Virtualbox & kernel 2.6.37-grsec - is possible?

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Virtualbox & kernel 2.6.37-grsec - is possible?

Postby jacekalex » Tue Mar 01, 2011 10:36 am

Hello everyone.

I have a Gentoo Hardened system:
Linux kernel 2.6.37
gcc version 4.5.1 (Gentoo Hardened 4.5.1-r1 p1.4, pie-0.4.5)
The whole system works smoothly, without too much trouble, except for VirtualBox.
I tried kernels 2.6.36 and 2.6.37, and all
VirtualBox versions - 3.2.* and 4.0.*

The virtual machine starts (for example Android3, Ubuntu Natty, and others):
Code:
VBoxManage startvm Droid3
Oracle VM VirtualBox Command Line Management Interface Version 3.2.12
(C) 2005-2010 Oracle Corporation
All rights reserved.

Waiting for the VM to power on...
VM has been successfully started.

but in reality the VM has crashed:

Code:
2011-03-01T15:29:52.125435+01:00 localhost -bash: HISTORY: PID=10625 UID=1001 VBoxManage startvm Droid3
2011-03-01T15:29:52.194338+01:00 localhost kernel: [  970.415378] grsec: denied resource overstep by requesting 31 for RLIMIT_NICE against limit 30 for /opt/VirtualBox/VBoxManage[VBoxManage:10653] uid/euid:1001/1001 gid/egid:1001/1001, parent /bin/bash[bash:10625] uid/euid:1001/1001 gid/egid:1001/1001
2011-03-01T15:29:52.196329+01:00 localhost kernel: [  970.417251] grsec: denied kernel module auto-load of net-pf-10 by /opt/VirtualBox/VBoxManage[VBoxManage:10641] uid/euid:1001/1001 gid/egid:1001/1001, parent /bin/bash[bash:10625] uid/euid:1001/1001 gid/egid:1001/1001
2011-03-01T15:29:52.209357+01:00 localhost kernel: [  970.430254] grsec: denied resource overstep by requesting 31 for RLIMIT_NICE against limit 30 for /opt/VirtualBox/VBoxXPCOMIPCD[VBoxXPCOMIPCD:10657] uid/euid:1001/1001 gid/egid:1001/1001, parent /opt/VirtualBox/VBoxManage[VBoxManage:10655] uid/euid:1001/1001 gid/egid:1001/1001
2011-03-01T15:29:52.209376+01:00 localhost kernel: [  970.430575] grsec: denied kernel module auto-load of net-pf-10 by /opt/VirtualBox/VBoxXPCOMIPCD[VBoxXPCOMIPCD:10656] uid/euid:1001/1001 gid/egid:1001/1001, parent /opt/VirtualBox/VBoxManage[VBoxManage:10655] uid/euid:1001/1001 gid/egid:1001/1001
2011-03-01T15:29:52.229338+01:00 localhost kernel: [  970.450255] grsec: denied resource overstep by requesting 31 for RLIMIT_NICE against limit 30 for /opt/VirtualBox/VBoxSVC[VBoxSVC:10662] uid/euid:1001/1001 gid/egid:1001/1001, parent /opt/VirtualBox/VBoxManage[VBoxManage:10641] uid/euid:1001/1001 gid/egid:1001/1001
2011-03-01T15:29:52.242351+01:00 localhost kernel: [  970.463265] grsec: denied resource overstep by requesting 31 for RLIMIT_NICE against limit 30 for /opt/VirtualBox/VBoxSVC[VBoxSVC:10666] uid/euid:1001/1001 gid/egid:1001/1001, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
2011-03-01T15:29:52.242374+01:00 localhost kernel: [  970.463737] grsec: denied kernel module auto-load of net-pf-10 by /opt/VirtualBox/VBoxSVC[VBoxSVC:10665] uid/euid:1001/1001 gid/egid:1001/1001, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
2011-03-01T15:29:52.424341+01:00 localhost kernel: [  970.645266] grsec: denied resource overstep by requesting 31 for RLIMIT_NICE against limit 30 for /opt/VirtualBox/VBoxTestOGL[VBoxTestOGL:10674] uid/euid:1001/1001 gid/egid:1001/1001, parent /opt/VirtualBox/VBoxSVC[VBoxSVC:10669] uid/euid:1001/1001 gid/egid:1001/1001
2011-03-01T15:29:52.583344+01:00 localhost kernel: [  970.804265] grsec: denied resource overstep by requesting 31 for RLIMIT_NICE against limit 30 for /opt/VirtualBox/VirtualBox[VirtualBox:10679] uid/euid:1001/1001 gid/egid:1001/1001, parent /opt/VirtualBox/VBoxSVC[VBoxSVC:10669] uid/euid:1001/1001 gid/egid:1001/1001
2011-03-01T15:29:52.759333+01:00 localhost kernel: [  970.980512] grsec: denied kernel module auto-load of net-pf-10 by /opt/VirtualBox/VirtualBox[VirtualBox:10678] uid/euid:1001/1001 gid/egid:1001/1001, parent /opt/VirtualBox/VBoxSVC[VBoxSVC:10669] uid/euid:1001/1001 gid/egid:1001/1001
2011-03-01T15:29:53.061342+01:00 localhost kernel: [  971.282322] grsec: denied resource overstep by requesting 31 for RLIMIT_NICE against limit 30 for /opt/VirtualBox/VBoxNetDHCP[VBoxNetDHCP:10692] uid/euid:1001/1001 gid/egid:1001/1001, parent /opt/VirtualBox/VBoxSVC[VBoxSVC:10683] uid/euid:1001/1001 gid/egid:1001/1001
2011-03-01T15:29:53.084347+01:00 localhost kernel: [  971.305424] device vboxnet0 entered promiscuous mode
2011-03-01T15:30:16.361326+01:00 localhost kernel: [  994.582076] device vboxnet0 left promiscuous mode

Virtualbox error log:
http://pastebin.com/uhsFvJS7
http://pastebin.com/pdG8PYxn

My current grsec / PaX config:
http://pastebin.com/U1kuxPUx
My whole kernel config - current:
http://pastebin.com/wYWF3RDH



My current kernel was built from tuxonice-sources-2.6.37 (Gentoo overlay), with these patches:
Autogroup: https://lkml.org/lkml/2010/11/30/121
Grsecurity: grsecurity-2.2.1-6.2.1937-201101172105.patch
Layer7, IMQ.

Therefore, the question is:
does running a VirtualBox virtual machine require some configuration changes,
or is it completely impossible?

Yours

My native language is Polish, sorry for bad English.

EDIT:
Sysctl config:
Code:
sysctl -a | egrep 'grsec|pax'
kernel.grsecurity.linking_restrictions = 1
kernel.grsecurity.fifo_restrictions = 1
kernel.grsecurity.execve_limiting = 1
kernel.grsecurity.ip_blackhole = 1
kernel.grsecurity.lastack_retries = 4
kernel.grsecurity.exec_logging = 0
kernel.grsecurity.signal_logging = 1
kernel.grsecurity.forkfail_logging = 1
kernel.grsecurity.timechange_logging = 1
kernel.grsecurity.chroot_deny_shmat = 1
kernel.grsecurity.chroot_deny_unix = 1
kernel.grsecurity.chroot_deny_mount = 1
kernel.grsecurity.chroot_deny_fchdir = 1
kernel.grsecurity.chroot_deny_chroot = 1
kernel.grsecurity.chroot_deny_pivot = 1
kernel.grsecurity.chroot_enforce_chdir = 1
kernel.grsecurity.chroot_deny_chmod = 1
kernel.grsecurity.chroot_deny_mknod = 1
kernel.grsecurity.chroot_restrict_nice = 1
kernel.grsecurity.chroot_execlog = 1
kernel.grsecurity.chroot_caps = 1
kernel.grsecurity.chroot_deny_sysctl = 1
kernel.grsecurity.tpe = 1
kernel.grsecurity.tpe_gid = 100
kernel.grsecurity.tpe_invert = 1
kernel.grsecurity.tpe_restrict_all = 0
kernel.grsecurity.socket_all = 1
kernel.grsecurity.socket_all_gid = 6100
kernel.grsecurity.socket_client = 1
kernel.grsecurity.socket_client_gid = 6200
kernel.grsecurity.socket_server = 1
kernel.grsecurity.socket_server_gid = 6300
kernel.grsecurity.audit_group = 1
kernel.grsecurity.audit_gid = 100
kernel.grsecurity.audit_chdir = 0
kernel.grsecurity.audit_mount = 0
kernel.grsecurity.dmesg = 1
kernel.grsecurity.chroot_findtask = 1
kernel.grsecurity.resource_logging = 1
kernel.grsecurity.audit_ptrace = 1
kernel.grsecurity.harden_ptrace = 1
kernel.grsecurity.grsec_lock = 0
kernel.grsecurity.romount_protect = 0
kernel.pax.softmode = 0
jacekalex
 
Posts: 39
Joined: Tue Jan 11, 2011 2:16 pm

Re: Virtualbox & kernel 2.6.37-grsec - is possible?

Postby specs » Tue Mar 01, 2011 4:58 pm

Several options are preventing VirtualBox from working:
Code:
grsec: denied resource overstep by requesting 31 for RLIMIT_NICE against limit 30 for /opt/VirtualBox/VBoxManage[VBoxManage:10653]

Use paxctl to change the settings so VBoxManage can work. I'd try "paxctl -cm /opt/VBoxManage" or better "paxctl -zm /opt/VBoxManage". Remember this is basically lowering your security level.
See for other options either the grsecurity wiki or the paxctl manpage.

Code:
grsec: denied kernel module auto-load of net-pf-10 by /opt/VirtualBox/VBoxManage[VBoxManage:10641]

Make sure you have the modules compiled for your current kernel. Load them before you start VirtualBox. Remember that you are loading 3rd party modules into your kernel with all consequences.
specs
 
Posts: 190
Joined: Sun Mar 26, 2006 7:00 am

Re: Virtualbox & kernel 2.6.37-grsec - is possible?

Postby jacekalex » Tue Mar 01, 2011 6:13 pm

Thanks

My lsmod:
Code:
Module                  Size  Used by
vboxnetflt             12297  0
vboxnetadp              5337  0
vboxdrv               127709  2 vboxnetflt,vboxnetadp
dazukofs               25502  1
ebtable_nat             1354  0
ebtables               12838  1 ebtable_nat
ipt_REDIRECT             917  1
ipt_set                  992  0
ipt_SET                 1112  0
ip_set                  9780  2 ipt_set,ipt_SET
xt_CHAOS                1628  0
xt_TARPIT               1624  2
xt_DELUDE               1376  2
xt_STEAL                 812  3
xt_lscan                1900  1
xt_geoip                2176  0
xt_SYSRQ                2552  1
compat_xtables          1752  6 ipt_SET,xt_CHAOS,xt_TARPIT,xt_DELUDE,xt_STEAL,xt_SYSRQ
nvidia               9227549  38
cx22702                 3653  1
cx88_dvb               17492  0
videobuf_dvb            3654  1 cx88_dvb
dvb_core               68821  2 cx88_dvb,videobuf_dvb
tuner_simple            9569  3
tuner_types             7709  1 tuner_simple
cx8802                  9980  1 cx88_dvb
tea5767                 4640  0
cx8800                 21443  1
cx88_alsa               6569  1
tda9887                 7045  2
tda8290                 8133  0
cx88xx                 61404  4 cx88_dvb,cx8802,cx8800,cx88_alsa
bttv                   90556  0
tuner                  14506  4
i2c_algo_bit            3609  2 cx88xx,bttv
v4l2_common             5334  4 cx8800,cx88xx,tuner,bttv
ir_common               3121  2 cx88xx,bttv
videodev               49283  6 cx8800,cx88xx,tuner,bttv,v4l2_common
ir_core                11744  3 cx88xx,bttv,ir_common
v4l1_compat            11048  1 videodev
videobuf_dma_sg         6701  6 cx88_dvb,cx8802,cx8800,cx88_alsa,cx88xx,bttv
tveeprom                9701  2 cx88xx,bttv
videobuf_core          11688  6 videobuf_dvb,cx8802,cx8800,cx88xx,bttv,videobuf_dma_sg
btcx_risc               2451  5 cx8802,cx8800,cx88_alsa,cx88xx,bttv
snd_bt87x               7387  0


Code:
egrep -v '#|^$' /etc/conf.d/modules
modules="${modules} nvidia dazukofs compat_xtables xt_SYSRQ xt_geoip xt_lscan xt_STEAL xt_DELUDE xt_TARPIT xt_CHAOS ipt_SET vboxdrv vboxnetflt vboxnetadp"


Code:
paxctl -v VBoxNetAdpCtl VBoxSDL VBoxNetDHCP VBoxHeadless VBoxManage
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>

- PaX flags: ---s-m-x-e-r [VBoxNetAdpCtl]
   SEGMEXEC is disabled
   MPROTECT is disabled
   RANDEXEC is disabled
   EMUTRAMP is disabled
   RANDMMAP is disabled
- PaX flags: ---s-m-x-e-r [VBoxSDL]
   SEGMEXEC is disabled
   MPROTECT is disabled
   RANDEXEC is disabled
   EMUTRAMP is disabled
   RANDMMAP is disabled
- PaX flags: ---s-m-x-e-r [VBoxNetDHCP]
   SEGMEXEC is disabled
   MPROTECT is disabled
   RANDEXEC is disabled
   EMUTRAMP is disabled
   RANDMMAP is disabled
- PaX flags: ---s-m-x-e-r [VBoxHeadless]
   SEGMEXEC is disabled
   MPROTECT is disabled
   RANDEXEC is disabled
   EMUTRAMP is disabled
   RANDMMAP is disabled
- PaX flags: ---s-m-x-e-r [VBoxManage]
   SEGMEXEC is disabled
   MPROTECT is disabled
   RANDEXEC is disabled
   EMUTRAMP is disabled
   RANDMMAP is disabled


Virtualbox error log:
Code:
00:00:13.195 ********************* End of statistics **********************
00:00:13.195 VMSetError: /home/vbox/tinderbox/3.2-lnx32-rel/src/VBox/VMM/MM.cpp(684) int MMR3AdjustFixedReservation(VM*, int32_t, const char*); rc=VERR_INTERNAL_ERROR_3
00:00:13.195 VMSetError: Failed to reserve physical memory (0x2404 -> 0x2400; VMMDev Heap)
00:00:13.197 VMSetError: /home/vbox/tinderbox/3.2-lnx32-rel/src/VBox/VMM/MM.cpp(684) int MMR3AdjustFixedReservation(VM*, int32_t, const char*); rc=VERR_INTERNAL_ERROR_3
00:00:13.197 VMSetError: Failed to reserve physical memory (0x2404 -> 0x2004; VMMDev)
00:00:13.217 VMSetError: /home/vbox/tinderbox/3.2-lnx32-rel/src/VBox/VMM/MM.cpp(684) int MMR3AdjustFixedReservation(VM*, int32_t, const char*); rc=VERR_INTERNAL_ERROR_3
00:00:13.217 VMSetError: Failed to reserve physical memory (0x2404 -> 0x404; VRam)
00:00:13.220 NAT: zone(nm:mbuf, used:0)
00:00:13.220 NAT: zone(nm:mbuf_cluster, used:0)
00:00:13.220 NAT: zone(nm:mbuf_packet, used:0)
00:00:13.220 NAT: zone(nm:mbuf_jumbo_pagesize, used:0)
00:00:13.220 NAT: zone(nm:mbuf_jumbo_9k, used:0)
00:00:13.220 NAT: zone(nm:mbuf_jumbo_16k, used:0)
00:00:13.222 VMMR3Term: R0 term failed, rc=VERR_INTERNAL_ERROR_3 (-227) - Internal error no. 3.. (warning)
00:00:13.227 Changing the VM state from 'DESTROYING' to 'TERMINATED'.


in /var/log/messages:
Code:
2011-03-01T23:26:11.184435+01:00 localhost -bash: HISTORY: PID=32583 UID=1001 VBoxManage startvm Droid3
2011-03-01T23:26:11.233338+01:00 localhost kernel: [29549.454809] grsec: denied resource overstep by requesting 31 for RLIMIT_NICE against limit 30 for /opt/VirtualBox/VBoxManage[VBoxManage:32619] uid/euid:1001/1001 gid/egid:1001/1001, parent /bin/bash[bash:32583] uid/euid:1001/1001 gid/egid:1001/1001
2011-03-01T23:26:11.234340+01:00 localhost kernel: [29549.455337] grsec: denied kernel module auto-load of net-pf-10 by /opt/VirtualBox/VBoxManage[VBoxManage:32607] uid/euid:1001/1001 gid/egid:1001/1001, parent /bin/bash[bash:32583] uid/euid:1001/1001 gid/egid:1001/1001
2011-03-01T23:26:11.247360+01:00 localhost kernel: [29549.468508] grsec: denied resource overstep by requesting 31 for RLIMIT_NICE against limit 30 for /opt/VirtualBox/VBoxXPCOMIPCD[VBoxXPCOMIPCD:32623] uid/euid:1001/1001 gid/egid:1001/1001, parent /opt/VirtualBox/VBoxManage[VBoxManage:32621] uid/euid:1001/1001 gid/egid:1001/1001
2011-03-01T23:26:11.247385+01:00 localhost kernel: [29549.468832] grsec: denied kernel module auto-load of net-pf-10 by /opt/VirtualBox/VBoxXPCOMIPCD[VBoxXPCOMIPCD:32622] uid/euid:1001/1001 gid/egid:1001/1001, parent /opt/VirtualBox/VBoxManage[VBoxManage:32621] uid/euid:1001/1001 gid/egid:1001/1001
2011-03-01T23:26:11.268338+01:00 localhost kernel: [29549.489064] grsec: denied resource overstep by requesting 31 for RLIMIT_NICE against limit 30 for /opt/VirtualBox/VBoxSVC[VBoxSVC:32628] uid/euid:1001/1001 gid/egid:1001/1001, parent /opt/VirtualBox/VBoxManage[VBoxManage:32607] uid/euid:1001/1001 gid/egid:1001/1001
2011-03-01T23:26:11.280333+01:00 localhost kernel: [29549.501711] grsec: denied resource overstep by requesting 31 for RLIMIT_NICE against limit 30 for /opt/VirtualBox/VBoxSVC[VBoxSVC:32632] uid/euid:1001/1001 gid/egid:1001/1001, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
2011-03-01T23:26:11.281333+01:00 localhost kernel: [29549.502415] grsec: denied kernel module auto-load of net-pf-10 by /opt/VirtualBox/VBoxSVC[VBoxSVC:32631] uid/euid:1001/1001 gid/egid:1001/1001, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
2011-03-01T23:26:11.463335+01:00 localhost kernel: [29549.684952] grsec: denied resource overstep by requesting 31 for RLIMIT_NICE against limit 30 for /opt/VirtualBox/VBoxTestOGL[VBoxTestOGL:32640] uid/euid:1001/1001 gid/egid:1001/1001, parent /opt/VirtualBox/VBoxSVC[VBoxSVC:32635] uid/euid:1001/1001 gid/egid:1001/1001
2011-03-01T23:26:11.627341+01:00 localhost kernel: [29549.848126] grsec: denied resource overstep by requesting 31 for RLIMIT_NICE against limit 30 for /opt/VirtualBox/VirtualBox[VirtualBox:32645] uid/euid:1001/1001 gid/egid:1001/1001, parent /opt/VirtualBox/VBoxSVC[VBoxSVC:32635] uid/euid:1001/1001 gid/egid:1001/1001
2011-03-01T23:26:11.807337+01:00 localhost kernel: [29550.028231] grsec: denied kernel module auto-load of net-pf-10 by /opt/VirtualBox/VirtualBox[VirtualBox:32644] uid/euid:1001/1001 gid/egid:1001/1001, parent /opt/VirtualBox/VBoxSVC[VBoxSVC:32635] uid/euid:1001/1001 gid/egid:1001/1001
2011-03-01T23:26:12.137335+01:00 localhost kernel: [29550.358902] grsec: denied resource overstep by requesting 31 for RLIMIT_NICE against limit 30 for /opt/VirtualBox/VBoxNetDHCP[VBoxNetDHCP:32658] uid/euid:1001/1001 gid/egid:1001/1001, parent /opt/VirtualBox/VBoxSVC[VBoxSVC:32650] uid/euid:1001/1001 gid/egid:1001/1001
2011-03-01T23:26:12.160327+01:00 localhost kernel: [29550.381513] device vboxnet0 entered promiscuous mode
2011-03-01T23:26:39.910320+01:00 localhost kernel: [29578.131049] device vboxnet0 left promiscuous mode
2011-03-01T23:26:55.376342+01:00 localhost kernel: [29593.597885] grsec: denied resource overstep by requesting 31 for RLIMIT_NICE against limit 30 for /opt/VirtualBox/VBoxManage[VBoxManage:32748] uid/euid:1001/1001 gid/egid:1001/1001, parent /bin/bash[bash:32583] uid/euid:1001/1001 gid/egid:1001/1001
2011-03-01T23:26:55.377391+01:00 localhost kernel: [29593.598535] grsec: denied kernel module auto-load of net-pf-10 by /opt/VirtualBox/VBoxManage[VBoxManage:32736] uid/euid:1001/1001 gid/egid:1001/1001, parent /bin/bash[bash:32583] uid/euid:1001/1001 gid/egid:1001/1001
2011-03-01T23:26:55.390338+01:00 localhost kernel: [29593.611944] grsec: denied resource overstep by requesting 31 for RLIMIT_NICE against limit 30 for /opt/VirtualBox/VBoxXPCOMIPCD[VBoxXPCOMIPCD:32752] uid/euid:1001/1001 gid/egid:1001/1001, parent /opt/VirtualBox/VBoxManage[VBoxManage:32750] uid/euid:1001/1001 gid/egid:1001/1001
2011-03-01T23:26:55.391342+01:00 localhost kernel: [29593.612391] grsec: denied kernel module auto-load of net-pf-10 by /opt/VirtualBox/VBoxXPCOMIPCD[VBoxXPCOMIPCD:32751] uid/euid:1001/1001 gid/egid:1001/1001, parent /opt/VirtualBox/VBoxManage[VBoxManage:32750] uid/euid:1001/1001 gid/egid:1001/1001
2011-03-01T23:26:55.411336+01:00 localhost kernel: [29593.632066] grsec: denied resource overstep by requesting 31 for RLIMIT_NICE against limit 30 for /opt/VirtualBox/VBoxSVC[VBoxSVC:32757] uid/euid:1001/1001 gid/egid:1001/1001, parent /opt/VirtualBox/VBoxManage[VBoxManage:32736] uid/euid:1001/1001 gid/egid:1001/1001
2011-03-01T23:26:55.424356+01:00 localhost kernel: [29593.645405] grsec: denied resource overstep by requesting 31 for RLIMIT_NICE against limit 30 for /opt/VirtualBox/VBoxSVC[VBoxSVC:32761] uid/euid:1001/1001 gid/egid:1001/1001, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
2011-03-01T23:26:55.424375+01:00 localhost kernel: [29593.645885] grsec: denied kernel module auto-load of net-pf-10 by /opt/VirtualBox/VBoxSVC[VBoxSVC:32760] uid/euid:1001/1001 gid/egid:1001/1001, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
2011-03-01T23:26:55.607337+01:00 localhost kernel: [29593.828574] grsec: denied resource overstep by requesting 31 for RLIMIT_NICE against limit 30 for /opt/VirtualBox/VBoxTestOGL[VBoxTestOGL:501] uid/euid:1001/1001 gid/egid:1001/1001, parent /opt/VirtualBox/VBoxSVC[VBoxSVC:32764] uid/euid:1001/1001 gid/egid:1001/1001
2011-03-01T23:26:55.751342+01:00 localhost kernel: [29593.972536] grsec: denied resource overstep by requesting 31 for RLIMIT_NICE against limit 30 for /opt/VirtualBox/VirtualBox[VirtualBox:506] uid/euid:1001/1001 gid/egid:1001/1001, parent /opt/VirtualBox/VBoxSVC[VBoxSVC:32764] uid/euid:1001/1001 gid/egid:1001/1001
2011-03-01T23:26:55.929343+01:00 localhost kernel: [29594.150847] grsec: denied kernel module auto-load of net-pf-10 by /opt/VirtualBox/VirtualBox[VirtualBox:505] uid/euid:1001/1001 gid/egid:1001/1001, parent /opt/VirtualBox/VBoxSVC[VBoxSVC:32764] uid/euid:1001/1001 gid/egid:1001/1001
2011-03-01T23:26:56.252339+01:00 localhost kernel: [29594.473693] grsec: denied resource overstep by requesting 31 for RLIMIT_NICE against limit 30 for /opt/VirtualBox/VBoxNetDHCP[VBoxNetDHCP:519] uid/euid:1001/1001 gid/egid:1001/1001, parent /opt/VirtualBox/VBoxSVC[VBoxSVC:511] uid/euid:1001/1001 gid/egid:1001/1001
2011-03-01T23:26:56.274326+01:00 localhost kernel: [29594.495452] device vboxnet0 entered promiscuous mode
2011-03-01T23:27:12.036321+01:00 localhost kernel: [29610.257056] device vboxnet0 left promiscuous mode


Module net-pf-10?
I have not found such a module:
Code:
 grep -i pf /usr/src/linux/.config
CONFIG_IP_NF_ARPFILTER=y
CONFIG_ATM_BR2684_IPFILTER=y
CONFIG_DEVTMPFS=y
CONFIG_DEVTMPFS_MOUNT=y
# CONFIG_SCSI_LPFC is not set
CONFIG_TMPFS=y
CONFIG_TMPFS_POSIX_ACL=y
# CONFIG_HPFS_FS is not set


What other settings to change?

Yours
8)
jacekalex
 
Posts: 39
Joined: Tue Jan 11, 2011 2:16 pm
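The two denial shapes specs points at, plus the "Module net-pf-10?" question, can be read mechanically. The parser below is an added example, not code from the thread or from grsecurity: it walks syslog lines, groups grsec denials by binary, converts RLIMIT_NICE values into the nice level the process asked for (the kernel stores RLIMIT_NICE as 20 minus the nice value, so "requesting 31 against limit 30" means nice -11 against an allowed floor of -10), and decodes net-pf-N aliases. net-pf-N is not a module name but the alias the kernel hands to modprobe when a program calls socket() for protocol family N and that family is not built in; family 10 is AF_INET6, so VirtualBox is asking for the ipv6 module, which is why grepping .config for "pf" finds nothing. Function names and the dictionary of families are mine; the sample lines are copied from the /var/log/messages excerpt above.

```python
import re
from collections import defaultdict

# Address-family numbers (Linux socket.h) behind the "net-pf-N" alias that the
# kernel requests from modprobe when socket(N, ...) hits a family not built in.
ADDRESS_FAMILIES = {1: "AF_UNIX", 2: "AF_INET", 10: "AF_INET6",
                    16: "AF_NETLINK", 17: "AF_PACKET"}

# The two grsec denial shapes, as they appear in the thread's /var/log/messages.
RESOURCE_RE = re.compile(
    r"grsec: denied resource overstep by requesting (?P<req>\d+) for "
    r"(?P<res>RLIMIT_\w+) against limit (?P<lim>\d+) for (?P<path>\S+?)"
    r"\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] uid/euid:(?P<uid>\d+)/\d+")
MODLOAD_RE = re.compile(
    r"grsec: denied kernel module auto-load of (?P<module>\S+) by (?P<path>\S+?)"
    r"\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] uid/euid:(?P<uid>\d+)/\d+")
ALIAS_RE = re.compile(r"^net-pf-(\d+)$")

# Sample input: four lines copied from the thread's /var/log/messages excerpt.
SAMPLE_LOG = [
    "2011-03-01T23:26:11.184435+01:00 localhost -bash: HISTORY: PID=32583 UID=1001 VBoxManage startvm Droid3",
    "2011-03-01T23:26:11.233338+01:00 localhost kernel: [29549.454809] grsec: denied resource overstep by requesting 31 for RLIMIT_NICE against limit 30 for /opt/VirtualBox/VBoxManage[VBoxManage:32619] uid/euid:1001/1001 gid/egid:1001/1001, parent /bin/bash[bash:32583] uid/euid:1001/1001 gid/egid:1001/1001",
    "2011-03-01T23:26:11.234340+01:00 localhost kernel: [29549.455337] grsec: denied kernel module auto-load of net-pf-10 by /opt/VirtualBox/VBoxManage[VBoxManage:32607] uid/euid:1001/1001 gid/egid:1001/1001, parent /bin/bash[bash:32583] uid/euid:1001/1001 gid/egid:1001/1001",
    "2011-03-01T23:26:11.281333+01:00 localhost kernel: [29549.502415] grsec: denied kernel module auto-load of net-pf-10 by /opt/VirtualBox/VBoxSVC[VBoxSVC:32631] uid/euid:1001/1001 gid/egid:1001/1001, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
]


def decode_module_alias(alias):
    """Turn a request like net-pf-10 into the protocol family it stands for."""
    m = ALIAS_RE.match(alias)
    if not m:
        return alias
    pf = int(m.group(1))
    return "protocol family %d (%s)" % (pf, ADDRESS_FAMILIES.get(pf, "unknown"))


def parse_denial(line):
    """Return a dict describing a grsec denial, or None for any other line."""
    m = RESOURCE_RE.search(line)
    if m:
        req, lim = int(m.group("req")), int(m.group("lim"))
        d = {"kind": "resource", "path": m.group("path"), "pid": int(m.group("pid")),
             "uid": int(m.group("uid")), "resource": m.group("res"),
             "requested": req, "limit": lim}
        if d["resource"] == "RLIMIT_NICE":
            # RLIMIT_NICE is stored as 20 - nice: 31 means the process asked for
            # nice -11, while a limit of 30 allows it no lower than nice -10.
            d["requested_nice"] = 20 - req
            d["allowed_nice"] = 20 - lim
        return d
    m = MODLOAD_RE.search(line)
    if m:
        return {"kind": "modload", "path": m.group("path"), "pid": int(m.group("pid")),
                "uid": int(m.group("uid")), "module": m.group("module"),
                "meaning": decode_module_alias(m.group("module"))}
    return None


def summarize(lines):
    """Group denials per binary: which rlimits it oversteps and which modules it wants."""
    by_path = defaultdict(lambda: {"resource": set(), "modload": set()})
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        if d["kind"] == "resource":
            by_path[d["path"]]["resource"].add((d["resource"], d["requested"], d["limit"]))
        else:
            by_path[d["path"]]["modload"].add(d["module"])
    return dict(by_path)


def report(lines):
    """Human-readable summary, one block per binary."""
    out = []
    for path, hits in sorted(summarize(lines).items()):
        out.append(path)
        for res, req, lim in sorted(hits["resource"]):
            extra = ""
            if res == "RLIMIT_NICE":
                extra = " (nice %d wanted, floor is %d)" % (20 - req, 20 - lim)
            out.append("  %s: requested %d, limit %d%s" % (res, req, lim, extra))
        for mod in sorted(hits["modload"]):
            out.append("  module auto-load denied: %s = %s" % (mod, decode_module_alias(mod)))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against a full /var/log/messages it tells you, per binary, whether the remaining denials are nice-level requests (a resource limit question, not a PaX flag question) or module auto-loads that the hardened kernel refuses for an unprivileged user; those are the modules to load before VirtualBox starts, as specs advises.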

Re: Virtualbox & kernel 2.6.37-grsec - is possible?

Postby PaX Team » Wed Mar 02, 2011 2:34 pm

jacekalex wrote:
Virtualbox error log:
Code:
00:00:13.195 VMSetError: /home/vbox/tinderbox/3.2-lnx32-rel/src/VBox/VMM/MM.cpp(684) int MMR3AdjustFixedReservation(VM*, int32_t, const char*); rc=VERR_INTERNAL_ERROR_3
00:00:13.195 VMSetError: Failed to reserve physical memory (0x2404 -> 0x2400; VMMDev Heap)
00:00:13.197 VMSetError: /home/vbox/tinderbox/3.2-lnx32-rel/src/VBox/VMM/MM.cpp(684) int MMR3AdjustFixedReservation(VM*, int32_t, const char*); rc=VERR_INTERNAL_ERROR_3
00:00:13.197 VMSetError: Failed to reserve physical memory (0x2404 -> 0x2004; VMMDev)
00:00:13.217 VMSetError: /home/vbox/tinderbox/3.2-lnx32-rel/src/VBox/VMM/MM.cpp(684) int MMR3AdjustFixedReservation(VM*, int32_t, const char*); rc=VERR_INTERNAL_ERROR_3
00:00:13.217 VMSetError: Failed to reserve physical memory (0x2404 -> 0x404; VRam)

i'd start with these and try to figure out what vbox was trying to do here exactly and why such requests were denied. probably the best is to talk to the vbox devs first, if you/they can tell me what's happening here, i can tell whether it's a bug or feature in PaX ;).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: Virtualbox & kernel 2.6.37-grsec - is possible?

Postby blueness » Wed Mar 02, 2011 7:14 pm

I have this working on my system and I've been working to get the stuff into Gentoo's tree. Here's a quick howto:

1. Use one of the recent kernels; it has my restructured predefined hardened settings. Use VIRTUALIZATION:

Security options --->
Grsecurity --->
[*] Grsecurity
Security Level (Hardened Gentoo [virtualization]) --->

It basically turns off KERNEXEC and UDEREF along with a few others. Compile, boot.

2. Switch to the vanilla compiler. This is because VirtualBox's build system is stupid, doesn't respect CFLAGS and upstream is not helping. (And I have better things to do with my life):

gcc-config x86_64-pc-linux-gnu-4.4.5-vanilla
source /etc/profile

Now emerge virtualbox-4.0.4.

Switch back to the regular hardened compiler, and emerge virtualbox-extpack-oracle-4.0.4, virtualbox-modules-4.0.4, virtualbox-additions-4.0.4.

3. Start VirtualBox. In bash do:

for m in vbox{drv,netadp,netflt}; do modprobe $m; done
VirtualBox &

4. Install your virtual machine in the usual way.

5. If it's a Gentoo guest, it helps to follow this howto: http://en.gentoo-wiki.com/wiki/Virtualbox_Guest
blueness
 
Posts: 5
Joined: Sun Jul 04, 2010 7:30 am
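A pre-flight check for the steps blueness lists, added here as an example (it is not part of the thread, of Gentoo's tooling or of VirtualBox): it reads kernel .config text and lsmod output and reports whether KERNEXEC or UDEREF is still on (the grsecurity Kconfig symbols are CONFIG_PAX_KERNEXEC and CONFIG_PAX_MEMORY_UDEREF; the virtualization security level turns them off), whether the three vbox modules from step 3 are loaded, and whether IPv6 was built as a module that still needs loading on a kernel whose module auto-load hardening (CONFIG_GRKERNSEC_MODHARDEN) will refuse the request from an unprivileged VirtualBox process. The function names and the two sample inputs are constructed; on a live box you would feed it the contents of /usr/src/linux/.config (as in the thread) and the output of lsmod.

```python
import re

# grsecurity/PaX Kconfig symbols behind the two features blueness' kernel
# profile disables; names as in the grsecurity Kconfig (assumed, not from the thread).
VBOX_INCOMPATIBLE = {
    "CONFIG_PAX_KERNEXEC": "KERNEXEC",
    "CONFIG_PAX_MEMORY_UDEREF": "UDEREF",
}
# Modules step 3 of the howto loads before starting VirtualBox.
REQUIRED_MODULES = ("vboxdrv", "vboxnetadp", "vboxnetflt")

CONFIG_SET_RE = re.compile(r"^(CONFIG_\w+)=(.+)$")
CONFIG_UNSET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")

# Constructed sample inputs: a .config fragment and a partial lsmod listing.
SAMPLE_CONFIG = """\
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_MODHARDEN=y
# CONFIG_PAX_KERNEXEC is not set
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_IPV6=m
"""
SAMPLE_LSMOD = """\
Module                  Size  Used by
vboxnetflt             12297  0
vboxdrv               127709  1 vboxnetflt
"""


def parse_kconfig(text):
    """Return {symbol: value} from .config text; unset symbols map to 'n'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = CONFIG_SET_RE.match(line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = CONFIG_UNSET_RE.match(line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def parse_lsmod(text):
    """Return the set of module names from lsmod output (header line skipped)."""
    names = set()
    for line in text.splitlines()[1:]:
        parts = line.split()
        if parts:
            names.add(parts[0])
    return names


def preflight(kconfig_text, lsmod_text):
    """List what would stop VirtualBox on this kernel; empty list means go."""
    opts = parse_kconfig(kconfig_text)
    loaded = parse_lsmod(lsmod_text)
    problems = []
    for sym, name in VBOX_INCOMPATIBLE.items():
        if opts.get(sym, "n") == "y":
            problems.append("%s is enabled (%s=y); VirtualBox is not compatible with it"
                            % (name, sym))
    for mod in REQUIRED_MODULES:
        if mod not in loaded:
            problems.append("module %s is not loaded; modprobe it before starting VirtualBox"
                            % mod)
    # With module hardening on, an unprivileged socket(AF_INET6) cannot pull in
    # ipv6.ko itself (that is the net-pf-10 denial), so load it up front.
    if (opts.get("CONFIG_IPV6") == "m" and "ipv6" not in loaded
            and opts.get("CONFIG_GRKERNSEC_MODHARDEN") == "y"):
        problems.append("ipv6 is a module and MODHARDEN is on; load ipv6 first "
                        "or the net-pf-10 auto-load will be denied")
    return problems


if __name__ == "__main__":
    for p in preflight(SAMPLE_CONFIG, SAMPLE_LSMOD) or ["ok: nothing found"]:
        print(p)
```

The check deliberately reads only text you already have on the box, so it can be run by the unprivileged user who will start the VM; it does not try to load anything itself.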

Re: Virtualbox & kernel 2.6.37-grsec - is possible?

Postby nickde » Mon Aug 15, 2011 11:39 pm

PaX Team wrote:
jacekalex wrote:
Virtualbox error log:
Code:
00:00:13.195 ********************* End of statistics **********************
00:00:13.195 VMSetError: /home/vbox/tinderbox/3.2-lnx32-rel/src/VBox/VMM/MM.cpp(684) int MMR3AdjustFixedReservation(VM*, int32_t, const char*); rc=VERR_INTERNAL_ERROR_3
00:00:13.195 VMSetError: Failed to reserve physical memory (0x2404 -> 0x2400; VMMDev Heap)
00:00:13.197 VMSetError: /home/vbox/tinderbox/3.2-lnx32-rel/src/VBox/VMM/MM.cpp(684) int MMR3AdjustFixedReservation(VM*, int32_t, const char*); rc=VERR_INTERNAL_ERROR_3
00:00:13.197 VMSetError: Failed to reserve physical memory (0x2404 -> 0x2004; VMMDev)
00:00:13.217 VMSetError: /home/vbox/tinderbox/3.2-lnx32-rel/src/VBox/VMM/MM.cpp(684) int MMR3AdjustFixedReservation(VM*, int32_t, const char*); rc=VERR_INTERNAL_ERROR_3
00:00:13.217 VMSetError: Failed to reserve physical memory (0x2404 -> 0x404; VRam)

i'd start with these and try to figure out what vbox was trying to do here exactly and why such requests were denied. probably the best is to talk to the vbox devs first, if you/they can tell me what's happening here, i can tell whether it's a bug or feature in PaX ;).


I get these too with 4.1.0 and 2.6.39, with uderef and kernexec disabled. Don't know what's going on :( Did this ever get figured out?
Is anyone else able to get virtualbox working? Do uderef and kernexec really need to be disabled?

00:00:10.322 VMSetError: /home/vbox/vbox-4.1.0/src/VBox/VMM/VMMR3/MM.cpp(684) int MMR3AdjustFixedReservation(VM*, int32_t, const char*); rc=VERR_INTERNAL_ERROR_3
00:00:10.322 VMSetError: Failed to reserve physical memory (0x1004 -> 0x1000; VMMDev Heap)
00:00:10.324 VMSetError: /home/vbox/vbox-4.1.0/src/VBox/VMM/VMMR3/MM.cpp(684) int MMR3AdjustFixedReservation(VM*, int32_t, const char*); rc=VERR_INTERNAL_ERROR_3
00:00:10.324 VMSetError: Failed to reserve physical memory (0x1004 -> 0xc04; VMMDev)
00:00:10.326 VMSetError: /home/vbox/vbox-4.1.0/src/VBox/VMM/VMMR3/MM.cpp(684) int MMR3AdjustFixedReservation(VM*, int32_t, const char*); rc=VERR_INTERNAL_ERROR_3
00:00:10.326 VMSetError: Failed to reserve physical memory (0x1004 -> 0x404; VRam)


This is the source:

Code:
/**
 * Interface for PGM to adjust the reservation of fixed pages.
 *
 * This can be called before MMR3InitPaging.
 *
 * @returns VBox status code. Will set VM error on failure.
 * @param   pVM                 The shared VM structure.
 * @param   cDeltaFixedPages    The number of pages to add (positive) or subtract (negative).
 * @param   pszDesc             Some description associated with the reservation.
 */
VMMR3DECL(int) MMR3AdjustFixedReservation(PVM pVM, int32_t cDeltaFixedPages, const char *pszDesc)
{
    const uint32_t cOld = pVM->mm.s.cFixedPages;
    pVM->mm.s.cFixedPages += cDeltaFixedPages;
    LogFlow(("MMR3AdjustFixedReservation: %d (%u -> %u)\n", cDeltaFixedPages, cOld, pVM->mm.s.cFixedPages));
    int rc = mmR3UpdateReservation(pVM);
    if (RT_FAILURE(rc))
    {
        VMSetError(pVM, rc, RT_SRC_POS, N_("Failed to reserve physical memory (%#x -> %#x; %s)"),
                   cOld, pVM->mm.s.cFixedPages, pszDesc);
        pVM->mm.s.cFixedPages = cOld;
    }
    return rc;
}
nickde
 
Posts: 5
Joined: Sun Aug 14, 2011 9:21 pm

Re: Virtualbox & kernel 2.6.37-grsec - is possible?

Postby PaX Team » Tue Aug 16, 2011 7:39 am

nickde wrote: I get these too with 4.1.0 and 2.6.39, with uderef and kernexec disabled. Don't know what's going on :( Did this ever get figured out?
not to my knowledge.
nickde wrote: Do uderef and kernexec really need to be disabled?
yes, vbox does things that are simply not compatible with these features and only they can fix them properly (which is unlikely to happen given the amount of work required, at least for KERNEXEC/i386).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: Virtualbox & kernel 2.6.37-grsec - is possible?

Postby nickde » Tue Aug 16, 2011 7:43 pm

PaX Team wrote:
nickde wrote: I get these too with 4.1.0 and 2.6.39, with uderef and kernexec disabled. Don't know what's going on :( Did this ever get figured out?
not to my knowledge.
nickde wrote: Do uderef and kernexec really need to be disabled?
yes, vbox does things that are simply not compatible with these features and only they can fix them properly (which is unlikely to happen given the amount of work required, at least for KERNEXEC/i386).


So I've spent the best part of the day compiling my kernel with different PaX options, trying to figure out VirtualBox compatibility. I'm using VirtualBox 4.1.0, 2.6.39-4 and a 64-bit system (Core i5).
The results:

  • With everything disabled and KERNEXEC enabled, VirtualBox works fine if VT-x is disabled. With both VT-x and KERNEXEC enabled, there is an Oops:
    Aug 17 01:54:31 mylaptop kernel: [ 147.059543] BUG: unable to handle kernel paging request at ffffffff81733044
    Aug 17 01:54:31 mylaptop kernel: [ 147.059592] IP: [<ffffffffa04ce247>] g_abExecMemory+0xb247/0x180000 [vboxdrv]
    Aug 17 01:54:31 mylaptop kernel: [ 147.059660] PGD 1729067 PUD 172f063 PMD 16001e1
    Aug 17 01:54:31 mylaptop kernel: [ 147.059691] Thread overran stack, or stack corrupted
    Aug 17 01:54:31 mylaptop kernel: [ 147.059715] Oops: 0003 [#1] SMP
    Aug 17 01:54:31 mylaptop kernel: [ 147.059737] last sysfs file: /sys/devices/system/cpu/cpu3/cache/index2/shared_cpu_map
    Aug 17 01:54:31 mylaptop kernel: [ 147.059785] CPU 3
    Aug 17 01:54:31 mylaptop kernel: [ 147.059806] Modules linked in: rfcomm binfmt_misc bnep pci_stub vboxpci vboxnetadp vboxnetflt vboxdrv parport_pc ppdev snd_hda_codec_hdmi snd_hda_codec_conexant ipt_REJECT ipt_LOG xt_limit xt_tcpudp xt_addrtype xt_state snd_hda_intel thinkpad_acpi arc4 snd_hda_codec snd_hwdep snd_seq_midi ip6table_filter ip6_tables snd_pcm snd_rawmidi nf_nat_irc nf_conntrack_irc nf_nat_ftp snd_seq_midi_event iwlagn nf_nat snd_seq mac80211 i915 nf_conntrack_ipv4 snd_timer nf_defrag_ipv4 snd_seq_device snd nf_conntrack_ftp cfg80211 drm_kms_helper soundcore nf_conntrack drm snd_page_alloc iptable_filter coretemp i2c_algo_bit ip_tables btusb lp nvram parport bluetooth psmouse video wmi serio_raw joydev x_tables usbhid hid ahci libahci xhci_hcd sdhci_pci sdhci e1000e
    Aug 17 01:54:31 mylaptop kernel: [ 147.060675]
    Aug 17 01:54:31 mylaptop kernel: [ 147.060685] Pid: 2299, comm: VirtualBox Not tainted 2.6.39.4-test8-grsec #5 LENOVO 4171CTO/4171CTO
    Aug 17 01:54:31 mylaptop kernel: [ 147.060762] RIP: 0010:[<ffffffffa04ce247>] [<ffffffffa04ce247>] g_abExecMemory+0xb247/0x180000 [vboxdrv]
    Aug 17 01:54:31 mylaptop kernel: [ 147.060917] RSP: 0018:ffff8801e08fbba0 EFLAGS: 00010082
    Aug 17 01:54:31 mylaptop kernel: [ 147.061008] RAX: ffffffff81733040 RBX: 0000000000000040 RCX: 0000000000000000
    Aug 17 01:54:31 mylaptop kernel: [ 147.061040] RDX: 0000000000000600 RSI: 0000000000000000 RDI: ffffc90005e38900
    Aug 17 01:54:31 mylaptop kernel: [ 147.061069] RBP: 0000000000000000 R08: ffffc90005e38000 R09: 0000002248302984
    Aug 17 01:54:31 mylaptop kernel: [ 147.061158] R10: ffffffffa04ce1e0 R11: 00000000017f18ad R12: ffffc90005e38900
    Aug 17 01:54:31 mylaptop kernel: [ 147.061241] R13: ffffc90005e1d000 R14: ffff8801e08fbd68 R15: 0000000000000001
    Aug 17 01:54:31 mylaptop kernel: [ 147.061321] FS: 000003296c412700(0000) GS:ffff88021e2c0000(0000) knlGS:0000000000000000
    Aug 17 01:54:31 mylaptop kernel: [ 147.061413] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    Aug 17 01:54:31 mylaptop kernel: [ 147.061478] CR2: ffffffff81733044 CR3: 0000000001629000 CR4: 00000000000426f0
    Aug 17 01:54:31 mylaptop kernel: [ 147.061556] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    Aug 17 01:54:31 mylaptop kernel: [ 147.061660] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    Aug 17 01:54:31 mylaptop kernel: [ 147.061741] Process VirtualBox (pid: 2299, threadinfo ffff88020f910d68, task ffff88020f910860)
    Aug 17 01:54:31 mylaptop kernel: [ 147.061833] Stack:
    Aug 17 01:54:31 mylaptop kernel: [ 147.061859] ffff81733000007f 000000000000ffff 0000000000000000 ffffc90005e38900
    Aug 17 01:54:31 mylaptop kernel: [ 147.061963] ffffc90005e38fe8 0000000000000000 000000001e2c0000 00000000ffff8802
    Aug 17 01:54:31 mylaptop kernel: [ 147.062063] 0000000000000000 000000006c412700 0000000000000329 0000000000000000
    Aug 17 01:54:31 mylaptop kernel: [ 147.062195] Call Trace:
    Aug 17 01:54:31 mylaptop kernel: [ 147.062267] [<ffffffffa064f02a>] ? supdrvIOCtlFast+0xaa/0xb0 [vboxdrv]
    Aug 17 01:54:31 mylaptop kernel: [ 147.062301] [<ffffffffa064b39d>] ? VBoxDrvLinuxIOCtl+0x4d/0x460 [vboxdrv]
    Aug 17 01:54:31 mylaptop kernel: [ 147.062329] [<ffffffff8117e09c>] ? do_vfs_ioctl+0xac/0x790
    Aug 17 01:54:31 mylaptop kernel: [ 147.062415] [<ffffffff8117e811>] ? sys_ioctl+0x91/0xa0
    Aug 17 01:54:31 mylaptop kernel: [ 147.062481] [<ffffffff81604f14>] ? system_call_fastpath+0x16/0x1b
    Aug 17 01:54:31 mylaptop kernel: [ 147.062551] Code: 00 00 36 89 b7 08 02 00 00 36 89 af 10 02 00 00 58 36 89 87 00 02 00 00 5b 48 83 ec 10 0f 01 04 24 48 89 d8 24 f8 48 03 44 24 02
    Aug 17 01:54:31 mylaptop kernel: [ 147.067099] RIP [<ffffffffa04ce247>] g_abExecMemory+0xb247/0x180000 [vboxdrv]
    Aug 17 01:54:31 mylaptop kernel: [ 147.071185] RSP <ffff8801e08fbba0>
    Aug 17 01:54:31 mylaptop kernel: [ 147.075248] CR2: ffffffff81733044
    Aug 17 01:54:31 mylaptop kernel: [ 147.152774] ---[ end trace 9780bbde545a77d7 ]---

  • With everything disabled and UDEREF enabled, it oopses.
    Aug 17 00:41:27 mylaptop kernel: [ 117.814892] BUG: unable to handle kernel paging request at 000003f11d3a4798
    Aug 17 00:41:27 mylaptop kernel: [ 117.815021] IP: [<ffffffffa0554a57>] g_abExecMemory+0x49a57/0x180000 [vboxdrv]
    Aug 17 00:41:27 mylaptop kernel: [ 117.815143] PGD 1f5c61000
    Aug 17 00:41:27 mylaptop kernel: [ 117.815181] Thread overran stack, or stack corrupted
    Aug 17 00:41:27 mylaptop kernel: [ 117.815239] Oops: 0000 [#1] SMP
    Aug 17 00:41:27 mylaptop kernel: [ 117.815290] last sysfs file: /sys/devices/virtual/hwmon/hwmon0/temp1_input
    Aug 17 00:41:27 mylaptop kernel: [ 117.815399] CPU 1
    Aug 17 00:41:27 mylaptop kernel: [ 117.815426] Modules linked in: aesni_intel cryptd aes_x86_64 aes_generic rfcomm binfmt_misc bnep pci_stub vboxpci vboxnetadp vboxnetflt vboxdrv parport_pc ppdev snd_hda_codec_hdmi snd_hda_codec_conexant ipt_REJECT ipt_LOG xt_limit xt_tcpudp xt_addrtype xt_state snd_hda_intel ip6table_filter i915 snd_hda_codec drm_kms_helper drm ip6_tables thinkpad_acpi nf_nat_irc snd_hwdep nf_conntrack_irc snd_seq_midi snd_pcm nf_nat_ftp arc4 snd_rawmidi snd_seq_midi_event nf_nat snd_seq nf_conntrack_ipv4 iwlagn nf_defrag_ipv4 snd_timer mac80211 snd_seq_device coretemp nf_conntrack_ftp nf_conntrack btusb lp snd i2c_algo_bit iptable_filter bluetooth parport cfg80211 ip_tables psmouse wmi nvram video soundcore joydev serio_raw x_tables snd_page_alloc usbhid hid ahci libahci e1000e sdhci_pci sdhci xhci_hcd
    Aug 17 00:41:27 mylaptop kernel: [ 117.816531]
    Aug 17 00:41:27 mylaptop kernel: [ 117.816555] Pid: 2311, comm: VirtualBox Not tainted 2.6.39.4-test10-grsec #7 LENOVO 4171CTO/4171CTO
    Aug 17 00:41:27 mylaptop kernel: [ 117.816669] RIP: 0010:[<ffffffffa0554a57>] [<ffffffffa0554a57>] g_abExecMemory+0x49a57/0x180000 [vboxdrv]
    Aug 17 00:41:27 mylaptop kernel: [ 117.816792] RSP: 0018:ffff8801e3ce3cd8 EFLAGS: 00010246
    Aug 17 00:41:27 mylaptop kernel: [ 117.816853] RAX: 0000000000000001 RBX: ffffc90005f20000 RCX: ffffffffffffffff
    Aug 17 00:41:27 mylaptop kernel: [ 117.816932] RDX: 0000000000000001 RSI: ffffc90005f3b000 RDI: 000003f11d3a4790
    Aug 17 00:41:27 mylaptop kernel: [ 117.817017] RBP: ffff8801e3ce3d18 R08: 39e0000000000000 R09: 000003f11d3a4810
    Aug 17 00:41:27 mylaptop kernel: [ 117.817097] R10: 000003f11d3c7d00 R11: 0000000000000246 R12: 0000000000000000
    Aug 17 00:41:27 mylaptop kernel: [ 117.817175] R13: ffffc90005f28860 R14: ffff8801e3ce3d48 R15: ffffc90005f20000
    Aug 17 00:41:27 mylaptop kernel: [ 117.817256] FS: 000003f11ddcd700(0000) GS:ffff88021e240000(0000) knlGS:0000000000000000
    Aug 17 00:41:27 mylaptop kernel: [ 117.817345] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    Aug 17 00:41:27 mylaptop kernel: [ 117.817410] CR2: 000003f11d3a4798 CR3: 0000000001633000 CR4: 00000000000426f0
    Aug 17 00:41:27 mylaptop kernel: [ 117.817488] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    Aug 17 00:41:27 mylaptop kernel: [ 117.817567] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    Aug 17 00:41:27 mylaptop kernel: [ 117.817647] Process VirtualBox (pid: 2311, threadinfo ffff8801fa0d7a48, task ffff8801fa0d7540)
    Aug 17 00:41:27 mylaptop kernel: [ 117.817740] Stack:
    Aug 17 00:41:27 mylaptop kernel: [ 117.817766] ffffffffffff4111 ffffc90005f3b000 ffffffffffff4111 00000000ffff4111
    Aug 17 00:41:27 mylaptop kernel: [ 117.817865] ffffffffffff4111 ffffc90005f20000 0000000000000000 ffffc90005f3b000
    Aug 17 00:41:27 mylaptop kernel: [ 117.817967] ffff8801e3ce3d88 ffffffffa052179f ffffffffffff4111 ffffffffffff4111
    Aug 17 00:41:27 mylaptop kernel: [ 117.818065] Call Trace:
    Aug 17 00:41:27 mylaptop kernel: [ 117.818120] [<ffffffffa06970ea>] ? supdrvIOCtlFast+0xaa/0xb0 [vboxdrv]
    Aug 17 00:41:27 mylaptop kernel: [ 117.818210] [<ffffffffa06933b3>] ? VBoxDrvLinuxIOCtl+0x53/0x510 [vboxdrv]
    Aug 17 00:41:27 mylaptop kernel: [ 117.818295] [<ffffffff8118488b>] ? do_vfs_ioctl+0xab/0x870
    Aug 17 00:41:27 mylaptop kernel: [ 117.818362] [<ffffffff811850e1>] ? sys_ioctl+0x91/0xa0
    Aug 17 00:41:27 mylaptop kernel: [ 117.818428] [<ffffffff8161fa89>] ? system_call_fastpath+0x16/0x1b
    Aug 17 00:41:27 mylaptop kernel: [ 117.818503] [<ffffffff8161fa27>] ? system_call_after_swapgs+0x17/0x63
    Aug 17 00:41:27 mylaptop kernel: [ 117.818575] Code: 75 c8 0f 88 ae fe ff ff 31 c0 86 83 fc 87 00 00 48 8b bb 28 88 00 00 45 31 e4 49 b8 00 00 00 00 00 00 e0 39 4c 8d 8f 80 00 00 00 <8b> 47 08 85 c0 74 2b 48 98 48 01 f8 74 24 8b 50 44 44 39 e2 76
    Aug 17 00:41:27 mylaptop kernel: [ 117.819085] RIP [<ffffffffa0554a57>] g_abExecMemory+0x49a57/0x180000 [vboxdrv]
    Aug 17 00:41:27 mylaptop kernel: [ 117.819182] RSP <ffff8801e3ce3cd8>
    Aug 17 00:41:27 mylaptop kernel: [ 117.819223] CR2: 000003f11d3a4798
    Aug 17 00:41:27 mylaptop kernel: [ 117.885512] ---[ end trace 0ff232153321d5ab ]---


  • But the weird thing is this: With everything disabled and any single one of the ASLR options enabled, virtualbox completely freezes my system - not an oops, it doesn't show anything, just everything is stuck until a hard reboot.
  • And of course the binaries don't work with MPROTECT, but they can be marked with paxctl at least.

There should be a big fat warning somewhere that virtualbox is incompatible with most things in pax..
nickde
 
Posts: 5
Joined: Sun Aug 14, 2011 9:21 pm

Re: Virtualbox & kernel 2.6.37-grsec - is possible?

Postby PaX Team » Wed Aug 17, 2011 7:05 am

nickde wrote:
    Aug 17 01:54:31 mylaptop kernel: [ 147.059543] BUG: unable to handle kernel paging request at ffffffff81733044
    Aug 17 01:54:31 mylaptop kernel: [ 147.059592] IP: [<ffffffffa04ce247>] g_abExecMemory+0xb247/0x180000 [vboxdrv]

this is some runtime loaded vbox code (note the issue here: vbox doesn't use the kernel's own module loader system, hence the lack of proper symbols) that tries to modify read-only memory (probably the GDT or some kernel page table).

    Aug 17 00:41:27 mylaptop kernel: [ 117.814892] BUG: unable to handle kernel paging request at 000003f11d3a4798
    Aug 17 00:41:27 mylaptop kernel: [ 117.815021] IP: [<ffffffffa0554a57>] g_abExecMemory+0x49a57/0x180000 [vboxdrv]

similarly, this is some of its own module code that tries to access userland memory without going through the proper kernel wrappers - this is a prime suspect of being a potential security bug even and what UDEREF was designed to catch.

    But the weird thing is this: With everything disabled and any single one of the ASLR options enabled, virtualbox completely freezes my system - not an oops, it doesn't show anything, just everything is stuck until a hard reboot.

this is something you could report to oracle/vbox guys as ASLR is a userland feature, it should not cause kernel failures.

    There should be a big fat warning somewhere that virtualbox is incompatible with most things in pax..

the config help for both UDEREF and KERNEXEC mentions problems with virtualization but it's really not the place to call out every single app that may not work properly. but we have a wiki, open to the public to contribute to ;).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
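The two diagnoses above rest on where the faulting address lands: inside the kernel image for the first oops (a write to read-only kernel memory, which KERNEXEC turns into a fault) and in userland for the second (a direct kernel dereference of a userland address, which UDEREF turns into a fault). The following triage helper is an added example, not code from this thread, from grsecurity/PaX or from VirtualBox. It pairs each "BUG: unable to handle kernel paging request" line with the "IP:" line after it, classifies the fault address against the classic x86_64 virtual memory layout (the region boundaries are an assumption of this example, not something the thread states), and flags instruction pointers that resolve to `g_abExecMemory`, the loader-less blob whose lack of proper symbols PaX Team points out. The first two sample pairs are the lines quoted in the thread; the third pair is constructed.

```python
"""Triage helper for x86_64 'unable to handle kernel paging request' oopses.

Added example (not code from the thread, grsecurity/PaX or VirtualBox).
"""
import re

# Assumed x86_64 layout for 2.6.x kernels (inclusive ranges); an assumption of
# this example, not taken from the thread.
REGIONS = [
    ("userland",     0x0000000000000000, 0x00007fffffffffff),
    ("direct-map",   0xffff880000000000, 0xffffc7ffffffffff),
    ("vmalloc",      0xffffc90000000000, 0xffffe8ffffffffff),
    ("kernel-image", 0xffffffff80000000, 0xffffffff9fffffff),
    ("modules",      0xffffffffa0000000, 0xffffffffff5fffff),
]

# Symbol the thread shows for vboxdrv's runtime-loaded code; the kernel's
# module loader never saw it, so there is no finer symbol to resolve to.
RUNTIME_LOADED_SYMBOLS = {"g_abExecMemory"}

HINTS = {
    "kernel-image": "access inside the kernel image: with KERNEXEC, a write to "
                    "read-only kernel text/data faults here",
    "userland": "kernel code dereferenced a userland address directly: with "
                "UDEREF that faults unless the copy_*_user wrappers are used",
}

BUG_RE = re.compile(r"BUG: unable to handle kernel paging request at ([0-9a-f]{1,16})\b")
IP_RE = re.compile(
    r"IP: \[<([0-9a-f]+)>\] ([A-Za-z_][\w.]*)\+0x([0-9a-f]+)/0x([0-9a-f]+)(?: \[(\w+)\])?"
)

# Sample input: first two pairs are the thread's own lines, third is constructed.
SAMPLE_LOG = """\
Aug 17 01:54:31 mylaptop kernel: [ 147.059543] BUG: unable to handle kernel paging request at ffffffff81733044
Aug 17 01:54:31 mylaptop kernel: [ 147.059592] IP: [<ffffffffa04ce247>] g_abExecMemory+0xb247/0x180000 [vboxdrv]
Aug 17 00:41:27 mylaptop kernel: [ 117.814892] BUG: unable to handle kernel paging request at 000003f11d3a4798
Aug 17 00:41:27 mylaptop kernel: [ 117.815021] IP: [<ffffffffa0554a57>] g_abExecMemory+0x49a57/0x180000 [vboxdrv]
Aug 17 00:50:00 mylaptop kernel: [ 200.000000] BUG: unable to handle kernel paging request at ffffc90005f3b000
Aug 17 00:50:00 mylaptop kernel: [ 200.000100] IP: [<ffffffff8117e09c>] do_vfs_ioctl+0xac/0x790
"""


def classify_fault(addr):
    """Return the layout region a virtual address falls in ('other' if none)."""
    for name, lo, hi in REGIONS:
        if lo <= addr <= hi:
            return name
    return "other"


def triage(log_text):
    """Pair each BUG line with the following IP line; one record per fault."""
    records = []
    pending = None
    for line in log_text.splitlines():
        m = BUG_RE.search(line)
        if m:
            pending = int(m.group(1), 16)
            continue
        m = IP_RE.search(line)
        if m and pending is not None:
            ip, symbol, off, size, module = m.groups()
            region = classify_fault(pending)
            records.append({
                "fault_addr": pending,
                "region": region,
                "ip": int(ip, 16),
                "symbol": symbol,
                "offset": int(off, 16),
                "module": module,
                "runtime_loaded": symbol in RUNTIME_LOADED_SYMBOLS,
                "hint": HINTS.get(region, "no PaX-specific interpretation"),
            })
            pending = None
    return records


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        where = f"{r['symbol']}+0x{r['offset']:x}" + (f" [{r['module']}]" if r["module"] else "")
        tag = " (runtime-loaded, no real symbols)" if r["runtime_loaded"] else ""
        print(f"fault {r['fault_addr']:016x} [{r['region']}] from {where}{tag}: {r['hint']}")
```

Feed it the full oops text from dmesg or syslog; only the BUG/IP pairs matter, the register dumps and stack lines are ignored. The region table is the one thing to adjust for another architecture or kernel version.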
