
Mailing List Archive: Gentoo: Hardened

Running Skype on Hardened

 

 



postmanmiler at gmail

Mar 29, 2012, 10:20 AM

Post #1 of 7 (559 views)
Running Skype on Hardened

I am currently trying to run: net-im/skype on an amd64 non-multilib hardened
profile. I have grsec and pax enabled in kernel (.config in attachment), and I
am aware of this bug: [1], I am also aware that Skype is masked on hardened
profiles, but, while reading the bug report I saw mentions of some people
actually getting Skype to run on their machines.

When I try to run Skype, it dies with the message: "Killed!"
dmesg says:
"[98725.282864] grsec: denied RWX mmap of /opt/skype/skype by /opt/skype/skype[skype:19989] uid/euid:1000/1000 gid/egid:100/100, parent /bin/bash[bash:19519] uid/euid:1000/1000 gid/egid:100/100"

I tried using paxctl on $(which skype) but I get:
"file /usr/bin/skype is not a valid ELF executable"


I am subscribed to this list for two/three years now and I couldn't find any
mention of this problem.

Does anyone know:
"Why /usr/bin/skype isn't listed as a valid ELF executable on my machine" and
"Is it possible to run this thing anyhow on a hardened profile"?

1. https://bugs.gentoo.org/show_bug.cgi?id=302589
--
. O . | Djordje Todorovic [http://barabbas.github.com] | O . O
. . O | GPG-Key: 2048R/1E133339 (http://pgp.mit.edu) | . O O
O O O | BFF2 1C7F A70D ECCD FA8F C946 DB32 B498 1E13 3339 | . O .
Attachments: .config (77.3 KB)
  signature.asc (0.48 KB)


swift at gentoo

Mar 29, 2012, 10:23 AM

Post #2 of 7 (532 views)
Re: Running Skype on Hardened [In reply to]

On Fri, Mar 30, 2012 at 07:13:38PM +0200, Ђорђе Тодоровић wrote:
> I am currently trying to run: net-im/skype on an amd64 non-multilib hardened
> profile. I have grsec and pax enabled in kernel (.config in attachment), and I
> am aware of this bug: [1], I am also aware that Skype is masked on hardened
> profiles, but, while reading the bug report I saw mentions of some people
> actually getting Skype to run on their machines.
>
> When I try to run Skype, it dies with the message: "Killed!"
> dmesg says:
> "[98725.282864] grsec: denied RWX mmap of /opt/skype/skype by /opt/skype/skype[skype:19989] uid/euid:1000/1000 gid/egid:100/100, parent /bin/bash[bash:19519] uid/euid:1000/1000 gid/egid:100/100"
>
> I tried using paxctl on $(which skype) but I get:
> "file /usr/bin/skype is not a valid ELF executable"

You can try to make it a valid ELF header first, and then paxmark it.

I have the following for my Skype:
paxctl -C /opt/skype/skype
paxctl -me /opt/skype/skype

Wkr,
Sven Vermeulen


postmanmiler at gmail

Mar 29, 2012, 12:20 PM

Post #3 of 7 (537 views)
Re: Running Skype on Hardened [In reply to]

On Thu, 29 Mar 2012, Sven Vermeulen wrote:

>You can try to make it a valid ELF header first, and then paxmark it.
>
>I have the following for my Skype:
>paxctl -C /opt/skype/skype
>paxctl -me /opt/skype/skype

I tried running paxctl -Cm on it (should be run on install with pax_kernel USE
flag), but it still reports an invalid ELF executable.

This is listed in the ebuild:

    if use pax_kernel; then
        pax-mark Cm "${D}"/opt/skype/skype || die
        eqawarn "You have set USE=pax_kernel meaning that you intend to run"
        eqawarn "skype under a PaX enabled kernel. To do so, we must modify"
        eqawarn "the skype binary itself and this *may* lead to breakage! If"
        eqawarn "you suspect that skype is being broken by this modification,"
        eqawarn "please open a bug."
    fi

BTW, I checked the skype changelog and this was added recently:
29 Feb 2012; mthode <mthode [at] gentoo> skype-2.2.0.35-r1.ebuild:
fix the paxmarking syntax

28 Feb 2012; mthode <mthode [at] gentoo> skype-2.2.0.35-r1.ebuild:
paxmarked m skype to work on hardened


But it somehow fails to complete on my machine when I try it manually.
I also just checked, my current profile is multilib (I said earlier no-multilib)

I seriously am not sure if it is of any help, but I attached the ELF header of the
skype executable (/opt/skype/skype) so maybe (IDK) someone can tell if
there is an obvious problem there.

file /opt/skype/skype says:
/opt/skype/skype: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), stripped


--
. O . | Djordje Todorovic [http://barabbas.github.com] | O . O
. . O | GPG-Key: 2048R/1E133339 (http://pgp.mit.edu) | . O O
O O O | BFF2 1C7F A70D ECCD FA8F C946 DB32 B498 1E13 3339 | . O .
Attachments: skype_ELF_header.tar.bz (2.87 KB)
  signature.asc (0.48 KB)


pageexec at freemail

Mar 29, 2012, 12:52 PM

Post #4 of 7 (534 views)
Re: Running Skype on Hardened [In reply to]

On 30 Mar 2012 at 20:12, wrote:

> On Thu, 29 Mar 2012, Sven Vermeulen wrote:
>
> >You can try to make it a valid ELF header first, and then paxmark it.
> >
> >I have the following for my Skype:
> >paxctl -C /opt/skype/skype
> >paxctl -me /opt/skype/skype
>
> I tried running paxctl -Cm on it (should be run on install with pax_kernel USE
> flag), but it still reports an invalid ELF executable.

because it is an invalid ELF (it reports section headers but it doesn't seem to
have any, or at least not where the ELF header says they should be). paxctl is not
the only one that complains, try readelf or eu-elflint for similar results.

as for the solution, you can try out the xattr control method that was written for
cases like this.
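
Added example, not part of the original post: a Python sketch of the consistency check behind this diagnosis, comparing the section header table that the ELF header declares (e_shoff, e_shnum, e_shentsize) with the actual file size. The helper names and the two sample headers are constructed for illustration and are not taken from the Skype binary.

```python
import struct

# Header fields following the 16-byte e_ident, keyed by EI_CLASS (1 = ELF32, 2 = ELF64).
_FIELDS = {1: "HHIIIIIHHHHHH", 2: "HHIQQQIHHHHHH"}
_SHDR_SIZE = {1: 40, 2: 64}  # sizeof(Elf32_Shdr), sizeof(Elf64_Shdr)


def check_section_table(data: bytes) -> list:
    """Return inconsistencies between the header's section table claims and the file."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        return ["not an ELF file"]
    ei_class, ei_data = data[4], data[5]
    if ei_class not in _FIELDS or ei_data not in (1, 2):
        return ["unknown EI_CLASS or EI_DATA"]
    fmt = ("<" if ei_data == 1 else ">") + _FIELDS[ei_class]
    if len(data) < 16 + struct.calcsize(fmt):
        return ["truncated ELF header"]
    fields = struct.unpack_from(fmt, data, 16)
    shoff, shentsize, shnum, shstrndx = fields[5], fields[10], fields[11], fields[12]
    if shnum == 0:
        return []  # header claims no section table, nothing to verify
    problems = []
    if shentsize != _SHDR_SIZE[ei_class]:
        problems.append(f"e_shentsize is {shentsize}, expected {_SHDR_SIZE[ei_class]}")
    end = shoff + shnum * shentsize
    if shoff == 0 or end > len(data):
        problems.append(f"section table [{shoff}, {end}) lies outside the {len(data)}-byte file")
    if shstrndx != 0xFFFF and shstrndx >= shnum:  # 0xFFFF = SHN_XINDEX
        problems.append(f"e_shstrndx {shstrndx} >= e_shnum {shnum}")
    return problems


def make_elf32(shoff: int, shnum: int, trailing: int) -> bytes:
    """Constructed sample: little-endian ELF32 i386 ET_EXEC header plus `trailing` zero bytes."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    header = struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x08048000, 0, shoff, 0,
                         52, 32, 0, 40, shnum, max(shnum - 1, 0))
    return ident + header + bytes(trailing)


CONSISTENT = make_elf32(shoff=52, shnum=2, trailing=80)   # table fits inside the file
DANGLING = make_elf32(shoff=0x1000, shnum=30, trailing=0)  # table offset past end of file

if __name__ == "__main__":
    for name, blob in (("consistent", CONSISTENT), ("dangling", DANGLING)):
        print(name, check_section_table(blob) or "ok")
```

Reading a real file with `open(path, "rb").read()` and passing the bytes to `check_section_table` gives the same kind of report that readelf or eu-elflint would back up in more detail.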


ma1l1ists at yahoo

Mar 29, 2012, 12:58 PM

Post #5 of 7 (532 views)
Re: Running Skype on Hardened [In reply to]

On Thu, 29 Mar 2012 17:23:06 +0000
Sven Vermeulen wrote:

> You can try to make it a valid ELF header first, and then paxmark it.

I'm sure it's unrelated as I'd guess skype would give the error message
and shouldn't be able to overwrite its binary but there's a new CONFIG
in the recent grsecurity test patches to allow paxmarking without paxctl
apparently because skype refuses to run a modified binary.


wampir98 at gmail

Mar 29, 2012, 1:04 PM

Post #6 of 7 (545 views)
Re: Running Skype on Hardened [In reply to]

On 30.03.2012 20:12, Ђорђе Тодоровић wrote:
> On Thu, 29 Mar 2012, Sven Vermeulen wrote:
>
>> You can try to make it a valid ELF header first, and then paxmark it.
>>
>> I have the following for my Skype:
>> paxctl -C /opt/skype/skype
>> paxctl -me /opt/skype/skype
>
> I tried running paxctl -Cm on it (should be run on install with
> pax_kernel USE
> flag), but it still reports an invalid ELF executable.
>
> This is listed in the ebuild:
>
> if use pax_kernel; then
> pax-mark Cm "${D}"/opt/skype/skype || die
> eqawarn "You have set USE=pax_kernel meaning that you intend to run"
> eqawarn "skype under a PaX enabled kernel. To do so, we must modify"
> eqawarn "the skype binary itself and this *may* lead to breakage!
> If"
> eqawarn "you suspect that skype is being broken by this
> modification,"
> eqawarn "please open a bug."
> fi
>
> BTW, I checked the skype changelog and this was added recently:
> 29 Feb 2012; mthode <mthode [at] gentoo> skype-2.2.0.35-r1.ebuild:
> fix the paxmarking syntax
> 28 Feb 2012; mthode <mthode [at] gentoo> skype-2.2.0.35-r1.ebuild:
> paxmarked m skype to work on hardened
>
>
> But it somehow fails to complete on my machine when I try it manually.
> I also just checked, my current profile is multilib (I said earlier
> no-multilib)
>
> I seriously am not sure if it is of any help, but I attached the ELF
> header of the
> skype executable (/opt/skype/skype) so maybe (IDK) someone can tell if
> there is an obvious problem there.
> file /opt/skype/skype says:
> /opt/skype/skype: ELF 32-bit LSB executable, Intel 80386, version 1
> (SYSV), dynamically linked (uses shared libs), stripped
>
>

Hi

scanelf -x /opt/skype/skype
TYPE PAX FILE
ET_EXEC --mxe- /opt/skype/skype


ls -l /opt/skype/skype
-rwxr-xr-x 1 root root 21362552 03-01 11:22 /opt/skype/skype


*Skype works fine on pax-kernel.*

Linux localhost 3.3.0-gl1 #1 SMP PREEMPT Wed Mar 28 00:21:14 CEST
2012 *x86_64* Intel(R) Core(TM)2 Duo CPU E6750 @ 2.66GHz
GenuineIntel GNU/Linux


My Pax configuration:

* zgrep -i pax /proc/config.gz *
# PaX
CONFIG_PAX=y
# PaX Control
CONFIG_PAX_SOFTMODE=y
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_MPROTECT_COMPAT=y
CONFIG_PAX_ELFRELOCS=y
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_MEMORY_STACKLEAK=y
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_USERCOPY=y


*paxtest blackhat*
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter [at] adamantix>
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter [at] adamantix>
Released under the GNU Public Licence version 2 or later

Mode: blackhat
Linux localhost 3.3.0-gl1 #1 SMP PREEMPT Wed Mar 28 00:21:14 CEST
2012 x86_64 Intel(R) Core(TM)2 Duo CPU E6750 @ 2.66GHz GenuineIntel
GNU/Linux

Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable shared library bss : Killed
Executable shared library data : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable stack (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments : Killed
Anonymous mapping randomisation test : 33 bits (guessed)
Heap randomisation test (ET_EXEC) : 23 bits (guessed)
Heap randomisation test (PIE) : 40 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (PIE) : 32 bits (guessed)
Shared library randomisation test : 33 bits (guessed)
Stack randomisation test (SEGMEXEC) : 40 bits (guessed)
Stack randomisation test (PAGEEXEC) : 40 bits (guessed)
Return to function (strcpy) : paxtest: return address contains a NULL byte.
Return to function (memcpy) : Killed
Return to function (strcpy, PIE) : paxtest: return address contains a NULL byte.
Return to function (memcpy, PIE) : Killed


Cheers
;)
Attachments: signature.asc (0.48 KB)


atoth at atoth

Mar 29, 2012, 1:22 PM

Post #7 of 7 (534 views)
Re: Running Skype on Hardened [In reply to]

BTW:
What is the current state of xt_pax compared to the initial announcement?
http://archives.gentoo.org/gentoo-dev/msg_4fc5b8e2bdd09f7394b23b44d944c4d7.xml
I see the new USE flag for hardened-sources. What should I expect upon
enabling it on a regular hardened system?
Can I help with testing? If yes: what should I do?

Regards:
Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On Thursday, 29 March 2012 at 21:52, PaX Team wrote:
> On 30 Mar 2012 at 20:12, wrote:
>
>> On Thu, 29 Mar 2012, Sven Vermeulen wrote:
>>
>> >You can try to make it a valid ELF header first, and then paxmark it.
>> >
>> >I have the following for my Skype:
>> >paxctl -C /opt/skype/skype
>> >paxctl -me /opt/skype/skype
>>
>> I tried running paxctl -Cm on it (should be run on install with
>> pax_kernel USE
>> flag), but it still reports an invalid ELF executable.
>
> because it is an invalid ELF (it reports section headers but it doesn't
> seem to
> have any, or at least not where the ELF header says they should be).
> paxctl is not
> the only one that complains, try readelf or eu-elflint for similar
> results.
>
> as for the solution, you can try out the xattr control method that was
> written for
> cases like this.
>
>
>
