Slackware-14.1-PaX Notes
Posted 05-19-2014 at 10:06 PM by arniekat
Updated 05-30-2014 at 08:04 PM by arniekat (Added freshclam, chromium, KDE System Settings)
Layman's Explanation - PaX is a Linux kernel patch that protects against memory-corruption exploits such as buffer overflows and heap attacks. PaX enforces that a region of memory can be writable or executable, but not both (often written W^X): code that an attacker writes into a process's memory therefore cannot simply be executed from there. PaX also randomizes where a process's memory is laid out (the RANDMMAP feature listed below), so an attacker who cannot inject code has a much harder time reusing code that is already present.
The NX bit works in hardware, while PaX works in software; the two are compatible and complement each other (PaX uses the NX bit where the CPU has one, and emulates non-executable pages on CPUs that do not). The NX bit, which stands for No eXecute, lets the processor mark a page of memory as holding data only, never instructions. It exists to stop a class of attacks in which malicious input is written into a program's data area (the payload of a classic buffer overflow attack) and then executed from there; with NX set on that page, the attempt to execute faults instead of running the attacker's code.
Intel has the feature called the XD bit, for eXecute Disable. AMD uses the name Enhanced Virus Protection. The ARM architecture refers to it as XN for eXecute Never.
When you use the grsecurity patches, they already contain the PaX code, so you only need one patch. grsecurity adds Role-Based Access Control (RBAC, a form of Mandatory Access Control) and other system-hardening features. As I get time, I want to write the instructions for getting grsecurity and PaX working on Slackware 14.1. By working I mean: creating and installing Slackware packages, the computer boots and runs, the PaX flags have been set so all your applications behave, and the only thing left to do is create the RBAC policy. I have everything working up to creating/enforcing the RBAC policy. I figure enterprising Slackers can figure that one out, since the policy is custom-created for an individual machine.
The PaX patches are available at: https://grsecurity.net/~paxguy1/
The PaX patch pax-linux-3.10.12-test26.patch applies to Linux kernel 3.10.12, which is the closest patched version to the stock Slackware 14.1 kernel, 3.10.17. This worked fine on my machine.
Once a PaX-enabled kernel is booted, certain programs will no longer run, because PaX kills a process that violates its memory policy (most often a program that tries to make a page both writable and executable, which MPROTECT forbids; just-in-time compilers and some browser plugins do this). What I normally do is compile the PaX kernel to enforce protection, then change the flags on the individual binaries that need it so they will work. There are several ways to record those flags on a binary so that the PaX-enabled kernel knows which protections to enable or disable for that program. Keep in mind that every flag you disable is a protection that binary no longer gets, so disable only what a program actually needs rather than everything at once.
These are the flags that control the individual PaX features for a binary. A lower-case letter disables the feature and an upper-case letter enables it; the same letters are what you pass to paxctl and what you write into the user.pax.flags attribute.
-p disable PAGEEXEC
-P enable PAGEEXEC (non-executable pages enforced through the paging unit; uses the NX bit when the CPU has one)
-e disable EMUTRAMP
-E enable EMUTRAMP (emulate known trampoline code, such as GCC nested-function and signal-return trampolines, instead of killing the process)
-m disable MPROTECT
-M enable MPROTECT (forbid creating writable-and-executable mappings, or turning a writable page executable later)
-r disable RANDMMAP
-R enable RANDMMAP (randomize the base address of mmap() mappings, which covers shared libraries, anonymous mappings and PIE executables)
-x disable RANDEXEC
-X enable RANDEXEC (legacy executable-base randomization; superseded by building executables as PIE)
-s disable SEGMEXEC
-S enable SEGMEXEC (non-executable pages emulated through segmentation; x86-32 only)
METHOD NO. 1 EXTENDED ATTRIBUTES
You need the user_xattr mount option on every ext3/ext4 partition that holds a binary you want to mark, and the kernel must be built with PaX's extended-attribute marking support (CONFIG_PAX_XATTR_PAX_FLAGS) so that it reads the attribute at all. When you write flag letters to the user.pax.flags attribute of a file, the PaX-enabled kernel reads them when the file is executed and adjusts the protections for that process accordingly. Because the kernel enforces every feature by default, setting user.pax.flags is how you relax individual features for individual binaries without touching the ELF file itself (Method 2 below writes the flags into the binary instead). Two caveats: the attribute belongs to the file, so a package upgrade that replaces the binary, or a copy made without preserving extended attributes (cp --preserve=xattr, tar --xattrs), silently drops the marking and the program is back to being killed; and since anyone with write access to the file can set a user.* attribute, the markings are only as trustworthy as the files themselves. The /etc/fstab file will look similar to the following:
/dev/sdb2 swap swap defaults 0 0
/dev/sdb1 / ext4 defaults,user_xattr 1 1
/dev/sdb3 /tmp ext4 defaults,user_xattr 1 2
/dev/sdb4 /usr ext4 defaults,user_xattr 1 2
/dev/sdb5 /var ext4 defaults,user_xattr 1 2
/dev/sdb6 /home ext4 defaults,user_xattr 1 2
Here is a list of the programs and the commands to set the correct PaX flags using extended attributes. These paths are valid for 32-bit Slackware; on Slackware64 the library directories are under /usr/lib64/ instead of /usr/lib/ (for example /usr/lib64/firefox-24.4.0/), while the /usr/bin and /opt paths are the same.
KDE 4.10.5
setfattr -n user.pax.flags -v m /usr/bin/ksmserver
setfattr -n user.pax.flags -v m /usr/bin/kwrapper4
setfattr -n user.pax.flags -v m /usr/bin/kdeinit4
setfattr -n user.pax.flags -v m /usr/bin/kwin
setfattr -n user.pax.flags -v m /usr/bin/okular
setfattr -n user.pax.flags -v m /usr/bin/systemsettings
Firefox 24.4.0 ESR
setfattr -n user.pax.flags -v m /usr/lib/firefox-24.4.0/libfreebl3.so
setfattr -n user.pax.flags -v m /usr/lib/firefox-24.4.0/libmozalloc.so
setfattr -n user.pax.flags -v m /usr/lib/firefox-24.4.0/libmozsqlite3.so
setfattr -n user.pax.flags -v m /usr/lib/firefox-24.4.0/libnspr4.so
setfattr -n user.pax.flags -v m /usr/lib/firefox-24.4.0/libnss3.so
setfattr -n user.pax.flags -v m /usr/lib/firefox-24.4.0/libnssckbi.so
setfattr -n user.pax.flags -v m /usr/lib/firefox-24.4.0/libnssdbm3.so
setfattr -n user.pax.flags -v m /usr/lib/firefox-24.4.0/libnssutil3.so
setfattr -n user.pax.flags -v m /usr/lib/firefox-24.4.0/libplc4.so
setfattr -n user.pax.flags -v m /usr/lib/firefox-24.4.0/libplds4.so
setfattr -n user.pax.flags -v m /usr/lib/firefox-24.4.0/libsmime3.so
setfattr -n user.pax.flags -v m /usr/lib/firefox-24.4.0/libsoftokn3.so
setfattr -n user.pax.flags -v m /usr/lib/firefox-24.4.0/libssl3.so
setfattr -n user.pax.flags -v m /usr/lib/firefox-24.4.0/libxul.so
setfattr -n user.pax.flags -v mr /usr/lib/firefox-24.4.0/firefox
setfattr -n user.pax.flags -v mr /usr/lib/firefox-24.4.0/firefox-bin
Adobe Flash Plugin
setfattr -n user.pax.flags -v m /usr/lib/firefox-24.4.0/plugin-container
Chromium
setfattr -n user.pax.flags -v m /usr/bin/chromium/chromium
OR
setfattr -n user.pax.flags -v m /usr/bin/chromium
Midori
setfattr -n user.pax.flags -v m /usr/bin/midori
JDK 7u51
setfattr -n user.pax.flags -v m /usr/lib/java/bin/java
setfattr -n user.pax.flags -v m /usr/lib/java/bin/javaws
LibreOffice 4.2.3
setfattr -n user.pax.flags -v m /opt/libreoffice4.2/program/soffice.bin
setfattr -n user.pax.flags -v m /opt/libreoffice4.2/program/unopkg.bin
KeePass 2.25
setfattr -n user.pax.flags -v m /usr/bin/mono-sgen
Calibre 1.25.0
setfattr -n user.pax.flags -v m /usr/bin/python2.7
ClamAV 0.98.1
setfattr -n user.pax.flags -v m /usr/sbin/clamd
setfattr -n user.pax.flags -v m /usr/bin/freshclam
Sigil 0.7.4
setfattr -n user.pax.flags -v m /usr/bin/sigil
I put all these commands into a script and run it to change all the flags at once. To check that the Extended Attribute flags were set correctly, run the following command:
# getfattr -n user.pax.flags /usr/bin/ksmserver
getfattr: Removing leading '/' from absolute path names
# file: usr/bin/ksmserver
user.pax.flags="m"
METHOD NO. 2 PAXCTL
paxctl is the tool that writes the PaX flags into the binary itself: it stores them in a PT_PAX_FLAGS entry of the ELF program header, which the PaX-enabled kernel reads when the file is executed to decide which protections to enable or disable (the kernel needs CONFIG_PAX_PT_PAX_FLAGS for this). The -c option in the commands below converts the binary's PT_GNU_STACK header into a PT_PAX_FLAGS header when it does not have one yet; without -c, paxctl refuses to mark a binary that lacks the header. paxctl is available from SlackBuilds.org as paxctl-0.7. There is a newer version, paxctl-0.8, but I have not tested it myself. It is available from: http://pax.grsecurity.net/paxctl-0.8.tar.gz
Note - You do not need file system extended attributes if you are using paxctl. The trade-off is that paxctl modifies the binary, so the file no longer matches its package checksum, and a package upgrade that reinstalls the binary removes the marking just as it would remove an extended attribute; re-run your marking script after upgrades either way.
After compiling and installing paxctl, you are ready to set the PaX Flags.
Here is a list of the programs and the commands to set the correct PaX flags using paxctl. These paths are valid for 32-bit Slackware; on Slackware64 the library directories are under /usr/lib64/ instead of /usr/lib/ (for example /usr/lib64/firefox-24.4.0/), while the /usr/bin and /opt paths are the same.
KDE 4.10.5
paxctl -cm /usr/bin/ksmserver
paxctl -cm /usr/bin/kwrapper4
paxctl -cm /usr/bin/kdeinit4
paxctl -cm /usr/bin/kwin
paxctl -cm /usr/bin/okular
paxctl -cm /usr/bin/systemsettings
Firefox 24.4.0 ESR
paxctl -cm /usr/lib/firefox-24.4.0/libfreebl3.so
paxctl -cm /usr/lib/firefox-24.4.0/libmozalloc.so
paxctl -cm /usr/lib/firefox-24.4.0/libmozsqlite3.so
paxctl -cm /usr/lib/firefox-24.4.0/libnspr4.so
paxctl -cm /usr/lib/firefox-24.4.0/libnss3.so
paxctl -cm /usr/lib/firefox-24.4.0/libnssckbi.so
paxctl -cm /usr/lib/firefox-24.4.0/libnssdbm3.so
paxctl -cm /usr/lib/firefox-24.4.0/libnssutil3.so
paxctl -cm /usr/lib/firefox-24.4.0/libplc4.so
paxctl -cm /usr/lib/firefox-24.4.0/libplds4.so
paxctl -cm /usr/lib/firefox-24.4.0/libsmime3.so
paxctl -cm /usr/lib/firefox-24.4.0/libsoftokn3.so
paxctl -cm /usr/lib/firefox-24.4.0/libssl3.so
paxctl -cm /usr/lib/firefox-24.4.0/libxul.so
paxctl -cmr /usr/lib/firefox-24.4.0/firefox
paxctl -cmr /usr/lib/firefox-24.4.0/firefox-bin
Adobe Flash Plugin
paxctl -cm /usr/lib/firefox-24.4.0/plugin-container
Chromium
paxctl -cm /usr/bin/chromium/chromium
OR
paxctl -cm /usr/bin/chromium
Midori
paxctl -cm /usr/bin/midori
JDK 7u51
paxctl -cm /usr/lib/java/bin/java
paxctl -cm /usr/lib/java/bin/javaws
LibreOffice 4.2.3
paxctl -cm /opt/libreoffice4.2/program/soffice.bin
paxctl -cm /opt/libreoffice4.2/program/unopkg.bin
KeePass 2.25
paxctl -cm /usr/bin/mono-sgen
Calibre 1.25.0
paxctl -cm /usr/bin/python2.7
ClamAV 0.98.1
paxctl -cm /usr/sbin/clamd
paxctl -cm /usr/bin/freshclam
Sigil 0.7.4
paxctl -cm /usr/bin/sigil
To check that the Paxctl application set the Pax Flags correctly, run the following command:
# paxctl -v /usr/bin/vi
- PaX flags: -------x-e-- [/usr/bin/vi]
RANDEXEC is disabled
EMUTRAMP is disabled
PAXTEST
Paxtest can be used to test the functionality of memory protection on your system. I normally check my system with the stock Slackware Kernel and then with the GrSecurity/Pax Kernel. You can see the improvement in memory protection. It is available at:
https://grsecurity.net/~spender/paxtest-0.9.11.tar.gz
After you untar it, cd into the directory and run one of the following commands as root:
For Slackware 14.1 (32-Bit)
# make linux32
For Slackware64 14.1 (64-Bit)
# make linux64
In order to run paxtest:
# ./paxtest blackhat
This creates a file paxtest.log in the current directory. Copy that file to another location so you can compare readings; when you run it again under the PaX-enabled kernel, paxtest.log is overwritten with the new results. In the log, Killed means the kernel stopped the test program's attempt (the outcome you want), Vulnerable means the attempt succeeded, and the randomisation tests report how many bits of the address the kernel randomized, so higher is better.
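To make the before/after comparison repeatable, here is an added example (my own, not part of paxtest) that parses two paxtest.log files and reports which tests improved, regressed, stayed protected or are still vulnerable. The two logs embedded in it are constructed sample lines in paxtest's result-line format, not real measurements; the "Killed", "Vulnerable" and "N bits (guessed)" wording follows paxtest's output, but treat the exact phrasing as an assumption and adjust the regular expressions if your version prints differently. Python 3.

```python
"""Diff two paxtest.log runs: stock kernel ("before") against a PaX kernel
("after").  Added illustration; not part of paxtest."""
import re

# "<test name> <padding>: <result>".  Banner, "Mode:" and uname lines also
# match this shape but are dropped because their "result" does not classify.
LINE_RE = re.compile(r"^(?P<test>.+?)\s*:\s*(?P<result>.+?)\s*$")
BITS_RE = re.compile(r"(\d+)\s+(?:quality\s+)?bits")


def classify(result):
    """('exec', True) if the kernel killed the attempt, ('exec', False) if it
    succeeded, ('random', bits) for randomisation tests, None otherwise."""
    if result == "Killed":
        return ("exec", True)
    if result == "Vulnerable":
        return ("exec", False)
    if result.startswith("No randomisation"):
        return ("random", 0)
    m = BITS_RE.search(result)
    if m:
        return ("random", int(m.group(1)))
    return None


def parse_log(text):
    """Map test name -> classified outcome, skipping non-result lines."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            outcome = classify(m.group("result"))
            if outcome is not None:
                results[m.group("test")] = outcome
    return results


def compare(before, after):
    """Bucket every test into improved / regressed / still_vulnerable /
    unchanged / missing (present in only one run, or of a different kind)."""
    keys = ("improved", "regressed", "still_vulnerable", "unchanged", "missing")
    report = {k: [] for k in keys}
    for test in sorted(set(before) | set(after)):
        if test not in before or test not in after or before[test][0] != after[test][0]:
            report["missing"].append(test)
            continue
        kind, b = before[test]
        _, a = after[test]
        if kind == "exec":
            better, worse, bad = (not b and a), (b and not a), (not a)
        else:                       # randomisation: more bits is better
            better, worse, bad = a > b, a < b, a == 0
        if better:
            report["improved"].append(test)
        elif worse:
            report["regressed"].append(test)
        elif bad:
            report["still_vulnerable"].append(test)
        else:
            report["unchanged"].append(test)
    return report


def format_report(report):
    """Human-readable summary, one section per non-empty bucket."""
    lines = []
    for key in ("improved", "regressed", "still_vulnerable", "unchanged", "missing"):
        if report[key]:
            lines.append("%s (%d):" % (key, len(report[key])))
            lines.extend("  " + t for t in report[key])
    return "\n".join(lines)


# Constructed sample logs in paxtest's line format (not real measurements).
STOCK_LOG = """\
Mode: blackhat
Linux slack 3.10.17 #2 SMP Wed Nov 6 21:27:43 CST 2013 x86_64 GNU/Linux

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable anonymous mapping (mprotect)  : Vulnerable
Executable bss (mprotect)                : Vulnerable
Writable text segments                   : Vulnerable
Anonymous mapping randomisation test     : 12 bits (guessed)
Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Return to function (memcpy)              : Vulnerable
"""

PAX_LOG = """\
Mode: blackhat
Linux slack 3.10.12-pax #1 SMP Mon May 19 20:15:02 CDT 2014 x86_64 GNU/Linux

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Writable text segments                   : Killed
Anonymous mapping randomisation test     : 18 bits (guessed)
Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Return to function (memcpy)              : Vulnerable
"""

if __name__ == "__main__":
    print(format_report(compare(parse_log(STOCK_LOG), parse_log(PAX_LOG))))
```

To use it on real runs, replace the two embedded strings with the contents of the saved stock-kernel paxtest.log and the new one. The "still_vulnerable" bucket is the one to read first: in the constructed sample it flags the return-to-function test and the non-PIE executable base, which no per-binary PaX flag fixes; those need the binary itself rebuilt (as PIE, with stack protection), not a kernel setting.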
For additional information, look up the Hardened Gentoo Wiki where Advanced Security topics are discussed.