[vserver] [Grsec] audit denies pivot_root ?

From: Romain Riviere <romain.riviere_at_gmail.com>
Date: Fri 19 Nov 2010 - 15:39:44 GMT
Message-Id: <EE1D530D-FCC6-4F8C-907D-4F99863204EE@gmail.com>

Hello,

I've just set up a brand new Gentoo box with the latest experimental release (2.6.36-grsec2.2.0-vs2.3.0.36.38) and util-vserver (0.30.216_pre2924). I have created a guest from the latest Gentoo stage4, assigned a public IP from the host's eth0, and everything else is default.

The problem is that "vserver <name> start" fails with "vcontext: pivot_root(): Invalid argument" if kernel.grsecurity.audit_mount or kernel.grsecurity.audit_chdir is enabled. However, while audit_mount is seemingly an impassable obstacle (i.e. the guest never starts), audit_chdir can be defeated after several start attempts (3 in my experience). There are no errors in dmesg/kernel.log whatsoever; only the expected mount/chdir audit lines can be seen.

Attached is the current status of my grsec/pax settings. Any clues/pointers would be appreciated!

Cheers,

Romain

kernel.grsecurity.linking_restrictions = 1
kernel.grsecurity.fifo_restrictions = 1
kernel.grsecurity.execve_limiting = 1
kernel.grsecurity.ip_blackhole = 1
kernel.grsecurity.lastack_retries = 4
kernel.grsecurity.exec_logging = 0
kernel.grsecurity.signal_logging = 1
kernel.grsecurity.forkfail_logging = 1
kernel.grsecurity.timechange_logging = 1
kernel.grsecurity.chroot_deny_shmat = 1
kernel.grsecurity.chroot_deny_unix = 1
kernel.grsecurity.chroot_deny_fchdir = 1
kernel.grsecurity.chroot_deny_pivot = 1
kernel.grsecurity.chroot_enforce_chdir = 1
kernel.grsecurity.chroot_deny_mknod = 1
kernel.grsecurity.chroot_restrict_nice = 1
kernel.grsecurity.chroot_execlog = 1
kernel.grsecurity.chroot_deny_sysctl = 1
kernel.grsecurity.tpe = 1
kernel.grsecurity.tpe_gid = 32767
kernel.grsecurity.tpe_restrict_all = 1
kernel.grsecurity.socket_all = 1
kernel.grsecurity.socket_all_gid = 32768
kernel.grsecurity.socket_client = 1
kernel.grsecurity.socket_client_gid = 32768
kernel.grsecurity.socket_server = 1
kernel.grsecurity.socket_server_gid = 32768
kernel.grsecurity.audit_chdir = 0
kernel.grsecurity.audit_mount = 0
kernel.grsecurity.dmesg = 1
kernel.grsecurity.resource_logging = 1
kernel.grsecurity.audit_ptrace = 1
kernel.grsecurity.harden_ptrace = 1
kernel.grsecurity.grsec_lock = 0

CONFIG_PAX_PER_CPU_PGD=y
CONFIG_PAX_ENABLE_PAE=y
CONFIG_PAX=y
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
# CONFIG_PAX_SEGMEXEC is not set
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_ELFRELOCS is not set
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_MEMORY_SANITIZE is not set
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_USERCOPY=y
Received on Fri Nov 19 15:40:40 2010
