These things usually happen when changes are put into CFLAGS/CXXFLAGS directly in make.conf instead of using the specs (profile). Without MPROTECT, PaX does nothing: ASLR is not functional, since a return into libc is not needed to get an exploit working, and PAGEEXEC/SEGMEXEC are not useful, because mappings can be made EXECUTABLE/WRITABLE at the same time on the fly without mprotect.
2011/7/14 Anthony G. Basile <bluen...@gentoo.org>
> Hi Markus,
>
> It looks like you missed something in the process. The steps to
> converting are (skipping details):
>
> 1) switch profile
> 2) recompile the toolchain: emerge glibc gcc binutils
> 3) recompile system: emerge -e system
> 4) recompile world: emerge -e world
>
> If you didn't do these, it's possible you have some binaries left that
> will trigger pax violations.
>
> One way to quickly check if you got hardened binaries is to use a script
> called checksec.sh [1] and run it on /bin or /sbin. You should see that
> all your binaries have FULL RELRO, STACK CANARY, NX, PIE and ASLR.
>
>
> Ref:
>
> [1] http://tk-blog.blogspot.com/2009/02/checksec.html
>
>
>
> On 07/14/2011 05:54 AM, Markus Oehme wrote:
> > Hi,
> >
> > I successfully switched to hardened profile during the last week and it was
> > quite painless. I think I can hand out some praise for the great work done
> > on Gentoo Hardened. :)
> >
> > Just one thing puzzles me a bit. I activated pax in hardened sources and
> > this resulted in quite some segfaulting processes due to mprotect. I found
> > lines like the following in the logs.
> >
> > Jul 13 17:09:41 localhost kernel: [ 286.180994] grsec: denied RWX mprotect of /lib64/ld-2.13.so by /usr/bin/python2.7[decibel-audio-p:6393] uid/euid:1000/1000 gid/egid:1005/1005, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
> >
> > I remedied this with paxctl -m /usr/bin/python2.7 and similar, but the list
> > [1] of binaries where I had to do this includes some stuff, where mprotect
> > would be quite useful (sudo, polkitd, etc.). Also I didn't see a note in the
> > docs (which otherwise are really helpful :) about what to expect for
> > exceptions from mprotect. Is this expected behaviour or have I made some
> > mistake in my configuration?
> >
> > Markus
> >
> > [1]
> > /usr/lib64/courier/courier-authlib/authdaemond
> > /usr/sbin/console-kit-daemon
> > /usr/libexec/polkitd
> > /usr/bin/xfconf-query
> > /usr/lib64/xfce4/xfconf/xfconfd
> > /usr/bin/xscreensaver
> > /usr/bin/xfce4-session
> > /usr/bin/gkrellm
> > /usr/bin/Xorg
> > /usr/bin/xfdesktop
> > /usr/bin/xfce4-panel
> > /usr/bin/Terminal
> > /usr/libexec/udisks-daemon
> > /usr/bin/xfce4-session-logout
> > /usr/bin/emacs-23
> > /usr/bin/sudo
> > /usr/bin/perl
> > /usr/libexec/xfce4/panel-plugins/xfce4-mixer-plugin
> > /usr/bin/xfce4-mixer
> > /usr/bin/python2.7
> > /usr/libexec/git-core/git
> > /usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1
> >
> >
> > --
> > Aoccdrnig to a threoy, it deosn't mttaer in waht oredr the ltteers in a wrod
> > are, the olny iprmoatnt tihng is taht the frist and lsat ltteer are in the
> > rghit pclae. The rset can be a taotl mses and you can sitll raed it in msot
> > csaes. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef,
> > but the wrod as a wlohe. And I awlyas thought slpeling was ipmorantt.
>
> --
> Anthony G. Basile, Ph.D.
> Gentoo Linux Developer [Hardened]
> E-Mail : bluen...@gentoo.org
> GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
> GnuPG ID : D0455535
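As an added example (not code from this thread, from Gentoo Hardened or from checksec.sh): a POSIX shell snippet that pulls the offending executables out of grsec "denied RWX mprotect" log lines like the one Markus quoted, deduplicates them, and then runs on each the readelf checks that checksec.sh performs (RELRO, stack canary, NX, PIE), which is the quick test Anthony suggests for spotting binaries the profile switch left unhardened. The sample log lines are constructed for this example, and the function names are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example (not from the thread, not part of Gentoo Hardened or checksec.sh).
# 1. Pull the executables named in grsec "denied RWX mprotect" log lines.
# 2. Run the readelf checks that checksec.sh performs on each of them.
# Function names and the sample log below are assumptions made for this example.

# Constructed sample, modelled on the line quoted in the thread; not real log output.
SAMPLE_LOG='Jul 13 17:09:41 localhost kernel: [  286.180994] grsec: denied RWX mprotect of /lib64/ld-2.13.so by /usr/bin/python2.7[decibel-audio-p:6393] uid/euid:1000/1000 gid/egid:1005/1005, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Jul 13 17:10:02 localhost kernel: [  307.221004] grsec: denied RWX mprotect of /lib64/ld-2.13.so by /usr/bin/perl[perl:6401] uid/euid:1000/1000 gid/egid:1005/1005, parent /bin/bash[bash:6300] uid/euid:1000/1000 gid/egid:1005/1005
Jul 13 17:10:09 localhost kernel: [  314.004511] grsec: denied RWX mprotect of /lib64/ld-2.13.so by /usr/bin/python2.7[python2.7:6410] uid/euid:1000/1000 gid/egid:1005/1005, parent /bin/bash[bash:6300] uid/euid:1000/1000 gid/egid:1005/1005
Jul 13 17:10:15 localhost sudo: markus : TTY=pts/0 ; PWD=/home/markus ; USER=root ; COMMAND=/usr/bin/emerge --info'

# Print each executable that was denied an RWX mprotect, once, in first-seen order.
# The grsec line names the mapped object ("of ..."), then the process ("by <path>[comm:pid]");
# we want the latter, which is what paxctl -m would be applied to.
mprotect_offenders() {
    printf '%s\n' "$1" \
      | sed -n 's/.*grsec: denied RWX mprotect of [^ ]* by \([^[]*\)\[.*/\1/p' \
      | awk '!seen[$0]++'
}

# Report RELRO, stack canary, NX and PIE for one ELF file using readelf only
# (the same signals checksec.sh looks at). Returns 1 for non-ELF input.
hardening_report() {
    f=$1
    hdr=$(readelf -h "$f" 2>/dev/null) || { printf '%s: not an ELF file\n' "$f"; return 1; }
    phdr=$(readelf -lW "$f" 2>/dev/null)
    dyn=$(readelf -dW "$f" 2>/dev/null)

    # PIE executables are ELF type DYN; note that a plain shared library shows as DYN too.
    case $hdr in *Type:*DYN*) pie="PIE" ;; *) pie="no PIE" ;; esac

    # NX: the GNU_STACK program header must not be RWE.
    if printf '%s\n' "$phdr" | grep -q 'GNU_STACK.*RWE'; then nx="no NX"; else nx="NX"; fi

    # RELRO: a GNU_RELRO segment must be present; "full" additionally needs BIND_NOW,
    # so the GOT is fully resolved before it is made read-only.
    if printf '%s\n' "$phdr" | grep -q GNU_RELRO; then
        if printf '%s\n' "$dyn" | grep -Eq 'BIND_NOW|FLAGS_1.*NOW'; then relro="full RELRO"
        else relro="partial RELRO"; fi
    else
        relro="no RELRO"
    fi

    # Stack canary: SSP-instrumented code references __stack_chk_fail.
    if readelf -sW "$f" 2>/dev/null | grep -q '__stack_chk_fail'; then canary="canary"
    else canary="no canary"; fi

    printf '%s: %s, %s, %s, %s\n' "$f" "$relro" "$canary" "$nx" "$pie"
}

# Stand-alone run: list the offenders, then inspect any that exist on this machine.
# Non-ELF entries (e.g. a wrapper script) are reported and skipped.
for f in $(mprotect_offenders "$SAMPLE_LOG"); do
    if command -v readelf >/dev/null 2>&1 && [ -x "$f" ]; then
        hardening_report "$f" || true
    else
        printf '%s\n' "$f"
    fi
done
```

On a real box, feed it the kernel log (for example `mprotect_offenders "$(cat /var/log/messages)"`) and loop `hardening_report` over `/bin/*` the way Anthony suggests running checksec.sh. A binary built with the toolchain flags bypassed, as described in the reply at the top of this thread, shows up here as "no PIE" and "no canary" even though the profile is hardened. ASLR itself is a kernel property that readelf cannot see; the PIE column is the per-binary prerequisite for it.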