/usr/X11R6/bin/XFree86 needs to have:
- paging based non-executable pages disabled
- segmentation based non-executable pages disabled
- mprotect() restrictions lifted
which would be equivalent to chpax -pms /usr/X11R6/bin/XFree86

I suggest adding /usr/X11R6/bin/XFree86 to the MPROTECT_EXEMPT line in /etc/conf.d/grsecurity . . . however, there is no line in /etc/conf.d/grsecurity with which segmentation based non-executable pages (equivalent to chpax -s ...) can be disabled. I suggest either adding another line to /etc/conf.d/grsecurity to accommodate this feature or modifying /etc/init.d/grsecurity to apply `chpax -ps` instead of just `chpax -p`.

Reproducible: Always

Steps to Reproduce:
1. Compile and boot a kernel with the "Enforce non-executable pages" (CONFIG_GRKERNSEC_PAX_NOEXEC), "Segmentation based non-executable pages" (CONFIG_GRKERNSEC_PAX_SEGMEXEC), and "Restrict mprotect()" (CONFIG_GRKERNSEC_PAX_MPROTECT) options enabled.
2. Attempt to run XFree86.

Actual Results:
If paging based non-executable pages isn't disabled, X can only be killed with Magic SysRq. The system is unusable. Any commands or actions which attempt to access the process namespace (e.g. the pstree command) freeze the system to the point where only Magic SysRq can interrupt. Failure to disable the other two options results in an X server that fails to start and eventually drops back to the console.

Not an extremely pertinent issue, but nice for those who are running grsecurity kernels with the above options enabled.
good info, Nick
I was going to suggest the same thing about adding a line for segmentation based non-executable pages to /etc/conf.d/grsecurity. Indeed, XFree86 needs executable pages, but I am using XFree86 with mprotect() restricted without problems.
Odd . . . I'm assuming you do have CONFIG_GRKERNSEC_PAX_MPROTECT enabled in your kernel config. Do you have CONFIG_GRKERNSEC_PAX_NOELFRELOCS enabled? I do. I see this appears to be a sub-option under MPROTECT in the kernel config. On my system, `chpax -M /usr/X11R6/bin/XFree86` as root followed by `startx` by my unprivileged user results in a black screen. The only way I can get out of this is with Magic SysRq. X server processes remain active, and any attempt to kill/ps processes as root results in a console lockup.
I've added support for SEGMENTATION_EXEMPT to the {init,conf}.d/grsecurity files, and you should notice it when gradm-1.9.9h-r2 & gradm-2 get committed. We now support the chpax options -perms (cute, eh?). I have nearly every option in grsecurity (-NOELFRELOCS) enabled and my X & xinit work flawlessly. On my system (chpax -v file):

----[ chpax 0.4 : Current flags for /usr/X11R6/bin/XFree86 ]----
 * Paging based PAGE_EXEC : disabled
 * Trampolines : not emulated
 * mprotect() : restricted
 * mmap() base : randomized
 * ET_EXEC base : not randomized
 * Segmentation based PAGE_EXEC : disabled

----[ chpax 0.4 : Current flags for /usr/X11R6/bin/xinit ]----
 * Paging based PAGE_EXEC : enabled (overridden)
 * Trampolines : not emulated
 * mprotect() : restricted
 * mmap() base : randomized
 * ET_EXEC base : not randomized
 * Segmentation based PAGE_EXEC : enabled
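The two posts above describe the same mechanism from both ends: the reporter wants /etc/conf.d/grsecurity to carry one exemption list per PaX feature (the existing MPROTECT_EXEMPT plus a new SEGMENTATION_EXEMPT), and the init script should turn those lists into a single `chpax` call per binary (`chpax -pms` for XFree86). The script below is an added example, not the Gentoo init script or anything from the gradm packages: it mirrors that design in POSIX sh, builds the combined flag string for each listed binary, and parses `chpax -v` output (constructed here from the listing posted above) to report which protections a binary has had disabled. Only MPROTECT_EXEMPT and SEGMENTATION_EXEMPT are named in the thread; the PAGEEXEC_EXEMPT variable, the DRY_RUN switch and the "not restricted" wording for an unrestricted mprotect() are assumptions made for this example.

```shell
#!/bin/sh
# Added example: per-feature PaX exemption lists in the style the thread proposes
# for /etc/conf.d/grsecurity, applied with one chpax call per binary.
# MPROTECT_EXEMPT and SEGMENTATION_EXEMPT are named in the thread; PAGEEXEC_EXEMPT
# is an assumed name for the paging-based (chpax -p) list.
PAGEEXEC_EXEMPT="/usr/X11R6/bin/XFree86"        # chpax -p
MPROTECT_EXEMPT="/usr/X11R6/bin/XFree86"        # chpax -m
SEGMENTATION_EXEMPT="/usr/X11R6/bin/XFree86"    # chpax -s

# in_list NEEDLE LIST: succeed if NEEDLE is one of the whitespace-separated words in LIST.
in_list() {
    needle=$1
    for word in $2; do
        [ "$word" = "$needle" ] && return 0
    done
    return 1
}

# chpax_flags_for BINARY: print the chpax option (e.g. "-pms") that disables exactly
# the protections BINARY is exempted from; print nothing if it needs no exemptions.
chpax_flags_for() {
    bin=$1
    letters=""
    in_list "$bin" "$PAGEEXEC_EXEMPT"     && letters="${letters}p"
    in_list "$bin" "$MPROTECT_EXEMPT"     && letters="${letters}m"
    in_list "$bin" "$SEGMENTATION_EXEMPT" && letters="${letters}s"
    [ -n "$letters" ] && printf '%s\n' "-$letters"
    return 0
}

# apply_exemptions: visit every binary named in any list once and run chpax with the
# combined flags. With DRY_RUN=1 (assumed switch) or no chpax on PATH, print the
# command instead of running it, so the result can be reviewed before touching ELF headers.
apply_exemptions() {
    seen=""
    for bin in $PAGEEXEC_EXEMPT $MPROTECT_EXEMPT $SEGMENTATION_EXEMPT; do
        case " $seen " in *" $bin "*) continue ;; esac
        seen="$seen $bin"
        flags=$(chpax_flags_for "$bin")
        [ -n "$flags" ] || continue
        if [ "${DRY_RUN:-0}" = 1 ] || ! command -v chpax >/dev/null 2>&1; then
            echo "chpax $flags $bin"
        else
            chpax "$flags" "$bin"
        fi
    done
}

# disabled_from_chpax_v: read `chpax -v FILE` output on stdin and print one token per
# protection that is switched off for that binary. The PAGE_EXEC wording matches the
# listing posted in the thread; "not restricted" for mprotect() is an assumption.
disabled_from_chpax_v() {
    while IFS= read -r line; do
        case $line in
            *"Paging based PAGE_EXEC"*disabled*)       echo PAGEEXEC ;;
            *"Segmentation based PAGE_EXEC"*disabled*) echo SEGMEXEC ;;
            *"mprotect()"*"not restricted"*)           echo MPROTECT ;;
        esac
    done
}

# Constructed sample: the XFree86 block from the chpax -v listing posted above.
SAMPLE_CHPAX_V='----[ chpax 0.4 : Current flags for /usr/X11R6/bin/XFree86 ]----
 * Paging based PAGE_EXEC : disabled
 * Trampolines : not emulated
 * mprotect() : restricted
 * mmap() base : randomized
 * ET_EXEC base : not randomized
 * Segmentation based PAGE_EXEC : disabled'

# Usage: show what the init script would run, then what the sample binary already has off.
DRY_RUN=1 apply_exemptions
printf '%s\n' "$SAMPLE_CHPAX_V" | disabled_from_chpax_v
```

Note that for the posted XFree86 listing the parser reports only PAGEEXEC and SEGMEXEC: mprotect() is still restricted on that binary, which is consistent with the second poster running X with MPROTECT enforced while the reporter wanted it lifted via `chpax -m`.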
Great! I'll look forward to the new versions of the packages. As far as why no one else seems to be affected by restricting mprotect(), maybe my CFLAGS or USE are to blame?

# emerge info
Started emerge on: Jun 11, 2003 20:22:54
 *** emerge --buildpkg info
 *** terminating.
Portage 2.0.48-r1 (default-x86-1.4, gcc-3.2.3, glibc-2.3.2-r1)
=================================================================
System uname: 2.4.20-gentoo-r5 i686 Intel(R) Pentium(R) 4 CPU 3.06GHz
GENTOO_MIRRORS="http://gentoo.oregonstate.edu/ http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
CONFIG_PROTECT="/etc /var/qmail/control /usr/share/config /usr/kde/2/share/config /usr/kde/3/share/config /usr/X11R6/lib/X11/xkb"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
PORTDIR="/usr/portage"
DISTDIR="/usr/portage/distfiles"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR_OVERLAY=""
USE="x86 apm arts avi crypt cups encode gif gpm jpeg gnome libg++ libwww mikmod mmx mpeg ncurses pdflib png qt quicktime sdl spell svga truetype xml2 xmms xv zlib gdbm slang readline java guile X pam ssl python esd imlib oggvorbis gtk motif opengl 3dfx -3dnow acl alsa apache2 -berkdb bonobo cdr dga directfb doc dvd ethereal fbcon flash gd gphoto2 gps gtkhtml imap jikes -kde lirc maildir matrox mozilla moznoirc moznomail moznocompose mysql nls odbc -oss perl ruby samba sse tcltk -tcpd tiff usb xinerama xml"
COMPILER="gcc3"
CHOST="i686-pc-linux-gnu"
CFLAGS="-march=pentium3 -O3 -pipe -fforce-addr -foptimize-sibling-calls -fno-inline -finline-limit=1000"
CXXFLAGS="-march=pentium3 -O3 -pipe -fforce-addr -foptimize-sibling-calls -fno-inline -finline-limit=1000 -fno-default-inline"
ACCEPT_KEYWORDS="x86 ~x86"
MAKEOPTS="-j2"
AUTOCLEAN="yes"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
FEATURES="sandbox buildpkg ccache fixpackages userpriv usersandbox digest"
Can we close this then?
Looks good to me. I've been having a lot of problems with the MPROTECT feature in general, so I don't think it's pertinent to add /usr/X11R6/bin/XFree86 to MPROTECT_EXEMPT in /etc/conf.d/grsecurity.
This bug can be closed.