Gentoo Forums
Clamav not paxctl-ng treated for grsecurity-hardened kernels
miroR
l33t


Joined: 05 Mar 2008
Posts: 826

Posted: Mon Dec 21, 2015 11:54 am    Post subject: Clamav not paxctl-ng treated for grsecurity-hardened kernels

title: Clamav not paxctl-ng treated for grsecurity-hardened kernels.
---

This is what I got on boot, after upgrading my system (including clamav):

Code:

...
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
 * Starting clamd ...                                                                       [ ok ]
 * Starting freshclam ...                                                                   [ ok ]
 * Starting conntrackd ...                                                                  [ ok ]
 * Starting dcron ...                                                                       [ ok ]
 * Starting gpm ...                                                                         [ ok ]
...


( and here, after gpm started, I selected the above, and was able to paste it in this text )

And now follows the entire recount of how I tackled this problem.

Code:

# for i in $(echo clamd clamdscan clamscan freshclam); do which $i; done;


Code:

# for i in $(echo clamd clamdscan clamscan freshclam); do which $i >> clamav_list; done;


The above gets me, of course:
Code:

# cat clamav_list
/usr/sbin/clamd
/usr/bin/clamdscan
/usr/bin/clamscan
/usr/bin/freshclam
#


And on that list I'll do some tiny batch operations. All the following are somewhat cleaned up real pastes from my urxvt terminal. People with grsecurity-hardened kernel, and clamav installed, should be able to follow and check.

Code:

# for i in $(cat clamav_list); do paxctl-ng -v $i; done;
/usr/sbin/clamd:
   open(O_RDWR) failed: cannot change PT_PAX flags
   PT_PAX    : -e---
   XATTR_PAX : not found

/usr/bin/clamdscan:
   PT_PAX    : -e---
   XATTR_PAX : not found

/usr/bin/clamscan:
   PT_PAX    : -e---
   XATTR_PAX : not found

/usr/bin/freshclam:
   open(O_RDWR) failed: cannot change PT_PAX flags
   PT_PAX    : -e---
   XATTR_PAX : not found

#


So probably these actions are in order:

Code:

# /etc/init.d/clamd stop
 * Stopping clamd ...                                [ ok ]
 * Stopping freshclam ...                            [ ok ]
#


and:

Code:

# for i in $(cat clamav_list); do paxctl-ng -F $i; done;


After which:

Code:

# for i in $(cat clamav_list); do paxctl-ng -v $i; done;
/usr/sbin/clamd:
   PT_PAX    : -e---
   XATTR_PAX : -e---

/usr/bin/clamdscan:
   PT_PAX    : -e---
   XATTR_PAX : -e---

/usr/bin/clamscan:
   PT_PAX    : -e---
   XATTR_PAX : -e---

/usr/bin/freshclam:
   PT_PAX    : -e---
   XATTR_PAX : -e---

#


But:

Code:

# /etc/init.d/clamd start
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
 * Starting clamd ...                                  [ ok ]
 * Starting freshclam ...                              [ ok ]


shows that it's not done yet.

So probably:

Code:

# /etc/init.d/clamd stop
 * Stopping clamd ...                                  [ ok ]
 * Stopping freshclam ...                              [ ok ]
#


and:

Code:

# for i in $(cat clamav_list); do paxctl-ng -mv $i; done;
/usr/sbin/clamd:
   PT_PAX    : -em--
   XATTR_PAX : -em--

/usr/bin/clamdscan:
   PT_PAX    : -em--
   XATTR_PAX : -em--

/usr/bin/clamscan:
   PT_PAX    : -em--
   XATTR_PAX : -em--

/usr/bin/freshclam:
   PT_PAX    : -em--
   XATTR_PAX : -em--

#


But still not there:

Code:

# /etc/init.d/clamd start
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
 * Starting clamd ...                                  [ ok ]
 * Starting freshclam ...                              [ ok ]
#


Let me see the logs. In grsecurity-hardened, it's easy to find what causes the problems by, in most cases, grep'ing for the lines containing the string 'denied'. But here, I searched for 'denied RWX mmap' to get just the clamav related denies.

The following (where messages_151221_0756_gbn is the entire /var/log/messages stretch since boot):

Code:

# grep -a -r 'denied RWX mmap' messages_151221_0756_gbn | wc -l
16
#


on that entire stretch since boot, got roughly exactly all that I've posted that I've done so far (all my tries in those 16 lines)... But all lines contain, and consequently refer only to, /usr/bin/clamconf ! Here is just one, the last, of those lines:

Code:

Dec 21 07:52:28 gbn kernel: [ 1368.417807] grsec: (admin:S:/) denied RWX mmap of <anonymous mapping> by /usr/bin/clamconf[clamconf:3724] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:3723] uid/euid:0/0 gid/egid:0/0


Because:

Code:

# grep -a -r 'denied RWX mmap' messages_151221_0756_gbn  | grep -v clamconf
#


returns empty! So, trying some more...

Code:

# paxctl-ng -v /usr/bin/clamconf
/usr/bin/clamconf:
   PT_PAX    : -e---
   XATTR_PAX : not found

# paxctl-ng -F /usr/bin/clamconf
# paxctl-ng -v /usr/bin/clamconf
/usr/bin/clamconf:
   PT_PAX    : -e---
   XATTR_PAX : -e---

# /etc/init.d/clamd restart
 * Stopping clamd ...                                  [ ok ]
 * Stopping freshclam ...                              [ ok ]
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
 * Starting clamd ...                                  [ ok ]
 * Starting freshclam ...                              [ ok ]
#


But here I think I know what's missing:

Code:

# paxctl-ng -m /usr/bin/clamconf


which gives:

Code:

# paxctl-ng -v /usr/bin/clamconf
/usr/bin/clamconf:
   PT_PAX    : -em--
   XATTR_PAX : -em--


And now finally:

Code:

# /etc/init.d/clamd restart
 * Stopping clamd ...                                  [ ok ]
 * Stopping freshclam ...                              [ ok ]
 * Starting clamd ...                                  [ ok ]
 * Starting freshclam ...                              [ ok ]
#


So my question is: Is this a bug? Would it make sense to try and report it?

Or has the recommendation to use (I don't think, but...) paxctl-ng been abandoned, and now the old paxctl is recommended instead? I really don't think, but...

I remember I have had to do this procedure a few times in the last few months. Exactly every time that I updated clamav.

Anyway, our devs told us they need reports on things grsec-hardened. See here

Intel Subsidiary's Violations Made Grsec withdraw Stable?
https://forums.gentoo.org/viewtopic-t-1031476.html#7835658

(where, in another context, it is asked for "more reporting" "from our users")

Is this one they would want to have reported?
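
The log-first check from the post above (grep for 'denied RWX mmap', then inspect the named binary with paxctl-ng), as an added example that is not part of the original thread: it lists the executables the kernel actually denied and the binaries in a `paxctl-ng -v` listing that lack the `m` flag. The sample log and listing are constructed (only the first log line is the one quoted in the post); the function names and `/opt/example/jitdemo` are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Constructed log: line 1 is the grsec line quoted in the post; the others
# are invented (a repeat, another binary, an unrelated line).
sample_log() {
cat <<'EOF'
Dec 21 07:52:28 gbn kernel: [ 1368.417807] grsec: (admin:S:/) denied RWX mmap of <anonymous mapping> by /usr/bin/clamconf[clamconf:3724] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:3723] uid/euid:0/0 gid/egid:0/0
Dec 21 07:52:29 gbn kernel: [ 1369.000001] grsec: (admin:S:/) denied RWX mmap of <anonymous mapping> by /usr/bin/clamconf[clamconf:3731] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:3730] uid/euid:0/0 gid/egid:0/0
Dec 21 07:52:30 gbn kernel: [ 1370.000002] grsec: (admin:S:/) denied RWX mmap of <anonymous mapping> by /opt/example/jitdemo[jitdemo:3800] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3700] uid/euid:1000/1000 gid/egid:1000/1000
Dec 21 07:52:31 gbn kernel: [ 1371.000003] constructed unrelated line
EOF
}

# Constructed `paxctl-ng -v` output in the format shown in the post.
sample_pax() {
cat <<'EOF'
/usr/sbin/clamd:
   PT_PAX    : -em--
   XATTR_PAX : -em--
/usr/bin/clamconf:
   PT_PAX    : -e---
   XATTR_PAX : not found
EOF
}

# Print "<count> <path>" for every executable named after " by " in a
# 'denied RWX mmap' line, most frequent first. Reads files or stdin.
rwx_denied_binaries() {
    grep -a 'denied RWX mmap' "$@" |
        sed -n 's|.* denied RWX mmap of .* by \(/[^[]*\)\[.*|\1|p' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Read `paxctl-ng -v` output on stdin; print each binary whose PT_PAX or
# XATTR_PAX field is missing or lacks "m" (MPROTECT disabled).
without_m_flag() {
    awk '
        /^\// { path = $0; sub(/:$/, "", path); next }
        /^ *(PT_PAX|XATTR_PAX) *:/ {
            flags = $0; sub(/^[^:]*: */, "", flags)
            if ((flags == "not found" || flags !~ /m/) && !(path in seen)) {
                seen[path] = 1; print path
            }
        }'
}

sample_log | rwx_denied_binaries   # demo run on the constructed data
sample_pax | without_m_flag
```

On a live system the same functions take real input, e.g. `rwx_denied_binaries /var/log/messages` and `paxctl-ng -v /usr/bin/clamconf | without_m_flag`. As zorry's reply in this thread notes, ClamAV works the old way without JIT when the mapping is denied, so the warning by itself does not mean scanning is broken.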
zorry
Developer


Joined: 30 Mar 2008
Posts: 380
Location: Umeå The north part of scandinavia

Posted: Mon Dec 21, 2015 4:38 pm

1. Clamav uses JIT.
2. It tests whether it can use JIT or not; that is what you see.
3. If it can't use JIT, it disables bytecompiling and works the old way.
4. paxctl-ng is not abandoned but paxctl is on the way out.
_________________
gcc version 6.1.0 (Gentoo Hardened 6.1.0 p1.1)
miroR
l33t


Joined: 05 Mar 2008
Posts: 826

Posted: Mon Dec 21, 2015 5:48 pm

zorry wrote:
1. Clamav uses JIT.
2. It tests whether it can use JIT or not; that is what you see.

OK JIT is (I guess) Just In Time compiling.
Do you mean, that this that I see:
Code:

LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory:
Operation not permitted

is because of JIT (I guess you do)?
I vaguely remember that grsecurity doesn't like JIT...
zorry wrote:
3. If it can't use JIT, it disables bytecompiling and works the old way.

"it disable bytecompiling" can't figure out what that means, no time to search for it, though...

zorry wrote:
4. paxctl-ng is not abandoned but paxctl is on the way out.

Sure!
Apparently, it's not a bug that needs to be reported, if it is a bug at all.

Thanks!
mimosinnet
l33t


Joined: 10 Aug 2006
Posts: 660
Location: Barcelona, Spain

Posted: Sat Apr 15, 2017 3:58 pm    Post subject: Re: Clamav not paxctl-ng treated for grsecurity-hardened ker

miroR wrote:
title: Clamav not paxctl-ng treated for grsecurity-hardened kernels.


Thanks a lot for the post and the detailed explanation! I have been able to get rid of this ugly message. Cheers!
_________________
Please add [solved] to the initial post's subject line if you feel your problem is resolved.
Take care of the community answering unanswered posts.