity.chroot_deny_chmod = 0
kernel.grsecurity.chroot_enforce_chdir = 0
kernel.grsecurity.chroot_deny_pivot = 0
kernel.grsecurity.chroot_deny_chroot = 0
kernel.grsecurity.chroot_deny_fchdir = 0
kernel.grsecurity.chroot_deny_mount = 0
kernel.grsecurity.chroot_deny_unix = 0
kernel.grsecurity.chroot_deny_shmat = 0
kernel.grsecurity.timechange_logging = 0
kernel.grsecurity.forkfail_logging = 0
error: "kernel.grsecurity.execve_limiting" is an unknown key
kernel.grsecurity.fifo_restrictions = 0
kernel.grsecurity.linking_restrictions = 0
#gradm -S
The RBAC system is currently disabled. |
I would assume that that should disable grsecurity.
But no! Still the same situation, except that now I get errors not in /var/log/grsec.log or in /var/pax/log but in dmesg:
Code: | nvidia-settings[16647]: segfault at 00002c529fa82f70 rip 00002c529fa82f70 rsp 0000756f01252758 error 15
PAX: execution attempt in: /usr/lib64/opengl/nvidia/lib/libGLcore.so.1.0.9625, 2c529fa01000-2c529fb2b000 006fc000
PAX: terminating task: /usr/bin/nvidia-settings(nvidia-settings):16647, uid/euid: 1000/1000, PC: 00002c529fa82f70, SP: 0000756f01252758
PAX: bytes at PC: 64 48 8b 04 25 90 ff ff ff ff a0 10 08 00 00 cc cc cc cc cc
PAX: bytes at SP-8: 0000000000be0990 00002c529f5811d9 0000000002a00002 000000004002e058 0000000000bdfc00 0000000000baa7e0 0000000040002000 0000000000baa7e0 000000000069c730 0000000000bb23d0 0000000000bdfc00 |
But PAX should be disabled too:
Code: | # chpax -v /usr/bin/nvidia-settings
----[ chpax 0.7 : Current flags for /usr/bin/nvidia-settings (pemrxs) ]----
* Paging based PAGE_EXEC : disabled
* Trampolines : not emulated
* mprotect() : not restricted
* mmap() base : not randomized
* ET_EXEC base : not randomized
* Segmentation based PAGE_EXEC : disabled
# chpax -v /usr/lib64/opengl/nvidia/lib/libGLcore.so.1.0.9625
----[ chpax 0.7 : Current flags for /usr/lib64/opengl/nvidia/lib/libGLcore.so.1.0.9625 (pemrxs) ]----
* Paging based PAGE_EXEC : disabled
* Trampolines : not emulated
* mprotect() : not restricted
* mmap() base : not randomized
* ET_EXEC base : not randomized
* Segmentation based PAGE_EXEC : disabled
# chpax -v /usr/lib64/opengl/nvidia/lib/libGLcore.so
----[ chpax 0.7 : Current flags for /usr/lib64/opengl/nvidia/lib/libGLcore.so (pemrxs) ]----
* Paging based PAGE_EXEC : disabled
* Trampolines : not emulated
* mprotect() : not restricted
* mmap() base : not randomized
* ET_EXEC base : not randomized
* Segmentation based PAGE_EXEC : disabled |
Why, while grsecurity, RBAC and PAX are supposed to be disabled, do they still prevent legitimate programs from running??? |
|
|
|
tuxmin l33t
Joined: 24 Apr 2004 Posts: 838 Location: Heidelberg
|
Posted: Tue Oct 03, 2006 3:41 pm Post subject: |
|
|
This is strange... is this kernel 2.6.18? I read that PAX is partially integrated in this kernel...
It would be interesting to see what happens when you compile a vanilla kernel, maybe even a version below 2.6.18 if my assumption is true.
Hth, alex!!! _________________ ALT-F4 |
|
|
|
at Apprentice
Joined: 20 Aug 2006 Posts: 185
|
Posted: Tue Oct 03, 2006 5:56 pm Post subject: |
|
|
The kernel is 2.6.17-hardened-r1. I have some of the PAX (as well as grsecurity) settings enabled in the kernel (please see above).
But my understanding was that grsecurity can be disabled through sysctl, and PAX could be disabled on a per-file basis using 'chpax'. That's what I did (or tried to do).
Is my understanding about this security model incorrect?
Thank you |
|
|
|
tuxmin l33t
Joined: 24 Apr 2004 Posts: 838 Location: Heidelberg
|
Posted: Tue Oct 03, 2006 6:36 pm Post subject: |
|
|
That's the way it's supposed to work... However, it does not, obviously... It's been some time since I used grsecurity, but I remember having a lot of trouble getting rid of it once the kernel was patched.
You should really try a vanilla kernel to make sure that what we observe here is really grsec related. You might also try to patch the kernel manually with grsec and try again. There could be some issue with the hardened sources that prevents disabling grsec...
Alex!!! _________________ ALT-F4 |
|
|
|
at Apprentice
Joined: 20 Aug 2006 Posts: 185
|
Posted: Wed Oct 11, 2006 12:20 am Post subject: |
|
|
I found the culprit.
It works only if
Code: | # CONFIG_PAX_MPROTECT is not set |
(CONFIG_GRKERNSEC_EXECVE can be set.)
Thank you for your help! |
|
|
|
|
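Added example (not part of the original thread): a small Python triage helper for the PAX lines posted above. It pairs each "execution attempt" line with its "terminating task" line and subtracts the mapping start from the PC, so kills from different runs can be compared even though the mmap base is randomized. Assumptions: the third number on the "execution attempt" line is taken to be the file offset of the mapping, the function names are illustrative, and the sample lines are copied from two of the posts.

```python
import re

# Sample input: PAX lines copied from two posts in this thread (two separate runs).
SAMPLE_LOG = """\
Sep 30 10:59:16 localhost PAX: execution attempt in: /usr/lib64/opengl/nvidia/lib/libGLcore.so.1.0.9625, 37e65f41c000-37e65f546000 006fc000
Sep 30 10:59:16 localhost PAX: terminating task: /usr/bin/nvidia-settings(nvidia-settings):1642, uid/euid: 0/0, PC: 000037e65f49df70, SP: 0000729de5701358
PAX: execution attempt in: /usr/lib64/opengl/nvidia/lib/libGLcore.so.1.0.9625, 37545cf36000-37545d060000 006fc000
PAX: terminating task: /usr/bin/nvidia-settings(nvidia-settings):30750, uid/euid: 0/0, PC: 000037545cfb7f70, SP: 000076f45a5df838
"""

# Assumption: fields are "<path>, <vma start>-<vma end> <file offset of mapping>".
ATTEMPT = re.compile(
    r"PAX: execution attempt in: (?P<path>.+), "
    r"(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+) (?P<off>[0-9a-f]+)$")
TASK = re.compile(
    r"PAX: terminating task: (?P<exe>[^(]+)\((?P<comm>[^)]*)\):(?P<pid>\d+), "
    r"uid/euid: (?P<uid>\d+)/(?P<euid>\d+), PC: (?P<pc>[0-9a-f]+), SP: (?P<sp>[0-9a-f]+)")

def parse_pax_kills(text):
    """Pair each 'execution attempt' line with the 'terminating task' line after it."""
    events, pending = [], None
    for line in text.splitlines():
        m = ATTEMPT.search(line.rstrip())
        if m:
            pending = m
            continue
        t = TASK.search(line)
        if t and pending:
            start, end = int(pending["start"], 16), int(pending["end"], 16)
            pc = int(t["pc"], 16)
            events.append({
                "exe": t["exe"], "pid": int(t["pid"]), "mapping": pending["path"],
                "pc_in_mapping": start <= pc < end,   # did the PC fault inside this mapping?
                "map_offset": pc - start,             # stable across randomized runs
                "file_offset": pc - start + int(pending["off"], 16),
            })
            pending = None
    return events

def distinct_fault_sites(events):
    """Collapse randomized PCs into unique (mapping, file offset) fault sites."""
    return sorted({(e["mapping"], e["file_offset"]) for e in events})

if __name__ == "__main__":
    for e in parse_pax_kills(SAMPLE_LOG):
        print(e["exe"], e["pid"], e["mapping"], hex(e["map_offset"]), hex(e["file_offset"]))
    print(distinct_fault_sites(parse_pax_kills(SAMPLE_LOG)))
```

For the two runs quoted here, both kills land at the same offset inside libGLcore.so.1.0.9625, so the different PC values are the same fault site seen under a randomized mmap base.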