
kexec / kdump support

Posted: Mon Nov 28, 2016 10:57 am
by arno
Dear grsecurity support,

What is the current support for kexec?

When I was trying to use it, the system could not boot.

Linux 4.8.11 + grsecurity-3.1-4.8.11-201611271225.patch

Code:
root@ubuntu16-grsec:~# kexec -l /boot/vmlinuz-4.8.11-grsec --initrd=/boot/initrd.img-4.8.11-grsec --reuse-cmdline
root@ubuntu16-grsec:~# echo $?
0
root@ubuntu16-grsec:~# cat /sys/kernel/kexec_loaded
1
root@ubuntu16-grsec:~# systemctl kexec



Code:
---
[  OK  ] Stopped target Remote File Systems.
[  OK  ] Stopped target Remote File Systems (Pre).
       Stopping Login to default iSCSI targets...
[  423.142097] kexec_core: Starting new kernel
... hangs here ...

# top
  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
28742 107       20   0 1384172 562260  19960 S  99.1  1.7   4:59.50 qemu-kvm



- config-4.8.11-grsec http://pastebin.com/Cp4J2BrG

- crash dump doesn't seem to show anything useful:
http://pastebin.com/CLBUtSSQ

Thank you in advance,

Kind Regards,
Andrey Arapov

Re: kexec support

Posted: Mon Nov 28, 2016 4:03 pm
by arno
Update

Previous steps were attempted on a VM (qemu-kvm).

I have just tried to apply the same steps on my laptop and it worked! (the same kernel 1:1)

Re: kexec support

Posted: Mon Nov 28, 2016 4:33 pm
by arno
Apparently it is working now; I have changed my VM from a 512 RAM to a 2GB RAM profile (not sure whether this was the cause). :-)

Code:
[  OK  ] Stopped target Remote File Systems.
[  OK  ] Stopped target Remote File Systems (Pre).
[  131.350281] kexec_core: Starting new kernel
[    0.000000] Linux version 4.8.11-grsec (user@96a5d669fea4) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC) ) #1 SMP Sun Nov 27 22:44:22 UTC 2016
[    0.000000] Command line: root=UUID=e990f8b3-1d6b-4615-8280-8ead4ed2fe7c ro console=tty1 console=ttyS0 crashkernel=384M-:128M
[    0.000000] KERNEL supported cpus:
...normal boot process continues...

Re: kexec / kdump support

Posted: Mon Nov 28, 2016 4:54 pm
by arno
Any idea why kexec --load-panic (a.k.a. kdump) isn't working?

Code:
root@ubuntu16-grsec:~# kexec --load-panic --reuse-cmdline --initrd=/boot/initrd.img-4.8.11-grsec /boot/vmlinuz-4.8.11-grsec
Cannot open /proc/kcore: Operation not permitted
Cannot read /proc/kcore: Operation not permitted
Cannot load /boot/vmlinuz-4.8.11-grsec


Code:
root@ubuntu16-grsec:~# strace kexec --load-panic --reuse-cmdline --initrd=/boot/initrd.img-4.8.11-grsec /boot/vmlinuz-4.8.11-grsec
execve("/sbin/kexec", ["kexec", "--load-panic", "--reuse-cmdline", "--initrd=/boot/initrd.img-4.8.11"..., "/boot/vmlinuz-4.8.11-grsec"], [/* 14 vars */]) = 0
brk(NULL)                               = 0x3786900
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x35ccf8f3000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=21007, ...}) = 0
mmap(NULL, 21007, PROT_READ, MAP_PRIVATE, 3, 0) = 0x35ccf8ed000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\t\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1864888, ...}) = 0
mmap(NULL, 3967392, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x35ccf30b000
mprotect(0x35ccf4ca000, 2097152, PROT_NONE) = 0
mmap(0x35ccf6ca000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1bf000) = 0x35ccf6ca000
mmap(0x35ccf6d0000, 14752, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x35ccf6d0000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x35ccf8ec000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x35ccf8eb000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x35ccf8ea000
arch_prctl(ARCH_SET_FS, 0x35ccf8eb700)  = 0
mprotect(0x35ccf6ca000, 16384, PROT_READ) = 0
mprotect(0x626000, 4096, PROT_READ)     = 0
mprotect(0x35ccf8f9000, 4096, PROT_READ) = 0
munmap(0x35ccf8ed000, 21007)            = 0
access("/proc/xen", F_OK)               = -1 ENOENT (No such file or directory)
brk(NULL)                               = 0x3786900
brk(0x37a7900)                          = 0x37a7900
brk(0x37a8000)                          = 0x37a8000
open("/proc/iomem", O_RDONLY)           = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
read(3, "00000100-00000fff : reserved\n000"..., 1024) = 857
read(3, "", 1024)                       = 0
close(3)                                = 0
brk(0x37a7000)                          = 0x37a7000
open("/boot/vmlinuz-4.8.11-grsec", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=7061200, ...}) = 0
mmap(NULL, 7061504, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x35ccec4f000
read(3, "MZ\352\7\0\300\7\214\310\216\330\216\300\216\3201\344\373\374\276@\0\254 \300t\t\264\16\273\7\0"..., 7061200) = 7061200
close(3)                                = 0
open("/proc/cmdline", O_RDONLY)         = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
read(3, "root=UUID=e990f8b3-1d6b-4615-828"..., 1024) = 100
close(3)                                = 0
stat("/sys/firmware/memmap", {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
open("/sys/firmware/memmap", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
getdents(3, /* 9 entries */, 32768)     = 216
open("/sys/firmware/memmap/5/start", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=4096, ...}) = 0
read(4, "0xfeffc000\n", 4096)           = 11
close(4)                                = 0
open("/sys/firmware/memmap/5/end", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=4096, ...}) = 0
read(4, "0xfeffffff\n", 4096)           = 11
close(4)                                = 0
open("/sys/firmware/memmap/5/type", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=4096, ...}) = 0
read(4, "reserved\n", 4096)             = 9
close(4)                                = 0
open("/sys/firmware/memmap/3/start", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=4096, ...}) = 0
read(4, "0x100000\n", 4096)             = 9
close(4)                                = 0
open("/sys/firmware/memmap/3/end", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=4096, ...}) = 0
read(4, "0x7ffdefff\n", 4096)           = 11
close(4)                                = 0
open("/sys/firmware/memmap/3/type", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=4096, ...}) = 0
read(4, "System RAM\n", 4096)           = 11
close(4)                                = 0
open("/sys/firmware/memmap/1/start", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=4096, ...}) = 0
read(4, "0x9fc00\n", 4096)              = 8
close(4)                                = 0
open("/sys/firmware/memmap/1/end", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=4096, ...}) = 0
read(4, "0x9ffff\n", 4096)              = 8
close(4)                                = 0
open("/sys/firmware/memmap/1/type", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=4096, ...}) = 0
read(4, "reserved\n", 4096)             = 9
close(4)                                = 0
open("/sys/firmware/memmap/6/start", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=4096, ...}) = 0
read(4, "0xfffc0000\n", 4096)           = 11
close(4)                                = 0
open("/sys/firmware/memmap/6/end", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=4096, ...}) = 0
read(4, "0xffffffff\n", 4096)           = 11
close(4)                                = 0
open("/sys/firmware/memmap/6/type", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=4096, ...}) = 0
read(4, "reserved\n", 4096)             = 9
close(4)                                = 0
open("/sys/firmware/memmap/4/start", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=4096, ...}) = 0
read(4, "0x7ffdf000\n", 4096)           = 11
close(4)                                = 0
open("/sys/firmware/memmap/4/end", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=4096, ...}) = 0
read(4, "0x7fffffff\n", 4096)           = 11
close(4)                                = 0
open("/sys/firmware/memmap/4/type", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=4096, ...}) = 0
read(4, "reserved\n", 4096)             = 9
close(4)                                = 0
open("/sys/firmware/memmap/2/start", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=4096, ...}) = 0
read(4, "0xf0000\n", 4096)              = 8
close(4)                                = 0
open("/sys/firmware/memmap/2/end", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=4096, ...}) = 0
read(4, "0xfffff\n", 4096)              = 8
close(4)                                = 0
open("/sys/firmware/memmap/2/type", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=4096, ...}) = 0
read(4, "reserved\n", 4096)             = 9
close(4)                                = 0
open("/sys/firmware/memmap/0/start", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=4096, ...}) = 0
read(4, "0x100\n", 4096)                = 6
close(4)                                = 0
open("/sys/firmware/memmap/0/end", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=4096, ...}) = 0
read(4, "0x9fbff\n", 4096)              = 8
close(4)                                = 0
open("/sys/firmware/memmap/0/type", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=4096, ...}) = 0
read(4, "System RAM\n", 4096)           = 11
close(4)                                = 0
getdents(3, /* 0 entries */, 32768)     = 0
close(3)                                = 0
uname({sysname="Linux", nodename="ubuntu16-grsec", ...}) = 0
open("/proc/cmdline", O_RDONLY)         = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
read(3, "root=UUID=e990f8b3-1d6b-4615-828"..., 1024) = 100
close(3)                                = 0
open("/boot/initrd.img-4.8.11-grsec", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=27202041, ...}) = 0
mmap(NULL, 27205632, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x35ccd25d000
read(3, "\37\213\10\0\267\"<X\0\3\244\232ol\34\307u\300W\224d\221\227&fl\307V\\\377\31\235"..., 27202041) = 27202041
close(3)                                = 0
open("/proc/iomem", O_RDONLY)           = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
read(3, "00000100-00000fff : reserved\n000"..., 1024) = 857
read(3, "", 1024)                       = 0
close(3)                                = 0
uname({sysname="Linux", nodename="ubuntu16-grsec", ...}) = 0
open("/proc/iomem", O_RDONLY)           = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
read(3, "00000100-00000fff : reserved\n000"..., 1024) = 857
read(3, "", 1024)                       = 0
close(3)                                = 0
open("/proc/kcore", O_RDONLY)           = -1 EPERM (Operation not permitted)
write(2, "Cannot open /proc/kcore: Operati"..., 49Cannot open /proc/kcore: Operation not permitted
) = 49
write(2, "Cannot read /proc/kcore: Operati"..., 49Cannot read /proc/kcore: Operation not permitted
) = 49
write(2, "Cannot load /boot/vmlinuz-4.8.11"..., 39Cannot load /boot/vmlinuz-4.8.11-grsec
) = 39
exit_group(-1)                          = ?
+++ exited with 255 +++



Update
This is how its strace is supposed to look when loading with Ubuntu's 4.4.0 kernel ->> http://pastebin.com/Vxh3GSxZ

Update 2
Though triggering a kernel crash on Ubuntu's 4.4.0 kernel (via # echo c > /proc/sysrq-trigger) causes the 4.8.11-grsec kernel to load, it unfortunately results in a kernel panic :-/ full log ->> http://pastebin.com/zjMVeekZ

Re: kexec / kdump support

Posted: Wed Nov 30, 2016 6:48 am
by arno
Ok, I think I've found the blocker:

Code:
118138 diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c                                 
118139 index 5c89a07..1749d06 100644                                                   
118140 --- a/fs/proc/kcore.c                                                           
118141 +++ b/fs/proc/kcore.c                                                           
118142 @@ -316,7 +316,7 @@ static char *storenote(struct memelfnote *men, char *bufp) 
...
...
118200 @@ -545,10 +544,13 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
118201                                                                                 
118202  static int open_kcore(struct inode *inode, struct file *filp)                 
118203  {                                                                             
118204 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)   
118205 +   return -EPERM;                                                             
118206 +#endif                 
118207     if (!capable(CAP_SYS_RAWIO))                                               
118208         return -EPERM;                                                                     
...
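Review bot: The unconditional "return -EPERM;" under "#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)" at the top of open_kcore() leaves the capable(CAP_SYS_RAWIO) check below it as unreachable code whenever either option is set, and nothing in the visible lines tells an administrator that /proc/kcore is then refused even to a CAP_SYS_RAWIO holder. Move the capability check into an "#else" branch so only one path is compiled, and add a comment here (or help text on both options) stating that tools which open /proc/kcore, such as the kexec --load-panic run traced earlier in this thread, will fail with EPERM.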


Now compiling the kernel with:
Code:
> # CONFIG_GRKERNSEC_HIDESYM is not set
> # CONFIG_GRKERNSEC_RANDSTRUCT is not set


This is likely to enable access to /proc/kcore, giving life to kexec --load-panic and possibly to the crash utility as well, since with the latter I have had:
Code:
crash /boot/System.map-4.8.11-grsec /usr/lib/debug/lib/modules/4.8.11-grsec/vmlinux


crash: read error: kernel virtual address: ffffffff8207b7b0  type: "pv_init_ops"
crash: this kernel may be configured with CONFIG_STRICT_DEVMEM, which
       renders /dev/mem unusable as a live memory source.
crash: trying /proc/kcore as an alternative to /dev/mem

crash: /proc/kcore: Operation not permitted
crash: seek error: kernel virtual address: ffffffff829214b0  type: "shadow_timekeeper xtime_sec"
crash: seek error: kernel virtual address: ffffffff82204844  type: "init_uts_ns"
crash: /boot/System.map-4.8.11-grsec and /dev/mem do not match!


Will keep you updated.
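
As an added example (not part of the original posts and not grsecurity code): a shell check that reads a kernel config and reports whether the open_kcore() hunk quoted in the post above would refuse /proc/kcore before any capability check. The function names and the two sample config files are constructed for illustration; only the two option names come from the quoted hunk.

```shell
#!/bin/sh
# Added example (not grsecurity code): predict how open("/proc/kcore") ends,
# using only the two options named in the open_kcore() hunk quoted above.

# Emit the text of a kernel config file; handles gzip-compressed input too.
config_text() {
    case "$1" in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac
}

# Print every option from the hunk's #if that is built in (=y) in config $1.
# "# CONFIG_X is not set" lines and missing lines both count as disabled.
kcore_blockers() {
    config_text "$1" |
        { grep -E '^CONFIG_GRKERNSEC_(PROC_ADD|HIDESYM)=y$' || true; } |
        cut -d= -f1
}

# EPERM: open_kcore() returns before any capability check.
# CAP_SYS_RAWIO: the open falls through to the capable() test.
kcore_open_verdict() {
    if [ -n "$(kcore_blockers "$1")" ]; then
        echo "EPERM"
    else
        echo "CAP_SYS_RAWIO"
    fi
}

# Constructed sample configs (not the poster's real config files).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/config-before" <<'EOF'
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_PROC_ADD is not set
CONFIG_GRKERNSEC_HIDESYM=y
EOF
cat > "$demo_dir/config-after" <<'EOF'
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_HIDESYM is not set
# CONFIG_GRKERNSEC_RANDSTRUCT is not set
EOF

for cfg in "$demo_dir"/config-*; do
    printf '%s: %s\n' "${cfg##*/}" "$(kcore_open_verdict "$cfg")"
done
```

On a live system, pass the running kernel's config instead, for example /boot/config-$(uname -r), or /proc/config.gz where the kernel exposes it.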

Re: kexec / kdump support

Posted: Wed Nov 30, 2016 8:56 pm
by arno
It seems that helped as I was expecting, regarding the permission to read /proc/kcore.

- Opening up a VM dump with the crash utility http://pastebin.com/uF1ffhy9 <-- though it doesn't seem to be fully working.
- kdump http://pastebin.com/Djgvw6W7 <-- there is a warning in apic.c:1349 setup_local_APIC; no kernel dump appeared in the /var/crash/ directory