
grsecurity denial in docker container: Ways to solve?

Posted: Sun Aug 21, 2016 3:34 pm
by Shutterfly
Hi,

On my home server I use the Arch linux-grsec kernel, without any problems so far. Today there was the first problem:

I want to use the Plex media server on my home server, but not installed directly. I want to use the Plex docker container from "linuxserver.io". The startup of the container failed:

Aug 20 20:08:17 kernel: grsec: denied marking stack executable as requested by PT_GNU_STACK marking in /usr/lib/plexmediaserver/libgnsdk_dsp.so.3.07.7 by /usr/lib/plexmediaserver/Plex Media Server[Plex Media Serv:4586] uid/euid:1000/1000 gid/egid:995/995, parent /usr/sbin/start_pms[start_pms:4566] uid/euid:1000/1000 gid/egid:995/995
Aug 20 20:08:17 kernel: grsec: denied RWX mprotect of <stack> by /usr/lib/plexmediaserver/Plex Media Server[Plex Media Serv:4586] uid/euid:1000/1000 gid/egid:995/995, parent /usr/sbin/start_pms[start_pms:4566] uid/euid:1000/1000 gid/egid:995/995


I'm not so fit with grsecurity, so I started a search with Google. Perhaps the best solution would be PaX exceptions, but the problematic file is not accessible for setfattr:

# setfattr -n user.pax.flags -v "emr" /usr/lib/plexmediaserver/libgnsdk_dsp.so.3.07.7
setfattr: /usr/lib/plexmediaserver/libgnsdk_dsp.so.3.07.7: No such file or directory


It should be clear, because the file exists only in the container.

Currently I'm out of ideas, and I hope you can give me a little hint. That would be nice :)

Re: grsecurity denial in docker container: Ways to solve?

Posted: Wed Aug 31, 2016 12:02 pm
by andyj
You will need to install paxctl in your Docker image and run paxctl -m on the files it gives warnings about, either inside your Dockerfile or manually in the container.

Re: grsecurity denial in docker container: Ways to solve?

Posted: Thu Sep 01, 2016 2:16 pm
by PaX Team
PaX flags matter only on executables, never on libraries, but before going that far you should try to clear the RWE GNU_STACK header, as chances are that this library doesn't really need an executable stack.
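As an added example (not code from this thread, from linuxserver.io or from Plex), a small Python checker for the denial shown above: it reads an ELF object's PT_GNU_STACK program header, reports whether the object asks for an executable stack, and returns a copy with PF_X cleared, which is the same edit `execstack -c` from the prelink package performs. The sample object is constructed inline; on a real library you would read the file's bytes, write the cleared copy back inside the container image, and then re-check the grsec log.

```python
import struct
PT_GNU_STACK = 0x6474E551   # p_type of the GNU stack-permission program header
PF_X = 0x1                  # executable bit in p_flags

def _gnu_stack_flags_offset(data):
    """Return (endianness, file offset of PT_GNU_STACK's p_flags), or None if absent."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF object")
    endian = "<" if data[5] == 1 else ">"
    if data[4] == 2:    # ELF64: p_flags directly follows p_type in Elf64_Phdr
        phoff, _, _, _, phentsize, phnum = struct.unpack_from(endian + "QQIHHH", data, 0x20)
        flags_off = 4
    elif data[4] == 1:  # ELF32: p_flags is the seventh field of Elf32_Phdr
        phoff, _, _, _, phentsize, phnum = struct.unpack_from(endian + "IIIHHH", data, 0x1C)
        flags_off = 24
    else:
        raise ValueError("unknown ELF class")
    for i in range(phnum):
        base = phoff + i * phentsize
        if struct.unpack_from(endian + "I", data, base)[0] == PT_GNU_STACK:
            return endian, base + flags_off
    return None

def requests_exec_stack(data):
    """True if PF_X is set on PT_GNU_STACK; a missing header is reported as executable too."""
    found = _gnu_stack_flags_offset(data)
    if found is None:
        return True
    endian, off = found
    return bool(struct.unpack_from(endian + "I", data, off)[0] & PF_X)

def clear_exec_stack(data):
    """Return a copy with PF_X dropped from PT_GNU_STACK (the effect of `execstack -c`)."""
    found = _gnu_stack_flags_offset(data)
    if found is None:
        raise ValueError("no PT_GNU_STACK header to rewrite")
    endian, off = found
    out = bytearray(data)
    flags = struct.unpack_from(endian + "I", out, off)[0]
    struct.pack_into(endian + "I", out, off, flags & ~PF_X)
    return bytes(out)

def sample_elf64(stack_flags):
    """Constructed minimal x86-64 ET_DYN object carrying one PT_GNU_STACK header."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    return ehdr + struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
```

Running `requests_exec_stack` over every file under the directory named in the denial is the quickest way to see which objects carry the RWE marking; `clear_exec_stack` only touches the one p_flags word, so the rest of the file is unchanged.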