usb_inst.sh: fail on PaX kernel [workaround]

Post there if you have problem when downloading the iso, or burning it.
Post Reply
powerman
Posts: 1
Joined: 16 Oct 2013, 00:39

usb_inst.sh: fail on PaX kernel [workaround]

Post by powerman » 16 Oct 2013, 00:51

On Hardened Gentoo Linux (and, I suppose, on any other kernel with PaX patch) usb_inst.sh script fails because it attempt to run binaries which use RWX mmap and thus they are killed by kernel because of PaX:

Code: Select all

/mnt/iso # bash ./usb_inst.sh 
Device [/dev/sdb] detected as [Corsair  Flash Voyager   ] is removable and size=7648MB
* Device [/dev/sdb] is not mounted
PROT_EXEC|PROT_WRITE failed.
PROT_EXEC|PROT_WRITE failed.
And this is from kernel log:

Code: Select all

2013-10-16_00:42:37.80910 kern.alert: grsec: denied RWX mmap of <anonymous mapping> by /var/tmp/usb_inst.tmp/dialog[dialog:20877] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:20830] uid/euid:0/0 gid/egid:0/0
2013-10-16_00:42:37.82410 kern.alert: grsec: denied RWX mmap of <anonymous mapping> by /var/tmp/usb_inst.tmp/dialog[dialog:20883] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:20830] uid/euid:0/0 gid/egid:0/0
2013-10-16_00:42:37.82411 kern.alert: grsec: denied RWX mmap of <anonymous mapping> by /var/tmp/usb_inst.tmp/dialog[dialog:20884] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:20830] uid/euid:0/0 gid/egid:0/0
To fix this we need to run `paxctl -m` or `paxctl-ng -m` on few binaries before running them to partially relax PaX protection for these binaries. Here is the patch:

Code: Select all

--- usb_inst.sh	2013-03-24 20:53:05.000000000 +0200
+++ usb_inst.sh	2013-10-16 03:28:35.238234236 +0300
@@ -565,6 +565,9 @@
 	PROG_MKVFATFS="${TMPDIR}/mkfs.vfat"
 	PROG_SYSLINUX="${TMPDIR}/syslinux"
 	PROG_DIALOG="${TMPDIR}/dialog"
+	paxctl-ng -m ${PROG_DIALOG}
+	paxctl-ng -m ${PROG_INSTMBR}
+	paxctl-ng -m ${PROG_MKVFATFS}
 	# syslinux requires mtools
 	ln -s mtools ${TMPDIR}/mcopy
 	ln -s mtools ${TMPDIR}/mmove
But we can't patch this script itself because it's on read-only mounted iso, and it refuses to work when started from another directory. So, let's save patched script to /tmp/usb_inst.sh and run it with faked $0 using this trick:

Code: Select all

/mnt/iso # bash -c '. /tmp/usb_inst.sh' usb_inst.sh

Post Reply