# qemu vs grsec [SOLVED]

## Caiman

Hello 

attempt to start qemu failed with /var/log/messages

Oct 24 21:45:19 dell2650 kernel: grsec: From 192.168.4.14: denied RWX mmap of <anonymous mapping> by /usr/bin/qemu-system-x86_64[qemu-system-x86:27758] uid/euid:1000/1000 gid/egid:100/100, parent /bin/bash[bash:27747] uid/euid:1000/1000 gid/egid:100/100

What changes on grsec should be done to allow qemu to start ?

 emerge --info

Portage 2.2.1 (hardened/linux/x86, gcc-4.7.3, glibc-2.15-r3, 3.11.2-hardened i686)

=================================================================

System uname: Linux-3.11.2-hardened-i686-Intel-R-_Xeon-TM-_CPU_3.20GHz-with-gentoo-2.2

KiB Mem:     3113168 total,   1808312 free

KiB Swap:    6291452 total,   6291452 free

Timestamp of tree: Fri, 25 Oct 2013 00:15:01 +0000

ld GNU ld (GNU Binutils) 2.23.1

app-shells/bash:          4.2_p45

dev-lang/python:          2.7.5-r3, 3.2.5-r3

dev-util/cmake:           2.8.10.2-r2

dev-util/pkgconfig:       0.28

sys-apps/baselayout:      2.2

sys-apps/openrc:          0.11.8

sys-apps/sandbox:         2.6-r1

sys-devel/autoconf:       2.69

sys-devel/automake:       1.13.4

sys-devel/binutils:       2.23.1

sys-devel/gcc:            4.7.3-r1

sys-devel/gcc-config:     1.7.3

sys-devel/libtool:        2.4.2

sys-devel/make:           3.82-r4

sys-kernel/linux-headers: 3.9 (virtual/os-headers)

sys-libs/glibc:           2.15-r3

Repositories: gentoo

ACCEPT_KEYWORDS="x86"

ACCEPT_LICENSE="* -@EULA"

CBUILD="i686-pc-linux-gnu"

CFLAGS="-O2 -march=i686 -pipe"

CHOST="i686-pc-linux-gnu"

CONFIG_PROTECT="/etc"

CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/sandbox.d /etc/terminfo"

CXXFLAGS="-O2 -march=i686 -pipe"

DISTDIR="/usr/portage/distfiles"

FCFLAGS="-march=i686 -O2 -pipe"

FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"

FFLAGS="-march=i686 -O2 -pipe"

GENTOO_MIRRORS="ftp://gentoo.arcticnetwork.ca/pub/gentoo/ http://gentoo.arcticnetwork.ca/"

LDFLAGS="-Wl,-O1 -Wl,--as-needed"

MAKEOPTS="-j3"

PKGDIR="/usr/portage/packages"

PORTAGE_CONFIGROOT="/"

PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"

PORTAGE_TMPDIR="/var/tmp"

PORTDIR="/usr/portage"

PORTDIR_OVERLAY=""

SYNC="rsync://rsync.ca.gentoo.org/gentoo-portage"

USE="X acl berkdb bindist bzip2 caps cli cracklib crypt curl cxx device-mapper dri gdbm gtk3 gudev hardened hwdb iconv ipv6 iscsi jpeg modules mudflap ncurses nptl opengl openmp pam pax_kernel pcre pic python qemu readline session spice ssl tcpd tls udev unicode urandom vde virt-network x86 zlib" ABI_X86="32" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_2" QEMU_SOFTMMU_TARGETS="x86_64 i386" QEMU_USER_TARGETS="x86_64 i386" RUBY_TARGETS="ruby19 ruby18" USERLAND="GNU" VIDEO_CARDS="radeon" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"

Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

Thanks in advance,

Caiman.Last edited by Caiman on Sat Oct 26, 2013 10:55 pm; edited 1 time in total

----------

## Caiman

working now.Stepsa I did :

#was 

grep CONFIG_PAX_MPROTECT/etc/kernels/kernel-config-x86-3.11.2-hardened 

CONFIG_PAX_MPROTECT=y

# CONFIG_PAX_MPROTECT_COMPAT is not set

#changed to 

grep CONFIG_PAX_MPROTECT/etc/kernels/kernel-config-x86-3.11.2-hardened 

CONFIG_PAX_MPROTECT=y

CONFIG_PAX_MPROTECT_COMPAT=y

#then another error during qemu start 

Oct 26 12:00:05 dell2650 kernel: grsec: From 192.168.4.14: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/bin/qemu-system-i386[qemu-system-i38:13341] uid/euid:1000/1000 gid/egid:100/100, parent /bin/bash[bash:12354] uid/euid:1000/1000 gid/egid:100/100

#solved by :

#set to default 

paxctl -z /usr/bin/qemu-system-i386

#-m: disable MPROTECT

paxctl -m /usr/bin/qemu-system-i386

#s: disable SEGMEXEC

paxctl -s /usr/bin/qemu-system-i386

#working settings

dell2650 ~ # paxctl -v /usr/bin/qemu-system-i386

PaX control v0.7

Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: ---s-m-x---- [/usr/bin/qemu-system-i386]

        SEGMEXEC is disabled

        MPROTECT is disabled

        RANDEXEC is disabled

# qemu started without any problems

not sure if this proper procedure ,or workaround.

If any idea , please let me know.

Thanks,

Konstantin.

----------

