[tomoyo-users-en 636] Akari with grsec: assignments to read-only object
t***@gmail.com
2015-12-31 22:09:00 UTC
Hi,

I tried to build akari (1.0.35_20151111) for a grsec patched 4.3.3 Linux kernel (https://grsecurity.net/test/grsecurity-3.1-4.3.3-201512282134.patch). Besides some messages/warnings of the kind "Function ... is missing from the size_overflow hash table ...", I get errors about assignments to read-only object. Akari successfully compiles without grsec enabled. Same happens for the caitsith module.

Best regards,
Torsten

==> Making package: akari 1.0.35_20151111-1 (Thu Dec 31 22:50:28 CET 2015)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
-> Found akari-1.0.35-20151111.tar.gz
-> Found akari-1.0.35-20151111.tar.gz.asc
==> Validating source files with sha256sums...
akari-1.0.35-20151111.tar.gz ... Passed
akari-1.0.35-20151111.tar.gz.asc ... Passed
==> Verifying source file signatures with gpg...
akari-1.0.35-20151111.tar.gz ... Passed
==> Extracting sources...
==> Removing existing $pkgdir/ directory...
==> Starting build()...
CC [M] akari/test.o
CC [M] akari/probe.o
CC [M] akari/permission.o
CC [M] akari/gc.o
CC [M] akari/memory.o
Creating an empty policy/profile.conf
Creating an empty policy/exception_policy.conf
Creating an empty policy/domain_policy.conf
Creating an empty policy/manager.conf
Creating an empty policy/stat.conf
CC [M] akari/realpath.o
Function ccs_scan_bprm is missing from the size_overflow hash table +ccs_scan_bprm+fndecl+2+16274+
Function argc is missing from the size_overflow hash table +argc+ccs_condition+0+63399+
Function ccs_scan_bprm is missing from the size_overflow hash table +ccs_scan_bprm+fndecl+4+16274+
Function envc is missing from the size_overflow hash table +envc+ccs_condition+0+56582+
Function total_len is missing from the size_overflow hash table +total_len+ccs_path_info+0+38974+
CC [M] akari/load_policy.o
Function ccs_commit_ok is missing from the size_overflow hash table +ccs_commit_ok+fndecl+2+20580+
Checking whether umode_t is used by include/linux/security.h or not.
LD [M] akari/akari_test.o
Generating built-in policy for TOMOYO 1.8.x.
CC [M] akari/lsm.o
CC [M] akari/policy_io.o
In file included from akari/lsm.c:12:0:
akari/lsm-4.2.c: In function ‘swap_hook’:
akari/lsm-4.2.c:1215:13: error: assignment of read-only location ‘*original’
*original = shp->hook;
^
akari/lsm-4.2.c: In function ‘ccs_init’:
akari/lsm-4.2.c:1236:39: error: assignment of member ‘find_task_by_vpid’ in read-only object
ccsecurity_exports.find_task_by_vpid = probe_find_task_by_vpid();
^
akari/lsm-4.2.c:1239:41: error: assignment of member ‘find_task_by_pid_ns’ in read-only object
ccsecurity_exports.find_task_by_pid_ns = probe_find_task_by_pid_ns();
^
akari/lsm-4.2.c:1242:37: error: assignment of member ‘d_absolute_path’ in read-only object
ccsecurity_exports.d_absolute_path = probe_d_absolute_path();
^
scripts/Makefile.build:258: recipe for target 'akari/lsm.o' failed
make[1]: *** [akari/lsm.o] Error 1
make[1]: *** Waiting for unfinished jobs....
Function ccs_read is missing from the size_overflow hash table +ccs_read+fndecl+3+10+
Function ccs_read_self is missing from the size_overflow hash table +ccs_read_self+fndecl+3+1495+
Function ccs_write_self is missing from the size_overflow hash table +ccs_write_self+fndecl+3+26838+
Function writebuf_size is missing from the size_overflow hash table +writebuf_size+ccs_io_buffer+0+17632+
Function numbers_count is missing from the size_overflow hash table +numbers_count+ccs_condition+0+22932+
Function read_user_buf_avail is missing from the size_overflow hash table +read_user_buf_avail+ccs_io_buffer+0+33672+
Function query_len is missing from the size_overflow hash table +query_len+ccs_query+0+63116+
Function envc is missing from the size_overflow hash table +envc+ccs_condition+0+56582+
Function names_count is missing from the size_overflow hash table +names_count+ccs_condition+0+60468+
Function argc is missing from the size_overflow hash table +argc+ccs_condition+0+63399+
Function condc is missing from the size_overflow hash table +condc+ccs_condition+0+43125+
Makefile:1469: recipe for target '_module_akari' failed
make: *** [_module_akari] Error 2
==> ERROR: A failure occurred in build().
Aborting...
Tetsuo Handa
2016-06-05 11:30:05 UTC
Hello.

Sorry, but I didn't know that this post was pending for 5 months
due to "Cause: Post by non-member to a members-only list". I added
your address to the list of "accept" rule.
Post by t***@gmail.com
Hi,
I tried to build akari (1.0.35_20151111) for a grsec patched 4.3.3 Linux kernel
(https://grsecurity.net/test/grsecurity-3.1-4.3.3-201512282134.patch). Besides
some messages/warnings of the kind "Function ... is missing from the
size_overflow hash table ...", I get errors about assignments to read-only object.
Akari successfully compiles without grsec enabled. Same happens for the caitsith module
Best regards,
Torsten
Well, I've never seen these messages.

According to https://forums.grsecurity.net/viewtopic.php?f=7&t=3043 ,
Emese Revfy ( ***@gmail.com ) knows about "Function ... is missing from
the size_overflow hash table ..." message. I think consulting her will be better.

About "error: assignment of read-only location" message and
"error: assignment of member ‘...’ in read-only object" message,
I can't find problems in my side because they are not marked as "const".
I think consulting PaX team members will be better.
Torsten Wörtwein
2016-06-05 12:17:26 UTC
Hello,

thanks for your response. I don't have these issues anymore.

Back then I tried to compile the Akari LSM module for a grsec enabled Archlinux kernel, somehow that failed. I use the grsec enabled Archlinux kernel with the in-tree tomoyo (and the caitsith kernel patch) at the moment (no external modules). I don't have any issues with that. I still get some warnings related to the caitsith patch and the size overflow plugin. I guess that all kernel patches applied after the grsec patch will result in these warnings since the size overflow plugin doesn't know about them beforehand (not sure how the size overflow plugin works).

I think compiling the LSM module failed back then, because of some constify'ing done by grsec. The in-tree tomoyo and the caitsith kernel patch work flawlessly for me with grsec.

Thanks,
Torsten

Emese Revfy
2016-06-05 12:24:52 UTC
Hi,

On Sun, 5 Jun 2016 20:30:05 +0900
Post by t***@gmail.com
^
akari/lsm-4.2.c:1239:41: error: assignment of member ‘find_task_by_pid_ns’ in read-only object
ccsecurity_exports.find_task_by_pid_ns = probe_find_task_by_pid_ns();
^
akari/lsm-4.2.c:1242:37: error: assignment of member ‘d_absolute_path’ in read-only object
ccsecurity_exports.d_absolute_path = probe_d_absolute_path();
Function names_count is missing from the size_overflow hash table +names_count+ccs_condition+0+60468+
Function argc is missing from the size_overflow hash table +argc+ccs_condition+0+63399+
Function condc is missing from the size_overflow hash table +condc+ccs_condition+0+43125+
Makefile:1469: recipe for target '_module_akari' failed
The "missing" messages are not interesting now because this is an old kernel and
every kernel version has a new hash table.

The CONSTIFY gcc plugin prints the "read-only" messages. I CC this mail to pipacs
because this plugin is his.
--
Emese