
Bug 428682

Summary: System.map has an incorrect kernel version reported when grsec enabled
Product: Gentoo Linux
Reporter: linuxwarz
Component: Hardened
Assignee: The Gentoo Linux Hardened Team <hardened>
Status: UNCONFIRMED ---    
Severity: normal    
Priority: Normal    
Version: autobuilds   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: grsec kernel configuration

Description linuxwarz 2012-07-30 17:29:04 UTC
Created attachment 319748
grsec kernel configuration

I haven't set up a hardened install for roughly a year, but here's what happens when I make a new one using the same steps I normally use:

1) Boot x64 minimal live cd
2) Grab latest (aka current folder) hardened stage3
3) Profile set to hardened (non-selinux)
4) Grsec enabled in kernel (High w/ process hiding)
5) Finish install and reboot

test linux # ps -l
Warning: /usr/src/linux/System.map has an incorrect kernel version.
F S UID PID PPID C PRI NI ADDR SZ WCHAN TTY TIME CMD
4 S 0 1921 1918 0 80 0 - 3948 - pts/1 00:00:00 bash
0 R 0 20080 1921 0 80 0 - 3729 - pts/1 00:00:00 ps

Regular users can also see all processes when they shouldn't.

Linux soulreaper 3.4.2-hardened-r1 #1 SMP Mon Jul 30 12:00:17 CDT 2012 x86_64 Intel(R) Xeon(R) CPU E5620 @ 2.40GHz GenuineIntel GNU/Linux

Troubleshooting steps that have failed:

1) Rebuild package containing ps command
2) Test install of an x86 Gentoo hardened w/ same settings
3) Copied system.map to /boot
4) Built multiple old version 3 kernels with same or similar settings
5) Tried older stage3 build stage3-amd64-hardened-20120517

Disabling grsec itself but keeping all of my existing kernel settings intact seems to stop the issue, but obviously users can still see all processes.

Next troubleshooting steps:

Downloaded kernel from kernel.org, applied grsec patch:

test home # ps -l
Warning: /usr/src/linux/System.map has an incorrect kernel version.
F S UID PID PPID C PRI NI ADDR SZ WCHAN TTY TIME CMD
4 S 0 1766 1762 0 80 0 - 11900 - pts/0 00:00:00 su
0 S 0 1767 1766 0 80 0 - 8275 - pts/0 00:00:00 bash
4 R 0 1771 1767 0 80 0 - 1883 - pts/0 00:00:00 ps

test home # uname -a
Linux test 3.4.6-grsec #1 SMP Sun Jul 29 17:23:48 CDT 2012 i686 Intel(R) Xeon(R) CPU E5620 @ 2.40GHz GenuineIntel GNU/Linux

test home # exit
user@test ~ $ ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
user 1761 0.0 0.0 41284 1492 ? S 17:31 0:00 sshd: user@pts/0
user 1762 0.0 0.0 48100 1848 pts/0 Ss 17:31 0:00 -bash
user 1773 0.0 0.0 37544 996 pts/0 R+ 17:33 0:00 ps aux 

User is forbidden from seeing others' processes, as intended. Warning still appears in 'ps -l'.

Comment 1 linuxwarz 2012-08-03 15:29:25 UTC
I have been able to confirm the issue on more hardware and this doesn't seem to be an issue with certain hardware.

1) VMware ESXi 4.1 VM (x86/64 tested)
2) Zotac ZBOX-ID41-U Intel Atom D525 (x64 tested)