# PAX and nvidia-settings [solved]

## at

I am unsuccessfully trying to use nvidia-settings on 2.6.17-hardened-r1 kernel (AMD64).

nvidia-settings is killed with the following error in /var/log/pax.log:

```
Sep 30 10:59:16 localhost PAX: execution attempt in: /usr/lib64/opengl/nvidia/lib/libGLcore.so.1.0.9625, 37e65f41c000-37e65f546000 006fc000

Sep 30 10:59:16 localhost PAX: terminating task: /usr/bin/nvidia-settings(nvidia-settings):1642, uid/euid: 0/0, PC: 000037e65f49df70, SP: 0000729de5701358

Sep 30 10:59:16 localhost PAX: bytes at PC: 64 48 8b 04 25 90 ff ff ff ff a0 10 08 00 00 cc cc cc cc cc

Sep 30 10:59:16 localhost PAX: bytes at SP-8: 0000000000b73c20 000037e65ef9c1d9 0000000002800002 000000004002e058 0000000000b72e90 0000000000b3a2a0 0000000040002000 0000000000b3a2a0 000000000068c310 0000000000b463d0 0000000000b72e90
```

I have relaxed settings on /usr/bin/nvidia-settings and /usr/lib64/opengl/nvidia/lib/libGLcore.so.1.0.9625:

```
# chpax -v /usr/bin/nvidia-settings

----[ chpax 0.7 : Current flags for /usr/bin/nvidia-settings (pemrxs) ]----

 * Paging based PAGE_EXEC       : disabled

 * Trampolines                  : not emulated

 * mprotect()                   : not restricted

 * mmap() base                  : not randomized

 * ET_EXEC base                 : not randomized

 * Segmentation based PAGE_EXEC : disabled

# chpax -v /usr/lib64/opengl/nvidia/lib/libGLcore.so.1.0.9625

----[ chpax 0.7 : Current flags for /usr/lib64/opengl/nvidia/lib/libGLcore.so.1.0.9625 (pemrxs) ]----

 * Paging based PAGE_EXEC       : disabled

 * Trampolines                  : not emulated

 * mprotect()                   : not restricted

 * mmap() base                  : not randomized

 * ET_EXEC base                 : not randomized

 * Segmentation based PAGE_EXEC : disabled
```

But still the same problem.

Last edited by at on Wed Oct 11, 2006 12:17 am; edited 1 time in total

----------

## tuxmin

Try the same for

/usr/lib64/opengl/nvidia/lib/libGLcore

Hth, Alex!!!

----------

## at

I don't think I have this file:

```
# chpax -pemrxs /usr/lib64/opengl/nvidia/lib/libGLcore

/usr/lib64/opengl/nvidia/lib/libGLcore: No such file or directory
```

So I tried:

```
chpax -pemrxs /usr/lib64/opengl/nvidia/lib/libGLcore.so
```

But the same result:

```
#dmesg

...

nvidia-settings[30750]: segfault at 000037545cfb7f70 rip 000037545cfb7f70 rsp 000076f45a5df838 error 15

PAX: execution attempt in: /usr/lib64/opengl/nvidia/lib/libGLcore.so.1.0.9625, 37545cf36000-37545d060000 006fc000

PAX: terminating task: /usr/bin/nvidia-settings(nvidia-settings):30750, uid/euid: 0/0, PC: 000037545cfb7f70, SP: 000076f45a5df838

PAX: bytes at PC: 64 48 8b 04 25 90 ff ff ff ff a0 10 08 00 00 cc cc cc cc cc

PAX: bytes at SP-8: 0000000000b75330 000037545cab61d9 0000000002c00002 000000004002e058 0000000000b745a0 0000000000b3bed0 0000000040002000 0000000000b3bed0 0000000000699390 0000000000b475b0 0000000000b745a0

grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/bin/nvidia-settings[nvidia-settings:30750] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:15567] uid/euid:0/0 gid/egid:0/0
```

----------

## tuxmin

Can you please post the grsec part of your kernel .config. I remember this being a problem with a certain grsec option. I think I can identify it by looking over the variables...

Alex!!!

----------

## at

```
#

# Security options

#

#

# PaX

#

CONFIG_PAX=y

#

# PaX Control

#

# CONFIG_PAX_SOFTMODE is not set

CONFIG_PAX_EI_PAX=y

CONFIG_PAX_PT_PAX_FLAGS=y

# CONFIG_PAX_NO_ACL_FLAGS is not set

CONFIG_PAX_HAVE_ACL_FLAGS=y

# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#

# Non-executable pages

#

CONFIG_PAX_NOEXEC=y

CONFIG_PAX_PAGEEXEC=y

CONFIG_PAX_MPROTECT=y

CONFIG_PAX_NOELFRELOCS=y

#

# Address Space Layout Randomization

#

CONFIG_PAX_ASLR=y

CONFIG_PAX_RANDUSTACK=y

CONFIG_PAX_RANDMMAP=y

#

# Miscellaneous hardening features

#

CONFIG_PAX_MEMORY_SANITIZE=y

#

# Grsecurity

#

CONFIG_GRKERNSEC=y

# CONFIG_GRKERNSEC_LOW is not set

# CONFIG_GRKERNSEC_MEDIUM is not set

# CONFIG_GRKERNSEC_HIGH is not set

CONFIG_GRKERNSEC_CUSTOM=y

#

# Address Space Protection

#

# CONFIG_GRKERNSEC_KMEM is not set

# CONFIG_GRKERNSEC_IO is not set

CONFIG_GRKERNSEC_PROC_MEMMAP=y

CONFIG_GRKERNSEC_BRUTE=y

# CONFIG_GRKERNSEC_MODSTOP is not set

CONFIG_GRKERNSEC_HIDESYM=y

#

# Role Based Access Control Options

#

# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set

CONFIG_GRKERNSEC_ACL_MAXTRIES=3

CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#

# Filesystem Protections

#

CONFIG_GRKERNSEC_PROC=y

# CONFIG_GRKERNSEC_PROC_USER is not set

CONFIG_GRKERNSEC_PROC_USERGROUP=y

CONFIG_GRKERNSEC_PROC_GID=533

CONFIG_GRKERNSEC_PROC_ADD=y

CONFIG_GRKERNSEC_LINK=y

CONFIG_GRKERNSEC_FIFO=y

CONFIG_GRKERNSEC_CHROOT=y

CONFIG_GRKERNSEC_CHROOT_MOUNT=y

CONFIG_GRKERNSEC_CHROOT_DOUBLE=y

CONFIG_GRKERNSEC_CHROOT_PIVOT=y

CONFIG_GRKERNSEC_CHROOT_CHDIR=y

CONFIG_GRKERNSEC_CHROOT_CHMOD=y

CONFIG_GRKERNSEC_CHROOT_FCHDIR=y

CONFIG_GRKERNSEC_CHROOT_MKNOD=y

CONFIG_GRKERNSEC_CHROOT_SHMAT=y

CONFIG_GRKERNSEC_CHROOT_UNIX=y

CONFIG_GRKERNSEC_CHROOT_FINDTASK=y

CONFIG_GRKERNSEC_CHROOT_NICE=y

CONFIG_GRKERNSEC_CHROOT_SYSCTL=y

CONFIG_GRKERNSEC_CHROOT_CAPS=y

#

# Kernel Auditing

#

# CONFIG_GRKERNSEC_AUDIT_GROUP is not set

# CONFIG_GRKERNSEC_EXECLOG is not set

CONFIG_GRKERNSEC_RESLOG=y

# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set

# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set

# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set

# CONFIG_GRKERNSEC_AUDIT_IPC is not set

# CONFIG_GRKERNSEC_SIGNAL is not set

CONFIG_GRKERNSEC_FORKFAIL=y

CONFIG_GRKERNSEC_TIME=y

CONFIG_GRKERNSEC_PROC_IPADDR=y

# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set

#

# Executable Protections

#

CONFIG_GRKERNSEC_EXECVE=y

CONFIG_GRKERNSEC_SHM=y

CONFIG_GRKERNSEC_DMESG=y

CONFIG_GRKERNSEC_RANDPID=y

CONFIG_GRKERNSEC_TPE=y

# CONFIG_GRKERNSEC_TPE_ALL is not set

CONFIG_GRKERNSEC_TPE_INVERT=y

CONFIG_GRKERNSEC_TPE_GID=448

#

# Network Protections

#

CONFIG_GRKERNSEC_RANDNET=y

# CONFIG_GRKERNSEC_SOCKET is not set

#

# Sysctl support

#

CONFIG_GRKERNSEC_SYSCTL=y

# CONFIG_GRKERNSEC_SYSCTL_ON is not set

#

# Logging Options

#

CONFIG_GRKERNSEC_FLOODTIME=10

CONFIG_GRKERNSEC_FLOODBURST=4

# CONFIG_KEYS is not set

CONFIG_SECURITY=y

# CONFIG_SECURITY_NETWORK is not set

CONFIG_SECURITY_CAPABILITIES=y

# CONFIG_SECURITY_ROOTPLUG is not set

# CONFIG_SECURITY_SECLVL is not set
```

Thank you

----------

## tuxmin

Once I had a lot of trouble with this one

```
CONFIG_GRKERNSEC_EXECVE
```

See if it helps, when you disable it...

Hth, Alex!!!

----------

## at

Thank you, Alex.

Rebuilt the kernel with CONFIG_GRKERNSEC_EXECVE disabled. No effect.

Disabled (presumably, but obviously not true) all grsecurity in the kernel:

```
# sysctl -a | grep grsecurity

error: "Operation not permitted" reading key "net.ipv4.route.flush"

kernel.grsecurity.grsec_lock = 0

kernel.grsecurity.resource_logging = 0

kernel.grsecurity.destroy_unused_shm = 0

kernel.grsecurity.chroot_findtask = 0

kernel.grsecurity.dmesg = 0

kernel.grsecurity.rand_pids = 0

kernel.grsecurity.tpe_gid = 0

kernel.grsecurity.tpe = 0

kernel.grsecurity.chroot_deny_sysctl = 0

kernel.grsecurity.chroot_caps = 0

kernel.grsecurity.chroot_restrict_nice = 0

kernel.grsecurity.chroot_deny_mknod = 0

kernel.grsecurity.chroot_deny_chmod = 0

kernel.grsecurity.chroot_enforce_chdir = 0

kernel.grsecurity.chroot_deny_pivot = 0

kernel.grsecurity.chroot_deny_chroot = 0

kernel.grsecurity.chroot_deny_fchdir = 0

kernel.grsecurity.chroot_deny_mount = 0

kernel.grsecurity.chroot_deny_unix = 0

kernel.grsecurity.chroot_deny_shmat = 0

kernel.grsecurity.timechange_logging = 0

kernel.grsecurity.forkfail_logging = 0

kernel.grsecurity.fifo_restrictions = 0

kernel.grsecurity.linking_restrictions = 0

error: "Invalid argument" reading key "fs.binfmt_misc.register"
```

No effect.

Disabled PAX on the executable:

```
# chpax -pemrxs /usr/lib64/opengl/nvidia/lib/libGLcore.so.1.0.9625

# chpax -pemrxs /usr/bin/nvidia-settings

# chpax -v /usr/bin/nvidia-settings

----[ chpax 0.7 : Current flags for /usr/bin/nvidia-settings (pemrxs) ]----

 * Paging based PAGE_EXEC       : disabled

 * Trampolines                  : not emulated

 * mprotect()                   : not restricted

 * mmap() base                  : not randomized

 * ET_EXEC base                 : not randomized

 * Segmentation based PAGE_EXEC : disabled
```

Still getting an error:

```
# tail /var/log/pax.log

Oct  1 19:06:04 localhost PAX: execution attempt in: /usr/lib64/opengl/nvidia/lib/libGLcore.so.1.0.9625, 39ed6e047000-39ed6e171000 006fc000

Oct  1 19:06:04 localhost PAX: terminating task: /usr/bin/nvidia-settings(nvidia-settings):28841, uid/euid: 0/0, PC: 000039ed6e0c8f70, SP: 0000735bf2743058

Oct  1 19:06:04 localhost PAX: bytes at PC: 64 48 8b 04 25 90 ff ff ff ff a0 10 08 00 00 cc cc cc cc cc

Oct  1 19:06:04 localhost PAX: bytes at SP-8: 0000000000bddee0 000039ed6dbc71d9 0000000002a00002 000000004002e058 0000000000bdd150 0000000000b93bb0 0000000040002000 0000000000b93bb0 000000000069a280 0000000000bafbd0 0000000000bdd150
```

```
# dmesg

PAX: execution attempt in: /usr/lib64/opengl/nvidia/lib/libGLcore.so.1.0.9625, 38bd3e773000-38bd3e89d000 006fc000

PAX: terminating task: /usr/bin/nvidia-settings(nvidia-settings):28826, uid/euid: 0/0, PC: 000038bd3e7f4f70, SP: 00007eb570dcc468

PAX: bytes at PC: 64 48 8b 04 25 90 ff ff ff ff a0 10 08 00 00 cc cc cc cc cc

PAX: bytes at SP-8: 0000000000bd5750 000038bd3e2f31d9 0000000002a00002 000000004002e058 0000000000bd49a0 0000000000bd5730 0000000040002000 0000000000bd5730 0000000000691f90 0000000000ba7050 0000000000bd49a0

nvidia-settings[28841]: segfault at 000039ed6e0c8f70 rip 000039ed6e0c8f70 rsp 0000735bf2743058 error 15

PAX: execution attempt in: /usr/lib64/opengl/nvidia/lib/libGLcore.so.1.0.9625, 39ed6e047000-39ed6e171000 006fc000

PAX: terminating task: /usr/bin/nvidia-settings(nvidia-settings):28841, uid/euid: 0/0, PC: 000039ed6e0c8f70, SP: 0000735bf2743058

PAX: bytes at PC: 64 48 8b 04 25 90 ff ff ff ff a0 10 08 00 00 cc cc cc cc cc

PAX: bytes at SP-8: 0000000000bddee0 000039ed6dbc71d9 0000000002a00002 000000004002e058 0000000000bdd150 0000000000b93bb0 0000000040002000 0000000000b93bb0 000000000069a280 0000000000bafbd0 0000000000bdd150
```

----------

## tuxmin

There used to be an issue with broken dependencies in the grsec part of the kernel config. I.e. even after disabling the grsec part it would still be built, at least parts of it -- even after a "make mrproper" (which is obviously the case for you...). Please delete the kernel tree and reemerge and try again.

----------

## at

I reinstalled kernel source, did 'make clean' and rebuilt the kernel using my .config from previous builds (with CONFIG_GRKERNSEC_EXECVE not set).

No effect.

Then I set everything mentioning grsecurity in /etc/sysctl.conf to 0:

```
# sysctl -p /etc/sysctl.conf

net.ipv4.conf.default.rp_filter = 1

net.ipv4.conf.all.rp_filter = 1

net.ipv4.conf.all.accept_source_route = 0

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.all.secure_redirects = 0

net.ipv4.icmp_echo_ignore_broadcasts = 1

kernel.panic = 3

kernel.grsecurity.resource_logging = 0

kernel.grsecurity.destroy_unused_shm = 0

kernel.grsecurity.chroot_findtask = 0

kernel.grsecurity.dmesg = 0

kernel.grsecurity.rand_pids = 0

kernel.grsecurity.tpe_gid = 0

kernel.grsecurity.tpe = 0

kernel.grsecurity.chroot_deny_sysctl = 0

kernel.grsecurity.chroot_caps = 0

kernel.grsecurity.chroot_restrict_nice = 0

kernel.grsecurity.chroot_deny_mknod = 0

kernel.grsecurity.chroot_deny_chmod = 0

kernel.grsecurity.chroot_enforce_chdir = 0

kernel.grsecurity.chroot_deny_pivot = 0

kernel.grsecurity.chroot_deny_chroot = 0

kernel.grsecurity.chroot_deny_fchdir = 0

kernel.grsecurity.chroot_deny_mount = 0

kernel.grsecurity.chroot_deny_unix = 0

kernel.grsecurity.chroot_deny_shmat = 0

kernel.grsecurity.timechange_logging = 0

kernel.grsecurity.forkfail_logging = 0

error: "kernel.grsecurity.execve_limiting" is an unknown key

kernel.grsecurity.fifo_restrictions = 0

kernel.grsecurity.linking_restrictions = 0

#gradm -S

The RBAC system is currently disabled.
```

I would assume that that should disable grsecurity.

But no! Still the same situation, except that now I get errors not in /var/log/grsec.log or in /var/pax/log but in dmesg:

```
nvidia-settings[16647]: segfault at 00002c529fa82f70 rip 00002c529fa82f70 rsp 0000756f01252758 error 15

PAX: execution attempt in: /usr/lib64/opengl/nvidia/lib/libGLcore.so.1.0.9625, 2c529fa01000-2c529fb2b000 006fc000

PAX: terminating task: /usr/bin/nvidia-settings(nvidia-settings):16647, uid/euid: 1000/1000, PC: 00002c529fa82f70, SP: 0000756f01252758

PAX: bytes at PC: 64 48 8b 04 25 90 ff ff ff ff a0 10 08 00 00 cc cc cc cc cc

PAX: bytes at SP-8: 0000000000be0990 00002c529f5811d9 0000000002a00002 000000004002e058 0000000000bdfc00 0000000000baa7e0 0000000040002000 0000000000baa7e0 000000000069c730 0000000000bb23d0 0000000000bdfc00
```

But PAX should be disabled too:

```
# chpax -v /usr/bin/nvidia-settings

----[ chpax 0.7 : Current flags for /usr/bin/nvidia-settings (pemrxs) ]----

 * Paging based PAGE_EXEC       : disabled

 * Trampolines                  : not emulated

 * mprotect()                   : not restricted

 * mmap() base                  : not randomized

 * ET_EXEC base                 : not randomized

 * Segmentation based PAGE_EXEC : disabled

# chpax -v /usr/lib64/opengl/nvidia/lib/libGLcore.so.1.0.9625

----[ chpax 0.7 : Current flags for /usr/lib64/opengl/nvidia/lib/libGLcore.so.1.0.9625 (pemrxs) ]----

 * Paging based PAGE_EXEC       : disabled

 * Trampolines                  : not emulated

 * mprotect()                   : not restricted

 * mmap() base                  : not randomized

 * ET_EXEC base                 : not randomized

 * Segmentation based PAGE_EXEC : disabled

# chpax -v /usr/lib64/opengl/nvidia/lib/libGLcore.so

----[ chpax 0.7 : Current flags for /usr/lib64/opengl/nvidia/lib/libGLcore.so (pemrxs) ]----

 * Paging based PAGE_EXEC       : disabled

 * Trampolines                  : not emulated

 * mprotect()                   : not restricted

 * mmap() base                  : not randomized

 * ET_EXEC base                 : not randomized

 * Segmentation based PAGE_EXEC : disabled
```

Why, while grsecurity, RBAC and PAX are supposed to be disabled, do they still prevent legitimate programs from running???

----------

## tuxmin

This is strange... is this kernel 2.6.18? I read that PAX is partially integrated in this kernel...

It would be interesting to see what happens when you compile a vanilla kernel, maybe even a version below 2.6.18 if my assumption is true.

Hth, alex!!!

----------

## at

The kernel is 2.6.17-hardened-r1. I have some of PAX (as well as grsecurity) settings enabled in the kernel (please see above).

But my understanding was that grsecurity can be disabled through sysctl, and PAX could be disabled on a per-file basis using 'chpax'. That's what I did (or tried to do).

Is my understanding about this security model incorrect?

Thank you

----------

## tuxmin

That's the way it's supposed to work... However, it does not, obviously... It's been some time since I used grsecurity, but I remember having a lot of trouble getting rid of it once the kernel was patched.

You should really try a vanilla kernel to make sure that what we observe here is really grsec related. You might also try to patch the kernel manually with grsec and try again. There could be some issue with the hardened sources that prevents disabling grsec...

Alex!!!

----------

## at

I found the culprit.

It works only if

```
# CONFIG_PAX_MPROTECT is not set
```

(CONFIG_GRKERNSEC_EXECVE can be set.)

Thank you for your help!

----------
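An added example, not part of the original thread: a small Python parser for the PaX kill reports quoted above. It checks that the reported PC lies inside the logged mapping, converts it to an offset that stays the same across the randomized runs, and decodes the `error 15` page-fault code. Reading the third field of the "execution attempt" line as the mapping's file offset and the error code as hexadecimal are assumptions about the kernel's log format; the function names are illustrative.

```python
import re

# Sample input: three lines copied from the dmesg output quoted in the thread.
SAMPLE = """\
nvidia-settings[30750]: segfault at 000037545cfb7f70 rip 000037545cfb7f70 rsp 000076f45a5df838 error 15
PAX: execution attempt in: /usr/lib64/opengl/nvidia/lib/libGLcore.so.1.0.9625, 37545cf36000-37545d060000 006fc000
PAX: terminating task: /usr/bin/nvidia-settings(nvidia-settings):30750, uid/euid: 0/0, PC: 000037545cfb7f70, SP: 000076f45a5df838
"""

EXEC_RE = re.compile(r"PAX: execution attempt in: (?P<path>.+?), "
                     r"(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+) (?P<pgoff>[0-9a-f]+)")
TERM_RE = re.compile(r"PAX: terminating task: (?P<exe>[^(]+)\(.*?\):(?P<pid>\d+), "
                     r".*?PC: (?P<pc>[0-9a-f]+)")
SEGV_RE = re.compile(r"segfault at [0-9a-f]+ rip [0-9a-f]+ rsp [0-9a-f]+ error (?P<err>[0-9a-f]+)")

# x86 page-fault error-code bits (assumption: the kernel prints the code in hex).
PF_BITS = {0x01: "protection violation", 0x02: "write", 0x04: "user mode",
           0x08: "reserved bit", 0x10: "instruction fetch"}

def decode_pf(err_hex):
    """Return the names of the bits set in a page-fault error code."""
    code = int(err_hex, 16)
    return [name for bit, name in PF_BITS.items() if code & bit]

def analyze(log):
    """Pair each 'execution attempt' line with the 'terminating task' line after it."""
    reports, pending, fault = [], None, None
    for line in log.splitlines():
        if m := SEGV_RE.search(line):
            fault = decode_pf(m["err"])
        elif m := EXEC_RE.search(line):
            pending = m
        elif (m := TERM_RE.search(line)) and pending:
            start, end = int(pending["start"], 16), int(pending["end"], 16)
            pc = int(m["pc"], 16)
            reports.append({
                "exe": m["exe"], "pid": int(m["pid"]), "mapping": pending["path"],
                "pc_in_mapping": start <= pc < end,
                "mapping_offset": pc - start,   # independent of the randomized base
                # Assumption: third log field is the mapping's offset into the file.
                "file_offset": int(pending["pgoff"], 16) + (pc - start),
                "fault": fault,
            })
            pending = fault = None
    return reports

if __name__ == "__main__":
    for r in analyze(SAMPLE):
        print(r["exe"], r["mapping"], hex(r["mapping_offset"]), hex(r["file_offset"]), r["fault"])
```

Every report quoted in the thread resolves to the same mapping offset (0x81f70), so the process is killed at the same place in libGLcore on each run, before and after the chpax changes.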

