Firefox & Python issues w/grsecurity-3.0-3.12.7-201401120824

a forum for discussing usability issues, general maintenance, and general support for a grsecurity-enabled system.

Moderators: spender, PaX Team

Firefox & Python issues w/grsecurity-3.0-3.12.7-201401120824

Postby maximus » Mon Jan 13, 2014 6:49 pm

I have been experimenting with the two most recent testing patches grsecurity-3.0-3.12.6-201401021726.patch and the more current grsecurity-3.0-3.12.7-201401120824.patch -- these are the only grsecurity test patches I happen to have on hand at the moment.

For quite some time prior to grsecurity-3.0-3.12.6-201401021726.patch I was able to successfully run Firefox 26 with the PaX flags PSmXEr and Python 2.7.6 with PSmXER flags. I missed a couple versions there before 3.0-3.12.6-201401021726, so the problem may've been introduced before then.

With grsecurity-3.0-3.12.7-201401120824.patch (Linux localhost.localdomain 3.12.7-2-grsec #1 SMP PREEMPT Mon Jan 13 20:21:45 UTC 2014 x86_64 GNU/Linux) when I launch Firefox or Python 2.7 they are immediately killed. Strangely, I see no log entry in dmesg about the killing of the process as I am accustomed.

A strace of Firefox under this kernel shows only:
Code: Select all
execve("/usr/bin/firefox", ["firefox"], [/* 16 vars */] <unfinished ...>
+++ killed by SIGKILL +++
Killed


Python shows the same.

I tried setting psmxer on both binaries with paxctl, but this didn't change the situation.

I spent some time tweaking with GRKERNSEC/PaX features in the config this weekend and never found a successful formula on either hardware or virtualized systems.

When I got in to the office this morning, I took a look to see how things worked with the patch from January 2nd (which I had running on a couple test systems, it's uname-a: Linux localhost.localdomain 3.12.6-4-grsec #1 SMP PREEMPT Tue Jan 7 02:45:29 UTC 2014 x86_64 GNU/Linux). I was still unable to run Firefox, but got more from the strace this time, here are the last couple lines:
Code: Select all
mmap(NULL, 1048576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x6dfb1c700000
mmap(NULL, 2097152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x6dfb1c400000
munmap(0x6dfb1c500000, 1048576)         = 0
mmap(NULL, 65536, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = -1 EPERM (Operation not permitted)
+++ killed by SIGKILL (core dumped) +++


This version also provided the log messages I've come to expect:
Code: Select all
[  182.258525] grsec: denied RWX mmap of <anonymous mapping> by /usr/lib/firefox/firefox[firefox:367] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/bash[bash:366] uid/euid:1000/1000 gid/egid:1000/1000
[  182.258558] PAX: execution attempt in: (null), 00000000-00000000 00000000
[  182.258562] PAX: terminating task: /usr/lib/firefox/firefox(firefox):367, uid/euid: 1000/1000, PC:            (nil), SP: 00007c172aa1c768
[  182.258565] PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
[  182.258588] PAX: bytes at SP-8: 00006e4097a68d00 00006e40964e1ea1 0000000000000009 00007c172aa1c7b0 00007c172aa1cc70 00006e40964f837f 00006e4084a94448 0000000000000000 00006e408508c580 00006e40851dac00 00006e4000000000
[  182.266617] grsec: denied resource overstep by requesting 64 for RLIMIT_CORE against limit 0 for /usr/lib/firefox/firefox[firefox:367] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/bash[bash:366] uid/euid:1000/1000 gid/egid:1000/1000
[  182.266633] grsec: denied resource overstep by requesting 120 for RLIMIT_CORE against limit 0 for /usr/lib/firefox/firefox[firefox:367] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/bash[bash:366] uid/euid:1000/1000 gid/egid:1000/1000
[  182.266643] grsec: denied resource overstep by requesting 176 for RLIMIT_CORE against limit 0 for /usr/lib/firefox/firefox[firefox:367] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/bash[bash:366] uid/euid:1000/1000 gid/egid:1000/1000
[  182.266652] grsec: denied resource overstep by requesting 232 for RLIMIT_CORE against limit 0 for /usr/lib/firefox/firefox[firefox:367] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/bash[bash:366] uid/euid:1000/1000 gid/egid:1000/1000
[  182.266661] grsec: denied resource overstep by requesting 288 for RLIMIT_CORE against limit 0 for /usr/lib/firefox/firefox[firefox:367] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/bash[bash:366] uid/euid:1000/1000 gid/egid:1000/1000
[  182.266671] grsec: denied resource overstep by requesting 344 for RLIMIT_CORE against limit 0 for /usr/lib/firefox/firefox[firefox:367] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/bash[bash:366] uid/euid:1000/1000 gid/egid:1000/1000
[  182.266673] grsec: more alerts, logging disabled for 10 seconds
[  454.971453] grsec: process /usr/bin/strace(strace:418) attached to via ptrace by /usr/bin/strace[strace:416] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/bash[bash:366] uid/euid:1000/1000 gid/egid:1000/1000
[  454.971767] grsec: process /usr/bin/strace(strace:419) attached to via ptrace by /usr/bin/strace[strace:416] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/bash[bash:366] uid/euid:1000/1000 gid/egid:1000/1000
[  455.902450] grsec: denied RWX mmap of <anonymous mapping> by /usr/lib/firefox/firefox[firefox:419] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/strace[strace:416] uid/euid:1000/1000 gid/egid:1000/1000
[  455.902890] PAX: execution attempt in: (null), 00000000-00000000 00000000
[  455.902895] PAX: terminating task: /usr/lib/firefox/firefox(firefox):419, uid/euid: 1000/1000, PC:            (nil), SP: 0000750380584288
[  455.902897] PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
[  455.902926] PAX: bytes at SP-8: 00006996e0968d00 00006996df3e1ea1 0000000000000009 00006996da87baf4 00006996d00c1be0 00006996d00c1be0 00006996e05754b0 00006996de76213d 00007503805847e0 0000750380584400 00006996e0968d00
[  455.903165] grsec: denied resource overstep by requesting 64 for RLIMIT_CORE against limit 0 for /usr/lib/firefox/firefox[firefox:419] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/strace[strace:416] uid/euid:1000/1000 gid/egid:1000/1000
[  455.903175] grsec: denied resource overstep by requesting 120 for RLIMIT_CORE against limit 0 for /usr/lib/firefox/firefox[firefox:419] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/strace[strace:416] uid/euid:1000/1000 gid/egid:1000/1000
[  455.903181] grsec: denied resource overstep by requesting 176 for RLIMIT_CORE against limit 0 for /usr/lib/firefox/firefox[firefox:419] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/strace[strace:416] uid/euid:1000/1000 gid/egid:1000/1000
[  455.903188] grsec: denied resource overstep by requesting 232 for RLIMIT_CORE against limit 0 for /usr/lib/firefox/firefox[firefox:419] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/strace[strace:416] uid/euid:1000/1000 gid/egid:1000/1000
[  455.903194] grsec: denied resource overstep by requesting 288 for RLIMIT_CORE against limit 0 for /usr/lib/firefox/firefox[firefox:419] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/strace[strace:416] uid/euid:1000/1000 gid/egid:1000/1000
[  455.903200] grsec: denied resource overstep by requesting 344 for RLIMIT_CORE against limit 0 for /usr/lib/firefox/firefox[firefox:419] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/strace[strace:416] uid/euid:1000/1000 gid/egid:1000/1000
[  455.903202] grsec: more alerts, logging disabled for 10 seconds


For both, I used this config...
zgrep GRKERN /proc/config.gz:
Code: Select all
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_CONFIG_AUTO is not set
CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
CONFIG_GRKERNSEC_PROC_GID=9998
CONFIG_GRKERNSEC_TPE_TRUSTED_GID=9999
CONFIG_GRKERNSEC_SYMLINKOWN_GID=33
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_JIT_HARDEN=y
CONFIG_GRKERNSEC_PERF_HARDEN=y
CONFIG_GRKERNSEC_RAND_THREADSTACK=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_KERN_LOCKOUT=y
# CONFIG_GRKERNSEC_NO_RBAC is not set
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_SYMLINKOWN=y
CONFIG_GRKERNSEC_FIFO=y
# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
CONFIG_GRKERNSEC_ROFS=y
CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
CONFIG_GRKERNSEC_CHROOT_INITRD=y
CONFIG_GRKERNSEC_AUDIT_GROUP=y
CONFIG_GRKERNSEC_AUDIT_GID=9994
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_PTRACE=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_RWXMAP_LOG=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_READEXEC=y
CONFIG_GRKERNSEC_SETXID=y
CONFIG_GRKERNSEC_HARDEN_IPC=y
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
CONFIG_GRKERNSEC_TPE_INVERT=y
CONFIG_GRKERNSEC_TPE_GID=9999
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_BLACKHOLE=y
CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
CONFIG_GRKERNSEC_SOCKET=y


I believe the Arch user Ahmad24 was/is likely experiencing similar problems (at least with grsecurity-3.0-3.12.6-201401021726), based on their post in the AUR comments for the linux-grsec PKGBUILD.

Please let me know if I can provide any additional details, re-try something or otherwise make it easier to help with this issue.
maximus
 
Posts: 3
Joined: Wed Nov 27, 2013 6:14 pm

Re: Firefox & Python issues w/grsecurity-3.0-3.12.7-20140112

Postby spender » Mon Jan 13, 2014 7:16 pm

Hi,

Sorry about this -- it was fixed in an earlier 3.12.6 patch but was accidentally removed in the 3.12.7 patch. I committed it to the PaX branch instead of to my own, losing it on the 3.12.7 port when updating the PaX branch due to the revert having not been made there (as I had assumed).

I've included the revert in my branch so this won't get lost in the future, and have uploaded a new patch that should resolve your problem.

Thanks,
-Brad
spender
 
Posts: 1933
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Re: Firefox & Python issues w/grsecurity-3.0-3.12.7-20140112

Postby maximus » Tue Jan 14, 2014 3:18 pm

Thanks for the quick response! Yes, this fixed the FF/python issues.
maximus
 
Posts: 3
Joined: Wed Nov 27, 2013 6:14 pm


Return to grsecurity support