# Clamav not paxctl-ng treated for grsecurity-hardened kernels

## miroR

title: Clamav not paxctl-ng treated for grsecurity-hardened kernels.

---

This is what I got on boot, after upgrading my system (including clamav):

```
...
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
 * Starting clamd ...                                                                       [ ok ]
 * Starting freshclam ...                                                                   [ ok ]
 * Starting conntrackd ...                                                                  [ ok ]
 * Starting dcron ...                                                                       [ ok ]
 * Starting gpm ...                                                                         [ ok ]
...
```

(And here, after gpm started, I selected the above and was able to paste it into this text.)

And now follows the entire recount of how I tackled this problem.

```
# for i in $(echo clamd clamdscan clamscan freshclam); do which $i; done;
```

```
# for i in $(echo clamd clamdscan clamscan freshclam); do which $i >> clamav_list; done;
```

The above gets me, of course:

```
# cat clamav_list 
/usr/sbin/clamd
/usr/bin/clamdscan
/usr/bin/clamscan
/usr/bin/freshclam
#
```

And on that list I'll do some tiny batch operations. All the following are somewhat cleaned-up real pastes from my urxvt terminal. People with a grsecurity-hardened kernel, and clamav installed, should be able to follow and check.

```
# for i in $(cat clamav_list); do paxctl-ng -v $i; done;
/usr/sbin/clamd:
   open(O_RDWR) failed: cannot change PT_PAX flags
   PT_PAX    : -e---
   XATTR_PAX : not found
/usr/bin/clamdscan:
   PT_PAX    : -e---
   XATTR_PAX : not found
/usr/bin/clamscan:
   PT_PAX    : -e---
   XATTR_PAX : not found
/usr/bin/freshclam:
   open(O_RDWR) failed: cannot change PT_PAX flags
   PT_PAX    : -e---
   XATTR_PAX : not found
#
```

So probably these actions are in order:

```
# /etc/init.d/clamd stop
 * Stopping clamd ...                                [ ok ]
 * Stopping freshclam ...                            [ ok ]
#
```

and:

```
# for i in $(cat clamav_list); do paxctl-ng -F $i; done;
```

After which:

```
# for i in $(cat clamav_list); do paxctl-ng -v $i; done;
/usr/sbin/clamd:
   PT_PAX    : -e---
   XATTR_PAX : -e---
/usr/bin/clamdscan:
   PT_PAX    : -e---
   XATTR_PAX : -e---
/usr/bin/clamscan:
   PT_PAX    : -e---
   XATTR_PAX : -e---
/usr/bin/freshclam:
   PT_PAX    : -e---
   XATTR_PAX : -e---
#
```

But:

```
# /etc/init.d/clamd start
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
 * Starting clamd ...                                  [ ok ]
 * Starting freshclam ...                              [ ok ]
```

shows that it's not done yet.

So probably:

```
# /etc/init.d/clamd stop
 * Stopping clamd ...                                  [ ok ]
 * Stopping freshclam ...                              [ ok ]
#
```

and:

```
# for i in $(cat clamav_list); do paxctl-ng -mv $i; done;
/usr/sbin/clamd:
   PT_PAX    : -em--
   XATTR_PAX : -em--
/usr/bin/clamdscan:
   PT_PAX    : -em--
   XATTR_PAX : -em--
/usr/bin/clamscan:
   PT_PAX    : -em--
   XATTR_PAX : -em--
/usr/bin/freshclam:
   PT_PAX    : -em--
   XATTR_PAX : -em--
#
```

But still not there:

```
# /etc/init.d/clamd start
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
 * Starting clamd ...                                  [ ok ]
 * Starting freshclam ...                              [ ok ]
#
```

Let me see the logs. In grsecurity-hardened, it's easy to find what causes the problems by, in most cases, grep'ing for the lines containing the string 'denied'. But here, I searched for 'denied RWX mmap' to get just the clamav-related denies.

The following (where messages_151221_0756_gbn is the entire /var/log/messages stretch since boot):

```
# grep -a -r 'denied RWX mmap' messages_151221_0756_gbn | wc -l
16
# 
```

on that entire stretch since boot, got roughly exactly all that I've posted that I've done so far (all my tries in those 16 lines)... But all lines contain, and consequently refer only to, /usr/bin/clamconf! Here is just one, the last, of those lines:

```
Dec 21 07:52:28 gbn kernel: [ 1368.417807] grsec: (admin:S:/) denied RWX mmap of <anonymous mapping> by /usr/bin/clamconf[clamconf:3724] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:3723] uid/euid:0/0 gid/egid:0/0
```

Because:

```
# grep -a -r 'denied RWX mmap' messages_151221_0756_gbn  | grep -v clamconf
#
```

returns empty! So, trying some more...

```
# paxctl-ng -v /usr/bin/clamconf
/usr/bin/clamconf:
   PT_PAX    : -e---
   XATTR_PAX : not found
# paxctl-ng -F /usr/bin/clamconf
# paxctl-ng -v /usr/bin/clamconf
/usr/bin/clamconf:
   PT_PAX    : -e---
   XATTR_PAX : -e---
# /etc/init.d/clamd restart
 * Stopping clamd ...                                  [ ok ]
 * Stopping freshclam ...                              [ ok ]
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
 * Starting clamd ...                                  [ ok ]
 * Starting freshclam ...                              [ ok ]
#
```

But here I think I know what's missing:

```
# paxctl-ng -m /usr/bin/clamconf
```

which gives:

```
# paxctl-ng -v /usr/bin/clamconf
/usr/bin/clamconf:
   PT_PAX    : -em--
   XATTR_PAX : -em--
```

And now finally:

```
# /etc/init.d/clamd restart
 * Stopping clamd ...                                  [ ok ]
 * Stopping freshclam ...                              [ ok ]
 * Starting clamd ...                                  [ ok ]
 * Starting freshclam ...                              [ ok ]
# 
```

So my question is: Is this a bug? Would it make sense to try and report it?

Or has the recommendation to use (I don't think, but...) paxctl-ng been abandoned, and now the old paxctl is recommended instead? I really don't think, but...

I remember I have had to do this procedure a few times in the last few months. Exactly every time that I updated clamav.

Anyway, our devs told us they need reports on things grsec-hardened. See here

Intel Subsidiary's Violations Made Grsec withdraw Stable?

https://forums.gentoo.org/viewtopic-t-1031476.html#7835658

(where, in another context, it is asked for "more reporting" "from our users")

Is this one they would want to have reported?

----------
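
The log check from the post above (grepping for 'denied RWX mmap' and finding that every hit names /usr/bin/clamconf), as an added shell example that is not part of the original thread: it tallies the denials by executable and parent process, so the binary that actually requested the mapping is visible at a glance. The function names are assumptions, the sample log is constructed in the format of the line quoted in the post, and `/usr/bin/exampled` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original thread): summarise grsec
# "denied RWX mmap" log lines by executable and parent process.

rwx_denied_summary() {
    # $1: saved log file. grep -a as in the post: treat the file as text.
    grep -a 'denied RWX mmap' "$1" | awk '
        {
            exe = ""; parent = ""
            # Executable: the path between " by " and its "[comm:pid]" suffix.
            i = index($0, " by /")
            if (i) { rest = substr($0, i + 4)
                     exe = substr(rest, 1, index(rest, "[") - 1) }
            # Parent: the path between ", parent " and its "[comm:pid]" suffix.
            j = index($0, ", parent /")
            if (j) { rest = substr($0, j + 9)
                     parent = substr(rest, 1, index(rest, "[") - 1) }
            if (exe != "") count[exe " " parent]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

write_sample_log() {
    # Constructed sample in the format of the line quoted in the post.
    # /usr/bin/exampled and its parent are hypothetical.
    cat > "$1" <<'EOF'
Dec 21 07:31:02 gbn kernel: [   71.102030] grsec: (admin:S:/) denied RWX mmap of <anonymous mapping> by /usr/bin/clamconf[clamconf:2101] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:2100] uid/euid:0/0 gid/egid:0/0
Dec 21 07:40:10 gbn kernel: [  620.000001] grsec: (admin:S:/) denied RWX mmap of <anonymous mapping> by /usr/bin/exampled[exampled:3001] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Dec 21 07:41:00 gbn clamd[3100]: constructed line unrelated to grsec
Dec 21 07:52:28 gbn kernel: [ 1368.417807] grsec: (admin:S:/) denied RWX mmap of <anonymous mapping> by /usr/bin/clamconf[clamconf:3724] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:3723] uid/euid:0/0 gid/egid:0/0
EOF
}

# Demo run on the constructed sample; output columns: count, executable, parent.
demo_log=$(mktemp)
write_sample_log "$demo_log"
rwx_denied_summary "$demo_log"
rm -f "$demo_log"
```

Each executable listed can then be inspected with `paxctl-ng -v` before deciding whether any flag needs to change.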

## zorry

1. Clamav uses JIT.

2. It tests if it can use JIT or not; that is what you see.

3. If it can't use JIT, it disables bytecompiling and works the old way.

4. paxctl-ng is not abandoned but paxctl is on the way out.

----------

## miroR

 *zorry wrote:*   

> 1. Clamav uses JIT.
> 
> 2. It tests if it can use JIT or not; that is what you see.

 

OK JIT is (I guess) Just In Time compiling.

Do you mean, that this that I see:

```
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
```

is because of JIT (I guess you do)?

I vaguely remember that grsecurity doesn't like JIT...

 *zorry wrote:*   

> 3. If it can't use JIT, it disables bytecompiling and works the old way.

 

"it disables bytecompiling": I can't figure out what that means, no time to search for it, though...

 *zorry wrote:*   

> 4. paxctl-ng is not abandoned but paxctl is on the way out.

 

Sure!

Apparently, it's not a bug that needs to be reported, if it is a bug at all.

Thanks!

----------

## mimosinnet

 *miroR wrote:*   

> title: Clamav not paxctl-ng treated for grsecurity-hardened kernels.

 

Thanks a lot for the post and the detailed explanation! I have been able to get rid of this ugly message. Cheers!

----------

