Bug 614388 - pax marking are not set properly by emerge
Summary: pax marking are not set properly by emerge
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: Normal major
Assignee: The Gentoo Linux Hardened Team
Reported: 2017-04-01 03:56 UTC by Gabriel Caudrelier
Modified: 2018-12-01 20:40 UTC
Attachments
polkit emerge logs (polkit_emerge.log,124.98 KB, text/x-log)
2017-04-01 03:58 UTC, Gabriel Caudrelier
Description Gabriel Caudrelier 2017-04-01 03:56:36 UTC
I have been trying to install a fresh hardened system, but I have run into pax marking issues.

The stage3 archive has the correct markings on the relevant binaries; however, as soon as I reinstall those packages, the pax markings are not set anymore.

Two very visible examples:

Python (3.4.5) and polkit.
/usr/lib/polkit-1/polkitd:
	PT_PAX    : not found
	XATTR_PAX : not found

/usr/bin/python3.4m:
	PT_PAX    : not found
	XATTR_PAX : not found

polkit crashes if the pax markings are absent, and this also prevents systemd from working properly.

Python is not really an issue, but the constant error message is annoying at least.

[ 7177.012350] grsec: denied RWX mmap of <anonymous mapping> by /usr/lib64/python-exec/python3.4/emerge[emerge:18122] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:2272] uid/euid:0/0 gid/egid:0/0

Looking at the emerge logs from polkit (attached), the pax markings should have been set.
Comment 1 Gabriel Caudrelier 2017-04-01 03:57:33 UTC
Portage 2.3.3 (python 3.4.5-final-0, hardened/linux/amd64, gcc-4.9.4, glibc-2.23-r3, 4.8.17-hardened-r2-q x86_64)
=================================================================
System uname: Linux-4.8.17-hardened-r2-q-x86_64-Intel-R-_Core-TM-_i7-4800MQ_CPU_@_2.70GHz-with-gentoo-2.3
KiB Mem:    16331104 total,  15660368 free
KiB Swap:          0 total,         0 free
Timestamp of repository gentoo: Fri, 31 Mar 2017 20:30:01 +0000
sh bash 4.3_p48-r2
ld GNU ld (Gentoo 2.26.1 p1.0) 2.26.1
app-shells/bash:          4.3_p48-r2::local
dev-lang/perl:            5.22.3_rc4::gentoo
dev-lang/python:          2.7.12::gentoo, 3.4.5::gentoo
dev-util/cmake:           3.7.2::gentoo
dev-util/pkgconfig:       0.28-r2::gentoo
sys-apps/baselayout:      2.3::gentoo
sys-apps/openrc:          0.23.2::gentoo
sys-apps/sandbox:         2.10-r3::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69::gentoo
sys-devel/automake:       1.14.1::gentoo, 1.15::gentoo
sys-devel/binutils:       2.26.1::gentoo
sys-devel/gcc:            4.9.4::gentoo
sys-devel/gcc-config:     1.7.3::gentoo
sys-devel/libtool:        2.4.6-r3::gentoo
sys-devel/make:           4.2.1::gentoo
sys-kernel/linux-headers: 4.4::gentoo (virtual/os-headers)
sys-libs/glibc:           2.23-r3::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000

local
    location: /usr/local/portage
    masters: gentoo

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=native"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=native"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync webrsync-gpg xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://gentoo.osuosl.org"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j8"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X acl alsa amd64 bash-completion berkdb bzip2 cli cracklib crypt cryptsetup cups cxx dbus device-mapper dri dvb dvd ffmpeg gdbm gif glamor hardened iconv icu ipv6 jpeg jpeg2k justify kde lua lzma modules mp3 mtp multilib mysql ncurses networkmanager nls nptl openmp pam pax_kernel pcre pie png policykit pulseaudio python qt3support qt4 readline seccomp session ssl ssp systemd tcpd threads tiff udev unicode urandom v4l vim-syntax wayland xattr xtpax zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" APACHE2_MPMS="worker" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx avx2 fma3 mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="efi-64 pc" INPUT_DEVICES="evdev mouse keyboard synaptics roccat_koneplus" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-minimizer nlpsolver scripting-javascript" LINGUAS="en gb fr" LLVM_TARGETS="AMDGPU BPF NVPTX X86 ARM Mips" 
OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6" PYTHON_SINGLE_TARGET="python3_4" PYTHON_TARGETS="python2_7 python3_4" RUBY_TARGETS="ruby21 ruby22" USERLAND="GNU" VIDEO_CARDS="intel radeon amdgpu radeonsi" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
USE_PYTHON="2.7 3.4"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 2 Gabriel Caudrelier 2017-04-01 03:58:07 UTC
Created attachment 468828 [details]
polkit emerge logs
Comment 3 Gabriel Caudrelier 2017-04-01 04:04:43 UTC
Just checked in /var/tmp/portage/sys-auth/polkit-0.113/image, and there are no pax markings on the binaries there either.
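As an added check (not part of the bug report or of Gentoo's own tooling), the following Python reproduces the PT_PAX / XATTR_PAX lookup quoted in the description so the image/ directory can be audited before merge; it assumes the standard PT_PAX_FLAGS program header type, the user.pax.flags attribute name, and little-endian ELF64 binaries only.

```python
import os
import struct

PT_PAX_FLAGS = 0x65041580      # PaX program header type (PT_LOOS + 0x5041580)
XATTR_PAX = "user.pax.flags"   # extended attribute carrying XATTR_PAX markings
# p_flags bits of PT_PAX_FLAGS as paxctl-style letters: upper = on, lower = off
_PAX_BITS = [(1 << 4, "P"), (1 << 5, "p"), (1 << 6, "S"), (1 << 7, "s"),
             (1 << 8, "M"), (1 << 9, "m"), (1 << 12, "E"), (1 << 13, "e"),
             (1 << 14, "R"), (1 << 15, "r")]

def pt_pax_flags(data):
    """Decode the PT_PAX_FLAGS marking of a little-endian ELF64 image (the
    amd64 case from the bug); None if the header is absent or not such an ELF."""
    if data[:6] != b"\x7fELF\x02\x01":          # magic, ELFCLASS64, ELFDATA2LSB
        return None
    phoff = struct.unpack_from("<Q", data, 32)[0]            # e_phoff
    phentsize, phnum = struct.unpack_from("<HH", data, 54)   # e_phentsize, e_phnum
    for i in range(phnum):
        p_type, p_flags = struct.unpack_from("<II", data, phoff + i * phentsize)
        if p_type == PT_PAX_FLAGS:
            return "".join(ch for bit, ch in _PAX_BITS if p_flags & bit) or "-"
    return None

def xattr_pax_flags(path):
    """Read the XATTR_PAX marking; None when the attribute is missing or the
    filesystem/kernel does not provide it (ENODATA, ENOTSUP, non-Linux)."""
    try:
        return os.getxattr(path, XATTR_PAX).decode()
    except (OSError, AttributeError):
        return None

def report(path):
    """Summary in the paxctl-ng style quoted in the bug description."""
    with open(path, "rb") as f:
        pt = pt_pax_flags(f.read())
    return {"PT_PAX": pt or "not found",
            "XATTR_PAX": xattr_pax_flags(path) or "not found"}

def constructed_elf64(pax_flags=None):
    """Constructed test input: a bare ELF64 header plus one PT_PAX_FLAGS
    program header carrying pax_flags when given (not a loadable binary)."""
    phnum = 0 if pax_flags is None else 1
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # e_ident: 64-bit LE
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64 * phnum, 0, 0,
                        64, 56, phnum, 64, 0, 0)
    if phnum:
        ehdr += struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, pax_flags, 0, 0, 0, 0, 0, 0)
    return ehdr
```

Running report() over every ELF file under image/ lists binaries where both markings read "not found", which is exactly the state the reporter observed.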
Comment 4 Gabriel Caudrelier 2017-04-27 00:47:32 UTC
Looks like no one is there anymore, but as I found the answer here it is:

My /var/tmp/portage is on tmpfs, which apparently does not support pax markings.
Unmounting it and re-emerging works fine.

As a side note, it would be good to have the pax markings set after the install to avoid that.
Comment 5 Magnus Granberg gentoo-dev 2017-04-29 19:06:27 UTC
Check that you have CONFIG_TMPFS_XATTR set in the kernel
Comment 6 Gabriel Caudrelier 2017-04-30 15:36:28 UTC
So my previous comment #4 was incorrect: this did not solve the problem at all, and yes, my kernel configuration has CONFIG_TMPFS_XATTR set to "y".

After a little digging I found out what the actual issue was ... I verified this time.

I have two servers with hardened installed, on one the pax markings are set fine, on the other one they are never set.

The problem occurs during the install phase in image/

On the first server the installation command is:

/usr/lib/portage/python3.4/ebuild-helpers/xattr/install -c python /var/tmp/portage/dev-lang/python-3.4.5/image//usr/bin/python3.4m;

whereas on the second one it is:

/usr/bin/install -c python /var/tmp/portage/dev-lang/python-3.4.5/image//usr/bin/python3.4m;

The use of /usr/bin/install discards the xattr markings.

Unfortunately I am not versed enough in the ebuild system to go any further yet; maybe someone has a quick fix?
Comment 7 Gabriel Caudrelier 2017-04-30 15:48:30 UTC
All right, so the python environment seems to be causing this:

first server:

/usr/lib/python3.4/config-3.4m/Makefile
57:INSTALL=     /usr/lib/portage/python3.4/ebuild-helpers/xattr/install -c

/usr/lib/python3.4/_sysconfigdata.py
471: 'INSTALL': '/usr/lib/portage/python3.4/ebuild-helpers/xattr/install -c',
472: 'INSTALL_DATA': '/usr/lib/portage/python3.4/ebuild-helpers/xattr/install -c '
474: 'INSTALL_PROGRAM': '/usr/lib/portage/python3.4/ebuild-helpers/xattr/install '
476: 'INSTALL_SCRIPT': '/usr/lib/portage/python3.4/ebuild-helpers/xattr/install '
478: 'INSTALL_SHARED': '/usr/lib/portage/python3.4/ebuild-helpers/xattr/install '

second server:

/usr/lib/python3.4/config-3.4m/Makefile
57:INSTALL=     /usr/bin/install -c

/usr/lib/python3.4/_sysconfigdata.py
471: 'INSTALL': '/usr/bin/install -c',
472: 'INSTALL_DATA': '/usr/bin/install -c -m644'
474: 'INSTALL_PROGRAM': '/usr/bin/install -c'
476: 'INSTALL_SCRIPT': '/usr/bin/install -c'
478: 'INSTALL_SHARED': '/usr/bin/install -c -m555'
Comment 8 Gabriel Caudrelier 2017-04-30 22:33:32 UTC
Not the Python env, but the "configure" pass on all those packages:

"
checking for a BSD-compatible install... install-xattr: setxattr() failed: Operation not permitted
"

which then defaults to /usr/bin/install

I have tried to disable grsec in the kernel, but still the same behavior.
Comment 9 Gabriel Caudrelier 2017-04-30 23:20:11 UTC
setxattr needs CAP_SYS_ADMIN to be able to set extended attributes properly (see man xattr).

But the emerge process seems to be dropping all capabilities: 
I checked that the install-xattr process user ("portage" during emerge) does not have any capabilities at all.

Not sure how to fix that.
Comment 10 Gabriel Caudrelier 2017-05-01 00:23:49 UTC
Just switched from "Simplified Mandatory Access Control" to "Unix Discretionary Access Control" in the Kernel security settings.
The issue disappeared, and the pax markings are now correctly applied.
Comment 11 Gabriel Caudrelier 2017-05-29 16:20:21 UTC
It would be nice to have some dev/maintainer comments for this bug.

To summarize, filesystem pax markings are not set if the kernel is configured to use the SMAC (Simplified Mandatory Access Control) as default security module instead of UDAC (Unix Discretionary Access Controls).

I feel this is a rather important bug as it prevents systemd (at least) from working properly on hardened.

I am also not sure why UDAC authorizes this in the first place ...
Comment 12 Gabriel Caudrelier 2018-12-01 20:40:17 UTC
Given that the grsec path is not really available anymore, closing this bug.