This is the RSBAC ebuild made by Anthony Basile; it is related to this thread: http://www.gossamer-threads.com/lists/gentoo/hardened/263114
In the thread appears the fixation Patch I made. In concrete, This.
diff -rupN '--exclude=*.rej' '--exclude=*.orig' linuxnopax-3.4.1/0000_README linux-3.4.1/0000_README
--- linuxnopax-3.4.1/0000_README 1970-01-01 01:00:00.000000000 +0100
+++ linux-3.4.1/0000_README 2012-08-29 21:46:21.000000000 +0200
@@ -0,0 +1,12 @@
+README
+-----------------------------------------------------------------------------
+
+Individual Patch Descriptions:
+-----------------------------------------------------------------------------
+Patch: 4500_patch-linux-3.4.1-rsbac-1.4.6.diff
+From: Amon Ott <[email protected]>
+Desc: RSBAC patch from http://www.rsbac.org/
+
+Patch: 4520_pax-linux-3.4-test7.patch
+From: pipacs <[email protected]>
+Desc: http://grsecurity.net/test.php
diff -rupN '--exclude=*.rej' '--exclude=*.orig' linuxnopax-3.4.1/fs/aio.c linux-3.4.1/fs/aio.c
--- linuxnopax-3.4.1/fs/aio.c 2012-12-03 17:36:16.000000000 +0100
+++ linux-3.4.1/fs/aio.c 2012-08-29 22:08:45.000000000 +0200
@@ -1440,21 +1440,26 @@ static ssize_t aio_fsync(struct kiocb *i static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb, bool compat) { ssize_t ret; + struct iovec iovstack; #ifdef CONFIG_COMPAT if (compat) ret = compat_rw_copy_check_uvector(type, (struct compat_iovec __user *)kiocb->ki_buf, - kiocb->ki_nbytes, 1, &kiocb->ki_inline_vec, - &kiocb->ki_iovec, 1); +kiocb->ki_nbytes, 1, &iovstack, &kiocb->ki_iovec, 1); + else #endif ret = rw_copy_check_uvector(type, (struct iovec __user *)kiocb->ki_buf, - kiocb->ki_nbytes, 1, &kiocb->ki_inline_vec, + kiocb->ki_nbytes, 1, &iovstack, &kiocb->ki_iovec, 1); if (ret < 0) goto out; + if (kiocb->ki_iovec == &iovstack) { + kiocb->ki_inline_vec = iovstack; + kiocb->ki_iovec = &kiocb->ki_inline_vec; + } ret = rw_verify_area(type, kiocb->ki_filp, &kiocb->ki_pos, ret); if (ret < 0) diff -rupN '--exclude=*.rej' '--exclude=*.orig' linuxnopax-3.4.1/fs/namei.c linux-3.4.1/fs/namei.c --- linuxnopax-3.4.1/fs/namei.c 2012-12-03 17:36:16.000000000 +0100 +++ linux-3.4.1/fs/namei.c 2012-08-29 23:23:38.000000000 +0200 @@ -4198,8 +4198,15 @@ int vfs_readlink(struct dentry *dentry, } else #endif - if (copy_to_user(buffer, link, len)) - len = -EFAULT; + + if (len < sizeof(tmpbuf)) { + memcpy(tmpbuf, link, len); + newlink = tmpbuf; + } else + newlink = link; + + if (copy_to_user(buffer, newlink, len)) + len = -EFAULT; out: return len; } diff -rupN '--exclude=*.rej' '--exclude=*.orig' linuxnopax-3.4.1/fs/pipe.c linux-3.4.1/fs/pipe.c --- linuxnopax-3.4.1/fs/pipe.c 2012-12-03 17:36:16.000000000 +0100 +++ linux-3.4.1/fs/pipe.c 2012-08-29 23:19:39.000000000 +0200 
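Review bot: The fix-up `if (kiocb->ki_iovec == &iovstack)` near the end of the fs/aio.c hunk carries no comment, yet it is the only thing that stops `ki_iovec` from still pointing at the local `iovstack` once `aio_setup_vectored_rw()` returns. I would add above it `/* ki_iovec was left pointing at the on-stack iovstack; copy it into ki_inline_vec so the pointer stays valid after we return */`. The added continuation line `kiocb->ki_nbytes, 1, &iovstack, &kiocb->ki_iovec, 1);` in the CONFIG_COMPAT branch also appears to have lost its indentation. The function body continues outside the hunk.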
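Review bot: In the fs/namei.c hunk the context `} else` just before `#endif` now governs only the added `if (len < sizeof(tmpbuf)) { ... } else newlink = link;` statement. When the branch ahead of that `else` (outside the hunk) is taken, `newlink` is never assigned, yet the now-unconditional `copy_to_user(buffer, newlink, len)` still runs, copying from an uninitialised pointer on a path that previously skipped the copy. The buffer selection and the `copy_to_user()` should sit in one braced block after the `else`: a `{` before `if (len < sizeof(tmpbuf))` and a `}` after `len = -EFAULT;`. Separately, `tmpbuf` and `newlink` are used here but this, the only hunk for fs/namei.c, declares neither, so unless the base tree already has them the declarations must be added at the top of `vfs_readlink()`.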
@@ -816,19 +816,15 @@ static int pipe_release(struct inode *inode, int decr, int decw) { struct pipe_inode_info *pipe; - mutex_lock(&inode->i_mutex); pipe = inode->i_pipe; - pipe->readers -= decr; - pipe->writers -= decw; - - if (!pipe->readers && !pipe->writers) { - + atomic_sub(decr, &pipe->readers); + atomic_sub(decw, &pipe->writers); + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) { #ifdef CONFIG_RSBAC - union rsbac_target_id_t rsbac_target_id; + union rsbac_target_id_t rsbac_target_id; #endif - - free_pipe_info(inode); + free_pipe_info(inode); #ifdef CONFIG_RSBAC rsbac_pr_debug(aef, "calling ACI remove_target()\n"); @@ -836,7 +832,7 @@ pipe_release(struct inode *inode, int de rsbac_target_id.ipc.id.id_nr = inode->i_ino; rsbac_remove_target(T_IPC, rsbac_target_id); #endif - + } else { wake_up_interruptible_sync_poll(&pipe->wait, POLLIN | POLLOUT | POLLRDNORM | POLLWRNORM | POLLERR | POLLHUP); kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN); diff -rupN '--exclude=*.rej' '--exclude=*.orig' linuxnopax-3.4.1/init/do_mounts.c linux-3.4.1/init/do_mounts.c --- linuxnopax-3.4.1/init/do_mounts.c 2012-12-03 17:36:16.000000000 +0100 +++ linux-3.4.1/init/do_mounts.c 2012-08-29 22:00:26.000000000 +0200 @@ -563,8 +563,8 @@ void __init prepare_namespace(void) mount_root(); out: devtmpfs_mount("dev"); - sys_mount(".", "/", NULL, MS_MOVE, NULL); - sys_chroot((const char __user __force *)"."); + sys_mount((char __force_user *)".", (char __force_user *)"/", NULL, MS_MOVE, NULL); + sys_chroot((const char __force_user *)"."); #ifdef CONFIG_RSBAC #ifdef CONFIG_RSBAC_INIT_DELAY diff -rupN '--exclude=*.rej' '--exclude=*.orig' linuxnopax-3.4.1/mm/mempolicy.c linux-3.4.1/mm/mempolicy.c --- linuxnopax-3.4.1/mm/mempolicy.c 2012-12-03 17:36:16.000000000 +0100 +++ linux-3.4.1/mm/mempolicy.c 2012-08-29 21:55:27.000000000 +0200 
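Review bot: The first fs/pipe.c hunk drops `mutex_lock(&inode->i_mutex);` from `pipe_release()`, but neither hunk removes a matching unlock, and the function continues past the end of the second hunk. If the `mutex_unlock()` is still there, the release path now unlocks a mutex it never took. Without the lock, `atomic_sub()` followed by two separate `atomic_read()` calls is not an atomic decrement-and-test, so two concurrent closers can both reach `free_pipe_info(inode)`, or one can free the pipe while the other is in the wake-up branch. Making `readers`/`writers` atomic does not replace the serialisation that `i_mutex` gave. I would keep `mutex_lock(&inode->i_mutex);` as the first statement and change only the arithmetic to the `atomic_*` calls.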
@@ -1109,6 +1109,17 @@ static long do_mbind(unsigned long start if (end < start) return -EINVAL; + +#ifdef CONFIG_PAX_SEGMEXEC + if (mm->pax_flags & MF_PAX_SEGMEXEC) { + if (end > SEGMEXEC_TASK_SIZE) + return -EINVAL; + } else +#endif + + if (end > TASK_SIZE) + return -EINVAL; + if (end == start) return 0; diff -rupN '--exclude=*.rej' '--exclude=*.orig' linuxnopax-3.4.1/mm/mprotect.c linux-3.4.1/mm/mprotect.c --- linuxnopax-3.4.1/mm/mprotect.c 2012-12-03 17:36:16.000000000 +0100 +++ linux-3.4.1/mm/mprotect.c 2012-08-29 21:51:37.000000000 +0200 
@@ -28,7 +28,11 @@ #include <asm/cacheflush.h> #include <asm/tlbflush.h> #include <rsbac/hooks.h> - +#ifdef CONFIG_PAX_MPROTECT +#include <linux/elf.h> +#include <linux/binfmts.h> +#endif +#include <asm/mmu_context.h> #ifndef pgprot_modify static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot) { 2013/7/16 Jens Kasten <[email protected]> > Hi, > > first which rsbac version you are using. > Appears this bug also when you try the rsbac-sources without pax? > > Jens > > Am 2013-07-15 03:07, schrieb Javier Juan Martínez Cabezón: > > I send related PaX .config if you need it: >> >> # >> # PaX >> # >> CONFIG_ARCH_TRACK_EXEC_LIMIT=y >> CONFIG_PAX_PER_CPU_PGD=y >> CONFIG_PAX=y >> >> # >> # PaX Control >> # >> CONFIG_PAX_SOFTMODE=y >> # CONFIG_PAX_EI_PAX is not set >> CONFIG_PAX_PT_PAX_FLAGS=y >> # CONFIG_PAX_XATTR_PAX_FLAGS is not set >> # CONFIG_PAX_NO_ACL_FLAGS is not set >> CONFIG_PAX_HAVE_ACL_FLAGS=y >> # CONFIG_PAX_HOOK_ACL_FLAGS is not set >> >> # >> # Non-executable pages >> # >> CONFIG_PAX_NOEXEC=y >> CONFIG_PAX_PAGEEXEC=y >> # CONFIG_PAX_SEGMEXEC is not set >> CONFIG_PAX_EMUTRAMP=y >> CONFIG_PAX_MPROTECT=y >> # CONFIG_PAX_ELFRELOCS is not set >> CONFIG_PAX_KERNEXEC=y >> CONFIG_PAX_KERNEXEC_PLUGIN_**METHOD="" >> >> # >> # Address Space Layout Randomization >> # >> CONFIG_PAX_ASLR=y >> CONFIG_PAX_RANDKSTACK=y >> CONFIG_PAX_RANDUSTACK=y >> CONFIG_PAX_RANDMMAP=y >> >> # >> # Miscellaneous hardening features >> # >> # CONFIG_PAX_MEMORY_SANITIZE is not set >> # CONFIG_PAX_MEMORY_STACKLEAK is not set >> # CONFIG_PAX_MEMORY_UDEREF is not set >> CONFIG_PAX_REFCOUNT=y >> # CONFIG_PAX_USERCOPY is not set >> # CONFIG_PAX_CONSTIFY_PLUGIN is not set >> # CONFIG_PAX_SIZE_OVERFLOW is not set >> # CONFIG_KEYS is not set >> CONFIG_SECURITY_DMESG_**RESTRICT=y >> # CONFIG_SECURITY is not set >> # CONFIG_SECURITYFS is not set >> CONFIG_DEFAULT_SECURITY_DAC=y >> CONFIG_DEFAULT_SECURITY="" >> CONFIG_XOR_BLOCKS=y >> CONFIG_ASYNC_CORE=y >> CONFIG_ASYNC_MEMCPY=y >> 
CONFIG_ASYNC_XOR=y >> CONFIG_ASYNC_PQ=y >> CONFIG_ASYNC_RAID6_RECOV=y >> CONFIG_CRYPTO=y >> >> # >> >> 2013/7/15 Javier Juan Martínez Cabezón <[email protected]> >> >> Hi all >>> >>> I'm with this several months and I still without knowing if it was >>> mistake from me while patching PaX with rsbac at hand or is a >>> kernel bug, or it's from VirtualBox (the behaviour is horrible, >>> sorry): >>> >>> After the bug hits system guest gets unusable, hard reset is >>> required, every command executed gets segfaulted from there. >>> >>> I can reproduce it easily, using backup_all (a shell script that >>> makes the sec policy backup (as in this case)) or with ./configure >>> when compiling (as emerge does something), so emerge usually does >>> seg fault. The EIP is always at the same, strnlen+0x6/0x18 >>> >>> Jul 13 22:50:02 orion kernel: BUG: unable to handle kernel paging >>> request at 00001033 >>> Jul 13 22:50:02 orion kernel: IP: [<001aa8e2>] strnlen+0x6/0x18 >>> Jul 13 22:50:02 orion kernel: *pdpt = 000000000e965001 *pde = >>> 0000000000000000 >>> Jul 13 22:50:02 orion kernel: Oops: 0000 [#1] >>> Jul 13 22:50:02 orion kernel: >>> Jul 13 22:50:02 orion kernel: Pid: 4147, comm: bash Not tainted >>> 3.4.0-rsbac #9 innotek GmbH VirtualBox >>> Jul 13 22:50:02 orion kernel: EIP: 0060:[<001aa8e2>] EFLAGS: >>> 00010217 CPU: 0 >>> Jul 13 22:50:02 orion kernel: EIP is at strnlen+0x6/0x18 >>> Jul 13 22:50:02 orion kernel: EAX: 00001033 EBX: ce9c0069 ECX: >>> 00001033 EDX: 0000000e >>> Jul 13 22:50:02 orion kernel: ESI: 00001033 EDI: ce9c0069 EBP: >>> ce9c07f5 ESP: c66d3b38 >>> Jul 13 22:50:02 orion kernel: DS: 0068 ES: 0068 FS: 0000 GS: 0000 >>> SS: 0068 >>> Jul 13 22:50:02 orion kernel: CR0: 8005003b CR2: 00001033 CR3: >>> 01415000 CR4: 000006f0 >>> Jul 13 22:50:02 orion kernel: DR0: 00000000 DR1: 00000000 DR2: >>> 00000000 DR3: 00000000 >>> Jul 13 22:50:02 orion kernel: DR6: ffff0ff0 DR7: 00000400 >>> Jul 13 22:50:02 orion kernel: Process bash (pid: 4147, ti=e738ee3c >>> 
task=e738ebd0 task.ti=e738ee3c) >>> Jul 13 22:50:02 orion kernel: Stack: >>> Jul 13 22:50:02 orion kernel: 001a884b c66d3bb4 c66d3bb0 c66d3bb4 >>> ce9c0069 ce9c0069 001a916e 000fff00 >>> Jul 13 22:50:02 orion kernel: 000fffff 0000000f ce9c07f5 ce9c000b >>> c1514bcb 000007ea ff0a0004 000fffff >>> Jul 13 22:50:02 orion kernel: ce9c0000 c66d3bdc c66d3bac c66d3bdc >>> 0004dfc6 c66d3ba8 e702a4c0 c66d3bdc >>> Jul 13 22:50:02 orion kernel: Call Trace: >>> Jul 13 22:50:02 orion kernel: [<001a884b>] ? >>> string.isra.1+0x25/0x8c >>> Jul 13 22:50:02 orion kernel: [<001a916e>] ? vsnprintf+0x139/0x257 >>> Jul 13 22:50:02 orion kernel: [<000fff00>] ? bio_map_user+0x13/0x25 >>> Jul 13 22:50:02 orion kernel: [<000fffff>] ? bio_map_kern+0xb0/0xd9 >>> Jul 13 22:50:02 orion kernel: [<000fffff>] ? bio_map_kern+0xb0/0xd9 >>> Jul 13 22:50:02 orion kernel: [<0004dfc6>] ? rsbac_printk+0x52/0x18e >>> Jul 13 22:50:02 orion kernel: [<0007d3ee>] ? >>> rsbac_adf_set_attr_cap+0x680/**0x9a6 >>> Jul 13 22:50:02 orion kernel: [<00038a00>] ? >>> smp_apic_timer_interrupt+0x62/**0x6a >>> Jul 13 22:50:02 orion kernel: [<00407f91>] ? >>> resume_userspace_sig+0x1b/0x2a >>> Jul 13 22:50:02 orion kernel: [<0007148e>] ? >>> rsbac_adf_set_attr+0x45f/**0x12b3 >>> Jul 13 22:50:02 orion kernel: [<00800001>] ? 0x800000 >>> Jul 13 22:50:02 orion kernel: [<0009fa4f>] ? do_adjtimex+0x2ab/0x550 >>> Jul 13 22:50:02 orion kernel: [<000e85ec>] ? >>> do_path_lookup+0x17/0x4a >>> Jul 13 22:50:02 orion kernel: [<000e8963>] ? >>> user_path_at_empty+0x4b/0x69 >>> Jul 13 22:50:02 orion kernel: [<000e8963>] ? >>> user_path_at_empty+0x4b/0x69 >>> Jul 13 22:50:02 orion kernel: [<000c6a52>] ? __do_fault+0x357/0x389 >>> Jul 13 22:50:02 orion kernel: [<0002cc9e>] ? >>> free_thread_xstate+0x17/0x23 >>> Jul 13 22:50:02 orion kernel: [<00110c60>] ? >>> load_elf_binary+0xf05/0xfbf >>> Jul 13 22:50:02 orion kernel: [<00110c60>] ? >>> load_elf_binary+0xf05/0xfbf >>> Jul 13 22:50:02 orion kernel: [<00030502>] ? 
>>> x86_pmu_event_init+0x23c/0x2d1 >>> Jul 13 22:50:02 orion kernel: [<000e2f53>] ? >>> do_execve_common+0x363/0x45e >>> Jul 13 22:50:02 orion kernel: [<00800001>] ? 0x800000 >>> Jul 13 22:50:02 orion kernel: [<0009fa4f>] ? do_adjtimex+0x2ab/0x550 >>> Jul 13 22:50:02 orion kernel: [<000e85ec>] ? >>> do_path_lookup+0x17/0x4a >>> Jul 13 22:50:02 orion kernel: [<000e8963>] ? >>> user_path_at_empty+0x4b/0x69 >>> Jul 13 22:50:02 orion kernel: [<000e8963>] ? >>> user_path_at_empty+0x4b/0x69 >>> Jul 13 22:50:02 orion kernel: [<000c6a52>] ? __do_fault+0x357/0x389 >>> Jul 13 22:50:02 orion kernel: [<00800001>] ? 0x800000 >>> Jul 13 22:50:02 orion kernel: [<0009fa4f>] ? >>> do_adjtimex+0x2ab/0x550 >>> Jul 13 22:50:02 orion kernel: [<00800001>] ? 0x800000 >>> Jul 13 22:50:02 orion kernel: [<0009fa4f>] ? do_adjtimex+0x2ab/0x550 >>> Jul 13 22:50:02 orion kernel: [<000e85ec>] ? >>> do_path_lookup+0x17/0x4a >>> Jul 13 22:50:02 orion kernel: [<000e8963>] ? >>> user_path_at_empty+0x4b/0x69 >>> Jul 13 22:50:02 orion kernel: [<000e8963>] ? >>> user_path_at_empty+0x4b/0x69 >>> Jul 13 22:50:02 orion kernel: [<00800001>] ? 0x800000 >>> Jul 13 22:50:02 orion kernel: [<0009fa4f>] ? >>> do_adjtimex+0x2ab/0x550 >>> Jul 13 22:50:02 orion kernel: [<000c6a52>] ? __do_fault+0x357/0x389 >>> Jul 13 22:50:02 orion kernel: [<000e626c>] ? getname_flags+0x1b/0xbf >>> Jul 13 22:50:02 orion kernel: [<000e3057>] ? do_execve+0x9/0xb >>> Jul 13 22:50:02 orion kernel: [<0002d0f1>] ? sys_execve+0x2c/0x50 >>> Jul 13 22:50:02 orion kernel: [<004087f2>] ? ptregs_execve+0x12/0x20 >>> Jul 13 22:50:02 orion kernel: [<00408009>] ? syscall_call+0x7/0xb >>> Jul 13 22:50:02 orion kernel: [<00408024>] ? restore_all_pax+0x7/0x7 >>> Jul 13 22:50:02 orion kernel: [<000290d5>] ? >>> math_state_restore+0x96/0x96 >>> Jul 13 22:50:02 orion kernel: [<00010206>] ? >>> kvm_arch_vcpu_ioctl_run+0x79a/**0xbdc >>> Jul 13 22:50:02 orion kernel: [<0003c0a9>] ? 
>>> vmalloc_sync_all+0x1/0x1 >>> Jul 13 22:50:02 orion kernel: [<00408024>] ? restore_all_pax+0x7/0x7 >>> Jul 13 22:50:02 orion kernel: [<0040007b>] ? >>> pcnet32_remove_one+0x22/0xe3 >>> Jul 13 22:50:02 orion kernel: [<0001007b>] ? >>> kvm_arch_vcpu_ioctl_run+0x60f/**0xbdc >>> Jul 13 22:50:02 orion kernel: [<0003c0a9>] ? >>> vmalloc_sync_all+0x1/0x1 >>> Jul 13 22:50:02 orion kernel: [<00010287>] ? >>> kvm_arch_vcpu_ioctl_run+0x81b/**0xbdc >>> Jul 13 22:50:02 orion kernel: Code: d0 f2 ae 74 05 bf 01 00 00 00 4f >>> eb 02 31 ff 89 f8 5f c3 85 c9 57 89 c7 74 07 89 d0 f2 ae 75 01 4f 89 >>> f8 5f c3 89 c1 89 c8 eb 06 <80> 38 00 74 07 40 4a 83 fa ff 75 f4 29 >>> c8 c3 90 90 90 57 83 c9 >>> Jul 13 22:50:02 orion kernel: EIP: [<001aa8e2>] strnlen+0x6/0x18 >>> SS:ESP 0068:c66d3b38 >>> Jul 13 22:50:02 orion kernel: CR2: 0000000000001033 >>> Jul 13 22:50:02 orion kernel: ---[ end trace 4a7d8fa933a5d5dd ]--- >>> >>> Jul 13 22:59:01 orion kernel: BUG: unable to handle kernel paging >>> request at 000010a1 >>> Jul 13 22:59:01 orion kernel: IP: [<001aa8e2>] strnlen+0x6/0x18 >>> Jul 13 22:59:01 orion kernel: *pdpt = 000000000df00001 *pde = >>> 0000000000000000 >>> Jul 13 22:59:01 orion kernel: Oops: 0000 [#2] >>> Jul 13 22:59:01 orion kernel: >>> Jul 13 22:59:01 orion kernel: Pid: 4257, comm: bash Tainted: >>> G D 3.4.0-rsbac #9 innotek GmbH VirtualBox >>> Jul 13 22:59:01 orion kernel: EIP: 0060:[<001aa8e2>] EFLAGS: >>> 00010217 CPU: 0 >>> Jul 13 22:59:01 orion kernel: EIP is at strnlen+0x6/0x18 >>> Jul 13 22:59:01 orion kernel: EAX: 000010a1 EBX: ce9c0869 ECX: >>> 000010a1 EDX: 0000000e >>> Jul 13 22:59:01 orion kernel: ESI: 000010a1 EDI: ce9c0869 EBP: >>> ce9c0ff5 ESP: c66cfb48 >>> Jul 13 22:59:01 orion kernel: DS: 0068 ES: 0068 FS: 0000 GS: 0000 >>> SS: 0068 >>> Jul 13 22:59:01 orion kernel: CR0: 8005003b CR2: 000010a1 CR3: >>> 01415000 CR4: 000006f0 >>> Jul 13 22:59:01 orion kernel: DR0: 00000000 DR1: 00000000 DR2: >>> 00000000 DR3: 00000000 >>> Jul 13 22:59:01 orion kernel: 
DR6: ffff0ff0 DR7: 00000400 >>> Jul 13 22:59:01 orion kernel: Process bash (pid: 4257, ti=e738ee3c >>> task=e738ebd0 task.ti=e738ee3c) >>> >> >
