usb_inst.sh: fail on PaX kernel [workaround]

powerman
Posts: 1
Joined: 16 Oct 2013, 00:39


Postby powerman » 16 Oct 2013, 00:51

On Hardened Gentoo Linux (and, I suppose, on any other kernel with the PaX patch) the usb_inst.sh script fails because it attempts to run binaries that use RWX mmap, and thus they are killed by the kernel because of PaX:

/mnt/iso # bash ./usb_inst.sh
Device [/dev/sdb] detected as [Corsair  Flash Voyager   ] is removable and size=7648MB
* Device [/dev/sdb] is not mounted
PROT_EXEC|PROT_WRITE failed.
PROT_EXEC|PROT_WRITE failed.

And this is from kernel log:

2013-10-16_00:42:37.80910 kern.alert: grsec: denied RWX mmap of <anonymous mapping> by /var/tmp/usb_inst.tmp/dialog[dialog:20877] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:20830] uid/euid:0/0 gid/egid:0/0
2013-10-16_00:42:37.82410 kern.alert: grsec: denied RWX mmap of <anonymous mapping> by /var/tmp/usb_inst.tmp/dialog[dialog:20883] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:20830] uid/euid:0/0 gid/egid:0/0
2013-10-16_00:42:37.82411 kern.alert: grsec: denied RWX mmap of <anonymous mapping> by /var/tmp/usb_inst.tmp/dialog[dialog:20884] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:20830] uid/euid:0/0 gid/egid:0/0

To fix this we need to run `paxctl -m` or `paxctl-ng -m` on a few binaries before running them, to partially relax PaX protection for these binaries. Here is the patch:

--- usb_inst.sh   2013-03-24 20:53:05.000000000 +0200
+++ usb_inst.sh   2013-10-16 03:28:35.238234236 +0300
@@ -565,6 +565,9 @@
    PROG_MKVFATFS="${TMPDIR}/mkfs.vfat"
    PROG_SYSLINUX="${TMPDIR}/syslinux"
    PROG_DIALOG="${TMPDIR}/dialog"
+   paxctl-ng -m ${PROG_DIALOG}
+   paxctl-ng -m ${PROG_INSTMBR}
+   paxctl-ng -m ${PROG_MKVFATFS}
    # syslinux requires mtools
    ln -s mtools ${TMPDIR}/mcopy
    ln -s mtools ${TMPDIR}/mmove
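Review bot: the three `paxctl-ng -m` lines added after `PROG_DIALOG=` run unconditionally and ignore their exit status, so on a host without paxctl-ng (any non-PaX system this ISO is normally used on) the script prints three "command not found" errors, and on a PaX host a failed relax goes unnoticed until the binary is killed later. Guard the calls and fail early, e.g. `for p in "${PROG_DIALOG}" "${PROG_INSTMBR}" "${PROG_MKVFATFS}"; do command -v paxctl-ng >/dev/null 2>&1 && { paxctl-ng -m "$p" || exit 1; }; done`, which also quotes `${TMPDIR}`-derived paths. The post mentions `paxctl -m` as an alternative but the hunk hard-codes paxctl-ng only, and the kernel log above shows only dialog being denied, so a one-line comment saying why instmbr and mkfs.vfat are relaxed as well would help the next reader.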

But we can't patch this script itself because it's on a read-only mounted ISO, and it refuses to work when started from another directory. So, let's save the patched script to /tmp/usb_inst.sh and run it with a faked $0 using this trick:

/mnt/iso # bash -c '. /tmp/usb_inst.sh' usb_inst.sh
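As an added example, not part of powerman's post and not code from the usb_inst.sh script, the two ideas above rolled into a small bash helper: a `relax_pax` function that applies `paxctl-ng -m` (or `paxctl -m`) only when one of those tools is installed and reports failure, and a `run_with_fake_argv0` function that reproduces the `bash -c '. script' name` trick. The stand-in script written by `write_demo_script`, which only checks the basename of `$0`, is a hypothetical substitute for the real script's directory check.

```shell
#!/bin/bash
# Added example, not from the original post or the usb_inst.sh script.

# relax_pax BIN...: disable MPROTECT (-m) on each binary with paxctl-ng,
# falling back to paxctl; a no-op on hosts without either tool.
# Returns 1 if any relax call fails, so callers can stop early.
relax_pax() {
    local tool bin rc=0
    for tool in paxctl-ng paxctl; do
        command -v "$tool" >/dev/null 2>&1 && break
        tool=""
    done
    [ -n "$tool" ] || return 0
    for bin in "$@"; do
        "$tool" -m "$bin" || rc=1
    done
    return $rc
}

# write_demo_script FILE: writes a hypothetical stand-in for usb_inst.sh
# that refuses to run unless $0 looks like "usb_inst.sh". The real script
# checks its directory instead; this only models the "wrong $0" failure.
write_demo_script() {
    cat >"$1" <<'EOF'
if [ "$(basename -- "$0")" != "usb_inst.sh" ]; then
    echo "run me as usb_inst.sh" >&2
    return 1 2>/dev/null || exit 1
fi
echo "ok:$0"
EOF
}

# run_with_fake_argv0 FILE NAME: source FILE in a child bash whose $0 is
# NAME, exactly what `bash -c '. /tmp/usb_inst.sh' usb_inst.sh` does.
# The sourced script's output and exit status pass straight through.
run_with_fake_argv0() {
    bash -c ". \"$1\"" "$2"
}
```

Usage: `write_demo_script /tmp/demo.sh; run_with_fake_argv0 /tmp/demo.sh usb_inst.sh` prints `ok:usb_inst.sh`, while `run_with_fake_argv0 /tmp/demo.sh other.sh` fails with the "run me as" message; `relax_pax "$TMPDIR/dialog" "$TMPDIR/instmbr"` is the guarded form of the three lines in the patch.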
