On Sat, 1 Nov 2014 12:08:23 +0200 Alex Efros <power...@powerman.name> wrote:
> Hi! > > I wonder if something was changed in handling "grsec: denied RWX > mprotect"? Previously when I saw this in the kernel log it usually resulted > in killing the app (and I had to run `paxctl-ng -m /that/app`), but now it > looks like this doesn't happen anymore. For example: > https://bugs.freedesktop.org/show_bug.cgi?id=73473 OpenGL apps fall back to software rendering if they can't mmap executable memory. The denied mprotect() only fails that one call with an error; a process is killed only when it goes on to execute from memory that was left non-executable, which is exactly what paxtest does. > # eselect opengl list > Available OpenGL implementations: > [1] nvidia * > [2] xorg-x11 > # grep PAX /etc/portage/make.conf > PAX_MARKINGS="XT" > # paxctl-ng -v /usr/bin/glxgears > /usr/bin/glxgears: > PT_PAX : -e--- > XATTR_PAX : not found > # /usr/bin/glxgears > Running synchronized to the vertical refresh. The framerate should be > approximately the same as the monitor refresh rate. > 302 frames in 5.0 seconds = 60.336 FPS > 300 frames in 5.0 seconds = 59.960 FPS > (so, as you see, it works!) > > and here is the kernel log: > > 2014-11-01_10:00:19.58867 kern.alert: grsec: denied RWX mprotect > of /usr/lib64/opengl/nvidia/lib/libGL.so.343.22 > by /usr/bin/glxgears[glxgears:12208] uid/euid:0/0 gid/egid:0/0, > parent /bin/bash[bash:8601] uid/euid:0/0 gid/egid:0/0 > > At the same time paxtest works ok (all killed).
> > > My kernel config: > > # zgrep PAX /proc/config.gz > > CONFIG_PAX_USERCOPY_SLABS=y > CONFIG_PAX=y > # CONFIG_PAX_SOFTMODE is not set > # CONFIG_PAX_PT_PAX_FLAGS is not set > CONFIG_PAX_XATTR_PAX_FLAGS=y > CONFIG_PAX_NO_ACL_FLAGS=y > # CONFIG_PAX_HAVE_ACL_FLAGS is not set > # CONFIG_PAX_HOOK_ACL_FLAGS is not set > CONFIG_PAX_NOEXEC=y > CONFIG_PAX_PAGEEXEC=y > CONFIG_PAX_EMUTRAMP=y > CONFIG_PAX_MPROTECT=y > # CONFIG_PAX_MPROTECT_COMPAT is not set > # CONFIG_PAX_ELFRELOCS is not set > # CONFIG_PAX_KERNEXEC is not set > CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="" > CONFIG_PAX_ASLR=y > # CONFIG_PAX_RANDKSTACK is not set > CONFIG_PAX_RANDUSTACK=y > CONFIG_PAX_RANDMMAP=y > # CONFIG_PAX_MEMORY_SANITIZE is not set > # CONFIG_PAX_MEMORY_STACKLEAK is not set > CONFIG_PAX_MEMORY_STRUCTLEAK=y > # CONFIG_PAX_MEMORY_UDEREF is not set > CONFIG_PAX_REFCOUNT=y > CONFIG_PAX_USERCOPY=y > # CONFIG_PAX_USERCOPY_DEBUG is not set > # CONFIG_PAX_SIZE_OVERFLOW is not set > # CONFIG_PAX_LATENT_ENTROPY is not set > > # zgrep GRKERNSEC /proc/config.gz > > CONFIG_GRKERNSEC=y > # CONFIG_GRKERNSEC_CONFIG_AUTO is not set > CONFIG_GRKERNSEC_CONFIG_CUSTOM=y > CONFIG_GRKERNSEC_PROC_GID=1000 > CONFIG_GRKERNSEC_KMEM=y > # CONFIG_GRKERNSEC_IO is not set > CONFIG_GRKERNSEC_PERF_HARDEN=y > CONFIG_GRKERNSEC_RAND_THREADSTACK=y > CONFIG_GRKERNSEC_PROC_MEMMAP=y > # CONFIG_GRKERNSEC_KSTACKOVERFLOW is not set > # CONFIG_GRKERNSEC_BRUTE is not set > CONFIG_GRKERNSEC_MODHARDEN=y > CONFIG_GRKERNSEC_HIDESYM=y > # CONFIG_GRKERNSEC_RANDSTRUCT is not set > # CONFIG_GRKERNSEC_KERN_LOCKOUT is not set > CONFIG_GRKERNSEC_NO_RBAC=y > CONFIG_GRKERNSEC_ACL_HIDEKERN=y > CONFIG_GRKERNSEC_ACL_MAXTRIES=3 > CONFIG_GRKERNSEC_ACL_TIMEOUT=30 > CONFIG_GRKERNSEC_PROC=y > # CONFIG_GRKERNSEC_PROC_USER is not set > CONFIG_GRKERNSEC_PROC_USERGROUP=y > CONFIG_GRKERNSEC_PROC_ADD=y > CONFIG_GRKERNSEC_LINK=y > # CONFIG_GRKERNSEC_SYMLINKOWN is not set > CONFIG_GRKERNSEC_FIFO=y > # CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set > # 
CONFIG_GRKERNSEC_ROFS is not set > CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y > CONFIG_GRKERNSEC_CHROOT=y > CONFIG_GRKERNSEC_CHROOT_MOUNT=y > CONFIG_GRKERNSEC_CHROOT_DOUBLE=y > CONFIG_GRKERNSEC_CHROOT_PIVOT=y > CONFIG_GRKERNSEC_CHROOT_CHDIR=y > CONFIG_GRKERNSEC_CHROOT_CHMOD=y > CONFIG_GRKERNSEC_CHROOT_FCHDIR=y > CONFIG_GRKERNSEC_CHROOT_MKNOD=y > CONFIG_GRKERNSEC_CHROOT_SHMAT=y > CONFIG_GRKERNSEC_CHROOT_UNIX=y > CONFIG_GRKERNSEC_CHROOT_FINDTASK=y > CONFIG_GRKERNSEC_CHROOT_NICE=y > CONFIG_GRKERNSEC_CHROOT_SYSCTL=y > CONFIG_GRKERNSEC_CHROOT_CAPS=y > # CONFIG_GRKERNSEC_AUDIT_GROUP is not set > # CONFIG_GRKERNSEC_EXECLOG is not set > CONFIG_GRKERNSEC_RESLOG=y > # CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set > CONFIG_GRKERNSEC_AUDIT_PTRACE=y > # CONFIG_GRKERNSEC_AUDIT_CHDIR is not set > # CONFIG_GRKERNSEC_AUDIT_MOUNT is not set > CONFIG_GRKERNSEC_SIGNAL=y > CONFIG_GRKERNSEC_FORKFAIL=y > # CONFIG_GRKERNSEC_TIME is not set > CONFIG_GRKERNSEC_PROC_IPADDR=y > CONFIG_GRKERNSEC_RWXMAP_LOG=y > CONFIG_GRKERNSEC_DMESG=y > CONFIG_GRKERNSEC_HARDEN_PTRACE=y > CONFIG_GRKERNSEC_PTRACE_READEXEC=y > CONFIG_GRKERNSEC_SETXID=y > CONFIG_GRKERNSEC_HARDEN_IPC=y > # CONFIG_GRKERNSEC_TPE is not set > CONFIG_GRKERNSEC_RANDNET=y > CONFIG_GRKERNSEC_BLACKHOLE=y > CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y > # CONFIG_GRKERNSEC_SOCKET is not set > # CONFIG_GRKERNSEC_DENYUSB is not set > CONFIG_GRKERNSEC_SYSCTL=y > CONFIG_GRKERNSEC_SYSCTL_ON=y > CONFIG_GRKERNSEC_FLOODTIME=10 > CONFIG_GRKERNSEC_FLOODBURST=4 >