grsecurity denial in docker container: Ways to solve?


grsecurity denial in docker container: Ways to solve?

Postby Shutterfly » Sun Aug 21, 2016 3:34 pm

Hi,

On my home server I use the Arch linux-grsec kernel, without any problems so far. Today there was the first problem:

I want to use the Plex media server on my home server, but not installed directly. I want to use the Plex docker container from "linuxserver.io". The start-up of the container failed:

Aug 20 20:08:17 kernel: grsec: denied marking stack executable as requested by PT_GNU_STACK marking in /usr/lib/plexmediaserver/libgnsdk_dsp.so.3.07.7 by /usr/lib/plexmediaserver/Plex Media Server[Plex Media Serv:4586] uid/euid:1000/1000 gid/egid:995/995, parent /usr/sbin/start_pms[start_pms:4566] uid/euid:1000/1000 gid/egid:995/995
Aug 20 20:08:17 kernel: grsec: denied RWX mprotect of <stack> by /usr/lib/plexmediaserver/Plex Media Server[Plex Media Serv:4586] uid/euid:1000/1000 gid/egid:995/995, parent /usr/sbin/start_pms[start_pms:4566] uid/euid:1000/1000 gid/egid:995/995


I'm not very familiar with grsecurity, so I searched with Google. Perhaps the best solution would be PaX exceptions, but the problematic file is not accessible to setfattr:

# setfattr -n user.pax.flags -v "emr" /usr/lib/plexmediaserver/libgnsdk_dsp.so.3.07.7
setfattr: /usr/lib/plexmediaserver/libgnsdk_dsp.so.3.07.7: No such file or directory


That is understandable, because the file exists only in the container.

Currently I'm out of ideas and I hope you can give me a little hint. That would be nice :)
Shutterfly
 
Posts: 2
Joined: Sun Aug 21, 2016 3:27 pm

Re: grsecurity denial in docker container: Ways to solve?

Postby andyj » Wed Aug 31, 2016 12:02 pm

You will need to install paxctl to your docker image and run paxctl -m on the files it gives warnings about inside your dockerfile or manually in the container.
andyj
 
Posts: 8
Joined: Wed Feb 26, 2014 2:44 am

Re: grsecurity denial in docker container: Ways to solve?

Postby PaX Team » Thu Sep 01, 2016 2:16 pm

PaX flags matter only on executables, never on libraries, but before going that far, you should try to clear the RWE GNU_STACK header, as chances are that this library doesn't really need an executable stack.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
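The check PaX Team suggests, as an added example that is not from this thread or from the grsecurity project: it parses the ELF64 program headers, reports whether a file's PT_GNU_STACK entry carries the executable bit (the marking the denial above refers to), and clears that bit the same way execstack -c does. The sample image built by build_sample is constructed for the demonstration; the file path in the comment is the one from the log.

```python
import struct

PT_GNU_STACK = 0x6474E551  # p_type of the GNU_STACK program header
PF_X = 0x1                 # executable bit in p_flags

def gnu_stack_flags(data: bytes):
    """Locate PT_GNU_STACK in a little-endian ELF64 image.
    Returns (file offset of p_flags, p_flags) or None if the header is absent."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", data, off)
        if p_type == PT_GNU_STACK:
            return off + 4, p_flags
    return None

def stack_is_executable(data: bytes) -> bool:
    """True when the image asks the loader for an executable stack (what grsec denied above)."""
    found = gnu_stack_flags(data)
    # No PT_GNU_STACK at all: the glibc loader on x86 falls back to an executable stack
    return True if found is None else bool(found[1] & PF_X)

def clear_exec_stack(data: bytes) -> bytes:
    """Return a copy with PF_X cleared in PT_GNU_STACK, the same edit execstack -c makes."""
    found = gnu_stack_flags(data)
    if found is None:
        raise ValueError("no PT_GNU_STACK header to clear")
    off, flags = found
    patched = bytearray(data)
    struct.pack_into("<I", patched, off, flags & ~PF_X)
    return bytes(patched)

def build_sample(flags: int) -> bytes:
    """Constructed minimal ELF64 (ET_DYN, x86-64) with a single PT_GNU_STACK entry; test data only."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 0x10)
    return ehdr + phdr

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. /usr/lib/plexmediaserver/libgnsdk_dsp.so.3.07.7 inside the container
        with open(path, "rb") as fh:
            print(path, "executable stack requested" if stack_is_executable(fh.read()) else "ok")
```

Run it inside the container (or against the image's filesystem) to find which libraries request an executable stack; if the library works with the bit cleared, the denial disappears without any PaX flag changes.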

