kang | 9 Jan 02:37 2005

Re: patch-2.6.10-v1.2.3 in pre

Amon Ott wrote:

>Hi folks,
>
>RSBAC v1.2.3 has been ported to kernel 2.6.10. Patch and pre-patched 
>kernel are now uploading to http://rsbac.org/download/pre/
>
>Amon.
>  
>

Hi,

I got some probs with it. I use gcc 3.4.3 and pax test 17:

- "hook": if your MAC system uses the pax_set_flags_func callback.
=> It seems there is no pax_set_flags_func in the pax patch? Compilation fails, so I replaced it with
pax_set_initial_flags_func, but I guess that's probably not right :)
=> I of course had "Hook" mode in kernel config.

Then later, seems like a rsbac issue:
  CC      mm/mmap.o
mm/mmap.c: In function `__vm_stat_account':
mm/mmap.c:758: warning: unused variable `rsbac_target'
mm/mmap.c:759: warning: unused variable `rsbac_target_id'
mm/mmap.c:760: warning: unused variable `rsbac_attribute_value'
mm/mmap.c: In function `__do_mmap_pgoff':
mm/mmap.c:1009: error: `rsbac_target' undeclared (first use in this function)
mm/mmap.c:1009: error: (Each undeclared identifier is reported only once
mm/mmap.c:1009: error: for each function it appears in.)

Murf | 8 Jan 22:33 2005

PAX PAGEXEC doesn't work on 2.6.7 rsbac kernel

Hello everybody!

I downloaded prepatched kernel 
linux-2.6.7-rsbac-v1.2.3-bf2-pax-200406252135 from rsbac.org.

* When I created kernel with rsbac and pax enabled, paxtest
reports me all things related to execute code in non executable
memory as "Vulnerable". Randomization works ok.

* When I created the same kernel with pax enabled, but rsbac disabled
paxtest reports things related to execution correctly (code Killed).

You can find these files in attachment:

only_pax_paxtest.log ... paxtest report when run only pax enabled kernel
only_pax_config ... config of only pax enabled kernel

rsbac_pax_paxtest.log ... paxtest report when run rsbac and pax together
rsbac_pax_config ... config of rsbac + pax enabled kernel

Notes:
Paxtest is version 0.9.6 and I run Gentoo Hardened x86 with enabled 
SSP+PIE. The same result is achieved by both kiddie and blackhat mode.
Things didn't change when I try both hook and direct as MAC integration.

Thank you for any suggestion!

Bye!

Amon Ott | 9 Jan 20:43 2005

Re: patch-2.6.10-v1.2.3 in pre

On Sonntag, 9. Januar 2005 02:37, kang wrote:
> Amon Ott wrote:
> >RSBAC v1.2.3 has been ported to kernel 2.6.10. Patch and pre-patched
> >kernel are now uploading to http://rsbac.org/download/pre/

> I got some probs with it. I use gcc 3.4.3 and pax test 17:
> 
> - "hook": if your MAC system uses the pax_set_flags_func callback.
> => It seems there is no pax_set_flags_func in the pax patch? Compilation fails, so I replaced it with
> pax_set_initial_flags_func, but I guess that's probably not right :)
> => I of course had "Hook" mode in kernel config.

The new PaX test versions for 2.6.10 changed the names of these 
functions and the place for the PaX flags, so it does not work. I 
will create a v1.2.3 bugfix as soon as the final PaX for 2.6.10 has 
been released.

The attached patch worked with PaX test11 on my test system, but it 
might not work correctly with another test version.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
Attachment (pax.diff): text/x-diff, 1241 bytes

Amon Ott | 10 Jan 16:31 2005

Medium Bugfixes v1.2.3-10 and v1.2.3-11

Medium RSBAC Bugfixes v1.2.3-10 and v1.2.3-11 have been released:

10. General/Kernels 2.6: Lockups with secure_delete

    * Urgency: Medium.
    * What you see: 2.6 kernels can lockup when files are deleted with secure_delete.
    * What is wrong: The secure_delete code tries to acquire a lock, which is already held by the kernel unlink function.
    * Implications: Possible lockup.
    * RSBAC versions affected: 1.2.3.
    * Bugtracker issue: None.
    * What you should do: Apply this patch (MD5 / GnuPG Cert) to get the bug corrected, recompile the kernel, reinstall and reboot.

11. General/Kernel 2.6.10: PaX and RSBAC PAX module do not compile together

    * Urgency: Medium.
    * What you see: Kernel 2.6.10 with PaX patch does not compile together with the RSBAC PAX module.
    * What is wrong: The PaX interception function has been renamed, and the PaX process flags have moved to another place.
    * Implications: 2.6.10 cannot be controlled by RSBAC module.
    * RSBAC versions affected: 1.2.3.
    * Bugtracker issue: None.
    * What you should do: Apply this patch (MD5 / GnuPG Cert) to get the RSBAC PAX module updated, recompile the kernel, reinstall and reboot.


Amon Ott | 10 Jan 16:34 2005

Re: patch-2.6.10-v1.2.3 in pre

On Mittwoch, 29. Dezember 2004 13:46, Amon Ott wrote:
> RSBAC v1.2.3 has been ported to kernel 2.6.10. Patch and pre-patched 
> kernel are now uploading to http://rsbac.org/download/pre/

The patch has been moved to its official place. The pre-patched kernel 
has been updated to bugfix 11 and is now uploading to the kernels 
dir.

In the pre dir you will also find a pre-patched 2.6.10 kernel with the 
latest PaX test version test17, which seems to be running quite well.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
_______________________________________________
rsbac mailing list
rsbac <at> rsbac.org
http://www.rsbac.org/mailman/listinfo/rsbac
Amon Ott | 10 Jan 16:40 2005

Re: PAX PAGEXEC doesn't work on 2.6.7 rsbac kernel

On Montag, 10. Januar 2005 10:20, Andrea Pasquinucci wrote:
> Hi, I attach the paxtest-0.6.9 output from one of my machines running
> 2.6.7-rsbac-v1.2.3-bf7-pax-soft built from the same prepatched kernel.
> You can find the kernel I use on http://fedora.rsbac.mprivacy-update.de/
> as RPM. As you see, all the first tests are killed, so there should be
> something wrong in your building the kernel. I attach also my kernel
> config for you to check.

The issue has just been solved: The RSBAC default PaX flags do not 
enable PAGEEXEC, which was the recommended behaviour. The kernel in 
question had no SEGMEXEC support, so no protection was left.

If you encounter the same problem, either apply bugfix v1.2.3-11, 
which adds the flag, or change it by hand in include/rsbac/types.h.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
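
A triage sketch for the failure mode discussed in this thread, added here as an example (it is not code from the thread, from RSBAC or from PaX): it tells "no non-executable-memory method was compiled in" apart from "a method was compiled in but the process flags leave it off". The sample log and config are constructed, and the `name : result` line layout and the `CONFIG_PAX_*` symbol names are assumptions about paxtest output and the PaX patch.

```python
import re

# Constructed sample inputs, not the files attached to the thread.
SAMPLE_LOG = """\
Mode: blackhat
Executable anonymous mapping             : Vulnerable
Executable bss                           : Vulnerable
Executable stack                         : Vulnerable
Anonymous mapping randomisation test     : 16 bits (guessed)
"""
SAMPLE_CONFIG = """\
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
# CONFIG_PAX_SEGMEXEC is not set
CONFIG_PAX_ASLR=y
"""
METHODS = ("CONFIG_PAX_PAGEEXEC", "CONFIG_PAX_SEGMEXEC")

def parse_paxtest(log):
    """Map each 'name : result' line of a paxtest log to its result."""
    results = {}
    for line in log.splitlines():
        m = re.match(r"(.+?)\s*:\s*(.+)$", line)
        if m:
            results[m.group(1).strip()] = m.group(2).strip()
    return results

def enabled_options(config):
    """Return the CONFIG_* symbols set to y in a kernel .config."""
    return set(re.findall(r"^(CONFIG_\w+)=y$", config, re.M))

def triage(log, config):
    """Separate 'not compiled in' from 'compiled in but not switched on'."""
    results = parse_paxtest(log)
    # Only the non-executable-memory tests; randomisation is reported apart.
    vulnerable = sorted(name for name, res in results.items()
                        if name.startswith("Executable") and res == "Vulnerable")
    methods = sorted(o for o in METHODS if o in enabled_options(config))
    if not vulnerable:
        verdict = "ok"
    elif not methods:
        verdict = "no non-exec method compiled in"
    else:
        # The case from the thread: support is built, per-task flags leave it off.
        verdict = "compiled in, not enforced: check default PaX flags"
    return {"vulnerable": vulnerable, "methods": methods, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_CONFIG))
```
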
Andrea Pasquinucci | 10 Jan 10:20 2005

Re: PAX PAGEXEC doesn't work on 2.6.7 rsbac kernel

Hi, I attach the paxtest-0.6.9 output from one of my machines running 
2.6.7-rsbac-v1.2.3-bf7-pax-soft built from the same prepatched kernel. 
You can find the kernel I use on http://fedora.rsbac.mprivacy-update.de/ 
as RPM. As you see, all the first tests are killed, so there should be 
something wrong in your building the kernel. I attach also my kernel 
config for you to check.

Andrea

On Sat, Jan 08, 2005 at 10:33:53PM +0100, Murf wrote:
* Hello everybody!
* 
* I downloaded prepatched kernel 
* linux-2.6.7-rsbac-v1.2.3-bf2-pax-200406252135 from rsbac.org.
* 
* * When I created kernel with rsbac and pax enabled, paxtest
* reports me all things related to execute code in non executable
* memory as "Vulnerable". Randomization works ok.
* 
* * When I created the same kernel with pax enabled, but rsbac disabled
* paxtest reports things related to execution correctly (code Killed).
* 
* You can find these files in attachment:
* 
* only_pax_paxtest.log ... paxtest report when run only pax enabled kernel
* only_pax_config ... config of only pax enabled kernel
* 
* rsbac_pax_paxtest.log ... paxtest report when run rsbac and pax together

Amon Ott | 10 Jan 17:01 2005

Bugfixing the kernel uselib vulnerability

Several new vulnerabilities have been found for kernel 2.4.28, the 
most important one got known as uselib bug.

The more or less official bugfix, which also made its way into 
2.4.29-rc1, does not apply cleanly to an RSBAC patched kernel. The 
attached patch is a modified version, which does apply without 
rejects. The fix should be correct, but please recheck yourself.

Please note that there have also been several vulnerabilities found in 
kernel 2.6.10 (as in almost any kernel in the 2.6 series so far). I 
strongly recommend to at least follow the -ac patches by Alan Cox, if 
you happen to use 2.6 kernels for production use.

The pre-patched RSBAC kernels do not contain third party fixes, it is 
impossible to maintain all these patches here!

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
Attachment (rsbac-uselib.diff): text/x-diff, 8 KiB

Andrea Pasquinucci | 12 Jan 11:29 2005

Re: Bugfixing the kernel uselib vulnerability

On Mon, Jan 10, 2005 at 05:01:52PM +0100, Amon Ott wrote:
* Several new vulnerabilities have been found for kernel 2.4.28, the 
* most important one got known as uselib bug.
* 
* The more or less official bugfix, which also made its way into 
* 2.4.29-rc1, does not apply cleanly to an RSBAC patched kernel. The 
* attached patch is a modified version, which does apply without 
* rejects. The fix should be correct, but please recheck yourself.
* 
* Please note that there have also been several vulnerabilities found in 
* kernel 2.6.10 (as in almost any kernel in the 2.6 series so far). I 
* strongly recommend to at least follow the -ac patches by Alan Cox, if 
* you happen to use 2.6 kernels for production use.
* 
* The pre-patched RSBAC kernels do not contain third party fixes, it is 
* impossible to maintain all these patches here!

I perfectly understand your point, but this creates sometimes a problem
for people like me. Little explanation, I do not have the time right now
to try to patch the kernel (2.6.10 or 2.4.28) with the security fixes,
then try to patch it with rsbac and if successful try to compile and if
successful try it on a machine just to discover that it crashes (kernel
panic on boot). Obviously I did something wrong... But I do not have the
time right now to do anything else, so I have to decide if to keep a
buggy kernel with rsbac or to use a patched vendor kernel without rsbac.
Today I decided for the vendor kernel and to wait until there will be a
patched rsbac kernel (hopefully with 2.6.11).

I suspect that there are many in my situation. So I have a suggestion,
can we try to produce pre-patched RSBAC kernel with the main security

Murf | 12 Jan 11:48 2005

Re: Bugfixing the kernel uselib vulnerability

Hello,

You can apply security patches from
http://www.grsecurity.org/grsecurity-2.1.0-2.6.10-200501081640.patch.

It works for me, kernel build is without problem. You have
to patch it after all the patches (pax and rsbac). It also contains
a correction for the use-lib bug (I didn't check it. It was
said to me by the author of that patch).

Also you can wait until there is an rsbac ebuild in Gentoo that
kang is preparing. Other distributions hardly have prebuilt
packages with rsbac.

Regards,

Murf

Andrea Pasquinucci wrote:
> On Mon, Jan 10, 2005 at 05:01:52PM +0100, Amon Ott wrote:
> * Several new vulnerabilities have been found for kernel 2.4.28, the 
> * most important one got known as uselib bug.
> * 
> * The more or less official bugfix, which also made its way into 
> * 2.4.29-rc1, does not apply cleanly to an RSBAC patched kernel. The 
> * attached patch is a modified version, which does apply without 
> * rejects. The fix should be correct, but please recheck yourself.
> * 
> * Please note that there have also been several vulnerabilities found in 
> * kernel 2.6.10 (as in almost any kernel in the 2.6 series so far). I 