I've tried to follow the wiki on grsecurity and PaX, but it seems it's outdated because a lot of the commands there don't work (see below).
So I really don't know how to configure a few things! For example, I already set "kernel.pax.softmode" to "0" but I'm still "vulnerable" according to paxtest:
Executable anonymous mapping (mprotect) : Vulnerable
Executable bss (mprotect) : Vulnerable
Executable data (mprotect) : Vulnerable
Executable heap (mprotect) : Vulnerable
Executable stack (mprotect) : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Writable text segments : Vulnerable
I've also set "kernel.grsecurity.disable_priv_io = 1" and "kernel.grsecurity.tpe = 1" in "/etc/sysctl.d/05-grsecurity.conf".
I don't know how to configure PAX, the sysctl commands don't work:
# sysctl kernel.grsecurity.audit_group=1
sysctl: cannot stat /proc/sys/kernel/grsecurity/audit_group: No such file or directory
How can I be protected from those vulnerabilities?
Last edited by Amanda (2015-08-13 00:34:20)
No result at all from both commands.
How can I boot the correct one, then? o.O
Upon installing 'linux-grsec' it ran mkinitcpio; I thought it would be loaded automatically.
You are not booting the correct kernel.
I was just reading this thread out of curiosity, and was wondering "What the devil is he talking about?" when you said this, and then I realized I'd forgotten to edit my arch.conf to vmlinuz-linux-grsec all that time ago.
Thank you, Stebalien.
OP, if you're using gummiboot, it's just editing /boot/loader/entries/arch.conf from vmlinuz-linux to vmlinuz-linux-grsec. Probably very similar and available on the wiki if you're using another bootloader.
Last edited by BlueYoshi (2015-08-12 21:07:58)
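An added check, not code from the thread, from Arch or from grsecurity: the three symptoms in the first post (sysctl cannot stat kernel.grsecurity.*, paxtest reports Vulnerable, /proc/config.gz has no CONFIG_PAX) have the single cause named above, the bootloader still loads the vanilla kernel. The script makes that visible instead of guessed at. It assumes Arch's linux-grsec release string contains "grsec", that the grsecurity sysctl tree lives at /proc/sys/kernel/grsecurity, and the Arch file names vmlinuz-linux-grsec and initramfs-linux-grsec.img; the entry parser accepts a gummiboot/systemd-boot entry file or a single syslinux LABEL block.

```shell
#!/bin/sh
# grsec_check.sh -- added example, not code from the thread or from Arch.
# Symptoms "sysctl: cannot stat /proc/sys/kernel/grsecurity/...", paxtest
# "Vulnerable" and no CONFIG_PAX in /proc/config.gz all mean the vanilla
# kernel booted. Assumptions: the grsec kernel's release string contains
# "grsec"; files are vmlinuz-linux-grsec and initramfs-linux-grsec.img.

# Is the running kernel a grsec build?
running_kernel_is_grsec() {
    case "$(uname -r)" in
        *grsec*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Is the grsecurity sysctl tree there? It exists only on a grsec kernel,
# which is why "sysctl kernel.grsecurity.audit_group=1" could not stat it.
grsec_sysctl_present() {
    [ -d /proc/sys/kernel/grsecurity ]
}

# entry_uses_kernel FILE SUFFIX
# Does one bootloader entry reference BOTH vmlinuz-linux-SUFFIX and
# initramfs-linux-SUFFIX.img? Accepts a gummiboot/systemd-boot entry
# (linux/initrd keys) or one syslinux LABEL block (LINUX/INITRD keys).
# Both lines matter: "mkinitcpio -p linux-grsec" writes
# initramfs-linux-grsec.img, and pairing the grsec kernel with the vanilla
# initramfs is the mismatch this thread ran into.
entry_uses_kernel() {
    file=$1
    suffix=$2
    kernel_ok=1
    initrd_ok=1
    set -f                      # no globbing while word-splitting lines
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line            # $1 = keyword, $2 = path (indentation-safe)
        case "$1" in
            LINUX|linux)
                case "$2" in *vmlinuz-linux-"$suffix") kernel_ok=0 ;; esac ;;
            INITRD|initrd)
                case "$2" in *initramfs-linux-"$suffix".img) initrd_ok=0 ;; esac ;;
        esac
    done < "$file"
    set +f
    [ "$kernel_ok" -eq 0 ] && [ "$initrd_ok" -eq 0 ]
}

# report [ENTRY_FILE...] -- human-readable summary of the checks above.
report() {
    if running_kernel_is_grsec; then
        echo "kernel:  $(uname -r) is a grsec build"
    else
        echo "kernel:  $(uname -r) is NOT a grsec build -> fix the bootloader entry"
    fi
    if grsec_sysctl_present; then
        echo "sysctl:  /proc/sys/kernel/grsecurity present"
    else
        echo "sysctl:  /proc/sys/kernel/grsecurity missing (expected on a non-grsec kernel)"
    fi
    for f in "$@"; do
        if entry_uses_kernel "$f" grsec; then
            echo "entry:   $f boots vmlinuz-linux-grsec with initramfs-linux-grsec.img"
        else
            echo "entry:   $f does NOT pair the grsec kernel with the grsec initramfs"
        fi
    done
}

# Usage: sh grsec_check.sh /boot/loader/entries/arch.conf
[ $# -eq 0 ] || report "$@"
```

For syslinux, copy the LABEL block you care about into its own file before passing it in, so that a correct second entry cannot mask a wrong first one.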
I use syslinux, so I just edit the line in bold?
LABEL arch
MENU LABEL Arch Linux
[b]LINUX ../vmlinuz-linux[/b]
APPEND root=bla bla bla rw
INITRD ../initramfs-linux.img
to
LABEL arch
MENU LABEL Arch Linux
[b]LINUX ../vmlinuz-linux-grsec[/b]
APPEND root=bla bla bla rw
INITRD ../initramfs-linux.img
I'll try that in one moment.
I just noticed we probably have to change the initramfs as well. I haven't rebooted to test yet, but I just looked at the directory contents of /boot/:
Last edited by BlueYoshi (2015-08-12 21:24:46)
Apparently sddm can't start after boot. Some message appeared about not being able to load the kernel module at boot.
I just tried to "mkinitcpio -p linux-grsec" and this appeared:
libkmod: kmod_config_parse: /etc/modprobe.d/modprobe.conf line 1: ignoring bad line starting with 'radeon'
My syslinux.cfg:
LABEL arch
MENU LABEL Arch Linux
LINUX ../vmlinuz-linux-grsec
APPEND root=/dev/mapper/system-root cryptdevice=/dev/sda2:root nomodeset rw
INITRD ../initramfs-linux-grsec.img
LABEL archfallback
MENU LABEL Arch Linux Fallback
LINUX ../vmlinuz-linux-fallback
APPEND root=/dev/sda3 rw
INITRD ../initramfs-linux-fallback.img
Why would I set the fallback image to "initramfs-linux-grsec-fallback" if there is no "vmlinuz-grsec-fallback" file?
Thanks everyone for the help.
EDIT:
I just noticed that 'linux-grsec' is at version 4.1.5 while the vanilla kernel is at 4.1.4.
I don't know if this could cause any problems.
Last edited by Amanda (2015-08-12 22:01:03)
Just changed my arch.conf to:
title Arch Linux
linux /vmlinuz-linux-grsec
initrd /initramfs-linux-grsec.img
options root=/dev/sda2 rw ipv6.disable=1
Ran mkinitcpio -p linux-grsec, and then rebooted. Everything is working fine here.
I guess there are two factors working against me:
1) I have full-disk encryption
2) I have an AMD card with Catalyst installed (see radeon problem in my other post).
systemd[1]: Failed to start Apply Kernel Variables
systemd-modules-load[285]: Failed to find module 'fglrx'
grsec: denied use of ioperm() by /usr/lib/xorg-server/Xorg[Xorg:526] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/sddm[sddm:506] uid/euid:0/0 gid/egid:0/0
grsec: denied use of iopl() by /usr/lib/xorg-server/Xorg[Xorg:526] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/sddm[sddm:506] uid/euid:0/0 gid/egid:0/0
grsec: denied use of iopl() by /usr/lib/xorg-server/Xorg[Xorg:526] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/sddm[sddm:506] uid/euid:0/0 gid/egid:0/0
[drm:radeon_init [radeon]] *ERROR* No UMS support in radeon module!
EDIT: I think fglrx is not compatible with kernel 4.1.5.
Last edited by Amanda (2015-08-12 23:27:55)
I'm not sure. My system isn't encrypted, and I use the open source AMD/ATI drivers.
mkinitcpio.conf for the module: https://bpaste.net/raw/700d20b01888
Driver package: https://www.archlinux.org/packages/extr … video-ati/
Well, I reinstalled Arch and configured grsec, now it seems everything is fine:
[root@amanda ~]# sysctl -a -r kernel.grsecurity.
kernel.grsecurity.audit_chdir = 0
kernel.grsecurity.audit_gid = 201
kernel.grsecurity.audit_group = 0
kernel.grsecurity.audit_mount = 0
kernel.grsecurity.audit_ptrace = 0
kernel.grsecurity.chroot_caps = 0
kernel.grsecurity.chroot_deny_bad_rename = 1
kernel.grsecurity.chroot_deny_chmod = 0
kernel.grsecurity.chroot_deny_chroot = 0
kernel.grsecurity.chroot_deny_fchdir = 1
kernel.grsecurity.chroot_deny_mknod = 0
kernel.grsecurity.chroot_deny_mount = 0
kernel.grsecurity.chroot_deny_pivot = 0
kernel.grsecurity.chroot_deny_shmat = 1
kernel.grsecurity.chroot_deny_sysctl = 1
kernel.grsecurity.chroot_deny_unix = 1
kernel.grsecurity.chroot_enforce_chdir = 1
kernel.grsecurity.chroot_execlog = 0
kernel.grsecurity.chroot_findtask = 1
kernel.grsecurity.chroot_restrict_nice = 0
kernel.grsecurity.consistent_setxid = 1
kernel.grsecurity.deny_new_usb = 0
kernel.grsecurity.deter_bruteforce = 1
kernel.grsecurity.disable_priv_io = 0
kernel.grsecurity.enforce_symlinksifowner = 1
kernel.grsecurity.exec_logging = 0
kernel.grsecurity.fifo_restrictions = 1
kernel.grsecurity.forkfail_logging = 0
kernel.grsecurity.grsec_lock = 0
kernel.grsecurity.harden_ipc = 1
kernel.grsecurity.harden_ptrace = 1
kernel.grsecurity.ip_blackhole = 0
kernel.grsecurity.lastack_retries = 4
kernel.grsecurity.ptrace_readexec = 1
kernel.grsecurity.resource_logging = 0
kernel.grsecurity.romount_protect = 0
kernel.grsecurity.rwxmap_logging = 1
kernel.grsecurity.signal_logging = 0
kernel.grsecurity.socket_all = 1
kernel.grsecurity.socket_all_gid = 202
kernel.grsecurity.socket_client = 1
kernel.grsecurity.socket_client_gid = 203
kernel.grsecurity.socket_server = 1
kernel.grsecurity.socket_server_gid = 204
kernel.grsecurity.symlinkown_gid = 33
kernel.grsecurity.timechange_logging = 0
kernel.grsecurity.tpe = 1
kernel.grsecurity.tpe_gid = 200
kernel.grsecurity.tpe_invert = 1
kernel.grsecurity.tpe_restrict_all = 1
[root@amanda ~]# zgrep PAX /proc/config.gz
CONFIG_PAX_KERNEXEC_PLUGIN=y
CONFIG_PAX_PER_CPU_PGD=y
CONFIG_PAX_USERCOPY_SLABS=y
CONFIG_PAX=y
CONFIG_PAX_SOFTMODE=y
# CONFIG_PAX_EI_PAX is not set
# CONFIG_PAX_PT_PAX_FLAGS is not set
CONFIG_PAX_XATTR_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_MPROTECT_COMPAT is not set
# CONFIG_PAX_ELFRELOCS is not set
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="bts"
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_MEMORY_SANITIZE=y
CONFIG_PAX_MEMORY_STACKLEAK=y
CONFIG_PAX_MEMORY_STRUCTLEAK=y
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_CONSTIFY_PLUGIN=y
CONFIG_PAX_USERCOPY=y
# CONFIG_PAX_USERCOPY_DEBUG is not set
CONFIG_PAX_SIZE_OVERFLOW=y
# CONFIG_PAX_LATENT_ENTROPY is not set
[root@amanda ~]#
HOWEVER, I didn't install Catalyst yet. I'm afraid it will bork my system if I do so.
Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable shared library bss : Killed
Executable shared library data : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable stack (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments : Killed
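An added check, not from the thread and not grsecurity's own tooling: compare the live kernel.grsecurity.* and kernel.pax.* values with the ones you meant to set, so that a sysctl.d file that did not take is caught rather than assumed. Two things stand out in the dump above. disable_priv_io is 0, although the first post wanted it at 1, which is exactly the kind of drift this catches. And grsec_lock is 0, so root can still change every one of these at runtime; putting kernel.grsecurity.grsec_lock = 1 as the last line of the sysctl.d file freezes them until reboot, and is the usual reason a grsec box is hard to weaken from user space. The denied ioperm()/iopl() lines earlier in the thread are disable_priv_io doing its job: raw I/O-port access is what Xorg asks for on the user-space modesetting path the proprietary driver uses, and a KMS driver such as radeon does not need it. The baseline below is constructed for this example.

```shell
#!/bin/sh
# grsec_audit.sh -- added example, not code from the thread or from grsecurity.
# Compares a `sysctl -a` dump against the values you intended to set.
# BASELINE is constructed for this example: the three values the thread sets,
# plus grsec_lock so that root cannot undo them at runtime.
BASELINE='kernel.pax.softmode = 0
kernel.grsecurity.disable_priv_io = 1
kernel.grsecurity.tpe = 1
kernel.grsecurity.grsec_lock = 1'

# lookup KEY FILE -> prints the value of "KEY = value" from FILE, fails if absent.
# Exact key match, so kernel.grsecurity.tpe does not match tpe_gid or tpe_invert.
lookup() {
    while IFS= read -r line; do
        case "$line" in
            "$1 = "*) printf '%s\n' "${line#* = }"; return 0 ;;
        esac
    done < "$2"
    return 1
}

# audit_sysctl DUMPFILE
# Prints one line per baseline key that is missing from, or differs in, DUMPFILE.
# Returns 0 when the live state matches the baseline, 1 otherwise.
audit_sysctl() {
    dump=$1
    bad=0
    while IFS= read -r want; do
        [ -n "$want" ] || continue
        key=${want%% = *}
        wantval=${want#* = }
        if haveval=$(lookup "$key" "$dump"); then
            if [ "$haveval" != "$wantval" ]; then
                echo "MISMATCH $key: live=$haveval wanted=$wantval"
                bad=$((bad + 1))
            fi
        else
            # An absent key usually means the grsec kernel is not the one running.
            echo "MISSING  $key: not present in this kernel's sysctl tree"
            bad=$((bad + 1))
        fi
    done <<EOF
$BASELINE
EOF
    [ "$bad" -eq 0 ]
}

# audit_live -- snapshot the running kernel's sysctl tree and audit it.
audit_live() {
    tmp=$(mktemp) || return 1
    sysctl -a 2>/dev/null > "$tmp"
    audit_sysctl "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run `audit_live` from a root shell after `sysctl --system`; a MISSING line means you are not on the grsec kernel at all, a MISMATCH means the file was not applied (or was applied and then overridden, which grsec_lock = 1 prevents).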
Any particular reason you must use the proprietary drivers? I've personally never been able to get them to work on any distro before using Arch Linux, and I just use the open source ones here.
And as a follow up question to any experienced users of linux-grsec.. Is it recommended to uninstall the normal linux kernel if you're using linux-grsec? Would it pose a security risk in any way to keep the original? (in the sense that it may defeat the purpose of booting grsec)
(edited by amanda, because it's not true anymore)
But I'll re-test the open source drivers today, if their performance is good then I'll stick to them!
Last edited by Amanda (2015-08-14 00:05:55)
ATM Catalyst doesn't support the grsec kernel; I'm getting these errors on module build:
cc1: error: incompatible gcc/plugin versions
cc1: error: fail to initialize plugin ./tools/gcc/constify_plugin.so
cc1: error: incompatible gcc/plugin versions
cc1: error: fail to initialize plugin ./tools/gcc/stackleak_plugin.so
cc1: error: incompatible gcc/plugin versions
cc1: error: fail to initialize plugin ./tools/gcc/colorize_plugin.so
cc1: error: incompatible gcc/plugin versions
cc1: error: fail to initialize plugin ./tools/gcc/initify_plugin.so
cc1: error: incompatible gcc/plugin versions
cc1: error: fail to initialize plugin ./tools/gcc/kernexec_plugin.so
cc1: error: incompatible gcc/plugin versions
cc1: error: fail to initialize plugin ./tools/gcc/size_overflow_plugin/size_overflow_plugin.so
cc1: error: incompatible gcc/plugin versions
cc1: error: fail to initialize plugin ./tools/gcc/structleak_plugin.so
I will look at it on Saturday
OK
Remember, I use the drivers from your repo, not the AUR.
Thanks!!
Wow! I just tested the open source drivers, and their performance is amazing! Pretty much the same as the proprietary.
Only thing bugging me is this damn screen flickering. I'll create a thread about it since none of my research gave results.
I remember seeing a significant enough amount of screen flickering to notice back when I first installed arch, but since then, I must've done something that corrected it. I only see a very slight amount that's practically unnoticeable.
I'm no expert, but did you add the radeon module in your mkinitcpio.conf?
Yes, I followed the wiki to the letter
Nowadays the drivers are so good, I can't even believe it. They're better than the proprietary! Much better.
I'll upgrade to 4.1.5 (grsec) and see if the flickering disappears.
Damn. Flickering stops, but Steam won't open, I get a ton of permission denied errors. I was supposed to finish this tonight, guess I'll lose a few hours doing research.
Last edited by Amanda (2015-08-14 01:06:41)
Really just unraveling many different subsequent issues, aren't we? I just tried as well to see if Steam would run, and it won't now using grsec.
Do you use the script from the wiki to launch Steam? I put it into a file called steam.sh to launch Steam like so: https://bpaste.net/raw/84c7dfc35bda
$ steam
/home/yoshi/.local/share/Steam/steam.sh: line 161: VERSION_ID: unbound variable
/home/yoshi/.local/share/Steam/steam.sh: line 161: VERSION_ID: unbound variable
Running Steam on arch 64-bit
/home/yoshi/.local/share/Steam/steam.sh: line 161: VERSION_ID: unbound variable
STEAM_RUNTIME is enabled automatically
/home/yoshi/.local/share/Steam/ubuntu12_32/steam: error while loading shared libraries: cannot make segment writable for relocation: Permission denied
$ ./steam.sh
/home/yoshi/.local/share/Steam/steam.sh: line 161: VERSION_ID: unbound variable
/home/yoshi/.local/share/Steam/steam.sh: line 161: VERSION_ID: unbound variable
Running Steam on arch 64-bit
/home/yoshi/.local/share/Steam/steam.sh: line 161: VERSION_ID: unbound variable
STEAM_RUNTIME is enabled automatically
/home/yoshi/.local/share/Steam/ubuntu12_32/steam: error while loading shared libraries: cannot make segment writable for relocation: Permission denied
Last edited by BlueYoshi (2015-08-14 02:04:46)
I tried that, no result
I GOT IT!! Holy Zeus!!
Wait for an edit of this thread!
EDIT:
Could you try:
setfattr -n user.pax.flags -v "PEmRS" /home/YourUser/.local/share/Steam/ubuntu12_32/steam
and open Steam through a Terminal to see the output?
Also, note that you're gonna have to set permissions for your games as well. For example, Counter Strike:
setfattr -n user.pax.flags -v "PEmRS" /home/amanda/.steam/steam/steamapps/common/Half-Life/hl_linux
Last edited by Amanda (2015-08-14 18:28:19)
Heh, guess I forgot what I was installing is actually a shield. I just read about paxd and its flags, and tried what you said on running Steam itself.
It works and gets through updating, but it encounters a similar error from earlier like the ones documented on the Steam GitHub repositories and also on Steam's website.
https://github.com/ValveSoftware/steam- … ssues/3851
The error aside from all of the "unbound variable" is: "error while loading shared libraries: cannot make segment writable for relocation: Permission denied"
What architecture are you using?
How is your /etc/sysctl.d/05-grsecurity.conf setup? Steam will run only if the following line is commented out (#):
#kernel.grsecurity.tpe = 1
The only lines I edited on my file are:
kernel.pax.softmode = 0
kernel.grsecurity.disable_priv_io = 1
I'm running x86_64.
The error aside from all of the "unbound variable" is: "error while loading shared libraries: cannot make segment writable for relocation: Permission denied"
Great, now I'm getting this one too.
EDIT: looks like Pax Flags are not set upon reboot. Weird. I just set the flags again and it worked.
EDIT: I think you need to allow Steam to run for the first time without mitigations in order for it to work later with mitigations. This worked for me.
Last edited by Amanda (2015-08-15 20:06:45)
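An added helper around the setfattr step from the "I GOT IT" post and the TPE/flags observations above; it is not code from the thread, from Arch's paxd or from grsecurity. PaX reads per-binary flags from the user.pax.flags xattr when the kernel has CONFIG_PAX_XATTR_PAX_FLAGS=y, which the posted config.gz shows. Uppercase enables a feature, lowercase disables it, so "PEmRS" is PAGEEXEC on, EMUTRAMP on, MPROTECT off, RANDMMAP on, SEGMEXEC on: the only mitigation actually relaxed for Steam is MPROTECT, which is what ld.so's "cannot make segment writable for relocation: Permission denied" is about. Two caveats a practitioner would want. First, the xattr lives on the file, not the path, so when a flag seems to have vanished, check whether the file was replaced (Steam's updater rewrites its binaries) before suspecting the reboot. Second, kernel.grsecurity.tpe = 1 together with tpe_invert = 1, as in the dump above, means every user outside gid tpe_gid (200 there) is untrusted and may only execute binaries from root-owned, non-writable directories; $HOME/.local/share/Steam fails that test, so adding your own user to that group keeps TPE on for everyone else instead of commenting the line out. The script assumes the attr package (setfattr/getfattr) and a filesystem with user xattrs.

```shell
#!/bin/sh
# pax_mark.sh -- added example, not code from the thread, Arch's paxd or PaX.
# Validates a user.pax.flags string, explains it, sets it and reads it back.
# Assumptions: setfattr/getfattr from the "attr" package; a filesystem that
# stores user xattrs (ext4/xfs/btrfs do; tmpfs may not).

# pax_flag_name LETTER -> prints the feature the letter controls, fails if unknown.
pax_flag_name() {
    case "$1" in
        P|p) echo PAGEEXEC ;;
        S|s) echo SEGMEXEC ;;
        M|m) echo MPROTECT ;;
        E|e) echo EMUTRAMP ;;
        R|r) echo RANDMMAP ;;
        *)   return 1 ;;
    esac
}

# pax_flags_valid FLAGS -> 0 if non-empty, every letter known, and no feature
# listed twice (so "Mm", enable+disable of MPROTECT, is rejected); 1 otherwise.
pax_flags_valid() {
    flags=$1
    [ -n "$flags" ] || return 1
    seen=""
    while [ -n "$flags" ]; do
        c=${flags%"${flags#?}"}        # first character
        flags=${flags#?}               # drop it
        name=$(pax_flag_name "$c") || return 1
        case "$seen" in *" $name "*) return 1 ;; esac
        seen="$seen $name "
    done
    return 0
}

# pax_flags_describe FLAGS -> one "FEATURE on|off" line per letter.
pax_flags_describe() {
    flags=$1
    while [ -n "$flags" ]; do
        c=${flags%"${flags#?}"}
        flags=${flags#?}
        name=$(pax_flag_name "$c") || { echo "unknown flag '$c'"; return 1; }
        case "$c" in
            P|S|M|E|R) echo "$name on" ;;
            *)         echo "$name off" ;;
        esac
    done
}

# pax_mark FLAGS FILE -> validate, set user.pax.flags, verify by reading back.
# Exit 2 on an invalid flag string, 1 if the xattr could not be set or stored.
pax_mark() {
    pax_flags_valid "$1" || { echo "refusing invalid PaX flags '$1'" >&2; return 2; }
    setfattr -n user.pax.flags -v "$1" "$2" || return 1
    got=$(getfattr --only-values -n user.pax.flags "$2" 2>/dev/null)
    if [ "$got" != "$1" ]; then
        echo "$2: xattr read-back gave '$got', not '$1' (filesystem without user xattrs?)" >&2
        return 1
    fi
    echo "$2: user.pax.flags=$got"
    pax_flags_describe "$got" | sed 's/^/    /'
}
```

Usage for the case in the thread: `pax_mark PEmRS ~/.local/share/Steam/ubuntu12_32/steam`, and again for each game binary such as hl_linux. The read-back is the point of the wrapper: setfattr succeeds silently on the command line, but only a successful getfattr proves the kernel will actually see the flags.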