Bug 524202 - app-emulation/virtualbox-4.3.16: some executables need PAX flag MPROTECT disabled
Summary: app-emulation/virtualbox-4.3.16: some executables need PAX flag MPROTECT disa...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Lars Wendler (Polynomial-C) (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-10-01 12:58 UTC by Miroslav Šulc
Modified: 2014-12-29 14:14 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Miroslav Šulc gentoo-dev 2014-10-01 12:58:58 UTC
When running VirtualBox on hardened Gentoo with grsec enabled, /usr/lib64/virtualbox/VBoxXPCOMIPCD is killed with the following:

grsec: denied RWX mprotect of /usr/lib64/virtualbox/VBoxRT.so by /usr/lib64/virtualbox/VBoxXPCOMIPCD[VBoxXPCOMIPCD:23097] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

Disabling MPROTECT on that executable makes VirtualBox start successfully.


Portage 2.2.14_rc1 (python 3.3.5-final-0, hardened/linux/amd64, gcc-4.8.3, glibc-2.19-r1, 3.16.3-hardened-r1 x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-3.16.3-hardened-r1-x86_64-Intel-R-_Core-TM-_i7-4700HQ_CPU_@_2.40GHz-with-gentoo-2.2
KiB Mem:     8129528 total,   3811836 free
KiB Swap:          0 total,         0 free
Timestamp of tree: Wed, 01 Oct 2014 12:00:01 +0000
ld GNU ld (Gentoo 2.24 p1.4) 2.24
app-shells/bash:          4.2_p50-r1
dev-java/java-config:     2.2.0
dev-lang/python:          2.7.8, 3.3.5-r1, 3.4.1
dev-util/cmake:           3.0.2
dev-util/pkgconfig:       0.28-r2
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.13.1 
sys-apps/sandbox:         2.6-r1 
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.10.3, 1.11.6, 1.14.1
sys-devel/binutils:       2.24-r3
sys-devel/gcc:            4.8.3  
sys-devel/gcc-config:     1.8
sys-devel/libtool:        2.4.2-r1
sys-devel/make:           4.0-r1 
sys-kernel/linux-headers: 3.16 (virtual/os-headers)
sys-libs/glibc:           2.19-r1
Repositories: gentoo proaudio fordfrog x-portage
ACCEPT_KEYWORDS="amd64 ~amd64"   
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe" 
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /usr/share/maven-bin-3.1/conf /var/bind /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles" 
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms sign strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo"
LANG="cs_CZ.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j9"
PKGDIR="/usr/portage/packages"   
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/src/proaudio.svn /usr/src/gentoo-fordfrog.git /usr/local/portage"
USE="X a52 aac acl acpi alsa amd64 apng berkdb bluetooth bluray branding bzip2 cairo caps cdda cdr cjk cli consolekit cracklib crypt cups cxx dbus dri dts dv dvd encode exif ffmpeg flac fluidsynth gdbm gif gimp gnome-keyring gphoto2 gpm gtk gtk3 hardened iconv icu id3tag iptc ipv6 jack jackmidi jpeg jpeg2k justify ladspa lash lcms libnotify lm_sensors lto mad matroska midi mikmod mjpeg mmx mmxext mng mod modplug modules mp3 mp4 mpeg mtp multilib ncurses networkmanager nls nptl ogg openexr opengl openmp orc pam pango pax_kernel pcre pdf png policykit pulseaudio qt3support qt4 quicktime raw readline scanner sdl session smp smpeg spell sse sse2 sse3 sse4 sse4_1 sse4_2 ssl ssse3 startup-notification svg tiff timidity truetype udev udisks unicode upower urandom usb vdpau vorbis wacom wxwidgets x264 xattr xcb xkb xml xmp xtpax xv xvid xvmc zlib" ABI_X86="32 64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_core authn_dbm authn_default authn_file authz_core authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp rewrite setenvif socache_shmcb speling status unique_id unixd userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="evdev keyboard mouse synaptics wacom" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="cs cs_CZ de de_DE en en_GB en_US es es_ES it it_IT ja ja_JP pl pl_PL pt pt_PT ru ru_RU sk sk_SK zh zh_CN zh_HK zh_TW" NETBEANS_MODULES="*" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_3" RUBY_TARGETS="ruby19 ruby20" SANE_BACKENDS="genesys" USERLAND="GNU" VIDEO_CARDS="fbdev glx intel modesetting nouveau vesa" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
USE_PYTHON="2.7 3.3"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, SYNC

=================================================================
                        Package Settings
=================================================================

app-emulation/virtualbox-4.3.16 was built with the following:
USE="additions alsa extensions java opengl pam pulseaudio qt4 sdk -doc -headless -python -vboxwebsrv -vnc" ABI_X86="64" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7"
Comment 1 Miroslav Šulc gentoo-dev 2014-10-01 15:07:41 UTC
Another executable that needs MPROTECT to be disabled is /usr/lib64/virtualbox/VBoxTestOGL:

grsec: denied RWX mprotect of /usr/lib64/virtualbox/VBoxRT.so by /usr/lib64/virtualbox/VBoxTestOGL[VBoxTestOGL:4334] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/lib64/virtualbox/VirtualBox[VirtualBox:4175] uid/euid:1000/1000 gid/egid:1000/1000
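The two grsec denials quoted in the description and in comment 1 share one format, so an administrator can extract from them exactly which binaries would need their PaX MPROTECT flag relaxed, instead of relaxing it system-wide. The script below is an added example, not part of this bug report or of the VirtualBox ebuild; it embeds the two log lines above as constructed input and assumes paxctl-ng is the tool used to inspect PaX flags on the host.

```shell
#!/bin/sh
# Added example (not from the bug report): parse grsec "denied RWX mprotect"
# messages and list which executable would need its PaX MPROTECT flag relaxed,
# together with the library whose RWX mapping triggered the denial. The two
# log lines below are the ones quoted in this bug, embedded as constructed input
# so the script runs offline; on a live hardened box feed it `dmesg` instead.

SAMPLE_LOG='grsec: denied RWX mprotect of /usr/lib64/virtualbox/VBoxRT.so by /usr/lib64/virtualbox/VBoxXPCOMIPCD[VBoxXPCOMIPCD:23097] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
grsec: denied RWX mprotect of /usr/lib64/virtualbox/VBoxRT.so by /usr/lib64/virtualbox/VBoxTestOGL[VBoxTestOGL:4334] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/lib64/virtualbox/VirtualBox[VirtualBox:4175] uid/euid:1000/1000 gid/egid:1000/1000
grsec: some unrelated message that must be ignored'

# mprotect_offenders LOG
# Prints one "EXECUTABLE LIBRARY" pair per unique executable. The message
# format is "denied RWX mprotect of <lib> by <exe>[<comm>:<pid>] ...", so the
# executable is everything after " by " up to the first "[". The leading ".*"
# tolerates a dmesg timestamp prefix in front of "grsec:".
mprotect_offenders() {
    printf '%s\n' "$1" \
        | sed -n 's/.*grsec: denied RWX mprotect of \([^ ]*\) by \([^[]*\)\[.*/\2 \1/p' \
        | sort -u
}

# pax_review_commands LOG
# For each offender, emit the read-only inspection command an admin runs before
# relaxing anything: paxctl-ng -v shows the current PaX flags of the binary
# (tool assumed; sys-apps/elfix on Gentoo). A later paxctl-ng -m, like the
# ebuild's pax-mark, acts per executable, so only the listed binaries lose
# MPROTECT, not the shared VBoxRT.so and not the rest of the system.
pax_review_commands() {
    mprotect_offenders "$1" | while read -r exe lib; do
        printf 'paxctl-ng -v %s   # RWX mapping requested on %s\n' "$exe" "$lib"
    done
}

mprotect_offenders "$SAMPLE_LOG"
pax_review_commands "$SAMPLE_LOG"
```

On a real host, replace `"$SAMPLE_LOG"` with `"$(dmesg)"` and compare the resulting list against what the package's ebuild pax-marks; any binary that still appears after the fix is a new case worth reporting.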
Comment 2 Jory A. Pratt gentoo-dev 2014-12-29 02:50:36 UTC
(In reply to Miroslav Šulc from comment #1)
> another executable that needs MPROTECT to be disabled is
> /usr/lib64/virtualbox/VBoxTestOGL:
> 
> grsec: denied RWX mprotect of /usr/lib64/virtualbox/VBoxRT.so by
> /usr/lib64/virtualbox/VBoxTestOGL[VBoxTestOGL:4334] uid/euid:1000/1000
> gid/egid:1000/1000, parent /usr/lib64/virtualbox/VirtualBox[VirtualBox:4175]
> uid/euid:1000/1000 gid/egid:1000/1000

VBoxXPCOMIPCD will also need MPROTECT disabled for hardened.
Comment 3 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-12-29 14:14:09 UTC
+*virtualbox-4.3.20-r1 (29 Dec 2014)
+
+  29 Dec 2014; Lars Wendler <polynomial-c@gentoo.org>
+  +virtualbox-4.3.20-r1.ebuild, metadata.xml:
+  Make installation of udev rules optional (bug #532930). pax-mark some more
+  files (bug #524202).
+
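Review bot: the ChangeLog entry says "pax-mark some more files (bug #524202)" without naming them; this bug identifies /usr/lib64/virtualbox/VBoxXPCOMIPCD and /usr/lib64/virtualbox/VBoxTestOGL as the binaries that trip the grsec RWX mprotect denial, so listing them in the entry (or in a comment beside the pax-mark call in virtualbox-4.3.20-r1.ebuild) would let hardened users confirm that MPROTECT is relaxed on exactly those two executables and nowhere else.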