Mailing List Archive: Gentoo: Hardened

mprotect question

Index | Next | Previous | View Threaded

oehme.markus at gmx

Jul 14, 2011, 2:54 AM

Post #1 of 8 (855 views)
Permalink

mprotect question

Hi,

I successfully switched to hardened profile during the last week and it was
quite painless. I think I can hand out some praise for the great work done
on Gentoo Hardened. :)

Just one thing puzzles me a bit. I activated pax in hardened sources and
this resulted in quite some segfaulting processes due to mprotect. I found
lines like the following in the logs.

Jul 13 17:09:41 localhost kernel: [ 286.180994] grsec: denied RWX mprotect of /lib64/ld-2.13.so by /usr/bin/python2.7[decibel-audio-p:6393] uid/euid:1000/1000 gid/egid:1005/1005, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

I remedied this with paxctl -m /usr/bin/python2.7 and similar, but the list
[1] of binaries where I had to do this includes some stuff, where mprotect
would be quite useful (sudo, polkitd, etc.). Also I didn't see a note in the
docs (which otherwise are really helpful :) about what to expect for
excpetions from mprotect. Is this expected behaviour or have I made some
mistake in my configuration?

Markus

[1]
/usr/lib64/courier/courier-authlib/authdaemond
/usr/sbin/console-kit-daemon
/usr/libexec/polkitd
/usr/bin/xfconf-query
/usr/lib64/xfce4/xfconf/xfconfd
/usr/bin/xscreensaver
/usr/bin/xfce4-session
/usr/bin/gkrellm
/usr/bin/Xorg
/usr/bin/xfdesktop
/usr/bin/xfce4-panel
/usr/bin/Terminal
/usr/libexec/udisks-daemon
/usr/bin/xfce4-session-logout
/usr/bin/emacs-23
/usr/bin/sudo
/usr/bin/perl
/usr/libexec/xfce4/panel-plugins/xfce4-mixer-plugin
/usr/bin/xfce4-mixer
/usr/bin/python2.7
/usr/libexec/git-core/git
/usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1

--
Aoccdrnig to a threoy, it deosn't mttaer in waht oredr the ltteers in a wrod
are, the olny iprmoatnt tihng is taht the frist and lsat ltteer are in the
rghit pclae. The rset can be a taotl mses and you can sitll raed it in msot
csaes. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef,
but the wrod as a wlohe. And I awlyas thought slpeling was ipmorantt.

blueness at gentoo

Jul 14, 2011, 6:41 AM

Post #2 of 8 (834 views)
Permalink

Re: mprotect question [In reply to]

Hi Markus,

It looks like you missed something in the process. The steps to
converting are (skipping details):

1) switch profile
2) recompile the toolchain: emerge glibc gcc binutils
3) recompile system: emerge -e system
4) recompile world: emerge -e world

If you didn't do these, its possible you have some binaries left that
will trigger pax violations.

One way to quickly check if you got hardened binaries is to use a script
called checksec.sh [1] and run it on /bin or /sbin. You should see that
all your binaries have FULL RELRO, STACK CANARY, NX, PIE and ASLR.

Ref:

[1] http://tk-blog.blogspot.com/2009/02/checksec.html

On 07/14/2011 05:54 AM, Markus Oehme wrote:
> Hi,
>
> I successfully switched to hardened profile during the last week and it was
> quite painless. I think I can hand out some praise for the great work done
> on Gentoo Hardened. :)
>
> Just one thing puzzles me a bit. I activated pax in hardened sources and
> this resulted in quite some segfaulting processes due to mprotect. I found
> lines like the following in the logs.
>
> Jul 13 17:09:41 localhost kernel: [ 286.180994] grsec: denied RWX mprotect of /lib64/ld-2.13.so by /usr/bin/python2.7[decibel-audio-p:6393] uid/euid:1000/1000 gid/egid:1005/1005, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
>
> I remedied this with paxctl -m /usr/bin/python2.7 and similar, but the list
> [1] of binaries where I had to do this includes some stuff, where mprotect
> would be quite useful (sudo, polkitd, etc.). Also I didn't see a note in the
> docs (which otherwise are really helpful :) about what to expect for
> excpetions from mprotect. Is this expected behaviour or have I made some
> mistake in my configuration?
>
>
> Markus
>
> [1]
> /usr/lib64/courier/courier-authlib/authdaemond
> /usr/sbin/console-kit-daemon
> /usr/libexec/polkitd
> /usr/bin/xfconf-query
> /usr/lib64/xfce4/xfconf/xfconfd
> /usr/bin/xscreensaver
> /usr/bin/xfce4-session
> /usr/bin/gkrellm
> /usr/bin/Xorg
> /usr/bin/xfdesktop
> /usr/bin/xfce4-panel
> /usr/bin/Terminal
> /usr/libexec/udisks-daemon
> /usr/bin/xfce4-session-logout
> /usr/bin/emacs-23
> /usr/bin/sudo
> /usr/bin/perl
> /usr/libexec/xfce4/panel-plugins/xfce4-mixer-plugin
> /usr/bin/xfce4-mixer
> /usr/bin/python2.7
> /usr/libexec/git-core/git
> /usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1
>
>
> --
> Aoccdrnig to a threoy, it deosn't mttaer in waht oredr the ltteers in a wrod
> are, the olny iprmoatnt tihng is taht the frist and lsat ltteer are in the
> rghit pclae. The rset can be a taotl mses and you can sitll raed it in msot
> csaes. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef,
> but the wrod as a wlohe. And I awlyas thought slpeling was ipmorantt.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness [at] gentoo
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535

tazok.id0 at gmail

Jul 14, 2011, 7:39 AM

Post #3 of 8 (842 views)
Permalink

Re: mprotect question [In reply to]

This things usually happen when changes are put into the CFLAGS-CXXFLAGS
directly in make.conf instead of using the specs (profile), without
mprotect, pax does nothing, ASLR is not functional since is not needed an
return into libc to get an exploit working.... since PAGEEXEC/SEGMEXEC is
not useful because mappings can be done EXECUTABLE/WRITEABLE at the same
time on the fly without mprotect.

2011/7/14 Anthony G. Basile <blueness [at] gentoo>

> Hi Markus,
>
> It looks like you missed something in the process. The steps to
> converting are (skipping details):
>
> 1) switch profile
> 2) recompile the toolchain: emerge glibc gcc binutils
> 3) recompile system: emerge -e system
> 4) recompile world: emerge -e world
>
> If you didn't do these, its possible you have some binaries left that
> will trigger pax violations.
>
> One way to quickly check if you got hardened binaries is to use a script
> called checksec.sh [1] and run it on /bin or /sbin. You should see that
> all your binaries have FULL RELRO, STACK CANARY, NX, PIE and ASLR.
>
>
> Ref:
>
> [1] http://tk-blog.blogspot.com/2009/02/checksec.html
>
>
>
> On 07/14/2011 05:54 AM, Markus Oehme wrote:
> > Hi,
> >
> > I successfully switched to hardened profile during the last week and it
> was
> > quite painless. I think I can hand out some praise for the great work
> done
> > on Gentoo Hardened. :)
> >
> > Just one thing puzzles me a bit. I activated pax in hardened sources and
> > this resulted in quite some segfaulting processes due to mprotect. I
> found
> > lines like the following in the logs.
> >
> > Jul 13 17:09:41 localhost kernel: [ 286.180994] grsec: denied RWX
> mprotect of /lib64/ld-2.13.so by /usr/bin/python2.7[decibel-audio-p:6393]
> uid/euid:1000/1000 gid/egid:1005/1005, parent /sbin/init[init:1]
> uid/euid:0/0 gid/egid:0/0
> >
> > I remedied this with paxctl -m /usr/bin/python2.7 and similar, but the
> list
> > [1] of binaries where I had to do this includes some stuff, where
> mprotect
> > would be quite useful (sudo, polkitd, etc.). Also I didn't see a note in
> the
> > docs (which otherwise are really helpful :) about what to expect for
> > excpetions from mprotect. Is this expected behaviour or have I made some
> > mistake in my configuration?
> >
> >
> > Markus
> >
> > [1]
> > /usr/lib64/courier/courier-authlib/authdaemond
> > /usr/sbin/console-kit-daemon
> > /usr/libexec/polkitd
> > /usr/bin/xfconf-query
> > /usr/lib64/xfce4/xfconf/xfconfd
> > /usr/bin/xscreensaver
> > /usr/bin/xfce4-session
> > /usr/bin/gkrellm
> > /usr/bin/Xorg
> > /usr/bin/xfdesktop
> > /usr/bin/xfce4-panel
> > /usr/bin/Terminal
> > /usr/libexec/udisks-daemon
> > /usr/bin/xfce4-session-logout
> > /usr/bin/emacs-23
> > /usr/bin/sudo
> > /usr/bin/perl
> > /usr/libexec/xfce4/panel-plugins/xfce4-mixer-plugin
> > /usr/bin/xfce4-mixer
> > /usr/bin/python2.7
> > /usr/libexec/git-core/git
> > /usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1
> >
> >
> > --
> > Aoccdrnig to a threoy, it deosn't mttaer in waht oredr the ltteers in a
> wrod
> > are, the olny iprmoatnt tihng is taht the frist and lsat ltteer are in
> the
> > rghit pclae. The rset can be a taotl mses and you can sitll raed it in
> msot
> > csaes. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by
> istlef,
> > but the wrod as a wlohe. And I awlyas thought slpeling was ipmorantt.
>
>
> --
> Anthony G. Basile, Ph.D.
> Gentoo Linux Developer [Hardened]
> E-Mail : blueness [at] gentoo
> GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
> GnuPG ID : D0455535
>
>

oehme.markus at gmx

Jul 14, 2011, 8:29 AM

Post #4 of 8 (846 views)
Permalink

Re: mprotect question [In reply to]

Hi Anthony,

At Thu, 14 Jul 2011 09:41:48 -0400,
Anthony G. Basile wrote:
> It looks like you missed something in the process. The steps to
> converting are (skipping details):
>
> 1) switch profile
> 2) recompile the toolchain: emerge glibc gcc binutils
> 3) recompile system: emerge -e system
> 4) recompile world: emerge -e world

I did executed all steps in this order and rebuilt all packages. Just now I
did some tries and recompiled some of the packages which fail. However this
changed nothing.

One thing that should possibly be said: I'm using gcc-4.6.1. I was using gcc
4.6.0 for quite some time on ~amd64 ere I switched to hardened last week. I
didn't encounter any special problems during the transition.

> If you didn't do these, its possible you have some binaries left that
> will trigger pax violations.
>
> One way to quickly check if you got hardened binaries is to use a script
> called checksec.sh [1] and run it on /bin or /sbin. You should see that
> all your binaries have FULL RELRO, STACK CANARY, NX, PIE and ASLR.

I just executed the script for /bin and the result [1] was very mixed. Nearly all
binaries have FULL RELRO and PIE, but most have no STACK CANARY and NX. I
checked whether this could be changed and rebuilt coreutils twice, but the
output was the same every time.

However this seems not to be a big problem since the system is currently
running normal (Xfce desktop session) with my current list [2] of exceptions
to mprotect which contains only binaries under /usr.

Thanks for the advice.

Markus

[1]

RELRO STACK CANARY NX PIE FILE
Full RELRO Canary found NX enabled PIE enabled /bin/attr
Full RELRO No canary found NX disabled PIE enabled /bin/basename
Full RELRO Canary found NX enabled PIE enabled /bin/bash
Full RELRO No canary found NX disabled PIE enabled /bin/bsdcpio
Full RELRO No canary found NX disabled PIE enabled /bin/bsdtar
Full RELRO No canary found NX disabled PIE enabled /bin/btrfs-debug-tree
Partial RELRO No canary found NX disabled No PIE /bin/busybox
Full RELRO No canary found NX disabled PIE enabled /bin/bzip2
Full RELRO No canary found NX disabled PIE enabled /bin/cat
Full RELRO Canary found NX enabled PIE enabled /bin/chacl
Full RELRO No canary found NX disabled PIE enabled /bin/chgrp
Full RELRO No canary found NX disabled PIE enabled /bin/chmod
Full RELRO No canary found NX disabled PIE enabled /bin/chown
Full RELRO No canary found NX disabled PIE enabled /bin/chroot
Full RELRO No canary found NX disabled PIE enabled /bin/cp
Full RELRO No canary found NX disabled PIE enabled /bin/cpio
Full RELRO No canary found NX disabled PIE enabled /bin/cut
Full RELRO No canary found NX disabled PIE enabled /bin/date
Full RELRO No canary found NX disabled PIE enabled /bin/dd
Full RELRO No canary found NX disabled PIE enabled /bin/df
Full RELRO No canary found NX disabled PIE enabled /bin/dir
Full RELRO No canary found NX disabled PIE enabled /bin/dirname
Full RELRO No canary found NX disabled PIE enabled /bin/dmesg
Full RELRO No canary found NX disabled PIE enabled /bin/du
Full RELRO No canary found NX disabled PIE enabled /bin/echo
Full RELRO Canary found NX enabled PIE enabled /bin/ed
Full RELRO No canary found NX disabled PIE enabled /bin/egrep
Full RELRO No canary found NX disabled PIE enabled /bin/env
Full RELRO No canary found NX disabled PIE enabled /bin/expr
Full RELRO No canary found NX disabled PIE enabled /bin/false
Full RELRO No canary found NX disabled PIE enabled /bin/fgrep
Full RELRO No canary found NX disabled PIE enabled /bin/findmnt
Full RELRO No canary found NX disabled PIE enabled /bin/fuser
Full RELRO Canary found NX enabled PIE enabled /bin/gawk
Full RELRO Canary found NX enabled PIE enabled /bin/getfacl
Full RELRO Canary found NX enabled PIE enabled /bin/getfattr
Full RELRO No canary found NX disabled PIE enabled /bin/grep
Full RELRO No canary found NX disabled PIE enabled /bin/groups
Full RELRO No canary found NX disabled PIE enabled /bin/gzip
Full RELRO No canary found NX disabled PIE enabled /bin/head
Full RELRO Canary found NX enabled PIE enabled /bin/hostname
Full RELRO No canary found NX disabled PIE enabled /bin/kill
Full RELRO No canary found NX disabled PIE enabled /bin/ln
Full RELRO No canary found NX disabled PIE enabled /bin/login
Full RELRO No canary found NX disabled PIE enabled /bin/ls
Full RELRO No canary found NX disabled PIE enabled /bin/lsblk
Full RELRO No canary found NX disabled PIE enabled /bin/lsmod
Full RELRO Canary found NX enabled PIE enabled /bin/mail
Full RELRO Canary found NX enabled PIE enabled /bin/mbchk
Full RELRO No canary found NX disabled PIE enabled /bin/mkdir
Full RELRO No canary found NX disabled PIE enabled /bin/mkfifo
Full RELRO No canary found NX disabled PIE enabled /bin/mknod
Full RELRO No canary found NX disabled PIE enabled /bin/mktemp
Full RELRO No canary found NX disabled PIE enabled /bin/more
Full RELRO No canary found NX disabled PIE enabled /binmount
Full RELRO Canary found NX enabled PIE enabled /bin/mountpoint
Full RELRO No canary found NX disabled PIE enabled /bin/mv
Full RELRO No canary found NX disabled PIE enabled /bin/nano
Full RELRO Canary found NX enabled PIE enabled /bin/netstat
Full RELRO No canary found NX disabled PIE enabled /binpasswd
Full RELRO Canary found NX enabled PIE enabled /binping
Full RELRO Canary found NX enabled PIE enabled /binping6
Full RELRO No canary found NX disabled PIE enabled /bin/ps
Full RELRO No canary found NX disabled PIE enabled /bin/pwd
Full RELRO No canary found NX disabled PIE enabled /bin/readlink
Full RELRO No canary found NX disabled PIE enabled /bin/rm
Full RELRO No canary found NX disabled PIE enabled /bin/rmdir
Full RELRO No canary found NX disabled PIE enabled /bin/run-parts
Full RELRO No canary found NX disabled PIE enabled /bin/sed
Full RELRO No canary found NX disabled PIE enabled /bin/seq
Full RELRO Canary found NX enabled PIE enabled /bin/setfacl
Full RELRO Canary found NX enabled PIE enabled /bin/setfattr
Full RELRO No canary found NX disabled PIE enabled /bin/sleep
Full RELRO No canary found NX disabled PIE enabled /bin/sort
Full RELRO No canary found NX disabled PIE enabled /bin/stty
Full RELRO No canary found NX disabled PIE enabled /binsu
Full RELRO No canary found NX disabled PIE enabled /bin/sync
Full RELRO No canary found NX disabled PIE enabled /bin/tail
Full RELRO No canary found NX disabled PIE enabled /bin/tar
Full RELRO Canary found NX enabled PIE enabled /bin/tcsh
Full RELRO No canary found NX disabled PIE enabled /bin/tempfile
Full RELRO No canary found NX disabled PIE enabled /bin/touch
Full RELRO No canary found NX disabled PIE enabled /bin/tr
Full RELRO No canary found NX disabled PIE enabled /bin/true
Full RELRO No canary found NX disabled PIE enabled /bin/tty
Full RELRO No canary found NX disabled PIE enabled /binumount
Full RELRO No canary found NX disabled PIE enabled /bin/uname
Full RELRO No canary found NX disabled PIE enabled /bin/vdir
Full RELRO No canary found NX disabled PIE enabled /bin/wc
Full RELRO No canary found NX disabled PIE enabled /bin/yes
Full RELRO Canary found NX enabled PIE enabled /bin/zsh
Full RELRO Canary found NX enabled PIE enabled /bin/zsh-4.3.12

[2]

/usr/bin/emacs-23
/usr/bin/gkrellm
/usr/bin/perl
/usr/bin/python2.7
/usr/bin/spamc
/usr/bin/ssh
/usr/bin/sudo
/usr/bin/Terminal
/usr/bin/xchat
/usr/bin/xfce4-mixer
/usr/bin/xfce4-panel
/usr/bin/xfce4-session
/usr/bin/xfce4-session-logout
/usr/bin/xfconf-query
/usr/bin/xfdesktop
/usr/bin/Xorg
/usr/bin/xscreensaver
/usr/games/bin/enigma
/usr/lib64/courier/courier-authlib/authdaemond
/usr/lib64/xfce4/xfconf/xfconfd
/usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1
/usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1plus
/usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/lto1
/usr/libexec/git-core/git
/usr/libexec/polkitd
/usr/libexec/udisks-daemon
/usr/libexec/xfce4/panel-plugins/xfce4-mixer-plugin
/usr/sbin/collectd
/usr/sbin/console-kit-daemon

--
Aoccdrnig to a threoy, it deosn't mttaer in waht oredr the ltteers in a wrod
are, the olny iprmoatnt tihng is taht the frist and lsat ltteer are in the
rghit pclae. The rset can be a taotl mses and you can sitll raed it in msot
csaes. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef,
but the wrod as a wlohe. And I awlyas thought slpeling was ipmorantt.

msummers42 at gmail

Jul 14, 2011, 2:46 PM

Post #5 of 8 (831 views)
Permalink

Re: mprotect question [In reply to]

On Thu, Jul 14, 2011 at 10:29 AM, Markus Oehme <oehme.markus [at] gmx> wrote:
> Hi Anthony,
>
> At Thu, 14 Jul 2011 09:41:48 -0400,
> Anthony G. Basile wrote:
>> It looks like you missed something in the process. The steps to
>> converting are (skipping details):
>>
>> 1) switch profile
>> 2) recompile the toolchain: emerge glibc gcc binutils
>> 3) recompile system: emerge -e system
>> 4) recompile world: emerge -e world
>
> I did executed all steps in this order and rebuilt all packages. Just now I
> did some tries and recompiled some of the packages which fail. However this
> changed nothing.
>
> One thing that should possibly be said: I'm using gcc-4.6.1. I was using gcc
> 4.6.0 for quite some time on ~amd64 ere I switched to hardened last week. I
> didn't encounter any special problems during the transition.
>
>> If you didn't do these, its possible you have some binaries left that
>> will trigger pax violations.
>>
>> One way to quickly check if you got hardened binaries is to use a script
>> called checksec.sh [1] and run it on /bin or /sbin. You should see that
>> all your binaries have FULL RELRO, STACK CANARY, NX, PIE and ASLR.
>
> I just executed the script for /bin and the result [1] was very mixed. Nearly all
> binaries have FULL RELRO and PIE, but most have no STACK CANARY and NX. I
> checked whether this could be changed and rebuilt coreutils twice, but the
> output was the same every time.
>
> However this seems not to be a big problem since the system is currently
> running normal (Xfce desktop session) with my current list [2] of exceptions
> to mprotect which contains only binaries under /usr.
>
>
> Thanks for the advice.
>
> Markus
>
> [1]
>
> RELRO STACK CANARY NX PIE FILE
> Full RELRO Canary found NX enabled PIE enabled /bin/attr
> Full RELRO No canary found NX disabled PIE enabled /bin/basename
> Full RELRO Canary found NX enabled PIE enabled /bin/bash
> Full RELRO No canary found NX disabled PIE enabled /bin/bsdcpio
> Full RELRO No canary found NX disabled PIE enabled /bin/bsdtar
> Full RELRO No canary found NX disabled PIE enabled /bin/btrfs-debug-tree
> Partial RELRO No canary found NX disabled No PIE /bin/busybox
> Full RELRO No canary found NX disabled PIE enabled /bin/bzip2
> Full RELRO No canary found NX disabled PIE enabled /bin/cat
> Full RELRO Canary found NX enabled PIE enabled /bin/chacl
> Full RELRO No canary found NX disabled PIE enabled /bin/chgrp
> Full RELRO No canary found NX disabled PIE enabled /bin/chmod
> Full RELRO No canary found NX disabled PIE enabled /bin/chown
> Full RELRO No canary found NX disabled PIE enabled /bin/chroot
> Full RELRO No canary found NX disabled PIE enabled /bin/cp
> Full RELRO No canary found NX disabled PIE enabled /bin/cpio
> Full RELRO No canary found NX disabled PIE enabled /bin/cut
> Full RELRO No canary found NX disabled PIE enabled /bin/date
> Full RELRO No canary found NX disabled PIE enabled /bin/dd
> Full RELRO No canary found NX disabled PIE enabled /bin/df
> Full RELRO No canary found NX disabled PIE enabled /bin/dir
> Full RELRO No canary found NX disabled PIE enabled /bin/dirname
> Full RELRO No canary found NX disabled PIE enabled /bin/dmesg
> Full RELRO No canary found NX disabled PIE enabled /bin/du
> Full RELRO No canary found NX disabled PIE enabled /bin/echo
> Full RELRO Canary found NX enabled PIE enabled /bin/ed
> Full RELRO No canary found NX disabled PIE enabled /bin/egrep
> Full RELRO No canary found NX disabled PIE enabled /bin/env
> Full RELRO No canary found NX disabled PIE enabled /bin/expr
> Full RELRO No canary found NX disabled PIE enabled /bin/false
> Full RELRO No canary found NX disabled PIE enabled /bin/fgrep
> Full RELRO No canary found NX disabled PIE enabled /bin/findmnt
> Full RELRO No canary found NX disabled PIE enabled /bin/fuser
> Full RELRO Canary found NX enabled PIE enabled /bin/gawk
> Full RELRO Canary found NX enabled PIE enabled /bin/getfacl
> Full RELRO Canary found NX enabled PIE enabled /bin/getfattr
> Full RELRO No canary found NX disabled PIE enabled /bin/grep
> Full RELRO No canary found NX disabled PIE enabled /bin/groups
> Full RELRO No canary found NX disabled PIE enabled /bin/gzip
> Full RELRO No canary found NX disabled PIE enabled /bin/head
> Full RELRO Canary found NX enabled PIE enabled /bin/hostname
> Full RELRO No canary found NX disabled PIE enabled /bin/kill
> Full RELRO No canary found NX disabled PIE enabled /bin/ln
> Full RELRO No canary found NX disabled PIE enabled /bin/login
> Full RELRO No canary found NX disabled PIE enabled /bin/ls
> Full RELRO No canary found NX disabled PIE enabled /bin/lsblk
> Full RELRO No canary found NX disabled PIE enabled /bin/lsmod
> Full RELRO Canary found NX enabled PIE enabled /bin/mail
> Full RELRO Canary found NX enabled PIE enabled /bin/mbchk
> Full RELRO No canary found NX disabled PIE enabled /bin/mkdir
> Full RELRO No canary found NX disabled PIE enabled /bin/mkfifo
> Full RELRO No canary found NX disabled PIE enabled /bin/mknod
> Full RELRO No canary found NX disabled PIE enabled /bin/mktemp
> Full RELRO No canary found NX disabled PIE enabled /bin/more
> Full RELRO No canary found NX disabled PIE enabled /binmount
> Full RELRO Canary found NX enabled PIE enabled /bin/mountpoint
> Full RELRO No canary found NX disabled PIE enabled /bin/mv
> Full RELRO No canary found NX disabled PIE enabled /bin/nano
> Full RELRO Canary found NX enabled PIE enabled /bin/netstat
> Full RELRO No canary found NX disabled PIE enabled /binpasswd
> Full RELRO Canary found NX enabled PIE enabled /binping
> Full RELRO Canary found NX enabled PIE enabled /binping6
> Full RELRO No canary found NX disabled PIE enabled /bin/ps
> Full RELRO No canary found NX disabled PIE enabled /bin/pwd
> Full RELRO No canary found NX disabled PIE enabled /bin/readlink
> Full RELRO No canary found NX disabled PIE enabled /bin/rm
> Full RELRO No canary found NX disabled PIE enabled /bin/rmdir
> Full RELRO No canary found NX disabled PIE enabled /bin/run-parts
> Full RELRO No canary found NX disabled PIE enabled /bin/sed
> Full RELRO No canary found NX disabled PIE enabled /bin/seq
> Full RELRO Canary found NX enabled PIE enabled /bin/setfacl
> Full RELRO Canary found NX enabled PIE enabled /bin/setfattr
> Full RELRO No canary found NX disabled PIE enabled /bin/sleep
> Full RELRO No canary found NX disabled PIE enabled /bin/sort
> Full RELRO No canary found NX disabled PIE enabled /bin/stty
> Full RELRO No canary found NX disabled PIE enabled /binsu
> Full RELRO No canary found NX disabled PIE enabled /bin/sync
> Full RELRO No canary found NX disabled PIE enabled /bin/tail
> Full RELRO No canary found NX disabled PIE enabled /bin/tar
> Full RELRO Canary found NX enabled PIE enabled /bin/tcsh
> Full RELRO No canary found NX disabled PIE enabled /bin/tempfile
> Full RELRO No canary found NX disabled PIE enabled /bin/touch
> Full RELRO No canary found NX disabled PIE enabled /bin/tr
> Full RELRO No canary found NX disabled PIE enabled /bin/true
> Full RELRO No canary found NX disabled PIE enabled /bin/tty
> Full RELRO No canary found NX disabled PIE enabled /binumount
> Full RELRO No canary found NX disabled PIE enabled /bin/uname
> Full RELRO No canary found NX disabled PIE enabled /bin/vdir
> Full RELRO No canary found NX disabled PIE enabled /bin/wc
> Full RELRO No canary found NX disabled PIE enabled /bin/yes
> Full RELRO Canary found NX enabled PIE enabled /bin/zsh
> Full RELRO Canary found NX enabled PIE enabled /bin/zsh-4.3.12
>
>
>
> [2]
>
> /usr/bin/emacs-23
> /usr/bin/gkrellm
> /usr/bin/perl
> /usr/bin/python2.7
> /usr/bin/spamc
> /usr/bin/ssh
> /usr/bin/sudo
> /usr/bin/Terminal
> /usr/bin/xchat
> /usr/bin/xfce4-mixer
> /usr/bin/xfce4-panel
> /usr/bin/xfce4-session
> /usr/bin/xfce4-session-logout
> /usr/bin/xfconf-query
> /usr/bin/xfdesktop
> /usr/bin/Xorg
> /usr/bin/xscreensaver
> /usr/games/bin/enigma
> /usr/lib64/courier/courier-authlib/authdaemond
> /usr/lib64/xfce4/xfconf/xfconfd
> /usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1
> /usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1plus
> /usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/lto1
> /usr/libexec/git-core/git
> /usr/libexec/polkitd
> /usr/libexec/udisks-daemon
> /usr/libexec/xfce4/panel-plugins/xfce4-mixer-plugin
> /usr/sbin/collectd
> /usr/sbin/console-kit-daemon
>
>
> --
> Aoccdrnig to a threoy, it deosn't mttaer in waht oredr the ltteers in a wrod
> are, the olny iprmoatnt tihng is taht the frist and lsat ltteer are in the
> rghit pclae. The rset can be a taotl mses and you can sitll raed it in msot
> csaes. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef,
> but the wrod as a wlohe. And I awlyas thought slpeling was ipmorantt.
>
>

Hi there,

What is the output of gcc-config -l ?You should see something like the
following (versions will be different).
[1] x86_64-pc-linux-gnu-4.4.5 *
[2] x86_64-pc-linux-gnu-4.4.5-hardenednopie
[3] x86_64-pc-linux-gnu-4.4.5-hardenednopiessp
[4] x86_64-pc-linux-gnu-4.4.5-hardenednossp
[5] x86_64-pc-linux-gnu-4.4.5-vanilla

The asterisk will be next to the one you have selected, which in this
case is the first in the list (it is hardened).

Cheers
--
M. Summers

"...there are no rules here -- we're trying to accomplish something."
- Thomas A. Edison

msummers42 at gmail

Jul 14, 2011, 2:49 PM

Post #6 of 8 (836 views)
Permalink

Re: mprotect question [In reply to]

On Thu, Jul 14, 2011 at 8:41 AM, Anthony G. Basile <blueness [at] gentoo> wrote:
> Hi Markus,
>
> It looks like you missed something in the process. The steps to
> converting are (skipping details):
>
> 1) switch profile
> 2) recompile the toolchain: emerge glibc gcc binutils
> 3) recompile system: emerge -e system
> 4) recompile world: emerge -e world
>
> If you didn't do these, its possible you have some binaries left that
> will trigger pax violations.

<snip>

> --
> Anthony G. Basile, Ph.D.
> Gentoo Linux Developer [Hardened]
> E-Mail : blueness [at] gentoo
> GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
> GnuPG ID : D0455535

I might add a step in there after #2, lets call it step "2+to-be-sure"
check the output of gcc-config -l and select the hardened gcc if its
not been selected already. Its been a long time since I did a non- to
a hardened system conversion, so I am uncertain whether this is in
fact necessary. In any case it cannot hurt anything to simply check
the situation out.

--
M. Summers

"...there are no rules here -- we're trying to accomplish something."
- Thomas A. Edison

blueness at gentoo

Jul 15, 2011, 3:22 AM

Post #7 of 8 (823 views)
Permalink

Re: mprotect question [In reply to]

On 07/15/2011 04:52 AM, Markus Oehme wrote:
> Hi Anthony,
>
> At Thu, 14 Jul 2011 12:59:59 -0400,
> Anthony G. Basile wrote:
>>> One thing that should possibly be said: I'm using gcc-4.6.1. I was using gcc
>>> 4.6.0 for quite some time on ~amd64 ere I switched to hardened last week. I
>>> didn't encounter any special problems during the transition.
>>>
>> Time for a bug report. If reproduceable, its a show stopper for
>> hardened gcc-4.6.1
>>
>>>> If you didn't do these, its possible you have some binaries left that
>>>> will trigger pax violations.
>>>>
>>>> One way to quickly check if you got hardened binaries is to use a script
>>>> called checksec.sh [1] and run it on /bin or /sbin. You should see that
>>>> all your binaries have FULL RELRO, STACK CANARY, NX, PIE and ASLR.
>>> I just executed the script for /bin and the result [1] was very mixed. Nearly all
>>> binaries have FULL RELRO and PIE, but most have no STACK CANARY and NX. I
>>> checked whether this could be changed and rebuilt coreutils twice, but the
>>> output was the same every time.
>>>
>>> However this seems not to be a big problem since the system is currently
>>> running normal (Xfce desktop session) with my current list [2] of exceptions
>>> to mprotect which contains only binaries under /usr.
>>>
>> That's not right. Can you compile the following, run checksec.sh on it
>> and see if you get all the hardening features:
>>
>> int main()
>> {
>> ;
>> return 0;
>> }
> I think I've found the issue. I had some rather aggresive CFLAGS
> enabled. Dropping them seems to correct the issue. The evil guy seems to be
> link time optimization. This is reproducible with your minimal example, if
> compiled with 'gcc' it turns out correctly. 'gcc -flto' gives the behaviour
> I've seen (no stack canary and no nx).
>
> I'm currently in the process of remerging @world, but hopefully everything
> will be ok afterwards.
>
>
> Markus
>
> --
> For instance, on the planet Earth, man had always assumed that he was more
> intelligent than dolphins because he had achieved so much---the wheel, New
> York, wars and so on---while all the dolphins had ever done was muck about
> in the water having a good time. But conversely, the dolphins had always
> believed that they were far more intelligent than man---for precisely the
> same reasons. (Douglas Adams, The Hitchhikers Guide to the Galaxy.)

Markus,

Thanks for discovering this, I was not aware. However, when I try to
compile with -flto, I get an error:

cc1: error: LTO support has not been enabled in this configuration

I'm going to have to investigate.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness [at] gentoo
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535

blueness at gentoo

Jul 15, 2011, 4:07 AM

Post #8 of 8 (827 views)
Permalink

Re: mprotect question [In reply to]

On 07/15/2011 06:57 AM, Markus Oehme wrote:
> Hi Anthony,
>
> At Fri, 15 Jul 2011 06:22:24 -0400,
> Anthony G. Basile wrote:
>> On 07/15/2011 04:52 AM, Markus Oehme wrote:
>> Thanks for discovering this, I was not aware. However, when I try to
>> compile with -flto, I get an error:
>>
>> cc1: error: LTO support has not been enabled in this configuration
>>
>> I'm going to have to investigate.
> if you use gcc-4.5.* you have to enable the use flag 'lto' for gcc to get
> support for link time optimization. With gcc-4.6.* this seems not to be
> necessary.
>
Yep, time to use mask that on the hardened profiles.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness [at] gentoo
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads