| View previous topic :: View next topic |
| Author |
Message |
miroR
l33t
Joined: 05 Mar 2008
Posts: 826
|
 Posted: Mon Dec 21, 2015 11:54 am Post subject: Clamav not paxctl-ng treated for grsecurity-hardened kernels |
 |
|
title: Clamav not paxctl-ng treated for grsecurity-hardened kernels.
---
This is what I got on boot, after upgrading my system (including clamav):
| Code: |
...
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
* Starting clamd ... [ ok ]
* Starting freshclam ... [ ok ]
* Starting conntrackd ... [ ok ]
* Starting dcron ... [ ok ]
* Starting gpm ... [ ok ]
...
|
( and here, after gpm started, I selected the above, and was able to paste it in this text )
And now follows the entire recount of how I tackled this problem.
| Code: |
# for i in $(echo clamd clamdscan clamscan freshclam); do which $i; done;
|
| Code: |
# for i in $(echo clamd clamdscan clamscan freshclam); do which $i >> clamav_list; done;
|
The above gets me, of course:
| Code: |
# cat clamav_list
/usr/sbin/clamd
/usr/bin/clamdscan
/usr/bin/clamscan
/usr/bin/freshclam
#
|
And on that list I'll do some tiny batch operations. All the following are somewhat cleaned up real pastes from my urxvt terminal. People with grsecurity-hardened kernel, and clamav installed, should be able to follow and check.
| Code: |
# for i in $(cat clamav_list); do paxctl-ng -v $i; done;
/usr/sbin/clamd:
open(O_RDWR) failed: cannot change PT_PAX flags
PT_PAX : -e---
XATTR_PAX : not found
/usr/bin/clamdscan:
PT_PAX : -e---
XATTR_PAX : not found
/usr/bin/clamscan:
PT_PAX : -e---
XATTR_PAX : not found
/usr/bin/freshclam:
open(O_RDWR) failed: cannot change PT_PAX flags
PT_PAX : -e---
XATTR_PAX : not found
#
|
So probably these actions are in order:
| Code: |
# /etc/init.d/clamd stop
* Stopping clamd ... [ ok ]
* Stopping freshclam ... [ ok ]
#
|
and:
| Code: |
# for i in $(cat clamav_list); do paxctl-ng -F $i; done;
|
After which:
| Code: |
# for i in $(cat clamav_list); do paxctl-ng -v $i; done;
/usr/sbin/clamd:
PT_PAX : -e---
XATTR_PAX : -e---
/usr/bin/clamdscan:
PT_PAX : -e---
XATTR_PAX : -e---
/usr/bin/clamscan:
PT_PAX : -e---
XATTR_PAX : -e---
/usr/bin/freshclam:
PT_PAX : -e---
XATTR_PAX : -e---
#
|
But:
| Code: |
# /etc/init.d/clamd start
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
* Starting clamd ... [ ok ]
* Starting freshclam ... [ ok ]
|
shows that it's not done yet.
So probably:
| Code: |
# /etc/init.d/clamd stop
* Stopping clamd ... [ ok ]
* Stopping freshclam ... [ ok ]
#
|
and:
| Code: |
# for i in $(cat clamav_list); do paxctl-ng -mv $i; done;
/usr/sbin/clamd:
PT_PAX : -em--
XATTR_PAX : -em--
/usr/bin/clamdscan:
PT_PAX : -em--
XATTR_PAX : -em--
/usr/bin/clamscan:
PT_PAX : -em--
XATTR_PAX : -em--
/usr/bin/freshclam:
PT_PAX : -em--
XATTR_PAX : -em--
#
|
But still not there:
| Code: |
# /etc/init.d/clamd start
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
* Starting clamd ... [ ok ]
* Starting freshclam ... [ ok ]
#
|
Let me see the logs. In grsecurity-hardened, it's easy to find what causes the problems, by, in the most cases, grep'ing for the lines containg the string 'denied'. But here, I searched for 'denied RWX mmap' to get just the clamav related denies.
The following (where messages_151221_0756_gbn is the entire /var/log/messages stretch since boot):
| Code: |
# grep -a -r 'denied RWX mmap' messages_151221_0756_gbn | wc -l
16
#
|
on that entire stretch since boot, got roughly exactly all that I've posted that I've done so far (all my tries in those 16 lines)... But all lines contain, and consequently refer only to, /usr/bin/clamconf ! Here is just one, the last, of those lines:
| Code: |
Dec 21 07:52:28 gbn kernel: [ 1368.417807] grsec: (admin:S:/) denied RWX mmap of <anonymous mapping> by /usr/bin/clamconf[clamconf:3724] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:3723] uid/euid:0/0 gid/egid:0/0
|
Because:
| Code: |
# grep -a -r 'denied RWX mmap' messages_151221_0756_gbn | grep -v clamconf
#
|
returns empty! So, trying some more...
| Code: |
# paxctl-ng -v /usr/bin/clamconf
/usr/bin/clamconf:
PT_PAX : -e---
XATTR_PAX : not found
# paxctl-ng -F /usr/bin/clamconf
# paxctl-ng -v /usr/bin/clamconf
/usr/bin/clamconf:
PT_PAX : -e---
XATTR_PAX : -e---
# /etc/init.d/clamd restart
* Stopping clamd ... [ ok ]
* Stopping freshclam ... [ ok ]
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
* Starting clamd ... [ ok ]
* Starting freshclam ... [ ok ]
# |
But here I think I know what's missing:
| Code: |
# paxctl-ng -m /usr/bin/clamconf
|
which gives:
| Code: |
# paxctl-ng -v /usr/bin/clamconf
/usr/bin/clamconf:
PT_PAX : -em--
XATTR_PAX : -em--
|
And now finally:
| Code: |
# /etc/init.d/clamd restart
* Stopping clamd ... [ ok ]
* Stopping freshclam ... [ ok ]
* Starting clamd ... [ ok ]
* Starting freshclam ... [ ok ]
#
|
So my question is: Is this a bug? Would it make sense to try and report it?
Or has the recommendation to use (I don't think, but...) paxctl-ng been abandoned, and now the old paxctl is recommended instead? I really don't think, but...
I remember I have had to do this procedure a few times in the last few months. Exactly every time that I updated clamav.
Anyway, our devs told us they need reports on things grsec-hardened. See here
Intel Subsidiary's Violations Made Grsec withdraw Stable?
https://forums.gentoo.org/viewtopic-t-1031476.html#7835658
(where, in another context, it is asked fo "more reporting" "from our users")
Is this one they would want to have reported? |
|
| Back to top |
|
 |
zorry
Developer
Joined: 30 Mar 2008
Posts: 380
Location: Umeå The north part of scandinavia
|
| Posted: Mon Dec 21, 2015 4:38 pm Post subject: |
|
|
1. Clamav use JIT
2. It test if it can use JIT or not is what you see.
3. If it can't use JIT it disable bytecompileing and work the old way.
4. paxctl-ng is not abandoned but paxctl is on the way out.
_________________
gcc version 6.1.0 (Gentoo Hardened 6.1.0 p1.1) |
|
| Back to top |
|
|
miroR
l33t
Joined: 05 Mar 2008
Posts: 826
|
| Posted: Mon Dec 21, 2015 5:48 pm Post subject: |
|
|
| zorry wrote: | 1. Clamav use JIT
2. It test if it can use JIT or not is what you see. |
OK JIT is (I guess) Just In Time compiling.
Do you mean, that this that I see:
| Code: |
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory:
Operation not permitted
|
is because of JIC (I guess you do)?
I vaguely remember that grsecurity don't like JIT...
| zorry wrote: | | 3. If it can't use JIT it disable bytecompileing and work the old way. |
"it disable bytecompiling" can't figure out what that mean, no time to search for it, thogh...
| zorry wrote: | | 4. paxctl-ng is not abandoned but paxctl is on the way out. |
Sure!
Apparently, it's not a bug that need to be reported, if it is a bug at all.
Thanks! |
|
| Back to top |
|
|
mimosinnet
l33t
Joined: 10 Aug 2006
Posts: 713
Location: Barcelona, Spain
|
| Posted: Sat Apr 15, 2017 3:58 pm Post subject: Re: Clamav not paxctl-ng treated for grsecurity-hardened ker |
|
|
| miroR wrote: | | title: Clamav not paxctl-ng treated for grsecurity-hardened kernels. |
Thanks a lot for the post and the detailed explanation! I have been able to get rid of this ugly message. Cheers!
_________________
Please add [solved] to the initial post's subject line if you feel your problem is resolved.
Take care of the community answering unanswered posts. |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Networking & Security
