Linux Archive > Gentoo > Gentoo Hardened
07-14-2011, 09:54 AM
Markus Oehme

mprotect question

Hi,

I successfully switched to hardened profile during the last week and it was
quite painless. I think I can hand out some praise for the great work done
on Gentoo Hardened.

Just one thing puzzles me a bit. I activated pax in hardened sources and
this resulted in quite some segfaulting processes due to mprotect. I found
lines like the following in the logs.

Jul 13 17:09:41 localhost kernel: [ 286.180994] grsec: denied RWX mprotect of /lib64/ld-2.13.so by /usr/bin/python2.7[decibel-audio-p:6393] uid/euid:1000/1000 gid/egid:1005/1005, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

I remedied this with paxctl -m /usr/bin/python2.7 and similar, but the list
[1] of binaries where I had to do this includes some stuff, where mprotect
would be quite useful (sudo, polkitd, etc.). Also I didn't see a note in the
docs (which otherwise are really helpful) about what to expect for
exceptions from mprotect. Is this expected behaviour or have I made some
mistake in my configuration?


Markus

[1]
/usr/lib64/courier/courier-authlib/authdaemond
/usr/sbin/console-kit-daemon
/usr/libexec/polkitd
/usr/bin/xfconf-query
/usr/lib64/xfce4/xfconf/xfconfd
/usr/bin/xscreensaver
/usr/bin/xfce4-session
/usr/bin/gkrellm
/usr/bin/Xorg
/usr/bin/xfdesktop
/usr/bin/xfce4-panel
/usr/bin/Terminal
/usr/libexec/udisks-daemon
/usr/bin/xfce4-session-logout
/usr/bin/emacs-23
/usr/bin/sudo
/usr/bin/perl
/usr/libexec/xfce4/panel-plugins/xfce4-mixer-plugin
/usr/bin/xfce4-mixer
/usr/bin/python2.7
/usr/libexec/git-core/git
/usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1


--
Aoccdrnig to a threoy, it deosn't mttaer in waht oredr the ltteers in a wrod
are, the olny iprmoatnt tihng is taht the frist and lsat ltteer are in the
rghit pclae. The rset can be a taotl mses and you can sitll raed it in msot
csaes. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef,
but the wrod as a wlohe. And I awlyas thought slpeling was ipmorantt.
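Every denial line of the kind quoted above carries both the denied mapping and the executing binary, so the list of candidates for exceptions that Markus assembled by hand can be produced from the log. The following POSIX shell snippet is an added example, not code from the post: it extracts the two fields from grsec "denied RWX mprotect" messages and tallies them per binary and per mapping. The three log lines in SAMPLE_LOG are constructed for the demonstration, modelled on the single line quoted in the post.

```shell
#!/bin/sh
# Tally PaX MPROTECT denials from kernel log text on stdin.
# Added example, not part of the original post; the sample lines below
# are constructed to match the format of the message quoted in the thread.

# Print "<executing binary> <denied mapping>" for each grsec MPROTECT denial.
# Everything before "grsec:" (timestamp, host, printk prefix) is ignored.
mprotect_pairs() {
    sed -n 's/.*grsec: denied RWX mprotect of \([^ ]*\) by \([^[]*\)\[.*/\2 \1/p'
}

# Count denials per executing binary, most frequent first: "<count> <binary>".
mprotect_offenders() {
    mprotect_pairs | awk '{print $1}' | sort | uniq -c | sort -rn |
        awk '{print $1, $2}'
}

# Count denials per denied mapping (the object being made RWX), most frequent first.
mprotect_targets() {
    mprotect_pairs | awk '{print $2}' | sort | uniq -c | sort -rn |
        awk '{print $1, $2}'
}

# Constructed sample input, modelled on the line quoted in the thread.
SAMPLE_LOG='Jul 13 17:09:41 localhost kernel: [  286.180994] grsec: denied RWX mprotect of /lib64/ld-2.13.so by /usr/bin/python2.7[decibel-audio-p:6393] uid/euid:1000/1000 gid/egid:1005/1005, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Jul 13 17:10:02 localhost kernel: [  307.412301] grsec: denied RWX mprotect of /lib64/ld-2.13.so by /usr/bin/python2.7[python2.7:6410] uid/euid:1000/1000 gid/egid:1005/1005, parent /bin/bash[bash:6400] uid/euid:1000/1000 gid/egid:1005/1005
Jul 13 17:11:15 localhost kernel: [  380.005117] grsec: denied RWX mprotect of /lib64/libc-2.13.so by /usr/bin/sudo[sudo:6422] uid/euid:1000/0 gid/egid:1005/1005, parent /bin/bash[bash:6400] uid/euid:1000/1000 gid/egid:1005/1005'

# On a live system: dmesg | mprotect_offenders
# or:               grep 'denied RWX mprotect' /var/log/messages | mprotect_targets
# With the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | mprotect_offenders
printf '%s\n' "$SAMPLE_LOG" | mprotect_targets
```

On the sample this reports /usr/bin/python2.7 twice and /usr/bin/sudo once, with /lib64/ld-2.13.so as the most frequent denied mapping. PaX names the executing binary, so for an interpreter the process name in brackets (decibel-audio-p in the quoted line) is what identifies the script that was actually running.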
 
07-14-2011, 01:41 PM
"Anthony G. Basile"

mprotect question

Hi Markus,

It looks like you missed something in the process. The steps to
converting are (skipping details):

1) switch profile
2) recompile the toolchain: emerge glibc gcc binutils
3) recompile system: emerge -e system
4) recompile world: emerge -e world

If you didn't do these, it's possible you have some binaries left that
will trigger pax violations.

One way to quickly check if you got hardened binaries is to use a script
called checksec.sh [1] and run it on /bin or /sbin. You should see that
all your binaries have FULL RELRO, STACK CANARY, NX, PIE and ASLR.


Ref:

[1] http://tk-blog.blogspot.com/2009/02/checksec.html



On 07/14/2011 05:54 AM, Markus Oehme wrote:
> Hi,
>
> I successfully switched to hardened profile during the last week and it was
> quite painless. I think I can hand out some praise for the great work done
> on Gentoo Hardened.
>
> Just one thing puzzles me a bit. I activated pax in hardened sources and
> this resulted in quite some segfaulting processes due to mprotect. I found
> lines like the following in the logs.
>
> Jul 13 17:09:41 localhost kernel: [ 286.180994] grsec: denied RWX mprotect of /lib64/ld-2.13.so by /usr/bin/python2.7[decibel-audio-p:6393] uid/euid:1000/1000 gid/egid:1005/1005, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
>
> I remedied this with paxctl -m /usr/bin/python2.7 and similar, but the list
> [1] of binaries where I had to do this includes some stuff, where mprotect
> would be quite useful (sudo, polkitd, etc.). Also I didn't see a note in the
> docs (which otherwise are really helpful) about what to expect for
> exceptions from mprotect. Is this expected behaviour or have I made some
> mistake in my configuration?
>
>
> Markus
>
> [1]
> /usr/lib64/courier/courier-authlib/authdaemond
> /usr/sbin/console-kit-daemon
> /usr/libexec/polkitd
> /usr/bin/xfconf-query
> /usr/lib64/xfce4/xfconf/xfconfd
> /usr/bin/xscreensaver
> /usr/bin/xfce4-session
> /usr/bin/gkrellm
> /usr/bin/Xorg
> /usr/bin/xfdesktop
> /usr/bin/xfce4-panel
> /usr/bin/Terminal
> /usr/libexec/udisks-daemon
> /usr/bin/xfce4-session-logout
> /usr/bin/emacs-23
> /usr/bin/sudo
> /usr/bin/perl
> /usr/libexec/xfce4/panel-plugins/xfce4-mixer-plugin
> /usr/bin/xfce4-mixer
> /usr/bin/python2.7
> /usr/libexec/git-core/git
> /usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1
>
>
> --
> Aoccdrnig to a threoy, it deosn't mttaer in waht oredr the ltteers in a wrod
> are, the olny iprmoatnt tihng is taht the frist and lsat ltteer are in the
> rghit pclae. The rset can be a taotl mses and you can sitll raed it in msot
> csaes. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef,
> but the wrod as a wlohe. And I awlyas thought slpeling was ipmorantt.


--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
 
07-14-2011, 02:39 PM
Javier Juan Martínez Cabezón

mprotect question

These things usually happen when changes are put into CFLAGS/CXXFLAGS directly in make.conf instead of using the specs (profile). Without mprotect, PaX does nothing: ASLR is not functional, since a return into libc is not needed to get an exploit working, and PAGEEXEC/SEGMEXEC is not useful because mappings can be made EXECUTABLE/WRITEABLE at the same time, on the fly, without mprotect.


2011/7/14 Anthony G. Basile <blueness@gentoo.org>
> Hi Markus,
>
> It looks like you missed something in the process. The steps to
> converting are (skipping details):
>
> 1) switch profile
> 2) recompile the toolchain: emerge glibc gcc binutils
> 3) recompile system: emerge -e system
> 4) recompile world: emerge -e world
>
> If you didn't do these, it's possible you have some binaries left that
> will trigger pax violations.
>
> One way to quickly check if you got hardened binaries is to use a script
> called checksec.sh [1] and run it on /bin or /sbin. You should see that
> all your binaries have FULL RELRO, STACK CANARY, NX, PIE and ASLR.
>
> Ref:
>
> [1] http://tk-blog.blogspot.com/2009/02/checksec.html
>
> On 07/14/2011 05:54 AM, Markus Oehme wrote:
>> Hi,
>>
>> I successfully switched to hardened profile during the last week and it was
>> quite painless. I think I can hand out some praise for the great work done
>> on Gentoo Hardened.
>>
>> Just one thing puzzles me a bit. I activated pax in hardened sources and
>> this resulted in quite some segfaulting processes due to mprotect. I found
>> lines like the following in the logs.
>>
>> Jul 13 17:09:41 localhost kernel: [  286.180994] grsec: denied RWX mprotect of /lib64/ld-2.13.so by /usr/bin/python2.7[decibel-audio-p:6393] uid/euid:1000/1000 gid/egid:1005/1005, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
>>
>> I remedied this with paxctl -m /usr/bin/python2.7 and similar, but the list
>> [1] of binaries where I had to do this includes some stuff, where mprotect
>> would be quite useful (sudo, polkitd, etc.). Also I didn't see a note in the
>> docs (which otherwise are really helpful) about what to expect for
>> exceptions from mprotect. Is this expected behaviour or have I made some
>> mistake in my configuration?
>>
>>
>>          Markus
>>
>> [1]
>> /usr/lib64/courier/courier-authlib/authdaemond
>> /usr/sbin/console-kit-daemon
>> /usr/libexec/polkitd
>> /usr/bin/xfconf-query
>> /usr/lib64/xfce4/xfconf/xfconfd
>> /usr/bin/xscreensaver
>> /usr/bin/xfce4-session
>> /usr/bin/gkrellm
>> /usr/bin/Xorg
>> /usr/bin/xfdesktop
>> /usr/bin/xfce4-panel
>> /usr/bin/Terminal
>> /usr/libexec/udisks-daemon
>> /usr/bin/xfce4-session-logout
>> /usr/bin/emacs-23
>> /usr/bin/sudo
>> /usr/bin/perl
>> /usr/libexec/xfce4/panel-plugins/xfce4-mixer-plugin
>> /usr/bin/xfce4-mixer
>> /usr/bin/python2.7
>> /usr/libexec/git-core/git
>> /usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1
>>
>>
>> --
>> Aoccdrnig to a threoy, it deosn't mttaer in waht oredr the ltteers in a wrod
>> are, the olny iprmoatnt tihng is taht the frist and lsat ltteer are in the
>> rghit pclae. The rset can be a taotl mses and you can sitll raed it in msot
>> csaes. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef,
>> but the wrod as a wlohe. And I awlyas thought slpeling was ipmorantt.
>
>
> --
> Anthony G. Basile, Ph.D.
> Gentoo Linux Developer [Hardened]
> E-Mail    : blueness@gentoo.org
> GnuPG FP  : 8040 5A4D 8709 21B1 1A88  33CE 979C AF40 D045 5535
> GnuPG ID  : D0455535
 
07-14-2011, 03:29 PM
Markus Oehme

mprotect question

Hi Anthony,

At Thu, 14 Jul 2011 09:41:48 -0400,
Anthony G. Basile wrote:
> It looks like you missed something in the process. The steps to
> converting are (skipping details):
>
> 1) switch profile
> 2) recompile the toolchain: emerge glibc gcc binutils
> 3) recompile system: emerge -e system
> 4) recompile world: emerge -e world

I did execute all steps in this order and rebuilt all packages. Just now I
did some tries and recompiled some of the packages which fail. However, this
changed nothing.

One thing that should possibly be said: I'm using gcc-4.6.1. I was using gcc
4.6.0 for quite some time on ~amd64 ere I switched to hardened last week. I
didn't encounter any special problems during the transition.

> If you didn't do these, its possible you have some binaries left that
> will trigger pax violations.
>
> One way to quickly check if you got hardened binaries is to use a script
> called checksec.sh [1] and run it on /bin or /sbin. You should see that
> all your binaries have FULL RELRO, STACK CANARY, NX, PIE and ASLR.

I just executed the script for /bin and the result [1] was very mixed. Nearly all
binaries have FULL RELRO and PIE, but most have no STACK CANARY and NX. I
checked whether this could be changed and rebuilt coreutils twice, but the
output was the same every time.

However, this seems not to be a big problem since the system is currently
running normally (Xfce desktop session) with my current list [2] of exceptions
to mprotect which contains only binaries under /usr.


Thanks for the advice.

Markus

[1]

RELRO STACK CANARY NX PIE FILE
Full RELRO Canary found NX enabled PIE enabled /bin/attr
Full RELRO No canary found NX disabled PIE enabled /bin/basename
Full RELRO Canary found NX enabled PIE enabled /bin/bash
Full RELRO No canary found NX disabled PIE enabled /bin/bsdcpio
Full RELRO No canary found NX disabled PIE enabled /bin/bsdtar
Full RELRO No canary found NX disabled PIE enabled /bin/btrfs-debug-tree
Partial RELRO No canary found NX disabled No PIE /bin/busybox
Full RELRO No canary found NX disabled PIE enabled /bin/bzip2
Full RELRO No canary found NX disabled PIE enabled /bin/cat
Full RELRO Canary found NX enabled PIE enabled /bin/chacl
Full RELRO No canary found NX disabled PIE enabled /bin/chgrp
Full RELRO No canary found NX disabled PIE enabled /bin/chmod
Full RELRO No canary found NX disabled PIE enabled /bin/chown
Full RELRO No canary found NX disabled PIE enabled /bin/chroot
Full RELRO No canary found NX disabled PIE enabled /bin/cp
Full RELRO No canary found NX disabled PIE enabled /bin/cpio
Full RELRO No canary found NX disabled PIE enabled /bin/cut
Full RELRO No canary found NX disabled PIE enabled /bin/date
Full RELRO No canary found NX disabled PIE enabled /bin/dd
Full RELRO No canary found NX disabled PIE enabled /bin/df
Full RELRO No canary found NX disabled PIE enabled /bin/dir
Full RELRO No canary found NX disabled PIE enabled /bin/dirname
Full RELRO No canary found NX disabled PIE enabled /bin/dmesg
Full RELRO No canary found NX disabled PIE enabled /bin/du
Full RELRO No canary found NX disabled PIE enabled /bin/echo
Full RELRO Canary found NX enabled PIE enabled /bin/ed
Full RELRO No canary found NX disabled PIE enabled /bin/egrep
Full RELRO No canary found NX disabled PIE enabled /bin/env
Full RELRO No canary found NX disabled PIE enabled /bin/expr
Full RELRO No canary found NX disabled PIE enabled /bin/false
Full RELRO No canary found NX disabled PIE enabled /bin/fgrep
Full RELRO No canary found NX disabled PIE enabled /bin/findmnt
Full RELRO No canary found NX disabled PIE enabled /bin/fuser
Full RELRO Canary found NX enabled PIE enabled /bin/gawk
Full RELRO Canary found NX enabled PIE enabled /bin/getfacl
Full RELRO Canary found NX enabled PIE enabled /bin/getfattr
Full RELRO No canary found NX disabled PIE enabled /bin/grep
Full RELRO No canary found NX disabled PIE enabled /bin/groups
Full RELRO No canary found NX disabled PIE enabled /bin/gzip
Full RELRO No canary found NX disabled PIE enabled /bin/head
Full RELRO Canary found NX enabled PIE enabled /bin/hostname
Full RELRO No canary found NX disabled PIE enabled /bin/kill
Full RELRO No canary found NX disabled PIE enabled /bin/ln
Full RELRO No canary found NX disabled PIE enabled /bin/login
Full RELRO No canary found NX disabled PIE enabled /bin/ls
Full RELRO No canary found NX disabled PIE enabled /bin/lsblk
Full RELRO No canary found NX disabled PIE enabled /bin/lsmod
Full RELRO Canary found NX enabled PIE enabled /bin/mail
Full RELRO Canary found NX enabled PIE enabled /bin/mbchk
Full RELRO No canary found NX disabled PIE enabled /bin/mkdir
Full RELRO No canary found NX disabled PIE enabled /bin/mkfifo
Full RELRO No canary found NX disabled PIE enabled /bin/mknod
Full RELRO No canary found NX disabled PIE enabled /bin/mktemp
Full RELRO No canary found NX disabled PIE enabled /bin/more
Full RELRO No canary found NX disabled PIE enabled /bin/mount
Full RELRO Canary found NX enabled PIE enabled /bin/mountpoint
Full RELRO No canary found NX disabled PIE enabled /bin/mv
Full RELRO No canary found NX disabled PIE enabled /bin/nano
Full RELRO Canary found NX enabled PIE enabled /bin/netstat
Full RELRO No canary found NX disabled PIE enabled /bin/passwd
Full RELRO Canary found NX enabled PIE enabled /bin/ping
Full RELRO Canary found NX enabled PIE enabled /bin/ping6
Full RELRO No canary found NX disabled PIE enabled /bin/ps
Full RELRO No canary found NX disabled PIE enabled /bin/pwd
Full RELRO No canary found NX disabled PIE enabled /bin/readlink
Full RELRO No canary found NX disabled PIE enabled /bin/rm
Full RELRO No canary found NX disabled PIE enabled /bin/rmdir
Full RELRO No canary found NX disabled PIE enabled /bin/run-parts
Full RELRO No canary found NX disabled PIE enabled /bin/sed
Full RELRO No canary found NX disabled PIE enabled /bin/seq
Full RELRO Canary found NX enabled PIE enabled /bin/setfacl
Full RELRO Canary found NX enabled PIE enabled /bin/setfattr
Full RELRO No canary found NX disabled PIE enabled /bin/sleep
Full RELRO No canary found NX disabled PIE enabled /bin/sort
Full RELRO No canary found NX disabled PIE enabled /bin/stty
Full RELRO No canary found NX disabled PIE enabled /bin/su
Full RELRO No canary found NX disabled PIE enabled /bin/sync
Full RELRO No canary found NX disabled PIE enabled /bin/tail
Full RELRO No canary found NX disabled PIE enabled /bin/tar
Full RELRO Canary found NX enabled PIE enabled /bin/tcsh
Full RELRO No canary found NX disabled PIE enabled /bin/tempfile
Full RELRO No canary found NX disabled PIE enabled /bin/touch
Full RELRO No canary found NX disabled PIE enabled /bin/tr
Full RELRO No canary found NX disabled PIE enabled /bin/true
Full RELRO No canary found NX disabled PIE enabled /bin/tty
Full RELRO No canary found NX disabled PIE enabled /bin/umount
Full RELRO No canary found NX disabled PIE enabled /bin/uname
Full RELRO No canary found NX disabled PIE enabled /bin/vdir
Full RELRO No canary found NX disabled PIE enabled /bin/wc
Full RELRO No canary found NX disabled PIE enabled /bin/yes
Full RELRO Canary found NX enabled PIE enabled /bin/zsh
Full RELRO Canary found NX enabled PIE enabled /bin/zsh-4.3.12



[2]

/usr/bin/emacs-23
/usr/bin/gkrellm
/usr/bin/perl
/usr/bin/python2.7
/usr/bin/spamc
/usr/bin/ssh
/usr/bin/sudo
/usr/bin/Terminal
/usr/bin/xchat
/usr/bin/xfce4-mixer
/usr/bin/xfce4-panel
/usr/bin/xfce4-session
/usr/bin/xfce4-session-logout
/usr/bin/xfconf-query
/usr/bin/xfdesktop
/usr/bin/Xorg
/usr/bin/xscreensaver
/usr/games/bin/enigma
/usr/lib64/courier/courier-authlib/authdaemond
/usr/lib64/xfce4/xfconf/xfconfd
/usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1
/usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1plus
/usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/lto1
/usr/libexec/git-core/git
/usr/libexec/polkitd
/usr/libexec/udisks-daemon
/usr/libexec/xfce4/panel-plugins/xfce4-mixer-plugin
/usr/sbin/collectd
/usr/sbin/console-kit-daemon


--
Aoccdrnig to a threoy, it deosn't mttaer in waht oredr the ltteers in a wrod
are, the olny iprmoatnt tihng is taht the frist and lsat ltteer are in the
rghit pclae. The rset can be a taotl mses and you can sitll raed it in msot
csaes. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef,
but the wrod as a wlohe. And I awlyas thought slpeling was ipmorantt.
 
07-14-2011, 09:46 PM
Matthew Summers

mprotect question

On Thu, Jul 14, 2011 at 10:29 AM, Markus Oehme <oehme.markus@gmx.de> wrote:
> Hi Anthony,
>
> At Thu, 14 Jul 2011 09:41:48 -0400,
> Anthony G. Basile wrote:
>> It looks like you missed something in the process. The steps to
>> converting are (skipping details):
>>
>> 1) switch profile
>> 2) recompile the toolchain: emerge glibc gcc binutils
>> 3) recompile system: emerge -e system
>> 4) recompile world: emerge -e world
>
> I did execute all steps in this order and rebuilt all packages. Just now I
> did some tries and recompiled some of the packages which fail. However, this
> changed nothing.
>
> One thing that should possibly be said: I'm using gcc-4.6.1. I was using gcc
> 4.6.0 for quite some time on ~amd64 ere I switched to hardened last week. I
> didn't encounter any special problems during the transition.
>
>> If you didn't do these, it's possible you have some binaries left that
>> will trigger pax violations.
>>
>> One way to quickly check if you got hardened binaries is to use a script
>> called checksec.sh [1] and run it on /bin or /sbin. You should see that
>> all your binaries have FULL RELRO, STACK CANARY, NX, PIE and ASLR.
>
> I just executed the script for /bin and the result [1] was very mixed. Nearly all
> binaries have FULL RELRO and PIE, but most have no STACK CANARY and NX. I
> checked whether this could be changed and rebuilt coreutils twice, but the
> output was the same every time.
>
> However, this seems not to be a big problem since the system is currently
> running normally (Xfce desktop session) with my current list [2] of exceptions
> to mprotect which contains only binaries under /usr.
>
>
> Thanks for the advice.
>
>            Markus
>
> [1]
>
> RELRO           STACK CANARY      NX            PIE                     FILE
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/attr
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/basename
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/bash
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/bsdcpio
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/bsdtar
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/btrfs-debug-tree
> Partial RELRO   No canary found   NX disabled   No PIE                  /bin/busybox
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/bzip2
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/cat
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/chacl
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/chgrp
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/chmod
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/chown
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/chroot
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/cp
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/cpio
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/cut
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/date
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/dd
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/df
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/dir
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/dirname
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/dmesg
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/du
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/echo
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/ed
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/egrep
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/env
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/expr
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/false
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/fgrep
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/findmnt
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/fuser
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/gawk
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/getfacl
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/getfattr
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/grep
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/groups
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/gzip
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/head
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/hostname
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/kill
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/ln
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/login
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/ls
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/lsblk
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/lsmod
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/mail
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/mbchk
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/mkdir
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/mkfifo
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/mknod
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/mktemp
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/more
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/mount
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/mountpoint
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/mv
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/nano
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/netstat
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/passwd
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/ping
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/ping6
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/ps
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/pwd
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/readlink
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/rm
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/rmdir
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/run-parts
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/sed
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/seq
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/setfacl
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/setfattr
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/sleep
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/sort
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/stty
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/su
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/sync
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/tail
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/tar
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/tcsh
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/tempfile
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/touch
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/tr
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/true
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/tty
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/umount
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/uname
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/vdir
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/wc
> Full RELRO      No canary found   NX disabled   PIE enabled             /bin/yes
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/zsh
> Full RELRO      Canary found      NX enabled    PIE enabled             /bin/zsh-4.3.12
>
>
>
> [2]
>
> /usr/bin/emacs-23
> /usr/bin/gkrellm
> /usr/bin/perl
> /usr/bin/python2.7
> /usr/bin/spamc
> /usr/bin/ssh
> /usr/bin/sudo
> /usr/bin/Terminal
> /usr/bin/xchat
> /usr/bin/xfce4-mixer
> /usr/bin/xfce4-panel
> /usr/bin/xfce4-session
> /usr/bin/xfce4-session-logout
> /usr/bin/xfconf-query
> /usr/bin/xfdesktop
> /usr/bin/Xorg
> /usr/bin/xscreensaver
> /usr/games/bin/enigma
> /usr/lib64/courier/courier-authlib/authdaemond
> /usr/lib64/xfce4/xfconf/xfconfd
> /usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1
> /usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1plus
> /usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/lto1
> /usr/libexec/git-core/git
> /usr/libexec/polkitd
> /usr/libexec/udisks-daemon
> /usr/libexec/xfce4/panel-plugins/xfce4-mixer-plugin
> /usr/sbin/collectd
> /usr/sbin/console-kit-daemon
>
>
> --
> Aoccdrnig to a threoy, it deosn't mttaer in waht oredr the ltteers in a wrod
> are, the olny iprmoatnt tihng is taht the frist and lsat ltteer are in the
> rghit pclae. The rset can be a taotl mses and you can sitll raed it in msot
> csaes. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef,
> but the wrod as a wlohe. And I awlyas thought slpeling was ipmorantt.
>
>

Hi there,

What is the output of gcc-config -l? You should see something like the
following (versions will be different).
[1] x86_64-pc-linux-gnu-4.4.5 *
[2] x86_64-pc-linux-gnu-4.4.5-hardenednopie
[3] x86_64-pc-linux-gnu-4.4.5-hardenednopiessp
[4] x86_64-pc-linux-gnu-4.4.5-hardenednossp
[5] x86_64-pc-linux-gnu-4.4.5-vanilla

The asterisk will be next to the one you have selected, which in this
case is the first in the list (it is hardened).

Cheers
--
M. Summers

"...there are no rules here -- we're trying to accomplish something."
  - Thomas A. Edison
 
07-14-2011, 09:49 PM
Matthew Summers

mprotect question

On Thu, Jul 14, 2011 at 8:41 AM, Anthony G. Basile <blueness@gentoo.org> wrote:
> Hi Markus,
>
> It looks like you missed something in the process. The steps to
> converting are (skipping details):
>
> 1) switch profile
> 2) recompile the toolchain: emerge glibc gcc binutils
> 3) recompile system: emerge -e system
> 4) recompile world: emerge -e world
>
> If you didn't do these, it's possible you have some binaries left that
> will trigger pax violations.

<snip>

> --
> Anthony G. Basile, Ph.D.
> Gentoo Linux Developer [Hardened]
> E-Mail    : blueness@gentoo.org
> GnuPG FP  : 8040 5A4D 8709 21B1 1A88  33CE 979C AF40 D045 5535
> GnuPG ID  : D0455535

I might add a step in there after #2, let's call it step "2+to-be-sure":
check the output of gcc-config -l and select the hardened gcc if it's
not been selected already. It's been a long time since I did a non- to
a hardened system conversion, so I am uncertain whether this is in
fact necessary. In any case it cannot hurt anything to simply check
the situation out.

--
M. Summers

"...there are no rules here -- we're trying to accomplish something."
  - Thomas A. Edison
 
07-15-2011, 10:22 AM
"Anthony G. Basile"

mprotect question

On 07/15/2011 04:52 AM, Markus Oehme wrote:
> Hi Anthony,
>
> At Thu, 14 Jul 2011 12:59:59 -0400,
> Anthony G. Basile wrote:
>>> One thing that should possibly be said: I'm using gcc-4.6.1. I was using gcc
>>> 4.6.0 for quite some time on ~amd64 ere I switched to hardened last week. I
>>> didn't encounter any special problems during the transition.
>>>
>> Time for a bug report. If reproducible, it's a show-stopper for
>> hardened gcc-4.6.1
>>
>>>> If you didn't do these, its possible you have some binaries left that
>>>> will trigger pax violations.
>>>>
>>>> One way to quickly check if you got hardened binaries is to use a script
>>>> called checksec.sh [1] and run it on /bin or /sbin. You should see that
>>>> all your binaries have FULL RELRO, STACK CANARY, NX, PIE and ASLR.
>>> I just executed the script for /bin and the result [1] was very mixed. Nearly all
>>> binaries have FULL RELRO and PIE, but most have no STACK CANARY and NX. I
>>> checked whether this could be changed and rebuilt coreutils twice, but the
>>> output was the same every time.
>>>
>>> However this seems not to be a big problem since the system is currently
>>> running normal (Xfce desktop session) with my current list [2] of exceptions
>>> to mprotect which contains only binaries under /usr.
>>>
>> That's not right. Can you compile the following, run checksec.sh on it
>> and see if you get all the hardening features:
>>
>> int main()
>> {
>> ;
>> return 0;
>> }
> I think I've found the issue. I had some rather aggressive CFLAGS
> enabled. Dropping them seems to correct the issue. The evil guy seems to be
> link time optimization. This is reproducible with your minimal example, if
> compiled with 'gcc' it turns out correctly. 'gcc -flto' gives the behaviour
> I've seen (no stack canary and no nx).
>
> I'm currently in the process of remerging @world, but hopefully everything
> will be ok afterwards.
>
>
> Markus
>
> --
> For instance, on the planet Earth, man had always assumed that he was more
> intelligent than dolphins because he had achieved so much---the wheel, New
> York, wars and so on---while all the dolphins had ever done was muck about
> in the water having a good time. But conversely, the dolphins had always
> believed that they were far more intelligent than man---for precisely the
> same reasons. (Douglas Adams, The Hitchhikers Guide to the Galaxy.)

Markus,

Thanks for discovering this, I was not aware. However, when I try to
compile with -flto, I get an error:

cc1: error: LTO support has not been enabled in this configuration

I'm going to have to investigate.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
 
07-15-2011, 11:02 AM
Markus Oehme

mprotect question

Hi,

I seem to have messed up my mail accounts and this list seems only to accept
submissions from members, so here is what I wrote to Anthony before.

The cause is using link time optimization (-flto) as optimization with
gcc. With it, the pattern is as I described, without it, everything works
fine.


Markus

--
Aoccdrnig to a threoy, it deosn't mttaer in waht oredr the ltteers in a wrod
are, the olny iprmoatnt tihng is taht the frist and lsat ltteer are in the
rghit pclae. The rset can be a taotl mses and you can sitll raed it in msot
csaes. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef,
but the wrod as a wlohe. And I awlyas thought slpeling was ipmorantt.
 
07-15-2011, 11:07 AM
"Anthony G. Basile"

mprotect question

On 07/15/2011 06:57 AM, Markus Oehme wrote:
> Hi Anthony,
>
> At Fri, 15 Jul 2011 06:22:24 -0400,
> Anthony G. Basile wrote:
>> On 07/15/2011 04:52 AM, Markus Oehme wrote:
>> Thanks for discovering this, I was not aware. However, when I try to
>> compile with -flto, I get an error:
>>
>> cc1: error: LTO support has not been enabled in this configuration
>>
>> I'm going to have to investigate.
> if you use gcc-4.5.* you have to enable the use flag 'lto' for gcc to get
> support for link time optimization. With gcc-4.6.* this seems not to be
> necessary.
>
Yep, time to mask that on the hardened profiles.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
 
07-15-2011, 03:50 PM
Fredric Johansson

mprotect question

On Fri, Jul 15, 2011 at 1:02 PM, Markus Oehme <oehme.markus@gmx.de> wrote:
> Hi,
>
> I seem to have messed up my mail accounts and this list seems only to accept
> submissions from members, so here what I wrote to Anthony before.
>
> The cause is using link time optimization (-flto) as optimization with
> gcc. With it, the pattern is as I described, without it, everything works
> fine.

I have experienced that lto sometimes adds text relocations when using
it, as an example in zlib-1.2.3 (but not in 1.2.5), so that's another
reason not to use lto on hardened.
Note that -flto -fstack-protector-all re-enables the stack canaries,
but I haven't checked whether or not that disables lto.

//Fredric

>
> * * * * * * * *Markus
>
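Three things in this thread combine into one scriptable check: the checksec.sh columns Anthony lists (RELRO, stack canary, NX, PIE), the minimal program he asks Markus to build and inspect, and the text relocations Fredric reports with LTO. The script below is an added example, not checksec.sh and not anything posted in the thread. It reads the same ELF facts checksec.sh derives with readelf (PT_GNU_RELRO plus BIND_NOW for full RELRO, a reference to __stack_chk_fail for the canary, the E flag on PT_GNU_STACK for NX, ELF type DYN for PIE, the TEXTREL dynamic tag for text relocations) and then builds the thread's minimal program twice, hardened and deliberately unhardened, so both states appear in one report. It assumes gcc and GNU readelf are on PATH. The two flag sets are assumptions for the demonstration: on a toolchain that does not enable these protections by default, forcing each state with explicit flags is the only way to see both rows differ; whether -flto drops them on your own toolchain can then be checked by adding it to the hardened build and comparing.

```shell
#!/bin/sh
# checksec-style ELF hardening report via readelf, plus a rebuild of the
# thread's minimal program with and without hardening flags.
# Added example; not checksec.sh and not code from the thread.
# Assumes: gcc and GNU readelf on PATH.

# full / partial / none: PT_GNU_RELRO present, and BIND_NOW (or FLAGS_1 NOW)
# in the dynamic section for "full".
relro_level() {
    if readelf -lW "$1" 2>/dev/null | grep -q 'GNU_RELRO'; then
        if readelf -dW "$1" 2>/dev/null | grep -qE 'BIND_NOW|\(FLAGS_1\).*NOW'; then
            echo full
        else
            echo partial
        fi
    else
        echo none
    fi
}

# yes / no: a canary-protected binary references __stack_chk_fail.
has_canary() {
    if readelf -sW "$1" 2>/dev/null | grep -q '__stack_chk_fail'; then echo yes; else echo no; fi
}

# yes / no: NX means PT_GNU_STACK exists and is not flagged RWE.
has_nx() {
    stack=$(readelf -lW "$1" 2>/dev/null | grep 'GNU_STACK' || true)
    case "$stack" in
        '')    echo no ;;   # no PT_GNU_STACK at all: executable stack
        *RWE*) echo no ;;
        *)     echo yes ;;
    esac
}

# yes / no: PIE executables have ELF type DYN.
is_pie() {
    if readelf -hW "$1" 2>/dev/null | grep -q 'Type:.*DYN'; then echo yes; else echo no; fi
}

# yes / no: a TEXTREL dynamic tag means text relocations (what Fredric
# reports LTO introducing in zlib-1.2.3); PaX blocks writes to text.
has_textrel() {
    if readelf -dW "$1" 2>/dev/null | grep -q 'TEXTREL'; then echo yes; else echo no; fi
}

# One tab-separated report line: the checksec.sh columns plus TEXTREL.
checksec_line() {
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$(relro_level "$1")" "$(has_canary "$1")" "$(has_nx "$1")" \
        "$(is_pie "$1")" "$(has_textrel "$1")" "$1"
}

# Build the thread's minimal program as $1, with the remaining args as gcc flags.
build_minimal() {
    out=$1; shift
    printf 'int main()\n{\n\t;\n\treturn 0;\n}\n' > "$out.c"
    gcc "$@" -o "$out" "$out.c"
}

# Demo: the same source, hardened vs. deliberately unhardened (assumed flag sets).
# To repeat Markus's experiment, add -flto to the first build and compare.
main() {
    dir=$(mktemp -d)
    build_minimal "$dir/hardened"   -fstack-protector-all -Wl,-z,relro,-z,now -Wl,-z,noexecstack
    build_minimal "$dir/unhardened" -fno-stack-protector  -Wl,-z,norelro      -Wl,-z,execstack
    printf 'RELRO\tCANARY\tNX\tPIE\tTEXTREL\tFILE\n'
    checksec_line "$dir/hardened"
    checksec_line "$dir/unhardened"
}

case $# in
    0) if command -v gcc >/dev/null 2>&1; then main; fi ;;   # no args: run the demo
    *) for f in "$@"; do checksec_line "$f"; done ;;          # args: report on given files
esac
```

With no arguments it builds and reports the two binaries; with paths it reports on those, so `sh checksec-lite.sh /bin/*` gives the same picture Markus pasted, one line per file, with the extra TEXTREL column. The grep on __stack_chk_fail is the same heuristic checksec.sh uses, so a binary stripped of its dynamic symbol table (or one that never calls a protected function) can read as "no canary" even when the compiler inserted one.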
 
