Get (some old version?, a fork?) of GNU Debugger to work with PaX?

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Re: PAX terminating task on /usr/bin/gdb

Postby timbgo » Thu Jul 14, 2016 8:25 pm

Firstly, that is a real bug, and grsecurity shines there, with the exec_logging and and audit_chdir set in my kernel. It tells so much to the user!

Now, the bug that I found there is double, as one dev made clear:
https://www.wireshark.org/lists/wiresha ... 00008.html

and this report is what appeared (in my slow wiriing of the previous post to this one that you're reading on forums.grsecurity.net), to me, after I was already posting here on grsec forums:
https://bugs.wireshark.org/bugzilla/sho ... d=12616#c8

I knew I needed gdb before that post by Peter Wu there.

If gdb was fixed for work with grsec-hardened, I could have posted such a backtrace myself in the bug report that I opened on bugs.wireshark.org !

Let me, not repeat my tries, but go for the logs of how gdp still does not work. Because I tried yesterday and maybe even the day before, and I always keep the fine grsec-enhanced logs to have the record.

In the next post, if I manage to do it.
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am

Re: PAX terminating task on /usr/bin/gdb

Postby timbgo » Thu Jul 14, 2016 9:18 pm

I had tried these commands (was able to find them in the history of my
urxvt terminals):

(below is mosty in order, but vaguely, only searching for the exact events)

One terminal:

Code: Select all
whereis wireshark
whereis wireshark | cut -f2 -d:
whereis wireshark | cut -f2 -d: | cut -d' ' -f2
gdb `whereis wireshark | cut -f2 -d: | cut -d' ' -f2` core >& bt.txt
gdb /usr/bin/tshark core |& tee bt.txt
cat bt.txt
gdb /usr/bin/tshark core |& tee bt.txt
whereis wireshark | cut -f2 -d: | cut -d' ' -f2
libtool --mode-execute gdb /usr/bin/tshark    # error there
libtool --mode=execute gdb /usr/bin/tshark


The other:

Code: Select all
gdb `whereis wireshark | cut -f2 -d: | cut -d' ' -f2` core >& bt.txt
gdb /usr/bin/wireshark core |& tee bt.txt



I found only two traces:

Code: Select all
$ ls -l /Cmn/m/B/bt.txt
-rw-r--r-- 1 miro miro 851 2016-07-14 11:48 /Cmn/m/B/bt.txt
$


and

Code: Select all
$ ls -l bt.txt
-rw-r--r-- 1 miro miro 881 2016-07-14 11:52 bt.txt
$


And apparently these correspond to the lines in my syslog:

Code: Select all
Jul 14 11:47:13 g0n kernel: [62893.273114] grsec: (miro:U:/usr/bin/tee) exec
of /usr/bin/tee (tee bt.txt ) by /usr/bin/tee[bash:19184] uid/euid:1000/1000
gid/egid:1000/1000, parent /bin/bash[bash:3884] uid/euid:1000/1000
gid/egid:1000/1000

Jul 14 11:47:13 g0n kernel: [62893.273842] grsec: (miro:U:/usr/bin/gdb) exec
of /usr/bin/gdb (gdb /usr/bin/wireshark core ) by /usr/bin/gdb[bash:19183]
uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3884]
uid/euid:1000/1000 gid/egid:1000/1000

Jul 14 11:47:13 g0n kernel: [62893.281493] grsec: (miro:U:/) exec of
/usr/bin/iconv (iconv -l ) by /usr/bin/iconv[gdb:19185] uid/euid:1000/1000
gid/egid:1000/1000, parent /usr/bin/gdb[gdb:19183] uid/euid:1000/1000
gid/egid:1000/1000

Jul 14 11:47:35 g0n kernel: [62914.374050] grsec: (root:U:/bin/ls) exec of
/bin/ls (ls --color=auto -ltr /Cmn/m/B/ ) by /bin/ls[bash:19186] uid/euid:0/0
gid/egid:0/0, parent /bin/bash[bash:3322] uid/euid:0/0 gid/egid:0/0

Jul 14 11:48:16 g0n kernel: [62956.146701] grsec: (miro:U:/bin/bash) chdir to
/home/miro by /bin/bash[bash:3884] uid/euid:1000/1000 gid/egid:1000/1000,
parent /usr/bin/urxvt[urxvt:3881] uid/euid:1000/1000 gid/egid:1000/1000

Jul 14 11:48:18 g0n kernel: [62957.674992] grsec: (miro:U:/usr/bin/gdb) exec
of /usr/bin/gdb (gdb /usr/bin/wireshark core ) by /usr/bin/gdb[bash:19192]
uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3884]
uid/euid:1000/1000 gid/egid:1000/1000

Jul 14 11:48:18 g0n kernel: [62957.675726] grsec: (miro:U:/usr/bin/tee) exec
of /usr/bin/tee (tee bt.txt ) by /usr/bin/tee[bash:19193] uid/euid:1000/1000
gid/egid:1000/1000, parent /bin/bash[bash:3884] uid/euid:1000/1000
gid/egid:1000/1000

Jul 14 11:48:18 g0n kernel: [62957.681491] grsec: (miro:U:/) exec of
/usr/bin/iconv (iconv -l ) by /usr/bin/iconv[gdb:19194] uid/euid:1000/1000
gid/egid:1000/1000, parent /usr/bin/gdb[gdb:19192] uid/euid:1000/1000
gid/egid:1000/1000

Jul 14 11:50:01 g0n kernel: [63061.177485] grsec: (root:U:/usr/sbin/crond)
chdir to /root by /usr/sbin/crond[crond:19196] uid/euid:0/0 gid/egid:0/0,
parent /usr/sbin/crond[crond:2846] uid/euid:0/0 gid/egid:0/0

... [ 38 lines cut here ] ...

Jul 14 11:51:23 g0n kernel: [63142.588061] grsec: (miro:U:/bin/cat) exec of
/bin/cat (cat bt.txt ) by /bin/cat[bash:19209] uid/euid:1000/1000
gid/egid:1000/1000, parent /bin/bash[bash:3884] uid/euid:1000/1000
gid/egid:1000/1000

Jul 14 11:52:17 g0n kernel: [63196.767308] grsec: (miro:U:/usr/bin/tee) exec
of /usr/bin/tee (tee bt.txt ) by /usr/bin/tee[bash:19215] uid/euid:1000/1000
gid/egid:1000/1000, parent /bin/bash[bash:3884] uid/euid:1000/1000
gid/egid:1000/1000

Jul 14 11:52:17 g0n kernel: [63196.768162] grsec: (miro:U:/usr/bin/gdb) exec
of /usr/bin/gdb (gdb /usr/bin/tshark core ) by /usr/bin/gdb[bash:19214]
uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3884]
uid/euid:1000/1000 gid/egid:1000/1000

Jul 14 11:52:17 g0n kernel: [63196.777698] grsec: (miro:U:/) exec of
/usr/bin/iconv (iconv -l ) by /usr/bin/iconv[gdb:19218] uid/euid:1000/1000
gid/egid:1000/1000, parent /usr/bin/gdb[gdb:19214] uid/euid:1000/1000
gid/egid:1000/1000

Jul 14 11:52:29 g0n kernel: [63208.555662] grsec: (miro:U:/bin/cat) exec of
/bin/cat (cat bt.txt ) by /bin/cat[bash:19219] uid/euid:1000/1000
gid/egid:1000/1000, parent /bin/bash[bash:3884] uid/euid:1000/1000
gid/egid:1000/1000


And now of course, the two backtraces:
-rw-r--r-- 1 miro miro 851 2016-07-14 11:48 /Cmn/m/B/bt.txt:
Code: Select all
GNU gdb (Gentoo 7.11.1 vanilla) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://bugs.gentoo.org/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/wireshark...(no debugging symbols found)...done.
/Cmn/m/B/core: No such file or directory.
(gdb) quit


and the:
-rw-r--r-- 1 miro miro 881 2016-07-14 11:52 /home/miro/bt.txt:
Code: Select all
GNU gdb (Gentoo 7.11.1 vanilla) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://bugs.gentoo.org/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/tshark...(no debugging symbols found)...done.
/home/miro/core: No such file or directory.
(gdb) backtracke
No stack.
(gdb) quit


(
I dont' get why the line before the "No stack." near the end of the last
backtrace got funny characters... IIRC, I did, and with attention, type
"backtrace" and hit Enter...

Those two lines look normal when cat'ed, and I can copy and paste them with
mouse normal:

Code: Select all
(gdb) backtrace
No stack.

( the above was copy/paste with mouse )

But, just in case, here are those two lines in hex:

Code: Select all
00000000   28 67 64 62  29 20 62 61  63 6B 74 72  61 63 6B 08  (gdb) backtrack.
00000010   1B 5B 4B 65  0A 4E 6F 20  73 74 61 63  6B 2E 0A     .[Ke.No stack..

)

As seems apparent to me, gdb does not work in my box. Still.

And I don't know if I can try and look up the gdb source. It's overwhelming to me.

---
Regards!

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am

Re: PAX terminating task on /usr/bin/gdb

Postby timbgo » Tue Jul 26, 2016 10:13 am

I've modeled this example after somewhere at https://www.codingunit.com:

Code: Select all
#include<stdio.h>

int main()
{
   char *ptr_my;
   ptr_my = "Grüße!";
   printf("%s\n", ptr_my);

   return 0;
}


First let'c compile it:

Code: Select all
$ gcc -g CU_112_string.c -o CU_112_string
$


Here's how it works with the current gdb, on my (testing) ~amd64 Gentoo, regularly updated from portage.

To be able to describe how it works, I'll be trying to capture the output with
this command:

Code: Select all
$ gdb CU_112_string |& tee \
   gdb_CU_112_string_$(date +%y%m%d_%H%M)_$(hostname).log


And it got me this:

Code: Select all
GNU gdb (Gentoo 7.11.1 vanilla) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://bugs.gentoo.org/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from CU_112_string...done.
(gdb) r
Starting program: /Cmn/mr_C/CU_112_string
warning: Cannot call inferior functions, Linux kernel PaX protection forbids return to non-executable pages!
Grüße!
[Inferior 1 (process 14114) exited normally]
(gdb) q


The "r" and "q" (without quotes) are of my typing.

However, that is with grsecurity RBAC policy of my grsec-hardened kernel disabled. To document it, I'll now search for the logs of what happened...

Code: Select all
Jul 26 11:42:03 g0n kernel: [488527.363130] grsec: (admin:S:/) exec of /sbin/gradm (gradm -D ) by /sbin/gradm[bash:3198] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3376] uid/euid:0/0 gid/egid:0/0
Jul 26 11:42:08 g0n kernel: [488532.669247] grsec: shutdown auth success for /sbin/gradm[gradm:3198] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3376] uid/euid:0/0 gid/egid:0/0

( RBAC long disabled by: )
Code: Select all
Jul 26 12:17:47 g0n kernel: [490671.210843] grsec: exec of /usr/bin/gdb (gdb CU_112_string ) by /usr/bin/gdb[bash:14049] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4400] uid/euid:1000/1000 gid/egid:1000/1000

Jul 26 12:17:47 g0n kernel: [490671.211559] grsec: exec of /bin/date (date +%y%m%d_%H%M ) by /bin/date[bash:14051] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:14050] uid/euid:1000/1000 gid/egid:1000/1000

Jul 26 12:17:47 g0n kernel: [490671.214322] grsec: exec of /bin/hostname (hostname ) by /bin/hostname[bash:14052] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:14050] uid/euid:1000/1000 gid/egid:1000/1000

Jul 26 12:17:47 g0n kernel: [490671.216744] grsec: exec of /usr/bin/tee (tee gdb_CU_112_string_160726_1217_g0n.log ) by /usr/bin/tee[bash:14050] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4400] uid/euid:1000/1000 gid/egid:1000/1000

Jul 26 12:17:47 g0n kernel: [490671.221651] grsec: exec of /usr/bin/iconv (iconv -l ) by /usr/bin/iconv[gdb:14053] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gdb[gdb:14049] uid/euid:1000/1000 gid/egid:1000/1000

Jul 26 12:17:58 g0n kernel: [490682.111292] grsec: exec of /bin/bash (/bin/bash -c exec /Cmn/mr_C/CU_112_string  ) by /bin/bash[gdb:14114] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gdb[gdb:14049] uid/euid:1000/1000 gid/egid:1000/1000

Jul 26 12:17:58 g0n kernel: [490682.113231] grsec: exec of /Cmn/mr_C/CU_112_string (/Cmn/mr_C/CU_112_string ) by /Cmn/mr_C/CU_112_string[bash:14114] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gdb[gdb:14049] uid/euid:1000/1000 gid/egid:1000/1000

Jul 26 12:17:58 g0n kernel: [490682.118581] PAX: execution attempt in: <anonymous mapping>, 3ddd5587000-3ddd5588000 3ddd5587000

Jul 26 12:17:58 g0n kernel: [490682.118596] PAX: terminating task: /usr/bin/gdb(gdb):14119, uid/euid: 1000/1000, PC: 000003ddd5587000, SP: 000003e2777614f0

Jul 26 12:17:58 g0n kernel: [490682.118604] PAX: bytes at PC: cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Jul 26 12:17:58 g0n kernel: [490682.118642] PAX: bytes at SP-8: 000003ddd5587000 0000000000000000 876570a7b4107700 000000358e075120 0000000000003722 00000035927cd250 00000035927cc110 0000003592709680 000000358dec3003 0000003500003722 0000000000000000

Jul 26 12:17:58 g0n kernel: [490682.118698] grsec: bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds.  Please investigate the crash report for /usr/bin/gdb[gdb:14119] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gdb[gdb:14049] uid/euid:1000/1000 gid/egid:1000/1000

Jul 26 12:17:58 g0n kernel: [490682.118758] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/bin/gdb[gdb:14119] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gdb[gdb:14049] uid/euid:1000/1000 gid/egid:1000/1000


And keeping RBAC at disabled means I don't really feel like I'm safe online...
If I can't use gdb with RBAC enabled, then I can't really use it...

But I'll enable RBAC to show you how it then gets even worse. The command I
used is exactly the same as above, and here's the tee'd output:

Code: Select all
GNU gdb (Gentoo 7.11.1 vanilla) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://bugs.gentoo.org/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from CU_112_string...done.
(gdb) r
Starting program: /Cmn/mr_C/CU_112_string
/bin/bash: /Cmn/mr_C/CU_112_string: Permission denied
/bin/bash: /Cmn/mr_C/CU_112_string: Success
During startup program exited with code 126.
(gdb) q


The "r" and "q" are just as above, of my own typing.

Here's what I got in the logs:

Code: Select all
Jul 26 12:32:16 g0n kernel: [491540.781868] grsec: exec of /sbin/gradm (gradm -E ) by /sbin/gradm[bash:18497] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:31287] uid/euid:0/0 gid/egid:0/0

Jul 26 12:32:16 g0n kernel: [491540.783906] grsec: chdir to /etc/grsec by /sbin/gradm[gradm:18497] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:31287] uid/euid:0/0 gid/egid:0/0

Jul 26 12:32:16 g0n kernel: [491540.841432] grsec: (root:U:/sbin/gradm) grsecurity 3.1 RBAC system loaded by /sbin/gradm[gradm:18497] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:31287] uid/euid:0/0 gid/egid:0/0

Jul 26 12:32:28 g0n kernel: [491552.566696] grsec: (miro:U:/usr/bin/gdb) exec of /usr/bin/gdb (gdb CU_112_string ) by /usr/bin/gdb[bash:18560] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4400] uid/euid:1000/1000 gid/egid:1000/1000

Jul 26 12:32:28 g0n kernel: [491552.568894] grsec: (miro:U:/) exec of /bin/date (date +%y%m%d_%H%M ) by /bin/date[bash:18563] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:18561] uid/euid:1000/1000 gid/egid:1000/1000

Jul 26 12:32:28 g0n kernel: [491552.573225] grsec: (miro:U:/bin/hostname) exec of /bin/hostname (hostname ) by /bin/hostname[bash:18566] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:18561] uid/euid:1000/1000 gid/egid:1000/1000

Jul 26 12:32:28 g0n kernel: [491552.575688] grsec: (miro:U:/usr/bin/tee) exec of /usr/bin/tee (tee gdb_CU_112_string_160726_1232_g0n.log ) by /usr/bin/tee[bash:18561] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4400] uid/euid:1000/1000 gid/egid:1000/1000

Jul 26 12:32:28 g0n kernel: [491552.579044] grsec: (miro:U:/) exec of /usr/bin/iconv (iconv -l ) by /usr/bin/iconv[gdb:18567] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gdb[gdb:18560] uid/euid:1000/1000 gid/egid:1000/1000

Jul 26 12:32:36 g0n kernel: [491560.340694] grsec: (miro:U:/bin/bash) exec of /bin/bash (/bin/bash -c exec /Cmn/mr_C/CU_112_string  ) by /bin/bash[gdb:18608] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gdb[gdb:18560] uid/euid:1000/1000 gid/egid:1000/1000

Jul 26 12:32:36 g0n kernel: [491560.346134] grsec: (miro:U:/bin/bash) denied ptrace of /Cmn/mr_C/CU_112_string by /Cmn/mr_C/CU_112_string[bash:18608] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gdb[gdb:18560] uid/euid:1000/1000 gid/egid:1000/1000


The "...denied ptrace..." gives this issue here an additional complexity. That part could be due to other reasons, and not the lack of support for grsecurity, which appears to be deliberate with some of the GNU people (somehow apparently supporting, what a hipocrysy!, the NSA Linux, sorry: SELinux, and not grsec... What software freedom is anyone really fighting for, if they support hooks in the kernel, made for those geheimdienst!).

So that part may be by more complex reasons.

But I need to give all the info (that I'm able to provide) to explain why it appears so to me. In the next post.
---
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am

Re: PAX terminating task on /usr/bin/gdb

Postby timbgo » Tue Jul 26, 2016 10:28 am

It is strange to me that I got that "...denied ptrace..." message because I've even named the backup of my current /etc/grsec/policy :

Code: Select all
grsec_160726_g0n_00_PTRACE_miro_bash
!

Because it's ptrace'ing that is generally used to break into people's computers, and I don't want a regular user miro (or me as regular user on my machine) to have that one among the linux capabilities.

( For beginners reading here, ptrace'ing is reading what a process, any process, does, by special programs. A program does what it does when it starts its process or processes. So ptrace'ing is reading programs at work. The programs that read what process(es) of other programs in, a remote computer, or your own computer, do, have been developed for that purpose. They are in the range from those known to public at large as gdb, the GNU Debugger, to up to very soffisticated programs completely obscured from the public, that can be as expensive as only state-funded institutions or big business can afford --but I'm only deducing likely facts in this latter part. Very likely facts though... ptrace'ing is an important part in intrusion, and grsecurity is a great protection against ptrace abuse. )

Here are the relevant sections of my RBAC policy:

Code: Select all
role miro u
...
# Role: miro
subject /  {
   /            
   ...
   /<some-dir>/<some-dir>*      rwxcd
   ...
   /bin            rx
   /boot            h
   /dev            
   /dev/grsec         h
   /dev/kmem         h
   /dev/log         h
   ...
   /dev/mem         h
   /dev/null         rw
   /dev/port         h
   /dev/ptmx         rw
   /dev/pts         rw
   /dev/snd         rw
   /dev/sr*         rw
   /dev/tty         rw
   /dev/tty6         rw
   /dev/urandom         r
   /dev/v4l         h
   /dev/v4l/video0         rw
   /dev/video0         rw
   /etc            r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /export            h
   /export/data         
   /export/home         
   /home            
   /home/miro         rwxcdl
   /lib64            rx
   /lib64/modules         h
   /mnt            r
   /mnt/<some-dir>*-*         rwxcd
   ...
   /opt            
   /opt/icedtea-bin-*   rx
   /proc            r
   /proc/bus         h
   /proc/kallsyms         h
   /proc/kcore         h
   /proc/modules         h
   /proc/slabinfo         h
   /run            
   /run/utmp         r
   /sbin            h
   /sbin/macchanger      
   /sbin/openrc         
   /sbin/xtables-multi      
   /sys            
   /sys/fs/cgroup         
   /tmp            rwcd
   /usr            
   /usr/bin         rx
   /usr/lib64         rx
   /usr/libexec         rx
   /usr/local         
   /usr/local/bin         rx
   /usr/sbin         h
   /usr/sbin/sendmail      rx
   /usr/share         r
   /usr/share/locale      r
   /usr/share/doc         r
   /usr/src         h
   /usr/x86_64-pc-linux-gnu   x
   /var            
   /var/cache         h
   /var/cache/fontconfig      r
   /var/lib         h
   /var/lib/lurker         rwcdl
   /var/lib/nfs/rpc_pipefs      
   /var/log         h
   /var/www
   /var/www/localhost/htdocs      rwcdl
   /var/www/lurker*      rwcdl
   -CAP_ALL
   +CAP_SYS_PTRACE
   bind   disabled
   connect   disabled
}

Pls. notice above the line:
Code: Select all
   +CAP_SYS_PTRACE


Code: Select all
# Role: miro
subject /bin/bash o {
   /            
   /<some-dir>            r
   ...
   /<some-dir>/<some-dir>         rwxcd
   ...
   /export            rwxcd
   /bin            x
   /boot            h
   /dev            
   /dev/grsec         h
   /dev/kmem         h
   /dev/log         h
   /dev/mem         h
   /dev/null         rw
   /dev/port         h
   /dev/sr0         r
   /dev/tty         rw
   /etc            r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /home
   /home/miro         rwxcdl
   /lib/modules         h
   /lib64            rx
   /lib64/modules         h
   /mnt            r
   /mnt/g*-*         rwxcd
   /mnt/sr0         r
   /mnt/sd?1         rwxcdl
   /mnt/sr*         r
   /opt            
   /opt/cin         x
   /opt/icedtea-bin-*   rx
   /proc            h
   /proc/meminfo         r
   /sbin            h
   /sbin/conntrack      x      
   /sbin/ldconfig      x
   /sbin/macchanger      
   /sbin/openrc         
   /sbin/xtables-multi      
   /sys            h
   /tmp            rwcd
   /usr            
   /usr/bin         x
   /usr/bin/java      rx
   /usr/bin/ssh      rx
   /usr/bin/xkbcomp   rx
   /usr/bin/urxvt         rx
   /usr/lib64         rx
   /usr/libexec      rx
   /usr/local         
   /usr/local/bin         rwxc
   /usr/sbin         h
   /usr/sbin/sendmail      rx
   /usr/share         h
   /usr/share/cvs/contrib/rcs2log
   /usr/share/doc         r
   /usr/share/info      r
   /usr/share/locale      r
   /usr/share/terminfo      r
   /usr/src         rwxc
   # needed by youtube-dl
   /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/objdump   x
   /var            
   /var/lib
   /var/lib/lurker         rwcdl
   /var/log         h
   /var/tmp         rwcd
   /var/www            
   /var/www/lurker*         rwcd
   /var/www/localhost
   /var/www/localhost/htdocs         rwcd
   -CAP_ALL
   +CAP_SYS_PTRACE
   bind   disabled
   connect   disabled
   sock_allow_family all
}

Pls. notice above the line:
Code: Select all
   +CAP_SYS_PTRACE


And here's the gdb policy:
Code: Select all
# Role: miro
subject /usr/bin/gdb o {
   /            h
   /Cmn
   /Cmn/m*         rwxcd
   /bin            h
   /bin/bash         rxt
   /dev            h
   /dev/urandom         r
   /etc            h
   /etc/inputrc         r
   /etc/ld.so.cache      r
   /etc/terminfo         
   /lib64            rx
   /lib64/modules         h
   /proc         r
   /proc/bus         h
   /proc/kallsyms         h
   /proc/kcore         h
   /proc/modules         h
   /proc/slabinfo         h
   /proc/sys         h
   /usr            
   /usr/bin         rx
   /usr/lib64         rx
   /usr/share         r
   /usr/share/gdb         r
   /usr/share/gdb/python      r
   /usr/share/gdb/python/gdb   rwcdl
   /usr/src         h
   /tmp      rwcd
   /var
   /var/tmp      rwcd
   -CAP_ALL
   +CAP_SYS_PTRACE
   bind   disabled
   connect   disabled
   sock_allow_family unix inet
}


I gave complete policy for gdb, unlike giving some hidden entries in the subject / and subject /bin/bash of role miro, which is my regular role.

So my question is where do I look for reasons that gdb is still "...denied ptrace..." as in the syslog lines in the previous post?

And what I intend to do next is I'll try and post how I managed to install old versions of gdb
---
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am

Re: PAX terminating task on /usr/bin/gdb

Postby timbgo » Tue Jul 26, 2016 10:34 am

[And], I was saying that [what I intended to do next], was... Because this is a persevering issue with gdb, is, I'll try and post how I managed to install old versions of gdb, I'll try and basically show you here only the successful installs:

There have been:

Code: Select all
# ls -l /var/log/portage_logs/ | grep gdb-7 | wc -l
75
#
that's 75 attempted installs of gdb in the period of time from:
Code: Select all
# ls -ltr /var/log/portage_logs/ | grep gdb-7 | head -1
-rw-rw---- 1 portage portage    6662 2016-07-23 21:11 sys-devel:gdb-7.11.1:20160723-191056.log
#
to:
Code: Select all
# ls -ltr /var/log/portage_logs/ | grep gdb-7 | tail -1
-rw-rw---- 1 portage portage  373127 2016-07-26 09:25 sys-devel:gdb-7.4.1-r3:20160726-072230.log
#

That's some two and a half days of my working on only that... These below are only tails of some of the logs, to spare you. The first is uninstall of the gdb-7.11.1 (which is the current regular package from portage).

Code: Select all
-rw-rw---- 1 portage portage 6662 2016-07-23 21:11 /var/log/portage_logs/sys-devel:gdb-7.11.1:20160723-191056.log
--- !empty   dir /usr/share/gdb/python/gdb/command
--- !empty   dir /usr/share/gdb/python/gdb
--- !empty   dir /usr/share/gdb/python
--- !empty   dir /usr/share/gdb
<<<          dir /usr/share/doc/gdb-7.11.1/sim
<<<          dir /usr/share/doc/gdb-7.11.1/gdbserver
<<<          dir /usr/share/doc/gdb-7.11.1/gdb
<<<          dir /usr/share/doc/gdb-7.11.1
--- !empty   dir /usr/share/doc
--- !empty   dir /usr/share
--- !empty   dir /usr/lib64
<<<          dir /usr/include/gdb
--- !empty   dir /usr/include
--- !empty   dir /usr/bin
--- !empty   dir /usr
>>> Regenerating /etc/ld.so.cache...

-rw-rw---- 1 portage portage 516691 2016-07-24 21:04 /var/log/portage_logs/sys-devel:gdb-7.5.1-r1:20160724-190027.log
>>> /usr/share/info/gdbint.info-2.bz2
--- /usr/share/man/
--- /usr/share/man/man1/
>>> /usr/share/man/man1/gdbserver.1.bz2
>>> /usr/share/man/man1/gdb.1.bz2
--- /usr/include/
>>> /usr/include/gdb/
>>> /usr/include/gdb/jit-reader.h
--- /usr/lib64/
>>> /usr/lib64/libinproctrace.so
--- /usr/bin/
>>> /usr/bin/gdbreplay
>>> /usr/bin/gdb
>>> /usr/bin/gdbserver
>>> sys-devel/gdb-7.5.1-r1 merged.
>>> Regenerating /etc/ld.so.cache...

-rw-rw---- 1 portage portage 332005 2016-07-25 17:19 /var/log/portage_logs/sys-devel:gdb-7.1-r1:20160725-151603.log
--- replaced obj /usr/share/doc/gdb-7.1-r1/gdb/CONTRIBUTE.bz2
--- replaced dir /usr/share/doc/gdb-7.1-r1/gdb
--- replaced obj /usr/share/doc/gdb-7.1-r1/README.bz2
--- replaced dir /usr/share/doc/gdb-7.1-r1
--- replaced dir /usr/share/doc
--- replaced dir /usr/share
--- replaced dir /usr/lib64
--- replaced obj /usr/bin/gdbtui
--- replaced obj /usr/bin/gdbserver
--- replaced obj /usr/bin/gdbreplay
--- replaced obj /usr/bin/gdb
--- replaced dir /usr/bin
--- replaced dir /usr
>>> Regenerating /etc/ld.so.cache...
>>> Original instance of package unmerged safely.
>>> sys-devel/gdb-7.1-r1 merged.

-rw-rw---- 1 portage portage 330916 2016-07-25 17:28 /var/log/portage_logs/sys-devel:gdb-7.1-r3:20160725-152542.log
<<<          obj /usr/share/doc/gdb-7.1-r1/README.bz2
--- replaced dir /usr/share/doc
--- replaced dir /usr/share
--- replaced dir /usr/lib64
--- replaced obj /usr/bin/gdbtui
--- replaced obj /usr/bin/gdbserver
--- replaced obj /usr/bin/gdbreplay
--- replaced obj /usr/bin/gdb
--- replaced dir /usr/bin
--- replaced dir /usr
<<<          dir /usr/share/doc/gdb-7.1-r1/sim
<<<          dir /usr/share/doc/gdb-7.1-r1/gdb
<<<          dir /usr/share/doc/gdb-7.1-r1
>>> Regenerating /etc/ld.so.cache...
>>> Original instance of package unmerged safely.
>>> sys-devel/gdb-7.1-r3 merged.

-rw-rw---- 1 portage portage 373127 2016-07-26 09:25 /var/log/portage_logs/sys-devel:gdb-7.4.1-r3:20160726-072230.log
<<<          obj /usr/share/doc/gdb-7.1-r3/README.bz2
--- replaced dir /usr/share/doc
--- replaced dir /usr/share
--- replaced dir /usr/lib64
--- replaced obj /usr/bin/gdbtui
<<<          obj /usr/bin/gdbserver
<<<          obj /usr/bin/gdbreplay
--- replaced obj /usr/bin/gdb
--- replaced dir /usr/bin
--- replaced dir /usr
<<<          dir /usr/share/doc/gdb-7.1-r3/sim
<<<          dir /usr/share/doc/gdb-7.1-r3/gdb
<<<          dir /usr/share/doc/gdb-7.1-r3
>>> Regenerating /etc/ld.so.cache...
>>> Original instance of package unmerged safely.
>>> sys-devel/gdb-7.4.1-r3 merged.


So I have successfully installed, at separate times, gdb-7.5.1, gdb-7.4.1 and gdb-7.1.

What I'll try to do is I'll try to post all the ebuilds that I used and how I got the sources, and what issues I have with each one, and more.

Again, I'll try and provide the ebuilds that I rewrote (mostly adapting later version ebuilds, and modifying them with simple non-advanced changes), and additional patches that I wrote or adapted, and then used for patching the sources, and I'll try to do it in such way that it can be replicated by (at least some) readers. I'll also try and post the packages which I modified and successfully installed (so readers can replicate the procedures that I used, and install those if they want to try them) .

But give me some time. I'm not available to do this work all the time.

But this is an itch to me, and a tormenting one. I want to see if I can do anything about this.

And if only I could get real programmers to look into this, give advice, or even patch what is needed to get a gdb that would not be too obsolete and which would be working fine with grsecurity-hardened kernels.

---
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am

Re: PAX terminating task on /usr/bin/gdb

Postby timbgo » Sat Jul 30, 2016 6:19 pm

I have just uploaded all that is needed for building the few old versions of
GNU Debugger in the quest to get it to work with grsec/PaX hardened:

http://www.croatiafidelis.hr/foss/grsec/gdb/

Will also try and rename this topic to: "Get (some old, forked? version) of
GNU Debugger to Work with PaX?"

The text below, and two more posts, I have also already prepared previously.
---
Just to clear a possible reason for "... denied ptrace..." messages above, this is what I run, and will be running, before I test various (old) gdb versions:

Code: Select all
# for i in $(ls -1 /proc/sys/kernel/grsecurity/harden_ptrace \
   /proc/sys/kernel/grsecurity/ptrace_readexec \
   /proc/sys/kernel/grsecurity/tpe \
   /proc/sys/kernel/grsecurity/tpe_restrict_all); do \
   echo $i:; cat $i; read FAKE; \
   echo 0 > $i; echo $i:; cat $i; read FAKE;
   done ;
#


( And:

Code: Select all
# for i in $(ls -1 /proc/sys/kernel/grsecurity/harden_ptrace \
   /proc/sys/kernel/grsecurity/ptrace_readexec \
   /proc/sys/kernel/grsecurity/tpe \
   /proc/sys/kernel/grsecurity/tpe_restrict_all); do \
   sleep 3600 && echo 1 > $i && echo $i: && cat $i & \
   done ;


lest I forget to reset those to my default which is 1 later. I hate if I foget
to do it and go online with tpe or ptrace'ing enabled...
)


Now, one of the reasons that there is probably no point trying to go older than 7.1, is:

Code: Select all
# cat /usr/portage/profiles/hardened/linux/package.mask

Code: Select all
# Copyright 1999-2015 Gentoo Foundation.
# Distributed under the terms of the GNU General Public License v2
# $Id$

# Hardened versions of gcc-4.0* through gcc-4.2* are not available.
=sys-devel/gcc-4.0*
=sys-devel/gcc-4.1*
=sys-devel/gcc-4.2*

# =sys-devel/gdb-7.0 is not hardened-ready according to xake & Zorry.
# sys-devel/gdb-7.1 works fine
# 2010-03-26 zorry
=sys-devel/gdb-7.0*

# Can't be used on hardened. See upstream,
# http://developer.skype.com/jira/browse/SCL-616
media-sound/skype-call-recorder
...


That file is in the current portage tree. I'll try and find it on gentoo.org ...

LINK HERE (note at posting time: haven't found it)

That statement there tells us one more thing. At that time (2010 it was), the GNU Debugger team wasn't so averse to grsecurity-hardening. Their aversity (Oh My, am I using the right words, my English is getting rusted...)... has grown later... So I imagined the gdb packages from that time and maybe up until 2012 or 2013, who knows? could still be working fine with grsec..

I'm in the process of putting together the necessary sources (they are not all available, or sometimes they are not available fully or not correctly --or I am missing some understanding-- from:

git://sourceware.org/git/binutils-gdb.git (I cloned it, and tried.)

let alone from Gentoo mirrors...

[I'm in the process of putting together the necessary sources], patches, and what else might be necessary. If any of the procedures can not be replicated or if some ebuild fails or some checksum is bad, pls. let me know.

To be able to compile gdb-7.1 with the ebuild:

Code: Select all
gdb-7.1-r3.ebuild


set this in the package.mask:

Code: Select all
# echo ">sys-devel/gdb-7.1-r3" >> /etc/portage/package.mask


Also add:

Code: Select all
# echo "sys-devel/gdb -nls" >> /etc/portage/package.use


Else probably there will be dependencies that won't allow compiling.

This is what I get:

Code: Select all
# emerge -1 gdb

These are the packages that would be merged, in order:

Calculating dependencies                     ... done!       
[ebuild     UD ] sys-devel/gdb-7.1-r3::miro [7.11.1::gentoo] USE="client
zlib%* -expat -multitarget -nls* -python* -server* {-test} -vanilla (-lzma%)"
PYTHON_SINGLE_TARGET="(-python2_7%) (-python3_3%) (-python3_4%*)
(-python3_5%)" PYTHON_TARGETS="(-python2_7%*) (-python3_3%) (-python3_4%*)
(-python3_5%)" 0 KiB

Total: 1 package (1 downgrade), Size of downloads: 0 KiB

Would you like to merge these packages? [Yes/No]


This actually is now building (I've decided to re-test all before posting)...

And it has installed fine. However, it's probably too ancient:

Code: Select all
$ gdb CU_112_string
GNU gdb (Gentoo 7.1 p1) 7.1
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.gentoo.org/>...
Reading symbols from /Cmn/mr_C/CU_112_string...Dwarf Error: wrong version in
compilation unit header (is 4, should be 2) [in module
/Cmn/mr_C/CU_112_string]
(gdb)

Here:
Code: Select all
(gdb) b CU_112_string.c:3
No symbol table is loaded.  Use the "file" command.
Make breakpoint pending on future shared library load? (y or [n]) n
(gdb) q

I can try and:
Code: Select all
$ gcc -gdwarf-2 -g CU_112_string.c -o CU_112_string

and:
Code: Select all
$ gdb CU_112_string
GNU gdb (Gentoo 7.1 p1) 7.1
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.gentoo.org/>...
Reading symbols from /Cmn/mr_C/CU_112_string...done.
(gdb) b CU_112_string.c:3
Breakpoint 1 at 0x849: file CU_112_string.c, line 3.
(gdb) r
Starting program: /Cmn/mr_C/CU_112_string
/bin/bash: /Cmn/mr_C/CU_112_string: Permission denied
/bin/bash: /Cmn/mr_C/CU_112_string: Success
During startup program exited with code 126.
(gdb) q

Sure, I got:
Code: Select all
Jul 30 11:55:14 g0n kernel: [177521.117260] grsec: (miro:U:/bin/bash) denied ptrace of /Cmn/mr_C/CU_112_string by /Cmn/mr_C/CU_112_string[bash:8652] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gdb[gdb:8648] uid/euid:1000/1000 gid/egid:1000/1000

which I explained is an enigma for me...
So disabling RBAC (gradm -D)... and:
Code: Select all
$ gdb CU_112_string
GNU gdb (Gentoo 7.1 p1) 7.1
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.gentoo.org/>...
Reading symbols from /Cmn/mr_C/CU_112_string...done.
(gdb) b CU_112_string.c:3
Breakpoint 1 at 0x849: file CU_112_string.c, line 3.
(gdb) r
Starting program: /Cmn/mr_C/CU_112_string
warning: no loadable sections found in added symbol-file system-supplied DSO
at 0x3bf63310000
Warning:
Cannot insert breakpoint 1.
Error accessing memory address 0x7c164ad849: Input/output error.
Cannot insert breakpoint -1.
Temporarily disabling shared library breakpoints:
breakpoint #-1

(gdb) q
A debugging session is active.

   Inferior 1 [process 8718] will be killed.

Quit anyway? (y or n) y
$[code]
...still no luck...
The syslog says:
[code]
Jul 30 11:59:57 g0n kernel: [177804.108470] grsec: exec of /usr/bin/gdb (gdb
CU_112_string ) by /usr/bin/gdb[bash:8702] uid/euid:1000/1000
gid/egid:1000/1000, parent /bin/bash[bash:30120] uid/euid:1000/1000
gid/egid:1000/1000

Jul 30 11:59:57 g0n kernel: [177804.117573] grsec: exec of /usr/bin/iconv
(iconv -l ) by /usr/bin/iconv[gdb:8705] uid/euid:1000/1000 gid/egid:1000/1000,
parent /usr/bin/gdb[gdb:8702] uid/euid:1000/1000 gid/egid:1000/1000

...

Jul 30 12:00:08 g0n kernel: [177815.076404] grsec: exec of
/Cmn/mr_C/CU_112_string (/Cmn/mr_C/CU_112_string ) by
/Cmn/mr_C/CU_112_string[bash:8718] uid/euid:1000/1000 gid/egid:1000/1000,
parent /usr/bin/gdb[gdb:8702] uid/euid:1000/1000 gid/egid:1000/1000
[/code]
...[The syslog] doesn't say much at all...

It must be some incompatibility with binutils installed:
[code]
# equery l binutils
 * Searching for binutils ...
[IP-] [  ] sys-devel/binutils-2.25.1-r1:2.25.1
[IP-] [  ] sys-devel/binutils-2.26.1:2.26.1
[/code]
but it is far too unclear to me what it may be...
[code]
$ $ binutils-config -c
x86_64-pc-linux-gnu-2.25.1
$


I looked the README's in the binutils source, but much more is needed for
understanding...

Try and install a less ancient version... Next.
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am

Re: Get (some old version?, a fork?) of GNU Debugger to work with PaX?

Postby timbgo » Sat Jul 30, 2016 6:32 pm

Try gdb-7.3 ?
Code: Select all
-rw-r--r-- 1     9207 2010-03-19 04:00 gdb_distfiles/gdb-7.1-patches-1.tar.lzma
-rw-r--r-- 1 17977195 2010-03-18 22:27 gdb_distfiles/gdb-7.1.tar.bz2
-rw-rw-r-- 1    17344 2011-12-08 06:56 gdb_distfiles/gdb-7.3.1-patches-2.tar.xz
-rw-r--r-- 1 19500995 2011-09-04 20:30 gdb_distfiles/gdb-7.3.1.tar.bz2

It's less ancient...

/etc/portage/package.mask now:
Code: Select all
>sys-devel/gdb-7.3.1-r2


And:
Code: Select all
# emerge -1 gdb

These are the packages that would be merged, in order:

Calculating dependencies          ... done!                 
[ebuild   R    ] sys-devel/gdb-7.1-r3::miro  USE="client zlib -expat -multitarget -nls -python -server {-test} -vanilla" 0 KiB

Total: 1 package (1 reinstall), Size of downloads: 0 KiB

Would you like to merge these packages? [Yes/No]

and it is now building.

============== SCRAPPED FOR NOW ============
I wasn't able to compile 7.3. But very little tweak I believe is missing. And gdb-7.3 might be needed yet... So leaving the above.

7.4 easily compiles. Similar procedure and similar tweaks as before of the package.mask, and by the time I post this, I'll try and make all (my clumsy) sources, ebuilds and (primitive) patches available at http://www.CroatiaFidelis.hr/foss/grsec/gdb/ somewhere...

Let's see if it's any worth. I'm back at using that command I posted two or so posts ago:
Code: Select all
gdb CU_112_string |& tee \
   gdb_CU_112_string_$(date +%y%m%d_%H%M)_$(hostname).log

I got:
Code: Select all
GNU gdb (Gentoo 7.4.1 p3) 7.4.1
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.gentoo.org/>...
Reading symbols from /Cmn/mr_C/CU_112_string...done.
(gdb) b CU_112_string.c:3
Breakpoint 1 at 0x849: file CU_112_string.c, line 3.
(gdb) r
Starting program: /Cmn/mr_C/CU_112_string
/bin/bash: /Cmn/mr_C/CU_112_string: Permission denied
/bin/bash: /Cmn/mr_C/CU_112_string: Success
During startup program exited with code 126.
(gdb) kill
The program is not being run.
(gdb) q
, but that is of course because gradm has been enabled in the meantime.
Disabling it, as well as the harden_ptrace, ptrace_readexec, tpe and
tpe_restrict_all.

Now, plain running of it:
Code: Select all
GNU gdb (Gentoo 7.4.1 p3) 7.4.1
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.gentoo.org/>...
Reading symbols from /Cmn/mr_C/CU_112_string...done.
(gdb) r
Starting program: /Cmn/mr_C/CU_112_string
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x3ce6c5e5000
Grüße!
[Inferior 1 (process 12950) exited normally]
(gdb) q
, shows it can run the program, but the error is ugly.

Listing the program source and setting a break now:
Code: Select all
GNU gdb (Gentoo 7.4.1 p3) 7.4.1
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.gentoo.org/>...
Reading symbols from /Cmn/mr_C/CU_112_string...done.
(gdb) l
1   #include<stdio.h>
2   
3   int main()
4   {
5       char *ptr_my;
6       ptr_my = "Grüße!";
7       printf("%s\n", ptr_my);
8   
9       return 0;
10   }
(gdb) b CU_112_string.c:3
Breakpoint 1 at 0x849: file CU_112_string.c, line 3.
(gdb) r
Starting program: /Cmn/mr_C/CU_112_string
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x3a857318000
Warning:
Cannot insert breakpoint 1.
Error accessing memory address 0x55fe811849: Input/output error.
Cannot insert breakpoint -1.
Temporarily disabling shared library breakpoints:
breakpoint #-1

(gdb) s
Cannot find bounds of current function
(gdb)
Cannot find bounds of current function
(gdb) k
Kill the program being debugged? (y or n) (gdb) q


I left the unsuccessful attempt to install 7.3 further above, because I applied the same amateur-style attempt at fixing it which worked for 7.4.

I'm talking about they both fail when they install texinfo pages. I could do without those (by reading them from elsewhere), but my knowledge is insufficient to edit the Makefile's and stuff and install without those. And so I used an entire direcory from 7.5 and replaced it into 7.3 (but a minor hurdle remained) and into 7.4, which worked.


I am talking about unpacking the 7.5 archive and also 7.3 (applies for 7.4 as well) archive and doing simply:

Code: Select all
cp -iav  gdb-7.5.1/gdb/doc/* gdb-7.3.1/gdb/doc/


and then packaging it as gdb-7.3.1.tar.gz and changing in the ebuild just the '.bz2' into '.gz'.

I'll post the plaintext (color-codes I blanked out) portage logs:

Code: Select all
-rw-rw---- 1 portage portage 358177 2016-07-30 14:55 sys-devel:gdb-7.3.1-r3:20160730-120503.log
-rw-rw---- 1 portage portage 368128 2016-07-30 15:39 sys-devel:gdb-7.4.1-r3:20160730-130233.log


and regardless of not speaking automake I'll try and see how to fix the little one small problem that remains there.

In shorter terms than perusing those two logs, here are excerpts.

The 7.4 up to the completion of the build process (shortened where possible):
Code: Select all
cp ./all-cfg.texi gdb-cfg.texi
echo "@set GDBVN `sed q ./../version.in`" > ./GDBvn.new
if [ -n "(Gentoo 7.4.1 p3) " ]; then \
  echo "@set VERSION_PACKAGE (Gentoo 7.4.1 p3) " >> ./GDBvn.new; \
fi
echo "@set BUGURL @uref{http://bugs.gentoo.org/}" >> ./GDBvn.new
if [ "@uref{http://bugs.gentoo.org/}" = "@uref{http://www.gnu.org/software/gdb/bugs/}" ]; then \
  echo "@set BUGURL_DEFAULT" >> ./GDBvn.new; \
fi
if test -z ""; then \
  echo "@set SYSTEM_READLINE" >> ./GDBvn.new; \
fi
mv GDBvn.new GDBvn.texi
makeinfo --split-size=5000000 --split-size=5000000  -DHAVE_MAKEINFO_CLICK  -I ./../mi -I . \
   -o gdb.info ./gdb.texinfo
makeinfo --split-size=5000000 --split-size=5000000  -DHAVE_MAKEINFO_CLICK -I . -o gdbint.info ./gdbint.texinfo
makeinfo --split-size=5000000 --split-size=5000000  -DHAVE_MAKEINFO_CLICK -I . -o annotate.info ./annotate.texinfo
./gdb.texinfo:31: warning: @syncodeindex leads to a merging of fn in itself, ignoring
./gdb.texinfo:23002: warning: @table has text but no @item
./gdb.texinfo:23054: warning: @table has text but no @item
./gdb.texinfo:23310: warning: @table has text but no @item
...[ 18 similar lines cut here ]...
./gdb.texinfo:25356: warning: @table has text but no @item
./gdb.texinfo:25369: warning: @table has text but no @item
./gdb.texinfo:35432: warning: @item missing argument
./gdb.texinfo:35602: warning: @item missing argument
...[ 20 similar lines cut here ]...
./gdb.texinfo:37753: warning: @item missing argument
./gdb.texinfo:37890: warning: @item missing argument
./gdb.texinfo:33701: warning: node next `GDB Bugs' in menu `(rluserman)' and in sectioning `In Memoriam' differ
./gdb.texinfo:33954: warning: node prev `In Memoriam' in menu `(history)' and in sectioning `GDB Bugs' differ
./gdb.texinfo:1919: warning: @xref node name should not contain `.'
./gdb.texinfo:16452: warning: @ref node name should not contain `.'
/bin/sh ./../../mkinstalldirs /var/tmp/portage/sys-devel/gdb-7.4.1-r3/image//usr/share/info
 /usr/lib/portage/python3.4/ebuild-helpers/xattr/install -c -m 644 ./gdb.info /var/tmp/portage/sys-devel/gdb-7.4.1-r3/image//usr/share/info/gdb.info
 /usr/lib/portage/python3.4/ebuild-helpers/xattr/install -c -m 644 ./gdb.info-1 /var/tmp/portage/sys-devel/gdb-7.4.1-r3/image//usr/share/info/gdb.info-1
 ...
 /usr/lib/portage/python3.4/ebuild-helpers/xattr/install -c -m 644 ./gdbint.info /var/tmp/portage/sys-devel/gdb-7.4.1-r3/image//usr/share/info/gdbint.info
 ...
 /usr/lib/portage/python3.4/ebuild-helpers/xattr/install -c -m 644 ./stabs.info /var/tmp/portage/sys-devel/gdb-7.4.1-r3/image//usr/share/info/stabs.info
 /usr/lib/portage/python3.4/ebuild-helpers/xattr/install -c -m 644 ./annotate.info /var/tmp/portage/sys-devel/gdb-7.4.1-r3/image//usr/share/info/annotate.info
 install-info --info-dir=/var/tmp/portage/sys-devel/gdb-7.4.1-r3/image//usr/share/info /var/tmp/portage/sys-devel/gdb-7.4.1-r3/image//usr/share/info/gdb.info
 install-info --info-dir=/var/tmp/portage/sys-devel/gdb-7.4.1-r3/image//usr/share/info /var/tmp/portage/sys-devel/gdb-7.4.1-r3/image//usr/share/info/gdbint.info
 install-info --info-dir=/var/tmp/portage/sys-devel/gdb-7.4.1-r3/image//usr/share/info /var/tmp/portage/sys-devel/gdb-7.4.1-r3/image//usr/share/info/stabs.info
 install-info --info-dir=/var/tmp/portage/sys-devel/gdb-7.4.1-r3/image//usr/share/info /var/tmp/portage/sys-devel/gdb-7.4.1-r3/image//usr/share/info/annotate.info
make[5]: Leaving directory '/var/tmp/portage/sys-devel/gdb-7.4.1-r3/work/gdb-7.4.1/gdb/doc'
make[5]: Entering directory '/var/tmp/portage/sys-devel/gdb-7.4.1-r3/work/gdb-7.4.1/gdb/testsuite'
make[5]: Nothing to be done for 'install'.
make[5]: Leaving directory '/var/tmp/portage/sys-devel/gdb-7.4.1-r3/work/gdb-7.4.1/gdb/testsuite'
make[5]: Entering directory '/var/tmp/portage/sys-devel/gdb-7.4.1-r3/work/gdb-7.4.1/gdb/data-directory'
make[6]: Entering directory '/var/tmp/portage/sys-devel/gdb-7.4.1-r3/work/gdb-7.4.1/gdb/data-directory'
/bin/sh ./../../mkinstalldirs /var/tmp/portage/sys-devel/gdb-7.4.1-r3/image//usr/share/gdb/syscalls
files='gdb/__init__.py gdb/types.py gdb/printing.py gdb/prompt.py gdb/command/__init__.py gdb/command/pretty_printers.py gdb/command/prompt.py' ; \
for file in $files ; do \
  dir=`echo "$file" | sed 's,/[^/]*$,,'` ; \
  /bin/sh ./../../mkinstalldirs /var/tmp/portage/sys-devel/gdb-7.4.1-r3/image//usr/share/gdb/python/$dir ; \
  /usr/lib/portage/python3.4/ebuild-helpers/xattr/install -c -m 644 ./python/$file /var/tmp/portage/sys-devel/gdb-7.4.1-r3/image//usr/share/gdb/python/$dir ; \
done
mkdir -p -- /var/tmp/portage/sys-devel/gdb-7.4.1-r3/image//usr/share/gdb/syscalls
files='gdb-syscalls.dtd ppc-linux.xml ppc64-linux.xml i386-linux.xml amd64-linux.xml sparc-linux.xml sparc64-linux.xml mips-o32-linux.xml mips-n32-linux.xml mips-n64-linux.xml' ; \
for file in $files; do \
  f=./../syscalls/$file ; \
  if test -f $f ; then \
    /usr/lib/portage/python3.4/ebuild-helpers/xattr/install -c -m 644 $f /var/tmp/portage/sys-devel/gdb-7.4.1-r3/image//usr/share/gdb/syscalls ; \
  fi ; \
done
mkdir -p -- /var/tmp/portage/sys-devel/gdb-7.4.1-r3/image//usr/share/gdb/python/gdb
mkdir -p -- /var/tmp/portage/sys-devel/gdb-7.4.1-r3/image//usr/share/gdb/python/gdb/command
make[6]: Leaving directory '/var/tmp/portage/sys-devel/gdb-7.4.1-r3/work/gdb-7.4.1/gdb/data-directory'
make[5]: Leaving directory '/var/tmp/portage/sys-devel/gdb-7.4.1-r3/work/gdb-7.4.1/gdb/data-directory'
make[4]: Leaving directory '/var/tmp/portage/sys-devel/gdb-7.4.1-r3/work/gdb-7.4.1/gdb'
make[3]: Leaving directory '/var/tmp/portage/sys-devel/gdb-7.4.1-r3/work/gdb-7.4.1/gdb'
make[2]: Leaving directory '/var/tmp/portage/sys-devel/gdb-7.4.1-r3/work/gdb-7.4.1/gdb'
make[1]: Leaving directory '/var/tmp/portage/sys-devel/gdb-7.4.1-r3/work/gdb-7.4.1'
>>> Completed installing gdb-7.4.1-r3 into /var/tmp/portage/sys-devel/gdb-7.4.1-r3/image/

 * Final size of build directory: 214832 KiB
 * Final size of installed tree: 17072 KiB



And the 7.3 (the failing one to build) from about the same place:
Code: Select all
cp ./all-cfg.texi gdb-cfg.texi
echo "@set GDBVN `sed q ./../version.in`" > ./GDBvn.new
if [ -n "(Gentoo 7.3.1 p2) " ]; then \
  echo "@set VERSION_PACKAGE (Gentoo 7.3.1 p2) " >> ./GDBvn.new; \
fi
echo "@set BUGURL @uref{http://bugs.gentoo.org/}" >> ./GDBvn.new
if [ "@uref{http://bugs.gentoo.org/}" = "@uref{http://www.gnu.org/software/gdb/bugs/}" ]; then \
  echo "@set BUGURL_DEFAULT" >> ./GDBvn.new; \
fi
if test -z ""; then \
  echo "@set SYSTEM_READLINE" >> ./GDBvn.new; \
fi
mv GDBvn.new GDBvn.texi
makeinfo --split-size=5000000 --split-size=5000000 @MAKEINFOFLAGS@ @MAKEINFO_EXTRA_FLAGS@  -I ./../mi -I . \
   -o gdb.info ./gdb.texinfo
makeinfo --split-size=5000000 --split-size=5000000 @MAKEINFOFLAGS@ @MAKEINFO_EXTRA_FLAGS@ -I . -o gdbint.info ./gdbint.texinfo
makeinfo --split-size=5000000 --split-size=5000000 @MAKEINFOFLAGS@ @MAKEINFO_EXTRA_FLAGS@ -I . -o annotate.info ./annotate.texinfo
could not open @MAKEINFOFLAGS@: No such file or directory
could not open @MAKEINFOFLAGS@: No such file or directory
make[5]: *** [Makefile:522: annotate.info] Error 1
make[5]: *** Waiting for unfinished jobs....
could not open @MAKEINFOFLAGS@: No such file or directory
make[5]: *** [Makefile:470: gdbint.info] Error 1
make[5]: *** [Makefile:371: gdb.info] Error 1
make[5]: Leaving directory '/var/tmp/portage/sys-devel/gdb-7.3.1-r3/work/gdb-7.3.1/gdb/doc'
make[4]: *** [Makefile:1288: subdir_do] Error 1
make[4]: Leaving directory '/var/tmp/portage/sys-devel/gdb-7.3.1-r3/work/gdb-7.3.1/gdb'
make[3]: *** [Makefile:1018: install-only] Error 2
make[3]: Leaving directory '/var/tmp/portage/sys-devel/gdb-7.3.1-r3/work/gdb-7.3.1/gdb'
make[2]: *** [Makefile:1014: install] Error 2
make[2]: Leaving directory '/var/tmp/portage/sys-devel/gdb-7.3.1-r3/work/gdb-7.3.1/gdb'
make[1]: *** [Makefile:11427: install-gdb] Error 2
make[1]: Leaving directory '/var/tmp/portage/sys-devel/gdb-7.3.1-r3/work/gdb-7.3.1'
make: *** [Makefile:2676: install] Error 2
emake failed
 * ERROR: sys-devel/gdb-7.3.1-r3::miro failed (install phase):
 *   (no error message)
 *
 * Call stack:
 *     ebuild.sh, line 115:  Called src_install
 *   environment, line 2338:  Called die
 * The specific snippet of code:
 *       emake DESTDIR="${D}" install || die;
 *
 * If you need support, post the output of `emerge --info '=sys-devel/gdb-7.3.1-r3::miro'`,
 * the complete build log and the output of `emerge -pqv '=sys-devel/gdb-7.3.1-r3::miro'`.
 * !!! User patches were applied to this build!


It appears to me that sorting only this issue here:
The 7.4 is OK:
Code: Select all
...
makeinfo --split-size=5000000 --split-size=5000000  -DHAVE_MAKEINFO_CLICK  -I ./../mi -I . \
   -o gdb.info ./gdb.texinfo
makeinfo --split-size=5000000 --split-size=5000000  -DHAVE_MAKEINFO_CLICK -I . -o gdbint.info ./gdbint.texinfo
makeinfo --split-size=5000000 --split-size=5000000  -DHAVE_MAKEINFO_CLICK -I . -o annotate.info ./annotate.texinfo
...


The 7.3 fails to make the necessary substitution here:
Code: Select all
...
makeinfo --split-size=5000000 --split-size=5000000 @MAKEINFOFLAGS@ @MAKEINFO_EXTRA_FLAGS@  -I ./../mi -I . \
   -o gdb.info ./gdb.texinfo
makeinfo --split-size=5000000 --split-size=5000000 @MAKEINFOFLAGS@ @MAKEINFO_EXTRA_FLAGS@ -I . -o gdbint.info ./gdbint.texinfo
makeinfo --split-size=5000000 --split-size=5000000 @MAKEINFOFLAGS@ @MAKEINFO_EXTRA_FLAGS@ -I . -o annotate.info ./annotate.texinfo
could not open @MAKEINFOFLAGS@: No such file or directory
could not open @MAKEINFOFLAGS@: No such file or directory
make[5]: *** [Makefile:522: annotate.info] Error 1
make[5]: *** Waiting for unfinished jobs....
could not open @MAKEINFOFLAGS@: No such file or directory
...

should get the 7.3 to build and then install.

But I was only able to pinpoint where I lack understanding yet to fix the problem...

---
I'll just try and point a few more of my pondering over the issues I deployed in this topic...

Probably because of the lack of any desire on the part of GNU Debugger team to let the user have PaX protection in their kernel and for them to adapt their program to work with such grsecurity-hardeneed kernel (grsecurity being in some way a twin program, the PaX set of patches to the kernel and the grsecurity proper set of patches to the kernel)...

In the next post I'll try and deploy/propose a few more of my thoughts.
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am

Re: Get (some old version?, a fork?) of GNU Debugger to work with PaX?

Postby timbgo » Sat Jul 30, 2016 6:34 pm

Actually, first, a careful reader will have noticed that I didn't explain the building and installation of the gdb-7.5.

That is because I need to be away in very small number of hours and a next day may and may not be tomorrow for this gdb-work-with-grsec task/desire/pledge of mine.

But also because it should just work with the same/similar little modifications to the package.mask and package.use, and with the sources that I'll will have posted (my clumsy) sources, ebuilds and (primitive) patches at http://www.CroatiaFidelis.hr/foss/grsec/gdb/ somewhere by the time I post this.


I'd like to post this about where gdb is mentioned in the grsecurity-patched contemporary kernel tree.

Turn it around this way or some other, the following does not seem to hold completely:

Code: Select all
 .config - Linux/x86 4.6.4-hardened Kernel Configuration
 → Security options → Grsecurity → Customize Configuration → Executable Protections ──
  ┌──────────────────────────── Executable Protections ────────────────────────────┐
  ...
  │ ┌────────────────────────────────────────────────────────────────────────────┐ │ 
  │ │    [*] Dmesg(8) restriction                                           │ │ 
  │ │    [*] Deter ptrace-based process snooping                                 │ │ 
  │ │    [*] Require read access to ptrace sensitive binaries                    │ │ 
  │ │    [*] Enforce consistent multithreaded privileges                         │ │ 
  │ │    [*] Disallow access to overly-permissive IPC objects                    │ │ 
  │ │    [ ] Disallow unprivileged use of command injection                      │ │ 
  │ │    [*] Trusted Path Execution (TPE)                                        │ │ 
  │ │    [*]   Partially restrict all non-root users                             │ │ 
  │ │    [ ]   Invert GID option                                                 │ │ 
  │ │    (100) GID for TPE-untrusted users                                       │ │ 
  │ │                                                                            │ │ 
  ...
  │ │                                                                            │ │ 
  │ └────────────────────────────────────────────────────────────────────────────┘ │ 
  ├────────────────────────────────────────────────────────────────────────────────┤ 
  │            <Select>    < Exit >    < Help >    < Save >    < Load >            │ 
  └────────────────────────────────────────────────────────────────────────────────┘ 

 ...
  ┌───────────────────── Deter ptrace-based process snooping ──────────────────────┐
  │ CONFIG_GRKERNSEC_HARDEN_PTRACE:                                                │ 
  │                                                                                │ 
  │ If you say Y here, TTY sniffers and other malicious monitoring                 │ 
  │ programs implemented through ptrace will be defeated.  If you                  │ 
  │ have been using the RBAC system, this option has already been                  │ 
  │ enabled for several years for all users, with the ability to make         │ 
  │ fine-grained exceptions.                                                       │ 
  │                                                                                │ 
  │ This option only affects the ability of non-root users to ptrace         │ 
  │ processes that are not a descendent of the ptracing process.         │ 

This bit does not hold true completely:
Code: Select all
  │ This means that strace ./binary and gdb ./binary will still work,         │ 

Actually strace does work (I tried it). The gdb does not.
Code: Select all
  │ but attaching to arbitrary processes will not.  If the sysctl         │ 
  │ option is enabled, a sysctl option with name "harden_ptrace" is         │ 
  │ created.                                                                       │ 
  │                                                                                │ 
  │ Symbol: GRKERNSEC_HARDEN_PTRACE [=y]                                           │ 
  │ Type  : boolean                                                                │ 
  │ Prompt: Deter ptrace-based process snooping                                    │ 
  │   Location:                                                                    │ 
  │     -> Security options                                                        │ 
  │       -> Grsecurity                                                            │ 
  │         -> Grsecurity (GRKERNSEC [=y])                                         │ 
  │           -> Customize Configuration                                           │ 
  │             -> Executable Protections                                          │ 
  │   Defined at grsecurity/Kconfig:822                                            │ 
  ├────────────────────────────────────────────────────────────────────────( 96%)──┤ 
  │                                    < Exit >                                    │ 
  └────────────────────────────────────────────────────────────────────────────────┘ 

And remember that I was disabling ptrace_readexec and ptrace_harden in my /proc/sys/kernel/grsecurity/ . And still couldn't get it to work. Sure, it could be something additional/different amiss, I'm not an expert, never said I was...

---
And there's another research needed here. I only hinted at it when I wrote about:
Code: Select all
...
warning: no loadable sections found in added symbol-file system-supplied DSO
at 0x3bf63310000
Warning:
Cannot insert breakpoint 1.
Error accessing memory address 0x7c164ad849: Input/output error.
Cannot insert breakpoint -1.
Temporarily disabling shared library breakpoints:
breakpoint #-1
...


how:
It must be some incompatibility with binutils installed


Is the
Code: Select all
symbol-file system-supplied DSO

that which I find explained over here:

https://0xax.gitbooks.io/linux-insides/ ... all-3.html

Dear, what hard and lengthy read that will be for me...!
---
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am

Previous

Return to grsecurity support