Bug 366167 - CONFIG_PAX_MPROTECT_COMPAT must be enabled in hardened "virtualization" profile
Status: RESOLVED NEEDINFO
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: The Gentoo Linux Hardened Kernel Team (OBSOLETE)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-05-06 05:27 UTC by Anton Bolshakov
Modified: 2011-10-21 15:57 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Anton Bolshakov 2011-05-06 05:27:36 UTC
vmware-workstation, vmware-player, and dev-util/android-sdk-update-manager fail to run if CONFIG_PAX_MPROTECT_COMPAT is not enabled. Here is the error message:

Apr 30 12:24:40 [kernel] Program vmware-vmx tried to access /dev/mem between 0->100000.                                                                      
Apr 30 12:24:41 [kernel] grsec: denied RWX mmap of <anonymous mapping> by /opt/vmware/lib/vmware/bin/vmware-vmx[vmware-vmx:1844] uid/euid:1000/1000 gid/egid:
Apr 30 12:24:41 [kernel] grsec: Abort occurred at 000003e80000075a in /opt/vmware/lib/vmware/bin/vmware-vmx[vmware-vmx:1882] uid/euid:1000/1000 gid/egid:100/
Apr 30 12:24:41 [kernel] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /opt/vmware/lib/vmware/bin/vmware-vmx[vmware-

May 05 17:01:06 [kernel] grsec: denied RWX mmap of <anonymous mapping> by /opt/android-sdk-update-manager/tools/emulator[emulator:10530] uid/euid:1000/1000 g

So I suggest enabling that option in the virtualization profile.

emerge --info
Portage 2.1.9.42 (hardened/linux/amd64, gcc-4.4.5, libc-0-r0, 2.6.37-hardened-r7 x86_64)
=================================================================
System uname: Linux-2.6.37-hardened-r7-x86_64-Intel-R-_Core-TM-_i5_CPU_M_520_@_2.40GHz-with-gentoo-2.0.2
Timestamp of tree: Wed, 04 May 2011 12:00:01 +0000
app-shells/bash:     4.1_p9
dev-java/java-config: 2.1.11-r3
dev-lang/python:     2.7.1-r1, 3.1.3-r1
dev-util/cmake:      2.8.4-r1
sys-apps/baselayout: 2.0.2
sys-apps/openrc:     0.8.2-r1::pentoo
sys-apps/sandbox:    2.4
sys-devel/autoconf:  2.13, 2.65-r1
sys-devel/automake:  1.9.6-r3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.4.5
sys-devel/gcc-config: 1.4.1-r1
sys-devel/libtool:   2.2.10
sys-devel/make:      3.81-r2
sys-kernel/linux-headers: 2.6.36.1
sys-libs/glibc:      2.11.3
virtual/os-headers:  0
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA PUEL AdobeFlash-10.1"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=core2 -mtune=generic -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=core2 -mtune=generic -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs distlocks fixlafiles fixpackages news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS=""
GENTOO_MIRRORS="http://gentoo.channelx.biz/"
INSTALL_MASK=" /usr/lib/lib[0-9]*.la /usr/lib/lib[a-k]*.la /usr/lib/lib[m-z]*.la /usr/lib/libl[0-9]*.la /usr/lib/libl[a-s]*.la /usr/lib/libl[u-z]*.la /usr/lib/liblt[0-9]*.la /usr/lib/liblt[a-c]*.la /usr/lib/liblt[e-z]*.la /usr/lib/libltd[0-9]*.la /usr/lib/libltd[a-k]*.la /usr/lib/libltd[m-z]*.la /usr/lib/libltdl[0-9]*.la /usr/lib/libltdl[a-z]*.la "
LANG="C"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en ru"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/vmware /var/lib/layman/ikelos /usr/local/portage /pentoo"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X acl alsa amd64 avahi bash-completion berkdb branding bzip2 cli consolekit cracklib crypt cxx dbus dri exif flac gdbm gnome gnome-keyring gstreamer gtk hardened iconv java jpeg justify libnotify mmx modules mp3 mudflap multilib ncurses networkmanager nls nptl nptlonly opengl openmp oss pam pcre perl policykit pppd python qt4 readline samba session sse sse2 ssl sysfs syslog tcpd udev unicode urandom vaapi x264 xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev keyboard mouse synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en ru" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="vesa intel" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
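The "denied RWX mmap" lines quoted above are the evidence an admin needs before changing a kernel-wide setting: PaX MPROTECT refuses writable-and-executable anonymous mappings, and the log names the binary, comm, pid and uid of each refusal. The following filter is an added example, not code from the bug report, Gentoo or grsecurity; it parses those grsec lines into per-binary counts so it is visible exactly which executables are hitting MPROTECT, which is the input to deciding between a per-binary exception and enabling CONFIG_PAX_MPROTECT_COMPAT for the whole profile. The regex and the class and function names are my own, written against the line format shown in the report; the sample log embeds the report's own lines (some truncated, as they appear above).

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Regex written against the grsec log lines quoted in the report (hypothetical
# field names).  It only matches the MPROTECT RWX denial, not the other grsec
# messages (/dev/mem access, "Abort occurred", RLIMIT_CORE overstep).
RWX_DENIAL = re.compile(
    r"grsec: denied RWX mmap of (?P<target><[^>]+>|\S+) by "
    r"(?P<path>/[^\[\s]+)\[(?P<comm>[^\]:]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+)"
)


@dataclass(frozen=True)
class RwxDenial:
    """One MPROTECT denial event as recovered from a grsec log line."""
    path: str    # executable that requested the RWX mapping
    comm: str    # kernel comm name (first 15 chars of the process name)
    pid: int
    uid: int
    euid: int
    target: str  # what was mapped, e.g. "<anonymous mapping>" or a file


def parse_rwx_denials(lines):
    """Return the RWX-denial events found in an iterable of syslog lines."""
    events = []
    for line in lines:
        m = RWX_DENIAL.search(line)
        if m is None:
            continue  # not an MPROTECT denial; ignore
        events.append(RwxDenial(
            path=m["path"], comm=m["comm"], pid=int(m["pid"]),
            uid=int(m["uid"]), euid=int(m["euid"]), target=m["target"],
        ))
    return events


def summarize_by_binary(events):
    """Group denial events by executable path: count, distinct pids, distinct uids."""
    summary = defaultdict(lambda: {"count": 0, "pids": set(), "uids": set()})
    for ev in events:
        entry = summary[ev.path]
        entry["count"] += 1
        entry["pids"].add(ev.pid)
        entry["uids"].add(ev.uid)
    return dict(summary)


# Sample input: the lines from the bug report above (truncated as reported),
# plus the non-denial grsec lines that the filter must skip.
SAMPLE_LOG = [
    "Apr 30 12:24:40 [kernel] Program vmware-vmx tried to access /dev/mem between 0->100000.",
    "Apr 30 12:24:41 [kernel] grsec: denied RWX mmap of <anonymous mapping> by "
    "/opt/vmware/lib/vmware/bin/vmware-vmx[vmware-vmx:1844] uid/euid:1000/1000 gid/egid:",
    "Apr 30 12:24:41 [kernel] grsec: Abort occurred at 000003e80000075a in "
    "/opt/vmware/lib/vmware/bin/vmware-vmx[vmware-vmx:1882] uid/euid:1000/1000 gid/egid:100/",
    "Apr 30 12:24:41 [kernel] grsec: denied resource overstep by requesting 4096 for "
    "RLIMIT_CORE against limit 0 for /opt/vmware/lib/vmware/bin/vmware-vmx[vmware-",
    "May 05 17:01:06 [kernel] grsec: denied RWX mmap of <anonymous mapping> by "
    "/opt/android-sdk-update-manager/tools/emulator[emulator:10530] uid/euid:1000/1000 g",
]


if __name__ == "__main__":
    for path, info in summarize_by_binary(parse_rwx_denials(SAMPLE_LOG)).items():
        print(f"{path}: {info['count']} denial(s), "
              f"pids={sorted(info['pids'])}, uids={sorted(info['uids'])}")
```

Run against a real `/var/log/messages` the summary shows whether the RWX requests come from the two or three programs named in this bug or from everything on the box; in the first case a per-executable MPROTECT exception (the PaX flag tooling, not mentioned in this report, can mark a single binary) keeps the protection for every other process, whereas CONFIG_PAX_MPROTECT_COMPAT relaxes the same check system-wide, which is the trade-off Comment 3 has reservations about.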
Comment 1 Francisco Blas Izquierdo Riera (RETIRED) gentoo-dev 2011-05-06 05:32:10 UTC
Hi, IIRC the Virtualization profile is meant mainly to be used with KVM and virtualbox as these are the ones we test and support to some extent. Anyway maybe the people on the kernel team can be of more help than I am.
Comment 2 Anton Bolshakov 2011-05-06 06:15:11 UTC
Just as additional info, I've got this idea from the forum:
http://forums.grsecurity.net/viewtopic.php?f=3&t=2441

and it did the trick.
Comment 3 Anthony Basile gentoo-dev 2011-05-06 10:37:40 UTC
(In reply to comment #2)
> Just as additional info, I've got this idea from the forum:
> http://forums.grsecurity.net/viewtopic.php?f=3&t=2441
> 
> and it did the trick.

I assume you tested this because I don't run vmware.  I switched to virtualbox on hardened.

If so, I'll enable PAX_MPROTECT_COMPAT, although I have mixed feelings about it from a security point of view.
Comment 4 Anton Bolshakov 2011-10-21 15:57:23 UTC
I've found a workaround for my problem and am not very confident about my request any more. I'll reopen it when I have more facts and bug #382793 is fixed.