Artificial truth

The more you see, the less you believe.


Grsec and grub
Tue 26 February 2013

I was updating my router, when I saw that grub's update failed, likely killed by grsecurity.

Symptoms

[146964.723607] PAX: From 192.168.xxx.xxx: execution attempt in: <anonymous mapping>, be327000-be348000 bffdf000
[146964.723817] PAX: terminating task: /usr/sbin/grub-mkdevicemap(grub-mkdevicema):17454, uid/euid: 0/0, PC: be346fb4, SP: be345e4c
[146964.724109] PAX: bytes at PC: b9 a8 6f 34 be e9 22 2e d0 49 34 be f5 67 d2 b2 90 05 eb b2
[146964.724542] PAX: bytes at SP-4: 00000000 0804a232 0aa98480 00000000 00000008 08049e20 00000000 00000000 00000000 00000000 00000000 0aa943d0 00000003 00000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[146964.725100] grsec: From 192.168.xxx.xxx: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/sbin/grub-mkdevicemap[grub-mkdevicema:17454] uid/euid:0/0 gid/egid:0/0, parent /var/lib/dpkg/info/grub-pc.postinst[grub-pc.postins:17450] uid/euid:0/0 gid/egid:0/0

Solution

apt-get install pax-utils
paxctl -c /usr/sbin/grub-mkdevicemap    # convert PT_GNU_STACK into a PT_PAX_FLAGS program header
paxctl -z /usr/sbin/grub-mkdevicemap    # zero the PaX flags of this binary
paxctl -c /usr/bin/grub-script-check
paxctl -z /usr/bin/grub-script-check    # same for grub-script-check (the original post re-targeted grub-mkdevicemap here by mistake)
update-grub                             # re-run the step that was killed

Explanation

This is happening because I used the Restrict mprotect() option in my kernel (see phrack 60:6), which prevents anonymous memory from ever being made executable; the first PAX line above shows exactly that, an execution attempt inside an anonymous mapping. Since grub-* doesn't have the PT_PAX_FLAGS program header, paxctl -c $bin will create it by converting the PT_GNU_STACK program header. Then, paxctl -z $bin will disable all PaX related protection for $bin. Grub is now free to do its weird things without being bugged by grsec anymore.
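To see what paxctl is actually touching, here is an added example (Python, not code from this post or from the paxctl project) that parses the program headers of an ELF image, reports whether it carries PT_GNU_STACK and/or PT_PAX_FLAGS, and emulates the header rewrite that `paxctl -c` and `paxctl -m` perform. The PT_PAX_FLAGS type value and the per-feature flag bits are the ones from the PaX patch's elf.h; the exact way paxctl rewrites p_flags during conversion is an assumption here, and the ELF32 image the script operates on is constructed in memory to mirror the grub-mkdevicemap situation (no PT_PAX_FLAGS header yet).

```python
"""Inspect and rewrite PaX program headers of an ELF image held in memory.

Added example for this post, not paxctl's code. The header-rewrite steps
are an emulation (assumption) of `paxctl -c` / `paxctl -m`, done on a
constructed ELF32 image so it runs without a grsecurity kernel.
"""
import struct

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551   # GNU extension: stack permissions
PT_PAX_FLAGS = 0x65041580   # PaX extension: per-binary PaX flags (from the PaX patch's elf.h)

# In PT_PAX_FLAGS.p_flags, feature n uses bit 2n+4 to force-enable and bit 2n+5 to force-disable.
PAX_FEATURES = ("PAGEEXEC", "SEGMEXEC", "MPROTECT", "RANDEXEC", "EMUTRAMP", "RANDMMAP")
PAX_BITS = {}
for _i, _name in enumerate(PAX_FEATURES):
    PAX_BITS[_name] = 1 << (4 + 2 * _i)          # e.g. MPROTECT   = 1 << 8
    PAX_BITS["NO" + _name] = 1 << (5 + 2 * _i)   # e.g. NOMPROTECT = 1 << 9


def _layout(data):
    """Return (phoff, phentsize, phnum, phdr struct format, index of p_type, index of p_flags)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    endian = "<" if data[5] == 1 else ">"
    if data[4] == 2:  # ELFCLASS64
        hdr = struct.unpack_from(endian + "HHIQQQIHHHHHH", data, 16)
        fmt, type_idx, flags_idx = endian + "IIQQQQQQ", 0, 1   # Elf64_Phdr: p_flags right after p_type
    else:             # ELFCLASS32
        hdr = struct.unpack_from(endian + "HHIIIIIHHHHHH", data, 16)
        fmt, type_idx, flags_idx = endian + "8I", 0, 6          # Elf32_Phdr: p_flags is the 7th word
    e_phoff, e_phentsize, e_phnum = hdr[4], hdr[8], hdr[9]
    return e_phoff, e_phentsize, e_phnum, fmt, type_idx, flags_idx


def program_headers(data):
    """Yield (index, p_type, p_flags) for every program header."""
    phoff, phentsize, phnum, fmt, ti, fi = _layout(data)
    for i in range(phnum):
        fields = struct.unpack_from(fmt, data, phoff + i * phentsize)
        yield i, fields[ti], fields[fi]


def pax_status(data):
    """What a PaX kernel would find: is there a PT_GNU_STACK, and which PaX flags are set (None = no PT_PAX_FLAGS)."""
    status = {"gnu_stack": False, "pax_flags": None}
    for _, p_type, p_flags in program_headers(data):
        if p_type == PT_GNU_STACK:
            status["gnu_stack"] = True
        elif p_type == PT_PAX_FLAGS:
            status["pax_flags"] = sorted(name for name, bit in PAX_BITS.items() if p_flags & bit)
    return status


def _rewrite_phdr(data, index, p_type=None, p_flags=None):
    """Return a copy of the image with one program header's p_type and/or p_flags replaced."""
    phoff, phentsize, _, fmt, ti, fi = _layout(data)
    buf = bytearray(data)
    off = phoff + index * phentsize
    fields = list(struct.unpack_from(fmt, buf, off))
    if p_type is not None:
        fields[ti] = p_type
    if p_flags is not None:
        fields[fi] = p_flags
    struct.pack_into(fmt, buf, off, *fields)
    return bytes(buf)


def convert_gnu_stack(data):
    """Emulate `paxctl -c`: retype the PT_GNU_STACK header as PT_PAX_FLAGS with no PaX bits set
    (zero flags = kernel defaults). The zeroing is an assumption about paxctl, not taken from its source."""
    for i, p_type, _ in program_headers(data):
        if p_type == PT_GNU_STACK:
            return _rewrite_phdr(data, i, p_type=PT_PAX_FLAGS, p_flags=0)
    raise ValueError("no PT_GNU_STACK header to convert")


def set_pax_flag(data, feature, enabled):
    """Emulate `paxctl -m` (enabled=False) or `paxctl -M` (enabled=True) for one feature name."""
    for i, p_type, p_flags in program_headers(data):
        if p_type == PT_PAX_FLAGS:
            on, off = PAX_BITS[feature], PAX_BITS["NO" + feature]
            p_flags = (p_flags & ~(on | off)) | (on if enabled else off)
            return _rewrite_phdr(data, i, p_flags=p_flags)
    raise ValueError("no PT_PAX_FLAGS header; convert PT_GNU_STACK first")


def build_sample_elf32():
    """Constructed ELF32 little-endian x86 image with only PT_LOAD and PT_GNU_STACK,
    i.e. the header state the post describes for grub-mkdevicemap. Not a real binary."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)        # class 32, LE, version 1, SysV ABI
    phoff, phentsize, phnum = 52, 32, 2
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x8048000, phoff, 0, 0, 52, phentsize, phnum, 0, 0, 0)
    load = struct.pack("<8I", PT_LOAD, 0, 0x8048000, 0x8048000, 116, 116, 5, 0x1000)  # PF_R|PF_X
    stack = struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, 6, 16)                   # PF_R|PF_W: non-exec stack
    return ehdr + load + stack


if __name__ == "__main__":
    img = build_sample_elf32()
    print("before:", pax_status(img))                 # no PT_PAX_FLAGS, so kernel defaults apply
    img = convert_gnu_stack(img)                      # like paxctl -c
    img = set_pax_flag(img, "MPROTECT", False)        # like paxctl -m
    print("after: ", pax_status(img))
```

Run against the constructed image, `pax_status` first reports a PT_GNU_STACK and no PaX header at all, which is why the kernel-wide mprotect() restriction applied to grub unchanged; after the conversion the binary carries a PT_PAX_FLAGS header whose bits are what the kernel consults per binary, and setting NOMPROTECT there is the narrow alternative to zeroing everything with `-z`. Pointing `program_headers`/`pax_status` at `open(path, "rb").read()` for a real binary is the same check `paxctl -v` performs.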