Ubuntu 13.10 And mprotect() Restrictions

For a while I’ve had to keep the Restrict mprotect() option in PaX (CONFIG_PAX_MPROTECT) disabled because it wasn’t compatible with certain programs. It was a huge pain to deal with for that reason. But I’ve finally taken the 30 seconds to just deal with it, and I’ll post how.

The program that has the biggest issue with the restrictions is Unity, the program that handles the user interface on Ubuntu. paxctl rewrites a program header inside the ELF file itself, and Linux refuses to open a running executable for writing (ETXTBSY), so Unity has to be stopped before paxctl can disable mprotect restrictions for it.

Keep in mind that you need CONFIG_PAX_PT_PAX_FLAGS enabled in your kernel config for this: paxctl stores the per-binary flags in a PT_PAX_FLAGS program header, and a kernel built without that option ignores them.

1) Download paxctl

A simple ‘apt-get install paxctl’ is enough here.

2) Kill Unity and Xorg

This is the annoying part. Xorg just restarts every time it’s killed, because the display manager (lightdm on Ubuntu) respawns it. So stop the display manager instead:

service lightdm stop

Then switch to a text console with ctrl + alt + F4 (any of F1 to F6 will do).

You should now have a terminal; log in there.

3) Apply flags

paxctl only operates on ELF binaries, since it rewrites a program header in the file, so check the target first:

file /usr/bin/unity

If it reports a script rather than an ELF executable, apply the flags to the ELF binary the script launches instead (a commenter below reports that on 14.04 it was compiz that needed whitelisting). Then run:

paxctl -c /usr/bin/unity
paxctl -m /usr/bin/unity

-c converts the binary’s PT_GNU_STACK program header into a PT_PAX_FLAGS header (paxctl needs a slot to store the flags in), and -m sets the flag that disables MPROTECT for that one binary. Verify the result with:

paxctl -v /usr/bin/unity

One caveat with -c: it consumes PT_GNU_STACK, the header a vanilla kernel uses to decide that the stack is non-executable, so a binary converted this way and later run on a non-PaX kernel defaults to an executable stack. That is one reason the XATTR_PAX approach mentioned in the comments below exists.

Now start the display manager again with service lightdm start (or reboot) and your UI should work. You’ll have to do this for a few other programs as well, such as Chrome, whose JIT needs to make writable memory executable.
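The following C program is an added example (it is not from the original post or from the paxctl project) that does what paxctl -v does from scratch: it reads the ELF program headers and reports the PT_PAX_FLAGS entry, so you can confirm that -c created the header and -m set the no-MPROTECT bit on the right file, and it rejects non-ELF files the way paxctl would. The header type and flag bit values are the ones from the PaX patch’s elf.h (stock glibc does not define them); write_fake_elf builds a constructed, non-loadable ELF file purely so the parser can be exercised without a PaX toolchain, and the column order in format_pax_flags is this example’s own choice.

```c
/*
 * Added example, not code from the original post or from paxctl: read an
 * ELF64 file's program headers and report its PT_PAX_FLAGS marking.
 * "paxctl -c" converts PT_GNU_STACK into PT_PAX_FLAGS; "paxctl -m" sets
 * PF_NOMPROTECT in it. This checker lets you verify both from the file alone.
 */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PaX header type and flag bits (values from the PaX patch's elf.h). */
#ifndef PT_PAX_FLAGS
#define PT_PAX_FLAGS  0x65041580
#define PF_PAGEEXEC   (1U << 4)
#define PF_NOPAGEEXEC (1U << 5)
#define PF_SEGMEXEC   (1U << 6)
#define PF_NOSEGMEXEC (1U << 7)
#define PF_MPROTECT   (1U << 8)
#define PF_NOMPROTECT (1U << 9)
#define PF_EMUTRAMP   (1U << 12)
#define PF_NOEMUTRAMP (1U << 13)
#define PF_RANDMMAP   (1U << 14)
#define PF_NORANDMMAP (1U << 15)
#endif

/*
 * Returns 1 and stores p_flags if the ELF64 file at path has a PT_PAX_FLAGS
 * header, 0 if it is ELF64 without one, -1 if it is unreadable, truncated or
 * not ELF64 at all (e.g. a wrapper script, which paxctl also refuses).
 */
int pax_flags_of(const char *path, uint32_t *flags_out)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    Elf64_Ehdr eh;
    int rc = -1;
    if (fread(&eh, sizeof eh, 1, f) != 1) goto out;
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_phentsize != sizeof(Elf64_Phdr)) goto out;
    rc = 0;
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        if (fseek(f, (long)(eh.e_phoff + (uint64_t)i * sizeof ph), SEEK_SET) != 0 ||
            fread(&ph, sizeof ph, 1, f) != 1) { rc = -1; break; }
        if (ph.p_type == PT_PAX_FLAGS) {           /* the header paxctl -c creates */
            if (flags_out) *flags_out = ph.p_flags;
            rc = 1;
            break;
        }
    }
out:
    fclose(f);
    return rc;
}

/* 1 if the marking disables MPROTECT for this binary (what "paxctl -m" produces). */
int mprotect_disabled(uint32_t pax_flags)
{
    return (pax_flags & PF_NOMPROTECT) != 0;
}

/* Letter notation: uppercase = enabled, lowercase = disabled, '-' = kernel default.
 * Columns: PAGEEXEC, SEGMEXEC, MPROTECT, EMUTRAMP, RANDMMAP (order chosen here). */
void format_pax_flags(uint32_t fl, char out[6])
{
    out[0] = (fl & PF_PAGEEXEC) ? 'P' : (fl & PF_NOPAGEEXEC) ? 'p' : '-';
    out[1] = (fl & PF_SEGMEXEC) ? 'S' : (fl & PF_NOSEGMEXEC) ? 's' : '-';
    out[2] = (fl & PF_MPROTECT) ? 'M' : (fl & PF_NOMPROTECT) ? 'm' : '-';
    out[3] = (fl & PF_EMUTRAMP) ? 'E' : (fl & PF_NOEMUTRAMP) ? 'e' : '-';
    out[4] = (fl & PF_RANDMMAP) ? 'R' : (fl & PF_NORANDMMAP) ? 'r' : '-';
    out[5] = '\0';
}

/* Constructed test fixture: a minimal, non-loadable ELF64 file with one program
 * header of the given type and flags. Returns 0 on success, -1 on error. */
int write_fake_elf(const char *path, uint32_t ph_type, uint32_t ph_flags)
{
    Elf64_Ehdr eh; Elf64_Phdr ph;
    memset(&eh, 0, sizeof eh); memset(&ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;  eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT; eh.e_type = ET_EXEC;
    eh.e_machine = EM_X86_64;           eh.e_version = EV_CURRENT;
    eh.e_ehsize = sizeof eh;            eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof ph;         eh.e_phnum = 1;
    ph.p_type = ph_type;                ph.p_flags = ph_flags;
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    int ok = fwrite(&eh, sizeof eh, 1, f) == 1 && fwrite(&ph, sizeof ph, 1, f) == 1;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";
    uint32_t fl = 0;
    int r = pax_flags_of(path, &fl);
    if (r < 0) { fprintf(stderr, "%s: not an ELF64 file (paxctl cannot mark a script)\n", path); return 2; }
    if (r == 0) { printf("%s: no PT_PAX_FLAGS header (run paxctl -c first)\n", path); return 1; }
    char s[6]; format_pax_flags(fl, s);
    printf("%s: PaX flags %s, MPROTECT %s\n", path, s,
           mprotect_disabled(fl) ? "disabled for this binary" : "kernel default");
    return 0;
}
```

Build it with gcc and run it as ./paxflags /usr/bin/unity (or on any binary): “no PT_PAX_FLAGS header” means -c has not been run on that file, a lowercase m in the flag string means MPROTECT is disabled for it, and a non-ELF result means you are looking at a wrapper script and need to mark the real binary.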

From the grsecurity wiki, which reproduces the kernel config help text for the option (CONFIG_PAX_MPROTECT):

Enabling this option will prevent programs from
– changing the executable status of memory pages that were
not originally created as executable,
– making read-only executable pages writable again,
– creating executable pages from anonymous memory,
– making read-only-after-relocations (RELRO) data pages writable again.

You should say Y here to complete the protection provided by
the enforcement of non-executable pages.
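To see what those four rules mean at the syscall level, here is an added C probe (not part of the original post or of PaX itself) that attempts each forbidden transition and reports whether the running kernel allowed it. On a stock kernel all four succeed, which is exactly the gap MPROTECT closes; on a PaX kernel with MPROTECT in force for the binary they are refused (with EACCES or EPERM depending on the path), and a binary marked with paxctl -m gets the stock behaviour back. The probe touches only its own mappings and restores each one afterwards; the RELRO probe assumes glibc’s ld.so, which protects the page-rounded RELRO range with PROT_READ.

```c
/*
 * Added example, not code from the original post or from PaX: one probe per
 * transition that the MPROTECT option forbids. Each probe returns 0 if the
 * kernel allowed it, the errno it was refused with (PaX: EACCES/EPERM), or
 * -1 if the probe does not apply to this binary.
 */
#include <errno.h>
#include <link.h>        /* ElfW(Phdr) */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/auxv.h>    /* getauxval(AT_PHDR) */
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20   /* Linux value; only needed under strict -std= modes */
#endif

static size_t page_size(void) { return (size_t)sysconf(_SC_PAGESIZE); }

/* 1) Anonymous RW pages made executable later (the JIT pattern browsers rely on). */
int probe_rw_then_exec(void)
{
    size_t sz = page_size();
    void *p = mmap(NULL, sz, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return errno;
    int rc = mprotect(p, sz, PROT_READ | PROT_EXEC) == 0 ? 0 : errno;
    munmap(p, sz);
    return rc;
}

/* 2) Executable pages created directly from anonymous memory (an RWX mapping). */
int probe_anon_rwx(void)
{
    size_t sz = page_size();
    void *p = mmap(NULL, sz, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return errno;
    munmap(p, sz);
    return 0;
}

/* 3) A read-only executable page (this function's own code) made writable again. */
int probe_text_writable(void)
{
    size_t sz = page_size();
    uintptr_t page = (uintptr_t)probe_text_writable & ~(uintptr_t)(sz - 1);
    if (mprotect((void *)page, sz, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) return errno;
    mprotect((void *)page, sz, PROT_READ | PROT_EXEC);   /* restore original protection */
    return 0;
}

/* Locate the main executable's PT_GNU_RELRO range via the auxiliary vector. */
static int find_relro(uintptr_t *start, uintptr_t *end)
{
    const ElfW(Phdr) *ph = (const ElfW(Phdr) *)getauxval(AT_PHDR);
    unsigned long n = getauxval(AT_PHNUM);
    if (!ph || n == 0) return 0;
    uintptr_t base = 0;                                  /* load offset, non-zero for PIE */
    for (unsigned long i = 0; i < n; i++)
        if (ph[i].p_type == PT_PHDR) base = (uintptr_t)ph - ph[i].p_vaddr;
    for (unsigned long i = 0; i < n; i++)
        if (ph[i].p_type == PT_GNU_RELRO) {
            *start = base + ph[i].p_vaddr;
            *end = *start + ph[i].p_memsz;
            return 1;
        }
    return 0;
}

/* 4) RELRO data (GOT etc., made read-only by ld.so after relocation) made writable again. */
int probe_relro_writable(void)
{
    size_t sz = page_size();
    uintptr_t start = 0, end = 0;
    if (!find_relro(&start, &end)) return -1;            /* binary has no RELRO segment */
    /* ld.so protects [start rounded down, end rounded down); only probe a page it really protected. */
    uintptr_t lo = start & ~(uintptr_t)(sz - 1), hi = end & ~(uintptr_t)(sz - 1);
    if (hi <= lo) return -1;                             /* RELRO too small to cover a full page */
    if (mprotect((void *)lo, sz, PROT_READ | PROT_WRITE) != 0) return errno;
    mprotect((void *)lo, sz, PROT_READ);                 /* restore ld.so's protection */
    return 0;
}

/* 1 if at least one probe was refused, i.e. MPROTECT rules are enforced for this process. */
int mprotect_enforced(void)
{
    int r[4] = { probe_rw_then_exec(), probe_anon_rwx(), probe_text_writable(), probe_relro_writable() };
    for (int i = 0; i < 4; i++) if (r[i] > 0) return 1;
    return 0;
}

int main(void)
{
    const char *names[4] = { "RW->RX anonymous", "anonymous RWX", "text page writable", "RELRO writable" };
    int r[4] = { probe_rw_then_exec(), probe_anon_rwx(), probe_text_writable(), probe_relro_writable() };
    for (int i = 0; i < 4; i++)
        printf("%-20s %s\n", names[i], r[i] == 0 ? "allowed" : r[i] < 0 ? "n/a" : strerror(r[i]));
    printf("MPROTECT %s\n", mprotect_enforced() ? "enforced" : "not enforced");
    return 0;
}
```

Run the same binary twice on a PaX kernel, once unmarked and once after paxctl -c / paxctl -m, and the output flips from refused to allowed; that is the whole effect of the whitelisting step above, and it also shows why a browser with a JIT (case 1 or 2) cannot run under the restriction.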

12 thoughts on “Ubuntu 13.10 And mprotect() Restrictions”

  1. I don’t know about Unity, but Xorg was actually working fine with mprotect() restriction for a while (circa Slackware 13.37), including hardware acceleration. I rather hope this is a problem with Ubuntu’s repo version, as opposed to an upstream issue.

    • Interesting. Perhaps it was only Unity. I’ll try reenabling mprotect restrictions on Xorg and I’ll update if it doesn’t break.

  2. I’ve been reading the PaX Quickstart wiki info from the Hardened Gentoo folks. They say: “While PT_PAX is still supported, the preferred approach is to use XATTR_PAX which places the PaX flags in a file system’s extended attributes.”
    http://wiki.gentoo.org/wiki/Hardened/PaX_Quickstart

    And they suggest using paxctl-ng to adjust XATTR_PAX settings.

    However, I don’t know how to find/install paxctl-ng. Paxctl is readily available on the PaX Team homepage and is in Ubuntu repositories. No idea where paxctl-ng is available. Is it only for Gentoo?

    What do you think about working with XATTR_PAX as opposed to PT_PAX? Do you disagree that XATTR_PAX should be the preferred flag to work with?

  3. Do you still use mprotect() restrictions? I have been trying, and the whitelist of applications that break is growing to an extent where I do not find it funny any more. Without mprotect() everything is fine in userspace as long as you do not try to load any proprietary kernel modules; that means without mprotect() restrictions you can still have your old level of usability.
    mprotect() restrictions almost break everything; you won’t even get to the login screen the first time after you have installed the kernel.
    mprotect() restrictions seem to be for absolute freaks who do not bother to keep a list of what breaks, but it definitely hurts you when you try to get things done on your desktop (apps get killed spontaneously by PaX because of those restrictions).
    This is my experience. I am no security expert, only a reasonably concerned user, but is disabling the mprotect() restriction so much worse for security?

    I have written a script that helps inexperienced Ubuntu users compile and install a grsec kernel (all fully automatic after the first questions) and keep it up to date (simply run the script again; it will detect updates and recompile the kernel), and for the above reasons I explicitly ask whether they want the mprotect() restrictions. (I recommend choosing n.)
    You can find the initial version of the script here: http://pastebin.com/JGkdK0Xu

    • I use mprotect() restrictions on elementaryOS and all I had to do was disable it for:

      1) Xorg
      2) Gala
      3) Chrome

      Everything else works fine.

      That said, mprotect restrictions are not critical, the other features of grsecurity are much more important.

      • Do you use AppArmor to restrict applications, or RBAC? According to your blog, AppArmor, but not sure if that is up to date. Cool that it works on eOS; however, stock eOS is not much, I have to admit. Do you use bigger applications like Blender, Kdenlive etc.?
        What about compilers?

        • I’ll reply to all 3 posts in order, here.

          Stock eOS is enough for me, though I switched VLC for their media player, and Chrome for Midori. And I removed a ton of stuff.

          I use Apparmor, though you can stack it with RBAC. I’ve never managed to get it working but I may try again sometime.

          For my compiler I’m on GCC 4.8 and I will move to 4.9 soon.

          Any browser will need mprotect restrictions disabled. I may not have needed to disable it on Xorg; I did so just in case.

          I’ve never had problems with VLC and mprotect restrictions, personally. That’s a good list though.

      • BTW: Xorg worked on Ubuntu 14.04 (I had to whitelist compiz). Unity worked too and did not need to be whitelisted separately, but that already outlines the issue: it does not remain constant.
        Chrome or Chromium?
