When we work with hardened kernels and tools like grsecurity and PaX, we run into problems like:
- The kernel kills applications.
- Some applications cannot start.
- We cannot compile some applications.
- And many others...
How much of this we see depends on the security level configured in the kernel. Some legitimate applications generate code at run time and then execute it straight out of memory (a JIT compiler is the classic case); PaX does not allow this by default and promptly kills the offending process. The fix is not to weaken the kernel globally but to tell PaX, per executable, that a handful of blocked applications are trusted to do this.
The most notable of these applications are XFree86/Xorg, mplayer, multimedia tools based on xine-lib, and the Java virtual machine.
homero / # java -version
Killed
homero / # uname -a
Linux homero 2.6.27.15-grsec-2.1.12-vs2.3.0.36.4 #11 SMP Fri Mar 25 17:30:38 CST 2011 i686 Intel(R) Xeon(TM) CPU 3.20GHz GenuineIntel GNU/Linux
homero ~ # tail -f /var/log/pax.log
Aug 8 13:06:23 homero kernel: [7748633.853670] PAX: From X.X.X.X: execution attempt in: , 48f7f000-48fa7000 48f7f000
Aug 8 13:06:23 homero kernel: [7748633.853683] PAX: terminating task: /usr/local/jdk1.6.0_26/bin/java(java):18549, uid/euid: 0/0, PC: 48f7f040, SP: 4b05dddc
Aug 8 13:06:23 homero kernel: [7748633.853695] PAX: bytes at PC: f0 83 04 24 00 8b 44 24 0c c3 00 00 00 00 00 00 00 00 00 00
Aug 8 13:06:23 homero kernel: [7748633.853718] PAX: bytes at SP-4:
homero bin # pwd
/usr/local/jdk1.6.0_26/bin
To solve this we work with the PaX userland tools, paxctl (or the older chpax), to relax the rules for specific executables only and leave the rest of the system as hardened as it was.
homero bin # emerge pax-utils pax paxctl paxtest -pv
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] sys-apps/paxctl-0.5 0 kB
[ebuild R ] app-misc/pax-utils-0.2.2 USE="caps" 0 kB
[ebuild R ] app-arch/pax-3.3.4 0 kB
[ebuild R ~] app-admin/paxtest-0.9.9-r2 0 kB
Total: 4 packages (4 reinstalls), Size of downloads: 0 kB
* IMPORTANT: 4 news items need reading for repository 'gentoo'.
* Use eselect news to read news items.
First, we need to create the PT_PAX_FLAGS program header in each binary: this is the ELF segment PaX reads its per-executable flags from, and paxctl -C adds it. Files that are not ELF binaries (wrapper scripts such as ControlPanel and jcontrol) are reported and skipped:
homero bin # paxctl -C *
file ControlPanel is not a valid ELF executable
file HtmlConverter is not a valid ELF executable
file appletviewer got a new PT_PAX_FLAGS program header
file apt got a new PT_PAX_FLAGS program header
file extcheck got a new PT_PAX_FLAGS program header
file idlj got a new PT_PAX_FLAGS program header
file jar got a new PT_PAX_FLAGS program header
file jarsigner got a new PT_PAX_FLAGS program header
file java got a new PT_PAX_FLAGS program header
file java-rmi.cgi is not a valid ELF executable
file javac got a new PT_PAX_FLAGS program header
file javadoc got a new PT_PAX_FLAGS program header
file javah got a new PT_PAX_FLAGS program header
file javap got a new PT_PAX_FLAGS program header
file javaws got a new PT_PAX_FLAGS program header
file jconsole got a new PT_PAX_FLAGS program header
file jcontrol is not a valid ELF executable
file jdb got a new PT_PAX_FLAGS program header
file jhat got a new PT_PAX_FLAGS program header
file jinfo got a new PT_PAX_FLAGS program header
file jmap got a new PT_PAX_FLAGS program header
file jps got a new PT_PAX_FLAGS program header
file jrunscript got a new PT_PAX_FLAGS program header
file jsadebugd got a new PT_PAX_FLAGS program header
file jstack got a new PT_PAX_FLAGS program header
file jstat got a new PT_PAX_FLAGS program header
file jstatd got a new PT_PAX_FLAGS program header
file jvisualvm is not a valid ELF executable
file keytool got a new PT_PAX_FLAGS program header
file native2ascii got a new PT_PAX_FLAGS program header
file orbd got a new PT_PAX_FLAGS program header
file pack200 got a new PT_PAX_FLAGS program header
file policytool got a new PT_PAX_FLAGS program header
file rmic got a new PT_PAX_FLAGS program header
file rmid got a new PT_PAX_FLAGS program header
file rmiregistry got a new PT_PAX_FLAGS program header
file schemagen got a new PT_PAX_FLAGS program header
file serialver got a new PT_PAX_FLAGS program header
file servertool got a new PT_PAX_FLAGS program header
file tnameserv got a new PT_PAX_FLAGS program header
file unpack200 got a new PT_PAX_FLAGS program header
file wsgen got a new PT_PAX_FLAGS program header
file wsimport got a new PT_PAX_FLAGS program header
file xjc got a new PT_PAX_FLAGS program header
homero bin # paxctl -v java
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team
- PaX flags: -------x-e-- [java]
RANDEXEC is disabled
EMUTRAMP is disabled
The problem is MPROTECT. The '-' in its position means java carries no explicit setting for it, so the kernel default applies, and on this kernel the default is MPROTECT enabled (the lower-case x and e on the same line mean RANDEXEC and EMUTRAMP are explicitly off).
From the mprotect(2) man page:
Name
mprotect - control allowable accesses to a region of memory
Synopsis
#include <sys/mman.h>
int mprotect(const void *addr, size_t len, int prot);
Description
The function mprotect() specifies the desired protection for the memory page(s) containing part or all of the interval [addr,addr+len-1]. If an access is disallowed by the protection given it, the program receives a SIGSEGV.
The PaX documentation describes what the MPROTECT feature adds on top of that: the goal of MPROTECT is to help prevent the introduction of new executable code into the task's address space. This is accomplished by restricting the mmap() and mprotect() interfaces.
The restrictions prevent:
- Creating executable anonymous mappings.
- Creating executable/writable file mappings.
- Making an executable/read-only file mapping writable except for performing relocations on an ET_DYN ELF file (non-PIC shared library).
- Making a non-executable mapping executable.
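The restrictions above are easiest to see from the JIT's side. The following is an added example, not code from the original post or from the JDK: it performs the two permission transitions a JIT code cache needs, (1) an anonymous mapping that is writable and executable at once and (2) a writable page later made executable, reports whether the kernel allowed each, and runs a few bytes of generated code if it could. On a stock kernel both are allowed and the generated function returns 42; on the grsecurity kernel above, with MPROTECT active for the executable, both calls are refused (EPERM or EACCES, which one depends on the call) and the function is never run. The machine code is included for x86 and arm64 only; other architectures report -1. The MAP_ANONYMOUS fallback value is the Linux one and the file name in the usage note is my choice.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20   /* Linux value; hidden under strict -std= without _GNU_SOURCE */
#endif
#define PAGE 4096

/* Probe 1: an anonymous mapping that is writable and executable at once
 * ("creating executable anonymous mappings" in the list above).
 * Returns 0 if the kernel allowed it, else the errno of the refused mmap. */
int probe_rwx_anon_mapping(void)
{
    void *p = mmap(NULL, PAGE, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, PAGE);
    return 0;
}

/* Map a page RW, copy `code` into it, then flip it to RX: the write-then-
 * mprotect pattern of a JIT code cache ("making a non-executable mapping
 * executable"). Returns 0 with the mapping in *out, else the errno. */
static int map_rw_then_exec(const uint8_t *code, size_t len, void **out)
{
    void *p = mmap(NULL, PAGE, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    memcpy(p, code, len);
    if (mprotect(p, PAGE, PROT_READ | PROT_EXEC) != 0) {
        int err = errno;
        munmap(p, PAGE);
        return err;
    }
    __builtin___clear_cache((char *)p, (char *)p + len);  /* needed on arm64, harmless on x86 */
    *out = p;
    return 0;
}

/* Probe 2: the RW -> RX transition alone, without running anything. */
int probe_rw_then_exec(void)
{
    static const uint8_t filler = 0;
    void *p;
    int err = map_rw_then_exec(&filler, 1, &p);
    if (err == 0)
        munmap(p, PAGE);
    return err;
}

/* A few bytes of "JIT" output: machine code for `return 42` on the host.
 * Returns 42 if it ran, -1 if the policy (or an unsupported arch) stopped it. */
int run_jitted_return_42(void)
{
    static const uint8_t code[] = {
#if defined(__x86_64__) || defined(__i386__)
        0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3                 /* mov eax, 42 ; ret */
#elif defined(__aarch64__)
        0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6     /* mov w0, #42 ; ret */
#else
        0x00                                               /* unsupported: never executed */
#endif
    };
#if !defined(__x86_64__) && !defined(__i386__) && !defined(__aarch64__)
    return -1;
#endif
    void *p;
    if (map_rw_then_exec(code, sizeof code, &p) != 0)
        return -1;
    int (*fn)(void);
    memcpy(&fn, &p, sizeof fn);   /* sidestep the object-to-function pointer cast */
    int r = fn();
    munmap(p, PAGE);
    return r;
}

static const char *verdict(int err)
{
    return err == 0 ? "allowed" : strerror(err);
}

int main(void)
{
    printf("RWX anonymous mapping      : %s\n", verdict(probe_rwx_anon_mapping()));
    printf("RW page made executable    : %s\n", verdict(probe_rw_then_exec()));
    printf("JIT'd `return 42` returned : %d\n", run_jitted_return_42());
    return 0;
}
```

Build it with `gcc -O2 -o jitprobe jitprobe.c`. On the hardened host, running it before and after `paxctl -m jitprobe` shows the policy switch directly: the refusal it reports is the one the HotSpot VM hit before the kernel killed java above.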
So we need to disable it, but only for these executables. The flag lives in each binary's own PT_PAX_FLAGS header, so marking the JDK launchers leaves MPROTECT active for every other process on the box. Each launcher (java, javac, javaws and the rest) loads the HotSpot VM into its own process, which is why the author marks all of them and not just java; the marked binaries do give up this protection, so keep the list as short as your workload allows (on a runtime-only server, often just java).
homero bin # paxctl -m *
file ControlPanel is not a valid ELF executable
file HtmlConverter is not a valid ELF executable
file java-rmi.cgi is not a valid ELF executable
file jcontrol is not a valid ELF executable
file jvisualvm is not a valid ELF executable
homero bin # paxctl -v java
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team
- PaX flags: -----m-x-e-- [java]
MPROTECT is disabled
RANDEXEC is disabled
EMUTRAMP is disabled
homero bin # java -version
java version "1.6.0_26"
Java(TM) SE Runtime Environment (build 1.6.0_26-b03)
Java HotSpot(TM) Client VM (build 20.1-b02, mixed mode)
And now we can run Java applications on our hardened system, with MPROTECT relaxed only for the JDK launchers we marked. Two things to remember: the marking is stored inside the binary, so it has to be redone after the JDK is reinstalled or upgraded (check with paxctl -v), and /var/log/pax.log is the first place to look the next time something dies with a bare "Killed".
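To see what paxctl -C and paxctl -m actually did to the files, here is an added example, written for this page and not taken from the original post or from paxctl: a minimal reader/writer for the PT_PAX_FLAGS program header that prints the same 12-character flag string as paxctl -v and can flip one feature on or off in place. The segment type (PT_LOOS + 0x5041580) and the bit layout of p_flags (pairs starting at bit 4, even bit = force on, odd bit = force off, in the order PAGEEXEC, SEGMEXEC, MPROTECT, RANDEXEC, EMUTRAMP, RANDMMAP) are quoted from paxctl.h from memory; verify them against the header installed with your paxctl. It handles ELF32 only, like the i686 JDK above, and the sample ELF image it builds for the no-argument run is constructed, not a real binary. Use paxctl for real work; this is for understanding the on-disk format.

```c
#include <ctype.h>
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PT_PAX_FLAGS 0x65041580u   /* PT_LOOS + 0x5041580: the PaX segment type */
/* p_flags bit pairs start at bit 4: even bit = force on, odd bit = force off,
 * neither = kernel default. Pair order: PAGEEXEC SEGMEXEC MPROTECT RANDEXEC
 * EMUTRAMP RANDMMAP (quoted from paxctl.h from memory; verify locally). */
#define PAX_ON(i)  (1u << (4 + 2 * (i)))
#define PAX_OFF(i) (1u << (5 + 2 * (i)))
static const char PAX_LETTERS[] = "PSMXER";

/* Locate the PT_PAX_FLAGS header in an in-memory ELF32 image, or return NULL. */
Elf32_Phdr *find_pax_phdr(uint8_t *img, size_t len)
{
    if (len < sizeof(Elf32_Ehdr) || memcmp(img, ELFMAG, SELFMAG) != 0 || img[EI_CLASS] != ELFCLASS32)
        return NULL;
    Elf32_Ehdr *eh = (Elf32_Ehdr *)img;
    if (eh->e_phentsize != sizeof(Elf32_Phdr) || eh->e_phoff + (size_t)eh->e_phnum * sizeof(Elf32_Phdr) > len)
        return NULL;
    Elf32_Phdr *ph = (Elf32_Phdr *)(img + eh->e_phoff);
    for (unsigned i = 0; i < eh->e_phnum; i++)
        if (ph[i].p_type == PT_PAX_FLAGS)
            return &ph[i];
    return NULL;
}

/* Render p_flags as paxctl -v prints them: upper case = forced on, lower case =
 * forced off, '-' = not set. The post's java reads "-----m-x-e--" after -m. */
void format_pax_flags(uint32_t pflags, char out[13])
{
    for (int i = 0; i < 6; i++) {
        out[2 * i]     = (pflags & PAX_ON(i))  ? PAX_LETTERS[i] : '-';
        out[2 * i + 1] = (pflags & PAX_OFF(i)) ? (char)tolower((unsigned char)PAX_LETTERS[i]) : '-';
    }
    out[12] = '\0';
}

/* Apply one paxctl letter: 'm' forces MPROTECT off, 'M' forces it on. The other
 * bit of the pair is cleared so the header never asserts both. -1 = bad letter. */
int apply_pax_letter(uint32_t *pflags, char letter)
{
    const char *pos = isalpha((unsigned char)letter) ? strchr(PAX_LETTERS, toupper((unsigned char)letter)) : NULL;
    if (!pos)
        return -1;
    int i = (int)(pos - PAX_LETTERS);
    *pflags = (*pflags & ~(PAX_ON(i) | PAX_OFF(i))) | (islower((unsigned char)letter) ? PAX_OFF(i) : PAX_ON(i));
    return 0;
}

/* Constructed sample (no JDK needed): an ELF32 image whose only program header
 * is PT_PAX_FLAGS carrying `initial`; returns the flag string after applying
 * `letters`, or NULL on an unknown letter. Static buffer, so copy the result. */
const char *sample_flags_after(uint32_t initial, const char *letters)
{
    static uint8_t img[sizeof(Elf32_Ehdr) + sizeof(Elf32_Phdr)];
    static char out[13];
    memset(img, 0, sizeof img);
    Elf32_Ehdr *eh = (Elf32_Ehdr *)img;
    memcpy(eh->e_ident, ELFMAG, SELFMAG);
    eh->e_ident[EI_CLASS] = ELFCLASS32;
    eh->e_phoff = sizeof(Elf32_Ehdr);
    eh->e_phentsize = sizeof(Elf32_Phdr);
    eh->e_phnum = 1;
    Elf32_Phdr *ph = (Elf32_Phdr *)(img + eh->e_phoff);
    ph->p_type = PT_PAX_FLAGS;
    ph->p_flags = initial;
    Elf32_Phdr *pax = find_pax_phdr(img, sizeof img);
    for (; *letters; letters++)
        if (apply_pax_letter(&pax->p_flags, *letters) != 0)
            return NULL;
    format_pax_flags(pax->p_flags, out);
    return out;
}

/* ./paxflags <elf32-file> [letters]: print the flags like paxctl -v and, given
 * letters, rewrite the header in place. No arguments: replay -C then -m on the sample. */
int main(int argc, char **argv)
{
    if (argc < 2) {
        printf("after paxctl -C: %s\n", sample_flags_after(PAX_OFF(3) | PAX_OFF(4), ""));
        printf("after paxctl -m: %s\n", sample_flags_after(PAX_OFF(3) | PAX_OFF(4), "m"));
        return 0;
    }
    static uint8_t img[1 << 16];   /* program headers sit at the start of the file */
    FILE *f = fopen(argv[1], argc > 2 ? "r+b" : "rb");
    if (!f) { perror(argv[1]); return 1; }
    size_t len = fread(img, 1, sizeof img, f);
    Elf32_Phdr *ph = find_pax_phdr(img, len);
    if (!ph) { fprintf(stderr, "%s: no PT_PAX_FLAGS header, run paxctl -C first\n", argv[1]); fclose(f); return 1; }
    for (const char *c = argc > 2 ? argv[2] : ""; *c; c++)
        if (apply_pax_letter(&ph->p_flags, *c) != 0) { fprintf(stderr, "unknown flag letter '%c'\n", *c); fclose(f); return 1; }
    if (argc > 2 && (fseek(f, (long)((uint8_t *)ph - img), SEEK_SET) != 0 || fwrite(ph, sizeof *ph, 1, f) != 1)) {
        perror("rewriting header"); fclose(f); return 1;
    }
    fclose(f);
    char buf[13];
    format_pax_flags(ph->p_flags, buf);
    printf("- PaX flags: %s [%s]\n", buf, argv[1]);
    return 0;
}
```

`./paxflags java` should print the same line as `paxctl -v java`, and `./paxflags java m` performs the same edit as `paxctl -m java`: it does not touch code or data, only the p_flags word of one program header, which is why the marking survives until the file itself is replaced.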