Bug 559436

Summary:	polkitd segmentation fault with grsecurity
Product:	Gentoo Linux	Reporter:	abandoned account disabled email <zazdxscf+bugs.gentoo.org>
Component:	Hardened	Assignee:	The Gentoo Linux Hardened Team <hardened>
Status:	RESOLVED INVALID
Severity:	normal	CC:	zazdxscf+bugs.gentoo.org
Priority:	Normal
Version:	unspecified
Hardware:	AMD64
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---

Description abandoned account disabled email 2015-09-02 18:14:31 UTC

Mistakenly posted here first: https://bugs.gentoo.org/show_bug.cgi?id=472098#c31
Sorry for the hijacking(there).

I'm using openrc-0.17(not systemd) on hardened gentoo and grsec might be the one causing polkitd to segfault.

Tried to start it manually here:

# /usr/lib/polkit-1/polkitd
Successfully changed to user polkitd
Killed

dmesg says:
[ 1864.475910] grsec: From 10.0.2.2: chdir to /var/lib/polkit-1 by /usr/lib64/polkit-1/polkitd[polkitd:16619] uid/euid:102/102 gid/egid:245/245, parent /bin/bash[bash:16548] uid/euid:0/0 gid/egid:0/0
[ 1864.539922] grsec: From 10.0.2.2: denied RWX mmap of <anonymous mapping> by /usr/lib64/polkit-1/polkitd[polkitd:16619] uid/euid:102/102 gid/egid:245/245, parent /bin/bash[bash:16548] uid/euid:0/0 gid/egid:0/0
[ 1864.541373] polkitd[16619]: segfault at 10 ip 0000036e56cd7ce7 sp 000003ca9ced1cb0 error 4 in libpthread-2.21.so[36e56cce000+18000]
[ 1864.541428] grsec: From 10.0.2.2: Segmentation fault occurred at 0000000000000010 in /usr/lib64/polkit-1/polkitd[polkitd:16619] uid/euid:102/102 gid/egid:245/245, parent /bin/bash[bash:16548] uid/euid:0/0 gid/egid:0/0
[ 1864.541580] grsec: From 10.0.2.2: bruteforce prevention initiated due to crash of /usr/lib64/polkit-1/polkitd against uid 102, banning suid/sgid execs for 15 minutes.  Please investigate the crash report for /usr/lib64/polkit-1/polkitd[polkitd:16619] uid/euid:102/102 gid/egid:245/245, parent /bin/bash[bash:16548] uid/euid:0/0 gid/egid:0/0
...
# gdb /lib64/libpthread-2.21.so
...
(gdb) info symbol 0x0000036e56cd7ce7-0x36e56cce000
pthread_mutex_lock + 23 in section .text
(gdb) list *pthread_mutex_lock+23
0x9ce7 is in __GI___pthread_mutex_lock (../nptl/pthread_mutex_lock.c:67).
62	__pthread_mutex_lock (mutex)
63	     pthread_mutex_t *mutex;
64	{
65	  assert (sizeof (mutex->__size) >= sizeof (mutex->__data));
66	
67	  unsigned int type = PTHREAD_MUTEX_TYPE_ELISION (mutex);
68	
69	  LIBC_PROBE (mutex_entry, 1, mutex);
70	
71	  if (__builtin_expect (type & ~(PTHREAD_MUTEX_KIND_MASK_NP
...

Any ideas? I wonder how I could get it to dump a 'core' file (having 
*               soft    core            unlimited
 in /etc/security/limits.conf is not doing it(nor # ulimit -c unlimited ) - but works fine for firefox for example) Does anyone know?

# emerge --info sys-auth/polkit
Portage 2.2.20.1 (python 3.4.3-final-0, hardened/linux/amd64/no-multilib, gcc-5.2.0, glibc-2.21-r1, 4.1.6-hardened-r1-g45b4b78 x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-4.1.6-hardened-r1-g45b4b78-x86_64-AMD_A6-3400M_APU_with_Radeon-tm-_HD_Graphics-with-gentoo-2.2
KiB Mem:    10809864 total,   9085548 free
KiB Swap:          0 total,         0 free
Timestamp of repository gentoo: Tue, 01 Sep 2015 00:45:02 +0000
sh bash 4.3_p42
ld GNU ld (Gentoo 2.25.1 p1.1) 2.25.1
ccache version 3.2.3 [enabled]
app-shells/bash:          4.3_p42::gentoo
dev-lang/perl:            5.22.0::gentoo
dev-lang/python:          2.7.10::gentoo, 3.4.3::gentoo
dev-util/ccache:          3.2.3::gentoo
dev-util/cmake:           3.3.1-r1::gentoo
dev-util/pkgconfig:       0.28-r3::gentoo
sys-apps/baselayout:      2.2::gentoo
sys-apps/openrc:          0.17::gentoo
sys-apps/sandbox:         2.6-r1::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69-r1::gentoo
sys-devel/automake:       1.13.4::gentoo, 1.14.1::gentoo, 1.15::gentoo
sys-devel/binutils:       2.25.1-r1::gentoo
sys-devel/gcc:            4.8.5::gentoo, 5.2.0::gentoo
sys-devel/gcc-config:     1.8::gentoo
sys-devel/libtool:        2.4.6-r1::gentoo
sys-devel/make:           4.1-r1::gentoo
sys-kernel/linux-headers: 4.1::gentoo (virtual/os-headers)
sys-libs/glibc:           2.21-r1::gentoo
Repositories:

gentoo
    location: /usr/portage
    priority: -1000

ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="@FREE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=native -ggdb -fvar-tracking-assignments -fno-omit-frame-pointer -ftrack-macro-expansion=2 -fstack-protector-all -fPIC"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=native -ggdb -fvar-tracking-assignments -fno-omit-frame-pointer -ftrack-macro-expansion=2 -fstack-protector-all -fPIC"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs ccache cgroup collision-protect config-protect-if-modified distlocks downgrade-backup ebuild-locks fakeroot fixlafiles force-mirror installsources ipc-sandbox merge-sync multilib-strict network-sandbox news nostrip parallel-fetch parallel-install prelink-checksums preserve-libs sandbox sfperms split-elog split-log strict unknown-features-warn unmerge-backup unmerge-logs userfetch userpriv usersandbox webrsync-gpg"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://ftp.romnet.org/gentoo/ http://tux.rainside.sk/gentoo/ http://de-mirror.org/gentoo/ http://gd.tuwien.ac.at/opsys/linux/gentoo/ http://www.las.ic.unicamp.br/pub/gentoo/"
INSTALL_MASK="/lib/systemd /lib32/systemd /lib64/systemd /usr/lib/systemd /usr/lib32/systemd /usr/lib64/systemd /etc/systemd"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
USE="3dnow 3dnowext X acl amd64 berkdb bindist btrfs bzip2 cli consolekit cracklib crypt cryptsetup cscope cxx dbus device-mapper dri egl extensions gdbm git gpg gpm gtk3 hardened iconv jpeg justify lock mmx mmxext modules mosh-hardening ncurses nptl openmp pam pax_kernel pcre pie policykit pulseaudio qt4 readline seccomp session sse sse2 sse3 ssl ssp startup-notification strong-security system-icu system-jpeg system-libvpx system-sqlite urandom xattr xcomposite xtpax zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="3dnow 3dnowext mmx mmxext sse sse2 sse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="pc" INPUT_DEVICES="keyboard virtualbox evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_4" RUBY_TARGETS="ruby19 ruby20" USERLAND="GNU" VIDEO_CARDS="virtualbox" XFCE_PLUGINS="brightness clock trash battery power" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
USE_PYTHON="2.7"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

=================================================================
                        Package Settings
=================================================================

sys-auth/polkit-0.113::gentoo was built with the following:
USE="introspection pam -examples -gtk -jit -kde -nls (-selinux) -systemd -test"
CFLAGS="-O2 -pipe -march=native -ggdb -fvar-tracking-assignments -fno-omit-frame-pointer -ftrack-macro-expansion=2 -fstack-protector-all"
CXXFLAGS="-O2 -pipe -march=native -ggdb -fvar-tracking-assignments -fno-omit-frame-pointer -ftrack-macro-expansion=2 -fstack-protector-all"


Without polkitd running, there's a delay(1-2min) when the Logout dialog or menu(depending on where you click) shows up, and shutdown/restart are not available.

Comment 1 abandoned account disabled email 2015-09-03 04:57:24 UTC

My bad, the above is true only when this kernel config is unset:
[ ] Use ELF program header marking
aka CONFIG_PAX_PT_PAX_FLAGS

which meant that all these existing pax flags were ignored:
# paxctl -v /usr/lib64/polkit-1/polkitd
PaX control v0.9
Copyright 2004,2005,2006,2007,2009,2010,2011,2012,2014 PaX Team <pageexec@freemail.hu>

- PaX flags: -----m-x-e-r [/usr/lib64/polkit-1/polkitd]
	MPROTECT is disabled
	RANDEXEC is disabled
	EMUTRAMP is disabled
	RANDMMAP is disabled


But this doesn't solve the delay problem, which means that there's something else(unrelated) that I didn't do right.

Comment 2 abandoned account disabled email 2015-09-03 05:00:58 UTC

For completeness, this is the same thing as reported above with paxctl, but with paxctl-ng, which actually led me to the realization due to the "PT_PAX" string :

# paxctl-ng -v /usr/lib64/polkit-1/polkitd
/usr/lib64/polkit-1/polkitd:
	PT_PAX    : -emr-
	XATTR_PAX : not found

Comment 3 abandoned account disabled email 2015-09-03 05:50:04 UTC

Everything works now after recompiling kernel with CONFIG_PAX_PT_PAX_FLAGS set - solved the delay problem too.
(I think, it didn't previously work because I only disabled mmprotect for polkitd, via XATTR_PAX)