Bug 559504

Summary:	app-backup/tsm needs pax-marking on hardened
Product:	Gentoo Linux	Reporter:	Andreas K. Hüttel <dilfridge>
Component:	Current packages	Assignee:	Martin von Gagern <Martin.vGagern>
Status:	RESOLVED FIXED
Severity:	normal	CC:	dilfridge, hardened, pacho
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---

Description Andreas K. Hüttel archtester

2015-09-03 10:46:43 UTC

(I will take care of this later)

[  221.048531] grsec: denied marking stack executable as requested by PT_GNU_STACK marking in /opt/ibm/gsk8_64/lib64/C/icc/osslib/libcryptoIBM082.so.1.0.1 by /opt/tivoli/tsm/client/ba/bin/dsmc[dsmc:2748] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[  221.056041] grsec: denied RWX mprotect of /lib64/ld-2.20.so by /opt/tivoli/tsm/client/ba/bin/dsmc[dsmc:2748] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[  221.061258] grsec: denied marking stack executable as requested by PT_GNU_STACK marking in /opt/ibm/gsk8_64/lib64/N/icc/osslib/libcryptoIBM083.so.1.0.1 by /opt/tivoli/tsm/client/ba/bin/dsmc[dsmc:2748] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[  221.064284] grsec: denied RWX mprotect of /lib64/ld-2.20.so by /opt/tivoli/tsm/client/ba/bin/dsmc[dsmc:2748] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/

(The error message in dsmsched.log is confusing, "connection to server lost")

Fix:

grenadine log # paxctl -C /opt/tivoli/tsm/client/ba/bin/dsmc
file /opt/tivoli/tsm/client/ba/bin/dsmc got a new PT_PAX_FLAGS program header
grenadine log # paxctl -p -m /opt/tivoli/tsm/client/ba/bin/dsmc
grenadine log #

Comment 1 Magnus Granberg gentoo-dev

2015-10-27 19:26:35 UTC

https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart

Comment 2 Andreas K. Hüttel archtester

2016-03-11 15:14:33 UTC

Fixed in tsm-7.1.3.1-r1