Updated README.md #533

Merged
merged 3 commits into from Nov 11, 2016

Projects

None yet

4 participants

@srse
Contributor
srse commented Oct 18, 2016

added requirements hint for linux systems running with PaX (see djberg96/sys-filesystem#17 for details)

@srse srse Updated README.md
added requirements hint for linux systems running with PaX (see djberg96/sys-filesystem#17 for details)
375aa65
@srse srse referenced this pull request in djberg96/sys-filesystem Oct 18, 2016
Closed

Getting a RuntimeError exception when requiring #17

README.md
@@ -43,6 +43,8 @@ At a minimum, you will need:
* A C compiler (e.g. Xcode on OSX, gcc on everything else)
* libffi development library - this is commonly in the libffi-dev or libffi-devel
+On Linux systems running with PaX (Gentoo, Alpine, etc.) you may need to disable mprotect for ruby (`paxctl -m [/path/to/ruby]`).
@simi
simi Oct 18, 2016 Contributor

PaX and mprotect are new terms for me. Can you add some links please?

@tduehr
Member
tduehr commented Oct 20, 2016

https://wiki.archlinux.org/index.php/PaX

Can we get a copy of the violations linux-grsec sent to the kernel log?

I would rather work within the bounds of PaX than tell people to disable it.

@srse srse Updated README.md
added links for pax and mprotect
b4eaeae
@srse
Contributor
srse commented Oct 21, 2016

@simi I added some links in the readme as well ;-)

@srse
Contributor
srse commented Oct 21, 2016 edited

@tduehr: sure the entry in /var/log/kern.log is (machine specifics masked with ***):

Oct 21 18:34:09 *** kernel: *** grsec: From ***: denied RWX mprotect of <anonymous mapping> by ***/ruby-1.9.2-p330/bin/ruby[ruby:31586] uid/euid:***/*** gid/egid:***/***, parent /bin/bash[sh:31578] uid/euid:***/*** gid/egid:***/**
@tduehr
Member
tduehr commented Oct 21, 2016

Bah! I was hoping something more like apparmor that you'd be able to give permissions to for specific files but that info isn't there and I'm not sure there's a way to do this without triggering PaX...

@srse
Contributor
srse commented Oct 22, 2016

I doubt that too, but my PaX knowledge is fairly basic still. Other programming languages and libs trigger the same PaX reaction. Maybe somebody from the @gentoo project can help out with some expert knowledge here? (e.g. @asarubbo or @pacho2)

@asarubbo

The commit message we are talking about says:

On Linux systems running with PaX (Gentoo, Alpine, etc.) you may need to disable mprotect for ruby

For me, the word 'may' is ambiguous.You should mention where it works or where it doesn't

Anyway, a good hardening expects an hardened kernel(grsec,pax) and the hardening from the toolchain.
In the past I discovered bugs where there is an hardened kernel but not an hardened toolchain (in other words the binary was not PIE).
In which environment it was tested?
If there is a real testcase/reproducer I can give it a try.

@srse
Contributor
srse commented Oct 22, 2016

I installed ruby-1.9.2 through rvm on a gentoo with a hardened kernel and then tried to run some ruby code that indirectly requires ffi which failed at the require statement require 'ffi' because it failed on an attach_function call within ffi, e.g. if requiring scrypt, it will trigger PaX with an mprotect violation: on this find in this class: https://github.com/pbhogan/scrypt/blob/master/lib/scrypt/scrypt_ext.rb
I suppose in that toolchain the c lib that the scrypt ruby gem wraps around is not position independent and therefore triggering PaX? (if so, it would have to be fixed in any ruby lib that dynamically loads c libs?)

@asarubbo

I don't understand much about ruby, but I downloaded the mentioned script and I tried to execute it:

# ruby scrypt_ext.rb 
/usr/lib64/ruby/site_ruby/2.0.0/rubygems/core_ext/kernel_require.rb:55:in `require': cannot load such file -- ffi-compiler/loader (LoadError)                                                  
        from /usr/lib64/ruby/site_ruby/2.0.0/rubygems/core_ext/kernel_require.rb:55:in `require'                                                                                               
        from scrypt_ext.rb:2:in `<main>'

Is that the expected error? Am I missing something?

@srse
Contributor
srse commented Oct 24, 2016 edited

to reproduce the problem with scrypt:

  1. install scrypt gem into ruby gemset: gem install scrypt
  2. start interactive ruby session: irb
  3. in irb: `require 'scrypt'

Step 3 will generate the following error:

RuntimeError: �
    from ***/gems/ffi-1.9.14/lib/ffi/library.rb:277:in `attach'
    from ***/gems/ffi-1.9.14/lib/ffi/library.rb:277:in `attach_function'
    from ***/gems/scrypt-3.0.3/lib/scrypt.rb:14:in `<module:Ext>'
    from ***/gems/scrypt-3.0.3/lib/scrypt.rb:12:in `<module:SCrypt>'
    from ***/gems/scrypt-3.0.3/lib/scrypt.rb:10:in `<top (required)>'
    from ***/ruby-2.3.0/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:127:in `require'
    from ***/ruby-2.3.0/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:127:in `rescue in require'
    from ***/ruby-2.3.0/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:40:in `require'
    from (irb):1
    from ***/ruby-2.3.0/bin/irb:11:in `<main>'
@srse
Contributor
srse commented Nov 7, 2016

@asarubbo any luck with reproducing the problem?

@tduehr tduehr merged commit cd1ea5c into ffi:master Nov 11, 2016

1 check was pending

continuous-integration/travis-ci/pr The Travis CI build is in progress
Details
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment