I did a system upgrade recently, recompiled everything again with gcc-4.8.2 and upgraded the kernel to 3.12.6-r4 and glibc to 2.17. My system is multilib and has support for both 64 and 32 bit ABIs. Everything is compiled with the hardened toolchain (both pie and ssp enabled) except binary packages of course. I use the inverted gid flag on grsecurity's tpe allowing a group I call "notpe" to be excluded from TPE restrictions. Currently only portage and my local user are members of this group. Portage has no issues with TPE but my local user does... When running plugin-container through firefox this is what I get on the logs: grsec: denied untrusted exec (due to file in world-writable directory) of / by /usr/lib64/firefox/plugin-container[plugin-containe:4256] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/lib64/firefox/firefox[Gecko_IOThread:2484] uid/euid:1000/1000 gid/egid:1000/1000 Note that / is not world-writable, it's not an executable and my local user (with uid/gid 1000) is supposed to be excluded from tpe restrictions. The same thing happens with chrome and dropbox. All of them are binary packages (flash plugin is what plugin-container runs so it's also a binary package). grsec: denied untrusted exec (due to file in world-writable directory) of / by /opt/dropbox/dropbox[dropbox:2322] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/lib64/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0 grsec: denied untrusted exec (due to file in world-writable directory) of / by /opt/google/chrome/chrome[chrome:6474] uid/euid:1000/1000 gid/egid:1000/1000, parent /opt/google/chrome/chrome[chrome:6422] uid/euid:1000/1000 gid/egid:1000/1000 This one at least mentions an executable and the /tmp and /var/tmp directories are indeed world writable but again my user should be excluded from this restriction: grsec: denied untrusted exec (due to file in world-writable directory) of /tmp/ffiftcE08 by /opt/SpiderOak/lib/SpiderOak[SpiderOak:2428] uid/euid:1000/1000 gid/egid:1000/1000, parent /opt/SpiderOak/lib/SpiderOak[SpiderOak:2301] uid/euid:1000/1000 gid/egid:1000/1000 grsec: denied untrusted exec (due to file in world-writable directory) of /var/tmp/ffiSdNFu0 by /opt/SpiderOak/lib/SpiderOak[SpiderOak:2428] uid/euid:1000/1000 gid/egid:1000/1000, parent /opt/SpiderOak/lib/SpiderOak[SpiderOak:2301] uid/euid:1000/1000 gid/egid:1000/1000 And the same as above: grsec: denied untrusted exec (due to file in world-writable directory) of /tmp/orcexec.Nyrrb5 by /usr/lib64/firefox/firefox[mpegaudioparse0:2579] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gnome-shell[gnome-shell:2218] uid/euid:1000/1000 gid/egid:1000/1000 Everything works fine with TPE disabled (kernel.grsecurity.tpe=0). Another weird thing: I can still run binaries from non-root owned directories, e.g. I can compile something on my home directory and run it, so this part of TPE works as expected (I'm excluded). The errors I'm getting are only for world writable dirs. Reproducible: Always Actual Results: TPE check doesn't work as expected on world-writable directories Expected Results: The check should check against executables (it shouldn't report / as an executable) and my local user should be excluded from the restriction.
Portage 2.2.7 (hardened/linux/amd64, gcc-4.8.2, glibc-2.17, 3.12.6-hardened-r4 x86_64) ================================================================= System uname: Linux-3.12.6-hardened-r4-x86_64-AMD_FX-tm-8120_Eight-Core_Processor-with-gentoo-2.2 KiB Mem: 8105048 total, 4192928 free KiB Swap: 0 total, 0 free Timestamp of tree: Sun, 05 Jan 2014 15:45:01 +0000 ld GNU ld (GNU Binutils) 2.24 ccache version 3.1.9 [enabled] app-shells/bash: 4.2_p45 dev-java/java-config: 2.2.0 dev-lang/python: 2.7.6, 3.3.3 dev-util/ccache: 3.1.9-r3 dev-util/cmake: 2.8.12.1-r2 dev-util/pkgconfig: 0.28 sys-apps/baselayout: 2.2 sys-apps/openrc: 0.12.4 sys-apps/sandbox: 2.6-r1 sys-devel/autoconf: 2.13, 2.69 sys-devel/automake: 1.11.6, 1.12.6, 1.14.1 sys-devel/binutils: 2.24 sys-devel/gcc: 4.8.2-r1::hardened-dev sys-devel/gcc-config: 1.8 sys-devel/libtool: 2.4.2 sys-devel/make: 4.0-r1 sys-kernel/linux-headers: 3.12 (virtual/os-headers) sys-libs/glibc: 2.17 Repositories: gentoo hardened-dev x11 ACCEPT_KEYWORDS="amd64 ~amd64" ACCEPT_LICENSE="* -@EULA" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-O2 -pipe -fomit-frame-pointer -march=native -mtune=native -mcx16 -msahf -maes -mpclmul -mpopcnt -mabm -mlwp -mavx -floop-interchange -floop-strip-mine -floop-block" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/lib/hsqldb" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c" CXXFLAGS="-O2 -pipe -fomit-frame-pointer -march=native -mtune=native -mcx16 -msahf -maes -mpclmul -mpopcnt -mabm -mlwp -mavx -floop-interchange -floop-strip-mine -floop-block" DISTDIR="/usr/portage/distfiles" FCFLAGS="-O2 -pipe" FEATURES="assume-digests binpkg-logs ccache config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync metadata-transfer news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr" FFLAGS="-O2 -pipe" GENTOO_MIRRORS="http://distfiles.gentoo.org" LANG="en_GB.UTF8" LDFLAGS="-Wl,-O1 -Wl,--as-needed" MAKEOPTS="-j9" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/var/lib/layman/hardened-development /var/lib/layman/x11" SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage" USE="3dnow 3dnowext X X509 a52 aac acl acpi alsa amd64 avahi avx bash-completion berkdb branding btrfs bzip2 cairo caps cdda cdparanoia cjk cli cracklib crypt curl curlwrappers cxx dbus dhclient djvu dri dvi encode exif fbcon ffmpeg flac fontconfig fontforge fuse g3dvl gbm gdbm geoip git glamor gnome gnome-keyring gstreamer gtk gtk3 gzip hardened iconv icu idn ieee1394 imagemagick infinality introspection iproute2 ipv6 jack java jpeg jpeg2k justify kvm ladspa lame latex libffi libvirt lm-sensors lvm lvm2 lzma lzo mad matroska midi mime mmx mod modplug modules mozilla mp3 mp4 mpeg mplayer mudflap multilib musepack nautilus ncurses networkmanager nls nptl nsplugin ogg openal openexr opengl opensc openvg orc pam pax_kernel pcre pcsc-lite pdf perl pkcs11 png policykit poppler posix pulseaudio python qt4 quicktime readline rtmp s3tc samba sdl security session sharedmem smartcard smp sndfile sockets spell spice sse sse2 sse3 ssl subversion svg syslog systemd tcpd theora threads tidy tiff timidity tls truetype ttf udev unicode urandom usb vaapi vde vdpau vorbis wavpack x264 xattr xcomposite xml xorg xv xvid xvmc zlib" ABI_X86="64 32" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CURL_SSL="nss" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="imon" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en el" LIRC_DEVICES="imon_pad" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_3" QEMU_SOFTMMU_TARGETS="i386 x86_64" QEMU_USER_TARGETS="i386 x86_64" RUBY_TARGETS="ruby19 ruby18" USERLAND="GNU" VIDEO_CARDS="radeon r600 vesa radeonsi" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Unfortunately I can't get the latest in the tree because our git repo is broken. I *can* put it in untested. @upstream was this a known issue for grsecurity-3.0-3.12.6-201401021726 If so, I'll close and wait till I can get a 3.12.7 up.
This isn't a bug -- your config changed, and the behavior you describe is exactly what would happen if both invert and tpe_restrict_all are enabled. If you do: cat /proc/sys/kernel/grsecurity/tpe_restrict_all I'm sure you'll see it's set to 1. If you don't want "trusted" users to be restricted in this way, disable tpe_restrict_all. -Brad
My config didn't change at all. I just upgraded my system with the same kernel config (make oldconfig). What you mention explains the second part (why I can still run executables from my home folder), it doesn't explain why / is being reported as an executable that's being ran from a world-writable directory.
The / path is a misnomer. What it probably was (and you can easily verify with strace) was some executable shared memory which uses a private filesystem in the kernel (thus no paths that make sense can be generated from it). TPE denies this executable shared memory as they are technically files and everyone is able to create them (minus TPE and PAX_MPROTECT). -Brad
I don't know of any internal kernel filesystem related to executing shared memory that everyone is able to create files, execute them etc. Can you please give me an example ? Since you mentioned strace what happens is that calls to shmat return -EACCESS. I don't see how attaching shared memory to the calling process counts as executing it. Have in mind it even happens on IPC_CREAT with IPC_PRIVATE, shmget returns fine and shmat fails. With tpe disabled: shmget(IPC_PRIVATE, 4096, IPC_CREAT|0600) = 6684681 shmat(6684681, 0, 0) = 0x366e4d88000 With tpe enabled: shmget(IPC_PRIVATE, 393216, IPC_CREAT|0600) = 6881287 shmat(6881287, 0, 0) = -1 EACCES (Permission denied) Since there is no path involved there I don't see how trusted path execution should be relevant. It seems mostly relevant to harden_ipc option but it still happens with harden_ipc disabled and even pax softmode enabled. It makes no sense at all !
Btw thank you both for the quick replies and the work you are putting on Grsecurity and hardened Gentoo. The community here is amazing...
(In reply to Nick Kossifidis from comment #7) > Btw thank you both for the quick replies and the work you are putting on > Grsecurity and hardened Gentoo. The community here is amazing... I don't know if this resolved the issue or not, bug I'm going to close this bug because it looks obsolete. If I'm wrong, feel free to reopen.
