denied executable mmap

Submit your RBAC policies or suggest policy improvements

Moderators: spender, PaX Team

denied executable mmap

Postby Mitya » Tue Feb 17, 2009 7:46 pm

Hi All,

I have a Debian Etch with a vanilla kernel (2.6.27.10) with the latest grsec patch (2.1.12)
I just upgraded from 2.1.10 to 2.1.12 last weekend. The upgrade was not successful, because I got error messages like this:

Code: Select all
Feb 15 01:36:11 karrier kernel: grsec: From 127.0.0.6: (root:U:/var/jail/apache/usr/local/jre1.6.0_05) denied executable mmap of /var/jail/apache/var/WWW/360/WEB-INF/lib/activation.jar by /var/jail/apache/usr/local/jre1.6.0_05/bin/java[java:2285] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0


Firstly I thought that is a PAX issue, so I turned off PAX restrictions via chpax first, than recompiled the kernel without PAX support. I got the same result, so a had to put back the old kernel and go home :(

Currently the old kernel is running (2.6.19.2) with grsec 2.1.10 without any problems.

On the java binary I have PAX restrictions turned off

root@karrier:~# chpax -v /var/jail/apache/usr/local/jre1.6.0_05/bin/java

Code: Select all
----[ chpax 0.7 : Current flags for /var/jail/apache/usr/local/jre1.6.0_05/bin/java (pemrxs) ]----

 * Paging based PAGE_EXEC       : disabled
 * Trampolines                  : not emulated
 * mprotect()                   : not restricted
 * mmap() base                  : not randomized
 * ET_EXEC base                 : not randomized
 * Segmentation based PAGE_EXEC : disabled


So my question is what does the "denied executable mmap" mean ?

Somewhere I saw that it may be caused because the binary in the chain has no GNU_STACK header. Well java has no this header, but what should I do in this case ?

Code: Select all
root@karrier:~# readelf -l /var/jail/apache/usr/local/jre1.6.0_05/bin/java

Elf file type is EXEC (Executable file)
Entry point 0x40001bd0
There are 7 program headers, starting at offset 64

Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  PHDR           0x0000000000000040 0x0000000040000040 0x0000000040000040
                 0x0000000000000188 0x0000000000000188  R E    8
  INTERP         0x00000000000001c8 0x00000000400001c8 0x00000000400001c8
                 0x000000000000001c 0x000000000000001c  R      1
      [Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
  LOAD           0x0000000000000000 0x0000000040000000 0x0000000040000000
                 0x0000000000008e28 0x0000000000008e28  R E    100000
  LOAD           0x0000000000008e28 0x0000000040108e28 0x0000000040108e28
                 0x0000000000000f88 0x0000000000000fa8  RW     100000
  DYNAMIC        0x0000000000009948 0x0000000040109948 0x0000000040109948
                 0x00000000000001f0 0x00000000000001f0  RW     8
  NOTE           0x00000000000001e4 0x00000000400001e4 0x00000000400001e4
                 0x0000000000000020 0x0000000000000020  R      4
  GNU_EH_FRAME   0x0000000000008c74 0x0000000040008c74 0x0000000040008c74
                 0x00000000000001b4 0x00000000000001b4  R      4

 Section to Segment mapping:
  Segment Sections...
   00
   01     .interp
   02     .interp .note.ABI-tag .hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .text .fini .rodata .eh_frame_hdr
   03     .data .eh_frame .dynamic .ctors .dtors .jcr .got .bss
   04     .dynamic
   05     .note.ABI-tag
   06     .eh_frame_hdr




Every comments are welcome.

Thanks,
Misi
Mitya
 
Posts: 5
Joined: Tue Nov 23, 2004 8:47 am

Re: denied executable mmap

Postby spender » Wed Feb 18, 2009 11:39 am

Do you own the machine you're using? It has the RBAC system enabled, and the subject in role "root" for /var/jail/apache/usr/local/jre1.6.0_05 needs to be modified to allow execution of that .jar file mentioned in the logs. This would be done by either adding a new object explicitly for that .jar file and giving it "rx" as the object mode, or by modifying a more generic applicable object to add the "x" mode.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA


Return to RBAC policy development

cron