These things usually happen when changes are put into CFLAGS/CXXFLAGS directly in make.conf instead of using the specs (profile). Without mprotect, PaX does nothing: ASLR is not functional since a return-into-libc is not needed to get an exploit working, and PAGEEXEC/SEGMEXEC are not useful because mappings can be made EXECUTABLE/WRITABLE at the same time on the fly without mprotect.
2011/7/14 Anthony G. Basile <blueness@gentoo.org>
Hi Markus,
It looks like you missed something in the process. The steps to
converting are (skipping details):
1) switch profile
2) recompile the toolchain: emerge glibc gcc binutils
3) recompile system: emerge -e system
4) recompile world: emerge -e world
If you didn't do these, it's possible you have some binaries left that
will trigger pax violations.
One way to quickly check if you got hardened binaries is to use a script
called checksec.sh [1] and run it on /bin or /sbin. You should see that
all your binaries have FULL RELRO, STACK CANARY, NX, PIE and ASLR.
Ref:
[1] http://tk-blog.blogspot.com/2009/02/checksec.html
On 07/14/2011 05:54 AM, Markus Oehme wrote:
> Hi,
>
> I successfully switched to hardened profile during the last week and it was
> quite painless. I think I can hand out some praise for the great work done
> on Gentoo Hardened.
>
> Just one thing puzzles me a bit. I activated pax in hardened sources and
> this resulted in quite some segfaulting processes due to mprotect. I found
> lines like the following in the logs.
>
> Jul 13 17:09:41 localhost kernel: [  286.180994] grsec: denied RWX mprotect of /lib64/ld-2.13.so by /usr/bin/python2.7[decibel-audio-p:6393] uid/euid:1000/1000 gid/egid:1005/1005, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
>
> I remedied this with paxctl -m /usr/bin/python2.7 and similar, but the list
> [1] of binaries where I had to do this includes some stuff, where mprotect
> would be quite useful (sudo, polkitd, etc.). Also I didn't see a note in the
> docs (which otherwise are really helpful) about what to expect for
> exceptions from mprotect. Is this expected behaviour or have I made some
> mistake in my configuration?
>
>
>           Markus
>
> [1]
> /usr/lib64/courier/courier-authlib/authdaemond
> /usr/sbin/console-kit-daemon
> /usr/libexec/polkitd
> /usr/bin/xfconf-query
> /usr/lib64/xfce4/xfconf/xfconfd
> /usr/bin/xscreensaver
> /usr/bin/xfce4-session
> /usr/bin/gkrellm
> /usr/bin/Xorg
> /usr/bin/xfdesktop
> /usr/bin/xfce4-panel
> /usr/bin/Terminal
> /usr/libexec/udisks-daemon
> /usr/bin/xfce4-session-logout
> /usr/bin/emacs-23
> /usr/bin/sudo
> /usr/bin/perl
> /usr/libexec/xfce4/panel-plugins/xfce4-mixer-plugin
> /usr/bin/xfce4-mixer
> /usr/bin/python2.7
> /usr/libexec/git-core/git
> /usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1
>
>
> --
> Aoccdrnig to a threoy, it deosn't mttaer in waht oredr the ltteers in a wrod
> are, the olny iprmoatnt tihng is taht the frist and lsat ltteer are in the
> rghit pclae. The rset can be a taotl mses and you can sitll raed it in msot
> csaes. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef,
> but the wrod as a wlohe. And I awlyas thought slpeling was ipmorantt.
--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail   : blueness@gentoo.org
GnuPG FP : 8040 5A4D 8709 21B1 1A88  33CE 979C AF40 D045 5535
GnuPG ID : D0455535
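The thread above turns on two checks: whether a binary was actually built hardened (what checksec.sh reports as NX, PIE and RELRO) and what PaX marking it carries (what paxctl -m changes), plus reading the grsec denial lines to find out which executables need a decision. The following is an added example written for this page; it is not checksec.sh, paxctl, or any Gentoo Hardened code. It parses only the ELF64 header and program headers of a little-endian (x86-64) image, so it reports PIE, NX, partial RELRO and the PT_PAX_FLAGS marking; FULL RELRO (DT_BIND_NOW) and stack canaries (an imported __stack_chk_fail) live in the dynamic section and symbol table and are deliberately out of scope. The PaX bit positions are taken from PaX's elf.h; the ELF images and the log lines are constructed inline as test input (the first log line is Markus's, the other two are made up in the same shape).

```python
"""Header-only ELF64 hardening and PaX-marking inspector (added example)."""
import re
import struct

ELF64_EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # 64-byte ELF header
ELF64_PHDR = struct.Struct("<IIQQQQQQ")          # 56-byte program header

ET_EXEC, ET_DYN = 2, 3                           # ET_DYN is what a PIE is linked as
PT_GNU_STACK = 0x6474E551                        # stack permissions; PF_X => executable stack
PT_GNU_RELRO = 0x6474E552                        # region remapped read-only after relocation
PT_PAX_FLAGS = 0x65041580                        # PaX marking header that paxctl edits
PF_X, PF_RW = 0x1, 0x6

# PaX per-feature bits in p_flags of PT_PAX_FLAGS (PaX elf.h): one bit enables the
# feature, the next disables it; with neither set the kernel's configured default applies.
PAX_FEATURES = [  # (name, paxctl letter, enable bit, disable bit)
    ("PAGEEXEC", "P", 1 << 4, 1 << 5),
    ("SEGMEXEC", "S", 1 << 6, 1 << 7),
    ("MPROTECT", "M", 1 << 8, 1 << 9),
    ("RANDEXEC", "X", 1 << 10, 1 << 11),
    ("EMUTRAMP", "E", 1 << 12, 1 << 13),
    ("RANDMMAP", "R", 1 << 14, 1 << 15),
]


def program_headers(data):
    """Return (e_type, [(p_type, p_flags), ...]) for a 64-bit little-endian ELF image."""
    eh = ELF64_EHDR.unpack_from(data, 0)
    ident, e_type, phoff, phentsize, phnum = eh[0], eh[1], eh[5], eh[9], eh[10]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF file")
    phdrs = []
    for i in range(phnum):
        p_type, p_flags = ELF64_PHDR.unpack_from(data, phoff + i * phentsize)[:2]
        phdrs.append((p_type, p_flags))
    return e_type, phdrs


def inspect(data):
    """Header-level report: PIE, NX, RELRO (partial only) and the PaX marking per feature."""
    e_type, phdrs = program_headers(data)
    flags = dict(phdrs)                          # p_type -> p_flags
    pax = flags.get(PT_PAX_FLAGS)
    pax_state = {}
    for name, _letter, on, off in PAX_FEATURES:
        if pax is None:
            pax_state[name] = "unmarked"         # binary has no PT_PAX_FLAGS header at all
        elif pax & off:
            pax_state[name] = "disabled"         # e.g. MPROTECT after `paxctl -m`
        elif pax & on:
            pax_state[name] = "enabled"
        else:
            pax_state[name] = "default"          # kernel default (sysctl/kconfig) applies
    return {
        "PIE": e_type == ET_DYN,
        "NX": PT_GNU_STACK in flags and not flags[PT_GNU_STACK] & PF_X,
        "RELRO": "partial" if PT_GNU_RELRO in flags else "none",
        "PAX": pax_state,
    }


def paxctl_letters(data):
    """PaX marking in paxctl's letter convention: upper = enabled, lower = disabled, '-' = default."""
    state = inspect(data)["PAX"]
    out = ""
    for name, letter, _on, _off in PAX_FEATURES:
        s = state[name]
        out += letter if s == "enabled" else letter.lower() if s == "disabled" else "-"
    return out


DENIED_RE = re.compile(r"grsec: denied RWX mprotect of (\S+) by ([^\s\[]+)\[")


def denied_binaries(log_text):
    """Executables that hit a PaX MPROTECT denial, de-duplicated in order of first appearance."""
    seen = []
    for m in DENIED_RE.finditer(log_text):
        if m.group(2) not in seen:
            seen.append(m.group(2))
    return seen


def build_elf(e_type, phdrs):
    """Constructed header-only ELF64 image for testing: no code, just the headers inspected above."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9          # ELFCLASS64, LSB, EV_CURRENT
    hdr = ELF64_EHDR.pack(ident, e_type, 62, 1, 0, ELF64_EHDR.size, 0, 0,
                          ELF64_EHDR.size, ELF64_PHDR.size, len(phdrs), 0, 0, 0)
    return hdr + b"".join(ELF64_PHDR.pack(t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)


# Constructed samples: a hardened PIE, the same binary after `paxctl -m`, and a legacy build.
HARDENED = build_elf(ET_DYN, [(PT_GNU_STACK, PF_RW), (PT_GNU_RELRO, 0x4), (PT_PAX_FLAGS, 0)])
AFTER_PAXCTL_M = build_elf(ET_DYN, [(PT_GNU_STACK, PF_RW), (PT_GNU_RELRO, 0x4), (PT_PAX_FLAGS, 1 << 9)])
LEGACY = build_elf(ET_EXEC, [(PT_GNU_STACK, PF_RW | PF_X)])

# Constructed log: the first line is from the thread, the other two follow the same shape.
SAMPLE_LOG = """\
Jul 13 17:09:41 localhost kernel: [  286.180994] grsec: denied RWX mprotect of /lib64/ld-2.13.so by /usr/bin/python2.7[decibel-audio-p:6393] uid/euid:1000/1000 gid/egid:1005/1005, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Jul 13 17:09:42 localhost kernel: [  287.001200] grsec: denied RWX mprotect of /lib64/ld-2.13.so by /usr/bin/python2.7[python2.7:6401] uid/euid:1000/1000 gid/egid:1005/1005, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Jul 13 17:10:03 localhost kernel: [  308.440111] grsec: denied RWX mprotect of /lib64/ld-2.13.so by /usr/bin/sudo[sudo:6410] uid/euid:1000/0 gid/egid:1005/1005, parent /bin/bash[bash:6200] uid/euid:1000/1000 gid/egid:1005/1005
"""

if __name__ == "__main__":
    for label, image in (("hardened", HARDENED), ("after paxctl -m", AFTER_PAXCTL_M), ("legacy", LEGACY)):
        print(label, inspect(image), paxctl_letters(image))
    print("binaries with MPROTECT denials:", denied_binaries(SAMPLE_LOG))
```

To run it on a real system, replace the constructed images with `open(path, "rb").read()` for each file under /bin or /sbin; a hardened toolchain emits the PT_PAX_FLAGS header at link time, and paxctl stores its -m/-M markings in that header's p_flags, which is why the marking survives a copy of the file but not a rebuild.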